Utah
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Utah’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Cyber attacks have increased for several years due to the importance placed on sensitive or personal information. Perpetrators of these crimes rely on the laxity of small opportunities to infiltrate organization systems. Despite Utah's smaller-than-average population, it still experiences many data breaches. In 2023, it ranked 28th in the nation, with losses totaling $132,257,035. Most large-scale data breaches are focused on social engineering, ransomware or denial of service attacks, and malware. In Utah, the attacks focused on healthcare, educational, and government institutions.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Utah's Recent Biggest Data Breaches
University of Utah Data Breach
The University of Utah experienced a data breach when three vendors reported unauthorized network access. That means the cybercriminals could access information belonging to employees, donors, and students. The three vendors were TMG, TIAA Kaspick, and the National Student Clearinghouse. In the first case, TMG reported that 3,900 patient records were accessed, exposing email addresses, phone numbers, birth dates, Social Security numbers, and banking information. The TIAA alerted the university leaders of their data breach, impacting 30 legacy issuing donors and 13,800 students. Their names, dates of birth, and Social Security numbers were exposed. The National Student Clearinghouse also indicated that Social Security numbers, dates of birth, and student identification numbers of an undisclosed number were revealed. All three vendors wrote notification letters to those affected by the breach.
Utah Imaging Associates Data Breach
The Utah-based radiology center revealed there was a data breach affecting more than 580,000 individuals. The attack happened in August 2021, when the cybercriminals explored internal systems and stole data from the company for a week. An external cybersecurity organization investigated the incident and found that the exposed data included names, mailing addresses, birth dates, Social Security numbers, health insurance data, and medical data. Utah Imaging Associates also declared that there were no reports of the data being leaked online months after the incident. UIA also provided 12 months of credit monitoring.
Premier Family Medica Data Breach
In July 2019, Premier Family Medica experienced a data breach that temporarily prevented access to patient information. However, the notice on its website did not illustrate the type of ransomware used or the amount demanded. Premier also did not specify whether they contacted the data breachers or not. The company did engage law enforcement and technical consultants to regain access to its systems. The breach did affect ten county locations, though. According to the chief administrator, Robert Edwards, there was no reason to believe that patient information was taken, and the organization took steps to enhance its security.
Utah Medicaid Data Breach
In March 2012, unauthorized parties illegally accessed the Utah Department of Technological Services. They stole Medicaid and CHIP claims information of 6,000 patients. This breach happened because of an error on the server during password authentication. It allowed hackers to bypass the security system and access the data. Other information, including names, birth dates, and addresses, were also stored on the server. The victims obtained a letter from the Utah Department of Health. Victims were also advised to monitor their credit and other financial accounts closely.
Central Utah Clinic Data Breach
In June 2010, hackers compromised one of the servers that had radiology reports. There was no evidence to show files were copied from the server, though. Initial investigations also determined that one of the healthcare provider servers was affected. Some of the information that was potentially revealed included names, Social Security addresses, and phone numbers. The breach affected 21,677 patients who were contacted by mail to advise them of the potential data breach. Central Utah Clinic advised all of those affected there was no indication that any personal data was copied or viewed to unauthorized locations. Regardless, patients were offered credit monitoring services to counter any damage caused to their financial accounts.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Utah state regulations mandate that all entities are to provide notifications in the event of a data breach to each affected resident. While, notification is not needed if, following good faith and a prompt comprehensive investigation, the business finds that it is not likely the personal information has been accessed and misused. The entities that have experienced a data breach are to do so as quickly as possible. Delays will only be allowed if a law enforcement agency indicates that the notification will impede the ongoing investigations.
Written, telephone, and email notices are allowed during notifications. The organization can issue a substitute notice if they do not have current contact information for those affected. Substitute notices can be made by publicly posting the incident on the business's website and alerting statewide media.
If the entity has to alert more than 500 Utah residents concerning the data breach, it must also notify the Utah Attorney General's office. They must also notify consumer reporting agencies if the number to be informed is over 1,000.
Laws
- The Utah Protection of Personal Information Act shows the notification procedures when an entity must respond to a data breach. A breach of information must be reported when a compromise has occurred. According to Code Chapter 44, of the state legislation, personal information is defined as first, names, initials, and last names combined with a data element. These include Social Security numbers, driver's licenses, state identification numbers, credit cards, debit cards, and other financial account details.
- The S.B. 227 Consumer Privacy Act issues consumers rights to their sensitive or private information. A consumer has the right to confirm whether a business is processing their information or not. If a business is processing its data, then there is the right to access it, and in certain circumstances, that data can be deleted by request.