Compromises in 2013 affecting 10,000 or more

Compromises in 2013 affecting less than 10,000
Compromises in 2013 affecting an unknown, or undisclosed number

01/03/2013 King Drug & Home Care

a healthcare provider or servicer in Owensboro, Kentucky
13,619 non-financial accounts compromised
An employee reported that a portable hard drive was missing on November 23, 2010. The device had last been seen sometime around November 19. The data on the device included information from before July 31, 2009. Client names, Social Security numbers, medical record numbers, account numbers, dates of service, race, insurance carriers and insurance numbers, addresses, phone numbers, sex, dates of birth, diagnosis information, allergies, initial referral forms, patient assessments/plans of care, physician orders and/or delivery ticket information may have been on the hard drive.

01/12/2013 Florida Department of Juvenile Justice

a healthcare provider or servicer in Tallahassee, Florida
100,000 non-financial accounts compromised
On September 6, 2012 it was reported that three computers that contained information from the Florida Department of Juvenile Justice were stolen from an apartment site earlier in the week. A television was also taken at the time of the theft.

UPDATE(01/12/2013): At least one of the devices was neither encrypted nor password protected and held the personal information of over 100,000 youth and employees.

01/12/2013 Florida Department of Juvenile Justice

State Government in Tallahassee, Florida
100,000 non-financial accounts compromised
A mobile device that contained both youth and employee records was reported stolen on January 2, 2013. Over 100,000 records were on the device and may have been exposed. The device was taken from a Department of Juvenile Justice office and was neither encrypted nor password-protected. Department of Juvenile Justice policy requires such devices to be encrypted.


01/28/2013 Cbr Systems

a healthcare provider or servicer in San Bruno, California
300,000 financial accounts compromised
The 2010 theft of a company laptop, a hard drive, and a number of unencrypted backup tapes resulted in the exposure of sensitive information. Social security numbers, credit and debit card numbers, driver’s license numbers, and dates of birth were contained on one or more of the devices. Cbr Systems reached a settlement with the Federal Trade Commission in early 2013. Cbr Systems must establish an information security program and be independently audited every other year for 20 years. The full settlement.

02/02/2013 Twitter

a business other than retail in San Francisco, California
250,000 non-financial accounts compromised
Online attackers were able to access the usernames, email addresses, session tokens, and encrypted passwords of 250,000 users. Twitter notified affected users and told them to create a new password. Anyone who used the same password and username or email combination for other sites is encouraged to change the password on other sites as well.

UPDATE(03/11/2013): Facebook, Microsoft, and Apple were all affected by a similar breach around the same time.

02/11/2013 Lee Miller Rehab Associates

a healthcare provider or servicer in Baltimore, Maryland
10,480 non-financial accounts compromised
A network server was stolen or discovered stolen on January 15, 2012. The incident appeared on the HHS website in February of 2013.

02/20/2013 Central Hudson Gas & Electric

a Non-Governmental Organization (includes non-profits) in Poughkeepsie, New York
110,000 financial accounts compromised
Central Hudson learned of a cyber attack that occurred over President’s Day weekend. Customers were notified the day after the holiday and encouraged to monitor their bank accounts and credit reports. Customer banking information and other personal information may have been accessed during the attack.

02/22/2013 LexisNexis, Sprechman & Associates

a business other than retail in Miami, Florida
20,000 non-financial accounts compromised
LexisNexis informed Sprechman & Associates that the unusual, excessive activity of an associate caused them to eliminate that associate’s access to LexisNexis’ database. The associate was later found to have misused Social Security numbers in order to file over 11 million dollars in fraudulent tax refund claims. The dishonest associate was not immediately fired from Sprechman & Associates and was terminated in July 2012 when law enforcement used a warrant to search his home and office computers.

02/22/2013 Crescent Health Inc., Walgreens

a healthcare provider or servicer in Anaheim, California
100,000 non-financial accounts compromised
Desktop computer hardware was stolen from the Anaheim Billing Center of Crescent Healthcare, Inc. on December 28, 2012. The theft was discovered on Monday, December 31 and reported to law enforcement. Names, Social Security numbers, health insurance identification numbers, health insurance information, dates of birth, diagnoses, other medical information, disability codes, addresses, and phone numbers may have been exposed.

UPDATE(04/03/2013): Over 100,000 people were affected.

03/03/2013 Evernote

a business other than retail in Redwood City, California
50,000,000 non-financial accounts compromised
Evernote, the online note-taking and archiving service, announced it was the victim of a security breach. The California-based company said it “discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.” Hackers were able to access information for 50+ million users, including user names, e-mail addresses and encrypted passwords. The company said no user content or financial information was accessed. Sophos Security analyst Graham Cluley said in a blog post that it remains unclear how long the hackers had access to Evernote and how they managed to get in.

Note from EverNote [ http://evernote.com/corp/news/password_reset.php ]


03/16/2013 Salem State University

an educational institution in Salem, Massachusetts
25,000 non-financial accounts compromised
A server was found to be infected with a virus. The University computer contained information related to paychecks distributed by the University. Current and former employees who may have been students or staff may have been affected.

03/20/2013 Savannah River Site (SRS)

in Aiken, South Carolina
12,000 financial accounts compromised
A security breach allowed access to the personal records of at least 12,000 SRS workers. The breach does not appear to be the result of a cyber attack. Workers may have had financial information exposed.

April 2013 47K incidents analyzed

INFORMATION: Verizon analyzed 47,000 incidents in 2012 and breaks them down in very interesting ways.


04/03/2013 United HomeCare Services, Inc., United Home Care Services of Southwest Florida, LLC

a healthcare provider or servicer in Fort Myers, Florida
13,617 non-financial accounts compromised
The January 8 theft of a billing manager’s laptop resulted in the exposure of patient information. It was stolen from the manager’s car. It contained client names, Social Security numbers, health plan numbers, dates of birth, and addresses dating as far back as 2002. Some patients may have also had treatment service codes or diagnostic codes on the laptop. A total of 12,299 United HomeCare Services, Inc. clients were affected.Additionally, 1,318 United Home Care Services of Southwest Florida clients were affected.

