Carlton County Public Health and Human Services Data Breach 2025: 3,502 Affected · Employee Email Account Compromise · MN. Filed With HHS OCR. What To Do.
Carlton County Public Health and Human Services (MN) confirmed unauthorized third-party access to a single employee email account between January 23 and February 6, 2025. The county filed with HHS OCR and issued public notice on April 25, 2025, with mailed notifications following on May 2, 2025. A total of 3,502 individuals — primarily Public Health and Human Services clients and household members — had personal and protected health information potentially accessed, including Social Security numbers, driver's license numbers, financial account numbers, medical diagnoses, treatment information, medications, and insurance ID numbers.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 23, 2025
Unauthorized third-party access to a Carlton County Public Health and Human Services employee email account begins (per subsequent forensic review)
Feb 6, 2025
Suspicious activity detected on the employee email account; the account is immediately secured and an external forensic investigation is launched
Apr 10, 2025
Forensic file review completed; county begins locating address information for affected individuals
Apr 25, 2025
Carlton County issues public Notice of Data Security Incident and files HIPAA breach notification with HHS Office for Civil Rights covering 3,502 individuals
May 2, 2025
Individual notification letters mailed to the 3,502 affected individuals with offer of 12 months of free credit monitoring and fraud consultation services
Jan 23, 2025
Unauthorized third-party access to a Carlton County Public Health and Human Services employee email account begins (per subsequent forensic review)
Feb 6, 2025
Suspicious activity detected on the employee email account; the account is immediately secured and an external forensic investigation is launched
Apr 10, 2025
Forensic file review completed; county begins locating address information for affected individuals
Apr 25, 2025
Carlton County issues public Notice of Data Security Incident and files HIPAA breach notification with HHS Office for Civil Rights covering 3,502 individuals
May 2, 2025
Individual notification letters mailed to the 3,502 affected individuals with offer of 12 months of free credit monitoring and fraud consultation services
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Carlton County Public Health and Human Services (“Carlton HHS”), the public health and human services department for Carlton County, Minnesota, confirmed that an unauthorized third party accessed a single employee email account between January 23 and February 6, 2025. The county detected the intrusion on February 6, immediately secured the account, and engaged outside forensic specialists. The subsequent file review concluded that personal and protected health information for 3,502 individuals — mostly people who received services from Carlton HHS and their household members — had been accessed or acquired during the two-week intrusion window. The county issued a public Notice of Data Security Incident and filed its HIPAA breach notification with the HHS Office for Civil Rights on April 25, 2025, with individual notification letters mailed on May 2, 2025.
Timeline
- January 23, 2025 — Unauthorized access to a Carlton HHS employee email account begins, per the county’s forensic review.
- February 6, 2025 — Carlton HHS detects suspicious activity on the email account, immediately secures it, and launches an external forensic investigation.
- April 10, 2025 — The forensic file review concludes that protected health and personal information was accessible during the intrusion window; the county begins locating current addresses for affected individuals.
- April 25, 2025 — Carlton County issues its public Notice of Data Security Incident and files the HIPAA breach notification with HHS Office for Civil Rights at the final figure of 3,502 individuals.
- May 2, 2025 — Individual notification letters are mailed to affected individuals, accompanied by an offer of 12 months of complimentary credit monitoring and fraud consultation services.
What was exposed
Per Carlton County’s Notice of Data Security Incident and corroborating trade-press reporting in HIPAA Journal and local coverage in Pine Knot News, the data elements potentially accessed vary by individual but may include:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number
- Financial account number
- Online account username and password
- Information related to medical condition, treatment, or diagnosis
- Names of healthcare providers
- Locations of service
- Medical record number
- Medications
- Dates of service and case identification number or other unique identifier related to services provided
- Health insurance identification number
This is an unusually broad data-element set for a single-mailbox compromise. It reflects the reality that a public-health-and-human-services caseworker’s email is a working file: it routinely contains application packets, eligibility paperwork, provider correspondence, and case notes. The threat actor has not been publicly identified, and no leak-site posting of Carlton County data has been independently reported.
Sensitive populations involved
Carlton HHS is the county’s combined Public Health and Human Services department, which means the affected population is materially different from a typical hospital-system breach. The 3,502 individuals are predominantly:
- Public Health clients — including recipients of WIC, immunization records, communicable-disease follow-up, maternal-child home visits, and lead-screening services.
- Human Services clients — including Medical Assistance (Minnesota’s Medicaid), MinnesotaCare, SNAP, MFIP cash assistance, child protection, adult protection, and waiver-program participants such as Consumer Directed Community Supports (CDCS), Medical Assistance for Employed Persons with Disabilities (MA-EPD), and TEFRA.
