California Department of Corrections reaches $1.8M settlement
Abby Grifno
Feb 10, 2025 5:04:07 PM

The breach impacted staff, visitors, and others, resulting in a large class action lawsuit.
What happened
In early 2022, the California Department of Corrections and Rehabilitation (CDCR) discovered what it called a “potential data breach” following maintenance on its information systems.
The potential breach impacted individuals who had been tested for COVID-19 by the department between June 2020 and January 2022. It included a variety of individuals, like staff, visitors, and others who may have needed to be tested by the department during that time. Incarcerated individuals were not included. Impacted information may have included names, personal addresses, telephone numbers, emails, dates of birth, and COVID-19 testing results.
Going deeper
According to a notice published by the CDCR, the breach may have also included mental health information since 2008 for incarcerated individuals in the Mental Health Services Delivery System. The information involved varied, but for these individuals it may have included treatment history and diagnosis. It did not include other private information like Social Security numbers or financial account numbers.
CDCR says they do not have any “collaborating evidence which suggests the data exposed has been compromised or misused.”
CDCR reported the breach to the HHS’ Office for Civil Rights, including the numbers of individuals whose protected health information may have been involved. It’s estimated that 236,000 individuals were impacted, but others were likely impacted even if their protected health information was not involved.
What’s new
Since then, a lawsuit, Thomas, et al. v. California Department of Corrections and Rehabilitation, et al., has been filed, alleging CDCR had insufficient safeguards that led to the breach.
CDCR agreed to settle the case without admitting any wrongdoing or liability. Instead, its stance is that continued litigation would be costly and risky. CDCR agreed to pay $1.8 million.
Under the settlement, the settlement fund, minus any expenses, will be divided equally among the class members. Claims must be submitted by February 14th. A final approval hearing is scheduled for March 7th, 2025.
The big picture
Ultimately, the incident and subsequent lawsuit show the value individuals place on their private data. Even though the settlement will provide some relief for victims, it doesn’t mitigate the fact that their data may now be on the dark web, opening individuals up to fraud or identity theft. The incident also shows that some facilities, particularly correctional ones, may have data on individuals even if they are not inmates. Nevertheless, large settlements like this can encourage facilities to carefully monitor their IT environment and implement additional safeguards to protect data of inmates, visitors, and staff.