More than 5,000 incarcerated patients of the Sacramento County (Calif.) Correctional Health organization have had their private medical data exposed on the internet for months due to a contractor data breach, according to Sacramento County Health Services.
Sacramento County Health Services announced in late November that its contractor CorrectCare Integrated Health informed them on Oct. 25 of a potential data breach impacting approximately 5,372 County Correctional Health incarcerated patients. The county said that based on the contact information on file, these individuals will be mailed a notification of the data exposure and will be notified that they will have the no-charge option to have one year of credit monitoring, credit resolution and identity restoration services.
Back in July, CorrectCare identified two unsecured folders containing protected health information. An investigation by CorrectCare revealed the folders had been exposed to the public internet between January 22, 2022, and July 6, 2022. As of July 7, additional testing of security folders confirmed the issue had been remedied and files secured, the county said in a press release.
The county also detailed actions taken in response to the data breach, including:
- A cyber forensics security firm was hired by CorrectCare to conduct an investigation to analyze the nature and scope of the incident and to determine whether any patient information may have been exposed;
- Dark web searches completed a week after notification found no data related to Correct Care; and
- Complimentary one-year of credit monitoring, credit resolution, and identity restoration services is being offered to all impacted individuals.
The county said the incident has been reported to the U.S. Department of Health & Human Services, and the California Department of Health Care Services.