Breach Clarity Weekly Data Breach Report: Week of May 10

Each week Breach Clarity, recently acquired by Sontiq, compiles a list of what it considers to be notable data breaches—those that are worth highlighting because of the increased intensity of the risk to personal information. The Breach Clarity score identifies the level of risk on a scale of 1 to 10—the higher the score, the more severe the breach and level of risk.

This week two of our top breaches occurred at health care providers and involved theft of medical records and insurance information. Medical identity fraud is a challenging fraud type to assess, since it is quite difficult to commit and consequently fairly rare, but when it does occur, it can have a terrible impact on victims. The most common way for criminal groups to profit from medical identity fraud is to use the victim’s identity to get access to prescription drugs or medical devices that have a high value in black markets. In other cases, the perpetrator may take on the victim’s identity to get personal medical care because they lack insurance or other means of access to the medical system. Either way, in addition the to the financial consequences of the fraud, victims risk having medical providers making decisions based on incorrect information, being flagged for substance abuse and other medical consequences.

Unfortunately, medical identity fraud can be incredibly difficult to detect and resolve. Under HIPAA’s privacy rules, consumers can request copies of their medical records, which can allow victims to identify erroneous records, but typically those records need to be requested from the provider where the treatment occurred and victims may have never had contact with the provider used by the fraudster. Similarly, with no central reporting agency like the credit bureaus in financial services, disputing those records requires individually engaging with the provider where the treatment occurred. The department of U.S. Health and Human Services and the Federal Trade Commission both maintain resources with additional information on warning signs to help identify and resolve medical identity fraud.

New breaches added: 29

NYDIG Execution LLC and NYDIG Trust Company LLC (Third Party LogicGate, Inc.)

BreachIQ score: 8

A cyberattack on LogicGate, a software company providing risk management solutions for NYDIG, allowed the perpetrator to gain access to data stored in the LogicGate Risk Cloud environment. NYDIG used LogicGate to store compliance-related data collected from new customers and counterparties. Exposed data types include Social Security numbers, financial account information, passport and driver’s license numbers, addresses, contact information and more.

What should you do? Since the information stolen in this breach creates a high risk of fraudulently opened credit (loan accounts), safeguards like locking or freezing your credit are the best place to start. If you expect to need to have your credit account unlocked, enrolling in credit monitoring through the provider offered by the breached organization or through a free service can help keep you informed of potentially suspicious changes to your credit report.

More information

St. John’s Well Child and Family Center

BreachIQ score: 6

A cyberattack against St. John’s Well Child and Family Center disrupted St. John’s access to certain systems and allowed the perpetrator to access records containing sensitive personal information. Exposed data types include medical records, contact information, patient identification numbers and, in one case, a Social Security number.

What should you do? Since the information stolen in this breach creates a high risk of fraudulently opened credit (loan accounts), safeguards like locking or freezing your credit are the best place to start. If you expect to need to have your credit account unlocked, enrolling in credit monitoring through the provider offered by the breached organization or through a free service can help keep you informed of potentially suspicious changes to your credit report.

More information

Achievement Center of LECOM Health (ACLH)

BreachIQ score: 5

Unauthorized access to two business email accounts at ACLH allowed the perpetrator to gain access to sensitive personal information on staff and clients contained in messages and attachments that passed through the affected email accounts. Exposed data types include medical records such as diagnoses and treatments, insurance information, Social Security numbers and contact information.

What should you do? Since the information stolen in this breach creates a high risk of fraudulently opened credit (loan accounts), safeguards like locking or freezing your credit are the best place to start. If you expect to need to have your credit account unlocked, enrolling in credit monitoring through the provider offered by the breached organization or through a free service can help keep you informed of potentially suspicious changes to your credit report.

More Information

AmeriCommerce

BreachIQ score: 5

A cyberattack on AmeriCommerce, a technology company providing payment processing services for online merchants, allowed the perpetrator to insert malicious code on AmeriCommerce’s clients’ websites. This code was designed to capture information entered during checkout, including credit and debit card numbers, security codes, expiration dates, etc. Since the malware was only able to capture information entered into the browser, purchases made with card data saved with the merchant were not affected.

What should you do? When credit or debit card data is stolen, you should contact your issuer to determine whether you need a replacement card. Many card issuers also allow you to set up alerts for large or unusual purchases. These alerts can help you quickly identify suspicious activity and notify your bank or credit union of the fraud.

More information

About the Breach Clarity Score

Breach Clarity, recently acquired by Sontiq, created an algorithm that deeply analyzes and assigns every publicly reported data breach a Breach Clarity score, most often from 1 to 10. The higher the score, the more severe. (In rare and extreme cases, the score can exceed 10.)

The idea for the Breach Clarity score came from data breach expert Jim Van Dyke, who realized the public should be able to access the same analysis he used as an expert witness to discern data breach risks in the country’s biggest data breach cases. Breach Clarity’s artificial intelligence algorithm simulates that advanced, objective analysis and is available to anyone as a free tool in the fight against identity fraud and cybercrime. The score, risks and recommended action for any publicly reported data breach is available at Breach Clarity.

Avatar photo

Kyle Marchini

Kyle Marchini is a product manager at Breach Clarity, where he oversees the development and implementation of data breach intelligence solutions for financial institutions, identity security providers and other organizational partners. Prior to his work at Breach Clarity, Kyle was a Senior Analyst for Fraud Management at research-based advisory firm Javelin Strategy & Research. He deeply studied both fraud management and consumer behavior, directing some of the industry’s most widely-cited research on identity fraud. His work has been cited on topics ranging from the impact of fraud and breaches on consumers’ banking relationships to the role of emerging technologies such as behavioral analytics in mitigating fraud risk.

kyle-marchini has 27 posts and counting.See all posts by kyle-marchini