I almost threw away the mailing I got in mid-July from MNGI Digestive Health. I couldn’t remember ever patronizing the place. Must be more junk mail.
Then I remembered I’d recently written about MNGI and another Twin Cities medical firm, Consulting Radiologists. They had both been hacked, together exposing personal data of over 1 million people. Turns out I was one of them.
Like millions of Americans, I faced the specter of identity theft. So, I set out to discover more about this increasingly common scourge. I found useful tips — and sobering information about the market for stolen data.
How to decipher your notice
A consumer’s data-breach odyssey usually starts with a letter from a hacked company or an alert from a credit monitoring service. (The Identity Theft Resource Center, which assists victims and conducts research, has a primer on what to do when you get a notice. )
In a breach letter, companies are required by law to say what happened, why it happened and how consumers can protect themselves, said Michael Bruemmer, Experian’s head of global data-breach resolution.
The letters often have contact information for Experian, Equifax and Trans-Union, the three major U.S. credit bureaus. By law, consumers can get one free credit report annually from each of them.
Breach notifications are typically thin on how a hack occurred. And over the past three years, they have become thinner due to court decisions that encourage companies to report fewer details, Lee said.
With less information, consumers can have more difficulty demonstrating actual harm in a lawsuit over a breach. “Don’t give people a road map to sue you” is the way companies look at it, Lee said. (Still, federal courts are rife with data-breach lawsuits.)
Breach letters typically give consumers phone numbers to call if they have questions. I had a few, so I called and spoke to a representative from the firm that MNGI hired to manage its breach. He was cordial, reiterating what the letter said: There was no evidence my information had been misused by an identity thief.
Of course, that is a common response. I asked further if my Social Security number had been compromised. He said there was no indication it had. The letter had said only my name, date of birth and medical information had been exposed. (So, my colonoscopy results are out in cyberspace, apparently.)
I felt relatively reassured, but experts say I should still be wary. They recommend that data-breach targets freeze their credit.
“A credit freeze is a very good solution,” Bruemmer said.
It’s free. And fraudsters can’t access credit profiles that are frozen.
There is a downside: Consumers must temporarily unfreeze their credit information if they want to borrow money.
Consumers also can ask credit bureaus to issue a “fraud alert,” which tells lenders to verify your identity before issuing credit.
Other tips from experts include changing account passwords, vigilantly monitoring your financial accounts for signs of suspicious activity and signing up for a credit monitoring service. You’ll usually have to pay for credit monitoring, though some hacked organizations will offer it for free over a certain amount of time.
Five states require breached companies to provide one to two years of free crediting monitoring, Bruemmer said.
Questioning the information
Bob Doyle of Savage, Minn., a retired human resources consultant, got a letter from Consulting Radiologists in June saying his data — name, address, date of birth and health information — had been potentially exposed in a hack.
Shortly after, he got a notice from his credit monitoring service, Experian, indicating that his Social Security number and his email address had been found on the dark web due to a breach at Consulting Radiologists. The letter Doyle got from Consulting Radiologists mentioned nothing about either.
So he said he called Consulting Radiologists. A representative told him to call the vendor that had been hired to manage the breach. A representative for the vendor told him there was no evidence his Social Security number had been compromised.
He called Consulting Radiologists again and brought up the discrepancy, asking for free crediting monitoring, and the company agreed.
Consulting Radiologists didn’t respond to requests for comment for this story.
The dark web is a part of the internet that’s not accessible through conventional browsers. You need special software to get there.
“The dark web is basically the bad guys’ bazaar,” Experian’s Bruemmer said. It’s an anonymous stretch of cyberspace where thieves traffic in stolen data and other illicit wares.
“If your data is on the dark web, there is nothing you can do to get it off the dark web,” Bruemmer said.
