
NHS Highland rapped by ICO for HIV patient data leak

The health service body was careless with an email and exposed patients' information. But it avoided a costly fine.

By Claudia Glover

NHS Highland has been reprimanded for a “serious breach of trust” after an error led to data on 40 patients linked to HIV treatment systems being leaked. Data watchdog the Information Commissioner’s Office (ICO) says the health service organisation must apply higher standards when protecting such sensitive data.

NHS Highland leaks dozens of HIV patients’ data leading to a reprimand from the ICO. (Photo by rafapress/Shutterstock)

The ICO applied its “public sector approach” in sanctioning the body: it issued a reprimand rather than the £35,000 fine that a private sector organisation would have received for the same failure.

NHS Highland is the largest of 14 regional health bodies in Scotland, covering the care of 320,000 people.

NHS Highland data breach: patient information leaked

The breach occurred when NHS Highland sent an email to all of its HIV service patients that exposed the entire mailing list, giving every recipient access to the other patients' names and email addresses.

The health service inadvertently used the carbon copy (CC) field instead of the blind carbon copy (BCC) field, leading some patients to recognise one another. One recipient confirmed they recognised four individuals, one of whom was a previous sexual partner.
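The CC/BCC mistake described above is a classic "non-cyber" breach: the message itself is harmless, but the visible header leaks the recipient list. The guardrail below is an added example, not NHS Highland's or the ICO's code. It checks a message before a bulk send and rejects it if more than one external address would be visible in To/Cc, or if the patient list is not in Bcc at all. The domain `example.nhs.uk`, the addresses and the policy threshold are constructed for the example.

```python
"""Pre-send guardrail for bulk mail to a sensitive-service patient list.

Constructed example: refuse any message that would reveal the mailing
list through the visible To/Cc headers instead of Bcc.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy values for this example (not from the article).
MAX_VISIBLE_RECIPIENTS = 1              # at most one visible address, e.g. the service mailbox
INTERNAL_DOMAINS = {"example.nhs.uk"}   # hypothetical sender domain, constructed


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients will be able to see (To and Cc)."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def check_bulk_message(msg: EmailMessage) -> list[str]:
    """Return policy violations for a bulk message; an empty list means it may be sent."""
    problems = []
    visible = visible_recipients(msg)
    # Addresses outside our own domain are the patients; they must never be visible.
    external = [a for a in visible if a.split("@")[-1] not in INTERNAL_DOMAINS]
    if len(external) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(external)} external addresses are visible in To/Cc; move them to Bcc"
        )
    # A bulk send with patients visible and nobody in Bcc is the exact failure mode here.
    bcc = [a for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    if external and not bcc:
        problems.append("bulk message has no Bcc recipients")
    return problems


def build_message(to: list[str], cc: list[str], bcc: list[str]) -> EmailMessage:
    """Construct a sample message with the given recipient lists (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "hiv.service@example.nhs.uk"
    msg["Subject"] = "Clinic opening hours"
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Please note our revised opening hours.")
    return msg


if __name__ == "__main__":
    patients = ["p1@example.org", "p2@example.org", "p3@example.org"]
    # The mistake: patients placed in Cc, visible to everyone.
    print(check_bulk_message(build_message(["hiv.service@example.nhs.uk"], patients, [])))
    # The correct form: patients in Bcc only.
    print(check_bulk_message(build_message(["hiv.service@example.nhs.uk"], [], patients)))
```

Run the check in the sending path, not as a reminder to staff: a control that depends on a person remembering to click BCC is the control that failed here. Note also that `smtplib.SMTP.send_message` strips the `Bcc` header before transmission, so the Bcc list is only safe if the message is handed to that path rather than serialised with the header still present.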

Stephen Bonner, ICO deputy commissioner, expressed deep concerns over the lacklustre treatment of such sensitive data. “The stakes are just too high,” he said. “Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.”

The highest standards must be set by the services when working with such potentially damaging data, he added. “Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” said Bonner.


Nearly one thousand of these so-called “non-cyber” breaches have been reported since 2019, the ICO says. “Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately exposed to others,” a statement said.

Data breaches in the NHS can be costly

NHS data leaks can be highly damaging. In February of last year, personal data from tens of thousands of people was leaked in a massive data breach that included details of medical procedures of adults and children.

This was leaked from a third-party supplier of patient letter print fulfilment and dispatch, PSL Print Management. The breach happened when an employee, who was in dispute with the company, requested all emails and texts related to their employment. They were instead sent a memory stick appearing to be full of the contents of the firm’s entire email server, featuring data apparently from patients.

In 2020, the NHS was penalised again after more than 100 staff accounts were breached: some 113 NHS email accounts were compromised in phishing attacks.
