"Date Made Public","Company","City","State","Type of breach","Type of organization","Total Records","Description of incident","Information Source","Source URL","Year of Breach","Latitude","Longitude" "October 21, 2009","Bullitt County Public Schools","Shepherdsville","Kentucky","DISC","EDU","676","A Bullitt County Public Schools employee accidentally sent an e-mail message to about 1,800 school district workers that included the names and Social Security numbers of 676 district employees. The employees were identified as not having completed the district's 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete the process.","Dataloss DB","","2009","37.988399","-85.715792" "October 21, 2009","Roane State Community College ","Harriman","Tennessee","PORT","EDU","14,783","Roane State Community College has announced that the names and Social Security numbers of 9,747 current or former students were on a data storage device stolen from an employee's vehicle, along with 1,194 current/former employees' information. The Social Security numbers alone, with no names, were also stolen for 5,036 additional current or former students. The data was on a 4GB USB drive used for work-related purposes. An employee took it home to do work after hours, and left it in the car. The employee forgot to lock the car doors. 
The USB drive was stolen along with a personal hand-held device.","Dataloss DB","","2009","35.933964","-84.552436"
"October 15, 2009","Halifax Health","Daytona Beach","Florida","PORT","MED","33,000","A laptop computer, which might have contained password-protected patient information, was stolen from a Halifax Health employee's vehicle in Orange County.","Dataloss DB","","2009","29.210815","-81.022833"
"October 4, 2009","Suffolk Community College","Selden","New York","DISC","EDU","300","Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month.","Dataloss DB","","2009","40.866487","-73.035663"
"September 28, 2009","Penrose Hospital","Colorado Springs","Colorado","PHYS","MED","175","Officials at Penrose Hospital believe someone has stolen the personal information of 175 patients. The missing information consists of names, addresses, phone numbers, Social Security numbers and the reason for the patients' visits. The information was stored on a computer print-out and kept in a binder stored in a cabinet. The print-out has gone missing.","Dataloss DB","","2009","38.833882","-104.821363"
"September 23, 2009","Eastern Kentucky University","Richmond","Kentucky","DISC","EDU","5,045","The names and Social Security numbers of about 5,000 Eastern Kentucky University faculty, staff and student workers were posted inadvertently on the Internet last September, where they have been displayed for a year.","Dataloss DB","","2009","37.747857","-84.294654"
"September 22, 2009","Bernard Madoff Investors","Dallas","Texas","PORT","BSF","2,246","More than 2,200 Bernard Madoff investors are learning that some of their personal and financial information has potentially been breached after the theft of a laptop in Dallas.
The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors were contained in a computer stolen from the car of an employee of AlixPartners LLP.","Dataloss DB","","2009","32.802955","-96.769923"
"September 22, 2009","Sagebrush Medical Plaza/Kern Medical Center","Bakersfield","California","PHYS","MED","31,000","Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that contained confidential patient information. All patient information has now been moved to a location inside the clinic building.","Dataloss DB","","2009","35.373292","-119.018713"
"September 21, 2009","Rocky Mountain Bank","Pinedale","Wyoming","DISC","BSF","1,325","A customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all. The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information.","Dataloss DB","","2009","42.866610","-109.860986"
"September 14, 2009","University of Florida","Gainesville","Florida","DISC","EDU","25","In August, the University's Privacy Office was notified of a privacy breach after the discovery of an unprotected computer file containing 34 names and 25 Social Security numbers. It's believed the personal information belongs to trainers working with the Florida Traffic and Bicycle Safety Education program in 2006.
The file was immediately removed.","Dataloss DB","","2009","29.651634","-82.324826"
"September 14, 2009","Jones General Store/Root of the Hill","Boulder","Colorado","PHYS","BSR","0","Boulder police are investigating two burglaries on University Hill that could have compromised some local shoppers' personal and credit card information. A manager for Jones General Store called police to report an overnight break-in and theft of credit card receipts. A short time later, an owner of Root of the Hill, a business in the same building, called officers to report a break-in, theft and extensive vandalism.","Dataloss DB","","2009","40.014986","-105.270546"
"September 2, 2009","Bluegrass Community and Technical College","Danville","Kentucky","UNKN","EDU","100","A file containing the personal information, including Social Security numbers, of nearly 100 students at the Bluegrass Community and Technical College has been stolen.","Dataloss DB","","2009","37.645633","-84.772170"
"September 2, 2009","Naval Hospital Pensacola","Pensacola","Florida","PORT","MED","38,000","Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer. The computer's database contains a registry of 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information.","Dataloss DB","","2009","30.421309","-87.216915"
"August 21, 2009","University of Massachusetts","Amherst","Massachusetts","HACK","EDU","0","Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and a very limited amount of credit card information for graduates of University of Massachusetts. Hackers gained access to one server on the university's computer system, which held information of students who attended UMass between 1982 and 2002, as well as a few who attended before 1982.
A UMass spokesman declined to say how many people's records were exposed, except that it was a large number of undergraduate and graduate students who attended the university during the 20-year period.","Dataloss DB","","2009","42.380368","-72.523143"
"August 15, 2009","Northern Kentucky University","Highland Heights","Kentucky","PORT","EDU","200","A Northern Kentucky University employee's laptop computer, which contained personal information about some current and former students, was stolen from a restricted area. The personal information stored on the employee's computer included Social Security numbers of at least 200 current and former students.","Dataloss DB","","2009","39.033117","-84.451885"
"August 14, 2009","Calhoun Area Career Center","Battle Creek","Michigan","DISC","EDU","455","Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available.","Dataloss DB","","2009","42.321152","-85.179714"
"August 3, 2009","National Finance Center","Washington","District Of Columbia","DISC","GOV","27,000","An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed.","Media","","2009","38.895112","-77.036366"
"July 22, 2009","A Honolulu hospital","Honolulu","Hawaii","INSD","MED","0","In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV.
The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a computer as a class B felony. The defendant was employed by a hospital and had access to patient medical records.","Media","","2009","21.306944","-157.858333"
"July 14, 2009","Canyons School District","Cottonwood Heights","Utah","PORT","EDU","6,000","Canyons School District officials are investigating the disappearance of a thumb drive that contained the personal information of more than 6,000 current and recent employees. The USB flash drive is believed to have contained employee addresses, phone numbers, dates of birth and Social Security numbers. A district-level worker was using it to transfer data for apparently legitimate, job-related purposes.","Dataloss DB","","2009","40.619670","-111.810210"
"July 14, 2009","Leander School District","Leander","Texas","UNKN","EDU","0","School officials sent a notice home with special needs students to alert parents that someone gained access to private information. It appears that one individual gained unauthorized electronic access to confidential information.","Media","","2009","30.578806","-97.853069"
"July 9, 2009","Mountain Medical Center","Salt Lake","Utah","PHYS","MED","0","Names, credit card numbers and Social Security numbers were found in a dumpster. A man was throwing away some stuff in a dumpster and found it was chock full of medical records. There's everything in there from canceled checks to routing numbers, he said.
Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the documents, as they dug into the matter.","Media","","2009","40.760779","-111.891047"
"July 8, 2009","AT&T","Chicago","Illinois","INSD","BSO","2,100","A temporary employee for AT&T was arrested today on charges she stole personal information on 2,100 co-workers and then pocketed more than $70,000 by taking out short-term payday loans in the names of 130 of them.","Dataloss DB","","2009","41.850033","-87.650052"
"June 24, 2009","Florida Department of Revenue","Tallahassee","Florida","PORT","GOV","2,828","The names, addresses and Social Security numbers of about 3,000 people employed by a handful of state businesses were on a password-protected flash drive stolen from the car of a Florida Department of Revenue employee in Georgia. The people were current or past employees of six large corporations that are being audited by the state.","Dataloss DB","","2009","30.438256","-84.280733"
"June 24, 2009","Battle Creek City","Battle Creek","Michigan","DISC","GOV","65","Some Battle Creek city employees are getting free identity protection help after the mayor posted a document with personnel information to a public Web site. Information on city workers, including Social Security numbers, was listed on a city check registry that the mayor put online and linked to using his Twitter.com account. The registry is no longer online and the city has worked with law enforcement and Twitter to remove any archived references to the information.","Media","","2009","42.321152","-85.179714"
"June 23, 2009","Cornell University","Ithaca","New York","PORT","EDU","45,277","A stolen Cornell University computer has compromised the personal information of thousands of members of the University community.
The computer contains the names and Social Security numbers of current and former students as well as current and former faculty and staff members.","Dataloss DB","","2009","42.440628","-76.496607"
"June 18, 2009","Suncoast Schools Federal Credit Union","Tampa","Florida","HACK","BSF","56,000","Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud. It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised.","Media","","2009","27.947522","-82.458428"
"June 16, 2009","Redondo Beach Arco Gas Station","Redondo Beach","California","INSD","BSR","1,000","An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station, assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could implant a tiny, high-tech skimmer to steal customers' credit-card information. Armed with a fresh batch of personal-information numbers, the gang began draining thousands of Southern California bank accounts soon after Erick, the model employee who was by then entrusted with opening the station every day at 5 a.m., vanished in late April along with 1,500 packs of cigarettes, $1,000, a laptop, his employee application form - and the two digital video recorders used for surveillance.
The skimmer scam left a string of more than 1,000 victims, stretching from Santa Barbara to Newport Beach.","Media","","2009","33.849182","-118.388408"
"June 12, 2009","Kirkwood Community College","Cedar Rapids","Iowa","PORT","EDU","1,600","Someone took a storage device from a counselor's office in Iowa City. That device contained names and Social Security numbers for participants in the PROMISE JOBS program.","Dataloss DB","","2009","41.962501","-91.691847"
"June 5, 2009","Virginia Commonwealth University","Richmond","Virginia","STAT","EDU","17,214","A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.","Dataloss DB","","2009","37.542979","-77.469092"
"June 4, 2009","Maine Office of Information Technology","Augusta","Maine","PHYS","GOV","597","Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person. We received a print job and were running it, and there was an equipment malfunction, Thompson said. In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up.
Recipients received one page with their own information and another page with information belonging to a different person.","Dataloss DB","","2009","44.310624","-69.779490"
"May 27, 2009","Warren County Virtual Community School","Lebanon","Ohio","PHYS","EDU","140","Contractors installing fiber on a street near the school say they found a four-page list in a recycling dumpster when they went to dump some trash. The list had more than 140 students' names, addresses, Social Security numbers and birth dates listed. Their parents' names were on the list too.","Dataloss DB","","2009","39.435337","-84.202992"
"May 23, 2009","Indianapolis Department of Workforce Development","Indianapolis","Indiana","DISC","GOV","4,500","The Department of Workforce Development is notifying approximately 4,500 unemployment recipients concerning the accidental disclosure of their Social Security number to the incorrect employer. The release occurred during the printing of DWD's Statement of Benefit Charges by print vendor, Pitney Bowes Management Services Inc. This form is sent to companies listing those who are collecting unemployment benefits against that employer's account. The misprinted statements contained information from individuals who did not work for that company. Approximately 1,200 companies received incorrect statements.","Dataloss DB","","2009","39.767016","-86.156255"
"May 18, 2009","NJ Department of Labor and Workforce Development","Trenton","New Jersey","DISC","GOV","28,000","Unemployed New Jersey residents may have had their name and Social Security number accidentally delivered to an employer for which they did not work. The error occurred when department staff last month sent first-quarter reports to businesses that included a list of former employees receiving unemployment benefits. Because some companies had laid off a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by hand rather than by machine.
Some reports were placed in the wrong envelopes.","Dataloss DB","","2009","40.217053","-74.742938"
"May 18, 2009","Anderson Kia Car Dealership","Boulder","Colorado","PHYS","BSR","0","Police have chained up 10 recycling bins outside Boulder's now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership's former customers. Green recycling bins were piled full with folders, each headed with an individual's name. All of the folders contained Social Security numbers, driver's license information, photos, phone numbers and financial information for Kia customers.","Dataloss DB","","2009","40.014986","-105.270546"
"May 11, 2009","Office of the State Superintendent of Education D.C.","Washington","District Of Columbia","DISC","EDU","2,400","The D.C. agency that handles college financial aid requests accidentally e-mailed personal information from 2,400 student applicants to more than 1,000 of those applicants. An employee of the agency's Higher Education Financial Services Program inadvertently attached an Excel spreadsheet to an e-mail. The information included student names, e-mail and home addresses, phone and Social Security numbers and dates of birth.","Dataloss DB","","2009","38.895112","-77.036366"
"April 29, 2009","Oklahoma Housing Finance Agency","Oklahoma City","Oklahoma","PORT","GOV","225,000","A laptop computer containing the personal information of about 225,000 Oklahomans was stolen from a city home last week. The names, Social Security numbers, tax identification numbers, birth dates and addresses of clients of the Section 8 Housing Voucher Program were on an employee's laptop that was stolen.","Dataloss DB","","2009","35.467560","-97.516428"
"April 29, 2009","Illinois Department on Aging","Springfield","Illinois","DISC","GOV","170","A spreadsheet with worker names and Social Security numbers was found on the Internet.
The data, prepared for an outside auditing firm, was released to a so-called peer-to-peer network during a music transfer to an agency laptop. 160 employees and another 10 or so former staffers were alerted to the breach.","Dataloss DB","","2009","39.801717","-89.643711"
"April 27, 2009","Federal Reserve Bank of New York","New York","New York","INSD","BSF","0","A former employee at the Federal Reserve Bank of New York and his brother were arrested on suspicion of obtaining loans using stolen identities. The former employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer had applications for $73,000 in student loans using two stolen identities. They also found a fake driver's license with the photo of a bank employee who wasn't the person identified in the license.","Media","","2009","40.714269","-74.005973"
"April 23, 2009","Oklahoma Department of Human Services","Oklahoma City","Oklahoma","PORT","GOV","1,000,000","Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services.","Dataloss DB","","2009","35.467560","-97.516428"
"April 22, 2009","Marian Medical Center","Santa Maria","California","PORT","MED","3,200","Recent patients of the emergency room and Urgent Care Center have been alerted that a Blackberry containing patient information was stolen from the hospital.
The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories.","Dataloss DB","","2009","34.953034","-120.435719"
"April 22, 2009","New York State Tax Department","New York","New York","INSD","GOV","2,000","A former New York state tax department worker was accused of stealing the identities of thousands of taxpayers and running up more than $200,000 in fraudulent charges. The former employee gathered credit card, brokerage account and Social Security numbers that he used to open more than 90 credit card accounts and lines of credit between 2006 and 2008. When investigators searched the employee's home, they found more than 700 state tax forms containing identifying taxpayer information. They also found more than 300 birth certificates, more than 1,000 Social Security cards, credit card statements and applications, and some 2,000 notes with Social Security numbers, many accompanied by handwritten notes such as good prospect, had money and go with this one.","Media","","2009","40.714269","-74.005973"
"April 20, 2009","FairPoint Communications Inc.","Charlotte","North Carolina","PORT","BSO","4,400","A worker's failure to abide by security precautions caused a portable data-storage device containing employee information to disappear. The device contained information for all current FairPoint employees and some former employees, or about 4,400 individuals in total. Such data may have included names, home addresses and phone numbers, Social Security numbers, birth dates and certain compensation and employment information.","Dataloss DB","","2009","35.227087","-80.843127"
"April 16, 2009","MySpace","Los Angeles","California","INSD","BSO","0","Confidential employee information, including at least names, Social Security numbers and compensation, was taken by an employee in the company's benefits department without authorization, beginning in June 2008 or earlier.
The information was used to annoy selected individuals and the now former employee was arrested and is being prosecuted by the High Tech Crimes Division of the Los Angeles County District Attorney's Office.","Dataloss DB","","2009","34.052234","-118.243685"
"April 13, 2009","Moses Cone Hospital","Greensboro","North Carolina","PORT","MED","14,380","Moses Cone Hospital is offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a VHA employee's car. The information on the laptop included patients' Social Security numbers.","Dataloss DB","","2009","36.072635","-79.791975"
"April 12, 2009","CBIZ Medical Management Professionals","Chattanooga","Tennessee","STAT","MED","0","The office of CBIZ Medical was broken into on Feb. 23. Among the items stolen was a computer belonging to the hospital with stored radiology reports related to some patients. Patients between December 2007 and Feb. 23, 2009, may have had records saved on the stolen computer.","Dataloss DB","","2009","35.045630","-85.309680"
"April 11, 2009","Peninsula Orthopaedic Associates","Salisbury","Maryland","PORT","MED","100,000","As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits statements from their health insurance companies since they may also be at risk for medical identity theft. The records from Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility.
Patients' personal information including their Social Security numbers, employers and health insurance plan numbers may have been among the information stolen.","Dataloss DB","","2009","38.360674","-75.599369"
"April 10, 2009","Borrego Springs Bank, Vavrinek, Trine, Day and Co.","Borrego Springs","California","PORT","BSF","0","The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their personal financial information may be in the hands of criminals. The bank would not comment on the name of the accounting firm that was auditing the records or how or where the thefts occurred. The computer files contain sensitive personal financial information including account name, number and balance.","Dataloss DB","","2009","33.255872","-116.375012"
"April 9, 2009","Penn State Erie/Behrend College","Erie","Pennsylvania","HACK","EDU","10,868","On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer at Penn State Erie, The Behrend College, could have been breached. Longstanding security measures, designed to protect the network and systems from malicious software, alerted the University to the potential breach. As soon as the University became aware of the malicious software on this computer, the computer was immediately taken off line, data was examined and information was removed.","Dataloss DB","","2009","42.129224","-80.085059"
"April 8, 2009","Metro Nashville School/Public Consulting Group","Nashville","Tennessee","DISC","EDU","18,000","Metro Nashville students' names, Social Security numbers, addresses and dates of birth and parents' demographic information were available by searching Google. A private contractor unintentionally put student data on a computer Web server that wasn't secure. The data was available online from Dec.
28 to March 31.","Dataloss DB","","2009","36.165890","-86.784443"
"April 6, 2009","City of Culpeper","Culpeper","Virginia","DISC","GOV","7,845","Personal information for 7,845 town taxpayers was exposed on the Internet due to a vendor's mistake. The unidentified vendor had the records to reformat the town's personal property tax file for billing purposes. The files containing the names, addresses and Social Security numbers of residents were on a password-protected site that was compromised.","Dataloss DB","","2009","38.473182","-77.996664"
"April 8, 2009","Hawaii Department of Transportation","Kapolei, O'ahu","Hawaii","PORT","GOV","1,892","Holders of Hawai'i commercial driver's licenses are being warned to take measures to prevent identity theft after a state computer containing personal information was stolen three weeks ago. The laptop computer contained the names, addresses, Social Security numbers and other personal information of 1,892 commercial vehicle license drivers.","Dataloss DB","","2009","21.335403","-158.056892"
"April 3, 2009","Policy Studies, Inc., Tenn. Dept. of Human Services","Nashville","Tennessee","INSD","GOV","1,600","A former child support worker was arrested after attempting to sell the personal information - including names, Social Security numbers and bank account numbers - of 1,600 people. He sold a total of 35 names, dates of birth and Social Security numbers between October 2008 and last month, all to an undercover operative of the Tennessee Bureau of Investigation.
He claimed to the operative that he had similar information that he was willing to sell for an additional 1,500 people, and was arrested while meeting with the operative to deliver the information.","Dataloss DB","","2009","36.165890","-86.784443"
"April 1, 2009","Palo Alto Medical Foundation","Palo Alto","California","PORT","MED","1,000","A laptop computer recently stolen at the Palo Alto Medical Foundation's Santa Cruz office contained personal and medical information of 1,000 Santa Cruz County patients.","Dataloss DB","","2009","37.441883","-122.143020"
"April 1, 2009","State of Maryland","","Maryland","PHYS","GOV","8,000","The names, Social Security numbers and other personal information of about 8,000 state employees could be compromised. The potential problem came to light when a torn and empty envelope from the company that manages the state's health savings account program arrived by U.S. mail. The envelope was missing an invoice that contains confidential information.","","","2009","39.045755","-76.641271"
"March 27, 2009","Pacific University","Forest Grove","Oregon","PORT","EDU","0","A University-owned laptop was stolen from a staff member's residence. The stolen laptop was password protected and there is no factual evidence that any private information was stored on the laptop. The computer contained names and some personal information. It does not appear that any Social Security numbers were stored on the system.","Media","","2009","45.519836","-123.110663"
"March 23, 2009","Maryland Federal Court","Baltimore","Maryland","DISC","GOV","226","A filing error in Maryland's federal court resulted in health insurance information for 226 people - including 42 Social Security numbers - being made available to the public for more than two weeks. The private information of Washington area residents was included in requests for warrants to search the doctors' offices in Suitland, La Plata, Oxon Hill and Falls Church as part of a health care fraud investigation.
The warrants were marked as being sealed and, therefore, were not supposed to be made public.","Media","","2009","39.290385","-76.612189"
"March 19, 2009","Bailey Middle School","Nashville","Tennessee","PHYS","EDU","21","A Nashville mother who was walking along found confidential paperwork that lists Metro school students' names, Social Security numbers and disabilities. The Metro Schools spokeswoman said they will trace the documents and try to figure out how they got where they weren't supposed to be.","Media","","2009","36.165890","-86.784443"
"March 18, 2009","University of West Georgia","Carrollton","Georgia","PORT","EDU","1,300","University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor traveling in Italy. The laptop was taken last summer, but university officials say they only recently learned that the computer contained sensitive information, including names, addresses, phone numbers and Social Security numbers.","Dataloss DB","","2009","33.580110","-85.076611"
"March 18, 2009","New York City Housing Authority","New York","New York","PHYS","GOV","0","Dozens of confidential files with city public housing residents' birth dates, Social Security numbers, and eviction notices were dumped on an East New York street. City Housing Authority officials are investigating to determine how the files ended up scattered along Atlantic Ave. near Pennsylvania Ave.","Dataloss DB","","2009","40.714269","-74.005973"
"March 17, 2009","Penn State Office of Physical Plant","University Park","Pennsylvania","HACK","EDU","1,000","The Social Security numbers of employees working for the Penn State Office of Physical Plant in 2000 may have been stolen.
