Hundreds of vulnerable Delawareans were impacted in a recent Delaware Department of Health and Social Services HIPAA breach, WDEL has confirmed.
The breach occurred within the Delaware Division of Developmental Disabilities Services (DDDS).
Those affected received a letter, dated June 29, 2020, obtained by WDEL, that stated a DDDS provider was working with four University of Delaware students on a senior project that aimed to identify service gaps for recipients using geo-mapping, when private data was divulged.
"For the purposes of the project, the UD students requested information about service recipients living within a specific geographic area, as well as basic demographic information such as age range and disability status. In response, a DDDS staff person sent information, via email, to the four students on April 9, 2020 for use in their final project."
That information included full names, birth dates, primary diagnosis, and county--information the department said should have been "de-identified."
Director of Communications Jill Fredel confirmed to WDEL that 350 clients were affected by the breach.
"Social Security numbers were blacked out/redacted and therefore not part of the information share," the letter read.
The breach wasn't discovered until the students made their presentation on May 8, 2020, via Zoom, which included the protected health data.
"DDDS senior leadership halted the presentation as soon as the personal information was presented," the letter said. "DDDS instructed the students to delete all files containing the data used in the project (including emails, shared files, and the presentation itself)."
An investigation into the HIPAA breach is ongoing, but DDDS said the staff member responsible acknowledged their role and has been addressed "administratively." No further details were available.
The letter urges recipients to place a fraud alert on their credit report, order credit reports, and continue to monitor credit reports "out of an abundance of caution," but does not say DHSS or DDDS will take these steps on behalf of its vulnerable clients as many companies often do in data breaches.
"We take our role of safeguarding your personal information seriously. DDDS apologizes for the worry this situation may cause you. Please know we are doing everything we can to ensure it does not happen again," the letter said.
Fredel declined to answer further questions on breach or make anyone within the department available for an interview.