
NH Strengthens Healthcare Cybersecurity in Response to 2015 Hack

By John DiGiacomo

In New Hampshire, state officials are diligently working to update and strengthen the state’s computer systems against breaches following a 2015 cybersecurity breach involving the New Hampshire Department of Health and Human Services (DHHS). The DHHS press release regarding the data breach can be found here. According to the Concord Monitor, as a result of the 2015 attack on the DHHS, the confidential personal information of approximately 15,000 patients who had received services from the DHHS was exposed. Patient names, addresses, Social Security numbers, and Medicaid numbers were posted to social media sites on the internet.

Former Psychiatric Patient Perpetrates Breach

The healthcare cybersecurity breach of New Hampshire’s DHHS patient data was perpetrated by a former patient of the psychiatric hospital while using a computer station in the hospital library, rather than by a mysterious outside entity over the internet. While the state customarily provides some government computers for public use at locations such as state-run hospital libraries, the 2015 data breach was unprecedented. The former patient gained access to the state’s network and amassed confidential patient data, which was then posted to the internet via social media channels. This type of hack, i.e., access to a state’s computer network via a state-owned computer, is extremely rare, and the DHHS data breach incident is likely the first one of its kind in the state of New Hampshire.

Gaining access to the state’s network was not as easy as it may sound for the former patient hacker. The former patient had to hack into the state’s computer network from the hospital library computer. The state employs a number of cybersecurity breach prevention techniques, including two-factor authentication and the frequent mandatory changing of user passwords. While few details have been released about the breach because of an ongoing criminal investigation, it was made clear that the former patient had an interest in hacking activities.

DHHS Sending Out Data Breach Notifications

The DHHS is busily preparing and sending out data breach notifications, in compliance with state and federal law, to the patients who were affected by the hack. At present the DHHS has no reason to believe that the personal information of those affected by the data breach has been misused, but there is clear evidence that the personal information was exposed. Additionally, none of the information that was disclosed was credit card or banking information. The New Hampshire Department of Justice Office of the Attorney General tracks instances of data security breaches on a website that is accessible by the public.

Speak With a Data Breach Lawyer

We have written previously about healthcare cybersecurity here and here. Healthcare organizations are 4 1/2 times more likely to suffer from a data breach. Organizations should not be concerned about being hacked, but about having a plan in place for when they are hacked.

We have helped businesses of all sizes and government entities and institutions deal with the aftermath of a patient privacy breach. We provide thoughtful and knowledgeable counsel to help you fulfill your breach notification obligations under the law in any of the 50 states. Since civil fines are available in some states for a failure to expeditiously notify those affected by data breaches, it is important that you act quickly to comply with the required breach notification laws that apply to your particular situation. You need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.
