Uncategorized

Letter – Staff/Stakeholders – EE HIPAA

NOTICE OF DATA BREACH

Reference Number 22-01

We are contacting you because of a recent security incident that may have involved access to your personal information.  Although we are unaware of any actual access to, or misuse of, your information, we are providing notice to you about the incident because we determined that your records are among those that are impacted.

What Happened

A security event occurred in a file-sharing platform operated by the California Department of Corrections and Rehabilitation (CDCR). Access to the file-sharing platform is password protected with each authorized user having their own unique password to open, view, and download files. 

In January 2022, during routine maintenance, CDCR discovered some suspicious activity on the platform dating back to December 2021. CDCR immediately shut down that file-sharing platform and launched an extensive, multi-agency law enforcement investigation into whether an unauthorized user had accessed any data on the platform before it was shut down. That investigation was completed on June 22, 2022, and revealed an unauthorized user did access the system. Fortunately, that investigation revealed no evidence that any data was copied, downloaded, or otherwise acquired. 

While CDCR does not believe your data was acquired, it is possible that someone viewed your information while in the system.  Because of that, CDCR is required to notify you of the security event so you may take precautions to protect your information.

What Information Was Involved

The information was limited to your name, personal address, telephone number, email, date of birth, and COVID-19 testing results.  It did not contain any other information, such as Social Security number, Driver’s License number, or financial account numbers which could expose you to identity theft. Nonetheless, we felt it necessary to inform you since your medical information and other personal information was involved.

What We Are Doing

We take this matter very seriously and regret that this incident occurred. We want to assure you that we have reviewed and revised our procedures and practices to minimize the risk of recurrence. The affected platform is no longer in use. CDCR is utilizing a new system with greater security controls and protocols.

What You Can Do

Keep a copy of this notice for your records in case of future problems with your medical records. You may also want to request a copy of your medical records from your provider to serve as a baseline.

Because personal information was on the platform, we recommend that you place a fraud alert on your credit files and order copies of your credit reports by following the recommended privacy protection steps outlined in the enclosure. Check your credit reports for any accounts or medical bills that you do not recognize. If you find anything suspicious, follow the instructions found in step four of the enclosure.

The three major credit reporting bureaus and contact information is below:

Experian 1-888-397-3742 or https://www.experian.com/fraud/center.html

Equifax 1-800-525-6285 or https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

TransUnion I-800-680-7289 or https://www.transunion.com/fraud-alerts

Other Important Information

For further information on how to protect yourself, please refer to the enclosure, “Breach Help –Consumer Tips from the California Attorney General.”

For More Information

For information about privacy protection steps and your medical privacy rights,you may visit the website of the California Department of Justice, Privacy Enforcement and Protection at www.oag.ca.gov/privacy.

Agency Contact

If you have additional questions about this incident, please call toll free 1-888-661-2471, or email us at SFTPInquiries@cdcr.ca.gov, and include the reference number 22-01.  Please do not include your Social Security number or medical information.  You may also send correspondence to:

California Department of Corrections and Rehabilitation

Office of Legal Affairs

Attention: Privacy Office

PO Box 942883

Sacramento, CA 94283-0001

Sincerely,

KATHLEEN ALLISON

Secretary