[BreachExchange] Personal info of about 15, 000 NH DHHS clients accessed by patient, some posted on social media

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 27 19:56:48 EST 2016


http://www.nh1.com/news/personal-info-of-about-15-000-
nh-dhhs-clients-accessed-by-patient-some-posted-on-social-media/

Personal information from the New Hampshire Department of Health and Human
Services' internal files has been posted to a social media site,
Commissioner Jeffrey A. Meyers said.

DHHS learned Nov. 4 of this breach and notified the NH Department of
Information Technology, NH State Police and other state officials.

With the assistance of law enforcement, the information was removed from
social media within 24 hours and a criminal investigation was launched,
Meyers said.

The information that was put out included names, addresses, Social Security
Numbers and Medicaid identification numbers of those who received services
before November 2015. About 15,000 clients' information was accessed, but
only "a very small number" of those accounts was posted on social media,
Meyers said.

This information was allegedly accessed in October 2015 by an individual
who was a patient at New Hampshire Hospital at the time, using a computer
that was available for use by patients in the library of the hospital.

This patient was observed by a staff member to have accessed
non-confidential DHHS information on a personal computer located in the New
Hampshire Hospital library. The staff member notified a supervisor, who
took steps to restrict access to the library computers. The incident was
not reported to management at New Hampshire Hospital or DHHS.

In August 2016, a security official at New Hampshire Hospital informed DHHS
that the same individual might have posted on social media some DHHS
information. This was reported to the Department of Information Technology,
the State Police and other state officials. An investigation did not reveal
any evidence that confidential personal or personal health information had
been breached, Meyers said.

Meyers said there is no evidence that individuals’ protected information
has been misused or that any credit card or banking information was
accessed. However, those who received services from DHHS prior to November
of 2015 may wish to take steps to monitor their credit and bank statements.

DHHS is making available a toll-free telephone number - 1-888-901-4999
<(888)%20901-4999> - that affected individuals may call with questions
about this incident.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161227/3ef47448/attachment.html>


More information about the BreachExchange mailing list