What to do right now…
Massive data breaches at giant companies have become so commonplace that consumers now tend to shrug them off. But high-tech criminals have ratcheted up the danger—and the steps required to safeguard consumer finances and identities—to a whole new level.
The biggest and most recently revealed example of a much more dangerous hacking incident involves the health insurance provider Anthem—although similar, less publicized invasions have occurred at other companies—and it makes the possible fallout from incidents of credit card and password theft seem mild in comparison.
Bottom Line/Personal asked security expert John Sileo to explain why the dangers are so high now and what consumers can do to protect themselves…
Social Security Numbers Are Key
Unlike the hacking incidents at such companies as Target and The Home Depot, the Anthem breach could lead to long-lasting and even life-altering identity theft for many of the up to 80 million current and former customers potentially affected. That’s because the hackers who invaded Anthem’s computers stole data including names, employment and contact information, health insurance IDs, addresses, birth dates and Social Security numbers.
Social Security number breaches are especially dangerous because they don’t just help crooks gain access to your accounts, the way a credit card breach does. Social Security breaches allow the crooks to pose as you in myriad ways that could wreck your life. Victims might spend the rest of their lives fending off bill collectors about purchases they never made…fighting to remove inaccurate and potentially lethal information from their medical files…explaining to police that it was really someone else who was arrested and skipped bail…and praying that no one steals their tax refunds.
That’s far worse than having your credit card information stolen—credit cards can be quickly canceled, passwords can be changed and any losses usually are covered by the issuer.
If you become a victim of a corporate data breach, don’t be fooled into thinking that you’re safe just because…
Months have passed and your credit reports remain fine. A 2012 survey by consulting company Javelin Strategy & Research found that 22.5% of people who receive a notice informing them that they were the victim of a data breach later become victims of identity theft—but it doesn’t always happen fast. Data thieves sometimes wait years to use stolen data.
You have never been an Anthem customer. There have been other comparable data breaches, and more are sure to follow. Examples: Community Health Systems, a network of more than 200 hospitals across 29 states, had approximately 4.5 million patient records breached. Experian, which maintains confidential credit files, was breached, exposing an unknown number of files.
Possible consequences for victims of the Anthem breach—and other similar breaches—and what to do about each…
Phony Debts In Your Name
An identity thief who has your Social Security number might open new credit accounts in your name or even borrow against the value of your home. You would not be held legally responsible for these debts ultimately, but it could take decades to clear up the mess. In the meantime, your damaged credit score could mean higher interest rates on loans…higher auto insurance rates…and even rejections from potential employers.
What to do: Place a security freeze on your credit files. The usual advice is to put a fraud alert on your files, but that does not provide sufficient protection. Alerts generally expire in 90 days, and while lenders are supposed to take added precautions when an alert is in place, these precautions can fail. A freeze completely blocks your credit report from being accessed and credit from being issued until the freeze is lifted.
Contact all three credit bureaus by phone or online to establish this freeze (Experian.com, Equifax.com and TransUnion.com). You will have to contact the bureaus again and provide a password whenever you wish to temporarily lift the freeze to apply for credit. Costs vary by state, but expect to pay $3 to $10 to each reporting agency each time the freeze is lifted. In some states, there also is a fee to establish or reestablish a freeze.
Helpful: Ask lenders and credit card issuers which credit-reporting agency or agencies they use, and then lift the freeze only with those—generally only mortgage lenders check all three. In some states, you will be exempt from the fees cited above if you are 65 or older (62 or older in Louisiana and North Carolina) and/or can provide a police report showing that you are a victim of ID theft.
If you are unwilling to place a security freeze on your credit—perhaps because you are in the process of applying for loans or jobs—at least sign up for an ID-theft-monitoring service. These services do not prevent ID theft, but they can notify you quickly of certain signs of trouble and help you navigate the often frustrating recovery process.
Warning: The ID-theft-monitoring services provided to the victims of large-scale data breaches for free usually are badly lacking, possibly monitoring credit reports with only one of the three major credit bureaus, for example.
Instead, consider spending around $250 per person a year for a high-quality ID-theft-monitoring service. Choose one that monitors credit reports from all three credit-reporting agencies plus address-change requests, court records, driver’s license activity, payday loan applications and websites where stolen identities are bought and sold. Services that use the underlying monitoring technology of a company called CSID tend to be among the most robust. These include IDT911 and LifeLock.
Phony Debts in Kids’ Names
If your children are covered through your health insurance, they also could be at risk for identity theft if your insurer or one of your medical providers is breached. This wasn’t a risk with retailers such as Target and The Home Depot that do not normally have minors’ confidential information on file.
ID theft can be especially troublesome for minors because it often isn’t noticed for years. One frustrating twist for parents—you generally cannot place a fraud alert or a security freeze on a young child’s credit file. If the child doesn’t yet have credit, he/she probably doesn’t yet have a credit file. If you try to set up a fraud alert or credit freeze for such a child, it could trigger the creation of a credit file, which in some ways makes it easier to steal the child’s identity.
What to do: An ID-theft-monitoring service that includes family protection can monitor databases for signs that the child’s Social Security number is being used by identity thieves. Even the free monitoring product being offered by Anthem likely can do this, though a higher-quality service offered by a pay service probably could do it better.
Phony Health Insurance Bills
Someone could use your health insurance ID number to obtain health services in your name, leaving you to battle health-care providers and bill collectors about co-pays and other fees that you don’t owe. What’s more, your medical records could become corrupted with someone else’s information, leading to a potentially lethal misdiagnosis.
What to do: Read every “Explanation of Benefits” statement you get from your insurer. If any don’t correspond to a medical visit you made or treatment you had, contact the provider and the insurer immediately to alert them to potential medical identity theft. If you have access to your medical records through a health-care provider’s online patient portal, check this every month or so.
Stolen Tax Refunds
An identity thief who has your Social Security number and date of birth could file a phony tax return in your name to claim a tax refund. Not only could this greatly complicate your own tax filing, it might mean that you can’t receive the refund you are due until the situation is cleared up, which could take years.
If you filed taxes last year in Florida, Georgia or Washington, DC—the places with the highest rates of tax-refund identity theft—you can apply for an identity-protection personal identification number, or IP PIN, through the IRS website. On IRS.gov, enter “IP PIN” into the search box, then select “The Identity Protection PIN (IP PIN).” Once you receive your six-digit IP PIN, enter it on your tax return to confirm that the return actually is from you. IP PINs also are available to the approximately 1.7 million taxpayers who received a letter offering them this safeguard because the IRS identified what it considered suspicious activity in their accounts. IP PINs cannot be used on state tax returns, however. For more information on eligibility and rules, go to IRS.gov/Individuals/Get-An-Identity-Protection-PIN.