A recent New Hampshire Hospital data breach has resulted in the disclosure of the protected health information (PHI) of 15,000 patients. The breach at the Department of Health and Human Services (DHHS) psychiatric hospital occurred in October last year. The person responsible was identified at the time, but the incident was not deemed to be severe and the breach went unreported.
In October 2015, a patient of New Hampshire Hospital used a hospital library computer to access non-confidential files. A staff member noticed that the patient had accessed information that shouldn’t have been accessible and the incident was reported to a supervisor. However, the matter was not reported to hospital officials, although action was taken to restrict access to library computers.
10 months later in August this year, a hospital security official brought the incident to the attention of the DHHS after it was discovered that the patient may have gained access to sensitive patient data and potentially posted PHI on a social media website. The DHHS investigated the incident – and reported it to the Department of Information Technology, law enforcement, and state officials – but the investigation did not uncover any evidence to suggest that confidential patient information had been breached.
Three months later on November 4, 2016, a hospital security official confirmed that the protected health information of patients had in fact been breached and information had been downloaded and posted online. Rapid action was taken by the DHHS and the posted material was taken down within 24 hours. The information posted to the social media website included patients’ names, Social Security numbers, and Medicaid numbers.
NH-DHHS Commissioner Jeffrey A. Meyers confirmed that the incident did involve PHI, but said this was “an isolated incident stemming from unauthorized access in October 2015… not the result of an external attack.”
The investigation into the New Hampshire Hospital data breach is ongoing, but it has now been confirmed that the breach was the result of human error, not a failure of the security systems in place at the hospital.
Denis Goulet, Commissioner of the Department of Information Technology, said yesterday that the breach occurred as a result of a misconfigured file server. The computers in the library – and all computers that are used by non-state employees – typically do not have access to networks that contain sensitive data. However, there are instances when access to the state network is required on those computers. Goulet said, “[At times] business requirements dictate that we would have such a PC on the network.”
Librarians are required to have network access; however, patients that use computers in the hospital library are normally prevented from accessing sensitive data. State employees and patients are required to log on to the computers, but their privileges are naturally different. Unfortunately, a change to the configuration of the network resulted in access to sensitive information being possible.
“At some point in the past, and I phrase it that way because we haven’t figured out the details of when the change was made, the file server that the breached information resided on had a subtle configuration change that allowed someone who was inquisitive to find this information,” said Goulet. The technical investigation of the New Hampshire Hospital data breach is continuing.
To prevent future incidents, shared computers will be audited more closely, policies and documentation on use of the computers have been updated to reduce the risk of human error, and the use of shared PCs has been limited. However, questions are being asked about how it took 13 months to confirm that PHI had been accessed.
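The mechanism described above, a file server whose permissions drifted so that an account used on a shared PC could read patient records, is the kind of change a routine permission audit catches. The following is an added illustration, not code from the article or from the New Hampshire DHHS; it assumes a simple export of share permission entries (share, principal, rights) and uses constructed share and group names. It flags entries on sensitive shares that grant access to broad principals or to principals outside an approved list, and diffs the current entries against a known-good baseline so that a "subtle configuration change" shows up with the date of the audit that first saw it.

```python
"""Audit file-share permission entries for drift on sensitive shares.

Added example; all share names, group names and ACL entries below are
constructed for illustration and do not describe any real environment.
"""
from dataclasses import dataclass

# Principals that effectively mean "anyone who can log on", including the
# accounts used on shared or kiosk PCs (hypothetical names).
BROAD_PRINCIPALS = {
    "Everyone",
    "Authenticated Users",
    "Domain Users",
    "Library Kiosk Users",
}


@dataclass(frozen=True, order=True)
class AclEntry:
    share: str       # share path, e.g. "FS01/PatientRecords" (constructed)
    principal: str   # user or group granted access
    rights: str      # "Read", "Change" or "Full"


def audit_sensitive_shares(entries, sensitive_shares, allowed_principals):
    """Return sorted (share, principal, rights, reason) findings.

    Only shares in `sensitive_shares` are examined. An entry is reported if
    the principal is a broad group, or if it is not on the approved list
    for that share. Non-sensitive shares (e.g. the library share) are skipped.
    """
    findings = []
    for e in entries:
        if e.share not in sensitive_shares:
            continue
        if e.principal in BROAD_PRINCIPALS:
            findings.append((e.share, e.principal, e.rights,
                             "broad principal on sensitive share"))
        elif e.principal not in allowed_principals.get(e.share, set()):
            findings.append((e.share, e.principal, e.rights,
                             "principal not in approved list"))
    return sorted(findings)


def diff_against_baseline(baseline, current):
    """Return (added, removed) entry lists relative to an approved baseline.

    Running this on every audit pins down when a permission change first
    appeared, which the investigation described in the article could not do.
    """
    base, cur = set(baseline), set(current)
    return sorted(cur - base), sorted(base - cur)


# Constructed sample data. The baseline is the approved state; the current
# export contains two entries that were never approved.
SENSITIVE_SHARES = {"FS01/PatientRecords"}
ALLOWED = {"FS01/PatientRecords": {"Clinical-Staff", "Medical-Records"}}

BASELINE = [
    AclEntry("FS01/PatientRecords", "Clinical-Staff", "Change"),
    AclEntry("FS01/PatientRecords", "Medical-Records", "Full"),
    AclEntry("FS01/Library", "Library Kiosk Users", "Read"),
]
CURRENT = BASELINE + [
    AclEntry("FS01/PatientRecords", "Domain Users", "Read"),   # drift
    AclEntry("FS01/PatientRecords", "Helpdesk", "Read"),       # drift
]

if __name__ == "__main__":
    for f in audit_sensitive_shares(CURRENT, SENSITIVE_SHARES, ALLOWED):
        print("FINDING:", f)
    added, removed = diff_against_baseline(BASELINE, CURRENT)
    print("added since baseline:", added)
    print("removed since baseline:", removed)
```

The approved list per share and the baseline export are the two artefacts worth keeping under change control: the first says who should have access, the second says what the server actually granted the last time it was checked, and any difference between consecutive audits is a change that either has a ticket behind it or needs an investigation.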