- Lynn Hulsey Staff Writer
Theft of personal information has become so commonplace it seems only a matter of time before the next big breach is announced.
Hackers have compromised the identities of millions of people in the past few years with high-profile attacks on such household names as Target, Home Depot, eBay and SnapChat.
The Internal Revenue Service earlier this year reported that thieves accessed the tax returns of 334,000 individuals.
Tax officials nationwide say fraud was responsible for millions of dollars in tax refunds landing in the wrong hands.
“We have been bombed with attempted theft of tax refunds,” said Gary Gudmundson of the Ohio Department of Taxation.
The toll on victims can be both painful and expensive.
Pat Young of Trotwood hired a credit monitoring service after a thief filed for a tax refund using her name. Someone then maxed out a credit card obtained in her name and tried to get a credit line extension. She fielded threatening phone calls from a man falsely claiming to be with the IRS, demanding she pay $3,000. Most recently someone tried to open a fraudulent Amazon account in her name.
It has taken her since 2013 to resolve the issues and she still has no idea how her information was stolen.
“Identity theft is scary,” said Young, a 67-year-old NCR retiree. “I felt helpless.”
Once thieves have someone’s name and Social Security number, or other key information, there is no end to the trouble they can cause — draining bank accounts, opening credit card accounts, taking out loans, applying for tax refunds and even falsely using a victim’s name in criminal cases.
Medical identity theft — the use of someone’s information for expensive medical care or to buy prescription drugs — has emerged as a growing threat. Victims may have no idea it is happening until the bill arrives.
“I think the question is not whether your data has been put in other hands, it’s how many times,” said Seth Hamman, assistant professor of computer science at Cedarville University. “How many people have your personal data?”
The answer is probably more than you think.
This year hackers breached the U.S. Office of Personnel Management, stealing information on 21.5 million people in a federal background investigation database. On Wednesday the government announced thieves also obtained the fingerprints of 5.6 million of those victims.
The mother lode
A massive breach announced by the health insurer Anthem in February gave thieves access to the records of nearly 79 million individuals, including names, birth dates and Social Security numbers.
Experts say medical information is the mother lode. It sells on the black market for up to 10 times what credit card information commands because the information in a medical record opens a floodgate of opportunity to fraudulently obtain medical care or drugs.
“If somebody uses your information to buy 150 bucks worth of shoes that’s obviously a loss that’s bad,” said Tom Hagel, law professor emeritus at the University of Dayton. “But let’s say somebody uses stolen medical information to receive $25,000 worth of medical services, which doesn’t take that long to rack up. You’re talking serious losses.”
Medical identity theft increased nearly 22 percent between 2013 and 2014, with an estimated 2.32 million victims, according to a survey by Ponemon Institute, a Michigan-based cybersecurity research firm.
Unlike credit card fraud, where federal laws limit individual losses, victims of medical identity theft may have to sue medical providers to avoid paying bills racked up by fraudsters, said Ann Patterson of the Medical Identity Fraud Alliance.
With electronic medical records becoming the norm, fraud isn’t the only potential problem — a victim’s health can be put at risk if a thief’s intermingled medical information leads doctors to assume a wrong blood type, miss allergies or think a victim is on certain medications.
Ponemon found that 65 percent of medical ID victims spent, on average, $13,500 for legal counsel, identity protection services or paying health care providers or insurers for services obtained by thieves.
One of the most frustrating hallmarks of identity theft is that victims may no sooner resolve one fraud case when another pops up.
“Unfortunately, it’s like a game of whack-a-mole sometimes,” said Eva Velasquez, president of the Identity Theft Resource Center (ITRC), a nonprofit that helps victims and tracks breaches reported by U.S. companies.
“They may use one credit card that was compromised. Then if your Social Security number’s compromised they may open a new mortgage account,” she said. “Then after you put all your mechanisms in place and did a credit freeze, the next thing you know someone has used your information in the commission of a crime and you can’t pass a background check.”
The ITRC says 5,562 breaches of American companies have been reported since 2005, compromising nearly 819 million records containing individual names along with Social Security numbers, driver’s license numbers, medical records or financial records.
Identity theft, or the use of stolen personal information to commit fraud or crime, was the top category of consumer complaints compiled from state and federal agencies by the Federal Trade Commission in 2014. The federal agency collected 332,646 unverified consumer complaints of identity theft, more than double the amount in 2002. Government documents/benefits fraud — the bulk of it tax- or wage-related fraud — was the most common type of identity theft.
But the actual number of identity theft victims far exceeds the number of complaints filed, according to the U.S. Department of Justice and cybersecurity research firms. About 16.6 million people age 16 or older were victims of identity theft in 2012, according to the most recent National Crime Victimization Survey’s Identity Theft Supplement. Direct and indirect losses totaled $24.7 billion.
Javelin Strategy and Research estimated there were 12.7 million victims last year and the total amount stolen was $16 billion. The California-based company conducts an annual survey in cooperation with identity theft protection company LifeLock.
‘Don’t be low-hanging fruit’
Victims’ advocates want companies and the government to better protect personal information and verify the identities of thieves when they attempt to use stolen information.
“Sensitive personal information has to be adequately safeguarded, and it’s clear that it’s not when you see the number of hacks and other kinds of security breaches that occur,” said Susan Grant of the Consumer Federation of America.
“Consumers are understandably worried about the security of their information. They need to be assured that companies and agencies and organizations that hold it are protecting it reasonably well and that they will be held liable if they don’t.”
Hagel predicts class-action lawsuits by victims of identity theft will become more commonplace.
