Question: My wife and I have “freezes” on our individual credit reports from the three major credit reporting agencies. Those should be significant preventive measures against the Navvis breach, right?
Answer: Yes, in terms of preventing criminals from impersonating you to fraudulently obtain any good or service that requires a credit check, which may include credit cards, car loans, personal loans, cellphone accounts, mortgages, etc. A credit freeze restricts access to your credit report, so any prospective creditor that checks an applicant’s credit history wouldn’t approve an application in your name unless you lift the freeze. However, not all prospective creditors check credit histories before approving account applications, and there are other crimes committed by identity thieves that a credit freeze won’t deter. Cybersecurity experts and consumer advocates say people should take multiple steps after a data breach like the one affecting former and current HMSA members, whose personally identifying information and health records held by Navvis & Co. LLC, an HMSA vendor, were hacked last summer. Some HMSA members are just learning about the problem now, in letters from Navvis.
We’ll review some recommended steps from the Federal Trade Commission, especially when medical records are breached, but first we’ll point out that the Navvis letters we’ve seen overstate the requirements for placing a credit freeze; we’ve reported the mistake to HMSA. The process is simpler than the letter says; no police report is required. You don’t have to be a victim of identity theft to freeze your credit, which you can unfreeze if you need to apply for credit. Experts we’ve interviewed over the years — including a former identity thief — recommend freezing your credit (or placing a credit lock, as some credit-monitoring services offer) as a proactive step. The FTC has instructions on placing a credit freeze at 808ne.ws/crfreeze.
The letters from Navvis we’ve seen conflate a credit freeze with an extended fraud alert, which the letters also mention. An extended fraud alert lasts seven years and is available only to victims of ID theft who have reported the crime to local police or the FTC, according to the FTC website. This alert makes it harder “for someone to open a new credit account in your name and removes you from unsolicited credit and insurance offers for five years,” the website says.
The cyberattack on Navvis’ computer systems gained unauthorized access to patient names, birth dates, Medicaid/Medicare ID numbers, health plan information, medical treatment information, medical record numbers, patient account numbers, case identification numbers, provider and doctor information, and health record information, and in some cases, Social Security numbers, according to Navvis. The breach, which occurred July 12-25, 2023, affects health care organizations in multiple states, including HMSA in Hawaii.
As after any data breach, affected individuals should review their credit reports for suspicious activity, keep track of activity on all their financial accounts, and also keep an eye out for signs of fraud involving Medicare, Medicaid or other medical insurers, which could include being billed for services they didn’t use or receiving medical equipment they didn’t order. Be on guard for scam texts, emails and phone calls as well. “Social engineering” scammers use information bought on the dark web, gleaned from diverse data breaches, to reel in their victims. For more information, see identitytheft.gov.
Mahalo
Mahalo to the driver in the blue-green sedan who made room for me in the exit lane during a very stressful highway commute. I had a flat tire and they were the only one who seemed to care. — A reader
Write to Kokua Line at Honolulu Star-Advertiser, 500 Ala Moana Blvd., Suite 7-500, Honolulu, HI 96813; call 808-529-4773; or email kokualine@staradvertiser.com.