A staff member of the covered entity (CE), Oklahoma City Indian Clinic, sent an email to 412 recipients that erroneously included an attachment containing the electronic protected health information (ePHI) of 6,044 individuals. Following an attempted recall of the message, a corrected email without the attachment was sent, asking the recipients to delete the erroneous email and the attachment. The ePHI involved in the breach included patients' names, chart numbers, and email addresses. The CE provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. Following the breach, the CE re-trained staff on its encryption policy. In addition, the CE improved safeguards by developing a policy regarding electronic transmission of patient information. The policy limits identifying patient information contained in electronic communications within the CE's network, and requires password protection for electronic files that include ePHI. As a result of OCR's investigation, OCR obtained assurances that the corrective actions listed above were completed.

Location of breached information: Email
Business associate present: No