Hello Lemmy, this is my first time posting instead of commenting so if this is the wrong place or I’m formatting this wrong feel free to let me know how to fix it.
One of my healthcare providers (US) has just alerted me I’ve been affected by a Data breach (from February, so glad to see they took it seriously and alerted people quickly). The breach supposedly affects Full name, address DoB, and health information such as illnesses and medications. They have sent a 2 page information packet that gives recommendations such as calling the three creditors and a “free” 5 year subscription to an experian credit monitoring service. Upon checking the website they want my full name, DoB, SSN, Address, email, phone number, and I’m sure if they could my blood type and fingerprints.
What I would like to know is are these services they are providing me with “safe” for a threat model that involves keeping my information out of the hands of advertisers, bad actors and people who don’t need it? Do they already have this information and are just asking to verify who I am? I’d prefer not to have my identity stolen due to someone else’s computer having a security flaw. What’s my best course of action to preserve my privacy while not having my identity stolen?
Thanks for any help in advance.
Change all your important account passwords, enable encryption where you can at rest and e2ee in transit, and enable 2FA to send to a device you know is in your possession like a SMS to keep an eye out for failed logins and such.
Just out of curiosity what would changing all of my important account logins achieve if the leak was a healthcare provider that doesn’t have anything other than my medical history and insurance card (I never sign up for “patient portals” and the like.)? Not trying to go against what you’re saying as I already do most of what you’re recommending there. In fact I actively avoid 2FA by SMS in favor of Authentication apps (such as Aegis), and use a password manager to randomly generate all my logins.
If your using good 2fa auth. and generated passwords you probably OK. It wasn’t stated you had good measures in place. I was thinking more identity theft situation where someone could compromise your financials. If all they have is some medications, insurance, and basic info you really don’t have major concerns. Now if they have your DoB, Social Security, Address, etc then that’s where locking down all your accounts would be more appropriate. Your post sounded more severe than your reply here so that lead me to believe it was more dire.
Thats fair, I appreciate the input none-the-less :)
Freeze your credit on all three bureaus. IIRC it is free for all of them, just don’t get tricked into enrolling in their credit monitoring service. You’re there to freeze and unfreeze your credit, nothing more. From then on, any time you apply for something that requires a credit check, you need to go thaw each credit bureau temporarily. They all let you schedule thaws, so just open it for a day, apply. And close it back up. Or however long your credit check takes.
The premium service offered by these data breaches is pretty terrible. In some cases, they’ll have a clause that says if you accept, you can’t sue or be part of a class action suit. If you have a credit card with monitoring included, they will notify you way faster if your credit is run. My credit card companies email me within minutes of an application being submitted. The paid service I got from a breach years ago doesn’t let me know till about a week later.
Thanks for the information! I’ll get in contact with the creditors and put a freeze on and disregard the experian monitoring
Yeah, other than freezing credit, there’s not much you can do. It’s a toothpaste out of the tube scenario. It’s basically too late. The offerings always suck and are basically only there so they can say they’re doing something for you.
Other than that, harden your privacy in general. Yeah, it doesn’t help for breaches like this because you can’t hide from your doctors, but simple things like having an alternate email address makes it a tiny bit better.
I use randomly generated aliases for every service I use ;P