
Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach.

According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges.

Rather than an email group or the BCC field being used to mask patients’ email addresses, the addresses were added to the ‘to’ field. Consequently, the email addresses of more than 700 patients were revealed to all who received the mailshot.

The error only revealed the email addresses of patients, many of whom would not have been easily identifiable from their email addresses. However, any patient who was identifiable from their email address would also have had their status as a patient of Rutland Regional Medical Center disclosed to other individuals. The email also suggested that the recipient had recently been discharged from hospital, something patients may have wished to remain private.


Peg Bolgioni, a spokesperson for Rutland Regional Hospital, issued a statement apologizing for the error and privacy breach. She said that as soon as staff were alerted to the mistake, the mailing was terminated. An investigation into the incident has been launched to determine how the error was made.

Errors such as this may not warrant HIPAA violation penalties and are unlikely to elevate the risk of patients experiencing identity theft and fraud, although there is potential for the disclosed email addresses to be misused.

Email addresses can be used to send phishing emails and other malicious messages. For instance, malicious individuals could send phishing emails impersonating the hospital in an attempt to gather further information to commit fraud.

Incidents such as this can all too easily occur as a result of poor training or human error. It is important for healthcare organizations to ensure that staff members are properly trained and that policies and procedures are implemented to prevent errors from resulting in patient privacy violations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.