
Massachusetts

Data breaches occur when an unauthorized party gains access to company or personal servers. Most cybercriminals retrieve this data for corporate or financial reasons. In Massachusetts, typical forms of data infiltration include phishing, malware, stolen identities, human error, and insider threats. Massachusetts ranks 21st in the United States in terms of the number of data breach victims. Despite its nearly average rank, the total losses were more than $80 million in 2022.

Identity Theft Statistics

Identity Theft Reports
  • State Rank (Reports per 100K Population): 23rd
  • Identity Theft Reports: 8,606

Fraud & Other Reports
  • State Rank (Reports per 100K Population): 29th
  • Total Fraud & Other Reports: 38,170

Fraud Losses
  • Total Fraud Losses: $25.7M
  • Median Fraud Losses: $288

Top Ten Report Categories

  • Imposter Scams: 23%
  • Identity Theft: 18%
  • Online Shopping and Negative Reviews: 7%
  • Telephone and Mobile Services: 6%
  • Banks and Lenders: 6%
  • Auto Related: 4%
  • Credit Bureaus, Information Furnishers and Report Users: 3%
  • Prizes, Sweepstakes and Lotteries: 3%
  • Debt Collection: 3%
  • Internet Services: 3%

Top Identity Theft Types

  • Credit Card Fraud: 32% (5,682)
  • Other Identity Theft: 30% (5,310)
  • Bank Fraud: 13% (2,385)
  • Employment or Tax-Related Fraud: 8% (1,330)
  • Loan or Lease Fraud: 7% (1,229)
  • Phone or Utilities Fraud: 5% (879)
  • Government Documents or Benefits Fraud: 5% (872)

Massachusetts Recent Biggest Data Breaches

2022
May

Diligent Corporation Data Breach

The company's security team determined a data breach event occurred on May 23, 2022. By the end of the following day, the incident was contained. The unauthorized party involved in this breach used the human resources department to access company files. They obtained names, email addresses, and Social Security numbers. In their initial report, the company indicated that 1,184 individuals were affected. The company also accepted responsibility for the breach and sent notices to the victims. To reduce the risk of similar events, Diligent strengthened its internal systems by moving the accessed files and shutting down irrelevant departments. Affected individuals have also been offered 24 months of credit monitoring.

2022
March

Comstar Ambulance Data Breach

Comstar, a vendor that handles invoices for ambulance transportation in Wilmington, Massachusetts, was the victim of a data breach in March 2022. A network review showed information belonging to 70,000 people was exposed during the attack. Shortly after discovering the breach, the entity notified the town concerning its intention to issue letters to the affected parties. Unfortunately, some of the affected individuals took legal action against Comstar.

2021
November

Medical Healthcare Solutions Data Breach

The Boston-based healthcare organization became the victim of a cyber attack on November 19, 2021. Initial assessments found that an unauthorized person accessed the network between October 1 and October 4, 2021. Some of the information exposed during the attack included dates of birth, phone numbers, Social Security numbers, financial account numbers, routing numbers, procedure types, and insurance ID numbers. The incident affected over 133,000 people, and Medical Healthcare Solutions indicated that notification letters would be issued.

2021
November

Creative Services Inc.

On November 26, 2021, CSI found that cyber criminals copied files without authorization as part of an attack. Data from 164,673 individuals was compromised during the attack. Information, including first and last names, Social Security numbers, dates of birth, and driver's license numbers, was exposed in the breach. A class action suit was subsequently filed against Creative Services after the breach. It resulted in a $1.2 million settlement to reimburse the affected individuals for all out-of-pocket losses.

2021
July

Rockland Trust

In July 2021, Rockland Trust experienced a data breach following a clerical error. This led to client information inadvertently being disclosed to other unauthorized parties. The company also filed a notice of a data security breach to the affected parties. Information revealed included names, addresses, and account numbers. As a financial services company, Rockland Trust provides banking, insurance, and investment products to entities or individuals through various offices. In the notice, the organization recommends that the affected parties monitor their accounts vigilantly over the next one to two years. That means renewing passwords and reviewing all mobile and telephone banking or account statements. The company also recommended that individuals update the Federal Trade Commission if they suspected identity theft.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03. Contain the Breach

Isolate the affected system to prevent further damage.

04. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and use two-factor verification as an additional layer of security.

07. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Data breach notification statutes in Massachusetts require businesses and others that own the personal information of state residents to notify the relevant parties in the event of a data breach. The affected residents must also be informed on the Office of Consumer Affairs and Business Regulation website.

This notice is to include:

  1. Information on how to request security freezes
  2. The consumer's right to get a police report
  3. Information on complimentary credit monitoring services
  4. Name of the organizations affected by the breach

It is also possible to suffer a breach from sensitive print material, which necessitates extra compliance. A privacy breach notification has to be issued to the attorney general, consumer reporting, or appropriate state agencies, if any. The notification will consider the following:

  1. The breach's nature
  2. The number of residents who have been affected by the breach.
  3. Steps that the person or the agency has taken to combat the incident and to remedy the situation for affected individuals.

Every entity or person that owns information concerning a resident of the commonwealth has to develop, implement, and maintain an information security program. Following a breach, it is essential that the entity involved develops or reviews a risk-based information security program that is written down. The standards for the protection of resident information would require each business to:

  1. Come up with an information security program and issue training
  2. Designate a security officer for the maintenance of the security plan
  3. Do an annual risk assessment
  4. Implement procedures for offboarding to prevent the terminated workers from accessing previous information.
  5. Encrypt all personal data in transit and at rest
  6. Patch firewalls and operating systems frequently

Laws

  • Massachusetts General Law Chapter 93H has specific notification requirements that businesses should know. That includes notifying all affected individuals of a data breach within a timely period. There should be no unreasonable delays.
  • In Chapter 93A, consumers can sue for damages under the unfair trade practices statute. That provides for treble damages when a person can assert a claim under this section in district court.
  • Chapter 444 is an act relative to consumer protection from security breaches. This statute allows customers to request security freezes on their consumer reports. This prohibits a consumer reporting agency from being able to reveal information in a report without the authorization of the said individual.

Resources