21,000 Patients of Minnesota DHS Notified That Their PHI Has Potentially Been Compromised

Oct 14, 2018

Letters have been mailed to approximately 21,000 individuals on medical assistance by the Minnesota Department of Human Services to alert them of a potential breach of their protected health information (PHI) due to two phishing campaigns which took place recently.

Two DHS employees’ staff email accounts have been confirmed as having been impacted after the employees clicked on links in phishing emails. The review into the breach found that the hackers accessed both staff email accounts, although it was not possible to discover which, if any, emails in the accounts had been accessed or copied by the hackers.

Minnesota DHS is of the opinion that other staff members may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been determined whether their accounts have been compromised. The investigation into the phishing attacks is ongoing.

The two email account breaches happened on June 28 and July 9, 2018, although the IT department only confirmed that the accounts had been breached in August. Once the phishing attack was identified, both accounts were secured to prevent further access.

It has taken a significant amount of time to carry out the investigation and determine which patients have been impacted. That process required every single email in each account to be reviewed for patient data, which caused the delay in issuing breach notification letters.

Most of the people impacted by the breach had previously interacted with the State Medical Review Team, although some people who had received services from Minnesota DHS Direct Care and Treatment facilities also had some of their PHI obtained.

The PHI in the compromised staff email accounts included full names, addresses, telephone numbers, dates of birth, Social Security numbers, educational records, medical information, employment details, and financial data.

Minnesota DHS issued a statement about the breach which said: “We immediately took steps to secure these accounts, and currently have no evidence that any information was actually viewed, downloaded or misused. We take data privacy very seriously at DHS, and continue to work with our employees and partners to prevent cyberattacks.”


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
