L.A. County reveals ‘possible breach’ of personal data from social services hotline
The nonprofit organization that operates Los Angeles County’s social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.
UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse.
In a statement Wednesday, Bill Kehoe, the county’s chief information officer, said that once officials were alerted to the issue, they “promptly directed” that access to the exposed information be blocked.
It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county’s 211 hotline.
Kehoe’s statement said the county had determined that “certain personal information” had been “vulnerable to a possible breach,” but he provided no details.
Chris Vickery, director of UpGuard’s cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server.
The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016.
In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. The firm provided The Times with screen shots of redacted records to document its discovery.
“It’s pretty disturbing they would allow something like this to happen,” Vickery said.
Ralph Johnson, L.A. County’s chief information security officer, said he investigated the matter at the time and concluded the information was not sensitive. He described the data as “innocuous log information.”
Nonetheless, Johnson said, the information was not supposed to be public. He said he notified Maribel Marin, 211 L.A. County’s executive director, and that within roughly an hour the data had been taken down.
Johnson said he did not report the matter to his supervisor because he deemed the information nonconfidential, but his office was looking into it “more deeply” as a result of The Times’ inquiry.
Marin said that 211 L.A. County’s network undergoes security audits and that employees receive training in medical privacy laws. She said that the organization contracts with Amazon for storage in part because of the security it provides.
“It’s very hard for anyone in the general public to get access to the Amazon cloud,” she said.
Kelly Rethmeyer, a spokeswoman for UpGuard, said that if an administrator incorrectly configures permissions for the data it stores with Amazon, accessing the data can be “as simple as typing a URL.”
UpGuard said that is what happened in the L.A. County case, resulting in some files being available for public download.
The 211 L.A. County nonprofit has a contract worth up to $36 million with the county to provide information and referrals to health and human services via call-in and web platforms.
Rahul Telang, a professor of information systems and management at Carnegie Mellon University, said it’s not unusual that a government agency or vendor would use a cloud server like Amazon Web Services for data storage. Web services firms are more likely to have the expertise and scale to provide secure storage in a cost-efficient manner, he said.
But, Telang said, if an administrator grants access to data through a misconfigured security setting, “the cloud can’t really do anything about it.”
Telang said the majority of data breaches occur because of “access control” issues.
Neither UpGuard nor county nor 211 officials said they were aware that anyone had improperly accessed the call data.
However, Telang said, “it’s very hard to know sometimes when you are breached.”
If data includes valuable personal or financial information, such as Social Security numbers, it’s more likely to be targeted by hackers, he said.
“If you are in the business of keeping personally identifying information, you can pretty much be assured that you have a good chance of getting breached,” Telang said.
Kehoe, the county’s chief information officer, said it has an “aggressive commitment” to protecting personal information, whether maintained by the county or an outside vendor.
“In this case,” Kehoe said in his statement, “the county will be closely monitoring strong assurances from the vendor that it has strengthened its data safeguards, as well as its policies, protocols, processes and oversight to avoid any future exposure of sensitive information.”
The perils of parenting through a pandemic
What’s going on with school? What do kids need? Get 8 to 3, a newsletter dedicated to the questions that keep California families up at night.
You may occasionally receive promotional content from the Los Angeles Times.