Idaho

Data breaches occur when an unauthorized party infiltrates individuals' personal or sensitive information. These breaches may occur due to accidental or intentional actions to infiltrate and expose information entrusted to a business. Breaches may come in the form of phishing, hacking, malware, denial of service, or ransomware. In Idaho, data breaches are a costly problem. Despite ranking 42nd in the nation in number of victims, the state lost $50,631,580 in 2023. Breaches in the last few years have been related to the finance, medical, and local government sectors.

Identity Theft Statistics

Identity Theft
Reports
37TH
State Rank (Reports per 100K Population)
1,420
Identity Theft Reports
Fraud & Other
Reports
34TH
State Rank (Reports per 100K Population)
9,460
Total Fraud & Other Reports
Fraud
Losses
$7.3M
Total Fraud Losses
$332
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
25%
Identity Theft
13%
Telephone and Mobile Services
7%
Online Shopping and Negative Reviews
6%
Prizes, Sweepstakes and Lotteries
5%
Banks and Lenders
4%
Debt Collection
4%
Credit Bureaus, Iformation Furnishers and Report Users
3%
Auto Related
3%
Internet Services
3%

Top Identity Theft Types

29%
754
Credit Card Fraud
20%
520
Other Identity Theft
16%
404
Bank Fraud
12%
311
Employment or Tax-Related Fraud
11%
279
Loan or Lease Fraud
10%
246
Phone or Utilities Fraud
3%
67
Government Documents or Benefits Fraud

Idaho's Recent Biggest Data Breaches

2023
November

TIAA-CREF Life Insurance Company Data Breaches

In November 2023, TIAA-CREF Life Insurance Company became aware that it had suffered a cybersecurity incident that prevented its ability to process transactions and other administrative services. The company immediately disconnected and isolated the systems, disrupting the operational support of TIAA. Via TIAA, McCamish sent an email to all of the affected clients to start the business recovery process. TIAA also requested that McCamish's executive leadership attest to a clean environment. TIAA could not determine the scope of personal information, which was compromised as it varied from one individual to the other. In most cases, it included names, birth dates, life insurance numbers, finance account numbers, medical details, and annuity contract numbers. 1,300 members of TIAA life insurance were informed of the data breach.

2023
July

HCA Healthcare Data Breaches

In July 2023, HCA Healthcare determined that information belonging to some of its customer base was made available by an unauthorized party. It was from a storage location utilized to automate email message formatting. The review also found that the exposed documentation contained names, zip codes, emails, birth dates, gender, and the dates of the next appointments. Upon discovering the incident, HCAHealthcare disabled access to the storage location. HCA reported the event to law enforcement and engaged third-party experts for investigative assistance. Customers were also afforded complimentary credit monitoring and identity protection for two years.

2023
April

Idaho Department of Health and Welfare Data Breaches

On April 18th, 2023, unauthorized individuals accessed a payment account that belonged to a Medicaid Provider. Gainwell, the vendor offers fiscal agent options for the Division of Medicaid. Following the discovery of the breach, Gainwell stopped access to its files and immediately began an investigation. It also notified the Federal Bureau of Investigation. The investigation revealed that 2,501 members were directly affected. Member names, billing codes, dates for service, and member identification were compromised. Gainwell and the Idaho Department of Health and Welfare also notified those affected. Free identity theft protection and credit monitoring were also provided to those exposed.

2023
January

City of Waynesboro Data Breaches

In January 2023, the City was alerted to the unusual activity in their network. The City immediately started investigating the incident and protected the network from additional compromise. The city also notified law enforcement agencies and began an investigation to determine the scope of the threat. The investigation showed that names, passport numbers, Social Security numbers, and financial accounts were accessed. The City of Waynesboro indicated that it takes the confidentiality and privacy of its residents seriously. The city also implemented security measures to protect the confidentiality of vendors, employees, and residents.

2021
August

Twin Falls County, Idaho Data Breaches

In August 2021, Twin Falls County discovered unauthorized activity on its systems. The county officials immediately began investigations to determine the scope of the incident. A ransomware attack limited the County's phone networks for a few days. The County Commissioner, Jack Johnson did not say how much the hackers were demanding, as it was an ongoing investigation. He did issue a statement indicating they were restoring everything and getting it up and running. The County did not provide further information on the breach but solved the issue within a short period.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

According to state law, all businesses must notify their customer base in case of a data breach if it involves their personal data. Personal information is defined as first or last names in combination with driver's licenses, Social Security, and financial account numbers. Data breaches must be reported within the shortest time possible without unreasonable delay. Delay in this case would only be allowed if doing the notification will interfere with an ongoing law enforcement investigation.

Notices to the affected parties can be issued by written notice to the most recent address, telephone, or electronically if it is consistent with the provisions regarding these records. A substitute notice is also possible if the entity demonstrates the cost of providing the notice is more than $25,000 or the number of those affected is more than 50,000. Similarly, if the business does not have enough contact details for the people affected, it can be allowed to provide a substitute notice. The substitute notice is done via email and must be conspicuously posted on the business's website page. It can also be via a notice to major statewide media. If an entity maintains its notice protocols for treating personal information and they are consistent with the statutes of Idaho then it will be found to comply.

Laws

  • Title 28 Chapter 51 of Idaho regulations defines security breach as the illegal obtaining of unencrypted information that compromises the confidentiality and integrity of personal information. That is where the personal information is maintained by an agency, person, or commercial enterprise.
  • Idaho Code 28-51-105(1) requires that a public agency is required to notify the attorney general's Office within 24 hours of the discovery of a breach within its system. If a commercial entity has experienced a data breach, they are not required to notify the attorney general's office.
  • Title 48 Monopolies and Trade Practices prohibits deceptive business practices such as false advertising. It also provides a mechanism for investigating complaints of patterns of illegal activity in trade and commerce.

Resources