Massachusetts
Data breaches occur when an unauthorized party gains access to company or personal servers. Most cybercriminals retrieve this data for corporate or financial reasons. In Massachusetts, typical forms of data infiltration include phishing, malware, stolen identities, human error, and insider threats. Massachusetts ranks 21st in the United States in terms of the number of data breach victims. Despite its nearly average rank, the total losses were more than $80 million in 2022.
Identity Theft Statistics
Top Ten Report Categories
Top Identity Theft Types
Massachusetts Recent Biggest Data Breaches
Diligent Corporation Data Breach
The company's security team determined a data breach event occurred on May 23, 2022. By the end of the following day, the incident was contained. The unauthorized party involved in this breach used the human resources department to access company files. They obtained names, email addresses, and Social Security numbers. In their initial report, the company indicated that 1,184 individuals were affected. The company also accepted responsibility for the breach and sent notices to the victims. To reduce the risk of similar events, Diligent strengthened its internal systems by moving the accessed files and shutting down irrelevant departments. Affected individuals have also been offered 24 months of credit monitoring.
Comstar Ambulance Data Breach
Comstar, a vendor that handles invoices for ambulance transportation in Wilmington, Massachusetts, was the victim of a data breach in March 2022. A network review showed information belonging to 70,000 people was exposed during the attack. Shortly after discovering the breach, the entity notified the town concerning its intention to issue letters to the affected parties. Unfortunately, some of the affected individuals took legal action against Comstar.
Medical Healthcare Solutions Data Breach
The Boston-based healthcare organization became the victim of a cyber attack on November 19, 2021. Initial assessments found that an unauthorized person accessed the network between October 1 and October 4, 2021. Some of the information exposed during the attack included dates of birth, phone numbers, Social Security numbers, financial account numbers, routing numbers, procedure types, and insurance ID numbers. The incident affected over 133,000 people, and Medical Healthcare Solutions indicated that notification letters would be issued.
Creative Services Inc.
On November 26, 2021, CSI found that cyber criminals copied files without authorization as part of an attack. Data from 164,673 individuals was compromised during the attack. Information, including first and last names, Social Security numbers, dates of birth, and driver's license numbers, was exposed in the breach. A class action suit was subsequently filed against Creative Services after the breach. It resulted in a $1.2 million settlement to reimburse the affected individuals for all out-of-pocket losses.
Rockland Trust
In July 2021, Rockland Trust experienced a data breach following a clerical error. This led to client information inadvertently being disclosed to other unauthorized parties. The company also filed a notice of a data security breach to the affected parties. Information revealed included names, addresses, and account numbers. As a financial services company, Rockland Trust provides banking, insurance, and investment products to entities or individuals through various offices. In the notice, the organization recommends that the affected parties monitor their accounts vigilantly over the next one to two years. That means renewing passwords and reviewing all mobile and telephone banking or account statements. The company also recommended that individuals update the Federal Trade Commission if they suspected identity theft.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to Sign in to Accounts
If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Data breach notification statutes in Massachusetts require businesses and others that own the personal information of state residents to notify the relevant parties in the event of a data breach. The affected residents must also be informed on the Office of Consumer Affairs and Business Regulation website. This notice is to include:
- Information on how to request security freezes
- The consumer's right to get a police report
- Information on complimentary credit monitoring services
- Name of the organizations affected by the breach
It is also possible to suffer a breach from sensitive print material, which necessitates extra compliance. A privacy breach notification has to be issued to the attorney general, consumer reporting, or appropriate state agencies, if any. The notification will consider the following:
- The breach's nature
- The number of residents who have been affected by the breach.
- Steps that the person or the agency has taken to combat the incident and to remedy the situation for affected individuals.
Every entity or person that owns information concerning a resident of the commonwealth has to develop, implement, and maintain an information security program. Following a breach, it is essential that the entity involved develops or reviews a risk-based information security program that is written down. The standards for the protection of resident information would require each business to:
- Come up with an information security program and issue training
- Designate a security officer for the maintenance of the security plan
- Do an annual risk assessment
- Implement procedures for offboarding to prevent the terminated workers from accessing previous information.
- Encrypt all personal data in transit and at rest
- Patch firewalls and operating systems frequently
Laws
- Massachusetts General Law Chapter 93H has specific notification requirements that businesses should know. That includes notifying all affected individuals of a data breach within a timely period. There should be no unreasonable delays.
- In Chapter 93A, consumers can sue for damages under the unfair trade practices statute. That provides for treble damages when a person can assert a claim under this section in district court.
- Chapter 444 is an act relative to consumer protection from security breaches. This statute allows customers to request security freezes on their consumer reports. This prohibits a consumer reporting agency from being able to reveal information in a report without the authorization of the said individual.
Resources
- Comstar Ambulance Billing Security Breach
- Assigned Data Breach Number - 28961 - Rockland Trust
- Diligent Notice of Data Breach
- Requirements for Data Breach Notifications
- The 193rd General Court of the Commonwealth of Massachusetts: Chapter 93H
- The 193rd General Court of the Commonwealth of Massachusetts: Chapter 93A: Regulation of Business Practices For Consumers Protection
- The 193rd General Court of the Commonwealth of Massachusetts Chapter 444 An Act Relative to Consumer Protection from Security Breaches
- Creative Services, Inc. - Notice of Data Event - MA OCABR