May 28, 2023

A server misconfiguration at Kentucky-based CorrectCare Integrated Health, which provides medical claims processing for correctional facilities, exposed sensitive information of nearly 600,000 inmates who received medical care during the last decade while incarcerated.

The HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website also shows several breaches reported in recent weeks by CorrectCare’s clients, collectively affecting about another 100,000 individuals.


Those clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a firm that provides medical and mental health services to inmates at correctional facilities.

In one breach notification letter submitted to the California attorney general’s office, CorrectCare describes itself as a third-party health administrator under contract with Health Net Federal Services and a business associate of the California Department of Corrections and Rehabilitation.

The file directories contained protected health information of individuals who were incarcerated in a state prison. Patient information contained in the exposed file directories included PII and limited health information, such as a diagnosis code and procedure codes.

Affected individuals are being offered 12 months of identity and credit monitoring. The company says it has implemented measures to enhance the security of its systems.


While CorrectCare says that it took “less than nine hours” to secure the server after discovery of the misconfiguration, a forensics investigation determined that the data exposure started as early as Jan. 22, and that the incident affected information of patients who received medical care over more than a decade – between Jan. 1, 2012, and July 6, 2022.
