Almost 2,000 patients of an NHS gender identity clinic have had their email addresses disclosed in a “horrendous” breach of patient confidentiality.
Those involved are patients of the Tavistock and Portman NHS foundation trust in London who are transitioning gender or considering doing so.
Their email addresses were all included, and therefore left visible, in an email sent by an official at the trust on Friday afternoon that should have gone to recipients on a blind copy basis.
“This is a horrendous breach of privacy. It’s very alarming because it could have an impact on people’s lives,” Shon Faye, who was one of those affected, told the Guardian. “It could lead to people being outed to family members or to their communities as being trans, where it may be a risk to them being known to be trans. That could be hugely dangerous to their wellbeing and safety.”
The trust admitted that just under 2,000 patients’ email addresses had been released to all recipients by mistake. It has classified the leak as a “serious incident” – one which involves risk to patients and will be the subject of an investigation – and also reported it to the information commissioner.
“We are currently investigating a data security incident,” a trust spokesperson said. “This incident involved an email from our patient and public involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.
“We can confirm we are reporting this breach to the Information Commissioner’s Office as well as treating it as a serious incident within the trust.”
The official sent the email about an art competition for patients, displaying all the patients’ email addresses, at 2.23pm. He apparently immediately realised his mistake and a minute later sent a second email – using the blind copy function – seeking to recall the first one.
A lawyer specialising in NHS data breaches said the leak could cost the trust many millions of pounds.
Sean Humber, of solicitors Leigh Day, said: “This extremely unfortunate disclosure of sensitive personal information is clearly unlawful, being a breach of the duty of confidence owed by the clinic to each of its patients and a misuse of their private information as well as being a breach of the General Data Protection Regulation. It is also likely to represent a breach of the patients’ right to a private life under the Human Rights Act.
“While it will obviously depend on the individual circumstances, I would say that, on the basis of similar cases, individual affected patients would have claims worth at least thousands of pounds, perhaps running into tens of thousands, which means that the trust is looking at a pretty hefty bill for all of this.”
Those affected are all adults with issues relating to gender. All are patients at the trust’s gender identity clinic, based in Fulham in south-west London. Set up in 1966, it is the largest and oldest such specialist clinic in the UK and accepts referrals from the four home nations.
Its staff include psychologists, psychiatrists, hormone specialists and speech and language therapists. “We work together in order to provide holistic gender care, focusing on the biological/medical, psychological and social aspects of gender,” the trust’s website explains.
The breach prompted a strong reaction on social media. One person said: “Tavistock and Portman gender identity clinic has just sent out an email to service users with everyone’s email addresses on the To: line. I hope the Information Commissioner’s Office are informed at once. They literally just outed thousands of trans patients.”
Another said: “If I were the gender identity clinic I would not leak the details of thousands of trans people receiving treatment in this extremely hostile climate.”
The trust’s chair is the former Liberal Democrat MP Paul Burstow, who was the minister for mental health between 2010 and 2012 in the Conservative-Lib Dem coalition government.
Faye tweeted her sympathy for the official who made the mistake. “On a personal note. I feel sorry for the staff member who sent the email. I hope they’re OK. This was an accident on their part. But the trust should have ensured better compliance and confidentiality. It’s an institutional failing.”