Ohio Department of Mental Health and Addiction Services Data Breach (2016)

The Ohio Department of Mental Health and Addiction Services (OhioMHAS) today notified the public of a privacy incident involving protected health information (PHI). The issue involves a February 2016 postcard sent to consumers of mental health services inviting participation in a satisfaction survey. On Feb. 25, the department discovered that the postcard mailing resulted in the inadvertent disclosure of protected health information. The unintentional release of information included: full name, address and a request that the person participate in a services satisfaction survey through OhioMHAS. The postcards did not include social security numbers or other information which could lead to potential identity theft, and did not include any specific information about the recipient's mental health condition or services received. Communications about the survey should have been sent in sealed envelopes to avoid association of the recipient with the satisfaction survey. The consumer satisfaction survey is conducted annually by OhioMHAS, and solicits direct feedback about treatment experiences in order to guide quality improvement initiatives and respond to reporting requirements for the federal Mental Health Block Grant. The Feb. 25 incident resulted in a review of mailings from previous surveys, and the department deemed that similar postcards sent in previous years also resulted in a breach of protected health information. In total, the incident impacted approximately 59,000 individuals. "OhioMHAS takes very seriously its commitment to the privacy and protection of people receiving mental health treatment," stated Director Tracy Plouck. "We regret this situation and any concern it may cause, and we are committed to diligently safeguarding consumer information moving forward." As a result, OhioMHAS is undergoing a thorough review of its internal processes and policies relating to consumer outreach and data use to assure better oversight and protection of health information, including additional training for all department staff members.