Public Notices
December 2020 Data Security Incident
On Dec. 2, 2020, Netgain Technology LLC, a vendor that provides technology services to Ramsey County and other organizations, advised Ramsey County that it had experienced a security incident by a malicious outside hacker. The hacker sought to extort payment from Netgain in a scheme that is often referred to as "ransomware".
Upon learning of the incident, Ramsey County suspended all use of Netgain's application and moved to manual backup procedures, and performed an extensive technical analysis of possible exposure of its clients' data.
Although there is no indication the hackers had any interest in client data beyond the extortion scheme, a technical analysis performed by Ramsey County estimates as many as 8,700 clients of its Family Health Division may have had data accessed. On Jan. 29, 2021, following federal law and in an abundance of caution, Ramsey County notified all clients who may have possibly had data exposed of the incident.
The notification letter is available at ramseycounty.us/publicnotice. The letter includes a phone line for those with questions about the incident to call - 651-266-2275.
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of any breach of protected health information involving more than 500 individuals must be provided to media outlets. In addition, if there is insufficient contact information for more than 10 individuals, notice must be provided to media in the areas where affected individuals reside or on a website posting that is maintained for 90 days. Clients may find out whether their information was in this data by contacting us at the number above.
Dec. 2018 Information Security Incident
UPDATES TO Dec. 11, 2018 Notification of Information Security Incident
On August 9, 2018, Ramsey County became aware of the unauthorized access to email accounts of 26 employees in an apparent scheme by an unknown outside party to divert employees' paychecks. Following the incident, Ramsey County took immediate steps to stop the intrusion and secure employee email accounts. The county then retained a data security firm to conduct further investigation. The firm's initial assessment was delivered on Oct. 12, 2018. It found that the hackers may have been able to see information about Ramsey County clients through the employee email accounts, including social security numbers, dates of birth, addresses and limited amounts of medical information. However, the county does not know whether any of this information was actually viewed during the attack.
Ramsey County has continued its investigation of potential impacts to clients and has provided periodic updates as new information has become available. Those updates follow:
UPDATE December 20, 2019: Beginning today, information security notices were mailed to thousands of clients of several non-HIPAA (Health Insurance Portability and Accountability Act) designated areas of Ramsey County. Some Ramsey County employees will be included in the mailing. Issuance of this group of notices is the last step in a process that began in August 2018. Clients of HIPAA-designated areas of the county whose private health information may have been compromised were prioritized first for comprehensive review and notification. Notifications to those clients began in December 2018 and has continued through September 2019 (see updates below). The Dec. 20, 2019 notice is being sent to clients (and some employees) who may have had non-health information compromised including names, addresses, social security numbers or other personally identifiable information.
Read the December 20, 2019 notification letter
UPDATE September 17, 2019: During the course of the ongoing internal investigation, on or about May 21, 2019, the county learned that limited amounts of health-related information had been identified in the email accounts of two employees related to services the county provides to various government agencies, such as administrative services to the Minnesota Department of Human Services (“DHS”) in support of the Child & Teen Checkups program (the “Program”), and administrative support to the St. Paul-Ramsey County Public Health Department. Roughly 113,267 additional individuals were potentially affected by the August 2018 information security incident. The information that may have been exposed includes names, addresses, dates of birth, and other identifiers of some Program participants, such as Women, Infants, and Children identification numbers, types, appointment dates and appointment types, patient master index numbers, household identification numbers, along with names of authorized representatives.
No social security numbers, financial or credit card information, prescription or diagnosis information was exposed.
The county does not know whether any of this information was actually viewed during the attack. The county is not aware of any misuse of the information.
The county, with assistance from DHS, identified individuals whose information may have been exposed and mailed notification letters to those affected Program participants at the most recent address available.
Read the September 17, 2019 notification letter
As of this update, the total number of individuals who may have had their individually identifiable health information compromised is now 117,905; the total number of notices mailed is now 116,255.
UPDATE July 1, 2019: In the time since the first group of about 500 notices were sent on Dec. 11, 2018, additional clients have been identified who may have had their individually identifiable health information compromised. The total number of individuals is now 4,638 and the number of notices mailed is 3,272. As these individuals have been identified through continued internal investigation, they have been mailed - at the address last known to Ramsey County - newly-dated copies of the letter linked below.
Dec. 11, 2018 Original Notice: About 500 clients of the Ramsey County Social Services department who may have had their individually identifiable health information compromised following an information security incident in August 2018 began receiving letters of notification today (Dec. 11, 2018) from Ramsey County.
The notification letter is available at ramseycounty.us/publicnotice. The letter includes a phone line for those with questions about the incident to call - 651-266-2275 (1-833-812-4159).
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of any breach of protected health information involving more than 500 individuals must be provided to media outlets. In addition, if there is insufficient contact information for more than 10 individuals, notice must be provided to media in the areas where affected individuals reside or on a website posting that is maintained for 90 days. Clients may find out whether their information has been affected by contacting us at the number above.
Read the September 2019 Investigative Report
Posted December 11, 2018.
Update 1 posted April 16, 2019. 1,000+ notifications mailed.
Update 2 posted July 1, 2019.
Update 3 posted September 17, 2019.
Update 4 posted December 20, 2019.