The Bloomsbury Patient Network provides information and support for people who are HIV-positive.
But twice in 2014, staff emailed up to 200 members at a time without obscuring other patients’ email addresses.
The Information Commissioner’s Office (ICO) said it had levied a fine that would not cause “financial hardship”.
In February 2014, a member of staff at the Bloomsbury Patient Network emailed up to 200 patients who were HIV-positive.
The email addresses were entered into the “To” field, meaning they were visible to everybody who received the email.
Instead, email addresses should have been entered into the “BCC” field, which would have obscured them from other recipients.
In May 2014, the same member of staff repeated the error.
The ICO said 56 of the 200 email addresses contained the full or partial real names of patients.
It also noted that the Bloomsbury Patient Network (BPN) had received five complaints.
Considering the subject matter of the email message, it ruled that was a serious breach of data protection laws.
But the amount of the fine was mitigated by the “significant impact on BPN’s reputation as a result of this security breach”. The BPN has not commented.
Another HIV support group, 56 Dean Street, in London, made the same mistake with an email sent in September 2015.
It exposed the names and email addresses of 780 people when a newsletter was issued.
The ICO told the BBC its investigation into that incident was continuing.
Fines for breaches of data protection can reach £500,000.
“No matter how big or small an organisation is, when dealing with sensitive information, policy, procedure, training, and supervision must be in place to reduce the probability of human error occurring,” said Shaun Griffin, executive director of external affairs for Terrence Higgins Trust, an HIV charity which was not implicated in the ICO ruling.
“Incidences such as these are rare, and should not put anybody off getting a test for HIV. Nearly one in six people with HIV does not realise they have it,” he said.