A significant data breach at the Los Angeles County Department of Public Health (DPH) has affected over 200,000 individuals. The breach occurred between February 19 and 20, 2024, when an external threat actor used a phishing attack to obtain the login credentials of 53 DPH employees. This unauthorized access led to the theft of sensitive personal, medical, and financial information, affecting clients, employees, and others associated with DPH.
The compromised email accounts contained a wealth of sensitive data, including names, dates of birth, diagnosis and prescription details, medical record numbers, health insurance information, Social Security numbers, and other financial information. Not all data elements were present for every affected individual; what was exposed differs from person to person, depending on the specific information in the compromised accounts.
DPH is taking extensive steps to notify all potentially affected individuals, sending notifications via post to those with available mailing addresses and posting a notice on its website for others. Impacted individuals are advised to review their medical records for accuracy and remain vigilant against identity theft by monitoring their financial statements and credit reports. To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll.
Upon discovering the breach, DPH took immediate action to mitigate further risks, disabling affected email accounts, resetting and re-imaging devices, blocking phishing websites, and quarantining suspicious emails. Additionally, the department has implemented numerous security enhancements to prevent future incidents. Awareness notifications have been distributed to all workforce members to bolster defense against phishing attacks.
The incident has been reported to law enforcement authorities, who investigated the breach, and to the US Department of Health and Human Services’ Office for Civil Rights, as required by law. Affected individuals are encouraged to take proactive steps to protect their personal information, such as reviewing medical records, requesting free credit reports, placing fraud alerts, and considering security freezes on credit reports.