So far this year, there have been more than 630 data breaches in the U.S., putting 2016 on track to exceed the total of 780 breaches in 2015 and millions of individuals at risk of identity fraud, according to the Identity Theft Resource Center.
When companies, organizations or government agencies experience a data breach that may have exposed people’s personal information, one of the many issues they must address is how to help those affected. Should they offer them identity theft services?
If so, how should they choose the provider and what features should they look for? Consumer Federation of America and its Identity Theft Service Best Practices Working Group, which includes consumer advocates and identity theft service providers, have created a checklist, “My company’s had a data breach, now what? 7 questions to ask when considering identity theft services,” to help breached entities make these decisions.
“Identity theft services may not be necessary for every breach, but if you’re going to offer this kind of service, it is important to make sure that that it provides the information and assistance that best fits the needs of the people who are impacted,” said Susan Grant, Director of Consumer Protection and Privacy at CFA.
One of the questions that the checklist suggests asking is whether the service will provide information to the breach victims about how to reduce the potential damage that may result from the breach – for example, by changing their account numbers and passwords, monitoring their accounts online, and using fraud alerts, security freezes and other tools.
Other general questions include:
Are services available 24/7?
Is there a toll-free number with live operators?
What response times will the provider commit to?
Can the service handle multiple languages?
If monitoring is provided, how quickly are alerts sent?
Are there specially trained personnel to help victims of fraud resulting from the breach, and will that assistance continue for problems that aren’t resolved when the contract ends?
Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, said, “Scammers are always changing their pitches and looking for things that work. The IRS phony agent obviously works. It scares the heck out of people.”
The Consumer Federation of America and the North American Consumer Protection Investigators report is based on input from 33 consumer agencies from 21 states, including the Florida Department of Agriculture and Consumer Services.
To read the full report, which provides additional suggestions for new laws as well as descriptions of agencies’ biggest achievements and challenges and tips for how consumers can protect themselves, click here.
Grant said imposter scams of all kinds have really taken off in the last year. She theorizes that a lot of people are behind on paying their taxes and don’t realize that the IRS does not call people asking them to send money.
“There is an alarming trend. It has gotten to the point that if someone is saying they are from a government agency, or your utility, or it’s your boss, you really don’t know whether in fact that is true. You need to be skeptical and check directly with whom they purport to represent before you send any money or give information,” Grant said.
In a new type of imposter scam, crooks infiltrate companies’ or organizations’ email systems and send messages purporting to be from the CEOs to employees with urgent instructions to wire money somewhere.
Tax and wage-related fraud were the most common forms of identity theft reported to the Federal Trade Commission last year, so it’s no surprise that tax ID theft was one of the fastest-growing complaints to state and local consumer agencies, the report says.
Aggressive sales tactics for solar power and electricity seem to be at the root of energy services comlais.
“Consumers are misled about the potential savings, locked into long-term contracts, and in some cases, discover that their service has been switched to another complaint without their consent,” the report states.
The top 10 complaints received last year by agencies participating in the CFA survey were automotive, home improvement/construction, utilities, credit/debt, retail sales, services, landlord/tenant, household goods, health products/services and Internet sales.
Health Department spokesman Tim O’Connor said Monday that the U.S. Justice Department provided the list and is investigating further. The department had to verify that the individuals were its clients. It contacted them by mail.
Letters have been received by the clients, who are now contacting the department for more information about what they should do. The department already told the clients how to review their credit history and report any suspicious activity to law enforcement.
The list included names, dates of birth, Social Security numbers, Medicaid numbers, phone numbers and medical record numbers of people who were clients of the health department.
O’Connor said its procedures require it to notify the clients before issuing a public notice about the breach.
It’s not the first time health department patients’ personal information has been breached.
On May 15, 2014 a former Palm Beach County Health Department clerk was sentenced to two years in prison for using her job to steal people’s identities to seek fraudulent tax refunds.
Salita St. Simon was a senior clerk in the Department’s Belle Glade office. She admitted to stealing personal information, such as names, dates of birth, Social Security numbers and medical record numbers from roughly 2,800 clients over the course of a year, according to court records.
St. Simon said she provided the data to acquaintances who used it to obtain tax refunds.
It was widely reported in 2012 that 741 income tax returns worth a total of $1.1 million in refunds were filed from a single address in Belle Glade. It is not clear whether there was a connection to St. Simon’s case.
O’Connor said that since St. Simon’s arrest, the department has conducted more detailed background checks and increased the interview process on people who will have access to records.
Health department officials believe that the clients in this year’s breach are not the same as those in the St. Simon case.
Other Palm Beach County Health Department incidents of information breaches, but which have not been linked to actual identity theft include:
In 2005, 6,500 HIV positive patients’ names were on a confidential list that was emailed to 800 people, O’Connor said.
Also in 2005, 15 pages form a confidential list of HIV-positive patients disappeared from an analysts’ desk.
In 2007 a file cabinet being sold at a surplus auction contained test results of patients who tested positive for various communicable diseases.
If you receive a notice or have been a patient and have questions about the records breach, call the health department at 855-438-2778 from 8 a.m. to 5 p.m. Monday through Friday.
Tips if you think your medical records have been breached
If you believe that you have been a victim of identity theft and provide the credit reporting agency with a valid police report the reporting agency cannot charge you to place, lift or remove a security freeze on your credit reports. In all other cases, a credit reporting agency may charge you up to $5 each time you place temporarily lift or permanently remove a security freeze.
You may also want to place a fraud alert on your credit report. You are entitled to receive a free credit report annually from each of the three credit bureaus. Even if you do not find suspicious activity on your initial credit report, the Federal Trade Commission recommends that you check your credit reports and credit card statement periodically. For more information, go to www.annualcreditreport.com or call 877-322-8228 or contact these agencies:
•TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P. O. Box 6790, Fullerton, CA 92834-6790.
•Equifax: 800-525-6285; www.equifax.com; P. O. Box 740241, Atlanta, GA 30374-0241
•Experian: 888-EXPERIAN (397-3742); www.experian.com; P. O. Box 9554, Allen, TX 75013
In addition, if you believe that you have been the victim of identity theft, you have the right to file a police report and to obtain a copy of that report. Many creditors will require the information from the police report before excusing you from paying for any fraudulent charges or debts.
You can also file a complaint with the Federal Trade commission at http://www.ftc.gov or at 811- ID-Theft (877-438-4338).
Here are some things that could help you determine that your medical information may have been uses by someone else:
•Getting a bill for medical services you didn’t receive.
•Being contacted by a debt collector about medical debt you don’t owe.
•Seeing medical collection notices on your credit report that you do not recognize.
•Attempting to make a legitimate insurance claim and being told by your health plan that you’vereached your limit on benefits.
•Being denied insurance because your medical record shows a condition you don’t have.
•Noticing on a statement from your health plan that the health plan paid claims for care you did no receive.
If you believe someone else may have used your medical information, you may wish to consider taking additional steps which are outline on the Federal Trade commission’s website at www.ftc.gov.
Florida ranked first in the nation in the number of fraud-related and other consumer complaints filed with the Federal Trade Commission last year, with 306,133 complaints, amounting to 1,510 per 100,000 people.
The top category for Florida was debt collection, followed by telephone and mobile services, impostor scams, banks and lenders; prizes, sweepstakes and lotteries; auto-related complaints, shop-at-home and catalog sales, television and electronic media; credit bureaus and credit cards.
The state ranked third in the number of identity theft complaints filed with the FTC, at 44,063, or 217 per 100,000 people.
Among metropolitan areas, Miami-Fort Lauderdale-West Palm Beach ranked third in identity theft complaints, with 17,832, or 300 per 100,000 people.
Debt collection, identity theft and imposter scams were the most common categories of consumer complaints received by the Federal Trade Commission’s Consumer Sentinel Network in 2015, according to the agency’s new data book.
Some of the increase can be attributed to the fact that more people know to complain to the FTC about bad business practices, frauds and scams. Technology helped, too — more complaints are reaching the FTC through the convenience of mobile apps.
While debt collection complaints rose to the top spot among complaint categories, the report notes that this was due in large part to a surge in complaints contributed by a data contributor who collects complaints via a mobile app. This change caused a spike in complaints related to unwanted debt collection mobile phone calls.
