Sacramento County Employees Were Targeted
Sacramento, Calif., January 21, 2022 - On June 22, 2021, multiple Sacramento County employees were the target of a malicious phishing campaign consisting of emails designed to trick victims into revealing the login credentials for their computer accounts. A total of five employees entered their County login credentials into an external website.
The security audit of the users' mailboxes, completed on Nov. 17, 2021, revealed the exposure of 2,096 protected health information records and 816 Personally Identifiable Information records. Based on the contact information on file, these individuals were mailed a notification of the data exposure on January 21, 2022, and were notified that all impacted individuals have the option of one year of credit monitoring, credit resolution, and identity restoration services at no charge. This information has also been posted virtually and at office locations the individuals had visited.
Safeguards in Place Prior to the Incident:
- Privacy Rule Safeguards (Training, Policies and Procedures)
- Security Rule Administrative Safeguards (Risk Analysis, Risk Management)
- Security Rule Physical Safeguards (Facility Access Controls, Workstation Security)
- Security Rule Technical Safeguards (Access Controls, Transmission Security)
Actions Taken in Response to the Incident:
- Changed password/strengthened password requirements
- Created a new/updated Security Rule Risk Management Plan
- Implemented new technical safeguards
- Implemented periodic technical and nontechnical evaluations
- Improved physical security
- Provided individuals with free credit monitoring
- Took steps to mitigate harm
- Trained or retrained workforce members
- Implemented countywide 2 Factor Authentication
- Provided countywide Security Awareness Training
This incident has been reported to the Sacramento Sheriff (Case #21-211501) and the U.S. Department of Homeland Security (Case #2021-USCERTv3142X8), as well as the U.S. Department of Health & Human Services and the California Department of Health Care Services. Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 C.F.R. Part 5, the Office of Civil Rights (OCR) may be required to release information provided in the breach notification. For breaches affecting more than 500 individuals, some of the information provided will be made publicly available by posting on the HHS web site pursuant to §13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5). Additionally, OCR will use this information, pursuant to §13402(i) of the HITECH Act, to provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches. OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
Brenda Bongiorno, Sacramento County Public Information Officer