Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor System
The Minnesota Department of Human Services (DHS) is notifying nearly 304,000 individuals of a data breach involving unauthorized access to its MnChoices system, a third-party IT platform managed by FEI Systems. The system is used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support.
The breach was detected on November 18, 2025, when FEI Systems identified "unusual user activity" and reported it to DHS the following day. An investigation revealed that a healthcare worker affiliated with a licensed provider accessed data beyond their authorized scope between August 28 and September 21, 2025. The state revoked the provider’s access on October 30, 2025, and FEI commissioned a forensic review at DHS’s request.
Exposed data includes names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, and sensitive details such as ethnicity, income, and program eligibility. While 303,965 individuals had demographic information accessed, an additional 1,206 had more extensive records compromised. Authorities found no evidence of external hacking, and the DHS Office of Inspector General is monitoring for potential fraud.
The incident was reported to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services as a HIPAA breach. Since the unauthorized user was not a DHS employee, no disciplinary action was taken by the agency. FEI Systems has not provided further comment.
Source: https://www.govinfosecurity.com/minnesota-agency-notifies-304000-vendor-breach-a-30570
FEI Systems cybersecurity rating report: https://www.rankiteo.com/company/fei-systems2
Minnesota Department of Human Services cybersecurity rating report: https://www.rankiteo.com/company/minnesota-department-of-human-services
"id": "FEIMIN1768969952",
"linkid": "fei-systems2, minnesota-department-of-human-services",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '303,965 individuals '
'(demographic data), 1,206 '
'individuals (extensive records)',
'industry': 'Healthcare / Social Services',
'location': 'Minnesota, USA',
'name': 'Minnesota Department of Human Services (DHS)',
'type': 'Government Agency'},
{'industry': 'Technology / Healthcare IT',
'name': 'FEI Systems',
'type': 'IT Vendor'}],
'attack_vector': 'Insider Threat',
'customer_advisories': 'Notifications sent to affected individuals',
'data_breach': {'number_of_records_exposed': '304,000+',
'personally_identifiable_information': 'Names, addresses, '
'dates of birth, '
'partial Social '
'Security numbers, '
'ethnicity, income',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII), Protected '
'Health Information (PHI), '
'Medicaid IDs, partial SSNs, '
'demographic data, program '
'eligibility details'},
'date_detected': '2025-11-18',
'description': 'The Minnesota Department of Human Services (DHS) is notifying '
'nearly 304,000 individuals of a data breach involving '
'unauthorized access to its MnChoices system, a third-party IT '
'platform managed by FEI Systems. The system is used by '
'counties, tribal nations, and managed care organizations to '
'assess eligibility for long-term services, including '
'disability, housing, and mental health support. A healthcare '
'worker affiliated with a licensed provider accessed data '
'beyond their authorized scope.',
'impact': {'data_compromised': 'Names, addresses, dates of birth, Medicaid '
'IDs, partial Social Security numbers, '
'ethnicity, income, program eligibility',
'identity_theft_risk': 'Yes',
'systems_affected': 'MnChoices system (FEI Systems)'},
'investigation_status': 'Ongoing (DHS Office of Inspector General monitoring '
'for fraud)',
'post_incident_analysis': {'root_causes': 'Unauthorized access by an '
'authorized user beyond their '
'scope'},
'references': [{'source': 'Minnesota Department of Human Services'}],
'regulatory_compliance': {'regulations_violated': 'HIPAA',
'regulatory_notifications': 'Reported to U.S. '
'Department of Health '
'and Human Services, '
'Minnesota Office of '
'the Legislative '
'Auditor'},
'response': {'communication_strategy': 'Notifications sent to affected '
'individuals',
'containment_measures': 'Access revoked for the unauthorized '
'provider on October 30, 2025',
'third_party_assistance': 'Forensic review commissioned by FEI '
'Systems'},
'threat_actor': 'Healthcare worker affiliated with a licensed provider',
'title': 'Minnesota Agency Reports 304,000-Person Data Breach Linked to '
'Vendor System',
'type': 'Data Breach',
'vulnerability_exploited': 'Unauthorized access by authorized user'}