DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Some breaches are not as bad as HHS's breach tool might suggest

Posted on September 23, 2013 by Dissent

In my recent recap of new additions to HHS’s public breach tool, I noted an incident involving Summit Community Care Clinic. My summary of the breach log was:

Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information.

It turns out that the “hacking/IT incident” was an e-mail gaffe that resulted in 921 patients’ e-mail addresses being in the TO: field instead of the BCC: field for an invitation to a monthly patient advisory meeting. The clinic issued a press release at the time, which they have sent to PHIprivacy.net:

On July 22, 2013, a staff member of Summit Community Care Clinic sent an e-mail to patients inviting them to a Patient Advisory Committee. In addressing the e-mail, the staff person mistakenly placed recipients e-mail addresses in the “To” section of the e-mail as opposed to the “Bcc” section. This meant that all of the recipients of the e-mail were able to see all of the e-mail addresses of the other recipients. This error represented a breach of patient privacy.

HIPAA requires that a breach of this nature be immediately reported to patients who may have been impacted. Part of that notification includes a press release to local media within 60 days of the date of the breach. On July 23, 2013, all patients were notified via e-mail that the breach occurred. Additionally, a report was made to the Federal Health and Human Services Department regarding the breach. The protected information that was released was limited to e-mail addresses. No other protected health information was released.

Patient privacy is critically important to all Summit Community Care Clinic staff as well as our Board of Directors. If any person impacted by the breach would like more information or has questions regarding this incident, please feel free to contact the clinic directly at (970)668-4049 or by writing our Board of Directors at P.O. Box 4337, Frisco, CO 80443.

They have also sent PHIprivacy.net a copy of the patient notification letter, which reads:

Dear Patient:

If you are receiving this e-mail, you also recently received an invitation to our Patient Advisory Committee. These invitations are sent to clinic patients to encourage participation and feedback regarding the quality of our services. The normal protocol for sending these e-mails is to enter the e-mail addresses under the Blind CC or “Bcc” category so that no e-mail addresses are visible to any other recipient. In the e-mail sent on July 22, our staff person mistakenly put the addresses in the “To:” section, which made the addresses visible to other recipients. The protected information that was made visible was your e-mail address. No other protected health information was released.

This was a mistake and a breach of your patient privacy. We are deeply sorry that this mistake occurred. Patient privacy is critically important to all clinic staff as well as our Board of Directors. We have notified the Department of Health and Human Services of our mistake. We are also notifying all of you, so that you are aware of what occurred. If you would like more information or have question regarding this incident, please feel free to contact me directly or to contact our Board of Directors at P.O. Box 4337, Frisco, CO 80443.

In e-mail to PHIprivacy.net, their Chief Executive Officer noted that several hundred of the e-mails came back undeliverable, “but if even one patient saw the 921 e-mails, it was a breach of PHI for all 921 patients.”

Nice notification and response, Summit Community Care Clinic.


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Texas Enacts Electronic Health Record Data Localization Law
Category: Health Data

Post navigation

← Clark & Anderson accounting firm notifies thousands after unencrypted backup drive stolen from employee’s car
Oh, those hidden fields in Excel spreadsheets: Columbia University Medical Center notifies students of breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Hungarian police arrest suspect in cyberattacks on independent media
  • Two more entities have folded after ransomware attacks
  • British institutions to be banned from paying ransoms to Russian hackers
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
  • Inquiry launched after identities of SAS soldiers leaked in fresh data breach
  • UK sanctions Russian cyber spies accused of facilitating murders
  • Michigan ‘ATM jackpotting’: Florida men allegedly forced machines to dispense $107K

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • Uganda orders Google to register as a data-controller within 30 days after landmark privacy ruling
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.