The Los Angeles County Department of Health Services (LACDHS) recently disclosed a major data breach affecting an unknown number of patients, whose personal and health information was exposed in a credential-theft phishing attack targeting over two dozen LACDHS employees in February 2024.
LACDHS is the second-largest public health system in the United States, operating the public hospitals and clinics within Los Angeles County, California’s most populous county. Because LACDHS is the main provider of healthcare services for millions of Los Angeles residents each year, a breach of this scale puts a huge amount of sensitive patient data at risk.
LA County Phishing Attack Details
According to breach notifications sent to affected individuals, 23 LACDHS employees fell victim on February 19-20, 2024 to a sophisticated phishing email that tricked them into clicking a link, which allowed the cybercriminals to steal their account login credentials.
Emails and documents stored within the compromised employee accounts contained a variety of patients’ personal and health information, including:
- Full name, date of birth, address, phone numbers, and email
- Medical record and client identification numbers
- Dates of medical services
- Diagnoses, treatment details, test results, medications
- Health plan information
Social Security Numbers and financial data were not present. It is unclear exactly how many unique patients may have been impacted.
Response by LA County Health Services
In response, LACDHS immediately disabled compromised accounts, reset devices, and began notifying potentially affected individuals. They are also notifying regulatory agencies and advising patients to verify medical records with providers. An investigation found no evidence the stolen data has been misused so far.
This large-scale breach of sensitive patient data from LACDHS, resulting from a seemingly successful phishing campaign, puts Los Angeles residents at risk of potential identity theft and medical fraud.