Missouri

According to Missouri state law, data breaches involve the unauthorized access of personal, medical, or financial information such as credit cards, names, dates of birth, or Social Security numbers. Cybercriminals seek out this information for personal or financial gain. Unfortunately, Missouri is no stranger to data breaches, considering its significant population and annual data breaches. In 2022, the state ranked 22nd in the total number of victims, totaling losses worth $118 million. Missouri's most common data breaches include credit card information, medical insurance, and other personal information theft. Unauthorized parties typically target government institutions, educational institutions, and medical facilities in Missouri.

Identity Theft Statistics

Identity Theft
Reports
24TH
State Rank (Reports per 100K Population)
7,406
Identity Theft Reports
Fraud & Other
Reports
13TH
State Rank (Reports per 100K Population)
39,843
Total Fraud & Other Reports
Fraud
Losses
$20.8M
Total Fraud Losses
$255
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
19%
Identity Theft
16%
Credit Bureaus, Iformation Furnishers and Report Users
7%
Telephone and Mobile Services
7%
Debt Collection
5%
Online Shopping and Negative Reviews
5%
Prizes, Sweepstakes and Lotteries
5%
Auto Related
5%
Banks and Lenders
5%
Internet Services
2%

Top Identity Theft Types

28%
4,056
Other Identity Theft
23%
3,391
Credit Card Fraud
13%
1,946
Employment or Tax-Related Fraud
13%
1,920
Loan or Lease Fraud
11%
1,634
Bank Fraud
7%
1,006
Phone or Utilities Fraud
5%
758
Government Documents or Benefits Fraud

Missouri's Recent Biggest Data Breaches

2023
May

Missouri Medicaid Data Breach

In May 2023, the Missouri Department of Social Services experienced a data breach entailing Medicaid clientele. The incident occurred at IBM Consulting, a Missouri DSS vendor. Following the MOVEit hacks by the Clop Threat group, the DSS disconnected MOVEit servers from their IT systems. Some information included the person's name, department client number, dates of birth, possible benefit coverage or eligibility, and medical claims information. Following the attack and investigation, the DSS has encouraged Missouri residents to review their credit reports. Residents can also freeze their credit or request a free assessment from the main reporting outlets. Twenty-one thousand three hundred eighty-three individuals were affected by the data breach.

2023
May

Reeds Spring School District data breach

Reeds Spring School District detected unauthorized access to their network in May 2023. During the attack, names, Social Security numbers, health insurance information, and dates of birth were compromised. The district also launched an immediate investigation, including external cybersecurity professionals. It also issued a statement indicating its apologies for the incident. They also confirmed their commitment to maintaining their client's privacy. Reeds pleaded their apologies that the incident occurred and indicated they are continually evaluating their practices to enhance security. Reeds also sent notifications to the Department of Elementary and Secondary Education (DESE) as required by state law.

2023
January

North Kansas City Hospital

North Kansas City Hospital filed a data breach notice in January 2023. During the data breach, an unauthorized party accessed consumer information such as names, genders, phone numbers, health insurance, and clinical information. The healthcare facility immediately launched an investigation into the cause of the breach and sent out notification letters to those affected. During the incident, more than 502,000 people were affected.

2020

BJC Healthcare Data Breach

In 2020, the BJC HealthCare facility learned that an unauthorized user accessed physicians' email accounts in the same month. The facility immediately launched an investigation and found that the infiltrated email accounts had significant data, including birth dates, names, medical record digits, diagnoses, provider names, and treatment locations. Some of the accounts also came with health insurance data, as well as Social Security numbers. The attack affected 288,000 individuals. Following the breach, five class action lawsuits were leveled against the institution, and it paid out $2.7 million to the plaintiffs.

2019
January

Missouri Southern State University Data Breach

In January 2019, the Missouri Southern State University became aware of a data breach following a phishing attack. The attack originated from an email with a link clicked, allowing the unauthorized party to access the personnel's Office 365 account. MSSU immediately contacted law enforcement and a leading forensic organization to investigate. The assessment determined that information, including names, dates of birth, addresses, emails, and Social Security numbers, were compromised. Twenty-two thousand three hundred ninety-six students were affected during the attack. The University also recommended that students remain vigilant in regularly reviewing and monitoring their account statements and credit history.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Missouri's 2021 breach notification law directs businesses to tell affected people if their information has been compromised. According to the regulation, this must be done within a reasonable period. That is within 45 days of the breach discovery, which is longer than what may be needed in other states. Businesses must also notify the attorney general's office should it affect more than 500 residents.

If a business is required to notify more than 1,000 consumers, then they have to alert all nationwide consumer reporting agencies concerning the content of the notice. They must also notify the attorney general's office of the timing, distribution, and notice content.

There are exemptions, though, to the reporting of a data breach according to Missouri Law. Some exemptions include if the data was encrypted and the key was not compromised. There is a good faith acquisition exemption as well, which means if the data breach was because someone obtained personal information by good faith means. Similarly, if a law enforcement agency requests that the notification be kept to avoid interfering with an investigation, it is possible to delay notification.

The state attorney general has the authority to bring an action by exacting damages for an entity's wilful violation of consumer privacy. The civil penalty is not more than $150,000 for every breach in a system or a series of violations of a similar nature discovered during an investigation.

Laws

  • Missouri Revised Statutes 407.1500 was enacted in 2009. These laws require entities with ownership of licensure of personal information to notify the affected residents in case of a data breach. If there are more than 1,000 affected people, the attorney general's office and all consumer reporting agencies nationwide must be notified. The notification also has to be made without any unreasonable delay.
  • Missouri HB 62 of 2009 also concerns data breach notification. It requires that any individual who owns the information of residents of Missouri in any form shall provide notice to them in the event of a breach. The law also modifies apparent provisions, requiring that law enforcement give the Highway Patrol central repository and biometric information on the arrested individuals.

Resources