2006-detail

Compromises in 2006 affecting 10,000 or more


01/12/2006 People’s Bank

a Financial or Insurance Services firm in Bridgeport, Connecticut
90,000 financial accounts compromised
 
A computer tape containing names, addresses, Social Security numbers, and checking account numbers was lost while being transported by UPS. The bank alerted the affected customers and provided them with a credit monitoring service for one year.

01/25/2006 Providence Home Services

a healthcare provider or servicer in Portland, Oregon
365,000 non-financial accounts compromised
 
Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/2006) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/2008) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems. The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

01/26/2006 College of St. Scholastica

an educational institution in Duluth, Minnesota
12,000 non-financial accounts compromised
 
A computer was stolen from a locked office in the College’s Information Technology Department on or around December 24. The computer had Social Security numbers and names of current and former students. The thief was caught and claims that none of the personal information was used.

01/31/2006 Boston Globe (The New York Times Company) and The Worcester Telegram & Gazette

a business other than retail in Boston, Massachusetts
240,000 financial accounts compromised
 
Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers.

01/31/2006 Honeywell International

a business other than retail in Morristown, New Jersey
19,000 financial accounts compromised
 
Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error. Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance.

02/13/2006 Ernst & Young

a business other than retail in New York, New York
38,000 non-financial accounts compromised
 
A laptop containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees was stolen from a locked car. While Ernst and Young waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies was contacted immediately.

02/15/2006 U.S. Department of Agriculture (USDA)

Government or Military in Washington, District Of Columbia
350,000 non-financial accounts compromised
 
The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act. Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

02/16/2006 Blue Cross and Blue Shield

a healthcare provider or servicer in Jacksonville, Florida
27,000 non-financial accounts compromised
 
A contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies. A judge ordered the former computer consultant to reimburse the Jacksonville-based health insurer $580,000 for expenses related to his theft.

02/17/2006 Mount St. Mary’s Hospital

a healthcare provider or servicer in Lewiston, New York
17,000 non-financial accounts compromised
 
Two laptops containing dates of birth, addresses and Social Security numbers of patients were stolen in an armed robbery in New Jersey. The laptops and sensitive files were password protected. The Hospital contacted those whose information may have been compromised. St. Mary’s is just one of ten hospitals that were affected by the theft.

03/02/2006 Los Angeles County Department of Social Services

Government or Military in Los Angeles, California
2,000,000 non-financial accounts compromised
 
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month. This affects employees and clients. It is unclear if this is the same incident that involved the information of 94,000 people being left next to a recycling bin outside of the Department of Public Social Services in January of 2006.

03/03/2006 Metropolitan State College of Denver (MSCD)

an educational institution in Denver, Colorado
93,000 non-financial accounts compromised
 
A laptop containing student information was stolen. The information included names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester.

[ http://www.mscd.edu/securityalert ]

03/05/2006 Georgetown University

an educational institution in Washington, District Of Columbia
41,000 non-financial accounts compromised
 
A server was attacked that housed personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. Georgetown managed the server as part of a grant to manage information services provided by the D. C. Office of Aging.

03/15/2006 Ernst & Young, IBM

a Financial or Insurance Services firm in New York, New York
84,000 non-financial accounts compromised
 
A laptop with sensitive information was stolen from an employee’s car in January. IBM employees who may have been stationed overseas during their careers were affected. Names, Social Security numbers, dates of birth, genders, family sizes and tax identifiers for employees were exposed. Those affected were notified in March.

03/23/2006 Fidelity Investments

a Financial or Insurance Services firm in Boston, Massachusetts
196,000 non-financial accounts compromised
 
A laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. Fidelity contacted the customers and paid for one year of credit monitoring services. Fidelity also pledged to pay for unauthorized transactions in pensions or retirement accounts that occurred due to the theft.

03/24/2006 Vermont State Colleges

an educational institution in Waterbury, Vermont
14,000 non-financial accounts compromised
 
A laptop containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system was stolen. It contained information from as long ago as 2000.

03/24/2006 California State Employment Development Division

Government or Military in Sacramento, California
64,000 non-financial accounts compromised
 
A computer glitch sent state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft.

