On January 28th, the Federal Trade Commission (FTC) announced its latest and improved tools for assisting victims of identity theft. The improvements were announced by FTC Chairwoman Edith Ramirez during a conference call for the media. Consumers can find the announcement on the FTC’s general website: http://www.ftc.gov and more specifics on the site listing the FTC’s identity theft tools: http://www.IdentityTheft.gov.
The FTC has combined its IdentityTheft website with it’s consumer complaint system to make it easier for identity theft victims to file a complaint. The improved website allows affected consumers to create the documents they’ll need to alert the police, the main credit bureaus, the IRS and other agencies about their situation. The FTC website is also available in Spanish; that site is: RobodeIdentidad.gov. At the latter site, consumers can view the same automatically generate letters and other documents in Spanish. Those documents will be printed in English to be forwarded to the relevant agencies.
The FTC has also created a video that walks consumers through the various steps for using IdentityTheft.gov(www.consumer.ftc.gov/blog/report/-identity-theft-and-get-personal-recovery-plan-identitytheftgov). I watched the short video and found it very helpful. There’s no jargon used; the information is concrete; and the describes one of the chief benefits of the improvements.
Consumers using the site will be able to create a personalized recovery plan. The site will pre-fill the letters and forms that the consumer will need to file with various agencies. It will also enable the consumer to keep track of the progress of their complaint. Equally useful, the IdentityTheft.gov website has information about more than 30 types of identity theft and the accompanying recovery plans for each type.
I hope no one ever needs to use this site. However, it’s important to know that it’s there as a central source of critical information and support for identity theft victims.
Patients already have the right to request their medical records under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But that doesn’t mean it has been easy to do so or that medical and health care providers have complied.
Recognizing that issue, the Department of Health and Human Services (HHS) issued new guidelines on January 7th outlining new requirements intended to make it easier for patients to do so. Those guidelines are titled “Individuals’ Right under HIPAA to Access their Health Information 45 CFR Sec. 164.524” and can be found on the HHS website (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html).
It’s a very long regulation so here are some of the key points individuals should know:
- Doctors and hospitals, in most cases, have to provide patients with the requested copies within 30 days of getting the request;
- Patients cannot be required to provide a reason for asking for the records;
- Patients cannot be refused access to or copies of the records and information out of a concern that they’ll be upset by getting the requested information;
- Health care providers cannot require that patients pick up the records in person if the patient has asked to have the records mailed or emailed to them;
- Health care providers cannot refuse a patient’s request if the patient has unpaid medical bills;
- Patients can be charged a fee to cover copying costs but cannot be charged for the cost of searching and retrieving the information.
These are important steps so patients understand their situations more fully and, if needed, be better advocates for themselves and their needed health care.
If you’ve used a credit card at a Hyatt Hotel or Hyatt-managed facility between August 13, 2015 and December 8, 2015 — for any purpose— you’ll want to be ever more vigilant about checking your credit card statements. Why? Because hackers breached the payment systems at a staggering number of Hyatt-managed locations during these dates. The thieves stole payment card information — cardholder name, card number, expiration date and internal verification code.
And the hack wasn’t just of those guests who stayed at a Hyatt hotel. The credit card information was stolen from people who charged a meal at a Hyatt hotel restaurant or used a Hyatt facility (e.g,, parking, spa).
On January 14th, the Hyatt Hotels Corporation posted a news release on their website outlining the results of their investigation of this breach (newsroom.hyatt.com/news-releases?item=123453). In that release, Hyatt notes that there are a smaller number of Hyatt locations that were affected beginning on or after July 30, 2015.
Of course, these dates encompass some prime time summer and fall travel so there’s no estimate of how many people were affected.
The Hyatt news release includes a list of the affected Hyatt locations. Hyatt is minimizing the impact but I looked at the list and as I said above, the number of Hyatt locations included is staggeringly large.
That list can be found at: http://www.hyatt.com/protectingour customers. People with questions can also call a toll free number from 7 a.m. to 9 p.m. Eastern Standard Time to speak with a Hyatt customer service representative. That number is: 1-877-218-3036 (for the U.S. and Canada).
In its news release, Hyatt says that it worked with law enforcement and the payment card networks to notify them about the breach and to strengthen its systems.
