Minnesota Department of Human Services Company CyberSecurity Posture

mn.gov
ISOSOC2 Type 1SOC2 Type 2PCI DSSHIPAAGDPR

The Minnesota Department of Human Services (DHS) helps provide essential services to Minnesota’s most vulnerable residents. Working with many others, including counties, tribes and non-profits, DHS helps ensure that Minnesota seniors, people with disabilities, children and others meet their basic needs and have the opportunity to reach their full potential DHS employs a highly talented and dedicated workforce committed to providing services that produce positive outcomes for clients in a cost-effective manner. Employees have an opportunity to make a difference in the lives of Minnesotans every day. Be a part of growing team of talented professionals! Career opportunities at DHS Public policy analysts Human Service Technicians (Direct Care) Administrative and executive assistants Accountants and auditors Budget and business analysts Doctors and pharmacists Mental Health Professional Educators Human Resources Licensed Alcohol & Drug Counselor Nurses and nursing assistants Physical therapists Rehabilitation therapists Researchers, planners and data analysts Social workers Attorneys Health care administrators Eligibility and benefits representatives Interns and fellows

Minnesota Department of Human Services A.I CyberSecurity Scoring

MDHS

Company Details

Linkedin ID:

minnesota-department-of-human-services

Website:

http://mn.gov/dhs

Employees number:

1,876

Number of followers:

34,170

NAICS:

92

Industry Type:

Government Administration

Homepage:

mn.gov

IP Addresses:

Scan still pending

Company ID:

MIN_3087173

Scan Status:

In-progress

AI scoreMDHS Risk Score (AI oriented)

Between 0 and 549

https://images.rankiteo.com/companyimages/minnesota-department-of-human-services.jpeg
MDHS Government Administration
Updated:
  • Powered by our proprietary A.I cyber incident model
  • Insurance preferes TPRM score to calculate premium
globalscoreMDHS Global Score (TPRM)

XXXX

https://images.rankiteo.com/companyimages/minnesota-department-of-human-services.jpeg
MDHS Government Administration
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Minnesota Department of Human Services

Critical
Current Score
224
C (Critical)
01000
9 incidents
-114.75 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

JANUARY 2026
314
Breach
16 Jan 2026 • FEI Systems: Minnesota Department of Human Services data breach impacts 300K
Minnesota DHS Data Breach Exposes Personal Information of Nearly 304,000 Individuals

**Minnesota DHS Data Breach Exposes Personal Information of Nearly 304,000 Individuals** In late August, an unauthorized user affiliated with a licensed healthcare provider accessed sensitive data in Minnesota’s **MnCHOICES** system a platform used by counties, tribes, and agencies to assess and plan long-term services for vulnerable populations. The breach persisted for nearly a month before being detected. The unauthorized access included **names, dates of birth, addresses, phone numbers, Medicaid IDs, and the last four digits of Social Security numbers** for nearly **304,000 individuals**. For **1,206 people**, additional details such as ethnicity, birth records, physical traits, education, income, and benefits were exposed. The user, who had legitimate but limited access to MnCHOICES, **exceeded their authorized permissions** by retrieving more data than necessary for their role. Access was revoked on **October 30** after **FEI Systems**, the vendor managing the system, detected unusual activity in mid-November and reported it to the state. A forensic investigation was subsequently launched. The **Minnesota Department of Human Services (DHS)** stated there is **no evidence the data was misused**, though the **Office of Inspector General** is monitoring billing records for potential fraud. Affected individuals were notified via a **January 16 letter**, nearly four months after the breach occurred. The delay was attributed to the need to verify impacted records and complete the investigation before issuing notices. In response, DHS implemented **additional technical safeguards** and reported the incident to the **Minnesota Office of the Legislative Auditor** and the **U.S. Department of Health and Human Services**. The breach highlights vulnerabilities in systems handling sensitive health and social services data.

