Virginia

A data breach is a security violation in which sensitive or protected data is copied, viewed, altered, or stolen by a person or group that is not authorized to do so. In Virginia especially, this can take several forms, such as fraudulent emails, malware, attacks on websites, unauthorized usage of computers, and typical identity theft. Virginia ranked 12th in the number of data breaches per state in 2022. This translated to over $205 million in losses. Most of the data breaches in Virginia occurred in the health, technology, and government sectors. They centered on the unlawful acquisition of personal details, including names, emails, phone numbers, Social Security numbers, and financial information.

Identity Theft Statistics

  • Identity Theft Reports: 10,284 reports; state rank 25th (reports per 100K population)
  • Fraud & Other Reports: 57,202 total reports; state rank 9th (reports per 100K population)
  • Fraud Losses: $33.9M total fraud losses; $300 median fraud losses

Top Ten Report Categories

  • Imposter Scams: 20%
  • Identity Theft: 15%
  • Banks and Lenders: 6%
  • Telephone and Mobile Services: 6%
  • Online Shopping and Negative Reviews: 6%
  • Debt Collection: 5%
  • Credit Bureaus, Information Furnishers and Report Users: 5%
  • Auto Related: 4%
  • Prizes, Sweepstakes and Lotteries: 4%
  • Internet Services: 3%

Top Identity Theft Types

  • Credit Card Fraud: 7,806 (30%)
  • Other Identity Theft: 5,863 (23%)
  • Bank Fraud: 5,125 (20%)
  • Loan or Lease Fraud: 2,251 (9%)
  • Government Documents or Benefits Fraud: 1,916 (7%)
  • Employment or Tax-Related Fraud: 1,532 (6%)
  • Phone or Utilities Fraud: 1,229 (5%)

Virginia's Recent Biggest Data Breaches

September 2023

Virginia Tech

In September 2023, Virginia Tech found that files containing personal information of both current and former students had been exposed online. These files were on a workstation in the Student Affairs Division. The device was quickly removed from the network, and the investigation determined that an unauthorized party had downloaded the files from that computer. Though the number of affected individuals was not revealed, the university does not believe identity theft or other cybercrime will occur due to the incident. It recommended that those affected monitor their personal information for suspicious activity and be careful of unsolicited emails.

April 2023

Virginia Premier

In April 2023, Virginia Premier issued a notification of a data breach that exposed the personal information of members. Its contracted vendor, NationsBenefits, experienced a data security incident. This event affected over three million consumers, including the company's Medicaid members. The information exposed included names, addresses, phone numbers, and health insurance information. When the vendor confirmed the data had been leaked, it started sending data breach notifications on behalf of Virginia Premier to all who were affected by the data breach.

Virginia Department of Medical Assistance Services (DMAS)

The Virginia Department of Medical Assistance Services, which oversees the state's Medicaid program, experienced a data breach in which the information of more than 1.2 million people was exposed due to a hacking incident. A network server breach made sensitive consumer data accessible to unauthorized parties. The notice filed with the HHS-OCR does not specify the types of information compromised. The organization sent a letter to all affected by the breach.

2020

Blackbaud Virginia Data Breach

A ransomware attack in 2020 exposed user information to unauthorized parties. Blackbaud provides software to nonprofit organizations, including higher education institutions, charities, healthcare organizations, and cultural organizations. Its customers use this software to connect with donors and manage constituents. This attack compromised the information of approximately 13,000 customers, along with donors and third-party clients. Following an investigation, Attorney General Jason Miyares indicated they had reached a settlement in which the company agreed to overhaul its breach notification practices and to pay $1.028 million to the state.

Sentara Healthcare Data Breach

Sentara Healthcare posted a data breach notice on its website after becoming aware of an incident at its vendor, R&B Corporation of Virginia (Credit Control Corporation). The incident affected 741 individuals. Unauthorized parties gained access to account numbers, balances, and the dates of service. Following the confirmation of the leakage of consumer data, Sentara sent out breach notification letters to everyone affected by the incident. The CCC also issued data breach letters to everyone potentially compromised because of the data security event.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign in to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

01. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.

03. Contain the Breach

Isolate the affected system to prevent further damage.

04. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.

07. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Businesses are required to disclose a breach of a system if an unauthorized party accesses encrypted information. The statute does not require the information to have been stolen in the first place. Organizations must comply with mandatory notice even if the organization only has a reasonable belief the data was accessed or acquired by an unauthorized party.

Businesses must also inform the affected parties promptly. These notifications are submitted to the Office of the Virginia Attorney General as well. Notification can be delayed while the entity determines the breach scope or if a law enforcement agency finds that notification will affect the overall investigation of the breach.

Should the data breach affect more than 1,000 people simultaneously, the business will notify the relevant consumer reporting agencies that are compiling client files. Substitute notice options are available as well. Substitute notice can be provided if the entity shows the cost of giving notice to its consumer base is more than $50,000 or if affected residents number more than 100,000. It consists of email notice, if the entity has the addresses for all affected members of the class of residents, along with a conspicuous posting on the website and a notice to statewide media.

Entities that maintain their own notification procedures as part of an information privacy or security-related policy consistent with the timing requirements of this section are deemed to comply with the notification requirements.

Laws

  • The Personal Information Privacy Act maintains that no merchant will sell to any third person information concerning the purchaser without giving notice to the purchaser. Likewise, no merchant will sell information obtained as the result of customer payment by personal check, merchant records, or credit cards.

  • Section 18.2-186.6, on breach of personal information notification, deals with the scope of a data breach. According to the regulation, a notice means:

    • Written notice to the last known address of the entity or individual
    • Electronic notification
    • Telephone notification

  • The Virginia Consumer Data Protection Act became law in January 2023. It provides Virginia residents with rights concerning personal data collected by businesses. It allows consumers to request that the controller process their personal information. They also have the right to have their data deleted if it is within the request parameters.

  • The Virginia Health Records Privacy Act protects the privacy of medical records, requiring providers and insurers to get patient consent before they disclose medical information to third parties.
