1. Home
  2. States
  3. New Mexico

New Mexico

A data breach can occur when an unauthorized party accesses sensitive or personal data. These incidents have risen over the past decade due to society's increasing dependence on technology. New Mexico may have a lower-than-average population, but data breaches still significantly affect it. In 2023, it ranked 36th in the number of victims affected due to a violation. The losses sustained that year accumulated to $45,127,386. Most of the targeted areas in the state relate to healthcare, government, or educational institutions rather than small and medium-sized businesses.

Identity Theft Statistics

Identity Theft
Reports
29TH
State Rank (Reports per 100K Population)
2,088
Identity Theft Reports
Fraud & Other
Reports
26TH
State Rank (Reports per 100K Population)
11,948
Total Fraud & Other Reports
Fraud
Losses
$11.2M
Total Fraud Losses
$390
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
24%
Identity Theft
15%
Telephone and Mobile Services
7%
Prizes, Sweepstakes and Lotteries
6%
Online Shopping and Negative Reviews
5%
Debt Collection
5%
Banks and Lenders
5%
Credit Bureaus, Iformation Furnishers and Report Users
4%
Auto Related
4%
Health Care
2%

Top Identity Theft Types

24%
933
Credit Card Fraud
18%
690
Other Identity Theft
18%
679
Employment or Tax-Related Fraud
16%
597
Bank Fraud
10%
396
Loan or Lease Fraud
7%
263
Phone or Utilities Fraud
7%
259
Government Documents or Benefits Fraud

New Mexico's Recent Biggest Data Breaches

2023
July

New Mexico Department of Health

In July 2023, the New Mexico Department of Health discovered that one of their donations to Habitat for Humanity had files with personal information, thereby exposing some patients. Its internal team moved to contain the breach and stop unwanted access to company systems. Habitat also implemented an investigation to ascertain the main scope of the incident. A review of the information revealed that names, addresses, medical records, patient identification numbers, and clinical data were among those that were stolen. At the time, the department claimed it had no evidence to show the exposed data had been misused in any way whatsoever. However, Habitat for Humanity representatives issued notifications to the 637,300 individuals who were affected by the breach. Complimentary credit monitoring and identity theft protection were also provided to the relevant group.

2023
June

Blue Cross and Blue Shield of New Mexico

In June 2023, Blue Cross and Blue Shield discovered unauthorized access to its systems. Immediately, the company discovered personal data was being accessed without its knowledge; TMG Health moved to secure the systems and block further disclosures. TMG also notified local law enforcement to mitigate the event. Information revealed included names, email addresses, birth dates, phone numbers, Social Security data, bank account details, and medical records. The facility also recommended that those affected regularly check their financial accounts. They also provided a year of complimentary personal identity and privacy protection to all involved from the beach.

2022
October

New Mexico State Regulation and Licensing Data Breach

In October 2022, the New Mexico State Regulation and Licensing Department (NM RLD) overseeing business licenses became the target of a cyber-attack. There was evidence of unauthorized access to the agency's systems, though the department did not indicate to which level. NM RLD's cybersecurity professionals worked with experts to protect their staff and consumer base. Following the initial investigation, the department found that accounts belonging to 225,000 individuals may have been accessed. They also indicated that types, including names, addresses, Social Security numbers, and other identifying details, might have been compromised. The licensing and regulation department continued to work with law enforcement and notified everyone affected by the breach.

2021
October

True Health Data Breach

In October 2021, a phishing attack allowed an unauthorized party to access the personal health information of TrueHealth's customers and personnel. Initial investigations showed that the affected data included names, birth dates, medical records, and patient and treatment information. There was no evidence of data misuse at the time, though notification letters were issued to the 62,983 impacted members of True Health's plans. The company also offered complimentary credit monitoring and identity theft protection to this group.

2020

San Juan Regional Medical Centre Data Breach

In the fall of 2020, San Juan Regional Medical Centre determined that an unauthorized party had accessed its files. This resulted in the exposure of the personal information of 68,792 patients. The data was attained from San Juan's billing records. Some exposed information included Social Security details, financial accounts, driver's licenses, and health insurance data. That said, the electronic medical record system was allegedly not affected due to the breach. It took the hospital more than a year to inform the affected patients. The hospital also implemented tighter safeguards to its network to prevent further inappropriate access.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

All businesses or entities that license or handle personal information in New Mexico must notify affected clients in the event of a data breach. New Mexico state law indicates that personal data includes names in combination with driver's licenses, Social Security numbers, account numbers, and biometric details. They are to notify individuals within the most expedient time, meaning it should not be later than 45 days after discovering a breach. If the number of those to be notified is more than 1,000, then the business must inform the attorney general's office and other consumer reporting agencies.

Businesses are permitted to issue notices via written or electronic means. Substitute notices are also permitted if the notification expense exceeds $100,000 or if over 50,000 individuals were affected. Similarly, a substitute notice can be issued if the entity does not have sufficient contact information for the consumers involved in the breach. Substitute notices may issued via a conspicuous posting on the entity's website, notifying state media outlets as well as, the state attorney general. In the event of a data breach, the state attorney general can issue remedies by injunction or exacting damages on the company that violates the issued laws.

Laws

  • The New Mexico Consumer Information Privacy Act relates to consumer protection, issuing definitions, and establishing consumer rights. It also establishes obligations for the businesses that collect or utilize personal data.
  • New Mexico Statutes Section 57-12C-6 (2021) deals with the notification of individuals when there is a data breach. People or groups licensed to possess a resident's computerized information shall notify the owner of any security breach within an expedient time.
  • New Mexico's Trade Practices Act mandates that unfair or misleading business practices are prohibited. This law prevents unfair, competitive, or deceptive types of business practices. It also investigates complaints on these practices and issues remedies to the aggrieved parties.

Resources