Cyber Incident Victim: Volunteers of America Southwest California
Date: Nov 2021
Location: United States of America
Summary
A phishing attack compromised an employee email account at Volunteers of America Southwest California after credentials were stolen via a fraudulent voicemail link. The brief unauthorized access exposed clients' first and last names, with some records including COVID-19 vaccination status. The organization detected and contained the intrusion promptly, engaged third-party experts to validate remediation, and enhanced email security protocols. The incident affected 1,300 individuals.
Description
On or around November 16, 2021, Volunteers of America Southwest California, a San Diego-based social service organization, experienced a phishing attack compromising an employee email account. The incident began when an employee received a deceptive email designed to mimic a voicemail notification, containing a link to a fraudulent website prompting the entry of login credentials. Upon submission, these credentials were captured by attackers, who subsequently gained unauthorized access to the employee’s email account. The organization detected and remediated the intrusion on the same day, November 16, terminating the unauthorized access promptly. A forensic review of the compromised email account confirmed the exposure of client information, primarily consisting of first and last names in the majority of cases. A subset of records additionally contained individuals’ COVID-19 vaccination status. The organization engaged third-party experts to validate its containment measures, confirming the breach was fully remediated following the incident.

The investigation revealed the attackers accessed the email account only on November 16, 2021, with no evidence of prolonged or broader system compromise beyond the single account. Volunteers of America Southwest California reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights, disclosing that protected health information of 1,300 individuals was exposed. No financial data, Social Security numbers, or login credentials beyond the initially phished employee account were identified as compromised. In response, the organization implemented enhanced email security protocols, though specific technical measures were not detailed in public disclosures. The breach notification process emphasized the limited scope of exposed data compared to typical healthcare breaches, focusing on name and vaccination status disclosures without evidence of subsequent misuse.
