The New Hampshire Department of Health and Human Services (DHHS) recently announced that personal information belonging to as many as 15,000 DHHS clients was posted to a social media site over a year ago by a patient at New Hampshire Hospital.
“The personal information was accessed, in October 2015, by an individual who was a patient at New Hampshire Hospital at that time, using a computer that was available for use by patients in the library of the hospital,” DHHS said in a statement. “In the course of investigation, we learned that this individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library.”
The staff member notified a supervisor, who restricted access to library computers — but the incident was never reported to hospital management or to DHHS.
In August of 2016, almost a year later, a hospital security official notified DHHS that the same person may have posted some DHHS information on social media, though an investigation didn’t uncover any evidence that confidential information had been exposed.
Finally, on November 4, 2016, New Hampshire Hospital security notified DHHS that the same individual had in fact posted confidential, personal information to a social media site.
“State officials and law enforcement were immediately informed, and the personal information was removed,” DHHS stated. “As a result of the investigation to date, DHHS has determined that the breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015.”
The information exposed online includes names, addresses, Social Security numbers and Medicaid identification numbers.
William Hinkle, communications director for the office of New Hampshire Governor Maggie Hassan, told the New Hampshire Union Leader that the breach is being treated very seriously. “It highlights the importance of continuing to strengthen the state’s cyber security efforts to protect personal data from both hackers and human error,” he said.
In a recent Nuix survey of corporate information security practitioners, 97 percent of respondents said human behavior is their greatest vulnerability.
In response, security executives are trying to use policies, awareness and training to help people become part of the solution.
“Where this breaks down is that a large proportion of people, even after they’ve had security awareness training, will still put their organizations at risk by opening malicious attachments and visiting suspect websites,” Nuix global head of security intelligence Dr. Jim Kent said in a statement. “While the policies and training are crucial, we need to get better at ‘idiot-proofing’ our technology so that even if people do the wrong thing, the malware doesn’t run or doesn’t achieve its goals.”
Seventy-nine percent of respondents said they had increased spending on data breach detection in the past year, and 72 percent said they plan to do so in the coming year.