Health Insurance with a Twist
I'm sure everyone just got that e-mail about personal info stolen from Tang. I'll repost it in the comments. But I've now had my personal info potentially stolen from UCLA and UCB. Cool.
posted by Armen Adzhemyan at 9:51 AM
14 Comments:
Dear Associate of UC Berkeley,
We are writing to you because UC Berkeley`s University Health
Services, UHS, recently learned that criminal computer hackers broke
into electronic databases containing personal information belonging to
some UHS clients and their parents or spouses.
Although the investigation is still underway, we wanted to alert you
as soon as possible that some of your personal information, including
your Social Security number stored on those databases, was stolen,
which puts you at risk for identity theft. It is also possible that
your parents or guardian or spouse`s information was taken if you
waived enrollment in the Student Health Insurance Plan, and they were
the policy holder of your health coverage.
In addition, the criminals may have stolen information related to your
health insurance coverage and some of your non-treatment medical
information such as Hepatitis B immunization history, UHS medical
record number, dates of visits or names of providers seen, or for
participants in the Education Abroad Program, certain information from
the self-reported health history. You will receive a second
notification letter from us if, in addition to your Social Security
number, this information was also stolen.
Please be assured that UHS electronic medical records, including
patient diagnoses, treatments and therapies, are stored in a separate
system and were not affected in this incident.
We sincerely regret and apologize for any difficulty that this theft
may create for you. We have alerted campus police detectives and the
FBI, and we are doing all that we can to investigate this crime. We
are also dedicated to assisting you with information about the
incident and services that can help prevent or minimize the impact
this theft may have on you.
Protecting Your Personal Information
Attached to this letter is a resource sheet to assist you with steps
that you may wish to take to protect your identity and credit. As a
precautionary measure, we urge you to create immediately a no-cost,
formal fraud alert on your consumer credit file. If someone attempts
to open a new credit card account in your name, this service will
monitor activity on your account.
We have also established a Data Theft Hotline, 888-729-3301. Trained
personnel will be available 24 hours a day, 7 days a week to help you
determine the full extent of your personal exposure and assist you
with information about credit and identity protection services. When
you call, you will be asked to provide personal information to
validate your identity.
Additional information can also be found on our dedicated web site:
http://datatheft.berkeley.edu
Background Information about the Theft
UC Berkeley computer administrators determined on April 21, 2009 that
restricted electronic databases had been illegally accessed by
hackers, and that the data thefts began on October 9, 2008, and
continued until April 6, 2009. All of the exposed databases were
immediately removed from service to make sure that they would be
completely protected from any future attacks. To ensure that we fully
understand the nature of the security breach and to determine the
steps that we can take to minimize the risk of a reoccurrence, the
university has hired an outside auditor, Price Waterhouse Coopers, to
support our ongoing investigation of the incident.
Finally, please be aware that sometimes in these situations, dishonest
people falsely identifying themselves as UC Berkeley representatives
may contact you and offer assistance with the intention of obtaining
more personal information from you. If you call our Data Theft Hotline
the operator will need to ask for information to validate your
identity, but we want to assure you that UC Berkeley will not contact
you by phone, e-mail or any other method to ask you for personal
information. If you are uncertain about any inquiry, please call our
hotline directly.
Sincerely,
Steve Lustig
Associate Vice Chancellor, Health and Human Services
Shelton Waggener
Associate Vice Chancellor & Chief Information Officer
Understanding and Protecting Yourself from Identity Theft
People who have had personal information stolen are at risk if they do
not take steps to protect their identity. According to a Federal Trade
Commission report, most identity theft involves the illegal use of
credit card, bank, utilities, and other existing accounts.
Fortunately, there are steps, described below, that you can take to
protect yourself and your credit. In addition, extensive information
on personal identity theft and fraud and protective steps you can take
is available on the Web site of the California Office of Privacy
Protection, a division of the state Department of Consumer Affairs,
http://www.privacy.ca.gov.
PLACING A FRAUD ALERT
By placing a fraud alert on your consumer credit file, you let
creditors know that they should watch for unusual or suspicious
activity in any of your accounts, such as someone trying to open a
credit card account in your name.
To place a free fraud alert, call one of the three major credit
reporting agencies listed below.