More than 90 percent of breaches in 2014 would have been avoidable if security controls and best practices had been in place, according to the Online Trust Alliance, a nonprofit that assists businesses with cybersecurity. But the OTC also said in a recent report that even “the most cyber-savvy organizations have found themselves exposed and ill prepared to manage the effects and impact of a data breach.”
Velasquez and other experts said individuals also bear responsibility for being careless with information, failing to monitor financial and health insurance records, and not following basic internet safety protocol, such as keeping separate passwords for financial transactions and less sensitive uses, and limiting personal information posted on social media.
“The bad guys are going to be looking,” said David Salisbury, a University of Dayton professor of information systems. “So what you want to do is control the size of your ‘footprint’ in terms of the amount of stuff that is out there and limit the vulnerabilities on any machines that you are using that you control.”
Velasquez advocates what she calls “good identity hygiene” to thwart thieves or catch fraud quickly.
“Make sure you are paying attention to how you are engaged online, to your financial accounts, looking for red flags and just being overall aware of the fact that your identity has value and you should protect it,” Velasquez said.
“Thieves go for low-hanging fruit. Don’t be the low-hanging fruit.”
While data breaches are highly publicized, Ohio Attorney General Mike DeWine said identity thieves also use low-tech methods such as breaking into homes and cars to steal information, rooting through trash or snatching applications at job fairs.
DeWine added an identity theft unit to his consumer complaint division in September 2012. Since then, he said, his office has handled nearly 3,500 complaints and helped victims clear more than $1 million in fraudulent debt.
“Any kind of theft is bad, but I think this one is particularly bad because people don’t know what to do to pick up the pieces,” DeWine said. “It is an invasion of your privacy, an invasion of your personal life and you feel violated.”
Ohio’s identity theft unit helped Kenneth Schug of Kettering when his then-89 year old mother, Freda, discovered that two fraudulent credit cards had been taken out in her name by someone in Florida last year and had racked up $1,168 in charges. She then received a call from a man demanding she pay $2,000 or he would “go after her.”
Her son said resolving the problems and clearing the debt took from August 2014 to February 2015, even with DeWine’s help. Schug said he thought having DeWine’s office backing him got the attention of the credit bureaus. Even so, Schug said it was extremely time consuming as he repeatedly made calls and sent letters to companies and had to re-send documentation to a credit bureau.
At one point he got a letter from a credit bureau saying it had changed his mother’s official address to one given by fraudsters in Florida. He had to get that corrected to keep the credit bureau from sending his mom’s mail to the people in Florida.
Schug’s mother, now 90 and in an assisted living facility, had him to fight her battle, but he worries about other elderly victims.
“It was hard enough for me, and there is just no way she could have dealt with that on her own,” Schug said. “What happens to people who don’t have an advocate?”
Victims play role
National surveys have found far more victims of identity theft than the number of complaints filed. The Federal Trade Commission says fewer than one-third of those who file complaints with state or federal consumer protection agencies also report to law enforcement.
Failing to report identity theft is a crucial mistake that leaves consumers ill equipped to get fraudulent charges removed, clear credit reports or respond if the theft occurs again, experts say. Filing a complaint with the FTC and with law enforcement gives the consumer an Identity Theft Report that becomes a key document in the often-lengthy process of clearing a victim’s name.
Victims are responsible for contacting merchants, medical providers, financial institutions and credit bureaus. Speed is essential as some consumer protections — such as those covering fraudulent withdrawals from bank accounts — have short deadlines to limit losses. Fraud alerts or credit freezes need to be placed at the three national credit bureaus, although there is no central location or alert system for medical identity theft victims.
Victims of identity breaches often are offered free credit monitoring services by the responsible company or government agency, but only about 10 percent accept the help, said Michael Bruemmer, vice president of consumer protection at credit bureau Experian. He said about one-third of those who have been breached do nothing different afterward, such as changing passwords or bank information.
“The most important thing is consumers should always take action, especially if they have been the victim of a data breach,” Experian spokeswoman Sandra Bernardo said.
‘Year of the Breach’
There are some signs of hope. Javelin Strategy and Research’s 2014 survey showed a 3 percent decline in ID theft and an 11 percent decline in the amount stolen compared to 2013. The decline was attributed to stronger anti-fraud efforts by industry and consumers, and quicker fraud detection.
Both IRS and Ohio Department of Taxation officials said they’ve had success thwarting thieves and prosecuting those who’ve obtained fraudulent tax refunds, and they’ve put in place additional safeguards to help protect taxpayers. The medical industry also is responding.
“I’ve branded 2015 as the ‘Year of the Breach,’ ” said Michael Berry, director of information security at Kettering Health Network. “I think with the increased awareness, it will force our industry to be more careful as well as increase the cautiousness of the consumer in protecting that information.”
Kettering is piloting an additional way of verifying identities, requesting that patients in the emergency room allow a photo to be taken, although the person can refuse. Intake staffers ask a variety of questions designed to determine if information is accurate.
Officials are considering “biometrics” options, such as requiring a fingerprint ID, said Jane Mixon, executive director for access and scheduling. She said it would be helpful if health insurers issued photo IDs.
Biometrics and multi-factor authentication — requiring multiple bits of information to verify an identity — are among the practices experts say would help thwart identity thieves. But Velasquez said there is no substitute for vigilance, especially for people who have already had their information stolen.
“In the case of those persistent thieves you really don’t have any choice but do do that, sort of like managing a disease,” said Velasquez. “It goes into remission. You have to be aware that you have to manage it and you just have to take care of it.”
Staff writer Ken McCall contributed to this report.