Fraud Management & Cybercrime
,
Ransomware
HIPAA Protected Health Information Among Data Stolen in Nov. 2023 Attack
The City of Long Beach, Calif., is notifying roughly 260,000 individuals that their protected health information may have been stolen in a November 2023 cyberattack that also disrupted IT systems for several weeks. The city says it’s added $1 million to its cybersecurity budget since the incident.
See Also: 2025 Ransomware Report: What Q1 Trends Reveal About the Year Ahead
One media outlet reported the total number of people affected by the incident could be as high as about 470,060, based on breach reports the City of Long Beach filed to various state attorneys general.
The City of Long Beach did not immediately respond to Information Security Media Group’s requests for clarification about whether the 260,000 individuals reported to the U.S. Department of Health and Human Services on April 14 are a subset of a larger number.
A spokesperson for the city told ISMG that the potentially compromised files “could pertain to residents, employees, customers and stakeholders.” The city did not pay a ransom, she said.
The city said in its breach notice that it experienced a network security incident on Nov. 14, 2023 in which an “unauthorized third party” gained access to its network.
In response to the incident, the city temporarily took its IT systems offiline. During the outage, any enterprise functions were offline, including utility bill payment processing and digital amenities offered by the Long Beach Public Library, as well as other municipal services. The city’s IT systems were restored over several weeks.
In a frequently asked questions document posted on its website, the city said the year-plus delay in breach notification was due to the “extensive forensics investigation and manual document review” that took the municipality approximately 15 months to finally complete on March 18.
“Anyone who has experienced a sophisticated cyber incident knows it is a time-intensive process,” the city said.
Information potentially accessed or acquired by the hackers varies among individual but includes name, date of birth, financial account and payment card information, biometric information, medical diagnosis and treatment information, as well as government ID numbers. Individuals whose Social Security numbers where potentially compromised are being offered complimentary credit monitoring.
“This has proven to be an unprecedented event for our organization, and we continue to take this investigation and its findings seriously,” said Rex Richardson, Long Beach mayor. “We will continue to be as transparent as we can.”
The Southern California coastal city, which houses approximately 466,000 people, approved last September a $3.6 billion annual budget for fiscal 2025.
The municipality said it added $1 million “to enhance cybersecurity and information technology infrastructure through the use of cybersecurity experts, training, testing, data loss prevention tools and more.”
The increased cyber spending also funds two new positions that will be added to the cybersecurity team “to increase capacity to monitor, analyze and contribute to risk mitigation efforts and one position focused on regulatory compliance, including Payment Card Industry and HIPAA,” according to a city budget document.