Confidential information and health records of 756,000 individuals who had contact with Los Angeles County departments may have been exposed following a phishing scheme in May, CBS Los Angeles announced.
A phishing scam tricked 108 Los Angeles County employees into revealing their usernames and passwords. Among the allegedly exposed data are names, Social Security numbers, birth dates, credit card and driver’s license numbers, home addresses and treatment schemes, among others. No evidence shows the information has been sold or made public.
“Some of those employees had confidential client/patient information in their email accounts because of their County responsibilities,” according to CBS. “County officials learned of the breach the next day, and immediately implemented strict security measures.”
The phishing cyberattack has been linked to a Nigerian national, 37-year-old Kelvin Onaghinor who now faces nine charges, including unauthorized computer access and identity theft. A warrant for his arrest was issued on Thursday and he could face up to 13 years in prison. The man has not been arrested yet, as his whereabouts are unknown. Other suspects are also looked into.
“My office will work aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law,” said District Attorney Jackie Lacey.
A forensic investigation by LA County revealed that possibly affected departments were Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public works.
Although the attack was immediately detected, investigators asked for a delay in an official statement to protect the investigation.