Alabama
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Alabama’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches are increasingly relevant in the present age as cybercrimes proliferate on a national and state level. In Alabama, the issue is significant, considering it ranks 26th in the number of victims per state, and the state incurred $96,479,649 in damages in 2022 from breaches. Compared to other states, Alabama has experienced minimal breaches, which is why it was the 50th to enact a consumer protection law requiring that residents be notified their data has been breached. That said, the most common data breach types therein are phishing, identity theft, malware, and email hacking. Targets are health, educational, and tech sector facilities.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Alabama's Recent Biggest Data Breaches
Community Health Systems Data Breach
Six hospitals in the state were the victim of a third-party data breach involving Community Health Systems. In January 2023, cybercriminals infiltrated the file transfer system of this parent company, accessing the information of 962,884 patients. The hospitals affected were Grandview Medical Center, Crestwood Medical Center, Flowers Hospital, Gadsden Regional Medical Center, South Baldwin Regional Medical Center, and the Medical Center Enterprise. This attack involved the patients' names, birth dates, social security details, medical diagnoses, medications, and other insurance information.
Burr & Forman Data Breach
In October 2023, Burr and Forman experienced a data breach entailing information belonging to their clients. Immediately they became aware of the incident, the firm initiated an Incident Response plan to investigate the event. They also engaged the services of third-party cybersecurity specialists to do the investigation. It was determined that names, medical coding details, Social Security, and insurance information were compromised. 19,893 people were affected because of the data breach. The firm sent notification letters to the affected people with recorded address information in January 2024. Burr & Forman also provided a toll-free call center so affected individuals could get answers to questions they had related to the incident.
Cardiovascular Consultants
In September 2023, Cardiovascular Consultants noted that its computer network was breached following a cybersecurity event. The organization then initiated an incident response to stop and investigate the breach. Based on the assessment, it was found that the cybercriminals accessed specific sectors of CVC. The personal information obtained entailed birth dates, Social Security numbers, emergency contacts, state identification numbers, insurance policies, and their guarantors. It also mailed notification letters to all individuals whose information was exposed within the systems and provided 24 months of identity protection. All who get notifications from Cardiovascular Consultants or may be concerned about experiencing identity theft are encouraged to review their accounts regularly.
Northstar EMS Data Breach
In September 2022, Northstar became aware of suspicious activity in their network. They took steps to secure their systems and hired external cybersecurity experts to investigate. NorthStar determined that an unauthorized party had accessed data stored within their network. They then undertook an in-depth review of the data to assess the scope of the information accessed during the breach. Northstar estimated that names, birth dates, Social Security numbers, Medicare/ Medicaid numbers, health insurance details, and patient ID numbers were acquired.
Alabama Women's Health Center
In August 2022, Henderson and Walton Women's Center reported a data breach following the hacking of an email account. The facility responded by shutting down its IT network and enrolling the services of an external consultant to perform the investigation. The assessment afterward found that the hackers responsible could access patient information such as patient names, birth dates, Social Security numbers, state identification details, and medical information. 34,306 patients were affected by the breach, and each received a notification letter to inform them of the attack.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
In Alabama, businesses are required to provide notices of data breaches to residents in the event of such an incident. This can be done in either written or email form as state regulations permit. The notice requirements provided to individuals or state authorities in Alabama include a synopsis of the event, the number of affected people, services issued, and the business's contact data for additional queries.
Should the scope of the breach affect more than 1,000 residents, then the business is required to inform the office of the Alabama Attorney General. Businesses must also provide security measures to protect the information they have custody over, including developing procedures for identifying risks of breach and adapting these measures to different circumstances.
Individuals directly affected by the data breach must be notified within 45 days, provided it does not interfere with a law enforcement investigation. If the cost of sending the notices by mail or email exceeds $500,000 or the number exceeds 100,000, the entity responsible can implement a substitute notice. Here, the business can put the notice on its website or a statewide media outlet. That also works if the organization does not have a way to contact the affected individuals because they do not have their contact information. Companies that violate the Data Breach Notification Act and subsequent regulations are committing an unlawful practice per the Deceptive Trade Practices Act in Alabama. Businesses that do not notify the impacted people or the Attorney General are liable to face a civil penalty of $5,000 for each day they do not disclose the data breach.
Laws
- The Alabama Data Breach Notification Act defines personal or sensitive information and gives types. It also requires that entities that have experienced a data breach are to notify the Attorney General should the breach result in the unauthorized attainment of personal details.
- According to the Alabama Deceptive Trade Practices Act, a person commits the crime of false advertising if, in connection with the promotion of the sale, consumption, or use of property, initiates a misleading statement which in advertisement addresses the public.
Resources
- Federal Bureau of Investigation Internet Crime Report
- Cardiovascular Consultants – Notice of Data Breach
- NorthStar Emergency Medical Services- Notice of Data Security Incident
- Attorney General Steve Marshall, Data Breach Notification
- Ala. Code 1975, § 13A-9-41 Deceptive Business Practices
- Alabama Attorney General's Office