ST. PETERSBURG, Fla. — Getting a letter in the mail saying your personal information was likely made available to hackers in a data breach can be a lot to take in. There are so many questions: Am I in danger of identity theft? What do I do now?
Sometimes you may not even recognize the company or organization that sent the letter and had your information in the first place.
VERIFY viewer Joan E. in Largo wanted to know if the notice she recently received was real, or just another ploy by scammers.
Joan received a letter informing her that personal information associated with her Medicare plan was "likely affected" in a "sophisticated cyberattack" involving a firm contracted by the U.S. Department of Justice called Greylock McKinnon Associates Inc.
She was told scammers could have gotten hold of her name, birth date, address, Medicare Health Insurance Claim Number (which includes her Social Security number) and some other medical/health insurance information.
VERIFY looked into whether this breach actually happened, and how to protect yourself from identity fraud.
THE QUESTION
Was there really a data breach at Greylock McKinnon Associates, Inc. (GMA) involving Medicare information stored by the Department of Justice?
THE SOURCES
- The Office of the Maine Attorney General
- Kylie Mason – Communications Director, Office of the Attorney General Ashley Moody
- Erich Kron – Security Awareness Advocate, KnowBe4
- Florida Statute
- Federal Trade Commission
THE ANSWER
Yes, GMA formally began notifying consumers of a data breach on April 5, 2024.
WHAT WE FOUND
The firm, which provides consulting for civil litigation services, sent a notice to the Office of the Maine Attorney General saying an investigation found 341,650 Americans were affected by a cyberattack on May 30, 2023.
In the letter sent to those impacted, GMA said it had been contracted by the U.S. Department of Justice "as part of a civil litigation matter." The firm received the personal information of at least hundreds of thousands of Medicare recipients "in support of that matter," the letter read.
GMA clarified those whose information was shared with GMA were not part of the litigation in question, and their Medicare benefits or coverage had not been impacted by the breach.
What now?
GMA offered two years of free credit monitoring to victims of the data breach to get notified of any changes to their credit profile. This is a common procedure for companies that get hit with cyberattacks that jeopardize consumers' personal information.
Erich Kron, a security awareness advocate at Clearwater-based KnowBe4, said this service is a drop in the ocean compared to what victims have to protect themselves against.
"It's great that you got a year or three years or whatever of credit monitoring, but you got a lifetime of having to watch your back now," he told 10 Tampa Bay.
"That information is going to be used against you probably at some point in time. It's going to be part of information that's being sold and bought on the dark web. It's going to come back to bite you."
What took so long?
VERIFY viewer John E. in Zephyrhills reached out about a letter he got notifying him of a separate data breach. He wanted to know how companies can wait nearly a year from when suspicious activity was detected before letting consumers know.
"A lot of stuff can happen in the meantime," he said in his email to VERIFY. "We have many elderly people here in our area and I am betting that most of them will not know what to do when they suspect their information has been compromised."
Each state has its own regulations on how quickly companies need to notify consumers of a data breach.
Florida law states that a business organization must send a notice to the attorney general if at least 500 Floridians' information was affected in a cyberattack. That notification must be filed "no later than 30 days after the determination of the breach or reason to believe a breach occurred."
Kylie Mason, Communications Director for the Office of Attorney General Ashley Moody, confirmed to VERIFY that GMA had not sent a notice to them, indicating this breach did not impact more than 500 Floridians. Mason said their office was aware of the breach, however.
Juliana Henderson from the Federal Trade Commission told VERIFY that when a breach involves personal health records, an entity must let consumers know no later than 60 days after the breach was discovered. She said that if letters are sent out later than 60 days, the FTC would be able to bring a civil action against the company, depending on "the facts of the case."
So if GMA "detected unusual activity" on their network in May of 2023, how were they able to wait until April of 2024 to let affected consumers know?
In the letter, the company said it immediately opened an investigation and later confirmed which consumers' information was compromised on February 7, 2024.
"If they continue to say, 'Oh, we're investigating, we're investigating, we're investigating,' they can really drag it on for a long time...before they say 'OK, we're sure data was breached,'" Kron said. "And unfortunately, the recourse for individuals and the victims generally has to be through legal means, such as a civil suit or something along those lines."
What recourse do you have?
Class-action lawsuits against companies that suffer data breaches are extremely common.
After consumers started getting letters, an investigation was opened into whether civil action could be taken against GMA, and a website was launched where attorneys asked to hear from victims.
Even then, Kron says the amount of money you'd likely get from a settlement might not be enough to protect your information from fraudsters once it's out there.
"When you see what they pay out, it's like $5 or $10 or something ridiculous like that...It's never going to amount to what it is that people are going to have to suffer over this," he said.
"Unfortunately, in my experience, and I know this is going to sound kind of pessimistic, but when it comes to class action lawsuits, the people that benefit are the lawyers," Kron explained. "They make the money off the deal. They benefit from it. The individuals — not so much, usually."
In terms of what the government and security agencies are doing to help protect your information, Kron said there needs to be more pressure on them to act, especially because cyberattacks are getting more complex and advanced.
"You have a fast problem with slow regulation coming around to try to deal with it. There's going to be gaps where people are left exposed and potentially at risk," he said.
How can you protect yourself?
Kron's advice: be vigilant, especially in cases when information is being shared with third-party organizations you may have never heard of before.
The issue, Kron said, is that third-party organizations often don't have enough security in place to protect against data breaches and cyberattacks. That puts much of the responsibility on you, which Kron said is "a shame, but it is what it is."
He said knowing how to spot phishing attacks arriving in your email inbox is crucial, and that avoiding reused passwords can be the difference between getting locked out of just your Instagram or Facebook account and also losing access to other accounts that hold more valuable and personal information.