Cyber Incident Victim: Nemadji Research Corporation
Date: Mar 2019
Location: United States of America
Summary
A contractor providing patient eligibility verification services for a county health department experienced unauthorized access to an employee's email account, compromising sensitive information of nearly 15,000 individuals. The breach exposed patient records through the compromised email, which contained encrypted data alongside corresponding decryption keys, negating protective measures. Multiple clients beyond the county health system were impacted, including another healthcare entity notifying over 1,000 affected patients due to the same incident.
Description
On March 28, 2019, an employee email account at Nemadji Research Corporation, operating as California Reimbursement Enterprises, was compromised by unauthorized actors. Nemadji served as a contractor for the Los Angeles County Department of Health Services (DHS), specializing in identifying and verifying patient eligibility for reimbursement programs covering county-provided healthcare services. The breach exposed sensitive personal information belonging to 14,591 LA County patients. While most data within the email account was encrypted, the encryption keys required to access this information were stored within the same compromised account, rendering the protective measures ineffective. Los Angeles County officials publicly disclosed the incident on July 9, 2019, through an official news release, with public notifications issued on July 11.

The incident impacted multiple Nemadji clients beyond LA County, including Essentia Health, which separately notified over 1,000 affected individuals. Exposed information included patient records containing personally identifiable information and protected health data, though specific data elements were not detailed in public statements. Nemadji published a formal notice acknowledging that the attacker gained access to encrypted data alongside the decryption keys due to their storage within the breached email environment. No information was disclosed regarding the duration of unauthorized access, intrusion methods, or whether data was exfiltrated or merely viewed. LA County directed impacted patients to dedicated resources on its DHS website, while Nemadji provided a separate incident notice page. The breach highlighted risks associated with third-party vendor security practices, particularly the storage of encryption credentials alongside protected data.
