Cyber Incident Victim: Central Valley Regional Center

Date: Jul 2019

Location: United States of America

Summary

Central Valley Regional Center experienced unauthorized access to one or more employee email accounts, potentially compromising sensitive personal information. The breach involved names, addresses, contact details, dates of birth and death, Social Security numbers, government-issued identification data, health insurance details, and medical records; a subset of individuals also had financial account information, payment card data, access credentials, and tax-related identifiers exposed. The organization responded by offering affected individuals credit monitoring and protection services following the incident.

Description

On July 29, 2019, Central Valley Regional Center (CVRC) in California discovered unauthorized third-party access to one or more employee email accounts. The breach investigation revealed the unauthorized access occurred between July 25 and August 2, 2019, indicating a nine-day period of potential exposure. CVRC confirmed on August 12, 2019, that personal information within the compromised email accounts may have been affected. The organization did not specify the exact number of email accounts breached but indicated multiple accounts could have been involved. No details were provided regarding how the unauthorized access was initially detected or whether external threat actors or internal factors contributed to the incident. The center did not disclose whether the breach involved malware, phishing, or credential compromise as the attack vector.

The compromised data included individuals' names, addresses, contact information, dates of birth, and dates of death. Sensitive government identifiers such as Social Security numbers, driver's license details, state identification cards, Medi-Cal numbers, and UCI numbers were also exposed. Medical or health information, health insurance details, and treatment-related data formed part of the breach scope. For a limited subset of individuals, additional financial and tax information was affected, including Taxpayer Identification numbers, financial account or payment card details, PINs, account passwords, usernames, email addresses, electronic identifiers with access means, and IRS PINs. CVRC initiated patient notifications following the August 12 determination of impacted data and offered affected individuals credit monitoring and credit protection services. No information was disclosed regarding law enforcement involvement, system remediation steps, or whether the breach resulted from inadequate security controls.
