A Clinic's Email Screwup Revealed 780 Patients' HIV Status

A stereotypical data breach might involve state-sponsored hackers, or cybercriminals looking for a payday. But yesterday, a leading HIV clinic in the UK revealed the identities of hundreds of its patients—by accidentally copying them all into the same email.

The email, which was sent by Central London clinic 56 Dean Street, was a standard newsletter written to update patients on upcoming changes to the service, according to a copy obtained by Buzzfeed News. These letters are apparently sent out monthly, and the recipients are usually all blind-CC'd.

This time, however, the email addresses of around 780 people who had visited the clinic were CC'd so all other recipients of the email could see them. Naturally, this list likely included hundreds of people who have been diagnosed with HIV, and who may have wanted to keep that information private.

As well as revealing to everyone in the list the email addresses of other HIV patients, it would be trivial to then find the patients' real names, social media profiles, and possibly even street addresses.

56 Dean Street then reportedly sent two more emails to the affected patients: an attempt to "recall" the original message, followed by an apology.

One data protection advocate said this case highlights the responsibility organisations have to handle sensitive data properly.

"Incidents like this are all too common and harmful," Jim Killock, executive director of Open Rights Group, a charity that focuses on data protection and surveillance issues, told Motherboard in an email. "Organisations need to understand and manage their risks much better."

Killock also thinks that authorities should get involved. "This is a data breach, so the minimum is that the ICO [Information Commissioner's Office] should investigate under data protection law. Usually they give advice to ensure the organisation adopts better practice, rather than issue fines."

The ICO is an independent UK body that aims to uphold information rights, including adequate data protection.

"The ICO should listen to the patients involved," Killock added. "Any punishment should reflect the distress and harm that has been caused to the clinic's patients."

A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened […]
— 56 Dean Street (@56deanstreet) September 2, 2015

The hospital that manages 56 Dean Street did not immediately respond to a request for comment, but the clinic's Twitter account made a series of posts to apologise. "A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened," the first read.

"We've contacted everybody who's affected to apologise and offer support," another followed. 56 Dean Street also tweeted a phone number that potential victims of the breach could reach them on.