UK Health Clinic Accidentally Publishes HIV Status of 800 Patients

An anonymous reader writes: A sexual health clinic in London accidentally disclosed the HIV positive status of almost 800 patients. The Guardian reports: "The health secretary, Jeremy Hunt, has ordered an inquiry into how the NHS handles confidential medical information after the “completely unacceptable” breach of the privacy of hundreds of HIV patients. The 56 Dean Street clinic in London apologized on Wednesday after sending a newsletter on Tuesday which disclosed the names and email addresses of about 780 recipients. The newsletter is intended for people using its HIV and other sexual health services, and gives details of treatments and support.

Status was NOT divulged, only email identities

[SillyBrit]

As I understand it, this was your usual failure to use blind copy (BCC) when sending a bulk email. The HIV status of people was not divulged, only the email addresses of other recipients (not sure if this included the recipient account names as well as the address). The recipients were people who had used the clinic for some services.

Re:Status was NOT divulged, only email identities

From the article, the service is "a service set up for patients who are stable and on long-term HIV treatment." So, no, status wasn't formally disclosed but it's not like a general clinic where you'd have positive and negative test results.

BCC is a horrible trap waiting for that fat-fingered moment. There are better ways, but they need training.

Re:Status was NOT divulged, only email identities

[AmiMoJo]

Someone from the clinic was interviewed on the radio yesterday, and stated that no everyone on the list was HIV positive. Some were dealing with other sexual health issues, some were just interested parties or other clinicians.

Re:Status was NOT divulged, only email identities

[Dutch+Gun]

The newsletter is intended for people using its HIV and other sexual health services, and gives details of treatments and support.

This strongly implies there's some medical issue with all the recipients of this e-mail newsletter. After all, why would someone be subscribed to this who is not HIV positive or has some other affliction? And if you read the article, their full names were included in the list, as is common with e-mail. Frequent gaffe or not, this is a huge breach of privacy for those involved.

I'm curious... does anyone know if there a way to create a mailing list in Outlook (or whatever they used) such that it can ONLY be sent via BCC (at least without taking obvious steps)? If not, why in the world is that not a feature? If you're requiring an employee to manually choose the correct field (which typically isn't the default field) every time the mailer is sent out, then it's only a matter of time before they get it wrong, and the whole damned list gets sent to everyone. We see this blunder being made all the time. You'd think someone would have found a solution other than telling the operator "don't be an idiot", because *everyone* makes mistakes from time to time.

Re:Status was NOT divulged, only email identities

[tigersha]

CC is a horrible trap, BCC is not

Re:Status was NOT divulged, only email identities

[symes]

It would be fairly trivial to write a script that cycles through a list of email addresses and sends a personalized mail to each address. I wouild also imagine somewhere in MS's office package the mail merge feature could be tweaked to make this happen. Anyone who relies on email as a part of thier business to communicate with clients really ought to have something in place that manages contacts, keeps them up to date and facilitates distribution of information. I think the issue with this particular clinic is that they are most likely underfunded and can't invest in comms. Actually, this is something Google and MS should think about - they've been pretty proactive in small charity and related areas - easy to make a newsletter app happen in both Office and Gmail.

Re:Status was NOT divulged, only email identities

[Opportunist]

Yeah, 'cause anyone without HIV is terribly interested in a newsletter concerning its treatment.

I can't wait to get my next Alzheimer newsletter. Or ... wait, did I get it yesterday?

Re:Status was NOT divulged, only email identities

The mistake would be *not* using BCC.

Re:Status was NOT divulged, only email identities

[DaveAtWorkAnnoyingly]

This strongly implies there's some medical issue with all the recipients of this e-mail newsletter. After all, why would someone be subscribed to this who is not HIV positive or has some other affliction?

And in one sentence you've proven how personal information can lead to completely the wrong conclusions. This is why privacy is no joke and needs to be taken seriously...

Re:Status was NOT divulged, only email identities

[hsa]

I disagree. This was probably a mailing list, so if you receive a mail without hidden receiver addresses, like:

From: hospital.info@nhs.london.co.uk
To: hiv.center@london.co.uk
CC: Bob Burger <bob.burger@hotmail.com>, Cecil Cockburn <cecil1990@gmail.com>, David Davidson <dave@tesco.co.uk>, etc..
Subject: New treatment times for your HIV-infection and community meetings

It is not hard to imagine, that other people on the list would be infected with HIV as well..  Now the recipients know 800 other people, that have a high probability of being infected, too. How many people without HIV would actually subscribe to a newletter about it?

