Posts

According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.


This is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft – especially of their highly sensitive personal health information (PHI). Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem

In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach and the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the United States. Nearly 80 million consumers were impacted with information like names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parents’ healthcare plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. Anthem agreed to take corrective actions in 2018 by paying the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of HIPAA Privacy and Security rules. This created awareness among consumers that while their health information was regulated under HIPAA, that didn’t mean that it wasn’t at risk for exposure – and not just their health information but a host of other components to their identity.

American Medical Collection Agency

Third-party billing and collections agency American Medical Collection Agency (AMCA) experienced a medical and healthcare data breach with an intrusion in its payment system in March of 2019. That intrusion exposed personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics, which reported approximately 11.9 million of its patients were impacted. Some of the data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information like patient account numbers and health insurance numbers. The information exposed varied from entity to entity since the same information was not provided to AMCA for their patients. As of this blog’s publish date, we’re still receiving notifications of medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers pretending to be Premera IT, sending employees phishing emails with links containing malware. This data breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information that could have been included in clinical information were some of the information exposed. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 if class members can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time including health insurer Excellus Blue Cross Blue Shield. This medical and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP discovered the breach one month prior after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. In fact, the message included a ransom note demanding $10 million in seven days or the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As we can see by these examples, static information like Social Security numbers and dates of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



In our 2018 End-of-the-Year Data Breach Report, the Identity Theft Resource Center reported 907 data breaches that impacted the business sector; that is more than the number reported for the banking, education, government and medical sectors combined. Of the five industry categories ITRC tracks for data breaches (banking/credit/financial; business; education; government/military; and medical/healthcare), business-related data breaches are the most common.


That is just one reason why the ITRC has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999. Our mission is to help people proactively reduce their risk of becoming a victim of identity theft and to empower them if they become a victim. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. We’re continuing our 10,000 breaches blog series with a look at the top five business data breaches that impacted U.S. consumers and personal information compromised.

Starwood Hotels & Resorts Worldwide, LLC. (Marriott International)

In November 2018, Marriott announced that its Starwood guest reservation database had been accessed by an unauthorized user. Nearly 383 million records were accessed in this business data breach, which included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates and encrypted payment card numbers. Hotels are typically hot targets for data thieves due to the sheer volume of people’s data available.

Heartland Payment Systems

Payment processor Heartland Payment Systems announced in January 2009 that its processing systems had been breached one year prior, affecting thousands of businesses and banking institutions. Around 130 million consumers’ credit and debit card information had been stolen, including cardholder names, card numbers and card expiration dates, putting all consumers at risk for fraud. An investigation into the business data breach began once Heartland received notifications from Visa and MasterCard about suspicious activity surrounding the payment system’s processed card transactions.

Equifax

Once again, Equifax makes the list. As many people know, in 2017 Equifax experienced a hack that exposed the personal information of 148 million U.S. consumers, including names, dates of birth, Social Security numbers, addresses, phone numbers, Driver’s License numbers, email addresses, payment card information and Tax ID numbers. In July 2019, Equifax reached a $700 million settlement due to its business data breach and agreed to spend up to $425 million to help the victims of the breach. If you were affected, you can file a claim for cash or free credit monitoring services. You can also file a claim for a minor who has been impacted. If you have questions about the settlement and what it means, read more here.

Experian/T-Mobile

In September 2015, Experian North America disclosed a breach of their computer systems that affected 15 million applicants for device financing from wireless provider T-Mobile. Names, birthdays, addresses, Social Security numbers, alternate forms of identification (such as Driver’s License numbers, passport numbers or military ID numbers) were some of the information exposed. While the business data breach impacted Experian’s services, it did not affect their consumer credit database. According to T-Mobile, Experian took full responsibility for the theft of data from its server and offered free credit monitoring services to all the consumers who were potentially at risk.

MyFitnessPal (Under Armour)

It was discovered that an unauthorized party acquired data associated with Under Armour’s MyFitnessPal user accounts in March of 2018. Approximately 150 million user accounts were compromised in the business data breach, exposing usernames, email addresses and hashed passwords. MyFitnessPal released a notice of data breach stating they quickly took steps to determine the nature and scope of the issue and were working with data security firms and law enforcement authorities in an investigation. In the same statement, MyFitnessPal recommended users change their passwords for all their MyFitnessPal accounts, review their accounts for suspicious activity, be cautious of any unsolicited communications that ask for their personal data and avoid clicking on links or downloading attachments from suspicious emails. (These are practices the ITRC encourages consumers to take with all of their accounts to reduce their risk of identity theft.)

Coming Up In 10,000 Breaches…

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top medical and healthcare breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

 


By 2021, over 2.14 billion people worldwide are expected to buy goods and services online, up from 1.66 billion global digital buyers in 2016. That means retail data breaches will also be on the rise as point-of-sale (POS) systems, e-commerce sites and other store servers are major targets for hackers looking for large volumes of personally identifiable information (PII) and behavioral data.


That is one reason why the Identity Theft Resource Center has been working to empower identity theft victims with the resources and tools to resolve their cases since 1999, including helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports published.


