Illinois
Data breaches are defined as the unlawful procuring of personal data that would compromise an individual's or group's security and confidentiality. The most common types in Illinois are identity theft, phishing, malware, and ransomware. Though legislation has taken an aggressive approach to combat these problems, cases are still rising. According to the FBI Internet Crime Complaint Center, 96 organizations in the state reported data breach incidents in 2022. This figure is more than double the 41 breaches reported in Illinois the previous year.
Identity Theft Statistics
Top Ten Report Categories
Top Identity Theft Types
Illinois' Recent Biggest Data Breaches
Illinois Department of Public Health
The Illinois Department of Public Health filed a data breach notice when it discovered that information belonging to individuals had been compromised. The attacker hacked a targeted network server, though it is not yet clear whether the target was the Department of Public Health. The IDPH did not specify the compromised files to show which information was leaked. However, the breach affected an estimated 126,000 individuals. In August 2023, the Department of Public Health also sent letters to individuals whose information had been compromised because of the breach.
Perry Johnson & Associates, Inc. (PJ&A) and Cook County Health
Perry Johnson & Associates notified Cook County Health of a data breach on May 2, 2023. They notified the agency on July 26, indicating that an unauthorized party had accessed and exfiltrated information concerning Cook County Health patients. Estimates suggest that the data breach affected as many as 1.2 million patients. Cook County Health released a statement that it had terminated its relationship with the vendor. It is also in the process of mailing notifications to the affected individuals.
Morris Hospital
Morris Hospital discovered in April 2023 that it had experienced a data breach. It disclosed that the incident affected 248,943 patients. According to the investigation, forensic evidence showed that, before the breach, data had been exported to an external cloud platform by an unauthorized party. These exports contained files with information on current and former patients of the hospital. The investigation also revealed that addresses, birth dates, medical records, Social Security numbers, and diagnostic codes were exposed. When Morris Hospital became aware of the incident, it reset all employee accounts and suspended mobile email access. It also mailed a notice to individuals whose information might have been affected by the breach.
Illinois Department of Transportation
From April 6 to April 14, 2022, documents with personal data about IDOT employees were placed on the internal website. The personal data were not visible to all users, but access restrictions were not properly set. When the department discovered the file, it removed it from InsideIDOT and started an investigation. It also coordinated its assessment with the Department of Innovation and Technology. The assessment found no conclusive evidence that the personal information of members was revealed to the public, apart from the original discoveries. Information within the file included employee identification numbers, first and last names, and Social Security data.
Illinois Attorney General's Office
On April 10, 2021, the Attorney General's office determined that its computer networks had been compromised by a ransomware attack. A subsequent investigation sought to determine what information was exposed and who was affected. Though the office was not able to state with certainty, preliminary investigations indicated that personal information, such as email addresses, names, Social Security numbers, and other account information, was compromised. The review is ongoing, and the Attorney General's office has not yet compiled a complete list of those affected.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards or Loans in Your Name
A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.
Surprise Credit Score Drops
Sudden credit score drops with no obvious cause are a sign of suspicious activity.
Unusual Activity on Your Social Security Account
The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without your consent.
Inability to Sign in to Accounts
If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, Social Security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Businesses in Illinois are required by law, under 815 Ill. Comp. Stat. 530/5, to notify residents at no charge that a breach has occurred immediately following its discovery. They are required to do so in an expedient manner, no later than when the data collector gives notice to consumers.
Organizations, including state agencies, must notify the attorney general concerning data breaches involving more than 250 residents. They are required to give certain information to the attorney general, such as:
- The number of people affected at the time of the notification
- Types of personal data compromised during the breach
- Date and time of the breach
- Steps that the organization intends to take following notice of the breach
Personal information is defined as any of the following:
- Social Security number
- License numbers or state identification digits
- Health insurance information
- Biometric information formed from human body characteristics used to authenticate an individual
- Usernames or email addresses, along with passwords or security questions
There are exceptions to the notification policies. If an organization maintains its own notification procedures as part of its security policies, and those procedures are consistent with the timing requirements of the regulation, then it will be found compliant.
Laws
- The Illinois Personal Information Protection Act identifies personal information such as a person's name, Social Security number, driver's license, financial account details, medical data, and health insurance.
- The statute indicates that notices must be made within the most suitable time possible.
- Breached third parties also have to notify the data owners or licensees following the discovery.
- According to 815 ILCS 530/12, any state agency with personal information on Illinois residents has to notify the resident at no charge that there was a breach.
- The Biometric Information Privacy Act (740 ILCS 14/) concerns private entities possessing biometric identifiers. It mandates that organizations within this category develop written policies establishing a retention schedule and guidelines for destroying biometric identifiers when the purpose for their collection has been satisfied.
Resources
- (740 ILCS 14/) Biometric Information Privacy Act
- (815 ILCS 530/) Personal Information Protection Act
- Office of the Illinois Attorney General Kwame Raoul: For Businesses, Data Breach Reporting for Businesses and State Government Agencies
- Office of the Illinois Attorney General Kwame Raoul: Data Breach
- Data Breach Information
- Notice of Data Security Incident