A Cleveland-based University Hospitals Rainbow Babies and Children's Hospital employee emailed a message to a group of patients, inadvertently allowing the recipients to see each other's email addresses, according to a news release emailed to Becker's Hospital Review.
The private health information exposed in the Feb. 28 incident includes email addresses and health information related to medical condition.
"While the email message itself did not contain any specific health information about any patient, the nature of the message implied all recipients receiving the message shared the same medical condition," UH said in the news release.
The employee, who has not been identified, sent an email to an estimated 840 patients, or their parents or guardians, regarding a new billing policy, according to The Plain Dealer. The employee placed all the individuals' email addresses in the "To" field when sending the email, which allowed the message recipients to see one another's email addresses.
UH launched an internal investigation on the same day the incident occurred. The health system said it is not aware of any identity theft or harm to patients caused by the employee's unauthorized disclosure of patient PHI, and it has sent letters to notify all individuals who may have been affected.
The health system has educated the employee on proper procedure when communicating with patients electronically as well as information regarding patient privacy and HIPAA, according to the news release.
"UH takes the protection of patient health information very seriously," the health system said. "UH continually evaluates and strengthens its health information practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters."