The California Department of Corrections and Rehabilitation (CDCR) issued a breach notification this week. Because the notification mentions COVID-19 testing, at first, DataBreaches thought it was the incident CDCR had disclosed last month, but no, it turns out that that was a different incident.
The newly revealed breach affects staff, visitors, and others tested for COVID-19 by the state Department of Corrections and Rehabilitation between June 2020 and last January.
The breach was discovered in January 2022 and appears to have involved unauthorized access in December 2021 that potentially affected medical information on everyone who was tested for COVID-19 by the department from June 2020 through January 2022. It did not include COVID testing information for the incarcerated population.
The state indicates that the breach also potentially included mental health information for the incarcerated population in the Mental Health Services Delivery System going as far back as 2008.
CDCR has provided four different notification templates depending on which population was potentially affected and which types of personal or protected information:
- Letter – Currently/Formerly Incarcerated – HIPAA/TABE
- Letter – Currently/Formerly Incarcerated – SUDT HIPAA/TABE
- Letter – Non-HIPAA
- Letter – Staff/Stakeholders – EE HIPAA
For the incarcerated population in the Mental Health Service Delivery System, the information included their name, CDCR number, mental health treatment, mental health history, and mental health diagnosis. Additionally, information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved. This information includes records of transactions made to and from trust accounts since 2008, as well as some trust account numbers.
Information about people on parole who are in substance use disorder treatment programs may have also been involved.
Some of the data included Social Security Numbers, driver’s license numbers, and trust account information. However, the investigation did not reveal any evidence this information was copied or downloaded.
No numbers for the different subgroups have been provided as yet publicly, but at least some of this will likely appear on HHS’s public breach tool.