Louisiana Corrections Department Suffers Third-Party Data Breach, 85K Impacted

November 09, 2022 - The Louisiana Department of Public Safety and Corrections reported a third-party data breach that impacted 85,466 inmates who received offsite medical care during their incarceration between January 2013 and July 2022.

The breach originated at CorrectCare, a third-party health administrator under contract with the department to process medical claims. On July 6, CorrectCare discovered that two file directories containing protected health information (PHI) were “inadvertently exposed to the public internet.”

The file directories contained names, dates of birth, Social Security numbers, DOC IDs, and diagnosis codes. The breach did not impact the department’s EHR system.

“Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure and secured the server in less than nine hours,” the department explained.

“CorrectCare also promptly engaged a third-party cybersecurity firm to conduct an investigation to analyze the nature and scope of the incident.”

The department said it was working with CorrectCare to implement additional PHI safeguards.

USV Optical Experiences Unauthorized Network Access

U.S. Vision subsidiary USV Optical notified individuals of unauthorized network activity that could have impacted patient PHI. U.S. Vision first discovered the incident in May 2021 and said it immediately began working with third-party specialists to investigate.

“That investigation is ongoing. However, the investigation determined that records related to certain customers and employees may have been viewed and/or taken by an unauthorized individual as a result of this incident,” the notice stated.

“Therefore, U.S. Vision is notifying potentially impacted individuals that their information may have been at risk.”

The impacted information potentially included names, eyecare insurance information, addresses, dates of birth, and “other individual identifiers.”

U.S. Vision said it had no evidence of identity theft or fraud relating to the incident.

Phoenix Programs of Florida Suffers Email Breach

Phoenix Programs of Florida, also known as Phoenix House Florida, discovered that an unauthorized party had accessed certain employee email accounts at various times between July 2021 and November 2021.

Phoenix House Florida notified 6,594 that their information may have been involved in the incident. However, the outpatient addiction treatment center said it had no indication that the unauthorized party actually viewed or acquired any personal information.

The information on the accounts included Social Security numbers, names, driver’s license numbers, dates of birth, credit card information, and medical information.

“Phoenix House Florida takes the security of individuals’ personal information very seriously and apologizes for any inconvenience or concern this incident might cause,” the notice concluded.