Oops. It appears that somehow, Berkeley Endocrine Clinic had spam sent to a number of its patients. Trying to address that, they sent out an email to all patients. Unfortunately, as Dr. Omar Murad explains, the patients’ names and email addresses showed in the TO: field:
“On April 22, 2016, my office was subject to a spam email which we believe went to many patients. Though no patient information was affected by that correspondence, we sent a notification email to all individuals on our email list, informing them of the spam. Inadvertently, the recipient list for the notification email on April 22, 2016 was not hidden.”
But here’s the thing – apart from the patient privacy breach, how did spam get sent to many of their patients? What compromise accounts for that, and have they dealt with whatever security issue it might suggest?