Notice of Data Privacy Incident

Hennepin Healthcare 11/3/2023 – Hennepin Healthcare is providing notice of a data privacy incident involving a third party business partner, Westat, Inc. (“Westat”), that may impact a limited number of individuals’ information. Hennepin Healthcare partners with Westat to participate in a health-related study conducted by a governmental agency. Westat received information from Hennepin Healthcare to provide research support services for this study. Hennepin Healthcare is unaware of any misuse of individual information and is providing this notice out of an abundance of caution.

Westat utilized MOVEit Transfer (“MOVEit”) third-party software to manage data it collected and/or maintained on behalf of Hennepin Healthcare. On May 30, 2023, Westat detected unusual activity occurring in its MOVEit instance and the following day MOVEit announced a zero-day vulnerability that had impacted a large number of companies across various industries. Westat immediately took steps to ensure the security of its environment, and with the assistance of third-party forensic specialists, conducted an investigation to determine the nature and scope of the activity.

The investigation determined that certain data stored on the MOVEit server may have been copied without authorization between May 28 and May 29, 2023. Westat conducted a detailed review of data involved to determine the type of information that was present and to whom it related. This review confirmed that certain information belonging to medical providers was present in the impacted data and was accessed or acquired during the MOVEit incident. Upon completion of this analysis, Westat notified governmental agency partners and impacted medical providers and is now providing notification to impacted individuals at the direction of certain impacted medical providers, including Hennepin Healthcare.  Westat also notified federal law enforcement, the U.S. Department of Health and Human Services, and other regulators, as required.

The types of personal information that may have been copied by the unauthorized actor include: Your name, medical record number/identifier, birth date, age, gender, date and/or time of service, condition or disposition, discharge destination, diagnosis, and provider and/or department information.

Individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity. Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.

Individuals seeking additional information regarding this incident can call Westat’s dedicated, toll-free number at 1-888-566-8328. Individuals may also write to Westat at Westat, Inc., 1600 Research Blvd, Rockville, MD 20850.