What happened?

 

On July 6, 2022, CorrectCare Integrated Health (CorrectCare), a third-party health administrator discovered that two file directories on a web server had been inadvertently exposed to the public internet. 
 

The file directories contained protected health information (PHI) of certain individuals from various Covered Entities who were incarcerated and received medical care between specific dates.
 

For a list of the specific Covered Entities and dates of service, please click here.

​

Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure and secured the server in less than nine hours. CorrectCare also promptly engaged a third-party cybersecurity firm to conduct an investigation to analyze the nature and scope of the incident.

 

What information was involved?

 

The patient information contained in the file directories included full name, date of birth, social security number, DOC ID, and limited health information, such as a diagnosis code and/or CPT code. Please note that the patient information stored in these file directories did not include driver’s license numbers, financial account information, or debit or credit card information. While CorrectCare has no reason to believe that any patient’s information has been misused, we are nonetheless notifying all affected patients out of an abundance of caution.

 

When did the breach happen?

 

The exposure was discovered by the company on July 6, 2022, and we successfully remediated it in less than nine hours. Further investigation revealed that patient information contained in these file directories may have been exposed as early as January 22, 2022, and thereby subject to unauthorized access. CorrectCare is working with leading cybersecurity experts and has implemented specific steps to further enhance the security of its systems and further protect the information of its clients and those under their care.

 

Why did CorrectCare have access to my information to begin with?

 

CorrectCare helps manage health care claims on behalf of these Covered Entities and therefore had authorized access to this information.

 

Does this mean I’m a victim of identity theft?

 

No. At this point in time, we do not have any evidence to believe that any of the information involved in this incident has been used to commit fraud. We wanted to inform those that may have been impacted so that they can take the appropriate steps to protect themselves. If your information was involved in this incident, the best way to protect yourself is to sign up for the complimentary 12-month membership to Experian’s IdentityWorks.  Information for how to sign up for the service can be found below.

 

If I’m an incarcerated person, and my information was accessed, what should I do?

 

If you are an incarcerated individual and your information was involved in this incident, keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to take advantage of the complimentary 12-month membership of Experian’s IdentityWorks. To enroll in this service, please follow the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by February 28, 2023. This product provides you with superior identity detection and resolution of identity theft.

 

[Please note: your Correctional Counselor and other institutional staff do not have information on this issue. We strongly encourage you to use the resources below.]

 

If I am no longer an incarcerated person and my information was accessed, what should I do?

 

If you are no longer an incarcerated individual but were previously incarcerated at one of the affected facilities, you should keep a copy of this notice for your records in case of future problems with your medical or financial records. We encourage you to enroll in the complimentary 12-month membership of Experian’s IdentityWorks by following the instructions in the “Steps You Can Take to Help Protect Your Personal Information” below by February 28, 2023.

 

What are we doing?

 

CorrectCare takes the protection of your personal information seriously and we have taken and will continue to take steps to prevent a similar occurrence. CorrectCare has been working with each Covered Entity and outside cybersecurity experts and has implemented specific steps to safeguard against future exposure of PHI.

 

In addition, to address any concerns and mitigate any exposure or risk of harm following this incident, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorks to any individuals whose information was involved in this incident.

 

What you can do?

 

Although CorrectCare is not aware of any instances of misuse of any patient information, we recommend all individuals impacted by this incident take advantage of the complimentary identity protection services being offered using the instructions below. We also encourage you to remain vigilant and review the enclosed Information about Identity Theft Protection outlining additional steps you can take to protect your information.

 

For More Information

 

We sincerely regret any inconvenience or concern that this Incident may cause you, and we remain dedicated to ensuring the privacy and security of all information in our control.  If you have further questions or concerns, or would like an alternative to enrolling online, please call toll-free (844) 700-1314 from 11:00 AM – 7:00 PM CST Monday-Friday (reference Engagement Number B079693 and Activation Code YJWF423PWC).