Two recent phishing attacks on the Minnesota Department of Human Services (DHS) have resulted in a potential breach of protected health information (PHI) that may impact up to 21,000 Minnesota residents.
DHS explained that the email accounts of two DHS employees were compromised after they responded to phishing emails. According to the DHS investigation, the attackers were able to access the two email accounts, but it was not possible to ascertain whether any messages in the accounts that contained PHI were opened or copied.
Minnesota DHS noted that the attackers may have targeted other employees as well and that other employees may have clicked links in the phishing emails, but that has yet to be confirmed. The breach investigation is ongoing.
The two email account breaches happened on June 28 and July 9, 2018, but the DHS IT department only discovered the incidents in August. Once discovered, DHS secured both email accounts to block the attackers and prevent further unauthorized access. No evidence has been found to suggest that PHI was viewed, downloaded, or misused.
It has taken a considerable amount of time to determine which patients have been affected by the incidents, as each email in the compromised accounts needed to be opened, read, and checked for PHI. DHS explained that is why it has taken so long to send notification letters to affected individuals.
The patients whose PHI was exposed had previously had some interaction with the State Medical Review Team or had received services from Minnesota DHS Direct Care and Treatment facilities.
The PHI potentially accessed was limited to names, addresses, contact numbers, birth dates, medical data, Social Security numbers, educational records, job information, and financial details.