Five Years On From the 56 Dean Street Data Breach – What Have We Learnt?
The 2015 incident was a landmark data breach, yet companies still fail to adequately protect the data of their customers.
Aman Johal, Lawyer and Director of consumer action law firm Your Lawyers, explores the significance of the breach and what it means for the future of data security under GDPR.
In 2015, an email was sent from the 56 Dean Street Clinic in relation to its “Option-E” services that disclosed the names and email addresses of close to 800 patients using the clinic for HIV services. It is understood that the email was meant to BCC (Blind Carbon Copy) the recipients, so that each would receive it without seeing who else had been sent it, but the standard CC (Carbon Copy) function was used instead, exposing every address to every recipient.
The result was that the names and email addresses of patients using the clinic’s HIV services were disclosed without consent: a very serious breach of confidentiality that has caused substantial psychological harm to many of those affected.
With the fifth anniversary of this infamous and monumental breach recently passing, what lessons have been learnt, or should have been learnt, by now? And what are the rights of individuals involved in data breach events like this?
Unfortunately, data breaches containing highly sensitive healthcare data continue to take place at an alarming rate. When they do occur, they often cause a substantial degree of damage to those involved.
The 56 Dean Street data breach was particularly shocking because many of the recipients are living with HIV, and this incredibly personal and sensitive information was shared without consent. Many people know others on the list, and many of our clients have told us that they did not want their status shared with people they know or are acquainted with, let alone with the wider public.
The breach highlighted how an act as simple as sending an email can cause a monumental breach of personal and sensitive data. These kinds of events are often labelled as “human error” incidents, but we always look at the systemic failures that are the true and underlying cause of such events. This breach was completely avoidable. Mailing software that sends each recipient a separate message, or at least keeps the distribution list out of the visible To and CC fields, is readily available in the UK; that, or even adequate training, policies and procedures, could easily have averted the obvious risks of sending a bulk email to a patient list in such an archaic way.
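The control that was missing here is easy to show in code. The following is an added example, not the clinic's or any vendor's software: it builds outgoing messages with the Python standard library (without sending them, so it runs offline), rejects any message that would reveal more than one address in To or CC, and builds the same broadcast the two safe ways a mailing tool would (everyone in BCC, or one message per recipient). The sender address, the patient addresses and the `MAX_VISIBLE` threshold are constructed assumptions for illustration.

```python
"""Outbound-mail guard for the failure mode discussed above: a bulk message
whose recipients sit in To/Cc shows every address to every other recipient.

Added example, not the clinic's or any vendor's software. Standard library
only; messages are built, checked and returned, never sent.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (fictional addresses), not from the incident.
SENDER = "clinic@example.com"
PATIENT_LIST = [
    "patient-one@example.com",
    "patient-two@example.com",
    "patient-three@example.com",
]
# Assumed policy: an outgoing message may reveal at most one address
# (normally the sender's own, in To). Anything larger must use Bcc or
# be split into one message per recipient.
MAX_VISIBLE = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: To and Cc. Bcc is excluded."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_outgoing(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> None:
    """Raise ValueError if the message would reveal more than max_visible
    addresses. A send hook or mail gateway applying this rule would have
    stopped the 2015 email, whose patient addresses sat in Cc."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise ValueError(
            f"refusing to send: {len(seen)} addresses visible in To/Cc "
            f"(limit {max_visible}); use Bcc or one message per recipient"
        )


def is_blocked(msg: EmailMessage) -> bool:
    """True if check_outgoing would reject the message."""
    try:
        check_outgoing(msg)
    except ValueError:
        return True
    return False


def _base_message(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_broadcast_cc(recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The 'before' case: the whole list in Cc, so everyone sees everyone."""
    msg = _base_message(subject, body)
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    return msg


def build_broadcast_bcc(recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Minimal fix: the list goes in Bcc. The sending MTA strips Bcc before
    delivery, so recipients see only the To address (the sender's own)."""
    msg = _base_message(subject, body)
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    check_outgoing(msg)
    return msg


def build_broadcast_individual(recipients: list[str], subject: str, body: str) -> list[EmailMessage]:
    """What proper bulk-mail tooling does: one message per recipient, each
    addressed only to that person, so no distribution list ever appears in
    any header. Each message is checked before it is returned."""
    out = []
    for rcpt in recipients:
        msg = _base_message(subject, body)
        msg["To"] = rcpt
        check_outgoing(msg)
        out.append(msg)
    return out


if __name__ == "__main__":
    bad = build_broadcast_cc(PATIENT_LIST, "Service update", "Hello")
    print("Cc broadcast blocked:", is_blocked(bad), visible_recipients(bad))
    good = build_broadcast_individual(PATIENT_LIST, "Service update", "Hello")
    print("individual messages:", [visible_recipients(m) for m in good])
```

The point of `check_outgoing` is that it refuses rather than silently rewriting headers: the sender learns why the message was rejected, and the rule can be enforced at the mail gateway regardless of which client or mailbox the staff member used. Of the two safe builders, per-recipient sending is the stronger one, because the full list never appears in any header that could be mishandled downstream.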
Despite the precedent that this breach ought to have set, we continue to see breaches that are easily avoidable, and they hit the headlines all the time. A breach practically identical to the one at 56 Dean Street happened in 2019, when a member of staff at The Charing Cross Gender Identity clinic accidentally CC’d patients into an email, exposing the personal details of almost 2,000 people. Your Lawyers represent clients for cases arising from this breach as well, with some of the patients having suffered serious harm from their personal healthcare information being exposed.
How another breach like this has happened again – in this sector and in practically identical circumstances – is bewildering.
It is clear that organisations continue to fail to understand the value of privacy and how sensitive such data is, yet these serious breaches are relatively easy to avoid. The correct technology, training, policies and procedures must be in place to prevent recurrences of the 56 Dean Street breach. The sharing of this kind of data can have a serious impact on patient health and wellbeing, and such events may also deter people from seeking the vital help they need.
Organisations must prioritise data protection at all times. As incidents like the 56 Dean Street data breach show, everyone must understand the vital importance of keeping sensitive information private.
Victims’ rights and financial implications
Due to the timing of this breach, the sexual health clinic was not bound by the GDPR, which organisations must now adhere to; the case was dealt with under the Data Protection Act 1998, and the Information Commissioner’s Office fined the clinic’s operator, Chelsea and Westminster Hospital NHS Foundation Trust, £180,000. Had this breach occurred a few years later, the fine could have been much larger, as organisations in breach of the GDPR can now be fined up to €20 million, or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.
Victims affected by a data breach have the right to claim compensation if the information that has been exposed and/or misused leads to any form of distress or financial harm. In the case of the 56 Dean Street data breach, claimants most seriously affected are likely to receive damages of up to £30,000, with claims assessed on individual merit in terms of the impact on the person.
The sensitivity of healthcare data means that compensation amounts can often be higher than those where it is personal data alone that is exposed or misused, but context is important. Incidents like the British Airways data breach, where payment card data was exposed, can cause serious distress from the threat of fraud, or from financial losses arising from actual fraud. Even in cases like the Virgin Media data leak, where personal information was accessible online without any security, victims can be exposed to fraud and theft, which can lead to higher distress awards.
It is important that all organisations adhere to strict data protection regulations. People around the country put faith in organisations to keep their personal information private, and every organisation has a duty to adhere to privacy legislation to keep data safe.
The 56 Dean Street data breach resulted in significant distress and it was an easily avoidable incident. The lessons learnt for all organisations should be obvious and easily actionable but, five years on, data breaches continue to be a regular occurrence. In our view, this is clear evidence that lessons are simply not being learnt, especially when we continue to see identical incidents taking place in the healthcare sector and beyond.