New Probe Launched into DHS' 'Serious Data Breach'

October 17, 2018 10:12 PM

The Minnesota Office of Legislative Auditor has begun an investigation into the Department of Human Services' handling of two security breaches, in which as many as 21,000 low-income Minnesotans on medical assistance may have had personal information compromised.

“I’m concerned about the lack of prompt reporting of a serious data breach,” said James Nobles, legislative auditor.


Nobles said his office is still waiting for a formal report from DHS explaining the full extent to the breaches.

It was back on June 28 and July 9 that two DHS employees clicked on a link in an email, which led hackers into the accounts, potentially compromising data that could include social security numbers, phone numbers, medical information and much more.

DHS sent letters on Oct. 9 to those 21,000 Minnesotans about the breaches.

More from KSTP

Lawmakers on the Senate’s Health and Human Services Committee discussed the incidents at a meeting Wednesday morning in St. Paul.

"Could you please try and help us connect why there was such a failure here of four months before folks were notified of the compromising situation of their private data?" asked Sen. Mary Kiffmeyer, (R) Big Lake.

The chief privacy official for DHS represented the agency and took a few questions.

"We assigned staff and attorneys to review each and every email in order to identify each and every individual that may have been affected by these incidents. That process took, frankly, a long time, we wanted to do a good job, I believe that we did do a good job," said Leah Flygare.

To the question of the gap in time to notify those affected, Flygare said once they learned of the potential breach, they immediately worked to identify each individual who may have been affected. She stresses it's a process that simply takes time.

DHS released the following statement about the breaches:

"Under state and federal law, DHS must investigate and report breaches without unreasonable delay and no later than 60 days after it learns about the breach. We were notified about the breach by MNIT Services Aug. 13.  DHS worked as quickly as possible to investigate this breach – which involved a detailed and labor-intensive review of a large number of emails and documents -- and to notify anyone who may be impacted by this breach."

Issue on Campaign Trail

5 EYEWITNESS NEWS reached out to DFL candidate for governor Tim Walz about the DHS data breach and changes he’d make under his administration.

"It's unacceptable, cybersecurity is absolutely critical, people's personal data, especially when it comes to medical and HIPAA data we have to ensure it doesn't happen,” said Walz.

Walz said he would reach out to cybersecurity experts in the Minnesota National Guard to work to improve the state’s defense.

"In state government it's critical, continuing to put a focus on it, it has to be done, and the new technology,” Walz said. “These cyber warriors are the ones who can go after and stop it ahead of time."

After a campaign stop in Duluth, Republican Jeff Johnson said the breach shows a “level of arrogance” with how it was handled.

Johnson was asked about how it would be handled under his administration.

"There's certainly legislative action you can take to make sure we're doing a better of protecting information, it's something I dealt with when I was in the legislature a while back,” Johnson said. “I think it's more about accountability and holding government accountable, when these mistakes, or screw-ups happen."


Eric Chaloux

Copyright 2018 - KSTP-TV, LLC A Hubbard Broadcasting Company


Minneapolis City Council passes $1.6 billion budget, more police officers included

St. Paul City Council approves 2020 budget with split vote

Man arrested, charged in connection to 1992 St. Paul unsolved homicide

Chiefs of police around Minnesota examines new ways to help those during suicide calls

Twins home opener tickets on sale, team plans ballpark upgrades

Judiciary panel to take first steps toward impeachment vote