What Your Brand Can Learn from the Bloomsbury Patient Network Data Breach

by Victor Green

Key takeaways

  • Bloomsbury Patient Network accidentally placed 56 members’ names and addresses in the email “To” field, exposing them to a 200-member contact list.
  • The UK Information Commissioner’s Office (ICO) fined the organization £250 for the breach.
  • Similar incidents exist: Chelsea and Westminster NHS emailed HIV test results of 800 people to its entire mailing list, showing this is not isolated.
  • Root cause: a simple workflow error (To vs BCC), plus general quality oversights like typos, can cause major privacy breaches.
  • Immediate safeguards: double- and triple-check emails before sending, use BCC for mass mailings and reduce typos/quality issues.
  • Compliance step: familiarize yourself with applicable laws and consider engaging email marketing experts.

Introduction

Data breaches in the world of email marketing are almost always major news stories – and the Bloomsbury Patient Network event from December 18th is no exception to this rule. In fact, with the personal information of over 56 members of this HIV support group affected by the inbox blunder, this leak stands as one of the most damaging such occurrences in quite some time. To give you an idea of the backlash surrounding this email marketing faux pas – as well as ensure that your brand never falls prey to the same mistakes – here’s a complete review of the Bloomsbury Patient Network breach.

What Happened with the Bloomsbury Patient Network?

According to Kat Hall of The Register, this United Kingdom based support group created a massive confidentiality breach during the routine rollout of its periodic email marketing newsletter. More specifically, the team behind the Bloomsbury Patient Network accidentally copied the names and addresses of 56 of its subscribers into the “To” field of the message – and not in the “BCC” portion of the email template.

While this might not seem like much of a problem initially, this simple mistake exposed private information about these patients to the rest of the 200-member contact list. After a quick review of the situation, the Information Commissioner’s Office (ICO) – Britain’s leading authority on consumer privacy and data regulation – fined this organization £250 for this data transgression.

What makes this incident even more concerning is the fact that it stands as the latest in a series of email marketing missteps regarding healthcare information in the region. In a piece from September, Alexander J. Martin – also of The Register – reported that the Chelsea and Westminster NHS Foundation Trust emailed HIV test results of 800 members of its mailing list to its entire base of subscribers.

Why This Story Matters to Your Organization

While these stories originate from our neighbors on the other side of “The Pond,” there are still plenty of important lessons to be learned from such incidents. First off, it only takes one simple mouse click to completely remove the barrier of privacy that separates the members of your contact list from one another.

Additionally, thanks to increased oversight from regulators such as the ICO, legislation such as Canada’s Anti-Spam Legislation (CASL), and other governing bodies, the penalties for exposing private information or otherwise overstepping your brand’s boundaries in the inbox continue to grow. Don’t believe it? A quick look at the official CASL site shows that organizations caught bending its privacy or data usage rules can expect a fine of up to $10 million for their wayward operations.

In other words, even if you can trace the root of your infraction to an honest mistake, the team behind this set of email marketing guidelines is more than willing to penalize your business to the fullest if it feels that you have put the rights of the user at risk during your outreach operations.

Making Sure You Don’t Follow in the Footsteps of the Bloomsbury Patient Network

So how can you safeguard your brand from this unwanted – and clearly costly – outcome? For starters, use incidents like the one perpetrated by the Bloomsbury Patient Network as learning experiences that cover what not to do during your time in the inbox.

In this case, always double- and triple-check your emails before pressing the “Send” button. Failing to do so is an easy way to let something little, like listing your contacts in the “To” field and not the “BCC” portion of the message, slip through the cracks. As an added bonus, enacting this kind of thorough strategy also ensures that the threat of typos and other quality issues remains at a minimum as your brand tries to make a positive impression via its email marketing operations.
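Manual double-checking is the article’s advice; a complementary control is to have the sending tool refuse a mass mailing whose recipient list is visible. The following Python pre-send guard is an added example written for this page, not code from the article or from the Bloomsbury Patient Network. It inspects the “To” and “Cc” headers of an outgoing message, flags anything beyond a single visible address, and builds bulk messages with the list in “Bcc” only. The recipient addresses and the sender address are constructed sample values, and the one-visible-address limit is an assumed policy.

```python
"""Pre-send guard for bulk mailings: refuse messages that expose the recipient list.

Added example (not from the article). Addresses below are constructed samples.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a mass mailing may show at most one address in To/Cc
# (typically the sender's own or a generic list address); everyone else goes in Bcc.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data for the demonstration.
SENDER = "newsletter@example.invalid"
SAMPLE_RECIPIENTS = [
    "alice@example.invalid",
    "bob@example.invalid",
    "carol@example.invalid",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the delivered message (To and Cc)."""
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(header_values) if addr]


def check_bulk_message(msg: EmailMessage) -> list[str]:
    """Return a list of problems; an empty list means the message is safe to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(visible)} addresses are visible in To/Cc; move them to Bcc"
        )
    if not visible and not msg.get_all("Bcc"):
        problems.append("message has no recipients at all")
    return problems


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a mass mailing the safe way: only the sender is visible, the list is in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                    # the only visible recipient is ourselves
    msg["Bcc"] = ", ".join(recipients)    # the list stays hidden from other recipients
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# The mistake described in the article: the whole list pasted into "To".
UNSAFE_EXAMPLE = EmailMessage()
UNSAFE_EXAMPLE["From"] = SENDER
UNSAFE_EXAMPLE["To"] = ", ".join(SAMPLE_RECIPIENTS)
UNSAFE_EXAMPLE["Subject"] = "Newsletter"
UNSAFE_EXAMPLE.set_content("Hello everyone")

# The corrected form produced by the helper above.
SAFE_EXAMPLE = build_bulk_message(SENDER, SAMPLE_RECIPIENTS, "Newsletter", "Hello everyone")


if __name__ == "__main__":
    for label, candidate in (("unsafe", UNSAFE_EXAMPLE), ("safe", SAFE_EXAMPLE)):
        issues = check_bulk_message(candidate)
        print(f"{label}: {'OK to send' if not issues else '; '.join(issues)}")
```

Run `check_bulk_message` as the last step before handing the message to the mail transport and abort on a non-empty result. Note that when the message is actually sent with `smtplib.SMTP.send_message`, the standard library strips the `Bcc` header from the transmitted copy, which is what keeps the list hidden; if you serialize the message yourself, confirm the `Bcc` header is removed before it leaves your system.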

Outside of keeping an eye out for the little mistakes that turn into big problems, don’t be afraid to connect with a team of email marketing experts if you have any questions about what is or isn’t acceptable in the inbox. Yes, familiarizing yourself with the exact wording of CASL and other pertinent legislation is definitely a crucial part of the process, but it doesn’t hurt to have a team with years of experience and insight on your side as you navigate the sometimes confusing and turbulent waters of these rules and regulations.

With these concepts leading the way, as well as a willingness to learn from any other email marketing issues and missteps that pop up in the future, there’s no reason why your brand has to follow in the footsteps of the Bloomsbury Patient Network and other organizations that didn’t quite place a high enough priority on consumer privacy and the protection of sensitive data.

FAQ

What happened in the Bloomsbury Patient Network email breach?

During a routine newsletter rollout the Bloomsbury Patient Network accidentally copied 56 subscribers’ names and addresses into the “To” field instead of using BCC, exposing their information to a 200-member contact list.

How many people had their information exposed and who saw it?

The breach exposed personal information for 56 members and those details were visible to the organization’s 200-member contact list.

What penalty did the ICO impose for the Bloomsbury Patient Network breach?

The Information Commissioner’s Office fined the organization £250 following its review of the incident.

What simple email mistakes commonly lead to privacy breaches like this one?

Common errors include placing contacts in the “To” field instead of BCC for mass mailings, failing to double-check messages before sending and allowing typos or other quality issues to slip through.

What immediate steps should organizations take to avoid this type of email privacy breach?

Double- and triple-check emails before sending, use BCC for mass distributions, minimize typos and quality issues and treat past incidents as learning experiences to improve procedures.

Should my organization consult email marketing experts or rely only on reading legislation like CASL?

Familiarize yourself with CASL and other relevant laws and consider consulting email marketing experts with experience and insight to navigate confusing regulations.

What financial risk does CASL pose for organizations that expose private information?

Organizations caught breaching CASL’s privacy or data-usage rules can face fines of up to $10 million.

Are breaches like Bloomsbury Patient Network isolated incidents?

No. There’s another example where Chelsea and Westminster NHS emailed HIV test results for 800 people to its entire mailing list, indicating repeated types of email marketing missteps in the sector.
