Minnesota DHS Data Breach Exposes Personal Information of Nearly 304,000 Individuals
In late August, an unauthorized user affiliated with a licensed healthcare provider accessed sensitive data in Minnesota’s MnCHOICES system a platform used by counties, tribes, and agencies to assess and plan long-term services for vulnerable populations. The breach persisted for nearly a month before being detected.
The unauthorized access included names, dates of birth, addresses, phone numbers, Medicaid IDs, and the last four digits of Social Security numbers for nearly 304,000 individuals. For 1,206 people, additional details such as ethnicity, birth records, physical traits, education, income, and benefits were exposed.
The user, who had legitimate but limited access to MnCHOICES, exceeded their authorized permissions by retrieving more data than necessary for their role. Access was revoked on October 30 after FEI Systems, the vendor managing the system, detected unusual activity in mid-November and reported it to the state. A forensic investigation was subsequently launched.
The Minnesota Department of Human Services (DHS) stated there is no evidence the data was misused, though the Office of Inspector General is monitoring billing records for potential fraud. Affected individuals were notified via a January 16 letter, nearly four months after the breach occurred. The delay was attributed to the need to verify impacted records and complete the investigation before issuing notices.
In response, DHS implemented additional technical safeguards and reported the incident to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services. The breach highlights vulnerabilities in systems handling sensitive health and social services data.
FEI Systems cybersecurity rating report: https://www.rankiteo.com/company/fei-systems2
"id": "FEI1768877970",
"linkid": "fei-systems2",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '304,000 individuals',
'industry': 'Healthcare & Social Services',
'location': 'Minnesota, USA',
'name': 'Minnesota Department of Human Services (DHS)',
'type': 'Government Agency'}],
'attack_vector': 'Unauthorized Access',
'customer_advisories': 'Affected individuals notified via letter on January '
'16, 2024',
'data_breach': {'data_exfiltration': 'No evidence of misuse',
'number_of_records_exposed': '304,000 (1,206 with additional '
'sensitive data)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information',
'Medicaid IDs',
'Social Security Numbers (Last '
'Four Digits)',
'Ethnicity',
'Birth Records',
'Physical Traits',
'Education',
'Income',
'Benefits']},
'date_detected': '2023-11-15',
'date_publicly_disclosed': '2024-01-16',
'date_resolved': '2023-10-30',
'description': 'In late August, an unauthorized user affiliated with a '
'licensed healthcare provider accessed sensitive data in '
'Minnesota’s MnCHOICES system, a platform used by counties, '
'tribes, and agencies to assess and plan long-term services '
'for vulnerable populations. The breach persisted for nearly a '
'month before being detected. The unauthorized access included '
'names, dates of birth, addresses, phone numbers, Medicaid '
'IDs, and the last four digits of Social Security numbers for '
'nearly 304,000 individuals. For 1,206 people, additional '
'details such as ethnicity, birth records, physical traits, '
'education, income, and benefits were exposed. The user '
'exceeded their authorized permissions by retrieving more data '
'than necessary for their role.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Personal Information, Medicaid IDs, Last Four '
'Digits of SSNs, Ethnicity, Birth Records, '
'Physical Traits, Education, Income, Benefits',
'identity_theft_risk': 'Yes',
'systems_affected': 'MnCHOICES System'},
'investigation_status': 'Completed',
'lessons_learned': 'Vulnerabilities in systems handling sensitive health and '
'social services data; need for stricter access controls '
'and monitoring.',
'post_incident_analysis': {'corrective_actions': 'Additional technical '
'safeguards implemented, '
'stricter access controls',
'root_causes': 'Excessive user permissions, '
'delayed detection of unauthorized '
'access'},
'recommendations': 'Implement additional technical safeguards, enhance '
'monitoring of user permissions, and expedite breach '
'notification processes.',
'references': [{'source': 'Minnesota Department of Human Services'}],
'regulatory_compliance': {'regulatory_notifications': ['Minnesota Office of '
'the Legislative '
'Auditor',
'U.S. Department of '
'Health and Human '
'Services']},
'response': {'communication_strategy': 'Affected individuals notified via '
'letter on January 16, 2024',
'containment_measures': 'Access revoked on October 30, 2023',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Additional technical safeguards '
'implemented',
'third_party_assistance': 'FEI Systems (Forensic Investigation)'},
'threat_actor': 'Affiliated User (Licensed Healthcare Provider)',
'title': 'Minnesota DHS Data Breach Exposes Personal Information of Nearly '
'304,000 Individuals',
'type': 'Data Breach',
'vulnerability_exploited': 'Excessive Permissions'}