On Oct. 25, 2022, CorrectCare Integrated Health Inc., a County contractor, notified Sacramento County Health Services of a potential data breach impacting approximately 5,372 County Correctional Health patients. Based on the contact information on file, these individuals will be mailed a notification of the data exposure and will be notified that they will have the no-charge option to have one year of credit monitoring, credit resolution and identity restoration services.
On July 6, 2022, CorrectCare identified two unsecured folders containing protected health information. An investigation by CorrectCare revealed the folders had been exposed to the public internet between January 22, 2022, and July 6, 2022. As of July 7, additional testing of security folders confirmed the issue had been remedied and files secured.
Actions taken in response to the incident:
- A cyber forensics security firm was hired by CorrectCare to conduct an investigation to analyze the nature and scope of the incident and to determine whether any patient information may have been exposed.
- Dark web searches completed a week after notification found no data related to Correct Care.
- Complimentary one-year of credit monitoring, credit resolution, and identity restoration services offered to all impacted individuals.
Adult Correctional Health patients can call 916-876-7195 or email
ACHAdmin@saccounty.gov with questions regarding the breach. A point of contact has been identified at both the Main Jail and Rio Cosumnes Correctional Center to answer questions from inmates still in custody who may be impacted.
This incident has been reported to the U.S. Department of Health & Human Services, and the California Department of Health Care Services. Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 C.F.R. Part 5, the Office of Civil Rights (OCR) may be required to release information provided in the breach notification. For breaches affecting more than 500 individuals, some of the information provided will be made publicly available by posting on the HHS website pursuant to § 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5). Additionally, OCR will use this information, pursuant to §13402(i) of the HITECH Act, to provide an annual report to Congress regarding the number and nature of breaches that are reported each year and the actions taken to respond to such breaches. OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.