Active breach tracker MN Disclosed April 25, 2025

Carlton County Public Health and Human Services Data Breach 2025: 3,502 Affected · Employee Email Account Compromise · MN. Filed With HHS OCR. What To Do.

Carlton County Public Health and Human Services (MN) confirmed unauthorized third-party access to a single employee email account between January 23 and February 6, 2025. The county filed with HHS OCR and issued public notice on April 25, 2025, with mailed notifications following on May 2, 2025. A total of 3,502 individuals — primarily Public Health and Human Services clients and household members — had personal and protected health information potentially accessed, including Social Security numbers, driver's license numbers, financial account numbers, medical diagnoses, treatment information, medications, and insurance ID numbers.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 23, 2025

Unauthorized third-party access to a Carlton County Public Health and Human Services employee email account begins (per subsequent forensic review)

Feb 6, 2025

Suspicious activity detected on the employee email account; the account is immediately secured and an external forensic investigation is launched

Apr 10, 2025

Forensic file review completed; county begins locating address information for affected individuals

Apr 25, 2025

Carlton County issues public Notice of Data Security Incident and files HIPAA breach notification with HHS Office for Civil Rights covering 3,502 individuals

May 2, 2025

Individual notification letters mailed to the 3,502 affected individuals with offer of 12 months of free credit monitoring and fraud consultation services

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical condition, treatment, or diagnosis information Medical record number Medications

03

Contact & insurance

Phishing + targeted scams

Full name Address Financial account number Online account username and password Healthcare provider names Location(s) of service Dates of service and case identification number Health insurance identification number
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Carlton County Public Health and Human Services (“Carlton HHS”), the public health and human services department for Carlton County, Minnesota, confirmed that an unauthorized third party accessed a single employee email account between January 23 and February 6, 2025. The county detected the intrusion on February 6, immediately secured the account, and engaged outside forensic specialists. The subsequent file review concluded that personal and protected health information for 3,502 individuals — mostly people who received services from Carlton HHS and their household members — had been accessed or acquired during the two-week intrusion window. The county issued a public Notice of Data Security Incident and filed its HIPAA breach notification with the HHS Office for Civil Rights on April 25, 2025, with individual notification letters mailed on May 2, 2025.

Timeline

  • January 23, 2025 — Unauthorized access to a Carlton HHS employee email account begins, per the county’s forensic review.
  • February 6, 2025 — Carlton HHS detects suspicious activity on the email account, immediately secures it, and launches an external forensic investigation.
  • April 10, 2025 — The forensic file review concludes that protected health and personal information was accessible during the intrusion window; the county begins locating current addresses for affected individuals.
  • April 25, 2025 — Carlton County issues its public Notice of Data Security Incident and files the HIPAA breach notification with HHS Office for Civil Rights at the final figure of 3,502 individuals.
  • May 2, 2025 — Individual notification letters are mailed to affected individuals, accompanied by an offer of 12 months of complimentary credit monitoring and fraud consultation services.

What was exposed

Per Carlton County’s Notice of Data Security Incident and corroborating trade-press reporting in HIPAA Journal and local coverage in Pine Knot News, the data elements potentially accessed vary by individual but may include:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Financial account number
  • Online account username and password
  • Information related to medical condition, treatment, or diagnosis
  • Names of healthcare providers
  • Locations of service
  • Medical record number
  • Medications
  • Dates of service and case identification number or other unique identifier related to services provided
  • Health insurance identification number

This is an unusually broad data-element set for a single-mailbox compromise. It reflects the reality that a public-health-and-human-services caseworker’s email is a working file: it routinely contains application packets, eligibility paperwork, provider correspondence, and case notes. The threat actor has not been publicly identified, and no leak-site posting of Carlton County data has been independently reported.

