I've been curious to see how this one transpired - shocked to hear that the same trust made a similar mistake in 2010 when emailing a questionnaire to multiple patients in connection with their treatment.
56 Dean Street, a Soho-based sexual health clinic, offered a service to patients with HIV to receive test results and make appointments by email. Patients using the service also received an occasional newsletter. A small number of people who received the newsletter did not have HIV. An error meant that anyone receiving the September newsletter could see the email addresses of all the other recipients. Addresses had been wrongly entered into the ‘to’ field instead of the ‘bcc’ field, and 730 of the 781 email addresses contained people’s full names. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined £180,000 after the ICO found there had been a serious breach of the Data Protection Act, which was likely to have caused substantial distress.