Minnesota IT Services (MNIT) Commissioner Johanna Clyborne faced criticism during an Oct. 17 state Senate hearing for the four-month delay in informing victims of two phishing attacks that exposed PHI and other personal information on 20,800 clients of the Minnesota Department of Human Services (DHS).
Hackers accessed the email accounts of two DHS employees through phishing campaigns in late June and early July. However, victims were not notified until October.
Information that may have been compromised in the attacks included names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment information, and financial information.
“The MNIT security team is not fully resourced to address these persistent threats. Regardless of those resource constraints, I’m very disappointed, and frankly angry, that it took us far too long to alert our partners in regard to the DHS potential breach that had occurred. The delay was unacceptable,” Clyborne told the state Senate Health and Human Services Finance and Policy Committee.
“Due to the significant increase in phishing attacks this summer, we were unable to perform deep analysis into the email box contents as we had done previously. To accommodate that workload, we now provide details of all compromised accounts to agency data practices or privacy staff, allowing them the first opportunity to analyze the potentially exploited data,” she related.
Clyborne said that this year her security team dealt with over 700 security incidents involving state government agencies, including 150 serious phishing attacks. Since July, her security team has identified 1,600 phishing emails targeting state employees, averaging 22 per day.
MNIT CISO Aaron Call testified that his team discovered the first breach on June 28, determined that it was low risk, and put it aside. On Aug. 8, the team received additional information, prompting it to reopen the investigation into the first compromised account. Further investigation resulted in a greater urgency to inform DHS staff.
“This incident prompted us to change our process. Instead of making the assessments, prioritizing, and setting [a low-risk incident] aside, the team now immediately provides the information about an incident to all of our agency partners’ privacy and data practices staff so they can be aware of it and perform their own due diligence as necessary,” Call related.
The second incident, which was discovered on July 9, was immediately assessed as a higher-risk incident, and DHS was informed on July 10, he said. The MNIT security staff continued its investigation and provided a final report on the phishing attacks to DHS on Aug. 13.
Call said that the Minnesota state government averages 80 incidents a month requiring manual analysis or time investment from the incident response security staff. This year, the state government had seen 240 known compromised credentials. The frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding, he noted.
State Sen. Mary Kiffmeyer asked: “Why was there a lapse of four months before folks were notified of the compromise of their private data? What are you going to do to ensure that all agencies have a direct connection to MNIT so that when you have an incident, there is a chain of command where it gets reported to the right people?”
Clyborne responded that the process changes are designed to address the delay in notification. MNIT is considering sending monthly reports to the state agencies identifying targets and threat level. MNIT also is requesting funding for security tools designed to filter out phishing attacks.
State Sen. Melissa Wiklund asked if the process changes implemented by MNIT could overwhelm other agency IT staff, which wouldn’t have the same forensic expertise as MNIT.
Wiklund also asked about the timeline to notify victims about a breach. Clyborne answered that it would be up to the particular agency as to the notification timeline.
The problems of increased cyberattacks, cybersecurity skills shortage, lack of financial resources, and inadequate processes discussed during the hearing are the same problems confronted by healthcare cybersecurity teams. There are no easy solutions to these issues, either for governments or healthcare organizations.