The personal information of more than 200,000 people in Los Angeles County was potentially exposed after a hacker used a phishing email to steal the login credentials of 53 public health employees, the county announced Friday.
Details that were possibly accessed in the February data breach include the first and last names, dates of birth, diagnoses, prescription information, medical record numbers, health insurance information, Social Security numbers and other financial information of Department of Public Health clients, employees and other individuals.
“Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” the agency said in a news release.
The Department of Public Health will mail notices to those affected by the breach. Anyone who wants to find out if their information was exposed can also call (866) 898-4312 from 6 a.m. to 5 p.m. Monday through Friday.
The data breach happened between Feb. 19 and 20 when employees received a phishing email, which tries to trick recipients into providing important information such as passwords and login credentials. The employees clicked on a link in the body of the email, thinking they were accessing a legitimate message, according to the agency. Additional details about the phishing email were not immediately available.
It is not clear when officials became aware of the incursion. A department spokesperson did not immediately provide answers to emailed questions on Friday.
In response, officials said they have disabled the impacted email accounts, reset devices, blocked websites that were identified as being part of the phishing campaign and quarantined all suspicious incoming emails.
How do you protect yourself?
The county is offering free identity monitoring through Kroll, a financial and risk advisory firm, to those affected by the breach.
Individuals whose medical records were potentially accessed by the hacker should review them with their doctor to ensure the content is accurate and hasn’t been changed. Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed.
Individuals can also request credit reports and review them for any inaccuracies.
Experts say the most effective way to block potential use of your Social Security number is to put a freeze on your credit files, which will prevent anyone from opening a new account with your information. It’s free to place one and you can lift it when you need to. However, you have to contact each of the three major credit bureaus individually, which can be done online.
Times deputy editor Jon Healey contributed to this report.