222
critical -92
FEI1768877970
Incident Details -
Type
Data Breach
Attack Vector
Unauthorized Access
Vulnerability Exploited
Excessive Permissions
Impact
Data Compromised: Personal Information, Medicaid IDs, Last Four Digits of SSNs, Ethnicity, Birth Records, Physical Traits, Education, Income, Benefits Systems Affected: MnCHOICES System Brand Reputation Impact: Yes Identity Theft Risk: Yes
Response
Incident Response Plan Activated: Yes Third Party Assistance: FEI Systems (Forensic Investigation) Containment Measures: Access revoked on October 30, 2023 Remediation Measures: Additional technical safeguards implemented Communication Strategy: Affected individuals notified via letter on January 16, 2024
Data Breach
Personal Identifiable Information Medicaid IDs Social Security Numbers (Last Four Digits) Ethnicity Birth Records Physical Traits Education Income Benefits Number Of Records Exposed: 304,000 (1,206 with additional sensitive data) Sensitivity Of Data: High Data Exfiltration: No evidence of misuse Personally Identifiable Information: Yes
Regulatory Compliance
Minnesota Office of the Legislative Auditor U.S. Department of Health and Human Services
Lessons Learned
Vulnerabilities in systems handling sensitive health and social services data; need for stricter access controls and monitoring.
Recommendations
Implement additional technical safeguards, enhance monitoring of user permissions, and expedite breach notification processes.
Investigation Status
Completed
Customer Advisories
Affected individuals notified via letter on January 16, 2024
Post Incident Analysis
Root Causes: Excessive user permissions, delayed detection of unauthorized access Corrective Actions: Additional technical safeguards implemented, stricter access controls
References
Blog URL Source URL
DECEMBER 2025
301
NOVEMBER 2025
383
Breach
01 Nov 2025 • FEI Systems and Minnesota Department of Health and Human Services: Minnesota Health Program Faces Data Breach Affecting 300,000
Minnesota DHS Reports Data Breach Affecting 300,000 in MnCHOICES Program

**Minnesota DHS Reports Data Breach Affecting 300,000 in MnCHOICES Program** The Minnesota Department of Health and Human Services (DHS) is notifying residents after a data breach exposed sensitive information from approximately 300,000 users of the **MnCHOICES** program. The incident, discovered in **November**, involved unauthorized access by a **"provider-associated" user** within the web-based system, which is used by counties, Tribal Nations, and managed care facilities to assess long-term care and support eligibility. **FEI Systems**, the vendor managing the program, alerted state officials to the breach. While the unauthorized user has since been blocked, a forensic analysis confirmed that the accessed data has **not been misused**. The compromised information may include personal and medical details used in eligibility determinations. Affected individuals will receive letters from the Minnesota DHS with guidance to monitor their medical statements for suspicious activity. The **Minnesota DHS Office of Inspector General** is leading the ongoing investigation into the incident.

292
critical -91
FEIMIN1769103080
Incident Details -
Type
Data Breach
Attack Vector
Unauthorized access by insider
Impact
Data Compromised: Personal and medical details used in eligibility determinations Systems Affected: MnCHOICES web-based system Identity Theft Risk: High
Response
Third Party Assistance: FEI Systems (forensic analysis) Containment Measures: Unauthorized user blocked Communication Strategy: Affected individuals notified via letters with guidance to monitor medical statements
Data Breach
Personal information Medical details Number Of Records Exposed: 300,000 Sensitivity Of Data: High Data Exfiltration: Not confirmed Personally Identifiable Information: Yes
Investigation Status
Ongoing (led by Minnesota DHS Office of Inspector General)
Customer Advisories
Letters sent to affected individuals with monitoring guidance
References
Blog URL Source URL
OCTOBER 2025
383
SEPTEMBER 2025
558
Breach
21 Sep 2025 • FEI Systems and Minnesota Department of Human Services: Minnesota Agency Notifies 304,000 of Vendor Breach
Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor System

**Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor System** The Minnesota Department of Human Services (DHS) is notifying nearly 304,000 individuals of a data breach involving unauthorized access to its **MnChoices** system, a third-party IT platform managed by **FEI Systems**. The system is used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support. The breach was detected on **November 18, 2025**, when FEI Systems identified "unusual user activity" and reported it to DHS the following day. An investigation revealed that a **healthcare worker affiliated with a licensed provider** accessed data beyond their authorized scope between **August 28 and September 21, 2025**. The state revoked the provider’s access on **October 30, 2025**, and FEI commissioned a forensic review at DHS’s request. Exposed data includes **names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, and sensitive details** such as ethnicity, income, and program eligibility. While **303,965 individuals** had demographic information accessed, an additional **1,206** had more extensive records compromised. Authorities found **no evidence of external hacking**, and the **DHS Office of Inspector General** is monitoring for potential fraud. The incident was reported to the **Minnesota Office of the Legislative Auditor** and the **U.S. Department of Health and Human Services** as a **HIPAA breach**. Since the unauthorized user was not a DHS employee, no disciplinary action was taken by the agency. FEI Systems has not provided further comment.

374
critical -184
FEIMIN1768969952
Incident Details -
Type
Data Breach
Attack Vector
Insider Threat
Vulnerability Exploited
Unauthorized access by authorized user
Impact
Data Compromised: Names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, ethnicity, income, program eligibility Systems Affected: MnChoices system (FEI Systems) Identity Theft Risk: Yes
Response
Third Party Assistance: Forensic review commissioned by FEI Systems Containment Measures: Access revoked for the unauthorized provider on October 30, 2025 Communication Strategy: Notifications sent to affected individuals
Data Breach
Type Of Data Compromised: Personally Identifiable Information (PII), Protected Health Information (PHI), Medicaid IDs, partial SSNs, demographic data, program eligibility details Number Of Records Exposed: 304,000+ Sensitivity Of Data: High Personally Identifiable Information: Names, addresses, dates of birth, partial Social Security numbers, ethnicity, income
Regulatory Compliance
Regulations Violated: HIPAA Regulatory Notifications: Reported to U.S. Department of Health and Human Services, Minnesota Office of the Legislative Auditor
Investigation Status
Ongoing (DHS Office of Inspector General monitoring for fraud)
Customer Advisories
Notifications sent to affected individuals
Post Incident Analysis
Root Causes: Unauthorized access by an authorized user beyond their scope
References
Blog URL Source URL
Breach
21 Sep 2025 • FEI Systems and Minnesota Department of Human Services: Minnesota Agency Notifies 304,000 of Vendor Breach
Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor Access Misuse

**Minnesota Agency Reports 304,000-Person Data Breach Linked to Vendor Access Misuse** The Minnesota Department of Human Services (DHS) has notified nearly 304,000 individuals of a data breach involving unauthorized access to its *MnChoices* system, a platform used by counties, tribal nations, and managed care organizations to assess eligibility for long-term services, including disability, housing, and mental health support. The system is managed by third-party vendor **FEI Systems**. On **November 18, 2025**, FEI detected "unusual user activity" and reported it to DHS the following day. An investigation revealed that between **August 28 and September 21, 2025**, a worker affiliated with a licensed healthcare provider accessed data beyond their authorized scope. While the user had legitimate access to limited information, they retrieved more data than necessary for their role. DHS revoked the provider’s access on **October 30, 2025**. The breach exposed **demographic details** for 303,965 individuals, with an additional subset of 1,206 affected by further data exposure. Compromised information includes names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, ethnicity, race, financial eligibility details, and program-specific data. Authorities found **no evidence of external hacking**. The DHS Office of Inspector General is monitoring billing records for potential fraud, while the incident has been reported to the **Minnesota Office of the Legislative Auditor** and the **U.S. Department of Health and Human Services** as a **HIPAA breach**. Since the user was not a DHS employee, no disciplinary action was taken by the agency. FEI has not provided further comment.

