Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 10,263 Minnesotans exposed.

The March phishing attack gave the attacker access to the email account of an employee in the Direct Care and Treatment Administration. The attacker then used that account to send emails to co-workers requesting that wire transfers be made. The requests were flagged as suspicious and reported to MNIT, which secured the account. No wire transfers were made.

While the account was under the attacker's control, emails in the account that contained protected health information may have been accessed. MNIT was unable to determine whether any PHI had been viewed or copied. The account contained names, contact information, dates of birth, treatment data, legal histories, and two Social Security numbers. No reports of misuse of PHI have been received.

Minnesota IT Services (MNIT) reported the breach to the FBI and, on April 9, 2019, DHS notified the Department of Health and Human Services’ Office for Civil Rights, the Office of the Legislative Auditor, credit reporting agencies, the media, and state senate and house representatives. Individual notices have also been sent to all individuals affected by the breach.

Since being notified about the breach, DHS hired a contractor to assess the contents of the email account to check for protected health information. Due to the number of emails in the account, that process took some time to complete. DHS says the account review was completed on March 21, 2019.

It is unclear from the DHS breach notification letter when the breach was discovered. DHS said MNIT provided details of the breach investigation on February 15, 2019. Breach notifications were issued to affected individuals within 60 days of DHS discovering the breach, as HIPAA requires, but the major delay lay in MNIT reporting the breach to DHS in the first place.

It took four months before notifications were issued to alert individuals about the previous two phishing attacks, and more than a year for individuals affected by this phishing attack to be notified.

State Government Agencies Suffer 700 Security Incidents in 10 Months

A senate hearing took place in October last year following the announcement of the other two phishing attacks. At the hearing it was made clear that MNIT was simply not prepared for the volume of cyberattacks and lacked the resources to deal with them.

MNIT explained at the hearing that it had dealt with more than 700 security incidents involving state government agencies up to October 2018, including 150 phishing attacks. State employees received an average of 22 phishing emails a day.

Up to October, the state government had experienced 80 cyberattacks that required manual analysis and 240 sets of employee credentials had been compromised. At the hearing, MNIT CISO Aaron Call explained that “the frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding.”

Since receiving notification about the latest breach, DHS has implemented additional security measures to prevent further phishing attacks. These include a tool that blocks links and attachments in emails sent to state employees. DHS says the tool would have prevented this and the previous breaches from occurring.
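To make the control described above concrete, the following is an added illustration of an inbound-mail policy that quarantines any message carrying a hyperlink or an attachment. It is not the tool MNIT or DHS deployed and nothing about that tool's internals is known from the notification; it uses only the Python standard library, and the three sample messages are constructed for the example. It looks at HTML href targets as well as visible text, because in phishing mail the two routinely differ.

```python
"""Added example: a link-and-attachment blocking policy for inbound mail.
Hypothetical illustration, not the MNIT/DHS tool. Standard library only."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Bare URLs in visible text. href= targets are extracted separately because
# the displayed text of an HTML link and its real target often differ.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")
HREF_RE = re.compile(r"""(?i)href\s*=\s*["']([^"']+)""")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse an RFC 5322 message using the modern EmailMessage policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def find_links(msg: EmailMessage) -> list[str]:
    """Collect URLs from every text body part, including HTML href targets."""
    links: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        links.extend(URL_RE.findall(body))
        if part.get_content_subtype() == "html":
            links.extend(HREF_RE.findall(body))
    return list(dict.fromkeys(links))  # de-duplicate, keep first-seen order


def find_attachments(msg: EmailMessage) -> list[str]:
    """Name every leaf part that is declared an attachment or is a non-text
    payload (inline images, PDFs and Office blobs count regardless of the
    Content-Disposition the sender chose)."""
    found: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_content_maintype() != "text":
            found.append(part.get_filename() or part.get_content_type())
    return found


def policy_verdict(raw: bytes) -> dict:
    """Decide what to do with one raw message.

    'action' is 'deliver' when the message carries neither links nor
    attachments, otherwise 'quarantine'; 'reasons' explains why, so a
    reviewer can release legitimate mail that was caught.
    """
    msg = parse_message(raw)
    links = find_links(msg)
    attachments = find_attachments(msg)
    reasons = []
    if links:
        reasons.append(f"{len(links)} hyperlink(s)")
    if attachments:
        reasons.append(f"{len(attachments)} attachment(s)")
    return {
        "subject": msg["subject"],
        "links": links,
        "attachments": attachments,
        "action": "quarantine" if reasons else "deliver",
        "reasons": reasons,
    }


# Constructed sample messages for the example (not real DHS mail).
CLEAN = b"""From: colleague@example.org
To: staff@example.org
Subject: Meeting moved to 3pm
Content-Type: text/plain; charset="utf-8"

The 2pm review is now at 3pm in room 4B.
"""

LURE = b"""From: payroll@example.org
To: staff@example.org
Subject: Action required: verify your mailbox
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is full. <a href="http://203.0.113.5/login">Click here</a> to verify.</p>
"""

INVOICE = b"""From: vendor@example.net
To: staff@example.org
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for raw in (CLEAN, LURE, INVOICE):
        v = policy_verdict(raw)
        print(f"{v['action']:10s} {v['subject']!r:45s} {', '.join(v['reasons'])}")
```

Run as a script it prints one verdict per sample: the meeting notice is delivered, the lure is quarantined for its hyperlink, and the invoice is quarantined for its PDF. A blanket policy like this is deliberately coarse, which is why the verdict keeps the matched links and attachment names: the operational cost of such a control is the review queue it creates, not the code.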

Policies and procedures have also been revised at DHS and MNIT has said it is now immediately reporting breaches to agency data practices or privacy staff to allow them to analyze the incidents to determine whether data have been exploited. DHS has said it is continuing to provide employees with training to help them identify increasingly sophisticated cyberattacks against DHS.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.