Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.

Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.

Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.

In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.

The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”

A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.

The post Blue Cross Blue Shield of Montana Faces Data Breach Probe appeared first on The HIPAA Journal.

Protected health information has been exposed in data security incidents at Mitchell County Department of Social Services in North Carolina, 360 Dental in Pennsylvania, and GiaCare in Florida.

Mitchell County Department of Social Services

Individuals who received services from Mitchell County Department of Social Services in North Carolina have had their sensitive information stolen in a ransomware attack. The investigation into the October 2025 ransomware attack on Mitchell County was initiated on October 20, 2025, following the encryption of files. The attack caused email and phone outages that lasted for several days. The forensic investigation confirmed that there had been unauthorized network access between October 16, 2025, and October 20, 2025, during which time files were exfiltrated.

The data review and investigation are ongoing to determine the types of information involved and the individuals affected. After that information has been confirmed and up-to-date contact information has been obtained, notification letters will be mailed to the affected individuals. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, if appropriate, for instance, if their Social Security numbers were compromised in the incident.

The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of 501 individuals. The total will be updated when County officials have confirmed the total number of affected individuals. County officials have confirmed that steps have been or will be taken in response to the incident to strengthen security. Those measures include upgrading the County email system, deploying additional software to enhance detection and accelerate the County’s response to cyber incidents, updating password policies, and strengthening restrictions for access to computer systems.

360 Dental

360 Dental in Philadelphia, PA, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 11,273 individuals. According to its substitute breach notice, this was a ransomware attack that resulted in file encryption. The incident was detected on November 16, 2025, and the file review confirmed that sensitive patient data had been exposed in the incident.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, address, telephone number, email, patient account or chart number, dental and clinical records (such as treatment history, clinical notes, x -rays, and diagnostic information), insurance provider and member ID, appointment information, and emergency contacts. A limited number of Social Security numbers were also exposed.

360 Dental has taken steps to improve security following the ransomware attack. The affected computers have been replaced, the affected server has been rebuilt, software has been updated, and additional security tools have been implemented, including firewalls, antivirus software, multifactor authentication, and VPN-only remote access.

GiaCare

GiaCare, a Coral Springs, Florida-based company that provides healthcare staffing and IT services to government entities and healthcare organizations, has recently announced a data security incident, first identified on or around December 23, 2025.

GiaCare learned that a vulnerability existed Gladinet CentreStack, a third-party file sharing platform. GiaCare worked closely with its IT vendor to investigate and confirm the security of its systems and data. The IT vendor confirmed that GiaCare’s systems were secure and had not been accessed; however, the vulnerability had been exploited, and data within the Gladinet CentreStack platform had been accessed and exfiltrated by an unauthorized third-party on December 6, 2025. While the threat actor involved was not named, several cybersecurity firms linked the Gladinet CentreStack attacks to the Cl0p ransomware group – a group known to target zero-day vulnerabilities in file-sharing platforms.

The file review confirmed that names, Social Security numbers, and driver’s license numbers were compromised in the incident. The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The number of affected individuals has yet to be publicly disclosed.

The post Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches appeared first on The HIPAA Journal.

MACT Health Board has confirmed that patient data was stolen in a November 2025 cyberattack, for which the INC Ransom ransomware group claimed credit. Data breaches have also been announced by TriCity Family Services in Illinois, HAP (Health Alliance Plan) in Michigan, and Zenflow in California.

MACT Health Board, California

MACT Health Board, a provider of healthcare services to the American Indian and Alaskan Native population in Mariposa, Amador, Alpine, Calaveras & Tuolumne counties in California, has notified individuals affected by a November 2025 security incident. MACT Health board launched an investigation into a potential security breach when it experienced disruption to its IT systems. The investigation confirmed that an unauthorized third party had access to its computer network from November 12, 2025, to November 20, 2025. A review of the exposed files commenced on November 25, 2025, and was completed on January 9, 2026.

Patient information compromised in the incident included names in combination with one or more of the following: diagnoses, test results, medical images, treatment information, doctors’ names, and or Social Security numbers. Notification letters started to be mailed to the affected individuals on January 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.  The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

TriCity Family Services, Illinois

TriCity Family Services, a provider of counseling and mental health services to residents in Kane County, Illinois, has started notifying 2,511 patients about a data security incident.  In the spring of 2025, suspicious activity was identified within its computer network. An investigation was launched, and it was confirmed that an unauthorized actor had access to its computer network from November 11, 2024, to May 14, 2025. During that time, sensitive data was exfiltrated from its network.

