Data Breach Impacts Mental Health Patients
5/2 UPDATE: LA County Dept. of Mental Health Confirms 5,129 Individuals Affected by Recent Data Breach
The Los Angeles County Department of Mental Health (LACDMH) just reported to the U.S. Department of Health and Human Services (“HHS”) that its recent hacking incident affected 5,129 people. HHS did not specify whether all individuals affected were patients of LACDMH, but notifications were drafted both to adult data breach victims directly and to the parents and/or guardians of minors whose information may have been accessed. LACDMH is the largest county mental health department in the country, serving over 250,000 county residents annually.
There has been a steep rise in health provider hacking incidents and ransomware events in the U.S.
From October 19 to October 21, 2021, LACDMH was the victim of a “phishing” email campaign.[1]
According to LACDMH, some of its employees were tricked into opening a website link that compromised their email accounts. Those accounts were then used to send out more than 1,000 additional phishing emails. Some of the hacked employee accounts contained confidential patient/client information.
On March 4th, LACDMH completed its investigation, concluding that the personal information of certain patients may have been accessed or downloaded. The Department began providing notice to affected California individuals on April 21, 2022, but to date has not offered any form of relief.
To view LACDMH’s Press Release regarding this data breach, click here.
What Personal Health Information Is at Risk?
The personal information at risk includes names and one or more of the following:
- Date of Birth
- Social Security Number
- Driver’s License number
- Medical Information
- Health Information
- Health Insurance Information
- Financial Account Number
According to the terms of the Notice, neither credit monitoring nor any compensation is being offered.
The full text of the LACDMH Notice of Data Breach can be found here.
Special California Privacy Laws Protect You
If you are a California resident, the California Confidentiality of Medical Information Act (CMIA) requires that every health care provider who maintains medical information do so in a manner that preserves its confidentiality.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from recurring. Under the CMIA, if you received a recent Notice of Data Breach from LACDMH, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.
As Personal Data Doesn’t Degrade, Identity Theft Services, Credit Monitoring, and Other Protections May Be Needed to Prevent Identity Theft
Identity theft is on the upswing. In 2018, approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year.[2] By 2021, there were over 50 million personal records compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers.
Personal data is an attractive target for hackers: it can be bought and sold anonymously, and the going rate is estimated to be in the range of $20 per record, depending on the type of information (according to the Privacy Affairs Dark Web Index of 2021).
Medical records and health insurance information are even more valuable, as that data can potentially provide access to expensive health care along with other forms of identity theft.
Particularly with data such as Social Security Numbers, cyber thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and heightens anxiety over future losses and identity theft.
6 Steps You Can Take to Protect Yourself If Your Personal Information Has Been Compromised
- Purchase credit monitoring services
- Order and review your credit reports – you are entitled to one free report from Experian, TransUnion and Equifax annually
- Review your account statements regularly for suspicious activity
- Place a “fraud alert” with one of the three major credit bureaus
- Place a “security freeze” on your credit report
- Secure legal representation
What Is the Difference Between a Credit Freeze and a Fraud Alert?
A credit freeze is the strongest step you can take to prevent fraudulent accounts from being opened under your name. A credit freeze prevents a credit bureau from sharing your information with others. You can put a credit freeze in place with each of the three major credit bureaus by using the following links: Equifax, Experian, and TransUnion.
If you put a credit freeze in place, no one will be able to open new credit accounts in your name. You can still use your active credit cards with a freeze in place. A credit freeze costs nothing to put in place, lasts indefinitely, and will not affect your credit score.
However, if your credit card information has been compromised, a credit freeze will not prevent a cyber-thief from making purchases with your stolen card. Cancelling the card and getting a new card with a different number is the only way to stop such transactions from taking place.
You can also place a fraud alert on all of your credit reports. Fraud alerts are free and are a flag for potential credit providers that you may have been a victim of identity theft. They allow you to apply for new credit cards and other forms of credit without having to unfreeze your account. Fraud alerts can last one to seven years, and can be lifted by you at any time.
Once you put a fraud alert in place at one credit bureau, it will alert the other two for you. You can put a fraud alert in place with any of the three major credit bureaus: Equifax, Experian, and TransUnion.
[1] “Phishing” is a type of scam where a cyber-criminal sends a fraudulent email to trick a person into believing they are interacting with a legitimate business or person, so that they will open an email with code that affects their computer or reveal sensitive information.
[2] Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.