Minnesota Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A detailed timeline of major cybersecurity incidents in Minnesota, from the Target breach to healthcare system compromises, and what businesses can learn from them.

Minnesota's economy spans some of the most data-intensive industries in the country. The state is home to 16 Fortune 500 companies, including Target, UnitedHealth Group, Best Buy, and US Bancorp, all headquartered in the Minneapolis–Saint Paul metro area. The concentration of retail, healthcare, and financial services creates an unusually dense attack surface for cybercriminals. Minnesota also anchors one of the nation's largest healthcare ecosystems, centered on the Mayo Clinic in Rochester and the major hospital systems in the Twin Cities, generating enormous volumes of protected health information that commands premium prices on dark web markets.

The incidents documented below are not abstract case studies. Each one reveals specific vulnerabilities — from point-of-sale system weaknesses to phishing exploits targeting hospital staff — that remain relevant to Minnesota organizations today. Understanding this history is essential for any business developing a security posture that accounts for the state's unique cyber threat landscape and evolving data privacy requirements.

Major Cyber Incidents in Minnesota: A Timeline

2013 — Target Corporation Data Breach

The Target breach remains one of the most consequential retail cyberattacks in history. During the holiday shopping season of November–December 2013, attackers compromised Target's point-of-sale systems across nearly 1,800 stores nationwide, stealing credit and debit card data from approximately 40 million customers and personal information from an additional 70 million individuals. The attackers gained initial access through Fazio Mechanical Services, a Pennsylvania-based HVAC vendor that had network credentials for Target's systems. From there, they moved laterally through the Minneapolis-headquartered retailer's network to install RAM-scraping malware on POS terminals. Target ultimately paid $18.5 million in a multistate settlement, $10 million in a class-action settlement, and its CIO and CEO both resigned. The breach fundamentally changed how retailers approach network segmentation and vendor risk management.

2017 — Minnesota Department of Human Services Data Exposure

The Minnesota Department of Human Services (DHS) experienced multiple data incidents between 2017 and 2019 involving employee email account compromises. In the most significant incident, a state employee's email account was accessed by an unauthorized party, exposing the personal data of approximately 11,000 individuals who had received services from DHS. Exposed data included names, Social Security numbers, addresses, and details about services received. The incidents prompted a legislative audit and led to significant reforms in the state's email security practices, including mandatory multi-factor authentication for all state employees handling sensitive data.

2018 — Fairview Health Services Phishing Attack

Fairview Health Services, a Minneapolis-based nonprofit health system operating hospitals and clinics across Minnesota, disclosed that a phishing attack compromised employee email accounts containing protected health information. The breach affected approximately 2,600 patients, with exposed data including names, dates of birth, medical record numbers, and in some cases health insurance information. The incident highlighted the persistent vulnerability of healthcare organizations to credential harvesting attacks that bypass traditional perimeter defenses.

2019 — Allina Health Ransomware Incident

Allina Health, one of the largest healthcare systems in Minnesota with more than 100 clinics and 12 hospitals, experienced a ransomware incident that disrupted operations across multiple facilities. The attack forced some clinics to revert to paper-based record-keeping and delayed patient scheduling. While Allina stated that patient data was not exfiltrated, the operational disruption lasted several days and demonstrated how ransomware targeting healthcare systems can create patient safety risks even without data theft.

2020 — Xcel Energy Vendor Breach

Xcel Energy, the Minneapolis-based utility serving approximately 1.8 million electric customers across eight states, was affected by a third-party data breach in 2020. The breach originated through a vendor that provided data services to Xcel, exposing customer account information including names, addresses, and account numbers. While no financial data was compromised, the incident underscored the supply-chain risks facing critical infrastructure providers and the difficulty of maintaining security across an extended vendor ecosystem.

2021 — Entira Family Clinics Ransomware Attack

Entira Family Clinics, a network of primary care practices in the Twin Cities metro area, disclosed a ransomware attack that compromised the personal and medical information of approximately 200,000 patients. The Hive ransomware group claimed responsibility for the attack, which involved encryption of clinical systems and exfiltration of data including patient names, Social Security numbers, medical records, and health insurance details. The breach was one of the largest healthcare-specific incidents in Minnesota's history.

2023 — Minnesota Department of Education MOVEit Breach

The Minnesota Department of Education was among hundreds of organizations worldwide affected by the Clop ransomware gang's mass exploitation of a zero-day vulnerability in MOVEit Transfer file-sharing software in May–June 2023. The breach exposed personal data belonging to approximately 95,000 students in foster care and 124 students placed in schools through the Minnesota Department of Corrections. Exposed data included names, dates of birth, and county of placement. The incident illustrated how a single supply-chain vulnerability can simultaneously compromise government agencies regardless of their own internal security posture.

Minnesota Data Breach Notification Law

Minnesota's breach notification requirements are codified in Minnesota Statutes Section 325E.61. The law requires any person or business that owns or licenses data containing personal information to notify affected Minnesota residents following discovery of a breach. Notification must be made in the most expedient time possible and without unreasonable delay, though, unlike some states, Minnesota does not specify an exact day count. The law defines personal information as an individual's first name or first initial and last name combined with Social Security numbers, driver's license numbers, or financial account numbers.

