
New Hampshire Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A detailed timeline of major cybersecurity incidents in New Hampshire, from healthcare breaches to ransomware attacks on school districts and municipal systems, and what businesses can learn from them.

New Hampshire may be one of the smallest states by population, but its unique economic profile creates outsized cybersecurity risk. The state's lack of income and sales taxes has attracted a disproportionate concentration of technology companies, defense contractors like BAE Systems, and advanced manufacturers like DEKA Research. Combined with a major academic medical center in Dartmouth-Hitchcock and a tourism economy that processes millions of payment card transactions annually, New Hampshire organizations manage sensitive data volumes that far exceed what the state's population alone would suggest.

The breach history documented below reveals that New Hampshire faces the same sophisticated threat actors targeting larger states — but often with fewer dedicated cybersecurity resources available to respond. Each incident carries lessons about credential management, vendor risk, and the importance of preparation. Understanding these New Hampshire cyber threats is a necessary starting point for any security program in the Granite State.

Major Cyber Incidents in New Hampshire: A Timeline

2013 — Dartmouth-Hitchcock Medical Center Insider Breach

Dartmouth-Hitchcock Medical Center, the largest healthcare provider in New Hampshire and the anchor of the Dartmouth Health system, disclosed that an employee had improperly accessed patient medical records without authorization over an extended period. The breach affected hundreds of patients and exposed protected health information including diagnoses, treatment records, and demographic data. The incident led to disciplinary action and a review of access controls and audit logging systems across the organization.

2015 — Anthem Inc. Breach (New Hampshire Impact)

The massive 2015 breach of Anthem Inc., one of the largest health insurers in the United States, affected approximately 78.8 million records nationwide, including a significant number of New Hampshire residents covered by Anthem-affiliated plans. The breach, attributed to a Chinese state-sponsored group, compromised names, Social Security numbers, dates of birth, and employment information. New Hampshire joined a multi-state attorney general investigation that ultimately resulted in a $115 million class action settlement, the largest data breach settlement in history at that time.

2018 — City of Portsmouth Phishing Attack

The City of Portsmouth, one of New Hampshire's most prominent coastal municipalities, fell victim to a business email compromise attack in 2018. Attackers impersonated a city vendor and redirected a payment of approximately $156,000 to a fraudulent bank account. The incident was discovered when the legitimate vendor reported nonpayment. Portsmouth subsequently implemented additional verification procedures for payment changes and expanded employee training on social engineering threats.

2019 — Wolfeboro School District Ransomware

The Governor Wentworth Regional School District in Wolfeboro experienced a ransomware attack that encrypted administrative systems and disrupted school operations. The attack forced the district to take its network offline and rebuild systems from backups. While student data was not confirmed to have been exfiltrated, the incident highlighted the vulnerability of New Hampshire's smaller school districts, which typically operate with minimal IT staff and limited cybersecurity budgets.

2020 — Elliot Health System Data Breach

Elliot Health System, a major healthcare provider in southern New Hampshire affiliated with SolutionHealth, disclosed a data breach after discovering unauthorized access to employee email accounts. The compromised accounts contained patient information including names, dates of birth, medical record numbers, and health insurance details. The breach prompted Elliot Health to implement additional email security controls including advanced threat protection and mandatory multi-factor authentication for all remote email access.

2022 — New Hampshire Department of Health and Human Services Data Exposure

The New Hampshire Department of Health and Human Services (DHHS) disclosed that a software vulnerability in a third-party application used for COVID-19 contact tracing had exposed personal information of state residents. The exposure included names, dates of birth, phone numbers, and in some cases health-related data. The incident underscored the supply-chain risks inherent in government technology procurement and led to updated vendor security assessment procedures across state agencies.

2023 — BAE Systems Subcontractor Phishing Campaign

Several small defense subcontractors in the BAE Systems supply chain operating out of southern New Hampshire reported a coordinated phishing campaign targeting employees with access to controlled unclassified information. The attackers used highly targeted spear-phishing emails mimicking BAE Systems procurement communications. While the full scope was not publicly disclosed due to defense sensitivities, the incidents prompted increased attention to CMMC compliance timelines for small manufacturers in the state's defense sector.

New Hampshire's Data Breach Notification Law

New Hampshire's breach notification statute, RSA 359-C:20, requires any person doing business in the state who owns or licenses computerized data containing personal information to notify affected individuals when a security breach is discovered. Notification must be made as quickly as possible, consistent with the needs of law enforcement. Personal information is defined as an individual's first name or initial and last name combined with Social Security numbers, driver's license numbers, or financial account numbers with access credentials.

If a breach affects more than 1,000 New Hampshire residents, the organization must notify the New Hampshire Attorney General's office and all nationwide consumer credit reporting agencies. Notification to the AG must include the anticipated date of notification, the approximate number of affected individuals, and a description of the breach. The Attorney General has enforcement authority and can pursue violations under the state's Consumer Protection Act. For a complete overview of New Hampshire's regulatory requirements, see our New Hampshire compliance and privacy law guide.

Which New Hampshire Industries Are Most Targeted?

