Sexual Assault Stitching together the response/aftermath of reporting and the criminal justice/survivor recovery system.

[dharmaBum]

Weird update: Throughout this process it looks like the claim manager has been emailing my personal identifiable information (PII) via the unredacted pdf application to providers, myself, and who knows who else in the form unsecure/unencrypted emails with attachments: social security number, name, birthdate, home address, business name and address.

I just documented and reported that to their privacy officer, including everyone who instructed me to email them that PII without offering an encrypted solution.

An aside, the claim manager made some sideswipe attack at some point by saying their office is currently handling hundreds of claims. In a state population of nearly 8 million folks, only "hundreds" of crime victims needing medical care have made it through the hurdles to be "handled." Am I one of the cases being "handled?"

 

[dharmaBum]

Weird update: Throughout this process it looks like the claim manager has been emailing my personal identifiable information (PII) via the unredacted pdf application to providers, myself, and who knows who else in the form unsecure/unencrypted emails with attachments: social security number, name, birthdate, home address, business name and address.

I just documented and reported that to their privacy officer, including everyone who instructed me to email them that PII without offering an encrypted solution.

An aside, the claim manager made some sideswipe attack at some point by saying their office is currently handling hundreds of claims. In a state population of nearly 8 million folks, only "hundreds" of crime victims needing medical care have made it through the hurdles to be "handled." Am I one of the cases being "handled?"

The claim manager "reply-all" responded to this report as, "Nothing to see here, Standard Operating Procedure." When I "reply-all" returned, "When will you answer my questions?" there have been crickets from the claim manager. The privacy officer replied directly to me that they will be researching my questions and responding when able.

 

[dharmaBum]

I ultimately got the final provider records confirmed sent to CVC, but then received an out-of-office auto-responder that the claim manager is absent for 3 more weeks and will process messages when they return. I had asked to be "copied" on the email confirmation sent after the fax of the records. The claim manager left a general email to use for "urgent" messages, which I used. It was urgent to know that the records had been received, properly attached to the file, and scheduled for review. The general email said they would forward my questions to a supervisor.

Simultaneously I follow-up on the PII breach specifically asking for the response protocol, because I know my social security, signature, everything you would need to craft an identity, is out there sitting on unsecure email servers from whomever the claim manager sent it to. He never responded with a list of where it had been sent. I know one of my counselors got it, she forwarded it to me, and I forwarded it back to the claim manager (not realizing at the time that it was an attachment with PII). I asked the counselor to delete her copy, and then realized she also had to delete her "sent" copy from her sent folder. There should be a one-sheet telling people what to do in this circumstance.

 

[dharmaBum]

Simultaneously I follow-up on the PII breach specifically asking for the response protocol, because I know my social security, signature, everything you would need to craft an identity, is out there sitting on unsecure email servers from whomever the claim manager sent it to. He never responded with a list of where it had been sent. I know one of my counselors got it, she forwarded it to me, and I forwarded it back to the claim manager (not realizing at the time that it was an attachment with PII). I asked the counselor to delete her copy, and then realized she also had to delete her "sent" copy from her sent folder. There should be a one-sheet telling people what to do in this circumstance.

The state agency reviewed my concern and said:

• To address your concerns regarding email encryption and security:
  • Our IT Security team will be conducting program wide training with the Crime Victims program about email security and encryption protocols.
  • The Crime Victims Program will be changing their procedures to ensure encryption is used appropriately

Which is a big deal. My report (which they found my PII had been shared unredacted 17 times) resulted in improved training and an actual change in a state-wide policy, which is a big deal.

The Crime Victims program will ensure that going forward any correspondences that may include the collection of PII will leverage the E2EE option. This may require additional steps on your end to interact with the email, but will add another layer of security ensuring that the email is only accessible by you outside of Labor and Industries.

This is great, but there is a medium amount of CYA in the email (mentioning they have consulted Legal Counsel) and pushing the responsiblity on to me to make sure that my medical providers they sent the unredacted/unsecured PII delete it properly. I can tell you the first one had not. They should have a letter that explains what to do, and that letter should come directly from the agency. I'm not responding or taking action for several days.

I feel glad they confirmed the security breach, and am relieved they realized it had to do with improvements they needed to make in their agency protocols (because if not I was going to have to tell them). I don't feel met in my distress or cared for in terms of "making me whole" as they stated that since a malicous 3rd party use hadn't been found that meant that no harm had occurred. But meanwhile, my signed application with tons of personally identifying and medically private information is just zinging around out there on email servers. They said that since they only sent it to medical providers that I had listed, even though it was unsecure and unredacted, it was pretty much fine.

