Cross-posted from phiprivacy.net:
Over on DataBreaches.net, a number of people are reporting that they have received notification letters for the Maricopa Community Colleges breach, but that they’ve never attended the college and have no idea why they’re receiving letters.
Today, I got an email about a breach reported on this site (phiprivacy.net). I’m redacting it, but it says:
Dear Dissent,
I found your web site when I was investigating a letter from the above doctor. In the letter, he claims that his laptop was stolen and “my” records may be on his laptop. I don’t know this doc.
In the meantime, the letter offers me free “<name of company redacted>” services.
This looks like spam, but much classier. Do you know about this?
Thanks for your diligence.
Under HITECH’s breach notification rule, breached entities must include a phone number where you can call for more information about what data a breached entity held on you. If you ever receive a breach notification letter and have no idea who the entity is or why they have data on you, call them and ask. If the phone number is for the credit monitoring service and they can’t answer your question about how the doctor got your information, call the doctor’s office directly and ask them to explain how/why they have information on you. If they won’t tell you, remember that you can file a HIPAA complaint with HHS using HHS’s online complaint system.
And don’t hesitate to google the name of any free credit monitoring service you are being offered if you suspect spam or something evil. The service mentioned in this correspondent’s email is a legitimate service, but if you’re leery that you’re being sent to a site that could steal your personal information, just check first to make sure they’re on the up and up.