This past week I received notice that my radiologist’s office experienced a “data security event”. Name, social security number, date of birth, driver’s license, incriminating pictures of my herniated lumbar disc, etc., could have been obtained. I’ve lost count of how many similar letters I, my spouse, and my children have received over the past years. For early ones, I took them up on their offer of one free year of credit monitoring. Several years ago, I placed a credit freeze on all three of the credit monitoring bureaus for everyone in my family.
Now I am wondering if I even need to react to this latest data breach, or future ones. The free one-year service offers “basic dark web monitoring” for name, DOB, SSN, email, and also offers “change of address monitoring”. But other than those features, my credit freezes exceed what they offer. If I sign up with “epiq Privacy Data Solutions ID” to use the one-year free monitoring, I have to enter my SSN, DOB, email address, name, & address, exactly the information I do not want to be spreading out to additional companies who could be broken into in the future. I do realize this whole thing could be a scam to obtain my SSN, DOB, email address, name, & address; the letter came from a “Secure Processing Center” in another state and had a header logo and correct lead physician name of the local radiology office. I could call the local office to verify if the letter is legitimate. But if it is legitimate, I come back to asking myself if I even need to react to data breaches anymore, given my credit freezes in place.
I am thinking I will start ignoring these data breaches. Thoughts?
Thanks in advance.
This sobering article in the NYT – why it is important to lock soc sec number. This article is likely behind a paywall and I am not sure how to get a free version of this.
https://www.nytimes.com/2025/11/23/us/undocumented-worker-stolen-identity-dan-kluver.html?smid=nytcore-ios-share
My Fidelity account allows me to put a lock on my accounts so no access is possible without my “unlocking” the accounts.
In addition to freezing credit with the 3 major bureaus, I would also suggest freezing with ChexSystems – this is used to open bank accounts.
Thanks rgscl.
I looked into the need for freezing ChexSystems. It would not protect existing bank accounts, and it would prevent buying a Certificate of Deposit from most new banks (brokered CDs not affected).
For some SSA beneficiaries, locking down SSA electronic access by calling 1-800-772-1213 (it cannot be done online) would provide protection against benefit redirection to new bank, or fraudulent application for new benefits. Since SSA uses knowledge-based authentication process for locking, it is most useful to prevent domestic financial abuse (messy divorce proceeding or unauthorized access by other family members). It is very difficult to lift the lock, by design. It does not affect application of Representative Payee (who manages benefits for incapacitated recipient).
Freezing at Chex does protect existing account holders by making account hijack attacks harder.
rgscl, Thanks for this reminder. I had forgotten I had a ChexSystems freeze also (likely learned from you in an earlier HD comment). So I spent a bit of time getting back into that account to check it because I had not recorded WHERE the one-time code is sent during login (to my text messages, to my email, or to an authenticator app?). What a tangled web we weave.
>> What a tangled web we weave.
Indeed, unfortunately we need to get it right every time while the bad actors need to get it right just once.
Also lock your social security number so it can’t be used for employment. Here is how to do this, https://clark.com/protect-your-identity/should-i-create-an-e-verify-gov-account-to-lock-my-social-security-number/.
rgscl, Thanks! I will do this tonight for my family members.
I recently downloaded and reviewed all of our property documents that are publicly accessible online at the county records office. Found that the recorded utility easement that we had to sign when our electrical service was buried in 2000 has our Social Security numbers on it. Good part is that it is a scanned bitmap file and so not directly readable by a computer troll. But OCR software could make the numbers accessible to trolling.
Social Security numbers were used as universal IDs for so long that everyone should assume that anyone who wants your number already has access to it.
For some time now we’ve kept all our credit reports frozen; have 2 factor authentication, use unique randomly generated passwords, and have activity alerts on all financial accounts; have no social media accounts; have an activity alert on our county property records; avoid creating account usernames that are easily guessed (treat usernames like passwords); have multiple email accounts used for specific purposes (like humbledollarreader); do not click on any link in any email (always verify URL from known valid source); do not reply to any unverified email; do not read text from any unknown number; do not answer phone call from any unknown number; do not listen to voice mail from unknown number; keep account information and passwords on physical media that we possess and is connected to computer only when we are using it (do not trust any cloud-based online storage or password manager); and question when anyone requests Personally Identifiable Information that is not legally required.
