ICO fines sexual health clinic £250 for data breach
Bloomsbury Patient Network revealed identities of HIV patients when it sent out an email newsletter
The Information Commissioner's Office (ICO) has fined sexual health clinic Bloomsbury Patient Network (BPN) £250 for inadvertently revealing the identities of HIV patients in an email blunder.
The company, which offers support to patients, sent an email newsletter to 200 patients with the list of email addresses placed in the 'to' field rather than the 'bcc' field. On receiving the email, the recipients could see all of the individual email addresses, many of which contained people's names.
In total, 56 patients' full or partial names were revealed in the data leak.
The ICO said that it had taken into account the fact that BPN received five complaints from affected individuals and that BPN did not ask the unauthorised recipients to delete the emails.
When considering how much to fine BPN, the Information Commissioner decided that BPN had access to sufficient financial resources to pay the £250 penalty without causing undue financial hardship. The £250 fine is one of the lowest fines that the ICO has handed out to date.
The BPN case is remarkably similar to another data breach incident involving a sexual health clinic; in September, the ICO found that 56 Dean Street had revealed the names and contact details of almost 800 HIV-positive patients. The ICO has not yet handed out a fine to the 56 Dean Street clinic, but it is likely to be more than the £250 penalty that BPN has been ordered to pay, because of the number of patients whose data was exposed.