The gender identity clinic breached the email addresses of almost 2,000 service users. (Envato)
An NHS Gender Identity Clinic (GIC) in Charing Cross breached the email addresses of almost 2,000 transgender people who use its services today (September 6).
An email was sent to service users about an art competition, but instead of the email list being masked, recipients were able to see all of the email addresses that had been copied in.
Another email was then sent trying to recall the first, and the mistake was repeated.
Trans comedian and activist Shon Faye wrote on Twitter: “The Gender Identity Clinic in London just sent out a mass email to me with lots of other (patients’ ?!) email addresses visible in the address bar. What. The. F***. This is potentially a massive breach of patient confidentiality.”
She added: “On a personal note. I feel sorry for the staff member who sent the email. I hope they’re ok. This was an accident on their part. But the Trust should have ensured better compliance and confidentiality. It’s an institutional failing.”
The Gender Identity Clinic in London just sent out a mass email to me with lots of other (patients’ ?!) email addresses visible in the address bar. What. The. Fuck. This is potentially a massive breach of patient confidentiality @TaviAndPort
— shon faye. (@shonfaye) September 6, 2019
One former service user, Lines, told PinkNews: “I feel very bad for all the people whose details were dropped in this, especially people who unlike myself are relatively non-open about transition. Really could potentially put people in serious danger.
“I suspect a lack of funding doesn’t help – they are clearly understaffed.”
In 2016, the Chelsea and Westminster Hospital NHS Foundation Trust was hit with a £180,000 fine after 800 people had their HIV status exposed by a sexual health clinic via email.
However, this was before the introduction of European data law GDPR in 2018, meaning that a fine for Tavistock and Portman could be much more.
Violators of GDPR can be fined up to €20 million or four percent of their yearly turnover, whichever is greater.
It was reported on social media that the clinic had sent recipients of the email an apology, but some people who use the service are concerned about the effect of a fine on the already financially stretched clinic.
So after the big Gender Clinic breach, we have been sent an apology.
This is not good enough honestly, but this is the best they can do..
It’s clear they will be fined. But this is counterproductive as the fine will come from funds which would be used to treat us patients. pic.twitter.com/6P2EnKSsRZ
— Neon Genesis Estradiol ❤️?️?❤️ (@JessieKat96) September 6, 2019
One service user, who has used the Charing Cross GIC for four years, told PinkNews: “I’m pretty annoyed that they clearly have systematic issues with their admin side of things and I’m worried about that list falling into the wrong hands.
“I am more worried about the fact it’s likely they’ll be fined. Trans people’s data got leaked, and the way to fix that isn’t taking money from the already underfunded clinic we rely on.
“Like, none of us affected will see anything from this, but my appointment could be delayed if they have to lay off staff over a fine.”
A spokesperson for the Tavistock and Portman NHS Foundation Trust, which runs the clinic, told PinkNews: “We are currently investigating a data security incident.
“This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching.
“Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.
“We can confirm we are reporting this breach to the Information Commissioner’s Office as well as treating it as a serious incident within the Trust.”
The Charing Cross GIC is, according to its website, the largest and oldest gender clinic in the UK, dating back to 1966.