#privacy: UK gender identity clinic exposes patient details

A London gender identity clinic has exposed the personal details of almost 2,000 transgender patients.

The Charing Cross Gender Identity Clinic sent patients an email about a competition whilst accidentally cc’ing hundreds of others. Subsequently, the email revealed hundreds of patient’s name and email addresses. 

Two seperate emails had been sent, both cc’ing about 900 people each. 

The clinic attempted to recall the message, but by then it was too late and the error had been noticed. 

The Tavistock and Portman NHS Foundation Trust, which run the clinic, are investigating the incident. A spokesperson for both said: “We can confirm we are reporting this breach to the Information Commissioner’s Office as well as treating it as a serious incident within the Trust.”

One patient told the BBC how angry she was: “It could out someone, especially as this place treats people who are transgender.”

LGBT campaigner Shon Faye, who was also copied into the email from the clinic tweeted that it was “potentially a massive breach of patient confidentiality.”

 “I feel sorry for the staff member who sent the email. I hope they’re OK. This was an accident on their part. But the Trust should have ensured better compliance and confidentiality. It’s an institutional failing.” 

In 2016, the NHS Trust was fined £180,000 after a sexual health centre had leaked the email details of nearly 800 patients who had been diagnosed with HIV. In this particular case, a newsletter had been sent out and had included the names and email addresses of patients by mistake. 

Steve Wright, CEO of Privacy Culture commented:

“This data is classified as Sensitive Personal Data (Medical) and therefore should have had more controls applies. This unfortunately is another example of poor process and technology control.”

“Insufficient training and lack of user process in this case could potentially lead these individuals into taking out legal action under GDPR against this organisation, not to mention the fine they will receive from the ICO.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.