
The Los Angeles County Department of Public Health (DPH) has disclosed a data breach affecting more than 200,000 individuals. The breach, which occurred between February 19 and 20, 2024, involved the theft of personal, medical, and financial information after an attacker gained login credentials of 53 Public Health employees through a phishing email.
The compromised data may include names, dates of birth, diagnosis and prescription details, medical record numbers, Medicare/Medi-Cal numbers, health insurance information, Social Security numbers, and other financial details. The DPH noted that the extent of the information compromised varies for each individual.
The breach affects the department responsible for serving approximately 10 million residents of Los Angeles County. Impacted individuals are being notified via mail, and for those without a mailing address, a notice has been posted on the DPH website providing information and resources.
"While Public Health cannot confirm whether information has been accessed or misused, individuals are encouraged to review the content and accuracy of the information in their medical record with their medical provider," the DPH stated. Affected individuals are also offered one year of free identity monitoring from Kroll.
Following the incident, the DPH implemented several security enhancements to prevent similar future attacks. These measures include disabling impacted email accounts, resetting and re-imaging affected users’ devices, blocking websites involved in the phishing campaign, and quarantining suspicious emails. Additionally, the department has issued awareness notifications to all workforce members, urging them to exercise caution when handling emails with links or attachments.
Law enforcement has investigated the breach, and the U.S. Department of Health and other relevant agencies have been notified as required by law and contracts.
This disclosure follows a recent incident involving the U.S. private healthcare provider Ascension, which suffered a ransomware attack after an employee downloaded a malicious file. This attack led to ambulance diversions and postponed patient appointments, with attackers believed to have stolen files containing protected health information (PHI) and personally identifiable information (PII) of patients.