YMCA Fined for Data Breach, ICO Raises Concerns About Privacy for Peop

The Information Commissioner’s Office (ICO) has called for stronger protections for people living with HIV who are being denied “basic dignity and privacy” by repeated data breaches that disclose their HIV status.

This comment comes as the ICO has fined the Central YMCA £7,500 for a data breach that affected  people living with HIV.

The YMCA breach saw emails intended for those on a HIV support program sent to 264 email addresses using carbon copy (CC) instead of blind carbon copy (BCC), revealing the email addresses to all recipients.

The ICO said 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV.

The fine was initially recommended to be £300,000, but this was subsequently reduced in line with the ICO’s public sector approach to fines.

Jacquie Richardson, Chief Executive of Northern Ireland HIV charity, Positive Life, said, “This warning from the Information Commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”

Adam Freedman, Policy, Research & Influencing Manager at National AIDS Trust, was also supportive of the ICO’s decision and said strong regulatory action is needed when organizations breach protection of HIV status.

BCC a Blind Spot for Data Protection

The ICO has previously issued fines or reprimands for data breaches affecting people living with HIV to charity HIV Scotland and health board NHS Highland. Both of these data breaches were due to mistakes in using BCC emails for sensitive communications.

In 2023, the ICO issued a warning to organizations to use replacements to the BCC email function when sending emails containing sensitive personal information. At the time, the ICO said that failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019.

The health sector accounted for over a fifth of all personal data breaches in 2022/2023, making it the most common source of reports to the ICO.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button