
Posted On November 3, 2022 Consumer Privacy & Data Breaches

Data Breach Alert: CorrectCare Integrated Health

NOTICE: If you received a NOTICE OF DATA BREACH letter from CorrectCare Integrated Health, contact the attorneys at Console & Associates at (866) 778-5500 to discuss your legal options, or submit a confidential Case Evaluation form here.

On October 31, 2022, CorrectCare Integrated Health filed notice of a data breach with the Office of the California Attorney General after the company learned that it had inadvertently posted sensitive information belonging to individuals incarcerated in the California Department of Corrections and Rehabilitation (“CDCR”) system on the internet. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ full names, dates of birth, Social Security numbers, CDCR numbers, and protected health information. After confirming that consumer data was leaked, CorrectCare began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.

If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the CorrectCare data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from CorrectCare Integrated Health.

What We Know So Far About the CorrectCare Integrated Health Breach

The available information regarding the CorrectCare Integrated Health breach comes from the company’s filing with the California Attorney General’s Office. According to this source, on July 6, 2022, CorrectCare learned that two file directories on the company’s server had been accidentally posted on the internet. In response, CorrectCare took down the directories; however, they were publicly available for a period of about nine hours. Next, CorrectCare began working with a third-party cybersecurity firm to determine the nature and scope of the incident, as well as what information was leaked and whether any of it was accessed by unauthorized parties.

The CorrectCare investigation revealed that patients who received medical care in a CDCR facility between January 1, 2012 and July 6, 2022 were among those whose data was potentially impacted. The investigation also revealed another vulnerability related to a misconfigured web server, which exposed the information contained in these directories as early as January 22, 2022.

Upon discovering that sensitive consumer data was made available to an unauthorized party, CorrectCare Integrated Health began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your full name, date of birth, Social Security number, CDCR number, and protected health information.

On October 31, 2022, CorrectCare Integrated Health sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About CorrectCare Integrated Health

Founded in 2009, CorrectCare Integrated Health is a third-party insurance administrator based in Lexington, Kentucky. The company specializes in providing administrative services to correctional facilities across the United States, helping these facilities meet the inmate population’s medical needs. CorrectCare Integrated Health employs more than 65 people and generates approximately $10 million in annual revenue.

Why Data Breach Victims Must Pay Close Attention to Their Protected Health Information

The CorrectCare data breach leaked a significant amount of information belonging to incarcerated individuals, including their Social Security numbers and protected health information. While there are certain aspects of the CorrectCare breach that make it unique, the fact that it compromised inmates’ protected health information is not among them. Indeed, healthcare data breaches have become extremely common, and more than 2 million victims had their PHI compromised this year alone.

As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is incredibly important for victims of a healthcare data breach to understand what is at risk and what their options are.

The first step is to understand what is meant by “protected health information.” Protected health information, often referred to as PHI for short, is demographic information, medical history information, test and laboratory results, mental health information, insurance information and other data collected by healthcare professionals.

The collection and use of PHI are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, not all healthcare-related data is protected health information. In order for health information to be considered “protected,” it must contain at least one identifier. Under HIPAA, there are 18 different identifiers, including:

  • Name;
  • Address (anything smaller than a state);
  • Social security number;
  • Dates (more specific than just a year) related to an individual, such as a patient’s birthdate, admission date, etc.;
  • Email address;
  • Phone number;
  • Fax number;
  • Medical record number;
  • Health plan beneficiary number;
  • Account number;
  • Certificate or license number;
  • Vehicle identifiers, such as serial numbers and license plate numbers;
  • Device identifiers and serial numbers;
  • Web URL;
  • Internet protocol (IP) address;
  • Biometric IDs, such as a fingerprint or voice print;
  • Full-face photographs and other photos of identifying characteristics; and
  • Any other unique identifying characteristic.

Given the very personal nature of PHI, healthcare data breaches are very concerning. However, aside from the privacy risks, there is also a very real risk of physical and financial harm. Hackers who obtain protected health information may attempt to obtain medical care in a victim’s name or sell the information to another party who plans on doing the same. This not only leaves the victim responsible for the bill but can also lead to misleading and incorrect information being added to their medical records.

If You Have Questions About Your Rights Following the CorrectCare Integrated Health Data Breach, Console & Associates, P.C. Can Help

At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the CorrectCare data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.

To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.

Below is a copy of the initial data breach letter issued by CorrectCare Integrated Health (the actual notice sent to consumers can be found here):

Dear [Redacted],

On July 6, 2022, CorrectCare, a third-party health administrator under contract with the Health Net Federal Services (HNFS), Business Associate of CCHCS/CDCR, discovered that two file directories on the CorrectCare web server had been inadvertently exposed to the public internet. The file directories contained protected health information (PHI) of certain individuals who were incarcerated in a CDCR facility. Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure by securing the server in less than nine (9) hours. Subsequently, CorrectCare engaged a third-party cybersecurity firm to conduct a forensic investigation to analyze the nature and scope of the incident. Between September 1, 2022, and October 5, 2022, the investigation determined that patients who received medical care between January 1, 2012 and July 6, 2022 were among those whose data was potentially impacted. Further investigation revealed that a misconfigured web server led to exposure of patient information contained in these file directories as early as January 22, 2022, and thereby subject to unauthorized access.

What information was involved?

The patient information contained in the file directories included full name, date of birth, social security number, CDCR number, and limited health information, such as a diagnosis code and/or Current Procedure Terminology (CPT) code. Please note that the patient information stored in these file directories did not include driver’s license numbers, financial account information, or debit or credit card information. While CorrectCare has no reason to believe that any patient’s information has been misused, we are nonetheless notifying all affected patients out of an abundance of caution.

What We Are Doing?

CorrectCare takes the protection of your personal information seriously, and we have taken and will continue to take steps to prevent a similar occurrence. Upon discovery of this incident, CorrectCare, with assistance of leading cybersecurity experts, has implemented specific steps to further enhance the security of its systems and further protect the information of its clients and those under its care.

In addition, to address any concerns and mitigate any exposure or risk of harm following this incident, CorrectCare is offering a complimentary 12-month membership of Experian’s IdentityWorks to any individuals whose information was involved in this incident.

Why did CorrectCare have access to my information to begin with?

CorrectCare has a Business Associate Agreement (BAA) with the Health Net Federal Services and helps manage health care claims on behalf of the CCHCS/CDCR, a covered entity, and therefore has authorized access to this personal health information.
