
NOTICE OF DATA EXPOSURE

What happened?

 

On July 6, 2022, CorrectCare confirmed that a breach of regulated information occurred when a misconfigured web server led to exposure of patient information contained in two file directories as early as January 22, 2022. The company’s security processes were able to detect and remediate the exposure in less than nine hours upon discovery. The company immediately engaged a third-party cybersecurity firm to conduct a forensic investigation to analyze the nature and scope of the incident. Between September 1, 2022, and October 5, 2022, the investigation determined that more than 438,000 CDCR inmates/patients who received medical care between January 1, 2012 and July 6, 2022 were among those individuals whose data was potentially impacted. CorrectCare cannot confirm that any patients’ personal information was copied from its website or used inappropriately. However, it is notifying the public because protected health information was accessible to an unauthorized person or persons.

 

What information was involved?

 

The patient information contained in the file directories included full name, date of birth, social security number, CDCR number, and limited health information, such as a diagnosis code and/or CPT code. Please note that the patient information stored in these file directories did not include driver’s license numbers, financial account information, or debit or credit card information. While CorrectCare has no reason to believe that any patient’s information has been misused, we are nonetheless notifying all affected patients out of an abundance of caution.

 

When did the breach happen?

 

The exposure was discovered by the company on July 6, 2022, and we successfully remediated it in less than nine hours. Further investigation revealed that patient information contained in these file directories may have been exposed as early as January 22, 2022, and thereby subject to unauthorized access. CorrectCare is working with leading cybersecurity experts and has implemented specific steps to further enhance the security of its systems and further protect the information of its clients and those under their care.

 

Why did CorrectCare have access to my information to begin with?

 

CorrectCare helps manage health care claims on behalf of the CDCR and therefore had authorized access to this information.

 

Does this mean I’m a victim of identity theft?

 

No. At this point in time, we do not have any evidence to believe that any of the information involved in this incident has been used to commit fraud. We wanted to inform those who may have been impacted so that they can take the appropriate steps to protect themselves. If your information was involved in this incident, the best way to protect yourself is to sign up for the complimentary 12-month membership to Experian’s IdentityWorks. Information on how to sign up for the service can be found below.

 

If I’m an incarcerated person, and my information was accessed, what should I do?

 

If you are an incarcerated individual and your information was involved in this incident, keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to take advantage of the complimentary 12-month membership of Experian’s IdentityWorks. To enroll in this service, please follow the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by 2/28/23. This product provides you with superior identity detection and resolution of identity theft.

 

[Please note: your Correctional Counselor and other institutional staff do not have information on this issue. We strongly encourage you to use the resources below.]

 

If I am no longer an incarcerated person and my information was accessed, what should I do?

 

If you are no longer an incarcerated individual, but were previously incarcerated at one of the affected facilities, you should keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to enroll in the complimentary 12-month membership of Experian’s IdentityWorks by following the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by 2/28/23.

 

What are we doing?

 

CorrectCare takes the protection of your personal information seriously, and we have taken and will continue to take steps to prevent a similar occurrence. CorrectCare has been working with CDCR and outside cybersecurity experts and has implemented specific steps to safeguard against future exposure of PHI.

 

In addition, to address any concerns and mitigate any exposure or risk of harm following this incident, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorks to any individuals whose information was involved in this incident.

 

What can you do?

 

Although CorrectCare is not aware of any instances of misuse of any patient information, we recommend all individuals impacted by this incident take advantage of the complimentary identity protection services being offered using the instructions below. We also encourage you to remain vigilant and review the enclosed Information about Identity Theft Protection outlining additional steps you can take to protect your information.

 

For More Information

 

Visit https://oag.ca.gov/privacy (California Office of the Attorney General)

Any individual who believes their data may have been exposed is encouraged to enroll in Experian’s IdentityWorks℠ by visiting experianidworks.com/plus (use Activation Code YJWF423PWC) or, for additional information, by calling toll-free 844-700-1314 (reference Engagement Number B079693 and Activation Code YJWF423PWC), Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays).

 

If you have additional questions regarding this incident, you may also write to:

CorrectCare Privacy Office
PO Box 1178
Montebello, CA 90640 

STEPS YOU CAN TAKE TO HELP PROTECT YOUR PERSONAL INFORMATION

 

Enroll in Credit Monitoring

 

To help protect your identity, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorks℠. This product provides you with superior identity detection and resolution of identity theft. To activate your membership and start monitoring your personal information, please follow the steps below:

 

  • Ensure that you enroll by February 28, 2023 (Your code will not work after this date.)

  • Visit the Experian IdentityWorks website to enroll: experianidworks.com/plus

  • Provide your activation code: YJWF423PWC

 

If you have questions about the product, need assistance with Identity Restoration that arose as a result of this incident, or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at 844-700-1314 by February 28, 2023. Be prepared to provide engagement number B079693 and Activation Code YJWF423PWC as proof of eligibility for the Identity Restoration services by Experian.

 

ADDITIONAL DETAILS REGARDING YOUR 12-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP

             

A credit card is not required for enrollment in Experian IdentityWorks.

