HMIS News

Recent Data Intrusion: What Happened, What We Did, What's Different Now

The ICA Leadership and HMIS Governing Board would like to inform you of an intrusion that occurred in Minnesota’s HMIS.

What happened? On January 24, 2022, ICA learned that an individual gained unauthorized access to Minnesota’s HMIS. This individual was able to view and alter client records, which contain personally identifying information.

ICA immediately inactivated the account and launched an audit investigation to understand the impact.

Since then, we have worked swiftly on three fronts: consulting with our legal counsel, leadership, and HMIS Governing Board; examining our internal procedures that allowed this event to occur; and notifying affected clients and agencies.

Here is a summary of our findings and response:

  • Eleven client files were accessed; some of these clients were known to the person who gained access.

  • We are doing all we can to notify each affected client in writing and are offering them identity theft protection and credit score monitoring. We have reached 4 of 11 so far.

  • All agencies who most recently served an affected client have been reached by phone.

  • Effective January 31st, 2022, ICA implemented changes to user training, system set up, and billing processes to safeguard against this happening again.

In partnership with HMIS users, we consider ourselves custodians of client data and take this event seriously. Read on for a detailed account of events and the actions we have taken in response.

How did this happen? An individual completed user training under false pretenses. Prior to this incident, ICA allowed new users to register on their own behalf, including their program and employer. Once this individual completed training, ICA granted them access to HMIS under the agency provider tree listed on their registration.

Is this widespread? No. There were 11 client records accessed.

Were client records in HMIS altered? A small number of clients' records were altered, but they have since been corrected. To the best of our knowledge, there is no effect on any client's housing or benefit status in HMIS.

Were my clients affected? All agencies who most recently served an affected current or former client have been reached by phone. They will also be issued a letter this week. If you did not receive a phone call from our HMIS Director, your programs and clients are unaffected.

What is ICA doing to help? ICA has arranged for the affected clients to have 12 months of credit score monitoring and identity theft protection if they choose. We are also immediately changing internal policies to prevent recurrence of a similar event.

What is the HMIS Governing Board doing to help? The board is providing oversight and ensuring ICA is taking right and transparent actions to correct course. The board will prioritize reviewing HMIS policies and practices related to system access.

What changes is ICA making to prevent this from happening again?
Effective January 31st, 2022, ICA implemented several strategies to safeguard user training, set up, and billing processes:

  1. Prospective users will no longer be able to register for training on their own behalf. Instead, a trusted contact, like a supervisor, at the individual's agency must submit the form. You can learn more by visiting our HMIS Training webpage.

  2. Additional user information will be collected at registration.

  3. When a prospective user completes training, a “training complete” email will be sent to the trusted agency contact.

  4. We increased the strength of temporary passwords we assign so they are randomized and unique.

  5. ICA will notify agencies’ billing contact when an unused/held license is requested and assigned.

Please note that these changes will extend ICA’s response time from 2 to 3 days.

What was the timeline of events?

  • September 2021 – Individual completed user training.

  • September 2021 – Individual was set up with HMIS access.

  • October 2021 – January 2022 – Individual logged in 26 times, mostly viewing records, and altering and creating a few.

  • January 24, 2022 – A user alerted ICA’s helpdesk when they saw their client enrollment numbers were not what they expected. Through this exchange with the agency, we uncovered that the data discrepancy was caused by the individual’s data entry. The user account was immediately inactivated.

  • January 25, 2022 – ICA Minnesota notified internal leadership and our HMIS Governing Board; frequent communication begins. ICA leadership also immediately engaged legal counsel.

  • January 27, 2022 – Audit investigation complete. ICA learned the extent of clients viewed was limited to 11 people who had HMIS records active between 2012 - 2022.

  • January 28 – February 3, 2022 – ICA directly notified agencies who were the most recent contact for the client record.

  • February 7-11, 2022 – Client and agency letters issued by mail.

  • February 11, 2022 – HMIS community notified.

In partnership with HMIS users, we consider ourselves custodians of agency and client data. We take this event seriously. We believe the actions we have taken and changes we made will prevent an incident like this from happening in the future.

We thank you for your continued trust and partnership.

Please contact our HMIS Director, Britt Heinz-Amborn, at britt.heinzamborn@icalliances.org or our HMIS Governing Board Chair, Joel Salzer, at joel.salzer@state.mn.us with any questions.