Your phone call will take you to an automated phone system. Be sure to
listen carefully to the selections and indicate that you are at risk
for credit fraud. You need only contact one of these agencies, which
will automatically forward the fraud alert to the other two. These
agencies offer the initial fraud alerts at no charge.
Equifax
888-766-0008
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
http://www.equifax.com
Equifax home page
http://www.equifax.com/answers/set-fraud-alerts/en_efx
Equifax fraud alert information page
Experian
888-397-3742
Credit Fraud Center
P.O. Box 1017
Allen, TX 75013
http://www.experian.com
Experian home page
https://www.experian.com/consumer/cac/InvalidateSession.do?code=SECURITYALERT
Experian credit fraud page
http://www.experian.com/consumer/fraud_faqs.html#security
Experian credit fraud FAQ
TransUnion
800-680-7289
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
http://www.tuc.com
TransUnion home page
http://www.transunion.com/corporate/personal/fraudIdentityTheft/fraudPrevention/fraudAlert.page
TransUnion fraud page
Soon after you place a fraud alert, you will receive credit reports by
mail from all three reporting agencies. In the credit report, check
your personal information, including home address, Social Security
number, etc., for accuracy. Look for any charges that you did not
make. Watch for any accounts that you did not open. Note any
inquiries from creditors that you did not initiate.
If you find anything that looks suspicious or that you do not
understand, call the credit agency at the telephone number listed on
your credit report. You may also wish to call your local police or
sheriff`s office to file a report of identity theft.
PLACING A SECURITY FREEZE
A security freeze means that your credit file cannot be shared with
potential creditors unless you give your consent. If your credit files
are frozen, even someone who has your name and Social Security number
would probably not be able to obtain credit in your name. If you take
this step any new creditors that request your file from one of the
three credit bureaus will only obtain a message or a code indicating
that the file is frozen. While you will be able to lift the freeze for
legitimate inquiries, you should be aware that this can slow any
credit approval process.
A security freeze is free to those who have a police report of
verified identity theft. To obtain a police report, contact your local
police department. Give the police as much information on the theft as
possible. One way to do this is to provide copies of your credit
reports showing the items related to identity theft. Black out other
items not related to identity theft. Give the police any new evidence
you collect to add to your report. Be sure to obtain a copy of your
police report. You will need to give copies to creditors and the
credit bureaus.
If you do not have a police report, it costs $10 to place a freeze with each
credit bureau, for a total of $30. The credit bureaus require that freeze
requests be made in writing.
Samples of freeze request letters can be found at:
http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Send by certified mail.
Include name, current and former address, Social Security number and
date of birth. Pay by check, money order or credit card, Visa, Master
Card, American Express or Discover only. Give name of credit card,
account number and expiration date.
Experian Security Freeze
P. O. Box 9554
Allen, TX 75013
Send by certified mail.
Include full name, with middle initial and Jr./Sr., etc. Include
current address and home addresses for past five years, Social
Security number, birth date and two proofs of residence, such as a
copy of driver's license, utility bill, insurance statement, bank
statement. Pay by check, money order or credit card. Give name of
credit card, account number and expiration date.
TransUnion Security Freeze
P. O. Box 6790
Fullerton, CA 92834
Send by regular or certified mail.
Include first name, middle initial, last name, Jr./Sr., etc. Current
home address and addresses for past five years, Social Security number
and birth date. Pay by check, money order or credit card. Give name
of credit card, account number and expiration date.
Additional information on how to initiate a Security Freeze can be
found on the Web site of the California Office of Privacy Protection:
http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf
CREDIT MONITORING
This service will send you e-mail alerts when new accounts, inquiries,
negative information, credit-limit changes, and other items appear on
your credit report. The following firms all offer credit monitoring
services on a monthly basis with prices ranging from $4.95 to $14.95 a
month. Please note that Federal Trade Commission and country`s
leading consumer groups do not endorse this particular service. They
suggest that signing up for a free Fraud Alert and placing a Security
Freeze on your credit file offers a higher level of protection.
