ELK GROVE, CA (May 16, 2025) – On April 9, 2025, California Correctional Health Care Services (CCHCS) sent notification letters to approximately 4,100 patients for a privacy incident involving Protected Health Information (PHI).

A March 2025 audit revealed an incident where a CCHCS employee sent an unencrypted email with PHI to an unauthorized recipient’s personal email account in August 2023. The email included patients’ last names, CDCR numbers and health-related information.

Upon discovery, immediate actions were taken to investigate and mitigate any personal risks. CCHCS is actively investigating the full impact and implementing corrective measures. The recipient of the email has provided attestation that the email has been permanently deleted.

What is CCHCS Doing?

CCHCS takes data privacy and confidentiality of patient information seriously and remains committed to protecting the personal information of our patients. In response to this incident, CCHCS is reinforcing our security protocols and conducting an internal investigation.

Our investigation so far has determined that 4,105 CDCR patients were among those whose data was potentially impacted. CCHCS is sending notification letters to affected individuals to notify them of the breach and explain the actions being taken in response. This press release serves to provide information to potentially impacted individuals who may no longer be in custody to receive the letter.

Persons who feel they may have been affected by this potential data breach can contact CCHCS with questions or concerns via the following methods:

For non-media inquiries, please contact:

CCHCS Privacy Office
(877) 974-4722 or write to:

California Correctional Health Care Services
P.O. 588500, Suite D-3
Elk Grove, CA 95758-8500

For media inquiries, please contact
Lifeline@cdcr.ca.gov