Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor Access Misuse
The Minnesota Department of Human Services (DHS) has notified nearly 304,000 individuals of a data breach involving unauthorized access to its MnChoices system, a platform used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support. The system is managed by third-party vendor FEI Systems.
On November 18, 2025, FEI detected "unusual user activity" and reported it to DHS the following day. An investigation revealed that between August 28 and September 21, 2025, a worker affiliated with a licensed healthcare provider accessed data beyond their authorized scope. While the user had legitimate access to limited information, they retrieved more data than necessary for their role. DHS revoked the provider’s access on October 30, 2025.
The breach exposed demographic details for 303,965 individuals, with an additional subset of 1,206 affected by further data exposure. Compromised information includes names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, ethnicity, race, financial eligibility details, and program-specific data.
Authorities found no evidence of external hacking. The DHS Office of Inspector General is monitoring billing records for potential fraud, while the incident has been reported to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services as a HIPAA breach. Since the user was not a DHS employee, no disciplinary action was taken by the agency. FEI has not provided further comment.
Source: https://www.bankinfosecurity.com/minnesota-agency-notifies-304000-vendor-breach-a-30570
FEI Systems cybersecurity rating report: https://www.rankiteo.com/company/fei-systems2
Minnesota Department of Human Services cybersecurity rating report: https://www.rankiteo.com/company/minnesota-department-of-human-services
"id": "FEIMIN1768948386",
"linkid": "fei-systems2, minnesota-department-of-human-services",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '303,965 individuals (plus 1,206 '
'with additional data exposure)',
'industry': 'Healthcare & Social Services',
'location': 'Minnesota, USA',
'name': 'Minnesota Department of Human Services (DHS)',
'type': 'Government Agency'},
{'industry': 'IT Services',
'name': 'FEI Systems',
'type': 'Third-Party Vendor'}],
'attack_vector': 'Insider Threat',
'customer_advisories': 'Notification sent to affected individuals',
'data_breach': {'number_of_records_exposed': '303,965 (plus 1,206 with '
'additional exposure)',
'personally_identifiable_information': 'Names, addresses, '
'dates of birth, '
'partial Social '
'Security numbers, '
'ethnicity, race',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII), Medicaid IDs, '
'partial SSNs, demographic data, '
'financial eligibility details, '
'program-specific data'},
'date_detected': '2025-11-18',
'description': 'The Minnesota Department of Human Services (DHS) has notified '
'nearly 304,000 individuals of a data breach involving '
'unauthorized access to its MnChoices system, a platform used '
'by counties, tribal nations, and managed care organizations '
'to assess eligibility for long-term services, including '
'disability, housing, and mental health support. The system is '
'managed by third-party vendor FEI Systems. Unauthorized '
'access occurred due to a worker affiliated with a licensed '
'healthcare provider accessing data beyond their authorized '
'scope.',
'impact': {'data_compromised': 'Demographic details, names, addresses, dates '
'of birth, Medicaid IDs, partial Social '
'Security numbers, ethnicity, race, financial '
'eligibility details, and program-specific '
'data',
'identity_theft_risk': 'High',
'systems_affected': 'MnChoices system'},
'investigation_status': 'Ongoing (DHS Office of Inspector General monitoring '
'billing records for fraud)',
'post_incident_analysis': {'root_causes': 'Excessive data access permissions '
'granted to a third-party worker'},
'references': [{'source': 'Cyber Incident Description'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA'],
'regulatory_notifications': ['Minnesota Office of '
'the Legislative '
'Auditor',
'U.S. Department of '
'Health and Human '
'Services']},
'response': {'communication_strategy': 'Notification to affected individuals',
'containment_measures': 'Access revoked for the provider on '
'October 30, 2025'},
'threat_actor': 'Worker affiliated with a licensed healthcare provider',
'title': 'Minnesota Agency Reports 304,000-Person Data Breach Linked to '
'Vendor Access Misuse',
'type': 'Data Breach',
'vulnerability_exploited': 'Excessive Data Access Permissions'}