The file review confirmed that the following information was included in the exfiltrated files: names, dates of birth, presenting health issues, requested treatment, treatment location, and provider names. Its electronic medical record system was not accessed in the attack. TriCity Family Services said it is reviewing its policies, procedures, and processes related to the storage and access of sensitive information and will take steps to improve security to prevent similar incidents in the future.

While the nature of the incident was not disclosed, the INC Ransom ransomware group claimed responsibility for the attack and added TriCity Family Services to its dark web data leak site. INC Ransom claimed to have exfiltrated 22 GB of data in the attack.

HAP (Health Alliance Plan), Michigan

HAP (Health Alliance Plan) in Michigan has notified 1,059 individuals about the exposure of some of their protected health information as a result of a phishing attack. On October 24, 2025, an employee responded to a phishing email and inadvertently disclosed their credentials, allowing the threat actor to access their account. The investigation was unable to determine if any member information was accessed or acquired in the incident, so notification letters were sent to all potentially affected individuals. Protected health information in the account was limited to names, addresses, dates of birth, and HAP ID numbers, and for a limited number of individuals, Social Security numbers. The affected individuals have been offered two years of complimentary identity theft protection services as a precaution.

Zenflow, California

Zenflow, a San Francisco-based medical device company, has recently notified individuals about a security incident. Limited information about the incident has been released to date, such as when the incident occurred, the nature of the security breach, or for how long its computer systems were subject to unauthorized access. The data breach notice submitted to the Massachusetts Attorney General indicates that names and Social Security numbers were involved, and that single-bureau credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. It is currently unclear how many individuals have been affected.

The post MACT Health Board Patients Affected by November 2025 Ransomware Attack appeared first on The HIPAA Journal.

Munson Healthcare, the largest health system in Northern Michigan, has recently notified patients about unauthorized access to its electronic medical record system. The unauthorized access started as early as January 22, 2025, and was detected by its EHR vendor Cerner on February 20, 2025. Cerner, now Oracle Health, confirmed that a hacker gained access to two legacy Cerner servers and potentially stole a range of personal and health information. Munson Healthcare has confirmed that the stolen data included names, Social Security numbers, and information typically found in electronic medical records, such as medical record numbers, diagnoses, medications, test results, care and treatment information, and doctors’ names. The data on the servers was awaiting migration to the Oracle Cloud at the time of the data breach.

Munson Healthcare said Cerner took action to prevent further unauthorized access, engaged third-party cybersecurity experts to investigate the data breach, and notified law enforcement about the cyberattack. While Oracle Health publicly confirmed the cyberattack in March 2025, it has taken months for the affected healthcare providers to be notified, and many patients have only recently learned that their personal and health information was stolen in the incident. Munson Healthcare attributed the delay in issuing notifications to Cerner, which has previously stated that the delay was at the request of law enforcement so as not to interfere with the investigation.

Oracle Health has not confirmed exactly how many of its healthcare provider clients have been affected, nor the number of affected individuals. Multiple class action lawsuits have been filed in response to the data breach, and as part of the litigation, the company’s attorneys said up to 80 hospitals may have been affected. Munson Healthcare was one of the worst-affected clients, as 1,01,891 current and former patients have been affected. Munson Healthcare has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

Munson Healthcare’s Chief Legal Officer, Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the data breach last week. Attorney General Nessel is pushing for stronger consumer data protection laws to be enacted. New legislation was passed by the Senate last summer, but has yet to be passed by the House of Representatives. “These [notification] delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors,” said AG Nessel. “I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”

The post More than 100K Munson Healthcare Patient Affected by Cerner Cyberattack appeared first on The HIPAA Journal.

Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.

Laurel Health Centers

Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.

The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security numbers, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information and claim information.

Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Modern Health

Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.

In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.

The post Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach appeared first on The HIPAA Journal.

Columbia Medical Practice has experienced a ransomware attack in which patient data was stolen, and Jupiter Medical Center has notified patients that their personal and health information was stolen in a January 2025 security incident.

Columbia Medical Practice

Columbia Medical Practice in Columbia, Maryland, has recently confirmed that patient data was compromised in a November 2025 ransomware attack. The investigation confirmed that an unnamed threat actor accessed its network on November 5, 2025, and used malware to encrypt files. Prior to file encryption, files were exfiltrated, some of which contained patient information. Columbia Medical Practice said it was able to recover the encrypted files, and it is reviewing the affected files to determine the individuals affected and the exact types of data involved. The Qilin ransomware group claimed responsibility for the attack.

