Kentucky
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Kentucky’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches occur when an unauthorized party accesses sensitive or personal information for its own interests. This information is usually resold or held for ransom for financial gain. Human error is often an enabler of data breaches. In Kentucky, hackers may get most of the spotlight, but most of their success comes from laxity. The most common types of data breaches in the state include loss of critical information-bearing equipment, social engineering or phishing attacks, stolen passwords, and accidental sharing of personal information. That said, Kentucky ranks 31st in America by number of victims, and it lost $48,746,051 in 2023. The most affected sectors over the previous years were healthcare, education, and technology-related service providers.
Identity Theft Statistics
[Charts: Reports; Losses]
Top Ten Report Categories
Top Identity Theft Types
Kentucky's Recent Biggest Data Breaches
Norton Healthcare ransomware attack
In December 2023, Norton Healthcare filed a notice of a data breach following a ransomware incident in May of the same year. An unauthorized party was able to access information, including names, birth dates, health data, Social Security numbers, insurance data, and medical and financial account numbers. As a result of the breach, the data of 2.5 million patients was exposed. Lawsuits were filed against the Louisville-based healthcare institution because it did not implement the proper security measures. Norton also notified law enforcement and terminated all unauthorized access.
Campbell County Schools Ransomware Attack
Campbell County School District became the target of a ransomware event that disrupted the functioning of its network. Though the district did not specify when the incident occurred, it did clarify that an investigation into the cause and nature of the attack was launched. The investigation determined that the files accessed included Social Security and financial account numbers of school employees. Campbell County School District also began mailing notification letters to all those affected on December 14th, 2023. These notices explained how those affected could protect their data by enrolling in identity monitoring services that had already been provided.
CorrectCare Integrated Health, Inc. Network Server Breach
In July 2022, CorrectCare determined that two file directories on its web servers were accidentally exposed to the internet. The directories held the health information of particular individuals who were imprisoned. The files exposed included names, inmate numbers, birth dates, diagnostic codes, treatment providers, and dates of treatment. With the assistance of cybersecurity experts, the organization implemented steps to enhance system security and protect client information. In addition to addressing concerns, the institution also provided a 12-month complimentary identity protection service to those directly affected.
University of Kentucky Data Breach
In June 2021, the University of Kentucky indicated that it had discovered a security breach in one of its test-taking platforms. The breach affected the Digital Driver's License platform that the university initiated as part of its Open Source Tools for Instructional Support program. The university reviewed its database and found that usernames, emails, and passwords for the website were stored in the database. The database, though, did not collect birthdates or financial information. For all individuals' security, the university turned off all passwords, and students will have to reset their password the next time they use the account.
Cabinet for Health and Family Services
The Cabinet for Health and Family Services experienced a data breach in July 2012 when an employee responded to a phishing email sent by a hacker. This resulted in unauthorized activity on the account, which was identified within half an hour. A spokesperson for the organization indicated they were quite confident that none of the information was used for nefarious purposes. However, officials could not verify that no confidential information was accessed via email accounts, and the attack was still a viable threat. The Cabinet had to notify 2,500 clients of the potential breach in accordance with the state's notification statutes.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes ongoing fraud only becomes apparent when you notice certain signs. These danger signs apply to both individuals and businesses.
Unfamiliar Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards or Loans in Your Name
A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.
Surprise Credit Score Drops
Sudden credit score drops with no obvious cause are a sign of suspicious activity.
Unusual Activity on Your Social Security Account
The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without consent.
Inability to Sign in to Accounts
If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
In Kentucky, any information holder is required to notify individuals who are potentially impacted upon discovery of a data breach. The information must also be disclosed at the most suitable time possible and without unreasonable delay. Notice may be written, electronic, or substitute. An electronic notice is allowed if the notice is consistent with provisions concerning electronic records and signatures. Substitute notices are also permitted if standard notices would cost the information holder more than $250,000 or if more than 500,000 individuals must be notified. Substitute notices may include a conspicuous posting of the notice on the company's website, an email notice when the information holder has a recorded email address, or notification through the main statewide media.
Notification of the individuals affected by a data breach may be delayed if a law enforcement agency finds that it would impede an ongoing criminal investigation. In the case of a delayed notification, a full notification would still have to be made immediately following the investigation.
If the breach affects more than 1,000 people, business entities must also notify consumer reporting agencies and credit bureaus of the event.
Laws
- Code KRS 365.732 concerns the notification of those directly affected following a security breach involving their personal information.
- Code 61.932 on Personal information security and breach investigation procedures concerns breach notification requirements and protocols for businesses as well as third parties. Reasonable security and breach procedures, as implemented by organizational units of the state governments, are to be set by the Commonwealth Office of Technology.
- Kentucky code HB 474 is an insurance data security law that requires the state's licensed insurers to develop and implement security programs. They must also investigate cybersecurity incidents and notify the insurance commissioner and other clients of any data breach events.
Resources
- A Quick Guide to Top Secret Personal Information and Data Breach Awareness
- Campbell School District - Ransomware Incident Notice
- 365.732 Notification to affected persons of a computer security breach involving their unencrypted personally identifiable information
- 61.932 Personal information security and breach investigation procedures and practices for certain public agencies and nonaffiliated third parties
- Kentucky General Assembly House Bill 474