The UK's National Health Service was issued a £180,000 (about $260,000) fine on Monday for mistakenly leaking the names of more than 700 HIV patients.
In September 2015, the 56 Dean Street clinic, a sexual health clinic in London's Soho area, sent out a newsletter that revealed the email addresses of HIV patients to one another, the BBC reported at the time. The addresses had been copied into the "to" field of the email, instead of the "bcc" field, which obscures the names of recipients from one another.
The Information Commissioner's Office, which serves as the UK's data protection watchdog, investigated the breach and found that a similar mistake had been made in 2010. It issued a fine to the NHS Trust responsible for the clinic, which will be paid to the government.
"The clinic served a small area of London, and we know that people recognised other names on the list, and feared their own name would be recognised too," said Information Commissioner Christopher Graham in a statement. "That our investigation found this wasn't the first mistake of this type by the Trust only adds to what was a serious breach of the law."
"We fully accept the ruling of the ICO for what was a serious breach and we have worked to ensure that it can never happen again," Zoe Penn, director of Chelsea and Westminster NHS Trust, said in a statement. "I reiterate my apology to all those that were affected by this incident."
Update 12:49 p.m. UK: Added statement from the Chelsea and Westminster NHS Trust.