Breach of DHHS internal files

CONCORD — State Health and Human Services Commissioner Jeffrey A. Meyers released a statement last week explaining a breach of client information stored in DHHS computers earlier this year and steps that the department has taken to close the breach, improve security and notify people who may have been affected.

Meyers said the Department of Health and Human Services learned on Nov. 4 that personal information from DHHS internal files had been posted to a social media site.

“As soon as DHHS learned of the posting of this DHHS information, it notified the New Hampshire Department of Information Technology, the N.H. State Police and other state officials. With the assistance of law enforcement, the information was removed from social media within 24 hours and a criminal investigation is ongoing,” he said, adding that DHHS and the N.H. Department of Information Technology have eliminated the source of the breach and removed the information from the website.

The information breached includes names, addresses, Social Security numbers, and Medicaid identification numbers for as many as 15,000 DHHS clients who received services before November 2015

The press release notes that all available information indicates that this was an isolated incident stemming from unauthorized access in October 2015 and is not the result of an external attack.

And Myers said, at this time, there is no indication that any of the information, which had been posted briefly on a social media website before officials were able to take it down, has been misused or that any credit card or banking information was accessed.

Meyers explained that the information was accessed in October 2015 by an person who was then a patient at New Hampshire Hospital, using a computer that was available for use by patients in the library of the hospital.

Although staff members at the hospital were aware that the patient had accessed non-confidential DHHS information, they did not know that any confidential information had been accessed. They restricted access on the computer but did not notify hospital management or DHHS at that time.

In August, a security official at the state hospital informed DHHS that the former patient may have posted some DHHS information on social media in August, but, again, investigation did not reveal evidence that confidential information had been breached.

Then on Nov. 4, DHHS was informed by state hospital security that the individual had that day posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed.

Meyers noted that DHHS is following all federal and state requirements regarding a breach of protected health information and personal information and is complying with requirements to notify anyone who may have been affected to inform them that their protected health and personal information may have been accessed and what self-protection measures they can take.

Anyone who received services from DHHS prior to November 2015 may wish to take steps to monitor their credit and bank statements. Individuals can protect themselves from incidents of identity theft or fraud by reviewing their account statements and monitoring their credit.

Any suspicion of identity theft or fraud may be reported to local law enforcement or the Consumer Protection Bureau at the New Hampshire Department of Justice (1-888-468-4454 or (603) 271-3641).

DHHS is making available a toll-free telephone number that affected individuals may call with questions about this incident. The toll-free number is 1-888-901-4999.

DHHS is also posting notice and additional information regarding this incident on their website,

“Safeguarding the personal, financial and medical information of DHHS clients is one of this department’s highest priorities. DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure,” Meyers said.