About 10,000 patient names and COVID-19 test results were released to an unauthorized source in a data breach announced Nov. 15 by the Delaware Division of Public Health.
Officials said letters are being mailed to individuals who were impacted by a recent data breach incident, and DPH is providing information to the public regarding the incident.
On Sept. 16, the Department of Health and Social Services discovered that a temporary DPH staff member mistakenly sent two unencrypted emails, one on Aug. 13 and another Aug. 20, to an unauthorized user, said Jennifer Brestel, DPH spokeswoman. These emails contained COVID-19 test results for about 10,000 individuals, she said. The Aug. 13 email included test results for individuals tested between July 16 and Aug. 10; the Aug. 20 email included test results for individuals tested on Aug. 15. The emails were meant for internal distribution to call center staff who assist individuals in obtaining their test results, Brestel said.
“The emails were sent, mistakenly, to only one unauthorized user,” Brestel said in a press release. “This individual alerted the Division of Public Health of the inadvertent receipt of emails. They reported deleting the emails, and the files attached to them. Currently, there is no evidence to suggest that there has been any attempt to misuse any of the information.”
The files that were mistakenly released to an unauthorized user included the date of the COVID-19 test, test location, patient name, patient date of birth, phone number if provided, and test result. No financial information was released, Brestel said.
A thorough investigation of the incident was conducted, she said, and DPH has reviewed and reinforced its Health Insurance Portability and Accountability Act policies and procedures. Division staff were retrained in HIPAA, and additional HIPAA training policies were put in place for temporary staff. The temporary staff member is no longer employed with the DPH, Brestel said.
As required by HIPAA, Brestel said, DPH has reported this breach to the U.S. Department of Health and Human Services. As required by state law, she said, the breach was reported to the Delaware Department of Justice.
DPH is establishing a dedicated call center, separate from its COVID-19 call center and independently staffed by a contracted company, to answer any questions about this incident. Call center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information. The call center can be reached at 1-833-791-1663, 9 a.m.-9 p.m. Monday through Friday, excluding U.S. holidays.
Information will also be posted on the Delaware Department of Health and Social Services website at: https://dhss.delaware.gov/dhss/.