The Los Angeles County Department of Health Services disclosed a data breach after thousands of patients' personal and health information was exposed in a recent phishing attack impacting over two dozen workers.
This integrated health system operates the public hospitals and clinics in L.A. County (the most populous county in the United States) and is the second-largest public health care system in the nation after NYC Health + Hospitals.
As revealed in data breach notifications sent to potentially affected individuals, 23 workers had their mailboxes compromised after their credentials were stolen in a February attack.
As a result, the attackers gained access to patients' personal and health information stored in the workers' e-mail inboxes.
“DHS performed an administrative review and decided that roughly 6,085 people's information might have been impacted,” L.A. County Health Services told BleepingComputer in a statement.
“Between February 19, 2024, and February 20, 2024, DHS experienced a phishing attack. Specifically, a hacker was able to gain log-in credentials of 23 DHS workers via a phishing e-mail,” the notifications also revealed.
“In this case, the DHS workers clicked on the hyperlink located in the body of the e-mail, thinking that they were accessing a reliable message from a reliable sender.”
Documents and e-mails in the compromised mailboxes included a combination of patients' personal and health information, including:
- first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, consumer identification number, dates of service,
- medical information (e.g., diagnosis/condition, treatment, test results, medications),
- and/or health plan information.
Affected individuals may have been impacted differently, and the information stored in the breached e-mail inboxes did not include Social Security Numbers (SSNs) or financial information.
After discovering the breach, L.A. County Health Services disabled the impacted e-mail accounts, reset and re-imaged the compromised workers' devices, and quarantined all suspicious incoming e-mails. It also circulated awareness notifications to all workers, reminding them to always be vigilant when reviewing e-mails, especially those with attachments or links.
The health system will also notify the U.S. Department of Health & Human Services' Office for Civil Rights, the California Department of Public Health, and other relevant agencies of the data breach.
Furthermore, even though no evidence was found during the investigation that the attackers accessed or misused the exposed personal and health information, L.A. County Health Services advises affected patients to contact their healthcare providers to verify the content and accuracy of their medical records.
Update April 26, 05:20 EDT: Added L.A. County Health Services statement.