PHI of 3,600 Michigan Medicine Patients Disclosed Because of Mailing Error


Michigan Medicine is informing over 3,600 patients that some of their protected health information (PHI) was impermissibly disclosed. The Michigan Medicine Development Office ran a fundraising campaign and sent letters to many of its patients in early September 2018. A third-party vendor printed the letters for mailing. Most of the letters were printed correctly, but some contained errors that resulted in the impermissible disclosure of some patients’ personal data.

Michigan Medicine explained that the printing error occurred when the printing company installed new software. As a result, the information contained in some of the patients’ letters did not match the name and address printed on the envelopes that enclosed them.

Because the letters were for a fundraising campaign, they contained no medical data, Social Security numbers, financial information, or other highly sensitive data. The patient information disclosed to another Michigan Medicine patient included names, addresses and, for some patients, email addresses and contact numbers.

Michigan Medicine discovered the error on September 4, 2018 and immediately alerted the vendor to stop the impermissible disclosure of more patient data. Michigan Medicine chief compliance officer Jeanne Strickland said that the hospital regards patient privacy as extremely important, which is why it took steps right away to investigate this breach.

To avoid similar breaches, Michigan Medicine’s Development Office decided to use window envelopes for future mailings so that letters no longer need to be matched with envelopes. Under HIPAA, a mailing error is considered a reportable breach, so Michigan Medicine had to submit a breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovering the breach. OCR’s breach summary portal indicates that 3,624 patients were impacted by the data breach.