
Aitkin County Health and Human Services, the county government department in Aitkin County, Minnesota that provides public assistance, health and social-service programs, disclosed a data breach that affected approximately 83,114 individuals in the United States.
Between April 7, 2026, and April 8, 2026, cyber criminals gained unauthorized access to three county email accounts. The intrusion was discovered when a Health and Human Services employee's email account was found to be sending phishing emails.
The county launched an investigation with a third-party cybersecurity and data forensics consultants to understand the incident. The investigation determined that during the period of unauthorized access, the cyber criminals downloaded the contents of the compromised Health and Human Services email account.
The county then conducted a review of the affected data to determine what information was involved, who may have been affected and where those individuals reside.
During the review, the county identified a report from the Minnesota Department of Human Services (DHS) in the compromised email account. The report contained MnCHOICES information for individuals associated with the county.
On May 13, 2026, the county confirmed that the DHS report also inadvertently included viewable information for individuals not associated with the county. The county notified DHS, and the two agencies worked together to prepare written notifications for the affected population contained in the report.
The breach exposed both personally identifiable information (PII) and protected health information (PHI) included names, addresses, dates of birth, Social Security numbers, dates of services, locations of services, individual case identifying numbers, PMI numbers, medical or health information, diagnosis and treatment information, healthcare provider names, medications, health insurance identification numbers, information about the type and status of forms filed with MnCHOICES, dates forms were last modified, health insurance claims information and information related to services received by the county's Health and Human Services department.
The information contained in the DHS report exposed included names, individual case identifying numbers, PMI numbers, information about the type and status of forms filed with MnCHOICES, dates forms were last modified and the names of organizations or locations providing services.
The breach was disclosed to the U.S. Department of Health and Human Services on June 17, 2026. The county began notifying affected individuals on June 17, 2026. It also posted a notice of the data security incident on its website.
The county notified Minnesota IT Services and all appropriate state regulators. It sent notification letters to individuals whose personal information or protected health information was affected. For individuals whose contact information the county does not have on file, it posted a public notice to help reach them.
The county set up a toll-free telephone number, 1-844-817-0953, available between 8 a.m. and 8 p.m. CT, for questions about the incident. Affected individuals also have the right to request a report on the facts and details of the investigation by calling that number and asking for delivery by mail.








.webp)
.webp)
.webp)

.webp)
.webp)
.webp)
.webp)