10,200 (No SSNs or financial information exposed)

An administrative error led to the personal information of 10,200 patients being emailed to 200 patients.  Names, addresses, date of last appointment, visit type, primary care physician, referring physician, email addresses, and whether or not the patient was actively receiving treatment were in an Excel attachment of an email that was sent to unspecified parties. The recipients were called and instructed to delete the email.

Unknown

An unencrypted laptop was stolen from an employee's car.  It may have contained names, Social Security numbers, and personal information related to people who worked at OptiNose.

1,200 

Those with questions may call 1-855-716-3627 for more information.

Some patients who were treated at an outpatient facility between May 1 of 2012 and January 31 of 2013 had their information attached to emails that went out to an unspecified organization or organizations.  Three emails that were not secure were sent on October 29 and November 1 of 2012 and February 4, 2013.  Patient names, Social Security numbers, account numbers, dates of birth, home phone numbers, and reasons for outpatient physical therapy services may have been exposed.

10,300 (No SSNs reported)

The theft of an employee's unencrypted laptop resulted in the exposure of patient information.  The laptop was stolen from an employee's car on April 9 and contained email records.  Patient names, medical record numbers, dates of birth, physician names, diagnoses, and dates of service may have been exposed. 

6,700 

A former employee was indicted on charges related to misuse of applicant and employee personal information.  Employee names, Social Security numbers, dates of birth, telephone numbers, email addresses, addresses, I-9 alien registration numbers, and other personal information may have been exposed.  The issue was discovered on April 3.  

Unknown

A flaw in Coinbase's systems cause the information of some merchants to be exposed.  Any merchant who created a "buy now" button, donate button, or hosted a payment page using Coinbase's Merchant Tools and posted a public link to it online had the page publicly visible on the internet.  The page contained the company name, website, phone number, email address, and mailing address.  Additionally, anyone could search for public Coinbase merchant payment pages and collect the email addresses of merchants. At least one phishing attack targeted merchants with an email that appeared to come from Coinbase.

1,000,000 (160,000 SSNs)

The Administrative Office of the Courts provided a website for additional information: www.courts.wa.gov/databreach

Those with questions may call 1-800-448-5584

A breach of the Administrative Office of the Courts' server resulted in the exposure of one million driver's license numbers between fall of 2012 and February of 2013.  It was confirmed that at least 94 people had their Social Security numbers accessed.  Up to 160,000 Social Security numbers could have been accessed. 

In April the court was able to confirm that public records and confidential information were exposed.  People who were booked in a city or county jail within the state of Washington between September 2011 and December 2012 may have had their name and Social Security number accessed.  Anyone who received a DUI citation in Washington state between 1989 and 2011, had a superior court criminal case in Washington state that was filed against them or resolved between 2011 and 2012, or had a traffic case in Washington filed or resolved in a district or municipal court between 2011 and 2012 may have had their names and driver's license numbers exposed.

7,300

Lutheran Social Services became aware of a malware program that was on its software system.  Resident names, Social Security numbers, dates of birth, Medicare numbers, medical diagnosis codes, payer names, and health insurance numbers may have been exposed.  The breach was discovered in March and Lutheran Social Services had not involved investigators or police as of May 9.

Unknown

Hackers accessed Name.com servers and may have obtained usernames, email addresses, passwords, and credit card account information.  Customer passwords and credit card information were encrypted.  Customers were notified of the breach and received an email asking them to reset their passwords.

Unknown

This notice appeared on Linode's website on April 16, 2013: https://blog.linode.com/2013/04/16/security-incident-update/

Those with questions may email support@linode.com.

Hackers exploited an Adobe vulnerability and used it to access Linode Manager web servers.  One of Linode's web servers, parts of their source code, and their database were accessed.  No other components of the Linode infrastructure were accessed by the hackers.  Encrypted customer credit card numbers and passwords were obtained.  The group HTP claimed responsibility for the hack. 

Unknown

Nearly $41,000 in computer equipment was reported stolen from the Department of Family Support Services on May 7.  The Division on Domestic Violence and a satellite senior center share the building where the theft occurred.  The types of information that may have been on the device or devices were not reported.

Unknown

A server with client information was accessed by an unauthorized outside party between February 21 and March 6, 2013.  The attack was an attempt to use the server for spam emailing.  Client names, Social Security numbers, driver's license information, and FSC broker account numbers may have been accessed.

17,300 

Raleigh Orthopaedic Clinic contracted with a vendor in order to have information from X-ray films transferred into electronic format.  The X-ray film was actually sold by the unnamed vendor and melted harvest for silver by a recycling company in Ohio. Patient names and dates of birth were on the film.  The Clinic does not believe that personally identifiable information was on the film.

Unknown

Customers who made purchases between March 19-25, April 14-15, or April 20-21 may have had their credit or debit card information compromised.  Tennessee and six other Southern states may have been affected by the breach. It is not clear if the payment card information was taken inside the stores or outside of the stores at gas pumps.

2,000

Those with questions may call (855) 737-1796.

A reel containing images of 2,000 State of California Birth Records from May through September of 1974 was found in a publicly accessible location.  Names, Social Security numbers, addresses, and certain types of medical information were in the birth record images.  People in Santa Clara, Santa Cruz, Shasta, Siskiyou, Solano, Sonoma, Stanislaus, Sutter, or Tehama counties and who were born or had a child born in 1974 between May and September were affected.

537 (No SSNs or financial information exposed)

The loss of an unencrypted flash drive exposed sensitive patient information.  The flash drive contained name, date of birth, weight, gender, telephone number, URMC internal medical record number, orthopaedic physician name, date of service, diagnosis, diagnostic study, procedure, and complications.  The flash drive is believed to have been destroyed after ending up in the medical center laundry. It was not found.

Unknown

A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes.  At least 18 students were involved.  The breach happened when students used software to imitate a legitimate software update on their computers.  The students then asked teachers to enter administrative account information so that they could complete the software updates or installations.  The phony software then stored teacher credentials.  The students were then able to control 300 laptops belonging to other students by using the administrative credentials.  The school believes that servers and sensitive information were not exposed.  The breach occurred around Friday, April 26 and was discovered on Monday, April 29 when students noticed that other students appeared to be controlling student laptops remotely and reported the issue.

Unknowm

Reputation.com experienced a hack that exposed customer names, email addresses, mailing addresses, date of birth, and employment information. Additionally, some customers had their encrypted passwords stolen.  Reputation.com immediately reset all customer passwords after learning about the breach.  Customers are encouraged to change their passwords on other sites if they reused their Reputation.com password.

Unknown

A disgruntled employee announced his resignation and then was caught copying files from his computer to a flash drive.  Employees at Spellman began experiencing transaction and intranet disruptions after the disgruntled employee left even though his access to company servers was disabled after discovery of his suspicious activities.  The events began to occur sometime around January of 2012.  An investigation of the events led to the arrest of the former employee and federal prosecutors claim that he caused enough mayhem to cost Spellman over $90,000 by using his knowledge of Spellman's computer system and stolen passwords.  The former employee pleaded not guilty.

Unknown

The Department of Labor's website was found to have been infected with malware that spreads to visitors using the web browser Internet Explorer.  Microsoft had already released a patch to address the Internet Explorer vulnerability and the malware targets users who have not taken advantage of the patch.

Unknown

Users of the National Inventory of Dams received notification that their information was reset after a hack may have compromised usernames and passwords.  Hackers obtained non-public information of around 8,100 major dams in the United States by breaching the database.  The information included dam vulnerabilities and could be used by cyber terrorists.  

Unknown

Patient records were found on the floor at an abandoned hospital building named Waterside.  The woman who discovered them was a former Lakeshore employee and she alerted a local news station.  Names, Social Security information, case numbers, dates of birth, and other patient information were exposed.

818 (No SSNs reported)

Those with questions may call CEO Debra Houser-Bruchmiller's office at 800-499-7501.

An employee used an unsecured email to send sensitive patient information.  Two separate administrative violations occurred on December 27, 2012 and on February 22, 2013. The issue was discovered on February 25.  The information was secured on February 28, 2013.  Patient names, referral sources, Hospice admission and discharge dates, the names of insurance providers, and chart numbers may have been exposed. 

50

Those with information or questions about the investigation may call 831-768-3350 or the anonymous tip line at 831-768-3544.

More than 50 reports of credit card fraud have been traced to people who were customers at Gomez Gasoline and Automotive.  Police suspect that a credit-card skimming device was placed on one or more gas pumps.  The skimming devices have been spotted at other gas stations.

Unknown

Proliance Surgeons' breach notice can be found here: http://proliancesurgeons.adhostclient.com/images/PDF/websitenotice.pdf. 

Those with questions may call 1-888-608-7344 or email hipaa@proliancesurgeons.com

An employee's car was the target of an April 1 break-in.  A company laptop and 10 patient files were taken during the car theft.  The paper files were recovered, but the laptop also contained patient information.  Names, Social Security numbers, addresses, telephone numbers, health insurance information, names of providers, and the reasons for patients' appointments may have been included in emails stored on the laptop.

29 million (no SSNs or financial information reported)

As many as 50 million LivingSocial members may have had their names, email addresses, dates of birth, and encrypted passwords exposed by a cyber attack.  Customer credit card information was not compromised.  Customers were encouraged to change their passwords on any other sites on which they used the same or similar passwords.

UPDATE (05/03/2013): As many as 50 million acounts may have been affected.  It is estimated that 29 million people used LivingSocial and many had multiple accounts.

842 (107)

An administrative error caused the information of patients flown by Life Flight helicopters to be available online.  Patients flown during April, May, and June of 2004 may have had unspecified information exposed.  It was confirmed that 107 patients had their Social Security numbers exposed.  It is unclear how long the information was available and if patients flown during additional months may have been affected.  The information was moved to a secure server to address the breach.

283 (No SSNs or financial information reported)

A portable electronic device was stolen from Upstate University Hospital on March 30 or 31.  It contained the names, hospital medical record numbers, dates of birth, and diagnosis information of patients.

23 (No SSNs or financial information exposed)

Someone took 23 files from a secure area in the Child and Family Services of New Hampshire main office sometime between March 15 and March 18.  The breach was discovered on March 19.  The files contained client names, dates of birth, addresses, Medicaid numbers, notes from home visits, and other health information related to home visits.

11,000

A media group who regularly collects public employee salary and benefit information released Social Security numbers after they were mistakenly included in a file that the City of Berkeley provided.  The information was sent by Berkeley in March and the mistake was discovered in early April.  Around 2,000 active staff members and 9,000 retirees were affected.  mistakenly released the Social Security numbers of the employees as well.  

2,300 (No SSNs reported)

Two patients ran a google search of their names and were able to find their medical information online.  Doctors' reports with medications, medical treatments, lab information, future and past treatment plans, physical examination information, and lifestyle information could be downloaded by anyone who found the information online.  The documents were from November 2012 through January 2013 and discovered online in mid-March.  Portal Healthcare secured the sensitive information on its servers on March 14.  A lawsuit was filed against Glens Falls Hospital, Portal Healthcare Solutions LLC, and Carpathia Hosting in mid-April for patient privacy violations.

Unknown

An employee was found to have installed backdoors on more than 2,700 company servers.  The issue was discovered the day after the dishonest employee was dismissed.  He worked for Hostgator from September 2011 to February 15, 2012. The dishonest employee was arrested and charged with breach of computer security.

788 ("a few hundred" SSNs involved)

An assistant manager was forced to open a Kmart safe and give a thief access to $6,000 in cash and an unencrypted backup disk with a day's worth of customer information.  The backup disk contained names, addresses, dates of birth, prescription numbers, prescription providers, insurance cardholder IDs and drug names.  The armed robbery occurred on March 17.

Unknown

A man guessed or accessed the Social Security numbers of Macy's customers in order to exploit a Macy's policy for the purpose of making fraudulent purchases.  He then created ID cards that paired his picture with the customer information.  A Macy's policy allowed him to charge purchases to the accounts of other Macy's customers by using their Social Security numbers and showing his falsified IDs.  

Unknown

A number of inappropriate security practices may have exposed the information of people who called Monroeville's 911 dispatch center, police department, fire department, or EMS department in 2012 or 2013.  Monroeville is being investigated for possible violations of federal health privacy laws.  An August 2012 complaint to the U.S. Department of Health and Human Services' Office for Civil Rights stated that protected health information may have been given to a former police chief via email and that weak and poorly managed usernames and passwords were used to access a database of 911 callers' medical information.

Unknown

A OneWest service provider suffered an unauthorized network intrusion during the first quarter of 2011.  OneWest client names, Social Security numbers, addresses, dates of birth, phone numbers, driver's license numbers, and passport numbers may have been exposed.

87 

Erlanger Health System sent notes to 87 families and apologized for an incident that left the patient records of children exposed.  The records contained names, Social Security numbers, phone numbers, and dianosis information.  Erlanger has not been made aware of the records being used in an unauthorized manner.

3,000 (No SSNs reported)

The home theft of any employee's laptop and external drive resulted in the exposure of patient information.  The theft occurred sometime between March 18 and March 25; other items were stolen besides the laptop and hard drive.  Neither the laptop nor the hard drive were encrypted. Patients who visited either Cenpatico or its contractor ATS between 2011 and 2013 may have had their names, dates of birth, and treatment plans exposed.

UPDATE (04/17/2013): More than 3,000 patients were affected by the breach.

3,000 (no SSNs or financial information reported)

A Schneck Medical Center employee gave a presentation that was later placed online.  People who searched through the files from the presentation could find the names of 3,000 Schneck Medical Center patients.  The presentation was removed from online and Google removed all cached information from the Internet.

5,100 (No SSNs or financial information reported)

A hack of Iberdrola USA's recruitment website may have exposed the information of anyone who applied for a job at Central Maine Power or any of its sister companies since January 2007.  Rochester Gas and Electric Corp and New York State Electric and Gas Corp. were also affected.

Unknown

Customers who shopped at a Wawa on Salem Road in Burlington, New Jersey noticed fraudulent purchases on their credit cards.  Investigators were able to trace the fraud to four people and arrest them. The four men were charged with credit card theft, credit card fraud, identity theft, and having electronic devices for criminal use.  More victims are expected to be found.

Unknown

An administrative error caused the personal information of some students to be exposed online.  The issue was discovered on February 27.  Authenticated users of Chapman's on-campus network could have viewed names, Social Security numbers, student identification numbers, and dates of birth.  The documents were blocked from access by unauthorized users once the breach was discovered.

Unknown

Lawyers working with Guantanamo Bay detainees had to pause their work after being told to stop using the Pentagon's computer system.  An unspecified issue left over 500,000 emails unsafe to access or deleted from a Pentagon common drive. The breach left defense files unsecured and it may have been possible for prosecutors to view confidential defense emails.

Unknown

A lawsuit was filed against Schnucks Markets Inc. after customers learned that Schnucks failed to warn customers about a data breach within two weeks.  On March 15, Schnucks learned that a portion of their loyalty cards were affected, but waited until March 30 to send a press release.   Customer payment card numbers and expiration dates were exposed through a magnetic strip swiping security breach. No customer names were exposed.

UPDATE (04/15/2013): The breach affected about 2.4 million customer debit and credit cards at 79 Schnucks locations.  Payment cardholders' contact and identifying information were not exposed.  Customers who visited a Schnucks between December of 2012 and March 29, 2013 may have been affected.

Unknown

Those with questions may call 855-968-8838 or email passwordreset@vudu.com.

A March 24, 2013 VUDU office theft resulted in the exposure of customer information.  Hard drives with customer names, addresses, email addresses, account activity, dates of birth, and encrypted passwords were stolen.  Customers who used their VUDU passwords for other sites should change the passwords on other sides as well.

125,000

Hackers accessed Kirkwood Community College's website and applicant database system on March 13.  Anyone who applied to a Kirkwood Campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed.  People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.

5,300 (Unknown number of Social Security numbers)

The February 24 burglary of three laptops resulted in the exposure of patient information.  The laptops were stolen from the hospital in addition to needles, syringes, and miscellaneous items.  The unencrypted laptops contained emails that had sensitive patient information.

6,000

A Connextions employee used Social Security numbers from a number of other organizations for criminal activity.  At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity.  The breach was reported on HHS as affecting 4,814 patients, but more were affected.

Unknown

Customers who used a debit or credit card at any Works Bakery Cafe location are advised to check their payment cards for fraudulent activity.  A breach occurred when malware was introduced to the Works Bakery Cafe computer system.  Locations in Durham, Manchester, Keene, Concord, Brattleboro Vermont, and Portland Maine were affected.

Unknown

On, January 19, Agincourt Wallboard notified employees of a breach of its payroll system.  Agincourt Wallboard became aware of the issue on January 17 when eight employees reported receiving a physical payroll check.  Someone had entered Agincourt Wallboard's payroll vendor and edited information without authorization so that the employees received a physical check rather than an electronic deposit.  The person who hacked into the payroll vendor also attempted to change the bank routing information for 10 of its employees.  Agincourt Wallboard is investigating how the hacker could have obtained the administrator's credentials and notified employees of the issue immediately.  Agincourt Wallboard also learned that five of the computers on its network were infected with malware called a Trojan horse.

100,000 (No SSNs or financial information exposed)

A hack affected less than 1% of Scribd's 50 million users. "A few hundred thousand" users had their passwords stolen.  Users who were affected received instructions for resetting passwords.  The passwords were encrypted and it is unlikely that hackers were able to decrypt and use the passwords before Scribd and Scribd users learned of the breach.

7,405

The February 11 theft of an unencrypted laptop from the respiratory department resulted in the exposure of patient information.  Veterans who were patients may have had their name, Social Security number, age, race, weight, and medical test results on the laptop.  The laptop was taken during regular clinic hours.

UPDATE (05/01/2013): A lawsuit has been filed by two veterans on behalf of people who were affected by the breach.

13,617

A total of 12,299 United HomeCare Services, Inc. clients were affected. Additionally, 1,318 United Home Care Services of Southwest Florida clients were affected. 

The January 8 theft of a billing manager's laptop resulted in the exposure of patient information.  It was stolen from the manager's car.  It contained client names, Social Security numbers, health plan numbers, dates of birth, and addresses dating as far back as 2002.  Some patients may have also had treatment service codes or diagnostic codes on the laptop.

Unknown

A thumb drive with information from the Medicare Exclusion Database was placed on a thumb drive.  The thumb drive was discovered to be missing from the CSC facilities in Raleigh, North Carolina in early March; it had most likely been lost in late February.  The thumb drive contained names, Social Security numbers, federal tax Employer Identification numbers, dates of birth, and other information.

Unknown

A hacker may have accessed credit card information, names, and addresses associated with Shoplet accounts.  The breach was discovered on January 11, 2013.  A new firewall was installed and Ellison Systems, Inc. moved their database server to a more secure zone.

4,022 (Nine Social Security Numbers reported)

The theft of a surgeon's unencrypted laptop resulted in the exposure of patient information.

UPDATE (04/25/2013): The laptop was stolen from a surgeon's Hawaii rental home and was used for research purposes.  Any laptops used for patient care are required to be encrypted while laptops used for research are not required to be encrypted.  The laptop was used to access emails related to patient care such as patient names, medical record numbers, types of surgery and dates of surgery, times and locations of surgery, gender, age, and name of surgeon and anesthesiologist information.  Nine patients had their Social Security numbers exposed.

2,600 (No SSNs or financial information reported)

A total of 2,600 medical appointment records disappeared before they could be shredded.  The records contained patient names, dates of appointments, times of appointments, and reason for appointment.  No medical claim information, financial information, or Social Security numbers were exposed.

Unkown

A hacker or hackers accessed Tennis Expresses computer network on or around December 19, 2012.  The breach was discovered in mid-February of 2013.  The issue was caused by a vulnerability in a third party vendor program.  Names, addresses, credit card numbers, verification value, and expiration dates may have been exposed.

1,100

An administrative error caused the Social Security numbers and other personal information of Allen County employees to be available online for less than an hour.

652

A private contractor working for the Department of Social and Health Services discovered that their laptop had been stolen on February 4.  The laptop was recovered in a pawn shop on February 14.  It contained the names, ID numbers, psychological evaluations, dates of birth, diagnoses, dates of services, addresses, and last four digits of Social Security numbers of clients.

Unknown

Hackers were able to access and disrupt American Express' website. American Express was offline for two hours.  

18 (Three Social Security Numbers reported)

A paper file was stolen from the car of a dental assistant who was treating residents at the MedStar Good Samaritan Nursing Center.  The file contained names, dates of birth, medical and dental evaluation information, medical and dental providers' names and license numbers, and the Social Security numbers of three residents.

200

A former employee received a CD with the names and Social Security numbers of around 200 current and former employees when he requested his personnel file.  The disc may have held the information of employees who signed up for a specific dental insurance plan in 1996 and workers who joined the Utah Public Employees Association in 1999.  When the HR department realized their mistake they requested that the former employee return the CD.  He initially refused; he then gave the CD to the Tooele County Attorney's office.  

Unknown

Current and former parties involved in a bankruptcy proceeding for a Citi loan may have had their information exposed.  Citi filed legal documents that should have been concealed but were accidentally made available online.  The information, which included personally identifiable and loan related information, could be exposed and read by any person who accessed court records.  The issue was addressed and Citi is not aware of any  instances where information was accessed.

Unknown

JPMorgan Chase's website was taken offline by a hacker or hackers. The website was made unavailable by a denial-of-service attack.  Chase.com was down for around a day.

Unknown

The theft of a laptop resulted in the exposure of patient information.  Names, Social Security numbers, dates of birth, residential facility names, and digital oral x-ray images may have been exposed.  Specific details of the case are being withheld until the breach investigation has concluded.  

The location of the breach is listed as the corporate headquarters of MAH.  Those with questions or concerns may contact the MAH Compliance Department at 1-855-224-0004.

Unknown

An administrative error caused a mailing distribution to contain the Social Security numbers of some people.  Rollins learned of the issue on March 12.  The Rollins TODAY quarterly issue mailed during the week of March 4 contained Social Security numbers within a number sequence on the mailing label.

700

Patients with questions may call (877) 272-0570.

An administrative error caused the billing statements of around 700 patients to be sent to the mailing addresses of other patients.  Patient names, account numbers, invoice numbers, charge amounts, dates of service, department and provider names, adjustment amounts, payments from insurance companies, amounts due, and total account balances may have been exposed.

Unknown

The January 11 theft of an employee's laptop resulted in the exposure of sensitive information.  The laptop was stolen from the employee's vehicle and contained names, Social Security numbers, and other information related to current and former Finish Line staff.

Unknown

A dishonest employee working at a Comfort Inn and Suites in Willard, Missouri during 2009 worked with a conspirator to misuse the information of hotel customers.  They were ordered to pay restitution of $23,000.  The dishonest employee was sentenced to three years of probation and her accomplice was sentenced to 42 months for aggravated identity theft and conspiracy to commit wire fraud.

Unknown

A laptop used by UMMC clinicians was discovered missing on January 22.  The password-protected laptop contained information from patients who entered the hospital between 2008 and 2013.  Patient names, Social Security numbers, addresses, diagnoses, medications, treatments, dates of birth, and other personal information may have been exposed.

UPDATE (04/25/2013): The laptop may have been lost or stolen in November of 2012.

3,300

Federal investigators informed Tallahassee Community College that a hacker gained access to their main computer system.  The personal information of students who applied for financial aid may have been accessed.  It appears that an insider hacked into the computer system. Hacked 2011 TCC financial aid records were misused to file fraudulent tax refunds.  Federal Investigators told TCC when they traced where the information came from.

Unknown

A computer intrusion resulted in the exposure of names, Social Security numbers, contact information, dates of birth, driver's license numbers, and financial account information. The breach occurred sometime around December 2, 2012. 

Unknown

A phishing attack affected an OCS America computer on March 4, 2013.  The computer contained names, Social Security numbers, addresses, telephone numbers, dates of birth, job titles, and salary information.  It appears that only one computer was affected. 

Unknown

On January 15, 2013 TLO discovered that there had been limited fraudulent access to their system.  A hacker or hackers were able to access names, Social Security numbers, and driver's license numbers between August 2012 and January 2013. 

Unknown

A Chinese national who worked as a contractor for the National Institute of Aerospace had access to NASA's Langley Research Center.  He was caught boarding a plane with two external hard drives, two laptops, a memory stick, and an SIM card on March 16.  He originally did not reveal the second laptop, hard drive, and SIM card when detained.  The information he was attempting to steal was not revealed.  

Unknown

Confidential medical records were found under a freeway by a concerned citizen. A local news team investigation traced the documents back to the insurance claims processor ICW. ICW reported that the issue occurred on February 28 when a bin with files broke open on the way to a disposal site.  An unnamed document destruction company responsible for the documents was replaced. Names, dates of birth, Social Security numbers, and other sensitive and medical information were on the documents. 

12,000

A security breach allowed access to the personal records of at least 12,000 SRS workers.  The breach does not appear to be the result of a cyber attack.  Workers may have had financial information exposed.

Unknown

No specific California city was involved.  Subway restaurants in California, Massachusetts, and Wyoming were involved.

A former owner of a Subway franchise used software from his new job to access the computer systems of Subway restaurants.  The former owner sold point-of-sale software to Subway restaurants across the country and then worked with an accomplice to remotely hack into at least 13 Subway point-of-sale systems.  The fraud began in 2011.  Fraudulent Subway gift cards totaling at least $40,000 were created.  Two of the California participants were indicted on March 6.

Unknown

GSA users may have been able to view the financial information and trade secrets of other GSA users due to a security vulnerability.  The specific database that was affected is called the System for Award Management (SAM).  Contractor and vendor registration records are cataloged by SAM.  It is not clear how GSA became aware of the issue or how long it was a problem.  Agency officials revealed that users could purposefully or inadvertently view the information of other users after following a series of steps.

UPDATE (03/23/2013):  Users had Social Security numbers and tax identification numbers exposed.

25,000

A server was found to be infected with a virus.  The University computer contained information related to paychecks distributed by the University.  Current and former employees who may have been students or staff may have been affected.

Unknown

Patients at Baystate Gastroenterology, Hallmark Health Medical Associates, Main Street Family Practice, and Womens Healthcare Associates were affected.  Patients of Maury Goldman, MD and John Mudrock, MD were also affected.

An employee of Lawrence Melrose accessed patient information for reasons unrelated to their work.  It is unclear what type of patient information was exposed and how many patients were affected.  

Unknown

A former employee revealed a password and username combination for Tribune Co. to hackers.  The hackers were part of anonymous and used the information to access Tribune Co.'s servers in 2010.  A number of online stories that had been published through Tribune Co. were defaced by hackers as a result.  

