Hacks at Twin Cities medical firms affect more than 1 million customers

Two Twin Cities health care companies are reporting that major data breaches revealed, between the two of them, the vital personal information of 1.35 million people.

This week, Minneapolis-based MNGI Digestive Health disclosed that nearly 766,000 consumers were affected by a data breach. Last month, Eden Prairie-based Consulting Radiologists reported a hack that affects nearly 584,000 people.

Hackers have found particular success in the health care sector, and 2023 was a record year for both the number of data breaches and the number of people affected, according to the HIPAA Journal, a news site covering health care data privacy.

This year started out with an arm of Minnetonka-based UnitedHealth Group being hit by a massive hack that may have affected tens of millions of people. The February breach gummed up operations at United’s Change Healthcare, a clearing house for electronic health claims across the country.

MNGI Digestive Health, a gastroenterology specialist with 11 Twin Cities clinics, reported Monday a “data security incident” involving patients and employees.

Social Security, driver’s license and passport numbers were included in the breach, as were birthdates and medical, health insurance and payment information, MNGI’s online notification said. MNGI added that it “was not aware of the misuse” of anyone’s information.

MNGI “discovered unauthorized activity” on its network in August 2023, but the company didn’t identify people whose personal data was potentially exposed until June 7. In a report to the Maine Attorney General’s Office, MNGI said that 765,937 people nationwide were affected by the hack.

MNGI declined to comment beyond its public statements.

Consulting Radiologists reported a data breach on its website on June 14. The company does teleradiology for more than 100 health care facilities in and around Minnesota, and it has on-site radiology services at 22 hospitals and clinics, including Abbott Northwestern.

On its website, Consulting Radiologists said it “detected suspicious activity” on its network on Feb. 12. A few days later, the Pioneer Press reported that Consulting Radiologists went “offline” due to a cyberattack, temporarily severing service to some customers.

On April 17, Consulting Radiologists discovered its data had been compromised — including names, addresses, birthdates, and medical and health insurance information. The breach also included Social Security and driver’s license numbers for a “small subsets of patients,” the company said on its website.

One patient from Plymouth received a notification this week from her identity theft protection service that her Social Security number had been found on the dark web. The notification cites the Consulting Radiologists hack.

On its website, Consulting Radiologists said it had no evidence that compromised information had been used for nefarious purposes. The company did not respond to requests for further comment.

The data breach affected 583,824 people, Consulting Radiologists said in a report to the U.S. Department of Health and Human Services (HHS), which tracks medical-related hacks.

The hacks at Consulting Radiologists and MNGI would rank among the top 20 of about 370 medical data breaches through mid-July, HHS data indicates. The biggest health care hack this year was at California-based Kaiser Foundation Health Plan, which affected 13.4 million people.

The largest ever U.S. health care cyberattack involved nearly 79 million people and occurred in 2015 at health insurer Anthem.

Health care is particularly vulnerable to cyberattacks, owing to its “high propensity to pay a ransom, the value of patient records and often inadequate security,” according to a February 2023 report by HHS. Hackers often post stolen data on the dark web, demanding ransom from their targets.

Last year, there were 725 data breaches in the health care sector affecting 133 million people — both record numbers, according to the HIPPA Journal. Those 2023 numbers included big hacks at two Twin Cities companies.

Minneapolis-based PBI Research Services, which combs death records to help insurers and pension funds save money by not overpaying benefits, reported a data breach affecting 1.87 million people. Radius Global Solutions, a Bloomington-based debt collector that serves the medical business and other industries, disclosed a hack involving 600,794 people.