Nearly 14,600 patient records were exposed months ago in a “phishing attack” against a contractor working with the Los Angeles County Department of Health Services, county officials announced Tuesday.
There is no evidence that DHS patient information was the specific target of the phishing email, which was sent to an employee of Nemadji Research Corp., according to DHS officials.
Authorities say they haven’t yet seen any indication that patient data has been misused. However, the hacker had access to the employee’s email account for several hours on March 28, and records from several clients of the research firm were exposed during that time, according to DHS.
Data at risk may have included personal information such as first and last names, home address, date of birth, phone number and various data related to medical services provided. The Social Security numbers of two patients were also identified, according to DHS.
Nemadji began alerting the 14,591 affected individuals on Monday by mail, with recommendations on steps to protect against damaging use of the information. Those suggestions include vigilant monitoring against identity theft and fraud by actively reviewing financial accounts and monitoring credit reports.
The company is offering access to free credit monitoring and identity protection services. Individuals are also entitled under federal law to one free credit report annually from each of three major credit reporting bureaus. Reports can be ordered at www.annualcreditreport.com or by calling 877-322-8228.
The company also reported the breach to the FBI and relevant state and federal regulators and said it has taken steps to enhance email security and employee training, according to a DHS statement.
Nemadji’s work for the county includes identifying and verifying patient eligibility for programs that reimburse the county for care provided.
A dedicated assistance line at 800-491-4740 will be staffed from 8 a.m. to 5:30 p.m. on weekdays. More details can also be found at www.nemadji.org.
Supervisor Janice Hahn said DHS trains its employees to notice and report phishing schemes, but contractors don’t necessarily offer the same training. She called for a report in 30 days on recommendations to improve internal security and privacy in health facilities operated by the county and its contract partners.
“DHS has recently undergone a risk assessment of its internal security and privacy and there are areas that need strengthening,” Hahn said in a motion that was approved by the Board of Supervisors.