THE CASE OF THE VANISHING LAP TOP
Last month, I got a call from an California prison inmate whom I know, who is serving a little less than two years in Chuckawalla Valley State Prison. The inmate, whom we’ll call Javier although that is not his real name, told me he was worried because a laptop containing his personal data, and that of hundreds, or maybe thousands of other inmates, had been stolen. By “personal data,” Javier said, he meant health records, his social security number, plus any and all other private information of his that was possessed by the California Department of Corrections and Rehabilitation (CDCR).
I should explain here that, because of my years of gang reporting starting in 1990, I often get collect calls from people residing in state and county correctional facilities. This is due to the fact that, during the most intense years of that reporting, I got to know a great many people who were active in the gang world. Those once-teenagers and young adults are now men and women in their late 30s to mid-40s, some even older. Most of those former gangsters I knew the best in those years have, against daunting odds, long ago rebooted their lives in healthy directions and are doing well as working people, taxpayers, husbands, wives, parents and, in some cases, grandparents.
But not all. Some of those I first met during the gang-haunted 1990’s are either dead or sentenced to prison for a very long time. Others, like my caller, are making progress. But, for a variety of reasons, they still struggle.
In any case, Javier was concerned that the laptop thief could and would engage in identify theft on a grand scale. “I’m getting out in a month,” he said. “And I want to do good for my wife and my kids. But this worries me. I can’t afford problems. I want to do everything right. I can’t afford to have some crazy thing go wrong”
It was Javier’s understanding that the laptop that contained all this personal data was never supposed to be removed from where it normally resided in a CDCR facility. But a staff member removed it anyway, he’d heard, for some reason or other. Then before the staffer could get home with the illegal laptop, somebody jacked the thing from his/her car.
I told Javier that the whole thing sounded awful, and took a few notes. Then I got busy with other stories and tasks, and did not investigate his stolen data tale any further.
This week, however, I began hearing from prison reform advocates who said that they too had been getting letters and calls from CDCR inmates who reside in a variety of California prisons. All of them told identical tales about the stolen data. And all—like Javier—-were very concerned.
One male inmate serving time at Richard J. Donovan Correctional Facility in San Diego was spooked by the idea of outsiders getting his medical files and wondered how all that information had been allowed to go outside the prison.
Another inmate, a 28-year-old woman housed at the California Institution for Women (CIW), wrote “please help me by looking into this.” She’d been in prison for the past decade, since she was 18, and much of that time she’d been seeing a doctor for mental health issues. She’d also been put in isolation for long, traumatizing stretches. The thought of confidential files from those years, and those shrink sessions, floating around in unauthorized hands, understandably panicked her.
THE BREACH
I called the CDCR to find if such a breach had indeed really occurred and, if so, what they had to say about it. The representative who got on the phone admitted that he was aware of the issue but said that they (the CDCR) were not the right people to comment, and that I needed to talk to someone at California Correctional Health Care Services [CCJCS]—the federal receiver’s office.
His tone was that of one who was lateraling a hot potato to someone else, and who was very glad to be ridding himself of the troublesome spud.
CCJCS is the organization formed by federal receiver J. Clark Kelso and his team as a consequence of a massive class action civil rights lawsuit (Plata v. Schwarzenegger) filed in 2001 against the State of California regarding the ghastly, and often deadly, quality of medical care in the state’s adult prisons, which it was determined violated the Eighth Amendment to the Constitution, the Americans with Disabilities Act, and a number of other statutes. When few changes were made after the settlement of the case, in 2005 the entire California prison medical system was put into federal receivership. Since 2006, Kelso and company have been tasked with reforming the massive health system that serves the CDCR’s approximately 125,000 adult inmates in California’s 34 prisons.
Ten years later, after much effort, oversight by a very attentive three-judge panel and federal receiver Kelso, plus one high-profile trip to the U.S. Supreme Court (Plata v. Brown), although many improvements have been made, alarming deficits remain.
But we’ll get back to those other Plata-related issues in a minute. First back to the breach.
