The Minnesota Department of Human Services’ vendor breach was not the only recent breach disclosed that affected more than 300,000 people. Monroe University in New York also disclosed a breach involving a lot of sensitive information. From their January 13 notification letter:
We are posting this notice to inform our community of a data security incident. We have learned that an unauthorized party gained access to certain Monroe University computer systems between December 9, 2024 and December 23, 2024 and acquired copies of some files on our network during that time. We reviewed these files and, on September 30, 2025, determined that they contained some personal information for certain individuals. The type of information involved varied by person but may have included one or more of the following: name, date of birth, Social Security number, driver’s license number, passport number, government identification number, medical information, health insurance information, electronic account or email username and password, financial account information, and/or student data.
As reported to the Maine Attorney General’s Office, the breach affected a total of 320,973 people.
The incident has not appeared on HHS’s public breach tool for breaches affecting more than 500 people covered by HIPAA, so the number of patients or health plan members affected is not yet clear.
No criminal gang has claimed responsibility for the breach and data from it does not appear to have been leaked as of publication, but since these are the types of data that are attractive to criminals, we may see them for sale online at some point.
