The Delaware Division of Public Health (DPH) announced this week that it was mailing letters to individuals who were impacted by a recent data breach incident and is providing information to the public regarding the incident.
Officials said that on Sept. 16, 2020, the Department of Health & Social Services (DHSS) discovered that a Division of Public Health temporary staff member had mistakenly sent two unencrypted emails — one on Aug. 13 and one on Aug. 20, to an unauthorized user. The emails contained COVID-19 test results for approximately 10,000 individuals. The Aug. 13 email included test results for individuals tested between July 16 and Aug. 1. The Aug. 20 email included test results for individuals tested on Aug. 15. The emails were meant for internal distribution to call-center staff who assist individuals in obtaining their test results, officials noted.
The emails were sent, mistakenly, to only one unauthorized user, and that individual alerted the Division of Public Health of the inadvertent receipt of emails. They reported deleting the emails, and the files attached to them. Currently, there is no evidence to suggest that there has been any attempt to misuse any of the information, officials emphasized.
The files that were mistakenly released to an unauthorized user contained the following information related to COVID-19 test results: the date of the test, test location, patient name, patient date of birth, phone number if provided and test result. No financial information was released.
A thorough investigation of the incident was conducted, officials noted, saying that the Division of Public Health has since reviewed and reinforced its Health Insurance Portability & Accountability Act (HIPAA)-related policies and procedures. Division staff were retrained in HIPAA, and additional HIPAA training policies were put in place for temporary staff. The temporary staff member is no longer employed with the Division of Public Health, they noted.
As required by HIPAA, the Delaware Division of Public Health has reported the breach to the U.S. Department of Health & Human Services and to the Delaware Department of Justice, as required by state law.
The Division of Public Health is also establishing a dedicated call center, separate from its COVID-19 call center and independently staffed by a contracted company, to answer any questions about this incident. Call-center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information, they said.
The call center, which was to be operational beginning Monday, Nov. 16, can be reached at 1-833-791-1663, Monday through Friday, from 9 a.m. to 9 p.m., excluding holidays. Information will also be posted on the Delaware Department of Health & Social Services website at: https://dhss.delaware.gov/dhss/.