When I called the CCJCS’s press officer, her voice mail told me she was out on vacation. And the person who is filling in for her had evidently left for the day. I did find, however, that the CCJC was in fact quite concerned with the data breach and had posted a statement about the problem on their website.
It reads in part:
A staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle. This laptop may have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014….
…Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards.
The statement also noted that the CCJCS staff had done its best to notify each individual whose “unsecured protected” information had been, or is reasonably believed to have been “accessed, acquired, used, or disclosed as a result of such breach.”
WLA has obtained a copy of the letter sent to each inmate, which begings like this:
Dear so-and-so,
We are contacting you of a possible information security incident involving your personal Information.
What happened:
On April 25, 2016, California Correctional Health Care Service (CCHCS) Identified a potential breach of your Personally Identifiable Information and Protected Health Information that occurred on February 25,2016. An unencrypted laptop Was stolen from a CCHS workforce member’s personal vehicle…
It goes on from there in a manner that appears to be fairly honest but not terribly reassuring.
OTHER MEDICAL CARE ISSUES
It is possible, of course, maybe even probable, that no one’s information is being used in a compromising fashion, that the thief simply saw a laptop, broke into the car, grabbed the thing, then sold it after wiping the hard drive, having no idea what he/she was wiping.
But the staff carelessness and reported flouting of rules involved in the mess is not heartening when one looks at some of other problems remaining in the CDCR’s medical care system, after all this time in receivership.
There is, for example, the alarming rash of suicides at the California Institution for Women (CIR) that we wrote about last month. Specifically, after an eight-month examination of suicide prevention practices at all 34 prisons of the California Department of Corrections and Rehabilitation, the suicide prevention examiner found that CIW, specifically, was a “a problematic institution that exhibited numerous poor practices in the area of suicide prevention.”
As if to painfully make the point, a few months after report was released, on April 14, a 35-year old woman woman killed herself under heart-wrenching circumstances. Then, less than a week later still, another CIW woman made a serious suicide attempt that reportedly landed her in a coma.
And, if that isn’t enough, there is the fact that the California Office of the Inspector General has recently reported that one-third of the 17 state prisons inspected last year (as part of the Plata lawsuit) showed large deficits with the quality of medical care those prisons were providing to inmates.
For instance, the OIG’s May 18 report showed Mule Creek prison failed in a staggering 11 our of 12 “primary (clinical) quality indicators” applicable to the prison, and was adequate in only one.
In a report on Ironwood State Prison released on May 25, inspectors noted that the state of medical care at Ironwood wasn’t as hideous as that at Mule Creek. It seemed that Ironwood failed to hit only 2 out of 8 clinical quality indicators, instead of 11 out of 12. Still, two out of eight, for those who have not done the math, is a 25 percent failure. Overall, the inspectors deemed the medical care at Ironwood, like Mule Creek, to be “Inadequate.” (The benchmark, by the way, is adequate.)
In other words, today we’re talking about a troubling data theft–-which may or may not turn out to do harm to inmates. But it is difficult not to see that take-home computer breach as a symptom of an array of disturbing and potentially dangerous problems that still plague our state’s prison medical care system.
I currently am employed by CCHCS (California Correctional Health Care Services), and a missing laptop is the least of the organizations problems.It is by far the worst entity in civil service, with virtually no oversight. Patient care, for mental health at least, is virtually non-existent. Clinical staff are too busy keeping up with artificial deadlines for paperwork that acts as “proof” of care… Unfortunately,managerial and executive staff (of which there are unjustifiably too many – I’ve never seen such a waste of resources) care more about protecting their positions via inmate-patient numbers than patient outcomes, and from my experience at CIW, and witnessing the rate of staff turnover and dissatisfaction, the illegal internal practices, lack of accountability, and sheer ineptness from the top down, I sincerely believe that the Receiver has fostered an untenable mandate which does not at all focus on patient care, but rather documentation (much of it fraudulent) on the part of providers to gleam the semblance of fulfilling CCHCS organizational mandate, while ensuring conditions never actually improve. Again, its all about job security to the majority the supervisory and executive staff- and its disgusting.
