By DAMIEN FISHER, InDepthNH.org
Data breaches at several New Hampshire medical facilities involving potentially 150,000 people were reported to the United States Department of Health and Human Services since the start of 2021.
There are eight data breaches reported at seven New Hampshire health-care facilities, with one company, NuLife Med LLC in Manchester, reporting two breaches this year. One reported in May and the other reported in July, according to the database kept by HHS.
Most of the breaches are reported to be hacking/IT incidents involving networked servers, though in one case, at Dartmouth-Hitchcock Medical Center, a laptop with patient data went missing. That loss was recorded on the database in July.
Despite the missing laptop with data involving 1,201 people, there is currently no indication that patient data was taken by any malicious actors in the DHMC loss, according to Audra Burns, Senior Manager of Media Relations, Communications and Marketing at DHMC.
“There is no evidence at this time of any misuse of patient information contained on the device. We are considering additional safeguards to protect patient information as a result of this incident. Patients whose information was contained on the device have been notified,” Burns wrote in a statement to InDepth.
Like DHMC, the Mental Health Center of Greater Manchester also had a data breach this year, but Rik Cornell, the Vice President of Community Relations for the provider, said so far none of the patient information involved has been reported as taken. The breach, reported on the HHS database in May of this year, put the records of 1,322 patients at potential risk.
“We didn’t have any patient information exposed,” Cornell said.
The actual breach was discovered in February of this year, and after notifying the patients involved, the Mental Health Center of Greater Manchester has found none of the records have been stolen or used illegally.
“We didn’t hear anything through July,” Cornell said.
In the case of the Mental Health Center of Greater Manchester, Cornell said the data breach involved the improper storage of data in an unsecured manner.
“We got nothing to hide. We were trusting somebody was doing what they were supposed to be doing. It’s so hard to keep everything safe,” Cornell said.
It typically takes months from the time the data breach is discovered before it gets reported onto the HHS database. In the case of DHMC, the laptop first went missing in March. After an internal investigation, it was determined that in May the laptop could not be found. By June, the hospital was able to determine that the data on the laptop included “a limited number of patients’ first and last names, dates of birth and medical record numbers, as well as the dates, types, and results of audiology tests,” according to Burns.
“It’s important to note that the device did not contain any other patient diagnosis, treatment, medication or hospitalization information, nor did the device contain any patient Social Security numbers or financial information,” Burns wrote.
In February, The Mental Health Center of Greater Manchester learned that a server that contained patient data had been subject to a cyberattack. That server was controlled by the Illinois-based Center for Life Management, a partner of the Manchester organization. No evidence has been found that anyone improperly accessed the exposed data.
Living Innovations, an organization that provides support for people with disabilities, reported a data breach that took place in June of this year. The aim of the attack appears to have been the organization itself, and not the patient information, according to a statement Living Innovations issued.
“The evidence suggests that this was an attempt to induce a fraudulent invoice payment—and not to access client information. However, because we could not rule out that client information may have been viewed, we reviewed all emails and attachments in the mailboxes. Our review identified client health insurance or Medicaid information, Social Security numbers, and limited information related to services received at Living Innovations,” the statement reads.
Living Innovations has locations in Derry, Concord, Dover, and Exeter, as well as location in Maine and Rhode Island. The breach potentially exposed data for 4,000 people.
Greater Nashua Mental Health reports the records of 1,085 people involved in court-ordered diversion programs were potentially exposed. That data includes names, addresses, dates of birth, Social Security numbers, diagnosis code, medication name, court liaison discharge notes, and healthcare provider organizational name. Greater Nashua Mental Health’s statement on the breach also claims that nothing exposed has so far been used for fraud.
“The investigation team did not find any postings of personal information on the internet and did not identify any actual misuse of your personal financial or health information during the course of the investigation,” the Greater Nashua Mental Health statement reads.
NuLife Med LLC in Manchester, a company that provides medical devices for people recovering from orthopedic surgery, reports two data breaks on the HHS database. One in May potential exposed 81,244 people, while one reported in July lists 3,805 people’s information put at risk. The company declined to comment and referred questions to attorney Jon Sistare. Sistare did not provide a comment.
According to a statement the company issued, however, patient data has so far not been stolen.
“A recent data security event involving NuLife Med, LLC (“NuLife”), may affect the security of information related to certain individuals who are affiliated with NuLife as current or former patients or potential patients. While at this time there is no indication of identity theft or fraud resulting from this event, we are providing you with information about the event, our response to it, and information related to what you may do to better protect your information, should you feel it appropriate to do so,” the NuLife statement reads.
The November 2021 data breach at Neuro Rehab Associates in Salem involves 501 patients, but the clinic’s parent company, the Northeast Rehabilitation Hospital Network is currently investigating a date breach potentially involving 190,000 patients.
A spokesman for Northeast Rehab Associates in Salem did not respond to requests for comment. Among the potentially compromised data are the names, Social Security numbers, financial account numbers, and credit and debit card numbers for patients. Neuro Rehab Associates representatives did not respond to a request for comment.
Neuro Rehab Associates, operates acute rehabilitation hospitals located in Salem, Nashua, Portsmouth and Manchester, New Hampshire. Their network includes over 20 outpatient centers, a home care division, a sports medicine division, and an outpatient pediatric division.
Optima Dermatology in Exeter, part of the Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center, discovered a breach took place last year, potentially exposing more than 58,000 patient records. These records include full names, date of births, medical treatment and/or conditions information, health insurance claims and/or application information, health insurance policy and/or subscriber numbers, and medical record numbers.
The company did not respond to a request for comment, but in a statement claims that none of the potentially exposed information has been used for fraud.
All the organizations have stated that the impacted clients have been notified about the breaches, and each organization has provided contact information for anyone impacted.
Dartmouth-Hitchcock’s confidential call center for patients is available at 1-800-939-4170 between 9 a.m. and 9 p.m. Monday through Friday.
The Mental Health Center of Greater Manchester’s toll-free assistance line is 844-925-1207, available Monday through Friday from 9 a.m. to 9 p.m.
Living Innovation’s Experian toll-free number for people who have been potentially exposed is 833-559-0155, available Monday through Friday 8 a.m. through 10 p.m. Central Standard Time, and 10 a.m. to 7 p.m. CST, Saturday’s and Sunday’s. People using that number should be prepared to provide Experian with Engagement Number: B058858.
Optima’s toll-free number is 844-978-4460, available Monday through Friday, 9 a.m. to 9 p.m.
NuLife’s toll-free line is 888-301-5930, available Monday to Friday 9 a.m. to 9 p.m. People may also write to NuLife at 250 N. Commercial Street, Suite 3003, Manchester, NH 03101.
Neuro Rehab’s toll-free line is 855-604-1665, available 9 a.m. to 9 p.m., Monday through Friday. People may also write to NHRN at 70 Butler Street. Salem, New Hampshire 03079. There are also numerous law firms currently investigating the Neuro Rehab data breach for a potential class action lawsuit.
Greater Nashua Mental Health provides a list of resources for people potentially impacted, and that can be found online.