The Minnesota Office of Legislative Auditor has begun an investigation into the Department of Human Services’ handling of two security breaches, in which as many as 21,000 low-income Minnesotans on medical assistance may have had personal information compromised.
“I’m concerned about the lack of prompt reporting of a serious data breach,” said James Nobles, legislative auditor.
Nobles said his office is still waiting for a formal report from DHS explaining the full extent to the breaches.
It was back on June 28 and July 9 that two DHS employees clicked on a link in an email, which led hackers into the accounts, potentially compromising data that could include social security numbers, phone numbers, medical information and much more.
DHS sent letters on Oct. 9 to those 21,000 Minnesotans about the breaches.
Lawmakers on the Senate’s Health and Human Services Committee discussed the incidents at a meeting Oct. 17 in St. Paul.
“Could you please try and help us connect why there was such a failure here of four months before folks were notified of the compromising situation of their private data?” asked Sen. Mary Kiffmeyer, (R) Big Lake.
The chief privacy official for DHS represented the agency and took a few questions.
To the question of the gap in time to notify those affected, Leah Flygare said once they learned of the potential breach, they immediately worked to identify each individual who may have been affected. She stresses it’s a process that simply takes time.
DHS released the following statement about the breaches:
“Under state and federal law, DHS must investigate and report breaches without unreasonable delay and no later than 60 days after it learns about the breach. We were notified about the breach by MNIT Services Aug. 13. DHS worked as quickly as possible to investigate this breach – which involved a detailed and labor-intensive review of a large number of emails and documents — and to notify anyone who may be impacted by this breach.”