03/30/2006 U.S. Marine Corps

Government or Military in Monterey, California
207,750 non-financial accounts compromised
 
A portable drive containing the personal information of Marines was lost in a campus computer lab. The lost drive was being used for research on Marine re-enlistment bonuses and contained names, Social Security numbers, marital status, and enlistment contract details. Enlisted Marines on active duty between January 2001 and December of 2005 were affected. The University notified those whose information may have been compromised.

03/30/2006 Georgia Technology Authority (GTA)

Government or Military in Atlanta, Georgia
573,000 financial accounts compromised
 
Hackers exploited a security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners. The State only had contact information for 180,000 of those affected and relied on media coverage to get the word out to others.

04/01/2006 Con Edison

a business other than retail in New York, New York
15,000 non-financial accounts compromised
 
Con Edison shipped two cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost and contained employees’ W-2 data, including names, addresses, Social Security numbers, taxes paid and salaries.

04/14/2006 NewTech Imaging

a business other than retail in Honolulu, Hawaii
40,000 non-financial accounts compromised
 
Records containing the names, Social Security numbers and birth dates of more than 40,000 members of Voluntary Employees Benefit Association of Hawaii were illegally reproduced at a copying business before they were to be put onto a compact disc for the State. Police later found the data on a computer that had been confiscated as part of a drug investigation. Those who were on the list and Hawaii Government Employees Association and United Public Workers members who were enrolled in union-sponsored health and group life insurance plans between July and December 1999 were warned. Investigators were only able to speculate that the theft may have occurred in February of 2005.

04/21/2006 University of Alaska, Fairbanks

an educational institution in Fairbanks, Alaska
38,941 financial accounts compromised
 
A hacker had access to names, Social Security numbers, and partial e-mail addresses of current and former students, faculty, and staff. The University reported that it would not contact those affected after a first and second notification. Anyone claiming to be from the University after these notifications should be viewed with suspicion.

04/23/2006 University of Texas McCombs School of Business

an educational institution in Austin, Texas
197,000 non-financial accounts compromised
 
Foreign hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members.

04/26/2006 Pershing LLC

a Financial or Insurance Services firm in Jersey City, New Jersey
92,541 financial accounts compromised
 
A Pershing employee lost a laptop computer. Personal information of clients may have been stored on the laptop. Names, Social Security numbers, addresses, brokerage account numbers and account holdings may have been exposed.

04/26/2006 Aetna, Omni Hotels and the Department of Defense NAF

a healthcare provider or servicer in Hartford, Connecticut
38,253 non-financial accounts compromised
 
A laptop containing personal information including names, addresses and Social Security numbers of Department of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee’s car. Members were notified and Aetna offered to pay for the credit monitoring services of those who were affected.

04/27/2006 Long Island Railroad via contractor Iron Mountain

Government or Military in Jamaica, New York
17,000 non-financial accounts compromised
 
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of virtually everyone who worked for or currently works for the agency were lost. The loss occurred during delivery by contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veterans Affairs may also have been affected.

04/28/2006 U.S. Department of Defense

Government or Military in Washington, District Of Columbia
14,000 non-financial accounts compromised
 
A hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military employees. TMA is used to provide health care services to military personnel and their families.

05/02/2006 Ohio University

an educational institution in Athens, Ohio
137,000 non-financial accounts compromised
 
Hackers accessed a computer system of the school’s alumni relations department that included biographical information and 137,000 Social Security numbers of alumni.

UPDATE (8/30/2007): An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school’s computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated.

http://www.ohio.edu/datasecurity/

05/11/2006 Merrill Lynch

a Financial or Insurance Services firm in New York, New York
10,500 non-financial accounts compromised
 
An employee’s laptop computer was stolen during a burglary. The computer contained limited personal information of some current and former Merrill Lynch clients and prospects. The information included names, addresses, account and loan numbers, account and loan balances and the names of clients’ financial advisors.

05/11/2006 Ohio University Hudson Health Center

a healthcare provider or servicer in Athens, Ohio
70,000 non-financial accounts compromised
 
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students.

http://www.ohio.edu/datasecurity

05/12/2006 Mercantile Potomac Bank

a Financial or Insurance Services firm in Gaithersburg, Maryland
48,000 non-financial accounts compromised
 
A laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank’s policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted affected customers and offered them one year of free credit monitoring services.

