I don’t know if you have heard about this by now, but it was huge news on September 2nd when a London clinic sent out a weekly newsletter to 780 recipients, who included HIV-positive patients, and accidentally failed to hide their names. Usually one would put the names in the blind copy (Bcc) field, but the employee who sent out the newsletter sent it to the 780 recipients using the To field rather than the Bcc field. The newsletter sent by the clinic looks as follows:
When the clinic staff realized the mistake, they immediately tried to recall the email, thereby sending the email a second time. Asking people to delete an email makes them curious, and this in turn makes them check the original email again. In my experience, recalling an email doesn’t work a majority of the time:
Social media exploded with people aghast at how and why this happened. This busy clinic offers confidential HIV treatment to its patients and yet was the one revealing their names to others. People were able to identify names of their friends who had previously not disclosed their illnesses. There were also names of persons affiliated with the clinic who are not HIV-positive but who may have signed up to receive the newsletter. Automatically, it is presumed that these persons are also HIV-positive. The clinic issued an apology letter to the recipients of the emails:
Now there are so many things that went wrong here: sending out the email, recalling it, sending an apology letter, and then stating that each person affected had been personally contacted (i.e., via the apology letter). This certainly was not the best way to approach this breach of confidentiality; more should have been done, or should be done, for the email recipients.
Granted that this was a human error, a leak this big is huge and irreversible. The employee who sent out the email is reported to be distraught, but even an apology does not help make the situation better. Stigma and discrimination are very high across the world, and inadvertently revealing patients’ names to each other and the public is not acceptable.
Clinics are charged with keeping their patients’ names and healthcare information private, and when they leak the information, it is a major breach of trust and loyalty. I don’t know if there is anything that can possibly be done to rectify the situation and make things better for the patients. It is easy to take the names on the list and post them publicly for others to see, or use social media platforms to find out who the persons are. Many things can go wrong as a result of revealing the patients’ names. The clinic also exposed itself to possible litigation and may lose some of its patients as a result of this privacy breach. Issues of this type make HIV-positive persons mistrust healthcare services and healthcare professionals, and they may also limit access to and use of healthcare services.
There are email software management systems available that help send emails to many recipients easily and without revealing their names. Some of these mass email software systems offer free services. They are easy to use and the newsletters are very attractive. Persons dealing with confidential information, or those who don’t need their email recipients to know who else is receiving the email, should look into using these services. Using a mass email service removes the possibility of the human error of entering recipients in the wrong field. Personally, I prefer and have used MailChimp, which offers sending up to 2000 free emails a month. Other popular mass email software systems include:
A side by side comparison of The Best Email Marketing Services of 2015 is located at http://www.pcmag.com/article2/0,2817,2453354,00.asp.
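For a clinic that sends its newsletter from a script rather than a hosted service, the same protection can be had by building one message per subscriber and refusing to send anything that shows more than one address. The following is an added example, not code from the clinic or from any service named above; the function names, the one-visible-address limit and the example.org addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a bulk mailing never shows more than one address per copy.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg):
    """Return every address a recipient could read in the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_outgoing(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send guard: raise if the message would expose the list to its members."""
    exposed = visible_recipients(msg)
    if len(exposed) > limit:
        raise ValueError(f"{len(exposed)} addresses visible in To/Cc; limit is {limit}")
    return msg


def build_newsletter(sender, subscribers, subject, body):
    """Build one message per subscriber so each copy names only its own recipient."""
    messages = []
    for address in subscribers:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = address
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(check_outgoing(msg))
    return messages


# Constructed sample data; the example.org addresses are placeholders.
SUBSCRIBERS = ["a@example.org", "b@example.org", "c@example.org"]

if __name__ == "__main__":
    for m in build_newsletter("news@example.org", SUBSCRIBERS, "Newsletter", "Hello"):
        print(m["To"])
```

The guard is useful on its own: run over any outgoing draft, it stops a message like the one in this incident before it leaves the outbox.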
Please take measures to protect your patients, your clinic, and yourself from having an issue such as this happen in the future by using one of these services that meets your need. What are your thoughts on this privacy breach?