Data Breaches: Guidance for SFHSS Members and their Families

Data breaches are a fact of modern life. SFHSS partners with the San Francisco Department of Technology Cyber Security team to develop and implement best practices and training to protect data housed at SFHSS. SFHSS also has policies and procedures in place to address data breaches when they occur.  

This guidance explains what data breaches are, how they can affect you, and what you should look out for following a data breach. 

  • What is a data breach?

    A data breach occurs when information held by an organization is stolen or accessed without authorization.

    Criminals can then sell the stolen personal data on the Dark Web or use it for identity theft. Others use it for blackmail, extortion, grandstanding, and activism.

    Even if your details are not stolen in the data breach, criminals will exploit high-profile breaches (while they are still fresh in people's minds) to try to trick people into clicking on scam messages.

  • How might a data breach affect you?

    Data breaches can have far-reaching consequences, impacting a variety of information types including, but not limited to:

    • financial data, such as credit card information and bank details.
    • personally identifiable information (PII), such as full name, full address, IDs, birth certificate information, etc.
    • personal health information (PHI), such as full name, home address, or dates related to the health or identity of individuals.
    • trade secrets and intellectual property.
    • sensitive or valuable information, like photos or videos.

    Anyone could be a victim. The theft of the information can lead to:

    • financial losses
    • identity theft
    • reputational damage
    • legal repercussions
  • What should you do if you suspect a data breach?

    If the breach is related to your employment, you should report the breach to your employer / IT support team immediately and they will take action. Do not turn off the system, so that the breach can be analyzed.

    If you believe you are the victim of a personal data breach, the following steps are measures you will need to take:

    1. Identify what data was breached.

    2. Change your passwords, or other exposed credentials. You should not use the same credentials on different sites, because if one site is breached, the threat actors will also be able to get into the other sites. If you have used the password that was exposed on other sites, change it everywhere else you have used it.

    3. Sign up for two-factor authentication (2FA) (also known as Multi-Factor Authentication - MFA) on sites that offer this.  2FA/MFA is a security system that requires two distinct forms of identification in order to access something.

    4. Monitor all your accounts in the days and weeks following a breach to watch for strange activity such as new purchases, password changes or logins from different locations.  If your bank information was exposed, contact your bank to close the account and open a new one.

    5. Protect your financial privacy. If the responsible company offers free credit monitoring, take advantage of it. If free monitoring was not offered, get your free credit reports from annualcreditreport.com. You may wish to stagger your requests so that you receive a free report from one of the three credit bureaus every four months. Check for charges you don't recognize. Monitor your credit reports, and if necessary place a credit freeze or fraud alert by contacting the three major credit reporting bureaus. To learn more about credit freezes and fraud alerts, please visit the Federal Trade Commission’s website at https://consumer.ftc.gov/articles/what-know-about-credit-freezes-fraud-alerts.

  • Resources and Guidance
    • Review your credit reports. Under federal law, you are entitled every 12 months to one free copy of your credit report from each of the major credit reporting agencies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1-877-322-8228. You may wish to stagger your requests so that you receive a free report from one of the three credit bureaus every four months.

    • You have the right to file a police report if you ever experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide some kind of proof that you have been a victim. A police report is often required to dispute fraudulent items. You can report suspected incidents of identity theft to local law enforcement or to the Attorney General.

  • What can you expect from SFHSS in the event of a data breach?

    SFHSS complies with all federal, state and local requirements regarding breaches. If SFHSS suffers a breach, we are required to notify the impacted individuals within 30 days of the discovery of the breach. We may also have additional reporting and remediation requirements based upon the severity.

    Breaches may also occur at vendors of SFHSS and at other partners of those vendors; essentially, 3rd, 4th and 5th parties to SFHSS. When SFHSS does not experience the breach directly, the reporting requirement falls upon these other vendors. In those instances, due to protected information, little is shared with SFHSS regarding what data was breached and who specifically was impacted. SFHSS will only be informed that a breach impacted our members and the number of impacted members. In those situations, the member will receive notification directly from the vendor.

    If you are concerned whether a letter you receive is legitimate, you may contact HSS.