I almost threw away the mailing I got in mid-July from MNGI Digestive Health. I couldn't remember ever patronizing the place. Must be more junk mail.
Then I remembered I'd recently written about MNGI and another Twin Cities medical firm, Consulting Radiologists. They had both been hacked, together exposing personal data of over 1 million people. Turns out I was one of them.
Like millions of Americans, I faced the specter of identity theft. So, I set out to discover more about this increasingly common scourge. I found useful tips — and sobering information about the market for stolen data.
Tracing identity theft to any particular data breach is difficult, said James Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit group based in California. "But we do know that data breach information is the fuel for most identity theft crimes."
Through the first half of 2024, the Identity Theft Resource Center tracked 1,571 U.S. data breaches — 13% higher than the first six months of 2023, a year that ended with a record number of hacks. Over 1 billion people had their data compromised in breaches through June.
In February, an arm of Minnetonka-based UnitedHealth Group was hit by one of the largest U.S. data hacks ever, involving tens of millions of people. In June and July respectively, Consulting Radiologists and then MNGI Digestive disclosed data breaches affecting, respectively, 584,000 and 766,000 people.
In August, three more Minnesota health care providers reported data breaches involving more than 35,000 people: Park Dental (238,667); Fraser Child and Family Center (67,000); and the Dental Specialists (38,442). There have been many more significant Minnesota hacks over the past couple of years.
Companies and governments often struggle for months to determine the nature and extent of a data breach. It took MNGI 11 months. So, your stolen data could be available to fraudsters for a long time before you even know about it.
"Welcome to the new way of life, where no one is safe," said Bob Doyle of Savage, who recently got two letters saying his data had been breached, including from Consulting Radiologists. "The long-held belief of being safe at home has been blown up."
How to decipher your notice
A consumer's data breach odyssey usually starts with a letter from a hacked company or an alert from a credit monitoring service. (The Identity Theft Resource Center, which assists victims and conducts research, has a primer on what to do when you get a notice.)
In a breach letter, companies are required by law to say what happened, why it happened and how consumers can protect themselves, said Michael Bruemmer, Experian's head of global data breach resolution.
The letters often have contact information for Experian, Equifax and TransUnion, the three major U.S. credit bureaus. By law, consumers can get one free credit report annually from each of them.
Breach notifications are typically thin on how a hack occurred. And over the past three years, they have become thinner due to court decisions that encourage companies to report fewer details, Lee said.
With less information, consumers can have more difficulty demonstrating actual harm in a lawsuit over a breach. "Don't give people a road map to sue you" is the way companies look at it, Lee said. (Still, federal courts are rife with data breach lawsuits.)
Breach letters typically give consumers phone numbers to call if they have questions. I had a few, so I called and spoke to a representative from the firm that MNGI hired to manage its breach. He was cordial, reiterating what the letter said: There was no evidence my information had been misused by an identity thief.
Of course, that is a common response. I asked further if my Social Security number had been compromised. He said there was no indication it had. The letter had said only my name, date of birth and medical information had been exposed. (So, my colonoscopy results are out in cyberspace.)
I felt relatively reassured, but experts say I should still be wary. They recommend that data breach targets freeze their credit.
"A credit freeze is a very good solution," Bruemmer said.
It's free. And fraudsters can't access credit profiles that are frozen.
There is a downside: Consumers must temporarily unfreeze their credit information if they want to borrow money.
Consumers also can ask credit bureaus to issue a "fraud alert," which tells lenders to verify your identity before issuing credit.
Other tips from experts include changing account passwords, vigilantly monitoring your financial accounts for signs of suspicious activity and signing up for a credit monitoring service. You'll usually have to pay for credit monitoring, though some hacked organizations will offer it for free over a certain amount of time.
Five states, not including Minnesota, require breached companies to provide one to two years of free crediting monitoring, said Bruemmer.
Questioning the information
Doyle, a retired human resources consultant, got a letter from Consulting Radiologists in June saying his data — name, address, date of birth and health information — had been potentially exposed in a hack.
Shortly after, he got a notice from his credit monitoring service, Experian, indicating that his Social Security number and his email address had been found on the dark web due to a breach at Consulting Radiologists. The letter Doyle got from Consulting Radiologists mentioned nothing about either.
So he said he called Consulting Radiologists. A representative told him to call the vendor that had been hired to manage the breach. A representative for the vendor told him there was no evidence his Social Security number had been compromised.
He called back Consulting Radiologists and brought up the discrepancy, asking for free crediting monitoring, and the company agreed.
Consulting Radiologists didn't respond to requests for comment for this story.
Richard Lentz of Minneapolis had a similar experience with Consulting Radiologists, but with less satisfying results. In July, his Experian credit monitoring service notified him that his Social Security number had been found on the dark web, indicating the stolen data came from the Consulting Radiologists' hack.
Lentz, a retired physician, had not received a letter from Consulting Radiologists itself, so he searched the internet for information. He came across an Allina Health web page about the Consulting Radiologists' breach. (Allina is a major customer of Consulting Radiologists.)
The Allina site had a phone number for a third-party data breach administrator, so Lentz said called it. He was told that if he hadn't gotten a letter from Consulting Radiologists, there was no problem.
"I asked politely how I might reconcile this with Experian's assertion that there was a data breach with my Social Security number on the web," Lentz said. The representative answered that Experian was wrong, there was nothing to discuss, and hung up.
"I'm still not satisfied my Social Security number is not on the dark web," Lentz said.
The dark web is a part of the internet that's not accessible through conventional browsers. You need special software to get there.
"The dark web is basically the bad guys' bazaar," said Experian's Bruemmer. It's an anonymous stretch of cyberspace where thieves traffic in stolen data and other illicit wares.
"Most of us have data out on the dark web," Bruemmer said. "And if your data is on the dark web, there is nothing you can do to get it off the dark web."
Take these steps
Even if your misappropriated data isn't on the dark web, you're not in the clear. Cybercriminals are increasingly using the traditional web, Lee said. Data breaches are "so pervasive, and there is so much information available, that they don't need to hide."
And data pirates are quite innovative. Some will cobble together bits and pieces of stolen data — one person's Social Security number, another's person's driver's license information and so on, Lee said.
"They can create a synthetic identity," he said.
Identity fraudsters will commonly use stolen information — from wherever they get it — to create financial accounts in a person's name without that person knowing about it, Lee said. Hence the importance of freezing your credit report.
"Freezing your credit is the only thing that can stop something bad from happening," he said.
And remember, don't just blow off a data breach letter like another piece of junk mail ― like I almost did.
"If you receive a data breach notice," Lee said, "you are more likely to become a victim of an identity crime."