CA Department of Corrections Suffers Healthcare Data Breach

August 24, 2022 - The California Department of Corrections and Rehabilitation (CDCR) discovered a potential healthcare data breach following routine maintenance on its information systems, a notice on its website stated. There is currently no evidence that the data was exfiltrated or viewed, but CDCR was unable to rule out the possibility.

The IT team first discovered the breach in January 2022 but was unable to determine the exact date that the breach began. However, CDCR observed suspicious activity in a file transfer system dating back to December 2021.

The incident potentially included medical information about anyone tested for COVID-19 by the department from June 2020 through January 2022, including “staff, visitors, and others.”

The data breach did not involve the COVID-19 testing information of incarcerated individuals, but other information pertaining to incarcerated individuals was involved. 

“The breach also potentially included mental health information for the incarcerated population in the Mental Health Services Delivery System going as far back as 2008,” the notice explained.

“At this time and as a result of our forensic analysis, CDCR does not have any collaborating evidence which suggests the data exposed has been compromised or misused.”

For those whose COVID-19 testing data was potentially exposed, the information included names, addresses, birth dates, phone numbers, emails, and COVID-19 test results. For currently and formerly incarcerated individuals, the breach potentially impacted names, CDCR numbers, mental health treatment and history, and mental health diagnosis information.

Additionally, some information in the Trust, Restitution, Accounting, and Canteen System (TRACS) and information about people on parole who are in substance use disorder treatment programs may have also been involved.

“Based on the investigation that was conducted following the discovery of the data breach, it appears none of the information has been used and CDCR is not aware of any information being viewed or copied by an unauthorized user,” CDCR stressed.

“However, we value transparency, and out of an abundance of caution, are communicating with those who were potentially impacted.”

Interoperability Solutions Vendor Notifies 96K of Data Breach

Onyx Technology, which provides interoperability products and services to providers, payers, and government entities, disclosed a data breach that impacted 96,814 individuals. The breach impacted one of Onyx’s clients, Independent Care Health Plan (iCare).

On June 28, Onyx discovered an attack on its computer systems. Further investigation revealed that a server was potentially removed or accessed beginning on March 28 and ending on June 28. The notice did not specify an outage, but it did not that Onyx “regained access to its systems on July 7,” more than a week after discovering the incident.  

The data impacted by the breach included names, birth dates, addresses, iCare member ID numbers, dates of service, phone numbers, Medicare ID numbers, and provider names.

“We do not think that information has been misused because of this event,” the notice explained. “We are giving individuals things they can do to protect their information.”

Onyx provided impacted individuals with two years of credit monitoring and encouraged individuals to review account statements and explanation of benefits forms.