04/05/2013 Scribd

a business other than retail in San Francisco, California
100,000 non-financial accounts compromised
A hack affected less than 1% of Scribd’s 50 million users. “A few hundred thousand” users had their passwords stolen. Users who were affected received instructions for resetting passwords. The passwords were encrypted and it is unlikely that hackers were able to decrypt and use the passwords before Scribd and Scribd users learned of the breach.

04/09/2013 Kirkwood Community College

an educational institution in Cedar Rapids, Iowa
125,000 non-financial accounts compromised
Hackers accessed Kirkwood Community College’s website and applicant database system on March 13. Anyone who applied to a Kirkwood Campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed. People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.

04/24/2013 City of Berkeley

Government or Military in Berkeley, California
11,000 non-financial accounts compromised
A media group who regularly collects public employee salary and benefit information released Social Security numbers after they were mistakenly included in a file that the City of Berkeley provided. The information was sent by Berkeley in March and the mistake was discovered in early April. Around 2,000 active staff members and 9,000 retirees were affected. mistakenly released the Social Security numbers of the employees as well.

04/26/2013 LivingSocial

a business other than retail in Washington, District Of Columbia
29,000,000 non-financial accounts compromised
In a memo to employees, the company said online criminals had gained access to user names, e-mail addresses and dates of birth for some users and encrypted passwords for 50 million people. The company’s databases that store user and merchant credit card and banking information were not compromised in the attack. The count was later refined to as many as 29 million members (some with multiple accounts) may have had their names, email addresses, dates of birth, and encrypted passwords exposed by a cyber attack. Up to 50 million accounts may have been affected.



05/07/2013 Raleigh Orthopaedic Clinic

a healthcare provider or servicer in Raleigh, North Carolina
17,300 non-financial accounts compromised
Raleigh Orthopaedic Clinic contracted with a vendor in order to have information from X-ray films transferred into electronic format. The X-ray film was actually sold by the unnamed vendor and melted for silver by an Ohio recycling company. Patient names and dates of birth were on the film. The Clinic does not believe that personally identifiable information was on the film.

05/09/2013 Administrative Office of the Courts – Washington

Government Olympia, Washington
160,000 non-financial accounts compromised
A breach of the Administrative Office of the Courts’ server resulted in the exposure of one million driver’s license numbers between fall of 2012 and February of 2013. It was confirmed that at least 94 people had their Social Security numbers accessed. Up to 160,000 Social Security numbers could have been accessed. In April the court was able to confirm that public records and confidential information were exposed. People who were booked in a city or county jail within the state of Washington between September 2011 and December 2012 may have had their name and Social Security number accessed. Anyone who received a DUI citation in Washington state between 1989 and 2011, had a superior court criminal case in Washington state that was filed against them or resolved between 2011 and 2012, or had a traffic case in Washington filed or resolved in a district or municipal court between 2011 and 2012 may have had their names and driver’s license numbers exposed. Questions? Call 1-800-448-5584 or visit www.courts.wa.gov/databreach

05/10/2013 Indiana University Health Arnett

a healthcare provider or servicer in Lafayette, Indiana
10,300 non-financial accounts compromised
The theft of an employee’s unencrypted laptop resulted in the exposure of patient information. The laptop was stolen from an employee’s car on April 9 and contained email records. Patient names, medical record numbers, dates of birth, physician names, diagnoses, and dates of service may have been exposed.

05/13/2013 Adobe, Washington Administrative Office of the Courts

a business other than retail in Olympia, Washington
16,000 financial accounts compromised
Up to 160,000 people may have had their information exposed by a breach. Anyone who was booked into a city or county jail int he state of Washington between September of 2011 and December of 2012 may have had their Social Security number exposed.Additionally, three classes of people may have had their names and driver’s license information exposed. First, people who received a DUI citation between 1989 and 2011 in the state of Washington may have had their names and drivers’ license numbers exposed. Anyone who had a traffic case filed or resolved in a district or municipal court between 2011 and 2012 may have been affected. Finally, anyone who had a criminal case in Washington filed against them or resolved between 2011 and 2012 may have had their name and driver’s license number exposed.


05/15/2013 El Centro Regional Medical Center

a healthcare provider or servicer in El Centro, California
189,489 non-financial accounts compromised
El Centro Regional Medical Center is claiming that they were defrauded by an unnamed company. The company was responsible for digitizing El Centro Regional’s x-rays, but never returned the digitized version. The process should have been completed by the end of July. The original x-rays were most likely taken and destroyed to extract silver.

UPDATE(05/18/2013): The information on the records was as recent as February 2011. El Centro Regional Medical Center learned of the issue on March 22, 2013. Patients were notified on May 13.

05/16/2013 City of Akron

City Government in Akron, Ohio
47,452 financial accounts compromised
The City of Akron’s website and internal systems were hacked by a foreign group. Files with 47,452 entries were posted online. Names, Social Security numbers, account numbers, credit card numbers, credit card expiration dates, addresses, and other information were in the files. The hacking attack appears to be part of an organized international effort to hack into various U.S. government websites.

05/16/2013 DENT Neurologic Institute of Amherst

a healthcare provider or servicer in Amherst, New York
10,200 non-financial accounts compromised
An administrative error led to the personal information of 10,200 patients being emailed to 200 patients. Names, addresses, date of last appointment, visit type, primary care physician, referring physician, email addresses, and whether or not the patient was actively receiving treatment were in an Excel attachment of an email that was sent to unspecified parties. The recipients were called and instructed to delete the email.

