Over the past few months, many of us have either heard about, or have been directly affected by, the nationwide data breach affecting optometrists and optometry students throughout the country. This article serves as a brief summary of the breach, how to respond if you have already been victimized, as well as suggested ways to better protect yourself from becoming a victim of identity theft in the first place.
At the end of July, reports began circulating of a possible data breach affecting the optometric community. The suspected breach was discovered when victims began receiving unsolicited, fraudulent applications for Chase Amazon cards. In some cases, the new account requests were denied, resulting in a letter being sent to the victim’s home. In other cases, the credit cards arrived in the unsuspecting victim’s mailboxes.
In early August, the AOA alerted its members, warning them about the breach and how best to respond. The AOA also contacted the FBI and the Federal Trade Commission to apprise investigators of the situation. In addition, the AOA immediately conducted its own internal investigation of its databases, reporting that it was not the source of the breach. Importantly, the AOA does not store social security numbers, which are needed to open the Chase Amazon accounts. In addition to the AOA, the AAO, NBEO, and ASCO all independently denied being the source of the breach. Although there is much speculation, as of this writing, the source of the data breach has not yet been confirmed.
Since the initial discovery, it appears that more than 1,000 doctors and students have been victimized. While there appeared to be an initial wave of applications in early August, as well as a second one in late August, the reports of new accounts opening have continued to this day. Some victims have reported multiple attempts to open cards in their names, sometimes several weeks apart. In addition, recent reports have surfaced about other non-Chase credit card accounts being hacked with unauthorized charges being made. It is not known at this time if these are related.
So, what can you do? Since it appears all optometrists and students are at risk, the POA recommends everyone call Chase Bank at 1-888-247-4080 to see if an application using your social security number has been submitted. This is an automated system. You will initially be asked to enter your existing 16 digit card number. Ignore this. You will then be given the option to enter “1” to check on the status of your application. After selecting that option, you will be asked to press “3” to check the application status, then lastly, press “1” again. It will ask for your social security number. After entering it, if you are told they can’t find your application, then there is none pending. If you are told you have one pending or approved, hang up and follow these instructions:
1. Call the Chase fraud line at 1-877-470-9042
2. Have the application or card cancelled immediately and ask Chase to report it to the credit bureaus. Follow up with a certified letter mailed to the following address reporting the fraud and requesting that they report it to the credit bureaus to have it removed.
Chase Card Servicing
Attn: FACT Act Request
P.O. Box 15941
Wilmington, DE 19885
3. Obtain a copy of your credit report
4. Report to the FBI at www.ic3.gov
5. File a police report with your local police department.
6. Visit identitytheft.gov, the federal government’s one-stop resource for identity theft victims.
7. Request a credit freeze by contacting all three credit bureaus listed below. You can do this online, and there is typically a small fee. A credit freeze will restrict access to your credit report, which in turn will make it more difficult for identity thieves to open new accounts in your name. It is important to remember that any activity that may require legitimate access to your credit report, such as buying a house or car, will require you to lift the freeze temporarily, either for a specific time or a specific party. A freeze remains in place until you ask the credit reporting company to temporarily lift it or remove it altogether. The cost and lead times to lift a freeze vary, so it’s best to check with the credit reporting agency in advance.
Experian 1-888 397 3742
8. Submit an Identity Theft Affidavit (IRS form 14039) at
9. Inform your personal bank and credit card companies of the breach.
10. Change your passwords associated with your bank and email accounts.
If you haven’t been victimized by this latest breach, it doesn’t mean that you are completely safe since reports of new fraudulent accounts are still appearing almost daily. Due to the current circumstances, you may want to consider a credit freeze, as described above, and/or a fraud alert. A fraud alert is a consumer statement added to your credit file. This statement alerts creditors that you may be a victim of fraud, including identity theft, as well as requests that they follow certain procedures to protect you in connection with requests for new credit accounts, increasing credit on an existing account, or issuance of a new card on an existing account. There are two types of fraud alerts: an initial fraud alert that lasts for 90 days, and an extended fraud alert that lasts for 7 years. An initial fraud alert is free, and will protect your credit from unverified access for 90 days. To initiate a fraud alert, you only have to ask one of the three credit reporting agencies to put a fraud alert on your credit report. They must tell the other two companies to do the same. Other ways to help protect yourself from identity theft include:
1. Sign up for a credit monitoring service. Examples of these include LifeLock, Identity Guard, Identity Force, Experian and Transunion. There are many others as well. For a monthly fee, these companies offer a wide array of services.
2. Check your credit reports regularly.
3. Never give your social security number or other personal information to strangers who call, text, or email requests to you.
4. Maintain anti-virus and anti-malware software.
5. Don’t open email attachments from senders you don’t trust.
6. Handle financial documents with care. Shred documents with personal financial information on them.
7. Create strong passwords. Use at least 7 characters of lower and upper case letters, numbers and symbols. The more complex, the better. In addition, do not use the same password for all of your accounts.
8. Avoid entering passwords when using unsecured wi-fi.
9. Monitor credit card and bank accounts carefully.
10. Be careful of over-sharing online. Information like your exact birthday and your mother’s maiden name can be used to answer your security questions.
It is recommended that each of you do your own due diligence, allowing you to choose the combination of actions and services that best fits your specific needs.
In 2014, the most recent year in which government data is available, an estimated 17.6 million Americans aged 16 or older were victims of one or more incidents of identity theft. That’s up from 16.5 million in 2012. Also during 2014, 3% of persons experienced at least one incident of misuse of an existing credit card account. As many of you have already learned, responding to identity theft can be time consuming, stressful and expensive. For the rest of us, we can’t afford inaction. As more and more of our lives are stored online, it’s is imperative we be proactive and not reactive. As the old saying goes, the best offense is a good defense.