CONCORD, N.H. (AP) – The state Department of Health and Human Services mistakenly released personal information on about 9,300 Medicare Part D recipients to its service providers two weeks ago and is now notifying those affected.

In letters to clients and providers obtained Wednesday by The Associated Press, the department said it is taking steps to make sure no information is used illegally. But it urged the people affected to initiate credit fraud alerts or freezes on their accounts.

Associate Commissioner Nancy Rollins said 9,300 clients are affected by the breach, the first at the department. The department said 18,000 New Hampshire residents are covered by Medicare Part D, but only those receiving a letter were affected by the breach.

Gov. John Lynch assured the public that the department is taking steps to ensure a breach does not happen again.

“Though the department’s release of this information was accidental, it simply should not have occurred. The department assures me they doing everything they can to assist citizens whose information was compromised, and that they have undertaken a review of their procedures to ensure this does not happen again,” Lynch said.

Their information was mistakenly attached to a Dec. 1 e-mail to 61 providers and health-related organizations, such as nursing homes and home health care agencies. The e-mail described changes to Medicare Part D plans, which help people buy prescription drugs.

The attached document contained names, addresses, Medicare Part D plan information, Social Security numbers and the amount of each person’s monthly premiums.

The department said it discovered the breach on Dec. 4 and began contacting those who got the e-mail to ask them to delete the information. It sent a letter on Monday to residents whose information was in the document.

“We have received confirmation from most of the recipients of the information that your personal information has been deleted. Our efforts are ongoing. We have no evidence that the information has been misused or distributed further,” Rollins said in the letter.

The letter has contact information for TransUnion, Equifax and Experian – the three major credit reporting companies.

Rollins urged clients to pay close attention to insurance claim notices to be sure the services listed match those the clients received.

“Finally, no representative of DHHS will contact you to request personal information related to this incident. If anyone makes such an attempt, please do not divulge any information,” Rollins said.

Anyone contacted should call (800) 852-3345 extension 8838 to report the incident, she said. People outside the state should call (603) 271-8838.

Rollins said 12 phone lines were opened Monday, but few people called. By the end of Tuesday, 177 people had called, mostly with questions about whether their Social Security benefits were affected. Rollins said many don’t have credit or debit cards, but do have bank accounts that should be monitored.

Rollins defended the delay in notifying clients and the media.

“The decision was to work with our providers. It had not gone out in any kind of public document,” she said.

Once that was done, the department drafted a letter to clients, she said.

“We will be undergoing a thorough review of what led to this incident and DHHS will put measures in place to ensure it does not occur again,” Rollins said in the letter to clients.


Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.