Mail error leads to HIPAA breach at the University of Michigan Medicine

The University of Michigan Medicine is notifying approximately 3,700 patients about a mailing error that resulted in letters containing personal health information (PHI) to be sent to the wrong patients.

In a press release, Michigan Medicine explains that in early September, it began a fundraising campaign that involved sending a letter to a large number of patients using a contracted printing company. On September 4, it discovered that a portion of the letters were sent by the vendor in which the name and address on the letter did not match the name and address on the envelope, to whom it was sent.

Though the information on the letter did not include Social Security numbers or financial information, the letter included names and addresses, as well as some phone numbers and email addresses, all of which are considered PHI under HIPAA.

According to the press release, the vendor took prompt steps to fix the error and prevent a reoccurrence. The Michigan Medicine Development Office states it will use window envelopes going forward to eliminate the need to match letters to envelopes.

This is the second data breach that Michigan Medicine has reported to the Office for Civil Rights this year. In June, they announced the theft of a laptop that contained PHI of approximately 870 patients.