A data breach last year at the state agency that oversees Minnesota’s health and welfare programs may have exposed the personal information of approximately 11,000 individuals.
The state Department of Human Services (DHS) notified lawmakers Tuesday that an employee’s e-mail account was compromised as a result of a cyberattack on or about March 26, 2018. A hacker unlawfully logged into a state e-mail account of a DHS employee and used it to send two e-mails to one of the employee’s co-workers, asking that co-worker to pay an “invoice” by wiring money.
The agency has no evidence that personal information contained in the hacked e-mail account was “viewed, downloaded or misused in any way,” Human Services Commissioner Tony Lourey said in a letter to legislative leaders on Tuesday. Even so, the hacker would have had the ability to obtain some of the account’s contents during the cyberattack, officials said.
“This cyberattack is an assault on our efforts in state government to provide quality services to Minnesotans in need,” Lourey wrote in the letter. “We pledge to do everything we can to uphold the privacy of the Minnesotans who receive services through our programs. We apologize for any concern or other negative impact due to this incident.”
The incident is the third data breach in just over a year at DHS, the state’s largest agency and comes as state agencies face a barrage of increasingly sophisticated hacking attempts. Over the last five months, state employees have reported more than 92,500 suspicious e-mails — an average of over 600 per day — to Minnesota IT Services, which provides technology services to state agencies. On average, Minnesota IT Services security staff identifies eight new phishing websites each day that specifically target state employees, the agency said.
Last June and July, for instance, hackers accessed the state e-mail accounts of two DHS employees and used those accounts to send spam e-mails. In that incident, the personal information of about 21,000 Minnesotans was compromised. Then, last September, a hacker used an e-mail phishing campaign to gain access to the state e-mail account of an employee in the Children and Family Services division of DHS. The hacker used this account to send spam e-mail messages and may have viewed some of the information contained in the account, according to DHS notifications.
The latest data breach occurred in the Direct Care and Treatment (DCT) division at DHS, which provides care to about 12,000 people with mental illnesses, developmental disabilities and substance abuse disorders. Once the hacker gained access to the state e-mail account, the person pretended to be a DCT employee and sent e-mails to the employee’s co-workers. They quickly recognized that the messages were suspicious and reported them to Minnesota IT Services.
At the time the cyberattack occurred last March, the compromised e-mail account contained a wide range of personal information about DHS clients, employees and applicants, including first and last names, dates of birth, other demographic data, treatment data and information about interactions with the agency. The account did not contain Social Security numbers or financial information. However, it is possible that, while in the account, the hacker viewed or downloaded some of the account’s data, officials said.
On Tuesday DHS began sending individual letters to all the people who may have been affected by the incident.
Responding to the string of cyberattacks, Minnesota IT Services in February deployed a new cybersecurity tool that blocks malicious links and attachments in e-mails intended for state employees. This tool could have prevented many of the breaches at DHS, including the latest incident. The agency has also revised its policies and procedures to ensure they can respond more quickly to data security incidents.
“With further investment, we can improve our ability to detect and deflect e-mail-based and other kinds of cyberattacks in the future to bring those numbers down,” said Aaron Call, the state’s chief information security officer.