Gender identity clinic investigating data security incident after patient email leak
The Charing Cross Gender Identity Clinic in London is investigating a 'data security incident'. The clinic supports adults with issues related to gender. It has patients who are transitioning or considering doing so from across the UK.
Tavistock and Portman NHS Foundation Trust run the clinic. According to a statement on its website, the breach exposed the email addresses of many of its patients.
The statement reads:
"We are currently investigating a data security incident.
"This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.
"We are hugely apologetic and understand that this is a serious data breach."
Approximately 2,000 people are exposed
Two separate emails were sent to Charing Cross Gender Identity Clinic patients. In total, the personal details of almost 2,000 trans patients are reported to have been exposed.
This is a massive breach of patient confidentiality and people are understandably upset. Speaking to the media, one patient said: "It could out someone, especially as this place treats people who are transgender".
There are also concerns that being outed as trans "could be hugely dangerous to their wellbeing and safety."
The breach was caused by human error
Most security breaches happen because of distractions or mistakes, and that certainly seems to be the case here. In fact, failing to use the blind carbon copy (bcc) field when sending to multiple recipients, so that every recipient can see every other address, is a common cause of data breaches.
Often this happens because strict policies and procedures are not in place to ensure the safe processing of information. Or, staff have not received regular data protection training to make sure they understand the potential consequences of breaching data protection laws. In this case, the clinic also appears to be financially stretched and under-resourced.
However, the bottom line is that the Trust should have ensured better compliance to protect potentially vulnerable patients and maintain their privacy.
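The failure mode described above can be made concrete in code. The following is an added example, not code belonging to the Trust, the clinic or the article: it builds the same invitation both the unsafe way (every invitee in the visible To: header) and the safe way (only the sender in the visible headers, with the real recipient list handed to the mail transport as envelope recipients, which is what bcc does), and adds a pre-send check that refuses a bulk mailing that would expose addresses. All addresses and the sender name are constructed sample values.

```python
"""Added example: sending a bulk invitation without exposing recipient addresses.

The addresses below are constructed sample values, not real patients.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses).
INVITEES = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]

# Hypothetical sender address for the team issuing the invitation.
SENDER = "ppi-team@example.org"


def build_unsafe_message(recipients):
    """The mistake from the article: every invitee lands in the visible To: header,
    so each recipient sees everyone else's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Invitation: art project"
    msg.set_content("You are invited to take part in our art project.")
    return msg


def build_safe_message(recipients):
    """The bcc pattern: visible headers name only the sender. The real recipient
    list is returned separately and is passed to the transport as SMTP envelope
    recipients, so nothing in the transmitted message lists the other invitees."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = f"Undisclosed recipients <{SENDER}>"
    msg["Subject"] = "Invitation: art project"
    msg.set_content("You are invited to take part in our art project.")
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient would see in the To: and Cc: headers."""
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(fields)]


def precheck(msg, envelope_recipients, sender=SENDER):
    """Refuse a bulk mailing that would expose recipient addresses.

    Raises ValueError when more than one envelope recipient exists and any
    address other than the sender's own is visible in To:/Cc:, or when a
    Bcc header has been written into the message itself."""
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if len(envelope_recipients) > 1 and exposed:
        raise ValueError(
            f"bulk mailing would expose {len(exposed)} recipient address(es): {exposed}"
        )
    if "Bcc" in msg:
        raise ValueError("Bcc header must not be present in the transmitted message")
    return True


class DryRunSMTP:
    """Stand-in transport that records what would be sent instead of sending.
    It mirrors the smtplib.SMTP.send_message(msg, from_addr, to_addrs) signature,
    so a real smtplib.SMTP connection can be dropped in unchanged."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.sent.append((from_addr, list(to_addrs or []), str(msg["To"])))


def send_invitation(recipients, smtp):
    """Build the safe message, run the check, then hand the envelope recipient
    list to the transport. Returns the number of envelope recipients."""
    msg, envelope = build_safe_message(recipients)
    precheck(msg, envelope)
    smtp.send_message(msg, from_addr=SENDER, to_addrs=envelope)
    return len(envelope)


if __name__ == "__main__":
    transport = DryRunSMTP()
    print("sent to", send_invitation(INVITEES, transport), "envelope recipients")
    print("visible To: header:", transport.sent[0][2])
```

The check is deliberately placed in front of the transport call rather than relying on staff remembering the bcc field: a mailing tool that refuses to send when more than one address would be visible turns the human error into a hard failure before any message leaves the organisation.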
What happens now?
The Charing Cross Gender Identity Clinic data breach has been reported to the Information Commissioner's Office (ICO) and is now being investigated. The Trust is also treating the privacy violation as a serious incident.
The ICO could fine the Charing Cross Gender Identity Clinic
Where adequate processes and protections are not in place, the ICO does have the power to issue fines.
For example, an independent inquiry into child sexual abuse was fined £200,000 by the ICO after sending a bulk email that identified possible abuse victims. In this case, an officer sent an email to 90 people involved in a review without using bcc. This allowed the recipients to see each other's email addresses and identified them as possible victims of child sexual abuse. In 2016, the ICO also fined another London clinic £180,000 after it leaked the email details of almost 800 patients diagnosed as HIV positive.
These fines were issued before the introduction of the GDPR in 2018, so a penalty for Tavistock and Portman could be much higher. However, it's important to note that, while the ICO does hand out fines, it does not award compensation to victims of data breaches.
Make a claim against the Charing Cross Gender Identity Clinic
Data breaches are not just caused by cybercriminals. Every day we hear how simple human errors are causing misery and upset to people across the UK. And, given the nature of this data breach, the emotional distress to patients should not be underestimated. Furthermore, this breach could potentially put people in serious danger.
Of course, there are concerns that claiming compensation could take money from an already underfunded clinic. However, in 2019, all organisations should have insurance in place to protect against such threats.
What's more, while you might support the clinic, it must meet its legal obligations when it comes to protecting sensitive data. Where an organisation fails to do this, holding it to account is often the only way to ensure standards are improved.