Scam of the day – June 20, 2017 – Another cosmetic surgery clinic suffers data breach

On June 5th I reported to you about the data breach at a Lithuanian cosmetic surgery clinic, and now we have learned about a similar but significantly different data breach suffered by prominent Beverly Hills plastic surgeon Dr. Zain Kadri, whose patients include people from many states and four countries.

The data breach, which law enforcement says affects approximately 15,000 people, includes tremendous amounts of data, information and documents, including before and after surgery photographs, patient records, credit card information and patient contact information.  It appears that Dr. Kadri’s practice was both electronically hacked and physically burgled by a person who, police say, was a former employee.

The patients victimized by this crime face blackmail, extortion and identity theft as a result of the data breach.


Medical practices continue to be a prime target for identity thieves because they are often quite vulnerable to cyberattacks, but as this case apparently shows, data breaches can be carried out through old-fashioned burglaries as well.  It is important for all entities that store personal data to take steps to secure data both physically and electronically and to limit access to such information to only those employees who need it.

Unfortunately, there is little that we as consumers and patients can do other than to limit the amount of personal information we provide, as best we can.  For example, your doctor does not need your Social Security number.  We should also inquire of anyone or any entity that retains our personal information about what they do to secure that information.

Scam of the day – September 7, 2016 – IRS fails to notify identity theft victims

The IRS is certainly aware of the serious problems posed by identity theft which costs taxpayers billions of dollars in phony refunds paid to identity thieves filing income tax returns with fake W-2s in order to obtain fraudulent refunds.  This makes it more startling to recently learn from a report of the Treasury Inspector General for Tax Administration (TIGTA) that between 2011 and 2015, the IRS failed to notify more than a million taxpayers who had their Social Security numbers stolen even though the IRS was fully aware that these people were victims of employment related identity theft.  Employment related identity theft occurs when someone steals another person’s Social Security number in order to get a job.  Often this occurs when illegal immigrants use stolen Social Security numbers to get a job because they cannot legitimately obtain their own Social Security number.  The IRS becomes aware of the Social Security number being misused when the income tax returns filed using the Social Security number don’t match the W-2s associated with the Social Security number.

In 2014, the IRS instituted a pilot program by which it notified 25,000 people when their Social Security numbers were used by someone else to get a job, but the program was abandoned after a short time.  In April, the IRS indicated that it would begin to notify new victims of employment related identity theft beginning in January of 2017; however, in its report, TIGTA is recommending that the IRS institute procedures to notify not only people who become victims after January of 2017, but also everyone who had become a victim of employment related identity theft previously.  TIGTA also recommended to the IRS that it notify the Social Security Administration when it becomes aware of employment related identity theft.


While the intention of the identity thief who commits employment related identity theft is not as nefarious as that of an identity thief who commits identity theft that causes unpaid debt to be incurred in the name of the victim, the dangers of employment related identity theft can easily turn into medical identity theft whereby your medical records become corrupted by the medical records of the identity thief or criminal identity theft whereby crimes are committed in your name.  The best thing you can do to prevent any kind of identity theft is to maintain the privacy of your Social Security number as much as possible.

Scam of the day – August 13, 2016 – Healthcare worker convicted of identity theft

Data breaches at hospitals and other health care providers are a major problem.  The Ponemon Institute’s study of the health care industry this year found 90% of health care organizations suffered data breaches during the last two years, including the massive data breach at Anthem.  However, often overlooked is the fact that not all data breaches are caused by outside attacks.  Many of them are caused by rogue employees with access to data that they steal and then sell to others or use themselves for purposes of identity theft.  Recently Alana Wells, a health care worker in Alabama, pleaded guilty to stealing patients’ names, dates of birth and Social Security numbers and then using them with her co-conspirators for purposes of income tax identity theft, by which they filed phony tax returns using the names and Social Security numbers of their victims, seeking fraudulent tax refunds.  Sentencing will occur later this year and she faces a sentence of up to seven years in prison.


Apart from the lesson that employers must do a better job of protecting the data they hold from rogue employees, which admittedly is a difficult job, one thing we as consumers should do is recognize that this problem occurs everywhere and consequently, whenever possible, we should limit the amount of personal information we give any company or institution with which we do business to the minimum amount necessary.  When it comes to hospitals and health care institutions, despite the fact that they routinely ask for your Social Security number, they have no true reason to use it as an identifier. When asked, suggest another number such as your driver’s license.

