In a classic email snafu NHS Highland sent messages to 37 patients infected with HIV and inadvertently used carbon copy (CC) instead of Blind Carbon Copy meaning the recipients could see each other’s email addresses.
This is according to Britain’s data watchdog, the Information Commissioner’s Office, which has “reprimanded” the Health Board, which serves a regional population of some 320,000 people and has an annual operating budget of £780 million ($964 million).
The error took place in June 2019 when a member of staff opened the prior group email and copied all those on the list and emailed a newsletter to the the group of 37 “data subjects” – aka patients – without using BCC. Efforts to recall the mail failed.
Rather than issuing a £35,000 ($43,000) fine, the ICO is instead taking its “public sector approach” introduced in June 2022: working with senior leaders to “encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong.”
Patients wrongly told they’ve got cancer in SMS snafu
The ICO described the email error as a “serious breach of trust.” In a statement, Stephen Bonner, ICO deputy commissioner for regulatory supervision, said of the mistake:
“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organizations dealing with this type of information should take the utmost care with their personal data.
“Every HIV service provider in this country should look at this case and see it as a crucial learning experience. We are calling on organizations to raise their data protection standards and put the appropriate measures in place to keep people safe,” he said.
The ICO said using BCC incorrectly is within the top 10 “non-cyber breaches, with nearly a thousands reported since 2019.” This includes a blunder by HIV Scotland in 2021 when it dispatched an email to 105 individuals on the Community Advisory Network, comprised of patient-advocates representing people with the virus. In that case it was fined £10,000.
Also in late 2021, NHS Digital found itself in an embarrassing situation when it failed to hit BCC when sending invites to a NHS Digital’s Full Digital Breakfast: Let’s talk cyber event on four occasions. It also happened to the MoD that year. ®