Cyber Incident Victim: Central Minnesota Mental Health Center
Date: Sep 2021
Location: United States of America
Summary
A phishing attack compromised email accounts at Central Minnesota Mental Health Center, exposing sensitive personal and medical information of 28,725 individuals including addresses, clinical data, Social Security numbers, and driver’s license numbers. The unauthorized access occurred over a multi-week period before malicious activity was detected and the affected accounts were secured.
Description
The Central Minnesota Mental Health Center (CMMHC) experienced a cybersecurity incident involving unauthorized access to its email systems between September 20 and October 29, 2021. Malicious activity was detected on October 21, 2021, prompting the organization to secure the affected email accounts. The breach exposed sensitive personal and health information of 28,725 individuals. While the specific method of initial compromise was not detailed in public disclosures, the incident timeline indicates unauthorized access persisted for over five weeks before containment. CMMHC did not publicly identify the threat actors or their motives but confirmed the exposure of protected health information (PHI) during the access period.

Compromised data included patient addresses, clinical treatment information, Social Security numbers, and driver’s license numbers. The breach did not involve physical records or non-email systems according to available reports. CMMHC implemented security measures to regain control of the email accounts following the October 21 discovery but did not disclose whether multi-factor authentication or other safeguards were added post-incident. No ransomware deployment or data destruction was reported. The organization’s notification did not specify whether forensic analysis determined exact data exfiltration volumes or whether attackers maintained persistent access beyond October 29. Impacted individuals received breach notifications without reported delays, though regulatory filing timelines were not explicitly stated.
