Compromises in 2011 affecting 10,000 or more
01/11/2011 University of Connecticut, HuskyDirect.com
an educational institution in Storrs, Connecticut
18,059 financial accounts compromised
Customers who used their credit cards on UConn’s Huskydirect.com sports gear website may have had their personal information exposed in a data security breach. A hacker was able to access the Huskydirect.com customer database and may have viewed billing information with names, addresses, telephone numbers, credit card numbers, expiration dates, security codes and email addresses. The Huskydirect.com database is run by an outside vendor. People who made purchases offline are not at risk.
01/12/2011 Seacoast Radiology
a healthcare provider or servicer in Rochester, New Hampshire
231,400 non-financial accounts compromised
On November 12, Seacoast discovered that a server had been breached. Patient names, Social Security numbers, addresses, phone numbers and other personal information may have been exposed by the breach. Credit card and other financial information were not exposed. Patients and people serving as insurance guarantors were affected. It is believed that the hackers were utilizing Seacoast’s bandwidth to play a popular game called Call of Duty: Black Ops.
[ http://www.seacoastprivacy.com ]
01/13/2011 Green River District Health Department
Fox Technology Group (now part of Intergranetics)
a healthcare provider or servicer in Owensboro, Kentucky
18,871 non-financial accounts compromised
The personal information of people who visited Green River District Health Department was accidentally placed online by Fox Technology. A resident notified the Department after discovering personal information online. Many visitor names were given with dates of birth; around half included Social Security information as well. The information was exposed sometime in October of 2010 or before. The problem was fixed soon after the Department was notified. The number affected was raised from an initial 9,986 to 18,871.
01/18/2011 Tulane University
an educational institution in New Orleans, Louisiana
10,000 non-financial accounts compromised
A University-issued laptop was stolen from an employee’s car on December 29, 2010. The laptop was used to process 2010 tax records for employees, students and others who would receive a 2010 W-2. The information included names, Social Security numbers, salary information and addresses.
01/24/2011 Grays Harbor Pediatrics
a healthcare provider or servicer in Aberdeen, Washington
12,000 non-financial accounts compromised
A backup tape was stolen from an employee’s car sometime around November 23. The device was used for storing copies of paper records. Patients may have had their names, Social Security numbers, insurance details, driver’s license information, immunization records, medical history forms, previous doctor records and patient medical records scanned and placed on the backup tape. People with questions about the incident may call 1-877-810-7248.
01/29/2011 Ankle and Foot Center of Tampa Bay, Inc.
a healthcare provider or servicer in Tampa Bay, Florida
156,000 non-financial accounts compromised
Why: The Center experienced a hacking or IT incident on or around November 10, 2010. Scale: The protected health information of 156,000 patients was exposed. Scope: Exposed information included names, Social Security numbers, dates of birth, home addresses, account numbers, health care services and related diagnostic codes.
01/29/2011 Benefits Resources, Inc.
a healthcare provider or servicer in Cincinnati, Ohio
16,200 non-financial accounts compromised
A portable electronic device was lost or stolen in South Carolina on or about November 22, 2010. It contained the personal health information of patients. Ohio is the headquarters of Benefits Resources, Inc.
02/07/2011 HBGary Federal
a business other than retail in Sacramento, California
60,000 non-financial accounts compromised
HBGary announced that it had information about the Anonymous hackers collective. Anonymous supporters hacked into HBGary’s network in order to learn what information had been gathered during the investigation. Over 60,000 business emails were extracted and the company’s website was defaced. HBGary’s leader also had his Twitter account hacked and his personal information exposed. Anonymous supporters claim the attack was to prevent HBGary from selling trivial information to the FBI. The hackers published a 23-page document online and claimed that it was the information HBGary was going to sell. HBGary’s email database was also published. Sensitive information about customers may have been exposed.
02/12/2011 North Bronx Healthcare Network
Including Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center, healthcare providers or servicers in New York, New York
1,700,000 non-financial accounts compromised
The New York City Health & Hospitals Corporation’s North Bronx Healthcare Network experienced a breach. Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services. The theft occurred during December of 2010. The information on the tapes was from patients, staff members and associated employees and dated back to 1991. Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed. Health and Hospital Corporation is the group that runs the affected hospitals and clinics.
02/12/2011 Saint Francis Broken Arrow
Also known as Broken Arrow Medical Center, a healthcare provider or servicer in Broken Arrow, Oklahoma
84,000 non-financial accounts compromised
A computer that had not been used since May of 2004 was stolen from a secured information systems room. Patient billing information and some employee records were exposed. The information would have included names, Social Security numbers, dates of birth, addresses and patient insurance and diagnostic information.
02/23/2011 Chapman University, Brandman University
an educational institution in Los Angeles, California
13,000 non-financial accounts compromised
A student discovered a document with sensitive information in an unsecured folder. It contained names, Social Security numbers, student ID numbers and financial aid information. Around 11,000 current and former Chapman students, 1,900 applicants and an unspecified number of Brandman students were affected. Only students and people affiliated with the University could have accessed the file, and it appears that the student who reported the incident was the only one who accessed the file.
02/24/2011 Cambridge Who’s Who Publishing, Inc.
a business other than retail in Uniondale, New York
400,000 financial accounts compromised
A former employee alleged that Who’s Who experienced a breach involving data tapes holding the information of 400,000 customers. It is not clear what happened, but the tapes were misplaced during shipping sometime before October 20, 2010. The tapes may have contained customer names, Social Security numbers, addresses, driver’s license numbers, payroll data, checking account numbers and credit card information.
03/03/2011 Cord Blood Registry
a healthcare provider or servicer in San Francisco, California
300,000 non-financial accounts compromised
Backup tapes were stolen from an employee’s car in San Francisco on December 13, 2010. Names and Social Security, driver’s license and credit card numbers were on the tapes. The tapes were not encrypted. Customers began receiving notification on February 14 of 2011. A computer and other personal property were stolen during the burglary.
03/04/2011 University of South Carolina
an educational institution in Sumter, South Carolina
31,000 non-financial accounts compromised
A computer security problem may have exposed the information of faculty, staff, retirees and students on eight University system campuses. Social Security numbers and other private information could end up on the internet.
03/06/2011 Alaska Department of Education and Early Development
State Government in Juneau, Alaska
89,519 non-financial accounts compromised
A hard drive with the information of students was stolen. Most of the affected students reside in Fairbanks. Names, dates of birth, student identification numbers, genders, ethnicity, disability status, grade levels, test scores and enrollment information were exposed. The theft is believed to have occurred in early February.
03/11/2011 OrthoMontana
a healthcare provider or servicer in Billings, Montana
37,000 non-financial accounts compromised
The loss or theft of a laptop may have exposed the information of current and past patients.
UPDATE(3/16/2011): About 37,000 patients had their information on the laptop. The types of patient information exposed were not reported, however the laptop did not contain financial information.
03/15/2011 Health Net Inc., International Business Machines (IBM)
a healthcare provider or servicer in Rancho Cordova, California
1,900,000 non-financial accounts compromised
Nine disc drives that contained sensitive health information went missing from Health Net’s data center in Rancho Cordova, California. The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14. Customers with questions may call (855) 434-8081.
UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM. The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California’s Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California’s unfair-competition law; and public disclosure of private facts. The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs. The citation is Bournas v. Health Net Inc., No. 2:11-CV-01262, complaint filed (E.D. Cal. May 11, 2011).
UPDATE(08/09/2011): Health Net’s chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed. Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected. Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.
03/16/2011 St. Louis University
an educational institution in St. Louis, Missouri
12,000 non-financial accounts compromised
The University’s network was hacked on December 12, 2010. The breach was discovered on December 13 and a statement was available on the University’s website on January 31, 2011. Eight hundred students and 12,000 current and former employees and contractors were affected. Only people who worked for Saint Louis University at some point had their Social Security numbers exposed. Some students who received counseling through the University’s Student Health Services may have had their names, dates of birth, tests, diagnosis and treatment information exposed.
03/22/2011 Laredo Independent School District
an educational institution in Laredo, Texas
24,903 non-financial accounts compromised
A disk that contained the Social Security numbers of all students in the Laredo Independent School District was lost or stolen sometime prior to February of 2011.
UPDATE (4/7/2011): Between August 2010 and January 2011, CDs that were mailed to the Texas Education Agency (TEA) were lost. The CDs were unencrypted and contained student Social Security numbers, dates of birth and ethnicity. The CDs were sent to TEA so that identifying information could be removed and the information could be passed along to the University of Texas at Dallas Education Research Center. According to a TEA spokesperson, Laredo ISD’s data set is missing from a set of other district information that was sent. Though the TEA claims that only Laredo student information was exposed, the information of 164,406 students from eight Texas school districts was sent. The information on the unencrypted disks goes back 20 years. This information includes current and former students in the top 10% of their class who graduated between 1992 and 2010 from the Crowley, Harlingen, Round Rock, Killeen, Richardson, Irving, Mansfield, and Grand Prairie school districts.
03/29/2011 BP Global
a business other than retail in New Orleans, Louisiana
13,000 non-financial accounts compromised
An employee lost a laptop that contained the personal information of people who were seeking compensation for damages caused by BP’s 2010 oil spill. The laptop was lost on March 1 of 2011 while the employee was traveling for business. It contained a spreadsheet with claimant names, Social Security numbers, addresses and phone numbers.
03/30/2011 Eisenhower Medical Center (EMC)
a healthcare provider or servicer in Rancho Mirage, California
514,330 non-financial accounts compromised
The March 11 theft of a desktop resulted in the exposure of patient names, dates of birth, ages, Eisenhower medical record numbers and the last four digits of patient Social Security numbers. A television was also stolen during the burglary. Patient information from as far back as the 1980’s may have been exposed.
UPDATE (5/22/2014): A California appellate court ruled Wednesday that Eisenhower Medical Center did not violate California’s Confidentiality of Medical Information Act. According to the Fourth District Court of Appeals, “names on a hospital patient index are not ‘medical information’ if they’re not coupled with medical histories, condition or treatment”. If the court had found the medical center in violation, it could have faced damages as high as $500 million.
03/31/2011 Adult Industry Medical Healthcare Foundation
Also known as AIM Medical Associates P.C., a healthcare provider or servicer in Sherman Oaks, California
12,000 non-financial accounts compromised
Over 12,000 current and former adult film performers had their names, home addresses and other personally identifying information posted on the internet. It appears that information from people who tested for HIV and other sexually transmitted diseases at the Adult Industry Medical Healthcare Foundation (AIM) was obtained somehow and misused.
UPDATE (5/3/2011): A privacy lawsuit and other troubles caused AIM Healthcare to shut down and file for bankruptcy.
UPDATE (7/26/2011): The website that contained the personal and medical information of porn actors, PornWikiLeaks, was forced to shut down after being targeted by hackers.
04/02/2011 Epsilon
a business other than retail in Irving, Texas
125,000,000 non-financial accounts compromised
Epsilon, an email service provider for companies, reported a breach that affected approximately two percent of its 2,500 clients. People who receive spam should report it to phishing-report@us.cert.gov. There are many more details, including a partial list of affected companies.
UPDATE (3/6/2015): An indictment unsealed today alleges that over one billion accounts were exposed, perhaps including 125 million from Epsilon. The indictment does not name the hacked companies, but the numbers and dates are similar and no other exposure was that large. More from Krebs on Security.
04/05/2011 MidState Medical Center
a healthcare provider or servicer in Hartford, Connecticut
93,500 non-financial accounts compromised
A former Hartford Hospital employee misplaced a computer hard drive on February 15. It contained patient names, Social Security numbers, addresses, dates of birth and medical record numbers. Not all of the affected patients had their Social Security numbers exposed. Those with questions may call (855) 398-6435.
UPDATE (04/07/2011): Connecticut’s Attorney General and Consumer Protection Commissioner are investigating the breach and the data security policies of Hartford Hospital and MidState Medical Center. Additional details reveal that the hospital employee misplaced the computer hard drive after taking it home. The Connecticut Attorney General is asking that affected patients receive two years of credit monitoring services, identity theft insurance and reimbursement for placing and lifting security freezes.
UPDATE(07/10/2012): The Connecticut Attorney General has decided to end an investigation of MidState’s practices. The Attorney General claimed to base his decision to close the investigation with no further action on the fact that the Hospital had taken significant actions on behalf of the affected patients.
04/08/2011 Family Planning Council
a healthcare provider or servicer in Philadelphia, Pennsylvania
70,000 non-financial accounts compromised
A flash drive was discovered missing from an office on December 28, 2010. It and other items that did not contain patient personal information are presumed to have been stolen by a former employee who left at the end of December. The former employee has an extensive criminal background and was arrested on February 9. Authorities involved in the criminal investigation requested that notification of the breach be delayed until the investigation allowed it. The flash drive contained the personal and medical records of about 70,000 patients. Patient names, Social Security numbers, addresses, phone numbers, dates of birth and other information, including insurance information and medical information, were exposed. As a result of the breach, the Family Planning Council will no longer allow unencrypted information to be stored on removable hardware. The list of affected people includes patients who visited any of these locations: The Children’s Hospital of Philadelphia between May 1, 2010 and September 30, 2010; any of the Public Health Management Corporation facilities, which include PHMC Care Clinic, PHMC Health Connection, Rising Sun Health Center, Mary Howard Health Center, Community Court, Project Salud and several emergency housing locations in Philadelphia, between July 16, 2009 and October 29, 2010; Spectrum Health Services, Inc., which operates Haddington Health Center and the Broad Street Health Center, between October 31, 2009 and November 30, 2010; Planned Parenthood Southeastern Pennsylvania between July 1, 2009 and October 30, 2010; and Planned Parenthood Association of Bucks County between July 1, 2009 and October 31. Those who may have been affected should call 1-888-414-8020 and enter reference number 3720040811 between 8:00 am and 5:00 pm Eastern Time.
04/11/2011 Texas Comptroller’s Office
State Government in Austin, Texas
3,500,000 non-financial accounts compromised
The information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, data that was not encrypted was transferred from the Teacher Retirement System of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver’s license numbers could have been exposed. A spokesperson from the Texas Comptroller’s Office claims that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Those who have questions about the breach may call 1-855-474-2065.
UPDATE (4/13/2011): Approximately two million of the 3.5 million people possibly affected are unemployment insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and driver’s license numbers of some of these people were also exposed. The information was accidentally disclosed on a publicly accessible Comptroller’s Office server. TWC provided unemployment insurance claimant records from December 31, 2006 to December 31, 2009 to the Comptroller’s Office in April of 2010 to assist in identifying individuals who may have unclaimed property. The records were sent using Secure File Transfer Protocol (SFTP), which encrypts data only while it is in transit over the state-controlled network used by state agencies and universities; the files themselves were not encrypted, so once they were placed on the public server they were readable by anyone who found them.
UPDATE(5/6/2011): Two class action lawsuits have been filed on behalf of 3.5 million Texans who had their information exposed by the breach. The second class action lawsuit seeks a $1,000 statutory penalty for each affected individual.
UPDATE (2/13/2012): The cost of the credit monitoring services provided to those affected has passed $600,000. Currently, no taxpayers have linked fraudulent charges to the breach.
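A check a practitioner would want after an incident like the one above, where unencrypted records sat on a public web server for almost a year: periodically walk the directory the web server publishes and flag any file containing plausibly formatted Social Security numbers. The following is an added example written for this page, not code from the Texas Comptroller’s Office or any state agency. It uses only the Python standard library; the directory layout, file names and records it writes into a temporary directory are constructed for the demo and are not real data.

```python
"""Scan a directory that a web server publishes for Social Security
numbers left in plain text.  Added example (stdlib only); the sample
files written by demo() are constructed and contain no real records."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Three digit groups with an optional separator (hyphen or space) that
# must be the same between both pairs, so "78701-1234" (ZIP+4) does not
# match as "787 01 -123".
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")

# Numbers the SSA has publicly invalidated after they appeared in
# advertising; a match on these is a placeholder, not a person.
KNOWN_BOGUS = {"078051120", "219099999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per the SSA's issuance rules (no lookup):
    area 001-899 excluding 666, group 01-99, serial 0001-9999."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return area + group + serial not in KNOWN_BOGUS


def find_ssns(text: str) -> List[str]:
    """Return a masked form (***-**-NNNN) of every plausible SSN in text,
    so the scanner's own report does not become a second copy of the data."""
    found = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"***-**-{serial}")
    return found


def scan_tree(root: Path, max_bytes: int = 8 * 1024 * 1024) -> Dict[str, int]:
    """Map each file under root (relative POSIX path) to the number of
    plausible SSNs it holds; files with none are omitted.  Files larger
    than max_bytes are skipped so a stray database dump does not stall
    the scan; list those separately in a real deployment."""
    hits: Dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        count = len(find_ssns(text))
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def demo() -> Dict[str, int]:
    """Write a small constructed web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "exports").mkdir()
        # Constructed records: two plausible SSNs, one with an invalid area.
        (root / "exports" / "claimants.csv").write_text(
            "name,ssn,dob\n"
            "A. Example,123-45-6789,1970-01-01\n"
            "B. Example,456 78 9012,1980-02-02\n"
            "C. Example,000-12-3456,1990-03-03\n"
        )
        # A phone number and a ZIP+4 that must not be reported.
        (root / "index.html").write_text(
            "<p>Call 555-123-4567 or see ZIP 78701-1234.</p>\n"
        )
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, count in demo().items():
        print(f"{rel_path}: {count} plausible SSN(s)")
```

Run it against the document root of each public server (and against any backup or export directory that the server can reach) on a schedule, and treat any hit as an incident: the scanner confirms exposure, it does not remove it.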
04/11/2011 GunnAllen Financial
a Financial or Insurance Services firm in Tampa, Florida
16,000 financial accounts compromised
Former employees of GunnAllen Financial have been fined by the U.S. Securities and Exchange Commission (SEC) for failing to adequately protect customer data. The former president and the former national sales manager violated client privacy by transferring the information of GunnAllen Financial clients to a new business during or after GunnAllen’s November 2010 liquidation. The sales manager was authorized by the president to take a thumb drive holding the information of about 16,000 clients with him to his new job. The two former employees were fined $20,000 each, and the former chief compliance officer was fined $15,000 for failing to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information. The fines are based on violations of the SEC’s Safeguards Rule, which requires institutions and financial advisers under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties.
04/12/2011 Oklahoma State Department of Health
State Government in Oklahoma City, Oklahoma
133,000 non-financial accounts compromised
An agency laptop and 50 pages of medical information were stolen from an employee’s car on April 6. A database with information from the Oklahoma Birth Defects Registry was on the laptop. Data from hospital medical records were recorded on the laptop. The Oklahoma Birth Defects Registry uses the information to track and reduce the prevalence of birth defects. Notifications of the breach state that parent and child names, Social Security numbers, addresses, birth dates, medical records and medical test results may have been exposed. Notifications also warn that any phone calls or mail sent to home addresses that request Social Security numbers should be thoroughly investigated. People who might have been affected may call 1-888-278-7134 or email contactosdh@health.ok.gov.
04/13/2011 Albright College
an educational institution in Reading, Pennsylvania
10,000 non-financial accounts compromised
Two laptops were stolen from the College’s financial aid office in February. The first laptop was stolen between February 11 and 14. The second was stolen between February 18 and 20. College officials delayed notifying the public of the incident until a risk management firm had assessed the extent of the breach. The laptops contained names, Social Security numbers, dates of birth and addresses. The information may have belonged to faculty, staff, graduates, current and prospective students, spouses of any of these groups and parents of students. The laptop believed to have the most personal information was recovered from a man who was selling the item for drug money.
04/14/2011 Social Security Administration (SSA)
Federal Government in Baltimore, Maryland
63,587 non-financial accounts compromised
The Social Security numbers of living people were made available on the Social Security Administration’s Death Master File. This happened twice. Between July of 2006 and January of 2009, 26,930 people had their Social Security numbers and other identifying information exposed. A warning from the SSA’s Office of the Inspector General about privacy risks associated with the report was not enough to prevent the second incident. Between May 2007 and April of 2010, 36,657 people had their full names, Social Security numbers, dates of birth, and last known ZIP code exposed.
04/14/2011 WordPress
a business other than retail in San Francisco, California
18,000,000 non-financial accounts compromised
Hackers accessed several of WordPress’s servers. All information on the servers could have been accessed. Source code, API keys and social media passwords may have been exposed. Blog comments from WordPress spokespeople reveal the stage of the investigation and that phone numbers and financial information were unlikely to have been exposed.
04/15/2011 Rolling Stone, Radar, Corrupted Justice, Nettica, the Rick Ross Institute of New Jersey
a business other than retail in multiple states
100,000 non-financial accounts compromised
After a falling out among members of Perverted Justice, a former member attempted to bury two unflattering articles about himself. The articles were about his infidelity and were originally published in Rolling Stone and Radar Magazine. The former member created a virus that spread over the internet and infected computers across the world. Approximately 100,000 computers were affected and a botnet was created. The botnet’s goal was to attack websites that published the two articles so that no one could access them. The former member was sentenced to three years of supervised release and ordered to pay $90,386.34 in restitution. Any website that mentioned a September 2006 article called “Strange Bedfellows” from Radar Magazine or a July 2007 article entitled “To Catch a Predator: The New American Witch Hunt for Dangerous Pedophiles” may have been affected.
04/18/2011 UMass Memorial Healthcare
a healthcare provider or servicer in Worcester, Massachusetts
13,500 financial accounts compromised
Employees were able to see the pay stub information of other employees at shared workstations. Any UMass Memorial employee who accessed HRConnect from one of the 10 malfunctioning kiosks or shared workstations between October 7 and March 11, 2011 may have been affected. The problem was fixed as of March 16. Employees were able to see the names, bank names, bank transit numbers and bank account numbers of previous employees who had used the kiosks to connect to HRConnect. How many of the 13,500 employees were actually affected is unknown.
04/27/2011 Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE)
a retail business in New York, New York
12,000,000 financial accounts compromised
24,600,000 non-financial accounts compromised
There is considerable information on this page.
04/29/2011 Office of Brian J. Daniels, D.D.S. and Paul R. Daniels D.D.S.
a healthcare provider or servicer in Phoenix, Arizona
10,000 non-financial accounts compromised
The March 2, 2011 theft of a portable electronic device resulted in the exposure of electronically stored patient protected health information. Those with questions may call 602-265-8751.
05/04/2011 Rape and Brooks Orthodontics, P.C.
a healthcare provider or servicer in Columbus, Ohio
20,744 financial accounts compromised
An office burglary was discovered on the morning of February 4. A server with patient personal and health information was among the stolen items. Patients who were seen by the dentists during the past 30 years were affected. The names of patients and patient guardians, home addresses and dates of birth for patients under 18 were on the server. Account holders who provided insurance information may have had their Social Security numbers and dates of birth on the server. Patients who used AllKids with Blue Cross & Blue Shield of Alabama may have had their Social Security number included in the exposed insurance information. An unspecified number of customer credit card numbers were also stored on the server. Information from patients who were seen at the dentists’ other practices (Luther T. Cale and W. Gregory Rape, Orthodontics, P.C.; St. Clair Orthodontics, LLC and Luther T. Cale, DMD Orthodontics, P.A.) may have also been exposed.
05/06/2011 E-Pro Tax Service, Emory Healthcare
a Financial or Insurance Services firm in Chicago, Illinois
13,079 financial accounts compromised
An investigation into a few stolen Social Security checks that had been fraudulently deposited into Duluth banks uncovered three separate identity theft rings. At least six conspirators managed to defraud 5,779 people. A former real estate broker created a tax service company in order to access credit reports from a third-party credit reporting agency. Names, dates of birth and Social Security numbers were exposed. The former broker then made about $2.5 million by stealing Social Security checks, filing 393 fraudulent tax returns and passing counterfeit checks. After police linked her to the stolen Social Security checks, they searched her home and found boxes of financial documents which included old mortgage applications, tax forms and HUD documents. Investigators have not charged any other conspirators and do not believe that the woman was the head of the operation.
UPDATE (10/24/2011): More organizations were linked to the breach when investigators searched the dishonest employee’s home. The dishonest employee had a connection with someone who used to work as a clerk at Emory Healthcare. More than 3,000 patient bills containing names, Social Security numbers, dates of birth, and other confidential information were printed by the inside contact. The hospital bills of at least 32 Emory orthopedic clinic patients were stolen and used to file fraudulent tax returns. Nine patients became identity theft victims. Emory notified 7,300 employees of the breach and had fired the dishonest clerk in July.
05/09/2011 Reid Hospital
a healthcare provider or servicer in Milford, Connecticut
20,000 non-financial accounts compromised
A computer was stolen from an employee’s home during an early April burglary. It may have contained information from patients who visited the hospital between 1999 and 2008. Patients covered under Medicaid or Medicare may have had their Social Security numbers exposed, along with unspecified information contained in patient reports.
05/10/2011 Dunes Family Health Care P.C.
a healthcare provider or servicer in Sacramento, California
16,000 non-financial accounts compromised
The March 11 theft of an external hard drive used for backing up the Clinic’s electronic files may have exposed patient information. The hard drive was stored in a locked, fire-protected building with very limited access. Many of the files contained patient Social Security numbers in addition to names, dates of birth, addresses and other clinical information. There was a delay in notification due to the fact that there were duplicate files and patient contact information had to be updated. The Clinic has begun to encrypt records and has raised the physical security of the files since the incident. Current and former patients with questions may call 1-855-569-2669.
05/11/2011 Michaels Stores Inc.
a retail business in New York, New York
94,000 financial accounts compromised
Unlike a retained records breach, these credit and debit account numbers and personal identification numbers (PINs) were taken by altered keypads in the store. The information was stolen by hackers who broke into the keypads in front of registers where customers swipe their credit cards and enter their personal identification numbers, or PINs. There were “… thousands and thousands of victims.” The stolen information was used to create counterfeit cards, which were then used to make ATM withdrawals in Nevada and California. Estimated the losses were already in the millions of dollars. At least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast. (later updated to about 90)
www.technewsdaily.com/6835-pin-pads-hacked-michaels-stores-nationwide.html
http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/
The number of compromised accounts was later revealed to be about 94,000.
More information: http://www.reuters.com/article/2014/01/25/us-michaels-databreach-idUSBREA0O0N320140125
05/13/2011 Anthem Blue Cross
a Financial or Insurance Services firm in Westlake Village, California
31,125 non-financial accounts compromised
Letters soliciting dental and vision coverage were mailed to current Anthem customers. A priority code composed of the customer’s Social Security number and two extra digits was printed on the outside of each envelope. One customer noticed the error and contacted the media. Anthem admits that an error occurred, but did not reveal the cause. Anthem is working to prevent this type of breach from happening again and was in the process of notifying customers of the error as of May 12.
UPDATE(10/01/2012): Anthem experienced the marketing mailer error on April 27, 2011. The State of California settled with Anthem in September of 2012. Anthem agreed to pay $150,000 and to make significant improvements to its data security procedures to prevent future errors of a similar type.
05/17/2011 Office of Labor and Workforce Development
Massachusetts Executive Office of Labor and Workforce Development (EOLWD)
State Government in Harrisburg, Pennsylvania
210,000 non-financial accounts compromised
Why: A computer virus called W32.QAKBOT infected computers as early as April 20, 2011. Even though it was detected quickly and stopped, it was not completely eradicated. Scope: Names, Social Security numbers, email addresses, residential or business addresses, Employer Identification Numbers (EIN) and employer bank information may have been exposed. Scale: Twelve hundred employers representing approximately 210,000 people were affected. A hotline has been set up at 1-877-232-6200.
05/21/2011 Community Action Partnership of Natrona County
a healthcare provider or servicer in Casper, Wyoming
15,000 non-financial accounts compromised
On February 23, 2011, the Community Action Partnership experienced a breach that involved unauthorized access to the information of 15,000 clients. The type of information and the cause of the breach are currently not available; however, a notice that has since been removed appeared on its website on April 7.
05/27/2011 Spartanburg Regional Hospital
a healthcare provider or servicer in Spartanburg, South Carolina
400,000 non-financial accounts compromised
The March 28 theft of a laptop from an employee’s car resulted in the exposure of patient information. The laptop contained patient names, Social Security numbers, addresses, dates of birth and medical billing codes. Spartanburg Regional has not revealed the number of affected patients.
UPDATE(7/03/2011): Spartanburg Regional notified HHS that 400,000 patients were affected.
06/03/2011 MMM Healthcare, Inc.
a healthcare provider or servicer in San Juan, Puerto Rico
29,143 non-financial accounts compromised
The March 8 theft of a computer resulted in the exposure of protected patient information.
06/06/2011 Sony Pictures, Sony Corporation of America
a business other than retail in New York, New York
1,000,000 non-financial accounts compromised
Hackers called LulzSec obtained over one million Sony customer passwords. The hackers located data that included passwords, email addresses, phone numbers, home addresses, and dates of birth. The information was not encrypted and was posted on LulzSec’s website. People wishing to enter online sweepstakes entered their real or fake information. Anyone who used their Sony Pictures sweepstakes password for another account should immediately change their passwords so that they do not match each other.
UPDATE(08/28/2012): A second suspect has been arrested for his alleged role in a computer breach at Sony Pictures Entertainment. He faces one count of conspiracy and one count of unauthorized impairment of a protected computer. Sony claims that 37,500 of the one million users affected had personal information exposed.
UPDATE(04/18/2013): One of the hackers involved in the breach was sentenced to one year in prison. He was also sentenced to 13 months of home detention and 1,000 hours of community service after release.
UPDATE(08/08/2013): The hacker who was sentenced on April 18 was also ordered to pay $605,663 in restitution.
06/09/2011 Citibank
a Financial or Insurance Services firm in New York, New York
360,000 financial accounts compromised
Hackers accessed information of approximately 1% of Citibank’s 21 million users including customer names, account numbers, and contact information. Security codes and dates of birth were not exposed. The breach occurred sometime in May 2011. Hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site as ordinary customers and then guessing the account numbers of other customers, which the site returned without checking that the account belonged to the logged-in user.
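The Citibank entry above describes an insecure direct object reference: an authenticated customer changes the account identifier in the request and the server returns another customer’s record. The block below is an added example, not Citibank’s code or anything from this page’s sources. It shows the vulnerable lookup beside a hardened one (ownership checked against the session, sequential numbers replaced by random handles), and a small detector that flags a session walking many distinct account identifiers. All account records, user names and log lines are constructed for the example.

```python
"""Added example (not Citibank's code): insecure direct object reference,
the flaw pattern behind sequential account-number guessing on an
authenticated site. Every record, name and log line here is constructed."""
import secrets
from collections import defaultdict

# Constructed sample records keyed by a sequential account number.
ACCOUNTS = {
    "4000001": {"owner": "alice", "name": "Alice A.", "last_txn": "COFFEE 4.50"},
    "4000002": {"owner": "bob",   "name": "Bob B.",   "last_txn": "FUEL 52.10"},
    "4000003": {"owner": "carol", "name": "Carol C.", "last_txn": "BOOKS 31.00"},
}


def get_account_vulnerable(session_user, account_number):
    """Vulnerable lookup: the caller is logged in, but the account number is
    taken straight from the request and ownership is never checked."""
    return ACCOUNTS.get(account_number)


def enumerate_vulnerable(session_user, start, count):
    """What the attacker does with one valid session: walk sequential numbers
    and collect every record that belongs to someone else."""
    leaked = []
    for n in range(start, start + count):
        rec = get_account_vulnerable(session_user, str(n))
        if rec and rec["owner"] != session_user:
            leaked.append(rec["name"])
    return leaked


# Hardened version: the client holds an opaque per-user handle, and the server
# still checks that the resolved account belongs to the session.
_handle_to_account = {}


def issue_handle(session_user, account_number):
    """Hand the user a random 128-bit handle for an account they own. The
    handle removes the sequential hint; the ownership check in
    get_account_hardened is the actual access control."""
    if ACCOUNTS[account_number]["owner"] != session_user:
        raise PermissionError("not the owner")
    handle = secrets.token_urlsafe(16)
    _handle_to_account[handle] = account_number
    return handle


def get_account_hardened(session_user, handle):
    """Hardened lookup: an unknown handle and a foreign account both return
    None, so the response does not reveal which handles exist."""
    account_number = _handle_to_account.get(handle)
    if account_number is None or ACCOUNTS[account_number]["owner"] != session_user:
        return None
    return ACCOUNTS[account_number]


# Detection side. Constructed access-log lines, not real ones.
SAMPLE_LOG = [
    "2011-05-02T10:00:01 sess=s1 user=alice acct=4000001 status=200",
    "2011-05-02T10:00:05 sess=s1 user=alice acct=4000001 status=200",
    "2011-05-02T10:01:00 sess=s2 user=mallory acct=4000001 status=200",
    "2011-05-02T10:01:01 sess=s2 user=mallory acct=4000002 status=200",
    "2011-05-02T10:01:02 sess=s2 user=mallory acct=4000003 status=200",
    "2011-05-02T10:01:03 sess=s2 user=mallory acct=4000004 status=404",
]


def flag_enumeration(log_lines, threshold=3):
    """Return the sessions that requested at least `threshold` distinct
    account identifiers. Misses (status=404) count too: guessing produces
    them, and a legitimate customer rarely does."""
    per_session = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        per_session[fields["sess"]].add(fields["acct"])
    return {s for s, accts in per_session.items() if len(accts) >= threshold}


if __name__ == "__main__":
    print("leaked via IDOR:", enumerate_vulnerable("alice", 4000000, 5))
    h = issue_handle("alice", "4000001")
    print("owner via handle:", get_account_hardened("alice", h)["name"])
    print("other user, same handle:", get_account_hardened("bob", h))
    print("enumerating sessions:", flag_enumeration(SAMPLE_LOG))
```

The opaque handle alone is not the fix; a random identifier only removes the sequential hint. The control is the ownership check in the hardened lookup, which must run on every request regardless of how the identifier was obtained.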
06/11/2011 Penn State Altoona
an educational institution in Altoona, Pennsylvania
12,000 non-financial accounts compromised
A virus infected a Penn State Altoona computer that contained the names, addresses and Social Security numbers of alumni, faculty and staff members. The virus appeared on the computer sometime during the spring semester and was discovered on March 15. Those who were affected were not notified until June because the full list of affected people and their contact information had to be obtained by investigators. Only alumni with identical Social Security numbers and student IDs were affected.
06/12/2011 Southern California Medical-Legal Consultants, Inc. (SCMLC)
a business other than retail in Seal Beach, California
300,000 non-financial accounts compromised
A data security firm discovered that SCMLC data was available online. The names and Social Security numbers of around 300,000 people who applied for California workers’ compensation benefits may have been accessed by unauthorized parties. Those with questions may call 562-493-0851 or email notify@scmlc.com.
06/13/2011 Bethesda Softworks
a retail business in Rockville, Maryland
200,000 non-financial accounts compromised
The Bethesda website was hacked sometime during the weekend of June 11. User names, email addresses and passwords may have been exposed. Users should change their login information for other sites if they used the same login information for Bethesda. The hacker group LulzSec claimed that it had obtained the personal data of over 200,000 users of the Bethesda game Brink.
06/17/2011 Area Agency on Aging, Inc.
a healthcare provider or servicer in Mansfield, Ohio
78,000 non-financial accounts compromised
The June 3 theft of a laptop from an employee’s car resulted in the exposure of consumer information. The laptop was assigned to a PASSPORT case manager. It contained the health information of 43,000 consumers and the personal contact information of 35,000 related clients’ personal representatives. Those with questions may call 800-522-5680 ext: 1234
06/19/2011 Sega
a retail business in London, England
1,290,000 non-financial accounts compromised
The SEGA Pass website was hit by hackers sometime around June 16. Sega Europe in London operates the website, but customers worldwide may have been affected. No credit card information was exposed, but names, dates of birth, email addresses and encrypted passwords were stolen by the hackers. Sega recommends that customers change login information for other sites if they used the same login information for SEGA Pass. Sega reported that 1,290,755 customers were affected. The location listed is the European headquarters of Sega.
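The Sony Pictures, Bethesda and Sega entries above all turn on the same two points: whether a stolen credential database is stored in plaintext (Sony) or hashed (Sega), and why users were told to change any password they had reused elsewhere. The block below is an added example, not code from Sony, Bethesda, Sega or LulzSec. It implements salted, iterated password hashing with constant-time verification, shows how an attacker joins two plaintext dumps by email, and shows that a hashed record still yields a weak or reused password to offline guessing, just at a cost per guess. The iteration count, user names and passwords are assumptions constructed for the example.

```python
"""Added example (not any of the companies' code): plaintext password storage
versus a salted, iterated hash, and what an attacker can still do with a
dump of each. All users, passwords and the work factor are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: raise as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, work factor, random
    per-record salt and derived key. Same password, different salt,
    different record, so two users (or two sites) cannot be joined."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute with the stored salt and work factor; compare in constant
    time so the comparison itself does not leak matching prefixes."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def reused_passwords_plaintext(dump_a, dump_b):
    """Attacker's view of two plaintext dumps (what the leaked sweepstakes
    data amounted to): every email present in both with the same password
    is immediately usable on the second site."""
    return sorted(e for e, pw in dump_a.items() if dump_b.get(e) == pw)


def crack_record(record, wordlist):
    """Offline guessing against one hashed record. Each guess costs a full
    derivation, which is what the work factor buys; a weak or reused
    password still falls, which is why affected users were told to change
    it everywhere it was used."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed dumps from two hypothetical sites.
    site_a = {"ann@example.test": "Brink2011!", "ben@example.test": "hunter2"}
    site_b = {"ann@example.test": "Brink2011!", "ben@example.test": "other"}
    print("reusable from plaintext dumps:", reused_passwords_plaintext(site_a, site_b))

    rec_a = hash_password("Brink2011!")
    rec_b = hash_password("Brink2011!")
    print("same password, records differ:", rec_a != rec_b)
    print("verify ok:", verify_password("Brink2011!", rec_a))
    print("verify wrong:", verify_password("brink2011!", rec_a))
    print("weak password cracked:", crack_record(rec_a, ["123456", "Brink2011!", "qwerty"]))
```

A record stored this way still has to be treated as compromised once it leaks: the salt and work factor only slow the attacker down per guess, and a password that appears in a wordlist or was reused from another site will be recovered. That is the reason the Sega and Bethesda notices, like Sony’s, told customers to change matching passwords on other sites.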
06/24/2011 Harrisburg Project, West Aurora School District, Kaneland School District
an educational institution in Palatine, Illinois
10,000 non-financial accounts compromised
Two laptops were stolen from a car on or around June 7. The laptops were from an Illinois State Board of Education (ISBE) subcontractor called Harrisburg Project. The ISBE uses the Harrisburg Project as a subcontractor for special education reimbursement purposes. The laptops contained the personal information of over 10,000 students and staff from northern Illinois. Employees were using the laptops for training in data entry. The West Aurora school district headquarters is in Aurora, Illinois and the Kaneland school district is in Maple Park, Illinois. The theft occurred in Palatine, Illinois.
UPDATE(6/29/2011): It appears that both student and staff Social Security numbers were on the laptops. Additionally, student names, dates of birth, residential school district and other educational information were on the laptops. Staff names, demographics, teacher certification numbers and work assignments were on the laptops.
06/24/2011 RxAmerica and Accendo Insurance Company
a healthcare provider or servicer in Salt Lake City, Utah
176,300 non-financial accounts compromised
Medicare Part D beneficiaries enrolled in Prescription Drug Plans may have had their information exposed. A formatting mistake made member names, ID numbers, drug names and dates of birth viewable through the envelope window of letters sent.
UPDATE(7/27/2011): Current and former Molina Medicare, Healthy Advantage HMO SNP, and ChoicePartners Medicare HMO members were also affected.
UPDATE (10/28/2011): An additional 1,378 Windsor Health Plan enrollees were affected as well.
06/26/2011 Public Broadcasting Service (PBS)
a Non-Governmental Organization (includes non-profits) in Arlington, Virginia
69,000 non-financial accounts compromised
Hackers managed to obtain a number of administrative usernames and passwords for the PBS website. PBS became aware of the intrusion when a phony news story was placed on the website in late May. The login information for over 200 database users was later posted on the internet. Hackers then began releasing additional information from the PBS website and member database, including the names, addresses and email addresses of subscribers. The hackers claimed that they may release phone numbers and passwords of PBS members as well. Wyoming PBS was also breached.
07/03/2011 Cahaba Government Benefit Administrators LLC
a business other than retail in Birmingham, Alabama
13,412 non-financial accounts compromised
On April 11, 2011, someone discovered that sensitive paper records had been disclosed to outside parties or accessed without authorization. Centers for Medicare and Medicaid Services (CMS) uses Cahaba for administration of Medicare fee-for-service programs.
07/07/2011 Morgan Stanley Smith Barney, New York State Department of Taxation and Finance
a Financial or Insurance Services firm in Albany, New York
34,000 non-financial accounts compromised
Two CD-ROMs were lost after being mailed from Morgan Stanley to the New York State Department of Taxation and Finance. It is not clear if the CDs were never shipped, fell out of the packaging during shipping, or were lost after being received by the New York State Department of Taxation and Finance. The affected Morgan Stanley clients had their names, addresses, account and tax identification numbers, and income earned on Morgan Stanley investments in 2010 exposed. Some clients also had their Social Security numbers exposed.
07/08/2011 Kiplinger Washington Editors Inc.
a business other than retail in Washington, District Of Columbia
142,000 financial accounts compromised
A computer breach was discovered on June 25. Hackers may have obtained encrypted customer credit card numbers, user names and passwords.
07/20/2011 Swedish Medical Center
a healthcare provider or servicer in Seattle, Washington
19,799 non-financial accounts compromised
The full names and Social Security numbers of current and former employees were accessible online for nearly nine weeks. Employees who worked for Swedish, but not Swedish Physician Division, in 1994, 1995, 2002, 2003, 2004 and 2006 had their information posted sometime between the middle of April and June 17, 2011. The cause of the accidental disclosure was not reported.
07/30/2011 Belmont Savings Bank (BSB)
a Financial or Insurance Services firm in Boston, Massachusetts
13,000 non-financial accounts compromised
Belmont Savings Bank has agreed to pay a fine of $7,500 related to a consumer data breach case with the Massachusetts attorney general’s office. In May, a bank employee left a backup tape on a desk rather than storing it. A cleaning crew disposed of the tape later that night. Names, Social Security numbers and account numbers were exposed. The tape contained the personal information of over 13,000 customers, but is believed to have been incinerated after disposal along with other sensitive materials from BSB.
08/10/2011 University of Wisconsin – Milwaukee
an educational institution in Milwaukee, Wisconsin
79,000 non-financial accounts compromised
On May 25, University technology staff learned that unauthorized individuals had installed computer viruses on a University server. It housed a software system for managing confidential information. The names and Social Security numbers of people associated with the University could have been exposed. There was no evidence that unauthorized parties had attempted to download the confidential information.
08/12/2011 Reznick Group, AssureCare Risk Management Inc, Colonial Healthcare Inc, Gypsum Management and Supply
a Financial or Insurance Services firm in Plymouth, Minnesota
25,330 non-financial accounts compromised
Reznick’s former service provider AssureCare reported a breach of a server that contained Reznick information. The information from employee benefits plans from 2001 to 2006 could have been accessed by outside parties. Current and former employees and their spouses may have had their names, Social Security numbers, addresses, dates of birth and medical information exposed. The server was accessed by external intruders on May 9 and May 10 of 2011. The location listed is that of Assurecare Risk Management Inc. Though 25,330 Gypsum employees were affected, the total number of individuals affected across companies was not reported.
UPDATE(10/13/2011): Employees enrolled in Gypsum’s health and dental care plans were also affected.
08/17/2011 Yale University
an educational institution in New Haven, Connecticut
43,000 non-financial accounts compromised
A computer file containing the names and Social Security numbers of former faculty, staff and students was accidentally made accessible online. The file contained information from 1999 and could be located through a Google search for 10 months. A change in Google’s search engine made the file accessible from September 2010 to July 1, 2011. A person who performed a Google search on his name discovered the breach on June 30.
08/22/2011 Texas Health Presbyterian Hospital Flower Mound, Texas Health Partners
a healthcare provider or servicer in Flower Mound, Texas
10,345 non-financial accounts compromised
An employee’s company-issued laptop was stolen on June 21, 2011. The theft was reported immediately, but the laptop was not recovered. It contained 1) physical descriptions such as age, gender, weight, and height, 2) medical information such as date and time of admission, date and time of laboratory order, lab results, dates of service, diagnosis, discharge instruction and summary, name of physician, insurance, procedure, room number, medical history, and medical record number, and 3) personal information that included employer, marital status, phone number, name of account guarantor, and Social Security number for a small number of patients. Those with questions may call 1-855-419-1525.
08/23/2011 Lincoln Financial Group, Lincoln National Life Insurance Company, Lincoln Life and Annuity Company of New York
a Financial or Insurance Services firm in New York, New York
91,763 non-financial accounts compromised
A programming error caused the names and Social Security numbers of current and former retirement plan enrollees to be accessible to unauthorized plan administrators. The error had existed in the database’s search function since October 2009. A plan administrator notified Lincoln Financial Group of the issue on July 18.
08/24/2011 Allianceforbiz.com, ShoWorks, Inc.
a business other than retail in Spokane, Washington
20,000 non-financial accounts compromised
A hacker accessed a database of sensitive customer information. An Excel spreadsheet with usernames, passwords, email addresses, company names, and other types of personal or business information of 20,000 people was posted online on August 22. No credit cards were accessed and the website was closed until all passwords were changed.
09/01/2011 Birdville
an educational institution in Haltom City, Texas
14,500 non-financial accounts compromised
Two students may face criminal charges for hacking into the Birdville School District’s network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.
09/01/2011 El Paso Independent School District (EPISD)
an educational institution in El Paso, Texas
72,000 non-financial accounts compromised
Hackers accessed the EPISD server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district’s internal network (myepisd.org). EPISD was not aware of the breach until a computer security company noticed hackers bragging about breaking into EPISD’s system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers named Sy5t3mF41lur3 & t3hblackhatter of H05t_Bu5t0rz.
UPDATE(09/07/2012): A hacker accused of carrying out the attack is scheduled to plead guilty to two counts of computer fraud and one count of fraud linked to identification documents.
09/01/2011 PLUS Offices in North Macomb and Southwest Macomb
State Government in Michigan
14,000 non-financial accounts compromised
Almost 14,000 documents, dating back to 2009 and related to driver’s license and state identification applications, were stolen from two separate offices over a period of two years. The applications included names, dates of birth, addresses, and in some cases Social Security numbers. The documents were stolen in May or June from secured areas at the North Macomb PLUS Office in Chesterfield Township and from the Southwest Macomb PLUS Office in Warren, MI.
09/08/2011 Stanford University Hospital and Clinics
a healthcare provider or servicer in Palo Alto, California
20,000 non-financial accounts compromised
The medical records of about 20,000 emergency room patients were posted on a commercial website for nearly a year. It is unclear how the spreadsheet with names, account numbers, admission and discharge dates, billing charges and diagnosis codes came to be on the website. The information was not financially sensitive. The website was called “Student of Fortune” and allowed students to pay for assistance with their school work. The spreadsheet was posted in relation to a question about how to convert the data into a bar graph. A former patient reported the availability of the spreadsheet on August 22.
UPDATE(10/3/2011): A class-action lawsuit for $20 million has been filed against Stanford University Hospitals and Clinics (SHC) and Multi-Speciality Collection Services, LLC (MSCS). It was filed on September 28 and about $1,000 for each of the 20,000 affected is sought. MSCS is a former billing vendor of SHC and was operating under a contract that specifically required it to protect the privacy of patient information.
UPDATE(10/5/2011): The source of the breach was confirmed by the Hospital and contractors. MSCS’s marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test. The applicant asked for help through the Student of Fortune website.
09/12/2011 Vacationland Vendors, Inc.
a retail business in Wisconsin Dells, Wisconsin
40,000 financial accounts compromised
A hacker gained unauthorized access to Vacationland Vendors’ card processing systems at Wilderness Waterpark Resort in the Dells and Wilderness at the Smokies in Sevierville. The breach occurred on March 22. Customers who used a credit or debit card at one of the resorts between December 12, 2008 and May 25, 2011 were affected. The arcade equipment used in Sevierville, Tennessee was also made by Vacationland Vendors, Inc. and was also affected.
09/15/2011 United States Army
Military in Alexandria, Virginia
25,000 non-financial accounts compromised
A CD with sensitive Non-Appropriated Fund retiree information was lost in the mail between Alexandria, Virginia and San Antonio, Texas. The CD never officially arrived after being sent during the last week of August. It contained retiree records with names, Social Security numbers, retirement date, type of retirement, amount of life insurance carried, term data, dates of service, and other retirement data.
09/19/2011 Yanez Dental Corporation
a healthcare provider or servicer in Hanford, California
10,190 non-financial accounts compromised
A May 22 office burglary resulted in the loss of three computers with patient information. Patient names, Social Security numbers, dates of birth, addresses, telephone numbers, and other personal information were exposed. A notification dated June 15 was posted on Yanez’s website.
09/28/2011 Fairview and North Memorial Hospitals, Accretive
a healthcare provider or servicer in Minneapolis, Minnesota
14,000 financial accounts compromised
The July 25 theft of a laptop resulted in the exposure of patient information. It was stolen from a rental car parked in the parking lot of a Minneapolis restaurant. The laptop was in the possession of an employee of the contractor Accretive. It contained the names, addresses, dates of birth, medical information, and Social Security numbers of patients. A total of 14,000 Fairview patients were affected. Approximately 2,800 North Memorial patients were affected, but did not have their Social Security numbers exposed.
UPDATE(1/20/2012): A lawsuit was filed against Accretive Health, Inc. as a result of the breach. Approximately 23,500 patients in Minnesota were affected by the breach. The Minnesota Attorney General claims that Accretive failed to protect patient health care records and failed to disclose its extensive involvement in patient health care. According to the Minnesota Attorney General, Accretive gained access to sensitive patient data through contracts with the two hospitals and numerically scored patients’ risk of hospitalization and medical complexity, graded their “frailty,” compiled per-patient profit and loss reports, and identified patients deemed to be “outliers.” The physical and mental health information included a checklist of 22 different chronic medical conditions that patients did or did not have. This was without the knowledge or consent of patients, and the Attorney General argues that patients had the right to know how their information was being used and to have it kept confidential. Accretive tells investors that its contracts with hospitals include risk scoring patients, reducing avoidable hospital admissions, identifying the sickest and most impact-able patients for proactive management, and identifying real-time interventions with significant revenue or cost impact. The lawsuit alleges that Accretive violated state and federal health privacy laws, state debt collection laws, and state consumer protection laws. It seeks an order requiring Accretive to fully disclose to patients: 1) what information it has about Minnesota patients; 2) what information it has lost about Minnesota patients; 3) where and to whom it has sent information about Minnesota patients; and 4) the purposes for which it amasses and uses information about Minnesota patients.
In addition, the lawsuit asks Accretive to disclose whether it has sent health data about Minnesota patients to an offshore site in New Delhi, India and requests that restrictions be applied to how Accretive treats and uses patient data. The press release from the Office of Minnesota Attorney General Lori Swanson can be found here.
UPDATE(08/24/2012): A settlement agreement with Accretive Health was announced at the end of July, 2012 requiring Accretive to stop doing business in Minnesota for two years and to pay approximately $2.5 million to the State of Minnesota, a portion of which will be used to compensate patients.
09/30/2011 Florida Hospital
a healthcare provider or servicer in Orlando, Florida
Patients in Orange, Osceola, and Seminole counties were affected.
12,000 financial accounts compromised
Patients who visited Florida Hospital emergency departments in three Central Florida counties between January 1, 2010 and August 15, 2011 may have had their information improperly accessed by one or more employees. Patients with questions may call (855) 366-0141.
Patient names, Social Security numbers, dates of birth and insurance information were exposed. Several employees were fired for misconduct, but one employee was fired for viewing patient information without authorization for the purpose of identifying motor vehicle accident victims. The hospital launched an investigation after a car-accident victim felt that a soliciting attorney had somehow obtained his medical information.
UPDATE (10/19/2011): The FBI is now investigating the disclosure of patient information. It appears that three employees sold accident victim data to an attorney referral service. Former patients have also been contacted by funeral homes and at least one patient became an identity theft victim.
UPDATE(08/18/2012): One dishonest employee who worked at Florida Hospital Celebration allegedly viewed the emergency room records of 763,000 patients. A total of 12,000 patients from the group of 763,000 were contacted by the Hospital and notified of the risk of identity theft.
UPDATE(10/22/2012): The former employee worked at Florida Hospital from July 2006 until July 2011 and was responsible for registering emergency patients. The scam involved patient phone referrals to a lawyer or chiropractor who knew details about car accidents and hospital treatments. The dishonest employee had illegally gathered the patient information during emergency visits. He pleaded guilty to conspiracy to obtain health information and wrongful disclosure of health information.
UPDATE(01/07/2013): A man associated with Metro Chiropractic and Wellness Center and City Lights Medical Center pleaded guilty to charges related to illegally obtaining patient information from two spouses who worked at Florida Hospital Celebration. He was charged with one count of conspiracy to defraud the United States and four counts of making a payment to a non-licensed physician.
UPDATE(04/12/2013): One former patient affected by the breach has brought a lawsuit against Adventist Health System/Sunbelt, Inc. Florida Hospital Celebration and 36 other hospitals compose the Adventist network. The former patient is alleging that their privacy rights as a patient were violated when Adventist Health System/Sunbelt Inc. failed to prevent emergency room workers from selling access to their medical records.
UPDATE(07/12/2013): The lawsuit that was filed in April was dismissed by a judge on July 3. Another lawsuit was then filed in Orange County Circuit Court in Orlando.
09/30/2011 TRICARE Management Activity
formerly Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
Science Applications International Corporation (SAIC)
5,117,799 financial accounts compromised nationwide
The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed Service members, retirees and their families were affected. Patient data from the military health system that dates from 1992 to September 7, 2011 could have been exposed. The personally identifiable and protected health information of those who received care in the San Antonio area military treatment facilities and others whose laboratory workups were processed in these facilities was exposed. It includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information. The information was stolen from the car of an SAIC employee, along with a stereo system and a GPS device on September 13.
UPDATE(10/16/2011): Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data. The lawsuit would give $1000 to each of the 4.9 million affected individuals.
UPDATE (11/4/2011): SAIC reported that 5,117,799 people were affected by the breach.
UPDATE(01/06/2012): A second class action lawsuit, targeting SAIC, was filed in December in the Superior Court of California in San Diego and seeks unspecified monetary damages related to the theft of the computer tapes. It seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the September 2011 theft of the tapes.
UPDATE(03/14/2012): Some of the people affected by the breach have become victims of identity theft. The class action lawsuit against the Department of Defense and SAIC was amended to reflect the new information about fraudulent charges appearing on credit cards.
UPDATE(04/08/2012): SAIC’s insurance will most likely be enough to cover any judgments or settlements that result from the data breach. SAIC also revealed that the Office for Civil Rights in the Health and Human Services Department opened an investigation into the tape theft on November 17, 2011.
UPDATE(07/10/2012): Eight class action lawsuits have been consolidated into one case alleging that personal information was mishandled. The case will be handled by the U.S. District Court in Washington, D.C.
UPDATE (5.13.2014): On Friday, “a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected over 4.7 million individuals. In his ruling, U.S. District Judge James Boasberg wrote that the case raises “thorny standing issues regarding … when is a consumer actually harmed by a data breach — the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party?” He noted that most courts “have agreed that the mere loss of data — without evidence that [the information] has been either viewed or misused — does not constitute an injury sufficient to confer standing,” adding, “This court agrees.” (Kolbasuk McGee, GovInfoSecurity, 5/2013)”.
SAIC may be contacted at (855) 366-0140 for domestic calls and (952) 556-8312 for international calls. SAIC’s website is http://www.saic.com/
10/07/2011 The Nemours Foundation
a healthcare provider or servicer in Wilmington, Delaware
1,600,000 financial accounts compromised
Three unencrypted computer backup tapes were reported missing on September 8. The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project. The cabinet was not found. The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004. Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.
UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected. In addition to medical treatment information, the payroll information of current and former employees was exposed. Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.
10/10/2011 University of Georgia (UGA)
an educational institution in Athens, Georgia
18,931 non-financial accounts compromised
A data file that contained employment information such as names, Social Security numbers, dates of birth, dates of employment, gender, race, home phone numbers, and addresses was accidentally placed on a publicly available web server. The information was available from 2008 until 2011. Faculty and staff who worked at UGA in 2002 were affected.
10/13/2011 Neurological Institute of Savannah and Center for Spine (NIOS)
a healthcare provider or servicer in Savannah, Georgia
63,425 non-financial accounts compromised
The July 2 car theft of a computer hard drive may have exposed patient information. Patients who visited NIOS between January 1, 2006 and July 2, 2011 could have had their names, Social Security numbers, addresses, dates of birth, telephone numbers, and billing account data obtained. Patients with questions may call 1 (888) 613-3688.
10/13/2011 The Social Security Administration
Federal Government in Washington, District Of Columbia
31,931 non-financial accounts compromised
It appears that the Social Security Administration accidentally releases the names, Social Security numbers, and birth dates of thousands of living U.S. citizens each year in a database called the “Death Master File”. Social Security officials revealed that the number of U.S. citizens mistakenly listed each year is about 14,000, while 90 million are accurately reported. A Scripps Howard News Service review of three recent copies revealed 31,931 living U.S. citizens who’d had their Social Security numbers released to U.S. business groups.
11/04/2011 University of California Los Angeles (UCLA) Health System
a healthcare provider or servicer in Los Angeles, California
16,288 non-financial accounts compromised
A September 6 home theft resulted in the loss of an external computer hard drive. It contained the first and last names, birth dates, medical record numbers, addresses, and other medical record information of patients. The information dated from July 2007 to July 2011 and belonged to an individual who maintained the information in order to fulfill job duties. Other items were taken during the theft, but none have been recovered.
UPDATE (12/20/2011): A class action lawsuit was filed on December 14. It alleges that the UCLA Health System violated California’s Confidentiality of Medical Information Act. Since the act provides for statutory damages of $1,000 per person, the UCLA Health System could owe nearly $16.3 million to the 16,288 patients who were affected.
UPDATE (12/22/2011): A total of 16,288 people had some type of information on the laptop, but 2,761 had enough information on the laptop to cause “more than a minimal amount of financial, reputational, or other harm” if accessed.
UPDATE (10/17/2013): A state appellate court dismissed the class action lawsuit. The ruling was that health care providers are not necessarily liable when medical information is misused or stolen unless the information is accessed by unauthorized parties.
11/04/2011 Lawrence Memorial Hospital, Mid Continent Credit Services, Inc. (Blue Sky Credit), BrickWire LLC
a healthcare provider or servicer in Lawrence, Kansas
10,000 financial accounts compromised
A breach of a website hosted by BrickWire LLC resulted in the exposure of patient names, phone numbers, email addresses, health care providers, payment amounts, dates of payment, credit card information and checking account information. Lawrence Memorial Hospital’s vendor Blue Sky Credit used BrickWire LLC for the online bill-pay service offered to Lawrence Memorial’s patients. The personal and financial information of patients who paid through the website was accidentally made available on the Internet between September 20, 2011 and October 28, 2011.
UPDATE (11/17/2011): It appears that BrickWire left a portal open that contained payment records from 28 LMH patients after doing a system upgrade on September 20. However, the information of every patient who used the online bill pay system between 2005 and September of 2011 was available in a database that was accessible through the portal. Patients with questions may call 785-505-4945 or email lmhcompliance@lmh.org.
11/10/2011 Steam (The Valve Corporation)
a retail business in Bellevue, Washington
35,000,000 non-financial accounts compromised
The November 6 defacement of Steam forums led to an investigation that revealed hackers had accessed a Steam database with sensitive user information. The database contained user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information. Users were prompted to change their Steam forum passwords and encouraged to change their Steam account passwords. Anyone using their Steam forum password for other websites should change their password since hackers could have obtained email address and password combinations. Steam is the Valve Corporation’s social-distribution network. People who use the company’s online gaming content were affected.
UPDATE (11/16/2012): A judge dismissed a class action lawsuit related to the November 6, 2011 breach. The plaintiffs of the lawsuit used Steam to purchase and access online gaming content. They alleged present and future harm as a result of the breach. According to the judge who dismissed the lawsuit, the plaintiffs did not prove that they were harmed by the Steam breach.
11/11/2011 Virginia Commonwealth University
an educational institution in Richmond, Virginia
176,567 non-financial accounts compromised
Hackers were able to access a Virginia Commonwealth University (VCU) computer server. It contained files with the personal information of current and former VCU and VCU Health System faculty, staff, students and affiliates. Suspicious files were discovered on the server on October 24. It was taken offline and subsequent investigation revealed that two unauthorized accounts had been created on a second server. While the first server did not contain personal data, the second server did and had been compromised through the first server. Data included either a name or eID, Social Security number, and in some cases, date of birth, contact information, and various programmatic or departmental information. Affected individuals may call (855) 886-2931 or email responseteam@vcu.edu.
11/11/2011 University of Texas-Pan American
an educational institution in Edinburg, Texas
19,276 non-financial accounts compromised
On September 1, 2011, a spreadsheet containing information on 19,276 students was accidentally made accessible from the internet due to an administrative error. The spreadsheet contained the names, addresses, phone numbers, email addresses, majors, class or classes, levels, colleges, student ID numbers, and GPAs of students enrolled as of September 1 of 2011. The problem was corrected on November 2, soon after it was discovered. The spreadsheet had been accessed 15 times by unknown parties between September 1 and November 2. Questions may be emailed to infosecurity@utpa.edu.
11/13/2011 Providencenightlife.net
a business other than retail in Providence, Rhode Island
50,000 non-financial accounts compromised
Hackers posted data from providencenightlife.net users onto Pastebin. The data included usernames, clear-text passwords, and email addresses.
11/16/2011 Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF)
a healthcare provider or servicer in Sacramento, California
4,240,000 non-financial accounts compromised
A company-issued, password-protected, unencrypted desktop computer was stolen from SMF’s administrative offices during the weekend of October 15, 2011. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. The information dated from 1995 to January of 2011. An additional 934,000 SMF patients had dates of service and descriptions of medical diagnoses and/or procedures used for business operations exposed in addition to the previously listed information. This information dated from January 2005 to January 2011. Patients will receive notification letters no later than December 5. Patients with questions may call (855) 770-0003 and enter a digital reference code: 7637111511.
UPDATE (11/23/2011): Two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data and then did not notify the millions of patients whose data went missing within the time required by state law. The suit seeks $1,000 for each member of the class and attorneys’ fees.
UPDATE (07/21/2014): “A state appellate court Monday ordered the dismissal of a lawsuit [ http://www.modbee.com/2014/07/21/3450039/court-halts-4-billion-privacy.html#storylink=cpy ] that could have cost Sutter Health more than $4 billion when it ruled that millions of the health care giant’s patients had no right to sue over the theft of a computer with their personal, medical and insurance records on its hard drive. The court decided it has not been shown and the patients have not alleged that any unauthorized persons have actually viewed the contents of the hard drive, a fact that deprives the patients of grounds to seek civil damages.”
11/16/2011 Illinois State Treasurer’s Office
State Government in Springfield, Illinois
36,000 non-financial accounts of the Bright Directions College Savings Program were compromised
A mailing error caused the Social Security numbers of over 36,000 people to be visible from the outside of envelopes mailed in October. Those who were enrolled in the Illinois Treasurer’s Office Bright Directions college savings program were affected.
11/27/2011 101Domain.com
a business other than retail in Carlsbad, California
10,000 financial accounts compromised
A phishing attack exposed the personal information of users with domain names. The unauthorized access was discovered by 101domain.com when a vendor contacted them to inform them of a breach that affected multiple vendors, including 101Domain.com.
UPDATE (12/20/2011): The websites 101domain.com, bluesit.com, free-domain.com, rerundomains.com, RWGUSA.com, and RWGUSA.net could have all been affected by a server breach at one of 101Domain, Inc.’s vendors. Encrypted customer names, addresses, email addresses, and in some cases, credit card or PayPal account information could have been compromised.
11/30/2011 The College of New Jersey
an educational institution in Ewing, New Jersey
12,815 non-financial accounts compromised
The College’s On-Campus Student Employment System had a vulnerability that allowed student applicants to see the personal information of other students. A student applicant notified the College of the problem on November 2 after seeing the information of 12 other students. The system flaw was fixed within hours, but no duration was given for the breach.
12/07/2011 Lost Drive Study
Australia’s RailCorp (formally the Rail Corporation New South Wales, with no “of”) has operated continuously for over 160 years and has accumulated a great deal of misplaced personal property along the way. Rare items include an 1865 violin that was never reunited with its owner, giving rise to the legend that the violin was delayed by years of trackwork. Today USB drives are lost on RailCorp trains far more frequently. Replacing a lost USB drive costs about US$7.20 (4.50 British pounds or AU$7), less than many a beer, so lost drives tend to go unclaimed and are resold at auction, sometimes at higher than new prices. Sophos bought several lots totaling 57 devices. 5 were broken and 2 unreliable, leaving 50 to test. The drives had capacities between 256MB and 8GB; the most common was 2GB, and the total capacity was 137.5GB. 33 (67%) contained one or more of the 62 infected files found. The worst had six infected files, representing four separate items of malware. With only the most cursory automated analysis, Sophos uncovered a good deal of personal information about the people who lost the drives and about their families, friends and colleagues. How many were encrypted? ZERO. None of the drives or files were encrypted. More at Sophos …
[ So what does this mean for YOU? If you find a drive presume it to be infected with malware. Assume you are going to lose your drive. Use encryption to protect your data. -ed ]
12/08/2011 Subway
a retail business in Milford, Connecticut
80,000 financial accounts compromised
Over 150 Subway franchises and at least 50 other small retailers had customer data hacked from their point-of-sale (POS) systems. Four Romanian hackers were indicted for hacking and misusing the credit card information between 2008 and May of 2011. The card data, which was used for over $3 million in fraudulent charges on customer cards, was obtained by scanning the internet for vulnerable POS systems and then easily breaking the passwords to these systems. Keyloggers and a backdoor were also installed to allow further access to the systems. Retailers who were hit had used a certain type or types of basic POS software, and many had failed to change the default password for the software.
UPDATE (01/08/2013): A Romanian national was arrested and sentenced for his role in the POS system hack of Subway. Three other Romanians face charges related to the breach.
UPDATE (03/19/2013): The scheme may have affected 150 restaurants and may have led to $10 million in fraudulent charges. Two additional hackers were sentenced on conspiracy to commit computer fraud and conspiracy to commit access device fraud charges.
12/09/2011 Logan County Emergency Ambulance Service Authority (LEASA)
a healthcare provider or servicer in Logan, West Virginia
12,563 non-financial accounts compromised
A laptop was discovered missing on October 1, 2011. It was either lost or stolen. It contained names, Social Security numbers, addresses, and health information from patients. The laptop appears not to have been used to connect to the internet since October 1, and LEASA is attempting to block potential use of the device. Affected patients may call (304) 792-0191 (ext. 201) or email psheppard@leasa.org for more information.
12/16/2011 Restaurant Depot, Jetro Cash & Carry
a retail business in College Point, New York
300,000 financial accounts compromised
People who shopped at Jetro or Restaurant Depot between September 21 and November 18 may have had their credit or debit card information taken by a hacker. Customer names, card numbers, expiration dates, and verification codes were exposed. The breach investigation began on November 9 when the parent company became aware of customers experiencing card fraud. The location listed is that of Restaurant Depot’s corporate location.
12/21/2011 United States Chamber of Commerce
a Non-Governmental Organization (includes non-profits) in Washington, DC
3,000,000 non-financial accounts compromised
Hackers in China were able to breach the computer system of the United States Chamber of Commerce. The hackers had access to the information of roughly three million members from November 2009 to May 2010. Though the breach was discovered in May of 2010, there is evidence that some systems were still compromised in March of 2011. Email communications with no more than 50 of the Chamber’s members were compromised. Company names, key company contacts, trade-policy documents, meeting notes, trip reports, and schedules were in the email communications.
12/22/2011 Good News Garage
a Non-Governmental Organization (includes non-profits) in Burlington, Vermont
14,000 non-financial accounts compromised
A November 25 home burglary resulted in the loss of an encrypted data tape. The tape was inside a backpack that was stolen from an employee’s locked car while it was parked at home. The data tape had names, addresses, and in some cases Social Security numbers of Good News Garage donors dating back 15 years.
12/25/2011 Stratfor.com, Strategic Forecasting Inc.
a business other than retail in Austin, Texas
68,063 financial accounts compromised
Anonymous and #AntiSec claimed responsibility for the hack of a global intelligence company named Stratfor. Hackers were able to obtain tens of thousands of credit card numbers with security codes, addresses, names, and 200GB of emails. The hackers also claim to have used the credit card information to make over $1 million in donations to charities. More detailed information is on this page.
In addition to the sources cited above, the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.