
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach.

According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges.

Rather than using an email group or the BCC field to mask patients’ email addresses, the sender added every address to the ‘To’ field. Consequently, the email addresses of more than 700 patients were revealed to everyone who received the mailshot.

The error only revealed the email addresses of patients, many of whom would not have been easily identifiable from their email addresses. However, any patient who was identifiable from their email address would also have had their status as a patient of Rutland Regional Medical Center disclosed to other individuals. The email also suggests that the recipient had recently been discharged from hospital, something patients may have wished to remain private.

Peg Bolgioni, a spokesperson for Rutland Regional Hospital, issued a statement apologizing for the error and privacy breach. She said that as soon as staff were alerted to the mistake, the mailing was terminated. An investigation into the incident has been launched to determine how the error was made.

Errors such as this may not warrant HIPAA violation penalties and are unlikely to elevate the risk of patients experiencing identity theft and fraud, although there is potential for the disclosed email addresses to be misused.

Email addresses can be used to send phishing emails and other malicious messages. For instance, malicious individuals could send phishing emails impersonating the hospital in an attempt to gather further information to commit fraud.

Incidents such as this can all too easily occur as a result of poor training or human error. It is important for healthcare organizations to ensure that staff members are properly trained and that policies and procedures are implemented to prevent errors from resulting in patient privacy violations.
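A technical control can back up training by catching the ‘To’ field exposure described above before a mailing leaves the organization. The following Python example is added here and is not code from the article or the hospital: it flags any message whose To/Cc headers expose more addresses than a policy limit, and rewrites a bulk message into one copy per recipient. The limit of 5, the function names and the `.example` addresses are assumptions constructed for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # assumed policy limit, not a figure from the article


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc headers, never Bcc."""
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    # Lower-case and de-duplicate so the same mailbox is counted once.
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def check_exposure(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Return (ok, reason); a send script or gateway holds the message when ok is False."""
    seen = visible_recipients(msg)
    if len(seen) > limit:
        return False, f"{len(seen)} addresses visible in To/Cc (limit {limit})"
    return True, "ok"


def split_per_recipient(msg):
    """One copy per recipient, each showing only that recipient's own address."""
    copies = []
    for addr in visible_recipients(msg):
        single = copy.deepcopy(msg)
        for header in ("To", "Cc", "Bcc"):
            del single[header]  # deleting an absent header is a no-op
        single["To"] = addr
        copies.append(single)
    return copies


def build_sample(n, header="To"):
    """Constructed sample mailing with n made-up recipients in the given header."""
    msg = EmailMessage()
    msg["From"] = "surveys@hospital.example"
    msg[header] = ", ".join(f"patient{i}@mail.example" for i in range(n))
    msg["Subject"] = "Discharge paperwork survey"
    msg.set_content("Please tell us what you thought of your discharge paperwork.")
    return msg


if __name__ == "__main__":
    print(check_exposure(build_sample(700)))         # held: 700 visible addresses
    print(check_exposure(build_sample(700, "Bcc")))  # passes: nothing visible
    print(len(split_per_recipient(build_sample(12))), "individual messages")
```

A check like this belongs in the mailing script or at the outbound mail gateway, so that it applies regardless of which mail client staff use.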

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
