A California health system was breached after a hacker gained access through "push notification spamming."
Los Angeles County (Calif.) Department of Health Services, the country's second-largest municipal health system, fell victim to the attack in February after a cybercriminal used the technique to get past the multifactor authentication on an employee's Microsoft 365 account, according to a notice.
With push notification spamming, also known as multifactor authentication bombing or fatigue, a cybercriminal floods a user's device with multifactor authentication login approval requests, hoping the user approves one of them.
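One way a defender could flag this pattern in authentication logs, shown as an added example that is not taken from the health system's notice or from any vendor's tooling. The event layout, user names, time window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed: rejected/ignored prompts that make a burst

# Constructed sample events: (ISO timestamp, user, push result). Hypothetical layout.
SAMPLE_EVENTS = [
    ("2025-01-15T09:00:05", "alice", "approved"),  # ordinary single sign-in
    ("2025-01-15T11:00:00", "carol", "denied"),    # one mis-tap, then a real sign-in
    ("2025-01-15T11:00:30", "carol", "approved"),
    ("2025-01-15T13:00:00", "dave", "timeout"),    # failures spread out over an hour
    ("2025-01-15T13:20:00", "dave", "timeout"),
    ("2025-01-15T13:40:00", "dave", "timeout"),
    ("2025-01-15T14:00:00", "dave", "timeout"),
    ("2025-01-15T22:14:00", "bob", "timeout"),     # rapid prompts the user did not start
    ("2025-01-15T22:14:40", "bob", "denied"),
    ("2025-01-15T22:15:10", "bob", "timeout"),
    ("2025-01-15T22:15:50", "bob", "timeout"),
    ("2025-01-15T22:16:30", "bob", "approved"),    # user gives in and approves
]

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts.

    prompt_burst         -> `threshold` rejected/ignored prompts inside `window`
    approved_after_burst -> an approval that lands while such a burst is active
    """
    recent = defaultdict(deque)  # user -> times of recent rejected/ignored prompts
    alerts = []
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        failed = recent[user]
        # Drop prompts that have aged out of the look-back window.
        while failed and now - failed[0] > window:
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(now)
            if len(failed) == threshold:  # fire once when the burst is reached
                alerts.append((user, ts, "prompt_burst"))
        elif result == "approved":
            if len(failed) >= threshold:  # likely fatigue approval: highest priority
                alerts.append((user, ts, "approved_after_burst"))
            failed.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the case that warrants immediate session revocation and a credential reset, since it means the password was already known to whoever triggered the prompts.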
"Upon discovery of the phishing attack, we acted swiftly to disable the impacted email account, reset and reimaged the user's device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails," the health system stated. "Further, we enhanced training to identify and respond to phishing attacks as part of the DHS ongoing cybersecurity awareness program."
The Department of Health Services told HHS in late June that 41,444 individuals were affected by the hack. The breached data may have included personal contact information, Social Security and government-issued ID numbers, health insurance information, diagnoses, treatments and medications.