The incident occurred on April 3, 2018, at Accreditation, Audit & Risk Management Security, LLC (AARMS), a vendor that provides an online system for the DOC to conduct, manage, and track audits and inspections related to its accreditation and internal operations.
AARMS notified the DOC of the security incident on April 9, 2018, and it was at that time that the DOC became aware that employee, inmate and others’ information could have been involved. The company reports that its system was accessed without authorization and a portion of the data on the system was exported.
The exact contents of the data remain unknown, but may include individuals’ full names, driver’s license numbers, home addresses, Social Security numbers and/or medical information.
“Upon learning of this security incident, the Department of Corrections moved quickly to limit any potential harm to individuals and made contact with the authorities,” said Corrections Secretary John Wetzel. “We have identified potential risks and notified individuals who may be affected, as well as provided help to ensure their credit is protected.”
Directly following the incident, the DOC’s data was removed from the AARMS server and returned to the DOC. The DOC has engaged relevant authorities, including the FBI, to obtain further information regarding the incident.
The data is currently maintained within the commonwealth’s secure infrastructure, where it continues to be vigilantly protected. The commonwealth’s information technology infrastructure remains secure and has not been affected by the AARMS security incident.
While the DOC cannot confirm that any DOC data was included in the data exported by the unauthorized access, the agency is not aware of any misuse of any individual’s personal information. Out of an abundance of caution, the DOC will be offering credit monitoring and protection for one year at no cost to all potentially affected individuals.
The DOC has identified approximately 13,100 inmates, 680 employees and 11 others who may have been affected by the incident. Those who do not receive a notification letter are not within the identified scope of potentially affected individuals.
MEDIA CONTACT: Susan McNaughton, 717-728-4025; Amy Worden, 717-728-4026.
# # #