The Los Angeles County Department of Health Services (DHS) publicly disclosed that it experienced a cyberattack in February of this year.
In a press release, the department said it was a victim of a cyberattack in which a hacker circumvented the multi-factor authentication safeguards of an employee’s Microsoft 365 account through a method commonly referred to as “push notification spamming.” The county further disclosed that the cyberattack may have provided the attacker with access to certain personal information of approximately 47,000 individuals.
The Department of Health Services said that once the attack was discovered, the department notified law enforcement and initiated a criminal investigation. DHS said that it was directed by law enforcement to delay notifications so as not to impede the investigation.
Upon discovering the attack, DHS also disabled the impacted e-mail account, reset and re-imaged the user’s device(s), blocked websites that were identified as part of the phishing campaign, and quarantined all suspicious incoming e-mails. The department also sent awareness notifications to its workforce to be vigilant when reviewing e-mails, especially those including links or attachments.
DHS said it conducted a comprehensive review, with the assistance of an outside forensic firm, to identify any personal and/or health information that may have been affected. The investigation found that the information identified in the potentially compromised email account may have included full name, date of birth, home address, phone number(s), e-mail address, Social Security Number, government-issued ID, medical record number, health insurance information (health plan and member number), and/or medical information (e.g., diagnosis/condition, medication, treatment, dates of service). However, not all the elements listed were present for each impacted individual.
DHS has already begun notifying impacted individuals by mail. For individuals whose mailing address is not available, DHS is also posting a notice on its website to provide information about the incident and steps individuals can take to protect themselves from identity theft. DHS will also notify the U.S. Department of Health and Human Services’ Office for Civil Rights, the California Department of Public Health, the State Attorney General, and other agencies in accordance with statutory requirements.
In response to the attack, DHS has set up a dedicated call center for individuals with questions about the incident. Additionally, the department has secured the services of an identity monitoring service to assist those affected with credit monitoring, fraud consultation, and identity theft restoration.