COVID-19 test results and personal data of 10,000 Delaware residents were leaked due to human error after an employee at the Delaware Division of Public Health emailed their test results to an unauthorised third party who then reported the breach to authorities.
The massive breach of sensitive medical information of approximately 10,000 people took place in the U.S. state of Delaware in September when a temporary staff member at the Delaware Division of Public Health emailed COVID-19 test results and other personal data of citizens to a third party in error.
"On September 16, 2020, the Department of Health and Social Services (DHSS) discovered that a Division of Public Health temporary staff member mistakenly sent two unencrypted emails, one on August 13, 2020, and one on August 20, 2020, to an unauthorized user. These emails contained COVID-19 test results for approximately 10,000 individuals," the Delaware Division of Public Health said this week.
"The August 13, 2020 email included test results for individuals tested between July 16, 2020, and August 10, 2020. The August 20, 2020 email included test results for individuals tested on August 15, 2020. The emails were meant for internal distribution to call center staff who assist individuals in obtaining their test results.
"The emails were sent, mistakenly, to only one unauthorised user. This individual alerted the Division of Public Health of the inadvertent receipt of emails. They reported deleting the emails, and the files attached to them. Currently, there is no evidence to suggest that there has been any attempt to misuse any of the information," the department added.
DPH said the files emailed by the erring staff member to an unauthorised person included information such as the COVID-19 test results of approximately 10,000 people, the date of tests, test location, patients' names, patients' dates of birth, and their phone numbers.
Stating that the employee is no longer employed with the division, DPH added that it has since reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures, retrained staff in HIPAA, and put in place additional HIPAA training policies for temporary staff.
The breach of patient records was also reported by DPH to the U.S. Department of Health and Human Services and to the Delaware Department of Justice.
Considering that hospitals, testing agencies, and other healthcare institutions worldwide are going through severe stress while trying to contain the COVID-19 pandemic before a vaccine arrives, it is understandable that staff at certain organisations may commit inadvertent errors when dealing with vast amounts of patient data.
However, healthcare organisations in the U.S. routinely leak patient data or fail to secure it. According to the HIPAA Journal, by October last year, over 400 healthcare data breaches had taken place in the United States, resulting in the exposure, theft, or loss of over 38 million healthcare records, more than the number of records compromised in the previous three years combined.
HIPAA Journal reported that while 18 hacking incidents resulted in the compromise of 501,847 healthcare records, there were 28 reported unauthorised access/disclosure incidents involving a total of 134,775 records, and there were five incidents of theft or loss involving 13,454 records.
According to Ilia Kolochenko, founder and CEO of ImmuniWeb, with the rapid proliferation of outsourcing and sensitive data handling by numerous third parties, the scale of breaches stemming from external providers is unclear but probably immense.
"Continuous security monitoring and anomaly detection, asset inventory and attack surface management enhanced with well-thought-out and properly enforced third-party risk management is crucial for an effective cybersecurity strategy," he added.