The Delaware Division of Developmental Disabilities Services Data Breach

DOVER (Oct. 21, 2022) – The Delaware Division of Developmental Disabilities Services is announcing today that it is mailing letters to service recipients and legal guardians who were impacted by a recent data breach incident and is providing information to the public regarding the incident.

On August 23, 2022, staff within the Division of Developmental Disabilities Services (DDDS) discovered that in the process of creating new user accounts in the division’s client database, DDDS staff inadvertently provided access to individual records of 7074 individuals. As a result of these actions, 159 new users had potential access to service recipients’ personal, identifiable information and protected health information as well as potential access to more detailed information through accessed accounts.

A thorough investigation of the incident was conducted. Using forensic analysis available through the software’s vendor, the division has been able to determine how many users accessed information not intended for their use, and which service recipient records were opened and viewed. While the division has determined that only 12 detailed records were actively accessed, certain personal, identifiable information and protected health information was passively available to any user with the erroneous access level. The software vendor is unable to determine who may have passively viewed this information.

Based on this internal investigation and consultation with the software vendor, the division is taking corrective measures to tighten security and protection of the personal health information of its service recipients. DDDS has:

  • Reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures.
  • Established new guidelines for the creation of user accounts and a tightened approval process for accessing records.
  • Worked with its vendor to institute technology checks on providing access.

The division will incorporate lessons from this analysis into the design and implementation of its new client data management system scheduled for transition in 2023.

As required by HIPAA and state law, the Delaware Division of Developmental Disabilities Services has reported this breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice.

The Division of Developmental Disabilities Services is also establishing a dedicated call center independently staffed by a contracted company to answer any questions about this incident. Call center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information. Additionally, the division will be offering free access to credit monitoring to all impacted parties for a period of one year.



Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications Covered Entity: General Hospital Issue: Impermissible Disclosure; Confidential Communications A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient’s home phone answering machine, thereby failing to accommodate the patient’s request that communications of PHI be made only through her mobile or work phones.  In response, the hospital instituted a number of actions to achieve compliance with the Privacy Rule.  To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with ...read more



Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books Covered Entity: Pharmacies Issue: Safeguards A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. OCR issued a written analysis and a demand for compliance. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the ...read more



HHS Issues Guidance on HIPAA and Audio-Only Telehealth Today, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth - PDF is no longer in effect. This guidance will help individuals ...read more



Clinic Sanctions Supervisor for Accessing Employee Medical Record Covered Entity: Outpatient Facility Issue: Impermissible Use and Disclosure A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter ...read more

July 2026
SuMoTuWeThFrSa
1234
567891011
12131415161718
19202122232425
262728293031

Blog Home

Newest Blog Entries
1/21/25 Understanding Business Associate Agreements

11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims

11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme

11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges

11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6

11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach

11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth

11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations

11/12/22 May a covered entity use or disclose protected health information for litigation?

11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

Blog Archives
January 2025 (1)
November 2022 (54)

Blog Labels
PPP Fraud (1)
HIPAA (2)
ePHI (2)
HIPAA Enforcement (3)
Data Breach (1)
Covered Entity (40)
Telehealth (1)
BAA (4)
EHR Fraud (1)