Catch Of The Week: What To Do…If You’re Caught In A Data Breach

Caricature by artist Paul Ziomek.
Los Alamos
Data breaches … they happen all the time, right? It can be easy to ignore them, but it’s important to pay attention when these show up in the news, or you could end up with fraudulent charges, your identity stolen, or worse.
Last week the American Medical Collections Agency (AMCA) revealed it was the victim of hackers who had unauthorized access to their system from August of 2018 until March of 2019. Over 20 million LabCorp, Quest, and OpkoHealth patients who had been placed into collections with this company had their personal and financial data exposed. These three companies are the only ones known to be affected by the AMCA data breach at this time, but that could change as the investigation into the breach of the company’s servers continues.
It is important to note that not everyone who had lab work done with these companies will be affected; only patients who did not pay their bill on time would have been passed off to AMCA.
No medical or insurance data is known to have been exposed as a result of this breach. Data compromised likely included name, contact information, credit card or bank information, and for Quest customers, may have included Social Security numbers. Some customers may also have had their date of birth exposed, though that has not been confirmed.
Also announced last week, Evite suffered a data breach. Evite is a website where users can create party invites and send them via email. Hackers were able to access an old database containing user data, including full names, countries, emails, IP addresses, and cleartext (unencrypted) passwords from customers. The database was posted for sale on the dark web and contained information for about 10 million users.
What should you do if you get a notification that you were affected by a data breach?
1. First of all, you need to figure out what data was lost. The loss of publicly available data like your name, address, or phone number is less sensitive and probably won’t cause you much trouble. More sensitive data like email addresses, date of birth, and payment-card numbers can lead to increased spam emails, possible fraudulent charges, and some risk of identity theft. The most sensitive information of all would be information like your Social Security number, passport number, online account passwords, and financial account numbers. This information can be very damaging and lead to identity fraud, hijacking of your online accounts, and fraudulent charges.
2. The company may tell you that stolen information was encrypted, but keep in mind this doesn’t mean your data is safe; encryption can be cracked. If your encrypted password is fewer than ten characters long and/or contains dictionary words, you can consider it lost. Immediately change the passwords on any compromised online accounts. If you reused the compromised password on multiple accounts, be sure to change those as well! Hackers can automate the account compromise process and quickly test possible email and password combos across multiple sites. Do not make their job easy by reusing the same password across multiple websites.
3. If your financial information was compromised, contact your bank or credit card issuer immediately and let them know. Professional credit card thieves will try to make multiple purchases on the stolen card as quickly as possible, usually within hours of the theft. If you receive a notification that your financial information was compromised in a data breach, check your statement history and look for any suspicious charges. For most credit cards, you can report a card lost or stolen at any time and only be liable for at most $50 of the charges. Debit cards usually offer less protection; you only have two business days after learning of the fraudulent charges to tell your bank. If you notify them after that, you may be liable for up to $500; let 60 days go by, and you could be liable for all charges. Avoid using your debit card for any online transactions.
4. Be sure to contact one of the major credit reporting bureaus and ask them to put a fraud alert on your account. Once one credit reporting bureau receives a fraud notification, they are required to alert all the other credit reporting bureaus. Fraud alerts are free and can be renewed every year. You can also request that a credit freeze be placed on your account; no one will be able to run a credit report on you or open an account without your permission.
Credit freezes are also free, though they may cause complications if you need to apply for a new credit card, mortgage, or change cellular or cable services.
5. Most of the time if you are the victim of a data breach, the company will offer you one or two years of credit or identity monitoring services. Be sure to read the fine print of the offer to check what kind of protection you are getting. There are numerous free and paid services out there that can help!
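The password triage in step 2, worked through as an added example (not part of the original column): it applies the rule of thumb for an "encrypted" password and then finds every other account that reuses the breached password. The site names, passwords and word list are constructed sample data, and `consider_lost` and `triage` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample data: a tiny word list and one person's accounts.
WORDS = {"password", "summer", "dragon", "monkey", "letmein"}
ACCOUNTS = [
    {"site": "invites.example", "password": "summer2019"},
    {"site": "mail.example", "password": "summer2019"},
    {"site": "bank.example", "password": "k7#Vq9!xTz2m"},
    {"site": "forum.example", "password": "Dragon!"},
]

def consider_lost(password, stored_encrypted, words=WORDS):
    """Apply the column's rule of thumb to one breached password."""
    if not stored_encrypted:
        return True  # cleartext passwords are exposed outright
    lowered = password.lower()
    # Fewer than ten characters and/or contains a dictionary word.
    return len(password) < 10 or any(w in lowered for w in words)

def triage(accounts, breached_site, stored_encrypted):
    """Return {site: reason} for every account whose password must change."""
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[acct["password"]].append(acct["site"])
    plan = {}
    for acct in accounts:
        if acct["site"] != breached_site:
            continue
        lost = consider_lost(acct["password"], stored_encrypted)
        plan[acct["site"]] = "breached, consider lost" if lost else "breached"
        # Reuse spreads the exposure to every site sharing this password.
        for other in by_password[acct["password"]]:
            if other != breached_site:
                plan[other] = "reuses breached password"
    return plan

if __name__ == "__main__":
    for site, reason in triage(ACCOUNTS, "invites.example", True).items():
        print(f"change {site}: {reason}")
```

A password manager's export could stand in for `ACCOUNTS`; the breached account is always listed for a change, and the "consider lost" label only marks how urgent it is.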
In today’s connected world, data breaches are becoming an everyday occurrence. Pay attention, don’t ignore any notification that you were affected by a breach, and make sure that you take steps to protect yourself in the event you are a victim!
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.