It seems hard to imagine that companies still suffer accidental data breaches, but it happens with alarming frequency and it led to a ‘Magic: The Gathering’ data breach. It may be an employee who downloads some malicious software or falls for a spear phishing campaign, or someone who leaves an unsecured laptop or flash drive out. Regardless of how it happens, what is important is that it happens often enough that more companies should be safeguarding themselves from this kind of threat.

One frighteningly common event is the accidental overexposure, which occurs when a company unintentionally puts its sensitive information online for anyone to find. Sadly, even though they are doing it by mistake, that does not stop malicious people from finding the information and using it.

The most recent example of a company leaving a database of customer information exposed on the internet is Wizards of the Coast, the developer of the popular game, ‘Magic: The Gathering.’ It led to a ‘Magic: The Gathering’ data breach. This card-based game has been widely popular for many years and has a devoted following. Unfortunately, the owners used an unsecured Amazon Web Services bucket. This online server contained customer data for more than 452,000 users, including usernames and hashed and salted passwords. However, the information was not encrypted.

Accidental data breaches like the ‘Magic: The Gathering’ data breach have happened to numerous well-known, large-scale companies recently. It is always with the same issue that the requirement to password protect the server is turned off by default. Unless the company opts to password protect the server and takes the steps to do so, their information can go online without any kind of wall around it.

Unfortunately, TechCrunch reported this incident with a somewhat bothersome finding. A security company called Fidus Information Security discovered the database of information and contacted the game developers. However, there is no way of knowing if anyone else had already compromised the information. In this case, as TechCrunch states, “Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.”

One of the most critical things any company can do during a data breach like the ‘Magic: The Gathering’ data breach is to respond in a timely way. Leaving the information online while looking into the matter or failing to notify the customers of the breach quickly is not the best way to protect anyone. The developer has informed affected customers to change their passwords and has reported the breach to officials who oversee the EU’s privacy compliance regulations.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Three-Pronged Web Service Data Breach A Cause For Alarm

Virtual Reality Privacy Concerns

Who is Responsible for Fraud Prevention? Join the Fraud Week Twitter Chat with ACFE!

Three web services recently suffered a web service data breach in August. The news broke from Krebs On Security that users of Network Solutions, Register.com and Web.com may have received notice that an unauthorized user was able to gain access to certain important pieces of information from users’ accounts.

Domain Registration Websites

The three companies in question have a very important place in the online business world. They register website domain names, which means that if you create a website, they may hold the key data around that website. This web service data breach is particularly alarming if your website had sensitive information about the owners—including names, email addresses, phone numbers and physical addresses—which may have been compromised. Sensitive websites might be political in nature, may involve children’s photographs or identifying features or might pertain to marginalized communities of people.

Change Your Password Immediately

So far, Web.com, which owns both of the other two registration companies, has only issued a blanket warning to customers to change their passwords. The web service data breach notification is available on a separate section of their website, but none of the companies list this important announcement on their home pages.

If you have registered a website via any of these companies, it is important to change your password right away. However, even if you have not used one of them, it is encouraged to take this time to go to your domain registration company and change your password for good measure.

Watch For More Sophisticated Phishing Emails

Phishing attacks are another serious concern from breaches like the web service data breach. Hackers use or sell your email information in order to flood you with spam emails, mass marketing and fraud attempts. It would be easy for someone to create a fake email that appears to come from one of these companies and then send you an email demanding your login credentials or financial information. Be on the lookout for these kinds of approaches, and know how to respond to a potentially harmful email or text message.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Adobe Account Information Leaked After Server Left Unsecured

Be on the Lookout for 2020 Census Scams

Hy-Vee Cards Stolen in Recent Data Breach Are Fetching a Higher Price on Dark Web Websites

According to our 2018 End-of-Year Breach Report, there were a total of 135 financial, credit and banking data breaches, exposing 1,709,013 records last year. In the report, banking/credit/financial had the third-highest amount of data breaches of the five industry categories the Identity Theft Resource Center tracks. Of all the data breaches recorded in 2018, hacking was the most common form of data breaches. That trend has been noticeable throughout our 10,000 Breaches Later blog series and continues to play a role when it comes to financial, credit and banking data breaches.

