A blog considering the legal position of patients recently affected by the data breach of a London HIV clinic.
An NHS funded HIV clinic in London has inadvertently disclosed the names of hundreds of its patients in sending out a group email; this breach of confidential information is being investigated by the Information Commissioner’s Office and may lead to many legal claims for compensation.
On 1st September a member of staff at the Dean Street HIV clinic in London sent a group email of its newsletter to its patients; as a result of this human error the email recipients were all included in the open “to” list rather than being hidden by blind copy into the email. There were 780 patients affected by this breach of confidential patient identity information. Not only did this error reveal patient names, but it also revealed their email addresses.
The Trust who manage the clinic, Chelsea and Westminster hospital NHS Trust, have made a direct apology to all of those involved.
The Health Secretary, Jeremy Hunt, commented that the leak of such private information threatened to damage “the public’s trust in our ability to look after their personal data securely…..If we are going to win that trust, we need to strengthen the independent oversight of data security within the NHS to a level that we don’t have at the moment.”
It is thought that this error should never have been possible due to specialist computer software (encryption systems) which should be in place to prevent a computer operator from sending out any private information.
Many patients are now looking for answers as to how this significant breach of data happened and for the clinic to be held to account by the Information Commissioner, who deal with all serious breaches of the Data Protection Act. The ICO have powers to impose financial sanctions on the clinic but cannot award individuals compensation; this must be done through the normal civil Courts system.
It has been normal practice up to now that only those who have suffered financial losses or distress relating to financial losses as a result of a breach of confidential information who could claim compensation. A recent case  brought against Google has however widened the scope to include those who have suffered only “distress”. Therefore compensation may be awarded even if you have not suffered financial losses as a result of the breach, the level of which will be dependent on the nature of the distress suffered. There may also be a claim under the Human Rights Act.
The recent case law is however being challenged in the Supreme Court and the NHS may wish to await the outcome of the Supreme Court decision before agreeing to any claims for compensation.
We have already been approached by a number of patients affected by this awful breach of their privacy. As patients in the NHS system they had full trust in the clinic caring for them and this breach has now resulted in exposure of very private information about their health. Some patients had not informed families, friends or employers of their HIV status and have suffered great anguish that they may now need to do so.
As each case is different and the law relating to data breach claims is complex, those affected are strongly advised to seek legal advice regarding their options.