Let’s hope this is true.
The IRS is preparing to gear up for tax season. In doing so, they have prepared and been publishing a series of tips to help taxpayers protect their personal and financial information at home and online. While these tips are especially relevant during tax season, they are useful year round.
Security Awareness Tax Tip Number 7 is titled “Tips to Protect Your Personal Information While Online” (www.irs.gov; january 4, 2016). This tip reviews steps individuals can take to protect their online activities, including using encryption as well as password protection.
The information in Tip Number 7 is concrete, practical and worth reading.
It doesn’t seem possible that the 2016 elections are only a year away. I’m glad it is as that will provide time for making sure that there are adequate privacy protections when voters use paper ballots. For years I voted using an electronic touch-screen machine and never had a problem. In November, I used a paper ballot that was then optically scanned. Doing so was easy but raised a privacy concern for me.
Most States and many localities are now using 1 of 2 types of voting equipment or a combination of them. These are optically scanned paper ballots; a Direct Recording Electronic System (DRE); and a DRE system that also has a printer so voters may confirm their votes before committing them to the computer’s memory.
The privacy problem is with the physical setup for voters using the digitally scanned paper ballots. Here’s the process used at my local voting site:
- I got a paper ballot and a manila folder in which to put it after I was done;
- I went to a long table where there were several 3-sided cardboard partitions arranged;
- I sat in front of one of the partitions and inked in the boxes next to my voting selections.
Here’s my concern:
- My ballot was completely exposed since the partitions had no top covers; and
- The next voter or voters walking to the same table could easily, albeit inadvertently, see my voting selections.
When I was done, I took the manila folder over to a machine where I inserted my ballot face down so it was digitally scanned.
Voters need to feel secure when casting their votes. Digitally scanned paper ballots may have advantages over the touch-screen and other types of electronic voting machines. Individuals should not be hesitant about raising concerns with election board officials about the lack of physical privacy if they encounter similar physical arrangements as the one described above.
I did so with the election officials at my polling place and learned that the problem was already under discussion for future elections.
Millions of current and former federal employees have received letters letting them know that their personal information was hacked during the two recent incidents. So if you’re a former or current federal employee and haven’t gotten a letter, are you in the clear?
The answer, sadly, is “no.” Beth Cobert, Acting OPM Director, posted a blog on the OPM website on December 1st in which she provides an update (www.opm.gov; “New Cybersecurity Resource Launches”). In her blog, Ms. Cobert wrote that current or former federal employees who think their data might have been stolen, but who haven’t yet been so informed, need to know about the verification center OPM has just implemented. She urges anyone who hasn’t received a letter by the middle of December to use the verification center.
Using the verification center will enable OPM to start an investigation into whether a current or federal employee’s data has been hacked. In order to use the verification center, an individual will need to provide such personal information as his or her name, SSN and other data. To get started, an individual can do so either by going to the verification center website: http://www.opm.gov/cybersecurity; or by calling one of the OPM agents. The agents are available Monday through Friday from 9 a.m. to 9 p.m., Eastern time; that toll-free number is: 1-866-408-4555.
Additional background and information can be found in Ms. Cobert’s blog.
Bottom line: the fallout from the OPM hacks isn’t over yet.
People still like sending postcards which is the innovative service provided by the online service Touchnote. Registered users send digital photos to Touchnote which then converts them into hard copy postcards that get sent to individuals designated by the registered user.
Touchnote learned on November 4th that it had been hacked. As reported by Graham Cluley, Touchnote sent an alert to its registered users warning them of the hack and strongly recommending that they change their Touchnote passwords (grahamcluley.com; “Touchnote hacked –tells users to reset their passwords”; November 6).
Per the Touchnote email alert (reprinted in Mr. Cluley’s report), hackers accessed users’ names, email and postal addresses, and their order histories. Touchnote doesn’t store credit and debit card numbers, or their expiration dates or security codes. Additionally, Touchnote encrypts users’ passwords and doesn’t reveal them in plain text. Nonetheless, Touchnote still strongly recommended that users pick new passwords.
Touchnote also recommended that users keep close tabs on their credit and debit card statements. That and changing passwords is always sound advice when this kind of hacking occurs.