Bangor, Maine-based Northern Light Acadia Hospital mistakenly emailed the names of 300 patients who had prescriptions for Suboxone, a medication used to treat opioid use disorder, to an editor at the Bangor Daily News.
The email, which was a violation of HIPAA, also included the medical providers treating the patients.
Arcadia's director of communication forwarded Bangor Daily News an email that contained a spreadsheet of the patients taking the opioid use disorder treatment drug. The news organization destroyed the files.
Hospital President Scott Oxley determined the data breach was an "isolated" accident that occurred due to human error.
"For us, this is a huge deal. Three hundred names were shared unintentionally. They were shared, nonetheless. This never should have happened," Mr. Oxley said in an interview April 17, according to the Bangor Daily News. "We're not making any excuses for this, but we don't classify this mistake as a systemic issue."
Arcadia is working with its information technology department to ensure a similar incident does not occur. The hospital also plans to alert patients to the data breach.
More articles about cybersecurity:
Hackers may turn patient PHI into malware in medical image files
Update: Data breach exposes 278,000 Navicent Health patients' information
Hackers tried to reroute payments of 5,600 Blue Cross of Idaho members