10,000 COVID-19 test results sent to 'unauthorized user' in August, DPH announces Sunday
A temporary Division of Public Health staff member emailed COVID-19 test results for about 10,000 individuals — including the names and date of birth of each patient and their test result — to someone from outside the agency in August, state officials announced Sunday.
On two occasions — Aug. 13 and Aug. 20 — the temporary staffer sent unencrypted emails to an "unauthorized user" with test results for individuals tested between July 16 and Aug. 15, according to a press release.
Division of Public Health spokesperson Jennifer Brestel said the emails were supposed to be sent internally to call center staff who help people obtain their test results. Brestel said the emails were "mistakenly" sent outside the agency and the temporary staffer is no longer employed by the Division of Public Health.
The agency says they became aware of the data breach on Sept. 16, almost two months before notifying the public.
"With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, and make the appropriate decisions to line-up the assistance services that are being offered," Brestel said in a statement when asked why the agency waited.
"The Department of Health and Social Services was diligent with the investigation to ensure the appropriate protection services would be provided."
WHAT YOU NEED TO KNOW ABOUT SURGE: 6 pressing questions you need answered as COVID-19 cases surge in Delaware
According to the press release, the person who received the emails notified the Division of Public Health and reported deleting them and the attached files. The agency says there is no evidence that suggests "any attempt to misuse any of the information."
The Division of Public Health will be mailing letters to those affected by the data breach and is establishing a call center to answer questions specifically about the breach.
According to the press release, for each test result the emails included the date of the test, test location, patient name and date of birth and the patient's phone number if provided. No financial information was released.
This is the first COVID-19 data breach revealed by the Division of Public Health.
At times, state health officials have waited several months to share information regarding the spread of the virus in specific situations. The state has also changed the way it monitors the virus's spread, adjustments they attribute to a growing body of science enabling a better understanding of the virus.
In the throes of the spring surge in Delaware, state health officials and representatives from poultry companies would not share numbers regarding the spread of the virus within Sussex County poultry plants — an early hot spot.
Nearly six months into the pandemic — and four months after outbreaks at poultry plants were identified, the state released data on infections among poultry workers. A September report from the Delaware Pandemic Resurgence Advisory Committee later revealed one poultry plant experienced a positive rate of 30% at one point during the pandemic.
The announcement of the data breach comes as the coronavirus pandemic has reclaimed national attention post Election Day and amid the worst spike of infections yet.
Delaware reported 405 new cases of COVID-19 on Sunday, bringing its seven-day average to an all-time high of 315 cases per day. The state has set a new record for its seven-day average of new cases in 10 of the last 11 days.
At least one hospital did not report hospitalizations Sunday, leading to an inaccurate figure in Sunday's data. Delaware reported 132 hospitalizations on Saturday.
The percent of people who tested positive, however, continued to increase to a seven-day average of 14.1%.
To date, 28,803 Delawareans have been infected, of which 736 have died.