Cyber-security experts criticise data handling processes after HIV clinic email error

Security experts have criticised the processes that allowed the names and email addresses of hundreds of HIV-positive patients in London to be revealed in an email newsletter.

Patients who expected anonymity instead saw their names sent to 780 other people
Patients who expected anonymity instead saw their names sent to 780 other people

This morning, hundreds of people who were signed up for the “Option E” service at the 56 Dean Street clinic in London received an email newsletter which disclosed not only their email address but also the names and email addresses of 780 other recipients.

The Option E service allows patients of the clinic, which provides HIV and other sexual health services, to book appointments and receive test results by email.

The clinic apologised and issued an email recall request shortly after it was sent but of course it was too late.

Patients of the clinic, interviewed by The Guardian, were distressed, complaining that they had no way of controlling who would see this information. Some recipients said they recognised names on the list of people they knew but of whom they were unaware of their HIV status.

Other patients said they would be disappointed if the breach overshadowed the “amazing work” of the clinic.

Health secretary Jeremy Hunt, speaking at the NHS Innovation Expo conference in Manchester, said the breach was “completely unacceptable”.

The government's itself has been criticised by privacy advocates for its plans to upload anonymised patient data to a national database to be used by drug companies, academics and researchers.

Unfortunately, this is not an isolated case, as Norman Shaw, CEO of ExactTrak noted: “It comes hot off the heels of the Thomson breach last week which was also a case of human error resulting in an email being sent that disclosed personal information.”

Shaw added: “It's ludicrous to think that at a personal level, hotmail will show us a pop up asking if we meant to attach something if it thinks we should have.  At an industry level, we don't get a pop up to say 'are you sure you want to cc 780 people into this email?'”

The prospect of the Information Commissioner fining the clinic £500,000 for the data breach didn't impress him, pointing out that this would just mean that much less money for the NHS.

“Instead, people who handle data need to be trained to do so correctly; organisations need to have technologies in place to deter people from making mistakes in the first instance; and the ICO needs to figure out a better way to enforce good data practices because it doesn't seem to be having any effect at the moment,” he said. “The amount of data we're dealing with is exploding exponentially so this is a problem that's only going to get worse without the proper attention from individuals, organisations and industry bodies.”

Tony Pepper, CEO of Egress said, “This is particularly frustrating when lessons could have been learned from similar breaches to improve employee education on data protection and best practice when handling sensitive information. While many organisations already have top-down policies and procedures in place, it is clear that often staff are not following these rules. Consequently, matching policy with smart information security technology is the best way to protect against human error.”

“Data protection should be of the upmost importance in environments like this. Unfortunately recent research by the Online Trust Alliance found that almost one-third (29 percent) of data losses are caused by staff – whether done maliciously or accidentally, so looking within your organisation for potential threats to data security is imperative,” said Luke Brown, vice president and GM, Europe Middle East Africa India & Latam at Digital Guardian.

“We have seen numerous data breaches like this over the last year and whilst businesses often recover it's the victims that continue to pay the price,” he added.

“The most tragic thing about this breach is that it was entirely preventable,” said Jacob Ginsberg, senior director at security company, Echoworx. “Solutions such as gateway encryption can scan email for sensitive content and automatically apply policy to stop data leaks before they start.”

Sign up to our newsletters