Maryland

A data breach occurs when an unauthorized party transmits or steals sensitive or confidential data. In Maryland, this is not a new phenomenon: phishing, hacking, malware, ransomware, and stolen information are frequent occurrences. In 2022, the state ranked 16th among states by total victims, with losses totaling more than $217 million. Cybercriminals typically target healthcare facilities, insurance companies, and government institutions.

Identity Theft Statistics

  • Identity Theft Reports: 12,675 identity theft reports; state rank 9th (reports per 100K population)
  • Fraud & Other Reports: 46,503 total fraud and other reports; state rank 4th (reports per 100K population)
  • Fraud Losses: $27.7M total fraud losses; $335 median fraud losses

Top Ten Report Categories

  • Identity Theft: 21%
  • Imposter Scams: 18%
  • Banks and Lenders: 6%
  • Telephone and Mobile Services: 6%
  • Credit Bureaus, Information Furnishers and Report Users: 5%
  • Online Shopping and Negative Reviews: 5%
  • Debt Collection: 4%
  • Auto Related: 4%
  • Prizes, Sweepstakes and Lotteries: 4%
  • Internet Services: 2%

Top Identity Theft Types

  • Credit Card Fraud: 8,328 (33%)
  • Other Identity Theft: 6,142 (25%)
  • Bank Fraud: 3,482 (14%)
  • Loan or Lease Fraud: 2,833 (11%)
  • Phone or Utilities Fraud: 1,589 (6%)
  • Government Documents or Benefits Fraud: 1,356 (5%)
  • Employment or Tax-Related Fraud: 1,290 (5%)

Maryland's Recent Biggest Data Breaches

2022
November

Washington County Systems Breach

In November 2022, Washington County detected suspicious activity within its internal computer networks. The county took steps to secure the network and began an investigation to determine the scope of the incident. The investigation determined that files may have been copied without authorization. The data obtained included names, contact information, Social Security numbers, driver's license or state identification numbers, passport numbers, medical information, and financial account data. The county also reported the incident to federal law enforcement and mailed notices with more information about the event to those for whom it had address information.

2020
September

Arthur J. Gallagher & Co. Data breach

In September 2020, Arthur J. Gallagher & Co. (AJG) detected ransomware, which affected its internal systems. In response, Gallagher took the systems offline as a precaution. AJG started investigating the event and concluded that particular information had been stolen during the incident. In June 2021, the company began providing written notice to affected parties, notifying them of the breach. The infiltrated information included names, credit card information, electronic signatures, driver's licenses, government identification numbers, biometric information, dates of birth, patient account numbers, passports, and tax identification numbers. Gallagher also notified those potentially affected by posting notifications on the company website. AJG also mailed letters to the individuals and organizations that were mentioned.

2020

Ibex Global Solutions Data Breach

In 2020, Ibex Global identified a malware attack on its systems that took them offline. The incident compromised the information of 4,457 people. An investigation following the breach showed that specific data might have been accessed without authorization. However, it was not until June 2021 that the company determined the scope of the information, which included names, addresses, Social Security numbers, dates of birth, and medical data. In 2021, Ibex Global proceeded to contact 174,000 potentially affected people.

2019
July

Maryland Department of Labor Data Breach

In July 2019, the Maryland Department of Labor announced that an unauthorized party infiltrated its databases containing personally identifiable information. The criminals accessed documentation from 2009, 2010, and 2014, including names, Social Security numbers, dates of birth, and counties of residence. Subsequently, an investigation was conducted by the Maryland Department of Information Technology, which confirmed the unauthorized access to information. However, the Department of Labor indicated this investigation did not produce evidence to verify that the information was downloaded or accessed. The Department of Labor did contact the affected customers, who numbered 78,000.

2014

Union Labor Life Insurance Company Data Breach

In 2014, Union Labor Life Insurance discovered a data breach when a laptop containing personal information was stolen from the company's offices. The incident affected 46,771 individuals, and the information related to benefit plans, medical stop loss, or group insurance policies between 2012 and 2014. The data involved also included names, addresses, personal health information, and Social Security numbers of affected people. The organization reported no evidence that the information had been misused but offered free credit monitoring and protection to those notified.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one is accessing your benefits without your consent.

Inability to Sign In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

01

Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02

Assess and Secure Compromised Areas

Identify which parts of your information have been affected, such as emails, passwords, credit card numbers, Social Security numbers, full names, and phone numbers.

03

Contain the Breach

Isolate the affected system to prevent further damage.

04

Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05

Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06

Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and enable two-factor verification as an additional layer of security.

07

Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08

Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09

Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10

Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

When a security breach is detected, a business has to act in good faith and notify all affected individuals of the incident. It also must perform an investigation. Should the evaluation show a reasonable chance of data misuse, a mitigative and protective course of action must be implemented. Businesses in Maryland must also notify the affected parties within 45 days of their discovery of the breach. A notification might be delayed if law enforcement agencies request that the business do so. A delay may also be accepted so the company can identify all affected people or restore the system's integrity.

Notices to the consumer have to include the following:

  1. A basic description of what was compromised
  2. Numbers and addresses for the credit reporting agencies
  3. The business's contact information
  4. Toll-free contacts and websites for the attorney general's office in each state containing affected individuals

The notice sent to the consumer must be in writing and be relayed to the most recent address or via the most recent mobile phone number. Notices can be sent by email if the party has consented to receive electronic notices or if the business operates primarily via the Internet. Electronic notices or postings on the business's website are also permitted if the cost of notifying all the affected clients exceeds $100,000 or if the number of affected individuals is more than 175,000. Businesses are also required to report data breach incidents to the Maryland attorney general via mail, email, or fax machine.

Third-party notice requirements also apply to the state. Any business in Maryland that maintains personal information that it does not own or license has to notify the owner as soon as possible. It should not be any later than 45 days after the discovery. They must also share any data related to the breach with the licensee.

Laws

  • The Maryland Personal Information Protection Act was enacted to ensure that all consumer data within the state is protected within reasonable means. Initiated in 2008, the regulation requires that all businesses with electronic records containing residents' personal identifying information notify them in case information is compromised.
  • Maryland's Consumer Protection Act (Md. Code Ann., Com. Law §§ 13-101 et seq.) covers the rights of clients. A consumer may file a complaint with the attorney general's consumer protection division. They also have the right to bring claims for damages as well as legal fees for any violations. The attorney general may also seek an injunction or bring an action for a violation.
