New Hampshire Health Agency reports data breach

by Sonia Qin | 1/5/17 2:50am

The New Hampshire Department of Health and Human Services announced on Dec. 27 that it has been a victim of a data breach that commenced in Oct. 2015. DHHS is the state’s largest agency and covers welfare benefits, Medicaid, child protective services and other services.

This data breach resulted in 15,000 personal records of DHHS clients being posted on Facebook, including names, addresses, Social Security numbers and Medicaid identification numbers. The sensitive information was removed within 24 hours after the initial post with the help of the New Hampshire Department of Information Technology and can no longer be accessed by unauthorized users.

According to officials, the information was accessed on Oct. 10, 2015, by a New Hampshire Hospital psychiatric patient who was using a public computer in the hospital’s library.

Investigators learned that computers in the hospital library were not locked out of the state network, thus allowing the hacker to access confidential personal information and internal documents.

“In the course of investigation, we learned that this individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library,” DHHS Commissioner Jeffrey Meyers said in a press release. “The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.”

In July 2016, the now-former patient posted DHHS training information on Facebook, information that he only could have gotten by accessing the department’s private network. This past August, the hacker sent a message to a hospital security officer saying that he had taken an “archive” of documents from the DHHS server.

On Nov. 4, four days before the Nov. 8 presidential election, the patient posted confidential, personal information on a Facebook account. This included several hundred documents and pictures, state hospital campus police confirmed.

State officials said that their month-long investigation included locating the target suspect, determining which patients’ records had been hacked and confirming that no victims had yet suffered financial losses.

Meyers announced the data breach and apologized to victims 53 days after the social media posting. Federal law requires public notice within 60 days.

The office of New Hampshire Gov. Maggie Hassan also released a statement on Dec. 27 stating that the data breach was recently discovered by the state and is being treated with “the utmost seriousness by all relevant state agencies.” The statement added that the breach “highlights the importance of continuing to strengthen the state’s cyber security efforts to protect personal data from both hackers and human error.”

As of Dec. 29, state prosecutors have confirmed that the individual responsible for the data breach has not been arrested and is not being identified because of privacy concerns and to preserve the ongoing investigation’s integrity.

“All available information indicates that this was an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack,” Meyers said in a statement.

Gary Miliefsky, chief executive officer of cybersecurity firm SnoopWall, Inc., said that access control and encryption are essential to preventing data breaches. If encryption had been in place with proper security and management protocols, the breach would not have occurred, Miliefsky said.

“There are so many breaches happening because people are not thinking of how to be proactive, but they’re being reactive,” he said. “Over 95 percent of breaches happen behind firewalls.”

He added that in this particular incident, the patient who was using the public computer in the library could access the information because there was no access control to separate personally identifying information from publicly accessible information.

Miliefsky said that the state should be more proactive about cyber security and focus on “breach prevention, not breach remediation,” especially since cybercrime has been on the rise in recent years.

He also said that people should take more precautions to protect themselves since cybercrime is becoming much easier to commit.

This data breach is small compared to others that have been seen recently, but the right thing for the state government to do is to assume that it is bigger than it was, Miliefsky said.

He added that there was enough information contained in the records to be damaging and that the hacker could have sold the records on the black market had he wanted to.

Safety and Security director Harry Kinne said that there have been no reports of anyone being affected by this data breach on the College campus.

Lieutenant Scott Rathburn from the Hanover Police Department said that Hanover Police were not notified in advance of the breach but learned about it through the press release. He added that he is not aware of any residents in Hanover being affected by the breach.

“If somebody thinks that their information has been leaked, keep an eye on your credit reports and make sure you know where your accounts are,” Rathburn said.