A virus infiltrated an administrative computer that contained more than 1,000 Social Security numbers of OPP employees.","Dataloss DB","","2009","40.802006","-77.856390" "March 11, 2009","Binghamton University","Binghamton","New York","STAT","EDU","100,000","Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained Social Security numbers, credit card numbers, scans of tax forms, business information (including Social Security numbers and salary information for employees of students' parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would affect, roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people affected lies well in the hundred thousands.","Media","","2009","42.098687","-75.917974" "March 7, 2009","Idaho National Laboratory ","Idaho Falls","Idaho","PORT","GOV","59,000","Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. 
The package, originally shipped from New York to Maryland, was found damaged.","Dataloss DB","","2009","43.466581","-112.034137" "March 7, 2009","Oklahoma Department of Human Services","Shawnee","Oklahoma","PHYS","GOV","0","The state Department of Human Services is investigating how a child welfare worker's records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house in Guthrie.","Dataloss DB","","2009","35.327293","-96.925300" "March 6, 2009","Federal Emergency Management Agency Region 5 Office","Griffith","Indiana","PORT","GOV","50","A laptop containing Social Security numbers and other personal information from dozens of victims of last September's floods was reported stolen from a housing inspector's car. Representatives from the Federal Emergency Management Agency alerted roughly 50 flood victims from Gary, Hammond, Highland, Griffith and Munster whose information was stored in the laptop after they applied for federal disaster assistance. The password-protected laptop was stolen from a housing inspector's car in Griffith on Nov. 4, containing names, Social Security numbers, dates of birth, addresses and phone numbers of people who applied for assistance.","Dataloss DB","","2009","41.528369","-87.423650" "March 5, 2009","St. Rita's Medical Center","Lima","Ohio","PHYS","MED","242","A home-health employee for St. Rita's Medical Center had a bag stolen during an automobile break-in. The bag contained information on some patients, including names, dates of birth, addresses, phone numbers, patient identification numbers, and the names of case managers and physicians. 
In some cases it also included Social Security numbers and the type of treatment being provided, according to a letter given to the patients involved.","Dataloss DB","","2009","40.742551","-84.105226" "March 4, 2009","Elk Grove Unified School District","Elk Grove","California","PHYS","EDU","520","A document with the Social Security numbers of more than 500 Elk Grove Unified School District employees was lost by a district employee.","Dataloss DB","","2009","38.408799","-121.371618" "March 4, 2009","New York Police Department","New York","New York","INSD","GOV","80,000","A civilian employee of the department's pension fund is accused of stealing eight tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension fund's director of communications, has been charged with computer trespass, burglary and grand larceny. He is accused of removing the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the missing tapes at his home before arresting him.","Dataloss DB","","2009","40.714269","-74.005973" "March 3, 2009","Western Oklahoma State College","Altus","Oklahoma","DISC","EDU","1,500","A computer breach at Western Oklahoma State College may have exposed Social Security numbers and other identifying information for 1,500 campus library users. An unauthorized program known as a rootkit was installed on a server administered by an outside party. There is no indication that any of the data on the machine was actually compromised - only that the opportunity for someone to access it existed.","Dataloss DB","","2009","34.638126","-99.333975" "March 1, 2009","City of Muskogee","Muskogee","Oklahoma","PORT","GOV","4,500","The city of Muskogee recently discovered that a computer zip disk containing personal information has been in public circulation since 2000. 
The disk in some cases contained phone numbers and in other cases contained Social Security numbers. It's believed that a forgetful employee scooped up the disk while putting together surplus items no longer used by the city.","Dataloss DB","","2009","35.747877","-95.369691" "February 26, 2009","Steamboat Springs School District","Steamboat Springs","Colorado","PORT","EDU","1,300","Social Security numbers for 1,300 past and present employees were compromised when a laptop was stolen from the Steamboat Springs School District office. The laptop had a spreadsheet containing the Social Security numbers and names of their owners. The spreadsheet was created as part of a requirement from a past district audit. The laptop was password-protected, but district officials are warning their employees to be on the lookout for any potential identity theft.","Dataloss DB","","2009","40.484977","-106.831716" "February 23, 2009","University of Florida","Gainesville","Florida","DISC","EDU","101","An undated statement on the University's Web site indicates that on January 20, an LDAP Directory Server configuration error allowed outside access to a directory containing Social Security numbers and other personal data. Personal data belonging to about 101 people might have been compromised as a result.","Dataloss DB","","2009","29.651634","-82.324826" "February 23, 2009","Seaview Financial","Corona Del Mar","California","PHYS","BSF","0","Folders with personal information for numerous clients of a local mortgage broker sat for days at a public recycling site. The files contained bank account statements, completed tax forms, credit reports and Social Security numbers.","Dataloss DB","","2009","33.598078","-117.873112" "February 20, 2009","Del Mar College","Del Mar","California","PHYS","EDU","53","A class roster containing the names and Social Security numbers of some 53 Del Mar College students has been stolen. The roster was taken out of a professor's vehicle parked at Cole Park. 
The G.E.D. teacher was taking work home Sunday, when he stopped at Cole Park and his car was broken into.","Dataloss DB","","2009","32.959489","-117.265315" "February 20, 2009","Arkansas Department of Information Systems, Information Vaulting Services ","Little Rock","Arkansas","PORT","GOV","807,000","A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses.","Dataloss DB","","2009","34.746481","-92.289595" "February 19, 2009"," University of Florida ","Gainesville","Florida","HACK","EDU","97,200","A foreign hacker gained access to a University of Florida computer system containing the personal information of students, faculty and staff. The files included the names and Social Security numbers of individuals who used UF's Grove computer system since 1996.","Dataloss DB","","2009","29.651634","-82.324826" "February 18, 2009","Rio Grande Food Project","Albuquerque","New Mexico","PORT","NGO","36,000","A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth dates and Social Security numbers.","Dataloss DB","","2009","35.084491","-106.651137" "February 17, 2009","Broome Community College","Binghamton","New York","DISC","EDU","14,000","Broome Community College sent out a mailing last week with Social Security numbers posted prominently on the back cover. 
The winter/spring 2009 alumni magazine was mailed to 28,000 people; it is assumed that fewer than 14,000 copies had Social Security numbers on the magazine.","Dataloss DB","","2009","42.098687","-75.917974" "February 10, 2009","SemGroup LP","Tulsa","Oklahoma","DISC","BSO","160","Online banking bandits pulled thousands of dollars from the accounts of current and former employees after personal information was inadvertently left on a bankruptcy court document made public.","Dataloss DB","","2009","36.153982","-95.992775" "February 9, 2009","Parkland Memorial Hospital","Dallas","Texas","PORT","MED","9,300","A laptop computer that may have contained the names, birthdates and Social Security numbers of 9,300 employees of Parkland Memorial Hospital was stolen.","Dataloss DB","","2009","32.802955","-96.769923" "February 9, 2009","Federal Aviation Administration","Washington","District Of Columbia","HACK","GOV","48,000","Hackers broke into the Federal Aviation Administration's computer system, accessing the names and Social Security numbers of employees and retirees.","Dataloss DB","","2009","38.895112","-77.036366" "February 9, 2009","U.S. Postal Service Santee","Santee","California","INSD","GOV","0","A mail carrier in San Diego County is accused of stealing dozens of gift cards, debit cards and Social Security documents sent through the mail. Deputies found 30 gift cards, stolen mail, debit cards and money when the carrier was arrested after he finished his route. Detectives also found Social Security documents and W-2 wage and tax statements at the carrier's home.","Dataloss DB","","2009","32.838383","-116.973917" "February 8, 2009","Kaspersky","Woburn","Massachusetts","HACK","BSO","0","An unidentified hacker gained access to databases used by the usa.kaspersky.com Web site, allowing access to users' accounts, activation codes and possibly personal data about Kaspersky customers. 
Kaspersky Lab is a security software company.","Media","","2009","42.479262","-71.152277" "February 6, 2009","Catskill Regional Medical Center","Harris","New York","INSD","MED","431","A woman was fired for allegedly spying. The employee had access to company files. The files included Social Security numbers, birth dates, addresses and financial information.","Dataloss DB","","2009","41.714256","-74.726273" "February 4, 2009","Womancare Inc.","Lathrup Village","Michigan","PHYS","MED","0","Medical records were improperly disposed of. Pro-Life Society found the records in a dumpster behind the office.","Dataloss DB","","2009","42.496424","-83.222707" "February 3, 2009","Baystate Medical Center","Springfield","Massachusetts","PORT","MED","0","Several laptops were stolen from Baystate Medical Center's Pediatrics department. Some of those computers had patient information on them. All of the information is password protected and the computers had no financial or Social Security information on them.","Dataloss DB","","2009","42.101483","-72.589811" "February 3, 2009","SRA International","Fairfax","Virginia","HACK","BSO","0","Malicious software may have allowed hackers to get access to data maintained by SRA, including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information.","Dataloss DB","","2009","38.846224","-77.306373" "February 3, 2009","Georgia State Board of Pardons and Paroles","Atlanta","Georgia","STAT","GOV","0","The offices of a state contractor in Roswell were burglarized and a computer was stolen. Information regarding current and past parolees that was lost in a burglary includes names, dates of birth and Social Security numbers.","Dataloss DB","","2009","33.748995","-84.387982" "February 2, 2009","St. Anthony Central Hospital","Denver","Colorado","INSD","MED","150","Boxes, filing cabinets and trash bags full of hundreds of U.S. 
passports, birth certificates, driver's licenses, Social Security cards and other documents - most stolen within the past two years - were found in a storage unit. A hospital employee admitted to stealing the records. Also found were hospital records containing dates of birth, Social Security numbers and copies of the driver's licenses of 150 patients who had been admitted into the emergency room or general surgery.","Dataloss DB","","2009","39.739154","-104.984703" "January 31, 2009"," HoneyBaked Ham","Indianapolis","Indiana","PHYS","BSR","0","A computer server stocked with credit-card information was stolen from a store. Customers might be at risk.","Dataloss DB","","2009","39.767016","-86.156255" "January 31, 2009","Ball State University","Muncie","Indiana","DISC","EDU","19","An employee sent out an e-mail, to verify contact information, to 91 special events staff with an Excel spreadsheet attachment that, unbeknownst to the employee, included the Social Security numbers of 19 of the workers.","Dataloss DB","","2009","40.193377","-85.386360" "January 30, 2009","Kansas State University ","Manhattan","Kansas","DISC","EDU","45","Students who were enrolled in an agricultural economics class in spring 2001 inadvertently had some personal information exposed on the Internet through a K-State departmental Web site. Names, Social Security numbers and grades of those students have been exposed since 2001.","Dataloss DB","","2009","39.183608","-96.571669" "January 30, 2009","Indiana Department of Administration","Indianapolis","Indiana","DISC","GOV","8,775","Social Security numbers of current and former state employees were accidentally posted on a state Web site for about two hours. 
The Social Security numbers were erroneously included in a contract solicitation file posted on the department's procurement Web site.","Dataloss DB","","2009","39.767016","-86.156255" "January 28, 2009","CityStage","Springfield","Massachusetts","DISC","NGO","60","A computer system might have exposed credit card information of customers on the Internet. This probably occurred in December while the theater's Web contractor was changing servers. Credit card numbers might have been compromised.","Dataloss DB","","2009","42.101483","-72.589811" "January 27, 2009","Beaumont City","Beaumont","Texas","DISC","GOV","500","Personal information of current and former Beaumont city workers was accidentally posted online. The information included birth dates and Social Security numbers.","Dataloss DB","","2009","30.086046","-94.101846" "January 27, 2009","Citi Habitats","New York","New York","PHYS","BSO","0","During a refurbishing of their office, paper that should have been shredded was improperly placed as trash. Information found blowing in the street included bank statements, 401k statements, credit reports, tax returns, driver's licenses, names, phone numbers and Social Security numbers.","Dataloss DB","","2009","40.714269","-74.005973" "January 26, 2009","Madison, WI. Human Resources Department","Madison","Wisconsin","PORT","GOV","500","An oversight by the city of Madison's personnel office is the reason Social Security numbers of city employees were stored on a laptop computer stolen from a city office. Any official or employee - except those in the police, fire and transit departments - who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk. 
Data on the laptop included photos, names and Social Security numbers.","Dataloss DB","","2009","43.073052","-89.401230" "January 21, 2009","Missouri State University","Springfield","Missouri","DISC","EDU","565","Personal information, including Social Security numbers for 565 foreign students at MSU, was leaked this month when a university office sent an e-mail message soliciting their help with language tutoring. The email message they got had a spreadsheet attachment that contained names and Social Security numbers for international students.","Dataloss DB","","2009","37.215326","-93.298244" "January 16, 2009","Southwestern Oregon Community College","Coos Bay","Oregon","PORT","EDU","200","A laptop computer was stolen from the campus, putting former and current students at risk.","Dataloss DB","","2009","43.366501","-124.217890" "January 14, 2009","Occidental Petroleum Corporation","Dallas","Texas","INSD","BSO","0","A former employee emailed himself (to a personal email account) a spreadsheet of employee names, addresses, employee identification numbers, birth dates, starting dates, retirement dates and Social Security numbers.","Dataloss DB","","2009","32.802955","-96.769923" "January 13, 2009","University of Oregon","Eugene","Oregon","PORT","EDU","0","A laptop computer containing data files for Youth Transition Program (YTP) participants was stolen. 
Those files contained names and Social Security numbers.","Dataloss DB","","2009","44.052069","-123.086754" "January 13, 2009","Innodata Isogen, Inc.","Hackensack","New Jersey","PORT","BSO","0","A laptop stolen from an employee's car contained names, addresses and Social Security numbers of current and former employees.","Dataloss DB","","2009","40.885933","-74.043474" "January 13, 2009","Seventh-Day Adventist Church","Silver Spring","Maryland","PORT","NGO","292","A laptop that was stolen and recovered contained names and Social Security numbers.","Dataloss DB","","2009","38.990666","-77.026088" "January 13, 2009","Continental Airlines","Newark","New Jersey","PORT","BSO","230","A laptop containing fingerprints, Social Security numbers, names and addresses was stolen from a locked Newark office.","Dataloss DB","","2009","40.735657","-74.172367" "January 13, 2009","Blue Ridge Community Action","Morganton","North Carolina","PORT","NGO","300","Social Security numbers were on an external computer hard drive that is missing or stolen. The hard drive contained information on clients from four counties who have used the organization's services in the past four or five years. The external hard drive was used to back up information on clients.","Dataloss DB","","2009","35.745407","-81.684819" "January 12, 2009","Columbus City Schools","Columbus","Ohio","PHYS","EDU","100","Columbus City Schools experienced a security breach, resulting in employees' Social Security numbers being at risk. CPD officers went to serve drug and auto-theft felony warrants. During the arrest officers learned there might be stolen personal information in the house and found personal information on district employees. 
It is believed the suspects either stole or intercepted part of a mailing from the payroll division that was en route to annuity companies.","Dataloss DB","","2009","39.961176","-82.998794" "January 11, 2009","University of Rochester","Rochester","New York","HACK","EDU","450","Personal information including Social Security numbers of about 450 current and former University of Rochester students was stolen by hackers this week from a UR database. The information was taken from a non-academic student database and copied illegally to an off-campus IP address.","Dataloss DB","","2009","43.154785","-77.615557" "January 5, 2009","Library of Congress","Washington","Delaware","INSD","GOV","10","An employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud in which he stole information on at least 10 employees from library databases. He passed the information to a relative, who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the accounts.","Dataloss DB","","2009","39.684007","-74.575988" "January 2, 2009","Merrill Lynch","New York","New York","STAT","BSF","0","A third-party consulting services firm working on behalf of Merrill Lynch reported, one of their employees was burglarized. The burglars took various items, including a computer, which had on it the names and Social Security numbers of current and former Financial Advisors and some applicants for employment.","Dataloss DB","","2009","40.714269","-74.005973" "November 6, 2009","MassMutual","Springfield","Massachusetts","HACK","BSF","0","According to MassMutual, a ""limited amount"" of personal employee information maintained in a database by an outside vendor may have been subject to unauthorized access. The vendor engaged a forensics team to investigate, and at this time they believe that no misuse of the information or fraudulent activity involving the data has occurred. 
This database does not include client or field representative information; it also did not contain personal Social Security or bank account information, according to the company.","Dataloss DB","","2009","42.101483","-72.589811" "December 15, 2009","U.S. Army","Fort Belvoir","Virginia","PORT","GOV","42,000","A laptop computer belonging to a Family and Morale, Welfare and Recreation Command (FMWRC) employee was stolen.  Types of information compromised included name, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone number and family member information.","Dataloss DB","","2009","38.709710","-77.146988" "November 10, 2009","Obsidian Financial Group","Woodbury","New York","INSD","BSF","0","A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left.","Dataloss DB","","2009","40.825655","-73.467623" "November 19, 2009","TAD Gear","San Francisco","California","HACK","BSR","0","TAD Gear recently learned that their database was illegally accessed from an external source, and it appears that some customer data was taken, which may include customer names, contact information and credit card data. The possibility of a security breach came to their attention when certain customers notified them that unauthorized charges had appeared on their credit cards. 
Upon learning of the potential breach of security, TAD Gear immediately initiated an investigation, and took corrective steps.","Dataloss DB","","2009","37.774930","-122.419416" "November 26, 2009","Penn State","University Park","Pennsylvania","HACK","EDU","303","A Penn State professor's grade book from 2001 to 2004 that contained 303 students' Social Security numbers, among other personal information, was found to be compromised by a computer virus.","Dataloss DB","","2009","40.802006","-77.856390" "November 29, 2009","Salem Housing and Community Services","Salem","Oregon","DISC","GOV","0","Sloppy handling of confidential records by a state agency in Salem left people's names, Social Security numbers, ages and addresses exposed in an open recycling bin outdoors. In a separate security lapse by another state agency, confidential records with the names and Social Security numbers of former state parks and recreation employees landed in the same recycling bin. ","Dataloss DB","","2009","44.942898","-123.035096" "October 6, 2009","BlueCross BlueShield Assn.","Chicago","Illinois","PORT","MED","187,000","A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number.","Dataloss DB","","2009","41.850033","-87.650052" "October 5, 2009","U.S. Army Special Forces","Fort Bragg","North Carolina","DISC","GOV","463","A recent breach involved a U.S. Army Special Forces document containing the names, Social Security numbers, home phone numbers and home addresses of 463 soldiers. The document also contained names and ages of soldiers' spouses and children. 
The document was discovered in connection with a Congressional move to address the continuing risk of data leaks on peer-to-peer (P2P) networks. Through its research, the firm, Tiversa, turned up the document among 240 others belonging to federal government agencies and military branches, all sitting on P2P networks.","Media","","2009","35.149381","-78.991460" "August 14, 2009","American Express","New York","New York","INSD","BSF","0","Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue.","Media","","2009","40.714269","-74.005973" "August 1, 2009","Williams Cos. Inc.","Tulsa","Oklahoma","PORT","BSO","4,400","A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker's vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007.","Dataloss DB","","2009","36.153982","-95.992775" "June 15, 2009","Beam Global Spirits & Wine Inc.","Deerfield","Illinois","INSD","BSR","0","Unauthorized access to a human resources payroll database by a former employee exposes names, addresses and Social Security numbers of past and present employees.","Dataloss DB","","2009","42.171137","-87.844512" "February 24, 2010","Citigroup","New York","New York","DISC","BSF","600,000","About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. 
The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.","Dataloss DB","","2010","40.714269","-74.005973" "May 27, 2009","Batteries.com","Carmel","Indiana","HACK","BSR","865","On March 13th, Batteries.com received notice from a customer about potential unauthorized activity on their credit card. They later discovered the Batteries.com network had been breached from around February 25, 2009 to April 9, 2009. The hackers stole names, addresses and credit card information.","Dataloss DB","","2009","39.978371","-86.118044" "May 21, 2009","Internal Revenue Service","Washington","District Of Columbia","PHYS","GOV","0","The U.S Treasury Inspector General for Tax Administration found in a fiscal year 2008 audit that in more than a dozen IRS document disposal facilities, old taxpayer documents were being tossed out in regular waste containers and dumpsters. In addition, the investigation found that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks. Further, investigators had difficulty finding anyone responsible for oversight of most of the facilities that the IRS contracted with to burn or shred sensitive taxpayer documents. 
The review was performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona; New Carrollton, Maryland; Holtsville, Garden City, and Westbury, New York; and Ogden, Utah, and included questionnaires to 14 Territory Managers across the country during the period September 2007 through May 2008.","Media","","2009","38.895112","-77.036366" "December 4, 2009","MedSolutions","Raleigh","North Carolina","DISC","MED","0","For a period of time that has not been clearly defined, the name, address, email, and taxpayer ID number (which in some cases is the physician’s Social Security number) for an undetermined number of NC physicians could be viewed on the MedSolutions website. Access to this information apparently was not limited to physicians or physician staff. Based on the information available at the time of this posting, any person with an email address could enter physician names and view the information.","Dataloss DB","","2009","35.772096","-78.638615" "December 5, 2009","Wake County Schools","Raleigh","North Carolina","DISC","EDU","5,000","The Wake County school system accidentally sent out about 5,000 postcards with students' Social Security Numbers printed on the front. Wake schools mailed about 15,000 reminders asking parents to specify if they want to keep their children in magnet or traditional calendar schools. About a third of those cards had the Social Security Numbers printed alongside the child's name - a holdover from recent years when those nine-digit numbers were used to identify students. ","Dataloss DB","","2009","35.772096","-78.638615" "December 10, 2009","Bushland Elementary School","Bushland","Texas","PHYS","EDU","100","A Potter County school district has improved security protecting its student records after paperwork containing Social Security numbers, family incomes and student addresses was discovered at a recycling site in Canyon. 
