The Department of Human Services notified lawmakers this week that a data breach last year potentially exposed the personal information of 11,000 Minnesotans.
The email of a state employee was breached and used to send emails to co-workers asking for wire transfers. The breach exposed Minnesotans’ last names, dates of birth, Social Security numbers and treatment information. A statement from the department says there’s no evidence that any personal information was viewed or misused in any way. DHS has notified the Legislative Auditor and the FBI about the breach.
An employee reported the suspicious activity at the time, which triggered an investigation by the state’s top IT agency, MN.IT. DHS also hired a contractor to look into the breach, which completed its work last month.
“Partnering with MN.IT, we have been able to successfully defend against the vast majority of these cyber attacks targeting state government and will continue to pursue strategies to protect and defend against future cyber attacks,” DHS Commissioner Tony Lourey said.
It’s the third known breach that occurred in 2018. In January, the department notified lawmakers that a phishing scheme in September resulted in an employee clicking on a malicious link. Sen. Michelle Benson, R-Ham Lake, said the department needs to “get its house in order.”
“This begs a larger question: how serious is DHS about data security? Three breaches in a year affecting 35,000 people. This is unacceptable. It was in February of this year that DHS purchased software to prevent phishing emails from going through our system,” she said. “So we have some questions that need to be answered to restore trust.”
DHS said the new software could have prevented this breach, as well as others last year. They are also training employees to identify the increasingly “sophisticated” cyber attacks that attempt to penetrate state systems.