The Los Angeles County Department of Public Health (DPH) has disclosed a significant data breach impacting more than 200,000 individuals. The data breach at Los Angeles County DPH, occurring between February 19 and 20, 2024, involved the theft of sensitive personal, medical, and financial information.
The data breach was initiated through a phishing attack, where an external threat actor obtained the login credentials of 53 DPH employees. “Between February 19, 2024, and February 20, 2024, DPH experienced a phishing attack,” reads the official notice.
Data Breach at Los Angeles County DPH: What Happened
The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others.
The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:
- First and last names
- Dates of birth
- Diagnosis and prescription details
- Medical record numbers/patient IDs
- Medicare/Med-Cal numbers
- Health insurance information
- Social Security numbers
- Other financial information
It is important to note that not all of the above data elements were present for every affected individual. Each individual may have been impacted differently based on the specific information contained in the compromised accounts. “Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” Los Angeles County DPH informed.
Data Breach at Los Angeles County DPH Notification
DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH also posts a notice on its website to provide necessary information and resources.
The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers.
However, on delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.”
To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response.
“To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice.
Response and Preventive Measures
Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future.
Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats.
The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies are also notified, as required by law and contractual obligations.
Steps for Individuals to Protect Themselves
While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:
- Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
- Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at http://www.annualcreditreport.com or by calling 1-877-322-8228.
- Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
- Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.
The Los Angeles County Department of Public Health continues to cooperate with law enforcement and other agencies to protect the privacy and security of its clients, employees, and other stakeholders.