The GEO Group, a company known for running private prisons and illegal immigration detention centers in the US and other countries, says it suffered a ransomware attack over the summer.
Personal data and health information for some inmates and residents were exposed during the incident, which took place on August 19.
This includes data for inmates and employees at the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now-closed facility in California, the company told ZDNet.
"GEO implemented several containment and remediation measures to address the incident, restore its systems and reinforce the security of its networks and information technology systems," the company said.
GEO said it recovered its data but did not say if this meant restoring from backups or paying the ransomware gang to decrypt its files.
In documents filed with the US Securities and Exchange Commission on Tuesday, the GEO Group played down the security breach and said its aftermath won't have any material impact on its business, operations, or financial results.
The company is now sending data breach notification letters to all impacted individuals.
Exposed personal details could include name, address, date of birth, Social Security number, employee ID number, driver's license number, medical treatment information, and other health-related information.
The incident impacted only a small portion of the GEO Group's network, which includes 123 private prisons, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom.
US government contracts accounted for more than half of the GEO Group's 2019 revenue, according to the company's yearly 10-K form filed with the SEC.
The company's stock price fell 14% from $9.76 at the end of trading on Tuesday to $8.38 the next day, after GEO disclosed the incident.