1. Home
  2. States
  3. Connecticut

Connecticut

Data breaches occur accidentally or intentionally when personal information is exposed to unauthorized parties. Cybercriminals have made successful careers of infiltrating businesses and institutions to access data before reselling it or demanding a ransom. Connecticut has experienced wide-scale data breaches within the healthcare, government, and tech-related sectors over the past few years. In 2023, it ranked 27th in the number of victims, incurring more than $120 million in losses the same year. Despite statutes in place to protect and help individuals affected by data breaches, these figures are still rising.

Identity Theft Statistics

Identity Theft
Reports
22ND
State Rank (Reports per 100K Population)
4,564
Identity Theft Reports
Fraud & Other
Reports
19TH
State Rank (Reports per 100K Population)
22,250
Total Fraud & Other Reports
Fraud
Losses
$13.8M
Total Fraud Losses
$277
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
22%
Identity Theft
17%
Banks and Lenders
6%
Telephone and Mobile Services
5%
Online Shopping and Negative Reviews
5%
Credit Bureaus, Iformation Furnishers and Report Users
5%
Auto Related
5%
Debt Collection
4%
Internet Services
4%
Prizes, Sweepstakes and Lotteries
3%

Top Identity Theft Types

30%
2,834
Credit Card Fraud
21%
1,965
Other Identity Theft
15%
1,384
Government Documents or Benefits Fraud
13%
1,266
Bank Fraud
8%
793
Loan or Lease Fraud
7%
641
Employment or Tax-Related Fraud
7%
630
Phone or Utilities Fraud

Connecticut's Recent Biggest Data Breaches

2023
September

Prospect Medical Holdings Data Breach

In September 2023, Prospect Medical issued notification of a data breach event following unauthorized activity on their networks. On discovery, Prospect Medical contained the incident and launched an investigation with the assistance of a third-party data security firm. From the assessment, the information taken included birth dates, health insurance data, medications, names, providers, and treatment dates. In November of the same year, the company started mailing letters to those whose information was involved. The affected were also provided complimentary credit monitoring and identity protection.

2023
August

New Haven Public Schools, Connecticut Data Breach

In August 2023, the New Haven public school district was hacked during a ransomware attack. Rather than stealing private information, the cybercriminals locked the data and extorted money from the school district. They also accessed the district's chief operating officer's email account. After monitoring correspondence between the COO and vendors, they impersonated both and diverted payments meant for the school bus contractor. More than $6 million was stolen in the incident, though $ 3.6 million has been recouped.

2023
July

Welltok Data Breach

In July 2023, Welltok became aware of a data breach connected to the MOVEit Transfer tool. The company had previously installed security patches and made upgrades available. Due to the violation, more than 800,000 residents in the state had their information exposed. The company also began issuing notices to the affected in December 2023. A lawyer from their offices also wrote a letter to the attorney general's office. Welltok moved to investigate the event and assess all security systems. It has provided access to credit monitoring for twenty-four months to all affected.

2023
March

Connecticut College Data Breach

Connecticut College experienced a data breach in 2023, first detecting the unauthorized activity in March. The institution immediately moved to contain the situation and took steps to mitigate damage. They notified the law enforcement authorities and began an investigation to ascertain the scope of the personal information revealed. The College found that there was no evidence of personal information being misused. More than 800,000 people were exposed, though, following the breach. The College also began notifying members of the Connecticut College community whose data was allegedly involved about what was being done to protect their information. The institution is also issuing complimentary credit monitoring to those whose personal information was exposed.

2018
December

University Of Connecticut Health Centre Data Breach

The University of Connecticut Health Center suffered a breach that compromised the information of more than 325,000 people. This occurred when an unauthorized third party accessed their systems when they gained access to employee email accounts in December 2018. An investigation was started concerning the incident. Some of the information exposed included names, birth dates, addresses, and billing details. The University has since issued notification letters to all affected patients and is offering free identity protection to 1,500 patients whose Social Security details have been revealed. There was also a helpline for patients open on Monday through Friday.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

State law requires businesses that hold or license information to provide notices for data breaches. Personal information is defined as any of the following:

  1. Social Security Numbers
  2. Driver's Licenses or State Identification Details
  3. Passport Numbers
  4. Credit Card or Debit Card Details
  5. Financial Account Numbers in combination with passwords or other ways to access
  6. Biometric Information
  7. Names, Email Addresses, and User Names in combination with passwords or other ways to access

Notices issued to consumers must be given no later than 60 days after the breach was discovered. The involved entities also have to notify the Office of the Attorney General within the same period. Businesses will fill out and submit an online form that addresses the most common questions.

Data breaches that have been sent to residents will include the entity's contact information, names, types of data exposed, and a description of the breach. For those data breaches that affect online accounts, they have to direct residents to the best way to protect their accounts, which is by changing passwords or taking security measures. In cases where breaches involved Social Security data or tax identification numbers, those affected have to be provided two years of complimentary identity theft protection.

Substitute notices can also be provided if the entity shows that the costs associated with giving notice are more than $250,000 or the number of affected individuals is higher than 500,000. These may also be issued if the business does not have everyone affected's up-to-date contact details. It can notify them using email, a conspicuous posting on the website, and alerts to the major statewide media outlets. There are cases when a notification of the affected people can be delayed, such as when it is in contravention of law enforcement investigations into the same matter.

Laws

  • Connecticut statute § 36a-701b refers to the laws of notification of data breaches in the state. It mandates that all who own, license, or maintain computerized data must disclose security breaches to all affected.
  • The Connecticut Data Privacy Act provides residents with particular rights to their data, and it establishes privacy protection and responsibilities for data controllers that process data.

Resources