Minnesota DHS Data Breach, 300,000+ Records Exposed—What Was Compromised and What to Do Now

ByAll About Lawyer Reading Time: 5 minutes

The Minnesota Department of Human Services (DHS) has confirmed a significant data breach affecting 303,965 individuals as of January 2026. The incident involved unauthorized access to sensitive records within the MnCHOICES system, a tool used by counties and tribal nations to manage long-term services for residents. If you or a family member received social services in Minnesota, your personal and health information may have been exposed.

This guide provides the essential details on what was compromised, who is affected, and the legal steps you should take now to protect your identity and investigate your right to compensation.

What Data Was Exposed in the Minnesota DHS Breach?

The breach was not a traditional “hack” from the outside. Instead, it involved an insider threat: a user affiliated with a licensed healthcare provider used legitimate credentials to access data far beyond their authorized scope.

According to the official notification letters mailed beginning January 16, 2026, the compromised data varies by individual:

  • For 303,965 people: Exposed data includes names, sex, dates of birth, phone numbers, addresses, Medicaid ID numbers, and the last four digits of Social Security numbers.
  • For 1,206 people: Much more sensitive information was accessed, including ethnicity, birth records, physical traits, education history, income, and specific government benefits data.
  • Health Information: Because MnCHOICES handles long-term care assessments, Protected Health Information (PHI) was included in the exposure, triggering federal HIPAA reporting requirements.

Who is Affected by the MnCHOICES Breach?

You are likely affected if you are a Minnesota resident who used the MnCHOICES system for assessment or planning of long-term services and support. This includes individuals who worked with:

  • Minnesota County social services offices.
  • Tribal Nations within Minnesota.
  • Managed care organizations and consultation service providers.

The unauthorized access occurred between August 28 and September 21, 2025, but was not detected until mid-November 2025 by FEI Systems, the vendor managing the network.

Is There a Class Action Lawsuit or Settlement?

As of late January 2026, multiple class action investigations have been launched. Law firms, including Lynch Carpenter, are currently seeking affected individuals to participate in potential litigation against both the Minnesota DHS and FEI Systems.

  • Settlement Status: There is currently no finalized settlement or guaranteed payout.
  • Legal Grounds: Investigations are focusing on whether the DHS and its vendor failed to implement adequate “access controls” and monitoring to prevent an insider from snooping on sensitive files.
  • Compensation: If a settlement is reached, victims may be entitled to recover damages for “time spent” monitoring their identity, emotional distress, and any actual financial losses.

What You Must Know

How to Verify if You Are Affected

Minnesota DHS began mailing physical notification letters on January 16, 2026. If you received a letter, your information was definitely compromised. If you haven’t received a letter but have used MnCHOICES, you can contact the DHS directly or check for updates on their official website.

The Minnesota Department of Human Services (DHS) has confirmed a significant data breach affecting 303,965 individuals as of January 2026. The incident involved unauthorized access to sensitive records within the MnCHOICES system, a tool used by counties and tribal nations to manage long-term services for residents. If you or a family member received social services in Minnesota, your personal and health information may have been exposed.

Why Credit Monitoring Isn’t Being Offered (Yet)

In a move that has frustrated some advocates, Minnesota DHS stated in January 2026 that it is not currently offering free credit monitoring services because full Social Security numbers and financial account details were not involved for the majority of victims. However, legal experts warn that a Medicaid ID combined with a partial SSN is often enough for sophisticated bad actors to commit “medical identity theft.”

The Risk of Medical Identity Theft

Unlike financial theft, medical identity theft involves someone using your Medicaid ID to receive medical treatment or prescriptions in your name. This can result in incorrect information being added to your permanent medical records, which can be dangerous for your future healthcare.

What to Do Next

Step 1: Review Your Healthcare and Insurance Statements

Carefully audit every “Explanation of Benefits” (EOB) you receive. If you see a doctor’s visit or procedure you didn’t authorize, report it immediately to the DHS Office of Inspector General at 651-431-2650.

Step 2: Place a Fraud Alert on Your Credit Report

Even though full SSNs weren’t stolen, your demographic data (name, DOB, address) can be used for “phishing” attacks. You can place a free 1-year fraud alert by contacting one of the three major bureaus:

  • Equifax: 1-800-525-6285
  • Experian: 1-888-397-3742
  • TransUnion: 1-800-680-7289

Step 3: Document Your Time and Stress

If you choose to join a class action lawsuit, you will need evidence of how the breach affected you. Keep a log of any time spent calling banks, changing passwords, or reviewing medical bills related to this incident like happend in Des-moines-orthopaedic-surgeons-data-breac.

FAQs

What exactly was stolen in the Minnesota DHS breach?

For most of the 304,000 victims, names, addresses, Medicaid IDs, and the last four digits of SSNs were exposed. A smaller group of 1,206 people had income and health history data stolen.

How long do I have to file a claim?

Because a settlement has not yet been reached, there is no claim deadline. However, you should contact a lawyer as soon as possible if you wish to be part of the initial class action filings.

Was this a ransomware attack?

No. This was an “unauthorized access” incident where a legitimate user with system credentials viewed records they weren’t supposed to see.

Is the state offering identity theft protection?

No, the state has not offered free monitoring as of January 2026. Affected individuals are encouraged to use free tools like AnnualCreditReport.com to monitor themselves.

Can I sue the Minnesota DHS for this?

You may be able to join a data breach lawsuit like happend with gulshan-management-services-data-breach if it can be proven that the state’s negligence allowed the unauthorized access to go undetected for weeks.

Last Updated: January 30, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please consult with a licensed attorney to discuss your specific legal rights.

Are you concerned about your privacy? Learn more about your rights in a data breach at AllAboutLawyer.com.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *