A hacker who accessed the work email addresses of Contra Costa County employees could have obtained the sensitive personal information of residents who sought state-run health care coverage and other forms of assistance through the county.
And the victims apparently include Contra Costa County supervisors Karen Mitchoff and John Gioia, as well as Mitchoff’s mother.
The hacker primarily targeted the county’s Employment and Human Services Department, which coordinates Medi-Cal applications, food assistance and elderly and child care programs. Of the eight email accounts compromised in the data breach, seven belonged to employees in the department and one to a staff member in Human Resources.
According to the county, Social Security numbers, driver’s licenses, passports, financial account numbers and health insurance information are among the data exposed.
“We reviewed the emails and attachments that could have been accessed or downloaded and determined that emails and attachments contained information pertaining to certain County employees, as well as individuals who communicated with the County’s Employment & Human Services Department,” the county revealed in its website.
But the county noted there’s no evidence the hacker actually viewed or downloaded any of the data.
County officials first noticed “suspicious activity” in an employee’s email account last July, county spokesperson Susan Shiu said. Its ensuing investigation lasted nine months, concluding on March 11 that the hacker had accessed eight employees’ accounts at various times last year between June 24 and Aug. 12.
Medi-Cal applications that residents email to the Employment and Human Services department include Social Security numbers. Two of those numbers belonged to Supervisor Karen Mitchoff and her mother, who received letters notifying them that the numbers were exposed in the breach.
Mitchoff said Tuesday she applied for Medi-Cal on behalf of her mother and included their Social Security numbers in documents she emailed to Employment and Human Services.
Because many other residents similarly apply for Medi-Cal coverage through that department, a whole “wealth of information” may have been exposed, Mitchoff said.
The county’s investigation did not conclude how exactly the hacker entered county staff’s emails, but Shiu said the data breach took place at the same time as a phishing attack, in which the recipient of a fraudulent email is baited into compromising account details.
“Phishing attacks represent a large proportion of all cyber-attacks facing government,” Shiu said in an email.
Supervisor Gioia, who similarly received notice that his personal information may have been compromised, said he believes the phishing attack might be to blame.
The county is offering some help to the victims: “We have established a dedicated, toll-free call center for individuals to call with questions about the incident, and we are also offering complimentary credit monitoring to eligible individuals who request it.”
But the offer “doesn’t take away from the fact that (the breach) causes people to be concerned about providing their personal information to a government agency,” Gioia acknowledged, saying he intends to ask questions about the hacking at a coming Board of Supervisors meeting.
This is the second time in recent years that the internal server of a county agency has been breached. In 2020, the Contra Costa County public library system became the target of a ransomware attack that downed the wireless internet networks of all 26 library branches for a month.
Past notable data breaches have extended to the highest levels of government, including a 2020 intrusion campaign into large public agencies and private companies that the Department of Homeland Security accused Russian hackers of carrying out.
Mitchoff, who was a longtime county employee before becoming supervisor, said her Social Security information is more important than ever since she’s retiring this year. But that’s just a consequence of doing business on computers, she said.
“These things happen, nobody likes them, and I’m assured that the county is putting whatever protections in place so that this doesn’t happen again,” Mitchoff said.
“Hackers are going to hack, to use that trope,” she added. “That’s what they love to do, and it seems there’s always someone out there who wants to get into our system.”