Tennessee
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Tennessee’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches occur when an unauthorized party acquires, steals, or views personal information. In cases where a criminal party intentionally accessed the data, it was usually for financial gain or other selfish interests. Tennessee is no stranger to data breaches, considering the state incurred more than $113 million worth of damage in 2022. It also ranked 21st in the country on total number of breach victims. Most data breach incidents within the state occur within the government, healthcare, technological, and educational sectors.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Tennessee's Recent Biggest Data Breaches
BlueCross BlueShield of Tennessee
In 2024, BlueCross BlueShield of Tennessee experienced a data breach that affected their member portal accounts. This attack affected an estimated 2,000 current and former members. In response, BCBST notified these individuals. The remaining 3.4 million members were not affected by the incident. BCBST also arranged to offer identity monitoring services at zero cost to the affected individuals who received a letter concerning the incident. BlueShield itself encourages individuals to remain vigilant against fraud and theft, so they are to review their account statements. BlueShield may be required to provide coverage for the data breach to those affected as well, by the contractual agreement made with the state.
Cleveland City Schools
In August 2023, Cleveland City Schools found a ransomware threat in its network, which affected some devices, although most of the equipment was working. According to the spokesperson for the facility, less than five percent of the faculty and the devices were affected due to the attack. The school district also reassured parents that sensitive information, including PowerSchool Data, was secure offsite, so it was not compromised during the attack. There was also no indication that student, faculty, or parent data had been infiltrated.
HCA Healthcare
Nashville-based Tennessee healthcare provider indicated a cyber attack had affected 11 million patients. This attack occurred on July 10th, 2023, when the personal information of affiliated patients was posted online. HCA Healthcare claimed the information might have been stolen from an external storage location to automate email formatting. This includes reminders to patients to book appointments. It includes personally identifying information such as names, cities, states, telephone numbers, service dates, locations, dates of upcoming appointments, gender, and dates of birth of patients. HCA Healthcare assured patients the attack had not affected company processes and did not believe it would affect business operations or essential results. HCA also stated it launched an investigation into the incident and reported it to the authorities.
Tennessee Consolidated Retirement System
The Tennessee Consolidated Retirement System experienced a data breach in June 2023. It blamed the breach on Pension Benefits Information, which used the MOVEit program to transfer files between users. TCRS issued a statement indicating it was planning to alert its members due to the data breach experienced by MOVEit. On the TCRS's end, the breach affected 172,000 individuals, exposing information like dates of birth, mailing addresses, names, and Social Security numbers. TCRS, however, maintained that no banking information was accessed. TCRS indicated it was working with state and federal law enforcement to ensure its user's information remained protected. The group also offered retired members access to identity restoration and credit monitoring at no cost.
Tennova Healthcare
In January 2023, Tennova's Parent corporation, Community Health Systems, had a data breach. This breach affected 962,884 patients from the parent company and compromised patient information, including names, dates of birth, addresses, insurance information, medical diagnoses, and Social Security data. Individuals whose information was compromised got direct notifications by mail.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Consumers are to be notified if a data breach pertains explicitly to them. The data breach notification is to be made by the company in a timely way. It should be made no later than 45 days after discovering the breach. The method of notification is written or electronic notice if that is consistent with provisions concerning electronic records. These regulations are covered under Code section 47-18-2107.
Similarly, if an entity has to notify more than 1,000 individuals at a time, it must notify all consumer reporting agencies. This is to be done promptly. According to the regulation, the personal information of an individual consists:
- Driver's License Numbers
- Social Security Numbers
- Account Numbers, Credit Card Numbers, or Debit Cards
- Access or Security Codes that permit entry to a Financial Account
Should the entity fail to meet the legal obligations described by the law, customers have a private right of action to pursue so they can recover the damages and get relief. According to Code 47-18-2106 any violation of the data breach law violates the Tennessee Consumer Protection Act.
Delay for law enforcement considerations. Notification delays are allowed if a law enforcement agency determines that the notification will affect a criminal investigation negatively. The notification would still be required, but it has to be made no later than 45 days after the law enforcement agency determines it will not hinder investigations.
Laws
- The Tennessee Identity Theft Deterrence Act of 1999 indicates that it is a violation to engage in identity theft or in any unfair or misleading activities to steal an individual's identity.
- Tennessee Information Protection Act defines privacy laws as a category of personal information, processing of biometric information, and information collected from an individual. These are covered under the state, so entities may not expose the information unless they give authorization to do so.
- Tennessee Code 47-18-2107: any information holder is meant to disclose a breach of the security of the system after discovering that there was a breach in data security. This applies to any resident of Tennessee whose unencrypted information is reasonably thought to have been attained by an unauthorized party.
Resources
- BlueCross BlueShield of Tennessee, Inc- Contract
- TCRS alerts retirees of vendor data security breach
- Jonathan Skrmetti, Attorney General & Reporter, Consumer Laws.
- Senate Commerce and Labor Committee 1 Amendment
- HB2097 - Tennessee General Assembly Legislation
- Tennessee General Assembly
- Reporting Cyber and Data Incidents