Receiving HIPAA breach notification letters in the mail has become a disappointingly commonplace occurrence for many Americans over the past few years. In a single breach in February 2015, as many as 80 million individuals had their protected health information (PHI) exposed in the Anthem breach. HIPAA regulations mandate that breaches be reported to affected patients, informing them of the full extent of the information that was exposed.

So when patients of the Buffalo [New York] Medical Group received letters informing them that their PHI had been breached, they were rightfully concerned.

The letter detailed a convoluted set of interactions, wherein a former nurse allegedly disclosed the PHI of a number of patients to her boyfriend. In August of 2015, though, the nurse and her boyfriend “had a big breakup and he sent a tell-all letter […] detailing these HIPPA [sic] violations.”

When the Buffalo Medical Group was reached for comment about the content of the letter, however, they said that it was not official, and that the alleged HIPAA violations were entirely unfounded.

The Buffalo Medical Group immediately launched an investigation into the source of the letter, and found that it hadn’t originated from their offices or from any of their employees. The Group released a statement saying that:

[T]he letter was fabricated and widely distributed for the sole purpose of harassing the individuals named in the letter, and that the motives of the author are wholly unrelated to the professional conduct of the Buffalo Medical Group or its employees. We are working with our advisors to take appropriate legal action against the responsible party.

No word yet as to why the letter was sent to these few patients. But this case raises an important question about the legitimacy of breach notifications. False claims that PHI has been breached can damage the reputation of the practices they impersonate, and can endanger the privacy of the targeted patients.

Even though the fraudulent letter wasn’t being used to scam patients, similar schemes have circulated widely for years and have been used to harvest data, amounting to identity theft and significant financial or personal stress.

The Department of Health and Human Services’ Office for Civil Rights hasn’t released any guidance about the nature of fraudulent breach notification, but one thing is clear: if you receive a letter and see HIPAA spelled “HIPPA,” you’d be wise to give it a second glance.