A costly email mistake

I received an email from a doctor’s office where the sender put all of their patients’ email addresses in the “To” field rather than the “BCC” field. That meant every patient could see all of the other patients’ email addresses. Oy, let me count the ways that that is bad news.

To begin with, that is a violation of privacy, especially given the private nature of the business. It’s actually a HIPAA (Health Insurance Portability and Accountability Act) violation because it is a healthcare organization.

But worse than that, an unhappy patient decided to send an email to the whole list and state that, because he had not had a complaint addressed, the doctor was a scam. How do you think that made the patients feel? Concerned that the doctor might be a scam (actually, I think the correct term would be “scam artist”)? Worried that some disgruntled patient has our email addresses? Wondering if we want to continue doing business with this doctor? It’s probably all of those things. This was a very costly mistake for the business.

I’m sure the assistant or receptionist who sent the email had no idea that what she was doing was A. a violation of privacy, B. bad email etiquette and C. a potentially expensive mistake to the business. She knows now. I feel for her.

Email is a wonderful tool, but it must be used carefully and thoughtfully. If you need to send an email to a group of people, always, always put their email addresses in the “BCC” field.

Has this sort of thing ever happened to you? How would you feel if you were one of the patients included in the email? What would you do?

2 thoughts on “A costly email mistake”

  1. BethBuelow

    Eeek!! What a blunder. I can think of one time when I accidentally put e-mails in the “To” rather than “Bcc” field, and it was to my current clients. While I didn’t violate any laws or rouse anyone’s ire, I felt cruddy, because I have a policy of keeping my client names confidential (if an individual client wants to say, “Beth is my coach,” that’s fine… I just can’t say “Jane is my client.”). You can bet, it only took that one time for me to remember to never do it again! If I’d been on the receiving end of the e-mail you describe here, I’m not sure what I’d do. I want to say “it depends,” but that’s allowing for lots of gray area where maybe there shouldn’t be any (HIPAA’s pretty clear, after all). For me personally: If everything else was fine, I wouldn’t want the person who hit “send” to get into big trouble; if I was otherwise displeased with the doc’s services, I’d use it as the final straw to start looking elsewhere for health care.

  2. ArdenClise


    Yes, it usually only takes making this blunder once to remember not to do it again.

    I agree with you that the situation does depend on how you feel about the business. In my case, I have had positive experiences with the doctor and I know the person who sent the email probably didn’t know she had goofed until it was too late. So, I politely emailed her and said I was sorry someone had chosen to send a nasty email to the list and that next time she has to send an email to a group I suggested she use the BCC field.

    It’s unfortunate it was a HIPAA violation. They actually sent another email, this one with the addresses hidden and apologized for the mistake. I’m sure they are mortified.
