Yesterday afternoon (12:46, September 1 2015), 56 Dean Street, a GUM and HIV clinic that is part of Chelsea and Westminster NHS Foundation Trust, sent out a newsletter to its HIV-positive patients. The problem? They left every one of the 780 patients’ contact details in the ‘To’ field. This means everyone who received this email now has the contact details (name and email address) of the clinic’s 779 other HIV-positive patients.
This is a nasty incident for all involved, and I hope that calm heads prevail. The Information Commissioner’s Office will be sure to take a close look, however.
This is the second issue with data in as many weeks, after the Ashley Madison leak. It’s easy to draw distinctions between the two, and argue that the Ashley Madison victims “had it coming,” but I’m not sure that’s the right approach.
Both the people who took tests at 56 Dean Street and the people who signed up to Ashley Madison had a reasonable expectation that that information would not end up in the public domain.
It should be incumbent on anyone working with data that sensitive to take basic security precautions, or to take the relevant training so that they know the consequences of cc’ing 800 people in an email.
In my line of work I’ve been asked numerous times why we can’t just “send an email using Outlook,” and on each occasion I’ve taken the time to explain why it isn’t good practice and the potential consequences.
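As an added illustration (not code from the original post), here is the kind of basic precaution a bulk-mail step can enforce: a pre-send check that refuses any message whose visible To/Cc headers would expose other recipients, alongside the per-recipient build that avoids the problem. The recipient list and addresses are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Recipient list constructed for this example; the addresses are not real.
RECIPIENTS = [f"patient{i:03d}@example.invalid" for i in range(780)]

# A newsletter should never reveal any other recipient, so at most one
# address may appear in the headers every recipient can read.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc.
    Bcc is not counted; smtplib.send_message strips it before delivery."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg: EmailMessage) -> bool:
    """Gate to run before handing a message to the mail server."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def build_mass_message(sender, recipients, subject, body) -> EmailMessage:
    """The failure mode in the article: the whole list in the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body) -> list[EmailMessage]:
    """The precaution: one message per recipient, so no list is ever shared."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    bad = build_mass_message("clinic@example.invalid", RECIPIENTS, "Newsletter", "Hello")
    print("mass message safe to send?", safe_to_send(bad))  # False
    good = build_individual_messages("clinic@example.invalid", RECIPIENTS, "Newsletter", "Hello")
    print("all individual messages safe?", all(safe_to_send(m) for m in good))  # True
```

The same gate catches a Cc list, which is the other common way the address book ends up in every recipient's inbox.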
My worry is that as more and more sensitive data comes online, we become immune to the risks that that brings. It’s not good enough to dichotomise between “deserving” and “undeserving” victims. We can do better than this.