05/16/2006 American Institute of Certified Public Accountants (AICPA)

a Non-Governmental Organization (includes non-profits) in New York, New York
330,000 non-financial accounts compromised
 
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members.

05/18/2006 American Red Cross, St. Louis Chapter

a Non-Governmental Organization (includes non-profits) in St. Louis, Missouri
1,000,000 non-financial accounts compromised
 
A dishonest employee had access to Social Security numbers of donors. The database was used to call previous donors and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors.

05/22/2006 U.S. Department of Veterans Affairs

Government or Military in Washington, District Of Columbia
26,500,000 non-financial accounts compromised
 
On May 3, data of all American veterans who were discharged since 1975, including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee’s home. The stolen laptop and computer storage device held data of 26.5 million veterans. The data did not contain medical or financial information, but may have included disability numerical rankings. (800) 827-1000

UPDATE (6/29/2006): The stolen laptop computer and the external hard drive were recovered.

UPDATE (7/14/2006): FBI claims no data had been taken from stolen computer.

UPDATE (8/5/2006): Two teens were arrested in the theft of the laptop.

UPDATE (8/25/2006): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse.

UPDATE (11/23/2007): A federal judge questioned the Veterans Affairs Department’s computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released.

UPDATE (1/23/2009): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.

UPDATE (6/16/2009): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com. Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625.

UPDATE (10/19/2012): An investigation into the VA revealed that encryption software has only been installed on 16% of VA computers since the 2006 breach. Six million dollars has been spent on encryption software since the 2006 breach. The investigation began after a 2011 anonymous tip.

05/23/2006 Mortgage Lenders Network USA

a Financial or Insurance Services firm in Middletown, Connecticut
231,000 non-financial accounts compromised
 
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information – including customers’ names, addresses, Social Security numbers, loan numbers, and loan types – if the company didn’t pay him. He stole the files over the 16 months he worked there.

05/25/2006 VyStar Credit Union

a Financial or Insurance Services firm in Jacksonville, Florida
34,400 non-financial accounts compromised
 
A hacker gained access to member accounts and stole personal information including names, addresses, birth dates, mother’s maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar’s 344,000 members were affected.

05/31/2006 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird

a Financial or Insurance Services firm in Round Rock, Texas
1,700,000 non-financial accounts compromised
 
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers. In addition to those in Texas, persons in Toronto, Canada, were also affected.

UPDATE (6/16/2006): TG now says a total of 1.7 million people’s information was compromised, 400,000 more than the original estimate of 1.3 million.

06/01/2006 YMCA of Greater Providence

a Non-Governmental Organization (includes non-profits) in Providence, Rhode Island
65,000 financial accounts compromised
 
A laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. Those affected were notified.

06/01/2006 Ernst & Young

a business other than retail in New York, New York
243,000 financial accounts compromised
 
A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee’s car in Texas.

06/02/2006 Ahold USA, parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems (EDS)

a retail business in Landover, Maryland
92,000 non-financial accounts compromised
 
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold’s supermarket chains including Social Security numbers, birth dates and benefit amounts. The laptop was lost from the checked baggage of a domestic commercial airline flight on May 2, 2006. The laptop was not recovered even though the incident was reported immediately.

06/03/2006 Humana

a healthcare provider or servicer in Louisville, Kentucky
17,000 non-financial accounts compromised
 
Personal information of Humana customers enrolled in the company’s Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

06/03/2006 Buckeye Community Health Plan

a healthcare provider or servicer in Columbus, Ohio
72,000 non-financial accounts compromised
 
Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider.

06/05/2006 Kingsbrook Jewish Medical Center

a healthcare provider or servicer in Brooklyn, New York
34,863 non-financial accounts compromised
 
A personal computer was stolen from the Hospital’s outpatient billing office on December 26, 2005. It is likely that the computer contained spreadsheets with patient names and Social Security numbers embedded in insurance numbers. Those affected were notified May 26, 2006.

06/11/2006 Denver Election Commission

Government or Military in Denver, Colorado
150,000 non-financial accounts compromised
 
Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters’ Social Security numbers, addresses and other personal information.

06/14/2006 American International Group (AIG), Indiana Office of Medical Excess, LLC

a Financial or Insurance Services firm in New York, New York
930,000 non-financial accounts compromised
 
A computer server containing personal information including names, Social Security numbers, birth dates, and some medical and disability information was stolen on March 31.

