Former PM’s wife in email error
Former prime minister’s wife Dr Mary English ‘‘apologised profusely’’ for an error made by her receptionist at her Kelburn medical practice that revealed her patients’ identities to one another.
English wrote to patients of her Wellington practice, Kelburn GPs, explaining that a group email sent on Tuesday ‘‘was mistakenly entered in the ‘To’ rather than the correct ‘BCC’ line’’, leaving the email visible to all recipients. The group email, sent to 133 of English’s patients, included many full names in the email addresses.
Ironically, the initial email was notifying patients they would no longer be using ‘‘ordinary email’’ to communicate with them because it was ‘‘not regarded as secure enough for private health communication between GPs and their patients’’.
In another email, sent two days later, English, , who is married to Sir Bill English, ‘‘apologised profusely’’ for the error.
‘‘My receptionist informed me about this error straight away and we have reinforced with her the policy of using BCC only.’’
Yesterday, English said the email’s recipients were promptly advised of the mistake and reassured appropriate steps had been taken to ensure the mistake would not be repeated.
‘‘It was a generic, administrative group email,’’ she said.
‘‘Unfortunately, their email addresses were placed in the ‘To’ line instead of the ‘BCC’ line.’’
A spokesman for the Privacy Commissioner said he had not been made aware of Kelburn GPs’ email privacy breach.
‘‘There’s no compulsion for the agency to tell us under the current Privacy Act. Breach notification is currently voluntary.’’
However, proposed changes to the Privacy Act would have required Kelburn GPs to notify the office of the Privacy Commissioner of the breach, he said.
Human error was the most common cause of data breaches and failure to BCC was the email breach the office of the Privacy Commissioner was most contacted about.
‘‘We do recommend that organisations and businesses make sure they have systems which prevent the likelihood of this happening.’’
In the majority of such cases, the information disclosed was usually nothing more than email addresses, which were ‘‘at the less serious end of the range of personal information’’, the spokesman said.
‘‘While there may be a possibility of harm to an individual resulting from this particular breach – given that it would reveal the identities of other patients who use the practice – it is more likely that this breach is also at the less serious end.’’
If an individual felt harmed by the breach, they could complain to the Privacy Commissioner’s office.