05/17/2013 Delta Dental of Pennsylvania, ZDI

a healthcare provider or servicer in Mechanicsburg, Pennsylvania
14,829 non-financial accounts compromised
The March 20 loss of paper records may have exposed the information of patients. ZDI lost the records of their associate Delta Dental of Pennsylvania.

05/17/2013 Orthopedics and Adult Reconstructive Surgery

a healthcare provider or servicer in , Texas
22,000 non-financial accounts compromised
The Health and Human Services website of medical breaches reports the loss of a portable electronic device by Orthopedics and Adult Reconstructive Surgery. The breach occurred between March 1 and March 13. AssuranceMD is named as a business associate.

05/21/2013 Sovereign Medical Group, LLC

a healthcare provider or servicer in Ridgewood, New Jersey
27,800 non-financial accounts compromised
An October 10, 2012 breach resulted in the exposure of information. The incident or incidents involved one or more network servers, theft, and/or hacking.

05/21/2013 FCC/Lifeline Program, TerraCom Inc., YourTel America Inc.

Federal Communications Commission & two communications providers
Federal Government in Washington, District Of Columbia
44,000 non-financial accounts compromised
Around 44,000 application forms and 127,000 supporting documents for Lifeline were posted online. Lifeline is a federal program that provides discount internet and phone service for low-income Americans. Information such as name, Social Security number, scans of food-stamp cards, driver’s licenses, tax records, pay stubs, and parole letters was available online. The information had been available since at least March 2013 and was removed April 26, 2013. TerraCom customers who have questions may call 1-855-297-0243.

UPDATE(05/23/2013): A Scripps Howard News Service a reporter found completed Lifeline applications with a Google search for TerraCom-related information. Terracom and Yourtel are threatening to hold Scripps accountable for costs associated with the breach. These alleged costs include potentially complying with more than 20 state data breach notification laws.

05/22/2013 Vendini, Inc.

a business other than retail in San Francisco, California
22,900 financial accounts compromised
Anyone who used Vendini for ticket purchases may have had their financial information exposed during a March 2013 breach detected on April 25, 2013. A hacker accessed Vendini’s server and may have obtained customer names, addresses, email addresses, credit card numbers, and credit card expiration dates. 22,900 customers from Augusta, Maine may have been affected. Questions? Call Vendini at 800-836-0473 and view Vendini’s statement is in their blog.

05/22/2013 DHS

Department of Homeland Security
   Customs and Border Protection, Immigration and Customs Enforcement
Federal Government in Washington, DC
10,000+ non-financial accounts compromised
Department of Homeland Security employees working in the headquarters office for Immigration and Customs Enforcement and Customs and Border Protection between 2009 and 2013 may have had their names, Social Security numbers, and dates of birth exposed. Tens of thousands of employees were affected. Though one or more unauthorized users had access to the information, there is no evidence that any employee data was stolen or lost. Law enforcement officials discovered a vulnerability in an unnamed vendor’s system that is used for processing background investigations.

05/30/2013 California Department of Developmental Services

a healthcare provider or servicer in Santa Monica, California
18,100 non-financial accounts compromised
An employee at North Los Angeles County Regional Center left a work laptop, a personal laptop, and an iPhone in their car overnight. The items were stolen during the night. The employee worked for a program that served disabled infants and toddlers. Names, Social Security numbers, and other personal information were on the unencrypted work laptop. The theft occurred in November and patients were notified in January of 2013.

05/31/2013 RentPath, Inc. (Primedia)

a business other than retail in Norcross, Georgia
56,000 financial accounts compromised
An independent contractor with access to Primedia’s network operations group was found to have stolen hardware. The issue was discovered on June 20, 2012. Applicants, employees, and former employees may have had several different types of personal information stolen. Approximately 56,000 Social Security numbers were discovered among the various types of information. Approximately 30,000 former employees, employees, and applicants were identified and notified of the breach. The other 26,000 have yet to be identified.

06/03/2013 Champlain College

an educational institution in Burlington, Vermont
14,217 non-financial accounts compromised
During the weekend of June 3, a hard drive was discovered to have been misplaced. The device had been left unattended in a computer lab for about two days in March. The hard drive contained names, Social Security numbers, and other information related to admissions and financial aid for the Fall 2010 through the February 2013 school terms. Some graduate and continuing professional studies students may have also been affected. 877-643-2062.

06/03/2013 Office of Dr. Lee D. Pollan, DMD, PC.

a healthcare provider or servicer in Rochester, New York
13,806 non-financial accounts compromised
The theft of the doctor’s laptop may have exposed patient information. The theft occurred sometime between November 6, 2012 and November 15, 2012. Information related to patient names, dates of birth, addresses, Social Security numbers, diagnose and surgery billing codes, dates of service, and person responsible for the billing was on the laptop.

06/12/2013 Lucile Packard Children’s Hospital

a healthcare provider or servicer in Palo Alto, California
12,900 non-financial accounts compromised
Between May 2 and May 8, a non-functional laptop computer was stolen from a secured area of the hospital. The laptop was password protected and contained names, ages, medical record numbers, telephone numbers, scheduled surgical procedures, and names of physicians involved in procedures between 2009 and 2012. The URL is a press release from Lucile Packard


06/21/2013 Facebook

a business other than retail in Menlo Park, California
6,000,000 non-financial accounts compromised
Facebook publicly acknowledged that over the last year a security flaw allowed exposure of six million phone numbers and email addresses. Their security team was alerted by an external group of security researches involved with the White Hat program during the week of 6/14/2013. The leak was fixed. According to Facebook the week-long delay between the alert and notifying the public was due to a “company procedure” stipulating that regulators and affected users be notified before a public announcement.

The bug may have allowed unauthorized users to view the personal contact information of Facebook users. The people who could have used the information would have had some kind of connection to them or some kind of contact information, but users may have thought their email and phone numbers were hidden from these connections. People who used the Download Your Information (DYI) tool may have been able to access the contact information.

