A hacker who broke into the work email addresses of Contra Costa County employees could gain access to the sensitive personal information of residents seeking state-run health care and other forms of assistance through the county.
And the victims apparently include Contra Costa County supervisors Karen Mitchoff and John Gioia, as well as Mitchoff’s mother.
The hacker targeted the county’s employment and human resources department, which coordinates Medi-Cal applications, food aid and elderly and child care programs.
According to a county press release, CPR numbers, driver’s licenses, passports, financial account numbers and health insurance information are among the data revealed.
“We reviewed the emails and attachments that may have been accessed or downloaded and determined that emails and attachments contained information about certain county employees as well as individuals who communicated with the county’s employment and human resources department,” the county revealed. on its website.
But the county noted that there is no evidence that the hacker actually saw or downloaded any of the data.
According to the county, an unauthorized person gained access to employees’ emails at various times last year between June 24 and August 12. The press release does not indicate when the county discovered the breach and began investigating it, but says the investigation was completed by March 11th.
A county spokesman could not be reached for further details about the breach, including the number of email addresses that may have been compromised.
Medi-Cal applications, which residents email to the Department of Employment and Personnel, include CPR numbers. Two of these numbers belonged to Supervisor Karen Mitchoff and her mother, who received letters informing them that the numbers had been revealed in the breach.
Mitchoff said Tuesday that she applied for Medi-Cal on behalf of her mother and included their CPR numbers in documents she emailed to Employment and Human Services.
Because many other residents similarly apply for Medi-Cal coverage through that department, an entire “wealth of information” may have been revealed, Mitchoff said.
Gioia said he was also notified that his email address may have been broken. He’s not sure how it happened, but suspects it could have been phished by a fraudulent email pretending to be from a county employee.
The county offers some assistance to victims: “We have established a dedicated, free call center that individuals can call with questions about the incident, and we also offer free credit monitoring to eligible individuals who request it.”
But the offer “does not take away from the fact that (the breach) makes people worried about giving their personal information to a government agency,” Gioia acknowledged, saying he intends to question the hacking at a forthcoming Board of Directors. Supervisor meeting.
This is the second time in recent years that the internal server of a county administrative board has been broken. In 2020, Contra Costa County Public Library System became the target of a ransomware attack to lowered the wireless internet networks of all 26 library departments in one month.
Past notable data breaches have expanded to the highest levels of government, including one 2020 intrusion campaign in large public bodies and private companies which the Department of Homeland Security accused Russian hackers of carrying out.
Mitchoff, who was a longtime county employee before becoming supervisor, said her social security information is more important than ever since she retired this year. But it’s just a consequence of doing business on computers, she said.
“These things are happening, no one likes them, and I’m sure the county is putting all protection in place so this does not happen again,” Mitchoff said.
“Hackers will hack to use that trope,” she added. “That’s what they love to do, and it seems like there’s always someone out there who wants to get into our system.”