Utah

Cyber attacks have increased for several years due to the importance placed on sensitive or personal information. Perpetrators of these crimes rely on the laxity of small opportunities to infiltrate organization systems. Despite Utah's smaller-than-average population, it still experiences many data breaches. In 2023, it ranked 28th in the nation, with losses totaling $132,257,035. Most large-scale data breaches are focused on social engineering, ransomware or denial of service attacks, and malware. In Utah, the attacks focused on healthcare, educational, and government institutions.

Identity Theft Statistics

Identity Theft
Reports
20TH
State Rank (Reports per 100K Population)
4,702
Identity Theft Reports
Fraud & Other
Reports
31ST
State Rank (Reports per 100K Population)
17,228
Total Fraud & Other Reports
Fraud
Losses
$9.1M
Total Fraud Losses
$300
Median Fraud Losses

Top Ten Report Categories

Identity Theft
21%
Imposter Scams
17%
Credit Bureaus, Iformation Furnishers and Report Users
10%
Telephone and Mobile Services
7%
Prizes, Sweepstakes and Lotteries
5%
Online Shopping and Negative Reviews
5%
Debt Collection
4%
Banks and Lenders
4%
Auto Related
3%
Internet Services
2%

Top Identity Theft Types

27%
1,844
Credit Card Fraud
26%
1,775
Other Identity Theft
14%
942
Loan or Lease Fraud
12%
805
Bank Fraud
8%
546
Government Documents or Benefits Fraud
8%
544
Employment or Tax-Related Fraud
5%
324
Phone or Utilities Fraud

Utah's Recent Biggest Data Breaches

2023
June

University of Utah Data Breach

The University of Utah experienced a data breach when three vendors reported unauthorized network access. That means the cybercriminals could access information belonging to employees, donors, and students. The three vendors were TMG, TIAA Kaspick, and the National Student Clearinghouse. In the first case, TMG reported that 3,900 patient records were accessed, exposing email addresses, phone numbers, birth dates, Social Security numbers, and banking information. The TIAA alerted the university leaders of their data breach, impacting 30 legacy issuing donors and 13,800 students. Their names, dates of birth, and Social Security numbers were exposed. The National Student Clearinghouse also indicated that Social Security numbers, dates of birth, and student identification numbers of an undisclosed number were revealed. All three vendors wrote notification letters to those affected by the breach.

2021
August

Utah Imaging Associates Data Breach

The Utah-based radiology center revealed there was a data breach affecting more than 580,000 individuals. The attack happened in August 2021, when the cybercriminals explored internal systems and stole data from the company for a week. An external cybersecurity organization investigated the incident and found that the exposed data included names, mailing addresses, birth dates, Social Security numbers, health insurance data, and medical data. Utah Imaging Associates also declared that there were no reports of the data being leaked online months after the incident. UIA also provided 12 months of credit monitoring.

2019
July

Premier Family Medica Data Breach

In July 2019, Premier Family Medica experienced a data breach that temporarily prevented access to patient information. However, the notice on its website did not illustrate the type of ransomware used or the amount demanded. Premier also did not specify whether they contacted the data breachers or not. The company did engage law enforcement and technical consultants to regain access to its systems. The breach did affect ten county locations, though. According to the chief administrator, Robert Edwards, there was no reason to believe that patient information was taken, and the organization took steps to enhance its security.

2012
March

Utah Medicaid Data Breach

In March 2012, unauthorized parties illegally accessed the Utah Department of Technological Services. They stole Medicaid and CHIP claims information of 6,000 patients. This breach happened because of an error on the server during password authentication. It allowed hackers to bypass the security system and access the data. Other information, including names, birth dates, and addresses, were also stored on the server. The victims obtained a letter from the Utah Department of Health. Victims were also advised to monitor their credit and other financial accounts closely.

2010
June

Central Utah Clinic Data Breach

In June 2010, hackers compromised one of the servers that had radiology reports. There was no evidence to show files were copied from the server, though. Initial investigations also determined that one of the healthcare provider servers was affected. Some of the information that was potentially revealed included names, Social Security addresses, and phone numbers. The breach affected 21,677 patients who were contacted by mail to advise them of the potential data breach. Central Utah Clinic advised all of those affected there was no indication that any personal data was copied or viewed to unauthorized locations. Regardless, patients were offered credit monitoring services to counter any damage caused to their financial accounts.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar
Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
Sign-in to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Utah state regulations mandate that all entities are to provide notifications in the event of a data breach to each affected resident. While, notification is not needed if, following good faith and a prompt comprehensive investigation, the business finds that it is not likely the personal information has been accessed and misused. The entities that have experienced a data breach are to do so as quickly as possible. Delays will only be allowed if a law enforcement agency indicates that the notification will impede the ongoing investigations.

Written, telephone, and email notices are allowed during notifications. The organization can issue a substitute notice if they do not have current contact information for those affected. Substitute notices can be made by publicly posting the incident on the business's website and alerting statewide media.

If the entity has to alert more than 500 Utah residents concerning the data breach, it must also notify the Utah Attorney General's office. They must also notify consumer reporting agencies if the number to be informed is over 1,000.

Laws

  • The Utah Protection of Personal Information Act shows the notification procedures when an entity must respond to a data breach. A breach of information must be reported when a compromise has occurred. According to Code Chapter 44, of the state legislation, personal information is defined as first, names, initials, and last names combined with a data element. These include Social Security numbers, driver's licenses, state identification numbers, credit cards, debit cards, and other financial account details.
  • The S.B. 227 Consumer Privacy Act issues consumers rights to their sensitive or private information. A consumer has the right to confirm whether a business is processing their information or not. If a business is processing its data, then there is the right to access it, and in certain circumstances, that data can be deleted by request.

Resources