Michigan Medicine is sending notification letters to 3,600 patients regarding the impermissible disclosure of some of their protected health information (PHI). The Michigan Medicine Development Office conducted a fundraising project and mailed letters to a number of its patients in early September 2018. A third-party vendor printed the letters for mailing. The majority of the letters were printed correctly, but errors in some of them caused the impermissible disclosure of a number of patients’ personal information.
Michigan Medicine stated that the mailing error resulted from the printing firm's installation of new software. As a result, the information printed in some patients’ letters did not match the name and address printed on the envelopes.
Since the letters were intended for a fundraising project, they contained no medical information, Social Security numbers, financial account details, or other highly sensitive information. The only patient information disclosed to other Michigan Medicine patients was the names, email addresses, addresses and phone numbers of a number of patients.
Michigan Medicine found out about the mailing error on September 4, 2018 and immediately alerted the third-party vendor to discontinue the mailing and stop the impermissible disclosure of patient information. Michigan Medicine's chief compliance officer, Jeanne Strickland, said that patient privacy is extremely important to the hospital and that, for this reason, it investigated the breach right away.
To prevent similar breaches, Michigan Medicine’s Development Office decided to use envelopes with windows for future mailings, which removes the need to match the information printed on the letters to the envelopes. Under HIPAA, a mailing error is deemed a breach that needs to be reported. Michigan Medicine submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovering the breach. The breach summary published on OCR’s website indicated that the data breach affected 3,624 patients.