Louisiana Department of Public Safety and Corrections Reports Cybersecurity Incident

Published 6:40 am Wednesday, November 2, 2022

BATON ROUGE – The Louisiana Department of Public Safety and Corrections (DPS&C) today announced that a cybersecurity incident at a third-party health administrator under contract to process medical claims led to the exposure of personal health information (PHI) of certain members of their incarcerated population. The exposure of two file directories on a single server operated by CorrectCare (the Company) was discovered on July 6, 2022, and impacted approximately 80,000 pretrial and DOC inmates who were incarcerated and received offsite medical care between January 1, 2013, and July 7, 2022. DPS&C contracts with CorrectCare to process medical claims for state and pretrial inmates who receive offsite non-primary and emergency medical care. This is separate and apart from the Department’s onsite medical care and electronic health records (EHR), which are managed by the Department and are not part of this breach.

Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure and secured the server in less than nine hours. The Company also retained leading cyber forensics and security consultants to assist in a thorough investigation of the incident, which is ongoing. Currently, the investigation has not uncovered any evidence of misuse of any patient information. CorrectCare is working closely with DPS&C to keep them informed of the full extent of the data exposure and its impact on currently or formerly incarcerated individuals. CorrectCare is also notifying all affected patients out of an abundance of caution.

Although CorrectCare remediated the data exposure in less than nine hours, further investigation revealed that patient information may have been exposed as early as January 22, 2022, and subject to unauthorized access. The patient information involved in the data exposure included name, date of birth, DOC ID, social security number, and limited health information, such as a diagnosis code and/or CPT code. Please note that no driver’s license numbers, financial account information, or debit or credit card information was exposed.

CorrectCare is offering each affected individual one year of free credit and identity theft monitoring services through Experian IdentityWorks^SM. Any individual who believes their data may have been exposed are encouraged to enroll in Experian’s IdentityWorks^SM by visiting https://experianidworks.com/plus (use Activation Code YJWF423PWC) or calling toll-free (844) 700-1314 from 11 a.m.– 7 p.m. Central Standard Time, Monday-Friday (reference Engagement Number B079693 and Activation Code YJWF423PWC).

DPS&C takes the privacy and security of those under its care very seriously and understands that protecting their information is essential. DPS&C will continue to work with CorrectCare and other partners to safeguard against future exposure of PHI.