Ramsey County Email Breach Count Rises to 117,905 Victims

• There is no indication that the attackers exploited the data in any way beyond the scheme to steal employee paychecks.
• As per officials, email retention procedures were changed after the attack.

An overview: According to the most recent update, a cyberattack launched against county information systems on August 9, 2018, affected way more individuals than previously assumed or calculated. Officials from Ramsey County had initially announced that the email breach impacted only 26 employees. The breach tally has been on a hike spree since then, reaching to 117,905 in a September 2019 update.

A timeline of updates:

• On August 9, 2018, Ramsey County became aware of the unauthorized access to email accounts of 26 employees.
• As per Dec 2018 update, health information of about 500 clients of the Ramsey County Social Services Department was assumed to be compromised.
• According to July 2019 update, the total number of individuals now stood at 4,638.
• And, as per the latest update on September 17, 2019, roughly 117,905 individuals were potentially affected by the August 2018 information security incident.

How the County had responded: Though the county officials had successfully stopped the attackers on the same day they discovered the attack, it seems enough damage was done already.

• An investigation was launched with help from an outside forensics firm.
• The county officials managed to secure the remaining accounts and also informed the law enforcement about the attack.
• The county updated its password protections, improved security training, implemented further data security software, and took other important steps to ensure the protection of accounts, and hence the data.
• More importantly, email retention procedures went under change.

What’s on stake: The personal data and some medical information of thousands of individuals was compromised during the email hack attack.

• The emails contained spreadsheets and attachments related to program appointments, including those from the Minnesota Department of Human Services’ child and teenager checkup program.
• The impacted data included names, dates of birth, contact details, appointment dates and types, patient master index numbers, Women, Children, and Infant identification numbers, and other identifiers.
• It did not have social security numbers, credit cards, prescription, diagnosis information, or any financial data.

To date, the Minnesota DHS has suffered from multiple breaches. The fact broadly highlights a lack of resources and the defenseless plight of government and small health agencies in the state.