Information governance breach

A practice sent an email to 500 patients with their addresses visible to all recipients

The scene

A GP practice sent out a survey to 500 patients by email. Very soon afterwards, a number of patients complained that the email had been sent in such a way that everyone who received it could see the email addresses of all other recipients.

The practice manager contacted the MDU for advice, having already established that the cause of the problem was a human error: the staff member concerned had forgotten to check that the email would be 'blind copied' to recipients. The practice had already designed a checklist, including a new requirement that future mass emails would be double-checked by a second staff member.

MDU advice

The adviser recommended that the practice write to all recipients of the email to apologise and explain what had gone wrong, set out what was being done to prevent similar incidents in future and provide an opportunity for people to complain. The adviser assisted with the letter and recommended further, individual responses to all who had already complained or did complain, addressing their particular concerns. The adviser also recommended that the practice hold a significant event review to discuss and disseminate the learning from this incident and inform the Local Area Team of NHS England about what had happened.

Serious information governance breaches must also be reported to the Information Commissioner (ICO). The Health and Social Care Information Centre provides guidance, available on the ICO website, which includes a checklist for determining the seriousness of incidents according to the scale of the breach and the sensitivity of the information. All organisations processing health and adult social care personal data are required to use the Information Governance (IG) Toolkit Incident Reporting Tool to report serious incidents to the ICO, Department of Health and other regulators.


The practice reported the incident and the ICO noted that a significant number of people were involved but sensitive medical information had not been disclosed. In addition, the ICO noted that the incident had resulted from human error and steps had been taken by the practice to inform and apologise to those affected, and measures put in place to try and prevent recurrence. No further action was taken by the ICO.

Dr Catherine Wills
Medico-legal adviser

This page was correct at publication on 10/01/2014. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.