October 11, 2018 10:14 PM
Minnesota’s Department of Human Services earlier this week mailed out 21,000 letters alerting low-income Minnesotans on medical assistance they may be possible victims of a hack on state computers back in the summer.
Two DHS employees clicked on a link in an email they shouldn't have, which led hackers into the workers' email accounts back on June 28 and July 9, according to the state.
"What we know is the hacker had the opportunity to look into the email account, whether he even did look in, and did actually look at any of these emails that had this personal information, we don't know for sure," said DHS Deputy Commissioner Chuck Johnson.
DHS told potential victims the email accounts that were hacked may have included their first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records and/or financial information.
"We take the protection of the data that we control very seriously, we regret that this breach happened, apologize to the 21,000 people we had to notify," Johnson said.
More from KSTP
DHS continues to investigate if more employees were targeted in the phishing incidents.
"We are looking at a couple of others (employees) that may have been compromised, but it looks like they are probably OK," Johnson said.
At this point Johnson couldn't say if other Minnesotans' personal information could have been hacked as well due to their current investigation.
“Don’t know at this point,” said Johnson.
"A breach of 20 some odd thousand is surprising and disappointing," said Rep. Jim Nash of Waconia. “To me a responsible administration would have gotten those letter sent out as quickly as humanly possible, immediately after they had been breached."
Nash, who works in the IT security industry, said he fought for legislation that was vetoed as part of an omnibus bill that would have provided more cybersecurity training resources for state workers.
"People entrust this data to the state and they get health care benefits,” Nash said. “Some of them are quite vulnerable in this system, they may not have ability to mount a defense for themselves if something were to happen, this is a sensitive issue."
Johnson explained they learned from state IT officials back in mid-August of the hacks that took place in June and July.
"We had to figure out who was affected,” Johnson said the length of time it took to notify possible victims. “Knowing the email box has been compromised, was there personal or private information in that email box, whose information was it and is it information we have to report on."
"In just the last nine months, the Minnesota IT Services Security Operations Center saw more than 700 security incidents, which included more than 150 serious phishing attack cases impacting the State of Minnesota,” said Aaron Call, the chief information security officer for the State of Minnesota.
“The Security Operations Center blocks an average of 13 malicious websites targeting state email users every day,” Call said.
This is not the first time a state agency has experienced a data breach.
In 2013, the Minnesota Department of Natural Resources announced one of its employees accessed the motor vehicle records of 5,000 people without authorization.
That same year, a worker at MNsure accidentally sent out the names and social security numbers of 2,400 insurance agents.
Updated: October 11, 2018 10:14 PM
Created: October 11, 2018 07:46 PM
(Copyright 2018 - KSTP-TV, LLC A Hubbard Broadcasting Company