Phishing Scam Causes LACDMH to Send Out More Than 1,000 Additional Compromised Emails
Los Angeles County Department of Mental Health (“LACDMH”) recently reported that it had a data breach caused by a successful “phishing” scam potentially exposing the personal information of 5,129 people. LACDMH notified both the U.S. Department of Health and Human Services (“HHS”) and the California Office of the Attorney General. Notifications were drafted to both adults and parents/guardians of minor children whose information may have been accessed. According the LACDMH, from October 19 to October 21, 2021, some of its employees were tricked into opening a website link that compromised their email accounts. Malicious actors were then able to obtain the log-in credentials for three LACDMH employees. | What is “phishing”? “Phishing” describes a scam where a cyber-criminal sends a fraudulent email to trick a person into believing they are interacting with a legitimate business or person so that they will open the email or email attachment. Once opened, the email releases a code that infects computers, causing them to reveal sensitive information and/or send out more fraudulent emails. |
Those accounts were then used to send out more than 1,000 additional phishing emails. Some of the hacked employee accounts contained confidential patient/client information.
Potential information at risk includes names and one or more of the following:
· Date of Birth
· Social Security Number
· Driver’s License number
· Medical Information
· Health Information
· Health Insurance Information
· Financial Account Number
To view additional information regarding this data breach, click here.
LACDMH began providing notice to affected California individuals on April 21, 2022, but to date has not offered any form of credit monitoring or monetary relief. This is the third data breach reported by LACDMH since 2017.
According to research published in the online journal Healthcare, health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” (Seh AH, et al., Healthcare Data Breaches: Insights and Implications. Healthcare. 2020; 8(2):133.)
California Laws Protect Patient Personal Information
If you are a California resident, the California Confidentiality of Medical Information Act (CMIA) requires that every health care provider who maintains medical information do so in a manner that preserves its confidentiality. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring. Under the CMIA, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.
If you have received a Data Breach Notice from LA County Dept. of Mental Health and are concerned about this breach and what your options are please fill out this contact form.
Confidential • No cost • No obligation
Comments