On Friday, June 21, the LA County Department of Health Services announced that a phishing attack in February permitted an employee’s login credentials to become available to a hacker, potentially compromising the personal information of approximately 47,000 people in the system.
According to computer technology company IBM, phishing attacks occur when hackers send links or attachments via email disguised as something innocuous, such as notifying the recipient they need to reset their password. Upon interacting with these links or attachments, users may unintentionally download malware onto their devices or otherwise share sensitive information.
Because these types of cyberattacks rely more on social engineering than on exploiting technological vulnerabilities in a given system, phishing is a highly effective form of cybercrime. IBM notes it accounts for 16% of all data breaches, which makes it necessary for people to be properly trained to understand what phishing is and how they can unwittingly fall victim to it if they fail to recognize the typical signs of a scam.
The phishing email attack on DHS took place on Feb. 6. Upon discovering the security breach, the health services department stated it disabled the affected email account, quarantined all suspicious incoming emails, reset and re-imaged the user’s devices, and blocked websites that were identified as part of the phishing campaign.
Notifications were also sent out to all workforce members as reminders to maintain vigilance when receiving emails, particularly those with attachments or links that could lead to future intrusions.
Law enforcement was notified and investigated the incident, according to DHS.
The potentially leaked information from the affected email may have included date of birth, full name, phone number, home address, email address, government-issued ID, Social Security number, medical record number, health insurance information, and/or medical information.
DHS has stated it has put in place several security enhancements to reduce the likelihood of exposure to similar email attacks in the future.
In response to the information breach, the health services department is notifying affected individuals through mail. For those without a physical mailing address or where one is otherwise unavailable, the department is also notifying its workforce on its website to provide information and resources for data recovery purposes.
DHS also noted it is notifying the U.S. Department of Health & Human Services’ Office for Civil Rights and other agencies as required by law and/or contract.
Although the department can neither confirm nor deny whether any particular information has been accessed or tampered with, individuals are advised to review the accuracy and content of their medical and social information with their medical providers and remain vigilant against potential misuse of their personal data.
To help relieve concerns pertaining to this incident, the department has stated it is now working with an identity monitoring service to assist those affected with fraud consultation, identity theft restoration, and credit monitoring.
The previous week, the LA County Department of Public Health reported a similar attack in which another hacker gained access in February to the login credentials of 53 employees, potentially leaking information for over 200,000 people.