Minnesota DHS Data Breach Exposes Personal Information of Nearly 304,000 Individuals In late August, an unauthorized user affiliated with a licensed healthcare provider accessed sensitive data in Minnesota’s MnCHOICES system a platform used by counties, tribes, and agencies to assess and plan long-term services for vulnerable populations. The breach persisted for nearly a month before being detected. The unauthorized access included names, dates of birth, addresses, phone numbers, Medicaid IDs, and the last four digits of Social Security numbers for nearly 304,000 individuals. For 1,206 people, additional details such as ethnicity, birth records, physical traits, education, income, and benefits were exposed. The user, who had legitimate but limited access to MnCHOICES, exceeded their authorized permissions by retrieving more data than necessary for their role. Access was revoked on October 30 after FEI Systems, the vendor managing the system, detected unusual activity in mid-November and reported it to the state. A forensic investigation was subsequently launched. The Minnesota Department of Human Services (DHS) stated there is no evidence the data was misused, though the Office of Inspector General is monitoring billing records for potential fraud. Affected individuals were notified via a January 16 letter, nearly four months after the breach occurred. The delay was attributed to the need to verify impacted records and complete the investigation before issuing notices. In response, DHS implemented additional technical safeguards and reported the incident to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services. The breach highlights vulnerabilities in systems handling sensitive health and social services data.

Minnesota DHS Reports Data Breach Affecting 300,000 in MnCHOICES Program The Minnesota Department of Health and Human Services (DHS) is notifying residents after a data breach exposed sensitive information from approximately 300,000 users of the MnCHOICES program. The incident, discovered in November, involved unauthorized access by a "provider-associated" user within the web-based system, which is used by counties, Tribal Nations, and managed care facilities to assess long-term care and support eligibility. FEI Systems, the vendor managing the program, alerted state officials to the breach. While the unauthorized user has since been blocked, a forensic analysis confirmed that the accessed data has not been misused. The compromised information may include personal and medical details used in eligibility determinations. Affected individuals will receive letters from the Minnesota DHS with guidance to monitor their medical statements for suspicious activity. The Minnesota DHS Office of Inspector General is leading the ongoing investigation into the incident.

Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor System The Minnesota Department of Human Services (DHS) is notifying nearly 304,000 individuals of a data breach involving unauthorized access to its MnChoices system, a third-party IT platform managed by FEI Systems. The system is used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support. The breach was detected on November 18, 2025, when FEI Systems identified "unusual user activity" and reported it to DHS the following day. An investigation revealed that a healthcare worker affiliated with a licensed provider accessed data beyond their authorized scope between August 28 and September 21, 2025. The state revoked the provider’s access on October 30, 2025, and FEI commissioned a forensic review at DHS’s request. Exposed data includes names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, and sensitive details such as ethnicity, income, and program eligibility. While 303,965 individuals had demographic information accessed, an additional 1,206 had more extensive records compromised. Authorities found no evidence of external hacking, and the DHS Office of Inspector General is monitoring for potential fraud. The incident was reported to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services as a HIPAA breach. Since the unauthorized user was not a DHS employee, no disciplinary action was taken by the agency. FEI Systems has not provided further comment.

Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor Access Misuse The Minnesota Department of Human Services (DHS) has notified nearly 304,000 individuals of a data breach involving unauthorized access to its MnChoices system, a platform used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support. The system is managed by third-party vendor FEI Systems. On November 18, 2025, FEI detected "unusual user activity" and reported it to DHS the following day. An investigation revealed that between August 28 and September 21, 2025, a worker affiliated with a licensed healthcare provider accessed data beyond their authorized scope. While the user had legitimate access to limited information, they retrieved more data than necessary for their role. DHS revoked the provider’s access on October 30, 2025. The breach exposed demographic details for 303,965 individuals, with an additional subset of 1,206 affected by further data exposure. Compromised information includes names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, ethnicity, race, financial eligibility details, and program-specific data. Authorities found no evidence of external hacking. The DHS Office of Inspector General is monitoring billing records for potential fraud, while the incident has been reported to the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services as a HIPAA breach. Since the user was not a DHS employee, no disciplinary action was taken by the agency. FEI has not provided further comment.