The Delaware Division of Developmental Disabilities Services (DDDS) is announcing today that it is mailing letters to service recipients and legal guardians who were impacted by a recent data breach incident and is providing information to the public regarding the incident.
On August 23, 2022, staff within the DDDS discovered that in the process of creating new user accounts in the division’s client database, DDDS staff inadvertently provided access to individual records of 7074 individuals. As a result of these actions, 159 new users had potential access to service recipients’ personal, identifiable information and protected health information as well as potential access to more detailed information through accessed accounts.
A thorough investigation of the incident was conducted. Using forensic analysis available through the software’s vendor, the division has been able to determine how many users accessed information not intended for their use, and which service recipient records were opened and viewed. While the division has determined that only 12 detailed records were actively accessed, certain personal, identifiable information and protected health information was passively available to any user with the erroneous access level. The software vendor is unable to determine who may have passively viewed this information.
Based on this internal investigation and consultation with the software vendor, the division is taking corrective measures to tighten security and protection of the personal health information of its service recipients. DDDS has:
Reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures.
Established new guidelines for the creation of user accounts and a tightened approval process for accessing records.
Worked with its vendor to institute technology checks on providing access.
The division will incorporate lessons from this analysis into the design and implementation of its new client data management system scheduled for transition in 2023.
As required by HIPAA and state law, the Delaware Division of Developmental Disabilities Services has reported this breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice.
The Division of Developmental Disabilities Services is also establishing a dedicated call center independently staffed by a contracted company to answer any questions about this incident. Call center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information. Additionally, the division will be offering free access to credit monitoring to all impacted parties for a period of one year.
The call center can be reached at 1-833-875-0644 Monday through Friday, from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding U.S. holidays.
Information is also be posted on the Delaware Department of Health and Social Services website at: https://dhss.delaware.gov/dhss/ and the division’s website: https://dhss.delaware.gov/dhss/ddds/.
Source: DHHS