The New Hampshire Department of Health and Human Services announced on December 27 that a former New Hampshire State Psychiatric Hospital patient is behind a breach that began on a laptop computer located in the hospital library and affected approximately 15,000 patients, exposing names and addresses along with Medicaid ID numbers and Social Security numbers.
While patients were permitted to use the library and the computers, they should not have been able to access patients’ PHI. At the time of the breach in October 2015, a staff member observed a patient accessing “non-confidential” hospital data and alerted a supervisor. Steps were then taken to restrict access to the library computers, though neither the hospital nor the NH-DHHS were informed of the incident.
In August 2016, a security official at the hospital alerted NH-DHHS that the data may have been posted on a social media website. An investigation into the incident was launched, however, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”
On November 4, 2016, hospital security notified NH-DHHS that the patient had posted some PHI to a social media site that day. Within 24 hours, the PHI was removed from the site and a criminal investigation was launched and continues. The department is notifying those who may have been affected and is recommending that anyone who received services from DHHS before November 2015 take steps to monitor their credit and bank statements.
Could your company be at risk for a similar breach? Can you risk finding out on a social media posting?
A critical part of PrivaPlan’s Security Risk Assessments is the PHI Inventory, which works for both physical PHI and electronic PHI. The inventory process identifies all areas in the facility that PHI is located and how it is used. By performing this assessment and documenting where PHI is located, covered entities can protect their patients’ information from unauthorized breaches described here.
For more information or other services PrivaPlan provides, contact our HIPAA experts at email@example.com or call 877-218-7707.