The former employee of a TV station owned by Tribune Co. was indicted on charges of conspiracy to cause damage to a protected computer, transmission of malicious code, and attempted transmission of malicious code.

UPDATE (04/23/2013): The former employee worked at Reuters as a deputy social media editor at the time of the cyber attack.  He was fired from Reuters in April of 2013.

Unknown

Those with questions or concerns may contact (877) 795-2356.

The theft of an employee's laptop resulted in the exposure of information from employees and people who received checks from Stanley Black & Decker.  Names, and the account numbers and routing numbers associated with direct deposits may have been exposed. The laptop was stolen from a finance employee on January 28.  

1,400 (Unknown number of Social Security numbers)

An employee accessed patient records for reasons unrelated to their job function.  The Heath Center became aware of an unauthorized access in January of 2013.  Patient names, addresses, dates of birth, and in some cases health information and Social Security numbers may have been exposed.

Unknown

A hacker or hackers accessed patient information and posted it online.  The breach was discovered by a data privacy expert. Uniontown indirectly notified the public of the breach and breach containment after the privacy expert attempted to reach Uniontown Hospital for several days.  Names, encrypted passwords, contact names, email addresses, and usernames may have been exposed.  It is unclear how long the information was available.

Unknown

Two backup tapes with customer and customer dependent names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers went missing while being transported between two TD Bank office locations in March of 2012.  

Unknown

An administrative error resulted in documents with sensitive information from Unisys members being emailed to an incorrect party associated with Unisys. The mistake occurred on December 13, 2012.  The document may have contained names, Social Security numbers, dates of birth, and salary information. The mistake was immediately noticed by the recipient and the information was deleted from their computer.

Unknown

A caller contacted a local news team member and an investigation of mishandled medical documents began.  The documents were in an unlocked dumpster and contained Social Security numbers, bank account information, addresses, dates of birth, and health information.  The documents were associated with Family Intervention Services and an unnamed orthopedic office.

50,000,000 (No SSNs or financial information reported)

Evernote's breach notice can be found here: http://evernote.com/corp/news/password_reset.php.

A hacker or hackers attacked and may have accessed Evernote's online system. Evernote reset all user passwords as a precaution.  User names, email addresses, and encrypted passwords may have been exposed. 

UPDATE (03/09/2013): A total of 50 million users were told to reset their passwords.

Unknown

A nursing supervisor of Rensselaer County Jail was found to have misused credentials to access patient records without cause.  The Rensselaer County Jail information is maintained by Samaritan Hospital.  The hospital learned of the breach in November 2011, disabled the employee's account, and notified the sheriff's office immediately.  Subsequently, the Hospital may have delayed notifying patients because of the ongoing investigation.  Notifications were sent out during the first week of March in 2013.

UPDATE (04/01/2013): A total of 48 people have been notified.  Patients from as far back as 2006 may have been affected.

834

A dishonest hospital employee misused patient records that were dated from June 2011 to February of 2012.  Patients may have had their names, Social Security numbers, and dates of birth exposed.

UPDATE (03/15/2013): A respiratory therapist provided Social Security numbers, dates of birth, patient names, and other patient data in exchange for payment. The patient data was then used to file fraudulent tax returns.  The dishonest employee now faces charges for selling the information to two others.

UPDATE (04/26/2013): Two women who purchased patient information from a Hospital employee were sentenced for their roles in the breach.  One woman was sentenced to 26 years and five months in federal prison in addition to being ordered to pay over $1.9 million in restitution.  She was convicted of 33 fraud and identity theft charges in January.  The other was sentenced to 10 years and one month in prison after pleading guilty to conspiracy to defraud the government and aggravated identity theft.  The fraud ring produced fraudulent income tax refunds totalling $11.7 million.

Unknown

An unnamed restaurant in Oahu experienced a computer system breach.  Customers who visited the restaurant during a period in February had their credit and debit cards blocked by Bank of Hawaii and First Hawaiian Bank when the breach was discovered.  Not all of the payment cards that were blocked had been compromised.

Unknown

On January 7, 2013 Fabric Depot became aware of a breach that had occurred sometime around October 16, 2012.  Fabric Depot changed their online payment system and notified customers.  Customer names, credit card numbers, credit card verification codes, debit card numbers, and account billing addresses may have been exposed.

Unknown

The city in which the theft occurred was not revealed.

A back-up tape that contained First National Bank of Southern California client information was stolen on February 1, 2013 from a data service provider.  Social Security numbers, taxpayer identification numbers, account balances, and account numbers were exposed.

Unknown

Hackers breached the servers of IHS and may have been able to access credit card, customer, and nuclear information.  IHS does not believe that confidential information was compromised.  However, the hacker group claimed to have obtained the records of 8,500 customers. The hacker group is known to attack sites in order to further their goal of revealing sensitive nuclear data to pressure the Israeli government and others into disclosing their nuclear activities.

Unknown

Hackers were able to exploit a vulnerability in a web application and use an SQL injection.  The breach occurred in July of 2012, however the server was shut down until January of 2013. Hackers then used Bit9's systems to attack other organizations who relied on Bit9 as a security platform vendor.  Three unnamed companies were affected.  The vulnerability was caused by Bit9 failing to install its own security software.

Unknown

An error at Convey Compliance Systems, Inc. resulted in 1099 forms being mailed to incorrect addresses.  The 1099 forms contained names, Social Security numbers, tax identification numbers, and addresses.  The financial information of some Massachusetts Mutual Life Insurance Company clients was exposed.

Unknown

A group of co-conspirators used Medicaid information from Medicare beneficiaries in and near Detroit to defraud Medicaid and file for $24.7 million in fraudulent claims.  The fraud took place between 2008 and May of 2012.  Hundreds of patients had their information misused so that co-conspirators could bill Medicare for psychotherapy, home health services, and other medical services.

Unknown

A February 7 or 8 office burglary at Mercedes-Benz of Walnut Creek resulted in the exposure of customer information.  Locked file cabinets that contained customer deal files were burglarized and customer files were taken from the Service Department.  The theft was discovered on the morning of February 8 and immediately reported.  Customer names, Social Security numbers, addresses, credit reports, driver's license information, insurance information, and credit card numbers may have been exposed.

Unknown

A number of credit card terminals in 19 California and Arizona stores were affected by point-of-sale malware between January 25 and 29.  Credit card and debit card numbers were exposed.  Customer PINs associated with the payment cards were not affected. Sprouts identified the issue within a few days of the breach and updated customer information protection procedures in all of its stores.

Unknown

Capella University's official breach notice can be found here: http://www.atg.state.vt.us/assets/files/Capella%20University%20Security%20Breach

%20Notice%20to%20consumer.pdf

A collection department employee sent sensitive information to a personal email account.  The incident was discovered on January 28 and the employee was fired.  A small group of learners may have had their names, Social Security numbers, and other information that was kept by Capella's collection department exposed.

100,000

Desktop computer hardware was stolen from the Anaheim Billing Center of Crescent Healthcare, Inc. on December 28, 2012.  The theft was discovered on Monday, December 31 and reported to law enforcement.  Names, Social Security numbers, health insurance identification numbers, health insurance information, dates of birth, diagnoses, other medical information, disability codes, addresses, and phone numbers may have been exposed.

UPDATE (04/03/2013): Over 100,000 people were affected.

Unknown

NBC's website was attacked by malware in the form of a Citadel Trojan.  The purpose of the attack was most likely to steal usernames, passwords, and other personal information.  NBC is unclear on how the malware entered their system.

5,000 (No SSNs or financial information reported)

An employee working as an administrative manager in the Enforcement Division viewed the information of around 5,000 people outside of work hours and for no job-related reason.  His activities between January 2008 and October 2012 were discovered and he was discharged on January 11, 2013.  It is believed that the driver's license and other motor vehicle record information was viewed for curiosity and not malicious purposes.

UPDATE (05/01/2013): A group of people who had their driver's license information accessed filed lawsuits against Minnesota.  The state asked the federal judge hearing the case to dismiss the motions and argued that the state isn't liable under a federal law that protects the privacy of driver's license data.  The employee responsible for the breach is facing criminal charges; though the breach may not have been for malicious purposes.

20,000

LexisNexis informed Sprechman & Associates that the unusual, excessive activity of an associate caused them to eliminate that associate's access to LexisNexis' database.  The associate was later found to have misused Social Security numbers in order to file over 11 million dollars in fraudulent tax refund claims. The dishonest associate was not immediately fired from Sprechman & Associates and was terminated in July 2012 when law enforcement used a warrant to search his home and office computers.  

Unknown

Microsoft's official notice can be found here: https://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx?Redirected=true

Microsoft security discovered that a number of employee devices were affected by malware.  The employees had visited unsafe websites and downloaded material. It is unclear if the employee devices spread the infection to other areas of Microsoft's network, but Microsoft found no evidence of customer data being affected. Facebook, Twitter, and Apple were affected by a similar issue around the same time.

Unknown

An official notice can be found here: http://www.zendesk.com/blog/weve-been-hacked.

Those with questions may call (415) 287-9976.

A hacker accessed Zendesk information that was online.  Three clients who use Zendesk to store information had user lists downloaded by the hacker.  Users who contacted those clients for support may have had their email addresses and the subject lines of those email addresses accessed.

UPDATE (02/22/2013): Tumblr, Twitter, and Pinterest were the affected clients. Twitter let users know that emails, phone numbers, Twitter usernames, and any other information that was provided to Twitter may have been exposed.  Passwords were not compromised.

200

Students who paid tuition for education programs may have had their 1098T tax forms sent to the incorrect address.  Between 150 and 200 people out of 2,000 were sent to the wrong address because a group of the tax forms were placed in envelopes without being properly separated.  Some people received the forms of several people while others never got their tax forms.  The district implemented a new step of sampling some of the envelopes in order to review the process before completing an entire batch.

Unknown

A dishonest employee misused patient information in order to claim them as her children and receive insurance compensation.  The dishonest employee was charged with insurance fraud and ID theft.

UPDATE (02/22/2013): Orlando Health patient records were accessed.  The Orlando Health hospitals include MD Anderson Cancer Center Orlando, Orlando Regional Medical Center, Winnie Palmer Hospital for Women and Babies, Dr. P. Phillips Hospital, Arnold Palmer Hospital for Children, South Seminole Hospital, South Lake Hospital, and Health Center Hospital.

110,000

Central Hudson learned of a cyber attack that occurred over President's Day weekend.  Customers were notified the day after the holiday and encouraged to monitor their bank accounts and credit reports.  Customer banking information and other personal information may have been accessed during the attack.

Unknown

Hotusa Group is headquartered in Barcelona, Spain.

A server breach or other incident related to credit cards may have affected people who used their American Express cards at locations linked to Hotusa Group's servers.  Account numbers, names, credit card expiration date, and other credit card information may have been exposed for American Express and other cards. The incident occurred on August 24, 2012.

Unknown

Fraudulent activity on the accounts of DePauw University students was linked to Kork and Keg.  It is not clear how the store's payment system was compromised; however it was a common link among those who had their accounts breached.  Kork and Keg did not make a statement.

Unknown

Apple detected malware on employee computers.  A small number of employee computers had been affected after their users went to a website for software developers.  Facebook, Microsoft, and Twitter experienced the same breach around the same time.

Unknown

A partner at Ernst & Young is accused of sneaking into the headquarters of Express Scripts Holding Co.  It is not clear how the Ernst & Young partner got into the headquarters, but it is believed that he emailed over 20,000 pages of data to a personal account.  Express Scripts Holding Co. accused Ernst & Young of stealing the information in order to develop its health care division. Express Scripts Holding filed a lawsuit; the accused partner is no longer employed by Ernst & Young.

Unknown

The Information Technology Department at Sierra View District Hospital detected unusual activity on its computer network.  Patient information may have been affected and the investigation is ongoing.

Unknown

The theft of a password-protected laptop from an employee's car may have resulted in the exposure of patient information.  The theft occurred on January 4, 2013 and was reported immediately.  Patients who were treated between July 1, 2006 and January 3, 2013 may have had their names, Social Security numbers, addresses, phone numbers, dates of birth, insurance policy numbers, diagnoses, visit notes, physician names, caregiver names, and advance directives exposed.

Unknown

A Walgreens pharmacist used patient information to obtain prescriptions for powerful drugs.  The fraudulent activity occurred between April 2011 and January 2012.  The dishonest pharmacist pleaded guilty to aggravated identity theft, wire fraud, and fraudulently acquiring controlled substances on November 19, 2012.

She was sentenced to 25 months in prison and one month of supervised release.

Unknown

Facebook's official notification can be found here: http://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766

Facebook discovered that hackers had exploited a vulnerability and accessed unspecified data.  Facebook found no evidence that Facebook user data was compromised.  Malware was installed on a number of employee laptops after a small number of them visited a mobile developer website that turned out to be unsafe. Microsoft, Twitter, and Apple were affected by the same issue around the same time.

43,000 (less than 3% contained SSNs)

A computer virus was discovered on an employee's work computer account on December 14, 2012.  One of the files on the employee's computer contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, names of health insurers, diagnoses, and other clinical information.  A limited number of Social Security numbers were also exposed.

Unknown

The Emergency Alert Systems (EAS) of several TV stations nationwide were hacked and alerted people to a fictitious zombie attack.  The FCC ordered local broadcasters to change their passwords on EAS equipment and check the security of firewalls before resuming normal internet connections.

