Hackers may have stolen more than a decade’s worth of mental health records of current and former California prison inmates, the state Department of Corrections and Rehabilitation says.
Letters from the department downplay the scope of the incident by saying that it appears whoever attained unauthorized access to prison systems doesn’t appear to have copied any information.
Forensic analysis did not turn up evidence suggesting the data exposed has been compromised or misused, the prison system says in a statement.
“It is possible that someone may have looked at your information while in the system,” says the department’s notification letters. Also potentially involved are records of parolees in substance use disorder treatment programs.
The incident potentially affects 236,000 people, a number that also includes staff and visitors tested between June 2020 and January 2022 by state prisons for the novel coronavirus. Virus test information for incarcerated individuals was not among the data compromised, CDCR says.
The department says it first discovered last January suspicious activity in a file transfer system that first appeared in December 2021.
In late June, an investigation into the suspicious activity revealed “someone or something entered” the affected IT system without permission, CDCR says.
The Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows that the department on Aug. 22 reported the breach to HHS’ Office for Civil Rights as a hacking/IT incident.
CDCR did not immediately respond to Information Security Media Group’s request for additional details about the breach, including the breakdown between the number of people affected by the COVID-19 testing information compromise versus the number affected by the mental health and substance abuse records intrusion.
California says the breach affects the incarcerated population by potentially exposing their names, prison numbers, mental health treatment, mental health history and mental health diagnosis.
Information in the prison system’s Trust, Restitution, Accounting, and Canteen System, which contains restitution payment records, was also potentially compromised. This information includes records of transactions made to and from trust accounts since 2008, as well as some trust account numbers, CDCR says.
For prison staff, visitors and other non-incarcerated individuals, information affected by the incident includes name, personal address, telephone number, email address, date of birth, and novel coronavirus testing results.
CDCR says the affected data was contained in the compromised file-sharing system because the entity “has a responsibility to file relevant information on how the department operates” with outside entities ranging from attorneys to federal court monitors.
The information is placed in the system in a password-protected folder, CDCR says. “Each password can only open that one folder. Only someone with the correct password is able to open that folder, look at information in it, and make a copy to place on their own computer system,” CDCR says.
Following the incident, CDCR also says it has reviewed and revised its procedures and practices to minimize the risk of recurrence. “The affected platform is no longer in use. CDCR is utilizing a new system with greater security controls and protocols,” the statement says.
CDCR says it does not have information on the party or parties responsible for the breach.
Regulatory attorney Rachel Rose says the breach raises various concerns.
Mental health records and substance abuse treatment carry the potential for blackmail or residual harm in the future, she says.
Also concerning is that the incident affected correctional employees, she says. “With the heightened focus on law enforcement and judicial security, having names of individuals who work in correctional facilities out on the web is problematic.”
The HHS OCR website shows that the CDCR incident is by far the largest of only three major HIPAA breaches reported to the federal agency since 2009 by a state correctional facility.
The other two such breaches were both unauthorized access/disclosure incidents. They were reported by the Wisconsin Department of Corrections in July 2020 and August 2019, respectively, and affected 1,853 and 1,041 individuals, respectively.