15,000 patients in the New Hampshire Department of Health and Human Services (DHHS) had their personal information stolen. The breach compromised PII including their names and Social Security numbers which were shared on social media.

The investigation concluded that a former psychiatric patient was able to carry out a breach via an open computer in the hospital library.

The breach occurred in October 2015 but was not discovered until November 2016. DHHS made the following statement: In October, “[the] individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library. The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.”

When that person went on to post non-personal information on social media, it drew the attention of the New Hampshire Department of Information Technology, the State Police and other state officials.

On November 4th, the same person again posted to social media: “On November 4, 2016, DHHS was informed by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed.”

“A criminal investigation is ongoing,” the department said. “DHHS and the New Hampshire Department of Information Technology (DoIT) have eliminated the source of the breach and the information can no longer be accessed by unauthorized individuals at New Hampshire Hospital.”

The statement went on to say: “Safeguarding the personal, financial and medical information of DHHS clients is one of this Department’s highest priorities. DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure.”

Source: Info Security