Unknown

Anyone who made a purchase at the Häagen-Daz inside the food court in International Plaza since April of 2012 may have been affected by identity theft.  A flash drive that contained key-logger software was connected to a register at the store.  It recorded payment card transactions and allowed thieves to make counterfeit credit cards.  Two men were arrested in June of 2012 for using fraudulent card information and that information was later linked to the Häagen-Daz shop.

3,500

A cyber attack on two servers resulted in the exposure of employee information.  The servers were at the UNC Lineberger Comprehensive Cancer Center.  Employees, contractors, and visiting lecturers at the Lineberger Center may have had their Social Security numbers or passport numbers exposed.  The breach was discovered in May of 2012 and notifications were sent in December of 2012.  Fewer than 15 people who were subjects in research studies were also affected by the breach.

Unknown

A pediatrician misused patient information in order to defraud Medicaid of nearly one million dollars.  The pediatrician owned Sinai Medical Center and billed Medicaid for wound repairs and other procedures that were never performed.  Police arrested the dishonest pediatrician on January 16, 2013.  

Unknown

The Los Angeles Times learned that a segment of its website housed malicious code for six weeks.  The subdomain OffersandDeals.latimes.com redirected visitors to a malicious website.  The website then used code to receive compensation for web traffic.  The compromise appears to have occurred sometime before December 23, 2012.  An LA Times spokesperson initially responded to the breach by claiming that a glitch in Google's display ad exchange had caused a malicious script warning rather than actual malicious script.

Unknown

Hackers were able to access Jawbone's MyTALK customer accounts for several hours.  Names, email addresses, and encrypted passwords were exposed.  Any customers who were affected received an email warning them to reset their passwords.

2,800

Patients with questions may call (561) 671-4014

A senior desk clerk was arrested for obtaining and releasing patient information for identity theft purposes.  The dishonest employee took home client lists with names, Social Security numbers, and dates of birth.  Patients born between 1991 and 1996 may have had their personal information misused.

6,000

ATMs in New Jersey, Illinois, and Wisconsin were also compromised.

Two men face charges of conspiracy to commit bank fraud, conspiracy to commit access device fraud, and aggravated identity theft after being indicted for attaching skimming devices to ATMs in New York, New Jersey, Illinois, and Wisconsin.  At least nine other people are believed to have participated in the bank fraud scheme.  Over 6,000 J.P. Morgan Chase and Capital One bank accounts were defrauded for over $3 million.

Unknown

Customers who had credit card numbers on file after using them at Knitpicks.com, ArtistsClub.com, or ConnectingThreads.com may have had their information exposed.  A file on the Crafts Americana Group, Inc. servers was accessible for a period of time before being removed on January 25, 2013.  The file contained names, credit card numbers, addresses, and phone numbers.

10,480 (No SSNs or financial information reported)

A network server was stolen or discovered stolen on January 15, 2012.  The incident appeared on the HHS website in February of 2013.

1,103 (No SSNs or financial information reported)

A laptop was stolen or discovered stolen on October 11, 2012.  The incident appeared on the HHS website in February of 2013.

3,230 (No SSNs or financial information reported)

Five laptops were stolen during the weekend of November 17, 2012.  They did not contain Social Security numbers and did contain unspecified personal information of patients.  A notice about the incident was sent on January 18, 2013 and the breach appeared on the HHS website in February of 2013.

Unknown

A computer network attack resulted in the exposure of customer information.  The cyber attack was discovered on December 13, 2012 and affected customer databases with names, Social Security numbers, credit and debit card numbers, payment card expiration dates, payment card security codes, addresses, telephone numbers, dates of birth, and mothers' maiden names may have been exposed.

Unknown

The hacking group known as Anonymous claimed responsibility for a hack of the Alabama Criminal Justice Center and indicated that they had access to US Federal Reserve servers. Some internal documents were also exposed.  The hack attack was a response to the US Federal Reserve's reaction, or failure to react, to the February 4 hack of the Alabama Criminal Justice Center.  Anonymous released a document showing that they had extensive access to US Federal Reserve servers and internal documents.  Anonymous hacked into the Grand Banks Yachts website and used it to host a file that contained the document. 

Unknown

Hackers were able to access customer credit card information stored on computer servers.  The cyber attack affected customers who made purchases on www.thorlo.com between November 14, 2012 and January 22, 2013.  Credit card numbers, credit card expiration dates, credit card security codes, names, and contact information were exposed. 

Unknown

A vendor's mailing error resulted in the exposure of employee Social Security numbers.  Call for Candidacy letters were mailed sometime around January 16 that had Social Security numbers, names, and addresses visible through the address window of the letter.  

1,182 (No SSNs or financial information reported)

An unencrypted disc that contained patient information was lost in transit.  The disc had names, Medicare account numbers, and outstanding account balances from patients who visited the Honesdale hospital between 2007 and 2012.  A legal envelope that contained the disc was mailed on November 28 and arrived at Novitas Solutions in Pittsburgh in a cardboard box without the disc. 

Unknown

Dishonest employees from multiple cities and states were involved. The location listed is the state where many fraudulent purchases took place.

Eleven people were charged with participating in an identity theft ring.  Some of the defendants obtained customer credit and debit card information by using skimmers at their places of employment.  Others used the stolen information to make fraudulent payment cards.  The ring was in action between June of 2009 and November of 2010.

Unknown

The location of the breach is listed as the corporate headquarters of Bashas'

Bashas' online systems suffered an online breach.  Customers in Lake Havasu City and Pinal County who entered their credit and debit card information online have been affected.  All customers are being warned to check their payment card transactions for suspicious activity.

Unknown

Eight people were charged for participating in an identity theft ring.  One of the members was employed as a scheduler at Boca Raton Regional Hospital.  She passed along patient information in exchange for payments.  One member allegedly filed 57 fraudulent tax returns with the stolen information in attempt to get $306,720 in refunds.  Another member is accused of filing 75 fraudulent returns for $750,469 in refunds.  

Unknown

The U.S. Department of Energy discovered that unidentified malicious activity had been detected on 14 servers and 20 workstations in January.  The personal information of several hundred employees was exposed.  The U.S. Department of Energy had known about the need to patch computers, network ssytems, and servers since 2012.

4,000 (No SSNs or financial information reported)

Information related to over 4,000 American bank executive accounts was exposed by hackers.  Hackers placed an Alabama Criminal Justice Information Center spreadsheet with the login information, credentials, contact information, and IP addresses of bank executives online.

Unknown

The area of Alabama where the breach occurred is unclear.

Six people who worked in tax preparation were charged with fraud and filing false tax returns in March of 2012.  Over 1,000 false tax returns were filed between October 2009 and April 2012.  The fraudulent returns totalled more than $1.7 million.  

UPDATE (01/29/2013): Two others were linked to the conspiracy and charged.  One of them was an employee of an unnamed Alabama state agency. She was able to access a state database of personal information and provide it to others in the identity theft ring.

2,400 (unknown number of SSNs)

River Falls Medical Clinic officials reported a burglary during the summer of 2012.  The equipment and paper documents that were stolen were recovered by police on November 28.  An employee of a cleaning service that subcontracted with the Clinic is the main suspect.  The items were found in the employee's home and he was charged with felonies associated with theft and drug possession.  It is believed that the documents were intended to be shredded.  They contained patient names, dates of birth, patient account and billing account information, diagnosis codes, insurance information, account numbers, medical chart numbers, and scheduling information.  An unspecified number of patients also had their Social Security numbers, home addresses, and phone numbers exposed.

250,000 (no SSNs or financial information exposed)

Online attackers were able to access the usernames, email addresses, session tokens, and encrypted passwords of 250,000 users.  Twitter notified affected users and told them to create a new password.  Anyone who used the same password and username or email combination for other sites is encouraged to change the password on other sites as well.

UPDATE (03/11/2013): Facebook, Microsoft, and Apple were all affected by a similar breach around the same time.

Unknown

A document with sensitive Worker's Compensation claim information was accidentally sent out with an email to a limited number of Antioch Unified School District employees.  Social Security numbers and other information related to current and former employees that reported injuries were exposed.  The incident occurred on January 18 and people who received the email were instructed to remove and destroy any saved information contain in the email. Those who received the email were also instructed to provide written verification that they had removed and destroyed the information.

124

A former Tallahassee Memorial HealthCare food service employee was indicted on 31 counts of filing false tax returns, wire fraud, false claims, and aggravated identity theft.  He and two others are believed to have participated in a conspiracy that led to $818,000 in fraudulent claims.  The employee worked for Tallahassee Memorial HealthCare for three years.  He gathered patient names and dates of birth from food tray receipts when he delivered food to the rooms of patients in August of 2011 and stole emergency room data sheets from the trash. The information was then passed to the two others who participated in the conspiracy.

Unknown

A home burglary resulted in the theft of a CD that contained the information of over 30,000 beneficiaries.  The CD contained names, Social Security numbers, and dates of birth and was taken from the home of an accountant at an unnamed counting firm.  The three funds sued the accounting firm for $200,000 to cover the cost of credit monitoring and insurance. 

200

Customers were affected by an ATM hacking scheme. A skimming device is believed to have been placed on the bank's ATM at a food store.  A suspect was arrested after being seen using stolen card information at an ATM.

25

The owner of Silver Star Motors was charged with seven counts of identity theft and may have been involved in 25 cases of identity theft.  Customer information was used to defraud lending companies associated with the used-car dealership.

UPDATE (02/13/2013): At least 44 people have had their information misused. The dishonest owner also operated Edge Auto Sales at one time.

Unknown

The New York Times' computer system was hacked after Chinese government officials warned the Times about consequences for investigating the wealth of government family members.  The Times began monitoring its system closely on October 24 and noticed unusual activity on October 25 when an article about the wealth of a Chinese official's family was published.  The breach began on September 13 and was allowed to continue until January so that the hackers' behavior could be studied.  It appears that the passwords of every Times employee were compromised and 53 Times employees had their personal computers accessed.  The 53 employees were located outside of the United States and appear to have been the ones who may have covered the Chinese stories.

100

A police activity log for the period of January 7 through January 13 was published on the Littleton department's website. Someone forgot to remove personal details from the log and the sensitive information was available online for 10 days.  Names, Social Security numbers, dates of birth, and addresses, were available between January 14 and January 24.

Unknown

The November 13, 2012 theft of a laptop resulted in the exposure of consumer information.  Names, addresses, phone numbers, dates of birth, residential information, and medical information may have been exposed.

Unknown

Those with questions may call (877) 288-8057.

A hacker accessed the webserver used to host stethoscope.com on December 3.  The breach was discovered in mid-December during routine server maintenance.  Customer names, addresses, email addresses, and credit card information such as numbers, expiration dates, and security codes may have been exposed.

Unknown

UnitedHealthcare has established a hotline for those with questions: 1-866-896-4209.

An unencrypted desktop computer was stolen from an RR Donnelley facility sometime between mid September and the end of November, 2012.  RR Donnelley is a vendor of UnitedHealthcare.  It is unclear why the breach was not noticed until December 3, 2012.  The stolen computer contained UnitedHealthcare member information that was related to participation in the Boy Scouts of America 2003 health benefit plan.  Names, Social Security numbers, and addresses may have been exposed.

Unknown

A concerned citizen found hundreds of documents in a recycling center and notified a local news team.  The documents included criminal histories, depositions, medical records, personal phone numbers, and addresses.  Most were from the 1990's.  Most or all of the information did not need to be shredded because it was considered public record.  The local news team contacted a director from the solid waste division and the documents were removed for shredding.

300,000

The 2010 theft of a company laptop, a hard drive, and a number of unencrypted backup tapes resulted in the exposure of sensitive information.  Social security numbers, credit and debit card numbers, driver's license numbers, and dates of birth were contained on one or more of the devices.

Cbr Systems reached a settlement with the Federal Trade Commission in early 2013.  Cbr Systems must establish an information security program and be independently audited every other year for 20 years.  The full settlement can be found here: http://ftc.gov/opa/2013/01/cbr.shtm

132 (64 individuals had fraudulent tax returns filed)

A dishonest employee pleaded guilty to using a Los Angeles County computer system to file fraudulent tax refunds.  The fraudulent activity occurred between July 2009 and the 2011 tax year.  The IRS found 44 pages of screen prints with the information of 132 assistance participants in the employee's home. The employee, her spouse, and three others were indicted in January of 2012.    

Unknown

Customers who made purchases on www.wilton.com between October 8, 2012 and January 8, 2013 may have had their credit or debit card information exposed.  A Wilton service provider discovered the issue on or around January 8, 2013.  A malicious user accessed the website information and payment card numbers, expiration dates, and security codes may have been exposed.  Customer names, addresses, and telephone numbers are also at risk.

This incident is in addition to the hacking incident that took place between July and October of 2012.  That incident was reported on December 12, 2012.

261

A dishonest intern was caught using a cell phone to illegally photograph patient Social Security numbers and names.  The photos were then sent to another person; presumably for fraudulent activity.  The office intern was charged with fraudulent use of personal identification information. It is unclear when the breach was discovered since the photos were taken between May 7 and June 19.

430 (No SSNs or financial information reported)

At least 65 students received information about the grade point average of 430 students during early January 2013.  The breach occurred when a spreadsheet that contained the information and the E-number of 430 students was accidentally made available online.  

Unknown

NECA/IBEM Family Medical Care Plan (FMCP) participants received disclosure documents related to benefits coverage and modifications.  The outside of the envelopes in which the documents arrived displayed participant Social Security numbers.

Unknown

Those with questions may call 1-855-731-6016.

The January 9 theft of a laptop from a physician's car may have exposed sensitive information.  The laptop may have contained some combination of patient names, dates of birth, and contact information.

