Breach included medical information
No current evidence suggests misuse of data
Department has sent notices to those impacted
SACRAMENTO – The California Department of Corrections and Rehabilitation (CDCR) today announced a potential data breach that included medical information on people who were tested for COVID-19 in the department from June 2020 through January 2022, including staff, visitors, and others. It did not include COVID testing information for the incarcerated population.
The potential breach was discovered in early 2022, following routine maintenance on one of our information systems. The breach also potentially included other medical information for a portion of the incarcerated population going as far back as 2008, as well as some financial information.
Following the discovery of the potential breach, department staff took immediate action, and suspended all of the affected systems. The department also notified authorities, and began a multi-agency investigation that concluded this summer.
At this time and as a result of our forensic analysis, CDCR does not have any collaborating evidence which suggests the data exposed has been compromised or misused. Out of an abundance of caution, the department is notifying all potentially impacted parties, and has also set up toll-free numbers for anyone who may have been impacted.
These numbers will be staffed during business hours Monday-Friday for the next 90 days:
- For general public/staff: (888) 661-2471
- For currently or formerly incarcerated: (888) 661-2467
CDCR has provided public service announcements in both English and Spanish as well as a frequently asked questions resource: https://www.cdcr.ca.gov/family-resources/2022/08/22/potential-data-breach
CDCR takes this matter very seriously and regrets this happened. We have changed our procedures and practices to limit the risk of any future breaches, including discontinuing the use of the platform that suffered the security breach. We are committed to transparency as we move forward with these increased data security measures.