‣ SSNs and Financial Information Exposed
Biolase, Inc., based in Foothill Ranch, California, recently began notifying affected individuals about a data breach involving Social Security numbers, financial information, and other sensitive data.
The company, which manufactures and markets dental laser systems, just recently reported the breach to various state governmental authorities, including the California Attorney General’s Office on May 31, 2022.
According to Biolase, on December 29, 2021, it identified unusual activity on its network. An investigation of this activity revealed that “an unauthorized actor accessed the Biolase network and removed certain files from the network sometime between December 21, 2021 and December 29, 2021.”
The company reports that it completed its investigation around April 20, 2022. The Texas Attorney General’s Office reports that the following personal information was impacted by the breach:
- Individual Names
- Social Security Numbers
- Driver’s License Numbers
- Financial Information (such as account numbers and credit or debit card numbers)
- Health Insurance Information
The full notice provided by Biolase can be viewed here.
Biolase did not begin to notify affected individuals until almost five months after they discovered the data breach. Biolase is now belatedly offering affected individuals complimentary identity monitoring services through Equifax. The deadline to enroll in this service is listed in the Notice.
Special California Laws Protect You
California has laws that specifically protect your personal information from unauthorized disclosure and provides remedies for those who are victims of data breach attacks.
- The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
- The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.
If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.
In addition, if certain types of medical information were compromised, the Confidentiality of Medical Information Act (CMIA) contains protections against the negligent release of personal medical information and requires companies that maintain certain types of medical information to do so in a manner that reasonably preserves its confidentiality.
If you are a California resident and received a Recent Notice of Data Breach from Biolase and think you may have had your data improperly compromised, you may be entitled to between $100 and $750 or your actual damages, whichever is greater, and possibly more if certain types of health insurance information were compromised.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
A Compromised SSN Can Be a Complicated Problem
- A hacker with your SSN can use it to get other personal information about you.
- Identity thieves can use your SSN and name to apply for credit under your name. When the new credit cards are used by the thieves and they don’t pay, it damages your credit. You may not become aware of the scam until creditors start contacting you for non-payment of the thief’s bills, or you are denied credit.
- Stolen SSNs can be used to fraudulently file taxes, apply for jobs, and receive other government benefits.
“Keep in mind that a new [SSN] probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So, using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.”
(Social Security Administration Publication No. 05-10064 July 2021.)
As Electronic Personal Data Doesn’t Degrade, One or Two Years of Identity Theft Services May Not Be Enough
Cyber-crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is about $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021.
Personal data is valuable to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. This is particularly true for numbers that can’t be easily replaced, like driver’s license numbers or Social Security numbers.
Once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Signs that your identity may have been stolen include:
- you see unfamiliar charges on your credit or debit cards
- claims are made by people using your driver’s license or ID card.
- you have bank account withdrawals that you can’t account for
- you are getting medical bills for services you didn’t get
- you are getting called by debt collectors for debts that aren’t yours
- shops won’t take your personal checks
- you stop getting bills that you usually get in the mail
- you get a notice from that IRS that (1) there is more than one tax return filed in your name or (2) you have income you failed to report and don’t recognize³
- your email address or phone number come up on http://haveibeenpwned.com/ as part of a data breach
“It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” The stakes are high: Data breach victims are more likely to also be victims of additional fraud.
 Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).