UPDATE (01/22/2013): A total of 57,000 patients are being notified. Medical information and medical record numbers were exposed.  A limited number of patients had their contact information exposed.  Most of the information on the laptop was from 2009.

2,988

An employee's computer was found to contain malware.  The malware infection began on May 21, 2012 and was discovered on November 15, 2012.  Files stored on the computer contained billing information with patient names, Social Security numbers, account numbers, medical record numbers, dates of birth, gender, treatment dates, insurance provider names, and account balances.

6,000 (No SSNs or financial information reported)

An employee of Goold Health Systems lost an unencrypted USB memory stick that contained the information of around 6,000 Medicaid recipients in Utah.  Goold Health Systems is a contractor for the Utah Department of Health.  Medicaid recipient names, Medicaid identification numbers, ages, and recent prescription drug use were on the memory stick.  The memory stick was lost during travel between Salt Lake City, Denver, and Washington.  The loss was confirmed on Tuesday, January 15.  

Unknown

Four managers who left AMD to work for Nvidia are being sued by AMD for intellectual property theft.  AMD accused the former employees of setting up a spying ring in the company before leaving to work for rivaling company Nvidia.  One of the managers is accused of using two external hard drives to download Microsoft Outlook email files, licensing agreements, and strategic plans from his work computer before leaving AMD in July of 2012. Another employee is accused of taking an AMD technical work and development database with over 200 files.  The four employees are accused of taking over 150,000 documents.

Unknown

Over 108 Zaxby's restaurants experienced a breach related to customer credit and debit cards.  A number of people experienced credit card fraud and an investigation led to Zaxby's as a common point of purchase.  Suspicious files were found on Zaxby's system during the subsequent investigation.  

100,000 (No SSNs or financial information reported)

A press release can be found here: http://www.djj.state.fl.us/news/press-releases/press-release-detail/2013/01/11/information-security-breach-reported-at-djj

A mobile device that contained both youth and employee records was reported stolen on January 2, 2013.  Over 100,000 records were on the device and may have been exposed.  The device was taken from a Department of Juvenile Justice office and was neither encrypted nor password-protected.  Department of Juvenile Justice policy requires such devices to be encrypted.

100,000 (No SSNs or financial information reported)

On September 6, 2012 it was reported that three computers that contained information from the Florida Department of Juvenile Justice were stolen from an apartment site earlier in the week.  A television was also taken at the time of the theft.

UPDATE (01/12/2013): At least one of the devices was neither encrypted nor password protected and held the personal information of over 100,000 youth and employees.

Unknown

Customers who used credit or debit cards at EJ Phair discovered fraudulent chargers on their payment cards.  A hacker or hackers managed to access and misuse payment card numbers once they ran through EJ Phair's system.  It appears that customers who used cards at the location between September and late November of 2012 may have been affected.

Unknown

A computer repair shop bought used computers on govdeals.com in 2011.  The computers were found to have information from city employees when they were removed from storage on January 5.  Social Security numbers, pension information, and other personal information from Macon police officers were on the computers.  Information from local businesses that was used for city purposes was also on the computers.  A total of 39 hard drives, two servers, and two CPUs were purchased and may have contained sensitive information.

Unknown

Texas Southern University's radio station KTSU gave a volunteer position to a person with a criminal history of credit card fraud.  The volunteer was later arrested for allegedly using the radio station's donation drive to steal credit card information.  The dishonest volunteer faces up to 300 counts of credit card fraud for attempting to misuse the information on donor pledge sheets.

Unknown

Employees accidentally threw out hundreds of patient records.  The dental records were found by someone looking through a dumpster and the incident was reported to a local news team.  Names, Social Security numbers, dates of birth and addresses were exposed. Employees from Bujanda-Wagner's office came to recover the documents.

Unknown

An unencrypted flash drive was stolen from a teacher's car.  It contained student Social Security numbers and other information.  

80

An employee working in human resources was robbed while transporting information between school districts.  The employee stopped for lunch and discovered that personnel files containing names, Social Security numbers, addresses, dates of birth, and driver's license numbers had been stolen from their car.

Unknown

A dishonest employee was arrested on suspicion of misusing client information to apply for credit cards.  The dishonest employee was able to pose as different clients seeking immunizations and other services.  She was charged with fraudulent use or possession of identifying information and credit card abuse.  

UPDATE (01/31/2013): The employee was working for the Northeast Texas Public Health district when she was arrested for stealing the identities of patients at a clinic in Mount Pleasant.  She began working in the Texas Department of State Health Services clinic in 2008.

Unknown

It is not clear if this breach is related to the August 2010 theft of a laptop from Centric Software in Campbell, California.

Those with questions may call 1-800-416-4601.

Anyone who purchased items on www.accesscatalog.com using a credit card may have been affected by a breach that began in August 2010.  An unauthorized party may have obtained names, credit or debit card numbers, expiration dates, and payment card verification codes.  Centric Group learned of the incident on or around December 13, 2012.

532 (No SSNs or financial information reported)

Those with questions may call Dr. Schuster's office at 1-855-638-1443.

A computer was stolen during an office burglary that occurred sometime around November 5, 2012.  The computer contained patient names, dates of birth, and a minimal amount of patient medical information.

Unknown

An employee kept 200 pages of confidential information in an effort to prove that Woodwinds Hospital was trying to conceal evidence of medical misconduct.  The employee was discharged in 2010 for reasons unrelated to removing the information.  She claims to have taken them home after being ordered to destroy any information related to incidents that could damage Woodwinds Hospital's reputation.

5,083

A laptop was stolen from an employee's car on or around December 10.  APG employees may have had their names, Social Security numbers, bank account information, and other information exposed.  

Unknown

Those with questions may call Reyes Holdings Ethics Hotline at (888) 295-6392 or email ethicshotline@reyesholdings.com

A report containing the names and Social Security numbers of a group of Reyes Beverage Group's California employees was accidentally sent to the personal email address of an employee of Reinhart Foodservice.  Reinhart Foodservice is a Reyes Holdings company as well.  It is unclear how the email was accidentally sent and why it ended up in the personal email of an employee at a different division.

Unknown

The owner of a group of childcare services pleaded guilty to defrauding Medicaid of $8 million.  She and a co-defendant targeted medicaid recipients in order to enroll them in a program and make fraudulent Medicaid claims for mental and behavioral health services.  Additionally, the owner pleaded guilty to misusing at least one therapist's credentials in order to make the claims for mental and behavioral health services.  The scheme took place between 2008 and 2012.

Unknown

Someone called Mission Hospital on August 28, 2012 and claimed that he found a flash drive with sensitive patient information in his garage.  The flash drive was returned to Mission Hospital via mailed envelope on September 11, 2012.  Patients who received services at Mission Hospital between September and November of 2008 may have had their information exposed. The notice that was sent to patients was dated September 14, 2012.  It appears that a contractor or employee misplaced the unencrypted flash drive.

The flash drive contained names, medical record numbers, and account numbers. Additionally, the flash drive may have contained some combination of date of admission, age, birth date, vital readings, physical examination, gender, race, name of physician, medical history, past and current treatment and illnesses, history of substance use, family history, lab tests and results, imaging tests and results, body weight, physician notes on patient, care plan, employment status and employer, prognosis, diagnosis, treatment recommendations, allergies, medications, comments about patient's appearance, patient health complaint, symptoms, reason for referral, and reason for admission information.

13,619

An employee reported that a portable hard drive was missing on November 23, 2010.  The device had last been seen sometime around November 19.  The data on the device included information from before July 31, 2009.  Client names, Social Security numbers, medical record numbers, account numbers, dates of service, race, insurance carriers and insurance numbers, addresses, phone numbers, sex, dates of birth, diagnosis information, allergies, initial referral forms, patient assessments/plans of care, physician orders and/or delivery ticket information may have been on the hard drive.

Unknown

Anyone who suspects they were a victim of identity theft because of this incident should report it to Rosenthal Collins Group at creditprotection@rcgdirect.com.

An unauthorized intrusion was detected on the morning of Tuesday November 27.  The unauthorized access began on November 26 and access to the breached web application was immediately shut down upon discovery.  Customers who completed Rosenthal Collins Group account forms online may have had their names, Social Security numbers, addresses, dates of birth, range of net worth and income, bank names, passwords for accessing the web application, and email addresses exposed.

441 (No SSNs or financial information reported)

Read the full agreement between HHS and HONI here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

The June 2010 theft of an unencrypted laptop from an employee's car resulted in the exposure of patient information.  The HHS Office for Civil Rights investigated the breach and found that HONI had not conducted a risk analysis to safeguard electronic protected health information.  It was also discovered that HONI did not meet a HIPAA Security Rule that required them to have policies or procedures in place to address mobile device security.  HONI agreed to pay the U.S. Department of Health and Human Services' (HHS) $50,000 regarding potential Health Insurance Portability and Accountability Act of 1996 Security Rule violations.  HONI also began taking extensive steps to improve their HIPAA Privacy and Security compliance program since the June 2010 breach.

Unknown

An office theft of an unencrypted laptop on or around December 15 resulted in the exposure of confidential personal information.  The laptop contained an Excel spreadsheet with workers' compensation information such as names, Social Security numbers, telephone numbers, and other workers' compensation claim or injury information.

36,000

Those with questions may call (443) 861-6571.

Hackers were able to access database information from Command, Control, Communications, Intelligence, Surveillance and Reconnaissance as well as nongovernmental personnel and people who visited Fort Monmouth.  The breach was discovered and addressed on December 6.  names, Social Security numbers, dates of birth, places of birth, home addresses, and salaries were exposed.

Unknown

A sensitive document was accidentally attached to an email that was sent to students.  The attachment contained names, Social Security numbers, dates of birth, student attendance information, and information regarding their program.  The email was intended to inform students about open positions.

29,000

The November 27 theft of a laptop may have resulted in the exposure of patient information.  Names, Social Security numbers, addresses, and clinical information may have been exposed.  Patients who have received services since 2007 may have been affected.

1,090 (unknown number of SSNs)

An employee responded to a telephone computer phishing scam.  The person was employed by a subcontractor of Hewlett-Packard Enterprise Services (HP ES) named Carewise Health.  Unauthorized users were able to remotely access a database of Medicaid client information as a result of the phishing attempt.  Eventually HP ES and Carewise Health were able to disable the laptop and notify the Cabinet for Health and Family Services of the breach.

UPDATE (01/02/2013): The employee revealed information to the hacker in mid-November.

Unknown

A team of cyber security consultants discovered vulnerabilities in the Omnicell web system.  Unauthorized users could gain control of certain hospital operations run by Integris Health.  The issue was immediately addressed by Omnicell.

Unknown

Those who were affected may call DHCS at (855) 297-5064.

Beneficiary Identification Cards (BICs) were mailed to the wrong recipients between December 10 and December 18.  A computer programming error caused the BICs of children being moved from Healthy Families program enrollment to Medi-Cal enrollment to be sent to households of other Medi-Cal and Healthy Families participants.  Names, Client Index Numbers, dates of birth, genders, and card issue dates were exposed.  People who received incorrect cards were instructed to return them.  Stamped envelopes that were addressed to DHCS were sent out with breach notifications. 

3,997 (No SSNs or financial information reported)

An electronic device was stolen from an Omnicell employee's car on November 14.  The device was not encrypted and contained the medication, demographic, and health information of 4,000 patients from three hospitals in the University of Michigan Health System.  

UPDATE (1/2/2013): A total of 3,997 people who were treated between October 24 and November 13 at three hospitals in the University of Michigan Health System were affected.  However, patients of at least 10 Sentara Healthcare and South Jersey Healthcare medical facilities were also affected. A total of 56,000 Sentara Healthcare patients from Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara Belle Harbour, Sentara Independence, and Sentara Port Warwick who were treated between October 18, 2012 and November 9, 2012 were affected.  A total of 8,555 patients from South Jersey Healthcare who were either treated or scheduled for admission between June 1, 2012 and November 12, 2012 were affected.

4,907 (No SSNs or financial information reported)

Numerous documents containing patient information were found in a vehicle during a traffic stop.  A law enforcement officer notified Coastal Behavioral Healthcare of the potential breach on October 10, 2012.  The documents contained a list of 136 Coastal Behavioral Healthcare patient names and identifying information dated April 2011.  It is unclear how the information was breached and how many additional patients may have been affected.

1,306 (No SSNs or financial information reported)

The September 19 theft of paper records may have resulted in the exposure of dental patient information.  

1,749 (No SSNs or financial information reported)

The data of 1,749 patients was stolen during an October 7 incident.  

1,100 (No SSNs or financial information reported)

Paper jackets that held radiology films were thrown away with office trash instead of being properly discarded.  The paper jackets contained names, addresses, dates of birth, ages, sex, race, and information on dates and names of radiology procedures prior to May of 2012.  The paper jackets are believed to have been picked up by a sanitation company and discarded in a landfill.

615 (No SSNs or financial information reported)

The October 16 theft of a desktop computer may have resulted in the exposure of patient information.

UPDATE (12/28/2012): The computer was stolen from the Brigham and Women's Hospital office.  Medical record numbers, age, medications, laboratory values and other clinical information may have been on the computer.  Up to 615 people may have been affected by the theft.

Unknown

An employee of Grand Teton Storage removed documents from The Children's Center's storage facility after they failed to pay storage bills.  A concerned citizen found seven boxes of the old medical records and other personal information next to a dumpster.  The information was seven to eight years old and included names, Social Security numbers, addresses, dates of birth, and payroll information.  A Grand Teton Storage employee acknowledged that a mistake had been made and the employee who improperly disposed of the records will face disciplinary action.  Idaho Department of Health and Welfare eventually recovered and secured the records.

