Data breach affects 10,000 tested for COVID-19 in Delaware

Listen 1:38
Drive-through test sites like this one in Delaware are popping up around the Philly region. (Butch Comegys for WHYY)

Drive-through test sites like this one in Delaware are popping up around the Philly region. (Butch Comegys for WHYY)

The information of 10,000 Delawareans who got tested for COVID-19 in July and August was accidentally sent to an unauthorized person, the Delaware Division of Public Health announced  Sunday.

The division is now mailing letters to those impacted by the data breach, which was discovered on Sept. 16.

A temporary staff member sent two unencrypted emails in August to an unauthorized user that contained COVID-19 test results of about 10,000 individuals who were tested between July 16 and August 10 and on August 15.

The emails were meant for internal distribution to call center staff who assist individuals in obtaining their test results, DPH said, but instead, they were mistakenly sent to one unauthorized user. An investigation showed that there was no malfeasance during the incident.

The receiver of the emails, a member of the public, alerted DPH and said they deleted the emails. DPH said there is no evidence that there has been any attempt to misuse any of the information, which include test dates and locations, and individuals’ names and birth dates, phone numbers and test results. There’s no financial information or social security information shared in these emails.

DPH officials also say there’s minimal to no risk of a patient’s information being leaked elsewhere.

DPH staff have since been retrained in HIPAA, and additional HIPAA training policies were put in place for temporary staff. The temporary staff member is no longer employed with DPH.

DPH also wants to reinforce procedures regarding sharing this type of information, including enforcing the importance of encrypting emails to improve safety.

“I understand during this pandemic there’s a lot of interest in getting information faster and everyone has been busy and trying to do their best to meet expectations, not just internally but also public,” said DPH Medical Director Dr. Rick Hong.

DPH has reported the data breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice, as required by state law and HIPPA.

“There’s always some concern this will have a ripple effect and impact our response to COVID,” Hong said. “I hope people see this as a positive, that we decided to share this information and be transparent because we do understand the value of patient privacy. We will take proper measures to not only fix the problem, but share what happened.”

He added that this might mean a slower rate of getting test results to the public.

“We do want to focus on patient privacy and make sure that’s protected and that may slow down certain processes like results-sharing. There needs to be a balancing act regarding the operating efficiency and patient privacy,” he said.

DPH has established a call center to answer questions about the incident. The call center can be reached at 1-833-791-1663 Monday through Friday, from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding U.S. holidays.

Get daily updates from WHYY News!

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal