ShareThis Page

Los Angeles County workers hit by phishing attack; info of 750K exposed

| Saturday, Dec. 17, 2016, 10:36 p.m.

LOS ANGELES — Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees in May that led to charges this week against a Nigerian national, officials have disclosed.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email. The message tricked 108 employees into providing user names and passwords to their accounts, some of which contained confidential patient or client information.

Most of the 756,000 people whose information may have been accessed had contact with the Department of Health Services, according to the county. A smaller amount of confidential information from more than a dozen other county departments also was compromised.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

Officials said there is no evidence that confidential information has been circulated, sold or released.

The county learned of the attack the day after it happened, and officials said they responded with security measures and a criminal investigation.

But the county waited more than seven months to inform the public, citing an exemption under state law that allows delayed notification to protect ongoing investigations.

Cyber investigators with the L.A. County district attorney's office traced the attack to Nigeria. Prosecutors issued an arrest warrant Thursday, accusing Austin Kelvin Onaghinor, 37, of launching the attack and charged him with nine felony counts, including unauthorized computer access and identify theft.

District Attorney Jackie Lacey said in a statement, “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

Once charges were filed, county officials began mailing notices Thursday to people whose information may have been accessed.

The county's Chief Executive Office said it delayed public notification of the attack at the request of the district attorney's office “to protect the confidentiality of the sensitive, ongoing investigation and prevent broader public harm.”

Notifying the public of the attack earlier “may have hindered” the investigation,” the county said in a notice about the data breach Friday.

In response to the attack, officials said they have strengthened security measures on county email accounts and enhanced employee training to guard against a growing number of cyber intrusions.

“These kinds of phishing attacks are on the rise throughout society — and the County has not been immune from that trend,” county spokesman Joel Sappell said in a statement.

In February, officials disclosed that the Department of Health Services had been targeted in a smaller-scale “ransomware” attack, a type of malware that cuts off users' access to files or threatens to destroy them unless a ransom is paid.

The district attorney's office said in a news release Friday that its cyber investigation team has protected the county from previous attacks, “has investigated 85 cases, involving hundreds of thousands of potential victims and has resulted in several successful prosecutions and restitution totaling nearly $4 million.”

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.