Los Angeles County Department of Health Services suffers data breach compromising patient records

• The data breach occurred after Nemadji Research Corporation, a contractor of the L.A. County Department of Health Services fell victim to a phishing attack in March 2019.
• The exposed data includes patient names, addresses, dates of birth, medical record numbers and Medi-Cal identification numbers.

Almost 14,591 patients who received medical care through Los Angeles County’s hospitals and clinics had their personal information compromised in a data breach.

What happened?

The data breach occurred after Nemadji Research Corporation, a contractor of the L.A. County Department of Health Services fell victim to a phishing attack in March 2019. Nemadji provides verification services to the L.A County DHS such as verifying which patients are eligible for Medi-Cal.

On March 28, 2019, a Nemadji employee opened a phishing email that allowed an unauthorized third-party to access the organization’s data for several hours. Though the data was encrypted, the employee’s email account included encryption keys.

What data was exposed?

• The exposed data includes patient names, addresses, dates of birth, medical record numbers and Medi-Cal identification numbers.
• Two patients’ also had their Social Security numbers exposed.
• However, County officials confirmed that there is no evidence that the patients were the target of the attack or that any patient information had been misused.

What was the response?

• Upon learning the incident, the agency reported the data breach to the FBI and the appropriate state and federal regulators.
• Nemadji has improved its email security systems and is providing training to its employees on how to identify phishing emails.
• The contractor is notifying the potentially impacted patients about the incident and is requesting them to monitor their account statements for any suspicious activity.
• The contractor is also providing free credit monitoring and identity protection services to all the potentially impacted patients.