I received a letter from CDCR IN REGARDS TO THE data breach that happened in February 2016 I attain a lawyer do you have any good Lawyers I’m thinking about Morgan & Morgan Law Firm
So what are we supposed to do?is their a class action?
That happened to me too.
Received a letter from the California department of corrections and rehabilitations informing me of this data breach but I was told in the letter that they didn’t get any of our personal information only medical I’ve contacted Morgan and Morgan but have yet to hear back from them.
This happen to me and I am still waiting to hear about the class action lawsuit. I am now out after doing 18 years.
In regards to my data breach I think I should file a discrimination law suit against the attorney general who refused to comment or assist me. In order to protect his own client agencies
The post card I received, was written in such a way that one could easily mistake what is being said that you didn’t have to respond. But if you didn’t sign the card and mail it back, you were excluded.
IM SO AMUSED I CAME LOOKING FOR A DEFINITE ANSWER ON WHAT EXACTLY THE DATES ARE AND IF THE NOTICE I RECIEVED WAS VALID. ITS FUNNY I SERVED 2 SEPERATE TERMS IN CHOWCHILLA CENTRAL CALIFORNIA WOMEN FACILITY AND ONE TERM THEY HAD ME UNDER KATHERINE C. AND THE NEXT TERM WITH A NEW NUMBER OVER 7 YEARS AFTER TERMINATING MY PAROLE I WAS IN CUSTODY UNDER CATHERINE C. (NOT LEGAL SPELLING) AND I RECIEVED TWO NOTICES WITH TWO CLASS MEMBER ID #S………WELL I USED TO THINK ALL I WOULD HAVE GOTTEN OUT OF PRISON WAS SOME BOXING LESSONS, GATE MONEY, NEW FAMILY, AND SOME BAD MEMORIES FROM CO’S BUT THE MONEY WOULD BE NICE MY TAX RETURNS ARE ALL FUCKED UP BECAUSE SOMEONES BEEN GETTING UNEMPLOYMENT IN MY NAME IN DIFFERENT STATES WHILE I WAS WORKING HONESTLY SO THIS WOULD BE NICE. IM LEAVING A LINK HERE FOR ANYONE MAN OR WOMAN WHO WAS IN CUSTODY AT CDCR https://www.correctcaresettlement.com/………
My information was stolen CDC # G31734 chavez
Yes, I was incarcerated at that time. And did receive a notice from C.D.C.R. that there was an data breach that occurred.
Johnny A.Moore, c.d.c.r.# K20033 incarcerated since 1998 release date of Nov.21,2023.
My brother who is incarcerated at the CIM facility in Chino Cal. He had all of is ID stolen, his pension fund hacked into and funds withdrawn. Another retirement account was hacked and the monthly checks sent to a new bank account that the hackers set up. They took all of his saving that where in his Net Spend account as well as Mobil bank. They had a driver’s l. made and a new birth certificate and took over his SS. account. He did not know he was hacked until it was too late as they got all of his money that he will need to live on when he gets out. He got a letter years ago but at that time it was just a notification without any follow up letters. Although I suspect that the guards don’t always give him all of his mail. Plus he has been transferred 3 times since the first letter went out. The prison officials have not done anything to help him. They did not even take a report. He has been shooed out of the offices and accused or running a scam on himself. They have not allow him to make any phone calls to the banks or his union that is where his pension is from. I have tried to contact authorities and I get shuffled on to another entity. I have talked to two ombudsmen without any results. The financial institutions won’t do anything unless I or my brother show that a police report has been filled. But no one in law enforcements will take the dang report. Currently his unit is in lockdown due to one crazy inmate that stabbed a guard. So what they did in put everyone in lockdown. That means his ability to try to get cooperation from any prison officials is off the table for now. I honestly believe that half the staff there are corrupt.
was there a law suit following this data breach? If so, is today the last day to submit your claim? Where? I was asked my an incarcerated person in Mule Creek.
A
I was in C D C R 2011 to 2022 do I qualify to be in the data breach law suit?