56 Dean Street fined £180,000 by ICO

9 May 2016

The 56 Dean Street clinic in London’s Soho has been fined £180,000 by the Information Commissioner’s Office after an email blunder led to the leak of almost 800 email addresses of patients.

The fine is one of the largest to be imposed on an NHS trust by the ICO, although it falls well short of the £325,000 that Brighton and Sussex University Hospitals NHS Trust received for breaching the Data Protection Act in 2012, after a contractor it paid to destroy hard drives instead sold them on eBay.

Information commissioner Christopher Graham said the size of the fine reflected 56 Dean Street’s “serious breach of the law”, which occurred after an email newsletter about its HIV services was sent out as a group email, with the email addresses of recipients revealed to one another.

“People’s use of a specialist sexual health clinic is clearly sensitive personal data,” Graham added in a statement. “The law demands that this type of information is handled with particular care, following clear rules and, put simply, this did not happen.”

56 Dean Street is an innovative clinic run by Chelsea and Westminster NHS Trust that serves a high-risk community in central London.

The email breach occurred in September 2015, and the trust immediately apologised, set up a helpline for patients, and promised a full investigation. The service initially received considerable support from users on social media.

However, Graham said: “It is clear that this breach caused a great deal of upset to the people affected.”

He also revealed that it was not the first time the trust had run into this kind of problem, and that a pharmacy employee had emailed an HIV treatment questionnaire to 17 patients in 2010 using the ‘to’ field rather than the ‘bcc’ field.

Graham said this “only adds” to the seriousness of the later breach. The trust’s medical director, Zoe Penn, said it accepted the ICO’s ruling and was working hard to make sure it did not happen again.

“I reiterate my apology to all those who were affected by this incident,” she said. “We have kept in touch with affected individuals, with their consent, to update them on the actions we have taken and will continue to take in order to prevent others from being put in a similar situation in the future.”

The Information Commissioner's Office is able to issue fines of up to £500,000 for breaches of the Data Protection Act that are "serious" and that cause "substantial distress."

The fines are paid into HM Treasury's Consolidated Fund, and are not kept by the ICO. A new information commissioner, Elizabeth Denham, is due to take over this summer.
