The human resources department of the City of Boston in Massachusetts recently sent out an email to about 100 of its employees saying that they had submitted information indicating they had tested positive for COVID. The email, sent to staff on January 18, had all the recipients' names and email addresses visible on the chain.
The email said their policy had been updated to no longer allow continued COVID testing and that employees will need to be vaccinated against COVID or be subjected to disciplinary action.
"Under the City's earlier policy, you submitted information related to a positive COVID-19 test result," the City of Boston's email read, as per the Boston Herald. "As continued testing is no longer allowed under the Policy, please be aware that you are required to become vaccinated in order to comply with the Policy if you have not already done so."
The city's HR department apologized to the 100 employees days later, after it realized its mistake. A follow-up email sent to the same group said, "Unintentionally and accidentally, we messed up."
"The communication was intended to be sent as a BCC so as to respect employees' privacy. The wrong button got pushed and so the email was sent showing all email addresses," the email continued. "We apologize for the error."
According to Fox News, the HR department said it "truly...[takes] employees' privacy interests seriously" and that it has "reviewed and improved" its practices to ensure such "accidents" never happen again. The 100 employees who received the first email were supposed to be blind-copied so that they would not see who else had received the same email.
A union that represents Boston Public Library workers raised concerns to the city's HR department and city office of labor relations over what they believe was a privacy breach. They argued that people must be "held accountable for these kinds of actions," Elissa Cadillic of AFSCME Local 1526 said. She argued that because of their negligence, "All of these people now know people's business."
Online readers on Fox News reacted to the breach of privacy of unvaccinated individuals, claiming that it was not as "accidental" as the Boston HR department said it was. Mike Bayne, who claims to have "sent over half a million emails" in his 30 years working as a professional, wrote, "I have never sent an email that compromised one of my client's personal information. This was NOT a mistake, this was done as a way to out those who are unvaccinated, in an effort to shame them."
Under the Health Insurance Portability and Accountability Act of 1996 or HIPAA, there are several tiers to the violation penalty structure, the HIPAA Journal reported. The Department of Health and Human Services' Office for Civil Rights (OCR) is responsible for resolving HIPAA violations using non-punitive measures. This case by the City of Boston may fall under Tier 3, "A violation suffered as a direct result of 'willful neglect' of HIPAA Rules, in cases where an attempt has been made to correct the violation."
The financial penalty for such entities will depend on "length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed." This will also be decided by the OCR, but for Tier 3 violations, entities will have to pay a minimum fine of $10,000 per violation up to $50,000.