State announces COVID-related data breach

DOVER — The Division of Public Health announced a data breach Sunday affecting approximately 10,000 people, although the agency noted there is no evidence of any attempt to misuse any of the information.

DPH is mailing letters to individuals impacted by the breach.

According to DPH, a temporary agency staffer accidentally sent unencrypted emails containing COVID-19 test results for around 10,000 Delawareans on Aug. 13 and Aug. 20 to an unauthorized user. The Aug. 13 email included test results for individuals tested between July 16 and Aug. 10, while the Aug. 20 email had results for people tested on Aug. 15.

The emails, meant for distribution to call center staff who assist individuals in obtaining their test results, were sent to a single unauthorized user by mistake. This individual alerted DPH and reported deleting the emails.

The files mistakenly released contained the date of the COVID-19 tests, test location, patient name, patient date of birth, phone number if provided and test result. No financial information was included.

As required by federal and state law, the state has reported the breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice.

Division staff were retrained in Health Insurance Portability and Accountability Act policies and procedures, and new training policies were put in place for temporary staff. The temporary employee who sent the emails is no longer employed by DPH.

DPH is also establishing a dedicated call center, separate from its COVID-19 call center and independently staffed by a contracted company, to answer any questions about this incident. It will start Monday and operate Monday through Friday from 9 a.m. to 9 p.m. excluding holidays. It can be reached at 1-833-791-1663.

Information will also be posted on the Delaware Department of Health and Social Services website at dhss.delaware.gov/dhss/.