Topics
More on Operations

New Hampshire DHHS breach exposes 15,000 patients' data on social media

A patient accessed the information from a library computer and, nearly a year later, posted it online.

Jessica Davis, Associate Editor

A New Hampshire Hospital patient hacked into the Granite State's Department of Health and Human Services and accessed the records of more than 15,000 patients, which were later posted onto a social media site, DHHS Commissioner Jeffrey A. Meyers announced Dec. 27.

Affected data includes names, Social Security numbers, addresses and Medicaid identification numbers. But the New Hampshire DHHS said there's no evidence financial data was included. All DHHS patients who received care from DHHS before November 2015 may have been included in the hack.

The breach occurred in October 2015, and officials learned of the breach on Nov. 4, 2016.

The patient accessed DHHS data, using a computer available to all patients in the hospital's library. What's troubling is that although this was noticed by staff who reported it to a supervisor and steps were taken to restrict this kind of access, it wasn't reported to hospital management or DHHS.

[Also: Community Health Plan of Washington breach affects nearly 400,000 members]

As a result, some of the stolen data was posted on a social media site in August 2016, officials said. The NH Department of Information Technology, state police and other state officials were immediately notified.

However, DHHS wasn't informed this data was posted until November and is just now informing the public of the breach.

Gov. Maggie Hassan told New Hampshire Public Radio a cybersecurity consultant will evaluate DHHS' computer system, in collaboration with the current law enforcement investigation. She defended the near two-month delay in reporting the breach, saying "state officials needed to know the precise data stolen and the patients who may be affected."

[Also: Data breaches spike 60 percent, more than 400,000 records stolen in November]

"We're taking steps to investigate fully what happened here," Hassan said. "And also of course, as we learn precisely what the information that was access was is and who it impacts, go through the notification process.

"Safeguarding the personal, financial and medical information of DHHS clients is one of this Department's highest priorities," Meyers said in a statement. "DHHS will continue to work with state agency partners to make every effort to ensure that the Department's data remains secure."

DHHS told all patients to monitor their banking and credit information for the next year. The provider is notifying all patients via mail.

This article first appeared in Healthcare IT News.

Twitter: @JessiefDavis