A faulty server exposed the PHI of 600,000 inmates

A server misconfiguration at a company that processes medical claims for correctional facilities exposed the sensitive information of nearly 600,000 prisoners who received medical care while incarcerated over the past decade. The claims processor says the affected records go back more than ten years.

On October 31, Kentucky-based CorrectCare Integrated Health Inc. reported to the U.S. Department of Health and Human Services a server misconfiguration-related “unauthorized access/disclosure” breach affecting almost 500,000 people.

The HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website also lists related breaches recently reported by CorrectCare’s clients, affecting nearly another 100,000 people.

Those clients include Sacramento County Adult Correctional Health, the Louisiana Department of Public Safety and Corrections, and Mediko Correctional Healthcare, a company that provides medical and mental health services to prisoners in detention facilities.

Breach Details

In a sample breach notification letter it provided to the California attorney general’s office on October 31, CorrectCare describes itself as a third-party health administrator working under contract with Health Net Federal Services and as a business associate of the California Department of Corrections and Rehabilitation.

In the letter, the company says that on July 6 it learned that two file directories on a CorrectCare web server had inadvertently been made accessible from the public internet.

According to that notification, the directories held protected health information of state prison inmates.

The exposed files contained patient data including full name, date of birth, Social Security number, and limited health information such as diagnosis and procedure codes.
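The failure mode described here, a web server that serves an index of directories that were never meant to be public, is something an external check can catch before a forensics team has to reconstruct months of exposure. The following is an added example written for this page, not code from CorrectCare or from the notification letter. It recognizes the auto-generated index pages that Apache, nginx, Tomcat and Python’s http.server emit, extracts the file names they list, and flags extensions that suggest bulk data exports. The host, paths and file names in the sample responses are constructed for the demonstration.

```python
"""Spot auto-generated directory listings, and the files they expose, in HTTP responses.

Added example, not code from CorrectCare or from the article. The sample
responses below are constructed; the host, paths and file names are invented.
"""
import os
import re
from html.parser import HTMLParser

# Title/heading patterns that common servers emit when directory indexing is on
# (Apache "Options +Indexes", nginx "autoindex on;", Tomcat's default servlet
# with listings="true", Python's http.server). Matching is case-insensitive.
INDEX_SIGNATURES = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"<title>\s*Directory listing for /", re.I),
)

# File types that, in a claims-processing context, warrant an immediate look.
SENSITIVE_EXTENSIONS = {".csv", ".xls", ".xlsx", ".txt", ".pdf", ".sql",
                        ".bak", ".zip", ".json", ".xml"}


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags; index pages link every entry they list."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(status, content_type, body):
    """True if the response looks like a server-generated directory index."""
    if status != 200 or "text/html" not in content_type.lower():
        return False
    return any(sig.search(body) for sig in INDEX_SIGNATURES)


def listed_entries(body):
    """Entry names on an index page, minus sort links, parent links and absolute URLs."""
    collector = _LinkCollector()
    collector.feed(body)
    entries = []
    for href in collector.hrefs:
        if href.startswith(("?", "/", "#")) or "://" in href or href in ("../", "./"):
            continue
        entries.append(href)
    return entries


def sensitive_entries(entries):
    """Subset of entries whose extension suggests exported or bulk data."""
    return [e for e in entries if os.path.splitext(e)[1].lower() in SENSITIVE_EXTENSIONS]


def assess(url, status, content_type, body):
    """Finding for one URL: whether it is an open listing and what it exposes."""
    listing = is_directory_listing(status, content_type, body)
    entries = listed_entries(body) if listing else []
    return {"url": url, "listing": listing, "entries": entries,
            "sensitive": sensitive_entries(entries)}


def scan(responses):
    """Assess (url, status, content_type, body) tuples; return only the open listings."""
    return [f for f in (assess(*r) for r in responses) if f["listing"]]


# Constructed sample responses (invented host and paths), shaped like what an
# HTTP client such as urllib.request would return for each URL.
APACHE_INDEX = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /claims/export</title></head>
<body><h1>Index of /claims/export</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/claims/">Parent Directory</a></td></tr>
<tr><td><a href="2019_inmate_claims.csv">2019_inmate_claims.csv</a></td></tr>
<tr><td><a href="notes/">notes/</a></td></tr>
</table></body></html>"""

NGINX_INDEX = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1><hr><pre><a href="../">../</a>
<a href="db_dump.sql">db_dump.sql</a>                12-Jan-2022 04:15     8812
</pre><hr></body></html>"""

SAMPLE_RESPONSES = [
    ("https://claims.example.invalid/claims/export/", 200, "text/html; charset=UTF-8", APACHE_INDEX),
    ("https://claims.example.invalid/backup/", 200, "text/html", NGINX_INDEX),
    ("https://claims.example.invalid/private/", 403, "text/html", "<h1>Forbidden</h1>"),
    ("https://claims.example.invalid/", 200, "text/html", "<title>Claims Portal</title>"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding["url"], "OPEN LISTING", finding["sensitive"] or finding["entries"])
```

Run against real responses, the two open listings in the sample are exactly the kind of finding to treat as an incident rather than a hygiene item, because every name the index lists was downloadable by anyone who found the path. The server-side fix is to disable indexing outright (`Options -Indexes` in Apache, `autoindex off;` in nginx) and to keep data exports outside the web root in the first place, so that a later directive change cannot re-expose them.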

CorrectCare says the exposed information was not misused and that no financial account, payment card or driver’s license data was involved.

Those affected are being offered 12 months of identity and credit monitoring.

Although CorrectCare says it took “less than nine hours” to secure the server once the misconfiguration was discovered, a forensics investigation found that the exposure began as early as January 22, more than five months before it was noticed on July 6. The affected patient records span more than a decade, from January 1, 2012, to July 6, 2022.

The company says it has taken steps to improve the security of its systems.

Information Security Media Group asked CorrectCare for more details on the incident but did not receive an immediate response.

High Risk

IT misconfiguration-related breaches are relatively common, says privacy attorney Kirk Nahra of the law firm WilmerHale, but the circumstances of the CorrectCare incident are particularly troubling.

He notes that a breach can be much harder on incarcerated people: all the typical things a person would do to protect themselves may be considerably tougher for these individuals, he says. “It’s unclear how they would get notice, if they could sign up for credit monitoring, etc.”

In recent months and years, numerous significant health data breaches have been caused by IT misconfigurations. These incidents frequently involve years’ worth of private health information being discovered, mistakenly exposed, online.