St. Francis Hospital inadvertently releases email addresses of 1,175 patients

St. Francis Hospital said Monday it inadvertently sent out a mass email to 1,175 patients last Friday, although no medical, treatment or other personal information was part of the string.

The Manchester Expressway hospital, known prominently for its heart facilities, said rather than have each patient "blind copied" on the email, everyone's email address was visible.

"St. Francis understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously,” Pam Burns, St. Francis privacy officer, said in a statement issued by the hospital. “We will continue to do all that we can to work with our patients to help minimize any potential impact of this situation. We regret that this incident has occurred, and we are committed to preventing such occurrences in the future. We appreciate our patients’ support during this time.”

This apparently is the first such email incident, the hospital said. In this case, it said, the email was recalled "immediately," while those patients who were on the email string were notified of the "potential breach."

St. Francis said the 1,175 people whose emails were "exposed" are one-half percent of its total patient base.

"Because the email address is the only identifier on the email, St. Francis believes that the email poses very little risk of any potential financial or reputational harm to a patient," the hospital said in a media release.

St. Francis did not say how the email was sent with individuals' names on it or what information was on the message to them. But it said it was taking steps to make sure it doesn't happen again.

The hospital confirmed it is preparing an official notification concerning the incident to the U.S. Department of Health & Human Services. That’s the federal agency that monitors compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

A “breach notification rule” mandates that health-care and medical entities let the HHS know when a breach of “unsecured protected health information” occurs, according to the agency’s website.

“If the breach affects more than 500 individuals in a state or jurisdiction, the covered entity is required to provide notification to HHS (Office of Civil Rights) within 60 days as well as prominent media outlets serving the state or jurisdiction,” Rachel Seeger, senior health information privacy outreach specialist at HHS, said Monday via email.

Once such notification is made, the agency will open an investigation and post the incident publicly to a list of breaches on its website, she said.

Those St. Francis patients who have questions about the incident are asked to call the hospital at 1-800-723-4998.