A hospital does not need a hacker to trigger a HIPAA breach. Sometimes a mail-merge does the job on its own. It is effectively what happened at Sentara Hospitals in Virginia. A billing run designed to send statements to more than 16,000 guarantors paired 577 of those statements with the wrong mailing labels.

They were each given envelopes addressed to them, but the health information inside was for somebody else. No servers were hacked. No login information was stolen. Just a label file that did not match a billing batch, which caused a reportable HIPAA violation. As compliance teams move into the second half of 2026, it is a good reminder that while budgets and headlines are focused on phishing, ransomware, and vendor compromises, physical mail is still a live source of protected health information (PHI) exposure.

 

The problem with paper

A peer-reviewed analysis of the HHS Office for Civil Rights breach portal from 2010 to 2018, looking at more than 2,500 large breaches involving nearly 195 million records, found that paper or film accounted for almost 22% of the media locations reported with those incidents. Email’s share of reported incidents spiked over the same time period, but paper never went away as a category; it just stopped being the story anyone was telling.

And a separate review published in JAMA found that more than half of all reported breaches between 2009 and 2017 were not the result of outside attack, but instead the result of internal missteps, misrouted communications, and handling errors, not intrusion. It is precisely the kind of internal error that caused Sentara’s mail-merge failure.

 

The risk in the envelope

In 2017, Aetna paid $1,000,000 to OCR in three separate incidents, two of which involved nothing more than an envelope. In one instance, close to 12,000 people were affected when window envelopes used for mailing contained private medical information and the recipient’s name and address.

A clear impression left on an envelope revealed that the addressee was participating in a research study on a sensitive health matter, exposing 1,600 people before the letter was even opened. Neither was due to a system failure. The decisions on design, templates, logos, and window placements had never been looked at for what they meant until after the mailing had already gone out.

 

Why physical mail is harder to control structurally

Email misdirection is a real and ongoing threat, but physical mail has some features that make mistakes harder to detect and impossible to undo:

  • No audit trail: Postal mail has no delivery log, no read receipt, and no record of what was inside a given envelope.
  • Batch processing amplifies the effect of one mistake: One mistake in a mail merge or label generation is not just one letter wrong. It affects every letter in the error’s downline, usually before anyone even realizes it.
  • The envelope itself may reveal PHI: Window envelopes, return addresses, and program branding can reveal information without opening the letter.

 

Email can help fill the gaps

Moving a communication from paper to email eliminates the envelope problem. It leaves an audit trail, as most email systems will record who sent what, when, and whether it was delivered, which postal mail simply cannot do. The evidentiary layer is useful for incident response and also for showing due diligence to OCR post-event. But it would be a mistake to assume that the problem disappears when PHI moves to email. According to Paubox’s 2026 Healthcare Email Security Report, 41% of breached organizations were high risk, and 75% of organizations failed to roll out DMARC at a level that could stop attacks.

Encryption alone is not a solution, either. You can encrypt a message in transit, and it can still go to the wrong person. It can sit in an inbox without oversight or be part of a workflow that no one has risk assessed. There is also a workflow-friction issue, as Paubox’s Healthcare Email Security Maturity Index 2026 found that 46% of healthcare organizations still rely on manual encryption triggers, partial department coverage, or no encryption at all, meaning outbound PHI protection can depend on a sender remembering to take the right step.

The same benchmark found that 48% of healthcare organizations require encrypted email recipients to log in to a portal or create an account to read messages; among those organizations, more than one in three reported that clinical staff bypasses the workflow. In a separate Paubox summary of the same findings, 34% of organizations reported clinical staff bypassing encryption to avoid portal friction.

 

How HIPAA compliant email fits in

The answer is not to stop using email because of the risk, but to use HIPAA compliant email in a way that controls the risks that paper cannot. A well-built, HIPAA compliant email platform can encrypt PHI by default, authenticate senders, prevent spoofing, generate delivery records, implement access controls, and provide compliance teams with visibility into how sensitive data moves within the organization.

The value of that structure is borne out by a study of secure messaging in primary care, which found that “secure messaging has the potential to improve communication and information flow” in clinical settings. Healthcare organizations need systems to make routine disclosures more traceable, reviewable, and easier to govern. Physical mail relies too much on manual alignment, envelope design, and batch processing accuracy. HIPAA compliant email does not eliminate human error, but it gives organizations stronger technical and administrative controls around the everyday messages where PHI exposure often starts.

 

FAQs

Does HIPAA regulate how providers communicate with patients?

HIPAA requires covered entities to safeguard PHI when communicating with patients, but it does not state that all provider communication must be over a single channel.

 

Can patients request that communications be sent in another way?

HIPAA gives patients the right to request confidential communications by alternative means or at alternative locations.

 

Does HIPAA require all patient emails to be encrypted?

HIPAA's Security Rule allows ePHI to be sent over electronic open networks, provided it is adequately protected.