NH DHHS Hacked, Data of Thousands of Clients Posted on Social Media

CONCORD, NH — The New Hampshire Department of Health and Human Services has confirmed a previous media report that its computer system was hacked last year and private information – including Social Security numbers and Medicaid ID numbers – were published on a social media site, according to a statement. The confirmation of the hack comes as WMUR-TV reported on Twitter earlier today that the department would be confirming that its internal files were hacked.

The NH DHHS learned about the hack on Nov. 4, according to Commissioner Jeffrey Meyers, and that personal information was posted on a social media site. That personal information included names, addresses, Social Security numbers, and Medicaid identification numbers. The information was accessed by a state hospital patient in October 2015. The patient was using a computer that was “using a computer that was available for use by patients in the library of the hospital,” Meyers noted.

During the course of investigation, the department learned that the individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library. While the staff member notified a supervisor, who took steps to restrict access to the library computers, the incident was not reported to management at New Hampshire Hospital or DHHS.

“As soon as DHHS learned of the posting of this DHHS information, it notified the New Hampshire Department of Information Technology, the NH State Police and other state officials,” Meyers stated. “With the assistance of law enforcement, the information was removed from social media within 24 hours and a criminal investigation is ongoing. DHHS and the New Hampshire Department of Information Technology (DoIT) have eliminated the source of the breach and the information can no longer be accessed by unauthorized individuals at New Hampshire Hospital.”

In August, the department learned that the patient posted the information on social media. An investigation at that time did not reveal any evidence that confidential personal or personal health information were breached, Meyers said.

“DHHS was informed (last month) by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site,” he stated. “State officials and law enforcement were immediately informed, and the personal information was removed. As a result of the investigation to date, DHHS has determined that the breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015.”

Meyers said that the incident appears to be isolated and stemming from unauthorized access in October 2015 and is not the result of an external attack. The department is following all federal and state requirements regarding any breach of health and person information.

The department also released information on how those who may have been hit during the breach can protect themselves from incidents of identity theft or fraud by reviewing their account statements and monitoring their credit. Any suspicion of identity theft or fraud may be reported to local law enforcement or the Consumer Protection Bureau at the New Hampshire Department of Justice (1-888-468-4454 or 603-271-3641).

The DHHS has also made available a toll-free telephone number that affected individuals may call with questions about this incident. The toll-free number is 1-888-901-4999. DHHS is also posting notice and additional information regarding this incident on our website dhhs.nh.gov.

Republicans slam Hassan

The New Hampshire Republican State Committee (NHGOP) Chairwoman Jennifer Horn in a statement called the security breach at the NH DHHS "devastating" and stated that she was surprised that it took more than 50 days for the public to be informed about the breach. Horn suggested that the information was withheld in order to keep the information from harming her U.S. Senate bid against incumbent U.S. Sen. Kelly Ayotte, R-NH, a race she won by about 800 votes.

"The decision to withhold information about this breach was obviously political in nature and poorly served patients of the New Hampshire Hospital," she said. "In an extremely close U.S. Senate race, this misconduct from the Hassan Administration made the difference and will indelibly taint Hassan's slim victory and her term in Washington."

Image via Shutterstock.