23

The breach occurred in Florida and the location listed is that of CCS Medical's headquarters.

An employee reported that another employee appeared to have been misusing patient information.  The dishonest employee may have accessed, recorded, and disclosed Social Security numbers and other personal information for the purpose of obtaining fraudulent tax returns.  The employee was reported on September 20 and the possibility that the employee had engaged in dishonest behavior was confirmed on October 17.  Patient information that was maintained by CCS Medical between May 1, and September 21, 2012 may have been accessed.  Notifications were sent to patients on December 7, 2012.  

At least 23 New Hampshire residents may have been affected.  The total number of affected patients nationwide was not reported.

Unknown

An electronic device was stolen from the home office of an employee of Bally Technologies.  The electronic equipment contained names, Social Security numbers, driver's license numbers, and bank account information.  The equipment may have been stolen for its resell value rather than the value of the information.

Unknown

Fairfax County Public Schools discovered that student names, ID numbers, grades, and other information were posted online.  Students enrolled in 9th, 10th, and 11th grade were affected.  The information may have only been available for a day before Fairfax County Public Schools began the process of removing it from online.  

Unknown

The theft of a hard drive from the office of an unnamed independent contractor resulted in the exposure of sensitive information.  The theft occurred on either October 13 or 14 of 2012 and Workers United learned of the issue on October 25.  A database with former Workers United member names and Social Security numbers was on the hard drive.

Unknown

Customers who used payment cards in several store locations discovered fraudulent charges on their debit and credit cards.  It is unclear if a breach affected the physical machines in the stores or if the payment processing system was hacked.  The company discovered the issue on December 4 and an investigation revealed that the intrusions began on November 7, 2012.  Anyone who used their payment card in a store between November 7 and December 5 of 2012 should closely review their financial statements.  Customers are also warned to be suspicious of phishing emails or phone calls.  Customers should not give their information out over the phone or respond to emails asking for sensitive information.

480 (No SSNs or financial information reported)

Over 480 registered medical marijuana patients received an email from the New Jersey Department of Health.  The email instructed them not to call New Jersey or the dispensary in Montclair to make an appointment.  The email did not hide the email addresses of the recipients.

30

A staffing manager collaborated with the owner of A Caring Hand Home Health Care Services, Inc. (A Caring Hand) to hide Medicaid fraud.  Between January of 2008 and October of 2011 the owner of A Caring Hand submitted about 900 fraudulent Medicaid claims for payment for services provided to 30 Medicaid recipients.  The Medicaid recipients never received those services and around $630,000 was fraudulently obtained by the owner of A Caring Hand.  The staffing manager and other staff members falsified office records at A Caring Hand to cover up the fraud between September 2010 and October 6 of 2011.  The staffing manager was sentenced and the owner of A Caring Hand will be sentenced in January of 2013.

Unknown

Western University of Health Sciences' BanWeb Self-Service Federal Work Study reports were accessible to people who used BanWeb with a Western University of Health Sciences user ID and password.  The reports contained names, Social Security numbers, and direct deposit bank account information in some cases. The information was available for an unspecified amount of time. Western University of Health Sciences conducted an investigation and reported that there was no reason to believe sensitive information was accessed by unauthorized BanWeb users.  Western University of Health Sciences disabled access to the reports after learning about the breach on November 14. Notifications were sent on December 18.

Unknown

A laptop was discovered lost or stolen on November 5, 2012.  The possible theft is presumed to have taken place sometime around October 31, 2012.  The laptop may have contained employee names, Social Security numbers, addresses, and dates of birth.

Unknown

CruiseOne and Crusies Inc. are affiliated with WTH and also mailed notifications to their customers.

An unauthorized party accessed WTH's booking system by misusing the log-in credentials of an authorized user.  Encrypted credit card numbers and expiration dates that were stored and could be decrypted in the system were exposed.

Unknown

The owner of EZ Step and an employee were both charged with conspiracy to commit health care fraud.  They were also charged on multiple counts of health care fraud.  The charges come from allegations that the two people sought reimbursement by forging physician signatures, fabricating prescriptions and equipment orders, forging patient signatures on delivery forms to misrepresent prescription medication and durable equipment deliveries, and altering valid prescriptions between 2005 and 2007.  Arrests were first made in July of 2011.

Unknown

At least 36 Walgreens stores in San Diego County had violations.  Over 600 Walgreens stores in California counties such as Alameda, Riverside, Los Angeles, San Joaquin, Solano, Monterey, and Yolo were also involved in the lawsuit.

Walgreens was ordered to pay $16.57 million as a part of a settlement of a civil environmental prosecution.  Walgreens was accused of illegally dumping hazardous waste as well as confidential customer medical information.  It is unclear what type of customer medical information was mishandled.

UPDATE (12/13/2012): The civil enforcement lawsuit was first filed in Alameda County in June of 2012.  It was the result of investigations that took place in San Diego County in the summer and fall of 2011. Investigators discovered that "Walgreens routinely and systematically sent hazardous waste to local landfills and failed to take measures to protect" customer medical privacy.

Unknown

A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts.  The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located.

Unknown

Wilton learned that a malicious user was able to view user information between July 19 and October 2 of 2012.  The user had added a file to a computer server that hosts www.wilton.com and www.copco.com.  Names, addresses, telephone numbers, and payment card numbers, expiration dates, and security codes may have been accessed.  The discovery was made sometime around October 31 and notifications were sent on December 10.

The malicious user was unable to access payment card information between October 2 and the discovery of the breach on October 31 because Wilton changed its payment processing system on October 2.  Wilton took additional security measures after learning of the breach on or around October 31.

Unknown

A December 1 office burglary resulted in the theft of an unencrypted computer.  The computer contained files that included current and former Mt. Diablo Unified School District employee names, Social Security numbers, dates of birth, and addresses.  People who were employees between 1998 and 2010 may have been affected.

8,300

A University laptop was stolen from an employee's locked car.  Pepperdine learned of the theft on November 12, 2012.  The laptop may have contained names, Social Security numbers, addresses, and/or dates of birth.

UPDATE (12/11/2012): As many as 8,300 people may have been affected.  The laptop had been used for work related to the IRS and contained data from as far back as 2008.  About 75 percent of the people affected were students.

Unknown

The October 10 theft of a laptop resulted in the exposure of sensitive information.  A WeiserMazars employee had a laptop stolen that contained names, Social Security numbers, and in some cases, addresses, dates of birth, 401(k) information, and payroll information for Accume Partner 401(l) Plan participants.  WeiserMazars audits the statement of net assets available for Accume Partner's 401(k) plan.  WeiserMazars notified Accume Partners on October 31 and Accume Partners sent notifications to those who may have been affected on November 16.

Unknown

A laptop computer was discovered lost or stolen.  It contained a spreadsheet of patient names, dates of birth, health plan ID numbers, and diagnosis information.

Unknown

A concerned citizen investigated a pile of documents next to a dumpster.  The documents contained names and Social Security numbers.  A local news team responded to the story and contacted a representative from West Pittsburgh Partnership.  West Pittsburgh Partnership began an investigation into how the job placement program documents dating back to 1992 were exposed.

Unknown

The November 15 office theft of several computers may have resulted in the exposure of current and former employee information.  PGS believes that the computers were stolen for their hardware and software value rather than the information they contained.  Some former and current PGS employees had their names, addresses, Social Security numbers, and possibly other types of information exposed.

6,300 (5 SSNs reported)

An unauthorized electronic intrusion may have affected up to 6,300 patients from Carolinas Medical Center-Randolph. The intruder accessed a provider's email account and could have obtained patient names, dates and times of service, dates of birth, diagnosis and prognosis information, medications, results, and referrals.  The Social Security numbers of five patients who had their Social Security numbers sent through or received by the email account may have also been obtained.

The issue was discovered on October 8 and the intruder is believed to have accessed emails from the account between March 11, 2012 and October 8, 2012.

Unknown

At least eight garbage bags that were left unattended on a dirt road contained sensitive documents.  A woman found the bags and reported the issue to a local news team.  The paperwork included credit applications with names, driver's license information, and Social Security numbers.  

14,000

Those who may have been affected may call 1-855-297-5064 for assistance from DHCS.

Names and Social Security numbers were discovered on the website of the Department of Health Care Services.  People who sent their information in order to become a provider of In-Home Supportive Services (IHSS) may have had their information exposed online between November 5, 2012 and November 20.  The issue was discovered on November 14 and was not fully addressed until November 20.  

The list should have only contained provider names, addresses, and provider types. It also contained Social Security numbers that were listed in the column for Provider Billing Numbers.  The Social Security numbers were not easily recognizable in this format.

UPDATE (12/11/2012): Nearly 14,000 people were affected.

416

A dishonest employee working in the billing department used her position to access account information.  She scanned checks and identification information from the LSU hospital system database and passed them on to at least four women.  The scheme was discovered when the four women were allegedly caught on camera making purchases with fake checks.  Handwritten Social Security numbers, check and ID card printing items, computers, and copies of scanned checks were found when the womens' homes were searched.

At least seven people face charges that include identity theft, conspiracy to commit identity theft, conspiracy to commit monetary abuse, and possession of fraudulent documents for identification purposes.  The dishonest employee was charged with 377 counts of identity theft.

UPDATE (01/02/2013): LSU Health notified 416 patients after a hospital employee discovered fraudulent activity on her checking account.

1,017 (No SSNs or financial information reported)

The theft of a network server on or around September 18 may have resulted in the exposure of sensitive patient information.  A notification was sent to the US Department of Health and Human Services (HHS) on November 16.

638 (No SSNs or financial information reported)

An unauthorized disclosure of paper records may have exposed patient information.  The breach may have taken place between May 1, 2011 and August 5, 2011.  It was discovered or reported on November 16 of 2012.

955 (No SSNs or financial information reported)

The theft of paper records may have resulted in the exposure of patient information.  The theft may have occurred on August 13, 2012 and was reported or discovered on November 16, 2012.

1,846 (Unknown number of SSNs)

A handheld electronic devices used by Continuum pharmacists was discovered missing on October 5.  The device was not encrypted and contained patient names, addresses, diagnoses, medications, and health insurance identification numbers.  Some health insurance identification numbers were Social Security numbers or contained Social Security numbers.  Patients who received services from Continuum during the month of September 2012 and potential patients who were referred to Continuum between August 2007 and September 2012.  Notifications were sent on November 30.

566

A dishonest volunteer was caught passing patient information to people who used it to file fraudulent tax returns.  The volunteer used his smart phone to capture patient records while working in an emergency room.  Around 1,200 photos of 566 patient records were found on his phone. The breach was discovered when three men were caught using free wi-fi at McDonald's to file fraudulent tax returns in March.

UPDATE (01/11/2013): Jackson Health banned volunteers from using cell phone in patient areas in order to prevent similar events from occurring.

Unknown

Someone discovered card skimming devices at an ATM near a gift shop of the Inova Fairfax Hospital Cardiac Care Center and at an ATM next to the Inova Fair Oaks Hospital cafeteria.  One device was discovered by a hospital employee who attempted to use the ATM and witnessed the skimmer fall from the ATM.  A skimming device was previously discovered at the same Inova Fairfax Hospital Cardiac Care Center ATM in September.  It is unclear how long the devices were there and people who used them are urged to check their financial statements.

45

Three people were arrested for their roles in filing 225 fraudulent tax returns.  They face charges of conspiracy, theft of government property, and aggravated identity theft.  About $555,000 in refund money was obtained.  One of the defendants worked at Florida Hospital Tampa through a maintenance and housekeeping company.  Information came from a variety of medical centers in California and Florida.  There was an incident where the dishonest worker provided her co-conspirators with a list of names and Social Security numbers from patients seen at Florida Hospital Tampa on January 17 of 2012 and another incident where ER patient names, Social Security numbers, and other information was stolen from Crothall Healthcare in January.  

Unknown

A referral document containing sensitive information was accidentally sent in an email to an unauthorized recipient.  Patient names, Social Security numbers, dates of birth, addresses, and health concerns were sent to a county social worker. The county social worker deleted the sensitive email and any other existing copies of the document were securely deleted from the network.  

The WestCoast Children's Clinic will not provide referral forms to outside agencies in order to protect against future inadvertent sharing of private information.  Disciplinary actions will also be taken against the employees involved in the privacy breach.

Unknown

Sensitive patient and employee records were left unsecured in the abandoned medical center.  A November 10 auction of office equipment and computers was held in the medical center, but one person reported seeing piles of sensitive documents and being able to access sensitive items like badges of former employees. The person provided pictures of personnel records and other items that should have been secured. A representative speaking on behalf of those responsible for safeguarding private information responded that the pictures were taken behind an area that had been secured with a rope. Additionally, the person claims that one of the computers that was purchased at the auction still contained sensitive information.

1,100 (No SSNs or financial information reported)

Patient information was exposed by the accidental disposal of paper jackets with old radiology films.  Patient information such as name, address, age, date of birth, race, sex, name of radiology procedure and radiology procedure date was exposed.  The paper jackets were sent to a local landfill.

Unknown

El Centro Regional Medical Center is claiming that they were defrauded by an unnamed company.  The company was responsible for digitizing El Centro Regional's x-rays, but never returned the digitized version.  The process should have been completed by the end of July.  The original x-rays were most likely taken and destroyed to extract silver.