Re:Status was NOT divulged, only email identities

[AmiMoJo]

Yeah, 'cause anyone without HIV is terribly interested in a newsletter concerning its treatment.

Exactly, people who care for people with HIV, clinical staff, researchers etc. all subscribe to such newsletters.

Re:Status was NOT divulged, only email identities

[Imrik]

BCC already does this, why would you go to the trouble of setting up an entirely different method?

Re: Status was NOT divulged, only email identities

[BarbaraHudson]

And then there's everyone who the server logs showed they were browsing experts exchange (expertsexchange.com) and it was interpreted as expert sex change. Guess that's why they changed it to experts-exchange.com

Re:Status was NOT divulged, only email identities

[TheRaven64]

Using CC or BCC as a substitute for a mailing list is a good indicator that the organisation in question has no IT skills at all and probably shouldn't be trusted with any data that you might want to be confidential and that they might want to store on a computer.

Re:Status was NOT divulged, only email identities

Time to drop HIPPA then, right?

Re:Status was NOT divulged, only email identities

[sbaker]

The problem isn't who, exactly, was on the list - and what their HIV status might be.

The problem is the PERCEPTION in the general public about what the HIV status must be of people on that list. My guess is that a vast majority of people would assume that they are all HIV sufferers...that's incorrect, but that's what they'll assume.

At least one person who replied right here on Slashdot is advocating that the names of people with HIV should be public knowledge.

So - what is the intersection of people who (stupidly) think the names should be made public and people who (stupidly) assume that everyone on the list has HIV? I think we all know that this is hardly an empty set!

Hence it is very likely that people who DON'T have HIV will be publically identified as people who DO have HIV...and the consequences of THAT can be fairly extreme, both to interpersonal relationship - and (in some places) to getting a job, getting health care coverage, etc.

Also, it's really trivial to find someone's name from their email address - and to find their street address from those pieces of information.

So, no, this is not the small matter you're describing...it's potentially devastating.

Re:Status was NOT divulged, only email identities

Using CC or BCC as a substitute for a mailing list is a good indicator that the organisation in question has no IT skills at all and probably shouldn't be trusted with any data that you might want to be confidential and that they might want to store on a computer.

Inability to enforce IT good practices is not the same as not having any good practices or lacking the skills to develop them. It's often a managerial problem e.g. managers don't see why their staff should "waste time" on such issues and repeated exposures of data doesn't change their mind unless their bottom line is threatened. I do however agree that this means they shouldn't be trusted with data - unfortunately this probably applies to every company/government/council/charity/organisation in existence now and for a good time to come. Even on Slashdot we see idiots calling out IT for "making their work difficult" with all our security nonsense - its clear that their work is simply more important than basic data security.

Re:Status was NOT divulged, only email identities

I'm curious... does anyone know if there a way to create a mailing list in Outlook (or whatever they used) such that it can ONLY be sent via BCC (at least without taking obvious steps)?

My understanding of Distribution Lists in MS Exchange (2010 at least) is that the list is expanded at the submission stage and the emails are sent individually from that point - so as far as external recipients are concerned, they are the only recipient of that email. I believe internal recipients are able to see that a Distribution List was used and view the recipients of that DL - unless it's marked as a private DL, in which case only those with explicit or inherited permissions can do so.

Could be wrong though - anything sensitive we send is usually done on a 1-to-1 basis and encrypted before it goes anywhere, so the above is not a scenario I've had to spend much time looking at.

That happens when graphists are put in charge ...

[ArsenneLupin]

... of medical duties.

No, graphists are not better than other people at their job.

A web developer still makes better web sites than a graphist.

And a doctor still knows better when to shut up about medical details than a graphist.

And no, people in general don't like newsletters (even when they DON'T divulge private details to other recipients).

So, please get back to your pretty pictures, and let us do OUR jobs.

Shouldn't have said anything

[symes]

So what seems to have happened is that someone, some admin guy, was asked to send out the HIV Monthly newsletter by email. Does just that but in such a way all email addresses were visible. Now, probably like a lot of people, I also receive emailed newsletters and similar. Occasionally they also have all other recipients email addresses exposed. So my thoughts are whether this is a general issue that affects all mass email or is it something specific to this clinic? Receipt of a newsletter from an HIV clinic does not necessarily mean you have HIV. My guess is a lot of recipients will be trustees, bureaucrats and various others. Also, is an email address personal information? Certainly some people will have their name in their address but for many those email addresses are already on twitter, facebook and various other locations. So this particular case seems like a storm in a tea cup, but it also suggests there might be a general issue in the way mass email is sent that needs some thought.

