CorrectCare has reached a settlement agreement of $6.49 million in a class action lawsuit concerning a significant data breach that affected nearly 600,000 prison inmates. The breach, which resulted from a misconfigured web server, exposed sensitive protected health information (PHI) of inmates who received medical care between January 2012 and July 2022. The affected facilities included various correctional institutions in Louisiana, Georgia, South Carolina, and California, where CorrectCare provided claims processing services for inmate healthcare.
The lawsuit was prompted by the exposure of highly sensitive information, including full names, birthdates, Social Security numbers, and specific health data such as diagnosis codes. Privacy advocates and experts have noted that this case is particularly significant because it demonstrates that even vulnerable populations, like prison inmates, can pursue and win class action privacy claims. Kirk Nahra, a privacy attorney, emphasized the need for enhanced security measures for incarcerated individuals, who often have limited access to protections in the event of a breach.
Under the terms of the settlement finalized by a federal court in Kentucky on September 17, class members who submit eligible claims may receive compensation of up to $10,000 for unreimbursed out-of-pocket losses directly linked to the data breach. These losses can include bank fees, credit reports, and other expenses incurred from the time of the breach until August 27, 2024. Additionally, eligible inmates from California may receive an extra cash payment due to the state’s Consumer Privacy Act, reflecting the unique legal protections available to residents.
While the settlement sum is noteworthy, some experts have pointed out that the compensation offered to inmates appears lower than amounts typically seen in similar data breach settlements. Notably, provisions for credit monitoring and injunctive relief to improve data security practices are absent from this settlement. The CorrectCare case serves as a reminder of the critical need for robust security measures within the corrections industry, as well as the importance of holding organizations accountable for protecting sensitive information, especially for populations that may be disproportionately affected by breaches.