PHI of 21,000 Patients of Minnesota DHS Potentially Compromised

Two recent phishing attacks on the Minnesota Department of Human Services (DHS) have resulted in a potential breach of protected health information (PHI) that may impact up to 21,000 Minnesota residents.

DHS explained that the email accounts of two DHS employees were compromised after they responded to phishing emails. According to DHS investigation, the attackers were able to access the two email accounts but it was not possible to ascertain whether any messages in the accounts that contained PHI were opened or copied.

Minnesota DHS noted that the attackers may have targeted other employees as well and that other employees may have clicked links in the phishing emails, but that has yet to be confirmed. The breach investigation is ongoing.

The two email account breaches happened on June 28 and July 9, 2018, but the DHS IT department only discovered the incidents in August. Once discovered, DHS secured both email accounts to block the attackers and prevent further unauthorized access. No evidence has been found to suggest that PHI was viewed, downloaded, or misused.

It has taken a considerable amount of time to determine which patients have been affected by the incidents, as each email in the compromised accounts needed to be opened, read, and checked for PHI. DHS explained that is why it has taken so long to send notifications letters to affected individuals.

The patients whose PHI was exposed had previously has some interaction with the State Medical Review Team or had received services from Minnesota DHS Direct Care and Treatment facilities.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The PHI potentially accessed was limited to names, addresses, contact numbers, birth dates, medical data, Social Security numbers, educational records, job information, and financial details.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: