Belgrade Regional Health Center Data Breach (2015)

When a physician's assistant left the Belgrade Regional Health Center, a letter was sent to patients to tell them about the impending change in personnel; however, that letter also resulted in a breach of 854 patients' Protected Health Information (PHI). The mailing took place on October 21, 2015 and patients first started notifying the health center of the error two days later when the letters started to be received. An investigation into the incident revealed that an error had been made with the mail merge; a step in the mailing process that can easily result in the accidental disclosure of patient PHI. The error was made by a mailing vendor of the health center. A number of other healthcare providers have also experienced very similar privacy breaches this year. In this case, the letters included the correct patients name and address, but also the name and address of another individual. The inclusion of an incorrect name and address also indirectly disclosed that that individual was a patient of Belgrade Regional Health Center. Breach notification letters have now been sent to patients affected by the breach, and the privacy incident has been reported to the Department of Health and Human Services' Office for Civil Rights (OCR).