University mailing reveals patient treatment info
A quality improvement survey project at the University of Wisconsin-Madison campus in July resulted in a data breach when postcards that contained protected health information were mailed to about 1,000 participating patients.
Because the protected health information of more than 500 individuals was released in the mailing, the university was required to notify the Office of Civil Rights for the Department of Health and Human Services.
The university sent a mailing in envelopes to ask people to participate in a survey. A week later, a second mailing was sent to the same group, but this time on a postcard that contained the patient’s name. That was not a HIPAA violation, because it was no different than other mailings that contain a name and address, according to the university.
The problem with the postcard was that it referred to prescription medications and family planning services related to the recipient, which is a HIPAA violation.
In a notification letter, the university noted it has no indication that information on the postcards has been misused.
The university is not offering credit monitoring or identity theft protection services “because there was no financial or personally identifying data that was improperly shared,” a university representative said.
Since the incident, the university has added additional levels of reviews for direct mailings and is re-educating employees on patient mailing procedures.