Data breaches refer to unauthorized attainment of personal or financial information, which would compromise the confidentiality, security, and integrity of the data that the host holds. Cybercriminals typically use the information obtained without authorization for their interests, such as identity theft or system compromise. In Minnesota, data breaches are prevalent, with the most common being email hacking, malware, ransomware, and phishing. Minnesota ranks 24th in victims per state, with over $103 million in losses in 2022. The most affected areas are government-facilitated healthcare and educational institutions.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
Identity Theft
Telephone and Mobile Services
Prizes, Sweepstakes and Lotteries
Online Shopping and Negative Reviews
Banks and Lenders
Credit Bureaus, Iformation Furnishers and Report Users
Debt Collection
Internet Services
Auto Related

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Bank Fraud
Government Documents or Benefits Fraud
Employment or Tax-Related Fraud
Loan or Lease Fraud
Phone or Utilities Fraud

Minnesota's Recent Biggest Data Breaches


University of Minnesota

In July 2023, the University of Minnesota became aware of a system breach of its database. It immediately intervened and began an investigation to assess the point of the breach. The investigation determined that the data breach affected people who submitted their information as prospective applicants, students, employees, and university program participants. It entailed names, telephone numbers, driver's licenses, Social Security, and university identification numbers. It also provided a statement indicating the safety and privacy of all university personnel are a main priority. The university also increased its vigilance in securing maintained information. However, ongoing scans of the institution's electronic systems have yet to reveal suspicious activity.


Minnesota Department of Education (MDE)

In May 2023, Minnesota I.T. Services serving the state's Department of Education became aware of a data breach courtesy of a third party's vulnerability. An unauthorized party obtained MDE data on a MOVEit server. The Department of Education took steps to secure their data and began an investigation to determine the effects of the breach as well as who was affected. The files accessed were from 95,000 students who were in foster care. They included names, birth dates, and counties where the students had been placed. No financial information, though, was included in any of the files within the data breach. The Department also indicated they were working to notify affected individuals.


Netgain Technology Ransomware Attack

In December 2020, Netgain, a vendor for Minnesota-based family medical practice Associated Eye Care, was a victim of a data breach that compromised the information of 200,000 individuals. Upon being notified, they began an investigation to determine what information was exposed. AEC underwent extensive data mining to identify all of the affected individuals. Some of the exposed data included names, addresses, medical histories, and Social Security numbers. Class action lawsuits were filed against Netgain following the breach because the notification to healthcare clients was delayed unreasonably.


Children's Minnesota Foundation

Between February and May 2020, the Children Minnesota Foundation's network was breached via its cloud-based service provider, Blackbaud. It discovered that an unauthorized individual gained access to their systems and attained backup copies of databases utilized by the clientele. The information accessed included names, addresses, phone numbers, birth dates, gender, medical records, dates of treatment, and locations. In Minnesota, 160,268 were affected because of the data breach. Blackbaud indicated no reason to believe the information was distributed or misused; however, affected individuals are advised to check their credit records regularly. Blackbaud was sued because it failed to reveal the data breach for months, though. It had to agree to a settlement worth $780,000 to the state of Minnesota.


Central Minnesota Mental Health Center Email Breach

In October 2021, the Central Minnesota Mental Health Center became aware of a data breach that exposed the data of 28,725 people. Following this discovery, the organization moved to secure its email accounts and engaged third-party investigators. They also took steps toward preventing further unauthorized access to their systems. The investigation also determined that personal information such as doctor's names, addresses, clinical information, and treatment locations were exposed.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

An entity must disclose any data breach to the affected individuals who are subjects when an information compromise has occurred. According to the state regulations, a notice has to be in writing, inform of a breach investigation, and be sent without unreasonable delay. If a breach is to be sent to more than 1,000 people, the entity must also notify consumer reporting agencies. Personal information is classified as names, Social Security numbers, driver's licenses, accounts, and credit card or debit card numbers. Personal information, though, does not include any publicly available data that is lawfully revealed to everyone.

The Minnesota Department of Administration indicates that notices being sent to residents have to include a description of the data breach, the entity's name and contacts, as well as the personal information types compromised. It also recommended additional actions like free credit reports and security freezes.

Communication with the state residents can be done by electronic, email, or written notices. It is possible for a substitute notice to be given if the expense of issuing a notice to the affected is more than $250,000 or the affected number 500,000 and above. It is also acceptable to issue a substitute notice if the business does not have sufficient contact details for everyone affected by the data breach.

Entities that have their notification processes directed by internal policy and that are consistent with timing requirements of breaches will be considered in compliance with the notification obligations of the state. That is provided the entity notifies individuals by its internal policies following a data breach.


  • 2023 Minnesota Statutes, 325E.61 Data Warehouses; Notice required for certain disclosures. The law indicates that any individual or business that owns or licenses information shall disclose system security breaches following discovery to any individual directly affected. It also has to be done at the most suitable time.
  • Minnesota Session Laws, 2006, Chapter 233--S.F. No. 2002 - It relates to consumer protection concerning the regulation of freezes on an individual's credit report, protection from identity theft, and deletion of personal records. It also entails modification of notice requirements and regulation of data warehouses.