DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Los Angeles County 211 exposed call logs with details

Posted on May 18, 2018 by Dissent

Another day, another leak involving sensitive information.  From the UpGuard team:

The UpGuard Cyber Risk Team can now disclose that sensitive data from the Los Angeles County 211 service, a nonprofit assistance organization described on their website as “the central source for providing information and referrals for all health and human services in LA County,” was publicly exposed online.

The contents of the downloadable files include access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes. These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data.

Read more on UpGuard.

UpGuard’s spokesperson confirmed to me that UpGuard first attempted to reach out to LA County 211 on within hours of discovering the exposure on March 14. Why, then did it take more than a month – until April 24 – for the county to get notified and do something??? I have reached back out to UpGuard to try to get more details as to why notification was not accomplished more quickly. Note that I am NOT criticizing UpGuard at all. I want to know where the county’s notification system may have broken down if it was not possible for UpGuard to quickly and effectively notify them on March 14.

Update:  So Chris Vickery filled me in more on what happened with the attempt to notify.  According to Chris, the county was called in 1 hours and 15 minutes after discovery.

“Couldn’t get a real person,” Chris told me, “so 15 minutes later I called 211 itself (the public line) and spoke to an operator. The operator took me seriously and said she would send my contact details to the proper IT contacts and also gave me an admin support email to send a message to. The support email address must be an “internal only” email address because it bounced when I sent a notification message to it. I don’t know what happened to the operators email to the supposed IT staffer. I never heard from them.”

Ugh. A colleague of Chris’s followed up eventually as the others were busy dealing with the AggregateIQ/Cambridge Analytica situation. When the colleague got a direct number for someone in IT,  they were finally able to make notification to the IT people.

No related posts.

Category: Breach IncidentsExposureGovernment SectorHealth Data

Post navigation

← Tidal Investigating ‘Potential Data Breach’ After Reports of Inflated Subscriber and Streaming Numbers
Steward Must Convince Jury Doc Fired For HIPAA Violation →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.