Unknown

Information from certain ambulance agencies was inappropriately accessed and disclosed.  Patient account information such as names, Social Security numbers, dates of birth, and record identifiers were exposed by a dishonest ADPI employee. ADPI learned of the breach on October 1. The dishonest employee was fired and apprehended by authorities.

UPDATE (12/04/2012): The former ADPI employee stole information associated with Grady EMS ambulance service. About 900 Grady EMS patients had their information exposed between June 15, 2012 and October 12, 2012.

UPDATE (01/05/2013): A detailed list of the organizations and number of people who were affected is available on phiprivacy.net here: http://www.phiprivacy.net/?p=10825

UPDATE (03/08/2013): Osceola County EMS released a notification in March of 2013 here: http://tinyurl.com/a335kak

UPDATE (03/14/2013): The Yuma, Arizona Fire Department was also affected by the breach.  ADP handles the billing for Yuma's emergency medical services.  Names, Social Security numbers, dates of birth, and record identifiers may have been accessed.

1,370 (No SSNs or financial information reported)

A burglary sometime around October 1 may have resulted in the exposure of patient names, Social Security numbers, phone numbers, addresses, dates of birth, health conditions, medications, and other health information.  The information was in a locked room that was accessed, but it appears that none of the paper records were stolen.  Thieves took a television and other items. 

Unknown

A bag of personal items and back-up media cartridges from Soundental was stolen from an employee's car on September 24.  The back-up cartridges had patient names, addresses, treatment records, and dates of birth.  Social Security numbers were also exposed in some cases.  The cartridges had been scrambled to prevent easy access.

Unknown

A November 26 office burglary may have resulted in the theft of patient records.  A safe with computer disks and a laptop computer were stolen.  It is unclear if either contained sensitive patient information.  The burglars were in the office for 15 minutes and may have taken or viewed sensitive patient information in other areas.

1,500 (No SSNs or financial information reported)

Anyone who was a patient at UAMS and had surgery or was seen by a neurosurgeon from January 2010 to June 2010 may call UAMS toll-free hotline at 888-729-2755 to learn if they were affected by the breach.

A former resident doctor kept the personal information of about 1,500 patients as part of a lawsuit she filed against UAMS.  She also claimed to have kept the information for research purposes.  UAMS became aware of the issue on October 9 when the former resident doctor used the documents as part of her lawsuit.  UAMS learned that she kept additional documents on November 7 and had provided them to UAMS attorneys on June 25. Some patients had their names, addresses, dates of birth, medical record numbers, and dates of service exposed.  Other patients had their ages, locations of care, dates of service, diagnoses, medications, surgical procedures, procedure names, and lab results exposed.

1,818

Those with questions may call Pinnacle at (855) 477-6879.

A laptop taken from an employee's home on October 11 contained sensitive information.  It contained names, Social Security numbers, driver's license numbers, credit card numbers , and other personal information.

500

The November 6 theft of an unencrypted laptop may have resulted in the exposure of employee Social security numbers.  It is unclear if other types of information were also exposed.  A total of 500 employees may have been affected.  

Unknown

An employee left sensitive loan application documents in a vehicle while at the gym.  The documents were stolen and included loan applicant tax returns. The breach occurred in September.

Unknown

An unencrypted flash drive was discovered lost or stolen on September 25.  It contained patient names, Social Security numbers, dates of birth, health insurance information, diagnoses, and progress notes.  The information came from patients who participated in the St. John Sports Medicine Program and were treated between January 1, 2011 and July 31, 2012.

940 (No SSNs or financial information reported)

Scripps College is located in Claremont, California and the theft took place in Anaheim, California.

Sensitive records were stolen from a tote bag in a staff member's vehicle on the night of November 18.  The records included names, dates of birth, cell phone numbers, email addresses, and emergency contact information.

2,700

An employee disclosed personal information about workers compensation claimants between October 2011 and March 2012.  Workers compensation claimants who received spinal surgery in Southern California between 2004 and 2011 or had urinalysis testing, diagnostics or medical services performed in California between 2006 and 2011 may have had their information exposed.

It does not appear that Social Security numbers or other identifying information exposed were used to compromise the security, confidentiality, or integrity of the personal information. 

UPDATE (11/23/2012): About 2,700 workers' compensation claimants were affected.

617

A hacker gained access to the ATS system and may have accessed financial information.  The attack was discovered on August 1 and financial information was immediately removed from the ATS online system.  

1,000,000

Affected Georgia consumers may call 1-800-760-1125. Other consumers with questions may call 1-800-656-2298.

A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3.  The attack was discovered on the same day and contained.  On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen.  Affected parties were identified on November 2 and notifications were sent on November 16.

UPDATE (11/20/2012): At least 28,000 people in Georgia were affected.  The total number of affected people is not known.

UDPATE (12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188.  Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.

683

The office theft of a laptop resulted in the exposure of patient information.  A spreadsheet with sensitive information that could be easily accessed was on the stolen laptop. It is unclear what type of information was exposed, but Social Security numbers, addresses, and medical information were not involved.

UPDATE (12/21/2012): A Health and Human Services (HHS) notice reveals that the theft occurred on October 1.  A total of 683 patients were affected by the breach.

250

At least four people were involved in an identity theft ring that affected over 250 people.  One member of the ring was employed by Highlandtown Community Health Center and provided personal and financial patient information that he accessed through his position. The information was used by other ring members to create counterfeit checks and fraudulent state identification cards. The fraud occurred between August and October of 2009.

Another member of the ring was employed by Johns Hopkins Hospital and provided the information of doctors who applied for fellowships there.  Several ring members rented apartments under the identities of doctors. Two of the members pleaded guilty to conspiring to commit wire fraud and aggravated identity theft.  The four members of the ring are required to collectively pay restitution for fraudulently obtained cash, merchandise, and services worth over $188,000.

230 (No SSNs or financial information reported)

A hacker released the names, email addresses, and encrypted passwords of 230 members of Adobe's company database.  The hacker claimed to have access to over 150,000 records.  Adobe announced that it would reset approximately 150,000 passwords of members of the Connectusers.com site.

UPDATE (11/14/2012): The 230 people who were affected also had their titles, affiliated organizations, and usernames exposed.  A number of those affected were associated with U.S. government agencies such as the Department of Transportation, the Department of Homeland Security, the U.S. State Department, and the Federal Aviation Administration.

Unknown

An employee may have performed unauthorized searches on clients.  The employee is no longer with the company.  Names, Social Security numbers, addresses, dates of birth, and driver's license numbers may have been exposed.  The potential breach was discovered in July and clients were notified in October after their contact information was confirmed.

10,000 (No SSNs or financial information reported)

An October 31 theft of a NASA laptop and sensitive NASA documents from an employee's locked car resulted in the exposure of employee information.  Contractors and other non-employees associated with NASA were also affected.  Employees are encouraged to be suspicious of communication from individuals claiming to be from NASA. It may take up to 60 days to send official notifications to those who were affected.

UPDATE (12/14/2012): Up to 10,000 employees and people associated with NASA may have been affected.  

1,200 (No SSNs or financial information reported)

The sensitive information of Chicago voters was exposed online due to a mistake by the election authority. A database that included names, the last four digits of Social Security numbers, addresses, and drivers license numbers was accidentally placed online in a publicly accessible place.  Only people who applied to work for the board in Chicago polling places on Election Day were determined to have been affected.  

A forensic investigation firm believes that as many as 1.7 million registered voters had their names, addresses, and voter registration numbers exposed. However the Chicago Board does not believe that information should be considered sensitive.

Unknown

A hacker accessed the e-commerce site labelmaster.com.  Customer names, addresses, credit card numbers, and credit card expiration dates were exposed.  

100,000

The September 23 theft of an employee's unencrypted laptop resulted in the exposure of information of over 100,000 patients.  The laptop was stolen from the employee's home.  Names, Social Security numbers, addresses, and diagnosis information of patients taking drugs to prevent blood clots were exposed. Alere became aware of the breach on October 1.

13,000 (No SSNs or financial information reported)

A network security incident resulted in the expose of patient information.  The breach occurred on August 17.

UPDATE (11/26/2012): An employee accessed and downloaded patient information without authorization or a legitimate purpose on five occasions between June 29 and September 20 of 2012.  Gulf Coast Health Care Services discovered the issue on September 26.  Patients who were seen between 1992 and September 20, 2012 may have had their names, addresses, dates of birth, and phone numbers accessed.  It appears that the employee was accessing the data for the purpose of helping outside practitioners recruit patients to their own practices.  The incident was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. 

This entry on the Privacy Rights Clearinghouse Chronology of Data Breaches was previously listed as a hack and was reclassified as an insider breach based on new information.

2,376 (No SSNs or financial information exposed)

A device with patient information was discovered lost or stolen on August 15.  

Unknown

The Bob Ward & Sons website was hacked on June 6, 2011.  Customers who made online purchases between May 31 and August 3 of 2012 may have had their names, addresses, and credit card information exposed.  Ward became aware of the issue when he received a notice from Discover that revealed some customers had experienced fraudulent charges.  

6,400 (No SSNs or financial information reported)

Concerned patients may call 1-866-283-9930

Laboratory reports for about 6,400 patients were discovered missing.  The reports contained bill processing information and charges for laboratory services.  Patients who had lab work done between May 1, 2012 and August 31, 2012 had their names, Memorial internal account numbers, lab work dates, and types of lab work exposed.

Unknown

An unauthorized person may have gained access to the computer network that supported certain 4Access terminals.  These terminals were connected to a computer network that allowed merchant transaction processing.  The unauthorized entry was discovered on September 24.  Check processing information stored in the network such as check writer's name, checking account and routing numbers, address, and driver's license number may have been accessed. No credit card information was exposed.  

14,004 (Unknown number of SSNs)

WomenandInfants.org posted a notice: http://www.womenandinfants.org/news/Confidentiality-Notice-for-Patients.cfm

Those with questions may call 1-877-810-7928.

Unencrypted backup tapes containing ultrasound images from ambulatory sites were discovered missing on September 13.  The information was from Providence, Rhode Island between 1993 and 1997 and New Bedford, Massachusetts between 2002 and 2007.  Patient names, dates of birth, dates of exams, physicians' names, and patient ultrasound images were exposed.  A limited number of current and former patients also had their Social Security numbers exposed. Notifications began on November 5.

UPDATE (11/10/2012): A total of 14,004 patients were affected.

508

The August 31 theft of a briefcase from the home of a contractor resulted in the exposure of nursing home residents.  The briefcase contained names, Social Security numbers, Medicaid recipient numbers, and dates of birth.  

1,000 (No SSNs or financial information exposed)

A hacking spree resulted in unauthorized access to the ImageShack server and a Symantec portal. Names, phone numbers, emails, domains, passwords, usernames, and other information were exposed.

2,000

Names and Social Security numbers of people associated with Cornell were publicly available for five days.  The information was on a computer in Cornell's athletics department and was accidentally placed online from September 5, 2012 until September 10, 2012.

Unknown

Sensitive staff information on a database file was found to have been accessible to all SVSP staff.  Staff names, Social Security numbers, phone numbers, addresses, and institutional-position information were exposed.  The breach was discovered on September 26 and it is unclear how long the information was available.

Unknown

An employee resigned and left with customer account information.  Names, Account numbers, account types, and phone numbers may have been exposed.  The breach occurred in late July.

Unknown

Those with questions may call 866-578-5413.

A Kaiser Permanente Northern California Region Recruitment employee mistakenly sent an email to unauthorized parties on August 24.  Former Northern California Kaiser employees who left Kaiser between 1990 and 2006 may have had their names and Social Security numbers exposed. Kaiser IT Security conducted a detailed analysis to confirm that the recipient did not forward or print the email. The analysis also revealed that the email had been deleted and could no longer be accessed.

3,600

A dishonest employee was arrested and fired in March after stealing patient information from Massachusetts Eye and Ear Infirmary.  The former employee opened fake accounts to avoid paying for electricity. The investigation began in January when one of the victims noticed that her Social Security number had been used to open an account.  Names and dates of birth were also compromised.

847

A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011.  The Bank's online account with Experian was then used to download the credit reports of 847 people.  Social Security numbers, dates of birth and detailed financial data were exposed.

32

An Optimum HealthCare claims specialist stole the personal information of at least 32 clients.  The documents information was later found on a man who was arrested after a traffic stop in 2011.  The man who was arrested never worked for Optimum and the dishonest employee who stole the documents is believed to have separated from Optimum.

34

An unauthorized party gained access to a physician's identity in order to view patient records.  A fraudulent account was created under the doctor's identity in the Washington medical system.  Medical information such as drugs dispensed and quantity dispensed may have been accessed before the fraudulent account was shut down.

Unknown

A dishonest employee misused sensitive information in a State Department database to obtain fraudulent credit cards.  He was part of a conspiracy sometime during his employment between September 2007 and March 2008.  The group of conspirators successfully obtained $71,774 and attempted to obtain an additional $133,494 in fraudulent transactions.  The dishonest employee pled guilty to conducting illegal transaction with credit cards and agreed to pay $71,774 in restitution.

Unknown

A notice from The United States Attorney's Office Middle District of Alabama can be found here: http://www.justice.gov/usao/alm/programs/vwa/victimnotification.html

An alert stating that the United States Attorney's Office is prosecuting cases related to the theft of personal identifying information and misuse of that personal identifying information was released.  The information was stolen between January 1, 2009 and March 25, 2011.  People from various organizations may have had their information misused to prepare fraudulent tax returns.

