
NHS Highland rapped over data breach affecting HIV patients

NHS Highland inadvertently exposed the personal data of individuals likely to be accessing HIV services in a lapse of email hygiene

The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Highland over a “serious breach of trust” after the health service inadvertently exposed personal details of patients likely to be accessing HIV services.

The incident unfolded when someone at the organisation emailed 37 individuals likely to be accessing HIV services, inadvertently copying their email addresses into the carbon copy (CC) field rather than the blind carbon copy (BCC) field.

Such a lapse is a common breach of email security hygiene and etiquette that in many instances would go unremarked. It is nonetheless a data breach, because every address placed in the CC field is visible to every recipient, and as a general rule none of the parties involved have consented to their contact details being shared with the others.
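The failure mode described above is one that a mail client or relay can catch before the message leaves the organisation. The following is an added example and is not code from the original article, NHS Highland or the ICO: a Python pre-send guard that counts the recipients visible in To and Cc and either refuses the message or moves everyone into Bcc. The threshold of one visible external recipient, the "trusted domain" exemption for internal colleagues, and every address in the sample message are assumptions constructed for the illustration.

```python
"""Pre-send guard against exposing one recipient's address to another.

Hypothetical example code (not NHS Highland's or the ICO's). The threshold,
the trusted-domain exemption and all sample addresses are assumptions.
"""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposureError(ValueError):
    """Raised when a message would reveal recipients' addresses to each other."""


def _addresses(msg, *headers):
    """Bare, lower-cased addresses found in the named headers (e.g. To and Cc).
    Empty tuples from unparsable or empty groups are dropped."""
    raw = []
    for header in headers:
        raw.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg, trusted_domains=()):
    """Recipients every other recipient can read (To and Cc), minus addresses
    in domains the sender treats as internal (assumed policy)."""
    trusted = {d.lower() for d in trusted_domains}
    return [a for a in _addresses(msg, "To", "Cc")
            if a.rpartition("@")[2] not in trusted]


def enforce_bcc(msg, max_visible=1, trusted_domains=(), auto_fix=False):
    """Return (msg, moved_addresses).

    If more than max_visible external recipients are visible, either raise
    (auto_fix=False, the safe default) or move every To/Cc recipient into
    Bcc and put an empty group in To so the message still has a To header.
    """
    visible = visible_recipients(msg, trusted_domains)
    if len(visible) <= max_visible:
        return msg, []
    if not auto_fix:
        raise RecipientExposureError(
            f"{len(visible)} recipients would see each other's addresses; "
            "use Bcc or send individually")
    moved = _addresses(msg, "To", "Cc")
    bcc = _addresses(msg, "Bcc") + moved
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = "undisclosed-recipients:;"   # RFC 5322 empty group
    msg["Bcc"] = ", ".join(bcc)
    return msg, moved


def build_sample():
    """Constructed message mirroring the failure mode: several service users
    placed in Cc alongside one internal colleague. All addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.nhs.test"
    msg["To"] = "colleague@example.nhs.test"
    msg["Cc"] = "user1@mail.test, user2@mail.test, user3@mail.test"
    msg["Subject"] = "Appointment reminder"
    msg.set_content("Your next appointment is booked.")
    return msg


if __name__ == "__main__":
    internal = ["example.nhs.test"]
    try:
        enforce_bcc(build_sample(), trusted_domains=internal)
    except RecipientExposureError as err:
        print("blocked:", err)
    fixed, moved = enforce_bcc(build_sample(), trusted_domains=internal,
                               auto_fix=True)
    print("moved to Bcc:", moved)
    print(fixed.as_string())
```

When the rewritten message is handed to `smtplib.SMTP.send_message`, the Bcc header is stripped before transmission, so every address still receives the mail while none of them sees the others. Raising rather than auto-fixing is the better default for a relay: a human should confirm that a bulk send to service users was intended at all.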

In light of the sensitive nature of data on HIV patients, many of whom still live with shame and stigma in spite of the dramatic medical advances that have rendered HIV a manageable medical condition, the ICO said there was “simply no excuse” for the breach.

“What we saw here with NHS Highland was a serious breach of trust, and those accessing vital services [were] failed,” said the ICO deputy commissioner for regulatory supervision, Stephen Bonner.

“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.

“Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe.”

In this case, the ICO has limited its action to a reprimand as opposed to a fine. This reflects changes made last year by incoming information commissioner John Edwards to scale back on fines issued to the public sector.

This was done on the basis that large fines against public sector organisations rarely affect directors and shareholders as they do in the private sector, and instead impact on the taxpayer in the shape of reduced budgets for vital services.

In a statement shared with media, NHS Highland acknowledged and accepted the ICO’s findings and said it was doing everything possible to avoid a repeat of the incident. It has already changed its email domain as part of a wider national rollout. The organisation has apologised unreservedly to the people affected.

Paul Holland, CEO of Beyond Encryption, commented: “Email is continually reported as a leading cause of data breaches, but it’s clear that both organisations and consumers are unaware of the security risks with using this communication channel.

“The latest research conducted by Beyond Encryption showed that a quarter of consumers had mistakenly shared personal information over email with the wrong recipient. It’s vital that organisations put adequate safeguards in place to mitigate human error and protect personal data.

“The pervasive use of email by organisations to share and request valuable personal information is also of significant concern. Almost three-quarters of consumers have been asked by businesses to share personal information over email, with a quarter stating they’ve had this information requested by health professionals, despite email being unsecured in nature.

“As this latest breach from NHS Highland shows, this is a highly concerning statistic, which raises serious questions as to how consumers' personal data is being protected. As we move into an increasingly digital age, organisations must put the appropriate tools in place to protect client and consumer data,” he said.
