The Charing Cross Gender Identity Clinic, an NHS gender identity clinic, has mistakenly exposed details of nearly 2,000 transgender patients on its email list.
According to a report from The Guardian, patients of the said clinic received an email on Friday containing hundreds of other patient’s names and email addresses. As explained by the clinic, the security incident stemmed from a mistake made by a staff member, who sent an email regarding an art competition run by the clinic to about 900 people accidentally CC-ed on it.
“We are currently investigating a data security incident,” said the trust’s spokesperson. “This incident involved an email from our patient and public involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.”
As reported by BBC, the clinic tried to halt the delivery of the message, however, the error had already been noticed to the recipients. To date, the Tavistock and Portman NHS Foundation Trust, which is responsible for the clinic, is investigating the said data breach.
“This is a horrendous breach of privacy. It’s very alarming because it could have an impact on people’s lives,” Shon Faye, an LGBT campaigner and a victim of the security incident, told The Guardian. “It could lead to people being outed to family members or to their communities as being trans, where it may be a risk to them being known to be trans. That could be hugely dangerous to their wellbeing and safety.”
In 2016, an NHS Trust was fined £180,000 after a similar security incident involving 800 patients happened. Under the said case, a sexual health centre is reported to have mistakenly leaked the details of patients who had attended HIV clinics.
“I feel sorry for the staff member who sent the email. I hope they’re OK. This was an accident on their part. But the Trust should have ensured better compliance and confidentiality. It’s an institutional failing,” added Shon Faye.
In a statement, the ICO confirmed that the Charing Cross Gender Identity Clinic had notified their office about the incident.
“All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us,” the statement added.