From the FAQ (both the FAQ and HTML version have occasional errors and label certain dates 2023 when they were 2022):
1. What happened?
On December 23, 2022, the California Secretary of State (SOS) was notified by a researcher that the records they were provided to view contained records not older than 75 years. Pursuant to Government Code section 12237, all records 75 years and older within Archives are public. Records given to the researcher to view pertained to the State’s forced sterilization program that was conducted in California during the time period of 1908-1979. The records were provided to the researcher on December 19, 2023 (onsite) and December 22, 2023 (via secure digital transfer) and viewed on December 23, 2023. When the inadvertent disclosure of records dated from 1948-1952 was discovered by the researcher, the researcher confirmed they did not view the materials in detail and indicated the PDF copy of the roll of transferred microfilm provided to them for viewing had a mislabeled date range. Our subsequent review of the materials less than 75 years old determined that the documents contained personally identifiable information and medical information. Once the mistake was discovered, the researcher confirmed to SOS that upon recognizing the age of the records, they notified Archives staff immediately, and deleted any material from their computer.
2. When did it happen? (Why didn’t you notify me sooner?)
The incident occurred on December 19, 2023 (onsite) and on December 22, 2022 (via secure electronic transfer). The SOS was notified immediately by the researcher when it was discovered. The SOS has been working swiftly to pull, screen, and redact the records; however, due to the historical nature of the documents, aging microfilm, and the complexity of information contained within the records, screening and identification of individuals has taken time.
3. Why did you have my personal information?
Historical records are sent to the Secretary of State’s office by state agencies and pursuant to Government Code section 12237 are available to be viewed by the public after 75 years.
4. What specific items of my personal information were involved?
• Patient first and last names
• Family member first and last names
• Dates of Birth for some individuals
• Familial history and familial medical history
• Medical information such as diagnosis, dates of operations, dates of sterilization and other unrelated medical history5. What are you doing about the breach? How will you prevent this from happening in the future?
SOS investigated the incident and has pulled the impacted records from public access while a detailed review of the records is being conducted. SOS confirmed with the researcher that all affected materials have been deleted. SOS has removed the researcher’s electronic access to the records transferred electronically. After pulling the records, screening, and redacting the materials, the SOS believes it is unlikely that there will be any further unauthorized disclosure.
At this time, SOS has no evidence that there has been any use or attempted use of the information compromised by this incident. SOS is providing this notice so that those individuals potentially affected may be aware of what happened and can take the necessary steps to monitor any unusual activity regarding their personal information.
Due to the age of the records, SOS is notifying any affected individuals via this Privacy Incident Notice of the potential that Personally Identifiable Information (PII) may have been compromised.
Read the remainder of the FAQ at https://archives.cdn.sos.ca.gov/pdf/privacy-incident-faqs-003-final.pdf or https://www.sos.ca.gov/notice-privacy-incident-historical-health-records