Here’s a good reminder for all HR employees. Double- and triple-check you’ve dotted your “I’s” and crossed your “T’s”. That way what happened to the city of Boston’s HR department won’t happen to you!
On Jan. 18, Boston’s HR department sent an email to about 100 employees who were unvaccinated and had tested positive for COVID-19. OK, no big deal, right? HR professionals send out emails all the time. But this email contained all the names and email addresses of those employees. And they were visible to everyone who got the email!
According to the Boston Herald, which obtained the email, it said: “Under the City’s earlier policy, you submitted information related to a positive COVID-19 test result. As continued testing is no longer allowed under the Policy, please be aware that you are required to become vaccinated in order to comply with the Policy if you have not already done so.”
It then went on to say that if they didn’t get vaccinated, they’d eventually be placed on unpaid leave.
Talk about a big oops!
‘We messed up’
A few days after the mistake was discovered, the city’s HR department sent another email to the original recipients apologizing for the colossal mishap. It said: “Unintentionally and accidentally, we messed up. The communication was intended to be sent as a BCC so as to respect employees’ privacy. The wrong button got pushed and so the email was sent showing all email addresses.
“We apologize for the error,” continued the email, which was sent to the Boston Herald from the city. “We truly do take employees’ privacy interests seriously and have reviewed and improved our practices and guidelines to make sure this doesn’t happen again … We will do better. We thank you for your understanding.”
Look, mistakes happen. We’re all human, and we get it. But if the city thought they were going to get off the hook with an apology email, they were wrong.
HIPAA violation?
At a city council hearing, a union representing Boston Public Library workers spoke out, describing this “mistake” as a privacy breach. And they’re looking for more than an “oops, we messed up.” They want people to be accountable for “these kinds of actions.”
Even people whose names weren’t in the email are disgruntled, saying it’s a breach of HIPAA, for which fines can range from $100 to $50,000 per individual. (The average HIPAA fine is $1.5 million, according to the Department of Health and Human Services Office for Civil Rights.)
And still others are saying that, in all of their years of working, they have never sent an email that compromised an employee’s personal and confidential information.
In a world where most companies are understaffed and people are doing more than one job, it’s easy to rush and try to get as much done as fast as possible. But you know that, as a Benefits pro working with people’s confidential information, you must make sure you are doing everything by the book. That means taking a few extra minutes to make sure all the “I’s” are dotted and “T’s” are crossed.