Scam of the day – December 14, 2015 – Hospital identity theft arrests

Although we often think that identity theft is a high tech crime, in fact identity theft is a high tech, low tech and no tech crime.  The Manhattan District Attorney recently arrested a married couple, Kyle Steed and his wife Krystle Steed, charging them in a 193-count indictment involving identity theft in which fraudulent charges were made in the names of their victims totaling more than $300,000.  The basis for the identity theft was definitely no tech.  The District Attorney is alleging that Kyle Steed, who worked at the Lenox Hill Hospital, stole personal information of more than 80 emergency room patients.  Among the information stolen were names, birth dates and Social Security numbers of the victims.  However, rather than hack into the hospital’s computers, Kyle Steed is alleged to have done his data theft the old-fashioned way by stealing the information from paper records of the hospital.  Krystle Steed used the stolen information to access their victims’ credit card accounts, charging more than $300,000 worth of expensive purchases including designer bags.


Lenox Hospital is notifying patients who were affected by the data breach which occurred between January of 2014 and February of 2015.  This crime again illustrates the importance of companies that retain personal information doing a better job of protecting their data in whatever form it is stored.  It also illustrates the importance of limiting the amount of data that you provide companies with which we all deal as much as possible.  Although hospitals commonly require people to provide their Social Security numbers, they generally do not have a need for doing so and often do so merely to make it simpler to collect overdue bills.

Scam of the day – September 13, 2015 – Another major health care data breach

Health insurer Excellus Blue Cross/Blue Shield became the latest major health insurer to disclose that it had suffered a data breach affecting 10.5 million people.  The compromised information may include names, birth dates, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.  This hacking, which was just announced but has been going on since December of 2013, is the fourth major health care data breach this year, with Anthem Blue Cross/Blue Shield being the largest, having affected upwards of 80 million people.  As I warned everyone in my USA Today column in which I made my cyberpredictions for 2015, the health care industry is tremendously vulnerable to data breaches and we can expect these data breaches to continue.  Here is a link to that column.

A recent audit of health care companies and insurers showed that more than 81% of these companies have suffered a data breach in the last two years alone and that number only relates to the data breaches that have been discovered.  There may have been more that remain undiscovered.

The potential consequences of medical company data breaches can be tremendous to affected individuals.  The medical records of an identity thief accessing your medical insurance can become intermingled with your medical records such that you can mistakenly receive improper treatment, such as a potentially deadly blood transfusion of the wrong blood type.


Excellus will be sending out snail mail letters to those people affected by the data breach shortly.  If you receive an email purportedly from Excellus asking you to click on links for information about the data breach, it is a phishing email aimed at getting you to download malware on to your computer and make you a victim of identity theft.  As many hacked companies do, Excellus is offering two years of free credit monitoring; however, these services will do nothing to protect you from identity theft.  In order to do that, I suggest that you put a credit freeze on your credit report at each of the three major credit reporting agencies in order to prevent someone who already has your personal information, such as your Social Security number, from accessing your credit report to run up debts in your name.  You can find information about how to do a credit freeze in the Scamicide Archives.  For more information about the Excellus data breach, you can either call their toll free hotline number of 877-589-3331 or go to their website by clicking on this link.

Scam of the day – August 11, 2015 – Medical Informatics Engineering class actions filed

Recently I told you about the hacking and data breach of Medical Informatics Engineering (MIE) and its cloud service NoMoreClipboard.  MIE operates more than 300 medical centers in 38 states.  On May 26th it discovered that it had been hacked since May 7th.  Unfortunately the personal information compromised in the data breach was very significant, including names, telephone numbers, mailing addresses, usernames, password security questions and answers, spousal information, email addresses, birth dates, Social Security numbers, health insurance policy information and more, all of which puts the victims of the data breach in serious jeopardy of traditional and medical identity theft.  It is estimated that almost four million people had their personal information stolen.  The company started notifying affected victims whose personal information was hacked by traditional mail in June and July.  Now, however, two lawsuits have been filed on behalf of the victims in the Federal District Court in Ft. Wayne, Indiana seeking class action status.  Both lawsuits allege that MIE was negligent in not implementing proper security measures to protect the personal information it collected and stored.


If you are one of the victims of the data breach and want more information about the two class actions, you can contact the law firms, Price Waicukauski & Riley LLC and Cohen & Malad LLP by clicking on the following links respectively and

You can also call MIE’s toll-free hotline at 866-328-1987 for more information.  In addition, you should carefully monitor all of your financial accounts and check your medical records to make sure that someone has not accessed your health insurance and made you a victim of medical identity theft.  You should also put a credit freeze on your credit report.  You can find out how to put a credit freeze on your credit report by going to the Archives of Scamicide.  Be wary of any emails that you receive purporting to be from MIE because you can expect identity thieves to be sending out phishing emails posing as MIE, seeking to have you provide personal information or click on links containing malware.

Steve Weisman’s latest column for USA Today

Here is a link to my column from today’s edition of USA Today.  It deals with the recent data breach at UCLA Health services and the problems of medical identity theft.

Scam of the day – July 20, 2015 – UCLA Health System hacked affecting 4.5 million people

The parade of data breaches at major health care providers continues as I predicted in my USA Today column last December.  Here is a link to that column.

