Hennepin County is responding to a cyberattack that saw hackers gain access to the email accounts of around 20 employees.
While this is a small fraction of the 9,300 staff the county employs, the attackers used the access to send malicious emails from the Hennepin County accounts, which looked as if they had been genuinely sent by a county worker.
It's also possible they accessed emails that contained private data about residents for whom the county provides services, with officials currently in the process of evaluating how much information has been compromised.
The county said the attackers infiltrated the accounts using phishing emails that started arriving at the end of June.
It has now referred the matter to the FBI for investigation, as well as notifying various vendors with which it has a business relationship.
"Hennepin County takes its responsibility to protect resident data very seriously," Jerome Driessen, the county's chief information officer, said.
"We continue ongoing employee training and education. We also continuously enhance IT security measures to prevent increasingly sophisticated cyberattacks, and we hope this announcement can further dialogue about the increasing threats to all organizations’ cybersecurity."
In a phishing attack, hackers disguise emails that contain a link or attachment for the recipient to click or download, which gives the hacker sensitive information or access to the account in the process.
Driessen says that Hennepin County is increasingly facing the threat of phishing attacks, "like many organizations."
"We’ve been aggressively responding to and monitoring activity since the first indication, and increased our efforts to protect staff this week," he added.