Thief on Thief Crime: Hackers Target the Incarcerated More Than You Think


They say “don’t do the crime if you can’t do the time,” but what happens when cybercriminals decide to commit their own version of double jeopardy? Instead of sentencing convicts to twice the jailtime, though, hackers often target people who are incarcerated and steal their identities.

In fact, a recent cyberattack on a healthcare company in Atlanta, GA affected the data within correctional facilities nationwide. CorrectHealth, which operates out of Forsyth County in Georgia, runs healthcare services in prisons all over the country. In late August, 54K inmates were potentially affected and notified about a data breach affecting their information.

What this Means?

Do convicts seem like an interesting choice for identity theft? They shouldn’t, when you consider the purposes of identity theft: Opening bank accounts and credit cards under false names, creating fake IDs or passports to travel incognito, and make transactions with little trace. Meanwhile, the victims in prison aren’t immediately notified of a breach and potentially are even barred from reacting to the full extent necessary to contain the damage. Identity theft needs to be taken up with the IRS, which is difficult to do behind bars and prevents victims from having someone outside help clean their systems and restore and -secure their data.

Additionally, inmates don’t get to choose their facility or healthcare providers; hence they can’t make choices about various cybersecurity measures that somebody free might make, such as changing log-in credentials or choosing service providers based on their own research and standards. Meanwhile, the prisons have PII from addresses, to full names to social security numbers. All of this makes the prisoners enticing targets to identity thieves, who can operate unseen and even (potentially) pin things on someone who already has a record.

CorrectHealth reported the breach to the both victims and the FBI, as well as other appropriate authorities. Some states, like Maine, require breaches to be reported to their Attorney General whenever a resident’s personally identifying information (PII) gets exposed. Nonetheless this incident raises questions about what people who are, or recently were, incarcerated can do to protect their online data.

Safeguarding PII (Record or No Record)

This is far from the first time that prisoners have been subject to cyber events. In 2020, the U.S. Marshals Service experienced a data breach that affected 387K former and current prisoners. If you get notified of a breach like this, you should sign up for a credit freeze or fraud alert system with a credit reporting agency to offset future damages you may otherwise incur from the incident.

Millions of Americans experience identity theft every year! People who are or have been to prison are no exception. In fact, they can be even more attractive targets to cybercriminals because they don’t have the same resources to monitor their data and report transgressions as someone with 24/7 access to their cards and accounts. It can take years and a lot of money to regain a stolen identity, but ex-cons aren’t the ones who should have to pay for this crime.


The CorrectHealth breach that occurred over the summer just goes to show that anyone, truly anyone, can be the victim of a cybercrime. Some bad actors go after big names with full pockets; others seek out the more vulnerable to exploit. If you ever receive a notification that your PII has been leaked, you should monitor your credit reports and other accounts for suspicious activity so you don’t end up in a years-long tango with the IRS to win your identity back.

Crime never sleeps! Follow our blog for the hottest tips on keeping your data cyber-secure.


Related Posts