
Cyber Incident Victim: Sacramento County

Date: Jun 2021

Location: United States of America

Summary

A phishing attack compromised Sacramento County when five employees disclosed email credentials after receiving malicious messages, exposing protected health information of approximately 2,096 employees and personal data of 816 others. The organization notified affected individuals, provided complimentary credit monitoring and identity restoration services for one year, and implemented enhanced security measures including stricter password policies, two-factor authentication, updated security protocols, and additional staff training to mitigate future risks.


Description

On June 22, 2021, Sacramento County experienced a phishing attack that compromised five employee email accounts after staff disclosed their credentials in response to malicious emails. The breach exposed protected health information (PHI) of 2,096 county employees and personal information of 816 additional individuals. The county confirmed the incident through its investigation but did not specify the exact timeframe during which unauthorized access to the email accounts occurred. Exposed data included sensitive employee and individual information, though the specific types of compromised PHI beyond general categorization were not detailed in available reports. Sacramento County issued breach notification letters to affected parties on January 21, 2022—seven months after the attack’s discovery—in compliance with regulatory requirements.

In response to the incident, Sacramento County implemented several corrective measures including the provision of 12 months of free credit monitoring, credit resolution services, and identity restoration support to impacted individuals. The county enhanced its technical safeguards by enforcing stricter password policies and deploying two-factor authentication across relevant systems. Administrative improvements included updates to the organization’s security management plan and mandatory additional cybersecurity training for staff to address phishing recognition and response protocols. No evidence suggested public disclosure of exfiltrated data or malicious use of the compromised information beyond initial unauthorized access. The breach highlighted operational vulnerabilities in email security practices, though Sacramento County did not report disruptions to critical services or systems beyond the compromised accounts.
