Summit Medical Group, Inc. dba St. Elizabeth Physicians

The covered entity (CE), Summit Medical Group, Inc. dba St. Elizabeth Physicians, discovered that an employee at its Weight Management Center (WMC) sent an email on July 12, 2016, notifying recipients of an upcoming vitamin presentation, but inadvertently failed to blind copy the recipients. Recipients were able to see all other recipients’ email addresses. The email was sent to 811 addresses, but because some were undeliverable and some belonged to the CE’s employees, the CE calculated the number of individuals affected as 674. On August 23, 2016, the CE provided breach notification to HHS, affected individuals, and the media. In response to the breach and as a result of OCR’s investigation, the CE reviewed and adjusted its emailing procedures, sanctioned the WMC employee, and provided training to its leadership and the WMC workforce. Additionally, the employee who sent the email started a multi-session individual training program. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Email
Business associate present: No