Monday, September 20, 2021

Mankato Clinic has notified 535 patients of a breach of unsecured protected health information after discovering the following event:

On August 3rd, an electronic spreadsheet containing patient information was mistakenly e-mailed to the external e-mail account of a colleague of a Mankato Clinic employee. The e-mail was not encrypted. Upon discovering the error a few minutes after the e-mail had been sent, the employee contacted the recipient and asked that the e-mail be deleted. The recipient confirmed that the e-mail was deleted and that the attached spreadsheet was never opened.

Patient information contained within the spreadsheet included: patient full name, address, phone number, e-mail address, date of birth, sex, medical record number, healthcare provider’s name, diagnosis information, and primary insurance carrier. Fortunately, Social Security numbers were not included in the information. This breach did not involve the Mankato Clinic’s electronic health record.

Mankato Clinic has investigated this incident and has determined that it occurred due to use of their e-mail’s auto-complete feature: when the employee typed in the intended recipient’s name, it auto-completed with the name of a colleague with an external e-mail account. The Mankato Clinic has received assurances that none of the patient information was accessed prior to being deleted by the recipient.

Because the information is protected under HIPAA and was sent via unencrypted e-mail, it meets the definition of a breach under the HIPAA guidelines and therefore requires Mankato Clinic to notify each patient with a letter describing the incident.

These patients do not need to take any action to protect themselves from potential harm resulting from the breach of their personal health information since the e-mail was immediately deleted by the recipient and the information did not include any financial information.

Mankato Clinic understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously.  Since 2003, we have required all staff to participate in annual HIPAA training; because of this training the employee involved in this incident immediately recognized that a breach had occurred and self-reported the incident. The Mankato Clinic apologizes for this error and is doing everything possible to rectify the situation.

Patients may call the Release of Information Department at 1-800-657-6944 – Extension 4037, or 507-385-4037 during normal business hours (Monday – Friday 8am to 5pm) with any questions.