The Los Angeles County Department of Mental Health (LACDMH) suffered a phishing attack that allowed unauthorized access to an employee's email account, resulting in the compromise of protected health information (PHI) for 1,598 individuals.
The attack happened on March 20, 2024, when the attacker used a compromised email account at an unnamed external entity to send a phishing email to a Department of Mental Health employee. The employee responded to the message, believing it was legitimate, and exposed the account data. The Department said the employee kept confidential patient and client data in the account. The attacker was able to access the sensitive data saved in the account.
LACDMH stated that it hired a forensic company to determine what the attacker accessed and downloaded. The analysis of the impacted account revealed that the breached information contained at least one of the following: patients' names, phone numbers, addresses, birth dates, Social Security numbers, and medical record numbers.
After securing the breached accounts and changing the credentials for Office 365 and multifactor authentication, the Department of Mental Health evaluated and revised its security guidelines, procedures, and safety measures. The healthcare provider also notified Microsoft about the vulnerability and applied extra safety measures to avoid similar incidents in the future.
The assessment was completed on May 16, 2024. Personal notifications were sent to the impacted individuals on May 20, 2024.
LACDMH said it is uncertain whether the attacker accessed any of the data. As a precaution, the provider notified the impacted people by mail. The addresses of some affected clients are not available, but the department guaranteed that everyone affected would be contacted.
Anyone with concerns about the data breach can call (888) 217-0379 for assistance. Those worried that the attacker accessed their information during the phishing attack can go to the department's website. There are steps individuals can take to protect their personal data.
“LACDMH is sorry for the inconvenience caused by the incident. To avoid the same breach in the future, LACDMH has applied extra safety measures to boost computer systems security.”