Facebook’s official notice.


06/24/2013 Florida State University, Florida Department of Education

an educational institution in Tallahassee, Florida
47,000 non-financial accounts compromised
The information of 47,000 Florida teachers was publicly accessible for 14 days after a data transfer at Florida State University. The Department of Education used Florida State University as the contractor for the transfer of teacher data. Participants in Florida’s teacher preparation programs during the 2009 -2010 and 2011-2012 academic years were affected.

07/08/2013 Internal Revenue Service (IRS)

Federal Government in Washington, DC
10,000 non-financial accounts compromised
Public.Resource.org received 990-T forms with sensitive information during a request for information from the IRS. The IRS acknowledged the mistake and Public.Resource.org became curious about where else the information could be found. Public.Resource.org found multiple incidents of Social Security numbers being exposed on the IRS website and wrote a letter that pointed out the issues to the IRS. The IRS was able to remove some or all of the sensitive files from public view over the course of a few days.

07/11/2013 Texas Health Harris Methodist Hospital Fort Worth, Shred-it

a healthcare provider or servicer in Fort Worth, Texas
277,000 non-financial accounts compromised
A concerned citizen alerted police to a situation on May 11. Old microfiche records were discovered in a park even though they should have been destroyed by the Hospital’s contractor Shred-it. The records contained names, addresses, dates of birth, and health information and were from 1980 to 1990. Some records also contained Social Security numbers. People who may have been affected may call 1-877-216-3789 and use reference code 4537070513.

07/17/2013 Citigroup

a Financial or Insurance Services firm in New York, New York
146,000 non-financial accounts compromised
Citigroup exposed the Social Security numbers, dates of birth, and other sensitive information of customers by not properly redacting the information for court records. Consumers who went into bankruptcy between 2007 and 2011 were affected. The incident was discovered by the bank on April 2011. Roughly 146,000 consumers were notified of the breach in July of 2013.

07/17/2013 Office of the Medicaid Inspector General (OMIG)

a healthcare provider or servicer in Albany, New York
17,743 non-financial accounts compromised
An OMIG employee sent an email that contained sensitive records to their own email account on October 12, 2012. Medicaid patient first and last names, Social Security numbers, dates of birth, and Medicaid client information numbers may have been compromised.URL is to the notice.


07/17/2013 Tumblr 110M (non-financial)

Tumblr passwords were detected in transit on certain versions of the iOS application as the result of a “security vulnerability” put the passwords at risk. Tumblr was “notified” of the vulnerability that could affect its 110 million registered users. At risk is the user identification, email address, and password and other information stored on Tumbr. That does not generally include personal financial information.


Tumblr has 110 million registered users as of mid-May 2013 per


Ironic perhaps that Tumblr hosts a channel devoted to password cracking


07/18/2013 Apple Developers (non-financial)

A technology company in Cupertino, California
275,000 non-financial accounts compromised
Apple disclosed “… some [275,000] developers’ names, mailing addresses, and/or email addresses may have been accessed”. Gratefully this does not include financial information or unauthorized access to the 400 million charge cards Apple has on file. The hack was Thursday 7/18/2013, the announcement was early Monday 7/22/2013.

[ http://finance.yahoo.com/news/apple-says-developer-database-hacked-040000786.html ]
re 400 million credit cards on file

07/19/2013 University of Virginia, Aetna Health Care

an educational institution in Charlottesville, Virginia
18,700 non-financial accounts compromised
A mailing error by a third-party mailing vendor used by Aetna Health Care resulted in the Social Security numbers of students being exposed in open-enrollment brochures.

07/23/2013 Henry Ford Health System

a healthcare provider or servicer in Detroit, Michigan
15,417 non-financial accounts compromised
A warehouse that was not owned by Henry Ford Health System was raided for old X-rays. X-rays can be stripped for silver and these medical X-rays also contained the names, addresses, and dates of birth of patients of Henry Ford Health System. The X-rays dated between 1996 and 2003. Henry Ford Health System learned about the issue on May 24.

07/26/2013 St. Mary’s Bank

a Financial or Insurance Services firm in Manchester, New Hampshire
115,775 non-financial accounts compromised
Current and former members may have had their Social Security numbers, transaction records, and other personal information exposed due ot malware that was found on an employee’s office computer. The malware was discovered on May 26 and St. Mary’s began mailing letters on July 12. The malware could have been on up to 23 work stations as early as February. There has been no evidence of names, Social Security numbers, addresses, account numbers, transaction records, or other sensitive information being accessed by an unauthorized individual so far.

07/30/2013 University of Delaware

an educational institution in Newark, Delaware
74,000 non-financial accounts compromised
Students and staff members may have had their information exposed during a hacking incident. The hacker or hackers were able to exploit a vulnerability in software acquired by a vendor. Names, addresses, Social Security numbers, and university ID numbers were exposed. An additional 2,000 people who were not employees but had received payment from the University of Delaware were exposed. More information from the university.

07/30/2013 US Airways, Advanced Data Processing

a business other than retail in Tempe, Arizona
40,000 non-financial accounts compromised
A programming error at Advanced Data Processing (ADP) caused employee names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and 2012 to be exposed. A group of other US Airway employees were able to download the payroll information of their colleagues. ADP corrected the issue in early May and notified US Airways in early June.

08/08/2013 M2ComSys, Cogent Healthcare, Inc.

a healthcare provider or servicer in Brentwood, Tennessee
32,000 non-financial accounts compromised
M2ComSys (M2), a medical transcription company, stored physicians’ notes for Cogent Healthcare. Patient care notes with names, physician names, dates of birth, diagnosis descriptions. summary of treatment, medical history, medical record numbers, and other medical information were exposed. The notes could have been accessed on May 5, 2013 and improper access to the site ended on June 24, 2013. At least 32,000 Cogent Healthcare patients were affected across multiple offices across the country including: Cogent Medical Care, Endion Medical Healthcare (Endion SeniorCare), Parkview Community Hospital Medical Center, Inpatient Specialists of Southwest Florida, and Comprehensive Hospital Physicians of Florida. M2 no longer provides services for Cogent Healthcare.