374
critical -184
FEIMIN1768948386
Incident Details -
Type
Data Breach
Attack Vector
Insider Threat
Vulnerability Exploited
Excessive Data Access Permissions
Impact
Data Compromised: Demographic details, names, addresses, dates of birth, Medicaid IDs, partial Social Security numbers, ethnicity, race, financial eligibility details, and program-specific data Systems Affected: MnChoices system Identity Theft Risk: High
Response
Containment Measures: Access revoked for the provider on October 30, 2025 Communication Strategy: Notification to affected individuals
Data Breach
Type Of Data Compromised: Personally Identifiable Information (PII), Medicaid IDs, partial SSNs, demographic data, financial eligibility details, program-specific data Number Of Records Exposed: 303,965 (plus 1,206 with additional exposure) Sensitivity Of Data: High Personally Identifiable Information: Names, addresses, dates of birth, partial Social Security numbers, ethnicity, race
Regulatory Compliance
HIPAA Minnesota Office of the Legislative Auditor U.S. Department of Health and Human Services
Investigation Status
Ongoing (DHS Office of Inspector General monitoring billing records for fraud)
Customer Advisories
Notification sent to affected individuals
Post Incident Analysis
Root Causes: Excessive data access permissions granted to a third-party worker
References
Blog URL Source URL
SEPTEMBER 2025
649
Breach
16 Sep 2025 • Minnesota Department of Human Services: Minnesota Department of Human Services data breach impacts 300K
Minnesota Department of Human Services Data Breach

**Minnesota Department of Human Services Data Breach Exposes Personal Information of 304,000 Individuals** A data breach at the Minnesota Department of Human Services (DHS) compromised the private information of nearly 304,000 individuals, the agency disclosed in a January 16 notification letter. The unauthorized access occurred approximately four months before affected individuals were informed. The breach involved a system managed by the DHS, though the department stated there is no current evidence that the exposed data was misused. To mitigate potential risks, the agency’s Office of Inspector General is actively monitoring billing records for signs of fraudulent activity. Impacted individuals were advised to review their healthcare statements and credit reports for suspicious activity. The DHS has not provided further details on the cause of the breach or the specific types of data accessed. The incident highlights ongoing vulnerabilities in state-managed systems handling sensitive personal information.

557
critical -92
MIN1768885020
Incident Details -
Type
Data Breach
Impact
Data Compromised: Personal information of 304,000 individuals Systems Affected: DHS-managed system Identity Theft Risk: Potential risk due to exposed personal information
Response
Communication Strategy: Notification letter sent to affected individuals Enhanced Monitoring: Active monitoring of billing records for fraudulent activity by the Office of Inspector General
Data Breach
Type Of Data Compromised: Personal information Number Of Records Exposed: 304,000 Sensitivity Of Data: High (private information) Personally Identifiable Information: Yes
Recommendations
Affected individuals were advised to review their healthcare statements and credit reports for suspicious activity.
Investigation Status
Ongoing
Customer Advisories
Review healthcare statements and credit reports for suspicious activity.
References
Blog URL Source URL
AUGUST 2025
648
JULY 2025
646
JUNE 2025
643
MAY 2025
641
APRIL 2025
700
MARCH 2025
636
FEBRUARY 2025
698
AUGUST 2023
669
Breach
01 Aug 2023 • Minnesota Department of Human Services: Data breach compromised records of 300K people at Minnesota human services department
Minnesota DHS Data Breach Affecting 304,000 Individuals