Sensitive populations involved

Carlton HHS is the county’s combined Public Health and Human Services department, which means the affected population is materially different from a typical hospital-system breach. The 3,502 individuals are predominantly:

  • Public Health clients — including recipients of WIC, immunization records, communicable-disease follow-up, maternal-child home visits, and lead-screening services.
  • Human Services clients — including Medical Assistance (Minnesota’s Medicaid), MinnesotaCare, SNAP, MFIP cash assistance, child protection, adult protection, and waiver-program participants such as Consumer Directed Community Supports (CDCS), Medical Assistance for Employed Persons with Disabilities (MA-EPD), and TEFRA.
  • Household members of those clients, whose information appears in eligibility files even when they are not the direct service recipient.

These populations are disproportionately low-income, disabled, elderly, or otherwise dependent on public benefits. The combination of Social Security number, driver’s license number, full medical diagnosis information, and Medicaid identifier in a single file is the worst-case identity-theft profile, because it supports both financial fraud (new credit accounts, tax-refund fraud) and medical identity theft (fraudulent claims billed under a real Medicaid ID, which can take years to unwind through state agencies). For child-welfare and adult-protection clients within this population, the secondary risk is address exposure — a county human-services case file commonly contains the relocated address of a domestic-violence survivor or a foster placement that should not be discoverable.

What the entity is offering

Carlton County is offering affected individuals:

  • 12 months of complimentary credit monitoring and fraud consultation services through a third-party identity-protection provider.
  • A dedicated toll-free helpline at 1-833-745-2048, 8 a.m. to 8 p.m. Central, with engagement number B144136 referenced in the substitute notice.

Internally, Carlton HHS reports that it has enhanced internal policies, procedures, and cybersecurity practices; updated its email retention policy; communicated with all staff on phishing-email awareness; and provided additional email-cybersecurity training to the employee whose account was compromised.

Class-action and regulatory posture

Federal: the HHS OCR portal entry remains open. No civil money penalty or corrective-action plan has been announced as of this writing.

Class action: at least one plaintiff-side firm — Srourian Law Firm — has publicly announced an investigation into a potential class action against Carlton County Public Health and Human Services. No consolidated complaint has been publicly docketed in Minnesota federal or state court as of this writing. Sovereign-immunity defenses available to a Minnesota county and limitations under the Minnesota Government Data Practices Act and Minnesota Tort Claims Act are likely to shape any private litigation; that is one reason class actions against county human-services departments often resolve more slowly than against private health systems.

What to do if you may be affected

  • Activate the 12 months of credit monitoring offered in your notification letter. The enrollment code is specific to your letter and cannot be obtained from a public web search. If you did not receive a letter but believe you may have been a Carlton HHS client between roughly 2020 and early 2025, call the county helpline at 1-833-745-2048 to confirm whether your record is in the affected population.
  • Freeze your credit with Equifax, Experian, and TransUnion regardless of whether you enroll in monitoring. A security freeze blocks new account openings outright; credit monitoring only alerts you after the fact. Both protections are free and reversible.
  • Watch for medical identity theft. Because Medicaid identifiers, diagnoses, medications, and provider names were potentially involved, review every Explanation of Benefits from your health plan and every notice from the Minnesota Department of Human Services regarding Medical Assistance, MinnesotaCare, or any waiver program you participate in. Fraudulent Medicaid billing is harder to detect than credit-card fraud because the victim is usually not the first to see the false claim.
  • Watch your tax return. Stolen Social Security numbers combined with date of birth are the building blocks of tax-refund fraud. Consider requesting an IRS Identity Protection PIN for the 2025 and 2026 tax years.
  • Be alert to targeted phishing. A combination of your name, address, Medicaid identifier, and a known medical condition or medication supports highly convincing impersonation of Carlton County, your provider, your pharmacy, or your insurer. Verify any unsolicited outreach by calling a number you look up independently rather than one provided in an email, text, or voicemail.
  • For protected populations: if you are a domestic-violence survivor, foster youth, foster parent, or otherwise have an address-confidentiality concern, contact Carlton HHS directly to ask whether your protected address was in the exposed file set, and review your participation in the Minnesota Safe at Home address-confidentiality program.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.