In early 2022, California Department of Corrections and Rehabilitation (CDCR) Information Technology (IT) professionals discovered a potential data breach following routine maintenance on one of our information systems. The breach potentially included medical information on everyone who was tested for COVID-19 by the department from June 2020 through January 2022, including staff, visitors, and others. It did not include COVID-19 testing information for the incarcerated population.
The breach also potentially included mental health information for the incarcerated population in the Mental Health Services Delivery System going as far back as 2008.
At this time, and as a result of our forensic analysis, CDCR has no corroborating evidence that suggests the exposed data has been compromised or misused.
Despite this, CDCR is notifying potentially impacted people out of an abundance of caution so they may take any steps they believe necessary to protect themselves.
- Letter – Currently/Formerly Incarcerated – HIPAA/TABE
- Letter – Currently/Formerly Incarcerated – HIPAA/TABE (Spanish)
- Letter – Currently/Formerly Incarcerated – SUDT HIPAA/TABE
- Letter – Non-HIPAA
- Letter – Staff/Stakeholders – EE HIPAA
When did the data breach happen?
The exact date is not known, but in January 2022, CDCR discovered some suspicious activity in a file transfer system dating back to December 2021. CDCR IT staff took immediate action, suspending the affected system. The department also notified authorities and began a multi-agency investigation.
In late June, that investigation revealed someone or something entered the system without permission. Fortunately, there was no sign that anyone looked at or copied your information.
How was the data breach discovered?
It was discovered during routine maintenance of the information system.
What information was accessed?
At this time, it appears there is no sign of anyone accessing, copying or even looking at the information. However, the information in that file sharing system included medical information from everyone who received a COVID-19 test in the department from June 2020 through January 2022.
For the incarcerated population in the Mental Health Services Delivery System, the information included their name, CDCR number, mental health treatment, mental health history, and mental health diagnosis. Additionally, information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved. This information includes records of transactions made to and from trust accounts since 2008, as well as some trust account numbers.
Information about people on parole who are in substance use disorder treatment programs may have also been involved.
Some of the data included Social Security Numbers, driver’s license numbers, and trust account information. However, the investigation did not reveal any evidence this information was copied or downloaded.
Why was that information in the system to begin with?
CDCR has a responsibility to share relevant information on how the department operates with entities outside CDCR, including federal court monitors and attorneys, contractors who conduct COVID-19 testing for staff, and others. The information is placed in the system in a password-protected folder. Each password can only open that one folder. Only someone with the correct password is able to open that folder, look at the information in it, and copy it to their own computer system. CDCR's use of this system enables large amounts of data to be quickly shared with those who need to receive it in a timely manner. As a result of this incident, CDCR now limits how long information may remain in the system to 30 days, after which it is removed.
What was done with the accessed information?
Based on the investigation that was conducted following the discovery of the data breach, it appears none of the information has been used, and CDCR is not aware of any information being viewed or copied by an unauthorized user. However, we value transparency and, out of an abundance of caution, are communicating with those who were potentially impacted.
Who was responsible?
CDCR does not have information on the party or parties responsible for the breach.
Is it possible more information was accessed than what has been discovered so far?
The problem was limited to this one computer system. CDCR continues to monitor all of its other systems to ensure none were impacted. To date, we have no evidence any were targeted.
Why did it take so long to discover it, and why were impacted people not told sooner?
When the breach was discovered, CDCR immediately shut down the system and initiated a multi-agency law enforcement and forensic investigation to conduct a thorough review of the matter. Until that investigation was concluded, CDCR did not know if any information was seen or copied by an unauthorized user. As soon as CDCR received the investigation report in late June 2022, CDCR chose to notify all impacted parties, despite the fact that CDCR is not aware of any misuse, viewing, or copying of the information by the unauthorized user.
Does this mean I’m a victim of identity theft?
No. The fact that someone may have had access to your information doesn't mean you are a victim of identity theft or that your information will be used to commit fraud. We wanted to let you know about the incident so you can take appropriate steps to protect yourself. The way to protect yourself is to place a fraud alert on your credit files, order your credit reports, and review them for possible problems.
How will I know if any of my personal information was used by someone else?
The best way to find out is to order your credit reports from the three credit bureaus: Equifax, Experian, and TransUnion. If you notice accounts on your credit report that you did not open, or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information without your permission.
Do I have to pay for the credit report?
No. You can order your credit reports from all three credit bureaus for free once a year. You can do this online at www.annualcreditreport.com or by phone at 1-877-322-8228.
If my information was accessed, what should I do?
Keep a copy of this notice for your records in case of future problems with your medical records. CDCR has set up a toll-free number where you can call for information contained in this FAQ. That number will be staffed from 8 a.m. to 5 p.m., Monday through Friday Pacific Standard Time for the next 90 days. Information specific to an individual will not be available, but we will offer as much information on this situation as we can, and any next steps you should take as a precaution.
- Current or formerly incarcerated: (888) 661-2467
- Staff/stakeholders: (888) 661-2471
For additional questions, please email SFTPInquiries@cdcr.ca.gov
For further information on how to protect yourself, please refer to the enclosure "Breach Help – Consumer Tips from the California Attorney General."
For information about privacy protection steps and your medical privacy rights, you may visit the website of the California Department of Justice, Privacy Enforcement and Protection at www.oag.ca.gov/privacy.
If I’m an incarcerated person, and my information was accessed, what should I do?
Keep a copy of this notice for your records in case of future problems with your medical and/or financial records. You can also call (888) 661-2467. You will not be charged for calling this number. Information specific to you or any individual will not be available, but we can assist you with any precautionary measures you may choose to take.
You may also send a letter to:
California Department of Corrections and Rehabilitation
Office of Legal Affairs
Attention: Privacy Office
PO Box 942883
Sacramento, CA 94283-0001
You may also write or call the following credit bureaus to check on your credit and ensure there has been no identity theft:
- Experian: 1-888-397-3742 or www.experian.com/fraud/center.html
  P.O. Box 9554
  Allen, TX 75013
- Equifax: 1-800-525-6285 or www.equifax.com/personal/credit-report-services/credit-fraud-alerts/
  P.O. Box 740256
  Atlanta, GA 30374
- TransUnion: 1-800-680-7289 or www.transunion.com/fraud-alerts
  P.O. Box 2000
  Chester, PA 19016
Please note: your Correctional Counselor and other institutional staff do not have information on this issue. We strongly encourage you to use the above resources.
What are you doing to make sure this doesn’t happen again?
That computer system is no longer being used. CDCR is using a new system with more security controls. We take this matter very seriously and regret that this happened. We are committed to transparency as we move forward with increased data security measures in place.
We want to assure everyone that we have changed our procedures and practices to limit the risk this will happen again.