The Los Angeles County Department of Health Services disclosed a data breach after patients’ personal and health information was exposed in a recent phishing attack impacting over two dozen employees.
This integrated health system operates the public hospitals and clinics in L.A. County (the most populous county in the United States) and is the second largest public health care system in the nation after NYC Health + Hospitals.
As revealed in data breach notifications sent to an undisclosed number of potentially affected individuals, 23 employees had their credentials stolen in a February attack.
“Between February 19, 2024, and February 20, 2024, DHS experienced a phishing attack. Specifically, a hacker was able to acquire log-in credentials of 23 DHS workers via a phishing e-mail,” the notifications revealed.
“In this case, the DHS workers clicked on the link located in the body of the e-mail, thinking that they were accessing an authentic message from a reliable sender.”
Documents and e-mails in the compromised mailboxes included patients’ personal and health information, including a combination of:
- first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, consumer identification number, dates of service,
- medical information (e.g., diagnosis/condition, treatment, test results, medications),
- and/or health plan information.
Affected individuals may have been impacted differently, and the information stored in the breached e-mail inboxes did not include Social Security Numbers (SSNs) or financial information.
After discovering the breach, L.A. County Health Services disabled the impacted e-mail accounts, reset and re-imaged the compromised employees’ devices, and quarantined all suspicious incoming e-mails. It also circulated awareness notifications to all employees, reminding them to always be vigilant when reviewing e-mails, especially those with attachments or links.
The health system will also notify the U.S. Department of Health & Human Services’ Office for Civil Rights, the California Department of Public Health, and other relevant agencies of the data breach.
Additionally, although no evidence was found during the investigation that the attackers accessed or misused the exposed personal and health information, L.A. County Health Services advises affected patients to contact their healthcare providers to verify the content and accuracy of their medical records.
BleepingComputer reached out to an L.A. County Health Services spokesperson with additional questions about the incident, but a response was not immediately available.