Britain's biggest gender identity clinic 'leaks' data of nearly 2,000 patients

6 September 2019, 16:04

The Tavistock and Portman NHS Foundation Trust run the clinic in west London
The Tavistock and Portman NHS Foundation Trust run the clinic in west London. Picture: Google Street View

By Megan White

Britain’s biggest gender identity clinic has launched an investigation after the email addresses of nearly 2,000 patients were shared in a serious data security breach.

The Tavistock and Portman NHS Foundation Trust accidentally shared patients’ emails after sending out an invite to join a new art project at the Charing Cross Clinic.

The emails were only shared to other patients, but the Trust said they are treating the incident as serious and have reported it to the Information Commissioner’s Office.

They said two emails had been sent to patients, with one sharing around 900 emails, and the other bringing the total number of email addresses shared to almost 2,000.

LGBTQ activist and journalist Shon Faye posted about the incident on Twitter, branding the leak an “institutional failing.”

She said: “The Gender Identity Clinic in London just sent out a mass email to me with lots of other (patients’ ?!) email addresses visible in the address bar. What. The. F**k. This is potentially a massive breach of patient confidentiality.

“On a personal note. I feel sorry for the staff member who sent the email. I hope they’re ok.

“This was an accident on their part. But the Trust should have ensured better compliance and confidentiality. It’s an institutional failing.”

Data protection breaches can carry a fine of up to 4 per cent of annual global turnover or €20 million.

The breach could also contravene section 22 of the Gender Recognition Act, which prevents the identities of transgender people from being disclosed.

A Trust spokesman said: “We are currently investigating a data security incident.

“This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching.

“Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.

“We can confirm we are reporting this breach to the Information Commissioner's Office as well as treating it as a serious incident within the Trust.”

In 2016, an NHS clinic in London was fined £180,000 for a similar breach.

Patients who were on the HIV clinic email list of 56 Dean Street, a sexual health clinic, were sent a newsletter which showed the email addresses of all the other recipients.

Addresses were entered into the “to” field of the email, instead of “bcc,” which hides other recipients’ emails.