• Christine Mould
  • 3 September 2015

NHS causes major data protection breach

The NHS Sexual Health Clinic in Soho that sent out a newsletter on Tuesday disclosing the names and email addresses of about 780 people has apologised and pledged to investigate how the breach occurred. This newsletter was for people using its sexual health services and included details of treatments and support, and instead of hiding the personal details of those on its recipient list it included their full names and email addresses.

This privacy breach is thought to be one of the biggest of its kind and in response the Care Quality Commission is due to conduct a thorough and independent review into the existing data security measures that the NHS has and the effectiveness of these. This review will look at how the NHS can improve its security against cyber attacks and ways to prevent staff from inadvertently disclosing confidential and sensitive information.

The Information Commissioner’s Office (ICO) said that it was currently making enquiries into the incident; it can levy fines of up to £500,000 for significant data breaches.

A spokesman for the clinic said the breach was down to a “human mistake”, but this privacy breach brings into focus how data security is managed and how important it is to ensure that policies are in place to reduce the likelihood of incidents like this reoccurring in the future.

The Data Protection Act (DPA) 1998 says, "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Any organisation that stores personal data must be fully aware of and compliant with the DPA.