Breaches of PHI at North Dakota and Delaware State Departments

A phishing attack affected the Department of Human Services, North Dakota Department of Health, Cavalier County Health District, and other state departments that resulted in the compromise of employee email accounts from November 23 to December 23, 2019.

The investigation into the breach didn’t yield any proof that suggests the theft or misuse of any protected health information (PHI). There was also no information that the attack was intended to acquire patient data. A review of the compromised accounts showed that there were names, birth dates, addresses, driver’s license numbers, mothers’ maiden names, medical diagnoses, and treatment data contained in the accounts. The Social Security numbers and/or financial data of some persons were also included.

It is indicated in the breach report sent to the HHS’ Office for Civil Rights that 35,416 people were impacted. All people impacted received breach notification letters and those who had their Social Security number exposed received a complimentary membership to credit monitoring services. North Dakota also took steps to strengthen email security to avoid other attacks later on.

COVID-19 Test Results of 10,000 Individuals Impermissibly Disclosed

The Delaware Division of Public Health has encountered a breach of PHI that impacted roughly 10,000 people. On August 13, 2020 and August 20, 2020, a non-permanent employee mailed two unencrypted emails that contain COVID-19 test results to an unauthorized person. The results of tests done from July 16, 2020 to August 10, 2020 were contained in the first email. The results of tests done on August 15, 2020 were contained in a second email.

On September 16, 2020, the Delaware Division of Public Health found out about the HIPAA breach. The emails were supposed to be for internal distribution to people who had helped get the test results. However, they were also mailed to an unauthorized person who reported that he/she got the email by mistake. The recipient deleted the email and file attachment containing names, birth dates, telephone numbers, dates and locations of tests, and test results. The Division of Public Health is convinced there was no further disclosure of the data.

The Division of Public Health has evaluated its HIPAA-related policies and guidelines, gave additional HIPAA training to personnel, and has enforced more training for non-permanent employees. The person who made the error is no longer employed within the division of Public Health.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at