And, do not log-in when online reading, browsing or shopping (stay anonymous) until actually making a purchase or only when required. And log-off immediately afterwards and close browser to “break” the connection. Browser is configured to clear all cookies at close. Also close then re-open browser when switching between financial accounts.
Humble Reader, thanks for your many good ideas, most of which I am doing, although I will review usernames and make them more random as well, I’ve only made them completely random in a few places. I will look into whether I can have an alert on property records with our county. The ideas of “do not read text from any unknown number; & do not listen to voice mail from unknown number” are tough because I’ve noticed often legitimate companies I work with will send me a message from an automated system that comes from a number which is not the phone number I have for their office. Once I know the message number is tied to the company, I can enter it in my contact list as “Mssg from XXX”. But me reading or listening to it once is needed to determine this. Do you know if I read a text or listen to a message if the sender receives verification that I did so, and so that action can verify the phone number works if the sender is a spam source contacting random numbers? As Kathy also suggested, I will be more aware to questions when anyone requests Personally Identifiable Information that is not legally required.
Reference your query on voicemail. My understanding is with landlines and cell phones the sender can’t tell you’ve listened to the message, but if it’s a voice note via WhatsApp or a similar system then yes, it’s a possibility if notification receipts are turned on.
Due to multiple data breaches, I operate under the assumption that everybody has everything on me that they need. The best defense is a good offense. Quan Nguyen outlined it best below.
Bob, thanks for your thoughts. Agreed.
I have experienced three data breaches including the Equifax one.
I have repeatedly said that this will continue until Congress passes a bill in which companies are severely punished financially. At this point companies that are breached just shrug their shoulders, offer free credit monitoring and then walk away.
Data breaches will only decrease once companies face heavy fines, maybe based on a percentage of their capitalization.
Wise suspicion about “this whole thing could be a scam”
I would not ignore any such notice, but use this notice as a reminder to check on the internet security steps:
Freeze credit, all 3 major credit agencies
Secure financial accounts with 2 factor authentication and activity alerts
Secure passwords, preferably with password manager (I use Bitwarden)
Minimize online footprint – stay discreet or uninteresting
I don’t rely on “free credit monitoring”
I never give more personal information in exchange for protection
Reddit sub-group r/Privacy has more, but I wouldn’t act like I am a high value target.
Stay safe, everyone.
Quan, thanks for your response. Fortunately, I previously had taken all the steps you recommend. Which leads me to agree with you that I don’t need anything further in response to the current event.
Did you actually give your SSN to the radiologist’s office? If not, this could well be a scam. I refuse to give my SSN to medical practitioners. They have my Medicare number, which is now different, no reason they should have anything more. I did get some push back the last time, but that’s rare.
Kathy, thanks for your response. The radiology visit was several years ago so I don’t specifically remember, but I expect SSN was a question on the intake form. I had medical insurance so payment wasn’t an issue. I will remember your good idea next time that I don’t need to answer every question on the intake form.
Any ideas on how to force a medical provider to delete a SSN they obtained decades ago before Medicare went to a unique account number?
I happened to be going to my primary care provider today and so I asked the front desk receptionist if she could remove my social security number from their records. She was unable to, so she messaged a person in the back office, and they immediately removed it. The receptionist said to me that they no longer ask for SSNs. Great, but the thought of generating a list of all the physician offices we have visited in the last decades, then contacting each one is daunting.
I don’t think you can “force” them. My understanding is that they have no legal right to it, but they do have a right to refuse to do business with you. Certainly worth asking.
When I was a practicing PT I was appalled that patients’ SSN were in their chart.
Here is a good article on the issue. An internet search indicates they want it so they can track you down if you owe them money. I’ve also seen suggestions that they want it so they can run a credit check.