A vendor working with the Maryland Developmental Disabilities Administration (DDA) was recently caught in a HIPAA breach after failing to securely mail postcards to recipients of DDA services, according to a press release from the Maryland Department of Health and Mental Hygiene. 
The DDA hired Inclusion Research Institute and its subcontractor M. Davis and Company to mail its annual quality-of-life survey to individuals who receive DDA services. M. Davis and Company mailed survey reminder postcards to approximately 2,200 individuals in February. The postcards indicated that DDA selected the recipients to take the survey because they received services from the department.
The healthcare services an individual receives is considered PHI. The postcards were not enclosed in envelopes, thereby disclosing to anyone who viewed them that the intended recipients received services from DDA. Therefore, this constitutes as a HIPAA breach, and the vendor is taking steps to notify affected individuals, according to the press release.