Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Government Privacy Security

53 LA County Public Health Workers Fall for Phishing Email. 200,000 People May Be Affected (yahoo.com) 37

Posted by EditorDavid from the we-just-clicked dept.
The Los Angeles Times reports that "The personal information of more than 200,000 people in Los Angeles County was potentially exposed after a hacker used a phishing email to steal the login credentials of 53 public health employees, the county announced Friday." Details that were possibly accessed in the February data breach include the first and last names, dates of birth, diagnoses, prescription information, medical record numbers, health insurance information, Social Security numbers and other financial information of Department of Public Health clients, employees and other individuals. "Affected individuals may have been impacted differently and not all of the elements listed were present for each individual," the agency said in a news release...

The data breach happened between Feb. 19 and 20 when employees received a phishing email, which tries to trick recipients into providing important information such as passwords and login credentials. The employees clicked on a link in the body of the email, thinking they were accessing a legitimate message, according to the agency...

The county is offering free identity monitoring through Kroll, a financial and risk advisory firm, to those affected by the breach. Individuals whose medical records were potentially accessed by the hacker should review them with their doctor to ensure the content is accurate and hasn't been changed. Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed. Individuals can also request credit reports and review them for any inaccuracies.
From the official statement by the county's Public Health department: Upon discovery of the phishing attack, Public Health disabled the impacted e-mail accounts, reset and re-imaged the user's device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming e-mails. Additionally, awareness notifications were distributed to all workforce members to remind them to be vigilant when reviewing e-mails, especially those including links or attachments. Law enforcement was notified upon discovery of the phishing attack, and they investigated the incident.

53 LA County Public Health Workers Fall for Phishing Email. 200,000 People May Be Affected More | Reply

53 LA County Public Health Workers Fall for Phishing Email. 200,000 People May Be Affected

Comments Filter:

  • Come on, let's call for the county health official (Score:3, Funny)

    by ArmoredDragon ( 3450605 ) on Sunday June 16, 2024 @02:55PM (#64553643)

    This is slashdot, where a lynch mob is always the correct response to a cybersecurity breach.

    • Bleh, the title length gets no warning.

    • If it weren't so difficult to track them down, I doubt anyone would be sad to see the thieves swinging from lampposts.

      • Nah, let's mix it up. Occasionally they should be drawn and quartered.

      • I doubt anyone would be sad to see the thieves swinging from lampposts.

        Hanging the thieves would accomplish little. There will always be others to take their place.

        The solution is better security, which should include education and training.

        53 workers fell for a blatantly obvious phishing scam.

        That wouldn't have happened if professional pen-testers had sent them phishing emails first.

        Then, first-time offenders could receive additional training, and 2nd-time offenders could be fired.

        • Turns out training doesn't work out so well. It does for the more obvious phish attempts, which this may or may not have been. But the truth is, anybody, and that includes everybody reading this sentence, can be social engineered. The fact is, you can be whether you believe it or not, and if you believe you can't then you're even more likely to be susceptible.

          Fortunately there's new technology these days that makes phishing nearly impossible, and it's called hardware attestation. Basically if either the mac

          • Re: (Score:2)

            by garote ( 682822 )

            None of what you describe prevents the scenario of "Hey, this is Chuck from the Foozball department. I need you to log into your account for me and press the Ploobadoof button."

        • You can do both.

        • The solution is better security, which should include education and training.

          No. It isn't. Firing the farking mouth-breathers desperately engaging with every phishing campaign out there is the only workable solution. Because people that dumb will *always* be that dumb and clearly couldn't care less about the fallout from their personal choice to be idiots.

      • That's only the second part of being drawn and quartered, and they're not dead yet when it's finished. Unless it's a woman, then they skip the ceremony and simply burn her at the stake.

    • Thank for pointing out the obvious. If a store gets robbed, everybody blames the robber. If a virtual store gets robbed (you know, a website) everybody blames the store.

      Yes, security is important, but let's not kid ourselves. Phishing emails trick some people every time, in every company.

      • Re: (Score:1)

        by jjbenz ( 581536 )
        So true, we've had people fall for those multiple times in my organization. Now most of the people email me to check whether it's legit or not, a little bit of progress I guess.

  • Phishing! Rise and repeat, Rise and Repeat! (Score:5, Informative)

    by oldgraybeard ( 2939809 ) on Sunday June 16, 2024 @02:59PM (#64553651)
    "employees clicked on a link in the body of the email" obviously, the IT department isn't doing their job! And the anti-virus products they are using (if any) don't work! Why wasn't the url checked and sanitized before it ever got to the end users?
    I mean come on, a phishing email? In 2024? If your going to enable HTML email take the precautions needed to try and protect your users.

    • Re: (Score:1)

      by Anonymous Coward

      "employees clicked on a link in the body of the email" obviously, the IT department isn't doing their job! And the anti-virus products they are using (if any) don't work! Why wasn't the url checked and sanitized before it ever got to the end users? I mean come on, a phishing email? In 2024? If your going to enable HTML email take the precautions needed to try and protect your users.