UPDATE (1/12/2010): A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients’ personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.

06/16/2006 Union Pacific

a business other than retail in Omaha, Nebraska
30,000 non-financial accounts compromised
 
On April 29th, an employee’s laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.

06/17/2006 Western Illinois University

an educational institution in Macomb, Illinois
180,000 financial accounts compromised
 
On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University. Initial reports were 240,000 affected, but that was reduced to 180,000.

[ http://www.wiu.edu/securityalert ]
[ http://news.cnet.com/Illinois-university-hit-with-security-breach/2100-7349_3-6090860.html ]

06/18/2006 ING U.S. Financial Services, Jackson Health System

a Financial or Insurance Services firm in Miami, Florida
13,000 non-financial accounts compromised
 
Two ING laptops that carried sensitive data affecting Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.

06/18/2006 ING U.S. Financial Services

a Financial or Insurance Services firm in Washington, District Of Columbia
13,000 non-financial accounts compromised
 
A laptop was stolen from an employee’s home. It contained retirement plan information including Social Security numbers of D.C. city employees.

06/21/2006 Cumberland County Emergency Medical Service

a healthcare provider or servicer in Fayetteville, North Carolina
24,350 non-financial accounts compromised
 
A portable computer containing personal information of more than 24,000 people was stolen from an ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses and birthdates, plus SSNs of 84% of those listed.

06/22/2006 U.S. Department of Agriculture (USDA)

Government or Military in Washington, District Of Columbia
26,000 non-financial accounts compromised
 
During the first week in June, a hacker broke into the Department’s computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors.

[ www.firstgov.gov/usdainfo.shtml ]

06/23/2006 U.S. Navy

Government or Military in Washington, District Of Columbia
28,000 non-financial accounts compromised
 
Navy personnel were notified on June 22 that a civilian website contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers.

06/26/2006 AAAAA Rent-A-Space

a business other than retail in Colma, California
13,000 financial accounts compromised
 
Customers’ account information, including name, address, credit card, and Social Security number, was easily accessible due to a security gap in AAAAA’s online payment system.

06/29/2006 Nebraska Treasurer’s Office

Government or Military in Lincoln, Nebraska
309,000 non-financial accounts compromised
 
A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses.

06/29/2006 AllState Insurance Huntsville branch

a Financial or Insurance Services firm in Huntsville, Alabama
27,000 non-financial accounts compromised
 
Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen.

06/29/2006 Minnesota Department of Revenue

Government or Military in St. Paul, Minnesota
50,400 non-financial accounts compromised
 
On May 16, a package containing a data tape used to back up the regional office’s computers went missing during delivery. The tape contained personal information including individuals’ names, addresses, and Social Security numbers. The package was reported delivered two months later, having apparently been temporarily lost by the U.S. Postal Service.

http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml

06/30/2006 National Institutes of Health Federal Credit Union

a Financial or Insurance Services firm in Rockville, Maryland
41,000 non-financial accounts compromised
 
NIHFCU and law enforcement are investigating the identity theft of some of its 41,000 members. No details were given on the type of information stolen, or how it was stolen.

06/30/2006 U.S. Department of Veterans Affairs

Government or Military in Washington, District Of Columbia
16,500 non-financial accounts compromised
 
A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans’ Social Security numbers, dates of birth and legal documents. The VA’s Office of the General Counsel is offering identity theft protection services to those affected by the missing tape.

07/05/2006 Bisys Group Inc.

a Financial or Insurance Services firm in Roseland, New Jersey
61,000 non-financial accounts compromised
 
Personal details about 61,000 hedge fund investors were lost when an employee’s truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.

07/07/2006 Naval Safety Center, United States Navy

Government or Military in Norfolk, Virginia
100,000 non-financial accounts compromised
 
The SSNs and other personal information of more than 100,000 naval and Marine Corps aviators and air crew, both active and reserve, were exposed on the Center website and on 1,100 computer discs mailed to naval commands.

07/07/2006 University of Tennessee

an educational institution in Knoxville, Tennessee
36,000 non-financial accounts compromised
 
A hacker broke into a UT computer containing names, addresses and SSNs of about 36,000 past and current employees. The intruder used the computer from August 2005 to May 2006 to store and transmit movies. (866) 748-1680

http://security.tennessee.edu

07/14/2006 Northwestern University

an educational institution in Evanston, Illinois
17,000 non-financial accounts compromised
 
Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid. (888) 209-0097.

http://www.northwestern.edu/newscenter/stories/2006/07/data.html

07/18/2006 Nelnet Inc., UPS

a business other than retail in Lincoln, Nebraska
188,000 non-financial accounts compromised
 
A computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network between November 1, 2002 and May 31, 2006. (800) 552-7925

07/18/2006 CS Stars, subsidiary of insurance company Marsh Inc.

a Financial or Insurance Services firm in Chicago, Illinois
722,000 non-financial accounts compromised
 
On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers’ comp fund. The lost data includes SSNs and dates of birth but apparently no medical information. In April of 2007 the New York Attorney General’s office found that CS Stars violated the state’s security breach law. CS Stars must pay the Attorney General’s office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, that the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed.

07/19/2006 Group 1 Automotive Inc, Weinstein Spira & Company, P.C.

a Financial or Insurance Services firm in Houston, Texas
14,000 non-financial accounts compromised
 
Five laptops were stolen from a Weinstein Spira office sometime between the night of July 10 and the morning of July 11. The laptops contained personal information of clients and the employees of clients. Names, addresses, Social Security numbers and financial data were accessed.

07/25/2006 Cablevision Systems Corp., ACS, FedEx

a business other than retail in Bethpage, New York
13,700 non-financial accounts compromised
 
A tape en route to the company’s 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape.

07/25/2006 Georgetown University Hospital

a healthcare provider or servicer in Washington, District Of Columbia
23,000 non-financial accounts compromised
 
Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDx.

07/25/2006 Armstrong World Industries, Deloitte & Touche

a business other than retail in Lancaster County, Pennsylvania
12,000 non-financial accounts compromised
 
A laptop containing personal information of current and former employees was stolen. The computer was in the possession of the company’s auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited.

07/27/2006 Kaiser Permanente Northern California Office

a healthcare provider or servicer in Oakland, California
160,000 non-financial accounts compromised
 
A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members. (866) 453-3934

07/29/2006 Sentry Insurance

a Financial or Insurance Services firm in Stevens Point, Wisconsin
112,270 non-financial accounts compromised
 
Personal information including SSNs on worker’s compensation claimants was stolen, some of which was later sold on the Internet. At least 72 claimants of the 112,270 who may have had their information accessed had their information sold. No medical records were included. The thief was a lead programmer-consultant who had access to claimants’ data. The consultant was arrested and faces felony charges.

08/01/2006 Ron Tonkin Nissan

a retail business in Portland, Oregon
16,000 non-financial accounts compromised
 
Several months ago the car dealership experienced a security breach affecting the personal information of those who bought cars or applied for credit between 2001 and March 2006. Questions? Call: (503) 251-3349

08/04/2006 PSA HealthCare

a healthcare provider or servicer in Norcross, Georgia
51,000 non-financial accounts compromised
 
A company laptop was stolen from an employee’s vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. (866) 752-5259

08/07/2006 U.S. Department of Veterans Affairs via contractor Unisys Corporation

Government or Military in Reston, Virginia
18,000 non-financial accounts compromised
 
A computer at the contractor’s office was reported missing Aug. 3. It contained billing records with names, addresses, SSNs, and dates of birth of veterans at two Pennsylvania locations. Five thousand Philadelphia patients, 11,000 Pittsburgh patients and 2,000 deceased patients were affected. There is a possibility that 20,000 others were also affected.

UPDATE (9/15/2006): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys.

08/09/2006 Hoffman-La Roche Inc, McGladrey and Pullen LLP

a retail business in Washington, District Of Columbia
26,000 non-financial accounts compromised
 
A laptop computer belonging to an employee of McGladrey and Pullen LLP was stolen on July 18. McGladrey conducts audits of the Roche Savings and Pay Deferral Plan. The laptop included names, Social Security numbers, affiliation with the plan, plan account balance and 2005 plan withdrawal amounts.

