Metro Atlanta company suffers data breach, affecting 54K inmates

Experts say incarcerated people make for desirable identity theft targets
October 4, 2022 Alpharetta - Exterior of a building at 1720 Winward Concourse in Alpharetta, where the corporate offices of CorrectHealth are located, on Tuesday, October 4, 2022. The Forsyth County company provides healthcare for people inside correctional facilities nationwide. It was the target of a recent data breach. CorrectHealth reported the breach and notified the 54,000 affected inmates in late August. (Hyosub Shin / Hyosub.Shin@ajc.com)

Credit: HYOSUB SHIN / AJC


A Forsyth County company that provides healthcare for people inside correctional facilities nationwide was the target of a recent data breach, leaving tens of thousands of incarcerated people at risk of having their identities stolen.

CorrectHealth reported the breach and notified the 54,000 affected inmates in late August, but the incident until now has largely avoided publicity. Inmates are among the people more vulnerable to data breaches and among the more tempting targets for cyber thieves.

That’s because of the potential for criminals to obtain sensitive personal information and use it without detection, as an incarcerated person might not be promptly alerted or have access behind bars to tools with which to protect themselves.

Of the affected inmates nationwide, it is unclear how many are from Georgia or are incarcerated here. Georgia Attorney General Chris Carr’s office said last week it had not been notified by CorrectHealth of the breach.

On Aug. 25, CorrectHealth said on its website it reported the data breach to the FBI and the Maine Attorney General’s office. Under Maine state law, companies are required to disclose a data breach any time the vital information of a resident of the state is compromised. According to the state’s attorney general, three Maine residents were among the victims of the breach.

While other Georgia companies such as financial technology and credit reporting giant Equifax have suffered larger data breaches over the past few years, experts said the CorrectHealth incident ranks as one of the more severe because of the information that was compromised and the victims’ incarcerated status.

“If their mail hasn’t been properly routed to them... and it hasn’t been forwarded to the place where they’re incarcerated, that could increase the difficulty (of protecting themselves),” Jim Van Dyke, vice president of innovation for Sontiq, told The Atlanta Journal-Constitution.

Sontiq, a cybersecurity company owned by TransUnion, ranks the severity of data breaches on a one to 10 scale, with 10 being the most serious. Van Dyke said the CorrectHealth breach is a seven, which ranks in the top 8% of data breaches his company analyzes.

CorrectHealth, which operates in 37 facilities and treats more than 14,000 patients each year, did not respond to multiple requests for comment. The company does not list all of its locations on its website.

CorrectHealth has provided services to several Georgia correctional facilities, including the Clayton County jail, the Chatham County jail and a nursing center in Milledgeville for parolees, according to reports in the AJC.

The hacking incident went undetected for months, increasing the likelihood of financial consequences for the victims, experts say.

On Nov. 10, CorrectHealth discovered an unauthorized user gained access to employee email accounts through a phishing scam, according to the company’s breach notice. After roughly half a year of investigating and review, CorrectHealth determined that names, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information and medical information may have been leaked.

“Although (CorrectHealth) has not received any reports of related identity theft since the date of the incident, we are notifying you out of an abundance of caution and for purposes of full transparency,” the company said in the notice. A pair of trade publications first reported on the breach in August.

Van Dyke said hackers who get their hands on this leaked information could establish new credit accounts, access the victims’ existing financial accounts or commit medical identity theft.

The company said it is cooperating with the FBI “as part of a larger investigation into the threat group responsible.”

Tony Thomas, a spokesman for the FBI’s Atlanta office, said he can’t confirm or deny the existence of specific investigations, but he said the FBI has roughly 100 open investigations into ransomware attacks across the country.

“All Georgia companies are at risk,” Thomas said in an email. “It is vital for Georgia businesses to come forward when crimes like ransomware strike their operations.”

Georgia Watch, a consumer advocacy organization, said inmates have the same rights as all Americans and should take steps to protect themselves after a data breach, namely freezing their credit.

“As we become more connected through technology, there are more opportunities for data to slip through the cracks, putting consumers from all walks of life at risk,” Georgia Watch said in a statement. “These data breaches have shown us that we cannot always trust that the sensitive information we give to businesses is safe and protected.”