Ramsey County data breach may have affected nearly 118,000 people

Nearly 118,000 people who receive Ramsey County services may have had some personal or health information compromised when hackers breached the county's e-mail system in August 2018.

County officials had initially said more than 500 people were affected last winter, but officials dramatically increased that number Tuesday after hiring an outside data forensics firm that spent months evaluating what information may have been exposed.

The county has sent two different letters to people whose information may have been exposed during the breach.

One letter sent to 113,300 people Tuesday warns that personal information and "limited amounts of health-related information" may have been compromised. The other letter sent to 4,600 people starting in December warns that "names, addresses and social security numbers of individuals whose data is maintained by the county" may have been compromised.

Both letters offer an apology and information about credit monitoring.

County officials discovered unauthorized access to 28 county employee e-mail accounts on Aug. 9, 2018. Two of those employee e-mails contained information from the Minnesota Department of Human Services and St. Paul-Ramsey County Public Health Department.

Ramsey County stopped the intrusion the same day, notified law enforcement and beefed up its security.

"We do know the intent of the hackers was to try to steal employee paychecks," said Ramsey County spokesman John Siqveland. "We don't have any indication that other data in those accounts would have been of interest or viewed by the hackers, but we are providing notice to anyone who may have potentially had any health information exposed."

In the letter mailed this week, county officials say the compromised information may include names, addresses, birth dates and other identifiers, such as Women, Infants, and Children program identification numbers, appointment dates and appointment types.

According to the letter, "no social security numbers, financial information or credit card numbers, prescription or diagnosis information was exposed."

"The county does not know whether any of this information was actually viewed during the attack. The county is not aware of any misuse of the information," according to a statement from the county.

The county has notified the State Auditor's Office of the breach, along with the U.S. Department of Civil Rights and the media, as required by the Health Insurance Portability and Accountability Act, or HIPAA.

The notification letters are available at ramseycounty.us/publicnotice. The letter includes phone numbers to call with questions about the incident: 651-266-2275 or 1-833-812-4159.

Shannon Prather • 651-925-5037