What You Need to Know about the Minnesota Department of Human Services Data Breach

The Minnesota Department of Human Services (MN DHS) is a vital part of the state’s health plan industry. It is responsible for managing public health, welfare programs, and social services within the state, ensuring support for vulnerable populations and that millions of residents have seamless access to healthcare. 

The recent MN DHS data breach directly impacted FEI Systems, the managing vendor of MnCHOICES, one of the department’s network systems. According to the DHS, MnCHOICES supports tribal nations, counties, and managed care organizations that serve state residents who require long-term services and support needed for them to live a good life. It is used to determine eligibility for long-term services and support.

FEI Systems notified the DHS about unauthorized access to data in MnCHOICES by a user affiliated with a licensed healthcare provider. Even though the user had a legitimate reason to access some data in the system, they went on to access more than was intended for work assignments without authorization.

According to the notification published on the DHS website, the user accessed demographic records of more than 300,000 people, including additional information for about 1,206 of the affected individuals. FEI Systems’ investigation revealed the user accessed information such as first name, last name, date of birth, sex, Medicaid ID, phone number, and address. The last four digits of some affected individuals’ Social Security numbers were also accessed.

The MN DHS has, since January 16, 2026, mailed clients notification letters of the data breach to the affected individuals. In that letter, the DHS said it has yet to find any evidence the data accessed has been misused but only provided the notice out of an abundance of caution. The department also confirmed that the user no longer has access to MnCHOICES.

When Was the Minnesota Department of Human Services Data Breach?

The user affiliated with a licensed health care provider responsible for the DHS incident accessed data in the MnCHOICES system without authorization from August 28, 2025, to September 21, 2025. While the unauthorized access stopped on September 21, 2025, the user’s access was not fully removed until October 30, 2025.

By the time FEI  Systems detected the unusual user activity on November 18, 2025, the user had accessed more detailed information than was reasonably necessary to perform its work assignment. At the DHS’s request, FEI Systems hired a cybersecurity company to conduct additional forensic investigation of the incident to determine the exact type of data accesses and the people impacted.

Officials of the MN DHS said the state Office of Inspector General is monitoring billing information held on file to determine if any of the compromised data has been used to commit fraud. They also stated that the department will fully investigate any potential frauds it identifies and, when appropriate, refer them to law enforcement.

How to Check If Your Data Was Breached

The Minnesota Department of Human Services (DHS) already mailed out notification letters to individuals impacted by the recent data incident involving its MnCHOICES systems. You should have received your letter by now if your information was compromised.

However, if you did not receive a notification letter but think your information may have been exposed in the incident, here are a couple of ways to check your status:

• Monitor your credit reports, bank accounts, and insurance statements closely for suspicious activity. For example, any unauthorized charges, new accounts, or false claims in your insurance may indicate your data was compromised.
• Type your email in any reliable data breach-check website to determine if your information has been leaked. These websites typically reveal if your phone number, address, or email has appeared in known leaks, recent data dumps, or on the dark web.
• An unusually high volume of text messages appearing to be from MN DHS or legitimate companies may also be a sign that your information, including your phone number, was compromised. Pay close attention to communications asking you to click on suspicious links, but do not click on them, as they may be potential phishing attempts. 

What to Do If Your Data Was Breached

If your information was exposed in the Minnesota Department of Human Services (DHS) data breach, continue to check the department’s website for updates on the incident. You should also monitor your email for subsequent communications regarding the breach, even if you have received a notification letter. However, be alert for phishing calls or emails that attempt to exploit the incident to trick you into divulging more personal information.

The MN DHS is not offering affected individuals free credit monitoring services due to the limited nature of data accessed. However, you can sign up for credit monitoring or  identity theft protection services. These services alert you if your information is being misused and help you safeguard your personal data.

You may also consider placing a credit freeze on your credit reports to prevent unauthorized opening of new accounts in your name. Contact the three major credit bureaus, Experian, Equifax, and TransUnion, to place a credit freeze free of charge. Additionally, you may place a fraud alert on your credit file. This makes it difficult for anyone to misuse your information.

Furthermore, if you believe your Medicaid ID was compromised in the DHS data breach, you may contact your healthcare provider to request an account of disclosures to find out who has accessed your records. Afterward, you may contact the state Medicaid agency and request a new, secure Medicaid number to prevent unauthorized use of your health benefits.

Are There Any Lawsuits Because of the Data Breach?

Currently, there is no substantiated lawsuit against the Minnesota Department of Human Services (DHS) regarding the recent data breach that left personal details of over 300,000 individuals compromised. However, some law firms are investigating reports of the incident, stating the risks of identity theft and fraud for impacted individuals as reasons for the investigations. Some of these investigations may result in potential class-action lawsuits against the MN DHS.

Can My Minnesota Department of Human Services Information Be Used for Identity Theft?

Yes. The information you have on file with the Minnesota Department of Human Services could be used for identity theft if exposed in any data incident, including the recent one involving MnCHOICES. The recent breach left sensitive information, such as names, addresses, birthdates, phone numbers, partial Social Security numbers, and Medicaid IDs, exposed. Thieves who lay their hands on these pieces of information may commit identity theft and other fraud with them.

Data accessed from the incident could be used to open new accounts, file fraudulent tax returns, or obtain medical services in your name. Cybercriminals may also trade them on the dark web, where other thieves can acquire them for other malicious uses. For instance, thieves may use your Social Security number to open credit cards, take out loans, or establish utility services in your name. They may even secure employment while impersonating you.

With your phone number and address, a thief could create a customized phone call or text message and attempt to get you to divulge sensitive data through a phishing attack. In most cases, they deploy such attacks, pretending to be authorized representatives of legitimate organizations.

What Can You Do to Protect Yourself Online?

Cybercriminals are always digging around online systems looking for vulnerabilities through which they can strike. It therefore becomes important that you secure yourself in today’s digital age, especially with so much of your personal and professional lives conducted online in the thick of growing risks of cyber threats.

The following tips will help ensure that you confidently navigate the internet safely while also protecting yourself online: 

• Where possible, enable two-factor authentication (2FA) for an extra layer of security for your online accounts. When activated, you will need two forms of identification to access such accounts.
• Invest in anti-malware and antivirus software to help detect and remove malicious software from your internet devices, including your computers and mobile phones. Always keep the software up to date with the latest security patches.
• Constantly educate yourself about common cyber threats and how to recognize them, as well as data breach trends, through sites like IDStrong.
• When banking or shopping online, be sure that the website is secure by looking for a padlock icon in the address bar or https:// in the URL.
• Avoid sharing sensitive personal or financial data over public Wi-Fi networks, as they are usually less secure. If you must perform a sensitive transaction online over a public Wi-Fi network, consider using a virtual private network to encrypt your connection and protect your information.
• Adjust your social media accounts’ privacy settings and options to protect yourself. For example, you may consider restricting who follows you and avoid posting personal information commonly used for passwords or password security questions.
• Avoid opening attachments or clicking any links from sources you do not recognize, even if they appear to have been sent by legitimate organizations. Poor grammar and spelling, incorrect company names or URLs, and urgent calls to action are common signs that such communications are scams. 
• Use unique, strong passwords on every website where you have accounts. When creating a password, make sure it is at least 12 characters long and combines numbers, letters, and special symbols. Additionally, avoid using the same passwords across your online accounts.
• Monitor your credit cards and bank accounts regularly for suspicious activity such as transfers between accounts and purchases you did not authorize. When you find any unusual activity, contact your bank immediately.