08/09/2013 Northrop Grumman

Northrop Grumman Technical Services, Inc. Balkans Linguist Support Program
a business other than retail in Suwanee, Georgia
70,000 non-financial accounts compromised
Over 70,000 people, including thousands of linguists, or linguist applicants, within Northrop Grumman Technical Services, Inc. Balkans Linguist Support Program may have had their personal information exposed. A database that contained names, Social Security numbers, dates of birth, blood types, contact information, and additionally types of government-issued identification numbers was accessed by unauthorized parties. The breach occurred sometime between November 2012 and May 2013 and was discovered on July 26.

08/14/2013 Michigan Department of Community Health, Michigan Cancer Consortium

a healthcare provider or servicer in Lansing, Michigan
49,000 non-financial accounts compromised
A server for the Michigan Cancer Consortium that housed names, Social Security numbers, dates of birth, cancer screening test results, and testing dates was hacked. The Michigan Department of Community Health claimed that the breach should not fall under strict HIPAA regulations because testing records, rather than medical records, were affected.

08/15/2013 Harris County

County Government in Harris, Texas
16,000 non-financial accounts compromised
The information of current and former Harris County employees was found on electronic files in Vietnam. Names, Social Security numbers, and dates of birth were exposed. The files were from 2005 and 2007 and appear to have been created before Harris County put in place stricter identity theft regulations.

08/16/2013 Ferris State University

an educational institution in Big Rapids, Michigan
62,000 non-financial accounts compromised
An unauthorized person gained access to the school’s computer network. Campus ID numbers, names, and possibly other information of staff and students were exposed. In addition to the 39,000 people who had their files with Social Security numbers exposed, 19,000 more individuals were notified of the breach. The estimate was changed in October to 62,000 affected and a cost of $380,000 in investigating the breach and providing services to those who were affected.

08/16/2013 U.S. Department of Energy

Federal Government in Washington, DC
150,000 non-financial accounts compromised
What? An August 29 memo revealed that the DOEInfo system was hacked. In December 2013 a federal audit revealed that the Department of Energy had received warnings about the security of its information systems, yet failed to act. Scope: Names, Social Security numbers, and dates of birth were exposed. Scale: Initial reports were a total of 2,539 current employees and 3,172 former employees were affected. Updated 9/3/2013 to approximately 53,000 current and former federal employees, employee dependents and contractors. Updated again on 10/22/2013 to 104,000. Updated again to 150,000 on 12/13/2013.

08/20/2013 League of Legends, Riot Games

a business other than retail in Santa Monica, California
120,000 financial accounts compromised
A security breach has resulted in the usernames, email addresses, first and last names, and encrypted passwords of League of Legends users to be exposed. About 120,000 transaction records from 2011 may have been accessed. The transaction records contained hashed and salted (encrypted) credit card numbers. The information was stored on a system that had not been used since 2011.

08/28/2013 Advocate Medical Group, Advocate Health

a healthcare provider or servicer in Park Ridge, Illinois
4,000,000 non-financial accounts compromised
The July 15 office theft of four unencrypted desktop computers resulted in the exposure of patient information. Approximately four million patients who were seen by Advocate Medical Group physicians between the early 1990s and July of 2013 were affected. Names, Social Security numbers, addresses, and dates of birth were exposed. Diagnoses, medical record numbers, medical service codes, and health insurance information was also exposed in some circumstances.

UPDATE(09/06/2013): A class-action lawsuit on behalf of patients in the Chicago area has been filed. It claims that Advocate Medical Center should have done more to protect patient information.

08/28/2013 Health Plus Amerigroup, Brookdale University Hospital and Medical Center

a healthcare provider or servicer in Brooklyn, New York
28,187 non-financial accounts compromised
An accidental exposure of protected health information affected patients. The information was accidentally disclosed to other facilities. The breach was reported in September of 2012.

08/28/2013 Infocrossing Inc, MO HealthNet, Missouri Department of Social Services

a healthcare provider or servicer in Jefferson City, Missouri
25,000 non-financial accounts compromised
An error by Infocrossing, Inc. caused the personal information of a group of patients to be mailed to incorrect addresses. The incident was discovered on June 6, 2013 and impacted correspondence sent between October 16, 2011 and June 7, 2013. Names, dates of birth, MO HealthNet identification account numbers, county names, phone numbers, and the last four digits of Social Security numbers were exposed.

UPDATE(09/23/2013): The breach was originally thought to have affected fewer than 2,000 individuals and last between 2011 and 2013. The Missouri Department of Social Services reported that the breach began when information was sent out in December of 2009. More than 25,000 Missouri residents were affected.

08/28/2013 Missouri Credit Union

a Financial or Insurance Services firm in Columbia, Missouri
39,000 non-financial accounts compromised
A file with customer information was accidentally published on Missouri Credit Union’s website on August 5. The names, Social Security numbers, account numbers, teller and call in passwords, and addresses of Missouri Credit Union members were accessed. The file was accessed 10 times before the issue was discovered and it was taken off of the website.

08/29/2013 Republic Services

a business other than retail in Phoenix, Arizona
82,160 non-financial accounts compromised
What: A laptop was stolen from an employee’s home on August 10. Scope: Exposed information included names and Social Security numbers. Scale: Initially undetermined, by 9/3/2013 it appears as many as 82,160 current and former employees may have been affected.

