Why did the Minnesota Department of Human Services wait nearly three months to notify patients about sensitive data exposed in a cyber attack?
The agency's letters to those who had their personally identifiable information (PII) exposed never answer that question.
Instead, they say two phishing attacks against the agency were successful, the first on June 28, 2018, and the second on July 9.
Hackers then had access to two employee accounts, exposing data on 21,000 patients.
Minnesota DHS Commissioner Emily Piper had this to say in the breach notification letter:
The two email accounts contained information about some people who have interacted with DHS, including you. Examples of the type of information found in the email accounts at the time they were compromised include: first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information.
State leaders are upset the agency's breach notification took so long. Reports the StarTribune:
On Friday, state Senate Majority Leader Paul Gazelka said in a statement that there was “no excuse for a delay that long” in notifying people. He wrote that the breach shows that government can’t secure data. “It’s a recipe for disaster,” he added.
Here at SecureWorld, we are thankful for the many Minnesota information security leaders who collaborate annually at SecureWorld Twin Cities.
Together, we can create a recipe for successful cybersecurity practices that protects us, one region at a time.