When the Littleton Regional Hospital received a complaint from a patient on March 25, they initiated an investigative audit that revealed that the patient’s information had been improperly accessed by a former employee on three separate occasions going back to October 2008. The breach was then promptly reported (pdf) to the patient on March 27 and then to the to the New Hampshire Attorney General’s Office on April 13.
This is one of those small breaches that do not involve financial information but could be very distressing to the victim. So the question becomes: if Littleton’s security and privacy protections were inadequate to prevent such snooping, what are they going to do differently going forward? There was no indication in the notification.