Sign up for our ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one of many reasons why the ITRC  has been working to empower financial, credit and banking identity theft victims with the resources they need to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last month, we looked at some of the largest government and military data breaches. Now we shift our focus to the top five most impactful financial, credit and banking data breaches (as well as a bonus breach) for consumers.

Capital One

Just three months ago on July 29, 2019, Capital One announced that a hacker had gained access to 100 million U.S. and six million Canadian Capital One customers’ accounts and credit card applications in March of 2019. Individuals and small businesses were affected by this data breach that disclosed names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances. Roughly 140,000 Social Security numbers (SSNs) and 80,000 linked bank account numbers were also exposed. At the time of the breach, the ITRC urged consumers to take action, freeze their credit, be aware of scams and to document all of their steps they were taking if they were impacted (utilizing our ID Theft Help App as one tool). This breach was particularly impactful due to the high amount of SSNs and bank account numbers exposed and the gigantic amount of accounts accessed. A stolen Social Security number can lead to multiple types of identity theft, including financial identity theft, government identity theft, criminal identity theft, medical identity theft and utility fraud.

JPMorgan Chase & Co.

First reported in August of 2014, JPMorgan Chase & Co. experienced a cyberattack that allowed hackers to access the personal information of 76 million households and seven million small businesses. The information accessed included names, addresses, phone numbers, email addresses and internal JPMorgan Chase & Co. information of those users. Customers affected by this breach were those who used Chase.com, JP Morgan online, Chase Mobile and JP Morgan Mobile. Many JPMorgan Chase & Co. customers were impacted because JPMorgan Chase & Co. did not have to send out notification letters to affected consumers in many states because the breach did not expose sensitive information like account numbers, passwords, dates of birth and Social Security numbers. Instead, Chase posted a blanket statement on the homepage of their website. That left some individuals affected on their own to figure out what to do.

CardSystems

Credit card processing company, CardSystems Solutions, Inc., discovered in May 2005 and reported one month later that they had experienced a  data breach in which a hacker was able to insert a virus into the computer system that captured customer data. Around 40 million Visa and MasterCard credit and debit card accounts were affected. Following the breach, Visa said it would continue to work with CardSystems when the case was resolved. MasterCard said that it would give CardSystems a limited amount of time to demonstrate compliance with MasterCard’s security requirements. The data breach led to Visa and MasterCard dropping CardSystems as their credit card processor. An important point for consumers to understand in this instance, in particular, is that many institutions utilize third-party vendors that can have a detrimental impact on their data even if the consumer is as vigilant as possible.

BNY Mellon Shareowner Services

On February 27, 2008, Bank of New York Mellon (BNY Mellon) lost a box of backup tapes in transit to a storage facility that contained the names, addresses, dates of birth and Social Security numbers of 12.5 million customers. Connecticut Attorney General Richard Blumenthal said he was alarmed and deeply concerned at the time of the breach. Notification letters were sent to those affected in May and the breach had such a large impact the bank went on to hire more customer service representatives to handle the influx of calls from concerned customers. This is a reminder that if you are impacted by a breach, it is important to take the necessary steps to protect yourself.

Scottrade

In October 2015, retail stock brokerage firm, Scottrade, INC., disclosed that hackers had stolen client contact information and SSNs for 4.6 million customers. In an email notice sent to customers, Scottrade said that although SSNs, email addresses and other sensitive data were contained in the accessed system, they believed that only client names and street addresses were the focus of the hack. However, the company said it would offer those affected identity theft protection services “as a precaution.” At the time of the breach, federal authorities were also investigating similar thefts at other financial services companies. It is important for consumers to realize that even if a company believes that only certain records where the targets, any data that may have been compromised opens those impacted to much more risk than an organization may communicate in its notification.

Bonus Breach: First American Financial Corp.

