Letter – Non‑HIPAA


Reference Number 22-01

CDCR had a recent problem with a computer system.  It may have involved access to information about inmates, parolees, and those discharged from CDCR custody since 2008.   We do not know if anyone looked at or copied any information, but we want you to know that this happened.

What Happened

This was a computer system that allows the California Department of Corrections and Rehabilitation (CDCR) to share data with certain people outside CDCR.  Each set of information is protected with a specific password.  Those allowed to get your information must have that password.   

In January 2022 during routine maintenance, CDCR discovered some suspicious activity on that system dating back to December 2021.  CDCR immediately shut down that system.  CDCR then began a multi-agency investigation into whether an unauthorized user had looked at or copied any of the information on the system before it was shut off.  In late June, 2022, that investigation revealed someone without permission did get into the system.  Fortunately, there was no sign that anyone copied your information.   

Even though it appears no one copied your information, it is possible that someone may have looked at your information while in the system.  Because of this CDCR must let you know this happened.  We are doing this so you can do what you need to do to protect your information.

What Information Was Involved

The information, which dated back to 2008, included inmate names, CDCR numbers, dates of birth, social security numbers, driver’s license numbers/California ID card numbers, and inmate trust account information.  Because this information could be used by an identity thief, CDCR is providing this information.  

What We Are Doing

We take this matter very seriously and regret that this happened. We want to assure you that we have changed our procedures and practices to limit the risk this will happen again.  That computer system is no longer being used.  CDCR is using a new system with more security controls.

What You Can Do

Because personal information was on the computer system, we recommend that anyone whose information was on this system place a fraud alert on their credit files and order copies of their credit reports by following the recommended privacy protection steps outlined in the “Breach Help –Consumer Tips from the California Attorney General,” which is also posted with this notice.  Those whose information was on the system  should also check their credit reports for any accounts they do not recognize. If they find anything suspicious, follow the instructions found in step four of “Breach Help –Consumer Tips from the California Attorney General.”

The three major credit reporting bureaus and contact information is below:

  • Experian 1-888-397-3742 or send a letter to:
    • Experian, P.O. Box 9554, Allen, TX 75013
  • Equifax 1-800-525-6285 or send a letter to:
    • Equifax, P.O. box 740256, Atlanta, GA 30374
  • TransUnion I-800-680-7289 or send a letter to:
    • Transunion, P.O. Box 2000, Chester, PA 19016

Other Important Information

For further information on how to protect yourself, please refer to the “Breach Help –Consumer Tips from the California Attorney General.”

For More Information

For information about privacy protection steps, you may visit the website of the California Department of Justice, Privacy Enforcement and Protection.

Agency Contact

If you have additional questions about this incident, please call toll free 1-888-661-2467 and reference incident number 22-01.  You will not be charged for calling this number from phones in your housing unit.  You may also send a letter to:

California Department of Corrections and Rehabilitation

Office of Legal Affairs

Attention: Privacy Office

PO Box 942883

Sacramento, CA 94283-0001