Cyber Incident Victim: Los Angeles County Department of Mental Health
Date: Oct 2021
Location: United States of America
Summary
The Los Angeles County Department of Mental Health experienced a phishing attack that affected 5,129 individuals after threat actors sent malicious emails through a trusted partner’s breached email server. The incident exposed sensitive data including Social Security numbers, driver’s license details, and medical information, prompting the department to review and reinforce its security protocols while completing required notifications.
Description
The Los Angeles County Department of Mental Health experienced a malicious cyberattack between October 19 and October 21, 2021. The incident stemmed from phishing emails distributed through a compromised email server belonging to a trusted partner organization. Attackers leveraged this unauthorized access to target the department’s systems, though the specific method of initial compromise was not detailed in public disclosures. The breach investigation revealed that attackers potentially accessed sensitive personal and medical information belonging to 5,129 individuals. Exposed data included Social Security numbers, driver’s license numbers, and medical information, though forensic analysis did not confirm whether data was exfiltrated or merely accessible during the intrusion window. The department did not publicly specify whether internal employee accounts or specific systems were directly breached beyond the partner email vector.

Following the discovery of the incident, the department initiated response protocols, though the exact date of detection relative to the October attack window was not disclosed. Forensic investigations confirmed the scope and nature of the breach, leading to formal determination of impacted individuals. Notification letters were mailed to all affected parties by April 21, 2022, approximately six months post-incident. The department’s public statement emphasized a review of existing security protocols but did not specify whether multi-factor authentication, email filtering, or other technical controls were strengthened as a result. No ransomware deployment, financial demands, or extended operational disruptions were reported in connection with the phishing attack. Identity theft protection services were not mentioned in the available breach notification summary, unlike parallel incidents affecting other organizations described in the same reporting period.
