An investigation has been launched after an NHS clinic mistakenly revealed the identity of almost 800 patients who had attended HIV services.
The 56 Dean Street clinic in London’s Soho sent out a newsletter to patients on a group email, rather than to individuals.
A spokesman for the sexual health clinic, which is part of the Chelsea and Westminster NHS trust, said the mistake was caused by “human error”.
The clinic and others in the trust’s network make up Europe’s biggest sexual health service.
The error means patients who have attended HIV clinics at Dean Street were able to read the names and email addresses of other patients.
The spokesman said: “We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients.
“We have immediately contacted all the email recipients to inform them of the error and apologise.”
Elliot Herman, 38, from London, told the Guardian the email contained the names of friends who had never disclosed their HIV status to him before.
“It’s not difficult to put those names into Facebook and bring up their profiles and personal details,” he said.
He said if his details were on the list he would “feel angry and disappointed at the clinic”.
The spokesman for the clinic said it was not accurate to say all the patients on the list were HIV positive.
The newsletter was sent to about 780 patients who had signed up to the clinic’s OptionE service, which lets people book appointments and receive test results by email.
An internal investigation into what happened has been launched.
According to the Guardian, an email apology from Alan McOwan, Chelsea and Westminster Hospital NHS Trust’s director for sexual health, was sent to patients after the breach on Tuesday.
It said: “I’m writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter.
“This is normally sent to individuals on an individual basis but unfortunately we sent out today’s email to a group of email addresses. We apologise for this error.
“We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.
“Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation.”
The Information Commissioner’s Office (ICO) can levy fines of thousands of pounds for significant data breaches.