An NHS health board has found itself in the awkward position of apologising to 37 patients, after accidentally disclosing their identities.
An email sent by NHS Highland invited people with HIV to a support group run by Raigmore Hospital’s sexual health clinic in Inverness, Scotland. But rather than blind carbon copying (Bcc’ing) the sensitive email’s recipients, all addresses were included in the email’s Cc: field.
Ironically the email invitation promised to “respect anonymity” and to “never identify members present” at the meeting.
One exposed patient described to Scottish TV how he felt when he realised what had happened:
“I know it stems from a genuine mistake but anonymity and confidentiality are so important. I scrolled the list and saw names clearly in some of those addresses, mine included.”
“You feel physically sick, people you know, people you might have been with over the years and it sets off all those dark thoughts you had just after diagnosis.”
A spokesperson for the health board apologised to the email’s recipients:
“NHS Highland deeply regrets that this breach of confidentiality has happened and we have contacted patients individually to apologise. As per normal procedure, a formal internal review is being conducted to understand how this has happened and to consider any steps to avoid this happening in future.”
Nathan Sparling, chief executive of charity HIV Scotland, told BBC News that he welcomed NHS Highland’s investigation, but said that the breach was “unacceptable”:
“Confidentiality is of paramount importance when it comes to people living with HIV, and the decision to disclose their status should be theirs and theirs alone.”
Sadly this isn’t the first time that HIV patients have suffered at the hands of a careless privacy breach.
A few years ago, a sexual health clinic in Soho, London, managed to disclose the names and email addresses of approximately 780 people, most of whom had HIV.
The trust that ran London’s 56 Dean Street clinic were subsequently hit with a £180,000 fine.
And it’s not just health services, of course, who make these kinds of email blunders.
Earlier this month I described how the Dutch Data Protection Authority had found itself in the ironic position of reporting itself for a data protection failure after making the same kind of mistake via email.
You can hear more about that incident, and other organisations who have made similar boo-boos, and how they might be stopped, in this episode of the “Smashing Security” podcast.