On February 6, 2024, the Los Angeles County Department of Health Services (DHS) experienced a data breach that impacted approximately 47,000 individuals. The breach was the result of a push notification spamming attack, where attackers exploited a vulnerability in multi-factor authentication (MFA) systems. This attack method, known as push notification fatigue, overwhelmed an employee’s Microsoft 365 account with numerous authentication requests, leading to accidental approval of a malicious login attempt.
The compromised data included a range of personal information such as names, dates of birth, home addresses, phone numbers, email addresses, Social Security numbers, government IDs, health insurance information, and medical records. The attackers managed to bypass the MFA safeguards, allowing them unauthorized access to sensitive information. The DHS acted promptly by disabling the affected email account, resetting the user’s device, and blocking malicious websites.
Following the breach, the DHS notified the affected individuals by mail and is offering one year of free identity monitoring services to help mitigate any potential risks. This breach occurred about two weeks before another incident revealed in April, where hackers accessed the email accounts of 23 DHS employees, compromising the personal information of 6,085 individuals.
The earlier breach also involved the Los Angeles County Department of Public Health and the Department of Mental Health. It remains unclear whether the two incidents are connected. The DHS continues to investigate and enhance its security measures to prevent future breaches.
Reference:
