California health system hacked through ‘push notification spamming’

A California health system was breached after a hacker gained access through “push notification spamming.”

Los Angeles County (Calif.) Department of Health Services, the country’s second-largest municipal health system, fell victim to the scam in February after a cybercriminal got through the multifactor authentication of an employee’s Microsoft 365 account via the hacking technique, according to a notice.

With push notification spamming, also known as multifactor authentication bombing or fatigue, a cybercriminal floods a user's device with multifactor authentication login approval requests, hoping the user approves one of them.
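A defender-side view of how this pattern appears in sign-in telemetry, added here as an example and not part of the original article or the health system's notice: it flags an approved push that follows a burst of denied or timed-out prompts for the same user. The event tuples, result names, window and threshold are constructed assumptions, not any vendor's log schema.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the incident): (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2030-01-15T03:10:05", "alice", "denied"),
    ("2030-01-15T03:10:40", "alice", "denied"),
    ("2030-01-15T03:11:15", "alice", "timeout"),
    ("2030-01-15T03:12:02", "alice", "denied"),
    ("2030-01-15T03:12:50", "alice", "timeout"),
    ("2030-01-15T03:13:30", "alice", "denied"),
    ("2030-01-15T03:14:10", "alice", "approved"),  # approval after a burst
    ("2030-01-15T09:00:00", "bob", "timeout"),
    ("2030-01-15T09:00:45", "bob", "approved"),    # ordinary missed prompt
    ("2030-01-15T14:00:00", "carol", "denied"),
    ("2030-01-15T14:20:00", "carol", "denied"),
    ("2030-01-15T14:40:00", "carol", "denied"),
    ("2030-01-15T15:00:00", "carol", "denied"),
    ("2030-01-15T15:20:00", "carol", "denied"),
    ("2030-01-15T15:21:00", "carol", "approved"),  # denials too spread out
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag approvals preceded by >= threshold unapproved prompts within window."""
    recent = {}   # user -> timestamps of unapproved prompts still inside the window
    alerts = []
    for ts_str, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:          # expire prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "approved_at": ts_str,
                               "prior_unapproved": len(q),
                               "burst_start": q[0].isoformat()})
            q.clear()                            # an approval ends the current burst
        else:
            q.append(ts)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert from this rule is a reason to revoke the session and reset the credential, since the prompts only fire after a sign-in attempt has already passed the password step.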

“Upon discovery of the phishing attack, we acted swiftly to disable the impacted email account, reset and reimaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails,” the health system stated. “Further, we enhanced training to identify and respond to phishing attacks as part of the DHS ongoing cybersecurity awareness program.”

The Department of Health Services told HHS in late June that 41,444 individuals were affected by the hack. The breached data may have included personal contact information, Social Security and government-issued ID numbers, health insurance information, diagnoses, treatments and medications.
