HIV Clinic Fined for Data Breach
The UK-based Bloomsbury Patient Network has been fined 250 pounds for mistakenly revealing the identity of HIV-positive patients in a group email.
The Bloomsbury Patient Network is supposed to provide information and support for patients who have been found to be HIV-positive. Unfortunately, on two separate occasions in 2014, staffers at the BPN sent out emails to their members with up to 200 other members CC'd, effectively outing the members' conditions to each other. The members' emails should have been BCC'd in order to protect their identities, especially seeing as 56 of the 200 addresses contained the full or partial names of the patients. The BCC mistake was repeated a second time by the same staffer despite the BPN having received five separate complaints about the matter.
The UK data breach watchdog, the Information Commissioner's Office, identified the breach and moved to punish the BPN for its error without disabling the group, noting that the fine would not cause "financial hardship." That said, the ICO maintained that the subject matter of the emails meant that the visibility of the other email addresses constituted a serious breach of data protection laws.
The Bloomsbury Patient Network is not the only medical group to make this error; indeed, another London-based HIV support group, 56 Dean Street, made the exact same mistake in September of this year. Simply by not BCC'ing, 56 Dean Street exposed over 780 members when it sent out a newsletter.
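Both incidents above come down to member addresses being placed in CC instead of BCC. As an added illustration (not code from either organisation), here is a pre-send guard that builds a group mailing with members in Bcc and refuses to send a message in which more than the list's own address would be visible to every recipient; the addresses are constructed samples.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample member list (not real addresses) for a support-group mailing.
MEMBERS = ["alice@example.org", "b.smith@example.net", "c.jones@example.com"]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Return the addresses that would be exposed to the other recipients.

    A group mailing should reveal at most `max_visible` addresses (e.g. the
    list's own address in To); everyone else belongs in Bcc.
    """
    seen = visible_recipients(msg)
    return seen if len(seen) > max_visible else []


def build_group_mail(sender: str, members: list[str], subject: str, body: str,
                     use_bcc: bool = True) -> EmailMessage:
    """Build a mailing to `members`; use_bcc=False reproduces the CC mistake."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = sender  # only the list address shows in To
    # smtplib.SMTP.send_message() takes envelope recipients from Bcc and
    # strips the Bcc header before transmission, so members stay hidden.
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(members)
    msg.set_content(body)
    return msg


def send_safely(msg: EmailMessage) -> bool:
    """Gate before handing the message to SMTP: refuse if members are visible."""
    exposed = check_recipient_exposure(msg)
    if exposed:
        print(f"blocked: {len(exposed)} addresses would be visible to all: {exposed}")
        return False
    return True
```

Wiring `send_safely` in front of the actual SMTP call turns the "second complaint" scenario into a hard stop rather than a training reminder.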
250 pounds is no laughing matter for a non-profit, but considering that data breach fines can reach up to 500,000 pounds, the ICO is clearly not attempting to take the BPN down.
“No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring,” explained Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling. “Incidents such as these are rare and should not put anybody off getting a test for HIV,” he continued. “Nearly one in six people with HIV does not realize they have it.”
Data breaches such as these have understandable emotional impacts on the victims involved; although discriminating against a person (especially in terms of employment) based on their medical history or their status as HIV positive has long been illegal in the UK, the information is still sensitive and the disease remains somewhat taboo even in our more modern times.
Perhaps the only aspect of the breach worth being thankful for is the fact that HIV-positive patients were exposed only to each other, and only in terms of their email addresses. This acts as its own damage control to some extent: no one could out another member based on this information without revealing that the outer, or a friend or family member of the outer, is also HIV-positive, since that is the only way the information could have been obtained.