Phishing Attacks on Minnesota DHS Potentially Compromised PHI of 21,000 Patients

There were two phishing attacks on the Minnesota Department of Human Services (DHS) that impacted 21,000 persons provided with medical assistance. DHS already mailed the patients notification letters regarding the possible breach of their protected health information (PHI).

It was confirmed that two of DHS employees’ email accounts were compromised as a result of the employees clicking on hyperlinks embedded in the phishing emails. As per investigation results, the hackers had accessed the email accounts but the investigators were not sure which of the two accounts the attackers viewed or downloaded messages from.

Minnesota DHS stated that the attackers could have sent phishing emails to other employees also. It’s possible that other employees clicked on the phishing email links however there’s no report yet related to the breach of more employee email accounts. Investigation of the DHS phishing attacks is still continuing.

The security breaches were determined to have occurred on June 28 and July 9, 2018. However, DHS only became aware of it in August. Upon knowing about the phishing attacks, DHS took steps to secure the email accounts to keep the attackers from accessing the accounts. At this time there is no information whether the attackers really viewed or misused any information.

The investigators found it hard to determine who were the patients affected by the breach. Examining each email in the two accounts to verify patient data required a lot of time. Hence, there was a delay in issuing the breach notification letters to the patients.

The patients whose PHI was compromised were largely people that had prior communication with the State Medical Review Team and individuals that were provided services at the Minnesota DHS Direct Care and Treatment centers.

The compromised PHI of patients may have included their names, dates of birth, addresses, phone numbers, medical details, educational records, Social Security numbers, employment details, and financial data.

DHS claimed that they regard data privacy as highly important and they are working with employees and healthcare partners to keep PHI secure against cyberattacks.