CorrectCare Integrated Health, Inc.
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
CorrectCare Integrated Health, Inc., a Kentucky-based company specializing in medical claims processing for correctional facilities, experienced a significant data breach that exposed the sensitive personal information of nearly 600,000 inmates. This breach was reported to the U.S. Department of Health and Human Services on October 31, 2022, and involved at least three “unauthorized access/disclosure” incidents due to a server misconfiguration[2]. The exposed information included full names, dates of birth, Social Security numbers, and limited health information such as diagnosis and procedure codes. However, financial account or payment card information was not exposed[2].
The breach was discovered on July 6, 2022, when it was found that two file directories on a CorrectCare web server had been inadvertently exposed to the internet. The data exposure began as early as January 22, 2022, affecting patients who received medical care over more than a decade, from January 1, 2012, to July 6, 2022[2]. CorrectCare took less than nine hours to secure the server after discovering the misconfiguration and has since implemented measures to enhance the security of its systems[2].
Affected individuals have been offered 12 months of identity and credit monitoring services. Despite these measures, the breach has raised significant concerns due to the sensitive nature of the exposed information and the potential difficulty for incarcerated individuals to protect themselves from the consequences of the breach[2].
Legal actions have been initiated against CorrectCare Integrated Health, Inc., including a class action lawsuit filed by plaintiffs who suffered actual damages as a result of the breach. These damages include time and expenses related to monitoring financial accounts for fraudulent activity, an increased risk of fraud and identity theft, and the lost value of their personal information[1]. The lawsuit accuses CorrectCare of failing to properly secure and safeguard protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) and other medical information[1].
This breach is part of a larger trend of healthcare data breaches, which are particularly concerning due to the sensitive nature of the information involved. Healthcare institutions are among the most targeted by cyberattacks, making the protection of patient information a critical concern[12].
Citations:
- https://www.classaction.org/media/oliver-et-al-v-correctcare-integrated-health.pdf
- https://www.bankinfosecurity.com/correctcare-breach-a-20482
- https://www.hipaajournal.com/correctcare-integrated-health-data-breach-affects-thousands-of-inmates/
- https://www.anylaw.com/case/in-re-correctcare-data-breach-litigation/e-d-kentucky/02-21-2023/KzBzfoYBu9x5ljLUKx-h
- https://www.turkestrauss.com/2022/11/03/correctcare-integrated-health-data-breach-investigation/
- https://www.linkedin.com/posts/ellipticsystems_phishing-cyberattack-hacking-activity-7004489675767779329-2roC?trk=public_profile_like_view
- https://www.thelyonfirm.com/blog/correctcare-integrated-health-data-breach-investigation/
- https://law.justia.com/cases/federal/district-courts/kentucky/kyedce/5:2022cv00319/100469/33/
- https://www.pacermonitor.com/public/filings/DJXAVQVA/Hiley_v_CorrectCare_Integrated_Health__kyedce-22-00319__0001.0.pdf
- https://www.hipaajournal.com/october-2022-healthcare-data-breach-report/
- https://www.courtlistener.com/docket/66627935/in-re-correctcare-data-breach-litigation/
- https://stacker.com/kentucky/biggest-health-care-data-breaches-you-should-know-about-kentucky
- https://www.govinfo.gov/content/pkg/USCOURTS-kywd-5_08-cv-00094/pdf/USCOURTS-kywd-5_08-cv-00094-1.pdf
- https://casetext.com/case/penman-v-correct-care-solutions-llc
- https://www.robertabelllaw.com/library/Missed_Breaks_and_Lunch_Breaks_Overtime___Wages_Lawsuit_Against_CorrectCare.pdf