**Minnesota DHS Reports Data Breach Affecting 304,000 Individuals** The Minnesota Department of Human Services (DHS) recently disclosed a data breach impacting nearly 304,000 state residents, stemming from unauthorized access to the **MnCHOICES** system a platform used by counties, tribes, and managed care organizations to support individuals requiring long-term services. The breach began in **late August 2023**, when a user affiliated with a healthcare provider accessed state data without proper authorization. While the individual had legitimate access to some MnCHOICES data, they exceeded their permissions, retrieving sensitive information over a **one-month period**. By the time the breach was detected on **November 18, 2023**, the unauthorized access had exposed **demographic records, income data, and educational backgrounds** of hundreds of thousands of individuals. For over **1,200 people**, the breach included more detailed personal information, such as **names, phone numbers, dates of birth, addresses, Medicaid ID numbers, and partial Social Security numbers**. The state’s investigation, conducted with assistance from **FEI Systems** (the IT vendor managing MnCHOICES) and an external cybersecurity firm, found **no evidence of data misuse**. However, notifications were issued **out of caution**. The **Minnesota Office of Inspector General** is monitoring billing records for potential fraud, with plans to refer any suspicious activity to law enforcement. The DHS has not disclosed the identity of the unauthorized user or the healthcare provider involved. The incident highlights vulnerabilities in systems handling sensitive health and demographic data.

577
critical -92
MIN1768941399
Incident Details -
Type
Data Breach
Attack Vector
Unauthorized Access
Vulnerability Exploited
Excessive Permissions
Impact
Data Compromised: Demographic records, income data, educational backgrounds, names, phone numbers, dates of birth, addresses, Medicaid ID numbers, partial Social Security numbers Systems Affected: MnCHOICES system Brand Reputation Impact: Potential reputational damage to Minnesota DHS Identity Theft Risk: High for 1,200 individuals with exposed sensitive data
Response
Third Party Assistance: FEI Systems, External Cybersecurity Firm Communication Strategy: Notifications issued to affected individuals Enhanced Monitoring: Monitoring by Minnesota Office of Inspector General for potential fraud
Data Breach
Demographic records Income data Educational backgrounds Names Phone numbers Dates of birth Addresses Medicaid ID numbers Partial Social Security numbers Number Of Records Exposed: 304,000 (1,200 with sensitive data) Sensitivity Of Data: High for 1,200 individuals Personally Identifiable Information: Yes
Lessons Learned
Highlights vulnerabilities in systems handling sensitive health and demographic data, particularly regarding permission controls.
Investigation Status
Completed (no evidence of data misuse found)
Customer Advisories
Notifications issued to affected individuals
Post Incident Analysis
Root Causes: Unauthorized access due to excessive permissions granted to a user affiliated with a healthcare provider
References
Blog URL Source URL
NOVEMBER 2022
732
Data Leak
01 Nov 2022 • Minnesota Department of Human Services
Minnesota DHS Data Breach

Minnesota Department of Human Services (DHS) suffered a data breach incident after a DHS employee accidentally emailed the parent billing statements of 4,307 individuals involved in the program. The billing statements included first and last names, addresses, DHS-generated billing account numbers, and parental fee account activity. DHS implemented new procedures to address the error that led to the incident, and communicated these procedure changes to staff.

651
high -81
MIN164122123
Incident Details -
Type
Data Breach
Attack Vector
Human Error
Vulnerability Exploited
Human Error
Impact
first and last names addresses DHS-generated billing account numbers parental fee account activity
Response
Implemented new procedures to address the error Communicated procedure changes to staff
Data Breach
Personal Information Account Information Sensitivity Of Data: Medium first and last names addresses
Post Incident Analysis
Root Causes: Human Error Implemented new procedures to address the error Communicated procedure changes to staff
References
Blog URL Source URL
JUNE 2020
713
Vulnerability
16 Jun 2020 • Minnesota Department of Human Services (DHS)
Lack of Security Reviews Left Minnesota SNAP System Vulnerable to Breaches and Fraud

