Some breaches are not as bad as HHS's breach tool might suggest
In my recent recap of new additions to HHS’s public breach tool, I noted an incident involving Summit Community Care Clinic. My summary of the breach log was:
Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information.
It turns out that the “hacking/IT incident” was an e-mail gaffe that resulted in 921 patients’ e-mail addresses being in the TO: field instead of the BCC: field for an invitation to a monthly patient advisory meeting. The clinic issued a press release at the time, which they have sent to PHIprivacy.net:
On July 22, 2013, a staff member of Summit Community Care Clinic sent an e-mail to patients inviting them to a Patient Advisory Committee. In addressing the e-mail, the staff person mistakenly placed recipients e-mail addresses in the “To” section of the e-mail as opposed to the “Bcc” section. This meant that all of the recipients of the e-mail were able to see all of the e-mail addresses of the other recipients. This error represented a breach of patient privacy.
HIPAA requires that a breach of this nature be immediately reported to patients who may have been impacted. Part of that notification includes a press release to local media within 60 days of the date of the breach. On July 23, 2013, all patients were notified via e-mail that the breach occurred. Additionally, a report was made to the Federal Health and Human Services Department regarding the breach. The protected information that was released was limited to e-mail addresses. No other protected health information was released.
Patient privacy is critically important to all Summit Community Care Clinic staff as well as our Board of Directors. If any person impacted by the breach would like more information or has questions regarding this incident, please feel free to contact the clinic directly at (970)668-4049 or by writing our Board of Directors at P.O. Box 4337, Frisco, CO 80443.
They have also sent PHIprivacy.net a copy of the patient notification letter, which reads:
If you are receiving this e-mail, you also recently received an invitation to our Patient Advisory Committee. These invitations are sent to clinic patients to encourage participation and feedback regarding the quality of our services. The normal protocol for sending these e-mails is to enter the e-mail addresses under the Blind CC or “Bcc” category so that no e-mail addresses are visible to any other recipient. In the e-mail sent on July 22, our staff person mistakenly put the addresses in the “To:” section, which made the addresses visible to other recipients. The protected information that was made visible was your e-mail address. No other protected health information was released.
This was a mistake and a breach of your patient privacy. We are deeply sorry that this mistake occurred. Patient privacy is critically important to all clinic staff as well as our Board of Directors. We have notified the Department of Health and Human Services of our mistake. We are also notifying all of you, so that you are aware of what occurred. If you would like more information or have question regarding this incident, please feel free to contact me directly or to contact our Board of Directors at P.O. Box 4337, Frisco, CO 80443.
In e-mail to PHIprivacy.net, their Chief Executive Officer noted that several hundred of the e-mails came back undeliverable, “but if even one patient saw the 921 e-mails, it was a breach of PHI for all 921 patients.”
Nice notification and response, Summit Community Care Clinic.