Cyber Incident Victim: CorrectHealth
Date: Nov 2021
Location: United States of America
Summary
A Georgia-based healthcare provider for incarcerated individuals experienced unauthorized access to employee email accounts, compromising personal and medical information including names, addresses, Social Security numbers, driver's license numbers, passport details, financial data, and limited health records. Following an investigation, the organization notified 54,066 affected individuals; no identity theft incidents were reported. In response, security enhancements included mandatory password resets, multi-factor authentication for administrative staff, single sign-on for clinical teams, disclaimers on external email, advanced phishing protections, and recurring employee cybersecurity training. The breach prompted criticism over the delay in remediation, since the protections implemented afterward could potentially have prevented the incident had they been in place earlier.
Description
In November 2021, CorrectHealth, a Georgia-based private healthcare provider for incarcerated individuals, discovered unauthorized access to certain employee email accounts. The organization did not disclose the breach timeline or the initial intrusion method. Following detection, CorrectHealth began an investigation that continued until July 2022, when it identified 54,066 affected individuals requiring notification. The compromised data included personally identifiable information such as names, addresses, Social Security numbers, driver's license numbers, and passport numbers, along with financial account information and limited medical details. The organization did not specify whether the impacted individuals were solely employees or also included patients, nor did it clarify whether it is a HIPAA-covered entity subject to federal health data breach reporting requirements. CorrectHealth publicly stated that no identity theft incidents stemming from the breach had been reported since its discovery.

In response to the incident, CorrectHealth implemented multiple security enhancements beginning in late 2021. These included a mandatory company-wide password reset for all employees, deployment of an advanced phishing protection service for its email system, and the addition of disclaimers to all externally received emails. The organization rolled out Multi-Factor Authentication for administrative staff accounts and began implementing Single Sign-On for the systems used by clinical staff. Additionally, CorrectHealth instituted mandatory weekly data security training and monthly simulated phishing exercises for all personnel. Although it had no concrete evidence that the exposed data had been misused, the organization proceeded with breach notifications to affected individuals in July 2022, citing transparency and precaution as the reasons for disclosure. The notifications went out approximately nine months after the initial breach discovery and eight months after containment efforts began.
