Cyber Incident Victim: Minnesota Department of Human Services
Date:
Jan 2026
Location:
United States of America
Summary
The Minnesota Department of Human Services experienced an unauthorized data breach when a user affiliated with a licensed health-care provider inappropriately accessed private information in the MnCHOICES system, impacting approximately 304,000 individuals. The compromised data included names, birthdates, contact details, Medicaid IDs, and partial Social Security numbers, with additional demographic and benefits information exposed for 1,206 people. The user, who had legitimate credentials but exceeded authorized access levels, was terminated from the system following detection of unusual activity by the system’s vendor, which triggered a forensic investigation. The agency confirmed no evidence of data misuse but enhanced technical safeguards and notified affected individuals while monitoring for fraudulent activity. Federal authorities and state auditors were informed of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Minnesota Department of Human Services (DHS) experienced a data breach involving unauthorized access to its MnCHOICES system between August 28 and September 21, 2025. A user affiliated with a licensed health-care provider, who possessed legitimate credentials, accessed private data beyond the scope necessary for their work assignments. The MnCHOICES system, managed by vendor FEI Systems, is utilized by counties, tribal nations, managed care organizations, and consultation service providers to conduct assessments and planning for residents requiring long-term services and support. The breach was detected in mid-November 2025 when FEI Systems observed unusual activity and alerted Minnesota DHS, prompting the department to commission a forensic investigation by a cybersecurity firm. The unauthorized access impacted 303,965 individuals, exposing names, sex, dates of birth, phone numbers, addresses, Medicaid IDs, and the last four digits of Social Security numbers. For 1,206 individuals, additional data was compromised, including ethnicity, birth records, physical traits, education level, income details, and benefit information. The affiliated service provider was terminated from the system on October 30, 2025, prior to the discovery of the breach’s full scope.
Minnesota DHS formally reported the incident to the U.S. Department of Health and Human Services on January 16, 2026, in compliance with HIPAA breach notification requirements, and also notified the Minnesota Office of the Legislative Auditor. The department’s Office of Inspector General initiated monitoring of billing data to detect potential fraudulent or inappropriate activity, though no evidence of data misuse was identified. Affected individuals received notifications advising them to review health-care statements and credit reports for suspicious activity, with delays attributed to the forensic investigation and verification process. DHS confirmed implementing additional technical safeguards to prevent similar incidents but did not disclose specific measures. The breach occurred amid federal scrutiny of fraud allegations in Minnesota’s social services programs, though no direct link was established between the incident and broader investigations. FEI Systems and Minnesota DHS maintained operational continuity throughout the response, with no service disruptions reported.