In a notice posted on its website last week, the department said the email credentials of 53 employees had been compromised in the incident that occurred between Feb. 19 and Feb. 20.
“In this case, the DPH employees clicked on the link located in the body of the email, thinking that they were accessing a legitimate message from a trustworthy sender,” the agency said in the notice.
The perpetrators could have accessed a range of information contained within staff emails, including client names, dates of birth, diagnosis, prescriptions, medical record number/patient ID, Medicare/Medi-Cal number, health insurance information, Social Security Numbers and financial information.
“DPH has implemented numerous enhancements to reduce our exposure to similar email attacks in the future,” the department said. “Upon discovery of the phishing attack, we acted swiftly to disable the impacted email accounts, reset and re-imaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails.”
DPH is working with law enforcement to investigate the incident and said it “will notify the U.S. Department of Health & Human Services’ Office for Civil Rights and other agencies as required by law and/or contract.”
This story first appeared in Industry Insider — California, part of e.Republic, Government Technology’s parent company.