Sacramento County Employees Were Targeted
On May 15, 2023, multiple Sacramento County employees were the target of a malicious phishing campaign that consisted of emails designed to trick victims into revealing sensitive login credentials to their computer account. A total of five employees furnished their County login credentials into an external website.
The security audit of the user's mailboxes completed and revealed the exposure of 5,525 protected health information and 474 Personal Identifiable Information records are being reviewed. Based on the contact information on file, impacted individuals will be mailed a notification of the data exposure once all have been identified. These victims will have the no charge option to have one year of credit monitoring, credit resolution, and identity restoration services to all impacted individuals. This information will also be posted at office locations the individuals had visited.
Safeguards in Place Prior to the Incident:
- Privacy Rule Safeguards (Training, Policies and Procedures)
- Security Rule Administrative Safeguards (Risk Analysis, Risk Management)
- Security Rule Physical Safeguards (Facility Access Controls, Workstation Security)
- Security Rule Technical Safeguards (Access Controls, Transmission Security)
Actions Taken in Response to the Incident:
- Changed password/strengthened password requirements
- Created a new/updated Security Rule Risk Management Plan
- Implemented new technical safeguards
- Implemented periodic technical and nontechnical evaluations
- Improved physical security
- Provided individuals with free credit monitoring
- Took steps to mitigate harm
- Trained or retrained workforce members
- Implemented countywide 2 Factor Authentication
- Provided countywide Security Awareness Training
This incident has been reported the U.S. Department of Health & Human Services, and California Department of Health Care Services. Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 C.F.R. Part 5, Office of Civil Rights (OCR) may be required to release information provided in the breach notification. For breaches affecting more than 500 individuals, some of the information provided will be made publicly available by posting on the HHS web site pursuant to § 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5). Additionally, OCR will use this information, pursuant to §13402(i) of the HITECH Act, to provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches. OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.