Minnesota Department of Human Services: Data breach compromised records of 300K people at Minnesota human services department

Minnesota DHS Reports Data Breach Affecting 304,000 Individuals

The Minnesota Department of Human Services (DHS) recently disclosed a data breach impacting nearly 304,000 state residents, stemming from unauthorized access to the MnCHOICES system a platform used by counties, tribes, and managed care organizations to support individuals requiring long-term services.

The breach began in late August 2023, when a user affiliated with a healthcare provider accessed state data without proper authorization. While the individual had legitimate access to some MnCHOICES data, they exceeded their permissions, retrieving sensitive information over a one-month period. By the time the breach was detected on November 18, 2023, the unauthorized access had exposed demographic records, income data, and educational backgrounds of hundreds of thousands of individuals. For over 1,200 people, the breach included more detailed personal information, such as names, phone numbers, dates of birth, addresses, Medicaid ID numbers, and partial Social Security numbers.

The state’s investigation, conducted with assistance from FEI Systems (the IT vendor managing MnCHOICES) and an external cybersecurity firm, found no evidence of data misuse. However, notifications were issued out of caution. The Minnesota Office of Inspector General is monitoring billing records for potential fraud, with plans to refer any suspicious activity to law enforcement.

The DHS has not disclosed the identity of the unauthorized user or the healthcare provider involved. The incident highlights vulnerabilities in systems handling sensitive health and demographic data.

Source: https://statescoop.com/minnesota-human-services-data-breach/

Minnesota Department of Human Services cybersecurity rating report: https://www.rankiteo.com/company/minnesota-department-of-human-services

"id": "MIN1768941399",
"linkid": "minnesota-department-of-human-services",
"type": "Breach",
"date": "8/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '304,000 individuals',
                        'industry': 'Healthcare and Social Services',
                        'location': 'Minnesota, USA',
                        'name': 'Minnesota Department of Human Services (DHS)',
                        'size': 'Large',
                        'type': 'Government Agency'}],
 'attack_vector': 'Unauthorized Access',
 'customer_advisories': 'Notifications issued to affected individuals',
 'data_breach': {'number_of_records_exposed': '304,000 (1,200 with sensitive '
                                              'data)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High for 1,200 individuals',
                 'type_of_data_compromised': ['Demographic records',
                                              'Income data',
                                              'Educational backgrounds',
                                              'Names',
                                              'Phone numbers',
                                              'Dates of birth',
                                              'Addresses',
                                              'Medicaid ID numbers',
                                              'Partial Social Security '
                                              'numbers']},
 'date_detected': '2023-11-18',
 'description': 'The Minnesota Department of Human Services (DHS) disclosed a '
                'data breach impacting nearly 304,000 state residents due to '
                'unauthorized access to the MnCHOICES system, which supports '
                'individuals requiring long-term services. The breach exposed '
                'demographic records, income data, educational backgrounds, '
                'and sensitive personal information for over 1,200 '
                'individuals.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Minnesota DHS',
            'data_compromised': 'Demographic records, income data, educational '
                                'backgrounds, names, phone numbers, dates of '
                                'birth, addresses, Medicaid ID numbers, '
                                'partial Social Security numbers',
            'identity_theft_risk': 'High for 1,200 individuals with exposed '
                                   'sensitive data',
            'systems_affected': 'MnCHOICES system'},
 'investigation_status': 'Completed (no evidence of data misuse found)',
 'lessons_learned': 'Highlights vulnerabilities in systems handling sensitive '
                    'health and demographic data, particularly regarding '
                    'permission controls.',
 'post_incident_analysis': {'root_causes': 'Unauthorized access due to '
                                           'excessive permissions granted to a '
                                           'user affiliated with a healthcare '
                                           'provider'},
 'references': [{'source': 'Cyber Incident Description'}],
 'response': {'communication_strategy': 'Notifications issued to affected '
                                        'individuals',
              'enhanced_monitoring': 'Monitoring by Minnesota Office of '
                                     'Inspector General for potential fraud',
              'third_party_assistance': 'FEI Systems, External Cybersecurity '
                                        'Firm'},
 'threat_actor': 'Unauthorized User Affiliated with Healthcare Provider',
 'title': 'Minnesota DHS Data Breach Affecting 304,000 Individuals',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Excessive Permissions'}