A Mankato (Minn.) Clinic employee exposed 535 patients' protected health information by mistakenly emailing the data to an external email account, the clinic said in a Sept. 20 notification.
On Aug. 3, the clinic employee emailed a spreadsheet containing patients' information to an external email account, which was not encrypted. After discovering that the email had been sent by mistake, the employee contacted the recipient and asked for the message to be deleted. The recipient said they deleted it and that they never opened the attached spreadsheet.
Patient information contained in the spreadsheet included names, addresses, phone numbers, birthdates, medical record numbers and insurance details. The breach did not involve Mankato Clinic's EHR.
After investigating the incident, the clinic determined that it occurred because of its email system's autocomplete feature, which inputted the name of the colleague with the external email account when the sender typed the intended recipient's name.