North Dakota and Delaware State Departments Report Breaches of PHI

Share this article on:

The North Dakota Department of Health, Department of Human Services, Cavalier County Health District, and other state agencies were impacted by a phishing attack that saw multiple employee email accounts compromised between November 23 and December 23, 2019.

The breach investigation did not uncover any evidence to suggest protected health information was stolen or misused or that the attack was conducted in order to obtain patient information. An analysis of the compromised accounts revealed they contained names, dates of birth, addresses, medical diagnoses and treatment information, driver’s license numbers and mothers’ maiden name and, for a limited number of individuals, Social Security numbers and/or financial information.

The breach report submitted to the HHS’ Office for Civil Rights indicates 35,416 individuals were affected by the breach. All individuals affected have been notified and those who had their Social Security number exposed have been offered free membership to credit monitoring services. North Dakota has since taken steps to improve email security to prevent attacks from succeeding in the future.

Delaware Division of Public Health Alerts 10,000 About Impermissible Disclosure of COVID-19 Test Results

The Delaware Division of Public Health has experienced a breach of protected health information that has affected approximately 10,000 individuals. A temporary member of staff sent two unencrypted emails containing COVID-19 test results to an unauthorized individual on August 13, 2020 and August 20, 2020. The first email contained the results of tests conducted between July 16, 2020 and August 10, 2020, and the second included results from tests taken on August 15, 2020.

The Delaware Division of Public Health discovered the HIPAA breach on September 16, 2020. The emails were meant for internal distribution to individuals who had assisted in obtaining the test results, but they were also sent to one unauthorized individual who reported receiving the email in error. The email and data have been deleted and the Division of Public Health has no reason to think there has been any further disclosure of the information. The file attachment contained names, dates of birth, phone numbers, test dates, test locations, and test results.

The Division of Public Health has reviewed its HIPAA-related policies and procedures, provided further HIPAA training to staff members, and has implemented additional training for temporary staff. The individual who made the error is no longer employed within the division of Public Health.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On