The Delaware Division of Developmental Disabilities Services Data Breach
DOVER (Oct. 21, 2022) – The Delaware Division of Developmental
Disabilities Services is announcing today that it is mailing letters to
service recipients and legal guardians who were impacted by a recent
data breach incident and is providing information to the public
regarding the incident.
On August 23, 2022, staff within the Division of Developmental
Disabilities Services (DDDS) discovered that in the process of creating
new user accounts in the division’s client database, DDDS staff
inadvertently provided access to individual records of 7074 individuals.
As a result of these actions, 159 new users had potential access to
service recipients’ personal, identifiable information and protected
health information as well as potential access to more detailed
information through accessed accounts.
A thorough investigation of the incident was conducted. Using
forensic analysis available through the software’s vendor, the division
has been able to determine how many users accessed information not
intended for their use, and which service recipient records were opened
and viewed. While the division has determined that only 12 detailed
records were actively accessed, certain personal, identifiable
information and protected health information were passively available to
any user with the erroneous access level. The software vendor is unable
to determine who may have passively viewed this information.
Based on this internal investigation and consultation with the
software vendor, the division is taking corrective measures to tighten
security and protection of the personal health information of its
service recipients. DDDS has:
- Reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures.
- Established new guidelines for the creation of user accounts and a tightened approval process for accessing records.
- Worked with its vendor to institute technology checks on providing access.
The division will incorporate lessons from this analysis into the
design and implementation of its new client data management system
scheduled for transition in 2023.
As required by HIPAA and state law, the Delaware Division of
Developmental Disabilities Services has reported this breach to the U.S.
Department of Health and Human Services and to the Delaware Department
of Justice.
The Division of Developmental Disabilities Services is also
establishing a dedicated call center independently staffed by a
contracted company to answer any questions about this incident. Call
center representatives have been fully versed on the incident and can
answer questions or concerns individuals may have regarding protection
of their personal information. Additionally, the division will be
offering free access to credit monitoring to all impacted parties for a
period of one year.