It was recently announced that the Delaware Division of Public Health (DPH) mailed breach letters to 10,000 patients. These patients, who had been tested for COVID-19, had their health information accidentally sent in unencrypted emails to an unauthorized individual. More details on the health department breach are discussed below.

How Did the Health Department Breach Occur?

On September 16, 2020, the Delaware Department of Health and Social Services (DHSS) discovered that a temporary employee had sent two separate unencrypted emails, containing the COVID-19 test results of 10,000 patients, to an unauthorized user. The employee sent the emails by mistake on August 13 and August 20.


The unauthorized email sent on August 13 contained COVID test results for patients tested from July 16, 2020 to August 10, 2020, while the email sent August 20 contained the test results for patients tested on August 15, 2020.

In addition to the test results, other protected health information (PHI) was also exposed, including the dates of testing, testing locations, patient names, patient dates of birth, and phone numbers.

Both emails were intended for internal distribution to assist call center staff in answering patient questions regarding their COVID test results. Luckily, the emails that caused the health department breach were only sent to one unauthorized individual, who promptly notified DPH and deleted the emails.


In response to the health department breach, DPH conducted a thorough investigation and has reviewed and revised its HIPAA policies and procedures. It has also retrained staff on the proper uses and disclosures of PHI and increased HIPAA training for temporary staff. The employee who caused the health department breach no longer works for DPH.

How to Prevent a Breach of This Type

There are several ways in which you can prevent this type of breach from occurring within your organization.

Policies and procedures. You should have written policies and procedures regarding the proper uses and disclosures of PHI.

Access controls. Only employees who require access to PHI should be given access to the sensitive data. This is known as the minimum necessary standard. Although the employee who caused the health department breach likely required limited access to PHI, it may be in your best interest to only give PHI access to permanent employees.
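The minimum necessary standard is easiest to enforce when it is written into the code that hands data to staff, not left to individual judgement. The following Python example is added here as an illustration and is not code from the article, from DPH, or from Compliancy Group. The role names, the field-to-role policy, the User type, and the sample test-result records are all constructed assumptions for the example; the record fields mirror the data elements the article says were exposed (result, test date, test site, name, date of birth, phone number). A call-center agent answering "what was my result?" gets only the fields needed to confirm identity and read the result, a bulk export is refused to anyone without a PHI entitlement, and, following the article's suggestion, temporary staff are denied bulk exports entirely.

```python
"""Field-level 'minimum necessary' filtering for COVID-19 test-result records.

Added example (not from the article, DPH or Compliancy Group). Roles, policy,
User fields and sample records are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy: role -> the PHI fields that role needs to do its job.
MINIMUM_NECESSARY = {
    "call_center": {"patient_name", "date_of_birth", "result"},
    "epidemiologist": {"test_date", "test_site", "result"},
    "it_support": set(),  # no PHI entitlement at all
}

# Constructed sample records with the same data elements the article lists.
SAMPLE_RECORDS = [
    {"patient_name": "Jane Doe", "date_of_birth": "1980-01-02",
     "phone": "302-555-0100", "test_date": "2020-07-20",
     "test_site": "Site A", "result": "negative"},
    {"patient_name": "John Roe", "date_of_birth": "1975-06-15",
     "phone": "302-555-0199", "test_date": "2020-08-15",
     "test_site": "Site B", "result": "positive"},
]


@dataclass(frozen=True)
class User:
    """Hypothetical staff account; 'temporary' marks contract/temp staff."""
    username: str
    role: str
    temporary: bool = False


class AccessDenied(Exception):
    """Raised when a request exceeds the user's minimum-necessary entitlement."""


AUDIT_LOG = []  # one entry per access decision, for after-the-fact review


def _audit(user, action, allowed, detail=""):
    AUDIT_LOG.append({"user": user.username, "role": user.role,
                      "action": action, "allowed": allowed, "detail": detail})


def redact_for_role(record, role):
    """Return only the fields the role is entitled to see (whitelist, not blacklist)."""
    allowed = MINIMUM_NECESSARY.get(role)
    if allowed is None:
        raise AccessDenied(f"unknown role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def lookup_result(user, records, patient_name):
    """Single-patient lookup, e.g. a call-center agent answering one caller."""
    if not MINIMUM_NECESSARY.get(user.role):
        _audit(user, "lookup", False, "role has no PHI entitlement")
        raise AccessDenied(f"{user.role} may not read PHI")
    matches = [r for r in records if r["patient_name"] == patient_name]
    _audit(user, "lookup", True, f"{len(matches)} record(s) for {patient_name}")
    return [redact_for_role(r, user.role) for r in matches]


def export_for_user(user, records):
    """Bulk export (the operation that went wrong in the article's incident).

    Refused outright for roles with no PHI entitlement and for temporary
    staff; otherwise every record is reduced to the role's allowed fields.
    """
    if not MINIMUM_NECESSARY.get(user.role):
        _audit(user, "export", False, "role has no PHI entitlement")
        raise AccessDenied(f"{user.role} may not export PHI")
    if user.temporary:
        _audit(user, "export", False, "bulk export restricted to permanent staff")
        raise AccessDenied("temporary staff may not bulk-export PHI")
    _audit(user, "export", True, f"{len(records)} record(s)")
    return [redact_for_role(r, user.role) for r in records]


if __name__ == "__main__":
    agent = User("agent01", "call_center", temporary=True)
    print(lookup_result(agent, SAMPLE_RECORDS, "Jane Doe"))
    try:
        export_for_user(agent, SAMPLE_RECORDS)
    except AccessDenied as exc:
        print("export refused:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The design choice worth noting is that redaction is a whitelist: a new field added to the record (say, an address) is invisible to every role until the policy is updated to grant it, so the default on change is less disclosure, not more. Keeping an audit entry for refused requests as well as granted ones is what lets a later investigation establish who asked for what and when.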

Employee training. Arguably the most effective way to prevent insider breaches is to train employees. Under HIPAA, all employees who have the potential to access PHI are required to be trained annually on your organization’s policies and procedures and on HIPAA basics.