where a sender has misused the 'BCC' field
I'm not sure I'd say that it was misused; that seems to be unfairly stigmatising the BCC. It's more like they simply didn't use it, leading to the obvious information exposure.
I have the same thing at work. Email notification about stuff. Sent from somebody to somebody else, with dozens of names in the CC field (including some personal addresses for people like me who don't have a work account).
I did try to "educate" them, so the response was to mail me separately... when they remembered. So I gave up, and am happy that I gave them a specific email address.
This sort of thing should be mandatory training for everybody that deals with email, especially in these GDPR days...