
NH Healthcare Cybersecurity: Response to 2015 Hack

by John DiGiacomo

Partner

Data Breach

In New Hampshire, state officials are working to update and strengthen the state’s computer systems after a 2015 cybersecurity breach involving the New Hampshire Department of Health and Human Services (DHHS), which issued a press release about the incident. According to the Concord Monitor, the 2015 attack on the DHHS exposed the confidential personal information of approximately 15,000 patients who had received services from the department. Patient names, addresses, Social Security numbers, and Medicaid numbers were posted to social media sites.

Former Psychiatric Patient Perpetrates Breach

The breach of New Hampshire’s DHHS patient data was carried out not by an anonymous outside attacker over the internet but by a former patient of the state psychiatric hospital, using a public computer station in the hospital library. The state customarily provides some government computers for public use at locations such as state-run hospital libraries, but a breach through one of them was unprecedented. From the library terminal the former patient gained access to the state’s network, amassed confidential patient data, and posted it to social media. This kind of attack, in which the state’s own public-access hardware becomes the entry point into the state network, is rare, and the DHHS incident is likely the first of its kind in New Hampshire.

Gaining access to the state’s network from the library computer was not as easy as it may sound. The state employs a number of breach-prevention controls, including two-factor authentication and mandatory periodic password changes, and the former patient had to get past those from the library terminal. Few details have been released because of an ongoing criminal investigation, but officials made clear that the former patient had an interest in hacking.

DHHS Sending Out Data Breach Notifications

The DHHS is preparing and sending data breach notifications, in compliance with state and federal law, to the patients affected by the hack. At present the DHHS has no reason to believe that the exposed personal information has been misused, but there is clear evidence that it was exposed. None of the disclosed information was credit card or banking information. The New Hampshire Department of Justice Office of the Attorney General tracks reported data security breaches on a publicly accessible website.

Speak With a Data Breach Lawyer

We have written previously about healthcare cybersecurity. Healthcare organizations are reported to be about 4.5 times more likely than organizations in other sectors to suffer a data breach. Organizations should worry less about whether they will be hacked than about having a plan in place for when they are.

We have helped businesses of all sizes, government entities, and institutions deal with the aftermath of a patient privacy breach. We provide thoughtful and knowledgeable counsel to help you fulfill your breach notification obligations under the law in any of the 50 states. Since some states impose civil fines for failing to notify affected individuals expeditiously, it is important to act quickly to comply with the breach notification laws that apply to your particular situation. You need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.

New Hampshire’s Data Breach Notification Law: What the DHHS Was Required to Do

New Hampshire’s breach notification statute, RSA 359-C:19 through 359-C:21, applies to any person or entity that owns or licenses computerized personal information about New Hampshire residents. A security breach under the statute is the unauthorized acquisition of unencrypted computerized data that compromises the security or confidentiality of personal information. On becoming aware of a breach, the entity must promptly determine whether the information has been or is reasonably likely to be misused, and must notify affected residents as soon as possible if misuse has occurred, is reasonably likely, or cannot be ruled out. “Personal information” under the statute means an individual’s first name or first initial and last name in combination with any of the following: Social Security number; driver’s license number or other government identification number; or an account, credit card, or debit card number together with any security code, access code, or password that would permit access to the account. Medical and health insurance information is not itself a listed data element in the New Hampshire definition, but the 2015 DHHS breach exposed names together with Social Security numbers, so it clearly involved personal information under the statute.

New Hampshire’s law also requires notice to the Attorney General’s office (or, for businesses subject to a primary regulator, to that regulator) whenever residents must be notified, and notice to consumer reporting agencies when more than 1,000 residents must be notified. With approximately 15,000 patients affected, the DHHS had both of these obligations in addition to its direct obligations to patients. The AG’s office maintains a publicly accessible archive of reported breaches, which serves as a deterrent, a public accountability mechanism, and a resource for researchers and advocates tracking breach trends in the state.

HIPAA Obligations for Healthcare Entities

Because the DHHS breach involved protected health information (PHI), specifically the names, addresses, Social Security numbers, and Medicaid numbers of individuals who received health services, it also triggered obligations under the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. HIPAA requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach, to notify the Secretary of Health and Human Services, and, when the breach affects 500 or more residents of a state, to provide notice to prominent media outlets in that state. For a breach affecting 15,000 New Hampshire patients, all three notification prongs applied.

HIPAA notifications must include a description of what happened and the date of the breach and discovery, a description of the types of information involved, steps affected individuals should take to protect themselves, a description of what the covered entity is doing to investigate, mitigate, and prevent future breaches, and contact information for affected individuals to ask questions. Drafting compliant HIPAA notifications — particularly for a breach of this magnitude — requires careful attention to both the regulatory requirements and the risk that an insufficiently informative notice will draw greater regulatory scrutiny.

Insider Threat: A Persistent and Underappreciated Risk

The NH DHHS breach illustrates one of the most challenging categories of cybersecurity risk: the insider threat. While most public discourse about data breaches focuses on external hackers and nation-state actors, a substantial share of healthcare data breaches involve insiders in the broad sense: current or former employees, contractors, and, as here, patients or visitors who have physical access to the organization’s premises and equipment even without credentials of their own. The Verizon Data Breach Investigations Report has repeatedly found insiders responsible for a significant share of healthcare breaches, a reflection of how many people interact with healthcare systems in roles that require access to patient data.

Defending against insider threats requires a different set of controls than defending against external attacks. Network segmentation, so that no single compromised device or account can reach the entire network, is critical. Role-based access controls that limit each user to the data needed for their specific function cap the damage any one insider can do. Monitoring for anomalous access patterns, such as a public library workstation reaching patient-record systems at all, or a single account reading records from several departments or in unusual volume, can give early warning before large-scale exfiltration occurs. That monitoring only works if audit logs record the source workstation as well as the account, so that activity originating from a public terminal stands out.

Lessons for Healthcare Organizations and Government Agencies

The NH DHHS breach, unusual as it was in method, holds lessons for every healthcare organization and government agency that keeps sensitive patient or citizen data. Public-access workstations on a network that also carries sensitive data create an inherent tension between the agency’s service mission and its data-security obligations. Network architects should put public terminals on fully isolated segments with no route to systems holding personal information, and should verify that isolation rather than assume it. Two-factor authentication is a necessary baseline, not a complete solution: an attacker who has physical access to an already-authenticated terminal, or who social-engineers a way past the authentication step, is not stopped by a second factor.
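The two controls this post keeps returning to, isolating public terminals from systems that hold personal information and watching audit logs for access that does not fit a user's role, can both be checked from the same application audit trail. The script below is an added example written for this page; it is not code from the original article, from NH DHHS, or from any product. The log format, the subnets and system addresses, the thresholds, and every sample log line are constructed for illustration. It serves both the monitoring paragraph in the insider-threat section and the segmentation point above: the first check treats any request from the public-kiosk zone to a patient-data system as proof that the segment is not actually isolated, and the second flags an account or workstation that reads across departments or in bulk.

```python
"""Two audit-log checks for the controls discussed above (added example).

Segmentation: a request from the public-kiosk zone to a system holding
patient data should be impossible; if one appears in the logs, the segment
is not isolated. Anomalous access: one account or workstation reading
records across several departments, or in bulk, is an early sign of
collection. Subnets, addresses, thresholds and log lines are constructed.
"""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed zone map; in production this comes from IPAM / firewall policy.
ZONES = {
    "public_kiosk": [ipaddress.ip_network("10.50.0.0/24")],
    "clinical": [ipaddress.ip_network("10.20.0.0/16")],
}
# Constructed addresses of systems holding personal information.
PHI_SYSTEMS = {"10.20.5.10", "10.20.5.11"}
# Constructed thresholds; tune against the organization's own baseline.
MAX_DEPARTMENTS_PER_ACTOR = 1
MAX_RECORDS_PER_ACTOR = 50

# One parsed audit record (field names are this example's, not a real schema).
AccessEvent = namedtuple("AccessEvent", "ts src_ip dst_ip user department record_id")


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmapped addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def parse_log(text: str) -> list:
    """Parse constructed audit lines:
    <timestamp> <src_ip> <dst_ip> <user> <department> <record_id>
    Malformed lines are skipped so one bad line cannot blind the detector."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            events.append(AccessEvent(*parts))
    return events


def segmentation_violations(events):
    """Every kiosk-zone request to a PHI system is a violation: the control
    under test is 'no pathway', so a single observed flow is enough."""
    return [e for e in events
            if zone_of(e.src_ip) == "public_kiosk" and e.dst_ip in PHI_SYSTEMS]


def anomalous_actors(events):
    """Group by (user, workstation); flag actors that touch more departments
    or more distinct records than the thresholds allow. -> {actor: reason}"""
    depts, records = defaultdict(set), defaultdict(set)
    for e in events:
        depts[(e.user, e.src_ip)].add(e.department)
        records[(e.user, e.src_ip)].add(e.record_id)
    flagged = {}
    for actor in depts:
        reasons = []
        if len(depts[actor]) > MAX_DEPARTMENTS_PER_ACTOR:
            reasons.append(f"{len(depts[actor])} departments")
        if len(records[actor]) > MAX_RECORDS_PER_ACTOR:
            reasons.append(f"{len(records[actor])} records")
        if reasons:
            flagged[actor] = ", ".join(reasons)
    return flagged


# Constructed sample: a clinician working normally, a kiosk reaching two PHI
# systems, a clinical account browsing across departments, one unparseable
# line, and a 60-record bulk pull by a billing account.
SAMPLE_LOG = """\
2015-09-14T13:02:11 10.20.7.42 10.20.5.11 jsmith Psychiatry rec-1001
2015-09-14T13:02:40 10.20.7.42 10.20.5.11 jsmith Psychiatry rec-1002
2015-09-14T13:05:03 10.50.0.17 10.20.5.10 guest Medicaid rec-3001
2015-09-14T13:05:09 10.50.0.17 10.20.5.11 guest Psychiatry rec-2001
2015-09-14T13:06:00 10.20.8.5 10.20.5.11 aroy Pediatrics rec-4001
2015-09-14T13:06:30 10.20.8.5 10.20.5.11 aroy Oncology rec-5001
malformed line
""" + "\n".join(
    f"2015-09-14T14:00:{n:02d} 10.20.9.8 10.20.5.11 rcollins Billing rec-{6000 + n}"
    for n in range(60)
)

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in segmentation_violations(evts):
        print(f"SEGMENTATION VIOLATION: {e.src_ip} ({zone_of(e.src_ip)}) -> {e.dst_ip} as {e.user}")
    for (user, host), reason in anomalous_actors(evts).items():
        print(f"ANOMALOUS ACCESS: {user}@{host}: {reason}")
```

Run against the constructed sample, the segmentation check reports the two kiosk requests, and the anomaly check flags the kiosk account and the clinical account for touching two departments and the billing account for pulling 60 records, while the clinician reading two records in one department is left alone. The point of keying on (user, workstation) rather than on the account alone is that a shared or guest account on a public terminal looks unremarkable by username; the source host is what makes it stand out.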

Organizations that have experienced a breach — or that are concerned about their vulnerability to insider threats — should consult with experienced healthcare cybersecurity counsel. Revision Legal advises healthcare providers, health systems, and government agencies on HIPAA compliance, breach response, and the development of data security programs capable of defending against both external and internal threats. Contact us using the form on this page or call us at 855-473-8474.
