Ohio

A data breach is defined as the unauthorized access and acquisition of data leading to the compromise of security or confidentiality of the personal information of an entity or person. Because they are custodians of personal information, organizations in Ohio are frequently targeted by cybercriminals. Ohio's most common data breach types include online scams, phishing, identity theft, and malware. According to the Federal Bureau of Investigation's 2022 report, Ohio ranked seventh among states afflicted by breaches in the United States, with 13,659 victims.

Identity Theft Statistics

Identity Theft Reports
  • State Rank (Reports per 100K Population): 26th
  • Identity Theft Reports: 13,788

Fraud & Other Reports
  • State Rank (Reports per 100K Population): 18th
  • Total Fraud & Other Reports: 72,903

Fraud Losses
  • Total Fraud Losses: $32M
  • Median Fraud Losses: $240

Top Ten Report Categories

  • Imposter Scams: 19%
  • Identity Theft: 16%
  • Telephone and Mobile Services: 6%
  • Debt Collection: 6%
  • Prizes, Sweepstakes and Lotteries: 5%
  • Online Shopping and Negative Reviews: 5%
  • Banks and Lenders: 5%
  • Auto Related: 5%
  • Credit Bureaus, Information Furnishers and Report Users: 5%
  • Internet Services: 3%

Top Identity Theft Types

  • Credit Card Fraud: 26% (9,172)
  • Other Identity Theft: 18% (6,499)
  • Government Documents or Benefits Fraud: 18% (6,320)
  • Bank Fraud: 15% (5,523)
  • Loan or Lease Fraud: 10% (3,611)
  • Employment or Tax-Related Fraud: 8% (2,865)
  • Phone or Utilities Fraud: 5% (1,818)

Ohio's Recent Biggest Data Breaches

March 2022

Parker-Hannifin Corporation Group Health Plans

Parker Hannifin Corp is a manufacturer of aerospace hydraulic equipment. In March 2022, it fell victim to a ransomware attack, which resulted in the theft of personal data of 119,513 individuals. The stolen information included names, dates of birth, Social Security numbers, US passport numbers, driver's licenses, dates of coverage, and enrollment information. Parker first detected the activity within its IT systems between March 11 and 14. Due to the nature of the incident and the number of people affected, the organization offered those involved two years of identity theft protection.

March 2022

Allwell Behavioral Health Services Network Server Breach

Allwell Behavioral Health had a breach on March 5, 2022, in which cybercriminals stole sensitive data. The company admitted that names, dates of birth, Social Security numbers, and phone numbers were part of the stolen information. The breach affected 29,972 individuals. The company then became involved in a legal battle when it was served with a class action suit. Though it admitted no wrongdoing, the company settled for $650,000 in payment to the affected individuals.

April 2022

City of Cincinnati Health Plan

In April 2022, the city of Cincinnati was subject to a data breach that may have affected the personal information of current and former employees. It discovered that a Request for Proposal for dental and vision services that included participant census information had been posted on the city's procurement sites. The exposed data included names, home addresses, vision or dental insurance data, Social Security numbers, and banking information. The city issued a notification alert on its website and to those potentially affected by the incident, whose number estimates suggest may be 9,700. It also recommended vigilance against fraud and identity theft by monitoring all statements received.

2022

New Creation Counseling Center Network Server Breach

In 2022, New Creation Counseling Center patients in Ohio fell victim to a data breach when patient and IT systems were compromised. Unfortunately, this attack affected 24,000 individuals. The information exposed included telephone numbers, addresses, names, birth dates, and health insurance data. Patients have been encouraged to seek legal redress following the incidents, but there have not been any indictments as yet.

November 2011

Southern Ohio Medical Center Network Breach

Southern Ohio Medical Center experienced a data breach in November 2011. The cybercriminals accessed the company's data servers and took the electronic medical record system offline. Initial reports suggest that 15,136 individuals were affected by the breach. It was also found that the compromised information included birth dates, passport numbers, employer ID numbers, and health insurance information. Contact information for the affected persons had to be verified, and this was completed within four months after the attack was first detected. The health center also indicated that it was reviewing current systems and policies related to its safeguards.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

1. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

2. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

3. Contain the Breach

Isolate the affected system to prevent further damage.

4. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

5. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

6. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.

7. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

8. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

9. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Under the Security Breach Notification Act, companies are required to alert clients of any security breaches. According to the regulations, the notification cannot be any later than 45 days after discovering the breach. The regulation defines personal data as a person's name in connection with any of the following information, where the data is not redacted:

  1. Driver's license numbers or state identification card digits
  2. Account numbers, credit or debit card numbers
  3. Social security number

The type of notice given to affected individuals may depend on the size of the business. Notifying the clients in writing, by electronic notice, or through a phone call is acceptable. It is also possible to inform the individuals through major media outlets.

A substitute notice, though, is allowed should the expense of notifying residents be more than $250,000 or if over 500,000 people have been affected by the breach. It is also allowed if the business does not have sufficient contact information for the persons affected.

Companies with 10 or fewer workers and a notification expense of more than $10,000 are exempt from the typical notification process. Instead, the business must provide a notice that satisfies the following conditions:

  1. A conspicuous posting on the business's website.
  2. Notification of major media outlets within the same area where the business is located.
  3. It could also be a paid quarter-page ad in the local newspaper, published at least once weekly for three weeks.

Laws

  • Ohio Rev. Code, 1347.12, 1349.19 - This is the primary law pertaining to breach notification within Ohio. Under the statute, any business within the state must disclose security breaches of its system to the individuals affected or reflected within the record. The same law mandates that if an entity notifies more than 1,000 residents of the state of Ohio, it shall do so without unreasonable delay.
  • Ohio Revised Code (ORC) Section 1349.18 - This law prevents sellers from printing the expiration dates or more than the last five digits of a consumer's credit or debit card. It applies to restaurants, online retailers, and stores.

Resources