In May 2019, it was reported that financial services corporation, First American Financial Corp., had been exposing a massive 885 million real estate and mortgage-related documents through its website. By simply altering a nine-digit record number attached to a transaction link, users were able to potentially pull up other transaction documents containing information such as names, phone numbers, addresses, driver’s licenses, Social Security numbers, bank account numbers and statements, mortgage and tax records and wire transactions receipts. In an update posted by First American regarding the financial, credit and banking data breach, the investigation only identified 32 consumers whose non-public personal information was likely accessed without authorization. This breach could have led to mortgage fraud where a hacker tries to take out a loan in the victim’s name as well as other types of fraud like title fraud.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted understand how to minimize their risk and mitigate their data compromises. If you have received a data breach notification letter, call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do.

In our final 10,000 Breaches Later blog, we will take a look at some of the biggest education data breaches since 2005 and the effect they have had on children, parents and teachers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

10,000 Breaches Later: Top Five Business Data Breaches

A lot of data breaches are the work of highly-skilled hackers who use technical know-how to infiltrate a company’s cyber defenses. Others are not so elaborate, such as when a low-level criminal sends a phishing email to a company employee, one that contains a virus purchased on the dark web. While those two malicious scenarios involve different ability levels, there is a whole other possibility for data breaches, that being accidental overexposures. The Adobe account information leak followed a similar scenario.

When a company employee allows information to simply exist in a way that anyone can steal it, it is called an accidental overexposure. Unfortunately, recent news has demonstrated that far too many businesses are storing their sensitive data in cloud-based storage solutions, then failing to secure it.

As the recently announced Adobe Creative Cloud breach, leading to Adobe account information leaked shows, all it takes is uploading a few customers’ login credentials—or in this case, about seven million customers’ data—to a cloud-based storage bucket and then not switching the default setting of “no password required” to a password-protected option.

Security researcher Bob Diachenko and Comparitech discovered the database of emails, usernames and product selections online, available to anyone who stumbled upon it in their web browser. While some estimates show that the database was left exposed for about a week, there is no way of knowing how long it was visible. The experts who found it alerted Adobe, who secured the database that same day after Adobe Account information leaked.

Unfortunately, with such a common occurrence as this, there is really only one recourse consumers have. It is imperative that all tech users rely on strong, unique passwords for all of their online accounts, and that they change these passwords regularly. That way, if a database is left exposed and a nefarious actor discovers it, the password contained in the database will be useless because it is outdated.

Also, as the information contained in this breach event shows, learning how to spot spam and phishing emails is another way to protect yourself. With limited information such as this, scammers can easily send users emails that masquerade as communications from Adobe, even going so far as to list the exact products the recipients use. Be alert to this kind of tactic, and know how to protect yourself from emailed threats.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Hy-Vee Cards Stolen in Recent Data Breach Are Fetching a Higher Price on Dark Web Websites

Millions Of Venmo Payments Accessed Publicly

Best Western Open Database Exposes Government Records

Dark web websites contain a lot of stolen information, and that now includes Hy-Vee cards selling at unusually high prices. When an identity thief steals your information, you might be surprised to discover how little you are actually worth, at least when it comes to posting your data for sale on dark web websites. Hackers often fetch as little as $1 apiece for complete identities, largely because they can sell them to multiple people and because they often upload entire databases containing thousands of identities at a time.

However, a recent data breach shows an alarming departure from the ordinary. Hy-Vee stores suffered a breach in which customers’ credit card information was stolen, and these and other Hy-Vee cards are now appearing on dark web websites for as much as $17 to $35 each. What brought on such an unheard-of price increase?

First, these Hy-Vee cards are verified to work. Unlike phony cards or even ones that were stolen from your wallet, for example, this is a massive trove of card numbers that were used recently. If they were listed for sale on dark web websites before Hy-Vee was notified of a breach, then there would have been no reason for the cardholders to cancel them. Even if a client bought a hundred or a thousand sets of card numbers, some of the Hy-Vee cards should still be working.

Security experts say that credit cards have begun fetching a higher price overall recently, possibly due to the ability to use a credit card online before even paying the thief who stole them, just to prove they still work. From there, criminals use the cards to buy high-priced items that they can sell for a quick profit on dark web websites.

Remember, if you receive a data breach notification letter, it is important that you take it seriously. Follow the steps outlined in the letter and contact your credit card company immediately if your card was affected.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

California Improves Outdated Privacy Law with Biometric Protection

How Zombie Apps and Accounts Can Come Back To Life

Worst Places in the U.S. for Identity Theft

While data breaches of any kind are alarming enough, a business data breach that can leak information from an open database relating to national security can be very scary. For example, the Office of Personnel Management breach in 2015 leaked the complete identities, sometimes including background checks, fingerprints and even information pertaining to security clearances, for about 21.5 million people who work for or are related to an employee of the U.S. government.

A data breach of a hotel chain reservation system might not seem as significant as the OPM breach, but in its own way, it could be. Autoclerk, a reservation management system used by the Best Western Hotels and Resorts company, was the target of a breach of an open database that leaked names, addresses, birth dates, obscured credit card information, dates of reservations and even room numbers for thousands of people. In total, there are expected to be hundreds of thousands of individual reservations in the cache of data.

Hotel reservations might not seem that serious, but any data breach of government records is a notable event. It is especially troubling when many of these guests are military or government personnel traveling on official business. The information pertaining to locations, dates and names could prove useful to someone with an interest in it. The data from the open database contained past travel arrangements and upcoming scheduled trips for officials in the military and the Department of Homeland Security. The government records even reportedly included the names of officials who have scheduled trips to Russia and Israel, among other places.

What is worse is that the information from this data breach was discovered online with no encryption. Anyone who had reason to look for it could locate it and sift through its contents.

This is the kind of event that should serve as a wake-up call to anyone who uses technology. There is no such thing as a “foolproof” system that can keep every hacker out. It is up to individuals to do their part in keeping outsiders from finding out too much about their personal information and their activities. Protecting your information and your sensitive details should be paramount when operating any type of technology.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Popular VPN Provider, NordVPN, Breached by Hackers

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Facebook Lottery Scam Brings Attention to Hoaxes, Phishing Attempts and Account Takeovers

Many security-minded tech users employ a virtual private network (VPN) when they’re online as their own private tunnel on the internet. But, it could be a bit of a disaster if someone managed to break into a VPN provider’s servers and uncover what its subscribers have been up to. That appears to be what happened to one of the world’s most highly recommended providers, NordVPN.

The Impact on Users

In response to the NordVPN breach, the company has issued a statement following online speculation about a breach of its system. Apparently, someone gained access to an expired internal private key, which let them recreate one of NordVPN’s servers on their own system. Some sources have said that the only way this would have been possible is if the hacker had “root access to a container server,” which would have let them uncover a lot of information, but that has not been confirmed by the company. In fact, NordVPN’s statement indicates that no compromising information could have been accessed since the company does not gather, store, or sell its customers’ logs.

While the company assures its users that their login credentials and internet activity could not have been accessed, it’s important to understand that tools like a VPN are only an additional layer of protection. They’re not meant to be the entire fortress that protects your browsing or your identity. Interestingly, two other VPN providers have been mentioned in this same incident as having also been breached, but those have not been confirmed.

Protect Your Browsing

Obviously, VPNs are supposed to keep people from being able to see what you do when you’re browsing, shopping, using your financial accounts, and more. Also, they have a special feature that allows you to “reroute” where the internet thinks you’re logging in from. That means someone in one country can use a VPN and appear as though they’re logging in from another country; there are quite a few legal reasons why someone might want to do that.

As such, everyone from privacy-focused parents who want to protect their kids online to journalists who are reporting from deep within a dangerous zone might benefit from a VPN. Business users are especially likely to use one since they can help protect proprietary information, keep sensitive documents from leaking to the public, safeguard new projects, and more.