Businesses must also notify the major consumer reporting agencies if a breach affects more than 500 Minnesota residents. With the passage of the Minnesota Consumer Data Privacy Act in 2024, organizations now face additional obligations around data handling and consumer rights that intersect with breach notification duties. For a complete analysis of these requirements, see our guide to Minnesota cybersecurity compliance.

Which Minnesota Industries Are Most Targeted?

Healthcare

Minnesota's healthcare sector, anchored by the Mayo Clinic, Allina Health, Fairview Health Services, and HealthPartners, generates vast quantities of protected health information. The Entira Family Clinics and Fairview breaches demonstrate that organizations of all sizes are targets. Healthcare records sell for $250–$1,000 per record on dark web markets — far more than credit card data — making this sector a persistent target for both ransomware operators and data thieves. Organizations should explore healthcare IT security strategies designed for clinical environments.

Retail

With Target and Best Buy both headquartered in the Twin Cities, Minnesota is a major hub for retail operations and the point-of-sale systems, e-commerce platforms, and customer databases they depend on. The 2013 Target breach proved that even the largest retailers can be compromised through vendor access, and the lesson applies to the thousands of smaller retailers throughout Minnesota that may have even fewer security controls.

Financial Services

US Bancorp, Ameriprise Financial, and Securian Financial are among the major financial institutions headquartered in Minnesota. Financial services firms face regulatory requirements from multiple agencies and are targeted by sophisticated threat actors seeking access to transaction systems and customer financial data.

How to Protect Your Minnesota Business

The pattern across Minnesota's breach history is clear: initial access comes most often through phishing, compromised vendor credentials, or unpatched software vulnerabilities. Defending against these vectors requires layered controls, not a single product.

  • Implement multi-factor authentication on all email accounts, VPN access, and privileged systems — phishing was the entry point in the DHS, Fairview, and multiple other Minnesota incidents

  • Assess vendor security rigorously — the Target and Xcel Energy breaches both originated through third-party access, and supply-chain attacks continue to grow in frequency

  • Maintain and test offline backups — ransomware incidents at Allina Health and Entira Family Clinics show that healthcare organizations in particular must be able to restore operations quickly

  • Patch file transfer and internet-facing systems promptly — the MOVEit vulnerability exploited in the Department of Education breach had a patch available, but the attack moved faster than many organizations' update cycles

  • Train all employees on phishing recognition — human error remains the most common initial access vector across every Minnesota industry

Many Minnesota organizations partner with managed IT services providers or managed security services firms to maintain continuous monitoring without building a full in-house security operations center.

Frequently Asked Questions

How quickly must a Minnesota business report a data breach?

Minnesota Statutes Section 325E.61 requires notification in the most expedient time possible and without unreasonable delay. Unlike states such as Texas (60 days) or Colorado (30 days), Minnesota does not set a specific day limit. However, regulators have indicated that delays beyond 60 days are likely to be considered unreasonable absent extraordinary circumstances. Businesses must also notify consumer reporting agencies if the breach affects more than 500 Minnesota residents.

What was the largest data breach in Minnesota history?

The 2013 Target breach is by far the largest, affecting approximately 40 million credit and debit card accounts and the personal information of up to 70 million additional individuals. While Target operated stores nationwide, the breach originated from and was managed out of the company's Minneapolis headquarters, making it fundamentally a Minnesota cybersecurity incident. Total costs to Target exceeded $300 million including settlements, legal fees, and remediation.

Are Minnesota healthcare organizations required to report breaches?

Yes, through multiple overlapping requirements. HIPAA requires covered entities and business associates to notify affected individuals within 60 days and report breaches affecting 500 or more individuals to the HHS Office for Civil Rights. Minnesota Statutes Section 325E.61 adds state-level notification requirements. The new Minnesota Consumer Data Privacy Act also creates obligations around the handling of health data by entities that may not be subject to HIPAA, broadening the scope of organizations with reporting duties.

Did Minnesota state agencies improve cybersecurity after the DHS breaches?

Yes. Following the 2017–2019 series of email compromises at the Department of Human Services, the Minnesota Legislature authorized additional funding for the state's cybersecurity office, known as Minnesota IT Services (MNIT). The state implemented mandatory multi-factor authentication for all employees with access to sensitive data, expanded security awareness training, and established a centralized incident response process. A subsequent legislative audit confirmed measurable improvements in the state's security posture, though it noted that ongoing investment would be necessary.

How did the MOVEit breach affect Minnesota specifically?

The MOVEit breach affected the Minnesota Department of Education, exposing personal data of approximately 95,000 students in foster care and 124 students placed through the Department of Corrections. The Clop ransomware gang exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer application. Minnesota was one of hundreds of organizations affected globally, but the exposure of foster care student data made it particularly sensitive and prompted the state to accelerate its review of third-party file transfer tools used across all agencies.

Alex Morgan

Updated Apr 4, 2026 · 9 min read