By HFT Staff

On March 13, 2024, Children’s Minnesota’s investigation into suspicious email account activity identified unauthorized access to two employee email accounts. They took immediate steps to secure the accounts and began an investigation with the assistance of a computer forensics firm. Their investigation determined the email accounts were accessed for brief periods between February 29, 2024, and March 25, 2024. They began a detailed review and analysis of the email accounts’ contents, which is ongoing. 

Based on their review to date, the information involved is related to some patients within the surgical services department. The information may include patients’ names, and one or more of the following: address, date of birth, insurance carrier, medical record number, provider name, treatment cost information, and/or limited treatment information related to care received at Children’s Minnesota (such as diagnosis codes or procedure information). Importantly, financial account, credit card information, and Social Security numbers were not contained in the affected email accounts. 

This incident did not affect all Children’s Minnesota patients; only some patients within the surgical services department whose information was included in the employees’ email accounts. Children’s Minnesota’s medical and electronic health records systems are separate from their email accounts and were not involved. 

Children’s Minnesota is taking steps to help prevent something like this from happening again, including providing continued privacy and cybersecurity training to their staff and identifying additional safeguards that can be implemented to enhance the security of their email environment. 

Children’s Minnesota is mailing notification letters to all patients whose information may have been included in the email accounts in the coming weeks.