The electronic medical record system was not accessed; however, files on the compromised parts of its network contained names, addresses, phone numbers, birth dates, passport numbers, Social Security numbers, driver’s license numbers, other government identifiers, financial account information (but not information such as security codes that would permit access), health insurance information, patient account numbers, and health information, which may include diagnoses, diagnosis codes, treatment/condition information, prescription information, history information, dates of service, locations of service, assigned physician names and health services payment information. The types of information involved vary from individual to individual.

Columbia Medical Practice said it is evaluating additional technical measures, reviewing its cyber auditing practices, and reviewing and updating its policies and procedures to reduce the risk of similar incidents in the future. Notification letters will be mailed to the affected individuals when the file review is concluded. At present, the incident is not listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jupiter Medical Center

Jupiter Medical Center in Jupiter, Florida, has started notifying patients about unauthorized access to electronic medical records. Notification letters have only recently been sent, although the data breach occurred in January 2025. The breach involved its medical record vendor, Cerner (Now Oracle Health).

Jupiter was one of many healthcare providers affected by the breach. While Oracle Health has not confirmed publicly exactly how many of its clients were affected, in a recent lawsuit, Oracle Health’s attorneys said up to 80 hospitals may have been affected. Jupiter Medical Center said law enforcement requested delaying announcing the data breach and issuing notifications as it would potentially interfere with the law enforcement investigation.

The breach affected a limited number of patients and involved information typically found in medical records, as well as Social Security numbers. The affected individuals have been offered two years of complimentary credit monitoring services.

The post Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches appeared first on The HIPAA Journal.

Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.

Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.

While data breaches appear to have halved in October and November, it coincides with the U.S. government shutdown due to Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The significant backlog has taken some time to clear, and there may still be breach reports that have yet to be added to the breach portal from that period.

Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported, but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the fewest number of individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That’s the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.

The number of affected individuals in November 2025 was the lowest in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.

The Biggest Healthcare Data Breaches Reported in November 2025

In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.

The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding a further 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following investigation, was reduced to 126,953 individuals.  This was the largest email data breach of the month and involved unauthorized access to a single email account.

Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when data reviews are ongoing. In November, two data breaches were reported with 500 totals indicative of placeholder figures.

Causes of November 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).

Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median 2,491).

Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported as such. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, Pear, for example, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.

While a majority of the hacking incidents (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of incidents involved compromised email accounts.

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals), with three data breaches at health plans (129,118 affected individuals) and no data breaches at healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); however, a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.

Geographic Distribution of Healthcare Data Breaches

In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches.

While entities in Florida only experienced 2 large healthcare data breaches, the state had the highest number of affected individuals.

HIPAA Enforcement Activity in November 2025

The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.

This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.

The post November 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.

Central Maine Healthcare

Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.

Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.

The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.

Dermatology Associates, Kentucky

Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.

Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.

Reproductive Medicine Associates of Michigan

Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists were engaged to investigate the activity, who confirmed that data had been exfiltrated.

On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.

The post Central Maine Healthcare Data Breach Affects 145,000 Individuals appeared first on The HIPAA Journal.

The Minnesota Department of Human Services (DHS) has notified almost 304,000 individuals about unauthorized access to their demographic records. The records were stored in the MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support.

The system is managed by the third-party vendor, FEI Systems, which notified the Minnesota DHS in November about unauthorized access to data in the system by a user associated with a licensed healthcare provider. While there was a legitimate reason to access limited information in the system, some data was accessed without authorization by the user. The unauthorized access ceased on September 21, 2025, and the user’s access to the system was fully removed on October 30, 2025.

For the majority of affected individuals, the information accessed was limited to demographic information, although for 1,206 individuals, additional information was also accessed. Some medical information was accessed, and for certain individuals, the last four digits of their Social Security numbers. While the forensic investigation identified the categories of information accessed, it was not possible to determine, on a record-by-record basis, exactly what information was accessed for each individual. Due to the limited nature of the data accessed, Minnesota DHS is not providing the affected individuals with free credit monitoring services.

A forensic investigation was ordered to determine the exact types of information accessed and the individuals affected. At the time of issuing notification letters on January 16, 2026, no data misuse had been identified. Minnesota DHS has confirmed that the user no longer has access to the system, and additional safeguards have been implemented to prevent similar unauthorized access incidents in the future.

The DHS Office of Inspector General was made aware of the incident and has developed data-driven processes to monitor and evaluate billing information to determine whether there has been inappropriate or fraudulent use of the accessed data. Should any fraudulent use be identified, a thorough investigation will be conducted, and the matter will be reported to law enforcement. In that regard, the Minnesota DHS has requested that all individuals who receive a notification letter about the incident carefully review their health care statements and report any suspicious charges or services.

The post Minnesota Department of Human Services Data Breach Affects Over 300K Individuals appeared first on The HIPAA Journal.