HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.

The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.

At the time of the breach the patient was observed accessing ‘non-confidential’ hospital data by a staff member. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data were accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither the New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) were informed.

However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Three months later on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says patients impacted by the breach had received services New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.

NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”

He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.