Data Breach Revealed by Los Angeles County Health Services

Threat Actor: Phishing attackers | Phishing attackers
Victim: Los Angeles County Department of Health Services | Los Angeles County Department of Health Services
Price: Not mentioned
Exfiltrated Data Type: Personal and health information (e.g., name, date of birth, address, phone number, email, medical records, health plan information)

Additional Information :

  • The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients.
  • The breach occurred after a phishing attack that targeted over two dozen employees.
  • The phishing attack took place between February 19, 2024, and February 20, 2024.
  • Attackers obtained the credentials of 23 DHS employees.
  • The compromised information varied for each individual, potentially exposing personal and health information.
  • Social Security Numbers (SSN) or financial information was not compromised.
  • The Los Angeles County Department of Health Services took several steps in response to the breach, including conducting an administrative review, implementing additional controls, and enhancing employee training on identifying and responding to phishing campaigns.
  • DHS is notifying affected individuals and relevant regulatory agencies as required by law or contract.
  • The DHS encourages patients to review the content and accuracy of their medical records and provides recommendations to protect their information.

The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.

Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.

The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.

“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”

The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

Social Security Numbers (SSN) or financial information was not compromised.

The Los Angeles County Department of Health Services took several steps in response to the security breach, including conducting an administrative review, implementing additional controls to prevent future attacks, and enhancing employee training on identifying and responding to phishing campaigns.

DHS is going to notify affected individuals and relevant regulatory agencies, including the California Department of Public Health and the U.S. Department of Health & Human Services’ Office for Civil Rights, as required by law or contract.

The DHS encourages patients to review the content and accuracy of the information in their medical records with their medical provider. The company is also providing recommendations to patients to protect their information.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Los Angeles County DHS)



Original Source: https://securityaffairs.com/162494/data-breach/los-angeles-county-department-of-health-services-data-breach.html