The Minnesota Department of Human Services (DHS) failed to conduct mandatory security reviews of its Supplemental Nutrition Assistance Program (SNAP) computer system in **2020 and 2023**, as revealed by federal audits. This system stores highly sensitive personal data of over **440,000 SNAP beneficiaries**, including private financial and identification details. The omission of these reviews was attributed to **resource constraints**, leaving the system vulnerable to **un detected security gaps, breaches, or fraud risks**. While the agency claimed compliance in **March 2024** under the new oversight of the Department of Children, Youth and Families (DCYF), beneficiaries expressed deep concerns over **data privacy and trust erosion** in public assistance programs. The exposed vulnerabilities could enable unauthorized access to confidential records, potentially leading to **identity theft, financial fraud, or misuse of personal information**. The audits explicitly warned that such negligence **heightens the likelihood of a breach**, though no confirmed incident was reported. The failure underscores systemic weaknesses in safeguarding critical welfare infrastructure, risking long-term reputational and operational damage.

708
critical -5
MIN3124431112425
Incident Details -
Type
Security Oversight Compliance Failure Potential Data Vulnerability
Vulnerability Exploited
Lack of Security Reviews Unpatched Security Gaps Resource Constraints in DHS
Impact
SNAP Eligibility Determination System Increased Risk of Breaches Potential Fraud Erosion of Public Trust Concerns from SNAP Beneficiaries Over Data Security Loss of Trust in Public Assistance Programs Potential Risk Due to Unsecured Personal Data
Response
Security Plan Review and Certification (March 2024) Ongoing Certification Process for 2025 Public Statements by DCYF Commissioner Tikki Brown Media Coverage via 5 INVESTIGATES
Data Breach
Personal Data of SNAP Beneficiaries (High) Potential Exposure (Names, Addresses, Financial Data, etc.)
Regulatory Compliance
Federal Single Audit Requirements for Information System Security Reviews
Lessons Learned
Regular security reviews and resource allocation are critical to preventing vulnerabilities in systems handling sensitive public welfare data. Delays in compliance can erode public trust and increase risks of fraud or breaches.
Recommendations
Prioritize and fund mandatory security reviews for systems handling sensitive data. Implement continuous monitoring and third-party audits to ensure compliance. Enhance transparency with beneficiaries regarding data security measures. Allocate dedicated resources for cybersecurity within public welfare agencies.
Investigation Status
Ongoing (Media Investigation by 5 INVESTIGATES; DCYF Claims Remediation Underway)
Customer Advisories
Public Statements by DCYF Commissioner Addressing Concerns
Initial Access Broker
SNAP Eligibility System Database
Post Incident Analysis
Lack of Resources in DHS for Security Reviews Failure to Comply with Federal Audit Requirements Inadequate Oversight of Critical Public Welfare Systems Security Plan Certification (March 2024) by DCYF Ongoing Certification Process for 2025 Media Engagement to Rebuild Public Trust
References
Blog URL Source URL
MARCH 2018
767
Breach
01 Mar 2018 • Minnesota Department of Human Services
Minnesota Department of Human Services Data Breach

Minnesota Department of Human Services suffered a data breach through an employee’s e-mail account. The attack exposed the personal information of about 11,000 people. The hackers were immediately detected and the servers were secured.

679
critical -88
MIN21149222
Incident Details -
Type
Data Breach
Attack Vector
Email Compromise
Vulnerability Exploited
Compromised Email Account
Impact
Personal Information Email Servers
Response
Secured Servers
Data Breach
Type Of Data Compromised: Personal Information
Initial Access Broker
Entry Point: Compromised Email Account
References
Blog URL Source URL

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Minnesota Department of Human Services is 224, which corresponds to a Critical rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 301.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 292.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 383.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 649.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 648.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 646.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 643.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 641.

According to Rankiteo, the A.I. Rankiteo Cyber Score for April 2025 was 700.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2025 was 636.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2025 was 698.

Over the past 12 months, the average per-incident point impact on Minnesota Department of Human Services’s A.I Rankiteo Cyber Score has been -114.75 points.

You can access Minnesota Department of Human Services’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/minnesota-department-of-human-services.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Minnesota Department of Human Services’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/minnesota-department-of-human-services.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.