08/30/2013 Olson & White Orthodontics

a healthcare provider or servicer in O’Fallon, Missouri 855-479-9542
10,000 non-financial accounts compromised
What: July 22, 2013 two desktop computers were stolen from the office. Scope: Patient health information was exposed including names, addresses, Social Security numbers, x-rays, photos, and diagnostic findings. Scale: An estimated 10,000 patients had information compromised.

09/05/2013 Boston Public School (BPS), Plastic Card Systems

City Government in Boston, Massachusetts
20,000 non-financial accounts compromised
Boston Public School students across 36 schools may have had their information compromised by the loss of a flash drive that was misplaced around August 9 by the ID card vendor, Plastic Card Systems.

09/06/2013 Conexis, State of Virginia

an educational institution in Blacksburg, Virginia
13,000 non-financial accounts compromised
Employees of the state of Virginia who are enrolled in the Commonwealth’s 2014 Flexible Spending Account had their information exposed. Conexis erroneously sent summary reports of Blue Cross/Blue Shield Flexible Spending Account Services to 11 state human resources and payroll employees. The reports included participants from across the state rather than from specific locations related to the human resources and payroll employees’ work. The human resources and payroll employees who received information that was not intended for them signed a certification confirming that they had deleted or destroyed the information.

09/18/2013 Minne-Tohe Health Center/Elbowoods Memorial Health Center

a healthcare provider or servicer in New Town, North Dakota
10,000 non-financial accounts compromised
An October 1, 2011 breach resulted in the exposure of protected health information.

09/25/2013 Kaiser Permanente

a healthcare provider or servicer in Oakland, California
A thumb drive, used for backups, was lost from a secured area at Anaheim Medical Center in Orange County, California that required a security badge for entry. The drive contained medical data for about 49,000 individuals.

Update 11/27/2013

Press release [ http:/share.kaiserpermanente.org/article/kaiser-permanente-takes-action-on-patient-privacy-issue-2/#sthash.x6N5w9zS.dpuf ]

Update 12/10/2013

Kaiser Permanente started to notify patients that their personal medical data may have been compromised.

09/28/2013 Virginia Polytechnic Institute and State University (Virginia Tech)

an educational institution in Blacksburg, Virginia
144,963 non-financial accounts compromised
The computer server of Virginia Tech’s Department of Human Resources was accessed on August 28. The information of people who applied online to Virginia Tech between 2003 and 2013 may have been accessed. No Social Security numbers or financial information was exposed. A total of 16,642 job applicants had their driver’s license numbers exposed. The remaining job applicants had not submitted this information. URL is the University’s statement.


10/02/2013 University Of Washington Hospital

90,000 accounts compromised

On October 2nd, 2013 an employee opened an email containing malicious malware. Almost two months later the hospital at the University of Washington warned some 90,000 patients that their personal information had been compromised. The letter sent to patients said social security numbers and other financial information were not compromised. This is contradicted by their own news release that indicates the compromise may have included medical record number, address, telephone number, SSN, birthday, dates of service, charges and financial information. A local news article and the UW bulletin [ http://www.uwmedicine.org/Global/News/Announcements/2013/Pages/UWMedicine-Notice-of-Computer-Security-Breach.aspx ]

10/04/2013 Adobe, PR Newswire, National White Collar Crime Center

a retail business in San Jose, California
38,000,000 non-financial accounts compromised
2,900,000 financial accounts compromised
Adobe announced it was hacked allowing criminals to access credit card information and personal data from 2.9 million customers as well as steal source code for Cold Fusion and other products. This was discovered a week ago by journalists/investigators Brian Krebs (www.KrebsOnSecurity.Com) and Alex Holden (Hold Security) not Adobe. Also compromised were non-financial account information for users of Revel and Creative Cloud. Krebs Announcement and Adobe’s Announcement

Hackers obtained the customer information of nearly 3 million Adobe customers who used Photoshop, InDesign, Premiere, and other Adobe software products. Customer IDs, encrypted passwords, names, encrypted credit or debit card numbers, expiration dates, and other information related to customer orders were exposed. Anyone who bought software directly from Adobe’s website is advised to change their Adobe account passwords.

UPDATE (10/11/2013): Hackers kept the source code on a hidden, but unencrypted server.

UPDATE (10/21/2013): A second breach related to the initial one in early October caused Adobe to reset client passwords.

UPDATE (10/29/2013): An investigation revealed that the encrypted passwords of approximately 38 million active users were also exposed. Adobe IDs were also compromised and were reset by Adobe after the breach.

UPDATE (11/20/2013): Around 42 million passwords for the Australian-based online dating service Cupid Media were also found on the same server that contained stolen Adobe, PR Newswire, and National White Collar Crime Center information. [ found on same server does not mean that data was also exposed – ed. ]

UPDATE (11/25/2013): Some estimate that 152 million Adobe ID accounts were in a file that began circulating the internet in late October. Adobe systems Inc has encountered delays in trying to notify all customers of the issue since it was discovered 10 weeks ago.

UPDATE (3/17/2014) Add car maker Citroen to the list of affected companies per security researcher Brian Krebs and The Guardian

10/10/2013 City of Wichita – Electronic Procurement Website

City Government in Wichita, Kansas
29,000 financial accounts compromised
Hackers accessed the city of Wichita’s electronic procurement website during the weekend of October 5-6 exposing about 29,000 current and former vendors who had worked with the city and employees who had been reimbursed for expenses since 1997 were affected. Social Security numbers, taxpayer ID numbers, and bank account information may have been exposed. In November 2013 it was determined that this breach was a result of the Dun & Bradstreet breach (see 2013-Unknown for 9/26/2013).

