Begin Main Content Area

Data Security Incident Information

The DOC has sent letters to employees, inmates and others notifying them that their personal information may have been compromised by a security incident at a third-party vendor. 

The incident occurred on April 3, 2018, at Accreditation, Audit & Risk Management Security, LLC (AARMS), a vendor that provides an online system for the DOC to conduct, manage and track audits and inspections related to its accreditation and internal operations.

AARMS notified the DOC of the security incident on April 9, 2018, and it was at that time that the DOC became aware that employee, inmate and others' information could have been involved. The company reports that its system was accessed without authorization and a portion of the data on the system was exported.

The exact contents of the exported data remain unknown, but may include individuals' full names, driver's license numbers, home addresses, Social Security numbers and/or medical information. Directly following the incident, the DOC's data was removed from the AARMS server and returned to the DOC. The DOC has engaged relevant authorities, including the FBI, to obtain further information regarding the incident.

The data is currently maintained within the Commonwealth's secure infrastructure, where it continues to be vigilantly protected. The Commonwealth's information technology infrastructure remains secure and has not been affected by the AARMS security incident.

The DOC cannot confirm that any DOC data was included in the data exported by the unauthorized access, and we are not aware of any misuse of any individual's personal information.  Out of an abundance of caution, the DOC is offering credit monitoring and protection for one year at no cost to all potentially affected individuals.  Affected individuals need to register for the services by following the direction provided in the notification letters.

The DOC has identified approximately 13,100 inmates, 680 employees and 11 others who may have been affected by the incident.  Those who do not receive a notification letter are not within the identified scope of potentially affected individuals.