LONDON -- It was a careless mistake that could happen to anyone: You click “cc” instead of “bcc,” accidentally revealing an e-mail address you meant to keep hidden.
But in the case of a leading sexual health clinic in London, the blunder meant mistakenly revealing the names and e-mail addresses of hundreds of HIV-positive patients.
On Tuesday, the 56 Dean Street clinic, one of Europe’s busiest sexual health care providers, sent out its monthly “OptionE Newsletter,” but it failed to hide the details of the recipients’ e-mail addresses. The names and e-mail addresses are now known to the nearly 800 people who received the e-mail.
Here's the e-mail that was sent:
The "OptionE" email sent to patients by the 56 Dean Street clinic pic.twitter.com/sBdcgV00FQ
— Karla Adam (@karlaadam) September 2, 2015
And the clinic's subsequent apology:
A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened [...]
— 56 Dean Street (@56deanstreet) September 2, 2015
While the public has grown accustomed to major data breaches -- from the leaking of credit card information to Web sites revealing details of extramarital affairs -- the revelation of intimate details about hundreds of people’s physical health by a major medical center has caught many by surprise.
Whoa. Yesterday at lunchtime, 56 Dean Street emailed a list of 780 patients, all HIV positive, and forgot to hide the recipient list.
— Sam (@hardfemme) September 2, 2015
Elliot Herman, a 38-year-old writer from London, told The Washington Post that his husband was one of the 780 people who received the e-mail on Tuesday around lunchtime.
“The bigger issue is not just privacy, but stigma,” Herman said. “Because it’s an HIV service there’s a stigma attached to all these names, the fact that people might or possibly have HIV, and that shouldn’t be a thing. Someone else on the list, a friend of mine, who incidentally had never told me that he was HIV-positive, he messaged me to say he counted to say there were 780 names.”
Herman said he filed a complaint to the National Health Service trust that runs the clinic. “They sent an e-mail today explaining what steps they are taking to make sure it can’t happen again,” he said.
The clinic realized its error shortly after it sent the e-mail. Within the hour, it sent a follow-up note asking recipients to delete the e-mail.
“It didn’t do anything other than draw attention to the mistake,” Herman said.
Alan McOwan, the lead clinician at 56 Dean Street, has apologized profusely for the error.
“Hands-up, we screwed up on this,” McOwan told the BBC. “We will do everything we can to rebuild the trust of the communities we serve.”
In an e-mailed statement, the Chelsea and Westminster National Health Service trust blamed the mistake on an administrative error. “We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients. We have immediately contacted all the e-mail recipients to inform them of the error and apologize,” the statement read.
While the data breach has been called appalling, many on social media quickly rallied behind the clinic, praising it for its work.
Before everyone reaches for the pitchforks - this is one, yes sad, accident. @56deanstreet do amazing, life saving, work every single day
— Lex (@toddlerlex) September 2, 2015
Yes, @56deanstreet have made an absolutely massive error but they do incredible, valuable, necessary work - let's remember that as well.
— Ryan Nelson (@RyanJohnNelson) September 2, 2015
I've been to Dean Street clinic numerous times. Their services are invaluable to gay AND straight people. This was human error. It happens.
— Padraig Prendergast (@paudieaudi) September 2, 2015
A spokesman for Britain’s Information Commissioner’s Office said that the agency is making inquiries into the details of this case. It can issue fines of up to 500,000 pounds ($764,000) for personal data security breaches.
We are aware of the incident regarding the 56 Dean Street clinic and are making enquiries
— ICO (@ICOnews) September 2, 2015