Threat Actor: Phishing campaign | Phishing campaign
Victim: LA County’s Department of Public Health | LA County’s Department of Public Health
Price: N/A
Exfiltrated Data Type: Personal information, including names, dates of birth, diagnoses, prescriptions, medical record numbers, Medicare/Med-Cal numbers, health insurance information, Social Security Numbers, and other financial information.
Additional Information :
- The data breach occurred between February 19 and February 20, 2024.
- Threat actors obtained the log-in credentials of 53 Public Health employees through a phishing campaign.
- Impacted individuals may have had different elements of their personal information compromised.
- Public Health disabled the impacted email accounts, reset and reimaged the user’s devices, blocked the origin websites of the attack, and quarantined suspicious incoming emails.
- Impacted individuals are being notified by mail.
- Public Health has implemented enhancements to reduce exposure to similar email attacks in the future.
- DPH cannot confirm if any information has been accessed or misused.
- Impacted individuals are recommended to review the content and accuracy of their medical records with their medical providers.
- The agency is offering entitled individuals free credit and identity monitoring services.
The LA County’s Department of Public Health announced that the personal information of more than 200,000 was compromised after a data breach that occurred between February 19 and February 20, 2024.
Threat actors obtained the log-in credentials of 53 Public Health employees through a phishing campaign.
“Between February 19, 2024, and February 20, 2024, the Los Angeles County Department of Public Health experienced a phishing attack in which a hacker was able to gain log-in credentials of 53 Public Health employees through a phishing email, compromising the personal information of more than 200,000 individuals.” reads the notice of data breach published by DPH.
Upon discovering the phishing attack, Public Health disabled the impacted email accounts, and reset and reimaged the user’s device. The organization also blocked websites that was the origin of the attack and quarantined all suspicious incoming emails.
Potentially compromised e-mail accounts may have included DPH clients/employees/other individuals’ first and last name, date of birth, diagnosis, prescription, medical record number/patient ID, Medicare/Med-Cal number, health insurance information, Social Security Number, and other financial information.
“Affected individuals may have been impacted differently and not all of the elements listed were present for each individual.” continues the notice.
LA County’s Department of Public Health is notifying impacted individuals by mail.
The company is informing the U.S. Department of Health & Human Services’ Office for Civil Rights and other relevant agencies.
In response, Public Health has implemented numerous enhancements to reduce exposure to similar e-mail attacks in the future.
At the time of this writing, DPH cannot confirm if any information has been accessed or misused. The company recommends that impacted individuals review the content and accuracy of their medical records with their medical providers.
DPH announced it has implemented several enhancements to reduce exposure to similar email attacks in the future.
The agency is also offering entitled individuals free credit and identity monitoring services.
In April, the Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.
Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.
The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.
“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”
The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
Social Security Numbers (SSN) or financial information was not compromised.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LA County’s Department of Public Health)
Original Source: https://securityaffairs.com/164585/data-breach/la-countys-department-of-public-health-dph-data-breach.html