State Dept. of Corrections notifies employees, inmates of online security incident with third-party vendor
HARRISBURG — A “security incident” at a third-party vendor may have compromised the personal information of employees, inmates and others involved with the state Department of Corrections, the DOC announced Monday in a press release.
The DOC says it has sent letters to those who may have been affected by the incident, which occurred on April 3 at Accreditation, Audit & Risk Management Security, LLC, a vendor that provides the online system the DOC usses to conduct, manage, and track audits and inspections related to its accreditation and internal operations.
The DOC it was notified by the vendor on April 9 that employee, inmate, and others’ information may have been compromised. The company reports that its system was accessed without authorization and a portion of the data on the system was exported.
The exact contents of the data remain unknown, but may include individuals’ full names, driver’s license numbers, home addresses, Social Security numbers and/or medical information, the DOC says.
“Upon learning of this security incident, the Department of Corrections moved quickly to limit any potential harm to individuals and made contact with the authorities,” said Corrections Secretary John Wetzel. “We have identified potential risks and notified individuals who may be affected, as well as provided help to ensure their credit is protected.”
Directly following the incident, the DOC’s data was removed from the vendor’s server and returned to the DOC. The DOC has engaged relevant authorities, including the FBI, to obtain further information regarding the incident.
The data is currently maintained within the commonwealth’s secure infrastructure, where it continues to be protected, the DOC says.
While the DOC cannot confirm that any of its data was included in the data exported by the unauthorized access, the agency is not aware of any misuse of any individual’s personal information. The DOC says it will be offering credit monitoring and protection for one year at no cost to all potentially affected individuals.
The DOC has identified approximately 13,100 inmates, 680 employees and 11 others who may have been affected by the incident. Those who do not receive a notification letter are not within the identified scope of potentially affected individuals, the DOC says.