10/21/2013 Court Ventures (now owned by Experian)

a business other than retail in Anaheim, California
200,000,000 financial accounts compromised
The Experian subsidiary Court Ventures was found to have sold information to unauthorized parties. Consumer Social Security numbers, driver’s license numbers, bank account information, dates of birth, and credit card data were given to foreign criminals posing as a legitimate private investigator for over a year. The information was then resold to Superget.info, Findget.met, and possibly other underground cybercrime sites. For more information and updates …

10/22/2013 AHMC Healthcare, Inc.

a healthcare provider or servicer in Alhambra, California
73,000 non-financial accounts compromised
The October 12 office theft of two laptops resulted in the exposure of patient information from a number of facilities. Authorities believe a well-known transient was responsible for the thefts. San Gabriel Valley Medical Center, Garfield Medical Center, Moneterey Park Hospital, Whittier Hospital Medical Center, Greater El Monte Community Hospital, and Anaheim Regional Medical Center patients were affected. Names, Social Security numbers, diagnosis and procedure codes, insurance identification numbers, and insurance payments were exposed.


11/04/2013 CorporateCarOnline.com

a business other than retail in Kirkwood, Missouri
850,000 financial accounts compromised
Hackers stole and stored information online related to customers who used limousine and other ground transportation. The online information included plain text archives of credit card numbers, expiration dates, names, and addresses. Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

11/7/2013 PCI DSS 3.0

INFORMATION: Good news: the standards setting body has improved security standards. The less than good news: the jewels are still in the vault.

See more details


11/08/2013 Baltimore County

County Government in Baltimore, Maryland
12,000 non-financial accounts compromised
A contractor who worked for Baltimore County between December of 2011 and July of 2012 was found to have saved the personal information of 12,000 county employees to computers for reasons unrelated to work. The information was discovered during an investigation in Florida and came from payroll files dated between January and March of 2007. Employees who had their paychecks direct deposited were affected and the bank account information of 6,633 employees was exposed. Baltimore county employees are no longer allowed to download personal information to county computers and more than 5,000 county hard drives will be cleared of related data.

11/08/2013 Region Ten Community Services Board

a healthcare provider or servicer in Charlottesville, Virginia
10,228 non-financial accounts compromised
A hacker obtained the passwords to several employees’ emails on July 29. The email accounts may have contained the health information of patients.

11/12/2013 Rotech Healthcare

a healthcare provider or servicer in Orlando, Florida
10,680 non-financial accounts compromised
On August 30, 2013 Rotech discovered that a former employee had taken employee files when her employment ended on November 26 of 2010. Rotech employees and their dependents may have had their names, Social Security numbers, addresses, and certain medical insurance information exposed. This medical information may have included the carrier that administered health care coverage, pharmacy services received, and other medical services received. The information was not removed with malicious intent and there has been no evidence of misuse. By 12/16/2013 it was estimated 10,680 employees and their dependents were affected.

11/17/2013 MacRumors, vBulletin

a business other than retail somewhere in the internet
860,000 non-financial accounts compromised
A group of hackers claimed responsibility for compromising usernames, emails, and passwords associated with MacRumors and vBulletin Forum. The hackers used a Zero Day exploit. A total of 860,000 MacRumors users were affected. It is unclear how many vBulletin Forum users were affected.

11/19/2013 Sachem Central School District

an educational institution in Lake Ronkonkoma, New York
15,000 non-financial accounts compromised
Two breaches in the summer of 2013 and November of 2013 resulted in the exposure of student information. The sensitive information that was exposed in July may have been accidentally exposed through an administrative error. A second breach was discovered on November 8 when the Superintendent learned that student information had been posted on a publicly accessible webpage. The investigation of the November breach is ongoing. Student names and ID numbers were the primary types of data that were exposed in both incidents.

UPDATE (11/23/2013): A student of Sachem North High School pleaded not guilty to computer trespass and was released without bail. The student may have also accessed information in 2012. A list of 15,000 students’ information that dated back to the early 2000s was discovered online. A list of 130 students who received instructional services in an alternative setting in the 2010-2011 school year was also discovered online.


11/26/2013 Anthem Blue Cross

a healthcare provider or servicer in , California
24,500 non-financial accounts compromised
The Social Security numbers and tax identification numbers of around 24,500 doctors all over California were accidentally posted in Anthem’s online provider directory for about 24 hours at the end of October.

11/27/2013 Maricopa County Community College District

an educational institution in Phoenix, Arizona
2,490,000 financial accounts compromised
An unspecified data breach may have exposed the information of current and former students, employees, and vendors. Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties.

UPDATE(12/02/2013): Student academic information may have also been exposed. The Maricopa County Community College District’s governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected.

UPDATE(12/07/2013): Estimations for the cost of the breach are as high as $14 million.

UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 millions individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the “FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet”. It was also reported that “the district’s Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian”.

11/29/2013 University of Washington Medicine

a healthcare provider or servicer in Seattle, Washington
90,000 non-financial accounts compromised
An employee at UW Medicine opened an email attachment that contained malicious software in early October. The malware affected the employee’s computer and any information on the computer may have been compromised. Patient names, Social Security numbers, phone numbers, addresses, and medical record numbers may have been affected. Patients who were seen at UW Medicine dating back to at least 2008 could have had their information exposed. Notifications of the breach were sent at the end of November.

12/3/2013 Multiple Entities / Pony Botnet

Variants of the Pony Botnet Controller, a keystroke logging virus, compromised about two million accounts from some 93,000 web sites. Because these were access credentials the compromises could be, or not be, financial in nature. See more details

12/04/2013 ADP, Facebook, Gmail, LinkedIn, Twitter, Yahoo, YouTube

businesses other than retail around the country and on the internet
2,000,000 non-financial accounts compromised
A breach that involved keylogging software affected at least 93,000 websites. The virus may have originated on a server located in the Netherlands. It first started collecting passwords and usernames on October 21. Approximately 860 computers in the United States were affected. More than 99% of the computers that were affected were outside of the United States.

