Simpson University Reports Data Breach of Medical, Financial and Student Information

‣ Public notice sent out 10 months after breach

On June 10, 2022, Simpson University, a private university in Redding, California, reported that an unauthorized party gained access to certain Simpson University employee email accounts between July 29, 2021 and September 17, 2021.

According to the university, those email accounts contained student personal and medical information. The university determined which individuals were affected by the breach on February 1, 2022. However, its notice to affected students was not sent until June 9, 2022, 10 months after the breach took place.

Over 6,000 people were affected by Simpson University’s data breach.

What Personal Information Is At Risk in the Simpson University Breach?

According to the notice posted on Simpson University’s website, the following types of personal information may have been found in the compromised email accounts:

  • Name
  • Social Security number
  • Information from Educational Records, including student majors and year in school (Freshman, Sophomore, etc.)
  • Date of Birth
  • Passport number
  • Driver’s license number/state issued ID number
  • Financial account number
  • Debit/credit card number
  • Username/email address with password
  • Health insurance information
  • Medical treatment or diagnosis information

The full notices provided by Simpson University can be viewed here and here.

Simpson University is offering one year of complimentary credit monitoring through Experian IdentityWorks, but only to those individuals whose Social Security numbers or driver’s license numbers were involved in the incident. The deadline for enrollment is found in the university’s Data Breach Notice.

Special California Laws Protect You From Data Breach Harms

If you received a Notice of Data Breach from Simpson University, you may be entitled to $1,000 plus actual damages resulting from the negligent release of your confidential information, depending on the type of information that was accessed.

California has unique state laws, including the California Confidentiality of Medical Information Act (CMIA), that compensate individuals whose confidential and sensitive data have been accessed and offered for sale on the dark web.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else a court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

As Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by Simpson University May Not Be Enough

Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 depending on the type of information, according to Privacy Affairs' Dark Web Index of 2021.

Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible or almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[1]

Thus, once you know your data has been disclosed, it is reasonable to act on concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and adds to anxiety over future losses and identity theft.

Steps You Can Take To Protect Yourself If Your Personal Information Has Been Compromised

  1. Purchase credit monitoring services
  2. Order and review your credit reports – you are entitled to one free report from Experian, TransUnion and Equifax annually
  3. Review your account statements regularly for suspicious activity
  4. Place a “fraud alert” with one of the three major credit bureaus
  5. Place a “security freeze” on your credit report
  6. Get an “identity protection PIN” from the IRS
  7. Secure legal representation

What Is The Difference Between A “Credit Freeze” and A “Fraud Alert”?

A credit freeze is the strongest step you can take to prevent fraudulent accounts being opened under your name. A credit freeze prevents a credit bureau from sharing your information with others. You can put a credit freeze in place with each of the three major credit bureaus by using the following links: Equifax, Experian, and TransUnion.

If you put on a credit freeze, no one will be able to open new credit accounts in your name. You can still use your active credit cards with a freeze in place. It costs nothing to put a credit freeze in place, lasts indefinitely, and will not affect your credit score.

However, if your credit card information has been compromised, a credit freeze will not prevent a cyber-thief from making purchases with your stolen card. Cancelling the card and getting a new card with a different number is the only way to stop such transactions from taking place.

You can also place a fraud alert on all of your credit reports. Fraud alerts are free and are a flag for potential credit providers that you may have been a victim of identity theft. They allow you to apply for new credit cards and other forms of credit without having to unfreeze your account.

Fraud alerts can last one to seven years, and can be lifted by you at any time. Once you put a fraud alert in place at one credit bureau, it will alert the other two for you. You can put a fraud alert in place with any of the three major credit bureaus by using the following links: Equifax, Experian, and TransUnion.

What Is An “Identity Protection PIN”?

An Identity Protection PIN (IP PIN) is a six-digit number issued by the U.S. Internal Revenue Service to keep other people from using your Social Security number or Individual Taxpayer Identification Number to fraudulently file a tax return. There is an online tool for obtaining an IP PIN, and also a slower process by mail or in person at a local Taxpayer Assistance Center. An IP PIN is only good for one calendar year. At the end of the year, the IRS generates a new IP PIN for participating accounts.

More information about IP PINs can be found here.