Central Valley Regional Center, Inc. (CVRC), a California-based nonprofit serving individuals with developmental disabilities, suffered a data breach due to the improper disposal of sensitive documents by a contracted janitorial service. Between March 1, 2025, and July 7, 2025, confidential records including names, addresses, dates of birth, Social Security numbers, medical information, and other personal data were discarded in regular trash instead of being shredded. The breach impacted documents spanning 2015 to 2025, affecting over 28,000 individuals across six counties. CVRC reported the incident to law enforcement and regulatory bodies, offering one year of free identity protection (LifeLock) and establishing a call center for affected parties. Legal investigations are underway, with potential compensation claims for victims of unauthorized exposure.
Source: https://www.claimdepot.com/investigations/central-valley-regional-center-data-breach-2025
TPRM report: https://www.rankiteo.com/company/central-valley-regional-center
"id": "cen1802718092025",
"linkid": "central-valley-regional-center",
"type": "Breach",
"date": "6/2015",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Individuals served by CVRC and '
'their families (2015–2025); '
'exact number not specified',
'industry': 'Healthcare / Social Services '
'(Developmental Disabilities Support)',
'location': 'Fresno, California, USA',
'name': 'Central Valley Regional Center, Inc. (CVRC)',
'size': 'Serves 28,000+ individuals across 6 counties '
'(Merced, Mariposa, Madera, Fresno, Tulare, '
'Kings)',
'type': 'Nonprofit Organization'}],
'attack_vector': 'Physical (Improper Document Disposal by Third-Party '
'Janitorial Service)',
'customer_advisories': 'Enroll in complimentary LifeLock identity protection; '
'monitor for identity theft; contact call center for '
'questions (1-888-840-0361).',
'data_breach': {'data_encryption': 'Not Applicable (Physical Documents)',
'data_exfiltration': 'No (Physical Loss via Improper '
'Disposal)',
'file_types_exposed': 'Paper Documents',
'personally_identifiable_information': 'Yes (Names, '
'Addresses, DOBs, '
'SSNs, Medical Data)',
'sensitivity_of_data': 'High (Includes SSNs, Medical '
'Information, and Other Personal Data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-07',
'date_publicly_disclosed': '2025-09-11',
'description': 'Central Valley Regional Center, Inc. (CVRC) experienced a '
'data breach due to the improper disposal of confidential '
'documents by a contracted janitorial service. Sensitive '
'documents, including personally identifiable information '
'(PII) of individuals served by CVRC and their families '
'(2015–2025), were discarded in regular trash instead of being '
'shredded. The incident occurred at one CVRC facility between '
'March 1, 2025, and July 7, 2025, and was discovered in July '
'2025. Affected data includes names, addresses, dates of '
'birth, Social Security numbers, medical information, and '
'other personal details. CVRC reported the breach to law '
'enforcement and regulatory authorities, offering one year of '
'complimentary identity protection services (LifeLock) to '
'impacted individuals.',
'impact': {'brand_reputation_impact': 'Moderate to High (Given Sensitive '
'Nature of Data and Population Served)',
'customer_complaints': 'Expected (Due to Breach Notification)',
'data_compromised': ['Names',
'Addresses',
'Dates of Birth',
'Social Security Numbers',
'Medical Information',
'Other Personal Data'],
'identity_theft_risk': 'High (Due to Exposure of SSNs and Medical '
'Data)',
'legal_liabilities': 'Potential Lawsuits and Regulatory Fines '
'(e.g., California Consumer Privacy Act, '
'HIPAA if applicable)',
'operational_impact': 'Potential Legal and Reputational Damage; '
'Identity Theft Risk for Affected '
'Individuals'},
'investigation_status': 'Ongoing (Class Action Investigation by Shamis & '
'Gentile P.A.)',
'lessons_learned': 'Importance of secure document destruction protocols, '
'third-party vendor oversight, and physical security '
'measures for sensitive data.',
'motivation': 'Negligence / Human Error',
'post_incident_analysis': {'corrective_actions': ['Termination of Janitorial '
'Contract (or Enforcement '
'of Secure Practices)',
'Implementation of '
'Mandatory Shredding for '
'All Sensitive Documents',
'Enhanced Vendor Compliance '
'Audits',
'Expanded Training on Data '
'Protection'],
'root_causes': ['Failure to Enforce Secure '
'Document Destruction Policies',
'Lack of Oversight for Third-Party '
'Janitorial Service',
'Inadequate Physical Security '
'Controls for Sensitive '
'Documents']},
'recommendations': ['Implement Strict Document Destruction Policies for '
'Third-Party Vendors',
'Conduct Regular Audits of Physical Security Practices',
'Enhance Employee and Vendor Training on Data Handling',
'Expand Identity Protection Services for Affected '
'Individuals',
'Review Compliance with CCPA and HIPAA (if applicable)'],
'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'}],
'regulatory_compliance': {'legal_actions': 'Under Investigation (Class Action '
'Lawsuits Expected)',
'regulations_violated': ['California Consumer '
'Privacy Act (CCPA)',
'Potentially HIPAA (if '
'medical data falls under '
'protected health '
'information)',
'California State '
'Department of '
'Developmental Services '
'Policies'],
'regulatory_notifications': 'California Attorney '
'General; California '
'State Department of '
'Developmental '
'Services'},
'response': {'communication_strategy': 'Breach Notification Letters; Public '
'Disclosure to California Attorney '
'General; Dedicated Call Center',
'containment_measures': 'Termination of Improper Disposal '
'Practices; Review of Janitorial '
'Contracts',
'incident_response_plan_activated': 'Yes (Reported to Law '
'Enforcement and Regulatory '
'Authorities)',
'law_enforcement_notified': 'Yes',
'recovery_measures': 'Dedicated Call Center for Affected '
'Individuals (1-888-840-0361)',
'remediation_measures': 'Offer of 1 Year Complimentary Identity '
'Protection (LifeLock)',
'third_party_assistance': 'LifeLock (Identity Protection '
'Services)'},
'stakeholder_advisories': 'Breach notification letters sent to affected '
'individuals; dedicated call center established.',
'threat_actor': 'Unintentional (Third-Party Janitorial Service)',
'title': 'Central Valley Regional Center, Inc. Data Breach (Improper Disposal '
'of Confidential Information)',
'type': 'Data Breach (Improper Disposal / Physical Security Failure)',
'vulnerability_exploited': 'Lack of Secure Document Destruction Procedures'}