Article Details
Scrape Timestamp (UTC): 2024-04-26 09:28:32.988
Original Article Text
Click to Toggle View
LA County Health Services: Patients' data exposed in phishing attack . The Los Angeles County Department of Health Services disclosed a data breach after thousands of patients' personal and health information was exposed in a data breach resulting from a recent phishing attack impacting over two dozen employees. This integrated health system operates the public hospitals and clinics in L.A. County (the most populous county in the United States) and is the second largest public health care system in the country after NYC Health + Hospitals. As revealed in data breach notifications sent to potentially affected individuals, 23 employees had their credentials stolen in a February attack. "DHS conducted an administrative review and determined that approximately 6,085 individuals' information may have been impacted," L.A. County Health Services told BleepingComputer in a statement. "Between February 19, 2024, and February 20, 2024, DHS experienced a phishing attack. Specifically, a hacker was able to gain log-in credentials of 23 DHS employees through a phishing e-mail," the notifications also revealed. "In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender." Documents and e-mails in the compromised mailboxes included patients' personal and health information, including a combination of: Affected individuals may have been impacted differently, and the data stored in the breached e-mail inboxes did not include Social Security Numbers (SSNs) or financial information. After discovering the breach, L.A. County Health Services disabled the impacted e-mail accounts, reset and re-imaged the compromised employees' devices, and quarantined all suspicious incoming e-mails. It also circulated awareness notifications to all employees, reminding them to always be vigilant when reviewing e-mails, especially those with attachments or links. The health system will also notify the U.S. Department of Health & Human Services' Office for Civil Rights, the California Department of Public Health, and other relevant agencies of the data breach. Additionally, even though no evidence was found during the investigation that the attackers accessed or misused the exposed personal and health information, L.A. County Health Services advises affected patients to contact their healthcare providers to verify the content and accuracy of their medical records. Update April 26, 05:20 EDT: Added L.A. County Health Services statement.
Daily Brief Summary
The Los Angeles County Department of Health Services recently announced a significant data breach affecting 6,085 individuals, following a phishing attack on 23 of its employees.
The phishing incident occurred between February 19 and February 20, 2024, during which hackers stole employee login credentials through deceitful emails.
Compromised email accounts contained sensitive personal and health information of patients due to unauthorized access, although Social Security Numbers and financial data were reportedly not included.
In response to the breach, affected e-mail accounts were disabled, compromised devices were reset, and an email quarantine was implemented to manage suspicious messages.
L.A. County Health Services has initiated a series of precautionary measures, including widespread employee training on email security, and has informed federal and state health authorities about the breach.
Even though there was no detected misuse of the disclosed information, L.A. County Health Services has advised patients to verify their medical records' integrity with their healthcare providers.
Notifications of the breach were sent to potentially impacted individuals, highlighting the importance of vigilance in safeguarding personal health information against phishing schemes.