While optometry continues reeling from a suspected data breach, AOA urges not only the affected parties to take immediate action against damages, but also the responsible actor.
Anecdotal reports suggest a possible second wave of malicious credit-line openings related to the ongoing situation are impacting students and doctors of optometry within the past week. These affected parties—like the initial group—report receiving unsolicited, fraudulent applications for Chase Amazon.com Visa cards submitted in their name. In some cases, these cards are approved.
Out of an abundance of concern for members, AOA contacted the FBI and Federal Trade Commission amid the initial reports circulating Aug. 2, 2016, to apprise investigators of the situation. In turn, AOA conducted its own immediate, internal investigation of its databases and remains certain that it is not the source of this potential breach. Barbara L. Horn, O.D., AOA secretary-treasurer, says members should feel assured that AOA employs stringent cybersecurity measures to protect personal information, and additionally, AOA neither gathers nor stores Social Security numbers.
Now a month into the possible breach, AOA President Andrea P. Thau, O.D., says it's time for the compromised party to step forward and claim responsibility.
"The profession deserves to know as promptly as possible the sources and extent of the breach, and the remedy offered by the compromised party," Dr. Thau says.
Affected parties need to take immediate action to hedge against possible damages. Even if doctors and students think they were unaffected by the potential breach, it may be wise taking steps to protect credit.
Vinny Troia, CEO and principal security consultant with Night Lion Security, offers three steps for affected parties to take immediately (find more in-depth information below):
- Obtain your credit report.
- Contact local police with a list of the fraudulent uses of your information.
- Request a credit freeze—To do this, contact all three credit bureaus, Equifax, Experian, and TransUnion. Note: some states require a small fee to "unfreeze" credit.
The AOA is following this situation closely and will provide updates when possible. See the FTC's step-by-step process to report identity theft and develop a recovery plan.
Steps data breach victims should take immediately
Cyberattacks are increasingly familiar in this day and age, whether targeting personal and patient records or financial information. Hacking of health care records skyrocketed 11,000% in 2015, while other figures suggest roughly half of all American adults were the subject of a data breach in 2014 alone.
Data breaches can be financially devastating. Marc Haskelson, president & CEO of Compliancy Group, an AOAExcel® endorsed business partner, says it's important to take some basic steps to protect privacy in the event of a data breach. The sooner doctors act, the better the chances of mitigating damage to personal or organizational privacy.
If doctors suspect their personal data was breached, Haskelson suggests several steps to take immediately:
- Call personal banks and credit card companies. These entities will put a lock on accounts to prevent fraudulent transactions.
- Change passwords. Is that old password fewer than seven characters? Make it longer. Increase security by using a mix of capital and lowercase letters, numbers and symbols.
- Notify credit bureaus that personal data may be compromised. The bureaus will put a fraud alert on doctors' files so that credit isn't damaged.
- Obtain a credit report. For documentation purposes, use a credit report service to acquire this paperwork and keep on hand.
- Enroll in an Identity Theft Recovery Program. This highly advisable move will help doctors begin working on a recovery plan almost immediately. If a doctor's practice or organization's data was breached, follow the same steps above.
However, Haskelson suggests additional steps that may be helpful:
- Notify the IT department or provider. Create an action plan to deal with the breach and identify its scope.
- Contact external companies. Have business associates, vendors or contractors whose data may have been breached, too? Make sure to notify these parties immediately.
- Notify appropriate local, state or federal authorities. If any protected health information was breached, research applicable laws that the practice or organization is beholden to; depending on the size of the breach, there are different steps to take toward notifying affected parties.
- File a police report. If the breach is severe, it may be necessary to file an FTC or police report.
- Keep documentation. It's critical to fully document pertinent information, as well as every step taken, including the date of the breach, time of notification and the measures taken thereafter.
Learn more about Cyber Liability Insurance from AOAExcel, and learn four ways to protect your patients and practice from cyberattacks .