A costly email mistake

I received an email from a doctor’s office where the sender put all of their patients’ email addresses in the “To” field rather than the “BCC” field. That meant every patient could see all of the other patients’ email addresses. Oy, let me count the ways that that is bad news.

To begin with, that is a violation of privacy, especially given the private nature of the business. It’s actually a HIPAA (Health Insurance Portability and Accountability Act) violation because it is a healthcare organization.

But worse than that, an unhappy patient decided to send an email to the whole list and state that, because he had not had a complaint addressed, the doctor was a scam. How do you think that made the patients feel? Concerned that the doctor might be a scam (actually, I think the correct term would be “scam artist”)? Worried that some disgruntled patient has our email addresses? Wondering if we want to continue doing business with this doctor? It’s probably all of those things. This was a very costly mistake for the business.

I’m sure the assistant or receptionist who sent the email had no idea that what she was doing was A. a violation of privacy, B. bad email etiquette and C. a potentially expensive mistake to the business. She knows now. I feel for her.

Email is a wonderful tool, but it must be used carefully and thoughtfully. If you need to send an email to a group of people, always, always put their email addresses in the “BCC” field.

Has this sort of thing ever happened to you? How would you feel if you were one of the patients included in the email? What would you do?



Arden Clise is founder and president of Clise Etiquette. Her love for business etiquette began in previous jobs when she was frequently asked for etiquette, public speaking and business attire advice by executives and board members. The passion for etiquette took hold and compelled Arden to start a consulting business to help others.


  1. BethBuelow on February 1, 2012 at 2:04 pm

    Eeek!! What a blunder. I can think of one time when I accidentally put e-mails in the “To” rather than “Bcc” field, and it was to my current clients. While I didn’t violate any laws or rouse anyone’s ire, I felt cruddy, because I have a policy of keeping my client names confidential (if an individual client wants to say, “Beth is my coach,” that’s fine… I just can’t say “Jane is my client.”). You can bet, it only took that one time for me to remember to never do it again! If I’d been on the receiving end of the e-mail you describe here, I’m not sure what I’d do. I want to say “it depends,” but that’s allowing for lots of gray area where maybe there shouldn’t be any (HIPAA’s pretty clear, after all). For me personally: If everything else was fine, I wouldn’t want the person who hit “send” to get into big trouble; if I was otherwise displeased with the doc’s services, I’d use it as the final straw to start looking elsewhere for health care.

  2. ArdenClise on February 1, 2012 at 8:03 pm


    Yes, it usually only takes making this blunder once to remember not to do it again.

    I agree with you that the situation does depend on how you feel about the business. In my case, I have had positive experiences with the doctor and I know the person who sent the email probably didn’t know she had goofed until it was too late. So, I politely emailed her and said I was sorry someone had chosen to send a nasty email to the list and that next time she has to send an email to a group I suggested she use the BCC field.

    It’s unfortunate it was a HIPAA violation. They actually sent another email, this one with the addresses hidden and apologized for the mistake. I’m sure they are mortified.

  3. Amnie on July 31, 2017 at 7:16 pm

    I made the To instead of bcc mistake… I’m employed at a law firm… Although the notification was only to inform clients and colleagues about our faulty telephone and Internet lines, I feel like I’ve compromised the firm. This now gives me sleepless nights and I’m thinking of resigning.

  4. Arden on August 1, 2017 at 12:29 pm

    Amnie, mistakes happen. I’m sorry this happened to you. Have you spoken to your boss? It would be a good idea to be honest about what happened so that if there are any questions from clients your manager will know how to respond. Don’t resign. People make mistakes all the time and your manager can decide how egregious this was. Being honest about your mistake will give you more credibility and show that you’re an honest, responsible employee.

  5. Ovi on August 16, 2017 at 6:31 am

    I once CCed about 300 people instead of BCC in a promotional e-mail for a club. My god, the shit I got from one particular person who was telling me he wants to sue unless I pay him whatever amount. He also demanded a written apology letter to his address.

    It was a mistake. They happen, get over it. Someone who doesn’t understand that these things happen needs to get off their high horse. I am only human. It’s just an electronic message and I did not kill anyone. E-mail addresses are created and erased each day. Sure it is bothersome to wake up with lots of spam and having to sort through it, but you will have to do it at some point in a number of years of using the same e-mail address.

    The way I dealt with it: apologized and took people off our list if they requested to do so. The person who was trying to get money off me I totally ignored forever. He can literally fuck off. Sorry for my language. 🙂

    I know now to quadruple check when about to send mass e-mails or word merged letters. Annie I hope you do not quit just for that, relax about it – apologize and pay attention in the future. It will all be fine I assure you! I felt just like you when it happened to me.

  6. Arden on September 27, 2017 at 8:49 am

    Ovi, it’s true, we are only human and goodness knows I make a ton of mistakes myself. Sometimes the best lessons are the hardest. At least they have been for me. I’m sorry you had someone be so rude and trite about the email you sent. That’s too bad. You were right to ignore him after you apologized. It sounds like you handled it the best you can and are being very careful with emails today. Good for you.

  7. Kris on December 1, 2021 at 10:58 pm

    I’ve had this happen before. I was sending monthly reminders to come in for check up and I had someone instruct me how to send these since it was my first time, and I accidentally hit to instead of bcc. I got an email from a patient. I apologized immediately to every patient. Mistakes happen; we are human.

  8. Arden on December 3, 2021 at 11:20 am

    Very true, Kris. We are human and accidents happen. Sometimes the best way to learn something is to make mistakes. Glad it all worked out well.