People who understand bureacracies and institutions.. help me know what to do next?

 

[Friday]

People who understand bureacracies and institutions.. help me know what to do next?

I have to be in a particular headspace to understand bureaucrazy. LAWYERS get to skip the line (I’m BRITISH! I KNOW how to queue!). A lot like how shamens were outside of normal rules in society? Lawyers. Get. Shit. Done. when dealing with bureaucracy.

There are only 2 types of lawyers; those who make everything easier, and those who make everything impossible. The first subset is usually expensive as hell. Worth it though. If you need to do more than queue in an orderly fashion, 17 different times, returning to your first queue, in the end.

 

[dharmaBum]

I keep following up with this process. It has broken into three sections:
1. processing the actual current application
2. holding the agency accountable for their actions regarding the Independent Medical Exam
3. managing the details of the PII breach and confirming that the agency will not take accountability or corrective action regarding my personal data was that was sent unredacted through unencrypted email servers.

Meanwhile...
I am on the agenda as the first speaker after the introduction for a statewide legislative briefing on the crisis in crime survivor resources. There may be around 400 audience members, including 40-50 legislators. Coming up in just over a week!

 

[dharmaBum]

I keep following up with this process. It has broken into three sections:
1. processing the actual current application
2. holding the agency accountable for their actions regarding the Independent Medical Exam
3. managing the details of the PII breach and confirming that the agency will not take accountability or corrective action regarding my personal data was that was sent unredacted through unencrypted email servers.

Meanwhile...
I am on the agenda as the first speaker after the introduction for a statewide legislative briefing on the crisis in crime survivor resources. There may be around 400 audience members, including 40-50 legislators. Coming up in just over a week!

Yay! I gave my remarks at the legislative briefing. It was "testimony-style" which means there is no dialogue or follow-up, except that one legislator, in their remarks referenced my testimony. I felt relieved afterward.

This morning the agency managing the PII breach confirmend that they won't reach out to folks who received the PII with instructions for deletion/clean-up, so I sent the instructions and CC'd the agency. I feel nervous, because that is a pretty bold action coming from me.

The other half of the agency that has been slow-rolling my application for so long has been slow-rolling their response to my request for them to

<>reply with instructions for making a formal complaint.

Interestingly, at the legislative briefing the two other survivors who spoke and several of the legislators & service providers all highlighted that the current institutional responses to survivors are harmful, especially long wait-times. Who knows what is in store for my future? I hope to not get hassled by the agency re the PII breach AND would like to work on/draft legislation with an updated crime-survivors bill of rights. My most out-of-the-box thinking is that crime-survivors need connection and collective bargaining like in a union. Separated we are weakened through isolation and exhausted trying to "win" against institutions, although we have already "lost" via the nature of crime. United, the tales we can tell of similar non-trauma-informed, non-victim-centered, harmful policies and treatment are legion.

 

[dharmaBum]

YIKES!

I just sent my MASSIVE but not exhaustive formal complaint covering my current application experience to a variety of state agency recipients. There are no actual instructions for making a formal complaint to this agency, and I was told to send it to "email" and it will be forwarded to the appropriate manager. I've already been through several managers. I'm curious who will be deemed appropriate.

 

[dharmaBum]

YIKES!

I just sent my MASSIVE but not exhaustive formal complaint covering my current application experience to a variety of state agency recipients. There are no actual instructions for making a formal complaint to this agency, and I was told to send it to "email" and it will be forwarded to the appropriate manager. I've already been through several managers. I'm curious who will be deemed appropriate.

After not hearing anything for 48 hours, I sent a follow-up email expressing dismay at the lack of even a courtesy "read-receipt, fowarded to..." After 30 minutes, I received an email from the state agency program manager confirming receipt and a list of steps they are taking regarding my complaint, including consulting the state assistant attorney general (AAG). They have given a timeline of 12 calendar days before I should expect new contact, at which time they will schedule a phone consultation with myself and my advocate to discuss the results after they talk to the AAG.

 

[dharmaBum]

After not hearing anything for 48 hours, I sent a follow-up email expressing dismay at the lack of even a courtesy "read-receipt, fowarded to..." After 30 minutes, I received an email from the state agency program manager confirming receipt and a list of steps they are taking regarding my complaint, including consulting the state assistant attorney general (AAG). They have given a timeline of 12 calendar days before I should expect new contact, at which time they will schedule a phone consultation with myself and my advocate to discuss the results after they talk to the AAG.

In a day designed for crazy-making, I continue to wade through what feels like intentional cognitive dissonance.

