[BreachExchange] Data breach exposes information of thousands of patients in L.A. County

Destry Winant destry at riskbasedsecurity.com
Thu Jul 11 09:55:05 EDT 2019


https://www.latimes.com/local/california/la-me-nemadji-breach-20190709-story.html

The personal information of thousands of patients who have received
medical care through Los Angeles County’s hospitals and clinics was
exposed in a data breach, officials said Tuesday.

The Nemadji Research Corp., which contracts with the L.A. County
Department of Health Services, fell victim to a phishing attack
earlier this year that allowed outside access to medical information
for 14,591 patients.

The data that was exposed includes patient names, addresses, dates of
birth, medical record numbers and Medi-Cal identification numbers. Two
patients’ Social Security numbers were also revealed, officials said.

The Department of Health Services oversees several clinics and
hospitals, including County-USC Medical Center in Boyle Heights and
Olive View-UCLA Medical Center in Sylmar. The agency is the
second-largest health system in the nation, according to its website.

The agency contracts with Nemadji, which is based in Minnesota, for
help verifying which patients are eligible for programs that could
cover the cost of their care, such as checking for Medi-Cal
eligiblity.

On March 28, a Nemadji employee opened an email that allowed an
outsider to access the company’s data for several hours. Though the
data was encrypted, the email account included encryption keys that
made it possible to gather patient information, according to a
statement from Nemadji.

County officials said there was no evidence that its patients were the
target of the attack or that any patient information had been misused.

However, Nemadji is offering access to free credit monitoring and
identity protection services for anyone who may have been affected.
The company said that it improved its email security systems and
employee training after the attack.

Nemadji has set up an assistance line at (800) 491-4740 for anyone
seeking more information about the incident. It will be staffed from 8
a.m. to 5:30 p.m. PST, Monday through Friday. More information can be
found at the company’s website, nemadji.org.

The Department of Health Services maintains a searchable list of its
facilities online.


More information about the BreachExchange mailing list