The Minnesota Department of Human Services was victim of a phishing email scam, where someone had the ability to access the information of approximately 21,000 individuals who interacted with the department.
DHS sent out a letter to those individuals whose information may have been accessed. In the letter, it says incidents occurred in June and July.
“The two email accounts contained information about some of the people who interacted with DHS between October 2010 and July 2018,” the department said. “The vast majority of these people interacted with our State Medical Review Team, and a much smaller number interacted with one of our Direct Care and Treatment facilities.”
According to DHS, Minnesota IT Services secured the accounts and stopped the spread of the phishing emails. MNIT also investigated the incidents and reported the results of the investigation to DHS in August.
DHS reviewed every item in the accounts to determine who may have been affected.
In the statement, the department said, “We currently have no evidence that this information was actually clicked, viewed, downloaded, or misused.”
DHS said it is believed the data was able to be accessed after two employees clicked on a link they received in an email.
“The Minnesota Department of Human Services takes very seriously our responsibility to protect the private information and data of Minnesotans, and will continue our vigilant efforts to uphold the highest standards of IT security and data privacy,” the department said in a statement.
This is not the first time a state agency has experienced a data breach.
In 2013, the Minnesota Department of Natural Resources announced one of its employees accessed the motor vehicle records of 5,000 people without authorization.
That same year, a worker at MNsure accidentally sent out the names and social security numbers of 2,400 insurance agents.