Keep Up Your Identity Hygiene

Protect yourself online and via mobile by locking down your identifying information, securing everything with strong passwords, and using two-factor authentication when you can. Remember, cybersecurity is often a leap-frogging game of catch-up; as new security tools come to market, hackers find new ways to break into them or abuse them. Therefore, it’s important that you treat all of your security measures as safety nets, not the sum total of your online protection.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

One Simple Way to Not Get Your Twitch Account Hacked

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Are You CyberSmart? Majority of U.S. Adults Lack Digital Knowledge

According to the Bureau of Labor Statistics, there are nearly 22 million government employees in the United States; according to the New York Times the U.S. has 1.3 million active-duty troops and 865,000 military members in the reserves. That is over 24 million Americans combined in the U.S. government and military.

The Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report showed 79 data breaches impacting military and government entities, exposing 5,302,846 records. In 2017 those numbers were even higher with 99 breaches that exposed 9,927,798 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the government/military industry category had fewer breaches in 2018, the ITRC continues to empower identity theft victims – particularly those that are victims of both government agencies and the military breaches – with the resources and tools to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we took a look at the most impactful medical and healthcare data breaches. This week we continue with our latest installment looking at the top five military and government data breaches that impacted U.S. consumers and personal information that was compromised.

Office of Personnel Management (OPM)

For the third time in our 10,000 Breaches Later blog series, OPM makes the list. In June 2015, The U.S. Office of Personnel Management (OPM) suffered two separate hacking events that exposed background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint/biometric data and security clearance information. It also exposed personally identifiable information (PII) of dependents including SSNs, birth dates and other information. It was a sophisticated, large-scale hacking event that led to the creation of the National Background Investigations Bureau (NBIB). The impact to those Federal employees and their dependents was potentially catastrophic given the amount and sensitivity of the data compromised.

U.S. Military – National Archives and Records Administration

In October 2009, the Inspector General of the National Archives and Records Administration announced a military and government data breach that impacted 76 million U.S. military veterans. The incident involved a defective hard drive that was sent back to its vendor for repair, determined unrepairable and sent to another firm to be recycled. While sent to be recycled, it still contained PII and sensitive PII of veterans. The hard drive helped power eVetRecs, a system used by veterans to request copies of health records and discharge papers. With that type of information available to a fraudster, the potential for government identity theft and benefits fraud could create havoc for a veteran seeking services.

United States Postal Service (USPS)

Right before the holiday season in November of 2018, and weeks after the Secret Service issued an alert that cybercriminals were using the United States Postal Service’s Informed Delivery feature to commit fraud and identity theft, the USPS announced that they had fixed a flaw in their system that exposed the personal information of 60 million users. Any user could login to an usps.com account to query the system for details belonging to other users due to the flaw. Some of the details users could have had access to included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data. All of that information meant that not only could a thief potentially know what was coming to your mailbox, but they could also pose as the address-owner and have the mail rerouted, creating a huge issue for folks with sensitive mail on the way to them.

Government Payment Service, Inc. (GovPayNow.com)

In September 2018, Government Payment Service, Inc., who is contracted by thousands of government agencies – including Federal, state, regional and local/city/town governments – to process payments related to government fees and fines, announced that their payment portal had exposed 14 million customer records. The online system allowed registered users to access copies of their receipts. However, access was not properly restricted and unauthorized recipients were able to view other user’s receipts by simply changing the digits displayed in the web address. Information that could be viewed on the receipts included names, addresses, phone numbers and the last four digits of payment card numbers. This breach also covered data stretching all the way back to 2012. The payment service released a statement saying they updated their system to ensure that only authorized users could view their individual receipts.

California Secretary of State

The California Secretary of State announced in December 2017 that they were investigating a cyberattack in which hackers stole the data of California voters and held it for ransom payable in Bitcoin. The information accessed included the names, addresses, phone numbers, email addresses, places of birth and gender of 19.2 million voters. According to DarkReading, the Kromtech researchers stated they had not been able to identify the owner of the database and believe it could have been a political action committee or a specific campaign based on the unofficial title of the repository. However, they reiterated that was only a suspicion. Access to voter records can create a treasure trove of information for a fraudster, but it can also provide a wealth of information from state-actors attempting to influence election outcomes. Consumers should be aware of the sensitive nature of voter data and the potential unique identity theft aspects that could come from its exposure.

