A Notice to Our Patients Regarding a Recent Email Incident
The University of Texas MD Anderson Cancer Center (MD Anderson) takes its patients’ privacy seriously. This notice is to advise some of our patients of an unauthorized disclosure of their health information.
On May 3, 2018, an MD Anderson employee sent an email seeking to recruit people for a research study involving people with a history of colon cancer. The employee meant to send the email in a manner that hid the email addresses of the recipients, but accidentally made the email addresses visible to the others who received the email. We were able to stop delivery on some of the emails, but approximately 599 people still received it. These people may have seen the email addresses to which the email was sent and, if they were able to identify anyone from their email address, may have assumed the person was an MD Anderson patient and had a history of colon cancer.
This incident does not affect all MD Anderson patients; it only affects certain MD Anderson patients in the Houston area who have a history of colon cancer.
We have no reason to believe any individual is at risk for identity theft or financial harm as a result of this incident. However, in an abundance of caution, we mailed letters to affected individuals on May 31, 2018, and established a dedicated phone line to answer any questions. If you believe you are affected and do not receive a letter by June 22, 2018, please call 1-833-552-1853, Monday through Friday, during regular business hours.
We recommend people learn more about privacy law and their rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and pay close attention to medical and financial records and monitor those records for any mistakes or suspicious activity. We also request anyone who received this email to please delete it.
We sincerely regret that this incident occurred and apologize on behalf of MD Anderson. As a result of this incident, we are in the process of implementing technical controls to limit the number of external recipients an employee can include in an email. We re-educated our employees about the proper way to email research participants and patients, as well as retrained the employee involved about MD Anderson’s policies on protecting patient privacy.