This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-35131543
The article has changed 3 times. There is an RSS feed of changes available.
| Version 1 | Version 2 |
|---|---|
| HIV clinic fined £250 for data breach | HIV clinic fined £250 for data breach |
| (6 days later) | |
| A health clinic that mistakenly revealed the identity of HIV-positive patients in a group email has been fined £250 by the UK's data watchdog. | A health clinic that mistakenly revealed the identity of HIV-positive patients in a group email has been fined £250 by the UK's data watchdog. |
| The Bloomsbury Patient Network provides information and support for people who are HIV-positive. | The Bloomsbury Patient Network provides information and support for people who are HIV-positive. |
| But twice in 2014, staff emailed up to 200 members at a time without obscuring other patients' email addresses. | But twice in 2014, staff emailed up to 200 members at a time without obscuring other patients' email addresses. |
| The Information Commissioner's Office (ICO) said it had levied a fine that would not cause "financial hardship". | The Information Commissioner's Office (ICO) said it had levied a fine that would not cause "financial hardship". |
| Data breach | Data breach |
| In February 2014, a member of staff at the Bloomsbury Patient Network emailed up to 200 patients who were HIV-positive. | In February 2014, a member of staff at the Bloomsbury Patient Network emailed up to 200 patients who were HIV-positive. |
| The email addresses were entered into the "To" field, meaning they were visible to everybody who received the email. | The email addresses were entered into the "To" field, meaning they were visible to everybody who received the email. |
| Instead, email addresses should have been entered into the "BCC" field, which would have obscured them from other recipients. | Instead, email addresses should have been entered into the "BCC" field, which would have obscured them from other recipients. |
| In May 2014, the same member of staff repeated the error. | In May 2014, the same member of staff repeated the error. |
| Serious error | Serious error |
| The ICO said 56 of the 200 email addresses contained the full or partial real names of patients. | The ICO said 56 of the 200 email addresses contained the full or partial real names of patients. |
| Considering the subject matter of the email message, it ruled that was a serious breach of data protection laws. | Considering the subject matter of the email message, it ruled that was a serious breach of data protection laws. |
| But the amount of the fine was mitigated by the "significant impact on BPN's reputation as a result of this security breach". | But the amount of the fine was mitigated by the "significant impact on BPN's reputation as a result of this security breach". |
| A spokesperson for the BPN told the BBC: "We have paid the fine without making any appeal, acknowledging that our old mailing system was flawed in its potential for human error." | |
| "We were in the process of changing systems when the breach in question occurred and we have since been using a secure and anonymous mailing system." | |
| Continuing investigation | Continuing investigation |
| Another HIV support group, 56 Dean Street, in London, made the same mistake with an email sent in September 2015. | Another HIV support group, 56 Dean Street, in London, made the same mistake with an email sent in September 2015. |
| It exposed the names and email addresses of 780 people when a newsletter was issued. | It exposed the names and email addresses of 780 people when a newsletter was issued. |
| The ICO told the BBC its investigation into that incident was continuing. | The ICO told the BBC its investigation into that incident was continuing. |
| Fines for breaches of data protection can reach £500,000. | Fines for breaches of data protection can reach £500,000. |
| "No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring," said Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling. | "No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring," said Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling. |
| "Incidences such as these are rare, and should not put anybody off getting a test for HIV. Nearly one in six people with HIV does not realise they have it," he said. | "Incidences such as these are rare, and should not put anybody off getting a test for HIV. Nearly one in six people with HIV does not realise they have it," he said. |