Coming Up In 10,000 Breaches Later

As we recap military and government data breaches, the ITRC hopes to help those impacted – both as consumers, businesses and government entities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just toss it aside or file it away. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a government or military entity impacted by a data breach incident, please reach out to the ITRC at itrc@idtheftcenter.org to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

As part of this series, in our next 10,000 Breaches Later blog, we will take a look at some of the top banking, credit and financial breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.


You might also like…

“Federal Government Empowerment Money Program” Scam Circulates on Social Media

In New Scam, Criminals Pose as Government Officials Pretending to Help with Identity Theft

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

A Sarrell Dental data breach has led to notification letters being sent to all of its patients after ransomware was discovered on its servers back in July. The software, believed to have been installed as early as January 2019, does not seem to have locked up the network or encrypted any files, and Sarrell Dental, the largest dental provider in the state of Alabama, did not pay any sort of ransom.

However, this is still a serious matter. Sarrell actually shut down its entire network for two weeks following the data breach and hired outside experts to investigate the discovery. The company found no evidence that any patient information was accessed, stolen or compromised, but they are not taking any chances. All individuals who were believed to have been affected by the Sarrell Dental data breach, although that total number has not been disclosed, reportedly received notification letters last month. These letters contained instructions for receiving free credit and identity monitoring for a predetermined period of time.

Medical offices are hot targets for this kind of attack due to the sheer volume of data they collect on patients. Also, the resulting fines and lawsuits related to privacy violations and interruptions to patient care can lead many providers to simply pay the demanded ransom, which can lead hackers to strike in hopes of a nice payoff.

Unfortunately, as some organizations have already learned, paying the ransom in this kind of event does not guarantee the files will be unlocked or the data that was compromised will not be stolen or used. In some reports, hackers have not only withheld the unencryption key following receipt of the ransom payment, but they were also actually unable to unlock the network due to the type of ransomware they had used.

Sarrell’s patients received their notification letters beginning around September 12, 2019. However, there is a strict deadline for taking advantage of the security tools that Sarrell Dental is providing to affected patients following the Sarrell Dental data breach. All applications must be completed by December 12, 2019, and instructions for signing up are in the notification letter.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

One Simple Way to Not Get Your Twitch Account Hacked

Do Your Boss a Favor and Don’t Fall for a Gift Card Scam

Instagram Creates New Feature That Fights Phishing Attacks

According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.

Sign up for the ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft – especially of their highly sensitive personally health information (PHI). Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem

In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach and the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the United States. Nearly 80 million consumers were impacted with information like names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parent’s healthcare plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. Anthem agreed to take corrective actions in 2018 by paying the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of HIPAA Privacy and Security rules. This created awareness among consumers that while their health information was regulated under HIPAA, that didn’t mean that it wasn’t at risk for exposure – and not just their health information but a host of other components to their identity.

American Medical Collection Agency

Third-party billing and collections agency, American Medical Collections Agency, experienced a medical and healthcare data breach with an intrusion in its payment system in March of 2019. That intrusion exposed personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics who reported approximately 11.9 million of their patients were impacted. Some of the data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information like patient account numbers and health insurance numbers. The information exposed varied entity to entity since the same information was not provided to AMCA for their patients. As of this blog’s publish date, we’re still receiving notifications of medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers pretending to be Premera IT, sending employees phishing emails with links containing malware. This data breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information that could have been included in clinical information were some of the information exposed. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 if class members can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time including health insurer Excellus Blue Cross Blue Shield. This medial and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP discovered the breach one month prior after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. In fact, the message included a ransom note demanding $10 million in seven days or the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As we can see by these examples, static information like Social Security numbers, date of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

12 Million Quest Diagnostic Patients Exposed in Third-Party Breach

Medicaresupplement.com Data Breach Caused by Accidental Exposure

10,000 Breaches Later: The Benchmark Breaches That Created Systemic Change