Out-Law / Your Daily Need-To-Know

Out-Law News

Clinic data leak shows how easy it is for organisations to be the subject of high profile breaches, says expert


The accidental disclosure of the names and email addresses of people who were sent an HIV information sheet by a sexual health centre shows how easy it is for organisations to be the subject of high profile data breaches, an expert has said.

The 56 Dean Street clinic in London mistakenly disclosed, in a single email, the details of 780 people who receive its HIV information sheet, according to a report by the BBC. The clinic has confirmed that it failed to ensure that the intended recipients were blind-copied (Bcc) on the email, so every recipient could see the other recipients' names and email addresses.
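The control that would have prevented this is mechanical rather than clever: a newsletter goes out with the subscribers in Bcc (or as one message per subscriber), and anything that would expose more than a handful of external addresses in To or Cc is refused before it reaches the mail server. The following is an added example of such a guardrail, not code from the clinic, the hospital, the BBC or Out-Law. The internal domain, the thresholds and the sample addresses are assumptions chosen for illustration.

```python
"""Outbound-mail guardrail for the failure mode described above: a list
mailing sent with every subscriber visible in To/Cc instead of Bcc.

Added example, not code from any organisation named in the article.
INTERNAL_DOMAIN, the sample addresses and the threshold are assumptions.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: anything outside this domain is an external recipient whose
# address must never be exposed to the other recipients of a mailing.
INTERNAL_DOMAIN = "example-clinic.test"


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def bulk_exposure_findings(msg: EmailMessage, max_visible_external: int = 1) -> list[str]:
    """Return the reasons this message must not be sent; an empty list means
    it passed. Refuses any message that would reveal more than
    `max_visible_external` external addresses to each other."""
    external = [a for a in visible_recipients(msg)
                if not a.endswith("@" + INTERNAL_DOMAIN)]
    findings = []
    if len(external) > max_visible_external:
        findings.append(
            f"{len(external)} external addresses visible in To/Cc; move them to Bcc")
    return findings


def build_bcc_newsletter(sender: str, subject: str, body: str,
                         subscribers: list[str]) -> EmailMessage:
    """Build a list mailing the safe way: only the sending mailbox appears in
    To, and every subscriber goes in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(subscribers)
    msg.set_content(body)
    return msg


def prepare_for_transport(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Compute the SMTP envelope recipients (To + Cc + Bcc) and return the
    bytes to transmit with the Bcc header removed, which is what
    smtplib.SMTP.send_message does. Returning both lets a caller verify
    that no Bcc address survives in the message body that recipients see."""
    raw = [str(h) for h in
           msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])]
    envelope = [addr for _, addr in getaddresses(raw) if addr]
    transmitted = copy.deepcopy(msg)
    del transmitted["Bcc"]
    return envelope, transmitted.as_bytes()


# Constructed sample data; none of these addresses or people are real.
SUBSCRIBERS = [
    "alice@mail.example",
    "bob@webmail.example",
    "carol@isp.example",
]


def unsafe_sample() -> EmailMessage:
    """The mistake: subscribers placed in To, so each sees all the others."""
    msg = EmailMessage()
    msg["From"] = f"newsletter@{INTERNAL_DOMAIN}"
    msg["To"] = ", ".join(SUBSCRIBERS)
    msg["Subject"] = "Service update"
    msg.set_content("Constructed newsletter body.")
    return msg


def safe_sample() -> EmailMessage:
    """The same mailing built with build_bcc_newsletter."""
    return build_bcc_newsletter(f"newsletter@{INTERNAL_DOMAIN}", "Service update",
                                "Constructed newsletter body.", SUBSCRIBERS)
```

The check inspects headers, so it only works where the mailing client or gateway sees the expanded list of addresses. If the message is addressed to a server-side group alias that expands after submission, as the clinic's own account of the incident suggests, header inspection cannot see the individual recipients; the group itself must then be configured to deliver to members individually (or to rewrite them into Bcc) rather than as a visible distribution.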

In a series of tweets it posted, the clinic said: "A newsletter about services at 56 Dean Street was sent to an email group rather than individuals. We are so sorry this has happened. We’ve contacted everybody who’s affected to apologise and offer support. 56 Dean Street wants to offer the best care possible. This error means we’ve not met our usual standards. Once again, we are very sorry that this has happened."

The Information Commissioner's Office (ICO) said it is aware of the 56 Dean Street data breach and is "making enquiries".

A review aimed at finding out how the breach happened and preventing similar breaches in future has already been launched by Chelsea and Westminster Hospital, which runs the Dean Street centre, a spokesperson for the hospital said, according to the BBC's report.

Data protection law expert Lucy Jenkinson of Pinsent Masons, the law firm behind Out-Law.com, said 'human error' is frequently the cause of data breaches.

"In our world where we send emails so often and sending them to multiple recipients is so effortless, the risk of this type of breach happening to organisations is high," Jenkinson said. "The reputational damage is bad enough. But the UK regulator, the Information Commissioner, can impose monetary penalties of up to £500,000 and any affected individual can take action in the courts for damage suffered or for damage and distress."

"However, if the new General Data Protection Regulation is agreed by EU law makers, organisations may be looking at being subject to much larger fines in future if they cannot satisfy the regulator that they have the appropriate technical and organisational measures in place to prevent such occurrences," she said.

Jenkinson said that the 56 Dean Street data breach also "demonstrates the need for organisations to have slick internal processes and procedures in place to be able to react to such breaches quickly".

This is so that they can "mitigate, if possible, any damage to affected individuals, prevent further occurrences, manage their reputation and consider reporting to any relevant regulators", she said.
