MINNEAPOLIS (AP) — Minnesota's legislative auditor said Friday he's investigating a data privacy breach at the Department of Natural Resources in which an employee accessed the driving or motor vehicle records of about 5,000 people without authorization.
That list includes several journalists, attorneys and government employees, and possibly some legislators.
The DNR announced the breach Tuesday, saying the employee was no longer with the agency, and that it found no evidence the data was sold, disclosed to others or used for criminal purposes. The agency also said the state Bureau of Criminal Apprehension was investigating the breach, but no charges had been filed.
Legislative Auditor Jim Nobles declined to say what he has learned so far about the breach. The DNR has declined to release the employee's name or his or her position within the agency.
"We are following up with the Bureau of Criminal Apprehension to have a good understanding of what they have already done and what they need to do further," Nobles said, adding that his office doesn't want to interfere with or duplicate the investigation into potential criminal charges.
Officials haven't said why the former employee accessed the records, but the DNR sent notifications this week to the 5,000 affected Minnesotans.
Several journalists received the letters, including two Associated Press reporters and reporters at Twin Cities newspapers and television stations. Several lawyers, court personnel and state government employees also have said they received the notices.
It's not clear whether the former DNR employee accessed their records as part of any pattern or just by coincidence.
"It's weird. I mean, it's just weird," said Rep. Rick Hansen, DFL-South St. Paul, who sent Nobles a letter Thursday saying it would be prudent for him to investigate.
Hansen said he became concerned when he started seeing reports that the breach included reporters, and he later heard from colleagues that several legislators had also received the same letters, though he said he didn't know who.
"It starts out as a small story and it gets to be more complex," Hansen said. "The auditor has the ability and authority to get to the bottom of this. He's done that before and I have confidence in his skill and professionalism to do it again."
It's illegal to access drivers' license data without a legitimate government purpose, but past investigations have found that misuse is common and several public employees have faced discipline for it. In one case, several cities recently agreed to pay more than $1 million to a former Eden Prairie police officer who alleged her private data was improperly viewed by more than 140 officers from various departments.
Because personal data was accessed, Nobles said his office must determine why the breach happened, how it was discovered and how quickly and effectively the DNR responded, as well as how data security can be improved to prevent a reoccurrence.
Nobles noted his office had already been looking into the broader issue of how law enforcement officers use state databases, primarily the big drivers' license database. Those findings are expected next month.
DNR officials have declined to say whether the former employee was fired or resigned.
The agency denied an AP request for more information under the state's open records law, saying the information is private until a "final disposition" is reached. DNR data practices compliance officer Sheila Deyo wouldn't elaborate, but the portion of the law she cited in denying the AP's request suggests the former employee may be contesting his or her departure from the agency.
Annamarie Hill-Kleinhans, the executive director of the Minnesota Indian Affairs Council, said she received one of the DNR's letters and took the steps it recommended to protect herself against identity theft.
She said the case highlights the need for people to protect themselves against identity theft before it happens.
"At this point nothing surprises me," she said. "I just think it's the world we live in."