Los Angeles County says 25 departments affected by February phishing incident

Multiple departments of Los Angeles County’s government were successfully breached as part of a wide-ranging phishing campaign conducted in February, officials told Recorded Future News.

Overall, 25 of the county’s 38 departments were affected, but only two health-related agencies have released public notices. They were the only ones required to do so under California state law, according to a spokesperson for the county, because the personal or health information of more than 500 people was compromised in each incident.

The Department of Health Services and the Department of Public Health each disclosed those breaches in recent months, specifying that the phishing incidents occurred between February 19-20.   

A spokesperson for the Department of Public Health explained that the accounts of a total of 283 county employees across the 25 affected departments were affected by the phishing campaign. County officials declined to provide more information about data potentially stolen from the non-healthcare departments. 

“The incident is being investigated by the Los Angeles County District Attorney's Office-Cyber Crime Investigations Unit,” the county spokesperson said, declining to answer questions about what other departments were affected and whether they will ever notify the public that they were attacked. 

Los Angeles County is the most populous in the United States, with nearly 10 million residents across the City of Los Angeles and several other cities. 

'Clicked on the link'

The phishing campaign most recently drew public attention about a week ago, when the Department of Public Health notified regulators that the information of more than 200,000 people was accessed when hackers stole the login credentials of 53 of its employees in February.

The breached information included names, dates of birth, Social Security numbers, diagnoses, prescriptions, medical record numbers, Medicare numbers, health insurance information and financial data. 

The department registers birth and death certificates, and it operates dozens of programs on a wide range of issues, including disease control and prevention and substance abuse. 

In April, BleepingComputer reported on the breach affecting the Department of Health Services, which operates public hospitals and clinics in the county. The phishing campaign allowed hackers to obtain the login credentials of 23 Health Services employees, and the data of more than 6,000 people reportedly was affected by that incident. 

Separately, the Department of Public Health told victims in breach notification letters sent out last week that department employees “clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.”

“Due to an investigation by law enforcement, we were advised to delay notifying you of this incident, as public notice may have hindered their investigation,” the department added.

Officials at the department said once they discovered the phishing attack, they disabled all of the impacted email accounts, blocked websites that were part of the campaign and quarantined all emails deemed to be suspicious. 

The U.S. Department of Health and Human Services’ Office for Civil Rights and other agencies were also notified by the Department of Public Health.

For those who did not have mailing addresses available, the Department of Public Health posted the notice on its website. Victims are being given one year of identity monitoring services. 

The city’s housing authority and largest school district were both affected by cyberattacks last year. 

Hackers claimed two weeks ago that they had again breached the systems of the Los Angeles Unified School District and stole millions of records on students and teachers. 

A spokesperson for the school district told Recorded Future News that they are investigating the claim and engaged law enforcement to help respond to the incident. This week the district confirmed that the data was stolen as part of a larger campaign of attacks against customers of data storage giant Snowflake.

On June 21, the Los Angeles County Department of Health Services disclosed a separate data breach that occurred on February 6.