Active breach tracker St. Paul, MN Disclosed January 16, 2026

Minnesota DHS / MnCHOICES Data Breach 2026: 303,965 Long-Term Care Records Accessed by Healthcare Provider Insider. What Was Exposed and What To Do

Minnesota DHS disclosed in January 2026 that a healthcare provider with legitimate MnCHOICES access viewed records of 303,965 Minnesotans seeking long-term care services outside their authorization scope. Last 4 of SSN, Medicaid ID, address, and demographic data exposed. No credit monitoring offered. Here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 28, 2025

Insider began accessing records outside authorized scope

Oct 30, 2025

Provider's MnCHOICES access revoked

Nov 18, 2025

FEI Systems detected unusual user activity

Jan 16, 2026

DHS notice letters mailed; HHS OCR filing

Jan 28, 2026

Joint MN Senate and House Human Services Committee hearing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Last 4 digits of Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Sex Phone number Home address Medicaid ID

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter (publicly investigating) Srourian Law Firm (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The Minnesota Department of Human Services operates MnCHOICES, a long-term-care assessment platform used by county social workers, Tribal Nation assessors, managed care organization care coordinators, and case managers to determine eligibility for Home and Community-Based Services waivers, Personal Care Assistance, nursing facility level-of-care, and disability waivers. MnCHOICES is operated under contract by FEI Systems, a private vendor based in Maryland.

Between August 28 and September 21, 2025, an individual user affiliated with a licensed Minnesota healthcare provider accessed records inside MnCHOICES that were outside the scope of their authorization. The user had legitimate credentials. This was not an external hack. There was no ransomware. The data was accessed through credential abuse by a person who was supposed to have limited access for their job and used that access to view a much broader set of records.

DHS revoked the provider’s MnCHOICES access on October 30, 2025. FEI Systems detected the unusual activity pattern on November 18, 2025 and reported it to DHS the next day. Forensic review by an outside cybersecurity firm followed.

DHS filed with the US Department of Health and Human Services Office for Civil Rights and mailed notification letters on January 16, 2026, confirming 303,965 affected individuals. The provider entity has not been publicly named. No public criminal charges or named disciplinary action against the user or the provider entity have been reported as of mid-May 2026.

What was exposed

For all 303,965 affected individuals, the exposed data includes:

  • Full name
  • Sex
  • Date of birth
  • Phone number
  • Home address
  • Medicaid ID
  • Last 4 digits of Social Security number

For a subset of 1,206 individuals (Letter B cohort), additional data was accessed:

  • Ethnicity
  • Birth record information
  • Physical traits
  • Education
  • Income and benefits data
  • Some medical information

DHS classified the entire dataset as “private welfare data” under Minnesota Statute § 13.46.

Two things make this less severe than a typical healthcare breach, and one thing makes it more severe. Less severe: only the last 4 digits of SSN were exposed (not the full number), and no financial account information was in the dataset. More severe: presence in the MnCHOICES system is itself disclosure of disability or long-term-care need under HIPAA, and the combination of Medicaid ID + last 4 SSN + DOB + address is a reasonably complete identity-verification kit for someone seeking to commit medical identity theft.

What DHS is offering

No credit monitoring services are being offered. DHS cited the limited nature of the accessed data (specifically, the absence of full SSN and financial account numbers) and directed affected individuals to free credit-bureau resources at annualcreditreport.com and the FTC’s consumer.gov/idtheft.

What to do if you received a notification letter

This week:

  1. Pull a free credit report from each bureau at annualcreditreport.com. You are entitled to one from each bureau per year.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. Even though full SSN was not exposed, the last 4 + DOB + address combination is enough for some account-opening attempts.
  3. Watch for medical-identity-theft signals. Review Explanation of Benefits statements from any health insurance you carry for unfamiliar services billed against your Medicaid number.
  4. Be skeptical of phone calls that mention your Medicaid ID, county case-management relationship, or long-term-care plan. The exposed dataset includes enough specificity to support targeted phishing.

This month:

  1. Exercise your Minnesota Government Data Practices Act rights. Minn. Stat. § 13.04 gives you the right to see what records the state holds about you and to challenge inaccuracies. Stat. § 13.055 governs the notification you received and gives you additional rights to information about the disclosure.
  2. Stop the ongoing flow of your health and demographic data. HealthConsent files HIPAA restriction requests, data-broker deletion requests, and state-law deletion requests so the demographic and Medicaid-program-presence data exposed in this breach is not continuously re-shared and sold by other entities downstream.

Frequently asked questions

Was this a hacker breach?

No. A single user “affiliated with a licensed healthcare provider” had legitimate MnCHOICES credentials and used them to view records far beyond what their authorized role required. This is insider credential abuse, not external intrusion. The provider entity has not been publicly named.

Why is no credit monitoring offered?

DHS cited the limited nature of the accessed data: the dataset contained the last 4 digits of SSN rather than the full number, and no financial account information. DHS concluded that the standard credit-monitoring response was not warranted. You can still place free credit freezes and pull free credit reports yourself.

Should I sue?

As of mid-May 2026, no class action complaint has been filed in either federal or state court over this breach. Two plaintiffs’ firms (Lynch Carpenter and Srourian Law Firm) have publicly announced investigations and are accepting affected individuals. Sovereign immunity makes suing the state agency directly difficult; FEI Systems (the private vendor) is the more likely primary defendant if a complaint is eventually filed. We are not a law firm and cannot give legal advice.

What is MnCHOICES and why was I in the database?

MnCHOICES is the assessment instrument used to determine eligibility for Home and Community-Based Services waivers, Personal Care Assistance, nursing-facility level-of-care, and disability waivers in Minnesota. If you, a family member you care for, or someone you support has gone through a Minnesota long-term-care or disability assessment, your record is in MnCHOICES. The system covers people of any age with disabilities or long-term-care needs.

Is HealthConsent affiliated with Minnesota DHS or FEI Systems?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.