The Ohio Department of Mental Health and Addiction Services is notifying patients that it inadvertently disclosed protected health information of approximately 59,000 individuals.
In February, the agency sent postcards to mental health consumers inviting them to participate in a satisfaction survey. Sending the survey invitation on a postcard, rather than a sealed envelope, constituted the data breach, because patient names and addresses were exposed and associated with having received mental health services.
"The postcards did not include Social Security numbers or other information which could lead to potential identity theft, and did not include any specific information about the recipient's mental health condition or services received," according to the OhioMHAS notification letter. "Communications about the survey should have been sent in sealed envelopes to avoid association of the recipient with the satisfaction survey."
The agency said it is reviewing its internal processes and policies regarding consumer outreach and data use.
More articles on data breaches:
Google reports data breach affecting employees stemming from third-party benefits provider
Gmail, Hotmail, Yahoo email users may be part of 272M breached data theft
Calif. chiropractor burgled, warns 600 patients of potential data breach