Names, addresses, birth dates, phone and Social Security numbers of more than 9,000 Concord (N.H.) Hospital patients were exposed on the Internet for more than a month and the hospital's president said there's no way of knowing whether any were poached by criminals.
The 210-bed hospital sent letters June 8 notifying 9,297 patients and confirmed the breach Saturday to the Concord Monitor. A statement posted Sunday on its Web site said Concord Hospital was working to ensure no future security lapses occur.
Concord Hospital said Verus, an online billing contractor based in Bellevue, Wash., disabled an electronic firewall protecting the information on April 12 to perform maintenance, then inadvertently left if off. Verus notified Concord Hospital of the breach on May 30.
Concord Hospital President and Chief Executive Officer Michael Green said credit card and medical data were not exposed. However the hospital urged patients to take steps to protect themselves against fraud and identity theft because the personal information was accessed eight times.
"We have no way of knowing if anybody would have taken the database and would be trying to use it for any illegal purposes," he said.
Green said the hospital waited a week to notify patients because it wasn't clear how many people were affected until Thursday and wanted to investigate on its own.