Ohio mental health and addiction services agency discloses PHI of 59,000 people

OhioMHAS sent clients a postcard inviting them to take part in a satisfaction survey, thereby disclosing that the individuals had received treatment. And it’s not the first time the department has sent such a postcard.
By Bernie Monegain
04:42 PM
data breach HIPAA violation OhioMHAS postcard

The Ohio Department of Mental Health and Addiction Services notified the public – and 59,000 clients – that it disclosed their personal health information.

The incident involves a February 2016 postcard sent to consumers of mental health services inviting participation in an upcoming satisfaction survey. The department discovered on February 25 the postcard mailing violated HIPAA rules.

But it seems at least a few people at the department might have realized the postcards would pose a problem.

Learn on-demand, earn credit, find products and solutions. Get Started >>

The Feb. 25 incident resulted in a review of mailings from previous surveys, and the department discovered that similar postcards sent in previous years also resulted in a breach of protected health information.

The information released included: full name, address and a request that the person participate in a services satisfaction survey through OhioMHAS.

[Also: NewYork-Presbyterian Hospital to pay $2.2 million for 'egregious disclosure' of PHI in HIPAA violation]

The postcards did not include social security numbers or other information that could lead to potential identity theft. They also did not include specific information about the recipient’s mental health condition or services received.

Notices about the survey, however, should have been sent in sealed envelopes to avoid association of the recipient mental health or addiction services.

The consumer satisfaction survey is conducted annually by OhioMHAS, and solicits direct feedback about treatment in order to guide quality improvement initiatives and respond to reporting requirements for the federal Mental Health Block Grant.

OhioMHAS Director Tracy Plouck issued a statement of apology. “We regret this situation and any concern it may cause, and we are committed to diligently safeguarding consumer information moving forward,” Plouck said.

OhioMHAS is conducting a thorough review of its internal processes and policies relating to consumer outreach and data use, officials note in a statement. The agency also added to the existing training for all department staff members.

OhioMHAS notified individuals affected via U.S. mail using sealed envelopes, as well as through a notice on the OhioMHAS website.

Twitter: @Bernie_HITN
Email the writer: bernie.monegain@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.