A former patient of the New Hampshire Department of Health and Human Services (DHHS) posted data of patients, including Social Security numbers, to social media.
How many victims?
Around 15,000 clients of DHHS and New Hampshire Hospital in Concord.
What type of information?
Personal information such as birth dates, addresses, Social Security numbers, Medicaid identification numbers and medical services records.
A patient accessed patient data in October 2015 via a personal computer in the hospital library. Staff observed the person but believed no confidential information had been accessed, so they did not file a report with the hospital or DHHS. In August, security officials observed that the former patient was posting data on social media. DHHS was informed and reported the incident to the Department of Information Technology (DIT). An investigation was begun at the time, but it found no evidence of a breach or of sensitive information being shared. It wasn't until November 2016 that DHHS detected the sensitive information being shared.
What was the response?
Officials at DHHS stated that the PII was deleted within 24 hours of discovery. There has been no evidence of credit card fraud or identity theft resulting from the data exposure, they stated. In a release, New Hampshire Gov. Maggie Hassan (D) said the incident “is being treated with the utmost seriousness by all relevant state agencies.” She said cybersecurity efforts in the state were being strengthened, all state employees were receiving cybersecurity training, and investigations into the incident continue. Affected individuals were advised to report any incident of identity theft to local law enforcement or the Consumer Protection Bureau of the New Hampshire Department of Justice.