CorrectCare lawsuit reaches settlement over data breach

The Kentucky-based healthcare administration organization recently agreed to settle a lawsuit regarding a data breach for $6.49 million.

 

What happened

According to CorrectCare's web notification, the organization discovered on July 6th, 2022 that “two file directories on CorrectCare web server had been inadvertently exposed to the public internet.” The files contained protected health information of certain incarcerated individuals in a California correctional facility.

Upon discovering the data exposure, CorrectCare immediately began securing the servers, which took less than nine hours. They also investigated with an outside cybersecurity firm. 

The investigation was completed between September 1st, 2022 and October 5th, 2022. Individuals who received medical care from California Correctional Health Care Services (CCHCS) between January 1st, 2012 and July 6th, 2022 were among those whose data may have been leaked. Data was likely exposed beginning as early as January 22, 2022, allowing for potential unauthorized access.

The information in the leak included names, dates of birth, Social Security numbers, CDCR ID numbers, and some health information. 

It’s estimated the breach impacted approximately 600,000 individuals and was not reported until November 2022.  

CorrectCare is a third-party health administrator that helps hospitals and practices access the appropriate medical providers and manage the claims payment process. They’ve provided utilization and claims management for both small and large facilities to help reduce medical costs and improve the quality of care. CorrectCare is also a business associate of California Correctional Health Care Services (CCHCS), which provides health services to incarcerated individuals in California. 

The healthcare administrator faced a data breach back in 2022.

 

What’s next

After the data leak, CorrectCare promised to evaluate its safety and security protocols. The organization said they have now “implemented specific steps to further enhance the security of its systems and further protect the information of its clients and those under its care.” The administrator offered complimentary credit and identity theft monitoring. 

In response, a class action lawsuit was filed by the firm Shub & Johns. The lawsuit claimed that CorrectCare had been negligent in data protection, which resulted in the data leak.  

On September 17th, 2024, a judge granted approval for the final settlement in the United States District Court for the Eastern District of Kentucky.  

 

The big picture

Ultimately, this breach cost CorrectCare $6.49 million in the settlement alone, which doesn’t account for court fees, costs associated with the investigation, and costs associated with amending their security and data protection policies. 

While staying up to date on proper cybersecurity protocols and practices has its own cost, it's far less than the cost of resolving a data leak or breach after it occurs. Organizations can save time, money, and their reputation by having the highest security measures possible.