12/05/2013 JPMorgan Chase

a Financial or Insurance Services firm in New York, New York
465,000 financial accounts compromised
The information associated with JPMorgan Chase prepaid cash cards (Ucards) that were issued to corporations for employee payments and for government issued tax refunds, unemployment, and other benefits may have been accessed by hackers. The breach happened back in July of 2013 and JPMorgan learned of the breach sometime during the middle of September. The breach was disclosed after an investigation revealed which customer accounts may have been affected.

UPDATE(12/06/2013): Hackers were able to breach the www.ucard.chase.com website and access personal information. The passwords appeared in plain text during the course of the attack. Child support payments may have also been affected. The Department of Social Services, the Department of Labor, and the Department of Children and Families sent out prepaid cards that were affected. The breach affected people nationwide. Government agencies in Maine, Utah, Connecticut, and Pennsylvania confirmed they were affected.

UPDATE(12/09/2013): Rhode Island residents were also affected.

UPDATE(12/12/2013): Michigan residents were also affected. Beneficiaries were affected nationwide. Each state has a different number of residents who were affected.

12/06/2013 Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)

a Financial or Insurance Services firm in Newark, New Jersey
840,000 non-financial accounts compromised
Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations. The laptops were password-protected and cable-locked to the workstations. Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed. Almost 840,000 Horizon Blue Cross Blue Shield members were affected.

12/11/2013 Los Angeles Gay & Lesbian Center

a Non-Governmental Organization (includes non-profits) in Los Angeles, California
59,000 financial accounts compromised
A cyber attack caused the information of clients associated with the L.A. Gay and Lesbian Center to be affected between September 17, 2013 and November 8, 2013. Names, Social Security numbers, credit card information, dates of birth, contact information, medical information, and health insurance account numbers may have been exposed.

12/12/2013 inSync, Cottage Hospital, Cottage Health System

a healthcare provider or servicer in Santa Barbara, California
32,755 non-financial accounts compromised
A Cottage Hospital vendor removed an electronic security device without notifying Cottage Hospital. The removal may have exposed patient information. Patients treated at centers in Goleta, Santa Ynez, and Santa Barbara between September 29, 2009 and December 2, 2013 may have had their lab results, procedures performed, and other medical details relating to diagnosis exposed.

UPDATE(12/13/2013): Patient names, dates of birth, addresses, and health information may have been exposed.

UPDATE(12/15/2013): Cottage Hospital’s vendor was inSync.

12/13/2013 Target Corp.

a retail business in Minneapolis, Minnesota
40,000,000 financial accounts compromised
70,000,000 non-financial accounts compromised
Too much information for this page.Read about it here!

12/14/2013 Lanap and Implant Center of Pennsylvania

a healthcare provider or servicer in Collegeville, Pennsylvania
11,000 non-financial accounts compromised
The Lanap and Implant Center learned of a breach on September 17, 2012. Patient information had been uploaded to websites in February of 2010 where it could be downloaded by anyone. Names, Social Security numbers, addresses, dates of birth, phone numbers, dates of appointments, types of services provided, dental insurance information, and other patient records were available. At least 5,000 patients were informed of the breach sometime around November 1, 2012. The information appears to still be available for download. Those who want to know if they were affected may call 1-(570)-704-5854.

12/16/2013 Dr. Martin Luther King Jr. Health Center, Bahoo.net, Professional Transcription Company

a healthcare provider or servicer in Bronx, New York
37,000 non-financial accounts compromised
Dr. Martin Luther King Jr. Health Center learned that a transcription vendor named Professional Transcription Company hired a subcontractor named Bahoo.net to work on data transcription. Bahoo.net inadvertently made patient information viewable through public internet search engines. The breach occurred in 2009. Patient names, treatments, procedures, diagnosis information, and dates of services may have been accessed. Bahoo closed its website and destroyed the hard drive so that the public could no longer view the personal information. It is unclear what types of data were on the hard drive and when it was posted because the hard drive was destroyed. Those with questions may call 1-(877)-451-9361.

12/17/2013 Colorado Governor’s Office of Information Technology

State Government in Denver, Colorado
18,800 non-financial accounts compromised
A Colorado state employee lost a flash drive that contained the information of current and former Colorado state employees. It contained names, Social Security numbers, and a limited number of home addresses. The flash drive was discovered missing in late November and is believed to have been lost while the employee traveled between work sites. Approximately 8,000 of those who were affected were current employees while 10,800 were former employees.

12/12/2013 Bank Apps are Weak

INFORMATION: More than half of US adults bank on line. 32% use mobile banking according to a Pew Research Center report in August 2013. Many of them used ready-to-download banking applications of which 8 of 10 were improperly configured leaving significant security vulnerabilities. See more details  

12/25/2013 SnapChat

4,600,000 non-financial accounts compromised
SnapChat users had their name and phone numbers disclosed. For a brief time the entire database of compromised information was available to the public. The “find friends” exploit used had been disclosed to the company months before, but the security gaps were not then fixed. The hacker or group known as “Lightcontact” is claiming to have hacked Snapchat.com. Reportedly, the group published a database containing Snapchat user names and phone numbers and posted it to several public forums such as Reddit.com. According to security vendor AdaptivMobile, the compromised accounts are concentrated mostly in California and New York, with the two states accounting for nearly 2.3 million accounts. Other regions affected include Illinois, Colorado and Florida. Read more details

2013 Smartphone Sales

Gartner reported that smartphone sales grew from 680.108 million in 2012 to 967.776 million in 2013 world wide. For 2013 smartphone sales were 53.6 percent of overall mobile phone sales in 2013.

By operating system Android grew from 66.4% (461.621 million units) of the market in 2012 to 78.4% (758.720 million units) of the market in 2013. iOS shrunk from 19.1% (130.133 million units in 2012) to 15.6% (150. 786 million units in 2013).

The Gartner summary

Also see


In addition to sources cited above the Chronology of Data Base Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.


View the 2013 summary
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.