Philadelphia on Friday disclosed it had been hit by a cyberattack in May and that the malicious actors may have accessed the personal and health data of city employees through their email accounts.
In a Notice of Privacy Incident statement, city officials said they became aware of “suspicious activity” in city email systems in May. The city launched an investigation, which determined that between May 26 and July 28, an unauthorized actor may have gained access to certain city email accounts.
While review of impacted data is still ongoing, the city reports that the types of information accessed during the incident may vary by user. Along with health data — which included diagnosis and treatment information — affected information includes demographics, names, addresses, dates of birth, Social Security numbers and other contact information, according to the notice.
The city said it reported the event to the U.S. Department of Health and Human
Services and will report this event to other regulators as necessary. Officials said they will confirm the identities and contact information for potentially impacted individuals and provide notice via written letters.
“As part of our ongoing commitment to information security, we are also reviewing our existing policies and procedures, implementing additional administrative and technical safeguards to further secure information in our care, and providing additional training on how to safeguard information in our email environment,” a city statement read.
Also on Friday, the Orange County District Attorney’s Office in Los Angeles detected a cyberattack and shut down their system to “prevent further intrusion,” CBS Los Angeles reported. It is unclear if the attack was successful. The DA’s office said it’s investigating the incident and working with the Orange County Sheriff’s Department and the FBI.