Hacker hits LA County Health, putting data of 14,600 at risk
A data breach at the Los Angeles County Department of Health Services has affected about 14,600 individuals after a hacker infiltrated a business associate working in the department.
The associate, who worked for Nemadji, a vendor providing patient eligibility and billing services for the county, clicked on a malware-laden email. Nemadji immediately launched an investigation and got help from a third-party computer forensics firm.
“Our investigation determined that an unknown individual had access to the employee’s email account for several hours on March 28 due to the employee falling victim to a phishing email,” Nemadji told affected patients in a notification letter.
While nearly all of the information in the email account was encrypted at the time of the incident, the encryption keys or similar variations were included in the email account.
“Therefore, we reviewed the email account to identify what personal information was stored within the account and to whom that information was related,” the letter explained.
On June 5, the first instance of personal information that may have been accessible following the incident was identified, and that is when the first notifications started going out.
Potentially compromised patient information could have included as many as 16 types of protected health information, with the most sensitive being Social Security and Medicaid/Medicare numbers.
Following the breach, Nemadji implemented additional safeguards such as enhanced email security and additional employee training. The vendor also notified the FBI and state and federal regulators, and offered additional information to affected patients on how best to protect their data.
“Although we are unaware of any actual or attempted misuse of information as a result of this incident, we are offering potentially impacted individuals access to credit monitoring and identity protection services,” patients were advised. Nemadji did not respond to a request for information on the length of protective services—generally one or two years—or the credit firm providing the services.