by jdietrich 2556 days ago
In the UK, the data regulator fined a small organisation £180,000 ($230,000) for exactly the same mistake on a list with 781 recipients. The organisation was a specialist sexual health clinic and the newsletter was for patients with HIV.

Without knowing the details, I can't say whether a €2000 fine was disproportionately onerous or a slap on the wrist.

https://www.businessinsider.com/nhs-trust-fined-for-leaking-...

5 comments

It's worth noting that that fine was made under the Data Protection Act 1998 (implementing the Data Protection Directive), which is what was in force before the GDPR became law.

The ICO might well consider a similar breach worthy of a bigger fine now.

With such sensitive information they should really avoid CC/BCC and do it manually, or write a script for sending 1 email at a time. Not because CC/BCC is bad, but because you want to be 100% sure to dodge this kind of problem.
And the fine will make sure you remember to do that in future!
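The one-message-per-recipient approach suggested above, as an added example that is not code from the thread: each recipient gets their own envelope, and a guard refuses to hand over any message whose visible To/Cc headers would disclose the list. The sample addresses and the `send_fn` hook are constructed for illustration.

```python
"""Send a list mailing as one message per recipient, so no recipient can see
another address, and detect the CC-instead-of-BCC mistake before sending.
Added example; recipient addresses below are constructed, not real."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List

# Constructed sample list. In the incident discussed above the list held
# patient addresses, which is why one shared To/Cc header was a data breach.
SAMPLE_RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_individual_messages(sender: str, recipients: Iterable[str],
                              subject: str, body: str) -> List[EmailMessage]:
    """Return one EmailMessage per recipient; only that recipient is in To."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt  # exactly one visible recipient per message
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can read in delivered headers (To and Cc).
    Bcc is deliberately not counted: it is stripped before delivery."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def discloses_list(msg: EmailMessage) -> bool:
    """True when more than one address is visible, i.e. the list would leak."""
    return len(visible_recipients(msg)) > 1


def send_individually(messages: List[EmailMessage],
                      send_fn: Callable[[EmailMessage], None]) -> int:
    """Pass each message to send_fn (e.g. an SMTP client's send_message);
    refuse the whole batch as soon as one message would disclose the list."""
    sent = 0
    for msg in messages:
        if discloses_list(msg):
            raise ValueError(
                f"refusing to send: {len(visible_recipients(msg))} visible recipients")
        send_fn(msg)
        sent += 1
    return sent
```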

It's almost like laws can work.

That'll be part of why they got the fine. One component of GDPR is taking reasonable steps to avoid leaking personal data, and as you pointed out relying on someone remembering to bcc rather than cc is asking for trouble.
Not just that. Health data is considered especially sensitive by the GDPR, so sharing it is a more serious transgression than simply sharing personally identifiable information in general.
The details are that some of the most sensitive medical information you could imagine got leaked. Huge, huge violation. Even in the US HIV status is extremely confidential.
The details on the 2000 euro fine?
No, the big one.
Details on the 2k€ fine: the guy used his mailing list for harassment; the 2k€ fine would likely have also been issued prior to the GDPR, as German privacy law is fairly strict.
HN tangent: This is a great example of where the oft-touted wildcards on a personal domain fall short: if you're on that list, you're outed. Even without your name on it; only you use that domain.

This is where Outlook with their *@outlook.com and Apple's new system really do shine.

Commiserations to those affected :(

Wildcards are a measure to track what others are (automatically) doing with your email address, provide a way to remove yourself from shared lists of bad actors, and sign up to something a dozen times. What they don't do is provide privacy against human eyes.
I've been wondering how this sort of email management strategy is going to handle the rules certain countries are bringing in now where if you want to go there then you have to provide a list of all of your email addresses and social media accounts. Has anyone run into that problem yet?
Yes, my email address is "usa-border@mydomain.com"