On April 13, 2015, the covered entity (CE), Borgess Medical Center-Borgess Rheumatology, impermissibly disclosed protected health information (PHI) due to an erroneous usage of mail merge, which mixed up 700 patients' names and addresses. The PHI involved in the breach included patients' names, medications, and their association with Borgess Rheumatology as patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented a new process that included verification of the data files used for mail merges, including a Privacy Officer review. It also trained workforce members and added an informal quality check of spreadsheets involving patient information. OCR obtained documented assurances that the CE implemented the corrective actions noted above.

Location of breached information: Paper/Films
Business associate present: No