Defense and Aerospace

New Hampshire hosts BAE Systems' Electronic Systems division in Nashua, one of the largest defense electronics facilities in the region, along with dozens of smaller defense subcontractors. These organizations handle controlled unclassified information and in some cases classified data, making them persistent targets for nation-state cyber espionage, particularly from Chinese and Russian threat actors. Small manufacturers serving the defense supply chain are especially vulnerable because they often lack dedicated security personnel.

Healthcare

Dartmouth-Hitchcock Medical Center and the broader Dartmouth Health system represent the state's largest healthcare employer, while southern New Hampshire is served by Elliot Health System, Catholic Medical Center, and several regional hospitals. Healthcare data remains among the most valuable commodities on dark web markets, and hospitals face intense pressure to pay ransoms because system downtime directly threatens patient safety.

Technology and Software

New Hampshire's favorable tax environment — no income tax and no sales tax — has attracted technology companies including Oracle's Dyn (DNS infrastructure), Bottomline Technologies, and numerous startups and SaaS firms. These companies are both targets for intellectual property theft and potential vectors for supply chain attacks on their customers. Smaller tech firms should explore IT security for small businesses to establish baseline protections.

Tourism and Hospitality

The White Mountains, Lakes Region, and seacoast draw millions of visitors annually, generating substantial payment card transaction volumes. Hotels, restaurants, and retail businesses in tourist areas are frequent targets for point-of-sale malware and payment card skimming, particularly during peak summer and fall foliage seasons.

What New Hampshire Businesses Must Do After a Breach

If your New Hampshire organization experiences a data breach, the following steps are required or strongly recommended under state law and industry best practices:

  • Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve forensic evidence before beginning remediation

  • Conduct a thorough investigation — determine what data was accessed, how the attacker gained entry, and whether the breach is ongoing

  • Notify affected individuals as quickly as possible under RSA 359-C:20, including a description of the incident, the type of data exposed, and recommended protective measures

  • Notify the New Hampshire Attorney General if 1,000 or more residents are affected, including the anticipated notification date and the approximate number of affected individuals

  • Notify credit reporting agencies if more than 1,000 individuals are affected by the breach

  • Engage legal counsel familiar with New Hampshire data breach law to ensure compliance with RSA 359-C and any applicable federal regulations like HIPAA or CMMC

  • Document the entire response timeline — maintain records of discovery, containment, investigation, and all notifications for potential regulatory review

How to Protect Your New Hampshire Business Before an Incident

The breach history above reveals consistent patterns: phishing attacks, unencrypted data, insider threats, and supply chain vulnerabilities. New Hampshire businesses can materially reduce their risk by addressing these specific weaknesses:

  • Implement multi-factor authentication across all remote access points, email systems, and privileged accounts — phishing remains the most common initial access vector in New Hampshire incidents

  • Conduct regular vulnerability assessments with particular attention to web applications, VPN endpoints, and any operational technology systems in manufacturing environments

  • Establish and test an incident response plan at least annually, including tabletop exercises that simulate ransomware and business email compromise scenarios

  • Train employees on phishing recognition — the Portsmouth BEC attack and defense subcontractor phishing campaign both demonstrate that human error remains the primary vulnerability

  • Segment your network so that a compromise in one area cannot spread laterally to critical systems or sensitive data stores

  • Vet third-party vendors for security practices before granting them access to your systems or data, as the DHHS exposure demonstrated supply-chain risk

Many New Hampshire businesses, particularly small and mid-sized firms, partner with managed IT and security providers to maintain continuous monitoring and response capabilities that would be impractical to build with internal staff alone.

Frequently Asked Questions

How quickly must a New Hampshire business report a data breach?

RSA 359-C:20 requires notification as quickly as possible, consistent with the legitimate needs of law enforcement. Unlike states with fixed deadlines such as 30 or 60 days, New Hampshire uses a reasonableness standard. However, the Attorney General's office expects prompt action, and unnecessary delays can trigger enforcement under the Consumer Protection Act.

What triggers the obligation to notify the New Hampshire Attorney General?

If a data breach affects more than 1,000 New Hampshire residents, the organization must notify the Attorney General's office in addition to the affected individuals. The AG notification must include the anticipated date of individual notifications, an approximate count of affected residents, and a description of the breach and response measures.

Does New Hampshire have a comprehensive data privacy law like GDPR or CCPA?

Yes. In 2024, New Hampshire enacted SB 255, the New Hampshire Privacy Act, which takes effect on January 1, 2025. It grants consumers rights to access, correct, delete, and port their personal data, and requires businesses to conduct data protection assessments for high-risk processing activities. See our New Hampshire privacy law guide for full details.

Are New Hampshire defense contractors required to meet CMMC compliance?

Yes. Any company handling controlled unclassified information for the Department of Defense must achieve CMMC certification, regardless of company size. New Hampshire has a significant concentration of small defense subcontractors in the BAE Systems and other defense supply chains that must meet these requirements. CMMC 2.0 Level 2 requires implementing all 110 controls in NIST SP 800-171.

What industries in New Hampshire are most frequently targeted by cyberattacks?

Healthcare and defense/aerospace account for the most high-profile incidents, driven by the value of the data they hold and mandatory reporting requirements. However, municipalities, school districts, and small technology firms are also frequent targets because they often operate with limited security budgets and staffing. The state's tourism and hospitality sector faces significant payment card fraud risk during peak seasons.


Alex Morgan

Updated Apr 5, 2026 · 9 min read