      Where I work we have a very aggressive IT security department. Annual training, everything is scanned, links are replaced with "safelinks" so I can't see where they go, and mass emails use third party click counters that redirect. Sometimes they "safelink" the counter emails, so I have no clue what I'm clicking on. If I want to safely click on something I think is internal I have to search and hope the link I'm looking for doesn't require a logon, because if it does search engines can't find it. My comp

    • Re: (Score:2)

      by tlhIngan ( 30335 )

      There are very good filters for phishing these days - one of the biggest ones is the little banner saying "This email came from outside the organization". Basically if you see that and it claims to be from a coworker or someone from the company, it's an instant fake.

      The second is there are many filters from Barracuda and such that are extremely effective against phishing. Yes, they cost money, but it's generally less than having to suffer a data breach.

      The third is training - you can get yearly training cou

  • They aren't fooled by look-alike sites or URLs. As long as you don't circumvent them and manually copy the information in anyway.

    "Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed. Individuals can also request credit reports and review them for any inaccuracies."

    This is sometimes easier said than done. Ever had a non-trivial medical procedure? There can easily be a half-dozen separate entities billing you, not all of whom you may immediately realize were involved - labs, anesthesiologists, external docs asked to review films, etc. etc.

  • LA County seems to have a lot of problems. [blogspot.com]

    Among others, they are allegedly routinely paying ~$60/hr. for entry-level clerical labor, giving such tasks to specialists and managers instead. That's sometimes called "top heavy", a common problem in bureaucracies.

    It's almost as bad as paying doctors their doctor salary to mop hospital floors.

    • You act as though stupidity is not a universal human trait.

      • You act as though stupidity is not a universal human trait.

        Stupid people and stupid organizations are two different things. An organization can have plenty of smart people and still be stupid. For instance, if you have smart accountants, smart engineers, and smart marketers, and the accountants make engineering decisions, the engineers make marketing decisions, and the marketers make accounting decisions, you have a stupid organization.

        Organizational stupidity is more common in bureaucracies, which lack the feedback of market competition.

        If a manufacturer is stupid

      • Re: (Score:2)

        by Tablizer ( 95088 )

        That's why checks and balances are needed. Log waste complaints, put anti-waste clauses in policy manual, let outside agency inspect and audit it, require cost-benefit analysis instead of guess out of ass, etc.

        That doesn't require rocket science, just administrative discipline.

  • Wow (Score:2)

    by Dusanyu ( 675778 )
    Not only did they loose Information that can be used to make accounts in someones’s name but PHI (Protected health information as well) I hope everyone who was effected pushes for there full rights granted by HIPAA The county i live in the access to information like this is by a smart card with a rolling code. And its much smaller than LA county
  • Microsoft, the company that made URLs dangerous /s

    • Re: (Score:2)

      by vbdasc ( 146051 )

      I believe it was Netscape that started putting HTML in e-mails, although my memory is getting fuzzy at this point.

      • > I believe it was Netscape that started putting HTML in e-mails, although my memory is getting fuzzy at this point.

        HTML introduced in Outlook Express in 1996.
        HTML introduced in Netscape Communicator in 1997

        • Re: (Score:2)

          by vbdasc ( 146051 )

          Ummm... no. I don't think OE existed before 1997, and Netscape Navigator 3.0 from 1996 happily sends HTML mail, complete with links, Javascript and even Java (I just checked this!).

          P.S. this might be interesting: https://www.jwz.org/blog/2017/09/html-email-was-that-your-fault/

          • “Outlook Express, formerly known as Microsoft Internet Mail and News .. Initial Release August 1996 [wikipedia.org]”

            • Re: (Score:2)

              by vbdasc ( 146051 )

              Quote from the same Wikipedia page:

              [Internet Mail and News] Version 2.0 was released at the end of 1996. Internet Mail and News handled only plain text and rich text (RTF) email, lacking HTML email.

              In 1997 the program was changed and renamed to Outlook Express

              Hence, in 1996 Microsoft didn't yet support HTML Mail. The predecessors of the "big" Outlook like Exchange Client (because Outlook also started in 1997) didn't support HTML Mail, either.

  • According to http://publichealth.lacounty.g... [lacounty.gov] that is 1% of their workers. That's a pretty high figure to fall victim to a phishing attack. Considering that the site I just linked is called about.htm and served over http, they might have a problem with their IT budget...

  • I know, there are idiots everywhere.BR> But how many did receive these mails without clicking on the bad links?

  • ... a link in the body of the email ...

    Was the link to a log-in page? Why are businesses putting direct links in e-mails? We've known for 25 years that's bad behaviour, yet billion-dollar corporations keep doing it: Both to their customers and themselves.

    Why did the browser/employee accept a HTTP request to a web-site? How can you keep health information private if it's plain-text on every network it touches?

  • So, was this caused by affirmative action, or by DEI?

  • You know you can easily prevent this kind of issues. PGP, simply sign / encrypt the emails, and now you have a verified chain. If you wonder is the email is legit, does its signature match the key ring?
  • That's terrible! I had a similar experience with a data breach a few years ago, and it was such a hassle to sort out. On a different note, mullein drops [amazon.com] have really helped me with my respiratory health. I started using them after a bad cough wouldn't go away, and they worked wonders! If you're looking for something natural to support your lungs, definitely check them out.

Slashdot Top Deals

"The algorithm to do that is extremely nasty. You might want to mug someone with it." -- M. Devine, Computer Science 340

Close