London NHS trust fined £180,000 after second bcc fail on HIV email list

The Information Commissioner's Office (ICO) has handed down a £180,000 fine to an NHS trust in London after it revealed the email addresses of more than 700 users of an HIV information service. The data blunder occurred last year when a sexual health clinic at 56 Dean Street, which is operated as part of Chelsea and …

  1. Adrian 4

    How does someone accidentally enter 730 names in a To list?

    This should be solved by using mailing list software, not some Outlook bodge.

    1. Doctor Syntax Silver badge
      Facepalm

      "not some Outlook bodge."

      But but...isn't Outlook email?

      1. hplasm
        Happy

        But but...isn't Outlook email?

        No, but it thinks it is.

        1. Anonymous Coward
          Anonymous Coward

          Re: But but...isn't Outlook email?

          >>> No, but it thinks it is.

          No, it really is. And much as I love knocking MS and think Office is bloated cr@p, Outlook is a country mile ahead of the alternatives.

    2. wolfetone Silver badge

      "How does someone accidentally enter 730 names in a To list?

      This should be solved by using mailing list software, not some Outlook bodge."

      I worked for a youth charity and some clown of a woman emailed about 500/600 people by including everyone on a CC. I received complaints about it as I was the IT manager, and I spoke to the woman who was absolutely vile.

      So, really, it's only an accident when someone gets pulled up about the matter and there's a fine involved. For everything else there's laziness.

    3. Just Enough

      "How does someone accidentally enter 730 names in a To list?"

      Excel email list. Copy. Click in wrong header field. Paste. Send.

      1. Hans 1
        Boffin

        The real question is, why does the admin not use address/header rewriting, when recipient is not part of the trust, check if bcc:, else reject email ... or, be smart, always put all external recipients in bcc:, and remove all external from to:, ensure to: always has at least one addressee, else fill with no-reply email address.

        Easy? That will be 1 euro, thanks!

        1. TonyJ

          "...The real question is, why does the admin not use address/header rewriting,.."

          Yep.

          Have to agree. It isn't even that difficult to do.

          But.

          Whilst on the one hand, I wouldn't "blame" MS for this cockup (and I've seen similar with other sensitive lists) in general, one thing I do blame them for is that they don't show the Bcc pane by default.

          So we have a bunch of technophobes (which in my experience of 10+ years of working on gov/military contracts is 90+% of users) being expected to understand the concept of things that aren't even put there in front of them by default.

          I'm normally an MS supporter, having built my career on their software (and others to be fair, such as Citrix) but this always annoys me. Intensely.

          1. AndrueC Silver badge
            Meh

            Whilst I wouldn't say that Outlook is awful - I'd actually agree that it's one of the better clients - it does have a few annoying foibles.

            The searching is poor. It starts off badly by not using the de-facto standard Ctrl+F as the shortcut for search and goes downhill after that.

            The difficulty of changing the font size on the folder pane is also a nuisance to those of us with ageing eyes.

            As for CC - I hate it with a passion. I rely on DEA for my spam protection and I do not want my custom addresses sent to everyone.

    4. Oh Homer
      Childcatcher

      Re: "accidentally"

      It's not accidental, it's ignorance.

      The fact is that, like most "consumer" grade technology, e-mail is presented as something which requires absolutely no training to use properly, and consequently the great unwashed hordes use it improperly.

      Blame the likes of Microsoft for encouraging decades of bad practices, or more generally the commercialisation of something highly technical without adequate regulation. You can't drive a car without a license (and thus driving lessons). It's my view that no one should be permitted to operate a computer without adequate training either, at least not those aspects of it that involve interacting with others. Perhaps a better analogy would be the licensing requirements for ham radio operators. Anything with public consequences demands social responsibility, and since "self-regulation" demonstrably doesn't work, it must therefore be enforced.

      Take another example, again largely instigated by Microsoft, such as placing the cursor at the top of a reply, thus causing the endemic problem of upside down conversations. The debate is easily resolved by explaining that a book is not typically read back to front, so why would you read an e-mail conversation that way? Sadly, in spite of this unassailable argument, the great unwashed hordes are so heavily entrenched in decades of bad habits, that they continue unabated, whilst cheerfully conceding the point, much like a lifelong smoker.

      And so it is with "CC" mass mailings. Most of the culprits probably have no idea what "BCC" is, and if you explained it to them they still probably wouldn't see what all the fuss was about. They are permanently stuck in this institutionally indoctrinated mindset of bad practices, perpetuated by apathy and ignorance.

      Sadly the great unwashed hordes will never even read this, and the few who do will conclude that it's nothing but the manic ravings of an obnoxiously elitist dinosaur, full of sound and fury, signifying nothing ... until 700 HIV patients have their privacy deeply violated by this prevailing environment of apathy and ignorance, at which point the great unwashed hordes will briefly feign outrage, then resume business as usual.

      1. Gordon 10
        Stop

        Re: "accidentally"

        Agree totally, but it's not the "great unwashed hordes" that are the problem. It's the PHBs and the Mandarins.

        Damn those juicy seedless mini oranges.

        1. AMBxx Silver badge

          Re: "accidentally"

          NHS Email is Exchange 2003. I'm pretty sure there's a setting on there to limit the number of addresses in to and cc. 10 should be enough for anyone. Just not configured properly.

          Nothing to do with consumer grade client - you can connect with pretty much anything.

      2. Doctor Syntax Silver badge

        Re: "accidentally"

        "the endemic problem of upside down conversations"

        I once saw, and sometimes use, the following as a sig:

        the flow.

        breaks up

        Top-posting

      3. Crisp

        Re: It's not accidental, it's ignorance.

        In my experience ignorance leads to accidents.

      4. Mark 85

        @Oh Homer -- Re: "accidentally"

        And so it is with "CC" mass mailings. Most of the culprits probably have no idea what "BCC" is, and if you explained it to them they still probably wouldn't see what all the fuss was about.

        There is this problem in a nutshell. Ask the users what "CC" means and then ask what "BCC" means. They don't frikkin' know!!! Carbon Copy? Blind Carbon Copy? "What's that? What's a carbon copy?" Education may be the answer or if, big if, the email application writers would allow an admin to remove the CC setting for anything going out of house. Or just remove it. Period. Maybe an automatic set-up where TO becomes BCC when there's more than one email addy.

        And let's not get started on the morons who hit "Reply All".....

        1. Ken Moorhouse Silver badge

          Re: @Oh Homer -- "accidentally"

          Who remembers the Microsoft Dinosaurs?

          http://photos1.blogger.com/blogger/3239/1858/1600/Microsoft_medres.jpg

    5. Gordon 10
      FAIL

      @Adrian

      You actually don't get the financial and technical constraints that these kind of organisations operate under.

      They would be lucky to get the funds to send the email button pusher on a data privacy awareness course (a practical one, not a box-ticking central mgt exercise), let alone mailing list software that has been a) approved by the NHS tech governance people and b) doesn't cost them their entire departmental budget for the year.

      1. Doctor Syntax Silver badge

        "lucky to get the funds to send the email button pusher on a data privacy awareness course"

        Then how are they going to pay the fine(s)?

      2. Anonymous Coward
        Anonymous Coward

        Clearly had a spare £180,000 behind the sofa.

        Part of me thinks this is a public organisation, being fined to pay into another public organisation. The fine paid for by us the public...

        Part of me thinks that they need to look at the ppi initiatives to see if this was in what they bought as their "email" system, as it's clearly not fit for purpose...

        £180,000 pays for a lot of training courses...

    6. Duffaboy
      FAIL

      Let's face it

      Most users lack PC skills, otherwise most of us would be unemployed.

    7. Chemical Bob

      Re: not some Outlook bodge

      Outlook *is* a bodge.

  2. Doctor Syntax Silver badge

    "While some remedial measures were put in place following this mistake, there was no specific training implemented,"

    If there wasn't even specific training it's difficult to see what the remedial measures were. Or maybe they replaced the temp who sent the first one by the temp who sent the second.

    There's no two ways about it, personal liability is needed.

    1. PrivateCitizen
      FAIL

      There's no two ways about it, personal liability is needed.

      Seconded.

      The problem here is NHS Chief Execs / "leadership" teams get bonuses and promotions by cutting costs. This means that lower quality staff are hired, training is curtailed and pressure is piled on the few competent workers who remain.

      In this environment, breaches are inevitable.

      However, when they happen, the PUBLIC as a whole takes the hit, not the people directly. The fine comes out of the NHS operating budget while the management continue to get their bonuses.

  3. Stuart Halliday

    A simple script to check for multiple addresses in the To: or CC: field and either reject it or rewrite it to the BCC: field.

    This is so simple to do, it beggars belief that their IT staff don't do it. Sack one of them for being an idiot.

    1. Just Enough

      One of their IT staff didn't do it probably because no-one told them to do it. IT staff monkeying with people's email without instruction or permission is the kind of thing that gets them sacked.

      Hopefully now someone at management level has consulted with the IT staff, asked what can be done to stop this, then told them to do it.

      1. allthecoolshortnamesweretaken

        "Hopefully now someone at management level has consulted with the IT staff..."

        "Our IT guys can do e-mail too? Who knew? Super! Have them do it. Why, we might even be able to reduce secretarial staff!"

        Be careful what you wish for. Don't give them weird ideas, they already come up with enough of them by themselves. Always try to manage the management before they try to manage you.

    2. Anonymous Coward
      Facepalm

      So we'll punish the patients instead

      So as well as having their HIV status strongly implied ("a small number of people who received the newsletter did not have HIV"), people will now receive slightly worse healthcare because some of the budget will be rerouted to HM Treasury?

      Maybe if the trust screws up a few more times, then all the budget could be spent in this way.

      Perhaps retributive justice would be better served by publishing the names of the people ultimately responsible, along with any embarrassing medical details. If they don't have any, then perhaps some could be strongly implied.

      1. Jimmy2Cows Silver badge

        Re: So we'll punish the patients instead

        Perhaps retributive justice would be better served by publishing the names of the people ultimately responsible, along with any embarrassing medical details. If they don't have any, then perhaps some could be strongly implied.

        Karmic justice eh? Would be nice, but you'd probably find yourself on the wrong side of a data protection breach and risk being fined. Not to mention, slander, harassment etc.

        Breaches like this are almost criminal, so why not go the whole hog and make such negligence a criminal act, with a range of penalties depending on the severity of the breach? Suppose that's awfully close to legislating against stupidity...

        1. Adam 52 Silver badge

          Re: So we'll punish the patients instead

          "Breaches like this are almost criminal"

          They used to be proper criminal but that protection was removed by the Health and Social Care Act 2012 to enable privately financed hospitals. Speculation on why removal of that protection was necessary is left as an exercise for the reader.

  4. Bumpy Cat

    Mailing list software please

    Too much of this is done by giving non-technical people a list of email addresses and a message. Does the fault lie 100% with them? Or with their management, who also don't know better? Or with the overworked IT team, who don't even know that this is happening?

    We have similar scenarios, and we run mailing list software so it is very hard to make this kind of mistake. The biggest problem is actually finding the people who need this setup and training them to use it.

    1. Paul Crawford Silver badge

      Re: Mailing list software please

      Indeed, people do dumb things, people make mistakes.

      The issue here is it's the 2nd time it's happened, and it's a known risk, so someone high up needs a total bollocking for not putting in place technical measures to stop stupid abuse of To/CC fields. Really, having a limit of 5 or so (maybe with an override button with "Are you really sure?" and a list of personal actions that *will* be applied if abused) would make little difference to sane email use, and having other configured options like email lists for any internal or external groups that need large updates would deal with the rest.

    2. Doctor Syntax Silver badge

      Re: Mailing list software please

      "Or with their management, who also don't know better?"

      In this case they'd already been fined. The management have zero excuse for not knowing better.

  5. Richard Simpson

    As always, toothless watchdogs

    I simply can't see the point of fining public bodies. The £180k has simply gone round in a circle inside government. The money isn't going to be retrieved by docking the pay of those responsible is it! Either those attending the clinic now get a lower quality service or the central NHS just tops the money back up again.

    I guess it's slightly embarrassing for the immediate career prospects of those involved, but I am sure it will soon all be forgotten. Where I work in government, if you let secret stuff out by being a complete cretin you lose your job and possibly get a trip to the slammer. Somehow that doesn't seem to apply in cases like this, I wonder why. Could it be that the secrets I am careful about belong to HMG whilst the ones spread around here (vis HIV status) belong to citizens?

  6. Known Hero
    Facepalm

    Every single time this happens

    I seriously wonder why they don't run checks for multiple recipients in the To field. As stated above, 10 is plenty, if not excessive.

    If you need to mail an office, use groups.

    I would almost consider setting external emails to ONLY bcc. Yes, excessive, but considering the information they deal with I would think proportionate, especially considering this has happened multiple times before.
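Several commenters describe the same outbound control: Hans 1 (rewrite headers so external recipients are always in Bcc: and To: never ends up empty), Stuart Halliday (a script that rejects or rewrites mail with multiple visible addresses), Paul Crawford (a limit of 5 or so) and Known Hero above (a limit of 10, or Bcc-only for externals). The following is an added example of that check, not code from the trust, NHS.net or any named product. It assumes a constructed internal domain (`clinic.example`), a constructed no-reply placeholder, and a configurable limit on visible external recipients; the sample message is constructed for the example.

```python
"""Outbound recipient check for a mail gateway, as sketched in this thread.

Added example, not the trust's or NHS.net's configuration.  Assumed policy:
  * visible recipients are those in To: and Cc:
  * an address is "external" when its domain is not in INTERNAL_DOMAINS
  * more than MAX_VISIBLE_EXTERNAL external visible recipients breaks policy:
    the message is either rejected or rewritten so that every external
    recipient sits in Bcc:
  * To: must keep at least one addressee; if nothing internal remains there,
    a no-reply address is substituted (Hans 1's suggestion)
All domains and addresses below are constructed for the example.
"""
from email import message_from_string
from email.policy import default
from email.utils import formataddr, getaddresses

INTERNAL_DOMAINS = {"clinic.example"}   # constructed: the sending organisation
NOREPLY = "no-reply@clinic.example"      # constructed placeholder addressee
MAX_VISIBLE_EXTERNAL = 1                 # 0 = "always Bcc externals"; the thread also mentions 5 and 10


def is_internal(addr: str) -> bool:
    """True when the address belongs to one of the organisation's own domains."""
    return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def recipient_pairs(msg, header: str):
    """(display name, address) pairs from every instance of a recipient header."""
    raw = [str(h) for h in msg.get_all(header, [])]
    return [(name, addr) for name, addr in getaddresses(raw) if addr]


def set_recipients(msg, header: str, pairs) -> None:
    """Replace a recipient header with the given pairs (drop it when empty)."""
    del msg[header]
    if pairs:
        msg[header] = ", ".join(formataddr(pair) for pair in pairs)


def check_recipients(raw_message: str, mode: str = "rewrite",
                     limit: int = MAX_VISIBLE_EXTERNAL):
    """Apply the policy to one RFC 5322 message.

    Returns (decision, message); decision is "accept", "reject" or "rewrite".
    In "rewrite" mode the returned message has every external visible
    recipient moved to Bcc:, so they no longer see each other.
    """
    msg = message_from_string(raw_message, policy=default)
    to_pairs = recipient_pairs(msg, "To")
    cc_pairs = recipient_pairs(msg, "Cc")
    external = [p for p in to_pairs + cc_pairs if not is_internal(p[1])]

    if len(external) <= limit:
        return "accept", msg
    if mode == "reject":
        # A gateway would bounce here, telling the sender to resend using Bcc:.
        return "reject", msg

    # Keep only internal addresses visible; everything external becomes hidden.
    keep_to = [p for p in to_pairs if is_internal(p[1])] or [("", NOREPLY)]
    keep_cc = [p for p in cc_pairs if is_internal(p[1])]
    hidden = recipient_pairs(msg, "Bcc") + external
    set_recipients(msg, "To", keep_to)
    set_recipients(msg, "Cc", keep_cc)
    set_recipients(msg, "Bcc", hidden)
    return "rewrite", msg


# Constructed sample: a newsletter with three service users visible in To:.
SAMPLE = """\
From: Newsletter <newsletter@clinic.example>
To: Alice Example <alice@mail.example>, bob@mail.example, "Carol" <carol@other.example>
Cc: Records <records@clinic.example>
Subject: Service update
Content-Type: text/plain; charset="utf-8"

Hello all,
"""

if __name__ == "__main__":
    decision, fixed = check_recipients(SAMPLE)
    print(decision)
    print("To:", fixed["To"], "| Cc:", fixed["Cc"], "| Bcc:", fixed["Bcc"])
```

In a real deployment this logic sits in the outbound gateway (a milter or content filter) and runs before the message leaves the organisation. The MTA strips the Bcc: header on delivery, so in rewrite mode the hidden recipients still receive the mail but cannot see one another, which is the whole point; the envelope recipients are untouched. Reject mode, paired with a bounce that explains the problem, is the better default where a human is there to fix the mistake, which is the prompt the Anonymous Coward further down describes users being shown.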

  7. chris 17 Silver badge

    Fines should be used to implement mandatory training and software

    Fines should be used to implement mandatory training and software solution to prevent this happening again.

    1. Duffaboy

      Re: Fines should be used to implement mandatory training and software

      Training? What's that? Oh, an unnecessary expense that was phased out years ago.

  8. Graham Anderson

    Not very hot on SSL either

    From 11 March to 8 May, the bookings site was running with an expired SSL cert. SSL Labs only gives them a Grade C.

  9. Ken Moorhouse Silver badge

    IT ASBO

    Rather than fining organisations is there some way to issue them with an IT ASBO? Make it so that their broadband is cut off and their domain names suspended until they have some kind of compliance audit of their ability to handle IT in a more appropriate manner.

  10. Anonymous Coward
    Anonymous Coward

    It happened before. It will happen again

    Posting anonymously for reasons below

    In 2012 my local GUM Clinic moved sites. The local admin (who I don't blame) did exactly the same. Forgot to BCC a list to all HIV patients telling them about the move. It was obvious looking at the list that this was the case. Most of the email addresses had real names embedded, some were people I knew. It was pretty easy to identify 70% of the list. The admin in this case was mortified and even called me personally as I knew her quite well having attended the clinic since 1996.

    I immediately took down my personal website as it had details about me and how to contact me.

    I complained to the local health authority central office and raised several concerns that I asked to be addressed including reporting the incident to the appropriate authority and the lack of data protection at the NHS.NET outbound gateway. I also asked that the local trust remove my email address from all of their records.

    After a pregnant pause of many weeks I received a letter offering me £200 to buy some new domains, rebuild my website and re-host my email. The letter also said they had removed my email address from all of their systems as requested. No comment on the other issues I had raised. To accept this I had to hand over my (personal) domains to the local health authority and sign a legally binding agreement that I would not discuss the matter with anyone.

    At this point I decided to not accept this "very generous" offer and to waste no more of my own time and taxpayers' money chasing idiots.

    Two months later I received an email (yes an email!) advising me that as I had not responded the matter was considered closed. Yes an email, the irony is huge.

    I guess the MTW Health Authority covered it up in house as there was never any fine as far as I could work out.

    1. Doctor Syntax Silver badge

      Re: It happened before. It will happen again

      "Two months later I received an email (yes an email!) advising me that as I had not responded the matter was considered closed."

      In the circumstances I'd have replied that they might consider the matter closed but I didn't and as they hadn't reported the incident to the DPA I would now do so.

  11. caffeine addict

    If the trust have said that most people on the list are HIV+, would that make this email libelous...? Or does "most" work like HIGNFY's "allegedly"?

    1. veti Silver badge

      It probably is libellous. Probably.

      But given that it costs hundreds of thousands of pounds to bring an action for libel, and you can't get legal aid for that expense, they're probably safe.

      (Incidentally, "allegedly" is just a running joke. It doesn't, in fact, make you magically immune from libel suits. It's the cost/benefit analysis that does that.)

  12. Anonymous Coward
    Anonymous Coward

    I know of one example where a good working mailing-list was replaced with a spreadsheet after management and one staff-member decided it was all "too difficult" and "technical" and butchered the operator.

    Sometimes you wonder....

    1. Anonymous Coward
      Anonymous Coward

      Ditto

      Yup seen that. The first time a user was correctly asked "You appear to have too many recipients in the "To" box. Should this email have been sent using "BCC"?", that user then decided that being asked a question introduced a level of complication they could not handle, and as such they then introduced their own email to resolve the issue, that simply did things without these bothersome checks.

      You can't train stupid. You also can't train anyone above you, if they can simply tell you "I don't want to use this, I am exempt from these restrictions".

  13. David Roberts

    NHS?

    Or is the NHS just carrying the can for the charity they contracted to do the work?

    If so it is possible that the charity doesn't have any proper IT infrastructure or professional mail server admins.

    1. Anonymous Coward
      Anonymous Coward

      Re: NHS?

      Having worked IT for the NHS - as one of many contractors - many clerical staff, in fact most non medical staff, were supplied by a resourcer.

      What may happen : swap one resource out for another.

      Easier than bringing it in house, easier than accountability, easier than negotiating contracts when the agency has supplied someone rubbish.

  14. Anonymous Coward
    Anonymous Coward

    Ownership

    So who ultimately carried the can? In reverse order of probability:

    - the user?

    - their manager?

    - the IT team, unfairly

    - The carpet (as in once fine dealt with, under the carpet it goes with changes or preventative measures)

    Answers on an email with all your friends' addresses in the To: field also, so I can sell your data.
