Cyber Incident Victim: Eastern Los Angeles Regional Center

On July 15, 2021, Eastern Los Angeles Regional Center (ELARC) detected suspicious activity in an employee’s email account, indicating unauthorized access. The organization immediately performed a password reset to secure the account and initiated an investigation to assess the breach’s scope. The forensic analysis confirmed the unauthorized access was limited to a single day—July 15, 2021—and involved no evidence of data exfiltration or actual misuse of the compromised information. The email account contained protected health information (PHI) of 12,921 individuals, including full names, Social Security numbers, ELARC-issued client identifiers, Tax ID numbers, medical histories, treatment or diagnosis details, and health insurance information. ELARC determined the breach did not extend beyond this isolated email account compromise and found no indication that the attacker viewed, copied, or exploited the exposed data.

In response to the incident, ELARC implemented additional technical safeguards to strengthen information security protocols, though specific technical measures were not disclosed. The organization notified affected individuals and offered 12 months of complimentary credit monitoring and identity protection services through Kroll. ELARC’s public statement emphasized that the breach investigation revealed no evidence of attempted or actual misuse of the compromised PHI. The center did not disclose whether law enforcement was involved or whether regulatory bodies were formally notified. Remediation efforts focused on securing the affected account, enhancing system-wide safeguards, and providing breach notifications to impacted parties without delaying beyond the two-month period between the July discovery and late September public reporting.