County of Los Angeles Department of Mental Health
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
The Los Angeles County Department of Mental Health (LACDMH) experienced a data breach due to a phishing email attack that occurred on October 17, 2023. The attack involved a malicious actor or actors gaining access to a LACDMH employee’s Microsoft Office 365 account through a multi-factor authentication attack known as push notification spamming. The compromised email account contained confidential client/patient information due to the employee’s responsibilities within the County[1].
The breach potentially exposed personal information, including names, dates of birth, addresses, telephone numbers, Social Security numbers, and client record numbers. However, not all information was accessed for all clients[1]. The LACDMH began mailing letters to individuals whose personal information was involved in the incident on December 22, 2023, and also provided notice for those whose information was contained in the emails and attachments reviewed but for whom LACDMH did not have adequate address information[1].
A dedicated call center was established for individuals to call with questions about the incident at (866) 983-5589, available Monday through Friday from 6 a.m. to 3:30 p.m. Pacific Time. The LACDMH website contains information on steps individuals can take to protect their personal information[1].
In response to the breach, LACDMH has implemented additional safeguards and technical security measures to enhance the security of its computer systems[1]. The U.S. Department of Health and Human Services Office for Civil Rights Breach Portal also lists the incident as a hacking/IT incident affecting 1,284 individuals[2].
The LACDMH is the nation’s largest public mental health department, serving over 10 million people in the region with an annual budget approaching $3 billion and a staff of 6,000[1].
Citations:
- https://file.lacounty.gov/SDSInter/dmh/1153322_ProjectHoundPressRelease122223FINAL.pdf
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf?adobe_mc=MCMID%3D02408406485458979789220680779370557994%7CMCORGID%3DA8833BC75245AF9E0A490D4D%2540AdobeOrg%7CTS%3D1696377600
- http://file.lacounty.gov/SDSInter/dmh/1123279_DataBreachPressRelease042122FINAL.pdf
- https://file.lacounty.gov/SDSInter/dmh/1152774_PROJECTREDWOODSUBSTITUTENOTICE.pdf
- https://laist.com/news/health/la-county-department-of-mental-health-announces-it-was-victim-of-cyberattack
- https://dmh.lacounty.gov/press-center/press-releases/
- https://www.databreaches.net/la-county-department-of-mental-health-compromised-by-phishing-attack/
- https://dmh.lacounty.gov
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf?ref=blog.gitguardian.com
- https://oag.ca.gov/ecrime/databreach/reports/sb24-578351
- https://laist.com/brief/news/health/la-county-department-of-mental-health-announces-it-was-victim-of-cyberattack
- https://www.legalscoops.com/la-county-department-of-mental-health-compromised-by-a-cyber-attack/
- https://oag.ca.gov/system/files/NOTICE%20OF%20DATA%20BREACH%20LETTER%20-%20LACDMH_0.pdf
- https://oag.ca.gov/privacy/databreach/list
- https://oag.ca.gov/system/files/Notice%20of%20Data%20Breach%20Sample%204861-2942-5048%20v1.pdf
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://www.the74million.org/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/