YMCA Fined for Data Breach, ICO Raises Concerns About Privacy
The Information Commissioner’s Office (ICO) has called for stronger protections for people living with HIV who are being denied “basic dignity and privacy” by repeated data breaches that disclose their HIV status.
This comment comes as the ICO has fined the Central YMCA £7,500 for a data breach that affected people living with HIV.
The YMCA breach saw emails intended for those on an HIV support program sent to 264 email addresses using carbon copy (CC) instead of blind carbon copy (BCC), revealing the email addresses to all recipients.
The ICO said 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV.
The fine was initially recommended to be £300,000, but this was subsequently reduced in line with the ICO’s public sector approach to fines.
🆕 People living with HIV are being denied “basic dignity and privacy” by repeated data breaches that disclose their HIV status.
John Edwards has condemned data protection standards at health services and called for urgent improvements: https://t.co/y0C8x0GGAD
— ICO – Information Commissioner’s Office (@ICOnews) April 30, 2024
Jacquie Richardson, Chief Executive of Northern Ireland HIV charity, Positive Life, said, “This warning from the Information Commissioner should remind all of us that someone’s HIV status requires sensitivity and discretion at all times.”
Adam Freedman, Policy, Research & Influencing Manager at National AIDS Trust, was also supportive of the ICO’s decision and said strong regulatory action is needed when organizations breach protection of HIV status.
BCC a Blind Spot for Data Protection
The ICO has previously issued fines or reprimands for data breaches affecting people living with HIV to charity HIV Scotland and health board NHS Highland. Both of these data breaches were due to mistakes in using BCC emails for sensitive communications.
In 2023, the ICO issued a warning to organizations to use alternatives to the BCC email function when sending emails containing sensitive personal information. At the time, the ICO said that failure to use BCC correctly is consistently within the top 10 non-cyber breaches, with nearly a thousand reported since 2019.
The health sector accounted for over a fifth of all personal data breaches in 2022/2023, making it the most common source of reports to the ICO.