Misconfigured Server Exposed PHI of 600,000 Inmates
Claims Processing Firm Says Affected Data Is Up to a Decade or More Old
A server misconfiguration at a firm that provides medical claims processing for correctional facilities exposed sensitive information of nearly 600,000 inmates who received medical care during the last decade while incarcerated.
Kentucky-based CorrectCare Integrated Health Inc. on Oct. 31 reported to the U.S. Department of Health and Human Services at least three "unauthorized access/disclosure" breaches stemming from its server misconfiguration incident and affecting a total of nearly 500,000 individuals.
The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website also shows several breaches reported in recent weeks by CorrectCare's clients, collectively affecting about another 100,000 individuals.
Those clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a firm that provides medical and mental health services to inmates at correctional facilities.
In a sample breach notification letter that CorrectCare submitted to the California attorney general's office on Oct. 31, the company describes itself as a third-party health administrator under contract with Health Net Federal Services and a business associate of the California Department of Corrections and Rehabilitation.
The company says in the letter that it discovered on July 6 that two file directories on a CorrectCare web server had been "inadvertently" exposed to the internet.
The file directories contained protected health information of individuals who were incarcerated in a state prison, CorrectCare tells the California attorney general's office.
Patient information contained in the exposed file directories included full name, date of birth, Social Security number, and limited health information, such as a diagnosis code and procedure codes.
Driver's license numbers, financial accounts or payment cards were not exposed, CorrectCare says, adding that it has "no reason to believe that any patient's information has been misused."
Affected individuals are being offered 12 months of identity and credit monitoring.
While CorrectCare says that it took "less than nine hours" to secure the server after discovery of the misconfiguration, a forensics investigation determined that the data exposure started as early as Jan. 22, and that the incident affected information of patients who received medical care over more than a decade - between Jan. 1, 2012, and July 6, 2022.
The company says it has implemented measures to enhance the security of its systems.
CorrectCare did not immediately respond to Information Security Media Group's request for additional details concerning the incident.
Privacy attorney Kirk Nahra of the law firm WilmerHale says breaches involving IT misconfigurations are a very common occurrence - and that the circumstances around the CorrectCare incident are particularly concerning.
"It may be harder for incarcerated individuals to be protected as a result of a breach," he says. "It's not clear how they would get notice, whether they could sign up for credit monitoring, etc. All the normal things that an individual would do to protect themselves from harm may be much harder for these individuals."
IT misconfigurations have been at the root of many major health data breaches in recent months and years. Often, those incidents involve the discovery of many years' worth of sensitive health data being accidentally exposed on the web (see: Drug Testing Lab Portal Incident Exposed Data for 4 Years).