Incident-as-a-Service

Minnesota DHS Reports Access-Related Data Breach - GovTech

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Understanding the Minnesota DHS Reports Access-Related Data Breach - GovTech

Learn how the Data Breach attack occurred and its impact.

4 lessons ~180 min
  1.1 Anatomy of the Minnesota DHS Reports Access-Related Data Breach - GovTech (45 min)
  1.2 Attack Surface and Vulnerabilities Exploited (45 min)
  1.3 Business Impact and Consequences (45 min)
  1.4 Lessons Learned from the Incident (45 min)
  2.1 Essential Preventive Controls (45 min)
  2.2 Access Management and Authentication (45 min)
  2.3 Network Segmentation and Zero Trust (45 min)
  2.4 Detection and Monitoring Systems (45 min)
  3.1 Incident Detection and Initial Response (45 min)
  3.2 Containment and Eradication (45 min)
  3.3 Recovery and Service Restoration (45 min)
  3.4 Post-Incident Analysis and Reporting (45 min)
  4.1 Security Awareness and Training (45 min)
  4.2 Continuous Vulnerability Management (45 min)
  4.3 Backup and Disaster Recovery (45 min)
  4.4 Security Metrics and Continuous Improvement (45 min)

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

1.1 Anatomy of the Minnesota DHS Reports Access-Related Data Breach - GovTech

Lesson 1 of 16

Lesson 1.1: Anatomy of the Minnesota DHS Reports Access-Related Data Breach - GovTech

Duration: 8 minutes

Learning Objectives

  • Identify the key characteristics of insider threat incidents and distinguish them from external cyberattacks
  • Analyse the technical indicators of compromise and attack vectors used in the Minnesota DHS MnCHOICES system breach
  • Evaluate the regulatory implications of healthcare data breaches, particularly HIPAA compliance requirements and reporting obligations
  • Assess the effectiveness of access control mechanisms and monitoring systems in preventing unauthorised data access
  • Develop comprehensive mitigation strategies including immediate response actions and long-term security improvements

Lesson Content

Welcome to lesson 1.1, where we will examine the anatomy of the Minnesota Department of Human Services data breach involving the MnCHOICES system. This incident provides critical insights into insider threats and the vulnerabilities present in multi-stakeholder healthcare systems. Let us begin with the incident overview.

On November 18th, 2025, the Minnesota Department of Human Services discovered that an unauthorised user had accessed the MnCHOICES system, a web-based platform used by counties, tribes, and managed care organisations to assess long-term care needs. This breach compromised the records of approximately 304,000 individuals over a period spanning from late August to mid-November 2025.

What makes this incident particularly significant is that it represents an insider threat rather than an external cyberattack. The perpetrator was a user affiliated with a licensed healthcare provider who possessed legitimate credentials to access the system. However, this individual exceeded their authorised scope, accessing far more data than reasonably necessary to perform their assigned work duties.

Let us examine the technical aspects of this attack using the MITRE ATT&CK framework. The primary technique employed was the abuse of valid accounts, categorised under technique T1078. The attacker did not need to compromise credentials or exploit software vulnerabilities. Instead, they systematically leveraged their existing access to enumerate and retrieve excessive records, aligning with the Discovery tactic TA0003.

The attack progression followed a clear escalation pattern. Initially, the user accessed broad demographic data including income, education backgrounds, and ethnicity information for hundreds of thousands of individuals. As the attack progressed, they narrowed their focus to more detailed personal information for over 1,200 people, including names, dates of birth, addresses, telephone numbers, Medicaid identification numbers, and partial Social Security numbers.

This incident highlights the absence of Common Vulnerabilities and Exposures (CVEs), as no software vulnerabilities were exploited. The breach stemmed entirely from insufficient access restrictions and inadequate monitoring of user behaviour within the system.

The detection of this breach came through vendor monitoring rather than internal security controls. FEI Systems, the company managing the MnCHOICES system, identified anomalous access patterns and alerted the Minnesota Department of Human Services. This detection method reveals significant gaps in the organisation's own security monitoring capabilities.

Several technical indicators of compromise emerged from this incident. The primary indicator was the anomalous access volume, with approximately 304,000 demographic records and 1,200 detailed personal information records accessed within a single month by one user account. Additionally, the scope of access deviated significantly from the user's assigned work, including unrelated income and education data that fell outside their legitimate job functions.

The timeline of this attack spans several months, beginning in late August 2025 when unauthorised access commenced. The attack continued for approximately one month, with bulk demographic access escalating to detailed personal information retrieval. Detection occurred in November 2025 when FEI Systems identified the anomaly and alerted the Department of Human Services. Official identification of the breach occurred on November 18th, 2025, leading to immediate account disabling and engagement of forensic specialists.

From an impact perspective, this breach affected over 300,000 individuals, primarily recipients of long-term care services. While no direct financial losses resulted from service disruption or ransom demands, significant indirect costs arose from forensic investigations, notification processes, and ongoing fraud monitoring. The reputational damage to both Minnesota DHS and FEI Systems highlights recurring vulnerabilities in government health service systems.

The regulatory implications of this breach are substantial, particularly regarding HIPAA compliance. The MnCHOICES system handles protected health information, including Medicaid identification numbers and health-related demographic data. This breach constitutes an impermissible disclosure of protected health information by an authorised user who exceeded minimum necessary access requirements, violating both the HIPAA Privacy and Security Rules. Under HIPAA reporting requirements, Minnesota DHS must notify affected individuals within 60 days of discovery, report to the Department of Health and Human Services Office for Civil Rights within 60 days, and potentially notify media outlets if more than 500 individuals are affected. The organisation met these requirements by issuing notification letters on January 16th, 2026, and confirming reports to federal authorities. Potential penalties under HIPAA can reach up to 1.9 million pounds per violation type annually, with the negligence tier applying due to delayed detection. As a business associate, FEI Systems shares liability for this incident, emphasising the importance of vendor security management.

This incident exemplifies broader industry vulnerabilities in provider-heavy government health systems. The multi-stakeholder access architecture of MnCHOICES, which grants access to external healthcare providers, creates a distributed trust model where credential compromise at any provider organisation can compromise state data. The excessive permission scope granted to users, combined with inadequate role-based access controls, enabled this breach to occur and persist undetected for months.

Several critical controls could have prevented or minimised this incident. The principle of least privilege would restrict user access to only the minimum data necessary for specific job functions. User and Entity Behaviour Analytics could monitor for anomalous query volumes and access patterns, enabling real-time detection rather than the months-long delay experienced in this case. Data loss prevention systems would scan queries for personal information access attempts and prevent bulk exports of sensitive data. Multi-factor authentication combined with session monitoring could enforce per-session verification and automatically terminate sessions that deviate from baseline behaviour patterns. Automated auditing and Security Information and Event Management systems would provide real-time logging of access volumes and user-role mismatches, integrating with analysis tools for immediate alerting. The implementation of Zero Trust architecture principles would mandate verification of every access request regardless of existing credentials, requiring just-in-time access approval for sensitive queries and preventing insider overreach.

Immediate response actions following breach discovery included access termination, forensic investigation, and stakeholder notification. However, the user's access was not terminated until October 30th, 2025, over a month after unauthorised access had ceased, creating an unnecessary window of vulnerability. Long-term remediation strategies must address the fundamental architectural weaknesses exposed by this incident. These include implementing comprehensive role-based access controls with documented approval workflows, deploying advanced detection and response capabilities through Security Information and Event Management systems, and establishing robust vendor management frameworks with mandatory security requirements.

The Minnesota DHS breach serves as a stark reminder that insider threats require specialised detection and prevention strategies. Unlike external attacks that leave clear forensic evidence, insider threats exploit legitimate access channels and can persist undetected for extended periods. Organisations must implement behavioural analytics, enforce strict access controls, and maintain continuous monitoring to protect against these sophisticated threats. This concludes our examination of the Minnesota DHS MnCHOICES system breach. The lessons learned from this incident emphasise the critical importance of comprehensive access management, continuous monitoring, and robust vendor oversight in protecting sensitive healthcare information from insider threats.
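The three indicators the lesson names (one account's daily volume far above its role's baseline, fields outside the user's assigned role, and access outside working hours) as a small UEBA-style detection routine run over constructed access-log entries. This is an added example, not code from the course, FEI Systems or MnCHOICES; the role policy, the 10x volume multiplier and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access-log entries (not real MnCHOICES data):
# (user, role, timestamp, records_returned, fields_requested)
SAMPLE_LOG = [
    ("assessor_a", "care_assessor", "2025-09-02T10:15:00", 12, {"name", "dob", "care_plan"}),
    ("assessor_a", "care_assessor", "2025-09-03T09:40:00", 9, {"name", "dob", "care_plan"}),
    ("provider_x", "care_assessor", "2025-09-02T11:05:00", 15, {"name", "dob", "care_plan"}),
    ("provider_x", "care_assessor", "2025-09-03T02:30:00", 48000, {"income", "education", "ethnicity"}),
    ("provider_x", "care_assessor", "2025-09-04T23:10:00", 1200, {"name", "dob", "address", "medicaid_id", "ssn_last4"}),
]

# Hypothetical least-privilege policy: the fields a care assessor's job needs.
ROLE_FIELDS = {"care_assessor": {"name", "dob", "address", "care_plan"}}
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00-18:59 is normal working time
VOLUME_MULTIPLIER = 10          # assumed: >10x the role median per day is anomalous


def daily_volumes(log):
    """Records returned per (user, role, date), summing all queries that day."""
    totals = defaultdict(int)
    for user, role, ts, count, _ in log:
        totals[(user, role, ts[:10])] += count
    return totals


def role_baselines(log):
    """Median daily volume per role across every user holding that role."""
    per_role = defaultdict(list)
    for (_, role, _), total in daily_volumes(log).items():
        per_role[role].append(total)
    return {role: median(v) for role, v in per_role.items()}


def detect_insider_anomalies(log):
    """Return (user, date, reason, detail) findings for excessive volume,
    scope outside the role's permitted fields, and off-hours access."""
    findings = []
    baselines = role_baselines(log)
    for (user, role, day), total in daily_volumes(log).items():
        if total > VOLUME_MULTIPLIER * baselines[role]:
            findings.append((user, day, "volume", total))
    for user, role, ts, _, fields in log:
        extra = fields - ROLE_FIELDS.get(role, set())
        if extra:
            findings.append((user, ts[:10], "scope", tuple(sorted(extra))))
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings.append((user, ts[:10], "off_hours", ts[11:16]))
    return findings
```

Using a per-role median rather than a fixed threshold means a single bulk-reading account cannot drag the baseline up on its own, which is what makes the 48,000-record day stand out against peers doing the same job.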

Exercises

Exercise 1: Insider Threat Detection Scenario

You are a security analyst monitoring access logs for a healthcare system similar to MnCHOICES. Analyse the provided user access patterns over a 30-day period and identify potential indicators of compromise. Create a risk assessment report highlighting suspicious activities, comparing normal baseline behaviour with observed anomalies, and recommend immediate investigation priorities. Include specific metrics such as records accessed per day, unusual time patterns, and scope deviations that would trigger alerts in your monitoring system.

Exercise 2: Access Control Framework Design

Design a comprehensive role-based access control framework for a multi-stakeholder healthcare system serving counties, tribes, and managed care organisations. Define specific user roles, data access permissions, and approval workflows. Create detailed access matrices showing which user types can access which data fields, implement the principle of least privilege, and establish automated audit procedures. Your framework should prevent the type of scope deviation seen in the Minnesota DHS incident whilst maintaining operational efficiency.

Exercise 3: Incident Response Plan Development

Develop a complete incident response plan specifically for insider threat incidents in healthcare environments. Include detection procedures, escalation timelines, containment strategies, and regulatory notification requirements. Address HIPAA compliance obligations, stakeholder communication protocols, and forensic investigation procedures. Your plan should reduce detection time from months to hours and ensure all regulatory deadlines are met whilst minimising operational disruption.

Assessment Questions

Question 1

Which MITRE ATT&CK technique best describes the primary attack vector used in the Minnesota DHS breach?

  1. T1566 Phishing
  2. T1078 Valid Accounts
  3. T1190 Exploit Public-Facing Application
  4. T1133 External Remote Services

Question 2

What was the primary factor that enabled the breach to persist undetected for approximately one month?

  1. Sophisticated malware that evaded detection systems
  2. Insufficient logging and monitoring of user access patterns
  3. Encrypted communication channels used by the attacker
  4. Compromised administrator credentials providing elevated access

Question 3

Under HIPAA regulations, what is the maximum time frame for notifying affected individuals following discovery of a breach?

  1. 30 days
  2. 45 days
  3. 60 days
  4. 90 days

Question 4

Which security control would have been most effective in preventing the excessive data access observed in this incident?

  1. Multi-factor authentication for all user accounts
  2. Principle of least privilege with role-based access controls
  3. Network segmentation between internal and external users
  4. Regular vulnerability scanning of the MnCHOICES system

Question 5

What distinguishes this breach from typical external cyberattacks in terms of detection methodology?

  1. It required specialised forensic tools to identify the attack vectors
  2. It was detected through vendor monitoring rather than internal security controls
  3. It generated distinctive network traffic patterns that triggered automated alerts
  4. It left clear audit trails that were immediately visible to system administrators

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.