CONCORD, N.H. (AP) - New Hampshire’s top information security official says a data breach that led to personal information of up to 15,000 people being posted online required “average computer skills” and was not the result of sophisticated hacking.
Department of Information Technology Commissioner Denis Goulet on Thursday provided new information about the data breach, first announced by state officials Tuesday. Officials said a former psychiatric patient at the state-run New Hampshire Hospital accessed the confidential data last year using a computer in the hospital library and posted the information to social media last month. The postings included Social Security numbers and names and was removed within 24 hours.
A criminal investigation is underway.
Goulet said it appears the patient was able to access the data due to an accidental computer configuration. The library computer in question had been granted limited access to the state network, Goulet said. It now appears a “subtle configuration change” made by someone else unintentionally made it possible for the patient to access the data file, he said.
Goulet said it required only “average computer skills and a good dose of inquisitiveness” for the patient to obtain the files. The state’s IT department is looking into the specific change on the breached computer and reviewing file access permission across state government.
The Department of Health and Human Services has retained cybersecurity experts from Deloitte to assist in its investigation of the breach and develop an action plan to avoid future incidents, spokesman Jake Leon said.
Please read our comment policy before commenting.