The email addresses of more than 900 Walworth County residents were unintentionally disclosed last month because of an error by the county’s Department of Health & Human Services staff, county officials announced.
The error occurred when two staff members sent emails on Feb. 16, 24 and 25 to 907 people who were eligible for COVID-19 vaccinations, according to a news release.
The emails directed recipients to follow a link to schedule their COVID-19 vaccinations.
The recipients’ email addresses were entered on the “To” line of the email instead of the “Bcc,” or “blind carbon copy,” line. This allowed each recipient to view the email addresses of everyone who received the emails.
Two recipients contacted the department Feb. 25, saying they noticed the error, said Carlo Nevicosi, deputy director of the health and human services department.
The department does not believe those affected should take any immediate steps to protect themselves, according to the release.
The mistake by two public health employees was embarrassing, Nevicosi said.
“We want people to sign up for this and come get their vaccine. We don’t want this to be a barrier to anyone accepting the vaccine,” Nevicosi said.
The disclosure constitutes a violation of the Health Insurance Portability and Accountability Act, or HIPAA, which requires the department to disclose a breach affecting more than 500 residents, both to those affected and to news media, according to the release.
The only protected health information disclosed was the email addresses and the fact that those people were eligible to make an appointment for the vaccine, according to the release.
All those who received the emails have been notified, according to the release.
The department’s privacy officer identified two employees responsible for the breach. The officer concluded the information was released unintentionally.
Nevicosi said the two employees still work for the department.
“Our consumers’ rights to privacy and our adherence to HIPAA is of the utmost importance to us,” said Aaron Winden, supervisor of compliance and medical records, as quoted in the release. “We will continue to do everything in our power to prevent situations like this from happening in the future.”
All department employees receive annual training on this subject.
The privacy officer retrained the identified employees, according to the release.
A change was made to Microsoft Outlook that increased the visibility of the “Bcc” option, and public health staff members were given training and resources, according to the release.
All new employees with registration and/or scheduling responsibilities will receive training in maintaining security of health information.
Nevicosi said the department plans to shift to the online vaccination-registration system developed by Microsoft and the state starting March 29.