NOTICE OF DATA EXPOSURE
On July 6, 2022, CorrectCare Integrated Health (CorrectCare), a third-party health administrator discovered that two file directories on a web server had been inadvertently exposed to the public internet.
The file directories contained protected health information (PHI) of certain individuals from various Covered Entities who were incarcerated and received medical care between specific dates.
For a list of the specific Covered Entities and dates of service, please click here.
Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure and secured the server in less than nine hours. CorrectCare also promptly engaged a third-party cybersecurity firm to conduct an investigation to analyze the nature and scope of the incident.
What information was involved?
The patient information contained in the file directories included full name, date of birth, social security number, DOC ID, and limited health information, such as a diagnosis code and/or CPT code. Please note that the patient information stored in these file directories did not include driver’s license numbers, financial account information, or debit or credit card information. While CorrectCare has no reason to believe that any patient’s information has been misused, we are nonetheless notifying all affected patients out of an abundance of caution.
When did the breach happen?
The exposure was discovered by the company on July 6, 2022, and we successfully remediated it in less than nine hours. Further investigation revealed that patient information contained in these file directories may have been exposed as early as January 22, 2022, and thereby subject to unauthorized access. CorrectCare is working with leading cybersecurity experts and has implemented specific steps to further enhance the security of its systems and further protect the information of its clients and those under their care.
Why did CorrectCare have access to my information to begin with?
CorrectCare helps manage health care claims on behalf of these Covered Entities and therefore had authorized access to this information.
Does this mean I’m a victim of identity theft?
No. At this point in time, we do not have any evidence to believe that any of the information involved in this incident has been used to commit fraud. We wanted to inform those that may have been impacted so that they can take the appropriate steps to protect themselves. If your information was involved in this incident, the best way to protect yourself is to sign up for the complimentary 12-month membership to Experian’s IdentityWorks. Information for how to sign up for the service can be found below.
If I’m an incarcerated person, and my information was accessed, what should I do?
If you are an incarcerated individual and your information was involved in this incident, keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to take advantage of the complimentary 12-month membership of Experian’s IdentityWorks. To enroll in this service, please follow the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by February 28, 2023. This product provides you with superior identity detection and resolution of identity theft.
[Please note: your Correctional Counselor and other institutional staff do not have information on this issue. We strongly encourage you to use the resources below.]
If I am no longer an incarcerated person and my information was accessed, what should I do?
If you are no longer an incarcerated individual but were previously incarcerated at one of the affected facilities, you should keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to enroll in the complimentary 12-month membership of Experian’s IdentityWorks by following the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by February 28, 2023.
What are we doing?
CorrectCare takes the protection of your personal information seriously and we have taken and will continue to take steps to prevent a similar occurrence. CorrectCare has been working with each Covered Entity and outside cybersecurity experts and has implemented specific steps to safeguard against future exposure of PHI.
In addition, to address any concerns and mitigate any exposure or risk of harm following this incident, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorks to any individuals whose information was involved in this incident.
What you can do?
Although CorrectCare is not aware of any instances of misuse of any patient information, we recommend all individuals impacted by this incident take advantage of the complimentary identity protection services being offered using the instructions below. We also encourage you to remain vigilant and review the enclosed Information about Identity Theft Protection outlining additional steps you can take to protect your information.
For More Information
We sincerely regret any inconvenience or concern that this Incident may cause you, and we remain dedicated to ensuring the privacy and security of all information in our control. If you have further questions or concerns, or would like an alternative to enrolling online, please call toll-free (844) 700-1314 from 11:00 AM – 7:00 PM CST Monday-Friday (reference Engagement Number B079693 and Activation Code YJWF423PWC).
STEPS YOU CAN TAKE TO HELP PROTECT YOUR PERSONAL INFORMATION
Enroll in Credit Monitoring
To help protect your identity, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorksSM . This product provides you with superior identity detection and resolution of identity theft. To activate your membership and start monitoring your personal information, please follow the steps below:
Ensure that you enroll by February 28, 2023 (Your code will not work after this date.)
Visit the Experian IdentityWorks website to enroll: experianidworks.com/plus
Provide your activation code: YJWF423PWC
If you have questions about the product, need assistance with Identity Restoration that arose as a result of this incident, or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at 844-700-1314 by February 28, 2023. Be prepared to provide engagement number B079693 and Activation Code YJWF423PWC as proof of eligibility for the Identity Restoration services by Experian.
ADDITIONAL DETAILS REGARDING YOUR 12-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP
A credit card is not required for enrollment in Experian IdentityWorks.
You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:
Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.*
Credit Monitoring: Actively monitors Experian file for indicators of fraud.
Dark Web Monitoring
Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit-related fraud.
Experian IdentityWorks ExtendCARETM: You receive the same high level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
$1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.
If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent at 844-700-1314 (reference Engagement Number B079693 and Activation Code YJWF423PWC). If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).
Please note that Identity Restoration is available to you for 12 months from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.