The present data breach is of the UCLA Health System and it may have been going on undetected since September of 2014 until recently being discovered.  The information that may have been compromised is a treasure trove of data for identity thieves.  It included names, Social Security numbers, medical records, ID numbers and addresses on 4.5 million people.  But, as I always say, things aren’t as bad as you think — they are worse.  The stolen data was totally unencrypted making the threat to the people in the UCLA Health Systems computers more serious.

Medical identity theft can threaten more than your financial life.  The mixing of medical records of the victim of the identity theft with the medical records of the identity thief utilizing the medical insurance can potentially be deadly, such as when a person might receive the wrong blood type in a transfusion or a drug to which they may be seriously allergic.  Again, compounding the problem, it can be extremely difficult or even impossible to remove the identity thief’s medical information from the victim’s medical records after the problem has been discovered due to quirks in the medical privacy laws.


If you are one of the people affected by this data breach, UCLA will be notifying you by regular mail and will explain your options.  They will not be notifying people by email or text messages so if you receive such a communication, you should not click on any links contained in the email or text message because they have been sent by an identity thief as a phishing email attempting to lure you into downloading malware by clicking on the link.

Those people affected will be offered free credit monitoring for a year.  They also should monitor their financial and medical insurance accounts carefully for early indications of fraud.  Putting a credit freeze on their credit reports would also be a good step to take.  You can find more information about credit freezes here in the Scamicide archives.

Here is a link to a press release by UCLA which describes the data breach and your options.

Scam of the day – June 23, 2015 – Another major health care data breach

Medical software company, Medical Informatics Engineering (MIE) became the latest of a long line of companies in the health care industry to become a victim of a significant data breach.  As I warned people in my USA Today column last December in which I made my predictions for the year 2015, data breaches in the health care industry will be happening with greater frequency as a result of the unfortunate combination of the health care industry in general not doing a particularly good job of protecting its data and its data being very attractive to identity thieves.

MIE just recently announced that its main network had been hacked on May 7th and was discovered on May 26th.  The data stolen included names, addresses, birth dates, Social Security numbers and health records, all of which put the victims of this breach in serious jeopardy of identity theft.  Although the full extent of the data breach has not yet been determined, among the company’s clients are Concentra which operates more than 300 medical facilities in 38 states.  Some of the other specific facilities affected include Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc., Fort Wayne and the Rochester Medical Group.


MIE has indicated that it will be notifying patients for whom they have mailing addresses with information about the data breach, although as a supplier of medical software to institutions, it may well not have addresses on all affected individuals.  If you receive an email purporting to be from MIE, you should ignore it as it is a phishing email seeking to obtain personal information from you in order to make you a victim of identity theft.  MIE is not contacting affected individuals by email or text messages.

MIE is offering free credit monitoring and identity theft protection services to those people affected by the data breach.  For information about the program, you can go to a special section of the company’s website by clicking on this link, or you can call a special toll-free hotline established by the company to answer any questions people may have about the data breach.  The number is 866-328-1987.


Scam of the day – March 19, 2015 – Another huge healthcare data breach

Premera Blue Cross has just disclosed that it had been hacked since May 5, 2014, causing a data breach that was only discovered on January 29, 2015.  As a result of the hacking, by presently undetermined hackers (although early indications again point the finger at Chinese hackers), a treasure trove of information was compromised, including customers’ names, date of birth, email addresses, addresses, telephone numbers, member identification numbers, Social Security numbers, bank account information, contact information and even claims data.  The data breach includes customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska and its affiliates Vivacity and Connexion Insurance Solutions, affecting as many as eleven million people.  This data puts the victims of this data breach in serious danger of identity theft.  The health care industry in general is extremely vulnerable to data breaches and was warned by the FBI to be on the alert for such attacks last summer.  In my USA Today column of predictions for 2015 I also predicted that there would be major hacks in the health care industry this year.

Data breaches in the health care industry are particularly dangerous to us all because they put us in danger of not just regular identity theft, but also medical identity theft which can corrupt your medical records and present the threat of receiving possibly deadly treatment because of incorrect information in your medical records.


Premera started sending letters to affected people on March 17th and is offering two years of free credit monitoring and identity theft protection services.  For more information about this, you can go to Premera’s website at  You can also call Premera with questions at 800-768-5817.  Premera customers should also be wary of mail, emails or any other communications that they receive purporting to be from Premera because the hackers have the names, addresses and email addresses of Premera customers and may contact you electronically and attempt to lure you into clicking on links that may download keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  You are better off going to Premera’s real website at the address indicated above.  Premera victims would also be wise to put a credit freeze on their credit reports.  You can find information here on the Scamicide website as to how to do so.  For those of us not affected, this data breach reminds us that whenever possible you should not provide your Social Security number to health care providers or anyone else with whom you do business unless there is an absolute need to do so.