Identity theft complaints were the second most reported, increasing more than 47 percent percent from 2014 on the back of a massive jump in complaints about tax identity theft from consumers. Identity theft complaints had been the top category for the previous 15 years. Imposter scams – in which scammers impersonate someone else to commit fraud – remained the third-most common complaint in 2015.
“We recognize that identity theft and unlawful debt collection practices continue to cause significant harm to many consumers,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Steps like the recent upgrade to IdentityTheft.gov and our leadership of a nationwide initiative to combat unlawful debt collection practices are critical to our ongoing work to protect consumers from these harms.”
In January 2016, the FTC announced the new version of IdentityTheft.gov, which now allows consumers the ability to create a personalized identity theft recovery plan.
Consumer Federation of America has added Equifax, ID Watchdog and Worldwide Benefit Services’ ID Theft Assist to the list of companies that are part of CFA’s Identity Theft Service Best Practices Working Group.
“We are pleased to have these companies in our working group,” said Susan Grant, Director of Consumer Protection and Privacy at CFA. “Working group members are committed to promoting responsible practices in the identity theft service industry and helping to educate the public about identity theft.”
CFA’s Identity Theft Service Best Practices Working Group has embarked on a new project to develop a checklist with questions that businesses, organizations and government agencies should ask when they are considering providing identity theft services to data breach victims. Advice for consumers, including Nine things to Check When Shopping for Identity Theft Services
People are receiving fake emails purporting to be from TurboTax, and the company is warning people not to respond. They’re from scammers.
Last year and in prior years, criminals used TurboTax to file returns ahead of legitimate taxpayers. In some cases, they simply opened another account in the victim’s name, and were not caught by TurboTax. The result was an identity theft nightmare for the victims and delays in obtaining their refunds.
The fake emails have the title “TurboTax not working for days now…”
Intuit, the company which owns TurboTax, advises the following:
Do not open the attachment in the email.
Send a copy of the email to email@example.com.
Do not forward the email to anyone else.
Delete the email.
On the Internet, “phishing” refers to criminal activity that attempts to fraudulently obtain sensitive information.
Here’s what you can do to protect yourself from a phishing attack:
If you suspect you have received a phishing email from Intuit, please forward it immediately to firstname.lastname@example.org. We will look into each reported instance.
Make sure you subscribe to an anti-virus software and keep it up-to-date.
Make sure you have updated your web browser to one that includes anti-phishing security features, such as Internet Explorer 7 or Firefox version 3 or higher.
Make sure that you keep up to date on the latest releases and patches for your operating systems and critical programs. These releases are frequently security related.
Do not respond to emails asking for account, password, banking, or credit card information.
Do not open up an attachment that claims to be a software update. We will not send any software updates via email.
Do not respond to text messages or voicemails that ask you to call a number and enter your account number and pin.
Make sure you have passwords on your computer and your payroll files.
It’s Tax Identity Theft Awareness Week, and Florida Attorney General Pam Bondi is urging Floridians to be especially alert to identity theft and tax-related scams.
Tax identity theft occurs when someone other than the taxpayer:
Files a fraudulent tax return using a taxpayer’s Social Security number and personal information to receive a tax refund;
· Uses a taxpayer’s Social Security number to get a job fraudulently, causing a victim’s income not to match what has been reported to the IRS; and
· Claims a taxpayer’s child as a dependent fraudulently, preventing that child being rightfully claimed as a dependent on the taxpayer’s annual return.
As Floridians prepare to file annual tax returns this year, they can safeguard against identity theft and tax fraud by following these tips:
File tax returns early in the tax season;
· Research a tax preparer thoroughly before providing personal information;
· Use a secure internet connection when filing electronically. Do not use unsecure, publicly available Wi-Fi hotspots;
· Mail tax returns directly from the post office, not from home;
· Know that Floridians are eligible for an Identity Protection PIN from the IRS. Should someone enrolled in the IRS IP PIN program and file a return with an incorrect PIN, the IRS will reject or delay the return until it is submitted with the correct PIN and the taxpayer’s identity is confirmed. To obtain an IRS IP PIN IRS.gov;
· Know that the IRS will never initiate contact by email, phone, text or social media. If the IRS needs information, it will first contact by mail; and
· If a Social Security number has been compromised, contact the IRS ID Theft Protection Specialized Unit at (800) 908-4490.