UPDATES TO Dec. 11, 2018 Notification of Information Security Incident
On August 9, 2018, Ramsey County became aware of the unauthorized access to email accounts of 26 employees in an apparent scheme by an unknown outside party to divert employees' paychecks. Following the incident, Ramsey County took immediate steps to stop the intrusion and secure employee email accounts. The county then retained a data security firm to conduct further investigation. The firm's initial assessment was delivered on Oct. 12, 2018. It found that the hackers may have been able to see information about Ramsey County clients through the employee email accounts, including social security numbers, dates of birth, addresses and limited amounts of medical information. However, the county does not know whether any of this information was actually viewed during the attack.
Ramsey County has continued its investigation of potential impacts to clients and has provided periodic updates as new information has become available. Those updates follow:
UPDATE December 20, 2019: Beginning today, information security notices were mailed to thousands of clients of several non-HIPAA (Health Insurance Portability and Accountability Act) designated areas of Ramsey County. Some Ramsey County employees will be included in the mailing. Issuance of this group of notices is the last step in a process that began in August 2018. Clients of HIPAA-designated areas of the county whose private health information may have been compromised were prioritized first for comprehensive review and notification. Notifications to those clients began in December 2018 and has continued through September 2019 (see updates below). The Dec. 20, 2019 notice is being sent to clients (and some employees) who may have had non-health information compromised including names, addresses, social security numbers or other personally identifiable information.
UPDATE September 17, 2019: During the course of the ongoing internal investigation, on or about May 21, 2019, the county learned that limited amounts of health-related information had been identified in the email accounts of two employees related to services the county provides to various government agencies, such as administrative services to the Minnesota Department of Human Services (“DHS”) in support of the Child & Teen Checkups program (the “Program”), and administrative support to the St. Paul-Ramsey County Public Health Department. Roughly 113,267 additional individuals were potentially affected by the August 2018 information security incident. The information that may have been exposed includes names, addresses, dates of birth, and other identifiers of some Program participants, such as Women, Infants, and Children identification numbers, types, appointment dates and appointment types, patient master index numbers, household identification numbers, along with names of authorized representatives.
No social security numbers, financial or credit card information, prescription or diagnosis information was exposed.
The county does not know whether any of this information was actually viewed during the attack. The county is not aware of any misuse of the information.
The county, with assistance from DHS, identified individuals whose information may have been exposed and mailed notification letters to those affected Program participants at the most recent address available.
As of this update, the total number of individuals who may have had their individually identifiable health information compromised is now 117,905; the total number of notices mailed is now 116,255.
UPDATE July 1, 2019: In the time since the first group of about 500 notices were sent on Dec. 11, 2018, additional clients have been identified who may have had their individually identifiable health information compromised. The total number of individuals is now 4,638 and the number of notices mailed is 3,272. As these individuals have been identified through continued internal investigation, they have been mailed - at the address last known to Ramsey County - newly-dated copies of the letter linked below.
Dec. 11, 2018 Original Notice: About 500 clients of the Ramsey County Social Services department who may have had their individually identifiable health information compromised following an information security incident in August 2018 began receiving letters of notification today (Dec. 11, 2018) from Ramsey County.
The notification letter is available at ramseycounty.us/publicnotice. The letter includes a phone line for those with questions about the incident to call - 651-266-2275 (1-833-812-4159).
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of any breach of protected health information involving more than 500 individuals must be provided to media outlets. In addition, if there is insufficient contact information for more than 10 individuals, notice must be provided to media in the areas where affected individuals reside or on a website posting that is maintained for 90 days. Clients may find out whether their information has been affected by contacting us at the number above.
Posted December 11, 2018.
Update 1 posted April 16, 2019. 1,000+ notifications mailed.
Update 2 posted July 1, 2019.
Update 3 posted September 17, 2019.
Update 4 posted December 20, 2019.