[BreachExchange] HIV Scotland fined £10,000 for BCC email blunder identifying names of virus-carriers' patient-advocates

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Oct 25 11:51:54 EDT 2021


https://www.theregister.com/2021/10/25/hiv_scotland_email_fail/

The United Kingdom's data watchdog is calling on organisations to review
their "bulk email practices" after a BCC blunder by HIV Scotland incurred a
£10,000 fine for breaking data protection regulations.

The case pertains to an email that was sent to 105 individuals on the
Community Advisory Network (CAN) list, which is made up of
patient-advocates "from across Scotland to represent the full diversity of
people living with HIV". In the offending chain, all of the email addresses
were visible to all recipients and some 65 were people identified by name.

The Information Commissioner's Office (ICO), which investigated the
February 2020 email event, said that from the personal information exposed,
assumptions could be made about the people's HIV status or risk.

The charity had bought a MailChimp account in July 2019 and told the ICO
[PDF] the system it had previously had in place for storing data had been
poor, involving a "variety of different Excel spreadsheets that individual
staff controlled."

It said it had migrated a number of lists to "provide the necessary
functionality for bulk messages to be sent in a more secure manner."
Unfortunately, HIV Scotland had not yet switched over the CAN list.

On 3 February last year, HIV Scotland hit send on an email – relating to an
event about to take place – via Microsoft Outlook, relaying the missive to
105 folk on the CAN. Instead of opting for the Blind Carbon Copy feature,
it used Carbon Copy.

After the subsequent investigation, the ICO said it found "shortcomings" in
the charity's email processes, ranging from "inadequate staff training,
incorrect methods of sending bulk emails by blind carbon copy and an
inadequate data protection policy."

"All personal data is important but the very nature of HIV Scotland's work
should have compelled it to take particular care," said Ken McDonald, head
of ICO Regions. "This avoidable error caused distress to the very people
the charity seeks to help."

"I would encourage all organisations to revisit their bulk email policies
to ensure they have robust procedures in place," he added.

HIV Scotland was penalised with a £10,000 fine under section 155 of the
Data Protection Act 2018. It fully migrated all of its lists to MailChimp
in late February 2020 and checked its SharePoint server to ensure no
personal data was stored separately from the secure mailing lists. Staff
have since undertaken online training.

"The Commissioner takes the view from her investigation that this breach
occurred primarily as a result of serious deficiencies in HIV Scotland's
technical and organisational measures," the ICO concluded.

The Register has asked HIV Scotland to comment.

This latest debacle follows another BCC blunder just last week by NHS
Digital in which it copied the entirety of the invite list of messages
about a "Let's Talk Cyber" breakfast briefing. No, the irony wasn't lost on
us.