08/09/2006 U.S. Department of Transportation

Government or Military in Washington, District Of Columbia
132,470 non-financial accounts compromised
 
The DOT’s Office of the Inspector General reported a special agent’s laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial driver’s licenses in Miami-Dade County, 42,800 persons in FL with FAA pilot certificates and 9,000 persons with FL driver’s licenses. (800) 424-9071, hotline@oig.dot.gov

08/22/2006 Beaumont Hospital

a healthcare provider or servicer in Troy, Michigan
28,473 non-financial accounts compromised
 
A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients.

08/23/2006 U.S. Department of Education, Direct Loan Servicing Online

Federal Government in Atlanta, Georgia
21,000 non-financial accounts compromised
 
A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the U.S. Department of Education’s loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies.

[ http://www.dlssonline.com ]

08/28/2006 Copart, Inc.

a retail business in Fairfield, California
43,764 non-financial accounts compromised
 
Hackers may have acquired the full names of customers, business and home addresses, telephone numbers, email addresses, driver’s license numbers and possibly driver’s license photographs. The website breach was discovered on July 17 and customers were notified on August 28. No Social Security numbers or financial information was accessed.

08/29/2006 AT&T via vendor that operates an order processing computer

a business other than retail in San Francisco, California
19,000 financial accounts compromised
 
Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T’s online store. The company is notifying fewer than 19,000 customers.

UPDATE (9/1/2006): The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into revealing more information such as SSN and birthdate, which is essential for the crime of identity theft.

http://www.identityalert.ucla.edu

12/12/2006 University of Texas, Dallas

an educational institution in Dallas, Texas
35,000 non-financial accounts compromised
 
The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion, including names, SSNs, home addresses, phone numbers and e-mail addresses. Affected individuals can call (972) 883-4325. The initial estimate of compromised accounts was 5,000, then raised to 6,000, then raised again to 35,000.

[ http://www.utdallas.edu/datacompromise/form.html ]

12/13/2006 Boeing

a business other than retail in Seattle, Washington
382,000 non-financial accounts compromised
 
In early December, a laptop was stolen from an employee’s car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees.

12/14/2006 Electronic Registry Systems

a healthcare provider or servicer in Atlanta, Georgia
63,000 non-financial accounts compromised
 
On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. They contained the personal information (name, date of birth, Social Security number, address, medical record number, medical data and treatment information) of cancer patients from hospitals in Pennsylvania, Tennessee, Ohio and Georgia, some dating back to 1977. The initial estimate of compromised accounts was 25,000 and was later raised to over 63,000. Hospitals include Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, as well as Geisinger Health System (PA) and Williamson Medical Center (TN) and other facilities in Danville, PA and Nashville, TN.

12/15/2006 University of Colorado, Boulder, Academic Advising Center

an educational institution in Boulder, Colorado
17,500 non-financial accounts compromised
 
A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators.

[ http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf ]

12/20/2006 Lakeland Library Cooperative

Government or Military in Grand Rapids, Michigan
15,000 non-financial accounts compromised
 
Personal information of 15,000 library users in West Michigan was displayed on the Cooperative’s Web site due to a technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library card numbers. Children’s names were also listed along with their parents’ names on a spreadsheet document. The information has since been removed. Lakeland Library Cooperative serves 80 libraries in eight counties.

12/21/2006 Goal Financial, LLC

a Financial or Insurance Services firm in San Diego, California
34,000 non-financial accounts compromised
 
A portion of borrowers’ names and Social Security numbers were on four hard drives that were accidentally sold before being wiped clean. Employees transferred more than 7,000 files with consumer information to third parties without authorization, and one employee sold the hard drives to the public surplus. The hard drives were retrieved after the mistake was realized on June 13. Affected individuals were notified in June. The student loan company agreed to settle FTC charges in December. The company violated the FTC’s Privacy Rule by failing to take reasonable and appropriate measures to protect personal information. The location listed is the headquarters. It is not clear where the incident took place.

12/22/2006 Texas Woman’s University

an educational institution in Dallas, Texas
15,000 non-financial accounts compromised
 
A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure connection.

12/22/2006 Utah Valley State College

an educational institution in Orem, Utah
15,000 non-financial accounts compromised
 
Social Security numbers and other personal information of students and faculty were accessible via Yahoo’s search engine. The information was removed from UVSC’s servers. Some Distance Education instructors and some students enrolled in UVSC courses between January 2002 and January 2005 were affected.

 
 

In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.

 
 


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.