On June 17, 2024, the Los Angeles County Department of Public Health (DPH) disclosed a data breach impacting more than 200,000 clients, employees, and other individuals. The stolen data includes personal, medical and financial information.
The DPH said the incident took place between February 19-20, 2024, was caused by a gang of cyber criminals who gained access to the log-in credentials of email accounts of 53 employees through a phishing email. The email was crafted to appear as if it had been sent from a legitimate source asking the employees to log-in, which allowed the criminals to gain access. It, however, did not disclose when the breach was detected.
The DPH which serves approximately 10 million people in the Los Angeles County said the information identified in the affected email accounts contained the personally identifiable (PI) and protected health information (PHI) of clients who received services from them. It further added that the information exposed varied from individual to individual and may have included first and last names, dates of birth, diagnoses, prescriptions, medical record numbers, etc.
Preventive measures and responses
Following the discovery of the breach, the Department of Public Health disabled all the impacted email accounts, reset and re-imaged the users’ devices, blacklisted the websites linked to the phishing attack, and all suspicious inbound. It has also begun training all its employees in email security, especially inbound emails.
It has also notified impacted individuals by sending notifications via post to those whose mailing addresses were available. For individuals without a mailing address, DPH posted a notice on its website to provide necessary information and resources.
The incident has been reported to the US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies as required by law and contractual obligations who are investigating the matter.