NHS email blunder reveals names of HIV patients

Posted on September 3, 2015 at 11:56 am Written by

Yesterday afternoon, 56 Dean Street, a GUM and HIV clinic which is part of the Chelsea and Westminster NHS Foundation Trust, sent out a newsletter to its HIV positive patients. The problem? Rather than using the “BCC” field to protect patient identities when sending out their “OptionE” newsletter, they left every one of the 780 patients’ contact details in the “To” field. This means everyone who received this email now has contact details (name and email address) for the clinic’s 779 other HIV positive patients.

At 13:05 yesterday, the clinic then attempted to use Microsoft Outlook’s ‘recall’ feature – which only compounded the situation by sending out the full list of email addresses and names a second time. At 14:27 the patients received a third email, this time sent correctly (albeit with typos), with an apology from Dr Alan McOwan, stating that they were “urgently investigating” how the blunder happened and promising to send the patients the outcome of the investigation.

Email marketing is one of the most powerful marketing tools available but only when it’s done right. And as 56 Dean Street has clearly demonstrated, using your standard email account (e.g. Outlook, Hotmail or Gmail) to send mass messages is not the right way to do it.
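The failure described above has a simple technical shape: every recipient address was placed in a header that the other recipients can read, and a “recall” re-sent the same headers. The following is an added example, not NewZapp’s code or the clinic’s, showing how a mailing can be built so that no recipient ever sees another, together with a pre-send guard that refuses any message exposing more than one address. It assumes a caller-supplied `deliver` callable (for instance a thin wrapper around `smtplib.SMTP.send_message`) and uses constructed sample addresses.

```python
"""Mass-mail builder that never exposes one recipient to another.

Added example; not NewZapp's or the clinic's code. `deliver` is assumed to be
any callable taking (EmailMessage, envelope_recipients), e.g. a wrapper
around smtplib.SMTP.send_message. No network access is needed to run this.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list for the demonstration; not real people or addresses.
SAMPLE_RECIPIENTS = [
    "patient-a@example.invalid",
    "patient-b@example.invalid",
    "patient-c@example.invalid",
]
SENDER = "newsletter@example.invalid"  # constructed


def visible_recipients(msg):
    """Return every address a recipient could read from the To/Cc headers.

    Bcc is deliberately not included: a correctly built message carries
    recipients only on the SMTP envelope, never in a header that is delivered.
    """
    pairs = []
    for header in ("To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return [addr for _name, addr in pairs if addr]


def build_per_recipient_messages(sender, recipients, subject, body):
    """One message per recipient, each addressed only to that person.

    Even a later 'recall' or re-send of one of these messages can only repeat
    the single address it already carried.
    """
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append((msg, [rcpt]))
    return messages


def build_undisclosed_message(sender, recipients, subject, body):
    """Single message with the real recipients only on the envelope (BCC style).

    The To header names the sender itself, so the delivered headers reveal
    nobody else on the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def safe_send(deliver, msg, envelope_rcpts, max_visible=1):
    """Hand the message to the transport only if it exposes at most one address."""
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        raise ValueError(
            f"refusing to send: {len(exposed)} addresses visible in To/Cc headers"
        )
    deliver(msg, envelope_rcpts)
    return len(envelope_rcpts)


def send_newsletter(deliver, sender, recipients, subject, body):
    """Send one message per recipient through the guard; returns messages sent."""
    total = 0
    for msg, rcpts in build_per_recipient_messages(sender, recipients, subject, body):
        total += safe_send(deliver, msg, rcpts)
    return total


def leaky_message_is_rejected(deliver):
    """Reproduce the mistake (everyone in To) and confirm the guard blocks it."""
    bad = EmailMessage()
    bad["From"] = SENDER
    bad["To"] = ", ".join(SAMPLE_RECIPIENTS)  # the clinic's error, reconstructed
    bad["Subject"] = "Newsletter"
    bad.set_content("body")
    try:
        safe_send(deliver, bad, SAMPLE_RECIPIENTS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    outbox = []
    collect = lambda msg, rcpts: outbox.append((msg, rcpts))  # stand-in transport
    print("sent:", send_newsletter(collect, SENDER, SAMPLE_RECIPIENTS, "Newsletter", "body"))
    print("leaky message rejected:", leaky_message_is_rejected(collect))
```

The guard is the important part: a per-recipient or envelope-only build is only safe if nothing upstream can reintroduce a populated To/Cc list, so the check runs on the final message object immediately before it reaches the transport.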

NewZapp takes the security of its customer data extremely seriously. Each NewZapp account is accessed via a secure 128-bit encrypted link using an individual username and password. Once logged on to the system it is impossible for a user to access data belonging to another customer. We regularly test our application security by several methods including SQL injection attack, session spoofing, URL manipulation and even brute force.

The NewZapp server architecture itself consists of a private LAN segment within a network facility protected by a Cisco firewall. All customer data is stored on a fully patched Microsoft SQL Server cluster which is non-public facing – the only access to the server is via secure VPN link or directly from the NewZapp application itself.

As a Data Controller we are bound by the Data Protection Act and are therefore obligated to take all necessary means to protect the data that we hold on behalf of our customers. This ensures that nobody can access data that they are not granted permission for and there’s no way for you to accidentally send out an email displaying the personal data of other recipients.

At NewZapp, if you have fewer than 1,000 email addresses, you can send up to 6 times a month and it’s completely FREE! Yes, you can enjoy all of the security features mentioned above, and because we are a UK company, the data is held in the UK for your sole use and it costs nothing.

If 56 Dean Street had a free NewZapp account then this whole disaster could have been avoided. #justsaying
