California Correctional Health Care Services

On April 9, 2025, the California Office of the Attorney General disclosed a data breach affecting the California Correctional Health Care Services (CCHCS). The incident occurred on August 21, 2023, when an employee inadvertently sent an unencrypted email containing Protected Health Information (PHI), including last names, CDCR identification numbers, risk levels, and medical details, to an unauthorized recipient. The exact number of impacted individuals remains undetermined, but the exposed data poses significant privacy and security risks. The breach involved sensitive health-related information, which could lead to identity theft, targeted phishing, or reputational harm for both the affected individuals and the organization. As a government-operated healthcare provider within the correctional system, CCHCS is responsible for safeguarding highly confidential patient data, making this incident particularly concerning for compliance with HIPAA and other regulatory standards. The unauthorized disclosure of medical records and inmate identifiers may also undermine trust in the institution’s ability to protect sensitive information.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-601161

TPRM report: https://www.rankiteo.com/company/california-correctional-health-care-services

{
  "id": "cal950091725",
  "linkid": "california-correctional-health-care-services",
  "type": "Breach",
  "date": "8/2023",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}

{'affected_entities': [{'customers_affected': 'Unknown (PHI of '
                                              'inmates/patients exposed)',
                        'industry': 'Healthcare / Corrections',
                        'location': 'California, USA',
                        'name': 'California Correctional Health Care Services '
                                '(CCHCS)',
                        'type': 'Government Agency (Healthcare)'}],
 'attack_vector': 'Human Error (Unencrypted Email)',
 'data_breach': {'data_encryption': 'No (Email was Unencrypted)',
                 'data_exfiltration': 'Yes (Sent to Unauthorized Recipient)',
                 'file_types_exposed': 'Email Content',
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': 'Yes (Last Name, CDCR '
                                                        '#, Risk Level)',
                 'sensitivity_of_data': 'High (Medical and Identifiable '
                                        'Information)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2025-04-09',
 'date_publicly_disclosed': '2025-04-09',
 'description': 'On April 9, 2025, the California Office of the Attorney '
                'General reported a data breach involving the California '
                'Correctional Health Care Services (CCHCS). The breach '
                'occurred on August 21, 2023, when an employee sent an '
                'unencrypted email containing Protected Health Information '
                '(PHI), including last name, CDCR #, risk level, and medical '
                'information, to an unauthorized recipient. The number of '
                'affected individuals is currently unknown.',
 'impact': {'brand_reputation_impact': 'Potential (Due to PHI Exposure)',
            'data_compromised': ['Last Name',
                                 'CDCR #',
                                 'Risk Level',
                                 'Medical Information (PHI)'],
            'identity_theft_risk': 'Moderate (PHI Exposure)',
            'legal_liabilities': 'Potential (HIPAA Violation)'},
 'investigation_status': 'Ongoing (Number of Affected Individuals Unknown)',
 'post_incident_analysis': {'root_causes': ['Lack of Email Encryption '
                                            'Protocols',
                                            'Employee Training Gaps on Data '
                                            'Handling']},
 'references': [{'date_accessed': '2025-04-09',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Health Insurance '
                                                    'Portability and '
                                                    'Accountability Act '
                                                    '(HIPAA)'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public Disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'California Correctional Health Care Services (CCHCS) Data Breach '
          'via Unencrypted Email',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lack of Email Encryption / Employee Negligence'}