Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error
Michigan Medicine is notifying more than 3,600 patients of an impermissible disclosure of a limited amount of their protected health information.
In early September 2018, the Michigan Medicine Development Office launched a fundraising campaign that involved sending letters to a large number of its patients. A third-party vendor was contracted to print the letters for the mailing and while many of the letters were printed correctly, an error was made by the printing company that resulted in an impermissible disclosure of certain patients’ personal information.
According to Michigan Medicine, the error was introduced when the printing company installed new software. As a result of the error, a proportion of the letters contained information that was intended for other Michigan Medicine patients and did not match the name and address on the outside of the envelope.
Since this was a fundraising mailing, the letters did not contain any medical information, Social Security numbers, financial data, or other highly sensitive information. Patients affected by the error had their name, address, and in some cases email address and contact telephone number, disclosed to another Michigan Medicine patient.
The error was detected by Michigan Medicine on September 4, 2018, and prompt action was taken to alert the vendor to the error to prevent any further impermissible disclosures of patient information.
“Patient privacy is extremely important to us, and we take this matter very seriously,” said Jeanne Strickland, Michigan Medicine chief compliance officer. “Michigan Medicine took steps immediately to investigate this matter.”
As an additional measure to prevent similar breaches, Michigan Medicine’s Development Office will be using window envelopes for future mailings, eliminating the need to match envelopes with letters.
The mailing error was a reportable breach under HIPAA, and the Department of Health and Human Services’ Office for Civil Rights (OCR) was notified well inside the 60-day reporting deadline. The breach summary on the OCR website indicates 3,624 patients were affected by the incident.