MD Anderson Informs Patients of Accidental Disclosure of Email Addresses

The University of Texas MD Anderson Cancer Center today sent letters to individuals whose email addresses were accidentally exposed in a communication to patients with a history of colon cancer. While MD Anderson was able to stop delivery of about half of the emails, approximately 599 people are believed to have received the communication.

The email regarding a research study was sent to 1,266 people on May 3, 2018. The study team member intended to blind the email addresses, but mistakenly made the addresses visible. The principal investigator immediately followed up with another email to the group, with addresses blinded, apologizing for the error and asking recipients to delete the email from their Inbox and Deleted Items folders.

Though the only patient information exposed were email addresses, MD Anderson takes this incident seriously and regrets the error. In addition to the follow-up email sent from the investigator, MD Anderson today mailed letters to patients or family members to make sure they are aware of the error. MD Anderson does not believe the email recipients are at risk of identity theft or financial harm because of this incident.

On an institutional level, MD Anderson this week began implementing technical controls to limit the number of visible email recipients getting a communication. Additional communication and training regarding privacy issues and patient information complement ongoing security efforts.

If email recipients have questions or concerns, they are being asked to contact MD Anderson’s Institutional Compliance Office at 1-833-552-1853 or PrivacyCompliance@mdanderson.org. Other information is available on MD Anderson’s web site at www.mdanderson.org