Puerto Rico

Data breaches occur when an unauthorized party accesses an individual's or company's networks to obtain sensitive data. This can be for personal, ideological, or financial reasons. In Puerto Rico, the problem is not as prevalent as in other states, considering it ranks 39th in terms of the number of victims affected as of 2023. That said, it did incur more than $30 million in losses during the same year following data breach events. Most data breach types here are related to hacking, malware, phishing, denial of service, and stolen identities. Cybercriminals in Puerto Rico also tend to focus on banking, healthcare, and government institutions.

Identity Theft Statistics

Identity Theft Reports
  • State Rank (Reports per 100K Population): -
  • Identity Theft Reports: $252

Fraud & Other Reports
  • State Rank (Reports per 100K Population): -
  • Total Fraud & Other Reports: 3,751

Fraud Losses
  • Total Fraud Losses: $3.9M
  • Median Fraud Losses: $308

Top Ten Report Categories

  • Identity Theft: 30%
  • Imposter Scams: 17%
  • Credit Bureaus, Information Furnishers and Report Users: 7%
  • Online Shopping and Negative Reviews: 5%
  • Banks and Lenders: 5%
  • Debt Collection: 3%
  • Advance Payments for Credit Services: 3%
  • Telephone and Mobile Services: 3%
  • Credit Cards: 2%
  • Education: 2%

Top Identity Theft Types

  • Employment or Tax-Related Fraud: 47% (779)
  • Credit Card Fraud: 18% (295)
  • Other Identity Theft: 14% (236)
  • Government Documents or Benefits Fraud: 7% (115)
  • Loan or Lease Fraud: 6% (105)
  • Phone or Utilities Fraud: 5% (82)
  • Bank Fraud: 3% (49)

Puerto Rico's Recent Biggest Data Breaches

2023
June

First Bank Puerto Rico Data Breach

In June 2023, the Mortgage Industry Advisory Corporation (MIAC), a First Bank vendor, filed a data breach notice after discovering that an attack had exposed the institution's customer information. MIAC immediately began mitigating actions to investigate the incident. It also reviewed the affected files to assess the information types that were affected during the breach. It did not determine the types of data exposed. However, it sent letters to First Bank clientele to alert them of the breach.

2022

Doctors Center Hospital

The Doctors Center Hospital, a recognized hospital network, experienced a data breach incident in 2022. This attack compromised the personal health information of 1,195,220 patients. The hospital filed a notification with the US Department of Health and Human Services, Office for Civil Rights, though it provided only limited information concerning the event. The Doctors Center Hospital reviewed the affected files to ascertain which information was compromised and determined that the information accessed was protected health information. It also moved to send data breach letters to everyone whose information was found to have been compromised in the data security event.

2020

Puerto Rico Firefighting Department Servers Data Breach

In 2020, unauthorized parties gained access to the Puerto Rico Firefighting Department's database. Their objective was to hold the data for a ransom of $600,000. According to the department's director, Alberto Cruz, the situation did not affect its general ability to respond to emergencies. Law enforcement stated that the fire department received an email notifying it that hackers had encrypted the database servers and would not release the information until they were paid. The investigation did not reveal the amount of data held for ransom, and the department declined to offer further details, indicating the inquiry was still ongoing.

2019
July

Bayamón Medical Centre Data Breach

In July 2019, the Bayamón Medical Centre and Puerto Rico Women and Children's Hospital stated that they had experienced a data incident in which patient information was exposed. When they learned of the breach, the hospitals hired an external expert to assist in decrypting the affected records. They also ran concurrent internal investigations to assess which information was taken. From the inquiry, Bayamón Medical Centre claimed that 422,496 patients were affected. Puerto Rico Women and Children's Hospital indicated that 99,943 patients were victims of the data breach incident.

2017
December

Puerto Rico Health Plan Triple-S Advantage Data Breach

In December 2017, Triple-S Management Corporation, which runs Blue Cross and Shield plans, reported a data breach after a mailing error disclosed plan members' sensitive information to unauthorized parties. An investigation was launched shortly afterward to address the situation and determine how the error occurred in the first place. Action has already been taken to ensure the same error does not occur again. The information exposed by the mailing included Social Security numbers, financial information, names, dates of service, and treatment codes. This incident affected 36,000 plan members, and a substitute notice was filed because the company did not have contact information for everyone involved. Triple-S indicated in its breach notice that mailing processes were altered and that these have been tested appropriately.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

01. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03. Contain the Breach

Isolate the affected system to prevent further damage.

04. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.

07. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

All businesses must report incidents of data breaches to the affected parties. In Puerto Rico, the obligation applies to any entity that owns, licenses, or maintains personal information protected by encryption or password. Clients are to be notified as soon as possible, though the timing should also take the needs of law enforcement into account. Notification can be delayed if it would interfere with an ongoing law enforcement investigation.

According to the definitions, personal information will include such things as first or surnames, driver's licenses, banking or financial information, names of users and passwords, and any tax information. The notification is to be issued clearly, describing the general terms and information which was compromised. It will be given either in written or authenticated electronic form.

Substitute notices can also be issued when the cost of notifying the state's residents is more than $100,000. Similarly, if the number of people who ought to be informed is more than 100,000, there are grounds for issuing a substitute notice. The substitute notice can be carried out in the following ways. One is the display of an announcement at the entity's premises, on its website, and through a published flier, mailing lists, and electronic aid. Another is communication with the media, informing them of the situation and explaining how to contact the entity for follow-up.

If a business does not comply with these regulations, the Secretary can impose fines of between $500 and $5,000 for every violation committed. The penalties do not necessarily affect consumers' rights to bring actions for damages.

Laws

  • 10 P.R. Laws Ann. §§ 4051–4055 concern the definition of data breaches, notification regulations, and consumer and substitute notice requirements. They also give the requirements for a delayed notice and for notifying the government.
  • The Citizen Information of Data Banks Security Act mandates that an entity that is the proprietor or custodian of a data bank for commercial use, including personal information of citizens in Puerto Rico, has to notify them concerning any violation of the system's security when the data bank security has been violated.

Resources