An investigation has been launched after an NHS clinic mistakenly revealed the identity of almost 800 patients who had attended HIV services.
The 56 Dean Street clinic in London's Soho sent out a newsletter to patients on a group email, rather than to individuals.
A spokesman for the sexual health clinic, which is part of the Chelsea and Westminster NHS trust, said the mistake was caused by "human error".
The clinic and others in the trust’s network make up Europe’s biggest sexual health service.
The error means patients who have attended HIV clinics at Dean Street were able to read the names and email addresses of other patients.
The spokesman said: “We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients.
“We have immediately contacted all the email recipients to inform them of the error and apologise.”
Elliot Herman (38), from London, told the Guardian the email contained the names of friends who had never disclosed their HIV status to him before.
"It's not difficult to put those names into Facebook and bring up their profiles and personal details," he said.
He said if his details were on the list he would “feel angry and disappointed at the clinic”.
The spokesman for the clinic said it was not accurate to say all the patients on the list were HIV positive.
The newsletter was sent to about 780 patients who had signed up to the clinic’s OptionE service, which lets people book appointments and receive test results by email.
An internal investigation into what happened has been launched.
According to the Guardian, an email apology from Alan McOwan, Chelsea and Westminster Hospital NHS Trust's director for sexual health, was sent to patients after the breach on Tuesday.
It said: “I’m writing to apologise to you. This morning at around 11.30am we sent you the latest edition of OptionE newsletter.
“This is normally sent to individuals on an individual basis but unfortunately we sent out today’s email to a group of email addresses. We apologise for this error.
“We recalled/deleted the email as soon as we realised what had happened. If it is still in your inbox please delete it immediately.
“Clearly this is completely unacceptable. We are urgently investigating how this has happened and I promise you that we will take steps to ensure it never happens again. We will send you the outcome of the investigation.”
The Information Commissioner’s Office (ICO) can levy fines of thousands of pounds for significant data breaches.
Online magazine beyondpositive said it had been contacted by patients.
It said the clinic had tried to rectify its mistake by using Microsoft Outlook's recall feature, which sent out the full list of email addresses and names a second time.
This was followed up by the email from Dr Alan McOwan.
One patient told the website: “56 Dean Street have a service called Option E — that’s for patients who prefer to book appointments and get results via email.
“They send a regular email newsletter to their patients, keeping them updated.
“However, yesterday, instead of putting a batch of several hundred or so email addresses in the BCC box, they put them in the to box, thereby revealing the people’s full names and email addresses to every other recipient; and, of course, because they’re all Option E customers, we also now know their HIV status.
“This is serious breach of data protection. There are several names I recognise from the list and while I am of course being discreet, I am not sure I trust every other person on the list to do the same.”