A costly email mistake

I received an email from a doctor’s office where the sender put all of their patients’ email addresses in the “To” field rather than the “BCC” field. That meant every patient could see all of the other patients’ email addresses. Oy, let me count the ways that that is bad news.

To begin with, that is a violation of privacy, especially given the private nature of the business. It’s actually a HIPAA (Health Insurance Portability and Accountability Act) violation because it is a healthcare organization.

But worse than that, an unhappy patient decided to send an email to the whole list and state that, because he had not had a complaint addressed, the doctor was a scam. How do you think that made the patients feel? Concerned that the doctor might be a scam (actually, I think the correct term would be “scam artist”)? Worried that some disgruntled patient has our email addresses? Wondering if we want to continue doing business with this doctor? It’s probably all of those things. This was a very costly mistake for the business.

I’m sure the assistant or receptionist who sent the email had no idea that what she was doing was A. a violation of privacy, B. bad email etiquette and C. a potentially expensive mistake to the business. She knows now. I feel for her.

Email is a wonderful tool, but it must be used carefully and thoughtfully. If you need to send an email to a group of people, always, always put their email addresses in the “BCC” field.

Has this sort of thing ever happened to you? How would you feel if you were one of the patients included in the email? What would you do?

10 thoughts on “A costly email mistake”

  1. BethBuelow

    Eeek!! What a blunder. I can think of one time when I accidentally put e-mails in the “To” rather than “Bcc” field, and it was to my current clients. While I didn’t violate any laws or rouse anyone’s ire, I felt cruddy, because I have a policy of keeping my client names confidential (if an individual client wants to say, “Beth is my coach,” that’s fine… I just can’t say “Jane is my client.”). You can bet, it only took that one time for me to remember to never do it again! If I’d been on the receiving end of the e-mail you describe here, I’m not sure what I’d do. I want to say “it depends,” but that’s allowing for lots of gray area where maybe there shouldn’t be any (HIPAA’s pretty clear, after all). For me personally: If everything else was fine, I wouldn’t want the person who hit “send” to get into big trouble; if I was otherwise displeased with the doc’s services, I’d use it as the final straw to start looking elsewhere for health care.

  2. ArdenClise


    Yes, it usually only takes making this blunder once to remember not to do it again.

    I agree with you that the situation does depend on how you feel about the business. In my case, I have had positive experiences with the doctor and I know the person who sent the email probably didn’t know she had goofed until it was too late. So, I politely emailed her and said I was sorry someone had chosen to send a nasty email to the list and that next time she has to send an email to a group I suggested she use the BCC field.

    It’s unfortunate it was a HIPAA violation. They actually sent another email, this one with the addresses hidden and apologized for the mistake. I’m sure they are mortified.

  3. Amnie

    I made the To instead of bcc mistake… I’m employed at a law firm… Although the notification was only to inform clients and colleagues about our faulty telephone and Internet lines, I feel like I’ve compromised the firm. This now gives me sleepless nights and I’m thinking of resigning.

  4. Arden Post author

    Amnie, mistakes happen. I’m sorry this happened to you. Have you spoken to your boss? It would be a good idea to be honest about what happened so that if there are any questions from clients your manager will know how to respond. Don’t resign. People make mistakes all the time and your manager can decide how egregious this was. Being honest about your mistake will give you more credibility and show that you’re an honest, responsible employee.

  5. Ovi

    I once CCed about 300 people instead of BCC in a promotional e-mail for a club. My god, the shit I got from one particular person who was telling me he wants to sue unless I pay him whatever amount. He also demanded a written apology letter to his address.

    It was a mistake. They happen, get over it. Someone who doesn’t understand that these things happen needs to get off their high horse. I am only human. It’s just an electronic message and I did not kill anyone. E-mail addresses are created and erased each day. Sure it is bothersome to wake up with lots of spam and having to sort through it, but you will have to do it at some point in a number of years of using the same e-mail address.

    The way I dealt with it: apologized and took people off our list if they requested to do so. The person who was trying to get money off me I totally ignored forever. He can literally fuck off. Sorry for my language. 🙂

    I know now to quadruple check when about to send mass e-mails or word merged letters. Amnie, I hope you do not quit just for that, relax about it – apologize and pay attention in the future. It will all be fine I assure you! I felt just like you when it happened to me.

  6. Arden Post author

    Ovi, it’s true, we are only human and goodness knows I make a ton of mistakes myself. Sometimes the best lessons are the hardest. At least they have been for me. I’m sorry you had someone be so rude and trite about the email you sent. That’s too bad. You were right to ignore him after you apologized. It sounds like you handled it the best you can and are being very careful with emails today. Good for you.

  7. Maria

    Hi! I would like to ask you for advice. That happened to me recently. It is a personal blog, and subscribers were just a few (less than 20). Most of them are family and friends, but random individuals as well… Do you think in these cases it would be good to apologize for the mistake in next notifications? Or is it better to let it go and not try to do that again? In my case the problem was just the personal email list…

    All my support to Ovi, don’t worry! You weren’t the first one, and you will not be the last one. Mistakes are common.

    Thanks a lot in advance.

    Best regards,

  8. Arden Clise

    Maria, thanks for stopping by. Since it’s such a small group of subscribers I would send a personal email to the group with their email addresses in the BCC field and apologize for the mistake. Mistakes happen. Best to be transparent and apologetic. People usually appreciate that.

  9. Kelly


    Unfortunately I just made this huge mistake today sending out a general announcement to our patients and completely forgot to place the email addresses in the BCC before hitting send. I realized the mistake as soon as I sent, but I’m freaking out right now. I know this is a HIPAA violation, but can someone sue our office because of this honest mistake? What would happen if someone decides to report the incident to HHS? Is there anything we can do at this point?

    Any advice you can provide is greatly appreciated!


  10. Arden Post author

    Hello Kelly,

    So sorry to hear this happened. Mistakes happen. I’m not a HIPAA expert so I can’t answer your question about that. I have found that apologies make a big difference. I would suggest emailing everyone and making sure their email addresses are in the bcc field and apologize for the mistake. Assure them that it will never happen again. Is there some sort of discount or perk you can give them that wouldn’t cost you much? If not, leave it at the apology and move on. Most people won’t notice and if someone contacts you about it apologize and let them know the steps you are taking to make sure it doesn’t happen again.
