Minneapolis healthcare provider data breach impacted over 760k patients

Minneapolis-based healthcare provider MNGI Digestive Health said that the data security incident it suffered last year compromised the sensitive personal information of more than 760,000 individuals.

 

In a data breach notice filed with the Office of Maine Attorney General, MNGI said that on August 25, 2023, it discovered suspicious activity in its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“This investigation determined that unauthorised access to certain portions of its network occurred on August 20, 2023. Following a thorough and time-intensive review of the affected data, MNGI learned on June 7, 2024 that certain individuals’ personal and protected health information was potentially affected by this incident,” reads the notice.

 

The compromised data included names, dates of birth, Social Security numbers. driver’s license or state ID numbers, passport numbers, taxpayer ID numbers, financial account information, payment card information medical information, health insurance information, biometric data, patient account numbers, usernames and associated passwords.

 

MNGI’s filing with the state regulator revealed that at least 765,937 individuals were impacted by the incident.

 

“MNGI has implemented measures to enhance the security of its digital environment in an effort to minimize the risk of a similar incident occurring in the future,” the healthcare provider said in a letter to affected individuals.

 

While MNGI found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through CyEx to all affected individuals.

 

In September, the AlphV BlackCat ransomware group claimed responsibility for the cyber attack and listed MNGI as a victim on its data leak site. The group claimed to be in possession of more than 2TB of patients data and threatened to publish the same if its ransom demand was not met.