Minnesota Agency Alerts 304,000 Individuals About Vendor Data Breach


State Monitoring Incident Involving a Health Entity Worker for Potential Fraud

Minnesota Agency Notifies 304,000 of Vendor Breach
The Minnesota Department of Human Services is notifying nearly 304,000 individuals of a data breach involving a healthcare worker and a state IT system managed by third-party vendor FEI Systems. (Image: Minnesota DHS, FEI Systems)

The Minnesota Department of Human Services has alerted almost 304,000 individuals about a significant data breach involving unauthorized access by a healthcare worker to sensitive information contained within an IT system managed by FEI Systems. State officials are actively monitoring the situation for indications of potential fraud.

This breach pertains to the MnChoices system, utilized by various counties, tribal nations, and managed care organizations to determine eligibility for essential long-term services, including assistance for disabilities, food support, housing, and mental health services. The MnChoices platform is handled by the third-party vendor, FEI Systems.

On November 18, 2025, FEI noted “unusual user activity” and promptly reported these findings to the Department of Human Services the following day. Investigation revealed that between August 28 and September 21, 2025, a user associated with a licensed healthcare provider accessed data in the MnChoices system without authorization.

In response to the unauthorized access, the agency terminated the healthcare provider’s access to MnChoices on October 30, 2025. Although FEI confirmed that the user had limited access rights to the system, it was determined that the individual accessed more data than necessary to fulfill their job responsibilities. Following the incident, FEI enlisted a cybersecurity firm to conduct a forensic investigation as requested by state officials.

The breach impacts approximately 303,965 individuals, with more sensitive information potentially accessed for 1,206 of them. Data that may have been compromised includes names, addresses, email details, phone numbers, Medicaid IDs, Social Security numbers, ethnic backgrounds, and more. This data poses heightened risks of identity theft and fraud, elevating concerns within the affected population.

The agency has found no evidence of external hacking involvement. The DHS Office of Inspector General is investigating to ensure the protection of sensitive billing information and to identify any signs of fraudulent activity derived from the accessed data.

The incident has been reported to both the Minnesota Office of the Legislative Auditor and the U.S. Department of Health and Human Services in accordance with HIPAA regulations. Notably, since the individual involved was not a DHS employee, no disciplinary action was pursued against the state agency.

For businesses observing this incident, it reinforces the importance of stringent access controls and continuous monitoring for unauthorized activity. The potential for exploiting the breach aligns with tactics outlined in the MITRE ATT&CK framework, including initial access and privilege escalation, which highlights the critical need for robust cybersecurity measures among organizations handling sensitive health data.
