Cyber Incident Victim: Center for Alternative Sentencing and Employment Services
Date: Jul 2020
Location: United States of America
Summary
The Center for Alternative Sentencing and Employment Services experienced a data breach involving unauthorized access to employee email accounts containing client information over several months. The compromised data included names, dates of birth, medical or client identification numbers, clinical treatment details, and—for a limited number—health insurance information, financial account data, Social Security numbers, or driver’s license numbers. The organization engaged cybersecurity experts to investigate, notified affected individuals, and established a dedicated support line, offering complimentary credit monitoring to those with exposed sensitive identifiers. Security enhancements and staff retraining on email protocols were implemented following the incident.
Description
The Center for Alternative Sentencing and Employment Services (CASES) experienced a data security incident involving unauthorized access to employee email accounts between July 6, 2020, and October 4, 2020. The organization discovered the unauthorized access on November 18, 2020, and engaged external cybersecurity firms to investigate the scope and cause. On January 6, 2021, CASES confirmed that an unauthorized third party had acquired some of its information. The compromised email accounts contained client data, though the breach did not affect all individuals served by the organization—only those whose information resided in the accessed accounts. The investigation revealed that exposed information included names, dates of birth, medical or client identification numbers, and clinical treatment details. A subset of records also contained health insurance information, financial account details, Social Security numbers, and driver's license numbers.

CASES began notifying affected clients via mailed letters on January 15, 2021, and established a dedicated call center for inquiries. Individuals not receiving notification by February 15 were instructed to contact the provided phone number. The organization offered complimentary credit monitoring and identity protection services to clients whose Social Security numbers or driver's license numbers were exposed. All impacted individuals were advised to review insurance and medical statements for unauthorized activity. CASES stated its investigation remained ongoing, with additional notifications planned if further exposures were identified. In response to the breach, the organization implemented enhanced security tools and reinforced staff training on email security protocols. The incident compromised sensitive information from a limited client subset but did not disrupt all organizational services or systems.