Re:Shouldn't have said anything

I think you'd have a pareto-style 80/20 split between "patients with HIV" and "other parties", and that's good enough for strong inference to be drawn. HIV is the poster child for sensitive data, so yeah, it does matter.

It's trivially easy to do, and trivially easy to screw up: a classic infosec trap.

Re:Shouldn't have said anything

[tigersha]

She/He is an idiot because she/he used CC instead of BCC. Something that riles me in general.

Re:Shouldn't have said anything

[godel_56]

I think you'd have a pareto-style 80/20 split between "patients with HIV" and "other parties", and that's good enough for strong inference to be drawn. HIV is the poster child for sensitive data, so yeah, it does matter.

It's trivially easy to do, and trivially easy to screw up: a classic infosec trap.

I believe this clinic deals mostly with sexually transmitted diseases, so being revealed having some variety of the clap won't be much of an improvement in many people's eyes.

Re:Shouldn't have said anything

[godel_56]

She/He is an idiot because she/he used CC instead of BCC. Something that riles me in general.

This is also a fault of the particular implementation of the CC function. When selected it should put up a warning that all the addressees details will be included in every email sent and ask "Are you sure?" before it goes ahead and sends.

Re:That happens when graphists are put in charge .

What the fuck is a graphist?

Why shouldn't this be public anyway?

I don't understand why this information should be kept private. HIV is highly communicable under certain circumstances. Having a registry of people infected with HIV would allow people to avoid the type of contact that can spread HIV with infected persons. It would also allow people to identify if they may have contracted HIV because they had sexual relations with someone who has HIV. This might allow those people to receive treatment earlier and prevent them from further spreading HIV. If there's a disease that has no cure at present and is highly contagious under certain conditions, don't people have a right to know who's infected so they can do what's necessary to avoid contracting that disease? I'm all for privacy of medical records when you're not putting people at risk of contracting a dangerous and currently incurable disease. But in this instance, there's a strong public safety interest that these records shouldn't be private anyway.

Re:Why shouldn't this be public anyway?

[Opportunist]

Because people are stupid.

HIV is pretty much non-contagious as long as you don't exchange some sort of body fluid. Now, I don't know how you go about in your everyday life, but I don't routinely have people spill blood, semen or other stuff coming out of their body into mine.

But people are stupid.

Remember the H1N1 craze? Swine flu? Or any other of the sky-is-falling pandemics? SARS anyone? Yes, they are contagious. How many cases did we have around the US and Europe? Was it more than a dozen combined? People went apeshit over that crap. Mostly because they didn't have the first clue about it other than "oh it's killing people, watch out!"

And now imagine these people should interact with people who actually carry a deadly disease. No matter that there is no sensible way they could get infected, they WILL go bananas over it.

HIV is already a disease that puts a terrible weight on your psyche. Making these people outcasts for no reason whatsoever doesn't really help it.

Re:Why shouldn't this be public anyway?

Stigma and discrimination. HIV +ve individuals are routinely denied housing, employment and ostracised from society due to their HIV status. By making a public register this would further discourage people from seeking appropriate testing and treatment.

    The most common mode of transmission is through sexual intercourse and effective treatment of HIV (through the use of HAARTs) significantly reduces the chance of passing the infection on. By discouraging people from seeking out proper healthcare they will be more infectious and less likely to know their HIV status. The casual hookups of things like: grindr, sex on premises venues, beats etc... can be fairly anonymous, so a public register of HIV infected individuals is not exactly going to be the most useful thing anyway.

Disclaimer: I am an HIV epidemiologist.

Re:Why shouldn't this be public anyway?

Remember the H1N1 craze? Swine flu? Or any other of the sky-is-falling pandemics? SARS anyone? Yes, they are contagious. How many cases did we have around the US and Europe? Was it more than a dozen combined? People went apeshit over that crap. Mostly because they didn't have the first clue about it other than "oh it's killing people, watch out!"

So, was our fortune in those diseases not becoming strongly pandemic by chance, or partially because people "went apeshit over that crap"?

Our health system in the US pretty much proved they weren't ready to cope with diseases like Ebola when they started bringing infected people back to the United States. We've since found out that the virus remains in hosts that were determined to be "free" of the disease, for example in eyeballs, yet we have cases like this one where health employees clearly flaunt their ignorance of the possibilities for catastrophe.

You simply need to treat such infections with the same respect you do computer security. If there's a possibility of a breach, assume there will be a breach. Assuming otherwise just ensures that if a breach occurs it will be so much worse.

Re:Why shouldn't this be public anyway?

[rhazz]

HIV is highly communicable under certain circumstances.

If you are referring to the circumstance where someone puts their penis in someone else's body cavity, then yes you're right. But rather than publishing the name of everyone who has been tested positive (which wouldn't reveal the names of any one who HASN'T been tested), why don't you and your latest partner get tested before having sex? If that's too much hassle, then you (or anyone else) are part of the problem - you could be spreading HIV now.

Having a registry of people infected with HIV would allow people to avoid the type of contact that can spread HIV with infected persons.

Once people know that HIV test results are public record, they will choose to not get tested.

Re:Why shouldn't this be public anyway?

[sbaker]

So your position is that the entire country (world maybe) should have access to identity information for everyone who currently has a potentially fatal, communicable disease? Knowing their email addresses would hardly be adequate to help people avoid the problems you describe, so you must (logically) be advocating for revealing actual names and work/home addresses.

Hmmm - so what other diseases should be accorded such special status?

Unless you have some kind of unseemly bias, you must be concerned about all diseases that are at least as communicable as HIV, and which cause at least that number of deaths - would that be a reasonable low bar for you?

So...let's see - in the UK, about 6,000 people die every year from HIV/AIDS - and about 25,000 die from influenza.

Oh [citation required] huh? OK - the numbers are here:

http://www.avert.org/uk-hiv-ai... (6,000 people died from AIDS in 2012)
http://www.theguardian.com/soc... (28,000 people died from influenza in just two weeks in January 2015)

How about communicability?

To be infected by HIV, you need to exchange body fluids - pretty unlikely to happen, statistically.
To be infected by influenza, you just need to be standing nearby when they sneeze - incredibly likely.

So - unless your position comes from a specific bias against HIV sufferers *because* of the most common routes of infection - you should reasonably be pressing the government to release the names of all known influenza sufferers instead.

I think we know what your feelings are in that regard - so we can only conclude from your post that it's pure, unreasoning bias.

Re:Why shouldn't this be public anyway?

[dave420]

Or maybe the H1N1/SARS/Whatever hype accompanied real action to prevent the problem from becoming too big. Just think about the usual muppets screaming that Y2K was hyped up massively and nothing happened - precisely because work was done to stop it becoming so bad.

Re:Why shouldn't this be public anyway?

[Opportunist]

And I have a rock that protects me from tiger attacks...

Re:Why shouldn't this be public anyway?

You simply need to treat such infections with the same respect you do computer security.

OMG, we are soooo screwed.

Re:Why shouldn't this be public anyway?

So your position is ...

No, of course it isn't. That's how trolling works, dummy.

On the bright side, at least someone put a little effort into it for a change.

Finger trouble...

Standard issue baby boomer reluctance to use computers properly.

"Why would we buy a tool to send bulk email when the intern can do it for peanuts?"

This is why, executives. This is why you need to use the correct tools. Just do a mail merge. It is unbelievably simple. So simple that the intern could do it.

It's OK right?

[wickedsteve]

We don't need any privacy right? Unless they are terrorists they have nothing to hide.

Re:It's OK right?

Not yet, we're at stage 2 so far, stage 3 is later.

1. If you've done nothing ILLEGAL you have nothing to hide.
2. If you've done nothing WRONG you have nothing to hide.
3. If you can PROVE you're not a terrorist you have nothing to hide.
4. If you can PROVE you will do nothing WRONG now or in the FUTURE you have nothing to hide.
5. Only terrorists want privacy, so you must be a terrorist.

The biggest shift is from 'illegal', i.e. breaking laws that permit search warrants, to 'wrong' where right and wrong is any arbitrary judgement of anyone in a uniform.

Re:It's OK right?

Now that you mention it, I do notice that change.
Nice distinction!

Re:That happens when graphists are put in charge .

[Calydor]

Someone the OP has a personal issue with, I assume.

Easy problem to solve: Ban CC:

[tigersha]

Take out CC: in mails and only allow BCC:

I seriously hate it when my friends send a mail to me with some other people and my email address is not hand-delivered to the virus and spam-harvester infested horrors of my other friends. If ALL emails only went out by BCC this would not happen.

