The Delaware Division of Public Health (DPH) announced Nov. 15 that it is mailing letters to individuals who were impacted by a recent data breach incident, and is providing information to the public regarding the incident for the first time.
On Sept. 16, 2020, the Department of Health and Social Services (DHSS) discovered that a Division of Public Health temporary staff member mistakenly sent two unencrypted emails, one on Aug. 13, 2020, and one on Aug. 20, 2020, to an unauthorized user. In a statement, DPH said that these two emails contained COVID-19 test results for roughly 10,000 individuals. DPH noted that the emails were meant for internal distribution to call center staff who assist individuals in obtaining their test results.
The emails were sent, mistakenly, to only one unauthorized user, DPH said. This individual alerted the Division of Public Health of the inadvertent receipt of emails. The unauthorized user told authorities that they deleted both the emails and the files attached to them. “Currently, there is no evidence to suggest that there has been any attempt to misuse any of the information,” DPH said.
The files impacted by the breach included information related to COVID-19 test results, including the date of the test, test location, patient name, patient date of birth, phone number if provided, and test result. No financial information was released, DPH noted.
As a result of the breach, DPH said it has reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures. Additionally, DPH staff were retrained in HIPAA, and additional HIPAA training policies were put in place for temporary staff. The temporary staff member is no longer employed with the Division of Public Health, DPH noted.
As required by HIPAA, DPH reported the breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice, as required by state law. DPH has also established a call center to answer any questions about this incident.