UPDATE TO Dec. 11, 2018 Notification of Information Security Incident
About 500 clients of the Ramsey County Social Services department who may have had their individually identifiable health information compromised following an information security incident in August 2018 began receiving letters of notification today (Dec. 11, 2018) from Ramsey County.
UPDATE April 16, 2019: In the time since the first group of about 500 notices were sent on Dec. 11, 2018, more than 500 additional clients have been identified who may have had their individually identifiable health information compromised. As these individuals have been identified through continued internal investigation, they have been mailed - at the address last known to Ramsey County - newly-dated copies of the letter linked below.
On August 9, 2018, the county became aware of the unauthorized access to email accounts of 28 Ramsey County employees in an apparent scheme to divert employees' paychecks. Following the incident, Ramsey County took immediate steps to stop the intrusion and secure employee email accounts. The county then contracted a data security firm to conduct further investigation. The firm's assessment was delivered on Oct. 12, 2018. It found that the hackers may have been able to see information about Ramsey County clients through the employee email accounts, including social security numbers, dates of birth, addresses and limited amounts of medical information.
The notification letter is available at ramseycounty.us/publicnotice. The letter includes a phone line for those with questions about the incident to call - 651-266-2275 (1-833-812-4159).
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of any breach of protected health information involving more than 500 individuals must be provided to media outlets. In addition, if there is insufficient contact information for more than 10 individuals, notice must be provided to media in the areas where affected individuals reside or on a website posting that is maintained for 90 days. Clients may find out whether their information has been affected by contacting us at the number above.
Posted December 11, 2018. Update posted April 16, 2019.