750,000 L.A. County Residents’ Personal Information Compromised by Phishing Attack (dailynews.com)

Ryan Carter, Los Angeles Daily News:

The attack occurred May 13, 2016, when 108 county employees were deceived by an email they believed to be legitimate into providing their usernames and passwords, according to officials.

Some of those employees, according to officials at the county, had “confidential client/patient information” in their email accounts through their county responsibilities.

[…]

That information may have included first and last names, dates of birth, Social Security numbers, driver’s license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history or medical record numbers.

It’s worth noting that a small typo — “legitimate” instead of “illegitimate” — and a similar phishing email likely changed the course and result of the 2016 election. Both of these attacks could have been prevented by using two-factor authentication and being more aware of what a phishing email looks like.

Sadly, as electronic communications and data storage are increasingly consolidated around a handful of popular providers, such as Google, Apple, Oracle, and Salesforce, it is easy enough for enterprising hackers to slap together a fake login page and send it to thousands of users. If only a fraction of them take the bait, that may still represent hundreds of thousands, or even millions, of records.

And another thing: why did it take officials seven months to notify those affected? Given the kind of data at stake here, that’s egregiously irresponsible.