Delaware Public Health officials Sunday said it is sending letters to people who were impacted by a recent data breach involving COVID-19 test results.
DPH said the Department of Health and Social Services discovered September 16th that a temporary staff member mistakenly sent two unencrypted e-mails in August to an unauthorized user. The e-mails contained test results of about 10,000 people.
The information was meant for internal distribution to call center staff who helped people obtain their test results.
DPH said the person who got the e-mails claimed to have deleted them and the files attached to them. Currently there is no evidence that there was any attempt to misuse any of the information, which included the date and location of the test, the patient’s name and date of birth, phone number if provided and the result of the test.
DPH also is establishing a call center that will answered Monday through Friday 9:00 a.m. until 9:00 p.m. – 833-791-1663.
More details were provided Sunday in a news release from the Delaware Division of Public Health, which follows:
The Delaware Division of Public Health (DPH) is announcing today that it is mailing letters to individuals who were impacted by a recent data breach incident and is providing information to the public regarding the incident.
On September 16, 2020, the Department of Health and Social Services (DHSS) discovered that a Division of Public Health temporary staff member mistakenly sent two unencrypted emails, one on August 13, 2020, and one on August 20, 2020, to an unauthorized user. These emails contained COVID-19 test results for approximately 10,000 individuals. The August 13, 2020 email included test results for individuals tested between July 16, 2020, and August 10, 2020. The August 20, 2020 email included test results for individuals tested on August 15, 2020. The emails were meant for internal distribution to call center staff who assist individuals in obtaining their test results.
The emails were sent, mistakenly, to only one unauthorized user. This individual alerted the Division of Public Health of the inadvertent receipt of emails. They reported deleting the emails, and the files attached to them. Currently, there is no evidence to suggest that there has been any attempt to misuse any of the information.
The files that were mistakenly released to an unauthorized user contained the following information related to COVID-19 test results: the date of the test, test location, patient name, patient date of birth, phone number if provided, and test result. No financial information was released.
A thorough investigation of the incident was conducted. The Division of Public Health has reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures. Division staff were retrained in HIPAA, and additional HIPAA training policies were put in place for temporary staff. The temporary staff member is no longer employed with the Division of Public Health.
As required by HIPAA, the Delaware Division of Public Health has reported this breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice, as required by state law.
The Division of Public Health is also establishing a dedicated call center, separate from its COVID-19 call center and independently staffed by a contracted company, to answer any questions about this incident. Call center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information.
The call center, which will be operational beginning Monday, November 16, can be reached at 1-833-791-1663 Monday through Friday, from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding U.S. holidays.
Information will also be posted on the Delaware Department of Health and Social Services website at: https://dhss.delaware.gov/dhss/.