A Reading GP clinic has sent out almost 300 private email addresses in a "massive data breach" which has led to an NHS review.

An email was sent out by South Reading & Shinfield Group Medical Practice on Wednesday, inviting recipients to a Patient Participation Group Meeting on November 17. 

The sender had carbon copied (CCd) 288 email addresses into the invitation, but had neglected to put them into blind CC (BCC). 

As the recipients of the email did not know each other, the inclusion of the email addresses in normal CC created the risk of revealing personal data to those who should not have it or do not need it, which may amount to a personal data breach. 

One of the recipients replied to say: "Probably not the best to have everyone's email public here. I'm replying all just to let people know."

Another responded to say: "Not sure if the service is aware but this is a MASSIVE data breach."

After these replies were sent, recipients received another email saying that the Patient Participation Group Meeting had been cancelled.

Patients at South Reading & Shinfield Group Medical Practice received an email from the clinic on Thursday apologising for the breach, which the clinic said was “a result of human error”.

Adeline Fleming, Practice Manager at South Reading & Shinfield Group Medical Practice, said: “We are having a Patient Participation Group meeting and wanted to invite patients for you to be able to access the meeting online without coming to the premises.

“Upon being made aware of the data breach, a number of immediate actions were taken: We sought advice from our Data Protection Officer to ensure that our actions to resolve this incident were thorough and appropriate; the Teams Calendar invite was cancelled and deleted; our IT Team was contacted to ensure and assist in recalling the invitation.

“This incident was raised internally as a significant event in the organisation; we have reviewed our procedure for sending emails to patients; the data breach will also be reported on the NHS Data Security and Protection Toolkit incident reporting tool and the ICO is automatically notified if required.

“Please be assured that we continue to take data security and confidentiality very seriously. We have a robust system in place to manage and learn from significant events. This incident will be discussed at a future significant event review meeting.”

A similar mistake was made by the outsourcing company Serco, which accidentally revealed the email addresses of 300 people who were training to assist the Government's "track and trace" service in May 2020, at the beginning of the Coronavirus pandemic.

The breach occurred after a member of staff wrote an email to the recipients asking them not to contact the help desk for information on their training, but all of the personal email addresses were listed in the CC section, rather than in the BCC section. That meant the personal email addresses of all the fellow trainees were clearly visible to all who received the email.

At least one employee reported the breach to the Information Commissioner's Office (ICO) but the firm was not fined.