15k patients’ info shared on social media from NH Hospital data breach

About 15,000 patients of the New Hampshire Department of Health and Human Services had their information shared on social media, including their names and Social Security numbers. An investigation found a former psychiatric patient was behind the breach.

The New Hampshire Department of Health and Human Services (DHHS) experienced a massive data breach thanks to one patient who accessed a personal computer left in the hospital library. DHHS announced Tuesday that the breach occurred in October 2015 but did not learn of it until November 4, 2016.

Staff members saw the patient accessing non-confidential DHHS information in the New Hampshire Hospital Library. They changed their policy regarding use of computers but did not file any reports about the incident with the hospital or DHHS.

However, in August, security officials found that the patient had been sharing information on social media. They informed DHHS, which in turn reported it to the Department of Information Technology (DIT). An investigation was launched, but it did not turn up any evidence of a breach or that sensitive information was being shared.

It wasn’t until November 2016 that DHHS learned that the patient was sharing information – and that it was some of the most sensitive information that can be shared. Over 15,000 clients of DHHS and New Hampshire Hospital in Concord had their names, addresses, Social Security numbers and Medicaid identification numbers shared on an unidentified social media platform.

"All available information indicates that this was an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack," DHHS Commissioner Jeffrey A. Meyers said in a statement.

Officials claim that the information was removed within 24 hours of discovering the breach and that there has been no evidence of clients being victimized because of the leak.

While DHHS emphasized that there have been no reports of credit card fraud or identity theft, New Hampshire Gov. Maggie Hassan (D) released a statement stressing that the incident “is being treated with the utmost seriousness by all relevant state agencies.” She went on to explain that it “highlights the importance of continuing to strengthen the state's cyber security efforts to protect personal data from both hackers and human error.”

She added that all state employees have been receiving cybersecurity training but reaffirmed that all relevant state departments are investigating the incident.