Following a recent phishing attack that affected over two dozen employees, the Los Angeles County Department of Health Services revealed a data breach exposing thousands of patients’ personal and medical information.
The department is the second-largest public health care system in the nation, behind NYC Health + Hospitals, and runs the public hospitals and clinics in L.A. County, the most populous county in the nation.
What Do We Know About the Attack?
According to a data breach notification sent to potentially affected individuals, 23 employees had their credentials stolen in a February attack.
L.A. County Health Services told BleepingComputer in a statement that, after an administrative review conducted by the DHS, it determined that the information of approximately 6,085 individuals may have been impacted.
Between February 19, 2024, and February 20, 2024, DHS experienced a phishing attack. Specifically, a hacker was able to gain log-in credentials of 23 DHS employees through a phishing e-mail… In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.
L.A. County Health Services (Source)
Following the breach, the attackers got their hands on a combination of personal and health information including:
- First and last name, date of birth, home address, phone numbers, e-mail address, medical record number, client identification number, dates of service;
- Medical information such as diagnosis/conditions, treatments, test results, medications, etc.;
- Health plan information.
Social Security Numbers (SSNs) and financial information were not among the data kept in the compromised email accounts, though the impact may vary from one affected individual to another.
As soon as it learned about the hack, L.A. County Health Services disabled the impacted email accounts, reset and re-imaged the compromised employees’ devices, and quarantined all suspicious incoming emails. All staff members also received awareness notifications advising them to exercise caution when reading emails, particularly ones that contain attachments or links.
The U.S. Department of Health & Human Services’ Office for Civil Rights, the California Department of Public Health, and other relevant agencies will also be notified about the data breach.
Furthermore, L.A. County Health Services recommends that impacted patients get in touch with their healthcare providers to confirm the veracity and content of their medical records, even though the investigation yielded no proof that the attackers had access to or misused the exposed personal and health information.