Data Breach – State Inadvertently Provided Access to Health Information of Over 7,000 People – First State Update

The Delaware Division of Developmental Disabilities Services (DDDS) today announces that it is sending letters to service recipients and legal guardians who have been impacted by a recent data breach incident and providing information to the public regarding the incident.

On August 23, 2022, DDDS staff discovered that during the process of creating new user accounts in the division’s client database, DDDS staff had inadvertently provided access to individual records of 7074 people. As a result of these actions, 159 new users gained potential access to personally identifiable information and protected health information of service recipients, as well as potential access to more detailed information through accessed accounts.

A thorough investigation into the incident has been conducted. Using forensic analysis available from the software vendor, the division was able to determine how many users accessed information not intended for their use and what service recipient records were opened and consulted. Although the division determined that only 12 detailed records were actively accessed, some personally identifiable information and protected health information was passively available to any user with the wrong access level. The software provider is unable to determine who may have passively viewed this information.

Based on this internal investigation and consultation with the software vendor, the division is taking corrective action to strengthen the security and protection of the personal health information of its service recipients. DDDS has:

Reviewed and strengthened its Health Insurance Portability and Accountability Act (HIPAA) policies and procedures.
Established new guidelines for creating user accounts and a tighter approval process for accessing records.
Worked with its provider to institute technology checks on access provision.

The division will incorporate the lessons of this analysis into the design and implementation of its new customer data management system, which is scheduled to transition in 2023.

As required by HIPAA and state law, the Delaware Division of Developmental Disabilities Services has reported this violation to the US Department of Health and Human Services and the Delaware Department of Justice.

The Developmental Disabilities Services Division is also setting up a dedicated call center staffed independently by a contracted company to answer any questions regarding this incident. Call center representatives are fully aware of the incident and can respond to individuals’ questions or concerns regarding the protection of their personal information. Additionally, the division will provide free access to credit monitoring to all relevant parties for a period of one year.

The call center can be reached at 1-833-875-0644 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding US holidays.

Information is also posted on the Delaware Department of Health and Human Services website at https://dhss.delaware.gov/dhss/ and on the division website at https://dhss.delaware.gov/dhss/ddds/.

Source: DHHS
