Involves Clients of the Department of Child, Family & Adult Services
On June 22, 2021, multiple Sacramento County employees were targeted by a malicious phishing campaign consisting of emails designed to trick recipients into revealing the login credentials for their computer accounts. A total of five employees entered their County login credentials into an external website.
The security audit of the users' mailboxes, completed on Nov. 17, 2021, revealed the exposure of 2,096 protected health information records and 816 Personally Identifiable Information records. Based on the contact information on file, these individuals were mailed a notification of the data exposure the week of January 17, 2022.
However, it is anticipated that the County may not have contact information for everyone potentially impacted by the data exposure. Therefore, the County is posting this information on its impacted department websites and at office locations individuals had visited.
Sacramento County is offering all impacted individuals one year of credit monitoring, credit resolution, and identity restoration services at no charge.
Am I Affected?
The Data Breach Name Verification application was decommissioned as of January 10, 2023.
To learn more, review the Data Breach FAQs.
Sacramento County Information Security Measures
Safeguards in Place Prior to the June 22, 2021 Incident:
- Privacy Rule Safeguards (Training, Policies and Procedures)
- Security Rule Administrative Safeguards (Risk Analysis, Risk Management)
- Security Rule Physical Safeguards (Facility Access Controls, Workstation Security)
- Security Rule Technical Safeguards (Access Controls, Transmission Security)
Actions Taken in Response to the June 2021 Incident:
- Changed password/strengthened password requirements
- Created a new/updated Security Rule Risk Management Plan
- Implemented new technical safeguards
- Implemented periodic technical and nontechnical evaluations
- Improved physical security
- Provided individuals with free credit monitoring
- Took steps to mitigate harm
- Trained or retrained workforce members
- Implemented countywide 2 Factor Authentication
- Provided countywide Security Awareness Training
This incident has been reported to the Sacramento Sheriff (Case #21-211501) and the U.S. Department of Homeland Security (Case #2021-USCERTv3142X8), as well as the U.S. Department of Health & Human Services and the California Department of Health Care Services.
Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 C.F.R. Part 5, the Office of Civil Rights (OCR) may be required to release information provided in the breach notification.
For breaches affecting more than 500 individuals, some of the information provided will be made publicly available by posting on the HHS web site pursuant to § 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5).
Additionally, OCR will use this information, pursuant to §13402(i) of the HITECH Act, to provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches.
OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.