About 15,000 patients in the New Hampshire Department of Health and Human Services (DHHS) found themselves exposed when their information was shared on social media, including their names and Social Security numbers. Addresses and Medicaid ID numbers were in there too.
This is a tale of lacking a basic security posture: An investigation has uncovered that a former psychiatric patient was able to carry out a breach via an open computer in the hospital library.
DHHS announced last week that the breach occurred in October 2015, but that it did not learn of it until November 4, 2016. Yet the timeline is more complicated than that:
In October, “[the] individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library,” the department said in a statement. “The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.”
The same person went on to post non-personal DHHS information on social media on August 2016, this time drawing attention from the New Hampshire Department of Information Technology, the State Police and other state officials.
So wherefore the confidential information? Our patient/offender surfaced again in November:
“On November 4, 2016, DHHS was informed by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed.”
The breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015.
“A criminal investigation is ongoing,” the department said. “DHHS and the New Hampshire Department of Information Technology (DoIT) have eliminated the source of the breach and the information can no longer be accessed by unauthorized individuals at New Hampshire Hospital.”
It added, “Safeguarding the personal, financial and medical information of DHHS clients is one of this Department’s highest priorities. DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure.”
Photo © Narin Nonthamand