- Household members of those clients, whose information appears in eligibility files even when they are not the direct service recipient.
These populations are disproportionately low-income, disabled, elderly, or otherwise dependent on public benefits. The combination of Social Security number, driver’s license number, full medical diagnosis information, and Medicaid identifier in a single file is the worst-case identity-theft profile, because it supports both financial fraud (new credit accounts, tax-refund fraud) and medical identity theft (fraudulent claims billed under a real Medicaid ID, which can take years to unwind through state agencies). For child-welfare and adult-protection clients within this population, the secondary risk is address exposure — a county human-services case file commonly contains the relocated address of a domestic-violence survivor or a foster placement that should not be discoverable.
What the entity is offering
Carlton County is offering affected individuals:
- 12 months of complimentary credit monitoring and fraud consultation services through a third-party identity-protection provider.
- A dedicated toll-free helpline at 1-833-745-2048, 8 a.m. to 8 p.m. Central, with engagement number B144136 referenced in the substitute notice.
Internally, Carlton HHS reports that it has enhanced internal policies, procedures, and cybersecurity practices; updated its email retention policy; communicated with all staff on phishing-email awareness; and provided additional email-cybersecurity training to the employee whose account was compromised.
Class-action and regulatory posture
Federal: the HHS OCR portal entry remains open. No civil money penalty or corrective-action plan has been announced as of this writing.
Class action: at least one plaintiff-side firm — Srourian Law Firm — has publicly announced an investigation into a potential class action against Carlton County Public Health and Human Services. No consolidated complaint has been publicly docketed in Minnesota federal or state court as of this writing. Sovereign-immunity defenses available to a Minnesota county and limitations under the Minnesota Government Data Practices Act and Minnesota Tort Claims Act are likely to shape any private litigation; that is one reason class actions against county human-services departments often resolve more slowly than against private health systems.
What to do if you may be affected
- Activate the 12 months of credit monitoring offered in your notification letter. The enrollment code is specific to your letter and cannot be obtained from a public web search. If you did not receive a letter but believe you may have been a Carlton HHS client between roughly 2020 and early 2025, call the county helpline at 1-833-745-2048 to confirm whether your record is in the affected population.
- Freeze your credit with Equifax, Experian, and TransUnion regardless of whether you enroll in monitoring. A security freeze blocks new account openings outright; credit monitoring only alerts you after the fact. Both protections are free and reversible.
- Watch for medical identity theft. Because Medicaid identifiers, diagnoses, medications, and provider names were potentially involved, review every Explanation of Benefits from your health plan and every notice from the Minnesota Department of Human Services regarding Medical Assistance, MinnesotaCare, or any waiver program you participate in. Fraudulent Medicaid billing is harder to detect than credit-card fraud because the victim is usually not the first to see the false claim.
- Watch your tax return. Stolen Social Security numbers combined with date of birth are the building blocks of tax-refund fraud. Consider requesting an IRS Identity Protection PIN for the 2025 and 2026 tax years.
- Be alert to targeted phishing. A combination of your name, address, Medicaid identifier, and a known medical condition or medication supports highly convincing impersonation of Carlton County, your provider, your pharmacy, or your insurer. Verify any unsolicited outreach by calling a number you look up independently rather than one provided in an email, text, or voicemail.
- For protected populations: if you are a domestic-violence survivor, foster youth, foster parent, or otherwise have an address-confidentiality concern, contact Carlton HHS directly to ask whether your protected address was in the exposed file set, and review your participation in the Minnesota Safe at Home address-confidentiality program.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the April 25, 2025 filing at 3,502 individuals.
- Carlton County, MN — Notice of Data Security Incident — the county’s primary substitute notice describing the intrusion window, data elements, helpline, and credit-monitoring offer.
- HIPAA Journal — Carlton County Public Health and Human Services notifies 3,502 individuals — independent trade-press confirmation of the intrusion dates, scope, and remediation steps.
- Pine Knot News — Carlton County reports data breach — local press coverage of the May 2, 2025 mailings and exposed-data list.
- MN.gov — Carlton County Public Health and Human Services (entity profile) — Minnesota Department of Human Services profile describing the populations and waiver programs served by Carlton HHS.
- Srourian Law Firm — Class-action investigation page — plaintiff-side investigation; no complaint filed as of this writing.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Carlton County, MN — Notice of Data Security Incident
- HIPAA Journal — Carlton County Public Health and Human Services notifies 3,502 individuals
- Pine Knot News — Carlton County reports data breach
- MN.gov — Carlton County Public Health and Human Services (entity profile)
- Srourian Law Firm — Class-action investigation page (Carlton County Public Health and Human Services)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.