The documents listed names of about 100 students at Bushland Elementary School who were eligible for free or reduced-price meals through a federal program during the 2003-04 and 2005-06 school years. Applications for subsidized meals from more than 20 families included their Social Security numbers, incomes, addresses and phone numbers.","Dataloss DB","","2009","35.191998","-102.064639" "October 15, 2009","Virginia Department of Education ","Richmond","Virginia","PORT","EDU","103,000","A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009.","Dataloss DB","","2009","37.542979","-77.469092" "October 15, 2009","PayChoice","Moorestown","New Jersey","HACK","BSF","0","Hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The plug-in was instead malicious software designed to steal the victim's user names and passwords.","Dataloss DB","","2009","39.967057","-74.942668" "December 11, 2009","Lookout Services","Bellaire","Texas","DISC","BSO","500","The state of Minnesota has directed all of its agencies to stop using a Texas company state officials hired to verify the identities of new employees. A state official told MPR News that it is notifying some 500 employees that their personal data -- including names, dates of birth and Social Security numbers -- may have been accessible on the company's Web site. 
For more than three months, state agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the federal Department of Homeland Security's E-Verify program, which confirms that a worker has legal status and a valid Social Security number. ","Dataloss DB","","2009","29.705786","-95.458830" "October 7, 2009","CLP Skilled Trade Solutions","Palm Springs","Florida","PHYS","BSO","0","Boxes full of documents that had the CLP Skilled Trade Solutions logo on them were found in a dumpster in the back of a Newport Café. Some of the information found included Social Security cards, tax papers, driver's licenses and home IDs. Many of the documents were from a company that CLP acquired a few years ago.","Dataloss DB","","2009","26.635901","-80.096154" "October 2, 2009","U.S. Military Veterans","Washington","District Of Columbia","PORT","GOV","76,000,000","The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. 
The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their service numbers.","Dataloss DB","","2009","38.895112","-77.036366" "December 28, 2009","Providence Health","Portland","Oregon","DISC","MED","4,500","Providence Health Plans is re-issuing thousands of insurance cards after personal information was accidentally sent to the wrong policy-holders. Officials with Providence Health Plans say about 4,500 mailings were sent out with the incorrect group and member ID numbers, meaning that some policy holders received others’ information. Officials noticed the problem Monday.","Dataloss DB","","2009","45.523452","-122.676207" "August 20, 2009","Cal State Los Angeles ","Los Angeles","California","PORT","EDU","600","The theft of two desktop and 12 laptop computers from an office at Cal State Los Angeles is causing identity theft concerns for more than 600 students and faculty members. Someone broke a window in the office of the university's Minority Opportunities in Research program to steal the computer. The computers stolen contained individual names, Social Security numbers and addresses, according to campus.","Dataloss DB","","2009","34.052234","-118.243685" "August 4, 2009","New Hampshire Department of Corrections","Laconia","New Hampshire","PHYS","GOV","1,000","A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. 
The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed.","Dataloss DB","","2009","43.527855","-71.470351" "July 24, 2009","Network Solutions","Herndon","Virginia","HACK","BSO","573,000","Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services -- a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.","Dataloss DB","","2009","38.969555","-77.386098" "July 10, 2009","Northern California dumpsters Bay Area to Central Valley","San Francisco","California","PHYS","BSF","1,500","A criminal complaint filed against a 30-year-old suspect claims that he made more than 1,000 fake ID cards that he used to rip off people, stores and banks. He also allegedly admitted to stealing the identities of more than 500 people all across Northern California, ranging from the Bay Area to the Central Valley. Federal agents say the man said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters. Using the sensitive materials he found in the trash, he was able to use a computer to mock up fake identification cards and blank checks, according to authorities. He also allegedly confessed to stealing between one and two million dollars in cash and merchandise.","Media","","2009","37.774930","-122.419416" "June 17, 2009","Blackbaud Inc. 
","Charleston","South Carolina","PORT","BSO","84,000","A computer that was stolen from a car in Charleston, SC, last year contained personal financial information on 84,000 University of North Dakota donors. The missing laptop belonged to Daniel Island-based software giant Blackbaud Inc., which stressed that all of the information was password-protected and encrypted. ","Media","","2009","32.776566","-79.930922" "June 6, 2009","Ohio State Dining Services","Columbus ","Ohio","DISC","EDU","350","Student employees had their Social Security numbers accidentally leaked in an e-mail. The hiring coordinator for Dining Services, an OSU student, received an e-mail with an attachment that included students' names and SSNs. He accidentally sent the attachment in an e-mail reminding student employees to sign their waivers for the Ohio Employees Retirement System. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the e-mails before all of them were sent.","Dataloss DB","","2009","39.961176","-82.998794" "May 21, 2009","Texas Lottery Commission","Austin","Texas","INSD","GOV","140","A former Texas lottery worker was arrested while training for a new job and charged with illegally possessing personal information on 140 lottery winners and employees, including their names and Social Security numbers. The man was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed.","Media","","2009","30.267153","-97.743061" "May 19, 2009","Rudder","Houston","Texas","DISC","BSF","0","Rudder, a financial management company, erred in sending users' confidential financial information to the wrong individuals. Through an online financial planning application, hundreds of individuals were able obtain the full details on others' finances - their salary, debts, bank balance, and where they shop. 
Bank account numbers were apparently not exposed.","Media","","2009","29.763284","-95.363272" "May 13, 2009","United Food and Commercial Workers Union 555","Tigard","Oregon","PORT","NGO","19,000","A union employee's laptop was stolen on the East Coast. The laptop may have contained personal information of Local 555 members, including birth dates and Social Security numbers.","Dataloss DB","","2009","45.431229","-122.771486" "May 5, 2009","East Burke Christian Ministries","Hildebran","North Carolina","PORT","NGO","1,000","A thief broke into a charity in Burke County and stole a laptop containing more than 1,000 Social Security numbers of individuals seeking help.","Dataloss DB","","2009","35.714021","-81.422033" "May 5, 2009","Fulton County Board of Registration and Elections","Atlanta","Georgia","PHYS","GOV","99,000","Boxes were found in a trash bin at Atlanta Technical College. They contained about 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.","Dataloss DB","","2009","33.748995","-84.387982" "April 28, 2009"," West Virginia State Bar","Charleston","West Virginia","HACK","NGO","0","The West Virginia State Bar has hired forensic computer experts in hopes of finding those responsible for hacking into the group's website and internal computer network. Information about the State Bar's current and former members may have been compromised. The hacker was able to access the group's internal database server where there was information concerning lawyer identification numbers, names, mailing addresses, email addresses and some Social Security numbers.","Dataloss DB","","2009","38.349820","-81.632623" "March 31, 2009","Symantec","Cupertino","California","INSD","BSO","200","Symantec is warning a small number of customers that their credit card numbers may have been stolen from an Indian call center used by the security vendor. 
Symantec sent out warning letters after the BBC reported that it managed to purchase credit card numbers obtained from Symantec's call center from a Delhi-based man. The letters were sent to just over 200 customers. Most of those notified are in the U.S., but the company also notified a handful of customers in the U.K. and Canada.","Dataloss DB","","2009","37.322998","-122.032182" "March 18, 2009","Central Ohio Transit Authority","Columbus","Ohio","DISC","GOV","900","More than 900 current and former COTA employees recently learned their Social Security numbers had been sent to dozens of health-insurance companies. Central Ohio Transit Authority officials notified administrative employees who have or had worked for COTA since 2004 that personnel workers gave 51 companies their names and identification numbers. The information went to companies proposing to bid on providing long-term disability insurance to COTA. In 2006, COTA also sent information on union employees to 39 potential insurance providers.","Dataloss DB","","2009","39.961176","-82.998794" "May 5, 2009","Spencer House Apartment Complex","Beaverton","Oregon","PHYS","BSO","0","Residents at an apartment complex blamed apartment management Monday for leaving their personal information out in the open. The documents were found in an unlocked public container that was sitting off a side street in their apartment complex. The documents included Social Security numbers, addresses, phone numbers, immigration numbers and names.","Dataloss DB","","2009","45.487062","-122.803710" "April 29, 2009","Orleans Parish Public Schools","New Orleans","Louisiana","PHYS","EDU","0","The confidential records of Orleans Parish public-school employees have been discovered in an abandoned and unsecured warehouse in New Orleans. Personnel files, payroll records, and other documents with private data were uncovered. 
Inside were countless boxes filled with confidential information, not to mention stacks of other documents lying on the ground, listing payroll information, worker evaluations, notices of personnel action, and investigations into employee discrimination. Also found were full names, home addresses, and Social Security numbers on document after document.","Media","","2009","29.954648","-90.075072" "March 18, 2009","Walgreens Health Initiative","Deerfield","Illinois","DISC","MED","28,000","Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provider. The e-mail contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information. The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit through Walgreens in 2007.","Dataloss DB","","2009","42.171137","-87.844512" "March 16, 2009","Comcast","Philadelphia","Pennsylvania","DISC","BSO","4,000","A list of over 8,000 Comcast user names and passwords were available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn't an inside job, and that there are so many duplicate entries on the list that it's closer to 4,000 customers who were exposed.","Media","","2009","39.952335","-75.163789" "March 16, 2009","University of Toledo","Toledo","Ohio","STAT","EDU","450","A computer stolen from the University of Toledo contained personal information for about 24,000 students and 450 faculty during the 2007-08 and 2008-09 academic years. The student data was directory and educational information, such as student identification numbers and grade point averages. 
The faculty information, however, was more personal and included names, Social Security numbers, birth dates, and more.","Dataloss DB","","2009","41.663938","-83.555212" "March 12, 2009","Dezonia Group","Chicago","Illinois","PORT","BSO","63,000","The city of Chicago bills people for ambulance rides -- $600 and up. It uses a third party, Dezonia Group, for billing. An employee's laptop, containing patient names, addresses and Social Security numbers, was stolen from the company. Reports differ as to whether or not the data was encrypted. ","Dataloss DB","","2009","41.850033","-87.650052" "February 19, 2009","Northeast Orthopaedics, MRecord","Raleigh","North Carolina","DISC","MED","1,000","Records of more than 1,000 patient visits to Northeast Orthopaedics, a large Albany surgical practice, have been posted on the Internet. The records appeared on the Web site visvabpo.com, which seems to be a defunct outsourcing company in India called Visva BPO. Those records include patient names, birth dates and Social Security numbers.","Dataloss DB","","2009","35.772096","-78.638615" "February 11, 2009","Los Alamos National Laboratory","Los Alamos","New Mexico","STAT","GOV","0","The Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were stolen last year. The computers are a cybersecurity issue because they may contain personal information like names and addresses. But Los Alamos claims they did not contain classified information. 
Also missing are three computers that were taken from a scientist's home and a BlackBerry belonging to another employee that was lost in a foreign country considered sensitive.","Dataloss DB","","2009","35.888080","-106.306972" "February 5, 2009","Mooresville's Dry Cleaning Station","Mooresville","North Carolina","INSD","BSO","0","A Mooresville dry cleaner skipped town, taking her clients' clothes and credit card numbers with her.","Dataloss DB","","2009","35.584860","-80.810072" "February 2, 2009","Southern Satellite","Orange City","Florida","PHYS","BSO","0","Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster.","Dataloss DB","","2009","28.948876","-81.298674" "February 4, 2009","Texas Veterans Commission","Waco","Texas","DISC","GOV","20","A Waco individual received a packet in the mail with the application for her daughter's tuition benefits. At the bottom of the packet was a claims log that listed more than 20 veterans' names, Social Security numbers and medical claim information. The Waco Veterans Commission and the VA's regional office were not able to explain how the veterans' personal information found its way into the envelope containing the unrelated information about the tuition benefits for the woman's daughter.","Dataloss DB","","2009","31.549333","-97.146670" "January 27, 2009","U.S. Consulate","","","PHYS","GOV","0","Hundreds of files - with Social Security numbers, bank account numbers and other sensitive U.S. government information - were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.","Media","","2009","37.090240","-95.712891" "January 12, 2010","Suffolk County National Bank","Long Island","New York","HACK","BSF","8,373","Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system. 
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.","Dataloss DB","","2010","40.816803","-73.066149" "January 21, 2010","University of Missouri System","Columbia","Missouri","DISC","EDU","75,000","About 100 people responded to an e-mail notifying students that their Social Security numbers may have been visible in the envelope window of a tax form sent by the University of Missouri System. More than 75,000 Form 1098-Ts were mailed. The four-campus system has no way of assessing how many envelopes displayed the numbers. Form 1098-T is an Internal Revenue Service form that reports tuition billed and paid. Campus Mail Services committed the folding errors.","Dataloss DB","","2010","38.951705","-92.334072" "January 27, 2010","Methodist Hospital","Houston","Texas","PORT","MED","689","Methodist Hospital notified people that someone stole a laptop from an office at the Smith Tower in the Texas Medical Center. A thief took the laptop on January 18. The computer was attached to a medical device that tests pulmonary function and contained private health information and Social Security numbers.","Dataloss DB","","2010","29.763284","-95.363272" "January 28, 2010","Humboldt State University ","Arcata ","California","HACK","EDU","3,500","A Humboldt State University computer infected with a virus may have exposed the personal information of 3,500 people employed by the school between 2002 and 2006. 
The computer was found to have a sophisticated virus that is used to steal login information.","Dataloss DB","","2010","40.866517","-124.082840" "February 1, 2010","West Virginia University","Morgantown","West Virginia","DISC","EDU","53","Around 53 West Virginia University students’ personal information was available to others following an ""operational error"" during a routine update of tax information. The students’ 1098-T forms, which include their Social Security number and tax identification numbers, among others, were uploaded to the University’s 1098-T Web site. The forms are distributed to WVU students who are U.S. citizens who paid tuition during the 2009 calendar year. They can be used to claim federal tax credit. Students can typically access their forms on the site for tax purposes, but the error made the information viewable to any WVU student on the site.","Dataloss DB","","2010","39.629526","-79.955897" "February 4, 2010","Ozarks Area Community Action Corporation","Springfield","Missouri","DISC","NGO","250","The organization printed two 1099 forms on one piece of paper. They were supposed to separate them and send each to the rightful owner. Instead one person got both. The mistake sent tax forms and Social Security numbers to strangers. More than 500 landlords work with OACAC. On January 28, 2010, half of those landlords didn't receive tax forms. The other half got their forms and someone else's private information.","Dataloss DB","","2010","37.215326","-93.298244" "January 20, 2009","Kanawha-Charleston Health Department","Charleston","West Virginia","INSD","GOV","11,000","People who received flu shots from the agency since October are being warned that their personal information may have been stolen by a former department temporary worker. 
Information included their names, Social Security numbers, addresses and other personal information.","Dataloss DB","","2009","38.349820","-81.632623" "February 25, 2010","Wyoming Department of Health","Cheyenne","Wyoming","DISC","GOV","9,000","The personal information of about 9,000 children in the state's children's health insurance program could have been exposed on the Internet. The error resulted in the names, birthdays, Social Security numbers, addresses and phone numbers of Kid Care CHIP participants being accessible on an unsecured Web page for months.","Dataloss DB","","2010","41.139981","-104.820246" "February 9, 2010","California Department of Health Care Services","Sacramento","California","DISC","GOV","50,000","The personal security of nearly 50,000 people may have been breached by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who printed and mailed the envelopes.","Dataloss DB","","2010","38.581572","-121.494400" "February 9, 2010","Kansas City Art Institute","Kansas City","Kansas","STAT","EDU","145","About 145 employees at the Kansas City Art Institute have been notified of potential identity theft in connection with the disappearance of a computer from the campus. An Apple computer that contained Social Security numbers, dates of birth and other personal information about the school's professors and staff employees was stolen from the human resource office.","Dataloss DB","","2010","39.106667","-94.676389" "February 15, 2010","West Memphis Police Department","Memphis","Tennessee","INSD","GOV","0","FBI is investigating, after the security of the West Memphis Police Department's computer network was apparently compromised. The FBI had information that somebody had used a computer that shouldn't have used it. 
The suspect in the breach was a detective in the police department. Files containing the names and Social Security numbers of police department employees were stored on the computer network, making the employees vulnerable to identity theft.","Dataloss DB","","2010","35.149534","-90.048980" "February 16, 2010","New York Social Security Administration","New York","New York","PORT","GOV","969","A computer disc containing detailed personal information about 969 New Yorkers was lost by a Social Security Administration employee traveling to Queens from the Bronx. The disc was lost as the employee was going to the Queens Social Security hearing office, and the information on it included administrative decisions, medical evidence and internal agency documents containing people’s names and Social Security numbers.","Dataloss DB","","2010","40.714269","-74.005973" "February 17, 2010","Southern Illinois University","Carbondale","Illinois","HACK","EDU","900","A computer security breach at Southern Illinois University may have put hundreds of alumni at risk of identity theft. A faculty member's computer in the Mathematics Department was found to be infected with malicious software. When the computer files were searched, university officials discovered there were Social Security numbers for approximately 900 students who took introductory math classes at SIU in 2004 and 2005 stored on the hard drive.","Dataloss DB","","2010","37.727273","-89.216750" "February 19, 2010","TennCare","Nashville","Tennessee","DISC","MED","3,900","An electronic error caused information such as Social Security numbers for about 3,900 enrollees to be sent to incorrect addresses. The error was the result of a modification to the system that pulls addresses into an electronic file for TennCare, the state's expanded Medicaid program. 
Letters and cards that contained one or more pieces of personal information were sent to incorrect addresses.","Dataloss DB","","2010","36.165890","-86.784443" "February 19, 2010","Valdosta State University","Valdosta","Georgia","HACK","EDU","170,000","A Valdosta State server that was reported as being breached could have exposed the information of up to 170,000 students and faculty. Valdosta State officials reported the discovery of a breach on Dec. 11 and estimated it began on Nov. 11. The university said the grades and Social Security numbers of up to 170,000 students and faculty were exposed in the breach.","Dataloss DB","","2010","30.832702","-83.278485" "March 2, 2010","Shands at UF","Gainesville","Florida","PORT","MED","12,500","Shands at UF sent notification letters to about 12,500 people Monday warning them that a laptop containing their personal and medical information was stolen. An employee had uploaded the information onto his home laptop for work-related purposes. The laptop held information about patients referred to the gastroenterology clinical services department. Included were names, addresses, medical record numbers, and in the case of 650 patients, Social Security numbers.","Dataloss DB","","2010","29.651634","-82.324826" "March 5, 2010","UT Southwestern Medical Center","Dallas","Texas","INSD","MED","200","UT Southwestern recently sent out a mass mailing to 10,000 of its patients, claiming that a former employee disclosed patients' information to a third party that intended to use it for credit, loans and open bank accounts. UT Southwestern representatives claim 200 patients were actually affected.","Dataloss DB","","2010","32.802955","-96.769923" "March 6, 2010","Westin Bonaventure Hotel & Suites","Los Angeles","California","HACK","BSO","0","Westin Bonaventure Hotel & Suites four restaurants in Lake View Bistro, Lobby Court Bar, Bonavista Lounge and L.A. 
Prime, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers' debit and credit cards.","Dataloss DB","","2010","34.052234","-118.243685" "March 10, 2010","Atlanta Veterans Affairs Medical Center","Atlanta","Georgia","INSD","MED","0","An assistant allegedly recorded two sets of patient data onto a personal laptop for research purposes. One set included three years' worth of patient data and another held 18 years of medical information. The physician assistant's laptop was never connected to the VA network and any data she recorded on her laptop was hand entered. The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded.","Media","","2010","33.748995","-84.387982" "March 11, 2010","monoprice.com","Rancho Cucamonga","California","HACK","BSR","0","The company took its web site offline after it received e-mails and phone calls from several customers complaining about fraudulent charges on their debit and credit cards that they had used on monoprice.com.","Dataloss DB","","2010","34.106399","-117.593108" "March 13, 2010","St. Louis Metropolitan Police Department","St. Louis","Missouri","HACK","GOV","24","24 people may have had their personal information compromised following the cyber attack of one computer in the St. Louis Metropolitan Police Department. The attack came through an e-mail. The department’s website was not attacked. 
The names, addresses and Social Security numbers of the 24 people may have been viewed.","Dataloss DB","","2010","38.646991","-90.224967" "March 18, 2010","Vanderbilt University","Nashville","Tennessee","STAT","EDU","7,174","A professor's desktop computer, containing the names and Social Security numbers of 7,174 current and former students was stolen some time during the weekend of Feb. 6.","Dataloss DB","","2010","36.165890","-86.784443" "March 18, 2010","Mary's Pizza Shack","Sonoma","California","HACK","BSO","50","The Plaza location of Mary's Pizza Shack has been identified as the target of Internet hackers who penetrated the restaurant's computer system with a ""logger"" virus that captured credit card numbers at the transaction terminal. Only credit card numbers were taken by the virus, Albano emphasized, no personal identification information, such as Social Security numbers or bank account records were exposed, although VISA and MasterCard debit accounts were apparently raided. Trustwave identified and removed the virus doing the damage.","Dataloss DB","","2010","38.291859","-122.458036" "March 23, 2010","Connecticut Office of Policy and Management","Hartford","Connecticut","INSD","GOV","11,000","Police are investigating the theft of personal information — including Social Security numbers, names and addresses — from as many as 11,000 people who had applied for furnace rebate programs with the state. The investigation by Hartford and state police has led them to a woman who worked at the state Office of Policy and Management from May 2008 until May 2009. There have been no arrests. 
The state collected Social Security numbers because the refunds are federally taxable and the state was required to send a 1099 tax form to the recipients.","Dataloss DB","","2010","41.763711","-72.685093" "February 17, 2010","Dairy Queen","Hanceville","Alabama","HACK","BSO","0","Hanceville police are cautioning residents to be on guard against a sophisticated debit card wire scam that has leached hundreds of thousands of dollars from customers whose card numbers have been stolen remotely from pay terminals at one or more local businesses. The primary target in the theft so far has been the Dairy Queen restaurant. It's unsure whether this is ultimately involving other businesses. At the Dairy Queen location, somebody has apparently tapped into the Internet server and hacked into the debit card system. They are printing the customers’ debit card numbers and using them all over California and Georgia.","Dataloss DB","","2010","34.060655","-86.767498" "January 1, 2010","Netflix","Los Gatos","California","UNKN","BSO","100,000,000","A class action suit was filed against Netflix, Inc., in United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.” According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). 
