Email Message Accidentally Exposes of Patient Information
Who: University Hospitals Rainbow Babies & Children’s Hospital
# of Accounts Breached: About 840 patients
What was affected: An employee emailed a message to a group of patients, inadvertently allowing the recipients to see each other’s email addresses
When it happened: February 28, 2019
How it happened: UH said the employee, who has not been publicly identified, sent an email to a “select group of patients or their parents/guardians containing personally identifiable information” on Feb. 28. The employee accidentally listed all of the recipients of the message in the “to” field, making their email addresses visible to everyone else included in the email, the news release said.
Outcome: UH launched an internal investigation the same day the email was sent and said the employee’s actions “violated UH policies and procedures.”
When asked if the employee was disciplined, UH spokesman George Stamatis said, “The employee was sanctioned in a manner deemed appropriate for the violation.” UH mailed letters to each individual included in the email notifying them of the unauthorized disclosure of patient information. The employee email was related to a new departmental billing policy. The system also plans to provide additional training to staff on electronic communication with patients, according to the news release.