Cc: vs. Bcc: Email Blunder Exposes 780 HIV Patients' Identities
"I find it impossible to believe that in this day and age this can happen," one patient said.
56 Dean Street, a sexual health clinic in London, recently sent a newsletter to HIV patients -- but the employee responsible made a basic email error. Instead of all recipients being blind copied (Bcc:) on the email, each recipient could view the approximately 780 other recipients' names and email addresses in the Cc: field.
It's a very common mistake, but it rarely has this kind of impact. Alan McOwan, Chelsea and Westminster Hospital trust's director for sexual health, told the Belfast Telegraph that the staff member is responsible is "devastated by what happened."
In a series of tweets, the clinic stated, "A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened. We’ve contacted everybody who’s affected to apologise and offer support. 56 Dean Street wants to offer the best care possible. This error means we’ve not met our usual standards."
"Once again, we are very sorry that this has happened," the clinic added. "If you’re worried you can call 020 3315 9555 and 020 3315 9594 to speak to a member of our team."
The Guardian reports that U.K. health secretary Jeremy Hunt has ordered an inquiry into how the U.K. National Health Service (NHS) handles confidential medical information following the "completely unacceptable" breach.
"Nothing matters more to us than our own health, but we must also understand that for NHS patients nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security," Hunt said. "The truth is the NHS have not won the public's trust in our ability to do this, as today's completely unacceptable data breach at the Dean Street surgery demonstrates."
One HIV patient who was copied on the email told the Guardian that "in the wrong hands, this list could be dynamite."
"I find it impossible to believe that in this day and age this can happen," he said. "I was able to scroll down the list and identify the names of a number of people who I knew, some of whom I was unaware of their status."
While the highly sensitive nature of the information exposed makes this incident particularly noteworthy, breaches like this happen with disturbing frequency.
Massachusetts' Alternative Therapies Group, a marijuana dispensary, last month sent an email addressed "Dear Patient," with 157 patients' email addresses listed in the Cc: field instead of the Bcc: field by mistake, Boston.com reports.
"We understand the sensitivity of personal information and deeply regret this error," Alternative Therapies Group said in a statement. "We assure you that proper controls will be implemented immediately to prevent this from happening in the future."
Also last month, the U.K.'s Rossendale Council mistakenly included 500 people's email addresses in an email about plans regarding locations to be allocated for housing, employment and leisure uses over the next decade.
A council spokesman told the Rossendale Free Press that the failure to blind copy email recipients was due to an "unfortunate administrative error."
"We realized the error immediately and, although nothing could be done to reverse it, we have apologized to the few people who contacted us about this," the spokesman said. "We are looking at what measures and system changes can be put in place to avoid this happening in the future."
CompTIA's recent "Trends in Information Security" study found that while 52 percent of security breaches are caused by human error, only 54 percent of companies offer some form of cyber security training.
"The field is indeed full of opportunity for IT firms that can offer the best training or the best overall security package for mitigating human error and improving a business' security posture," the CompTIA report states.
A recent eSecurity Planet article examined the importance of offering security training to employees.
Photo courtesy of Shutterstock.