However, the complaint cites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers.","Media","","2010","37.226611","-121.974680" "October 26, 2009","CalOptima","Orange County","California","PORT","MED","68,000","Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised after several CDs containing the information went missing. The unencrypted data on the CDs includes member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material minus the box of discs.","Dataloss DB","","2009","33.717471","-117.831143" "October 27, 2009","FirstMerit Bank","Streetsboro","Ohio","PHYS","BSF","0","Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The storage bins were used to store paper waiting to be shredded. Three branches of the FirstMerit Bank in Streetsboro, Westlake and Elyria, OH each reported a bin missing beginning on October 7. One of the three bins contained personal documents of bank customers.","Media","","2009","41.239223","-81.345941" "November 6, 2009","Chaminade University","Honolulu","Hawaii","DISC","EDU","4,500","Chaminade University inadvertently posted confidential information, including Social Security numbers, of thousands of students, on its Web site for months. An investigation determined the report was placed on obscure -- though publicly accessible -- Web pages because of human error, according to a university news release. The information was accessible for about eight months, although there is no evidence of its use, officials said. 
The university estimates that personally identifiable data for 4,500 students were in the report. Those affected include undergraduate students who attended the university from 1997 to 2006.","Dataloss DB","","2009","21.306944","-157.858333" "February 6, 2009","Purdue University","West Lafayette","Indiana","DISC","EDU","962","A mailing error has resulted in 1099 tax forms being sent to the wrong recipients. The incident affected 248 companies and 962 individuals. Those affected by the incident received letters notifying them that their tax information had either been sent to another or that they themselves had received someone else's information by mistake.","Dataloss DB","","2009","40.425869","-86.908066" "March 25, 2010","Evergreen Public Schools","Vancouver","Washington","INSD","EDU","5,000","A 21-year-old former Evergreen Public Schools student has pleaded guilty to criminal charges in connection with a computerized payroll security breach that put more than 5,000 past and current Vancouver district school employees at risk of identity theft. The man had ""shoulder-surfed"" a password from an Evergreen school employee while still a student there.","Dataloss DB","","2010","45.638728","-122.661486" "November 18, 2009","Universal American Action Network","St. Petersburg","Pennsylvania","DISC","MED","80,000","Thousands of Pennsylvanians are at risk for identity theft because postcards were sent to their homes with their Social Security numbers printed in plain view. The postcards were from the Universal American Action Network, a subsidiary of Universal American Insurance. 80,000 postcards with SSNs on them were sent to Universal clients throughout the country. 
More than 10,000 were mailed to Medicare participants in Pennsylvania.","Dataloss DB","","2009","41.161524","-79.654421" "December 1, 2009","Children's Hospital of Philadelphia","Philadelphia","Pennsylvania","PORT","MED","942","A laptop computer containing Social Security Numbers and other personal information was stolen from a car outside an employee's home on Oct. 20. The billing information on the computer was password-protected, but an analysis found it was possible to decode the security controls on the laptop and gain access to the personal information.","Dataloss DB","","2009","39.952335","-75.163789" "March 30, 2010","Three Rivers Community College","Norwich","Connecticut","HACK","EDU","0","Three Rivers Community College may have suffered a security breach due to unauthorized access to its computer network. Data made vulnerable in the breach included names and Social Security numbers. Those affected would have been involved in the following programs during these years: 1997-2009: Participants in the Real Estate programs; 2004-2009: Participants in the Life Long Learners programs; 2003-2006: Participants in the Patient Care Technicians programs; 2004-2006: Participants in the Certified Nursing Assistant programs; 2004-2005: Participants in the Electric Boat academic programs; 2007-2008: Participants in the Bridges to Health Care Careers programs; 2006-2008: Participants in the Photons for Educators programs; 2004-2009: Faculty or staff members of the Three Rivers Continuing Education office. ","Dataloss DB","","2010","41.524265","-72.075911" "March 23, 2010","H&R Block","Chicago","Illinois","INSD","BSF","60","Highland, Ind., police pulled over a driver for suspicion of driving under the influence. 
A search of the car uncovered a treasure-trove of evidence: a file box full of H&R Block client information, numerous blank W-2 forms, more than 100 debit cards and yellow legal pads with columns of Social Security numbers, PIN numbers, dates of tax filings and whether the returns had been accepted or rejected. The two women stole the identities of more than 60 H&R Block customers from the East Chicago branch. Fraudulent tax returns were then filed in their names since January, and refunds went to bank accounts set up by the two, the complaint alleged. IRS agents have found 17 bank accounts with deposits totaling almost $290,000.","Dataloss DB","","2010","41.850033","-87.650052" "April 5, 2010","John Muir Physician Network","Walnut Creek","California","PORT","MED","5,450","John Muir Health, the Walnut Creek-based hospital system, has begun notifying 5,450 patients by mail of a potential breach of their personal and health information. Two months ago two laptop computers at the John Muir Physician Network Perinatal office in Walnut Creek were stolen. The laptops were password protected and contained data in a format that would not be readily accessible. External vendors and internal experts discovered that the missing laptops contained personal and health information going back more than three years.","Dataloss DB","","2010","37.906313","-122.064963" "March 2, 2010","Open Door Clinic of Greater Elgin","Elgin","Illinois","HACK","MED","260","According to a lawsuit, the clinic stores patient information, including Social Security numbers, addresses, telephone numbers, insurance information and medical history on a file-sharing network. That network is accessible to employees’ personal laptops and home computers. 
A spreadsheet with information of about 260 of its patients was leaked as a result of the installation and use of file sharing software on computers containing patients’ personally identifiable information.","Dataloss DB","","2010","42.037249","-88.281190" "January 1, 2010","collective2.com","Tenafly","New Jersey","HACK","BSO","25,000","Users of the do-it-yourself trading site collective2.com received an “urgent” e-mail notifying them that the company's computer database had been breached by a hacker and that all users should log in to change their passwords immediately. That e-mail stated that the information accessed by the hacker included names, e-mail addresses, passwords and credit card information. ","Media","","2010","40.925377","-73.962915" "December 31, 2009","Eastern Washington University","Cheney","Washington","HACK","EDU","130,000","Eastern Washington University is trying to notify up to 130,000 current or former students whose names, Social Security numbers and dates of birth were on a computer network involved in a security breach. The student information goes back to 1987. The notification process could take up to two weeks. The University recently discovered the breach during an assessment of its network. Information-technology staff also discovered that the hacker installed software to store and share video files on the system. ","Dataloss DB","","2009","47.487390","-117.575762" "December 23, 2009","Penn State University","University Park","Pennsylvania","HACK","EDU","30,000","The University sent out letters notifying those potentially affected by malware infections, which are believed responsible for breaches. 
The areas and extent of the records involved in the malicious software attack included Eberly College of Science, 7,758 records; the College of Health and Human Development, 6,827 records; and one of Penn State's campuses outside of University Park, approximately 15,000 records.","Dataloss DB","","2009","40.802006","-77.856390" "December 4, 2009","University of Nebraska","Omaha","Nebraska","HACK","EDU","1,400","A computer in the College of Education and Human Sciences at the Lincoln campus was breached. The security breach was discovered last month at the University of Nebraska involving the names, addresses and Social Security Numbers of 1,400 Hinsdale High School District 86 graduates. The University's investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information.","Dataloss DB","","2009","41.254006","-95.999258" "November 17, 2009","Nebraska Workers' Compensation Court","Omaha","Nebraska","HACK","GOV","0","Someone broke into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed with the Workers' Compensation Court and the information is temporarily stored on that server. Personal information, including birth dates and Social Security numbers, would have been on the server.","Dataloss DB","","2009","41.254006","-95.999258" "September 16, 2009","Downeast Energy & Building Supply","Brunswick","Maine","HACK","BSO","800","Downeast sent a notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Hackers had gained access to the bank account the company uses to let customers pay for fuel with electronic transfers from their checking accounts. Then, on or around Sept. 
2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. The personal information to which the thieves had access included customers' names, banks and checking account numbers","Dataloss DB","","2009","43.914524","-69.965328" "September 5, 2009","Mitsubishi Corp.","New York","New York","HACK","BSR","52,000","A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system.","Dataloss DB","","2009","40.714269","-74.005973" "July 16, 2009","Moores Cancer Center","San Diego","California","HACK","MED","30,000","A hacker breached the Center's computers and gained access to patients' personal information.  A letter was sent to 30,000 patients informing them that their personal information may have been in the compromised databases.  Types of information in breach included names, dates of birth, medical record number, diagnosis and treatment dates and some Social Security numbers.  The majority of patients' information did not include Social Security numbers.","Dataloss DB","","2009","32.715329","-117.157255" "February 5, 2009","phpBB.com","Bellevue","Washington","HACK","BSO","400,000","A popular bulletin board software package has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. 
The attacker gained access through an unpatched security bug in PHPlist, a third-party email application.","Media","","2009","47.610377","-122.200679" "January 30, 2009"," Coos Bay Department of Human Services","Coquille","Oregon","HACK","GOV","45","A scammer made off with Social Security numbers after sending a virus online to a computer at the Department of Human Services office. An application that was installed recorded keystrokes and sent them to an external address. The information was taken from Coos County residents.","Media","","2009","43.177054","-124.187608" "January 23, 2009","Monster.com","Maynard","Massachusetts","HACK","BSO","0","Their database was illegally accessed and user IDs, passwords, names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence were stolen.","Media","","2009","42.433427","-71.449507" "January 7, 2009","Genica, Geeks.com","Oceanside","California","HACK","BSO","0","Genica dba Geeks.com (Genica) recently discovered that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers. They are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this information by hacking the eCommerce website.","Dataloss DB","","2009","33.195870","-117.379483" "January 6, 2009","CheckFree Corp.","Atlanta","Georgia","HACK","BSF","5,000,000","CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. 
However, because the company lost control of its Web domains, it doesn't know exactly who was hit. It has warned a much larger number of customers. This breach was reported back on Dec. 3, 2008.","Dataloss DB","","2009","33.748995","-84.387982" "July 1, 2009","Bike Nashbar ","Asheville","North Carolina","HACK","BSR","0","The company's computer servers were hacked and credit card information was compromised. Letters with more details will be mailed to affected customers.","Media","","2009","35.600945","-82.554015" "June 7, 2009","T-Mobile USA","Bellevue","Washington","HACK","BSO","0","T-Mobile USA is investigating claims that a hacker has broken into its databases and stolen customer and company information. Someone anonymously posted the claims on the security mailing list Full Disclosure. In that post, the hacker claims to have gotten access to everything -- their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009. They claim they have been in touch with the carrier's competitors trying to sell the data, but have been unsuccessful. They threatened to sell it to the highest bidder. T-Mobile later confirmed a hacker obtained a document.","Media","","2009","47.610377","-122.200679" "June 3, 2009","Aviva","Concord","New Hampshire","HACK","BSF","550","The data breach affected customers who opened accounts in the U.S. or beneficiaries of accounts opened in the U.S. The breach, caused by malware on an Aviva computer, happened between Dec. 30 and Feb. 24. A vendor helping Aviva locate policyholders and beneficiaries whose mail was undeliverable found 3 Aviva USA customers' Social Security numbers and other personal information while searching for them. The company believed 550 customers had their Social Security numbers exposed in this manner. 
Aviva says it has removed the compromised hardware and taken steps to prevent future malware attacks.","Dataloss DB","","2009","43.208137","-71.537572" "May 11, 2009","Multiple financial institutions","New York","New York","CARD","BSF","0","A band of brazen thieves ripped off hundreds of New Yorkers by rigging ATMs to steal account and password information from bank customers. The first - a skimmer - went over the slot where customers insert their ATM cards. The skimmer read, and stored, the personal information kept in the magnetic strip on the back of the bank card. The second device was a tiny camera hidden in the lighted signs over the ATM. The pinhole camera lens pointed directly onto the ATM keypad and filmed victims typing in their supposedly secret PIN codes. The thieves would then create their own phony ATM cards and use their victims' PINs to access accounts.","Media","","2009","40.714269","-74.005973" "May 4, 2009","Virginia Prescription Monitoring Program","Richmond ","Virginia","HACK","MED","531,400","The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not. UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program, are being notified. 
The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse.","Media","","2009","37.542979","-77.469092" "May 1, 2009","LexisNexis, Investigative Professionals","Miamisburg","Ohio","CARD","BSO","40,000","Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 individuals whose sensitive and personally identifiable information may have been viewed by individuals who did not have legitimate access. The data breach is linked to a Nigerian scam artist who used the information to incur fraudulent charges on victims' credit cards. Of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards. The private information viewed included names, dates of birth and possibly Social Security numbers.","Dataloss DB","","2009","39.642836","-84.286608" "March 12, 2009","US Army","Washington","District Of Columbia","HACK","GOV","1,600","An Army database that contains personal information about nearly 1,600 soldiers may have been penetrated by unauthorized users. The information that may have been breached includes the service members' names, e-mail messages, phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned from their deployment.","Media","","2009","38.895112","-77.036366" "February 16, 2009","Wyndham Hotels & Resorts","Parsippany","New Jersey","HACK","BSO","21,000","In mid-September 2008, the company discovered that a sophisticated hacker penetrated the computer systems of one of the hotels. By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of WHR customers. 
Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe.","Dataloss DB","","2009","40.857877","-74.425987" "February 13, 2009","University of Alabama","Tuscaloosa","Alabama","HACK","EDU","37,000","Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994.","Dataloss DB","","2009","33.209841","-87.569174" "May 28, 2009","Aetna","Hartford","Connecticut","HACK","MED","65,000","Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail addresses from the Web site, although it's not clear if SSNs were also obtained. The spam purported to be a response to a job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. UPDATE (6/11/09): Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees.","Dataloss DB","","2009","41.763711","-72.685093" "March 7, 2009","Google","Mountain View","California","DISC","BSO","0","Google contacted some of its users to let them know about a situation that affected its Google Docs users. They believe the problem affected less than 0.05% of all documents. 
Google identified and fixed a bug where a small percentage of users shared some of their documents inadvertently. The bug occurred when the document owner, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and then changed the sharing permissions. The bug did not affect spreadsheets.","Media","","2009","37.386052","-122.083851" "April 6, 2010","Providence Hospital","Southfield","Minnesota","PORT","MED","12","The hospital has sent letters alerting patients that a hard drive used for backing up data has been lost or stolen from a locked office suite. The hospital explained that the data included patient names, medical record numbers and/or clinical information, addresses and phone numbers of some employees, and what the hospital called proprietary business information. The hospital would not comment on how many patients may be affected, but said only 12 patients' Social Security numbers were on the hard drive.","Dataloss DB","","2010","46.832005","-96.752165" "March 18, 2010","California State University, Los Angeles (Cal State Los Angeles)","Los Angeles","California","STAT","EDU","232","Cal State Los Angeles has notified 232 former students that a computer stolen from the mathematics department office last month may have contained personal information such as their Social Security numbers and grades.","Dataloss DB","","2010","34.052234","-118.243685" "August 11, 2009","University of California, Berkeley School of Journalism ","Berkeley","California","HACK","EDU","493","Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. 
However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.","Dataloss DB","","2009","37.871593","-122.272747" "July 29, 2009","University of Colorado, Colorado Springs","Colorado Springs","Colorado","PORT","EDU","766","The university is notifying nearly 800 students and alumni that some of their personal information may have been on a stolen laptop. That laptop was taken from a professor's home on July 5th after the home was burglarized. The laptop contained class roster information - name, student ID number, e-mail address, graduating class year and grade information - for current and past UCCS students. No financial information was stored on the laptop, but there is a possibility that Social Security numbers may have been involved for students enrolled prior to summer, 2005.","Dataloss DB","","2009","38.833882","-104.821363" "May 7, 2009","University of California, Berkeley","Berkeley","California","HACK","EDU","160,000","Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni may have been stolen. The University says Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed by hackers beginning on October 9, 2008 and continued until April 6, 2009. 
All of the exposed databases were removed from service to prevent further attacks.","Dataloss DB","","2009","37.871593","-122.272747" "April 8, 2010","ManorCare Health Services","Wheaton","Maryland","INSD","MED","0","Montgomery County's Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors' yards over the past few months. The county sent a nursing home inspector to investigate complaints from residents in the Wheaton Regional Park Civic Association who said they have found internal documents from the nearby ManorCare Health Services that contain patient conditions, names and Social Security numbers. The inspector cited ManorCare for inappropriate conduct. ","Dataloss DB","","2010","39.039831","-77.055256" "April 13, 2010","Virginia Beach Dept. of Social Services","Virginia Beach","Virginia","INSD","GOV","0","At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients. The violations include a boss who forced her employees to gather information from a state database about her husband's child and a worker who checked on the status of a dead client's Medicaid benefits to help the client's family. Most of the cases stemmed from the agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help.","Dataloss DB","","2010","36.852926","-75.977985" "April 13, 2010","St. 
Peter's Hospital","Albany","New York","INSD","MED","0","An East Greenbush man who worked as a medical records clerk at St. Peter's Hospital is accused of stealing personal information from patients' files to open credit card accounts. The man allegedly stole Social Security numbers and other personal information from patients' records, then used the data to open credit card accounts for making personal purchases online. The man was charged April 12 with five counts of felony second-degree forgery, three counts of felony second-degree identity theft and three counts of misdemeanor second-degree criminal impersonation.","Dataloss DB","","2010","42.652579","-73.756232" "January 31, 2009","Columbia University","New York","New York","PORT","EDU","1,400","About 1,400 current, former and prospective students at Columbia University have been told that their personal information, including Social Security numbers, is vulnerable following a security breach. The university said information about the students, as well as some current and past employees, was on three password-protected notebook computers that were stolen from a Columbia College.","Dataloss DB","","2009","40.714269","-74.005973" "April 21, 2010","Brooke Army Medical Center","San Antonio","Texas","PORT","MED","1,272","An Army three-ring binder that may have included detailed information on soldiers and families being treated at Brooke Army Medical Center was stolen on Oct. 16 from a car belonging to a case manager. Names, phone numbers and health information of 1,272 patients being treated at hospitals may have been breached by the car break-in.","Dataloss DB","","2010","29.424122","-98.493628" "January 5, 2010","Housing Authority of New Orleans (HANO)","Algiers","Louisiana","PHYS","GOV","0","Personal documents relating to section 8 were left in an unsecured and abandoned office.  The documents included copies of birth certificates, driver's license numbers, pay stubs, and Social Security cards. 
","NAID","","2010","29.944720","-90.046670" "January 21, 2009","First Interstate Mortgage Corporation (FIM), Nevada One Corporation (Nevada One)","","Nevada","PHYS","BSF","0","These mortgage brokers discarded consumers' tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster in December of 2006. Approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards, drivers' licenses, and at least 230 credit reports. The defendant, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them. UPDATE (1/20/10): The mortgage broker paid a $35,000 civil penalty to settle FTC charges. The mortgage broker will also have to hire an independent security professional to review the security process every year for 10 years. ","NAID","","2009","38.802610","-116.419389" "January 12, 2010","SouthTrust","Bossier","Louisiana","PHYS","BSF","0","The financial planning company left sensitive retirement information in a publicly accessible dumpster.  The information included account ID numbers, personal addresses, and Social Security numbers. Information about people living in Shreveport, Haughton, Minden, Monroe, Farmerville, Eros and Downsville, Louisiana was found.  Information from people living in Orange, Port Neches, Vidor and Deweyville, Texas was also found.","NAID","","2010","32.755132","-93.662324" "April 9, 2010","Charles Schwab","Albany","New York","HACK","BSF","0","A Russian national was sentenced to 37 months in prison for hacking into victims' brokerage accounts at Charles Schwab, laundering more than $246,000 and sending a portion back to co-conspirators in Russia. 
The man also sold approximately 180 stolen credit card numbers to a cooperating witness and directed that they be fabricated into credit cards. According to the indictment, from approximately September 2006 through December 2007 two men participated in a scheme to steal funds from bank and brokerage accounts by hacking into those accounts through the Internet, using personal financial information obtained through Trojan computer viruses and then laundering the stolen proceeds.","Dataloss DB","","2010","42.652579","-73.756232" "April 13, 2009","Irving Independent School District","Irving","Texas","PHYS","EDU","0","Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in credit card purchases. At least 64 of the 3,400 teachers' and other employees' names were on an old benefits report that somehow ended up in the trash. UPDATE (2/4/10): At least one woman involved in the crime was caught in January of 2009 and sentenced on February 4, 2010.","Media","","2009","32.814018","-96.948895" "April 22, 2010","JE Systems Inc.","Fort Smith","Arkansas","HACK","BSF","0","The company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account. On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account. Over the course of two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000. A few days later, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. 
It was their internet address that was used to process the payments, and their online banking user name and password.","Dataloss DB","","2010","35.385924","-94.398548" "April 21, 2010","US Army Reserve","Fort Totten","New York","PHYS","GOV","12,000","The Army is warning about 12,000 military and civilian personnel once associated with a reserve command based at Fort Totten that they should check their credit records, after discovering that it cannot locate files containing information that could make them vulnerable to identity theft. The records cover reservists from Long Island, New York City and upstate who were assigned to the 77th Regional Readiness Command and its subordinate units from 2001 until the unit was absorbed by the 99th Regional Support Command in 2008. The files were discovered missing when the new command asked for an accounting of the old unit’s records. They could have been burned, shredded or stolen.","Dataloss DB","","2010","40.791801","-73.777174" "April 23, 2010","ESB Financial","Ellwood City","Pennsylvania","DISC","BSF","3,097","ESB Financial officials announced that a data backup seven years ago had inadvertently been sent to an unauthorized storage source. Only checking and money-market account information was backed up to the incorrect outside data-storage company. A total of 3,097 customers could have been affected by the backup. Names, addresses, account numbers and, in some cases, Social Security numbers, would have been available to someone who found them on the Internet. However, the jumble of numbers would not have been easily recognizable and ESB was not identified as the source of the information.","Dataloss DB","","2010","40.861730","-80.286452" "April 23, 2010","Blippy.com","Palo Alto","California","DISC","BSO","0","Blippy is a social Web service that lets users share with the world all their credit card transactions. One big problem though: Blippy appears to have inadvertently published some of its users' credit card numbers. 