 

You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks: 

 

  • Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.*

  • Credit Monitoring: Actively monitors Experian file for indicators of fraud.

  • Dark Web Monitoring

  • Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit-related fraud.

  • Experian IdentityWorks ExtendCARE™: You receive the same high level of Identity Restoration support even after your Experian IdentityWorks membership has expired.

  • $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.

 

If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent at 844-700-1314 (reference Engagement Number B079693 and Activation Code YJWF423PWC). If, after discussing your situation with an agent, it is determined that identity restoration support is needed, then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

 

Please note that Identity Restoration is available to you for 12 months from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.

CorrectCare Substitute Web Notice

The following is intended to provide a Notice of Data Breach for those interested in the specifics of this cybersecurity incident experienced by CorrectCare Integrated Health (CorrectCare).

What happened?

On July 6, 2022, CorrectCare, a third-party health administrator under contract with Health Net Federal Services (HNFS), a business associate of CCHCS/CDCR, discovered that two file directories on CorrectCare’s web server had been inadvertently exposed to the public internet. The file directories contained protected health information (PHI) of certain individuals who were incarcerated at a CDCR (California Department of Corrections and Rehabilitation) facility. Upon discovering the data exposure, CorrectCare immediately took the steps necessary to remediate the exposure, securing the server in less than nine (9) hours. CorrectCare subsequently engaged a third-party cybersecurity firm to conduct a forensic investigation to analyze the nature and scope of the incident. On October 5, 2022, the investigation determined that patients who received medical care between January 1, 2012 and July 6, 2022 were among those whose data was potentially affected. The investigation later revealed that a misconfigured web server led to the exposure of patient information contained in those file directories since January 22, 2022, and that the information was therefore subject to unauthorized access.

What information was involved?

The patient information contained in the file directories included full name, date of birth, social security number, CDCR number, and limited health information, such as a diagnosis code and/or CPT code. Please note that the patient information in these files did not include driver’s license numbers, financial account information, or debit or credit card information. Although CorrectCare has no reason to believe that any patient’s information has been misused, we are nonetheless notifying all affected patients out of an abundance of caution.

What are we doing?

CorrectCare takes the protection of your personal data very seriously, and we have taken and will continue to take the steps necessary to prevent a similar occurrence. Upon discovering the incident, CorrectCare, with the help of leading cybersecurity experts, has done everything necessary to further increase the security of its systems in order to protect the information of its clients and of those in their custody.

In addition, to address any concerns and mitigate any exposure or risk of harm resulting from this incident, CorrectCare is offering any person whose information was involved in this incident a complimentary 12-month membership to Experian’s IdentityWorks.

 

Why did CorrectCare have access to my information to begin with?

CorrectCare has a Business Associate Agreement (BAA) with Health Net Federal Services and assists in managing health care claims on behalf of CCHCS/CDCR, a covered entity, and therefore has access to this personal health information.

Does this mean I’m a victim of identity theft?

No. At this time, we have no evidence to suggest that any of the information involved in this incident has been used to commit fraud. We wanted to inform those who have been affected so that they can take the appropriate steps to protect themselves. If your information is part of this incident, the best way to protect yourself is to sign up for the complimentary 12-month membership to Experian’s IdentityWorks. Information on how to sign up for the service can be found below.

If I am incarcerated and my information was accessed, what should I do?

If you are incarcerated and your information was involved in this incident, keep a copy of this notice for your records in case of future problems with your financial or medical records. We encourage you to take advantage of the complimentary 12-month membership to Experian’s IdentityWorks. To enroll in this service, follow the instructions in “Steps to Protect Your Personal Information” below by February 28, 2023. This product provides you with superior identity theft detection and resolution.

[Please note: your Correctional Counselor and other staff members do not have information on this matter. We strongly encourage you to use the resources listed below.]

If I am no longer incarcerated and my information was accessed, what should I do?

If you are no longer incarcerated, but were incarcerated and received medical care while at one of the CDCR prisons between January 1, 2012 and July 6, 2022, you should keep a copy of this notice for your records in case of future problems with your financial and medical records. To enroll in this service, follow the instructions in “Steps to Protect Your Personal Information” below by February 28, 2023. This product provides you with superior identity theft detection and resolution.

What you can do

Although CorrectCare is not aware of any misuse of any patient’s information, we recommend that all individuals affected by this incident take advantage of the complimentary identity protection services offered below, using the instructions provided there. We also recommend that you remain vigilant and review the included information about Identity Theft Protection, which describes additional steps you can take to protect your information.

For more information

We sincerely regret any inconvenience or concern this incident may have caused you, and we remain dedicated to ensuring the privacy and security of all information under our control. If you have any other questions or concerns, or if you would like an alternative to enrolling online, please call toll-free 844-700-1314 (reference number B079693 and code YJWF423PWC) Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding U.S. holidays), or you may write to CorrectCare Privacy Office, PO Box 1178, Montebello, CA 90640. Please help us by including your number B079693.
