- A patient at New Hampshire Hospital reportedly hacked into the New Hampshire Department Of Health And Human Services (DHHS), posting information online and creating a potential data breach for 15,000 individuals.
DHHS said in an online statement that it learned on November 4, 2016 that certain internal files had been posted to a social media site. As many as 15,000 DHHS clients who received services from DHHS prior to November 2015 may have had certain information accessed.
The affected data includes names, addresses, Social Security numbers, and Medicaid identification numbers.
The individual who is believed to have posted the information was reportedly a patient at New Hampshire Hospital, and accessed the data through a computer available for patient use in the hospital library. The data was accessed in October 2015, and the individual was “observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library.”
“The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS. In August 2016, a security official at New Hampshire Hospital informed DHHS that the same individual may have posted on social media some DHHS information. That was immediately reported to the Department of Information Technology, the State Police and other state officials.”
DHHS said that there is no evidence that any PHI was misused or that any credit card or banking information was accessed.
Individuals who received DHHS services before November 2015 are encouraged to monitor their credit and banking statements, and are told that they “can protect themselves from incidents of identity theft or fraud by reviewing their account statements and monitoring their credit.”
“Safeguarding the personal, financial and medical information of DHHS clients is one of this Department’s highest priorities,” DHHS stated. “DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure.”
Indiana hospital reports PHI made accessible online
Indiana-based Fairbanks Hospital recently announced on its website that certain current and former patient PHI was made electronically accessible to Fairbanks employees. Some employees who were not meant to have such PHI access were also given the ability, Fairbanks explained.
“The investigation has determined that this issue existed since at least November of 2013, however we are unable to determine whether the issue existed prior to that time,” the hospital said. “We have now corrected this issue so that only the appropriate Fairbanks personnel has electronic access to files containing patient information.”
The OCR data breach reporting tool states that 12,994 individuals may have had their information exposed.
Potentially affected data included names, Social Security numbers, dates of birth, contact information, patient identification numbers, diagnoses, treatment information, health insurance information, and information related to initial admission and appointment scheduling.
The information will also vary by patient, Fairbanks explained, adding that the majority of patients are “only having their name and limited information relating to initial admission and scheduling of appointments impacted.”
The hospital said it is not aware of any actual or attempted misuse of the information. Identity and credit monitoring services are not being offered, but Fairbanks listed steps that individuals can take if they are concerned for the security of their information.
“We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity,” Fairbanks said. “This also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.”
Medical records stolen from vehicle in Ohio
Henry County Health Department (HCHD) in Ohio recently announced on its website that some patient records were stolen from an employee’s vehicle, possibly exposing the information of 574 individuals.
A health department nurse had her home broken into on October 22, 2016, according to HCHD. The nurse’s car was also stolen from her garage, and it contained a bag with an HCHD laptop and paper records that contained medical information.
HCHD added that the nurse was allowed to have the records for her regular duties because she would occasionally visit patients in their homes.
The suspect was apprehended and the car returned, but the laptop and medical records were not found.
“At this time, we do not know what has become of the laptop and records,” HCHD stated. “However, the investigation revealed that the laptop and records were not the targets of the theft, but rather the unintended cargo of the suspect’s car theft.”
The unsecured PHI on the laptop included patient names, dates of birth, Social Security numbers, phone numbers, medical diagnoses and codes, medication lists, and medical insurance information.
“HCHD has increased security with respect to the laptops that we use and how we handle medical records in the field. While all our laptops utilize a password authentication process we have now encrypted all our laptops to prevent access to laptop files in ways that may circumvent the login process. We have also reviewed and updated our processes and procedures for the handling of laptops and medical records necessary for nurse visitation of patients in their homes.”
Potentially affected individuals will also be offered a complimentary one-year membership in a credit/identity theft monitoring service.