A London gender identity clinic has mistakenly exposed details of close to 2,000 people on its email list.
The Charing Cross Gender Identity Clinic sent patients an email about an art competition, with hundreds of others CC-ed in.
The clinic later tried to recall the message but the error had already been noticed.
The Tavistock and Portman NHS Foundation Trust, which is responsible for the clinic, is investigating.
Two separate emails were sent, with about 900 people CC-ed on each.
One patient at the clinic, Jessie, told the BBC she was angry about what had happened.
"It could out someone, especially as this place treats people who are transgender," she said.
A spokesman for the Tavistock and Portman NHS Foundation Trust said: "We are currently investigating a data security incident.
"This incident involved an email from our patient and public involvement team regarding an art project.
"Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.
"We can confirm we are reporting this breach to the Information Commissioner's Office as well as treating it as a serious incident within the Trust."
A spokeswoman for the ICO said: "Tavistock and Portman NHS Foundation Trust has made us aware of an incident and we will assess the information provided."
In 2016, an NHS Trust was fined £180,000 after a sexual health centre mistakenly leaked the details of nearly 800 patients who had attended HIV clinics.
In that case, the 56 Dean Street clinic had sent a group email without using the BCC function, which obscures other recipients in the mailing list.
The incident took place before the introduction of the General Data Protection Regulation (GDPR), which can see organisations fined up to €20 million (£18m) or 4% of their annual global turnover.