The Los Angeles County Department of Health Services recently disclosed a significant data breach affecting thousands of patients, following a phishing attack on over two dozen employees. This incident took place within one of the largest public health care systems in the United States, which operates numerous public hospitals and clinics across L.A. County. In February 2024, 23 employees fell victim to a phishing scam that allowed hackers to steal their credentials and gain access to their email inboxes, where patients’ personal and health information was stored.
The compromised data included a wide array of sensitive information such as patients’ names, dates of birth, home addresses, phone numbers, email addresses, medical record numbers, client identification numbers, dates of service, medical diagnoses, treatments, test results, medications, and health plan information. Fortunately, the breach did not involve Social Security Numbers or financial data. However, the exposure of such comprehensive health and personal information could still pose significant risks to affected individuals.
Upon discovering the breach, L.A. County Health Services took swift action to mitigate the damage and prevent further unauthorized access. The department disabled the compromised email accounts, reset and re-imaged the affected employees’ devices, and quarantined all suspicious incoming emails. Additionally, it issued reminders to all employees about the importance of vigilance when handling emails, particularly those containing links or attachments.
Although there is no evidence that the accessed data has been misused, L.A. County Health Services is taking precautionary steps to protect affected patients. It has notified relevant regulatory bodies, including the U.S. Department of Health & Human Services’ Office for Civil Rights and the California Department of Public Health. The health system also advises patients to contact their healthcare providers to verify the accuracy and content of their medical records, underscoring its commitment to patient security and regulatory compliance in the wake of this cybersecurity incident.