Mail server maintainers such as Postfix/Exim and such should band together and simply phase out CC and start treating the CC header as a BCC header. And then should begin rejecting mails with a CC with multiple email addresses in it outright. This would solve half of the world's spam problems in a few years too.

Re:Easy problem to solve: Ban CC:

CC has legitimate uses though. For instance in business you might email someone but copy in several other people in the team. You don't want to use BCC as you want replies to go to your teammates too, and you don't want to use To so it's clear who the email was intended for.

Re:Easy problem to solve: Ban CC:

Check out the last revision of outlook: BCC is hidden by default!

Re:Easy problem to solve: Ban CC:

[stephanruby]

And then should begin rejecting mails with a CC with multiple email addresses in it outright.

There is nothing preventing you from doing that right now with your own email client.

This would solve half of the world's spam problems in a few years too.

That's assuming the world still even has a spamming problem.

Personally, I don't have a problem with email spam (except for spam faxes). Unfortunately, I still have stupid co-workers that will order things from unsolicited faxes, thus rewarding the spamming behavior, and unfortunately, the phone/fax system is still largely ill-equipped to deal with such problems.

Re:Easy problem to solve: Ban CC:

[Dr_Barnowl]

Agree : I use "To: " for people I expect to take an action, and "CC" for people I just think need to be informed.

Of course, this is way too subtle for the majority of people...

Re:Easy problem to solve: Ban CC:

The problem is, they're using the wrong tool. It's like managing a database or having a bug-tracker using Excel. Microsoft (or,well, whoever) needs to write a "Newsletter Management Tool" which can be Outlook with little changes to the UI. No more "CC" field, instead it just has "Recipient Emails" field which will be BCC...

Re:Easy problem to solve: Ban CC:

In this case it's likely that they used TO to send the newsletter to all interested persons, so banning CC won't solve anything.

Re: Easy problem to solve: Ban CC:

Actually, even BCC is the wrong method. Such a tool should actually loop through the Recipient Addresses and sent "To" each one individually.

Re:Easy problem to solve: Ban CC:

LOL... Fax? Seriously? Americans still use fax machines? Why?

Re:Easy problem to solve: Ban CC:

[wbo]

No, it isn't hidden. It doesn't appear in the "Quick Compose" window but then again I wouldn't expect to see it there since that is designed just for short messages or quick replies.

In the full compose window the Bcc field is right below the To and Cc fields just where it has been for the past several versions.

Re:Easy problem to solve: Ban CC:

[sbaker]

Certainly both BCC and CC have their valid uses - but you'd be amazed the number of people who don't understand the difference. Even after I pointed it out, the HR team at a company I worked for a few years ago would still send out emails about upcoming events and benefits stuff to the entire company using CC. Then a huge number of "Thanks for telling me!" types of replies would wind up being spread around the entire company.

Perhaps mail clients should retire the acronyms and spell out more explicitly what happens. Maybe have just one box for CC's and when you hit SEND, ask whether you want the recipients to get each other's email addresses or not.

Re:Easy problem to solve: Ban CC:

[penguinoid]

It probably wouldn't hurt to have a big massive warning pop up if you try to CC, reply all, or forward to more than a dozen people.

Re:Wait...

[Opportunist]

Rest assured, if you should ever contract it, I'll be personally doing my best to take out double page ads in the Sun to announce it to the world.

Health clinic?

Is that a word? I thought a clinic is always a health care institution.

Re:Health clinic?

Is that a word?

Nope, 'health clinic' is two words.

I thought a clinic is always a health care institution.

Clinic is also used in things like 'pc clinic', 'motor clinic' etc - so generally about care, but not limited to just health.

Nothing has been disclosed, after all.

[LordHighExecutioner]

They were also listed in the Ashley Madison database.

Ironic organizational removal of BCC?

I have seen some mail systems where BCC is not possible.
Idk probably pissed off an exec when the found out the board was Blind CC'ed in that embarrassing email exchange.

Also BCC could have even been removed as an attempt to protect privacy.

One click away from failure

[dhaen]

That all the patients' details were in an address book mystifies me. I wonder if their addresses were in the same file, and what else? These things are bound to happen given the pressures and distractions of modern life. More precautions are needed where harm may result.

you could call it

The Do Not Fuck List.

oh no, now everyone is safe

[slashmydots]

Now everyone knows whose fluids to avoid. How terrible! They should have to tattoo is on their heads if they're found positive. That would stop AIDS in one generation.

Crosscheck!

[wardrich86]

How long until these get cross-checked with the Ashley Madison hacked records? Data is fun!