Minnesota official tells lawmakers his department was hacked
ST. PAUL - It’s never good to get a letter saying your personal information was at risk, and Minnesota state government has had to send a lot of them lately.
In a letter to state lawmakers, Human Services Commissioner Tony Lourey wrote that the email account of one his department’s employees was the target of a cyber attack. The hacker accessed the account in March 2018 and used it to send emails to other workers trying to get them to send money for a fake invoice.
“This cyberattack is an assault on our efforts in state government to provide quality services to Minnesotans in need,” Lourey said in a statement. “We pledge to do everything we can to uphold the privacy of the Minnesotans who receive services through our programs.”
During the intrusion, the hacker would have had access to view the personal information of 11,000 Minnesotans. The data includes: “first and last names, dates of birth, contact information, treatment data and legal history,” Lourey wrote to lawmakers.
There is no evidence the hacker viewed any of that private information, but it could have been viewed or even downloaded.
“We apologize for any concern or other negative impact due to this incident,” Lourey’s statement said. “We are sending letters to the individuals who may have been affected by this incident, in compliance with federal law.”
The time between the data breach and Tuesday’s disclosure to the Legislature was more than a year. During that time, the state’s technology agency, MNIT, investigated the hack and the human services department hired a contractor to help identify people whose information was at risk.
This hack is the latest to show the vulnerability of the state’s computer systems.
In January, the Department of Human Services disclosed that about 3,000 people could have had their information at risk because of a similar “phishing” scam. Last year, hackers might have gained access to department information of 22,000 Minnesotans.
“Partnering with MNIT, we have been able to successfully defend against the vast majority of these cyberattacks targeting state government and will continue to pursue strategies to protect and defend against future cyberattacks,” Lourey said.
Also in January, the state’s troubled vehicle registration system reported that it accidentally sent 1,500 people’s private information to state contractors.