State officials are working to strengthen the security of the state’s computer network, after a data breach last year leaked the confidential information of thousands of New Hampshire Department of Health and Human Services clients.
A former patient at New Hampshire’s state psychiatric hospital used a computer in the hospital library to access information of about 15,000 individuals who received department services, according to a DHHS statement.
While on the state’s network, the patient accessed confidential information including names, addresses, Social Security numbers and Medicaid ID numbers and posted the information on social media sites.
When it comes to cybersecurity on the state’s computer network, an incident like this is rare, said Denis Goulet, commissioner of the New Hampshire Department of Information Technology.
“This is the first instance I’m aware we’ve had trouble with it,” Goulet said. “From what I understand, we really haven’t had a history of data breaches in the state of New Hampshire.”
More common are threats coming from outside entities. State and federal governments are generally top targets for viruses and malware.
“We’re continuously being probed and poked, attempts being made to penetrate our network from outside entities,” Goulet said.
What happened in this case – a person getting access to confidential state information on a state computer – is much rarer, but is also on Goulet’s radar.
The state provides some computers for public use in places like the New Hampshire Hospital library, which Goulet calls “a big risk-management exercise.”
He said the state has to carefully weigh the need to supply computer services to the public against the risk that creates.
“That’s something we work on every single day,” he said. “In general, we’re very cautious about providing access to the state network. In general, it’s not easy at all” to log on.
Some of those security measures include complex, regularly changing passwords and two-factor authentication.
Goulet said he could not share any information about how the New Hampshire Hospital patient was able to access the state’s network, due to an ongoing criminal investigation.
“The person was someone who was interested in that topic, but other than that I don’t know what the skill level was,” he said.
The incident occurred in October 2015 and Goulet’s department took steps to restrict accessibility on the library computers. Still, state officials were not notified until August 2016.
At that time, officials were told the patient may have posted information online, but an investigation did not suggest that any of it included confidential information like names, birth dates or Social Security numbers.
However, on Nov. 4, New Hampshire Hospital security notified state officials that the patient had indeed posted confidential information.
State Department of Health and Human Services Commissioner Jeffrey Meyers said the incident points to the need to further protect the state network.
“We’re talking about computers that are connected to a network by DOIT (Department of Information Technology), not by HHS,” Meyers said. “This issue involves not just the Department of Health and Human Services, it raises the issue of the security of all state information. There’s a whole host of agencies that collect and maintain data.”
Meyers said the patient posted screenshots of the confidential information, so while 15,000 people are affected by the leak, the information does not include the names, addresses, Social Security and Medicaid information for all 15,000.
“It’s only a small amount of information that was posted,” Meyers said. “That obviously triggered concern as to what had been accessed.”
Meyers said he is working with the IT department to make sure network security for his branch is strengthened.
On Wednesday, Gov. Maggie Hassan called the situation “very serious” and said a cybersecurity specialist will do a full audit of the Department of Health and Human Services “to determine whether there are other weak spots or other improvements we should take.”
Asked whether she was concerned that a similar breach could happen on another state computer, Hassan said state officials are “certainly taking steps to make sure that isn’t the case.”
Goulet said whenever an incident or breach happens, it’s a learning experience in how security can be improved.
He said he’ll be focusing on tightening policies and training on what a potential breach is and how it can be managed internally.
“Every time there’s a successful attempt of any sort, we typically learn something from that so we can tweak the network to make it a little bit safer,” Goulet said. “This is no exception.”
(Ella Nilsen can be reached at 369-3322, firstname.lastname@example.org or on Twitter