56 Dean and the Data
- Anton
- Oct 9, 2015
The identities and email addresses of 780 HIV-positive patients of the 56 Dean Street clinic in London were accidentally revealed on September 2, when those patients were sent the clinic’s OptionE monthly email newsletter as part of a group email. The recipients of this email included many people who had wished to keep their HIV status private. Many email newsletter services exist specifically to prevent negligent mistakes like this. Had the patients’ addresses been placed in the blind carbon copy (bcc) field of the newsletter instead of the “to” field, all 780 patients would have received the newsletter without any of them seeing the others’ addresses. Dean Street sent out an apology email shortly after, urging recipients to delete the first email they received.
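The difference between the two ways of addressing a group mailing is easy to see in code. The following Python example is added here and is not part of the original post or of any software the clinic used: it reproduces the mistake (every address in the visible To header), builds the bcc form, and adds the kind of outbound check a newsletter tool applies before handing a message to the mail server. The addresses are constructed placeholders and nothing is sent; the only external fact relied on is that `smtplib.SMTP.send_message` removes Bcc headers from the transmitted message and uses them as envelope recipients.

```python
"""Group-mailing hygiene: keep recipient lists out of visible headers.

Added example. Addresses are constructed placeholders; no mail is sent.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholder addresses, not real people).
SAMPLE_RECIPIENTS = [f"patient{i}@example.invalid" for i in range(1, 6)]
SENDER = "newsletter@clinic.example.invalid"


def _new_message(body):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Monthly newsletter"
    msg.set_content(body)
    return msg


def build_leaky_newsletter(recipients, body):
    """Reproduces the mistake: every recipient is listed in the To header,
    so each recipient can read the full distribution list."""
    msg = _new_message(body)
    msg["To"] = ", ".join(recipients)
    return msg


def build_bcc_newsletter(recipients, body):
    """The bcc form: recipients go in Bcc, and To carries only the sender.
    smtplib.SMTP.send_message deletes the Bcc header before transmission
    and uses those addresses as envelope (RCPT TO) recipients."""
    msg = _new_message(body)
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    return msg


def individual_messages(recipients, body):
    """What most newsletter services actually do: one message per recipient,
    so no message ever carries more than its own recipient's address."""
    messages = []
    for addr in recipients:
        msg = _new_message(body)
        msg["To"] = addr
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses a recipient would see in the delivered message (To and Cc).
    Bcc is deliberately excluded: it is not delivered to recipients."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def envelope_recipients(msg):
    """Everyone who will actually receive the message (To, Cc and Bcc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def outbound_gate(msg, max_visible=1):
    """Pre-send check: refuse any message that would disclose a recipient
    list through its visible headers. Returns (allowed, reason)."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses exposed in To/Cc; use Bcc or per-recipient sends"
    return True, "ok"


def strip_bcc_for_transmission(msg):
    """What the submitting client must do if it drives SMTP by hand:
    remove Bcc before the message body is sent (send_message does this itself)."""
    del msg["Bcc"]
    return msg


if __name__ == "__main__":
    leaky = build_leaky_newsletter(SAMPLE_RECIPIENTS, "This month's news.")
    print("leaky :", outbound_gate(leaky))
    safe = build_bcc_newsletter(SAMPLE_RECIPIENTS, "This month's news.")
    print("bcc   :", outbound_gate(safe), "delivers to", len(envelope_recipients(safe)))
    strip_bcc_for_transmission(safe)
    print("bcc header after stripping:", safe.get_all("Bcc"))
```

The gate is the part worth keeping: a threshold on visible recipients is a cheap control that would have blocked the September 2 message regardless of how the operator composed it.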
A week later, they sent out another email newsletter, apologising yet again and informing patients of the steps they had taken to rectify the situation. According to the September 8 newsletter, Dean Street suspended all further OptionE group emails, hosted the OptionE newsletter on the 56 Dean Street webpage instead of sending it by email, deleted all patient information from their Outlook contact list, and imposed a two-hour delay on all OptionE emails so that any message can be stopped before it goes out in future. Dean Street also set up a helpline for anyone who may have required counselling or emotional support as a result of this data breach.
In addition to this, Dean Street emphasised the legal position going forward, specifically that, “It is a criminal offence under the Data Protection Act to deliberately publish/further disclose sensitive personal data without a legally legitimate reason for doing so. To this end, any individual who chooses to further distribute the data in this way runs the risk of prosecution.” This raises the question: does data protection still apply to a list that has already been made public?
According to Buzzfeed News, only patients who used Dean Street’s OptionE service, which allows patients to set appointments and see test results by email instead of over the phone, were automatically signed up for the OptionE email newsletter. The fact that the 780 recipients of the email newsletter are the only ones who had access to the breached data leads me to think that the information can be well contained, especially for a data breach of this size. In addition, the actions Dean Street took to change their email operations in the wake of this data breach show that they have made further attempts to contain the spread of this information.
According to Schedule 7 of the Data Protection Principles in the Data Protection Act, “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” The way the personal data was processed in this situation is, of course, unauthorised and unlawful, and therefore Dean Street is the subject of two separate formal investigations, one on behalf of the NHS Information Commission (ICO), and another through the Chelsea and Westminster Hospital, with which Dean Street is affiliated.
We have already seen Dean Street apologise and take responsibility for what happened, but if that personal data were to be made even more public by a third party, for example by a malicious individual posting the names and email addresses to an online forum, the ICO would be forced to take action against that individual, not against Dean Street and Chelsea and Westminster Hospital. Just because the information was publicly revealed does not change the status of the data as personal data, and therefore it is still protected under the Data Protection Act.