In February, the Los Angeles County Department of Public Health suffered a phishing attack that could have compromised the personal information of over 200,000 clients, employees, and other individuals. According to a statement on their website, the attack occurred on February 19 and 20, resulting in the compromise of email credentials belonging to 53 employees. These workers unknowingly clicked on a link in an email, thinking it was from a legitimate sender.
The perpetrators of the attack had access to a wide range of sensitive information contained in the compromised emails. This includes client names, dates of birth, diagnoses, prescriptions, medical record numbers, Medicare/Medi-Cal numbers, health insurance information, Social Security numbers and financial information. In response to the incident, DPH has implemented several security enhancements to reduce the risk of similar attacks in the future.
Immediately after discovering the phishing attack DPH took action by disabling affected email accounts resetting and re-imaging users’ devices blocking websites associated with phishing campaign and quarantining suspicious incoming emails. The department is currently working with law enforcement to investigate this incident and will notify relevant agencies as required by law or contract including U.S. Department of Health & Human Services’ Office for Civil Rights.
