California state prison system suffered a cyberattack, potentially exposing sensitive medical data

Updated on: 15 November 2023

Anna Zhadan
Contributor

Threat actors managed to access the computer system of the California Department of Corrections and Rehabilitation (CDCR), potentially impacting 236,000 people.

During a maintenance session in January 2022, CDCR noticed suspicious activity on a computer system dating back to December 2021. A multi-agency investigation later revealed that a threat actor managed to access the system.

Although the Department’s statement suggests that there was no sign of someone copying personal data, it is nonetheless “possible that someone may have looked at your information while in the system.”

The breach potentially affected 236,000 people, including staff and visitors who were tested for COVID-19 by the department from June 2020 through January 2022, as well as information about people on parole who are in substance use disorder treatment programs

It also might have included mental health information for the incarcerated population in the Mental Health Services Delivery System going as far back as 2008. For those impacted, their name, CDCR number, mental health treatment, mental health history, and mental health diagnosis could have been exposed.

The CDCR’s statement suggests that some of the accessed data included Social Security Numbers, driver’s license numbers, and trust account information.

“At this time and as a result of our forensic analysis, CDCR does not have any collaborating evidence which suggests the data exposed has been compromised or misused,” CDCR said in a statement.

In response to the breach, CDCR shut down the system and initiated a multi-agency law enforcement and forensic investigation.