July 9, 2019
A Los Angeles County Department of Health Services (DHS) contractor, the Nemadji Research Corporation, is notifying patients about a “phishing attack” that exposed the personal information of 14,591 patients. Nemadji’s work for DHS consists of identifying and verifying patient eligibility for programs that will reimburse for care provided by DHS.
There is no evidence that DHS patient information specifically was the target of the phishing email, sent to a Nemadji employee, and no indication that any patient data has been misused. The hacker had access to the employee’s email account for several hours on March 28, 2019, and records from several of Nemadji’s clients, including DHS, were exposed during that time.
The personal information for DHS patients present in the email account at the time of the incident varied by individual, but may have included first and last names and one or more of the following data elements: address, date of birth, phone number, patient account number, medical record number, admission and discharge dates, Medi-Cal identification number, month and year of service. The Social Security Number of two patients and diagnostic codes of four patients were also identified.
Nemadji began notifying individuals potentially affected by the breach via first class mail on July 8, 2019. The notifications include detailed information on the recommended steps individuals may take to protect their information. Although Nemadji is unaware of any actual or attempted misuse of information as a result of this incident, Nemadji is offering potentially impacted individuals access to free credit monitoring and identity protection services.
Upon discovering this incident, Nemadji took steps to confirm the security of its systems, including employee email accounts. Nemadji reviewed existing security policies and implemented additional measures to further protect information, including enhanced email security and employee training. Nemadji also reported this incident to the Federal Bureau of Investigation and notified necessary state and federal regulators.
Nemadji has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 1-800-491-4740 from 8:00 a.m. to 5:30 p.m. PT, Monday through Friday with questions or if they would like additional information. Additional information can also be found on Nemadji’s website, nemadji.org. Potentially affected individuals may also consider the information and resources outlined below.
Nemadji encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity. Under U.S. law, individuals with credit reports are entitled to one free credit report annually from each of the three major credit reporting bureaus.