Data Disaster: Los Angeles Public Health Department Suffers Biggest Data Breach

Published on : 19 Jun 2024

los angeles data breach

On June 17, 2024, the Los Angeles County Department of Public Health (DPH) disclosed a data breach impacting more than 200,000 clients, employees, and other individuals. The stolen data includes personal, medical and financial information.

The DPH said the incident took place between February 19-20, 2024, was caused by a gang of cyber criminals who gained access to the log-in credentials of email accounts of 53 employees through a phishing email. The email was crafted to appear as if it had been sent from a legitimate source asking the employees to log-in, which allowed the criminals to gain access. It, however, did not disclose when the breach was detected. 

The DPH which serves approximately 10 million people in the Los Angeles County said the information identified in the affected email accounts contained the personally identifiable (PI) and protected health information (PHI) of clients who received services from them. It further added that the information exposed varied from individual to individual and may have included first and last names, dates of birth, diagnoses, prescriptions, medical record numbers, etc. 

Preventive measures and responses 

Following the discovery of the breach, the Department of Public Health disabled all the impacted email accounts, reset and re-imaged the users’ devices, blacklisted the websites linked to the phishing attack, and all suspicious inbound. It has also begun training all its employees in email security, especially inbound emails. 

It has also notified impacted individuals by sending notifications via post to those whose mailing addresses were available. For individuals without a mailing address, DPH posted a notice on its website to provide necessary information and resources. 

The incident has been reported to the US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies as required by law and contractual obligations who are investigating the matter. 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.