Georgia
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Georgia’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches are security violations that occur when an individual's or group's information is copied, transmitted, altered, or stolen by unauthorized parties. They can involve stolen identities, malware, ransomware, hacking, and phishing. Georgia ranked ninth in the United States, with 13,415 victims in 2022. Total victim losses were $322,638,566. Unfortunately, these numbers do not suggest a reduction in losses in the coming years. Cybercriminals in the state have mainly targeted educational and healthcare facilities, as well as government institutions. Several of these breaches were network-oriented or focused on infiltrating the email accounts of crucial personnel.
Identity Theft Statistics
[Charts: Reports; Losses]
Top Ten Report Categories
Top Identity Theft Types
Georgia's Recent Biggest Data Breaches
Palmetto GBA, Georgia CMS Data Breach
In January 2023, Palmetto GBA, a contractor that settles Medicare claims on behalf of Georgia CMS, experienced a programming problem with its print mail services. As a result, the Medicare Summary Notices (MSNs) for the final quarter of 2022 were mailed to other beneficiaries in the same zip code. CMS worked with Palmetto GBA to identify the people affected. The error resulted in 10,011 MSNs intended for beneficiaries in Alabama being sent to the wrong recipients. The information compromised included names, claim numbers, dates of service, the last four digits of Medicare Beneficiary numbers, and procedure descriptions with their billing codes.
Urology Of Greater Atlanta, LLC Network Server Breach
On October 7th, 2022, the Urology Center in Atlanta notified the US Department of Health and Human Services that it had suffered a data breach. The notification came after the institution detected suspicious activity within its network. It confirmed unauthorized access in which information was reviewed and removed from its computer systems. As a result, it is estimated that 79,795 individuals were affected by the breach. Unfortunately, the extent of the information stolen from the organization's databases is not known.
State Bar of Georgia Data Breach
In April 2022, the State Bar of Georgia fell victim to a ransomware attack. According to a representative, no monetary demand was initially made. At first, the bar also claimed there was no evidence that personal data was compromised, but a statement released in the following weeks revealed some information on current and former employees. This included addresses, dates of birth, names, Social Security numbers, direct deposit information, and license numbers. The bar claimed that some defenses and security protocols in place were evaded, hence the attack's success. However, affected individuals were offered free credit monitoring and identity protection services.
Georgia Secretary of State Office Phishing Scam
In January 2022, Georgia Secretary of State Brad Raffensperger gave a statewide notification indicating a phishing scam where cyber criminals were masquerading as representatives from his office. The secretary of state's Corporations Division got complaints of emails pretending to be from their office informing the recipient their annual registration had been successfully processed by the secretary of state's office. The emails had .zip file attachments with the intention that recipients open the attachments. How many individuals have fallen victim to the phishing scam and the information compromised is unclear.
Georgia Department of Human Services Data Breach
The Georgia Department of Human Services experienced a data breach in May 2020 when hackers gained unauthorized access to employee email accounts. DHS also found that the attackers could retain certain emails containing personally identifiable information. The information compromised depended on the individual, though it included full names of children, members of the household, DFCS case numbers, dates of birth, ages, and counties of residence. DHS contacted all affected clients directly and provided instructions on how they could protect themselves from further issues. Unfortunately, the state did not disclose how many people were directly affected by the data breach.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to Sign-in to Accounts
If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
In Georgia, businesses are required to give notice of any breaches to their systems if they maintain the computerized data of stakeholders. It should be done immediately following the discovery of the breach. The notification requirements extend to consumer reporting agencies if an organization discovers that it must notify more than 10,000 residents in the state at once. While meeting these requirements, businesses must also notify all consumer reporting agencies concerning the timing, distribution, and content nature of these notices.
Notices to the public and reporting agencies may be done in three ways:
- Written notices
- Electronic notice, if it is consistent with the provisions on electronic records and signatures in 15 U.S.C. § 7001
- Telephone notices
Third-party notification should also be sent if the business maintains computerized data on an organization's behalf. If the vendor experiences a breach, they notify the client within 24 hours of the discovery.
There are instances where substitute notices are allowed, though, if the cost of issuing the notice conventionally is more than $50,000. Similarly, if the affected group is more than 100,000 people, substitute methods may be employed, especially if the organization does not have sufficient information to issue notices. Substitute notices can be issued in the following manner:
- A conspicuous posting of the notice of the breach on the company's web page.
- Notification to statewide media outlets
- Email notices if the entity has all email addresses of the people affected by the breach.
Laws
- The Georgia Personal Identity Protection Act of 2007 covers the protection of personal information, that is, an individual's name, Social Security number, driver's license, credit card number, account password, or other access codes.
- Ga. Code Ann. §§ 10-1-910 to -912 define the problem of identity theft. They also endorse the implementation of technology security plans and software as part of security policies to protect clients as well as the public. Information brokers must also define standards for users of their data so breaches are easily identified.
- O.C.G.A. 10-1-912 (2010) provides that an entity maintaining computerized data that includes the personal information of individuals shall give notice of any breach of security, following notification of the breach in the security of the data, to any resident of the state whose unencrypted personal information was believed to have been acquired by an unauthorized person.
Resources
- DHS notifies customers about breach of confidential information
- Cyber Scam Alert: Secretary Raffensperger Warns Georgians About Corporate Registration Phishing Scam
- Centers for Medicare & Medicaid Services-Department of Health & Human Services
- Getting notified following a data breach
- Senate Bill 236
- Data Breach Response Policy - ODIS - Georgia.gov
- Georgia General Assembly