21,000 Patients of Minnesota DHS Notified That Their PHI Has Potentially Been Compromised

Letters have been mailed to approximately 21,000 individuals on medical assistance by the Minnesota Department of Human Services to alert them of a potential breach of their protected health information (PHI) due to two phishing campaigns which took place recently.

Two DHS employees’ email accounts have been confirmed as compromised after the employees clicked on links in phishing emails. The review into the breach found that the hackers accessed both staff email accounts, although it was not possible to determine which, if any, emails in the accounts had been accessed or copied by the hackers.

Minnesota DHS believes that other staff members may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been determined whether their accounts have been compromised. The investigation into the phishing attacks is ongoing.

The two email account breaches happened on June 28 and July 9, 2018, although the IT department only confirmed that the accounts had been breached in August. Upon identifying the phishing attack, both accounts were secured to prevent further access.

It has taken a significant amount of time to carry out the investigation and determine which patients have been impacted. That process required every single email in each account to be reviewed for patient data, which caused the delay in issuing breach notification letters.

Most of the people impacted by the breach had previously interacted with the State Medical Review Team, although some people who had received services from Minnesota DHS Direct Care and Treatment facilities also had some of their PHI obtained.

The PHI in the compromised staff email accounts included full names, addresses, telephone numbers, dates of birth, Social Security numbers, educational records, medical information, employment details, and financial data.

Minnesota DHS released a statement about the breach which said: “We immediately took steps to secure these accounts, and currently have no evidence that any information was actually viewed, downloaded or misused. We take data privacy very seriously at DHS, and continue to work with our employees and partners to prevent cyberattacks.”