Experian: http://www.experiandirect.com/triplealert/default.aspx?sc=668715
True Credit:
https://www.truecredit.com/products/optimizedOrder.jsp?package=TriBureauCMU
Identity Guard: http://www.identityguard.com/getprotected/landing.aspx
Equifax: http://www.equifax.com/id-patrol/
when asked whether UCB would reimbursed costs for checking credit the response was "i don't know at this time"
what. the. F*&$.
Also, the email clearly states that "some of your personal information, including your Social Security number stored on those databases, was stolen..." Yet when I called the hotline, they said this wasn't necessarily the case. They should really be a lot more clear.
New project for the SLTPPC?
Oh boy, this should be fun. I just called and they confirmed that my data was, indeed stolen, but couldn't give me any more information. Apparently the people from their hotline can't do anything more than tell you 1) whether your info was on a compromised database, and 2) refer you to "resources," which turned out to be Experian/Equifax/TransUnion and all the same resources listed in the
I had a bunch of questions about what type of data was stolen, how I should proceed given my specific circumstances, etc., and the person on the phone had NO clue. She kept referring me to Equifax.
They're refusing to provide credit monitoring services, which is bogus. Collective or class action, anyone? I wish I paid more attention in torts.
I talked with the health hotline people, who also told me they're refusing to provide credit monitoring services.
They suggested I might have more luck writing a letter to Risk Management at this address:
UC Berkeley Risk Management
131 University Hall
Berkeley CA 94702
I had a similar situation happen to me a few years ago. The company responsible sent a link to a website from which I was able to put out a fraud alert to all three bureaus (I don't have it though). I believe there is a standard procedure in the case of fraud which allows you to get all three for free. (You don't get scores though). You can then look over the report to determine if in fact any fraudulent activity has occurred before you freeze your credit. Additionally everyone is entitled to one free credit report (again, sans scores) from each bureau at www.annualcreditreport.com. It's a legit site, not to be confused with freecreditreport.com and the like.
According to Armen's post if you call any of the big three and report fraud, they'll call the others and take care of it (and get you reports). Having the university pay for credit reports or monitoring is totally worthless and unnecessary.
I wish schools would stop using social security numbers to index their students.
It's silly we use the same identification number for credit markets and for everything else.
Presumably they need our SSNs to authorize billing.
Oh, automated answering systems. Call the Equifax hotline, and here's what you get:
"Please listen carefully . . . if you suspect that you are a victim of fraud, please say, 'fraud victim' or press 1 now."
Turns out that if you're laughing out loud when you try to say it, the machine won't understand you. But WTF? I mean, take a moment and just picture that. Say it out loud to yourself a few times, if that helps. How very comforting, no?
okay lawyers, the way this is being handled is totally unacceptable and the school needs to be called out on it. First, they've known about this since April 21, and yet we are just being contacted now? How is that for mitigation? Second, they should and will cover account monitoring costs--they just released social security numbers, people. Not okay. Why are those intermingled with health records anyway? Third, the so-called trained individuals at the hotline are trained to not give any information other than call credit agencies. We need to know exactly what was stolen so that we are empowered to make informed decisions about how to deal with the risk of theft. If it takes a class action, Boalties should be able to handle that, no? It would be much preferable if the administration took initiative to make these things happen without litigation.
Not to be disheartening, but the first step is to find someone who actually had their identity stolen and used to their detriment. To argue mitigation, you'll have to show that the detriment happend in the window of time between the 21st and May 10th, and that the student would have taken steps that would have actually prevented the loss, had they only known.
Absent the mitigation argument, step two is to show that not only could the UC have handled this better, but they also were under a duty to do so. Given that every university in the country likely engages in equally reckless databasing of sensitive information (a collection of SSN's and birthdays for alumni? really? why???) this might be difficult.
Step three is to engage in oh, about ten years of appellate litigation. If the result of that litigation is favorable, the UC will pay millions and then promptly shift that cost to the hapless innocents in the class of 2020. No real sting there, just more paper shuffling for the pointy headed bureaucrats and another round of fee raises for law students. If it's unfavorable, on the other hand, your lawyers will cheerfully bill you on the easy payment plan, until doomsday.
See Kashmiri v. UC Regents for details.
*they = the student. I know it's difficult for Armen to sort that out sometimes.
Post a Comment
<< Home