Children’s Minnesota takes the privacy and security of our patients’ information very seriously. Regrettably, this notice concerns an email security incident that involved some of that information.
What happened?
On March 13, 2024, our investigation into suspicious email account activity identified unauthorized access to two employee email accounts. We took immediate steps to secure the accounts and began an investigation with the assistance of a computer forensics firm. Our investigation determined that the email accounts were accessed for brief periods of time between February 29, 2024, and March 25, 2024. We began a detailed review and analysis of the email accounts’ contents, which is ongoing.
What information was involved?
Based on our review to date, the information involved is related to some patients within the surgical services department. The information may include patients’ names, and one or more of the following: address, date of birth, insurance carrier, medical record number, provider name, treatment cost information, and/or limited treatment information related to care received at Children’s Minnesota (such as diagnosis codes or procedure information). Importantly, financial account, credit card information, and Social Security numbers were not contained in the affected email accounts.
This incident did not affect all Children’s Minnesota patients; only some patients within the surgical services department whose information was included in the employees’ email accounts. Children’s Minnesota’s medical and electronic health records systems are separate from our email accounts and were not involved.
What we are doing
We want our patients to know that we take this matter very seriously and are committed to taking steps to help prevent something like this from happening again, including providing continued privacy and cybersecurity training to our staff and identifying additional safeguards that can be implemented to enhance the security of our email environment.
Children’s Minnesota is mailing notification letters to all patients whose information may have been included in the email accounts in the coming weeks. We have also established a dedicated toll-free call center, which may be contacted at 888-326-6156, Monday through Friday, 8 a.m. to 8 p.m. (CST).
What you can do
While at this time we have no evidence that any information involved in this incident has been misused, out of an abundance of caution, we recommend affected individuals review any statements received from their healthcare providers. If individuals see services they did not receive, please contact the provider immediately.