A Google search resulted in the viewing of some of the credit card numbers.","Dataloss DB","","2010","37.441883","-122.143020" "January 28, 2010","University Medical Clinics","Port St. Lucie","Florida","PHYS","MED","0","Files containing Social Security numbers, phone numbers, patient names, and addresses were found in a trash bin outside of the clinic. A woman found the files and notified police after receiving an anonymous tip.","NAID","","2010","27.275772","-80.355029" "April 23, 2010","Chattanooga State","Chattanooga","Tennessee","PHYS","EDU","1,700","Nearly two thousand student records from Chattanooga State are missing. The company hired to scan the documents mishandled them. The school took the records to a company, United Imaging in Walker County, where the papers would be converted to computer discs. The school was contacted by individuals who said there was something awry going on at this scanning site. That's when the school found their records in disarray, and brought them back. The papers included students' names, Social Security numbers, addresses, and phone numbers; some even contained high school transcripts. Chattanooga State went through each item, hand by hand, and found nearly 2000 missing documents from 2007.","Dataloss DB","","2010","35.045630","-85.309680" "April 23, 2010","DRC Physical Therapy Plus","Monticello","New York","PHYS","MED","0","Officials have seized hundreds, perhaps thousands, of files containing Social Security numbers and other private patient information found dumped outside the shuttered office of DRC Physical Therapy Plus. The manila folders, dating back to at least 1998, include information sheets showing the names, addresses and birth dates of patients and, in some cases, Social Security numbers. Deputies impounded a dump truck loaded with patient files and about a dozen or so boxes stacked inside the bucket of a front-loader. 
","Dataloss DB","","2010","41.655647","-74.689328" "April 23, 2010","Hutcheson Medical Center","Chattanooga","Tennessee","PHYS","MED","0","Anyone who peered inside the mixed paper bin at the Dupont Recycling Center in May of 2009 got an eyeful. Files, in plain sight, which contained sensitive medical and identity information. Authorities don't know how those thousands of files got there. Some of the records came from Hutcheson and a plastic surgery office in the area. The information inside those files included graphic photos, and Social Security numbers. ","Dataloss DB","","2010","35.045630","-85.309680" "April 28, 2010","Montana Tech","Butte","Montana","DISC","EDU","260","A Montana Tech employee mistakenly included the personal information of former students in an e-mail message sent to faculty, staff and students last week. The e-mail was an invitation to watch students present their research projects. But the file that this year's information was taken from included the names, addresses, Social Security numbers and in some cases birth dates of students whose research projects were done from 1998 through 2005.","Dataloss DB","","2010","46.003917","-112.534446" "August 11, 2009","Bank of America Corp. ","Charlotte","North Carolina","CARD","BSF","0","Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one.","Media","","2009","35.227087","-80.843127" "April 28, 2010","The Medical Center","Bowling Green","Kentucky","PORT","MED","5,418","The Medical Center at Bowling Green is notifying 5,418 patients whose medical information may have been breached when a computer hard drive was stolen. 
The computer hard drive was taken from the hospital's mammography suite and contained information from patients who underwent bone density testing between 1997 and 2009.","Dataloss DB","","2010","36.990320","-86.443602" "February 17, 2010","Cardiology Consultant Inc.","Pensacola","Florida","PORT","MED","8,000","Cardiology Consultants Inc. today reported that a laptop used to process ultrasound images was stolen from one of its Pensacola offices. The computer did not contain patient financial information or Social Security numbers. The stolen computer did contain the first and last names, dates of birth, medical record numbers, exam dates and in some cases, the reason for the ultrasound.","Dataloss DB","","2010","30.421309","-87.216915" "April 29, 2010","St. Jude Heritage Medical Group","Orange","California","PHYS","MED","20,000","20,000 patients may have had their personal information stolen after a break-in at the St. Jude Heritage Healthcare Clinical Management Services building in Fullerton. The thieves stole five computers. The stolen patient data included Social Security numbers, dates of birth and in some cases, health related information.","Dataloss DB","","2010","33.787794","-117.853112" "April 30, 2010","Our Lady of Peace","Louisville","Kentucky","PHYS","MED","24,600","A flash drive containing personal information on 24,600 patients is missing from Our Lady of Peace psychiatric hospital. The drive contained the following information on patients admitted since 2002: patient names, room numbers, insurance company names and admission and discharge dates. It didn’t include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses for these patients. The drive also included the following information on patients assessed since 2009 but never admitted: name, date of assessment, date of birth and the time they left the hospital. 
For these patients, the information on the drive didn’t include diagnoses or treatments, Social Security numbers, telephone numbers, addresses or insurance information.","Dataloss DB","","2010","38.254238","-85.759407" "March 26, 2010","Educational Credit Management Corporation","ST. Paul","Minnesota","PORT","BSF","3,300,000","ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data. UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence room.","Dataloss DB","","2010","44.944410","-93.093274" "May 7, 2010","FHG Finance","Pleasant Hill","California","DISC","BSF","300","The financial and personal details of about 300 property loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin. The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company padlocked the trash bin until the documents could be shredded.","Dataloss DB","","2010","37.947979","-122.060796" "April 14, 2010","Strategic Workforce Solutions, Tatum SFN division","New York","New York","PORT","BSO","0","The Tatum division of SFN (Strategic Workforce Solutions) notified employees that a portable electronic device was stolen from the trunk of a car.  
The device contained unencrypted files with names, addresses and Social Security numbers.","Databreaches.net","","2010","40.714269","-74.005973" "April 14, 2010","Lam Research Corp.","Fremont","California","PORT","BSO","0","A laptop containing the information of people regularly employed at Lam Research Corp. on or after January 1, 2009 was stolen from an employee's car.  Temporary employees and contractors from August 1, 2007 and beyond may have also been affected.  The information included names and Social Security number; however, it was protected by passwords and fingerprints checks.","Databreaches.net","","2010","37.548270","-121.988572" "April 13, 2010","Atlanta Firefighters","Atlanta","Georgia","DISC","GOV","1,000","While attending a seminar on security, Atlanta police officers were astonished to discover that personal information from city firefighters was being used as an example of what could be found on the Internet. The information included Social Security numbers, names and addresses. It is believed that the information was hacked and/or uploaded to a file sharing website from a city employee's off-site laptop.","Databreaches.net","","2010","33.748995","-84.387982" "April 9, 2010","Hollywood Video","Sparks","Nevada","PHYS","BSR","0","This Hollywood Video like many others has closed. Hundreds, perhaps thousands of pieces of paper, receipts, records and worst of all membership forms, were exposed.  It appears they were not even placed in the dumpster, but left out in the open and scattered everywhere by the wind. On these forms were names, addresses, birth dates, I-D numbers, credit card numbers and signatures.","Dataloss DB","","2010","39.534911","-119.752689" "April 8, 2010","HBDirect.com","Waterbury Center","Vermont","HACK","BSO","0","A security breach resulted in the possibility that hackers accessed customer names, addresses, credit card information, email addresses and phone numbers. 
Customers who used the site between December 1, 2009 and February 10th, 2010 may have been affected.","Databreaches.net","","2010","44.378060","-72.716390" "March 29, 2010","Proxima Alfa Investments LLC","New York","New York","PORT","BSF","0","In November the firm discovered that several backup tapes were missing from its office. The tapes contained customer information such as names, e-mail addresses, addresses, phone numbers, Social Security numbers, bank account information, passport numbers and sometimes scans of passports. The firm ceased operations in mid-2009.","Databreaches.net","","2010","40.714269","-74.005973" "March 9, 2010","LPL Financial","Boston","Massachusetts","PORT","BSF","0","An unencrypted portable hard drive was stolen from a car of an LPL representative. As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers may have been breached.","Dataloss DB","","2010","42.358431","-71.059773" "March 19, 2010","MyPilotStore.com","Scottsdale","Arizona","HACK","BSO","0","In February, it was discovered that a database containing customer names, addresses, e-mails, telephone numbers, and credit card information had been hacked. Some customers received phony charges to their accounts as a result of this hack.","Databreaches.net","","2010","33.494170","-111.926052" "December 7, 2009","Gateway Community College","New Haven","Connecticut","HACK","EDU","0","The College attempted to notify potential victims of a breach caused by malware discovered on campus computers. 
College alumni who donated to the College, potential donors, and students receiving scholarships between 2004 and 2006 may have been affected.","Databreaches.net","","2009","41.308153","-72.928158" "March 25, 2010","Northwestern Medical Faculty Foundation","Chicago","Illinois","INSD","MED","245","The Cook County Sheriff’s Department has uncovered an identity theft ring, a limited part of which may involve an employee of Millard Cleaning Service, the service contracted to clean the Foundation’s offices. The suspect may have stolen information from paper records, including names, dates of birth, Social Security numbers, and addresses. NMFF has reviewed the Sheriff’s Department’s list of identity theft victims in Illinois and other states. It has identified approximately 65 people who were recent patients of NMFF, and it is contacting those who are known identity theft victims and offering assistance. While the Sheriff’s Department has identified hundreds of other identity theft victims, the majority of them have no connection to NMFF and their personal information was not stolen from NMFF. UPDATE (3/25/10): At least seven individuals linked to the Millard Cleaning Service janitor have been connected to the theft ring.","Dataloss DB","","2010","41.850033","-87.650052" "March 25, 2010","Valencia High School","Valencia","California","INSD","EDU","0","A student gained access to the entire district of Hart's system, but only went into his high school's portion. The student claimed he changed some things and then returned them. The student most likely used a password, but it is not known whether he used a district computer or a personal one. The district is providing one year of free credit monitoring services.","Databreaches.net","","2010","34.146677","-117.272543" "March 25, 2010","Yuma Proving Ground","Yuma","Arizona","HACK","GOV","700","A home computer that contained personnel data may have picked up a virus from the Internet. 
This breach puts employee names and Social Security numbers at risk.","Databreaches.net","","2010","32.725325","-114.624397" "March 25, 2010","Johns Hopkins University School of Education","Baltimore","Maryland","DISC","EDU","0","A file containing student enrollment information was accessible online.  Student names, races, genders, Social Security numbers, identification numbers and dates of birth were accessible for at least one month.","Databreaches.net","","2010","39.290385","-76.612189" "March 22, 2010","Arkansas Crime Information Center","Little Rock","Arkansas","INSD","BSO","0","It appears that the owner of a bail bonds business accessed criminal, family, and financial background information by misusing a police password. The Arkansas Crime Information Center database was fraudulently accessed 1,200 times in less than one year.","Databreaches.net","","2010","34.746481","-92.289595" "March 16, 2010","Albany Police Department (ADP Georgia)","Albany","Georgia","DISC","GOV","0","Sensitive city documents were found near a garbage can in an alley. The documents may have contained Social Security numbers. It is believed that officers failed to shred the documents and dispose of them properly.","Databreaches.net","","2010","31.578507","-84.155741" "March 13, 2010","John Hancock Financial Services","Boston","Massachusetts","PORT","BSF","1,085","A CD that contained customer names, Social Security numbers, and dates of birth went missing. The CD was password protected and encrypted and credit monitoring services were offered to customers who may have been affected.","Databreaches.net","","2010","42.358431","-71.059773" "May 7, 2010","Fast Cash","Knoxville","Tennessee","PHYS","BSF","0","Hundreds, maybe thousands, of documents with personal information were dumped behind a shopping center. 
The documents scattered around a dumpster behind the business listing Social Security numbers, names, addresses, bank account numbers and signatures.","Dataloss DB","","2010","35.960638","-83.920739" "May 7, 2010","Bureau of Engraving and Printing","Washington","District Of Columbia","HACK","BSF","0","Hackers have caused the Bureau of Engraving and Printing (BEP), a part of the US Department of the Treasury, to shut down a number of websites. The BEP confirmed to IT PRO that the hosting company it uses experienced an intrusion and as a result of the breach numerous websites were affected, including non-BEP sites. Those URLs are: bep.gov; bep.treas.gov; moneyfactory.gov and moneyfactory.com. BEP has since suspended the website. The chief research officer at IT security company AVG, indicated that the BEP websites had a line of code injected into them. Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit packs which will carry the victim onto the second stage of the attack. The exploit kit determined that Java was the “best method” for infecting his test machine. Once infected, users' web browsers will start directing them to ads and “other nasty things” like rogueware.","Dataloss DB","","2010","38.895112","-77.036366" "January 26, 2009","U.S. Military ","Washington","District Of Columbia","UNKN","GOV","60","A New Zealand man accesses US military secrets on an MP3 player he bought from an Oklahoma thrift shop for $18. When the 29-year-old hooked up the player he discovered a playlist he could never have imagined - 60 files in total, including the names and personal details of American soldiers.","Media","","2009","38.895112","-77.036366" "March 10, 2010","Wickenburg Unified School District","Wickenburg","Arizona","DISC","EDU","1,438","State auditors found that the District's network was accessible to unauthorized users.  
Backup servers were kept in an easily accessible room. Names, Social Security numbers, addresses and birth dates of students were left exposed.","Databreaches.net","","2010","33.968641","-112.729622" "March 2, 2010","Diabetes Direct Inc","Juniper","Florida","INSD","MED","0","A former employee is accused of stealing patient information to commit identity theft. The former employee also had multiple driver's licenses and was able to open utility, bank and credit accounts.","Databreaches.net","","2010","30.542500","-84.753330" "May 11, 2010","New Mexico Medicaid","Santa Fe","New Mexico","PORT","GOV","9,500","An employee of a subcontractor for the company that processes claims and provides dental benefits for the State’s Medicaid program filed a stolen car report for a vehicle whose trunk contained an “unencrypted” laptop loaded with patient information. The patient information in the laptop included name, health plan identification number, which in some cases is the individual’s Social Security number, and a provider identification number but not the name of the provider. The agency sent out a message today saying that it was in the process of notifying 9,500 New Mexicans who use its Medicaid Salud plan of a possible security breach.","Dataloss DB","","2010","35.686975","-105.937799" "March 11, 2010","Bennett College","Greensboro","North Carolina","HACK","EDU","1,100","A payroll computer was breached. Names, Social Security numbers, birth dates, pay rates, and bank transit numbers were exposed.","Databreaches.net","","2010","36.072635","-79.791975" "February 27, 2010","AT&T","Chicago","Illinois","INSD","BSF","0","A former employee of an unknown service provided for AT&T removed documents that contained customer credit card information. 
The information may have also included Social Security numbers, driver's license numbers, names and addresses.","Databreaches.net","","2010","41.850033","-87.650052" "November 19, 2009","FCI USA","Manchester","New Hampshire","PORT","BSO","2,000","An employee's laptop was stolen.  The laptop contained a spreadsheet with Social Security numbers, dates of birth and names for 2,000 employees.","Databreaches.net","","2009","42.995640","-71.454789" "October 17, 2009","Feeney Insurance Agency","Pittsburgh","Pennsylvania","STAT","BSF","0","A break in resulted in the theft of an unencrypted computer. The computer contained contact information, Social Security numbers, birth dates, and driver's license numbers.","Databreaches.net","","2009","40.440625","-79.995886" "February 24, 2010","University of Washington Medical Center (UWMC)","Seattle","Washington","INSD","MED","210","The UWMC sent letters to patients telling them that their Social Security numbers, credit card information, birth dates and addresses were accessed by dishonest persons. The personal information was found in the possession of a convicted felon who had ties to an employee who works with the hospital. The employee worked at NCO Financial Systems, a company which UWMC uses to process patient payments. ","Databreaches.net","","2010","47.606210","-122.332071" "February 12, 2010","Daedalus Books Inc.","Columbia","Maryland","HACK","BSR","1,285","A hacker accessed a database with customer information.  
The information included names, addresses, and credit card numbers from people who made orders between August 25, 2009 and November 23, 2009.","Databreaches.net","","2010","39.203000","-76.857981" "February 11, 2010","Sandwich Board Cafe","Greenwood Village","Colorado","INSD","BSO","0","An employee used customer credit card information to purchase $200,000 worth of Wal-Mart shopping cards.","Databreaches.net","","2010","39.617210","-104.950814" "February 5, 2010","Wyoming Department of Health Kid Care CHIP","Cheyenne","Wyoming","DISC","GOV","5,000","Applicants of the Wyoming Kid Care CHIP program had their information exposed online. Family home addresses and the Social Security numbers of children involved were available to the general public via a Google search.","Databreaches.net","","2010","41.139981","-104.820246" "December 22, 2009","Western Michigan University","Kalamazoo","Michigan","DISC","EDU","0","University officials discovered that student employee information was viewable online. The information included names, addresses and Social Security numbers.","Databreaches.net","","2009","42.291707","-85.587229" "January 5, 2010","Metropark","Los Angeles","California","DISC","BSR","0","Personal documents were found at the Palisades Mall in West Nyack, New York. The documents had names, Social Security numbers, contact information, and other personal information. They appeared to be mishandled applications from a clothing store called Metropark.","Databreaches.net","","2010","34.052234","-118.243685" "January 19, 2010","CHASE","Louisville","Kentucky","DISC","BSF","0","CHASE customer information that was sold to another business was accidentally posted on a website.  
The information included names, addresses and bank account numbers.","Databreaches.net","","2010","38.254238","-85.759407" "February 4, 2010","HyCentral Medical Supplies and Equipment","Derry","New Hampshire","INSD","MED","0","The owner of the business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.","PHIPrivacy.net","","2010","42.880643","-71.327286" "March 8, 2010","Huntington Place Senior Community","Chalmette","Louisiana","DISC","MED","0","Personal documents were found in the abandoned nursing home. The documents included names, Social Security numbers, medical records and dates of birth of patients.","PHIPrivacy.net","","2010","29.942704","-89.963402" "March 8, 2010","McNair Eye Center","Heber Springs","Arkansas","STAT","MED","9,000","A computer server with patient personal information was stolen.","PHIPrivacy.net","","2010","35.491468","-92.031260" "March 2, 2010","Family Health Center","Reston","Virginia","DISC","MED","0","Boxes containing patient information ended up in a dump.  The easily accessible information included health history, surgeries performed, test results, pictures, insurance cards, bank account information and addresses.  The boxes were traced back to Family Health Center on Town Center Parkway.","PHIPrivacy.net","","2010","38.968721","-77.341096" "May 13, 2010","Army Reserve/Serco Inc.","Morrow","Georgia","PORT","GOV","207,000","A laptop containing the names, address and Social Security numbers of more than 207,000 Army reservists has been stolen from a government contractor in Georgia. A CD-Rom containing the personal identifiable information was in one of three laptops stolen from the Morrow, Ga., offices of Serco Inc., a government contractor based in Reston, Va. The other laptops did not contain sensitive personal information. Serco had a contract with the U.S. 
Army's Family and Morale, Welfare and Recreation Division, so some of the pilfered information also could belong to reservists' family members.","Dataloss DB","","2010","33.583166","-84.339368" "May 4, 2010","Millennium Medical Management Resources","Westmont","Illinois","PORT","MED","180,111","Health records belonging to patients were stolen in a break-in. The records were on a portable hard drive and stolen from the Westmont office of Millennium Medical Management Resources. Millennium believes the hard drive contained personally identifiable information about EHP patients including name, address, phone, date of birth, and Social Security number. In some cases other information such as diagnosis, procedure (and/or codes), medical record number, account number, driver's license number and health insurance info. It was NOT encrypted.","Dataloss DB","","2010","41.795864","-87.975618" "May 14, 2010","Department of Veterans Affairs","Washington","District Of Columbia","PORT","GOV","616","The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an unencrypted laptop that had held the Social Security numbers and other information of 616 veterans. The stolen laptop was owned by a contractor and not the VA.","Dataloss DB","","2010","38.895112","-77.036366" "April 6, 2010","Pediatric Sports and Spine Associates","Brentwood","Tennessee","PORT","MED","955","A laptop was stolen from an employee on February 10. The theft occurred off-site. The laptop contained names, addresses, phone numbers, dates of birth, medical information and Social Security numbers.","PHIPrivacy.net","","2010","36.033116","-86.782777" "March 19, 2010","National Realty and Investment Advisors, LLC","Hoboken","New Jersey","HACK","BSF","0","Certain consumer information was accessed without proper authorization on March 9, 2010. 
Names and addresses were accessed, as well as additional information that may have included Social Security numbers, dates of birth and/or account numbers.","Dataloss DB","","2010","40.743991","-74.032363" "March 8, 2010","Arrow Electronics","Melville","New York","PORT","BSO","4,004","The theft of a laptop from the office of Arrow Electronics has resulted in the company notifying 4,004 current and former employees that their personal information was on the laptop. The laptop was stolen during a break-in on February 18. Personal information on the laptop included names, addresses, telephone numbers, and for some of those who used company Blackberry, wireless AirCard and calling card services, their Social Security numbers, some credit card information such as last four digits, security code, and expiration date.","Media","","2010","40.793432","-73.415121" "March 13, 2010","Nuance Communications Inc.","Burlington","Massachusetts","PORT","BSO","1,191","Nuance Communications Inc., a Burlington speech technology company, reported a laptop stolen from a locked car in Burlington may have contained personal information such as names and Social Security numbers of 1,191 Massachusetts residents. The company notified its employees, installed security and encryption software on laptops, and purchased credit monitoring services for those workers whose information was on the laptop.","Dataloss DB","","2010","42.504817","-71.195611" "April 13, 2010","Room Store","Annapolis","Maryland","PHYS","BSR","0","A Maryland man found his own credit application lying on the ground near a dumpster. The dumpster contained thousands of old credit applications and some newer ones. The information included Social Security numbers, driver's licence numbers, names, addresses, and phone numbers. 
Room Store employees were doing a massive cleanup and unknowingly dumped the bag of documents without shredding them.","Databreaches.net","","2010","38.978445","-76.492183" "March 24, 2010","Wachovia","Alexandria","Washington","CARD","BSF","0","A skimming device was spotted outside a Wachovia branch in Alexandria, Washington. It is estimated that over $60,000 in fraudulent charges was stolen from ATM customers of the Wachovia King Street branch.","Databreaches.net","","2010","38.724521","-83.047954" "March 13, 2010","California Pizza Kitchen","Plymouth Meeting","Pennsylvania","CARD","BSR","0","A credit card thief and his partner used skimming devices to obtain credit card account information. The thief provided his partner with a skimming device while she worked at a California Pizza Kitchen in Plymouth Meeting, Pa. from 2008 to 2009. Around 26 customer credit cards were fraudulently charged.","Databreaches.net","","2010","40.102332","-75.274347" "February 24, 2010","7-Eleven","Sandy","Utah","CARD","BSR","0","A skimming device monitored transactions at a gas station pump in Sandy, Utah. The device could have been active for 60 days before being discovered and was used to steal over $11,000.","Databreaches.net","","2010","40.572415","-111.859610" "May 25, 2010","AT&T/Ferrell Communication","Jacksonville","Florida","DISC","BSO","0","A woman got quite a surprise when she looked in her recycle bin. Someone had dumped hundreds of files of people's personal information. The manila folders that were found contained personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers. It appears the information was collected by another company called Ferrell Communication, which was located in a strip mall. It's no longer there, and the phone number listed isn't valid. The information is contracts for AT&T wireless service customers dating back to 1999 or 2000. 
The information is old, but could still be valid.","Dataloss DB","","2010","30.332184","-81.655651" "May 25, 2010","City of Charlotte","Charlotte","North Carolina","PHYS","GOV","5,220","The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost. The loss affects individuals who received health insurance from the city in early 2002. Two DVDs containing the Social Security numbers of the affected individuals failed to arrive at the offices of Towers Watson & Co., the city’s benefits consulting firm, in Atlanta. The discs also contained prescription-drug information for five individuals.","Dataloss DB","","2010","35.227087","-80.843127" "June 2, 2010","Roanoke City Public Schools","Roanoke","Virginia","PORT","EDU","2,000","Personal information of more than 2,000 Roanoke City Public Schools employees may be at risk. School officials said the hard drives of eight computers were not removed before the units were sold as surplus. ""We believe that we have recovered all of the hard drives,"" said Superintendent Rita Bishop. The drives contained the names, school locations and Social Security numbers of the division's employees as of November 2006. The division will be setting up a hotline for employees to call with questions and concerns. Free credit monitoring service will be offered to affected employees. ","Dataloss DB","","2010","37.270970","-79.941427" "June 2, 2010","University of Louisville","Louisville","Kentucky","DISC","EDU","709","A University of Louisville database of 708 names that included Social Security numbers and dialysis details was available on the Internet without password protection for nearly a year and a half. The Web site was disabled on May 17 when the university discovered the flaw. University officials said in a statement that accessing the database would not have been easy, and no direct links to the database were discovered. 
The information was available so long because the U of L doctor who set up the Web site thought the information was protected by a password and other precautions. U of L was finally notified when someone outside the university sent an e-mail about open access to the information. The Web site was shut down an hour later.","Dataloss DB","","2010","38.254238","-85.759407" "June 3, 2010","Safe Harbor Med","Santa Cruz","California","PORT","MED","0","Burglars stole client records, a suitcase and two bags of cookies from a medicinal marijuana referral office. Burglars also stole a computer hard drive that contained a client database, including Social Security numbers, ID numbers and other sensitive information. The burglars apparently cut power to the building — so the alarm didn't go off — and shattered a window to get into the office.","Dataloss DB","","2010","36.974117","-122.030796" "June 4, 2010","Digital River Inc.","Eden Prairie","Minnesota","HACK","BSF","200,000","A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 19-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. The Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by hackers in New Delhi, India, possibly with help from a contractor working for Digital River.","Dataloss DB","","2010","44.854686","-93.470786" "June 10, 2010","City of Springfield","Springfield","Illinois","DISC","GOV","0","The city of Springfield put documents online that contained sensitive information such as Social Security numbers, driver’s license numbers, home and work telephone numbers, bank account numbers and the name of someone who called the state anonymously to report suspected child abuse. 
The documents were posted on the city’s website in response to Freedom of Information Act requests as part of an initiative to make public information available to anyone with a computer. But personal information such as home phone numbers, Social Security numbers and driver’s license numbers are exempt from disclosure under state law.","Dataloss DB","","2010","39.781721","-89.650148" "May 20, 2010","Rockbridge Area Community Services","Lexington","Virginia","STAT","MED","500","On March 3rd, at least one computer and one laptop containing personal information were stolen. Information such as names and Social Security numbers may have been compromised.","Databreaches.net","","2010","37.784021","-79.442816" "May 21, 2010","Aldaco's Mexican Cuisine","San Antonio","Texas","HACK","BSR","0","Aldaco's Mexican Cuisine at Stone Oak had a data security breach.  Customers were notified of fraudulent charges; some were from places outside of the U.S. Aldaco urged customers who had used their credit cards at the restaurant to cancel them.","Databreaches.net","","2010","29.424122","-98.493628" "May 25, 2010","Local Coffee","San Antonio","Texas","HACK","BSR","0","Hackers may have gained access to credit and debit card information by exploiting Aloha software weaknesses. After a purchase at Local Coffee, a customer's debit card was canceled. This prompted Local Coffee to temporarily stop using Aloha.  Another San Antonio eating establishment, Aldaco, also encountered hacking problems while using Aloha software.","Databreaches.net","","2010","29.424122","-98.493628" "May 17, 2010","Silicon Valley Eyecare Optometry and Contact Lenses","Santa Clara","California","STAT","MED","40,000","A computer and a plasma TV were stolen from the office on Friday April 2nd, 2010. The computer server contained patient names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information, medical records, and in some cases, Social Security numbers.  
The data were password protected.","Databreaches.net","","2010","37.354108","-121.955236" "May 18, 2010","Capitol One","McLean","Virginia","UNKN","BSF","0","A fraud ring may have accessed customer information. The information included names, addresses, Social Security numbers, and other personal information. It is not known how the information was obtained or how many customers were affected. The information may have been accessed sometime between December of 2009 and February of 2010.","Databreaches.net","","2010","38.934278","-77.177480" "June 2, 2010","Avalon Center","Cheektowaga","New York","DISC","MED","0","Sensitive medical information was dumped outside of a DMV office. The medical information came from an eating disorder clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is unknown how the information ended up in the dumpster.","Databreaches.net","","2010","42.903392","-78.754754" "June 5, 2010","National Highway Traffic Safety Administration (NHTSA)","Washington","District Of Columbia","DISC","GOV","0","A limited search of NHTSA's public complaint database uncovered Social Security numbers, names, birth dates, addresses, VINs, and drivers' license numbers. Public access to the database of 792,000 complaint cases was temporarily ended.","Databreaches.net","","2010","38.895112","-77.036366" "June 12, 2010","Middle Township Municipal Hall","Middle Township","New Jersey","PHYS","GOV","0","Personal information from Municipal Hall was found in a public dumpster. The information was not shredded and included police reports, Social Security numbers, home addresses, telephone numbers, names, and tax records. 
The improper disposal of information continued after the first dumpster discovery.","Databreaches.net","","2010","39.056389","-74.850278" "June 29, 2010","University of Maine","Orono","Maine","HACK","EDU","4,585","Hackers compromised the personal information of 4,585 students who received services from the school's counseling center. The center provides students with support and mental health services. The information on the servers included names, Social Security numbers and clinical information on every student who sought counseling services from the center between August 8, 2002 and June 21 of this year.","Dataloss DB","","2010","44.883125","-68.671977" "March 4, 2010","Courage to Change","Houston","Texas","INSD","MED","0","The owner of the business used patient Medicaid information to fraudulently claim $968,583 from Medicaid between January of 2003 and September of 2006.","PHIPrivacy.net","","2010","29.762884","-95.383062" "February 25, 2010","Logic World Medical","Houston","Texas","INSD","MED","0","The owner and operator of Logic World Medical used the names, addresses, and account numbers of Medicaid beneficiaries to file false claims for payment of services and goods that he never provided.  Approximately $1,101,865.37 was fraudulently claimed between April of 2004 and August of 2006.","PHIPrivacy.net","","2010","29.762884","-95.383062" "February 27, 2010","California Business Bureau Inc., Medical Billing Services","Monrovia","California","INSD","MED","8,861","A former employee accessed unencrypted files between December of 2006 and March of 2008. The files contained patient Social Security numbers, names, addresses, and dates of birth.","PHIPrivacy.net","","2010","34.144262","-118.001948" "May 25, 2010","Wells Fargo","San Francisco","California","INSD","BSF","1,023","A former stock broker left the firm with the personal information of 1,023 clients. 
Names, addresses, Social Security numbers and brokerage account numbers were taken.","Databreaches.net","","2010","37.774930","-122.419416" "April 16, 2010","Higher Education Services Corp.","Albany","New York","DISC","BSF","1,433","A ""process error"" may have led to Social Security numbers and last names going through Internet servers outside of HESC's control.  Those who may have been affected received letters and free credit monitoring services.","Databreaches.net","","2010","42.652579","-73.756232" "March 5, 2010","Hancock Fabrics","Baldwyn","Mississippi","DISC","BSR","0","Employee documents were found near a dumpster behind the Huntsville, Alabama store. The documents were not shredded and contained payroll records dating back to 2005 with Social Security numbers, names, and pay rates.","Databreaches.net","","2010","34.509544","-88.635331" "June 13, 2010","Butler County Department of Job and Family Services","Middle","Ohio","PHYS","GOV","10,600","The Agency learned in 2008 that confidential records were being left in public dumpsters without being shredded.  Documents from Medicaid, Food Stamps, Ohio Works First, and child care programs included information such as Social Security number, name, address, phone number and pay stub.  The agency failed to notify those who were affected. ","Databreaches.net","","2010","39.714789","-82.596366" "March 11, 2010","First Convenience Bank ","Killeen","Texas","INSD","BSF","0","A former employee sold customer information which led to the theft of at least $53,000 from customer accounts.","Databreaches.net","","2010","31.117119","-97.727796" "February 27, 2010","GroupM","New York","New York","PORT","BSO","1,501","Eight laptops were stolen from an office. 
They most likely contained unencrypted employee information such as Social Security numbers and bank account information.","Databreaches.net","","2010","40.714269","-74.005973" "February 27, 2010","Ameripath","Palm Beach Gardens","Florida","PORT","MED","0","A laptop containing sensitive information was stolen from an employee. The data included names, Social Security numbers, and addresses for patients, employees, or both.","PHIPrivacy.net","","2010","26.823395","-80.138655" "November 7, 2009","Renal Treatment Centers Southeast, DaVita Inc.","Denver","Colorado","STAT","MED","0","Multiple desktop computers were stolen from a facility in Dallas.  The computers contained the names, addresses, Social Security numbers, insurance numbers, and other personal information of patients.","PHIPrivacy.net","","2009","39.739154","-104.984703" "July 13, 2009","LexisNexis","Dayton","Ohio","UNKN","BSO","13,329","LexisNexis has warned more than 13,000 consumers that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists. The accused would provide names, addresses and account numbers as part of a fake check-cashing operation. 
But he's also accused of using computer databases to get information on potential extortion or assault targets as well as individuals suspected by the Enterprise members of being involved with law enforcement.","Dataloss DB","","2009","39.758948","-84.191607" "December 18, 2009","Dickinson School of Law","Carlisle","Pennsylvania","HACK","EDU","261","A computer in the Dickinson School of Law that contained 261 Social Security numbers from an archived class list was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network.","Dataloss DB","","2009","40.201477","-77.188870" "December 15, 2009","Detroit's Health Department","Detroit","Michigan","PORT","GOV","5,000","Police are investigating two incidents in which patients' medical records -- including social security numbers -- were stolen from the city's health department. The first theft occurred in late October when a flash drive was stolen from a health department employee's car. It contained files with birth certificate information for babies born in 2008 and the first half of 2009 whose parents reside in the 48202 and 48205 zip codes. Also a part of the files were information on the mothers' names and health conditions, the fathers' names, addresses, Medicaid numbers and social security numbers. The second incident happened over the Thanksgiving break when five computers were stolen from the immunization program at the department's Herman Kiefer Health Complex. One of the computers contained Medicare and Medicaid seasonal flu billing information for 2008. ","Dataloss DB","","2009","42.331427","-83.045754" "December 4, 2009","Eastern Illinois University","","","HACK","EDU","9,000","A computer was compromised by a virus. That caused the University’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server. The incident was discovered during a routine security check. 
The investigation later determined the breach extended to two other computers with personal data from student files or applications.","","","2009","37.090240","-95.712891" "May 26, 2010","Inovis","Alpharetta","Georgia","PORT","BSO","0","On May 4th a laptop containing employee information was stolen from an employee of GXS who was helping with their merger. A letter notified an unknown number of Inovis employees that their addresses, Social Security numbers, names and salary information were on the laptop.","Databreaches.net","","2010","34.075376","-84.294090" "June 21, 2010","TeleTech, Sony Electronics","Englewood","Colorado","UNKN","BSR","0","Customers who placed orders through Sony Style Telesales Department between May 23rd and June 3rd 2010 may have had their credit card information illegitimately copied and sent to parties outside of the TeleTech network. TeleTech is a third party service provider of Sony.","Databreaches.net","","2010","39.647765","-104.987760" "June 29, 2010","Merrimack Mortgage","Greer","South Carolina","PHYS","BSF","0","Personal documents from Merrimack Mortgage were found in an unsecured public dumpster. The documents were not shredded and contained Social Security numbers, credit scores, bank information, and other personal information.","Databreaches.net","","2010","34.938728","-82.227057" "June 28, 2010","Children's Hospital of Orange County","Orange","California","PHYS","MED","0","The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion.","PHIPrivacy.net","","2010","33.787794","-117.853112" "June 28, 2010","Eastern Connecticut Health Network Pension Plan","Manchester","Connecticut","PHYS","BSF","3,178","Mercer, the firm's consulting group, provided a subcontractor with a file containing Pension Plan participant addresses and Social Security numbers. 
The Social Security numbers were exposed on the mailing label.","PHIPrivacy.net","","2010","41.775932","-72.521475" "June 29, 2010","Brooklyn Tech High School","Brooklyn","New York","HACK","EDU","2,416","Hackers accessed PSAT information from the school and posted the names, home addresses, citizenship status, and Social Security numbers of students. The information was discovered on the school's website.","Databreaches.net","","2010","40.650000","-73.950000" "June 20, 2010","Mercy Willard Hospital","Willard","Ohio","INSD","MED","0","A former employee kept patient photographs, videos, memos, schedules, and forms. Some of the documents included patient Social Security numbers and other personal information. The employee is also being accused of voyeurism and possession of child pornography; though this is unrelated to these findings.","PHIPrivacy.net","","2010","41.053111","-82.726291" "June 18, 2010","Ebony Medical Equipment and Supplies, Inc.","Tyler","Texas","INSD","MED","0","The owner used patient medical information to fraudulently obtain over $70,000 from Medicare and Medicaid.  The owner is also charged with buying patient information.","PHIPrivacy.net","","2010","32.351260","-95.301062" "June 8, 2010","Tri-City Medical Center","Oceanside","California","INSD","MED","0","Employees shared patient information on Facebook. Differing reports leave it unclear if these employees were nurses, and whether or not they were fired.","PHIPrivacy.net","","2010","33.195870","-117.379483" "August 21, 2009","Battleground Urgent Care/Prompt Med","Greensboro","North Carolina","PHYS","MED","623","Medical files were found in a dumpster. It seems a third party moving company was hired to transfer the boxes from one warehouse to another. It is unknown at this time how the files ended up in the dumpster. The information in the files contained Social Security numbers, driver's license copies, medical histories, and employers. 
UPDATE (5/24/10): Prompt Med agreed to pay a $50,000 fine to the state of North Carolina.","Dataloss DB","","2009","36.072635","-79.791975" "July 2, 2010","AMR Corporation","Fort Worth","Texas","STAT","BSO","79,000","Retirees, current, and former employees who participated in AMR's pension plan may have had their names, Social Security numbers, addresses, dates of birth, and other personal information stolen by the theft of a hard drive containing microfilm files. Employees and beneficiaries of employees who were enrolled between 1960 and 1995 are at risk.","Databreaches.net","","2010","32.725409","-97.320850" "July 4, 2010","AMR Corporation","Fort Worth ","Texas","PORT","BSO","79,000","American Airlines parent company said Friday the personal information of about 79,000 retirees, former and current employees has been compromised after a hard drive was stolen from its Fort Worth headquarters. No customer data was affected. The data was held by the company's pension department.  The drive contained images of microfilm files, which included names, addresses, dates of birth, Social Security numbers and a ""limited amount"" of bank account information. Some health insurance information may have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information. The data spans a period from 1960 to 1995. AMR also believes some of the employee files also contained information on beneficiaries, dependents and other employees from 1960 to 1995. 
","Dataloss DB","","2010","32.725409","-97.320850" "July 4, 2010","Beautiful Brands International","West Lafayette","Indiana","HACK","BSR","0","Computer hackers have infiltrated the credit card processing system.","Dataloss DB","","2010","40.425869","-86.908066" "July 6, 2010","University of Florida","Gainesville","Florida","PHYS","EDU","2,047","Social Security numbers or Medicaid identification numbers were shared with a telephone survey company and included on address labels sent out to request research participation.  The letters were sent through the U.S. Postal Service on May 24th and the issue was discovered on June 6th.  ","PHIPrivacy.net","","2010","29.651634","-82.324826" "June 2, 2010","Rainbow Hospice and Palliative Care","Park Ridge","Illinois","PORT","MED","0","According to their website: ""On April 12, 2010, one of our laptop computers, which contained personal information, was stolen during a patient visit.  The laptop had security measures in place, but there is a very small chance that protected information such as name, address, date of birth, Social Security number, insurance information, medications, treatment, and diagnoses may have been inappropriately accessed."" ","Dataloss DB","","2010","42.011141","-87.840619" "July 8, 2010","Waukesha County","Big Bend","Wisconsin","PORT","GOV","0","A laptop was stolen from a payroll services provider of the county. It is unknown what types of Big Bend employee payroll information were contained on the laptop.","Dataloss DB","","2010","42.881403","-88.206757" "July 10, 2010","Ohio Department of Developmental Disabilities ","Columbus","Ohio","DISC","MED","200","Within a two week period personal information of 200 people using the Department's services was accidentally posted online. 
The Social Security numbers, names, addresses, medical records, and treatment information were only available for viewing through the state computer network.","PHIPrivacy.net","","2010","39.961176","-82.998794" "November 23, 2009","Hancock Fabrics","Baldwyn","Mississippi","HACK","BSR","140","Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that are tied to transactions conducted with the Hancock Fabrics retail chain. The Hancock Fabrics store in Napa was the ""common thread"" among the numerous people who reported credit and debit card fraud. The store had recently replaced its point-of-sale machines. At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts. ","Dataloss DB","","2009","34.509544","-88.635331" "April 9, 2010","Mad Capper Saloon & Eatery","Stillwater","Minnesota","HACK","BSR","200","Police have received about 80 complaints of victims whose credit cards have been compromised. The police have connected the scam to cards used at the Mad Capper Saloon & Eatery. The owner of the Mad Capper Saloon & Eatery has been cooperating with police; he is frustrated that somehow his 30-year-old business is linked to identity theft. The restaurant's owner has taken steps to make sure his customers are protected. ""We've looked into our credit card processing. We've looked into our software program -- our routers in the building, We've scanned everything -- combed it with a fine tooth comb and we can't find anything off of it, so it's frustrating."" UPDATE (4/10/10): The number of people affected is now nearing 200.","Dataloss DB","","2010","45.056500","-92.822175" "June 11, 2010","Payless Shoe Store","Bellmore","New York","INSD","BSR","11","An employee used a skimming device to obtain customer credit card information. 
He made fraudulent purchases totaling nearly $11,000 and was charged with grand larceny, possession of a forged device, and identity theft.","Databreaches.net","","2010","40.668713","-73.527071" "May 19, 2009","CompuCredit","Atlanta","Georgia","DISC","BSF","120","A computer processing error created a single image file of 120 account statements for the month of April. Statement files are delivered to the cardholder through the website in Adobe PDF format. Because of a load error, the system failed to detect page breaks between the account statements, thus resulting in the system believing that all of the pages belonged to a single statement. As a result, the PDF image file contained 119 statements in addition to the cardholder's statement. (Note: Monthly account statements do not include customers' Social Security numbers or PINs.)","Dataloss DB","","2009","33.748995","-84.387982" "June 18, 2010","St. Francis Federal Credit Union","Tulsa","Oklahoma","PORT","BSF","8,400","Saint Francis Federal Credit Union has notified 8,400 customers that a backup tape containing customer information was lost.  SFFCU believes the tape was accidentally destroyed and that no member information has been misused as a result of the loss.","Databreaches.net","","2010","36.153982","-95.992775" "May 15, 2010","Mellow Mushroom","Warner Robins","Georgia","HACK","BSR","2,000","Customers of the Mellow Mushroom eatery had their credit and debit card information hacked sometime around March 11th. Customers of other merchants have been affected, but a hack of Mellow Mushroom's processor is believed to be the source.","Databreaches.net","","2010","32.608720","-83.638027" "May 28, 2010","Interior National Business Center","Denver","Colorado","PORT","GOV","7,500","A disc containing employee information was lost or stolen.  
