Cyber Incident Victim: California Department of Corrections and Rehabilitation
Date: Aug 2022
Location: United States of America
Summary
A cybersecurity incident at the California Department of Corrections and Rehabilitation potentially exposed medical information of employees and visitors tested for COVID-19. The investigation also uncovered vulnerabilities that potentially exposed inmate mental health records, financial account details, and personally identifiable information, including Social Security numbers for parolees in treatment programs. Unauthorized access to a single system was detected, though no evidence confirmed data misuse or exfiltration. The agency transitioned to a more secure system, notified affected individuals after the investigation, and established dedicated support channels. The breach scope included historical data but did not involve COVID-19 test results for incarcerated individuals.
Description
The California Department of Corrections and Rehabilitation (CDCR) announced on August 22, 2022, that unauthorized access to its systems potentially exposed sensitive data spanning multiple categories of individuals. The breach was discovered in June 2022 when investigators identified unauthorized entry into a specific computer system, though no evidence indicated data was viewed or copied. The primary exposure involved medical information of employees and visitors who underwent COVID-19 testing through CDCR between June 2020 and January 2022. During the subsequent investigation, officials uncovered additional potential compromises affecting inmate records dating back to 2008. These included mental health treatment details containing names and clinical information from the Mental Health Service Delivery System, along with financial account data tracked through a separate system. Parolees participating in substance use disorder treatment programs also faced potential exposure of driver’s license numbers and Social Security numbers. The breach did not involve COVID-19 testing data for incarcerated individuals. CDCR confirmed the incident was isolated to one system but could not identify the responsible party or determine the exact method of unauthorized access.

Upon concluding the investigation, CDCR implemented notification procedures for affected individuals, establishing toll-free support lines and publishing informational resources online. The department migrated operations to a new system incorporating enhanced security controls to prevent recurrence. No evidence suggested misuse of exposed data, though the scope included highly sensitive categories such as mental health records and financial identifiers. The timeline of vulnerabilities extended significantly, with some inmate data systems potentially compromised for over a decade prior to detection. Response efforts focused on containment through system replacement rather than forensic attribution or recovery operations. The incident exposed systemic security gaps across legacy platforms handling medical, financial, and correctional treatment records, though no technical causes or attack vectors were specified.
