LONDON -- It was a careless mistake that could happen to anyone: You click “cc” instead of “bcc,” accidentally revealing an e-mail address you meant to keep hidden.
But in the case of a leading sexual health clinic in London, the blunder meant mistakenly revealing the names and e-mail addresses of hundreds of HIV-positive patients.
On Tuesday, the 56 Dean Street clinic, one of Europe’s busiest sexual health care providers, sent out its monthly “OptionE Newsletter,” but it failed to hide the details of the recipients’ e-mail addresses. The names and e-mail addresses are now known to the nearly 800 people who received the e-mail.
While the public has grown accustomed to major data breaches -- from the leaking of credit card information to Web sites revealing details of extramarital affairs -- the revelation of intimate details about hundreds of people’s physical health by a major medical center has caught many by surprise.
Elliot Herman, a 38-year-old writer from London, told The Washington Post that his husband was one of the 780 people who received the e-mail on Tuesday around lunchtime.
“The bigger issue is not just privacy, but stigma,” Herman said. “Because it’s an HIV service there’s a stigma attached to all these names, the fact that people might or possibly have HIV, and that shouldn’t be a thing. Someone else on the list, a friend of mine, who incidentally had never told me that he was HIV-positive, he messaged me to say he counted to say there were 780 names.”
Herman said he filed a complaint to the National Health Service trust that runs the clinic. “They sent an e-mail today explaining what steps they are taking to make sure it can’t happen again,” he said.
The clinic realized its error shortly after it sent the e-mail. Within the hour, it sent a follow-up note asking recipients to delete the e-mail.
“It didn’t do anything other than draw attention to the mistake,” Herman said.
Alan McOwan, the lead clinician at 56 Dean Street, has apologized profusely for the error.
“Hands-up, we screwed up on this,” McOwan told the BBC. “We will do everything we can to rebuild the trust of the communities we serve.”
In an e-mailed statement, the Chelsea and Westminster National Health Service trust blamed the mistake on an administrative error. “We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients. We have immediately contacted all the e-mail recipients to inform them of the error and apologize,” the statement read.
While the data breach has been called appalling, many on social media quickly rallied behind the clinic, praising it for its work.
A spokesman for Britain’s Information Commissioner’s Office said that the agency is making inquiries into the details of this case. It can issue fines of up to 500,000 pounds ($764,000) for personal data security breaches.