
Victimized for life by a Walgreens data breach

by Neal O'Farrell on April 3rd, 2013

Yesterday I received a call from a victim of identity theft who had been informed through one of those now-common data breach notification letters that thieves had obtained her personal information and she could be a victim of identity theft.

The letter came from a Southern California healthcare company called Crescent Healthcare, owned by pharmacy giant Walgreens. According to the letter, the stolen information could include her Social Security Number, along with her name and address, phone numbers, and her date of birth. And as if that wasn’t enough to worry about, the thieves may have also stolen her medical records and health insurance information.

Although she was now panicked at the thought of how much damage this information could do to her credit and her life, she got little comfort from the letter. No further information, no web site to answer questions, no hotline number for victims, and no offer of any identity protection or credit monitoring.

She was, however, given the phone number of one of the credit bureaus who would gladly freeze her credit for a fee of $10 – for each credit bureau. That’s hardly a robust response to a data breach, given that any consumer in the country can freeze their credit reports for a fee.

According to the victim, the credit bureau did offer to waive the fee if she could produce a police report to verify she was indeed a victim – again, a right every consumer has. The problem with that request is twofold. As she doesn’t yet know if she’s a victim of identity theft and not just a data breach, her police department refuses to take a report. As far as they’re concerned, she has yet to be the victim of a crime.

Even if she could get a police report, it would probably take a couple of weeks. Then she’d have to mail the report, along with a bunch of other information, to each credit bureau to request the free freeze. By the time the freeze is in place, weeks or even months could have elapsed, giving thieves plenty of time to wreak havoc on her identity and her life.

I tried to learn more about the breach from Crescent, but not surprisingly, they were trying hard to pretend like it never happened. There was no mention of the breach anywhere on their web site, no information for victims, no one to contact for more information.

When I checked the Walgreens site, I got the same result. Nothing. Complete radio silence. But I wasn’t surprised. There are plenty of CEOs out there who are completely, and probably genetically, unable to do the right thing. They hope that by shifting very quickly into denial mode and ducking behind their executive desks, they can escape the wrath of a data breach.

And they’re probably right. Victims can do little to hold these indifferent executives responsible. And with an average of one new reported data breach every single day in the U.S., there’s little the media can do to publicly shame these companies.

What these heartless executives don’t realize is the enormous long-term emotional impact that data breaches can have on victims, even if the carelessness of the breached business never actually leads to identity theft. Victims of identity theft liken it to severe stalking. You know that someone out there has enough information on you to make life very difficult, but you just don’t know when the manure is going to hit the air conditioning system.

At the end of our conversation the victim asked me directly, “If they have all this information, including my Social Security Number, will I have to look over my shoulder for the rest of my life?” I had no good answer for her.

Shame on Walgreens for victimizing their customers, twice in a row. I hear there are rumblings of a class action lawsuit, but I doubt this will be of much consolation to the victims, as these lawsuits rarely fix the long-term fallout.
