California corrections says potential data breach affected staff, inmates

The California Department of Corrections and Rehabilitation says an unauthorized user gained access to a file system that held COVID-19 test data and inmates' mental health records.
San Quentin State Prison
San Quentin State Prison is in Marin County, California. (Getty Images)

The California Department of Corrections and Rehabilitation said Monday a potential data breach earlier this year exposed information related to staff and visitors who underwent COVID-19 tests, as well as mental health information collected on current and former inmates dating as far back as 2008.

The potential breach was discovered in January, when the department’s IT team discovered suspicious activity on a file transfer system that had started last December. That system had been used to process medical information collected on California corrections staff, prison visitors and other individuals who’d been tested for COVID-19 between June 2020 and this past January.

The incident was confirmed in June when a multi-agency investigation, involving law enforcement and forensic examiners, discovered that the file transfer system had been accessed by an unauthorized user, though corrections officials said they are “not aware of any misuse, viewing or copying of the information.” The department’s IT office also suspended use of the system upon first noticing the suspicious activity.

The incident did not include coronavirus testing data collected from the systems incarcerated population, officials said.


Current and former inmates, though, may have been affected because the potential breach also touched the corrections department’s Mental Health Services Delivery System. Affected data, reaching back nearly 15 years, included inmate names, numbers, mental health history and treatments. The department’s mental health portfolio includes psychiatric care, counseling and substance-abuse treatments, among other services.

Information about paroled individuals currently receiving substance-abuse treatment may have also been exposed, officials said. A letter to current and former inmates states that the incident did not expose any Social Security numbers, driver’s licenses or financial accounts.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts