An NHS gender identity clinic has inadvertently shared the personal data of just under 2,000 service users in a mass email data breach.

The Charing Cross Gender Identity Clinic sent out two emails to separate mailing lists of patients about an art competition it is holding, with hundreds of patients CC’ed into each. The clinic later tried to recall the email but the error had already been noted by several recipients.

The Tavistock and Portman NHS Foundation Trust, which is responsible for the clinic, is now investigating.

A Tavistock and Portman NHS Foundation Trust spokesperson said: “We are currently investigating a data security incident.

“This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.

“We can confirm we are reporting this breach to the Information Commissioner’s Office as well as treating it as a serious incident within the Trust.”

Gender identity clinic leak and GDPR

In 2016 the Chelsea and Westminster Hospital NHS Foundation Trust was fined £180,000 after the details of nearly 800 patients who had attended the 56 Dean Street HIV clinic in Soho were inadvertently leaked.

Rather than using the BCC function when sending a group email, which hides email addresses from fellow recipients, addresses had been wrongly entered into the ‘To’ field. Of the 781 email addresses leaked, 730 contained the recipient’s full names.

With the introduction of 2018’s General Data Protection Regulation (GDPR), which can see organisations fined up to £18m or 4% of their annual global turnover for data breaches, Tavistock and Portman may be facing an even bigger fine.

Section 22 of the Gender Recognition Act also carries an unlimited fine for disclosing protected information about a person who has applied for a gender recognition certificate.

Tim Sadler, CEO of Tessian, highlighted the severity of the breach:

“This breach is a huge violation of GDPR, exposing incredibly sensitive, personally identifiable information and putting patients in a very vulnerable position. The ICO will undoubtedly investigate the incident and the clinic could be penalised for its misconduct.

3 Things That Will Change the World Today

“It is also incredibly concerning that these clinics are sharing highly sensitive, confidential patient data over a channel as risky and open as email. Email is certainly the number one form of communication used today but clinics should be employing stricter policies and technology solutions to stop patient data being leaked as a result of a simple mistake such as this.”


Read more: Sharing user data is “routine” for many health apps