Topics
More on Risk Management

59,000 people have health info disclosed by Ohio mental health department

The incident involves a February 2016 postcard sent to consumers of mental health services inviting participation in an upcoming satisfaction survey.

Bernie Monegain, Editor, Healthcare IT News

The Ohio Department of Mental Health and Addiction Services notified the public – and 59,000 clients – that it disclosed their personal health information.

The incident involves a February 2016 postcard sent to consumers of mental health services inviting participation in an upcoming satisfaction survey. The department discovered on February 25 the postcard mailing violated HIPAA rules.

But it seems at least a few people at the department might have realized the postcards would pose a problem.

[Also: Lahey Hospital pays $850,000 over security breach, potential HIPAA violations]

The Feb. 25 incident resulted in a review of mailings from previous surveys, and the department discovered that similar postcards sent in previous years also resulted in a breach of protected health information.

The information released included: full name, address and a request that the person participate in a services satisfaction survey through OhioMHAS.

The postcards did not include social security numbers or other information that could lead to potential identity theft. They also did not include specific information about the recipient's mental health condition or services received.

Notices about the survey, however, should have been sent in sealed envelopes to avoid association of the recipient mental health or addiction services.

[Also: Healthcare most hit with data breaches in 2015, ransomware gaining popularity among hackers]

The consumer satisfaction survey is conducted annually by OhioMHAS, and solicits direct feedback about treatment in order to guide quality improvement initiatives and respond to reporting requirements for the federal Mental Health Block Grant.

OhioMHAS Director Tracy Plouck issued a statement of apology. "We regret this situation and any concern it may cause, and we are committed to diligently safeguarding consumer information moving forward," Plouck said.

OhioMHAS is conducting a thorough review of its internal processes and policies relating to consumer outreach and data use, officials note in a statement. The agency also added to the existing training for all department staff members.

OhioMHAS notified individuals affected via U.S. mail using sealed envelopes, as well as through a notice on the OhioMHAS website.

Twitter: @Bernie_HITN