The ICO has just issued a reprimand to NHS Highland for a serious breach of trust arising from failure to use BCC when emailing potential users of a service.
The facts relate to contact with HIV service users of NHS Highland. The email sent by NHS Highland accidentally used CC instead of BCC when emailing a group of 37 HIV service users. This meant that every recipient could see the email addresses of all the other people contacted about the service.
One recipient confirmed that they were able to identify four people known to them from the email addresses. Failure to use BCC correctly when sending group emails is consistently in the top 10 non-cyber breaches, with around 1,000 reports to the UK ICO since 2019; it is also one of the most easily avoided breaches.
“Organisations must ensure they have appropriate technical and organisational measures in place to keep personal data secure and ensure that it is not disclosed inappropriately or accidentally to others. Taking the NHS Highland email breach as an example: while human error can and does occur, with the right technical measures in place this breach may have been avoided, and the risk of a breach with potentially serious consequences for the data subjects could have been mitigated.”
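As an added illustration of the kind of technical measure the quote above refers to (example code written for this page, not NHS Highland's or the ICO's), here is a pre-send check that flags an outbound message exposing more addresses in To/Cc than a policy threshold allows. The threshold, the placeholder addresses and the hook point (a mail client send hook or submission gateway) are assumptions.

```python
# Added example (not NHS Highland's or the ICO's code): a pre-send check that
# catches the CC-instead-of-BCC mistake before a group email leaves the org.
# Assumptions: a mail client send hook or submission gateway (hypothetical)
# calls check_visible_recipients() and blocks or quarantines on "block".
from email import message_from_string
from email.utils import getaddresses

# Assumed policy: more than this many addresses exposed in To/Cc on one
# message is treated as a probable bulk send that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def _addresses(msg, header):
    """Lower-cased, de-duplicated addresses from every instance of a header."""
    pairs = getaddresses(msg.get_all(header, []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_visible_recipients(raw_message, limit=MAX_VISIBLE_RECIPIENTS):
    """Classify an outbound RFC 5322 message for visible-recipient exposure."""
    msg = message_from_string(raw_message)
    # To and Cc are delivered to every recipient; Bcc is not. The Bcc header
    # is only present at the submitting client, so a gateway would count
    # envelope recipients instead (assumption about the deployment point).
    visible = sorted(set(_addresses(msg, "To") + _addresses(msg, "Cc")))
    hidden = _addresses(msg, "Bcc")
    verdict = "block" if len(visible) > limit else "allow"
    reason = (f"{len(visible)} addresses exposed in To/Cc exceeds policy limit "
              f"of {limit}; move recipients to Bcc" if verdict == "block"
              else "visible recipient count within policy")
    return {"verdict": verdict, "visible": len(visible),
            "hidden": len(hidden), "reason": reason}


# Constructed samples: the same service notice sent the wrong way (Cc) and
# the right way (Bcc). Addresses are placeholders, not real recipients.
_HEADERS = "From: clinic@example.org\nTo: clinic@example.org\nSubject: Clinic update\n"
_GROUP = ", ".join(f"user{i}@example.com" for i in range(1, 7))
SAMPLE_CC_MESSAGE = _HEADERS + f"Cc: {_GROUP}\n\nDear service user, ...\n"
SAMPLE_BCC_MESSAGE = _HEADERS + f"Bcc: {_GROUP}\n\nDear service user, ...\n"

if __name__ == "__main__":
    for name, raw in (("cc", SAMPLE_CC_MESSAGE), ("bcc", SAMPLE_BCC_MESSAGE)):
        print(name, check_visible_recipients(raw))
```

The same logic can be expressed as a mail-flow or DLP rule in most gateways; the point is that the check runs before delivery, not after.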