UCC sends errant email to hundreds

The University Counseling Center sent out a mass email to all of its patients, raising privacy concerns


Connor Murphey/Old Gold & Black

Cooper Sullivan, Assistant News Editor

Professional email etiquette has been preached over the last year as virtual learning and interactions have grown. Double-check the spelling, make sure it’s being sent from your university account and if the recipient list is encrypted, make sure it stays encrypted.

On the morning of April 14, the University Counseling Center sent out a feedback survey to 860 email addresses — some students, faculty, staff and 68 accounts unaffiliated with the university — in which the recipient list was unencrypted and visible to all who had access to the email.

About 10 minutes later, Interim Director Dr. Daniel Paredes sent out a subsequent email with the subject line “DELETE PREVIOUS E-MAIL WITHOUT OPENING”.

In that email, Paredes briefly explained that the “UCC Feedback request (1 of 3) [was] sent out in carbon copy rather than blind carbon copy. [Information Services] has been informed of the breach and is being asked to recall the e-mail from all inboxes. As I am able to provide information about the number of times the message sent publicly has been opened, I will follow-up.”

Paredes sent that update close to 11 p.m. on the same night in which he revealed that 860 emails were sent out, 401 of which were either deleted by IS or the recipients before being read and 391 of which were opened but were recalled by IS following approval from senior university administration. Sixty-eight messages’ status were unaccounted for as they were sent to non-university accounts. IS had no ability to recall these emails.

“While student email addresses were visible to recipients, no personal information about the nature, if any, of a relationship with the UCC was disclosed,” said the email.

When asked if this information privacy breach is a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Paredes said that the UCC does not have to adhere to HIPAA standards “because we do not accept insurance” and the law is not applicable to the UCC.

“Counseling center privileges are articulated both by state law regarding mental health practice (our providers are licensed or work under the supervision of a licensee) and the U.S. Department of Education, which has delineated how our records are independent of the academic record (which is covered by FERPA),” said Paredes.

FERPA, the Family Educational Rights and Privacy Act of 1974, prevents educational institutions of all levels from releasing academic records or information without the permission of the student (or the student’s parent if they are under 18). In other words, Paredes is arguing that the UCC falls under neither act’s jurisdiction because of the insurance requirement and because the mental health record of students is not the same as a transcript.

Some students, however, feel differently than Paredes.

“I think it’s just a mistake. Personally, I’m open about my struggles with mental health, so I don’t care much if people know,” said one student, who asked to remain anonymous. “Nonetheless, students have a right to confidentiality. “They broke HIPAA guidelines and should be punished accordingly.”

Mark Hall, professor of law and public health at Wake Forest says that HIPAA is fairly technical in defining what it applies to.

“It does not cover health information generally, but only when that information is held by a ‘covered entity,’ which, generally speaking, is someone in the health care sector,” Hall said. “When health services [UCC] are more incidental to an organization’s primary function [Wake Forest education], I frankly don’t know enough about the technical regulations to say whether or not HIPAA applies.”

When asked why non-university emails were on the recipient list, how the recipient list was unencrypted or if reduced staffing inadvertently caused this mistake to fly under the radar, Paredes declined to comment.