Patient data possibly compromised in Ramsey County breach

The information services department of Ramsey County Social Services identified a cyberattack against its systems that may have jeopardized patient information.

The agency, based in St. Paul, Minn., on August 9 became aware of the incident. Attackers sought control of email accounts of about 28 employees in the social services department and other departments, trying to steal paychecks.

IT personnel stopped the attack, secured affected emails, implemented additional safeguards and notified law enforcement agencies.

GovCenterEastbuilding-CROP.jpg

Ramsey County did not offer free protective services in the patient notification letter, but simply gave patients basic information on protecting themselves from credit and identity theft, and the letter emphasized the need to place a fraud alert on credit files.

Also See: Feds fine hospital that didn’t cut data access to former employee

“We sincerely apologize for any inconvenience this security incident may cause you,” noted Ryan O’Connor, county manager, in the notification letter.

Data that may have been compromised included limited medical information, as well as names, addresses and Social Security numbers of persons whose data is maintained by the county. Most county passwords were strengthened and reset by late afternoon. In all, about 500 individuals were affected.

The county then hired a forensics firm to help assess the attack, and in early October, it determined that protected health information may have been accessible to the hackers.

Since the attack, the county has implemented multifactor authentication technology, increased user education and bought new auditing and monitoring software.

County officials did not reply to queries asking for comment and additional information.

For reprint and licensing requests for this article, click here.