Our Daily Breach 2024/10/04
Today's story is a tale of two breaches.
From January to July 2022, two file directories were publicly available on the internet. Anyone with the right URL could have casually browsed the deeply personal health information of 600,000 inmates across California, Georgia, Louisiana, and South Carolina. These records, belonging to individuals who had served time between 2012 and 2022, included full names, dates of birth, Social Security numbers, correctional ID numbers, and health procedures received. The company responsible, CorrectCare Integrated Health, LLC, tasked with managing medical claims for correctional facilities, left this data unsecured for months.
As a consequence, CorrectCare was forced to establish a $6.49 million settlement fund for victims of the breach. Individuals who could prove their data had been compromised were eligible to receive up to $10,000 for any unreimbursed losses "fairly traceable" to the breach. Under the terms of this settlement, victims had to take action, submitting claims and evidence of loss by August 27, 2024, in order to receive any compensation.
In a similar case, the Lehigh Valley Health Network (LVHN) announced in February 2023 that it had suffered a major breach. This time, 135,000 cancer patients had their personal information stolen, with some even having nude photos published by the BlackCat ransomware gang on the dark web.
The LVHN breach led to a settlement agreement of $65 million. Unlike the CorrectCare case, LVHN victims did not need to submit claims or prove losses. The settlement automatically included all affected individuals, with the largest portion (80%) allocated to victims whose photos were leaked. These individuals could claim compensation for time spent addressing the breach and for financial losses of up to $500,000.
While both breaches exposed deeply personal and sensitive data, the contrast in responses is stark. CorrectCare's breach affected 600,000 former inmates, but the settlement fund was only $6.49 million—equating to just over $10 per victim. Those impacted had to prove they were harmed by the breach, a burden placed squarely on the victims themselves. In contrast, the Lehigh Valley Health Network (LVHN) breach impacted 135,000 people—less than a quarter of the number affected by CorrectCare—yet their settlement was ten times larger, at $65 million. This works out to nearly $500 per victim. Moreover, LVHN victims did not have to prove their losses; they were automatically included, with the most vulnerable receiving priority. This sharp difference in compensation highlights an unsettling reality: society continues to devalue certain populations, particularly the formerly incarcerated, even in matters of justice and restitution. True rehabilitation means ensuring all individuals, regardless of their past, are treated with dignity and given the protection they deserve in the face of corporate negligence.
Our Daily Breach is going to take a break to enjoy the weekend, but we guarantee that there will be more breaches ;)