Many optometrists and optometry students have reported receiving Chase Bank Amazon credit cards in the mail, even though they never applied for new credit cards from the bank or from Amazon. Many of these same people have received credit alerts on their accounts when they were contacted by credit reference agencies to alert them that there had been a failed attempt to open up other credit accounts in their names. The large numbers of these reports suggests that a serious data breach had occurred, although at the current time it is still unclear as to which organization had been under attack. It could be one or even multiple eye care/optometry organizations.
Reports of the credit card frauds and other fraudulent activity began on August 2, 2016. The American Optometric Association contacted the FBI and the Federal Trade Commission for further information. The AOA also conducted an investigation to determine whether these cyber-attacks had succeeded in compromising its data base network. As of this time, there has been no definitive answer as to why or how this had occurred.
Unfortunately (or, fortunately, since it’s given me some experience with this), I was a victim of credit card fraud several years prior to this. Someone had attempted to charge a tuition bill of $5000 at a San Diego Arts College that I had never authorized. When Citibank called me to ask if I had authorized this tuition bill, I stated “NO”. They credited my account and then issued me a new credit card. I thought that would be the end of this issue, but it was not. Soon afterwards, I was receiving new credit card authorizations for Chase Bank, Sears, J.C. Penny’s, Comenity Bank, Dress Barn, and other companies that I had never heard of and certainly had never applied for credit from them. I then began to realize that I had a major problem that was now unfolding. At the time, I did not have any credit protection as I do now.
Credit According to Who?
Credit bureau agencies, also referred to as consumer reporting agencies (CRAs), are companies that collect financial information in order to establish a personal credit history. The four major CRA’s in the United States are Equifax, Experian, Transunion, and Lifelock. People and companies who loan money use these companies in order to obtain credit scores and to receive previous financial information in order to approve loans for a new house, a car, or when taking out a personal loan. Charges for access to this information varies from company to company. On average, for a fee of $219 per year, a CRA will provide you with monthly access to your FICO score, monthly access to your credit report, monitoring of your credit report, lost wallet protection, full identity restoration, and identity theft insurance.
Your FICO score is the most widely used credit score, which was created by the Fair Isaac Corporation. 90% of major lenders use these scores in order to make credit-related decisions on behalf of companies and consumers. They enable a lender to determine an estimated future risk – how likely someone is to repay a debt. FICO scores have a range of 300-850. The higher the score, the lower the risk and the more your credit looks “better”. It’s important to keep in mind that a good FICO score does not indicate whether a company or a consumer will be a good or a bad customer.
So, What Happened?
I contacted Experian, Equifax, and Trans Union in order to have a professional deal with a crisis that was now unfolding. My main concern was that this may get worse. Of course, I was extremely upset that any personal and financial information had been compromised. How did someone get this very personal information and how can I get out of this financial problem so that it does not affect my credit rating?
These and numerous other questions began to start racing through my mind. I was lucky that I only received about 20 new credit applications in the mail which were never processed. I was also fortunate that my credit rating was not affected and that my name was not used in some other credit fraud, such as that found in health care or insurance fraud.
The credit protection companies had me on the phone on several occasions in order to speak to these unauthorized companies in order to delete any non-processed applications and to remove my name from any further credit applications. This ordeal took several months to be resolved. It was a huge nuisance and a huge waste of my time.
I was contacted by Experian and Protect My Id where I received a reference/case number. My case was referred to their fraud resolution department where a 90 day initial fraud alert made sure that any creditor contacted me first before approving any credit application. I was also informed that the 90 days can be extended to 7 years by faxing a copy of a police report (if initiated) to their Fraud Resolution Department. If a police report was not filed and a 7 year alert is still something that I wanted done, I was also advised that I can also fill out a fraud affidavit with the Federal Trade Commission. More information about this can be viewed on the FTC’s website ( http://www.ftc.gov/bcp/edu/microsites/idtheft/ ).
And again, 2 months ago, I was alerted that Chase Bank was attempting to view my credit information which I had never authorized. When I spoke to someone at Chase Bank, I was told that someone again was trying to open up an Amazon credit card in my name. I immediately got on the Amazon credit card website, notified Chase Bank, Experian, Equifax, and TransUnion and nothing negative occurred to affect my credit status. When I spoke to someone at Chase Bank and I identified myself as an optometrist, the credit person stated, “Oh, another optometrist calling; your application looked suspicious”. I realized then that the profession of optometry was under financial attack and that optometrists were in the middle of a huge problem. I had also seen a few posts on several different professional Facebook groups, where optometrists were also posting that they had been victimized by a data breach from some unknown optometry database. There’s even a specific group for optometrists having suffered from identity theft. This data breach apparently not only affected optometrists, but it was affecting optometry students, as well.
