On 6 September 2019, a London gender identity clinic exposed details of almost 2,000 people on its email list.
Charing Cross Gender Identity Clinic sent out a mass email disclosing to the recipients the email addresses of patients. We understand that two separate emails were sent, with about 900 people CC-ed on each email. The emails were sent from the ‘Patient and Public Involvement’ team at the Clinic discussing an art project. The unauthorised disclosure of almost 2,000 individuals’ data resulted from the email addresses of those invited to participate in the art project being placed in the ‘To’ field instead of the ‘BCC’ field, thereby making the email addresses visible to every other recipient.
It is understood that those affected are all adults, who are or were patients at the South West London clinic. The Clinic describes itself on its website as providing “holistic gender care, focusing on the biological/medical, psychological and social aspects of gender”. Given the Clinic’s role, the disclosure of patients’ identities is a serious data breach of sensitive personal data, with potentially serious consequences.
Tavistock and Portman NHS Foundation Trust, the Trust responsible for the Charing Cross Clinic, issued a statement in which the Trust expressed its ‘sincerest apologies’ for the incident and provided any affected individuals with information regarding support and its complaints procedures. The Trust confirmed it has reported the breach to the Information Commissioner’s Office (ICO) and is treating the data leak as a ‘serious incident within the Trust’.
This story is unfortunately too familiar. In 2016, the 56 Dean Street clinic in London, a sexual health clinic operated by the Chelsea and Westminster NHS Foundation Trust, was fined £180,000 by the ICO for a similar incident involving a newsletter sent out in 2015 that mistakenly revealed the recipients’ email addresses to one another. The error meant that 781 people who had attended HIV clinics and opted in to an online service had visibility of the names and email addresses of other patients.
Both this latest data leak and the 56 Dean Street clinic error were preventable. Not only do such incidents cause significant harm and distress to those whose personal data is unlawfully disclosed, but they have the potential to cause untold reputational damage to the NHS, including to patients’ confidence that their special category personal data will be handled properly.
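Both incidents came down to the same mechanical mistake: individual recipients placed in the visible ‘To’ or ‘CC’ headers rather than ‘BCC’. The example below is added here and is not code from the Clinic, the Trust or the ICO; it shows the kind of outbound check a mailing tool can apply before a bulk message leaves, with the recipient limit and the sample addresses constructed for illustration.

```python
"""Guard against the To/Cc mass-mailing mistake described above.

Added example, not from the clinic, the Trust or the ICO. The policy
threshold and the sample addresses below are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Policy assumption: a bulk mailing may show at most this many addresses in
# the visible To/Cc headers (normally just the sending team's own address).
MAX_VISIBLE_RECIPIENTS = 1


class RecipientExposureError(ValueError):
    """Raised when a message would reveal recipient addresses to each other."""


def visible_recipients(msg: EmailMessage) -> list:
    """Return every address that all recipients of the message could see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def bcc_recipients(msg: EmailMessage) -> list:
    """Return the addresses that will receive the message without being shown."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_mass_mailing(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> int:
    """Reject a message that exposes more than `max_visible` addresses.

    Returns the number of visible addresses when the message passes (so the
    caller can log it) and raises RecipientExposureError otherwise.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise RecipientExposureError(
            f"{len(visible)} addresses in To/Cc exceed the limit of {max_visible}; "
            "individual recipients belong in Bcc"
        )
    return len(visible)


def is_safe_to_send(msg: EmailMessage) -> bool:
    """Boolean form of the check, convenient for a send-time gate."""
    try:
        check_mass_mailing(msg)
    except RecipientExposureError:
        return False
    return True


def build_exposed_mailing(sender: str, recipients: list, subject: str, body: str) -> EmailMessage:
    """Reproduce the mistake: every recipient listed in the visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_safe_mailing(sender: str, recipients: list, subject: str, body: str) -> EmailMessage:
    """Correct form: only the sender is visible, individuals go in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible address is the team's own
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    check_mass_mailing(msg)  # raises if the message still exposes anyone
    return msg


if __name__ == "__main__":
    # Constructed sample data: a list of the same size as one of the two emails.
    team = "ppi-team@example.invalid"
    patients = [f"patient{i}@example.invalid" for i in range(900)]
    exposed = build_exposed_mailing(team, patients, "Art project", "Hello")
    print("exposed message safe to send:", is_safe_to_send(exposed))  # False
    safe = build_safe_mailing(team, patients, "Art project", "Hello")
    print("safe message visible addresses:", visible_recipients(safe))
    print("safe message hidden recipients:", len(bcc_recipients(safe)))
```

When the safe message is handed to `smtplib.SMTP.send_message`, the standard library reads the Bcc header to build the envelope recipient list and removes that header from the copy it transmits, so the hidden addresses never reach another recipient's mailbox. The gate belongs in the tool rather than in the sender's memory: a check like `is_safe_to_send` run on every outbound bulk message would have stopped both of the emails described above.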
Under the General Data Protection Regulation (GDPR) introduced last year, data controllers are at risk of being fined by the ICO up to £20 million or 4% of their annual global turnover. The fine levied against Chelsea and Westminster NHS Foundation Trust was prior to the introduction of the GDPR, which increased the cap on fines. It remains to be seen what approach the ICO may take in its investigation into this data breach.
Individuals impacted by the data leak also have the option of claiming compensation. Due to the severity of the breach and the sensitive personal data disclosed as a result, there is a real potential for substantial claims against the Trust.
If you have been affected by this data breach and would like to receive further information about making a claim for compensation please get in touch with the Data Law team at JMW Solicitors.