ITRC currently tracks five industry categories: banking/credit/financial; business; education; government/military and medical/healthcare. ITRC is a leader in reporting new data breach trends. We’re continuing our 10,000 breaches blog series with a look at the five most impactful retail data breaches for consumers.

Target

Retail giant Target makes the list for their 2013 data breach that exposed the payment card information of 40 million people and the personal information of 70 million. Hackers were able to infect Target’s POS systems with malware, disrupting holiday shopping for millions of consumers. Between Black Friday and Christmas shopping, anyone who shopped at Target from November 27 to December 15, 2013 was at risk for fraud. In a public statement to customers, Target said they moved swiftly to address the issue and that they regret any inconvenience it might have caused.

TJX Companies

In January 2007, TJX Companies Inc., operator of stores like T.J. Maxx, Marshalls and HomeGoods, experienced a retail data breach that affected 94 million customers. Payment card information and customer return records, which included driver’s license numbers, military I.D. numbers or Social Security numbers, were stolen by hackers who were able to gain access to TJX’s computer systems that process and store transaction information. TJX reached settlements with a majority of entities in 2007 and 2008.

Home Depot

Target is not the only retailer that experienced a breach of their POS systems. In 2014, Home Depot announced that they had experienced a retail data breach affecting their payment card processing systems. The hackers were able to steal the payment card information of 40 million customers and emails of 54 million. Since the incident, there have been 57 lawsuits filed against the large retailer. While the company did not admit any wrongdoing, they say they settled so they could move forward and put the incident behind them without incurring further costs.

Hudson Bay

Hudson Bay, parent company of Saks Fifth Avenue and Lord & Taylor, experienced a retail data breach that affected the payment card information of five million customers in 2018. Most of the stores affected were located in New York and New Jersey. It is reported that the retail data breach only affected in-store purchases and did not affect its e-commerce sites. In a statement, Hudson Bay said they deeply regretted any inconvenience or concern the breach may have caused. They also said there was no indication that Social Security or driver’s license numbers were stolen.

Hannaford Brothers

In 2008, supermarket company Hannaford Brothers was breached. It affected just over four million customers. Malware was placed on 300 Hannaford servers as part of the retail data breach which allowed hackers to steal customers’ payment card details as they were used at the check-out. Of the just over four million customers who were affected, more than 1,800 reported their credit cards had been used.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a business impacted by a data breach incident, please reach out to us to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the biggest business breaches since 2005 and what they meant for consumers. For a look at all of the ITRC’s 10,000 breaches blogs, visit idtheftcenter.org.


The Identity Theft Resource Center has been working to empower breach victims with the resources and tools to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft, especially after they were impacted by a data breach. Since 2005, the ITRC has recorded over 10,000 publicly notified breaches. Here is a look at five watershed moments that created systemic change for consumers.

Equifax

In 2017, 148.8 million people were affected by this impactful data breach, which, through the Freedom from Equifax Exploitation Act, led to free credit freezes and regulation changes, as noted in ITRC’s “Equifax One Year Later Aftermath Report.” On July 22, 2019, Equifax reached a $700 million settlement with the Federal Trade Commission (FTC) where Equifax agreed to spend up to $425 million to help victims of the breach. And it’s changing the standard of proof for settlements – shifting the onus from the entity that was breached to the consumer having to prove that they were impacted. Because of Equifax, we’re still seeing people push for data breach law reform.

Target

During the busy holiday season in 2013, Target was hit by a data breach that exposed the credit card data of 40 million people and the personal information of 70 million, upsetting lawmakers. This breach made customers uneasy about using payment cards and was a catalyst for pushing forward the adoption of chip card technology. It also created a greater understanding of the need for authentication options. Consumers are now more acutely aware of their transactional engagements with retailers and how their financial information could be a gateway to other types of compromise.

Anthem

In 2015, Anthem suffered a large consumer data breach that impacted nearly 80 million people. The information compromised included names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data that could have included income information. Minors who were on their parents’ health plans were affected, which is particularly troubling due to the long shelf-life of the static data (SSNs) that was compromised. In 2018, Anthem agreed to take corrective actions and pay the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In order to place a claim for the settlement, victims needed to provide proper documentation for out-of-pocket costs. The Anthem breach is considered to be the largest health data breach and the largest HIPAA settlement in the United States.

OPM

Over 21 million people were affected by the second impactful Office of Personnel Management (OPM) data breach, which occurred in 2016. Investigators determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen – including biometric and protected health information. Not only did it impact those who were under OPM’s jurisdiction, but it also impacted those who were dependents. It was a sophisticated, large-scale hacking event that resulted in the creation of the National Background Investigations Bureau (NBIB).

ChoicePoint

ChoicePoint was part of a large impactful data breach in 2005 that led to the personal information of at least 163,000 Americans being sold to a crime ring. Fraudsters, posing as customers of the company, gained access to the company’s background check database – giving them the ability to mine sensitive personal information for nefarious purposes. In 2008, ChoicePoint agreed to pay $10 million to settle a class-action lawsuit. Since the breach, Senators have proposed a law to regulate the data broker industry called the “Data Broker Accountability and Transparency Act.”

