ST PAUL, Minn. — The Minnesota Department of Human Services is sending letters to 11,000 persons who may been affected by a data breach that occurred more than a year ago.
DHS Deputy Commissioner Chuck Johnson said it was discovered when an agency employee received an email from a co-worker that didn't seem right because it was seeking unusually private information.
"We learned a hacker phished into one of our employees' emails, had that account at least long enough to be able to send fake email to another of our employees," Johnson told KARE.
DHS notified Minnesota IT Services, or MNIT, the state agency that runs the email system used by all state government employees and departments.
MNIT staff initially believed the hacker hadn't gained access to any customer email messages, but recently determined 11,000 customer emails may have been visible to the hacker. That's what prompted the letters this week.
"We’re telling them that we regret that this happened, we’re extremely sorry," Johnson explained.
"We take this very seriously. We take all the control of all the data we have on people very seriously."
MNIT blocks thousands of email hacking threats every day, according to Aaron Call, that state's Chief Information Officer.
"Over the last five months, state employees across the Executive branch have reported over 92,500 suspicious emails. With further investments we can improve our ability to detect and deflect email-based attacks and other cyber-attacks to bring those numbers down."
Call said MNIT has added more sophisticated tools for scanning attachments since the breach occurred, which has made a dent in the hacker storm.
Lawmakers blast agency
Senate Republicans took DHS to task for the breach, pointing out it's the third one in recent years.
"Another 11,000 people, another data breach, another security failure! How serious is DHS about security?" Sen. Michelle Benson, the Ham Lake Republican who chairs the Health and Human Services Committee, told reporters Wednesday.
Sen. Benson noted the latest news comes on the heels of a Legislative Auditor's report that DHS lacks the internal controls needed to prevent fraud in the Child Care Assistance Program.
She said the GOP Senate Majority is growing increasingly impatient with DHS and losing confidence in the agency's ability to handle sensitive data.
Benson added that to the list of why Republicans oppose Gov. Walz's proposed medical insurance program known as OneCare, which would be operated by DHS.
"Let’s help them do it well and I am willing to be a partner in helping them do it well, but we’re not adding anything else until they get this house in order," Benson remarked.
Republican lawmakers have had Minnesota IT services under a microscope for the past two years because of the troubled launch of the Dept. of Public Safety's drivers and registration system known as MNLARS.
Damage limited
Johnson said the cyber incursion exposed information people may have emailed to DHS such as names, dates of birth, contact information, treatment and legal history. He said it didn't contain any financial data or Social Security numbers.
"The systems that contain all the information we need to run the programs that serve a million or more Minnesotans, that data sits in a completely separate place."
The letter gives detailed information about how to check credit reports and bank accounts for signs of fraud. People with questions are urged to call the DHS at 651-431-5020 or toll free 833-246-8262.
The agency serves roughly one million Minnesotans through health care, nutrition, child care and other state and federally funded public assistance programs. Those benefits are handled directly by DHS or by county social services offices in coordination with the state.