he Los Angeles County Department of Health Services (DHS) has disclosed a data breach caused by an employee falling victim to a push notification spamming attack.“A hacker circumvented the multi-factor authentication safeguards of an employee’s Microsoft 365 account through a method commonly referred to as ‘push notification spamming’,” the DHS said in an incident notice (PDF).Also referred to as push notification fatigue, the attack technique targets multi-factor authentication (MFA) that relies on push notifications on the user’s device, prompting them to approve login attempts after entering their username and password.The attackers inundate the user’s device with MFA push notifications, causing the user to believe that there could be a glitch and to approve the login attempt.“We believe that the cyber-attack may have provided the attacker with access to certain personal information,” the organization told the potentially impacted individuals.Potentially compromised information includes names, dates of birth, home addresses, phone numbers, email addresses, government ID, Social Security numbers, health insurance information, and medical information.“Upon discovery of the phishing attack, we acted swiftly to disable the impacted email account, reset and reimaged the user’s device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming emails,” DHS said.The health agency is providing the potentially impacted individuals with one year of free identity monitoring services.It is unclear how many individuals might have been affected by the data breach and whether the incident is related to a February 2024 data breach the Los Angeles County DHS revealed in April.The previously disclosed incident occurred between February 19 and February 20, after hackers accessed the email accounts of 23 DHS employees, compromising the personal information of 6,085 individuals. The LA County’s Department of Public Health (DPH) and Department of Mental Health were also affected.SecurityWeek has emailed the LA County DHS for additional information on the incident and will update this article as soon as a reply arrives.