Arizona

Data breaches occur when someone gains unauthorized access to or releases personally identifiable information (PII). This could be any data capable of disclosing an individual's identity. In Arizona, cyberattacks have affected organizations of all sizes, from healthcare providers to educational institutions. Between 2020 and 2022, nearly 600,000 records were exposed in Arizona because of data breaches.

Identity Theft Statistics

Identity Theft
Reports
19TH
State Rank (Reports per 100K Population)
10,744
Identity Theft Reports
Fraud & Other
Reports
6TH
State Rank (Reports per 100K Population)
50,964
Total Fraud & Other Reports
Fraud
Losses
$29.7M
Total Fraud Losses
$346
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
19%
Identity Theft
17%
Telephone and Mobile Services
9%
Banks and Lenders
5%
Debt Collection
5%
Online Shopping and Negative Reviews
4%
Auto Related
4%
Credit Bureaus, Iformation Furnishers and Report Users
4%
Prizes, Sweepstakes and Lotteries
4%
Internet Services
3%

Top Identity Theft Types

33%
7,609
Credit Card Fraud
27%
6,111
Other Identity Theft
12%
2,665
Loan or Lease Fraud
9%
2,072
Employment or Tax-Related Fraud
9%
2,042
Bank Fraud
7%
1,682
Phone or Utilities Fraud
3%
749
Government Documents or Benefits Fraud

Arizona's Recent Biggest Data Breaches

2023
September

Cardiovascular Consultants Ltd

On September 29, 2023, Cardiovascular Consultants Ltd, an Arizona-based healthcare company, detected suspicious activity within its computer systems. The company sought the help of a third-party cybersecurity company, which revealed someone accessed the company's systems around September 27, 2023. Cardiovascular Consultants Ltd notified all affected individuals about the breach on December 2, 2023. The company also provided free credit monitoring, identity theft protection, and fraud resolution services for 24 months to mitigate the impact.

2023
September

Mount Graham Regional Medical Center

Mount Graham Regional Medical Center experienced a data breach discovered on September 27, 2023. The company took the necessary measures internally to terminate unauthorized access and accomplished this within four hours. External cybersecurity experts were brought in to assist in the investigation, which led to the revelation that certain patient information was compromised. The attackers accessed sensitive data, including names, addresses, Social Security numbers, and medical records of patients. On November 15, 2023, Mount Graham Regional Medical Center updated its website, explaining the incident and the actions taken. The breach was reported to authorities on September 29, 2023.

2023
June

Blue Cross Blue Shield of Arizona

On June 21, 2023, Blue Cross Blue Shield of Arizona faced a significant data breach. The breach originated from TMG Health, one of AZ Blue's vendors, which experienced a cyberattack leading to unauthorized access to sensitive customer information. This compromised data includes names, member IDs, addresses, email addresses, phone numbers, dates of birth, Social Security Numbers, and banking details. AZ Blue promptly initiated an investigation and, upon completion, notified the affected individuals.

TMG Health later discovered that an unauthorized party had accessed and downloaded confidential information of AZ Blue customers. On August 17, 2023, AZ Blue notified the U.S. Department of Health and Human Services Office for Civil Rights about this breach.

2023
January

Arizona Department of Economic Security Division of Developmental Disabilities

On January 9, 2023, the Arizona Department of Economic Security Division of Disability DES/DDD discovered a data breach in their systems. Investigations revealed that a former employee possessed records containing sensitive details of certain DES/DDD members. The data included names, addresses, phone numbers, and the Health Care Cost Containment System's ID numbers. In response, over 850 members were notified of the breach and advised to take precautionary measures, such as placing fraud alerts and security freezes on their credit reports.

2022
August

City of Tucson, Arizona

In 2022, the city of Tucson, Arizona, encountered a significant data breach impacting the information of 123,513 individuals. Notification of the breach by the Maine Attorney General's Office disclosed that the breach occurred between May 17, 2022, and May 31, 2022.

The breach, discovered on August 12, 2022, involved the theft of individuals' Social Security numbers, names, and other personal details. It originated from an external system breach, with suspicious activity first noticed on a user's network account on May 29.

Upon detecting the suspicious activity, the city engaged a team of third-party forensic experts to investigate thoroughly and assess the extent of the breach. The city embarked on a comprehensive review of all relevant information, confirming the exposure of users' data. As a precaution, the city provided 12 months of complimentary credit monitoring and identity restoration services through Experian.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Businesses in Arizona are obligated to report a data breach when the personal information of Arizona residents has been accessed by an unauthorized individual. This also applies where a business suspects it has been invaded. The legislation requires businesses to notify potential victims and the required parties of the breach within 45 days.

If the breach affects over 1,000 Arizona residents, businesses must notify the Arizona Attorney General's Office and national consumer reporting agencies like TransUnion and Equifax. However, notification may be postponed if a law enforcement agency deems that providing notice would hinder a criminal investigation.

Businesses can use written letters, telephone calls, or email notifications to inform individuals about data breaches.

Notifications sent to affected Arizona residents should contain the following details:

  1. The estimated date of the breach
  2. An overview of the personal information compromised in the breach
  3. Addresses and Toll-free contact numbers of consumer reporting agencies
  4. Contact and address of the Federal Trade Commission (FTC) or a governmental agency that assists consumers with identity theft concerns.

When submitting a notification to the Attorney General's Office, one must include the following:

  1. The contact and name of the business
  2. The name and contact information of the legal counsel
  3. Date when the data breach occurred
  4. A comprehensive description of the breach
  5. The nature of the personal information exposed

Laws

  • According to Ariz. A.R.S. §§18-551 and18-552, anyone who licenses, owns, or maintains covered information is subject to its provisions. Unless access to the encryption key was given, this law does not cover encrypted or redacted information.
  • When notifying individuals affected by a breach, companies must do so promptly using the primary communication method between the company and the customer. Notification methods may include telephone, written notices, or electronic notifications in compliance with E-SIGN.

If over 100,000 people are affected or notifying them costs more than $50,000, companies can use other methods, like posting notices on websites or broadcasting. The responsibility to inform affected individuals does not rest with those managing the breached data; instead, it falls on the data owner or licensee unless otherwise agreed.

Covered information includes:

  • Names (first and last, or first initial and last name)
  • Social Security Numbers
  • Driver's License Numbers
  • Financial Account Information
  • Taxpayer Identification Number
  • Health Insurance Identification Number
  • Medical Information
  • Biometrics
  • Passport Number

The Arizona Attorney General can fine a business that fails to comply with the above requirements. Damages can range from $10,000 to $500,000 per breach. This penalty applies to all kinds of agencies, whether they are government-run or not.

Resources