1. Home
  2. States
  3. Delaware

Delaware

Table of Contents

Data breaches pose significant risks to individuals and organizations by allowing unauthorized parties to gain sensitive information. The frequency of breaches has escalated, leading to widespread compromises of personal data such as names, addresses, Social Security numbers, and medical records. According to state regulators, recent data breaches involving insurance carriers and third-party companies may have exposed the personal financial information of over 32,000 Delaware residents. In 2023, Delaware ranked 38th in terms of the number of victims affected and lost $35,376,770 to data breaches.

Identity Theft Statistics

Identity Theft
Reports
7TH
State Rank (Reports per 100K Population)
2,188
Identity Theft Reports
Fraud & Other
Reports
3RD
State Rank (Reports per 100K Population)
7,928
Total Fraud & Other Reports
Fraud
Losses
$5.7M
Total Fraud Losses
$338
Median Fraud Losses

Top Ten Report Categories

Identity Theft
22%
Imposter Scams
18%
Telephone and Mobile Services
6%
Credit Bureaus, Iformation Furnishers and Report Users
6%
Banks and Lenders
5%
Online Shopping and Negative Reviews
5%
Debt Collection
5%
Prizes, Sweepstakes and Lotteries
4%
Auto Related
4%
Internet Services
3%

Top Identity Theft Types

34%
1,882
Credit Card Fraud
26%
1,452
Other Identity Theft
16%
892
Bank Fraud
11%
637
Loan or Lease Fraud
7%
393
Phone or Utilities Fraud
3%
187
Employment or Tax-Related Fraud
3%
144
Government Documents or Benefits Fraud

Recent Data Breaches in Delaware

2023
May

Henrietta Johnson Medical Center

On May 22, 2023, Henrietta Johnson Medical Center was notified of a data breach on patient data. Delaware Health Network, a provider specializing in EHR management, brought the breach to their attention. This breach, which occurred On April 5, resulted in an authorized party copying the files of 500 Delawareans from the company's systems. The breach exposed crucial details, such as patient names, ethnicities, dates of birth, medical record numbers, laboratory data, diagnosis codes, and health insurance information. No Social Security numbers, driver's license numbers, or financial information were compromised in the breach. The hospital reported the incident to the HHS on June 27, 2023.

2022
August

Premier Physical Therapy and Sports Performance, Limited Partnership

On August 12, 2022, Premier PT discovered that phishing messages had been sent from two users' email accounts within the Premier PT system. Upon this revelation, Premier PT promptly initiated a thorough investigation to ascertain the origin and extent of the breach. The organization enlisted the expertise of top cybersecurity professionals to aid in this investigation. As a precautionary measure, Premier PT immediately disabled logins for the implicated accounts and enforced password resets for all users within their network. After thorough analysis, Premier PT determined that the users' email accounts had fallen victim to phishing attempts from an external source. The accounts were compromised by an unauthorized third party, who subsequently used them to send messages to other recipients. Fortunately, the breach did not extend to Premier PT's internal systems. In response, Premier PT thoroughly examined the affected users' mailboxes to assess the potential impact on individuals and data. The company identified individuals affected by the breach on October 5, 2022, and sent a notification.

2022
July

Bayhealth Medical Center, Inc.

On July 5, 2022, Bayhealth Medical Center, Inc. disclosed a data breach that affected the private information of 17,481 patients. The breach originated from a third-party vendor, Professional Finance Company, Inc. (PFC), utilized by Bayhealth for debt collection. Compromised data included patients' full names, addresses, dates of birth, Social Security numbers, health insurance details, and medical treatment records, accessible to an unauthorized entity. On July 5, 2022, Bayhealth notified the public of the data breach by publishing a notice on its website.

2022
February

Christiana Spine Center

On February 25, 2022, Christiana Spine Center suffered a data breach that gave unauthorized access to protected health information. The attackers were able to acquire sensitive personally identifiable information of 3,500 individuals. Exposed information included names, addresses, Social Security numbers, personal health information, and health insurance identification numbers. On May 23, 2022, the center published a notice to inform affected individuals.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Title 6, § 12B-102(a) of the Delaware Code requiring security breach notifications became effective on April 14, 2018. The law mandates that businesses maintaining the personal information of Delaware residents notify the affected residents if their personal information is compromised due to a data security breach.

The affected entity must send the notification without any undue delay but no later than 60 days after discovering the breach. This obligation can only be postponed if it might disrupt a police investigation or if it takes longer for a business to find out that personal information was stolen. Also, if the data breach involved the exposure of residents' Social Security numbers, the business must offer the affected persons credit monitoring services for at least one year. However, if an investigation concludes that the breach is unlikely to cause any harm or identity theft, the business may not be required to provide such services.

According to Title 6, § 12B-102(d) of the Delaware Code, in instances where the security of more than 500 Delaware residents is compromised, it is necessary to inform the Delaware Attorney General. Additionally, the law outlines exceptions for compliance with other regulations like HIPAA or GLBA and allows for delayed notification if law enforcement deems it necessary.

Laws

In Delaware, there's no strict rule on how you have to tell Delaware residents if their info was exposed in a security breach. Businesses can use a Model Data Security Breach Notification Form to make reporting an incident easier.

While other methods may suffice, employing the Model Data Security Breach Notification Form ensures compliance with Delaware's breach notification law. While using the alternative notification methods, the Consumer Protection Unit recommends ensuring readability and accessibility by using clear language and structuring content with headings similar to those in the Model Data Security Breach Notification Form.

Businesses should incorporate these details within their notice to the affected individuals:

  • A brief overview of the security incident
  • The exact or approximate date of the security breach
  • Details regarding the compromised personal data
  • Measures being implemented by the business in response
  • Advised actions for affected residents to safeguard themselves (such as contacting credit reporting agencies for fraud alerts and credit freezes)
  • Contact information of the business for inquiries

Affected businesses can use either the online web form or the downloadable fillable PDF form to report a data security breach to the Delaware Attorney General. Using the forms above will satisfy the written notice requirement to the Attorney General under Delaware's data security breach notification law. However, other forms of written or electronic notice may also be acceptable if they provide the same information required.

Resources

Table of Contents