The Wisconsin Department of Health Services (DHS) notified 8,157 Medicaid members after discovering that letters containing personal and private information had been sent to outdated addresses.

 

What happened

DHS discovered the mailing issue on April 30, 2026, then identified the affected members and stopped future mailings to the incorrect addresses. On June 30, 2026, the agency sent notification letters to members whose information may have been accessed by unauthorized individuals. It offered them one year of free credit monitoring, along with access to a dedicated call center.

The incident was later posted on the HHS Office for Civil Rights breach portal as affecting 8,157 people, with a submission date of July 1, 2026. OCR classified the event as an unauthorized access or disclosure incident involving paper or films, not a hacking or IT incident, and listed Wisconsin DHS as a health plan with no business associate involved.

 

What was said

According to the Wisconsin DHS statement, “Today, the Wisconsin Department of Health Services (DHS) announced that some Medicaid members receiving benefits from the state's Supplemental Security Income program had letters with personal and private information regarding an increase in their benefits sent out to their outdated addresses.”

 

Why it matters

The Wisconsin DHS incident was a low-tech privacy failure rather than a cyberattack. Instead of malware, ransomware, or a compromised server, the exposure came through an ordinary administrative mailing process. The case shows how protected information can still leave an organization through everyday communication workflows when contact data is not properly controlled. It is an example of why HIPAA compliant email can offer operational advantages over paper mail when configured correctly.

Secure email systems can support encryption, recipient authentication, access controls, delivery tracking, bounce management, and audit logs, while a misdirected paper letter is difficult to recall, trace, or restrict once delivered. As one Annual Symposium Proceedings Archive study explains, secure electronic messaging is intended to “extend access to care, improve transparency, and safeguard patient confidentiality.” Privacy risk also exists in the routine processes used to communicate sensitive patient or member information.

 

FAQs

Does HIPAA apply to paper mail?

HIPAA is not limited to electronic systems. The Privacy Rule protects protected health information held or transmitted by a covered entity or business associate in any form or media, including electronic, paper, or oral information.

 

Why can a wrong address mailing be considered a breach?

A wrong-address mailing can become a breach when protected information is disclosed to someone who is not authorized to receive it.

 

Why does this matter if no hacking occurred?

HIPAA risk is not only a cybersecurity issue.