The Interior Department reported that it was encrypted and password-protected personally identifiable federal employee information.","Databreaches.net","","2010","39.739154","-104.984703" "June 5, 2010","Marco's Restaurant","Indianapolis","Indiana","HACK","BSR","500","The encrypted Internet connection of a restaurant was breached by hackers outside of the organization. Customer credit and debit card information was lost and fraudulently used.","Databreaches.net","","2010","39.768377","-86.158042" "May 25, 2010","Lincoln Financial Group","Radnor","Pennsylvania","DISC","BSF","1,286","In 2002, 2008, and 2010 records of correspondence between agents and clients were misplaced. Technical errors caused the names, addresses, policies or contract numbers, account values, trade and transaction activities, and dates of birth of the clients to be accessible.","Databreaches.net","","2010","40.046221","-75.359911" "March 13, 2010","Beer and Wine Hobby","Woburn","Massachusetts","HACK","BSR","35,000","Personal information may have been accessed during a breach of Beer and Wine Hobby's computer system. The personal information included partial credit card numbers.","Databreaches.net","","2010","42.479262","-71.152277" "April 30, 2010","North Country Health Services","Bemidji","Minnesota","HACK","MED","349","The online bill payment website was hacked. The credit card and debit card account information of customers who paid online was exposed.","PHIPrivacy.net","","2010","47.473611","-94.880278" "January 14, 2010","Perinton Square Post Office","Perinton","New York","PHYS","GOV","20","A group of thieves was able to obtain letters from an outdoor mailbox. 
They used the information to forge around $75,000 worth of checks and affected 20 victims.","Databreaches.net","","2010","43.079663","-77.447250" "May 28, 2010","Cincinnati Children's Hospital Medical Center","Cincinnati","Ohio","PORT","MED","61,000","A laptop containing the names, medical record numbers, and medical services provided of patients was stolen from an employee's car while it was parked at his or her home. As a precaution, no additional laptops will be allowed outside the hospital unless they are encrypted.","Databreaches.net","","2010","39.136111","-84.503056" "March 3, 2010","Small Dog Electronics","Waitsfield","Vermont","HACK","BSR","3,000","After Small Dog began collecting and matching customer donations for Haiti relief efforts, a hacker breached the website and began stealing customer credit card information. The breach lasted from December of 2009 to January of 2010.","Databreaches.net","","2010","44.188889","-72.812500" "March 25, 2010","New York State DMV","","New York","INSD","GOV","200","Seven people, including two former New York State DMV employees from New York City, were indicted in a theft ring. The identity fraud ring involved New York State driver's licenses, learner's permits, and identification cards. The information was then sold to felons.  Fifteen other people were charged with buying the stolen information.","Databreaches.net","","2010","40.714269","-74.005973" "February 11, 2010","Lawrence Welk Resort","Escondido","California","HACK","BSR","1,427","After its security system was disabled, customer credit and debit card information was exposed. The exposure of the information led to some unauthorized transactions.","Databreaches.net","","2010","33.119207","-117.086421" "February 12, 2010","Galeton, Gloves Inc. ","Mansfield","Massachusetts","HACK","BSR","89","The Gloves Inc. website for Galeton was hacked. 
Customer names, addresses, credit card numbers and expiration dates were exposed.","Databreaches.net","","2010","42.033333","-71.219444" "April 16, 2009","Fox Entertainment Group","Los Angeles","California","INSD","BSO","0","An employee was caught accessing the Social Security numbers, names, compensation information and other personal information of employees.  The former employee misused the information within the organization; but it is not known if they gave it to outside parties.","Dataloss DB","","2009","34.052234","-118.243685" "April 14, 2010","Bay Pines VA Medical Center","Bay Pines","Florida","PHYS","GOV","800","Up to 800 police files were left in an area where the general public could easily access them.  Some of the files contained Social Security numbers, patient addresses, and treatment information. ","Databreaches.net","","2010","27.809223","-82.775162" "July 14, 2010","SunBridge Healthcare","Albuquerque","New Mexico","PORT","MED","3,830","A laptop containing Social Security numbers, medical record numbers, dates of service, health insurance numbers and names was stolen in May. The laptop was password-protected.","PHIPrivacy.net","","2010","35.084491","-106.651137" "July 6, 2010","DentaQuest","Chicago","Illinois","DISC","MED","76,000","In a statement datelined out of Nashville, DentaQuest reported the laptop theft occurred March 20 in Chicago and was informed of the incident April. DentaQuest reported the laptop contained a database which held the personal information of approximately 76,000 clients. The contractor advised most of the data is not considered sensitive, but the device did contain the first names, last names and Social Security Numbers of about 21,000 individuals. 
Some 10,500 are Tennessee residents.","Dataloss DB","","2010","41.850033","-87.650052" "July 10, 2010","Village of Big Bend","Big Bend","Wisconsin","PORT","BSO","0","A laptop containing payroll information for the village's employees was stolen from the car of the village's payroll provider in Milwaukee. Police have not recovered the laptop. The provider reported the theft and sent letters to employees to inform them their personal information was not secure. The provider recommended that employees contact a credit bureau that would place a 90-day alert on their information to prevent identity theft. ","Dataloss DB","","2010","42.881403","-88.206757" "July 10, 2010","Cisco Live 2010 ","Las Vegas","Nevada","HACK","BSO","0","Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group who have dealings with the company. A vendor told Cisco that someone had made ""an unexpected attempt to access attendee information through ciscolive2010.com,"" the event Web site. That led to the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco, details about less than 20% of those on the list were compromised. The breach was closed quickly, ""but not before some conference listings were accessed."" The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. ""No other information was available or accessed,"" according to the warning Cisco Live's event team sent via e-mail.","Dataloss DB","","2010","36.114646","-115.172816" "July 7, 2010","Massachusetts Secretary of State, Securities Division","Boston","Massachusetts","PORT","GOV","139,000","The Massachusetts Secretary of State's office accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state. 
The data, including the advisers' Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division. Secretary of State IA Week had asked for a list of registered investment companies. The Securities Division responded by sending a list of individual investment professionals. In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color, and eye color.","Dataloss DB","","2010","42.358431","-71.059773" "September 17, 2009","Akron Children's Hospital","Akron","Ohio","HACK","MED","0","A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than 1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states.","Dataloss DB","","2009","41.081445","-81.519005" "July 15, 2010","Prince William County Intellectual Disabilities Case Management","Woodbridge","Virginia","PORT","GOV","669","On June 18th or 19th, a government-issued Blackberry was stolen from an employee's car. The Blackberry had personal information on patients enrolled in the program. 
The County notified residents that their Social Security numbers, names, addresses, dates of birth, phone numbers, and Medicaid numbers may have been accessed.","PHIPrivacy.net","","2010","38.658172","-77.249705" "July 15, 2010","NBTY","Bohemia","New York","DISC","BSR","0","An email containing current and former employees' and plan participants' personal information was sent to the wrong recipient on June 15th. The information in the email included names, dates of birth, and Social Security numbers.","Databreaches.net","","2010","40.769265","-73.115112" "July 15, 2010","Alcoa Global Mobility Group","New York","New York","DISC","BSO","0","An electronic folder containing personal information on current and former expatriates and others who received assistance from Alcoa's Global Mobility Group was shared as a public folder within its network.  The personal information included names, dates of birth, family members' names and dates of birth, salary compensation, Social Security numbers, and some people's medical information.","Databreaches.net","","2010","40.714353","-74.005973" "July 14, 2010","Blue Island Radiology","Blue Island","Illinois","PORT","MED","2,000","A backup data tape and compact disc containing protected health information were never received. Individuals demographic, financial and clinical information were on the CD.","PHIPrivacy.net","","2010","41.657256","-87.680049" "July 14, 2010","University of Pittsburgh Student Health Services","Pittsburgh","Pennsylvania","INSD","EDU","8,000","An employee dishonestly took documents containing names and financial information. The employee was fired.","PHIPrivacy.net","","2010","40.440625","-79.995886" "July 14, 2010","Tomah Memorial Hospital","Tomah","Wisconsin","INSD","MED","600","A nurse used patient names and account numbers to illegally obtain narcotics. 
The nurse was fired.","PHIPrivacy.net","","2010","43.978576","-90.504021" "June 29, 2010","Ridgefield High School","Ridgefield","Connecticut","HACK","EDU","0","Two students were arrested for hacking into their school's computer system. Their goal appears to be changing their own grades; but they had access to the grades and personal information of other students.","Databreaches.net","","2010","41.281484","-73.498179" "July 16, 2010","Buena Vista University","Storm Lake","Iowa","HACK","EDU","93,000","Someone gained unauthorized access to a BVU database. The database contained records of names, Social Security numbers, and driver's license numbers of BVU applicants, current and former students, parents, current and former faculty and staff, alumni and donors. These records go back as far as 1987.","Databreaches.net","","2010","42.645021","-95.199855" "July 1, 2010","NYU Langone Medical Center Hospital for Joint Diseases","New York","New York","PORT","MED","2,563","An unencrypted portable USB was lost or stolen sometime around May 12th. It contained patient names, medical record numbers, sex, age, procedure, attending physician, time of arrival in recovery room and time of discharge from recovery room.","PHIPrivacy.net","","2010","40.714353","-74.005973" "July 20, 2010","Long Island Consultation Center (LICC)","Rego Park","New York","PORT","MED","800","A computer device containing doctor reports was reported missing from a secured area at LICC on May 24th. Names, dates of birth, diagnostic information and treatment information of some patients may have been included on the device. ","PHIPrivacy.net","","2010","40.725572","-73.862489" "November 25, 2009","Aurora St. Luke's Medical Center","Milwaukee","Wisconsin","PORT","MED","6,400","6,400 people who were in-patients at St. Luke's are being warned that their name, Social Security number and other information may have landed in the hands of thieves, due to a stolen laptop computer. 
All of the at-risk individuals were cared for there at some point by a hospitalist, a physician other than the patient's primary care doctor, who works for an independent physician group called Cogent Healthcare. The computer was stolen from a locked office in a secure physician office building that is located adjacent to the hospital; the computer belonged to an employee of Cogent Healthcare of Wisconsin.","Dataloss DB","","2009","43.038903","-87.906474" "July 19, 2010","LV Financial Services","Orlando","Florida","PHYS","BSF","0","Dozens of boxes of files from medical offices that hired LV to collect unpaid bills were found in an Orlando public dumpster. The files contained names, addresses, Social Security numbers, driver's license copies and credit reports. The collection agency went out of business in 2005 and the location of the files prior to this incident is unknown.","Dataloss DB","","2010","28.538336","-81.379237" "July 22, 2010","Iowa Department of Agriculture and Land Stewardship","Des Moines","Iowa","PORT","GOV","3,404","A laptop containing personal information from Iowa residents was stolen from a locked state vehicle. The computer was encryption protected and contained names, addresses, phone numbers and Social Security numbers. Iowa residents who participate in the Iowa Horse and Dog Breeding Program were notified.","Databreaches.net","","2010","41.600545","-93.609106" "July 22, 2010","Colorado Department of Health Care Policy and Financing","Denver","Colorado","PORT","GOV","105,470","A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the Colorado Office of Information Technology. The information included names, state ID number and the name of the client's program. 
The Agency is certain that contact information, financial information and Social Security numbers were not involved.","Databreaches.net","","2010","39.739154","-104.984703" "July 24, 2010","University of Texas Arlington","Arlington","Texas","HACK","EDU","27,000","Student records dating from 2000 to June 21, 2010 were compromised on a University file server on four separate occasions within the last two years.  The server contained student health center prescription records.","Databreaches.net","","2010","32.735687","-97.108066" "July 26, 2010","Natchez Police Department","Natchez","Mississippi","INSD","GOV","0","A police officer with the Natchez department fraudulently used and encouraged others to use stolen credit and debit cards.","Databreaches.net","","2010","31.560444","-91.403171" "July 15, 2010","Utah Department of Workforce Services","Salt Lake City","Utah","INSD","GOV","1,300","A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of Workforce Services. A large number of employees had access to this information.","Databreaches.net","","2010","40.760779","-111.891047" "July 16, 2010","Connecticut Department of Labor","Bridgeport","Connecticut","PORT","GOV","5,000","A highly encrypted laptop was stolen from the office of the Connecticut Department of Labor. The laptop contained confidential information about unemployment insurance claims, wage discrepancy complaints and some Bridgeport area employers.","Databreaches.net","","2010","41.167041","-73.204835" "July 27, 2010","Rite Aid Corporation","Camp Hill","Pennsylvania","PHYS","BSR","0","Rite Aid paid one million dollars to settle HIPAA privacy violations. 
Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed of, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly.","PHIPrivacy.net","","2010","40.239812","-76.919974" "July 28, 2010","Time Warner Cable","New York","New York","INSD","BSR","0","A former employee was convicted of installing spyware on three company computers. The employee intended to capture the passwords of users who had access to a customer database and a billing system.","Databreaches.net","","2010","40.714353","-74.005973" "July 29, 2010","University of Virginia","Charlottesville","Virginia","PORT","EDU","0","A transient was ordered to spend time in a men's diversion program after pleading guilty to stealing credit cards and electronics. One of the laptops he stole was a University-owned laptop. The man served 12 months in jail before being sentenced and slept in his car and in the University library during the time of the thefts.","Databreaches.net","","2010","38.029306","-78.476678" "July 30, 2010","First Advantage Tax Consulting Services (TCS)","Indianapolis","Indiana","PORT","BSF","32,842","A laptop that contained personal information was lost or stolen during an airport layover.  The Social Security numbers of people who were employed by companies that used TCS for tax help were on the laptop. The laptop did have a password and after it was lost its access to TCS's network was blocked.","Databreaches.net","","2010","39.768377","-86.158042" "July 31, 2010","The Center for Neurosciences","Tucson","Arizona","PORT","MED","1,101","A visitor stole a laptop from an electromyogram and nerve conduction studies exam room on December 15, 2009.  
The computer contained names, dates of birth, referring physicians and reasons for neurophysiological tests.","PHIPrivacy.net","","2010","32.221743","-110.926479" "March 23, 2010","Montefiore Medical Center","Bronx","New York","PORT","MED","625","A laptop containing private health information was stolen on February 20th.","PHIPrivacy.net","","2010","40.850100","-73.866246" "August 1, 2010","Guttenberg Housing Authority","Guttenberg","New Jersey","HACK","GOV","0","An unauthorized individual may have accessed sensitive information on housing applicants and residents in late December 2009. The information may have included Social Security numbers, names and other personal identifying information.","Databreaches.net","","2010","40.792045","-74.003751" "July 31, 2010","Montefiore Medical Center","Bronx","New York","STAT","MED","39,000","Two computers were stolen during the weekend of May 22nd. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates for an unknown number of patients were on the computers. UPDATE (8/3/10): One computer was from the Finance Department and had the information of 16,000 patients; the second computer theft affected the records of 23,000 students from the School Health Program and their families.","PHIPrivacy.net","","2010","40.850100","-73.866246" "January 27, 2010","Department of Commerce","Washington","District Of Columbia","DISC","GOV","0","A Department of Commerce employee inadvertently transmitted over the Internet a file containing the Personally Identifiable Information (PII) of Commerce employees to other Department employees. 
Although the Department employees were authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have compromised their name and Social Security numbers.","Dataloss DB","","2010","38.895112","-77.036366" "August 4, 2010","Rockland town government","Rockland","Massachusetts","PHYS","GOV","200","On July 23, canceled payroll checks with Social Security numbers and bank account numbers were lost when wind knocked them off of a recycling truck. Current and former employees of Rockland's government between 1992 and 2002 were affected.","Databreaches.net","","2010","42.130556","-70.916667" "August 3, 2010","Metro Assessor of Property","Nashville","Tennessee","DISC","GOV","68","Flood victims who were applying for property tax cuts had their personal information exposed online. The online application involved uploading canceled checks; these checks, tax returns, and other sensitive information were all available online because the system's password requirements had been removed. According to the Organization: ""The staff were trying to make it easier for people to enter information online.""","Databreaches.net","","2010","36.165890","-86.784443" "July 12, 2010","Connecticut Department of Education, State Teachers' Retirement Board","Hartford","Connecticut","PORT","GOV","58,000","An encrypted flash drive containing 2007-2008 Connecticut Teachers' Retirement Board member annual statement data has been lost or stolen. It is unlikely that outside parties could read the pension and employment credit. UPDATE (8/5/10): The total number of retirees exposed to ID theft is reported as 58,000.","Databreaches.net","","2010","41.763711","-72.685093" "August 10, 2010","College Center for Library Automation (CCLA)","Tallahassee","Florida","DISC","GOV","126,000","Personal data from students, faculty and staff from six colleges was accessible through an Internet search for five days. 
The information may have included full names, Social Security numbers, driver's license numbers, and Florida identification card numbers. The institutions were Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.","Databreaches.net","","2010","30.438256","-84.280733" "August 9, 2010","University of North Carolina at Greensboro","Greensboro","North Carolina","HACK","EDU","2,300","In June, it was discovered that a University computer from the Speech and Hearing Center was infected with malware.  Around 2,300 people who received services as far back as 1997 may have had their Social Security numbers, addresses, dates of birth, telephone numbers, insurance companies, and insurance ID numbers exposed. Another computer from the Psychology Clinic was discovered to have a similar problem.  Around 240 people were affected; though no Social Security numbers or financial accounts were involved.","Dataloss DB","","2010","36.072635","-79.791975" "August 12, 2010","Tino's Greek Cafe","Austin","Texas","CARD","BSR","0","Thieves collected debit and credit card information from customers of Tino's.","Databreaches.net","","2010","30.267153","-97.743061" "August 9, 2010","Cathedral Square Corporation","South Burlington","Vermont","HACK","NGO","0","Residents of CSC may have had their names, bank account numbers and routing numbers exposed if they paid their rent electronically. Staff Health Savings Account information may have also been accessed.","Databreaches.net","","2010","44.466994","-73.170960" "August 9, 2010","Ameritas Investment Corp.","Madison","Wisconsin","PORT","BSF","0","On January 27, a backup tape was stolen when the office was burglarized. 
The backup tape contained names, addresses, Social Security numbers, dates of birth and policy numbers of clients.","Databreaches.net","","2010","43.073052","-89.401230" "August 9, 2010","Paraco Gas","Rye Brook","New York","STAT","BSR","0","On March 16, a computer containing personal information was stolen.  The information included names, Social Security numbers, addresses, dates of birth and bank account numbers.","Databreaches.net","","2010","41.019264","-73.683462" "August 12, 2010","Loma Linda University School of Dentistry","Loma Linda","California","STAT","EDU","10,100","On the weekend of June 12, thieves stole three desktop computers with password protection. The computers did not contain patient treatment records, but did have Social Security numbers, dates of birth and other health information.","PHIPrivacy.net","","2010","34.048347","-117.261153" "August 13, 2010","Doherty Hotel and Convention Center","Clare","Michigan","HACK","BSR","150","Over 150 credit cards used at the Hotel's restaurant were later fraudulently charged. It is believed that the Hotel's database was illegally accessed.","Dataloss DB","","2010","43.819470","-84.768628" "August 13, 2010","Montana Mikes","Clinton","Oklahoma","HACK","BSR","0","Software that gathers credit card information was remotely installed on the Restaurant's computer system. The problem was fixed.","Databreaches.net","","2010","35.515606","-98.967307" "August 13, 2010","Metro Nashville","Nashville","Tennessee","PORT","GOV","500","In February of 2009, an auditor lost a USB device. 
The bank account information of victims of juvenile crime was on the unencrypted device.","Media","","2010","36.165890","-86.784443" "August 13, 2010","Nashville Career Advancement Center","Nashville","Tennessee","DISC","GOV","160","Outdated software is believed to have caused the Social Security numbers of clients of the Center to be exposed online.","Media","","2010","36.165890","-86.784443" "August 16, 2010","Aultman Health Foundation","Canton","Ohio","PORT","MED","13,800","On June 7, a laptop was stolen. Patient information from the Aultman Healthcare in Your Home program may have been exposed. This information included names, insurance identification numbers, health information, telephone numbers, addresses, dates of birth and Social Security numbers.","Databreaches.net","","2010","40.798947","-81.378447" "August 10, 2010","Baltimore Chesapeake Bay Outward Bound Center","Baltimore","Maryland","STAT","NGO","0","After the theft of two office computers it was discovered that a file cabinet with employment documents was unlocked. The documents included names, Social Security numbers, addresses and bank account numbers. The robbery occurred sometime around February 1.","Databreaches.net","","2010","39.290385","-76.612189" "August 10, 2010","Select Portfolio Servicing (SPS)","Salt Lake City","Utah","DISC","BSF","0","Unencrypted SPS client data was sent to a server. Files of client 1099A and 1099C forms were exposed from January to February.","Databreaches.net","","2010","40.760779","-111.891047" "August 17, 2010","Spring Mill Partners","Conshohocken","Pennsylvania","PORT","BSF","0","Laptops with client information were stolen during a February office burglary.","Databreaches.net","","2010","40.079277","-75.301571" "March 13, 2010","Beecher Carlson","Boston","Massachusetts","PORT","BSO","5,432","Two laptops were stolen from employees attending an off-site company meeting in January. 
