Credit breach continues grip on doctors of optometry, students

Another wave of malicious credit-line openings related to an ongoing suspected data breach are impacting students and doctors of optometry within the past week. These affected parties—like the initial group—report receiving unsolicited, fraudulent applications for Chase Amazon.com Visa cards submitted in their name. In some cases, these cards are approved. 

At the direction of the AOA's Board of Trustees, the AOA apprised federal authorities of the breach, including the U.S. Attorney General's Office and Department of Justice. Additionally, the AOA called for a united front among affiliates and others, asking optometric testing organizations and state boards of optometry to immediately discontinue use of SSNs as personal identifiers. This petition resulted in the National Board of Examiners in Optometry (NBEO) eliminating the use of SSNs in favor of "OE Tracker numbers."  

As of Jan. 26, the NBEO announced that its own months-long investigation into its systems found no evidence of compromised personal information.

To date, the source of the breach is still unknown. The AOA continues to closely follow this situation and will provide updates when possible.  

Steps data breach victims should take immediately

Cyberattacks are increasingly familiar in this day and age, whether targeting personal and patient records or financial information. Hacking of health care records skyrocketed 11,000% in 2015, while other figures suggest roughly half of all American adults were the subject of a data breach in 2014 alone.

Data breaches can be financially devastating. Marc Haskelson, president & CEO of Compliancy Group, an AOAExcel^® endorsed business partner, says it's important to take some basic steps to protect privacy in the event of a data breach. The sooner doctors act, the better the chances of mitigating damage to personal or organizational privacy.

If doctors suspect their personal data was breached, Haskelson suggests several steps to take immediately:

• Call personal banks and credit card companies. These entities will put a lock on accounts to prevent fraudulent transactions.
  
  
• Change passwords. Is that old password fewer than seven characters? Make it longer. Increase security by using a mix of capital and lowercase letters, numbers and symbols.
  
  
• Notify credit bureaus  that personal data may be compromised. The bureaus will put a fraud alert on doctors' files so that credit isn't damaged.
  
  
• Obtain a credit report. For documentation purposes, use a credit report service to acquire this paperwork and keep on hand.
  
  
• Enroll in an Identity Theft Recovery Program. This highly advisable move will help doctors begin working on a recovery plan almost immediately. If a doctor's practice or organization's data was breached, follow the same steps above.

However, Haskelson suggests additional steps that may be helpful:

• Notify the IT department or provider. Create an action plan to deal with the breach and identify its scope.
  
  
• Contact external companies. Have business associates, vendors or contractors whose data may have been breached, too? Make sure to notify these parties immediately.
  
  
• Notify appropriate local, state or federal authorities. If any protected health information was breached, research applicable laws that the practice or organization is beholden to; depending on the size of the breach, there are different steps to take toward notifying affected parties.
  
  
• File a police report. If the breach is severe, it may be necessary to file an FTC or police report.
  
  
• Keep documentation. It's critical to fully document pertinent information, as well as every step taken, including the date of the breach, time of notification and the measures taken thereafter.

Learn more about Cyber Liability Insurance from AOAExcel, and learn four ways to protect your patients and practice from cyberattacks.