Background on Data Privacy Incident and Frequently Asked Questions

Background on incident

At the end of January 2024, Allina Health was alerted to a concern involving a former Allina Health employee and began an investigation. On March 7, 2024, we determined that while employed by Allina Health, this individual inappropriately accessed certain health information of some patients.

It is important to note that this was not a cybersecurity attack.

Frequently Asked Questions

What information may have been involved? 

While the information affected may vary by individual, Allina Health determined that the information affected may have included:   

  • Name and date of birth
  • Address and contact information
  • Limited clinical information which may have included:  
    • Symptoms/Diagnosis/Treatment Information 
    • Medications 
  • Health insurance information
  • Photo ID
  • Last four digits of your social security number

This information DID NOT include:

  • Credit card numbers  
  • Banking information 

What measures have been taken to prevent this from happening again?

Allina Health is committed to protecting your privacy and understands that these types of events can cause concern. We recently implemented a more robust access monitoring system to audit employees' access to the electronic medical record and we continue to evaluate opportunities to enhance this system.

Will legal action be taken against the individual?

We cannot comment on potential legal matters.

Was my information involved and how will I know?

We have sent communication to individuals whose information may have been involved.

Have affected patients been notified?

Allina Health has notified those impacted by this incident. In addition, there is a link to the notice on AllinaHealth.org which will be in place for 90 days and a news release was sent out to relevant media outlets.

Has this incident been reported to the Government?

Allina Health notified the federal Office for Civil Rights of this incident. 

What can I do if my information was involved?

We are providing those individuals impacted a complimentary two-year membership of credit monitoring/identity protection services. Information about enrolling for these services can be found in the notification letter.

We recommend that you regularly review the explanation of benefits provided by your health care insurer, credit card statements, and bank accounts for suspicious activity. Any unusual service or charge should be reported to the appropriate financial institution, insurer, or health care program immediately. If you suspect that someone is using your personal information to obtain medical services or incur charges without your permission, please report this to the local police department immediately. 

For More Information

Patients who may have been impacted can call 888-387-9415 Monday – Friday from 8:00 AM to 6:00 PM (Central Time), beginning Monday, May 6, 2024.

I want to file a complaint; where can I do this?

You may file a complaint with the Allina Health Compliance and Privacy by writing to the following address:

Allina Health
Compliance and Privacy
Mail Route 10839
P.O. Box 43
Minneapolis, MN 55440-0043

If you would like to submit an additional complaint to the Office for Civil Rights you can submit your complaint on their website: (http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html), by email OCRComplaint@hhs.gov, or by mail:

Centralized Case Management Operations 
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201