The Delaware Division of Developmental Disabilities Services Data Breach
DOVER (Oct. 21, 2022) – The Delaware Division of Developmental
Disabilities Services is announcing today that it is mailing letters to
service recipients and legal guardians who were impacted by a recent
data breach incident and is providing information to the public
regarding the incident.
On August 23, 2022, staff within the Division of Developmental
Disabilities Services (DDDS) discovered that in the process of creating
new user accounts in the division’s client database, DDDS staff
inadvertently provided access to individual records of 7074 individuals.
As a result of these actions, 159 new users had potential access to
service recipients’ personal, identifiable information and protected
health information as well as potential access to more detailed
information through accessed accounts.
A thorough investigation of the incident was conducted. Using
forensic analysis available through the software’s vendor, the division
has been able to determine how many users accessed information not
intended for their use, and which service recipient records were opened
and viewed. While the division has determined that only 12 detailed
records were actively accessed, certain personal, identifiable
information and protected health information was passively available to
any user with the erroneous access level. The software vendor is unable
to determine who may have passively viewed this information.
Based on this internal investigation and consultation with the
software vendor, the division is taking corrective measures to tighten
security and protection of the personal health information of its
service recipients. DDDS has:
- Reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures.
- Established new guidelines for the creation of user accounts and a tightened approval process for accessing records.
- Worked with its vendor to institute technology checks on providing access.
The division will incorporate lessons from this analysis into the
design and implementation of its new client data management system
scheduled for transition in 2023.
As required by HIPAA and state law, the Delaware Division of
Developmental Disabilities Services has reported this breach to the U.S.
Department of Health and Human Services and to the Delaware Department
of Justice.
The Division of Developmental Disabilities Services is also
establishing a dedicated call center independently staffed by a
contracted company to answer any questions about this incident. Call
center representatives have been fully versed on the incident and can
answer questions or concerns individuals may have regarding protection
of their personal information. Additionally, the division will be
offering free access to credit monitoring to all impacted parties for a
period of one year.
| Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI? This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded. Yes. When an individual requests access to her PHI and the covered entity intends to charge the ...read more |
| Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives? No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information ...read more |
| Dentist Revises Process to Safeguard Medical Alert PHI Covered Entity: Health Care Provider Issue: Safeguards, Minimum Necessary An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating ...read more |
| State Hospital Sanctions Employees for Disclosing Patient's PHI Covered Entity: Health Care Provider / General Hospital Issue: Impermissible Disclosure A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of ...read more |
|
February 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
|
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
EHR Fraud (1)
HIPAA (2)
PPP Fraud (1)
Telehealth (1)
Data Breach (1)
ePHI (2)
Covered Entity (40)
HIPAA Enforcement (3)
BAA (4)
|