1. I reach out to a legal advocate at one of the sexual assault resources centers (SARC) involved in the claim. The supervisor of all legal advocates, actually, in the largest resource agency in not just our state, but our region. She recommends legal counsel, knowing that today the state agency, CVC is engaging the Assistant Attorney General, which is apparently the legal team for state agencies.

2. The claim unit supervisor sends me a thought-terminating circular email where she repeats nonsense arguments and accepts no accountability, but actually shifts accountability to myself and the above SARC.

3. When I arrive home in the dark there are four letters from the CVC agency in my mailbox:
3a. They have discovered a letter from a counselor in 2012 protesting the closure of my claim
3b. They are "reopening" my 2012 claim, so my 2025 claim is moot
3c. The wretched IME from 9/25/25 has determined I am fixed and stable, so there is no need for further claim services
3d. All of my providers will get a letter asking if they agree with the IME

 

[dharmaBum]

I had an online meeting today with the Program Manager, Unit Supervisor, myself, my spouse and my sexual assault advocate. It was scheduled for one hour, but went for two hours. At least the tone from Program Manager Brimmer was contrite. The Claim Unit Supervisor was dismissive and did not present professionally on camera, often swiveling in the chair, and even applying chapstick at one point. Glad my spouse and advocate were there. So many words, but hard to recall or process details. The gist is the claim is open and a new claim manager will be assigned. There are some benefits for accupuncture now, so hopefully there will be a way to access that, as it is the most effective treatment.

Spouse was so steamed about lack of professionalism re: Supervisor's affect that he called the Program Manager afterward and asked for a different intermediary, even though there is the only claim unit supervisor. Program Manager said they would look for one.

Still had to reiterate I am waiting for a response in writing to my formal complaint.

Main takeaways from the Program Manager are:
CVC doesn't have formal process and timelines
CVC should treat applicants like the crime victims they are and should return calls and have reasonable timelines, etc.
CVC "owns" that they made mistakes.

No offer to address the impacts of the mistakes that were made in my case. Assurance that training will/may occur to make improvement.

I was very assertive about how my time would not be spent listening to excuses about how bureaocracies function. I was very assertive. I raised my voice at times. I spoke over people at times. I did not apologize.

In the end, the meeting only functionally addressed that there will be a new claim manager and they will need details about what type of treatment is made now.

Formal Complaint will be addressed separately.

There was no addressing of redress or recompense for decades of reduced quality of life due to claims denied "in error."

Neither Program Manager nor Claims Unit Supervisor were prepared to answer a basic question, "what amount of benefits have been paid out under this claim," although that question was sent in writing around 2 months ago. An additional similar appointment is scheduled in 2 weeks. Program Manager has not successfully consulted with the State Assistant Attorney General's office yet.

Claims Unit Supervisor made a very unfortunate statement early on saying that they had learned of the need to reopen the claim due to error due to her "deep dive" on the "files." At the crime victim's request. I made repeatedly known. Program Manager shared that all claim managers should do a deep dive on the file history when a claim that has been closed for a number of years has a reopening application.

Repeated confirmation that best practices in communication were not practice by Claim Manager, and then I was told to let him know "what I needed" as the claim went forward. He was not at the meeting. Spouse expressed "thumbs down," and that conversation led to the assignment of a new claim manager.

 

[dharmaBum]

Follow-up in writing received:
Program Manager conceeds all items on the formal complaint, apologizes, and promises improved training and timelines.
Risk Manager is compelled to address items unresolved in the PII exposure section of the complaint. He is pedantic and unrepentant. It's been about 7 days and I haven't figured out how to respond to that communication. Maybe I don't need to. He finally sent the PII Data Management policy for the agency, but only after being compelled to do so.

The claim is active and at first blush providers are connected to submit their billing after insurance.

I am told that I can submit receipts for services received I paid for out-of-pocket during periods where "corrections" of the claim to active status meant I would have been covered.

I am told that if I had refused to attend the hostile IME and my claim was denied, I would have had a right to appeal it to the state industrial insurance board, which is a review panel above the agency level. I'm told only orders that are issued as legal statements can be appealed, so there is no oversight for 8.5 months of time when no order was "issued."

That part is frustrating, as I'm quite the compliant customer. The earlier I had complained and/or refused, the less harm and stress I would have experienced, supposedly.

I've contacted 8 lawyers but haven't found one who will take my case as damages against the state. I'm waiting to hear back from 2 and there is one "Justice Project," which focuses on state agencies that I haven't reached out to.

It is all super overwhelming. I assume I am supposed to feel satisfied that the claim is active, but that is literally the least they could do.