THE CASE OF THE VANISHING LAP TOP
Last month, I got a call from an California prison inmate whom I know, who is serving a little less than two years in Chuckawalla Valley State Prison. The inmate, whom we’ll call Javier although that is not his real name, told me he was worried because a laptop containing his personal data, and that of hundreds, or maybe thousands of other inmates, had been stolen. By “personal data,” Javier said, he meant health records, his social security number, plus any and all other private information of his that was possessed by the California Department of Corrections and Rehabilitation (CDCR).
I should explain here that, because of my years of gang reporting starting in 1990, I often get collect calls from people residing in state and county correctional facilities. This is due to the fact that, during the most intense years of that reporting, I got to know a great many people who were active in the gang world. Those once-teenagers and young adults are now men and women in their late 30s to mid-40s, some even older. Most of those former gangsters I knew the best in those years have, against daunting odds, long ago rebooted their lives in healthy directions and are doing well as working people, taxpayers, husbands, wives, parents and, in some cases, grandparents.
But not all. Some of those I first met during the gang-haunted 1990’s are either dead or sentenced to prison for a very long time. Others, like my caller, are making progress. But, for a variety of reasons, they still struggle.
In any case, Javier was concerned that the laptop thief could and would engage in identify theft on a grand scale. “I’m getting out in a month,” he said. “And I want to do good for my wife and my kids. But this worries me. I can’t afford problems. I want to do everything right. I can’t afford to have some crazy thing go wrong”
It was Javier’s understanding that the laptop that contained all this personal data was never supposed to be removed from where it normally resided in a CDCR facility. But a staff member removed it anyway, he’d heard, for some reason or other. Then before the staffer could get home with the illegal laptop, somebody jacked the thing from his/her car.
I told Javier that the whole thing sounded awful, and took a few notes. Then I got busy with other stories and tasks, and did not investigate his stolen data tale any further.
This week, however, I began hearing from prison reform advocates who said that they too had been getting letters and calls from CDCR inmates who reside in a variety of California prisons. All of them told identical tales about the stolen data. And all—like Javier—-were very concerned.
One male inmate serving time at Richard J. Donovan Correctional Facility in San Diego was spooked by the idea of outsiders getting his medical files and wondered how all that information had been allowed to go outside the prison.
Another inmate, a 28-year-old woman housed at the California Institution for Women (CIW), wrote “please help me by looking into this.” She’d been in prison for the past decade, since she was 18, and much of that time she’d been seeing a doctor for mental health issues. She’d also been put in isolation for long, traumatizing stretches. The thought of confidential files from those years, and those shrink sessions, floating around in unauthorized hands, understandably panicked her.
I called the CDCR to find if such a breach had indeed really occurred and, if so, what they had to say about it. The representative who got on the phone admitted that he was aware of the issue but said that they (the CDCR) were not the right people to comment, and that I needed to talk to someone at California Correctional Health Care Services [CCJCS]—the federal receiver’s office.
His tone was that of one who was lateraling a hot potato to someone else, and who was very glad to be ridding himself of the troublesome spud.
CCJCS is the organization formed by federal receiver J. Clark Kelso and his team as a consequence of a massive class action civil rights lawsuit (Plata v. Schwarzenegger) filed in 2001 against the State of California regarding the ghastly, and often deadly, quality of medical care in the state’s adult prisons, which it was determined violated the Eighth Amendment to the Constitution, the Americans with Disabilities Act, and a number of other statutes. When few changes were made after the settlement of the case, in 2005 the entire California prison medical system was put into federal receivership. Since 2006, Kelso and company have been tasked with reforming the massive health system that serves the CDCR’s approximately 125,000 adult inmates in California’s 34 prisons.
Ten years later, after much effort, oversight by a very attentive three-judge panel and federal receiver Kelso, plus one high-profile trip to the U.S. Supreme Court (Plata v. Brown), although many improvements have been made, alarming deficits remain.
But we’ll get back to those other Plata-related issues in a minute. First back to the breach.
When I called the CCJCS’s press officer, her voice mail told me she was out on vacation. And the person who is filling in for her had evidently left for the day. I did find, however, that the CCJC was in fact quite concerned with the data breach and had posted a statement about the problem on their website.
It reads in part:
A staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle. This laptop may have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014….
…Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards.
The statement also noted that the CCJCS staff had done its best to notify each individual whose “unsecured protected” information had been, or is reasonably believed to have been “accessed, acquired, used, or disclosed as a result of such breach.”
WLA has obtained a copy of the letter sent to each inmate, which begings like this:
We are contacting you of a possible information security incident involving your personal Information.
On April 25, 2016, California Correctional Health Care Service (CCHCS) Identified a potential breach of your Personally Identifiable Information and Protected Health Information that occurred on February 25,2016. An unencrypted laptop Was stolen from a CCHS workforce member’s personal vehicle…
It goes on from there in a manner that appears to be fairly honest but not terribly reassuring.
OTHER MEDICAL CARE ISSUES
It is possible, of course, maybe even probable, that no one’s information is being used in a compromising fashion, that the thief simply saw a laptop, broke into the car, grabbed the thing, then sold it after wiping the hard drive, having no idea what he/she was wiping.
But the staff carelessness and reported flouting of rules involved in the mess is not heartening when one looks at some of other problems remaining in the CDCR’s medical care system, after all this time in receivership.
There is, for example, the alarming rash of suicides at the California Institution for Women (CIR) that we wrote about last month. Specifically, after an eight-month examination of suicide prevention practices at all 34 prisons of the California Department of Corrections and Rehabilitation, the suicide prevention examiner found that CIW, specifically, was a “a problematic institution that exhibited numerous poor practices in the area of suicide prevention.”
As if to painfully make the point, a few months after report was released, on April 14, a 35-year old woman woman killed herself under heart-wrenching circumstances. Then, less than a week later still, another CIW woman made a serious suicide attempt that reportedly landed her in a coma.
And, if that isn’t enough, there is the fact that the California Office of the Inspector General has recently reported that one-third of the 17 state prisons inspected last year (as part of the Plata lawsuit) showed large deficits with the quality of medical care those prisons were providing to inmates.
For instance, the OIG’s May 18 report showed Mule Creek prison failed in a staggering 11 our of 12 “primary (clinical) quality indicators” applicable to the prison, and was adequate in only one.
In a report on Ironwood State Prison released on May 25, inspectors noted that the state of medical care at Ironwood wasn’t as hideous as that at Mule Creek. It seemed that Ironwood failed to hit only 2 out of 8 clinical quality indicators, instead of 11 out of 12. Still, two out of eight, for those who have not done the math, is a 25 percent failure. Overall, the inspectors deemed the medical care at Ironwood, like Mule Creek, to be “Inadequate.” (The benchmark, by the way, is adequate.)
In other words, today we’re talking about a troubling data theft–-which may or may not turn out to do harm to inmates. But it is difficult not to see that take-home computer breach as a symptom of an array of disturbing and potentially dangerous problems that still plague our state’s prison medical care system.