Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online
New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.
The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.
At the time of the breach, a staff member observed the patient accessing ‘non-confidential’ hospital data. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data were accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither the New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) was informed.
However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”
Three months later, on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says patients impacted by the breach had received services at New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.
NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”
He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.