Pierluigi Paganini
April 29, 2024
The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.
Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.
The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.
“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”
The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
Social Security Numbers (SSN) or financial information was not compromised.
The Los Angeles County Department of Health Services took several steps in response to the security breach, including conducting an administrative review, implementing additional controls to prevent future attacks, and enhancing employee training on identifying and responding to phishing campaigns.
DHS is going to notify affected individuals and relevant regulatory agencies, including the California Department of Public Health and the U.S. Department of Health & Human Services’ Office for Civil Rights, as required by law or contract.
The DHS encourages patients to review the content and accuracy of the information in their medical records with their medical provider. The company is also providing recommendations to patients to protect their information.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Los Angeles County DHS)
