Apology follows HIV data error.

A London health centre has apologised after accidentally revealing details of 780 patients, many of whom are living with HIV.

Afterwards, Health Secretary Jeremy Hunt ordered an inquiry into how the NHS handles confidential medical information after the “completely unacceptable” breach of privacy by the 56 Dean Street clinic.

The patients’ details, including names and email addresses, were sent with an online newsletter that is intended for people using the clinic’s HIV and other sexual health services and gives details of treatments and support. It was meant to be ‘blind-copied’ rather than sent as a group email.

Jeremy Hunt said the Care Quality Commission (CQC) would conduct a thorough and independent review of the effectiveness of existing data security measures in the NHS and recommend changes.

The inquiry will also look into how the NHS can strengthen its security against cyber-attacks and reduce the risk of staff inadvertently disclosing sensitive information.

The health secretary said the inquiry was vital to ensure patients could be confident that the health service will properly safeguard details of their health and treatment records.

He told delegates at NHS England’s annual conference in Manchester: “We will throw this all away if we lose the public’s trust in our ability to look after their personal data securely.

“Nothing matters more to us than our own health, but we must also understand that for NHS patients nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security.

“The NHS has not won the public’s trust in our ability to do this as this completely unacceptable data breach at the Dean Street surgery demonstrates.”

The clinic, run by the Chelsea and Westminster NHS trust, apologised shortly after sending the email and pledged to investigate how the breach had occurred.

Britain’s data protection watchdog is also likely to launch an investigation into the privacy breach, thought to be one of the biggest of its kind.

The newsletter was sent to about 780 patients who had signed up to the clinic’s Option E service, which allows people to book appointments and receive test results by email. Instead of hiding the personal details of those on its recipient list, it included their full names and email addresses.

Fines for breaches of data protection can reach £500,000.