The Los Angeles County Department of Health Services disclosed a data breach after thousands of patients’ personal and health information was exposed in a data breach resulting from a recent phishing attack impacting over two dozen employees.
This integrated health system operates the public hospitals and clinics in L.A. County (the most populous county in the United States) and is the second largest public health care system in the nation after NYC Health + Hospitals.
As revealed in data breach notifications sent to potentially affected individuals, 23 employees had their mailboxes compromised after their credentials were stolen in a February attack.
As a result, the attackers gained access to patients’ personal and health data stored in the employees’ e-mail inboxes.
“DHS conducted an administrative review and determined that approximately 6,085 individuals’ information may have been impacted,” L.A. County Health Services told BleepingComputer in a statement.
“Between February 19, 2024, and February 20, 2024, DHS experienced a phishing attack. Specifically, a hacker was able to gain log-in credentials of 23 DHS employees through a phishing e-mail,” the notifications also revealed.
“In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.”
Documents and e-mails in the compromised mailboxes included a mix of patients’ personal and health information, including:
- first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, consumer identification number, dates of service,
- medical information (e.g., diagnosis/condition, treatment, test results, medications),
- and/or health plan information.
Affected individuals may have been impacted differently, and the data stored in the breached e-mail inboxes did not include Social Security Numbers (SSNs) or financial information.
After discovering the breach, L.A. County Health Services disabled the impacted e-mail accounts, reset and re-imaged the compromised employees’ devices, and quarantined all suspicious incoming e-mails. It also circulated awareness notifications to all employees, reminding them to always be vigilant when reviewing e-mails, especially those with attachments or links.
The health system will also notify the U.S. Department of Health & Human Services’ Office for Civil Rights, the California Department of Public Health, and other relevant agencies of the data breach.
Additionally, even though no evidence was found during the investigation that the attackers accessed or misused the exposed personal and health information, L.A. County Health Services advises affected patients to contact their healthcare providers to verify the content and accuracy of their medical records.
Update April 26, 05:20 EDT: Added L.A. County Health Services statement.