The Information Commissioner’s Office has fined the Bloomsbury Patient Network (BPN) after it inadvertently revealed the identities of HIV patients on two occasions by placing all the addresses on a newsletter distribution list in the “to” field instead of the “bcc” field.
BPN was fined £250, which may seem somewhat mild considering the potential embarrassment to individuals.
According to the monetary penalty notice:
On or about 17 February 2014, a Patient Representative sent an e-mail newsletter to between 60 and 200 service users on BPN’s distribution list who all had HIV. The e-mail addresses were entered into the “to” field instead of the blind carbon copy (“bcc”) field. The recipients of the e-mail could therefore see the e-mail addresses of all the other recipients.
The Patient Representative agreed to be more careful when sending future e-mails. However, there was no formal guidance or training to remind the Patient Representative to double check that the group e-mail addresses were entered into the correct field.
Further, BPN did not replace the e-mail account it was using with an account that could send a separate e-mail to each service user on the distribution list.
On 6 May 2014, the same Patient Representative sent an e-mail to 200 service users on BPN’s distribution list. The group e-mail addresses were again entered into the “to” field in error. The Commissioner understands that 56 out of the 200 group e-mail addresses contained the full or partial names of service users.
Five service users filed formal complaints with the ICO about the disclosure.