Los Angeles County in recent days has begun to notify about 756,000 individuals of a massive cyberattack that occurred in May 2016 across multiple county departments, including healthcare, mental health and public health services.

Most of the affected individuals had contact with the Department of Healthcare Services, the Los Angeles Times reports.

The attacker sent phishing emails to 1,000 county employees, and 108 of them clicked on the message and gave usernames and passwords, according to a notice from the county. As has become common in the era of cyber attacks, notification to affected individuals was delayed far past the HIPAA requirement of 60 days from discovery of a breach at the request of law enforcement agencies. The agencies often are investigating multiple breaches launched by the same attacker, find other HIPAA cover entities that were hit and then notify them.

Compromised information at LA County included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, home addresses, phone numbers, payment card and bank account information, and medical information, such as insurance identification number, diagnoses, treatment histories and medical record number. A known suspect is being sought with an arrest warrant issued for a person with Nigerian citizenship, account to the county notice.

The county is offering identity monitoring services to affected individuals for one year; the services include credit monitoring, identity consultation and identity restoration. However, attackers commonly now wait until after protective services end before using the stolen information.

This is not LA County’s first major breach of protected health information. The theft of a laptop at a regional office in 2013 affected 18,162 individuals. The county also was the victim of a major breach in 2014, when business associate Sutherland Healthcare Solutions had eight computers stolen, affecting more than 300,000 individuals. Following the latest breach, the county has enhanced its cybersecurity awareness training.

(This article appears courtesy of our sister publication, Health Data Management)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access