OLYMPIA—The Department of Social and Health Services’ Developmental Disabilities Administration confirmed that on June 22, 2020, email addresses of clients and their representatives were improperly disclosed through an addressing error.
The purpose of that email was to notify DDA clients of their rights, as required by a new law that went into effect in June 2020.
Officials state that the email mistakenly listed the email addresses of recipients in the “To” line rather than the “Bcc” line.
As a result, each recipient’s email address was visible to all the other recipients.
Under the HIPAA Privacy Rule, email addresses of patients or their relatives or household members are confidential and classified as protected health information or PHI.
The breach affected 648 DDA clients and was discovered the same day it occurred, when one recipient reported to DDA that all the email addresses were visible.
DDA sent a second, correctly addressed email to the recipients asking them to delete the inadvertent message. DDA then resent the required client rights information in a new email. No street addresses, phone numbers, Social Security numbers or client financial data were in the email.
DSHS is notifying all clients affected by this breach.
At this time, there is no reason to believe that the disclosure of the email addresses will result in identity theft or harm to credit scores.
Those with questions or concerns can find more information on the Washington State Attorney General’s website as well as the Federal Trade Commission’s site.
Since this incident, staff have received additional training on handling confidential patient information and on email practices. Anyone with questions or concerns related to this incident can contact Geoff Nisbet via email or DDA Help at 844-935-3468 (toll free).