Minnesota DHS notifies nearly 304,000 people of unauthorized access to MnCHOICES records

The Minnesota Department of Human Services has begun notifying nearly 304,000 individuals after unauthorized access was identified within MnCHOICES, a state system used to support assessments and service planning for residents requiring long-term services and supports. The department confirmed that the access involved demographic and related private welfare data and that the activity ended in September 2025.

The incident involved MnCHOICES, a system used by counties, Tribal Nations, and managed care organizations across Minnesota. The system is operated by FEI Systems, a third-party vendor responsible for managing the platform on behalf of the state. FEI Systems notified the department in November 2025 after detecting unusual user activity linked to an individual associated with a licensed health care provider.

The investigation determined that the user had legitimate authorization to access limited information in MnCHOICES but exceeded that access by viewing data that was not necessary for assigned duties. The unauthorized activity occurred between Aug. 28 and Sept. 21, 2025. Access for the user was fully terminated on Oct. 30, 2025.

According to the department, the incident affected the records of 303,965 individuals. For most, the accessed information was limited to demographic data. For 1,206 individuals, additional information was accessed, including some medical details and, in certain cases, the last four digits of Social Security numbers. The department said the forensic investigation identified the categories of data accessed but could not determine precisely which data elements were viewed for each individual.

The affected information is classified as private welfare data under Minnesota law and includes names, addresses, email addresses, phone numbers, dates of birth, sex, Medicaid identifiers, demographic characteristics, and eligibility-related data. Because of the limited nature of the access and the absence of confirmed misuse, the department said it is not offering free credit monitoring services to those affected.

A forensic investigation was ordered following the discovery of the incident. As of Jan. 16, 2026, when notification letters were issued, the department said no misuse of the accessed data had been identified. Additional technical safeguards have since been implemented to reduce the risk of similar incidents.

The DHS Office of Inspector General has been notified and is using data-driven processes to monitor billing information for potential inappropriate or fraudulent activity related to the incident. The department said any evidence of fraud would result in a full investigation and referral to law enforcement.

The department has asked individuals who receive notification letters to carefully review health care statements and report any suspicious charges or services to their providers. DHS said the user responsible for the unauthorized access no longer has any ability to access the MnCHOICES system.