21,000 Patients' Data Compromised in Minnesota Hacks

But the state Department of Human Services claims there’s no evidence that the information has been viewed or misused.

Two phishing attacks against the Minnesota Department of Human Services resulted in data breaches.

Minnesota officials have notified 20,800 people of a data breach that threatened to expose their private information, including medical data, this past summer.

The Minnesota Department of Human Services learned of the attacks more than two months ago, in mid-August, and reported it just last week. They were the result of two phishing campaigns, which struck the state agency in late June and July, compromising individuals’ Social Security numbers, medical information and other sensitive information.

>> READ: Yes, Healthcare’s Data Breach Problem Really Is That Bad

But the department said in a letter to victims (PDF) that there’s no evidence that hackers “viewed, downloaded or misused” the jeopardized personal information.

“We continue to work hard to protect against these and other types of data security incidents,” Emily Piper, the agency’s commissioner, wrote in the notification. “We use the technology at our disposal to its fullest potential to prevent and mitigate data security incidents, and push for security technology upgrades.”

She added that her team is updating “relevant policies and procedures” and teaching staff members about “email best practices” and proper incident response.

Using phishing, hackers gained access to two email accounts, where sensitive information was stored.

Minnesota’s state information technology unit learned of the attacks quickly and soon secured the accounts, according to the letter. After completing its investigation, the IT team told human affairs what had happened.

The affected department suggested victims review their credit reports for suspicious transactions.

“We sincerely regret these data security incidents and apologize for any impact they may have on you or your family,” Piper noted in the letter.

The successful attacks are part of a larger wave of phishing attacks against the Minnesota Department of Human Services in recent months. Across geographic and industry lines, phishing has spread rapidly — and with great consequences. In healthcare, specifically, data breach after data breach is attributed to malicious email campaigns.

Data breaches, meanwhile, have battered the industry. Over the past eight years, hundreds of millions of patient records have been exposed by hackers, making medicine’s digital transformation something of a blessing and a curse.

Minnesota’s human services department plans to release a report on the incident in the future.

Get the best insights in healthcare analytics directly to your inbox.

Related

Can Outside Disruption Save Healthcare?

WannaCry, NotPetya and Cyberwarfare’s Threat to Healthcare

With 860K Affected Patients, July Among Worst Data Breach Months of Year