The Minnesota Star Tribune reports:
A breach in a Minnesota Department of Human Services system allowed inappropriate access to the private data of nearly 304,000 people.
There is not evidence the data was misused, the department said in a Jan. 16 letter notifying impacted individuals. The letter was sent about four months after the breach occurred.
[…]
For nearly a month starting in late August, a user affiliated with a licensed health care provider accessed data in the state MnCHOICES system without authorization, the notification letter states. Counties, tribes and others use the MnCHOICES system to do assessments and planning for Minnesotans who need long-term services and supports.
The user accessed people’s names, sex, date of birth, phone number, address, Medicaid ID and the last four digits of their social security number. They got additional data for 1,206 people, including demographic information, such as their ethnicity, birth record, physical traits, education, income and benefits.
Read more at Minnesota Star Tribune.
The MN DHS statement from its website:
On January 16, 2026, the Minnesota Department of Human Services mailed clients notification of a data breach involving its MnCHOICES system. The system is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for Minnesotans needing long-term services and supports.
In November, DHS received notification from FEI Systems, the vendor that manages MnCHOICES, indicating a provider-associated user had accessed the demographic records of over 300,000 individuals and additional information for 1,206 of those individuals. The user no longer has access.
DHS ordered a forensic investigation be completed by the vendor. At this time there is no evidence information has been misused. Additional safeguards have been put in place to prevent similar incidents. A sample individual breach notification for both sets of impacted individuals client letter is attached for your reference. More information about MnCHOICES can be found, here.
The DHS Office of Inspector General is aware of this incident and has developed data-driven processes to monitor and evaluate billing information, in an effort identify whether there was fraudulent or inappropriate use of the accessed data. If potential fraud is identified, DHS will fully investigate and when appropriate refer those matters to law enforcement. DHS has also requested individuals affected by this breach partner with us, by reviewing their health care statements and reporting any suspicious charges or services.
The January 16 notification letter explains more about what happened:
DHS’ MnCHOICES system is managed by FEI.com, Inc. under the business name FEI Systems (FEI). On November 18, 2025, FEI detected unusual user activity and reported its finding to DHS on November 19, 2025.
FEI informed DHS that from August 28, 2025, to September 21, 2025, a user affiliated with a licensed health care provider accessed data in the MnCHOICES system without authorization. While FEI confirmed the user was authorized to access limited data in the system, the user accessed more data than was reasonably necessary to perform work assignments. At the request of DHS, FEI has hired a cybersecurity company to conduct additional forensic investigation of the incident.
