1. Home
  2. States
  3. New Hampshire

New Hampshire

Data breaches happen when unauthorized persons access confidential information in computer systems in unsecured environments. New Hampshire has been experiencing a growing number of health data breaches over the past five years. Between 2020 and 2023, a data breach in New Hampshire-based healthcare clearinghouse Inmediata exposed the personal information of 1.5 million consumers. It divulged protected patient data to strangers conducting online searches from any location in the US. The US healthcare sector has witnessed a 256% increase in hacking-related data breaches over the past five years. The average cost of these data breaches increased from $10.1 million in 2022 to $10.9 million in 2023. Most large-scale healthcare-related data breaches target confidential patient information and use it for financial fraud or identity theft.

Identity Theft Statistics

Identity Theft
Reports
30TH
State Rank (Reports per 100K Population)
1,302
Identity Theft Reports
Fraud & Other
Reports
20TH
State Rank (Reports per 100K Population)
8,447
Total Fraud & Other Reports
Fraud
Losses
$5.1M
Total Fraud Losses
$260
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
24%
Identity Theft
13%
Online Shopping and Negative Reviews
7%
Telephone and Mobile Services
7%
Banks and Lenders
5%
Auto Related
5%
Prizes, Sweepstakes and Lotteries
4%
Debt Collection
4%
Internet Services
3%
Credit Bureaus, Iformation Furnishers and Report Users
3%

Top Identity Theft Types

35%
787
Credit Card Fraud
21%
471
Bank Fraud
15%
348
Other Identity Theft
10%
222
Loan or Lease Fraud
10%
222
Phone or Utilities Fraud
6%
141
Employment or Tax-Related Fraud
3%
72
Government Documents or Benefits Fraud

New Hampshire's Recent Biggest Data Breaches

2023
December

Hinsdale School District Cyber Attack

The Hinsdale School District experienced a cyber attack that adversely affected its computing network in December 2023. Hackers targeted the school's laptops and computers with a ransomware attack on December 11. That affected the learning operations of the Hinsdale School District's 532 students. Upon discovering the attack, school district officials engaged a specialized cybersecurity response group to recover its affected systems. The team succeeded in restoring the district's office administrative and instructional functions. School district officials have since implemented stronger security measures to prevent the possibility of similar attacks in the future.

2023
March

Point32Health Data Breach

Point32Health, Massachusetts' second-largest insurer, suffered a cyber attack in March 2023. The institution, which has more than 2.5 million clients, experienced a ransomware attack when one of its components was targeted by hackers. The Harvard Pilgrim Health Care was infiltrated on March 28, 2023. The hackers retained control of the system until forensic investigators detected the intrusion. They blocked it on April 2023. The data breach enabled the hackers to access Point32Health's clients' Social Security numbers, physical addresses, taxpayer ID numbers, health insurance account information, and birth dates. The institution has since been subjected to multiple class action lawsuits. Its executives notified law enforcement officials and clients of the data breach and engaged third-party experts to investigate. Point32Health has offered affected clients identity theft protection and credit monitoring services at no cost for 24 months. The institution has also implemented better security measures to prevent similar attacks in the future.

2023

Dartmouth Health Cheshire Medical Center Data Breach

The Dartmouth Health Cheshire Medical Center experienced a cyber attack from the KillNet hacktivist group in 2023. KillNet uses hacking techniques to advertise political ideologies and agendas. KillNet promotes Russian geopolitical ideologies and directs DDoS attacks to government institutions indirectly or directly promoting Ukraine's war efforts. The DDoS attack slowed down the functioning of Dartmouth Health Cheshire Medical Center's information portals and websites. The cyber attack also delayed connection requests and caused a service outage that lasted a few hours. The Dartmouth Health Cheshire Medical Center has since engaged security experts to strengthen its security system and prevent similar attacks in the future.

2022
March

NuLife Med Data Breach

NuLife Med, a New Hampshire-based medical device manufacturer, experienced a cyber attack in 2022. Between March 9 and 11, unauthorized parties accessed the institution's computer system and viewed personal information belonging to NuLife Med's clients. The institution's personnel revealed that the data breach exposed the driver's license information, Social Security numbers, and health insurance information of 81,244 clients. Its executives emphasized they took immediate steps to deal with the security breach. NuLife Med's personnel also disclosed that subsequent investigations into the incident showed no evidence of fraud resulting from the hacking incident. The institution has since strengthened its security and computer systems to prevent similar incidents in the future.

2021

Peterborough Town Computer Hack

In 2021, Peterborough Town in New Hampshire was hacked and robbed of $2.3 million. The hackers posed as officials affiliated with Beck & Belluci contractors and the ConVal School District. They approached Peterborough Town municipal officials seeking vendor payments for services provided by Beck & Belluci contractors and the ConVal School District. The unsuspecting town workers sent invoices to the hackers' accounts. Once they discovered their mistake, the town officials engaged the Public Risk Management Exchange (PRIMEX). The town was awarded $125,000 coverage, and the US Secret Service assisted with the recovery of more than $603,000, which was sent to Beck & Bellucci. Peterborough has since been able to pay all balance due to Beck & Bellucci and ConVal.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

N.H. Rev. Stat. §§ 359-C:19 explains the actions business organizations or owners should take when data breaches compromise personal information. This Statute applies to any organization, partnership, entrepreneur, limited liability company, or unincorporated association that operates in New Hampshire and licenses computerized data. The type of personal information that is legally protected in New Hampshire includes financial account codes, passwords, and numbers, Social Security numbers, debit and credit card numbers, and government identification documents like driver's license numbers. Under this Statute, business entities must notify clients of data breaches whenever unauthorized persons access their personal data. Additionally, business entities must inform the New Hampshire attorney general's office when such data breaches occur. Business organizations may delay informing their clients about data breaches that affect their personal information if this action will jeopardize ongoing criminal investigations. Entities should inform affected persons about data breaches using established communication methods including email notice, telephone, or written notice. State laws allow entities to issue substitute notices when more than 1,000 persons are affected by the data breach or the cost of notification surpasses $5,000. N.H. Rev. Stat. §§ 359-C:19 stipulates that data breach notices must include the business organization's phone number and the kind of personal data that has been exposed. The notice should also explain how it happened. All notices informing consumer reporting agencies about data breaches should include the date when notifications were sent and the number of customers that received them.

Laws

  • N.H. Rev. Stat. §§ 359-C:19, passed in 2007 in New Hampshire, is a privacy law that discusses data breach notification policies within the State. It stipulates the regulations business owners and organizations in New Hampshire must follow when they experience cyber-attacks that cause data breaches. This Statute empowers New Hampshire's attorney general to penalize business entities that do not adhere to regulations pertaining to data breaches within the State.
  • The New Hampshire Consumer Protection Act provides New Hampshire residents with rights related to their personal data. Under this Law, business entities have a duty to protect the accessibility, integrity, and confidentiality of personal data like health information, financial account numbers, codes, passwords, and Social Security numbers.

Resources