To try and stem the tide of problems, I have a credit card alert program with Citibank. If there are ever any large or questionable charges, Citibank will alert me by e-mail or by a text message. Balance notifications alert me when my balance is approaching the credit limit or if my balance exceeds a certain amount. Over credit limit notifications informs me when my balance is equal to or above my total credit limit.
If there seems to be a lot of optical professionals that have been compromised, the first question might be “What is the AOA doing about it?”. According to their website, they have conducted their own internal investigation to be sure that they are not the source of the potential data breach (1). According to them, they employ stringent cyber security measures to protect personal information. They also don’t store social security numbers, which is usually a key element in identity theft.
According to the website, “anecdotal reports suggest a possible second wave of malicious credit-line openings related to the ongoing situation that are impacting students and doctors of optometry. These affected parties, like the initial group report receiving unsolicited, fraudulent applications for Chase Amazon.com Visa cards submitted in their name. In some cases, these cards are approved. Out of an abundance of concerns for members, The AOA (the American Optometric Association) contacted the FBI and the Federal Trade Commission amid the initial reports circulating on August 2, 2016 to apprise investigators of the situation. In turn, the AOA conducted its own immediate internal investigation of its databases and remains certain that it tis not the source of this potential breach. Barbara Horn, O.D., AOA security-treasurer, say that members should feel assured that the AOA employs stringent cybersecurity measures to protect personal information, and additionally, the AOA neither gathers nor stores social security numbers.”
The source of the data breach is still unknown, the American Optometric Association (AOA), American Academy of Optometry (AAO), the Association for Schools and Colleges of Optometry (ASCO) and National Board of Examiners in Optometry (NBEO) all assured members that their databases have not been hacked (2). The executive director of ASCO stated that “we received confirmation from our three vendors for our OAT (Optometry Admission Test), OR Match (Optometry Residency Match) and Optom CAS (Optometry Centralized Application Service) programs, and none were able to find any evidence of activity that would have led to a breach of data security or the release of personal information that could fraudulently be used to open the multitudes of credit card accounts that have come to light over the last few days.”
Even in 2014 Time Magazine was talking about “a Russian crime ring is suspected of obtaining access to a record 1.2 billion username and password combinations” (3). As we approach 2017, it’s more and more obvious that this type of cybercrime is becoming a larger and larger global business. This business is estimated to cost the world economy $400 billion a year.
It Wont’ Happen to Me
But it might. Earlier this year, Forbes magazine has said that “91% of health care organizations have had at least 1 data breach in the last 2 years, and 59% of their business associates experienced the same.” (4) It may not be inevitable, but that doesn’t mean it can’t happen. For example, how likely is it that someone drives their car through the front of your business? Probably not very likely. However, it’s happened before. So, what do you do about it?
Fortunately, there are numerous ways that you and your company can protect yourself against the ever-present dangers of cyber-criminal activity. Copies of medical records should be reviewed regularly for accuracy. Health care bills should be reviewed in detail for accuracy. We all have received medical documents in the mail that says “this is not a bill”. Review the document for the accuracies of services and the dates the services were performed. Social security numbers should only be provided when absolutely necessary. As eye care providers, some insurance plans require social security numbers. These numbers should only be given to the provider in person, safely, and privately in the office. Credit ratings should be reviewed regularly by an appropriate credit agency. And when needed, use a medical identity monitoring service. Health care fraud continues to be a continuing problem everywhere.
Do not forget HIPAA. Eye care providers and optical businesses must have a designated “security” person who ensures that the business is 100% safe concerning patient’s privacy and protecting private medical information. Cybercrime, identity theft, and credit card fraud, are thriving criminal enterprises that are economically beneficial to criminals worldwide. For those that have been victimized, what can happen to your life economically, professionally, and personally can take years to clear up. A specific crime can also cost large amounts of time and money if a lawyer is needed to undo the damage. Someone who has been victimized, resulting in a lowering of their FICO score, may not be able to get a credit card and may be unable to receive a car, home, or personal loan.
This has been, and is now the world that we live in. We are globally interconnected by laptops, desktops, and smartphones. The hope is that both technology companies, major banking institutions, and major internet companies of the world will create newer and better barriers to protect us. The problem is that the criminals always seem to be one step ahead.
– Dr. Jason Smith, O.D., M.S.