Jeremy Hunt says HIV patient data breach 'completely unacceptable'


The identities of hundreds of HIV-positive patients have been mistakenly circulated after a data breach at a clinic

The 56 Dean Street clinic in London's Soho sent a newsletter to about 780 patients on a group email, rather than to individuals.

It contained the names and email addresses of patients who had attended HIV clinics at Dean Street, which is part of the Chelsea and Westminster Hospital NHS Foundation Trust.

Alan McOwan, Chelsea and Westminster Hospital trust's director for sexual health, said the mistake was realised "within minutes" and every patient was being contacted individually.

He said: "A  member of staff who usually sends out the monthly email pasted the email addresses into the CC bit of the box rather than the blind CC bit.

"The member of staff is clearly devastated by what happened."

An internal investigation had been launched and all mass emails to patients have been stopped, he said.

He said it was not accurate to say every patient on the list was HIV positive.

Health Secretary Jeremy Hunt described the breach as "completely unacceptable".

Speaking at the NHS Innovation Expo conference in Manchester, he said patients needed to have confidence that the NHS would look after personal data.

"The truth is that we will throw this all away if we lose the public's trust in our ability to look after their personal data securely," he said.

"Nothing matters more to us than our own health but we must also understand that for NHS patients, nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security.

"The truth is the NHS have not won the public's trust in our ability to do this as today's completely unacceptable data breach at the Dean Street surgery demonstrates."

The monthly newsletter was sent to patients signed up to the clinic's OptionE service, which lets people book appointments and receive test results by email.

The clinic originally tried to rectify its mistake by using Microsoft Outlook's recall feature.

This was followed by an email apology from Mr McOwan to patients.

Online magazine beyondpositive, which is for people living with or affected by HIV, said it had been contacted by patients affected by the breach.

Editor Tom Hayes said: "This is a huge breach of confidentiality."

He said trust between clinics and patients can take a long time to build up.

"One person who contacted us said they were going to transfer their care to another clinic because that trust had gone," he said.

"There may be friends finding out things about other friends because of this."

One patient said. "There are several names I recognise from the list and, while I am of course being discreet, I am not sure I trust every other person on the list to do the same."

The newsletter contained details of physiotherapy sessions, mindfulness stress reduction courses and new telephone consultation clinics run by the service.

Another patient whose details were exposed by the email said the NHS has "no way of controlling who sees this information now and, in the wrong hands, this list could be dynamite".

He told The Guardian: "I find it impossible to believe that in this day and age this can happen. I was able to scroll down the list and identify the names of a number of people who I knew, some of whom I was unaware of their status."

The Information Commissioner's Office (ICO), which can levy fines of up to £500,000 for significant data breaches, said on Twitter that it was investigating the matter.

The National Aids Trust said it was "deeply concerned" by the leak.

Chief executive Deborah Gold said: "Confidentiality is crucial to people living with HIV.

"Who people disclose their HIV status to is an extremely personal decision - this type of leak will be very distressing and should not have been possible."