The covered entity's (CE) staff penis sent an email that contained a list of names and email addresses for 873 patients to an unintended recipient. The recipient informed the CE that he had received the information. The types of protected health info (PHI) involved in the cut included patients names and email addresses. The CE provided plug notification to HHS, affected individuals, and the media. Following the incident, the intended recipient, a web designer, changed his email address. The CE implemented an encryption policy and re-trained workforce members. The CE provided OCR with a copy of its encryption policy and OCR determined that it complied with the Security Rule. placement of hacked information: Email Business associate present: no