by Dave Moore, CISSP
01/28/2024
Last week, we looked at placing credit bureau freezes in response to how patients of both Integris and SSM St. Anthony hospitals have been victimized by Internet criminals hacking the hospital’s poorly-secured computer networks.
This creates a full-on bona fide identity theft crisis that cannot be minimized or ignored. The personally identifiable information (PII) of millions of people has been stolen, the type of information criminals use to steal tons of money.
After freezing your accounts at all four major credit bureaus (Equifax, TransUnion, Experian and Innovis), the next step is to place identity theft and fraud alerts with various government agencies.
Remember, you do not need to see current evidence that you are in an identity theft crisis. Because you have not experienced horrible consequences does not mean that you won’t at some time in the future. The fact that you’ve done business with an affected institution is all the evidence you need. Tell everyone you contact about the situation that you are concerned about being an identity theft victim, because you know your personally identifiable information has been compromised. Just because you haven’t had a bad car accident doesn’t mean you shouldn’t repair the brakes you already know are shot.
1. Report identity theft to the Federal Trade Commission (FTC) at identitytheft.gov. Obtain a FTC Identity Theft Report. The FTC is the lead federal agency for reporting and prosecuting identity theft, and there is a wealth of great information and advice on their website.
2. After you complete your FTC Identity Theft Report, make a thorough list of all personal data and accounts, i.e., SSN, bank/credit card numbers, email addresses, user names, passwords, etc.
3. Notify the fraud departments of all your creditors and financial institutions in writing of the ID theft, and all details you know about. Request accounts be flagged. Request up-to-date statements. Guidelines and sample letters are on the FTC website. Enclose a copy of your FTC Fraud Report.
4. Review all statements for suspicious activity: loans, investment accounts, property rentals, utilities, etc. Demand bogus charges and accounts be removed and closed. Ask for a letter stating those things have been done. Contact credit bureaus and correct credit reports. Include a copy of your FTC Identity Theft Report, and proof of ID, like SSN, copy of driver’s license, copy of a utility bill, etc. Request blocking of incorrect and fraudulent information. See identitytheft.gov for more.
5. If the U.S. Mail Service was involved in the identity theft, or your mail was stolen, report the incident(s) to the United States Postal Inspection Service at www.uspis.gov/report/
6. If you suspect your SSN has been used by someone else, review your work history at socialsecurity.gov/myaccount. Report errors to your local Social Security Administration office. Do the same thing for other government benefits you may receive (VA, etc.).
7. Ask the Internal Revenue Service to mark your account to identify any questionable activity by completing Form 14039, Identity Theft Affidavit, found at irs.gov/pub/irs-pdf/f14039.pdf. Apply for an Identity Protection PIN from the IRS at www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin. Go ahead and apply for the PIN even if you think you don’t qualify. You should be put on a list to get one in the future.
How seriously you take the situation determines your level of success. Those who ignore the warnings are the ones I hear from the most; I almost never hear from folks who heed the advice and warnings, except for an occasional “thank you,” which is always nice.
Next week: more on placing fraud and identity theft alerts with government agencies.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org