A data breach by NHS Highland – exposing confidential names and email addresses of 37 people with HIV – is being probed by a national independent watchdog set up to uphold information rights.
The health authority has apologised for revealing the personal details of the 37 recipients to each other in an email that was distributed to invite patients to a support group run by Raigmore Hospital’s sexual health service.
Organisations have 72 hours to report a breach to the Information Commissioner’s Office should it pose a risk to people’s rights and freedom.
A spokesman for NHS Highland confirmed the authority had lodged a report into the breach of confidential information, believed to have been caused by human error.
An ICO spokesperson said: “We have received a report from the Highland Health Board and we will assess the information provided.”
When the data breach was identified, a spokesman for the health authority said: “NHS Highland deeply regrets that this breach of confidentiality has happened and we have contacted patients individually to apologise.
“As per normal procedure, a formal internal review is being conducted to understand how this has happened and to consider any steps to avoid this happening in the future.”
Nathan Sparling, chief executive of the HIV Scotland charity, said: “When you are dealing with a group of people who are living with the most stigmatised health condition there is, confidentiality is of the uttermost importance.”
The ICO is the UK’s independent body set up to uphold information rights.
It is a non-departmental public body which reports directly to Parliament and is sponsored by the department for digital, culture, media and sport.
The ICO’s office in Edinburgh provides a local point of contact for members of the public and organisations based in Scotland.
As well as operating an advice service to address general enquiries, it promotes good practice in data protection by raising awareness of organisational responsibilities across all sectors.
It also influences policy in related areas by working closely with the departments of the Scottish government and the wider public sector.
Scotland has its own Information Commissioner who regulates the Freedom for Information (Scotland) Act which covers Scottish public authorities.
The main focus of the Scottish office is data protection, for which the ICO is the sole regulatory body in Scotland.