Minnesota
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Minnesota’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches refer to unauthorized attainment of personal or financial information, which would compromise the confidentiality, security, and integrity of the data that the host holds. Cybercriminals typically use the information obtained without authorization for their interests, such as identity theft or system compromise. In Minnesota, data breaches are prevalent, with the most common being email hacking, malware, ransomware, and phishing. Minnesota ranks 24th in victims per state, with over $103 million in losses in 2022. The most affected areas are government-facilitated healthcare and educational institutions.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Minnesota's Recent Biggest Data Breaches
University of Minnesota
In July 2023, the University of Minnesota became aware of a system breach of its database. It immediately intervened and began an investigation to assess the point of the breach. The investigation determined that the data breach affected people who submitted their information as prospective applicants, students, employees, and university program participants. It entailed names, telephone numbers, driver's licenses, Social Security, and university identification numbers. It also provided a statement indicating the safety and privacy of all university personnel are a main priority. The university also increased its vigilance in securing maintained information. However, ongoing scans of the institution's electronic systems have yet to reveal suspicious activity.
Minnesota Department of Education (MDE)
In May 2023, Minnesota I.T. Services serving the state's Department of Education became aware of a data breach courtesy of a third party's vulnerability. An unauthorized party obtained MDE data on a MOVEit server. The Department of Education took steps to secure their data and began an investigation to determine the effects of the breach as well as who was affected. The files accessed were from 95,000 students who were in foster care. They included names, birth dates, and counties where the students had been placed. No financial information, though, was included in any of the files within the data breach. The Department also indicated they were working to notify affected individuals.
Netgain Technology Ransomware Attack
In December 2020, Netgain, a vendor for Minnesota-based family medical practice Associated Eye Care, was a victim of a data breach that compromised the information of 200,000 individuals. Upon being notified, they began an investigation to determine what information was exposed. AEC underwent extensive data mining to identify all of the affected individuals. Some of the exposed data included names, addresses, medical histories, and Social Security numbers. Class action lawsuits were filed against Netgain following the breach because the notification to healthcare clients was delayed unreasonably.
Children's Minnesota Foundation
Between February and May 2020, the Children Minnesota Foundation's network was breached via its cloud-based service provider, Blackbaud. It discovered that an unauthorized individual gained access to their systems and attained backup copies of databases utilized by the clientele. The information accessed included names, addresses, phone numbers, birth dates, gender, medical records, dates of treatment, and locations. In Minnesota, 160,268 were affected because of the data breach. Blackbaud indicated no reason to believe the information was distributed or misused; however, affected individuals are advised to check their credit records regularly. Blackbaud was sued because it failed to reveal the data breach for months, though. It had to agree to a settlement worth $780,000 to the state of Minnesota.
Central Minnesota Mental Health Center Email Breach
In October 2021, the Central Minnesota Mental Health Center became aware of a data breach that exposed the data of 28,725 people. Following this discovery, the organization moved to secure its email accounts and engaged third-party investigators. They also took steps toward preventing further unauthorized access to their systems. The investigation also determined that personal information such as doctor's names, addresses, clinical information, and treatment locations were exposed.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
An entity must disclose any data breach to the affected individuals who are subjects when an information compromise has occurred. According to the state regulations, a notice has to be in writing, inform of a breach investigation, and be sent without unreasonable delay. If a breach is to be sent to more than 1,000 people, the entity must also notify consumer reporting agencies. Personal information is classified as names, Social Security numbers, driver's licenses, accounts, and credit card or debit card numbers. Personal information, though, does not include any publicly available data that is lawfully revealed to everyone.
The Minnesota Department of Administration indicates that notices being sent to residents have to include a description of the data breach, the entity's name and contacts, as well as the personal information types compromised. It also recommended additional actions like free credit reports and security freezes.
Communication with the state residents can be done by electronic, email, or written notices. It is possible for a substitute notice to be given if the expense of issuing a notice to the affected is more than $250,000 or the affected number 500,000 and above. It is also acceptable to issue a substitute notice if the business does not have sufficient contact details for everyone affected by the data breach.
Entities that have their notification processes directed by internal policy and that are consistent with timing requirements of breaches will be considered in compliance with the notification obligations of the state. That is provided the entity notifies individuals by its internal policies following a data breach.
Laws
- 2023 Minnesota Statutes, 325E.61 Data Warehouses; Notice required for certain disclosures. The law indicates that any individual or business that owns or licenses information shall disclose system security breaches following discovery to any individual directly affected. It also has to be done at the most suitable time.
- Minnesota Session Laws, 2006, Chapter 233--S.F. No. 2002 - It relates to consumer protection concerning the regulation of freezes on an individual's credit report, protection from identity theft, and deletion of personal records. It also entails modification of notice requirements and regulation of data warehouses.