A recent Delaware Department of Health and Social Services data breach resulted in the private data of hundreds of disabled Delawareans’ being included in a student project.
Data included in the breach included full names, birth dates, primary diagnosis, and county of residence.
The breach occurred when four students from the University of Delaware contacted a Delaware Division of Developmental Disabilities Services (DDDS) provider. The students reached out to request data for a project that aimed to use geo-mapping to detect gaps in the services received by DDDS recipients.
A DDDS employee who emailed out information in response to the students’ request neglected to anonymize sensitive data. Their slip-up caused the private information of 350 recipients of DDDS support to be exposed.
The data breach was only discovered when the unwitting students included the sensitive data in a presentation on their senior project, given via Zoom on May 8.
According to WDEL, those affected by the breach were notified by letter. Dated June 29, the letter stated: “For the purposes of the project, the UD students requested information about service recipients living within a specific geographic area, as well as basic demographic information such as age range and disability status. In response, a DDDS staff person sent information, via email, to the four students on April 9, 2020, for use in their final project.”
The information emailed to the students included highly sensitive data that the department admitted should have been “de-identified.”
Social Security numbers included in the data sent out to students had been redacted.
According to the letter, action was taken to secure the data as soon as the breach was detected.
“DDDS senior leadership halted the presentation as soon as the personal information was presented,” the letter said. “DDDS instructed the students to delete all files containing the data used in the project (including emails, shared files, and the presentation itself).”
While the staff member who claimed responsibility for the breach has been addressed “administratively,” according to the DDDS, an investigation into the incident is ongoing.
Those impacted by the breach were not offered any form of free credit monitoring.