NH Department of Health & Human Services hacked; 15,000 affected (UPDATED)
Todd Bookman reports:
The state’s Department of Health and Human Services says personal information for as many as 15,000 clients has been breached.
Names, addresses, social security numbers and Medicaid ID numbers were stolen, with some information posted on social media sites.
The agency says a patient at the state-run psychiatric hospital in Concord accessed the information in October, 2015 through a computer in the facility’s library.
Read more on Sentinel Source.
From the department’s notification to individuals:
On November 4, 2016, DHHS determined that a breach of confidential personal information from DHHS files had occurred which involved access by a single unauthorized individual. The breach was discovered when the individual posted some information to social media. With the assistance of law enforcement, the information was removed within 24 hours and a criminal investigation is ongoing. We have investigated and learned that your protected health information and/or personal information may have been compromised.
DHHS worked with law enforcement and the New Hampshire Department of Information Technology and took immediate steps to secure and safeguard its systems and have eliminated the source of the breach so protected health information and/or personal information can no longer be accessed by unauthorized individuals. We have no evidence that any credit card or banking information was accessed or obtained or that the information accessed has been used to access any person’s accounts.
DHHS has determined that your protected health information and/or personal information have been accessed. The data accessed includes protected health information and/or personal information regarding individuals having involvement with the New Hampshire Department of Health and Human Services prior to November 2015. Not all types of information were accessed for all individuals receiving this Notice. However, the information accessed included your name and at least one of the following: date of birth, address, social security number, Medicaid identification number, and medical services records.
From the department’s press release:
“The personal information was accessed, in October 2015, by an individual who was a patient at New Hampshire Hospital at that time, using a computer that was available for use by patients in the library of the hospital. In the course of investigation, we learned that this individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library. The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.
“In August 2016, a security official at New Hampshire Hospital informed DHHS that the same individual may have posted on social media some DHHS information. That was immediately reported to the Department of Information Technology, the State Police and other state officials. An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.
“On November 4, 2016, DHHS was informed by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed. As a result of the investigation to date, DHHS has determined that the breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015. All available information indicates that this was an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.
Update: Some really admirable transparency from the state as to the errors that enabled the patient to access files they should not have been able to access.