NHS service leaks identities of patients living with HIV
An NHS health board has apologised after the identifies of HIV patients were accidentally disclosed.
NHS Highland says it is investigating after an email inviting patients to a HIV support group was sent with the addresses of all recipients visible.
37 people living with HIV were impacted by the leak.
NHS board ‘deeply regrets’ HIV data leak
Speaking to STV, a service user said: “It took me some time to process what I had seen.
“I know it stems from a genuine mistake but anonymity and confidentiality are so important.
“I scrolled the list and saw names clearly in some of those addresses, mine included.
“You feel physically sick, people you know, people you might have been with over the years and it sets off all those dark thoughts you had just after diagnosis.”
A spokesman for NHS Highland told STV: “NHS Highland deeply regrets that this breach of confidentiality has happened and we have contacted patients individually to apologise.
“As per normal procedure, a formal internal review is being conducted to understand how this has happened and to consider any steps to avoid this happening in future.”
HIV Scotland chief executive Nathan Sparling told PinkNews: “This kind of leak is unacceptable and it is only right that NHS Highland have reached out to those affected and apologised.
“Confidentiality is of paramount importance when it comes to people living with HIV, and the decision to disclose their status should be theirs and theirs alone.
“People affected by this leak will be understandably distressed, and HIV Scotland stands ready to support all those affected.
“I am pleased that NHS Highland have instigated a swift investigation. There must be strict safeguards put in place to ensure that this sort of thing never happens again.”
HIV data leaks have led to large fines before
The leak is not the first data blunder of its kind.
In 2016, the trust that runs London’s 56 Dean Street clinic was hit with an £180,000 fine after an email accidentally exposed the names and email addresses of 780 people, the majority of whom have HIV.
The Information Commissioner’s Office found the mix-up constituted a serious breach of the Data Protection Act, which was likely to have caused substantial distress.
Information Commissioner Christopher Graham said: “People’s use of a specialist service at a sexual health clinic is clearly sensitive personal data. The law demands this type of information is handled with particular care following clear rules, and put simply, this did not happen.
“It is clear that this breach caused a great deal of upset to the people affected.”
The Chelsea and Westminster Hospital NHS Foundation Trust had previously made a similar error in March 2010, when a member of staff in the pharmacy department sent a questionnaire to 17 patients in relation to their HIV treatment, entering emails in the ‘to’ field instead of the ‘bcc’ field.