Bonus Breach: U.S. Department of Veteran Affairs

This 2006 data breach affected 26.5 million veterans, spouses, active-duty military personnel and reserve military personnel. It led to the acknowledgment of many vulnerabilities in the VA. It also heightened awareness of the importance of protecting computer equipment containing personally identifiable information and responding effectively to a breach that poses privacy risks. Lessons learned included that rapid notification of key government officials is critical, that a core group of senior officials should be designated to make all decisions regarding an agency’s response, and that determining when to offer credit monitoring to affected individuals requires risk-based management solutions.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign up for our newsletters.


and two that changed how we should perceive our data…

Since 1999, the Identity Theft Resource Center has been hard at work empowering identity theft victims with the resources and tools to resolve their cases, as well as helping people proactively reduce their risk of becoming a victim of identity theft. One of the most common ways consumers have their information misappropriated is through data breaches. Since 2005, we have recorded over 10,000 publicly notified breaches. Let’s look at the top three major data breaches with the biggest impact to consumers based on our new risk assessment tool, Breach Clarity, developed in partnership with Futurion and its creator Jim Van Dyke.

Based on ITRC’s database of data breach notifications and Breach Clarity’s proprietary processing, Van Dyke says consumers can be better educated on the significance of which breaches rank as the all-time riskiest to the individual consumer in terms of both size and scope. The new tool includes the potential impact on the affected individual identity-holder, what types of identity theft could occur based on the records exposed and what steps that person needs to take to minimize his/her risk. Here is a look at the top five major data breaches that impacted individuals in the United States:

The U.S. Office of Personnel Management

In June 2015, the U.S. Office of Personnel Management (OPM) was the target of two separate hacking events exposing background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint data and security clearance information. Additionally, it exposed PII of dependents, including SSNs, dates of birth and other information.

OPM was one of the most significant major data breaches in memory, ranking a ten in severity on Breach Clarity. Van Dyke says it created a risk through the exposure of security clearance and biometric data for those working in service of our country.

Equifax

Credit reporting agency Equifax experienced a hack in 2017 that exposed the personal information of 146.6 million U.S. consumers. “Equifax has been regarded by many to be the worst of all data breaches because this hack generally exposed Social Security numbers for a massive amount of individuals,” Van Dyke said. The information exposed included names, birthdays, SSNs, addresses, phone numbers, Driver’s License numbers, email addresses, payment card information and Tax ID numbers.

While this major data breach ranked ten in severity and exposed so much information, it is not among the worst in terms of per-victim impact. As we learn more about the settlement process for this breach, each individual consumer will need to assess the impact based on their circumstances.

Anthem, Inc.

In 2015 Anthem, Inc. had a major data breach, exposing nearly 79 million sensitive records. Van Dyke says it created a dangerous risk, receiving an overall risk level of eight. Breach Clarity shows that it created a unique pattern of risk that included new financial account creation and tax refund fraud.

There were two other breaches that really changed how consumers viewed their data and how companies should secure it. No two breaches have the same impact, but Facebook and Yahoo brought the spotlight on how companies could manage their users’ data security better. It also reminded users that they are ultimately responsible for the information that is being housed in any particular platform. When all else fails, don’t share it if you don’t want it to be potentially exposed publicly.

Facebook

In 2018, hackers were able to tap into the ever-popular social media landscape, stealing account access tokens from Facebook and then using them to access user names, contact details and profile information like usernames, birthdays and device types used to access additional information.

“The Facebook breach represents a particularly unique type of breach,” Van Dyke said. “It represents behavioral data that victims may not be prepared to respond to. It is unlikely that even a social media behemoth like Facebook will earn a top risk score in Breach Clarity, yet again we need to continue understanding how personal relationships and behavioral data increase risk of a variety of crimes.”

The security hack affected 50 million accounts and led to tokens being stolen from 30 million of them, resulting in the major data breach getting a risk score of five on Breach Clarity.

Yahoo

After experiencing a major data breach affecting 500 million users in September 2016, Yahoo announced a second breach just months later in December that affected more than one billion user accounts. “Yahoo was one of the biggest data breaches ever,” Van Dyke said. “Both in sheer number of victims and the duration of exposure during which criminals had access to private data.”

An unauthorized third party stole information like names, email addresses, phone numbers, birthdays, passwords and security questions and answers from users. Van Dyke says users who emailed private documents like tax returns may be at particular risk because criminals may have also had access to personal email records. He says Breach Clarity cannot predict all of the possible identity theft and fraud risks because of the varying nature of private data exposed while the criminals had access. This particular major data breach received a risk score of four.

Also, you can use Breach Clarity to see the actionable steps you can take after a data breach. If you think you might have identity theft, speak to one of our advisors for free assistance at 888.400.5530.

As we recap the last 10,000 breaches, the ITRC hopes that we can help those impacted – both consumers and businesses – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, don’t just toss it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the top retail breaches since 2005. To stay up to date on the latest news in identity theft and data breaches, sign up for our newsletters.
