Ever put a bunch of names in the Cc field of an email when they were supposed to go in the Bcc field?
Chances are the worst you got were a few curt emails from disgruntled recipients who didn’t want their details displayed to one and all. For some poor worker at one of the U.K.’s leading sexual health clinics, however, the same mistake has made a lot of people extremely upset and could land the clinic with a hefty fine.
Here’s what happened: Each month, the Dean Street Clinic in central London sends out a newsletter to around 780 of its patients. The message provides the latest information on things like support services and available treatments.
You know what’s coming. Instead of copying and pasting the email addresses into the Bcc field to keep them hidden from the recipients, they were pasted instead into the Cc field. This meant everyone who received the email could see the full name and email address of everyone else on the list.
According to the BBC, data breaches like this could result in a fine of up to £500,000 ($765,000).
“I couldn’t breathe”
One man with HIV who’s been a patient at the clinic since 2010 told the BBC he “felt sick” when he realized what’d happened.
“I first saw the email at work but ignored it as I was busy, I then looked at it on the way home from work. I couldn’t breathe.”
He added, “I’m concerned who will get this information. If it ends up in the hands of the wrong people, such as hate groups, it could be dynamite.”
Soon after the health center realized the serious confidentiality breach, it set up a helpline and sent out an email of apology to those affected. It called the incident “completely unacceptable” and urged the recipients to delete the email “immediately.”
The apology continued, “We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again.”
The clinic insisted that “not everyone” on the list was HIV positive, though initial media reports appeared to suggest otherwise. The confusion prompted a number of concerned recipients to contact the clinic for clarification regarding their true status.
Defending the health center, patient Rob Sherrard told the Guardian it would be “tragic” if the incident took away from “all the amazing work” that the clinic does.
He added, “It’s human error and could have happened to anyone. I hope the individual responsible will be forgiven.”
- Here’s where to watch 2018’s Oscar nominees online
- The flu is poking holes in hospital cybersecurity, and a shot can’t save you
- This Virginia distillery just released a beer-finished whisky
- Hawaii just fired the person who sent that false missile alert
- How an Oregon man’s fight for traffic camera fairness reached a federal court