Data breaches occur following unauthorized access of sensitive or personal information by criminal actors. These crimes are rising due to increasing dependence on technology for information storage. In Arkansas, data breaches have occurred in the healthcare, educational, and local government networks most prevalently recently. In 2023, the state was ranked 34th in the nation regarding the number of breach victims. It lost $46,585,087 in the same year. The most common types of breaches in the state are related to phishing, email hacking, malware, ransomware, or denial of service attacks.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Identity Theft
Imposter Scams
Prizes, Sweepstakes and Lotteries
Telephone and Mobile Services
Debt Collection
Online Shopping and Negative Reviews
Credit Bureaus, Iformation Furnishers and Report Users
Banks and Lenders
Auto Related
Internet Services

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Loan or Lease Fraud
Bank Fraud
Employment or Tax-Related Fraud
Phone or Utilities Fraud
Government Documents or Benefits Fraud

Arkansas's Recent Biggest Data Breaches


Ricoh Data Breach

In July 2023, Arkansas Total Care determined that one of their vendors, Ricoh, experienced a system breach. The initial supposition was member information may have been exposed, viewed, or downloaded by an unauthorized party. Immediately after they learned of the incident, Ricoh took steps to stop the infiltration and started an investigation with the help of an external cybersecurity expert. Ricoh also reported the incident to the Department of Homeland Security. Some information exposed in the breach included member IDs, addresses, birth dates, gender, phone numbers, diagnoses, Social Security numbers, and claims data. The organization indicated they had no reason yet to believe that the information was used for criminal purposes, but they sent a letter to all the potentially affected. They also offered credit reporting options to all the victims of the cybersecurity incident.


Howard Memorial Hospital (HMH) Data Breach

In December 2022, Howard Memorial Hospital issued a notice of a data breach following infiltration by an unauthorized party that stole patient information. The incident affected 54,000 patients and current or former employees. The information types potentially affected by the breach included names, birth dates, Social Security numbers, and bank account data. This breach also affected particular information belonging to current and former employees, such as contact data, birth dates, Social Security numbers, names, and direct deposit accounts. Howard Memorial also sent out data breach letters to all whose information may have been compromised.


Mena Regional Health System Network Server Breach

In November 2022, Mena Regional Health System determined that an unauthorized party removed its files. Upon realizing there was unauthorized access to their systems, Mena initiated an investigation and shut down further access. The investigation revealed that files containing names, birth dates, financial account data, treatment details, medical provider names, prescriptions, and health insurance were exposed. Mena Regional sent out data breach notifications to the 84,814 affected patients, though they indicated they were unaware of any improper use of the exposed data.


Arkansas Department of Human Services Email Breach

In September 2022, the Department of Human Services became aware that an employee sent emails from their DHS email to their personal Yahoo account. The email had client information with attachments indicating the number of Medicaid clients diagnosed with the flu. Further investigation found that the exposed information included birth dates, gender, counties, zip codes, and flu diagnoses for 925 patients. It was noted that no financial information was disclosed in the breach. Names, Social Security details, and physical addresses were also not exposed. The DHS claimed they take clients' privacy seriously and took steps to mitigate the risk accordingly.


University of Arkansas for Medical Sciences Email Breach

In November 2021, the University of Arkansas for Medical Sciences discovered that one of their former personnel sent emails from her designated work account to her personal Gmail account. This email had patient information, including billing statements, attached to it. It also had the names, account details, insurance, and claim data of 518 patients. Birth dates and medication information were also exposed in some cases. The university reiterated that no credit card data, driver's licenses, or Social Security numbers were stolen. It notified all affected patients by mail or through its website. The university also filed a report with the local police department.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Businesses in Arkansas must notify residents when their personal information is compromised. The acceptable notification methods are email, telephone, or written letter. Personal information may include Social Security numbers, driver's licenses, names, birth dates, account numbers, medical information, and biometrics. All notifications are to include dates of the breach, descriptions of the information exposed, contact details of the business, and toll-free numbers of consumer reporting agencies. If the number of those affected is more than 1,000, the businesses must notify the attorney general's office. They also have to inform consumer reporting agencies and all relevant state agencies. When notifying the attorney general's office, they must use a specific Data Breach notification form.

Substitute notices are also available for entities provided the cost to send traditional notifications is more than $250,000, or the number of those impacted is more than 500,000.

A substitute notice would entail email notices when the business has addresses for those affected. It may also be a conspicuous posting of the notice on the business's website. Similarly, the entity is required to notify statewide media outlets. The notification has to be done within 45 days following the discovery of the breach. Delays are only permitted if the notification would interfere with ongoing law enforcement investigations.


  • The Arkansas Personal Information Protection Act requires businesses and individuals licensed to collect or handle personal information to use reasonable security protocols and practices to protect their details. This regulation also mandates that if information is compromised, those responsible for the data must notify the affected promptly.
  • The Arkansas Deceptive Trade Practices law provides a right of action for all deceptive practices. It also defines a deceptive trade practice a business may engage in, including violating the breach notification regulations in such an event. The attorney general's office investigates and prosecutes all violations of this law.