New Mexico
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- New Mexico’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
A data breach can occur when an unauthorized party accesses sensitive or personal data. These incidents have risen over the past decade due to society's increasing dependence on technology. New Mexico may have a lower-than-average population, but data breaches still significantly affect it. In 2023, it ranked 36th in the number of victims affected due to a violation. The losses sustained that year accumulated to $45,127,386. Most of the targeted areas in the state relate to healthcare, government, or educational institutions rather than small and medium-sized businesses.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
New Mexico's Recent Biggest Data Breaches
New Mexico Department of Health
In July 2023, the New Mexico Department of Health discovered that one of their donations to Habitat for Humanity had files with personal information, thereby exposing some patients. Its internal team moved to contain the breach and stop unwanted access to company systems. Habitat also implemented an investigation to ascertain the main scope of the incident. A review of the information revealed that names, addresses, medical records, patient identification numbers, and clinical data were among those that were stolen. At the time, the department claimed it had no evidence to show the exposed data had been misused in any way whatsoever. However, Habitat for Humanity representatives issued notifications to the 637,300 individuals who were affected by the breach. Complimentary credit monitoring and identity theft protection were also provided to the relevant group.
Blue Cross and Blue Shield of New Mexico
In June 2023, Blue Cross and Blue Shield discovered unauthorized access to its systems. Immediately, the company discovered personal data was being accessed without its knowledge; TMG Health moved to secure the systems and block further disclosures. TMG also notified local law enforcement to mitigate the event. Information revealed included names, email addresses, birth dates, phone numbers, Social Security data, bank account details, and medical records. The facility also recommended that those affected regularly check their financial accounts. They also provided a year of complimentary personal identity and privacy protection to all involved from the beach.
New Mexico State Regulation and Licensing Data Breach
In October 2022, the New Mexico State Regulation and Licensing Department (NM RLD) overseeing business licenses became the target of a cyber-attack. There was evidence of unauthorized access to the agency's systems, though the department did not indicate to which level. NM RLD's cybersecurity professionals worked with experts to protect their staff and consumer base. Following the initial investigation, the department found that accounts belonging to 225,000 individuals may have been accessed. They also indicated that types, including names, addresses, Social Security numbers, and other identifying details, might have been compromised. The licensing and regulation department continued to work with law enforcement and notified everyone affected by the breach.
True Health Data Breach
In October 2021, a phishing attack allowed an unauthorized party to access the personal health information of TrueHealth's customers and personnel. Initial investigations showed that the affected data included names, birth dates, medical records, and patient and treatment information. There was no evidence of data misuse at the time, though notification letters were issued to the 62,983 impacted members of True Health's plans. The company also offered complimentary credit monitoring and identity theft protection to this group.
San Juan Regional Medical Centre Data Breach
In the fall of 2020, San Juan Regional Medical Centre determined that an unauthorized party had accessed its files. This resulted in the exposure of the personal information of 68,792 patients. The data was attained from San Juan's billing records. Some exposed information included Social Security details, financial accounts, driver's licenses, and health insurance data. That said, the electronic medical record system was allegedly not affected due to the breach. It took the hospital more than a year to inform the affected patients. The hospital also implemented tighter safeguards to its network to prevent further inappropriate access.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
All businesses or entities that license or handle personal information in New Mexico must notify affected clients in the event of a data breach. New Mexico state law indicates that personal data includes names in combination with driver's licenses, Social Security numbers, account numbers, and biometric details. They are to notify individuals within the most expedient time, meaning it should not be later than 45 days after discovering a breach. If the number of those to be notified is more than 1,000, then the business must inform the attorney general's office and other consumer reporting agencies.
Businesses are permitted to issue notices via written or electronic means. Substitute notices are also permitted if the notification expense exceeds $100,000 or if over 50,000 individuals were affected. Similarly, a substitute notice can be issued if the entity does not have sufficient contact information for the consumers involved in the breach. Substitute notices may issued via a conspicuous posting on the entity's website, notifying state media outlets as well as, the state attorney general. In the event of a data breach, the state attorney general can issue remedies by injunction or exacting damages on the company that violates the issued laws.
Laws
- The New Mexico Consumer Information Privacy Act relates to consumer protection, issuing definitions, and establishing consumer rights. It also establishes obligations for the businesses that collect or utilize personal data.
- New Mexico Statutes Section 57-12C-6 (2021) deals with the notification of individuals when there is a data breach. People or groups licensed to possess a resident's computerized information shall notify the owner of any security breach within an expedient time.
- New Mexico's Trade Practices Act mandates that unfair or misleading business practices are prohibited. This law prevents unfair, competitive, or deceptive types of business practices. It also investigates complaints on these practices and issues remedies to the aggrieved parties.
Resources
- DOH addresses data security incident with transparency and vigilance
- Federal Bureau of Investigation Internet Crime Report 2023
- True Health New Mexico Data Breach Settlement
- Office of the attorney general
- NM Stat § 57-12C-6 (2021)
- Consumer Information Privacy Act - New Mexico Legislature
- NMSA 1978, § 57-12-1