6.4 million 

Citizens concerned about exposure may visit protectmyid.com/scdor and enter the code SCDOR123 or call 1-866-578-5422.

South Carolina Department of Revenue's website was hacked by a foreign hacker.  The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20.  Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.

UPDATE (10/31/2012): Tax records dating back to 1998 were exposed.  A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.

UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach.  Trustwave is an international company based in Chicago.

UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers.  It appears that Trustwave focused on helping the Southern Carolina Department of Revenue comply with regulations regarding how credit card information is handled.  Neither Trustwave nor the Southern Carolina Department of Revenue detected the breach.

UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed.  Additionally, 3.3 million tax payers had bank account information obtained.  It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million tax payers who had bank account information obtained.

UPDATE (01/11/2013): A State IT division director reported that the SCDOR's former chief information officer and current computer security chief were notified on August 13 that 22 computers were infected with malicious code.  The State's division of IT recommended that passwords be reset after the discovery, but they were not reset.

UPDATE (03/01/2013): A lawsuit brought against TrustWave and SCDOR by a former state senator has been dismissed by a judge.  The former senator accused the agencies of conspiring to hide the fact that a massive breach had occurred and failing to adequately protect taxpayers from a potential hack.

UPDATE (04/02/2013): About 1,448,798 people signed up for free individual credit monitoring and 41,446 signed up for free family credit monitoring.

600 (No SSNs or financial information exposed)

An employee noticed unusual activity on a computer on September 25, 2012.  It is possible that former and current members of the Waipahu Aloha Clubhouse had information on the computer that was remotely accessed by an unauthorized party.  Names, Social Security numbers, dates of birth, addresses, phone numbers, and consumer record numbers dating back to 1997 may have been exposed. Though the Clubhouse services people living with severe and persistent mental illness, no medical records were exposed.

Unknown

Two dishonest employees misused customer credit card information to make more than $26,000 in fraudulent purchases.  The two men face a maximum of 10 years in prison and a $50,000 fine for each of six counts of deceptive practices. The men were arrested on July 29.  

Unknown

Concerned customers may call 1-888-471-7809 or visit www.barnesandnobleinc.com

PIN pad devices used to process credit and debit card information in stores were compromised.  The breach was discovered around September 14 during maintenance and inspection of the devices.  Anyone who used a credit or debit card at a Barnes & Noble may have been affected by a sophisticated criminal effort to steal that information.  Names, payment card account numbers, and PINs may have been exposed.  Barnes & Noble removed all PIN pads. Fewer than 1% of the inspected PIN pads had been affected.

UPDATE (10/24/2012): A total of 63 Barnes and Noble stores in nine states had at least one compromised PIN pad device.  Malicious code was installed on the PIN pads.

Unknown

Two unencrypted backup tapes were discovered missing on September 10.  They were lost sometime between August 27, and September 10.  Names, Social Security numbers, financial account information, driver's license numbers, and transaction records were exposed.

Unknown

People who made purchases at Aultman Hospital's gift shop may call 330-363-5319.

Hardware at Aultman was discovered to have been infected by a cyber attack.  Unauthorized parties may have been able to access credit and debit card information from Aultman gift shop purchases between February and September of 2012.  

Unknown

A mailing error caused ID cards to be mailed to the wrong members.  The cards were mailed on September 17, 2012 and the problem was discovered on September 18, 2012.  Names, member ID numbers, and dates of birth were exposed.  

Unknown

Those with questions may call (559) 261-0185.

An office burglary resulted in the theft of a computer.  The incident was discovered on September 15, 2012.  Patient names and Social Security numbers were on the computer.

UPDATE (10/24/2012): The computer contained medical records and insurance information.

Unknown

An assistant police chief filed a complaint alleging that the chief of policed breached federal privacy law.  The complaint alleges that the chief of police received information about ambulance dispatches that was primarily intended for paramedics and other active first responders.  He also claims the chief of police forwarded the information to a third party.

Unknown

Compete Inc. reached an agreement with the Federal Trade Commission regarding the collection of consumer information. Compete agreed to obtain end users' consent before collecting future online browsing data.  Compete will also delete or anonymize consumer data already collected and provide direction for removing tracking software installed on the computers of those who had their data collected.

FTC charged that Compete failed to adequately describe two products used to collect details about end users' browsing habits.  A toolbar and input panel were used to collect extensive information about consumer activities and transmit the information in clear readable text to Compete's servers.  All websites visited by, links followed by, and advertisements displayed to Compete consumers were collected and stored.

800 (25 cases of sensitive payment or SSN information)

Patients with questions or concerns about their information may call Sierra Plastic Surgery's hotline at (866) 979-2596.

A computer system error caused sensitive information to be exposed.  The breach occurred sometime between August 19, 2011 and September 20, 2011.

UPDATE (11/28/2012): It appears that the breach was related to a terminated employee who could still access Sierra Plastic Surgery's network after leaving the company.  The former employee accessed Social Security numbers, personal contact information, payment information, and other sensitive information in less than 50 instances.  It also appears that some copies of patient surgery estimates were printed and subsequently surrendered by the former employee when the breach was discovered in August of 2012.  The former employee was seeking information on compensation owed.

4,873 (No SSNs or financial information reported)

The July 15 theft of an electronic device exposed patient information.

5,713 (No SSNs or financial information reported)

A vendor working with patient data for digital conversion from Colon & Digestive lost a flash drive on or around July 16.  It contained patient names, Social Security numbers, dates of birth, addresses, telephone numbers, account numbers, diagnoses, and other protected health information.

Unknown

Hackers targeted the U.S. National Weather Service website Weather.gov in an attempt to exploit vulnerabilities in U.S. government online systems.  The hackers claim to have begun a campaign in response to U.S. cyber attacks in Muslim nations.  Partial login credentials and system and network configuration files were accessed and posted online.

28 (No SSNs or financial information exposed)

Hackers were able to guess the answers to student account challenge questions.  The email account passwords of at least 28 students were reset and their account information was most likely accessed. The hackers may have been based in Beijing and most likely gathered the information needed to pass the challenge questions from information on the students' Facebook pages.

27,000 (5,000 SSNs reported)

A password-protected laptop was stolen from an employee's home on August 25.  It contained two groups of patient data.  Patient names, dates of birth, responsible party names, patient addresses, physician names, and billing information for 22,000 patients were on the laptop. An additional 5,000 patients had similar information exposed as well as their Social Security numbers and other non-medical information.

Unknown

Sensitive information from Southern Environmental Law Center was placed online.  Credit card, medical, and donor information such as addresses, phone numbers, and client files were exposed.  The data was accessible via Google search for an unspecified amount of time.  Southern Environmental Law Center is warning people not to open emails about the security failure or click on any links in emails that appear to be from Southern Environmental Law Center.

8,500

The passwords of two University of Georgia (UGA) IT employees were reset and misused by an intruder.  Names, Social Security numbers, and other sensitive data of current and former school employees may have been exposed. The breach may have begun as early as September 28, 2012.

23,000 (No SSNs or financial information exposed)

People who applied online at www.applitrack.com for a job in District 202 may have had their information accessed by a hacker.  The hacker sent messages to former and current job applicants and informed them that the Plainfield School District 202 website was breached. 

UPDATE (10/19/2012): A 14-year-old Joliet West High School student was removed from class and taken to a juvenile detention center for his alleged involvement in the breach.

Unknown

A hacker or hackers managed to transfer $400,000 in city funds to accounts across the country. The cyber attack occurred sometime between Tuesday night and Wednesday morning.  City employees may have also had their direct deposit bank account information compromised.

100

An office burglary that occurred on October 10 resulted in the exposure of customer information.  Paper documents that contained credit card numbers, addresses, and other personal information were taken.

Unknown

Those with questions may call 1-800-971-5875.

A cyber breach affected Korn/Ferry databases.  Names, Social Security numbers, driver's license numbers, government-issued identification numbers, credit card numbers, and health information may have been exposed.  The information may have been available to unauthorized parties for months before the breach was discovered in August of 2012.

400 (Unknown number of SSNs)

An employee transported a hard copy of sensitive employee documents home.  The employee is not believed to have took the information for fraudulent or criminal activity.

Unknown

The August 29 theft of a laptop resulted in the exposure of employee information.  Employee names, Social Security numbers, information related to taxpayer I.D., dates of birth, home addresses, and employment information such as salaries were exposed.

363 (No SSNs or financial information reported)

The CMS experienced 13 breaches between September 23, 2009 and December 31, 2011.  The CMS failed to notify beneficiaries of seven of the breaches in a timely manner.  The HHS's Office of the Inspector General (OIG) also alleges that the notifications mailed to beneficiaries did not disclose what type of information had been exposed, the date the breach occurred, or how CMS was working to prevent future breaches.

Unknown

Litton and Giddings' janitorial service, PST Services, failed to shred patient billing records before sending them to a Springfield recycling company.  The records may have been viewed by unauthorized parties before being destroyed at the recycling center.  

279,000 (At least 200,050 SSNs exposed)

An internal review revealed a hack of Northwest College servers.  One or more hackers accessed at least one folder in the server between May 21, 2012 and September 24, 2012.  Over 3,000 employees, 76,000 Northwest College student records, and 200,000 students eligible for Bright Future scholarships in 2005-06 and 2006-07 were affected.  Bright Future scholarship data included names, Social Security numbers, dates of birth, ethnicity, and genders.  Current and former employees that have used direct deposit anytime since 2002 may have had some information exposed. At least 50 employees had enough information in the folder to be at risk for identity theft.

100,000 (No SSNs or financial information exposed)

A hacker or hackers accessed PlaySpans computer system.  User IDs, encrypted passwords, and email addresses of online players were exposed.  Users are advised to immediately change their passwords and also any similar passwords for other logins associated with compromised email addresses. PlaySpan Marketplace may have also been affected and could be linked to user financial information.

17,000

Equifax settled charges with the Federal Trade Commission after it was discovered that Equifax Information Services improperly sold lists of consumer data.  People who were late on their mortgage payments had their information sold to firms that should not have received the information and subsequently resold it to other firms.  Equifax agreed to pay nearly $1.6 million to resolve charges that it violated the FTC and Fair Credit Reporting Acts. The settlement prohibits Equifax from providing prescreened lists to unauthorized parties, having poor procedures for releasing prescreened lists, and selling prescreened lists in certain circumstances.

260,000

Two data backup tapes were lost during shipping in late March 2012.  The tapes included customer names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers.

UPDATE (10/13/2012): A total of 260,000 customers from Maine to Florida were notified.  

Unknown

A pile of thousands of documents were found in the street. Two bags were stuffed with financial information such as tax returns with Social Security numbers. The information was found in the driveway of a model home that had been foreclosed in July 2011.

Unknown

There is no specific location for this breach.

The University of Texas, University of Colorado, University of Pennsylvania, Duke University, Rutgers University, University of Pittsburgh, University of Florida, Case Western Reserve University, Texas A&M University, Boston University, Purdue University, University of Arizona, Arizona State University, University of Utah, Ohio State College of Dentistry, and additional universities were affected.  Universities outside of the United States were also affected.

Each affected university is listed here: http://pastebin.com/AQWhu8Ek

A hacking group called Team GhostShell targeted universities around the world.  A total of 53 universities were affected.  Most of the data exposed was publicly available, but student, staff, and faculty usernames and passwords were also exposed. It is unclear if any financial information or Social Security numbers were taken from universities.

Unknown

A cyber intruder injected a virus into the website of the city of Naperville.  City officials claim that no resident credit card information was compromised.  There is no evidence that any type of information was stolen from the website.

Unknown

A September 14, 2012 home burglary resulted in the theft of a laptop.  The laptop was password-protected and was stolen along with other items.  Student names and Social Security numbers were on the laptop.  

12

A licensed clinical social worked accidentally attached confidential client information to an email that was forwarded to town council colleagues. A copy of her and her husband's 2011 income tax returns was also in the email. The email automatically became available to the public and the error was noticed nearly a week later.  Unfortunately, the email was also forwarded a second time to a public account.  Consequently, the information was publicly available for a week.  

Many of the affected clients were University of North Carolina students.  Names, Social Security numbers, clinical notes about client mental health, payment amounts, and insurance forms were exposed.

71,000 (Partial SSNs exposed)

Five password-protected laptop computers that contained personal information of registered voters in Robeson County were discovered stolen in September.  Voters had their names, addresses, dates of birth, and the last four digits of their Social Security numbers exposed.  The computers went missing between July 18 and September 4. They were most likely taken while outside of their normally secured area and left with unsupervised community volunteers.  Driver's license numbers may have also been exposed.  Those who were affected were mailed letters on September 12.

Unknown

Hackers accessed San Mateo Union High School District's computer system and attempted to use it to infiltrate FBI and CIA electronic systems. The District became aware of the problem when United States Naval Intelligence informed them that the District's servers had been compromised.  The hackers appear to have used additional organizations in their scheme.

Unknown

A dishonest intern stole personal information while working at the clinic.  The information was used to create and cash fraudulent checks and the dishonest intern pled guilty.

9,100

A postcard mailed to University of Chicago employees contained their Social Security numbers. The cards were mailed on September 24 to remind employees about open enrollment, but also had Social Security numbers printed on the outside.

518 (31 SSNs reported)

An army awards database was found to be available online.  The database was being handled by the defense contractor Brightline Interactive and was mistakenly uploaded to a public server at an unknown time.  Those who received awards for actions since September 11, 2001 were affected.