53 LA County Public Health Workers Fall for Phishing Email. 200,000 People May Be Affected (yahoo.com)
The Los Angeles Times reports that "The personal information of more than 200,000 people in Los Angeles County was potentially exposed after a hacker used a phishing email to steal the login credentials of 53 public health employees, the county announced Friday."
Details that were possibly accessed in the February data breach include the first and last names, dates of birth, diagnoses, prescription information, medical record numbers, health insurance information, Social Security numbers and other financial information of Department of Public Health clients, employees and other individuals. "Affected individuals may have been impacted differently and not all of the elements listed were present for each individual," the agency said in a news release...
The data breach happened between Feb. 19 and 20 when employees received a phishing email, which tries to trick recipients into providing important information such as passwords and login credentials. The employees clicked on a link in the body of the email, thinking they were accessing a legitimate message, according to the agency...
The county is offering free identity monitoring through Kroll, a financial and risk advisory firm, to those affected by the breach. Individuals whose medical records were potentially accessed by the hacker should review them with their doctor to ensure the content is accurate and hasn't been changed. Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed. Individuals can also request credit reports and review them for any inaccuracies.
From the official statement by the county's Public Health department: Upon discovery of the phishing attack, Public Health disabled the impacted e-mail accounts, reset and re-imaged the user's device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming e-mails. Additionally, awareness notifications were distributed to all workforce members to remind them to be vigilant when reviewing e-mails, especially those including links or attachments. Law enforcement was notified upon discovery of the phishing attack, and they investigated the incident.
Come on, let's call for the county health official (Score:3, Funny)
This is slashdot, where a lynch mob is always the correct response to a cybersecurity breach.
Re: s to be drawn and quartered (Score:2)
Bleh, the title length gets no warning.
Re: (Score:2)
Re: (Score:3)
Nah, let's mix it up. Occasionally they should be drawn and quartered.
Re: (Score:2)
I doubt anyone would be sad to see the thieves swinging from lampposts.
Hanging the thieves would accomplish little. There will always be others to take their place.
The solution is better security, which should include education and training.
53 workers fell for a blatantly obvious phishing scam.
That wouldn't have happened if professional pen-testers had sent them phishing emails first.
Then, first-time offenders could receive additional training, and 2nd-time offenders could be fired.
Re: Come on, let's call for the county health offi (Score:2)
Turns out training doesn't work out so well. It does for the more obvious phish attempts, which this may or may not have been. But the truth is, anybody, and that includes everybody reading this sentence, can be social engineered. The fact is, you can be whether you believe it or not, and if you believe you can't then you're even more likely to be susceptible.
Fortunately there's new technology these days that makes phishing nearly impossible, and it's called hardware attestation. Basically if either the mac
Re: (Score:2)
None of what you describe prevents the scenario of "Hey, this is Chuck from the Foozball department. I need you to log into your account for me and press the Ploobadoof button."
Re: (Score:2)
You can do both.
Re: (Score:2)
The solution is better security, which should include education and training.
No. It isn't. Firing the farking mouth-breathers desperately engaging with every phishing campaign out there is the only workable solution. Because people that dumb will *always* be that dumb and clearly couldn't care less about the fallout from their personal choice to be idiots.
Re: Come on, let's call for the county health offi (Score:2)
That's only the second part of being drawn and quartered, and they're not dead yet when it's finished. Unless it's a woman, then they skip the ceremony and simply burn her at the stake.
Re: (Score:3)
Thanks for pointing out the obvious. If a store gets robbed, everybody blames the robber. If a virtual store gets robbed (you know, a website) everybody blames the store.
Yes, security is important, but let's not kid ourselves. Phishing emails trick some people every time, in every company.
Re: (Score:1)
Phishing! Rise and repeat, Rise and Repeat! (Score:5, Informative)
I mean come on, a phishing email? In 2024? If you're going to enable HTML email take the precautions needed to try and protect your users.
Re: (Score:1)
"employees clicked on a link in the body of the email" obviously, the IT department isn't doing their job! And the anti-virus products they are using (if any) don't work! Why wasn't the url checked and sanitized before it ever got to the end users? I mean come on, a phishing email? In 2024? If you're going to enable HTML email take the precautions needed to try and protect your users.
Where I work we have a very aggressive IT security department. Annual training, everything is scanned, links are replaced with "safelinks" so I can't see where they go, and mass emails use third party click counters that redirect. Sometimes they "safelink" the counter emails, so I have no clue what I'm clicking on. If I want to safely click on something I think is internal I have to search and hope the link I'm looking for doesn't require a logon, because if it does search engines can't find it. My comp
Re: (Score:2)
There are very good filters for phishing these days - one of the biggest ones is the little banner saying "This email came from outside the organization". Basically if you see that and it claims to be from a coworker or someone from the company, it's an instant fake.
The second is there are many filters from Barracuda and such that are extremely effective against phishing. Yes, they cost money, but it's generally less than having to suffer a data breach.
The third is training - you can get yearly training cou
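The "came from outside the organization" banner the comment above describes is a simple sender-domain check. As an added illustration (not code from any mail product, and not the county's), here is that check in Python with a second rule layered on it: an external address that reuses the display name of a known internal user, the "this is Chuck from the Foozball department" pattern raised earlier in the thread. The organization domain, the internal directory and the three sample messages are constructed for the example.

```python
"""Tag mail that did not originate from the organization's own domain.

Added illustration of the external-sender banner; not the code of any
mail gateway. ORG_DOMAIN, INTERNAL_DIRECTORY and SAMPLES are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-county.test"  # assumed organization domain
INTERNAL_DIRECTORY = {"chuck@example-county.test": "Chuck Miller"}  # constructed

BANNER = "[EXTERNAL] This email came from outside the organization."


def is_external(from_header: str) -> bool:
    """True when the From address is not in the organization's domain.

    Subdomains (mail.example-county.test) count as internal. Look-alikes such
    as example-county.test.other.test do not, because the comparison is on
    the whole domain label, not on a substring.
    """
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return True  # unparsable or missing sender: treat as external
    domain = addr.rsplit("@", 1)[1].lower()
    return not (domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN))


def impersonates_internal_name(from_header: str) -> bool:
    """True when an external address carries the display name of a known
    internal user; the banner alone does not catch the name reuse."""
    name, _addr = parseaddr(from_header)
    if not is_external(from_header):
        return False
    known = {n.lower() for n in INTERNAL_DIRECTORY.values()}
    return name.strip().lower() in known


def tag_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the verdict plus the subject
    line a gateway would deliver to the user."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    external = is_external(from_header)
    subject = msg.get("Subject", "")
    if external:
        subject = BANNER + " " + subject
    return {
        "from": from_header,
        "external": external,
        "impersonation": impersonates_internal_name(from_header),
        "subject": subject,
    }


# Constructed sample messages: a real colleague, a name-reusing outsider,
# and an outsider whose domain merely starts with the organization's name.
SAMPLES = [
    "From: Chuck Miller <chuck@example-county.test>\nSubject: Timesheets\n\nhi",
    "From: Chuck Miller <chuck.miller@mail-reset.test>\nSubject: Verify your login\n\nhi",
    "From: Vendor Support <support@example-county.test.vendor.test>\nSubject: Invoice\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(tag_message(raw))
```

The banner rule fires on the second and third samples; only the second also trips the name-reuse rule, which is the case users most often wave through because the name looks right.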
Another argument in favor of password managers (Score:3)
They aren't fooled by look-alike sites or URLs. As long as you don't circumvent them and manually copy the information in anyway.
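The reason a password manager is not fooled is that it keys saved credentials on the page's origin rather than on how the page looks. As an added illustration (not the code of any real password manager), the Python below models that autofill decision: the vault entry and the page URLs are constructed, and the origin is reduced to scheme and host to keep the example short. The last line of the comment above still applies: nothing here helps if the user reads the password out of the vault and types it in by hand.

```python
"""Why a look-alike login page gets nothing from a password manager.

Added illustration; not the code of any real password manager. The vault
entry and the page URLs are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed vault: one credential, keyed by the origin it was saved on.
VAULT = {
    ("https", "portal.example-county.test"): ("jdoe", "correct horse battery staple"),
}


def origin_of(url: str) -> tuple:
    """Return (scheme, host), both lowercased. The port is dropped here only
    for brevity; a real manager includes it in the origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return (parts.scheme.lower(), parts.hostname.lower())


def credential_for(url: str):
    """Autofill decision: the saved credential is offered only on an exact
    origin match. A different registrable domain that merely contains the
    organization's name, a host with a swapped character, or an http:
    downgrade of the same host all yield None."""
    return VAULT.get(origin_of(url))


def explain(url: str) -> str:
    cred = credential_for(url)
    if cred is None:
        return f"{url}: no saved credential for this origin, nothing filled"
    return f"{url}: fills username {cred[0]!r}"


# Constructed page URLs: the real site, then three a human might accept.
PAGES = [
    "https://portal.example-county.test/login",
    "https://portal.example-county.test.login-help.test/login",  # our name, their domain
    "https://portal.examp1e-county.test/login",                   # digit 1 in place of l
    "http://portal.example-county.test/login",                    # scheme downgrade
]

if __name__ == "__main__":
    for page in PAGES:
        print(explain(page))
```

Only the first URL is filled. The manager never compares page titles or logos, so the visual quality of a look-alike is irrelevant to it; the absence of an autofill offer on a page that normally gets one is itself the warning sign a user should act on.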
"Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed. Individuals can also request credit reports and review them for any inaccuracies."
This is sometimes easier said than done. Ever had a non-trivial medical procedure? There can easily be a half-dozen separate entities billing you, not all of whom you may immediately realize were involved - labs, anesthesiologists, external docs asked to review films, etc. etc.
Insufficient Checks & Balances (Score:2)
LA County seems to have a lot of problems. [blogspot.com]
Among others, they are allegedly routinely paying ~$60/hr. for entry-level clerical labor, giving such tasks to specialists and managers instead. That's sometimes called "top heavy", a common problem in bureaucracies.
It's almost as bad as paying doctors their doctor salary to mop hospital floors.
Re: (Score:2)
You act as though stupidity is not a universal human trait.
Re: (Score:3)
You act as though stupidity is not a universal human trait.
Stupid people and stupid organizations are two different things. An organization can have plenty of smart people and still be stupid. For instance, if you have smart accountants, smart engineers, and smart marketers, and the accountants make engineering decisions, the engineers make marketing decisions, and the marketers make accounting decisions, you have a stupid organization.
Organizational stupidity is more common in bureaucracies, which lack the feedback of market competition.
If a manufacturer is stupid
Re: (Score:2)
That's why checks and balances are needed. Log waste complaints, put anti-waste clauses in policy manual, let outside agency inspect and audit it, require cost-benefit analysis instead of guess out of ass, etc.
That doesn't require rocket science, just administrative discipline.
Clarification (Score:1)
Clarification: have auditors audit the waste-log, not the policy manual. Well, okay, both.
Wow (Score:2)
MICROS~1 Windows strikes again .. (Score:2, Interesting)
Re: (Score:2)
I believe it was Netscape that started putting HTML in e-mails, although my memory is getting fuzzy at this point.
Re: (Score:2)
HTML introduced in Outlook Express in 1996.
HTML introduced in Netscape Communicator in 1997.
Re: (Score:2)
Ummm... no. I don't think OE existed before 1997, and Netscape Navigator 3.0 from 1996 happily sends HTML mail, complete with links, Javascript and even Java (I just checked this!).
P.S. this might be interesting: https://www.jwz.org/blog/2017/09/html-email-was-that-your-fault/
Re: (Score:2)
Re: (Score:2)
Quote from the same Wikipedia page:
[Internet Mail and News] Version 2.0 was released at the end of 1996. Internet Mail and News handled only plain text and rich text (RTF) email, lacking HTML email.
In 1997 the program was changed and renamed to Outlook Express
Hence, in 1996 Microsoft didn't yet support HTML Mail. The predecessors of the "big" Outlook like Exchange Client (because Outlook also started in 1997) didn't support HTML Mail, either.
Re: (Score:2)
Wow (Score:2)
According to http://publichealth.lacounty.g... [lacounty.gov] that is 1% of their workers. That's a pretty high figure to fall victim to a phishing attack. Considering that the site I just linked is called about.htm and served over http, they might have a problem with their IT budget...
Re:Wow (Score:4, Interesting)
Having seen the results of numerous pen tests, 1% is incredibly low. I'm used to seeing numbers more on the order of 10% who fall for phishing emails.
53 idiots from how many? (Score:2)
Stupidity at multiple levels of management (Score:2)
Was the link to a log-in page? Why are businesses putting direct links in e-mails? We've known for 25 years that's bad behaviour, yet billion-dollar corporations keep doing it: Both to their customers and themselves.
Why did the browser/employee accept an HTTP request to a web-site? How can you keep health information private if it's plain-text on every network it touches?
caused by? (Score:1)
So, was this caused by affirmative action, or by DEI?
Broken record time! (Score:2)
That's terrible! (Score:1)