Cyber Incident Victim: Delaware Health Network

On or around April 5, 2023, Delaware Health Net (DHN) experienced a cyber event. DHN is a healthcare-controlled network provider and electronic health records management provider that offers services to various entities, including the Henrietta Johnson Medical Center (HJMC) in Delaware. The incident involved unauthorized access to DHN's systems. During this unauthorized access, certain files were copied from the systems. The specific technical means of the initial access or the exact systems compromised were not detailed in the available information.

The breach was discovered by DHN, though the precise timeline and methods of detection were not publicly disclosed. Following the discovery, DHN initiated its response. The nature of the incident response and containment actions taken by DHN were not explicitly outlined in the notices from affected clients. The investigation into the cyber event determined that unauthorized actors had accessed and exfiltrated data.

A significant consequence of this incident was the potential exposure of patient data belonging to clients of DHN. The Henrietta Johnson Medical Center was one such client that was notified of the breach. In its communications, HJMC reported that DHN had not yet identified the precise patient data that may have been impacted by the copying of files. Despite this lack of specific confirmation from the vendor, HJMC stated it was possible that the involved patient data included a range of sensitive personal and medical information. The types of information potentially compromised included the full name, date of birth, ethnicity, medical record number, diagnosis code, lab information, and health insurance information of patients.

The scope of the incident, in terms of the total number of individuals affected across all of DHN's clients, was not definitively established in the public reporting. HJMC, however, submitted a report to the U.S. Department of Health and Human Services on June 27, 2023. This report indicated that 500 patients were affected. This figure is often used as a reporting threshold under federal regulations, suggesting the actual number of HJMC patients impacted was likely greater than 500, but the exact count was not finalized or publicly confirmed by that date. No other clients of DHN were reported to have publicly disclosed breaches related to this same event at that time, raising questions about the full extent of the impact across DHN's customer base.

The response included notification efforts by the affected covered entity, Henrietta Johnson Medical Center. HJMC posted a public notice on its website to inform its patients of the breach at its vendor, Delaware Health Net. This notice served to disclose the occurrence of the incident and the types of data that were potentially involved. The medical center's notice clarified that the breach originated within DHN's systems and not its own. The public notice was published on or before June 29, 2023, as it was referenced in reports on that date. The incident also caused some public confusion regarding the responsible party, initially misidentifying the Delaware Health Information Network (DHIN) as the entity involved. This required a public correction and clarification to distinguish DHN from the unrelated DHIN, highlighting the challenges in accurately attributing and reporting on third-party vendor incidents.

The investigation into the incident was ongoing as of the last reported updates. Delaware Health Net continued its forensic analysis to determine the full scope and specifics of the data that was accessed and copied. The inability to immediately identify the precise data elements affected for its clients was a noted aspect of the post-incident investigation. The long-term impacts, including any potential misuse of the exfiltrated data or regulatory actions, were not detailed in the available information. The primary documented impacts were the confirmed unauthorized access and data exfiltration from DHN's systems and the subsequent potential risk to the confidentiality of patient information held by its clients, specifically evidenced by the breach reporting undertaken by the Henrietta Johnson Medical Center.