Aitkin County Health and Human Services Data Breach Affects 81,000 Individuals
Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. Data breaches have also been confirmed by Decatur Diagnostic Laboratory in Alabama and Gem State Dermatology in Idaho.
Aitkin County Health and Human Services, Minnesota
Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. On April 8, 2026, an email account was found to be sending phishing emails. Immediate action was taken to secure its email system, and an investigation was launched to determine the scope of the breach. Assisted by third-party digital forensics experts, Aitkin County HHS determined that there had been unauthorized access to three employee email accounts between April 7, 2026, and April 8, 2026. The investigation confirmed that the contents of one of the accounts had been downloaded.
The accounts were reviewed and found to contain the protected health information of 83,114 individuals, including names, addresses, dates of birth, Social Security numbers, dates of service, locations of service, individual case identifying numbers, PMI numbers, medical or health information, diagnosis and/or treatment information, healthcare provider names, medications, health insurance identification numbers, information regarding the type and status of forms filed with MnCHOICES, the date forms were last modified, health insurance claims information and/or information related to services received by Aitkin County HHS. A report containing some of the above data types relating to individuals not associated with the County was also found in the email account.
Passwords have been changed, employees have received additional training on email cybersecurity practices, and efforts are continuing to raise awareness of phishing emails. The email retention policy has also been updated to reduce the impact of any future incidents, and additional cybersecurity measures and monitoring partnerships are being considered to strengthen security.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Decatur Diagnostic Laboratory, Alabama
Decatur Diagnostic Laboratory Inc., in Alabama, has recently reported a data breach to the HHS’ Office for Civil Rights using a placeholder estimate of at least 500 affected individuals. The clinical laboratory has added a breach notice to its website, which confirms that this was a hacking incident involving data exfiltration. The notice does not state when the breach was detected, or for how long the hacker had access to its network.
Decatur Diagnostic Laboratory has confirmed that the data exfiltrated in the attack included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, medical record number, and/or patient code. The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud over the next 24 months. The notice does not mention free credit monitoring and identity theft protection services. While this was not confirmed as a ransomware attack, a ransomware group has claimed responsibility. The LockBit 5 group claims it exfiltrated data in the attack and added the lab to its dark web data leak site.
Gem State Dermatology, Idaho
Improper disposal incidents are the rarest category of data breach. The first such incident of the year to date affects Gem State Dermatology in Boise, Idaho. On July 8, 2026, patient documents containing HIPAA-protected data were found in a dumpster three miles from the dermatology practice. A member of the public identified boxes of paperwork that appeared to be billing statements containing medical and personal information of patients of the dermatology practice. In addition to paperwork, what appeared to be thousands of microscope slides containing patient information, and presumably biological samples, were also found in the dumpster.
The material has now been collected by the practice, and an internal investigation has been launched to determine how the incident happened. At this early stage of the investigation, the practice is unable to confirm how any patients have been affected by the incident.


