
Reprimand for NHS Highland after 'serious' email data breach


By Val Sweeney



NHS Highland has been issued with a formal reprimand after email addresses of people accessing HIV services were sent to others by mistake.

The Information Commissioner’s Office (ICO) said it was a "serious breach of trust".

NHS Highland has apologised for the breach of confidentiality and said it is doing everything possible to prevent a repetition of the mistake.

The error happened in June 2019 when the health authority emailed 37 people, inadvertently using CC (carbon copy) instead of BCC (blind carbon copy).

Recipients could see the personal email addresses of others receiving the email, with one person confirming they recognised four other individuals including a previous sexual partner.

Attempts were made to recall the email but they were not successful.

Later the same day, NHS Highland received a number of phone calls from recipients, and a patient also attended a clinic and advised that all email addresses were visible.

The ICO’s investigation determined that the distress and damage that may have been caused could be significant.

Two patients submitted formal complaints to NHS Highland. One of these patients made more than one complaint.

The ICO could have issued a £35,000 fine but instead issued a reprimand.

NHS Highland has included ICO recommendations in its information governance action plan and will provide an update to the ICO in June.

Stephen Bonner, ICO deputy commissioner for regulatory supervision, said: "What we saw here with NHS Highland was a serious breach of trust, and those accessing vital services failed.

"The stakes are just too high.

"Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.

"HIV service providers must set the highest standard for themselves and their service users.

"Every HIV service provider in the country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe."

A spokesman for NHS Highland said the health authority was sorry that the breach of confidentiality had happened.

"We acknowledge and accept the findings of the Information Commissioner and are doing all we can to prevent a repetition of this incident," he said.

"Since this incident, NHS Highland has changed email domain as part of a national roll out. We continue to work closely with domain providers to examine options to prevent similar events happening in the future and to ensure we are adhering to the recommendations of the Information Commissioner.

"We would take this opportunity to again apologise - unreservedly - to everyone who was affected by this incident."

