Chairman Cassidy Expands Oversight into Democrats’ Cybersecurity Failures, Sounds Alarm on Minnesota Governor Walz

WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA), Chairman of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, slammed Minnesota Governor Tim Walz after his state’s health department recklessly exposed hundreds of thousands of patients' private data.

The Minnesota Department of Human Services (DHS) recently admitted a cyberbreach exposed 300,000 Americans’ private data, including highly sensitive information such as Social Security numbers and medical data.

“Cyber criminals continue to exploit vulnerabilities to gain access to this data, potentially using it to interrupt care and commit fraud,” wrote Dr. Cassidy. “As hostile actors use more sophisticated methods to obtain health information, government stewards of protected health information (PHI) must all take robust steps to deter these attacks.”

Some states have repeatedly failed to protect families’ private and oftentimes sensitive information from cyber criminals. Cassidy recently called out Illinois Governor JB Pritzker after his health department repeatedly allowed more than a million American’s private information to be accessed and failed to notify consumers within the required period under the law.

Earlier this Congress, the HELP Committee passed Cassidy’s Health Care Cybersecurity and Resilience Act to further protect Americans’ health data. He has investigated several cybersecurity lapses, including those by OPEXUS and UnitedHealth Group.

Read the full letter here or below:

Dear Commissioner Gandhi:

Protecting the privacy and security of sensitive health information is essential to ensure that patients receive the best care and that their information is not misused. Cyber criminals continue to exploit vulnerabilities to gain access to this data, potentially using it to interrupt care and commit fraud. In 2025, there were 628 reported health care data breaches. As hostile actors use more sophisticated methods to obtain health information, government stewards of protected health information (PHI) must all take robust steps to deter these attacks.

The recent announcement by the Minnesota Department of Human Services (DHS) raises questions about its commitment to data security. On January 16, 2026, the Minnesota DHS disclosed that the PHI of over 300,000 individuals had been accessed by a third-party vendor without authorization. Of those 300,000, over 1,200 individuals had sensitive information such as Social Security and medical information accessed.

The Minnesota DHS has thus far been unable to fully identify what information was accessed for each impacted individual. The Minnesota DHS has also declined to offer free credit monitoring services to impacted individuals, despite recommending individuals request a copy of their credit report.

Minnesota DHS provides support to Minnesota residents, including food, health care, housing, and child care services. Given Minnesota DHS’ role in helping vulnerable communities, its failure to identify the full scope of the incident and offer basic remedial support in light of a cybersecurity incident is unacceptable. To that end, I request answers to the following questions by April 14, 2026.

1. Minnesota DHS has stated that it first became aware of the security incident it disclosed on January 16, 2026 on November 19, 2025.
1. What immediate steps did Minnesota DHS take to respond to the incident?
2. Did Minnesota DHS notify any state or federal entities? If so, please provide a list of those entities and when Minnesota DHS notified them.
2. Minnesota DHS has indicated that the security incident was a result of a third party “access[ing] more data than was reasonably necessary.”
1. What steps has Minnesota DHS taken to identify information affected by the security incident?
2. What security practices does Minnesota DHS employ to ensure its infrastructure has adequate security protocols in place?
3. Does Minnesota DHS conduct any security audits of its information technology (IT) infrastructure? If so, when was the last time Minnesota DHS conducted an audit, and what was the conclusion of that audit?
4. Minnesota DHS has stated that it has “implemented additional technical safeguards to prevent similar incidents in the future.” What technical safeguards does Minnesota DHS intend to implement?
3. Minnesota DHS has recommended that impacted individuals request access to their credit reports to monitor potentially suspicious transactions. Minnesota DHS, however, has declined to provide free credit monitoring “due to the limited nature of the data accessed.”
1. Why did Minnesota DHS decline to provide free credit monitoring?
2. Has Minnesota DHS committed to providing any other support to impacted entities? If so, what support has Minnesota DHS committed to providing?

Sincerely,

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.