The following is a statement released by Health and Human Services Commissioner Jeffrey Meyers:
The Department of Health and Human Services learned on November 4, 2016, that some personal information from DHHS internal files had been posted to a social media site.
As soon as DHHS learned of the posting of this DHHS information, it notified the New Hampshire Department of Information Technology, the NH State Police and other state officials.
With the assistance of law enforcement, the information was removed from social media within 24 hours and a criminal investigation is ongoing. DHHS and the New Hampshire Department of Information Technology (DoIT) have eliminated the source of the breach and the information can no longer be accessed by unauthorized individuals at New Hampshire Hospital.
The information breached includes names, addresses, social security numbers, and Medicaid identification numbers.
The personal information was accessed in October 2015, by an individual who was a patient at New Hampshire Hospital at that time, using a computer that was available for use by patients in the library of the hospital. In the course of investigation, we learned that this individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library.
The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.
In August 2016, a security official at New Hampshire Hospital informed DHHS that the same individual may have posted on social media some DHHS information. That was immediately reported to the Department of Information Technology, the State Police and other state officials. An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.
On November 4, 2016, DHHS was informed by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed.
As a result of the investigation to date, DHHS has determined that the breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015. All available information indicates that this was an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.
DHHS is following all federal and state requirements regarding a breach of protected health information and personal information. DHHS is complying with requirements to notify potentially impacted individuals to inform them that their protected health and/or personal information may have been accessed and the self-protection measures they can take. DHHS will send through the mail a written notification to all impacted individuals for whom we have a valid mailing address.
DHHS has no evidence that individuals’ protected information has been misused or that any credit card or banking information was accessed. However, individuals who received services from DHHS prior to November 2015 may wish to take steps to monitor their credit and bank statements. Individuals can protect themselves from incidents of identity theft or fraud by reviewing their account statements and monitoring their credit. Any suspicion of identity theft or fraud may be reported to local law enforcement or the Consumer Protection Bureau at the New Hampshire Department of Justice (1-888-468-4454 or603-271-3641).
DHHS is making available a toll-free telephone number that affected individuals may call with questions about this incident. The toll-free number is 1-888-901-4999. DHHS is also posting notice and additional information regarding this incident on our website, www.dhhs.nh.gov.
Safeguarding the personal, financial and medical information of DHHS clients is one of this Department’s highest priorities. DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure.