When the human resources department at Kris’s work asked if she was taking time off under Oregon’s new paid leave program, she was a little confused.
“I sit right next door to our human resources, and they informed me that I had applied for paid leave,” Kris said. “And I was like, ‘No, nope, I did not.’”
But she had a pretty good idea what was going on: Fraudsters had used her identity to file a fake Paid Leave Oregon claim. This wasn’t the first time she’d been caught up in data security questions at a state agency.
OPB agreed not to use Kris’s last name because her personal information is already vulnerable to scammers: In 2014 she was among the 850,000 Oregonians whose identities were compromised in an Employment Department data breach. The Oregon Employment Department also administers the Paid Leave program.
Now, scammers are using identities stolen from previous hacks to create fake paid leave claims in an attempt to access benefits. Their efforts are raising concerns among Oregonians about the safety of their personal data. The state’s paid leave program allows eligible Oregon employees to take 12 weeks of paid leave for illness, a new child or to seek safety from domestic violence. The program supports up to 14 weeks for some pregnancy cases. Paid Leave Oregon has sent out nearly $46 million since it started paying out benefits in September.
Already, in the few months since the program started accepting applications, some Oregonians who have been the victim of previous data breaches have reported fake Paid Leave claims in their names. The program is so new that officials say they have yet to quantify how often this is happening, but urge applicants to take steps within their control to protect their data.
Kris said it took a couple of days for the human resources department at her work to sort out the false claims. In addition to two claims made in Kris’s name, there was a pair of claims from employees that did not actually exist.
“In two months we’ve had four fraudulent claims, is my understanding, and two of them were mine,” Kris said. “Lucky me.”
Public benefits have long been a target of scammers, and it took no time at all for fraudsters to start sending in fake Paid Leave claims when the window for applications opened in August. Kris said she has concerns about how the program – and any state benefits program – protects people’s data, including salary information and social security numbers.
Paid Leave Oregon director Karen Madden Humelbaugh said program staff are prepared to deal with these fake claims and identify fraudsters before money is doled out or information is handed over.
“There is not a mechanism where we would be sharing information with a fraudster,” Humelbaugh said. “This is why we have so many multiple layers of things going on in the background, and if you were to call us or to communicate with us, we would be verifying a number of points with you before we would talk to you about your claim. That’s true for every claimant.”
But Humelbaugh said Oregonians should be concerned about the security of their personal data. Even though Paid Leave Oregon has not been subject to a data breach, she said scammers have other ways of obtaining information like the dark web, where identities are bought and sold over and over again.
“Any of us could be a victim of this,” Humelbaugh said. “I personally have also had a paid leave claim filed in my name because my identity got stolen.”
Humelbaugh said the program is not yet able to share how often fake claims are filed because Paid Leave Oregon is new and staff are still collecting and categorizing the information.
But she knows hackers are continually trying to gain access to programs like Paid Leave, and she anticipates they’ll keep trying. Identity thieves have already been successful in Oregon. Earlier this year, 3.5 million Oregonians had their identities compromised in a DMV data breach. In 2019, 600,000 were subject to identity theft when hackers breached the Department of Human Services.
Since 2014 when Kris’s identity was compromised in the employment department data breach, she estimates spending upwards of $5,000 to secure her information. She wants others to know the common suggestion of checking a credit report for suspicious activity once a year is not enough to keep your data safe.
She’s put fraud alerts on her credit. She’s paid to have alerts for when her data shows up on the dark web. She’s put locks on her credit reports, new bank accounts and her social security number — and encourages others to do the same if they’re worried their information has been compromised.
“You have to take control of your own data,” Kris said. “It’s going to make your life a little bit more miserable when you try and go and apply for credit, but you’ve done everything that you can possibly do to lock down your data on your side.”
The extra work might be worth it, she said, if it can save Oregonians time and money dealing with the fake credit, loan or even public benefits accounts created with identities stolen in data breaches.
Copyright 2023 Oregon Public Broadcasting. To see more, visit Oregon Public Broadcasting. 9(MDA4MzU1MzUzMDEzMTkyMzAwMzY5MjY1Mw004))
