Postcard Error Highlights HIPAA Risks With Mailers
Michigan Medicine began notifying approximately 1,015 individuals on August 14 about a privacy incident in June 2025 that may have exposed some of their health information. According to the Ann Arbor-based health care provider, Michigan Medicine mailed postcards to recruit participants for a research study, but the postcards were sent without envelopes, which could have exposed protected health information (PHI) to anyone who handled them.
The University of Michigan’s Institutional Review Board mistakenly approved the use of the postcard, but has since stopped mailings, launched an investigation, and implemented additional staff training to prevent future incidents.
This case highlights how simple mailing errors can lead to HIPAA violations and the exposure of sensitive patient data.
Protecting PHI in Mailings: Lessons from Recent Breaches
Health care organizations often focus on digital security threats, but physical mailing errors remain a surprisingly common cause of HIPAA violations. A misaddressed letter, a window envelope that reveals too much, or even a postcard sent without an envelope can expose sensitive patient health information and trigger costly penalties.
Michigan Medicine is not alone. Several other health care organizations have faced enforcement actions and settlements after physical mailing mistakes exposed PHI:
- Solara Medical Supplies (2025): Reached a $3 million settlement with HHS after multiple HIPAA violations. The first involved a phishing attack that exposed the electronic PHI (ePHI) of 114,007 individuals. The second violation occurred when breach notification letters about the phishing incident were sent to the wrong addresses, further exposing the PHI of 1,531 individuals.
- EmblemHealth (2019): Paid $100,000 to the state of New Jersey after a mailing vendor error disclosed the personal information of more than 6,000 customers.
- Aetna (2017): Settled for $17 million after window envelopes revealed that policyholders were taking HIV medications—a breach affecting about 12,000 individuals.
Each of these cases illustrates how small oversights in mailing procedures can lead to large-scale privacy violations and major financial consequences.
The Role of Vendors in Protecting PHI
Many health care organizations rely on third-party vendors for printing, mailing, and other administrative tasks. When vendors handle PHI, the health care organization remains responsible for ensuring compliance. That’s why it’s essential to have a Business Associate Agreement (BAA) in place with every vendor that touches PHI and to conduct periodic audits or reviews of vendor processes to ensure ongoing compliance.
As the EmblemHealth case demonstrated, vendor errors can have significant consequences, yet regulators hold covered entities accountable. Proper agreements and due diligence are critical safeguards.
It is important to remember that business associates carry responsibility for safeguarding patient data. In March 2025, Health Fitness settled with OCR over a potential HIPAA violation after reporting breaches on behalf of multiple covered entities it served as a business associate. Read more here: Business Associate Fined for Alleged Risk Analysis Failure.
How to Avoid Common Mailing Violations
Health care organizations can reduce risk by implementing proactive safeguards:
- Provide regular staff training on HIPAA-compliant mailing procedures.
- Ensure Business Associate Agreements are in place with all mailing vendors.
- Conduct risk assessments to identify vulnerabilities in mailing workflows.
- Use opaque envelopes so no PHI is visible.
- Double-check addresses before sending sensitive information.
- Adopt secure mailing practices such as certified mail with tracking.
- Review and update policies regularly to stay aligned with HIPAA standards.
Mailing errors may seem minor compared to large-scale cyberattacks, but regulators take them just as seriously. Recent enforcement actions show that patient privacy must be protected at every step, including something as simple as a letter in the mail.
By prioritizing safeguards and training, health care organizations can protect patient trust, reduce risk, and avoid costly HIPAA penalties.
HIPAA Compliance Training Pays Off
The HIPAA Privacy and Security Rules have specific requirements regarding workforce training, security reminders, and periodic updates. PrivaPlan offers training options for any type of covered entity or business associate to help ensure your organization stays HIPAA compliant.