Phishing scam hit MN agency; data of 3K possibly exposed

The Minnesota Department of Human Services is sending out letters Wednesday to up to 3,000 people whose personal information might have been exposed in a data breach.

The agency notified state lawmakers that a phishing scheme in September resulted in an employee clicking on a malicious link. The hacking incident has been reported to the Legislative Auditor and the FBI.

DHS commissioner Tony Lourey says there is no evidence yet that the information was viewed, downloaded or misused.

The type of data at risk includes names, phone numbers, birth dates and information about child protection cases. It also includes about 30 numbers involving Social Security, driver's licenses and financial accounts, DHS added.

Grow the Future of Public Media

MPR News is supported by Members. Gifts from individuals power everything you find here. Make a gift of any amount today to become a Member!

"We respect and value the privacy of the Minnesotans we serve and sincerely regret any concern or other negative impact this incident may cause," Lourey wrote in a letter to lawmakers.

"Although we are not aware of any misuses of the information contained in the DHS employee's email account," he added, "our notification letter to the individuals who may be impacted by this incident includes suggestions about how they can protect against identity theft and other forms of fraud."

While the agency has known about the breach since October, it is only now alerting the public after investigations by the state technology department and a contractor.

A similar data breach occurred last summer, when a hacker accessed two employees' email accounts through a phishing scheme. That breach was much larger, with roughly 21,000 Minnesotans' personal information potentially leaked.

Legislators are considering a proposal this session to expand notification requirements when data held by a government agency are compromised.

MPR News reporter Briana Bierschbach contributed to this report.

Correction (Jan. 30, 2019): About 30 numbers involving Social Security, driver's licenses and financial accounts were exposed. An earlier version of this story described them all as Social Security numbers.