Healthcare providers are failing to protect the privacy of people living with HIV, watchdog warns

Information Commissioner John Edwards has set out the regulator’s priorities (PA) (PA Archive)

Healthcare providers are failing to protect the privacy of people living with HIV, the UK’s data watchdog has warned.

The Information Commissioner’s Office (ICO) said it has had to issue fines worth thousands of pounds to organisations that released the details of people living with HIV.

Speaking with The Independent, Information Commissioner John Edwards said: “It is a huge problem [within healthcare] and it’s a disproportionate amount of our business.

“That’s partly because of the seriousness and the sensitivity of health information, the huge scale of the health sector and very many moving parts, with many opportunities for information to slip out as it moves from one place to another, and frankly, they’re just not doing well enough.”

In a warning issued on Tuesday, the watchdog highlighted a specific concern: HIV patients’ data being exposed through bulk emails in which staff placed every recipient in a visible address field rather than using the blind carbon copy (Bcc) function.

Mr Edwards told The Independent that the NHS and voluntary sector healthcare providers need improvements in technology, which will require investment in new systems of communication.

“I think there’s a lot of fairly low-tech solutions like storing stuff in spreadsheets,” he said, suggesting a more sophisticated approach is needed.

Healthcare providers accounted for a fifth of all personal data breaches reported in 2022-23.

According to the ICO, there have been 19 notifications of organisations providing healthcare services which have breached patients’ data since 2019. Seven of these have been in the last financial year.

In one case highlighted by the commissioner, the Young Men’s Christian Association (YMCA) of London was fined £7,500 after it sent emails intended for people on its HIV support programme to 264 recipients with every address in the visible copy field rather than in Bcc. This meant each recipient could see who else had received the mail.

The warning follows news that dating app Grindr faces lawsuits from hundreds of users alleging their private information, including HIV status, was shared without consent.

Last year The Independent revealed more than a million NHS patients’ details were compromised after a cyberattack on the University of Manchester.

Mr Edwards told The Independent his office is now also looking into how health services engage with artificial intelligence technologies that require personal data to train their systems.

He said: “A lot of care has to be taken because we’re seeing a significant number of challenges with people exercising their rights in relation to data held on generative AI systems.”

The Information Commissioner said: “People living with HIV are being failed across the board when it comes to their privacy and urgent improvements are needed across the UK. We have seen repeated basic failures to keep their personal information safe - mistakes that are clear and easy to avoid…

“We know from speaking to those living with HIV and experts in the sector that these data breaches shatter the trust in these services. They also expose people to stigma and prejudice from wider society and deny them the basic dignity and privacy that we all expect when it comes to our health.”

The ICO also reprimanded the trust NHS Highland last year over the same issue, after it bulk emailed 37 people likely to be accessing HIV services in a way that revealed the other recipients’ personal addresses.

In 2021 a charity called HIV Scotland was fined £10,000 for personal data breaches involving 65 people.

In August 2023 the ICO warned failure to use the blind copy feature when sending bulk emails is one of the most commonly recorded data breaches.
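The failure pattern behind the YMCA, NHS Highland and HIV Scotland cases is the same: a mailing list pasted into a visible address field. The example below, added here and not part of the article or any ICO guidance, shows that pattern in Python beside two safe alternatives (recipients only in Bcc, or one message per recipient) together with a check a sending script can run before anything leaves the organisation. The sender and recipient addresses are constructed for the example; nothing is actually sent.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: hypothetical service address and recipients.
SENDER = "hiv-support@example.org"
RECIPIENTS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient will see, i.e. the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def leaks_recipients(msg: EmailMessage) -> bool:
    """True when more than one address is exposed to every recipient.

    This is the pre-send guard: a bulk message to a sensitive service
    should never reveal who else is on the list.
    """
    return len(visible_recipients(msg)) > 1


def _base_message(sender: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def unsafe_bulk_message(sender, recipients, subject, body) -> EmailMessage:
    """The failure pattern in the ICO cases: the whole list in To."""
    msg = _base_message(sender, subject, body)
    msg["To"] = ", ".join(recipients)
    return msg


def bcc_bulk_message(sender, recipients, subject, body) -> EmailMessage:
    """One message; recipients only in Bcc, To points back at the sender."""
    msg = _base_message(sender, subject, body)
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return msg


def individual_messages(sender, recipients, subject, body) -> list[EmailMessage]:
    """Safest option: a separate message per recipient, no shared headers."""
    out = []
    for rcpt in recipients:
        msg = _base_message(sender, subject, body)
        msg["To"] = rcpt
        out.append(msg)
    return out


def envelope_and_wire(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Split a message into SMTP envelope recipients and the bytes to send.

    Bcc addresses belong only in the envelope (RCPT TO); the header must be
    removed before serialisation or every recipient receives the full list.
    """
    bcc = [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    rcpts = visible_recipients(msg) + bcc
    wire_msg = copy.deepcopy(msg)   # leave the caller's object untouched
    del wire_msg["Bcc"]
    return rcpts, wire_msg.as_bytes()


if __name__ == "__main__":
    bad = unsafe_bulk_message(SENDER, RECIPIENTS, "Support group", "Hello")
    good = bcc_bulk_message(SENDER, RECIPIENTS, "Support group", "Hello")
    print("unsafe message leaks recipients:", leaks_recipients(bad))
    print("bcc message leaks recipients:", leaks_recipients(good))
    rcpts, wire = envelope_and_wire(good)
    print("envelope recipients:", rcpts)
    print("Bcc header present on the wire:", b"Bcc:" in wire)
```

`smtplib.SMTP.send_message` strips the Bcc header itself before transmitting, but a script that serialises the message with `as_bytes()` and hands it to `sendmail` or to a third-party mail API gets no such help, which is why `envelope_and_wire` does the split explicitly and why `leaks_recipients` is worth running on every outgoing message regardless of how it was built.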