Hackers Accessed 53 Los Angeles County Department of Public Health Email Accounts
Hackers conducted a phishing campaign on Los Angeles County Department of Public Health employees, accessed 53 email accounts, and potentially stole the data of more than 200,000 clients, employees, and other individuals. The massive email breach was announced by the Department of Public Health on Friday, which confirmed that the email accounts were compromised between February 19 and February 20, 2024. The emails were crafted to appear that they had been sent by a legitimate and trustworthy sender and contained a hyperlink in the message body to a malicious website. The website appeared to be legitimate and asked the employees to log in, which allowed the attackers to steal their credentials and use them to access their email accounts.
The review of the affected email accounts confirmed that they contained the personally identifiable and protected health information of clients who received services from the Department of Public Health, employees, and other individuals. The information exposed varied from individual to individual and may have included first and last names, dates of birth, diagnoses, prescriptions, medical record numbers, patient ID numbers, Medicare/Medi-Cal numbers, Social Security numbers, financial information, and health insurance information.
The Department of Public Health did not disclose when the phishing attack was detected but did say that notification letters would have been sent sooner; however, law enforcement requested the Department of Public Health delay issuing notifications so as not to hinder the investigation. Upon discovery of the attack, the affected email accounts were disabled, user devices were reset and reimaged, the websites linked in the phishing campaign have been blacklisted, and all suspicious inbound emails have been quarantined. The workforce has been re-educated on email risks, especially inbound emails containing links and attachments, and several enhancements have been made to improve email security.
While sensitive data has been exposed, it was not possible to determine whether that information was accessed or copied. As a precaution, the affected individuals have been offered a complimentary 1-year membership to an identity theft monitoring service, which includes credit monitoring, fraud consultation, and identity theft restoration services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The incident has been reported to regulators, including the HHS’ Office for Civil Rights (OCR), but it is not yet showing on the OCR breach portal, so it is currently unclear exactly how many individuals have been affected.
