Indiana
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Indiana’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Indiana state law considers data breaches as the unauthorized acquisition of computerized data leading to the compromise of confidentiality, security, or integrity of personal information that business entities have maintained. Data breaches are motivated by financial gain where the cybercriminals access and sell the information to third parties. Indiana's most common forms of data breaches are phishing, hacking, malware, identity theft, and ransomware. Indiana ranked 15th in the nation in terms of victims in 2022. The total losses incurred were over $73 million the same year. Financial, beauty, and medical sectors were the most affected sectors in terms of data breaches within the state.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Indiana's Recent Biggest Data Breaches
Indiana Medicaid Data Breach
Indiana Family and the Social Services Administration announced software linked to a contractor of theirs suffered a data breach. Unfortunately, 744,000 members of the state's Medicaid platform had their information exposed due to the breach. The information revealed included names, addresses, case numbers, and Medicaid numbers. The contractor, Maximus Health Services, alerted the state's Family and Social Services Association concerning the breach. Those affected also received a communication from the institution concerning the breach regarding selecting a managed care entity.
1st Source Banks
Ist Source Bank, an Indiana-based bank, experienced a data breach where some of the client data, including personal and health information, was exposed. 1st Source Bank first became aware of an alert in June 2023. However, in September, a third-party assessor confirmed that information belonging to individuals associated with the bank was acquired without authorization. The data breach affected 450,000 consumers. 1st Source is still working to notify the affected personnel of this incident. Company developers have also taken remediation measures to enhance data security.
Allied Urological Services, LLC Data Breach
Allied Urological Services indicated they experienced a data breach following an unauthorized access to patient data. The company reviewed all emails and attachments when they discovered sensitive consumer information could be accessed. This attack affected 52,981 people. Though the breached information varies depending on the person, it includes names, addresses, and financial account data. That includes bank account or credit card numbers. The company also sent breach notification letters to everyone whose information was taken because of the incident.
Indiana State Medical Association Data Breach
In 2015, the Medical Informatics Engineering company, a provider of electronic medical records software and services, experienced a data breach. A group of hackers used a compromised username and password to access a server that had the protected health information of more than 3 million people. The hackers could access the network for 19 days in May. The Office for Civil Rights found that the MIE did not do an accurate risk analysis to determine potential data integrity risks. They opened a case against the organization for the breach. Medical Informatics Engineering also paid $100,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services.
Indiana University Data Breach
In 2014, Indiana University experienced a data breach that exposed the information of 146,000 students and recent alumni. The data breach was initiated by three automated computer data mining applications known as WebCrawlers. Some potentially exposed information included Social Security numbers, birthdates, names, addresses, and degree information. The university released a statement indicating it takes the security of all its data, particularly those of its students, seriously. It did not offer credit monitoring services, and there is no evidence that it was a targeted attack.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
The Indiana security breach statute gives residents the right to ascertain if a breach has resulted in information exposure. The information covered by the statutes
includes Social Security numbers, names, driver's license numbers, state identification numbers, credit card numbers, and financial account numbers. Following a breach affected consumers should be notified immediately. That is without unreasonable delay. The law also stipulates that affected individuals would be reported using the following methods: telephone notification, electronic mail notice, telephonic notification, or facsimile.
Businesses must also notify the Office of the Indiana Attorney General following a data breach. Failure to do so would result in penalties under the breach notification statute. If more than 1,000 Indiana residents are to be notified, consumer reporting agencies must also be alerted concerning the data breach. The law provides for exceptions to notification requirements or substitutes. One exception occurs if the business shows the Indiana attorney general that the cost of providing regular notice would exceed $250,000 or the affected individuals would be more than $500,000. When the costs are too high for a traditional notification, the substituted notification would include conspicuous posting on the entry's website and notifying the relevant media outlets. Indiana's attorney general can also seek relief against businesses for violating the law. If the court determines this consideration violated, there may be a civil penalty of not more than $150,000 per criminal act.
Laws
- Code Ann 4-1-11 provides particular requirements of penalties that would be applied for government agencies. That applies to consumer reporting agencies if the number of individuals affected is more than 1,000.
- The Indiana Code § 24-4.9-3-1. Disclosure of Breach deals with knowledge concerning the breach. If the database owner knows or should have known the unauthorized acquisition entailing the breach resulted in or could result in identity theft, then they must make a disclosure. If the database owner makes a disclosure, they must also disclose the breach to the attorney general.
- The disclosure of security breach law provides residents with the right to know the time a breach has resulted in the exposure of personal information in Indiana.
Resources
- Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019
- FSSA News Release
- Indiana Attorney General Todd Rokita; Security Breach FAQs & Notification Form for Businesses
- Indiana Attorney General Todd Rokita: Security Breaches
- Survey of Indiana Cyber Laws
- Indiana General Assembly 2024