On March 25, 2022, Horizon Actuarial Services reported a “privacy incident” involving theft of personal information and extortion that it says “may affect the privacy” of participants in various benefit plans.
Horizon Actuarial Hack and Data Breach Details
The company reported that its computer servers were accessed without authorization on November 10 and 11, 2021. The following day, Horizon “received an email from a group claiming to have stolen copies of personal data from its computer servers.”
According to the Data Breach Notice, Horizon Actuarial then launched an investigation, notified the FBI, and “negotiated with and paid the group in exchange for an agreement that they would delete and not distribute or otherwise misuse the stolen information.” However, the FBI does not suggest companies should pay hackers that hold data for ransom, reminding the public that paying a ransom does not guarantee that a cyber threat actor will actually keep its promises.
The personal information that may have been stolen from Horizon Actuarial includes names, Social Security numbers, addresses, dates of birth, and health plan information. While the company informed affected benefit plans starting in January, it does not appear to have started notifying affected individuals until March 2022.
A copy of the Horizon Actuarial Services California Data Breach Notice can be found here.
Individuals who have not received a Data Breach Notice about this cyber event, but are concerned they may be affected, can view a public statement on Horizon Actuarial’s website where it identifies benefit plans whose participants and family members may be included.
Benefit Plans Whose Participants and Family Members May Be Affected
- Local 295 IBT Employer Group Welfare Fund
- Major League Baseball Players Benefit Plan
- National Hockey League Players’ Health and Benefits Fund
- OCU Health & Welfare Trust
- OCU Pension Trust
- Rocky Mountain UFCW Health Benefit Plan for Retired Employees
- Rocky Mountain UFCW Retail and Meat Pension Plan
- Teamsters Local 295 Employers Group Welfare Trust
- Twin Cities Bakery Drivers Pension Fund
- UA Local 198 Pension Fund
- UFCW & Employers Benefit Trust
- UFCW Comprehensive Benefit Trust
- UFCW Intermountain Health Fund
- UFCW Local 711 & Retail Food Employers Benefit Fund
California Privacy Laws Protect You and Your Information
If you are a California resident who has received a Data Breach Notice from Horizon Actuarial, California has laws that specifically protect your personal information.
- The California Customer Records Act (CCRA) – this law requires businesses to put into place and maintain reasonable security procedures and practices to protect a consumer’s personal information.
- The California Consumer Privacy Act (CCPA) – the most comprehensive state privacy law in the nation, this law contains many protections for the personal information of California residents.
If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being stolen again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from recurring.
If you received a Data Breach Notice from Horizon Actuarial
Horizon Actuarial suggests steps to take to protect your personal data, and is offering affected consumers one year of identity monitoring services by Kroll.
Be aware that the Data Breach Notice says consumers must enroll by the deadline in the Notice to take advantage of this offer.
Will following the steps in the Horizon Actuarial Data Breach Notice prevent my personal information from being sold on the dark web?
“Dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot actually prevent the sale of that information.
Kroll identity monitoring services may include dark web monitoring. Unfortunately, if you are the victim of a data breach you will still need to be on the lookout. You must remain ever watchful for unapproved credit card charges, identity theft, tax fraud and other illegal uses of your personal information.
One Year Of Identity Monitoring Services May Not Be Enough
Identity theft is on the upswing. In 2018, approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year. By 2021, there were over 50 million personal records compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.
Personal data presents an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like Social Security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
Law enforcement is often unable to break the sophisticated encryption hiding these unlawful activities. The FBI’s Internet Crime Complaint Center received almost 800,000 complaints in 2020. This leaves identity theft victims to repair their misused credit scores, health insurance, and Social Security numbers.
Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and heightens anxiety over future losses and identity theft.
Businesses Should Be Held Accountable For Data Breaches
When businesses collect and keep personal data about California consumers or their families, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.
This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” The stakes are high: Data breach victims are more likely to also be victims of additional fraud.
 Horizon Actuarial provides technical and actuarial services to some U.S. benefit plans, including the Major League Baseball Benefits Plan and the National Hockey League Players’ Health and Benefits Fund.
 See FBI, Scams and Safety, https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware, last accessed April 6, 2022.
 Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.
 Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).