June 21, 2024
Contact: media@dhs.lacounty.gov
LA County Department of Health Services Responding to Privacy Breach
The Department of Health Services experienced a cyberattack in which the personally identifiable and/or health information of approximately 47,000 individuals may have been compromised. The Department has implemented enhancements to reduce exposure to future cyberattacks.
Los Angeles, CA — The Los Angeles County Department of Health Services (“DHS”) disclosed today that on February 6, 2024, it was the victim of a cyberattack in which a hacker circumvented the multi-factor authentication safeguards of an employee’s Microsoft 365 account through a method commonly referred to as “push notification spamming.” This cyberattack may have provided the attacker with access to certain personal information of approximately 47,000 individuals.
Upon discovery of the attack, law enforcement was notified of the cyberattack and initiated a criminal investigation. DHS was directed to delay notifications so as not to impede the investigation. Additionally, DHS disabled the impacted e-mail account, reset and re-imaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming e-mails. Awareness notifications were distributed to all DHS workforce members to be vigilant when reviewing e-mails, especially those including links or attachments.
DHS conducted a comprehensive review, with the assistance of an industry-leading forensic firm, to identify any personal and/or health information which may have been affected. The information identified in the potentially compromised email account may have included full name, date of birth, home address, phone number(s), e-mail address, Social Security Number, government issued ID, medical record number, health insurance information (health plan and member number), and/or medical information (e.g., diagnosis/condition, medication, treatment, dates of service). Not all of the elements listed were present for each impacted individual.
DHS has already begun notifying impacted individuals by mail. For individuals whose mailing address is not available, DHS is also posting notice on its website to provide information about the incident and steps individuals can take to protect themselves from identity theft. DHS will also notify the U.S. Department of Health and Human Services’ Office for Civil Rights, the California Department of Public Health, the State Attorney General, and other agencies in accordance with statutory requirements.
DHS remains vigilant in its efforts to protect confidential information and endeavors to stay ahead of the rapidly evolving and continuous threats to large data systems and has implemented additional safeguards and technical security measures to reduce exposure to similar cyberattacks in the future. DHS has enhanced its training to identify and respond to cyberattacks and continues to strengthen its information privacy and security program.
While DHS cannot confirm whether information has been misused, individuals are encouraged to remain vigilant and review the content and accuracy of the information in their medical record with their medical provider and be watchful for any suspicious activity on any of their accounts. Additionally, DHS has secured the services of an identity monitoring service to assist those affected with Credit Monitoring, Fraud Consultation, and Identity Theft Restoration.
A dedicated call center has been established for individuals with questions about the incident at 1-866-898-8099 and is available, Monday through Friday from 6:00 a.m. to 5:00 p.m. Pacific Time (excluding weekends and major U.S. holidays). Additional information is available on the following website: https://dhs.lacounty.gov/
Safeguarding personal information is a top priority, and DHS deeply regrets any inconvenience on those affected by this cyberattack. DHS will continue to support law enforcement’s investigation into this matter.