The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Department of Corrections and Rehabilitation Hack Exposed Sensitive Data

The California Department of Corrections and Rehabilitation (CDCR) has recently discovered that unauthorized individuals have gained access to one of its information systems. The compromised system contained medical information on all individuals who had been tested for COVID-19 between June 2020 and January 2022, including staff members, visitors, and other individuals, although not inmates. The information related to COVID-19 tests included name, personal address, telephone number, email, date of birth, and COVID-19 testing results.

Files on the system also included the mental health information of inmates in the Mental Health Services Delivery System dating back to 2008, as well as the information of individuals on parole who were in substance use disorder treatment programs. Some of the exposed data included Social Security Numbers, driver’s license numbers, and trust account information.

The data of inmates included name, CDCR number, mental health treatment, mental health history, and mental health diagnosis. Information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved; this includes transaction records made by CDCR to and from trust accounts since 2008, along with some trust account numbers.

CDCR said the data breach was discovered during routine maintenance. The investigation did not confirm when the system was first compromised; however, suspicious activity was identified in a file transfer system dating back to December 2021. CDCR was unable to confirm whether any specific information had been accessed or exfiltrated and said no corroborating evidence was found to suggest any exposed data had been compromised or misused.

CDCR said procedures and practices have been updated to limit the potential for further breaches and the affected computer system is no longer being used. A replacement computer system has been implemented with more security controls.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 236,000 individuals.

Lamoille Health Partners Hit with Ransomware Attack

Lamoille Health Partners in Vermont has recently confirmed that it was the victim of a ransomware attack on June 13, 2022. Prompt action was taken to prevent further unauthorized access to its systems and a third-party digital forensics firm was engaged to assist with the investigation. Lamoille Health Partners said it was possible to securely restore the encrypted files from backups so no ransom was paid; however, the forensic investigation confirmed that the attackers had access to its systems between June 12, 2022, and June 13, 2022, and during that time it is possible that documents containing patients’ protected health information may have been accessed or acquired.

On June 24, 2022, Lamoille Health Partners determined that the documents that may have been accessed included patient information such as names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. 59,381 individuals have been notified that their protected health information was exposed. Complimentary identity protection and credit monitoring services have been offered to individuals who had Social Security numbers exposed.

Update April 3, 2024: A $540,000 settlement has been proposed to resolve all claims made in the class action lawsuit that was filed in response to the data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