The laptops contained names and Social Security numbers for employees of Beecher Carlson’s clients, including 1,012 people who live in Massachusetts. UPDATE (8/17/10): The number is closer to 5,432 with an additional 2,824 living in New York, 66 living in Maine and 1,530 living in Maryland.","Databreaches.net","","2010","42.358431","-71.059773" "February 11, 2010","Equifax","Atlanta","Georgia","DISC","BSF","35","An unknown number of current and former employees of credit reporting firm Equifax received W-2 forms in the mail with their Social Security numbers visible through a window on the envelope. Some of the tax forms mailed by Equifax's payroll vendor through the U.S. Postal Service had the Social Security number in a Control Number field, which was partially or fully viewable through the return address window.  ","Dataloss DB","","2010","33.748995","-84.387982" "August 11, 2010","NBC Universal","New York","New York","PORT","BSO","0","A laptop containing names, Social Security numbers and other personal information of current and former employees was stolen on February 4, and recovered on February 24.","Databreaches.net","","2010","40.714353","-74.005973" "April 16, 2010","General Motors","Detroit","Michigan","DISC","BSR","0","An electronic file containing Social Security numbers, names and email addresses was accidentally sent.","Databreaches.net","","2010","42.331427","-83.045754" "April 16, 2010","American Sales Company, Ahold USA","Buffalo","New York","PORT","BSR","0","A service provider lost an unencrypted DVD with employee names and Social Security numbers.","Databreaches.net","","2010","42.886447","-78.878369" "July 30, 2010","New York Urology Associates","Cheektowaga","New York","PHYS","MED","0","Someone reported that medical papers were blowing around a parking lot. 
The documents had Social Security numbers, addresses, and names.","NAID","","2010","42.902614","-78.744572" "August 5, 2010","Ross","Houston","Texas","PHYS","BSR","200","Someone reported a public dumpster full of Ross applications and resumes.  Employees from Ross were then sent to recover the applications.  The applications dated back to 2002 and contained Social Security numbers and contact information.","NAID","","2010","29.762884","-95.383062" "August 16, 2010","Centric Software","Campbell","California","PORT","BSR","0","A laptop theft resulted in the exposure of employee names, Social Security numbers and possibly contact information and dates of birth.  The laptop was stolen from an employee's car on July 23.","Databreaches.net","","2010","37.287165","-121.949957" "December 31, 2009","Time Inc., Harvard Business Review","New York","New York","INSD","MED","0","A customer service center employee may have misused customer credit card information. UPDATE (8/09/10): Harvard Business Review customers were affected as well.","Databreaches.net","","2009","40.714269","-74.005973" "February 17, 2010","T.G.I. Friday's (TGIF)","Coon Rapids","Minnesota","CARD","BSR","0","A former employee used a skimming device to gain credit card information from customers of the Coon Rapids T.G.I. Friday's. The dishonest employee was involved with a partner who used skimming devices in a variety of locations throughout Minnesota.","Databreaches.net","","2010","45.119965","-93.287728" "March 10, 2010","Thrivent Financial for Lutherans","Mechanicsburg","Pennsylvania","PORT","BSF","9,386","Thrivent Financial for Lutherans, Minneapolis, experienced a break-in at one of its offices in Pennsylvania. A laptop computer was among the items stolen. The laptop had safeguards to protect sensitive information, including strong password protection and encryption. But Thrivent Financial says the information stored on the laptop may be at risk. 
The information on the laptop was personal information, including names, addresses, Social Security numbers and health information.","Dataloss DB","","2010","40.214257","-77.008588" "May 22, 2010","Staff Jennings Boats","Portland","Oregon","DISC","BSR","0","Sales documents dating back 20 years were found in a dumpster. The personal financial information of customers included Social Security numbers and information on purchases. Staff Jennings went out of business in April of 2010.","Databreaches.net","","2010","45.523452","-122.676207" "June 17, 2010","Quantum Corporation","Bellevue","Washington","PORT","BSR","0","Laptops were stolen on June 13th. One of the laptops was password protected and contained sensitive employee information such as Social Security numbers, addresses, and names.","Databreaches.net","","2010","47.610377","-122.200679" "April 9, 2010","Woodbury Financial Services","Woodbury","Minnesota","PORT","BSF","0","A USB containing client names, Social Security numbers, addresses, and dates of birth went missing. The data was unencrypted.  Woodbury is a broker with The Hartford.","Databreaches.net","","2010","44.923855","-92.959380" "June 3, 2010","Penn State","University Park","Pennsylvania","DISC","EDU","40,806","The Pennsylvania State University sent data breach notification letters to 15,806 individuals who at one time had their personal information, including Social Security numbers, stored in a university database. Penn State issued a press release statement on Wednesday informing the university community that a computer in its Outreach Market Research and Data office was found to be actively communicating with a botnet CNC. According to the statement, the database used by the office had previously contained Social Security numbers on individuals. 
The university, which discontinued use of SSNs for identification purposes in 2005, nevertheless found that an archived copy of the information went undetected in the computer’s cache. UPDATE (6/8/10): An additional 25,000 individuals may have been affected.","Dataloss DB","","2010","40.801944","-77.856389" "August 24, 2010","Mahaska County Hospital","Oskaloosa","Iowa","INSD","MED","0","Two patient-orders coordinators were fired for separate incidents of snooping. One inappropriately accessed at least two patients' data. The other employee inappropriately accessed the data of multiple family members.","PHIPrivacy.net","","2010","41.293889","-92.644444" "August 24, 2010","Riverview Gardens School District","St. Louis","Missouri","PHYS","EDU","0","Hundreds of documents with student Social Security numbers, pictures, phone numbers and ages were left near a dumpster.","Databreaches.net","","2010","38.646991","-90.224967" "August 23, 2010","Wachovia Bank","Atlanta","Georgia","INSD","BSF","0","A former employee was sentenced to prison after being convicted of identity theft and bank fraud. While working at Wachovia's bank fraud detection department in 2007, the employee sold credit card and bank account numbers to an outside accomplice. The former employee was ordered to pay $91,104 in restitution and serve a four-and-a-half-year federal prison sentence.","Databreaches.net","","2010","33.748995","-84.387982" "August 24, 2010","Oak Ridge National Laboratory","Columbus","Ohio","STAT","GOV","0","About 1,500 unused hard drives were mismanaged, abandoned, and unsecured in the offices. The hard drives had sensitive information such as names, medical information, dates of birth and salary information. Auditors found hard drives in hallways, unused offices and docks. 
Only 55 unused hard drives were being stored properly; computer security officers destroyed the others.","Databreaches.net","","2010","39.961176","-82.998794" "July 12, 2010","Marsh and Mercer","Washington","District Of Columbia","PORT","BSF","378,000","The insurance broker and benefits consulting firm reported the loss of a backup tape during transport.  The tape contained employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social Security numbers, dates of birth, account information and driver's license numbers were on the tape. UPDATE (8/9/10): Three hundred current and former Boise, Idaho city employees were also affected. UPDATE (8/26/10): The Idaho Power website revealed that around 5,000 employees were affected, and a total of 375,000 individuals from other organizations were affected.","Databreaches.net","","2010","38.895112","-77.036366" "August 9, 2010","Jones Lang LaSalle","Chicago","Illinois","PORT","BSF","20","Some employee information was on a stolen laptop.  The laptop was stolen from an employee's car on December 17 of 2009 and contained bank account information, names, and addresses.  ","Databreaches.net","","2010","41.850033","-87.650052" "August 10, 2010","Nationwide Bank","Columbus","Ohio","PHYS","BSF","62","Customers were mailed the cards of other customers. The cards had Social Security numbers and names.","Databreaches.net","","2010","39.961176","-82.998794" "August 9, 2010","HSBC Bank Nevada","Buffalo","New York","UNKN","BSF","14","A caller claiming to be an employee managed to get an employee to change the information on 14 customer accounts.","Databreaches.net","","2010","42.886447","-78.878369" "June 10, 2010","Durham County Government","Durham","North Carolina","PHYS","GOV","8,700","A group of people obtained a list of Durham employees which included Social Security numbers, birth dates, and employment information.  
They then used their personal information to commit credit card fraud and identity theft.  Police report that more than 200 employees were victims.","Databreaches.net","","2010","35.994033","-78.898619" "July 29, 2010","Rowland Equipment Co.","Smithfield","Virginia","INSD","BSR","30","Linda Rowland pleaded guilty to wire fraud and identity theft. She used the names and information of over 30 customers to falsify loan agreements for over 10 years.","Databreaches.net","","2010","36.982371","-76.631066" "July 23, 2010","Thomas Jefferson University Hospitals","Philadelphia","Pennsylvania","PORT","EDU","21,000","A password-protected laptop was stolen from the office of an employee on June 14.  The computer should not have contained protected health information, but did.  It also contained the name, birth date, gender, ethnicity, diagnosis, Social Security number, insurance information, and hospital account number of approximately 24,000 patients.","Databreaches.net","","2010","39.952335","-75.163789" "August 19, 2010","University of Connecticut West Hartford","West Hartford","Connecticut","PORT","EDU","10,174","The August 3 office theft of a laptop resulted in the exposure of 10,174 applicants' names, contact information and Social Security numbers. 
Undergraduate application information from 2004 to July of 2010 could have been accessed through the laptop.","Databreaches.net","","2010","41.762045","-72.742040" "August 11, 2010","ProAssurance Mid-Continent Underwriters","Houston","Texas","DISC","BSF","121","Customer names, Social Security numbers, dates of birth, and addresses were exposed on the Per Diem Insurance web page.","Databreaches.net","","2010","29.762884","-95.383062" "August 19, 2010","Yale School of Medicine","New Haven","Connecticut","PORT","MED","1,000","A stolen laptop resulted in the exposure of patient clinical health information.","PHIPrivacy.net","","2010","41.308153","-72.928158" "July 28, 2010","Wendy's","Tukwila","Washington","INSD","BSR","135","A dishonest employee used a skimmer between September 14, 2009 and July 21, 2010 to commit identity theft and make fraudulent charges to customer credit accounts. At least 135 accounts were fraudulently charged.","Databreaches.net","","2010","47.473988","-122.260956" "August 5, 2010","Blue Cross Blue Shield of Alabama","Birmingham","Alabama","INSD","MED","15","A dishonest employee was charged with identity theft. The employee fraudulently obtained credit by using the health insurance information of at least 15 clients.","PHIPrivacy.net","","2010","33.520661","-86.802490" "May 28, 2010","Aetna","South Windsor","Connecticut","PHYS","BSO","6,372","A cabinet full of documents with sensitive information was found sitting on the side of the road. A woman made the discovery about a month ago and gave the documents to investigators with Aetna Insurance Co. The woman said she saw a bureau on the side of the road in front of Admiral Storage in South Windsor with a sign that said ""free."" She brought it home and discovered the documents. There were eight bags of nothing but Social Security numbers, names, and death benefits. Information also included patient records and medications. 
Aetna responded by saying, ""Aetna is committed to protecting the privacy of our members and we take this situation seriously. We have policies for properly safeguarding our members’ information, and we are investigating how this incident occurred, but it appears to be human error. The woman contacted us via e-mail on the evening of May 5, and we immediately responded the next morning. She has consistently declined to give us her name or phone number, or to make arrangements to allow us to retrieve the documents at a place convenient for her, or to return them to us. As of today, we now have the files, and will go through each of them to determine the contents and whether any member information has been breached. If it has been, we will notify those members and take steps to mitigate any potential harm."" The woman attempted to arrange the hand-off; however, a short time after she got off the phone with the company, three men from Aetna showed up at her workplace, unannounced, and asked for the documents immediately. The woman said, ""But when they sent the three guys to my work yesterday, it was an intimidation tactic and I didn't appreciate it. So that told me what I was going to do. That they were going to try and hide it."" Aetna said someone from the company made a ""serious human error,"" and it will now go through the files to make sure no sensitive information was lost. What's more troubling, the woman said, is that the bureau wasn't the only piece of furniture offered for free that day. ""Out of the pieces that were up for grabs, who's to say that I've got the only piece that was full of Aetna papers."" The woman has also contacted the state to investigate the situation. Aetna has clients across the country. UPDATE (8/2/10): Aetna notified 7,250 clients of the breach and reported that 6,372 were affected. 
","Dataloss DB","","2010","41.832222","-72.569722" "July 20, 2010","Maryland Department of Human Resources","Baltimore","Maryland","INSD","GOV","3,000","An employee posted Social Security numbers and other personal information of around 3,000 clients on an outside website. The organization provides food stamps and other benefits and aid to clients. The employee was placed on administrative leave.","Databreaches.net","","2010","39.290385","-76.612189" "August 4, 2010","Hingham city government","Hingham","Massachusetts","DISC","GOV","1,300","An email with the Social Security numbers, names, and employee identification numbers of Hingham city employees was accidentally emailed to about 30 department heads. Some of the emails were automatically forwarded to personal accounts and personal devices.","Databreaches.net","","2010","42.241767","-70.889768" "August 10, 2010","Jewish Hospital Catheterization Lab","Louisville","Kentucky","PORT","MED","2,089","Two stolen laptops contained personal information on patients who were treated between June 2, 2009 and July 16, 2010. The information included patient names, Social Security numbers, dates of birth, medical record numbers, addresses, phone numbers, patient account numbers, and insurance carriers.","PHIPrivacy.net","","2010","38.252768","-85.758446" "August 20, 2010","University of Kentucky Newborn Screening Program","Lexington","Kentucky","PORT","EDU","2,027","A laptop with information from the Department of Pediatrics Newborn Screening Program was stolen from a locked private office. 
Patient dates of birth, names and medical record numbers were on the password-protected laptop.  Some patients also had Social Security numbers on the laptop.","PHIPrivacy.net","","2010","38.031714","-84.495136" "August 20, 2010","Cook County Health and Hospital Systems (CCHHS)","Chicago","Illinois","PORT","GOV","7,000","On June 1, a laptop with patient information was stolen from a locked office in an administration building. 
The password-protected computer included names, dates of birth and Social Security numbers.","PHIPrivacy.net","","2010","41.850033","-87.650052" "August 7, 2010","Fort Worth Allergy and Asthma Associates","Fort Worth","Texas","STAT","MED","25,000","The June 29th theft of four computers resulted in patient records being exposed. The patient records contained addresses, Social Security numbers and dates of birth.","PHIPrivacy.net","","2010","32.725409","-97.320850" "July 14, 2010","Oregon State University","Corvallis","Oregon","HACK","EDU","34,000","A University computer containing personal information of current and former employees was found to be infected by a virus. Employee records from 1999 to 2005 contained Social Security numbers.","Databreaches.net","","2010","44.564566","-123.262044" "July 22, 2010","The Loft and Comedy Club","Columbus","Georgia","DISC","BSR","60","Names, addresses, phone numbers, and credit card information from customers of The Loft and Comedy Club were discovered through a Google search. Customer data from 2004 to 2008 was posted. The Loft fixed the problem and is working on having the site removed.","Databreaches.net","","2010","32.460976","-84.987709" "June 17, 2010","Ocean Lakes High School","Virginia Beach","Virginia","HACK","EDU","11,388","Because of an incorrect security setting, an Ocean Lakes High School student was able to access a temporary file on a server that contained the names, addresses and Social Security numbers of students at 22 schools. The breach was discovered when the student tried to print some of the information in the school library. 
In addition to names, addresses and Social Security numbers, the student files also contain parent names, phone numbers, class schedules, birth dates and student ID numbers.","Dataloss DB","","2010","36.852926","-75.977985" "June 7, 2010","Nursing Visioned Medical Services","Nashville","Tennessee","PHYS","MED","2,000","Over two thousand patient records, surgery information, Social Security numbers and bank information were found dumped behind Nashville Center Point Church of the Nazarene. The documents came from the now defunct and bankrupt Nursing Visioned Medical Services group. Maryland-based Impulse Monitoring, Inc. bought the assets to NVMS last year when they filed bankruptcy. They said they are not responsible for the patient information because the services NVMS provided were one-time services. The old owners had shredded a bunch of old documents and the more recent ones had been passed on to the company (Impulse) that bought NVMS back in January. It is unclear where the documents came from.","Dataloss DB","","2010","36.165890","-86.784443" "April 8, 2010","H&R Block","Bronx","New York","INSD","BSF","20","Police are investigating whether former H&R Block employees received fraudulent tax refunds by using customer information. At least customers 20 have come forward, but there could be many more customers who were affected.","Databreaches.net","","2010","40.850100","-73.866246" "July 27, 2010","Citigroup Inc.","New York","New York","DISC","BSR","117,600","Citigroup's mobile banking application for Apple's iphone has a security flaw that saves user account numbers, bill payments and security access codes into a hidden file on the iphone and the user's computer.  An upgrade that will fix the problem is available.","Media","","2010","40.714353","-74.005973" "May 21, 2010","Tufts University","Medford","Massachusetts","HACK","EDU","2,000","Campus computers with former student files were exposed to a virus.  
Over two thousand alumni may have had their Social Security numbers and other information exposed.","Databreaches.net","","2010","42.418430","-71.106164" "March 12, 2010","Beecher Carlson Holdings Inc.","Atlanta","Georgia","PORT","BSF","1,012","Two laptops were stolen from employees while they were off-site. The laptops contained employee names and Social Security numbers. Many more people may have been affected since the total number of Massachusetts residents affected is 1,012.","Databreaches.net","","2010","33.748995","-84.387982" "August 9, 2010","Brookings Institution","Washington","District Of Columbia","PORT","NGO","143","A CD with employee W-2 statement information was lost in transit during December of 2009. Employee names, addresses and Social Security numbers were in the W-2 files. Around 143 employees from Maryland alone were affected.","Databreaches.net","","2010","38.895112","-77.036366" "July 29, 2010","DebtStoppers USA, Robert J. Semrad and Associates","Chicago","Illinois","PHYS","BSF","100","A tipster led to the discovery of hundreds of personal and financial documents in a trash bin outside the attorney's office. The documents included Social Security numbers, names, addresses, driver's license numbers, and signed debit card authorizations from clients.","Databreaches.net","","2010","41.850033","-87.650052" "July 14, 2010","Carle Clinic Association","Urbana","Illinois","PHYS","MED","1,300","An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films and film jackets. 
The health information included approximately 1,300 patient names, dates of birth, gender, clinic medical numbers, internal accession numbers, site locations, physician or provider names, and internal provider numbers.","PHIPrivacy.net","","2010","40.110588","-88.207270" "June 9, 2010","TennCare, New Mexico Human Services Department","Chicago","Illinois","PORT","MED","21,000","An employee from a subcontractor company called West Monroe Partners was robbed of a laptop containing information for a Medicaid billing company named DentaQuest. DentaQuest was responsible for dental benefits of the New Mexico Human Services Department and TennCare. Around 21,000 people had their full names and Social Security numbers on the stolen laptop. Approximately 55,000 others had some form of personal information on the laptop.","Databreaches.net","","2010","41.850033","-87.650052" "July 14, 2010","Blue Cross Blue Shield Association","Chicago","Illinois","PHYS","MED","15,000","An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals' protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.","PHIPrivacy.net","","2010","41.850033","-87.650052" "June 18, 2010","University of Nevada","Reno","Nevada","STAT","EDU","7,526","Some patient information from the University Health System may have been accessed after the theft of computer equipment at the Reno office on June 11th. 
Patient names, Social Security numbers, patient account numbers, medical information, birth dates and addresses may have been viewed.","Databreaches.net","","2010","39.529633","-119.813803" "August 11, 2010","Ambrosia Asian Bistro","Greeley","Colorado","INSD","BSR","50","A waitress admitted to using a skimming device to collect the credit card information of between 50 and 60 customers.","Databreaches.net","","2010","40.423314","-104.709132" "August 11, 2010","LPL Financial","Boston","Massachusetts","DISC","BSF","38","An advisor accidentally sent an email attachment to clients that contained the names and account information of 38 other clients.","Databreaches.net","","2010","42.358431","-71.059773" "June 30, 2010","Lincoln Medical and Mental Health Center","Bronx","New York","PORT","MED","130,495","Multiple CDs containing patient personal information were lost in transit by FedEx. Information included dates of birth, driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Siemens Medical Solutions USA, the Hospital's billing contractor, shipped the CDs around March 16th. They were never received.","PHIPrivacy.net","","2010","40.850100","-73.866246" "June 1, 2010","Brew HaHa!","Wilmington","Delaware","HACK","BSR","30","Outdated and improperly managed software caused customer debit and credit cards to be exposed to fraudulent charges.  Between 20 and 30 customers of one bank had fraudulent charges from overseas added to their statements.  
It is not known how many other customers were affected.","Databreaches.net","","2010","39.745833","-75.546667" "May 14, 2010","Principal Financial Group","Des Moines","Iowa","HACK","BSF","0","An unauthorized person using a valid employer password and user name accessed group contract number, member name, Social Security number, age and employment status of certain individuals with a connection to Principal Life Insurance.","Databreaches.net","","2010","41.600545","-93.609106" "April 16, 2010","Blue Cross and Blue Shield of Rhode Island (BCBSRI)","Providence","Rhode Island","PHYS","MED","12,000","A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a local nonprofit organization.  The surveys were from 2001 to early 2004 and contained information such as names, Social Security numbers, telephone numbers, addresses and Medicare Identification numbers.","Databreaches.net","","2010","41.823989","-71.412834" "April 16, 2010","Gap Inc.","Grove City","Ohio","INSD","BSR","18","An employee at the call center was inappropriately accessing customer names, billing addresses, credit card numbers and CVVs.","Databreaches.net","","2010","39.881452","-83.092964" "April 16, 2010","Building Media Inc. (BMI)","Wilmington","Delaware","HACK","BSR","81","A hacking incident exposed customer names and credit card information.","Databreaches.net","","2010","39.745833","-75.546667" "April 18, 2010","Rapid Return Tax ","San Antonio","Texas","PHYS","BSF","0","Dozens of legible tax documents were found among ashes in a dumpster outside of a tax return business.  Social Security numbers may have been on the documents.  This appears to be the result of a failure to burn all of the documents. ","Databreaches.net","","2010","29.424122","-98.493628" "April 16, 2010","Health Net","Los Angeles","California","UNKN","BSF","18","Customer information was sent to the wrong agent. The format of the information is unknown. 
The information included names and Medicare numbers.","Databreaches.net","","2010","34.052234","-118.243685" "April 21, 2010","St. Mary and Elizabeth Hospital Women's Center","Louisville","Kentucky","STAT","MED","77","A hard drive was stolen from a locked area. Medical information such as biopsy images, patient names, and medical exams were on the stolen hard drive.","PHIPrivacy.net","","2010","38.254238","-85.759407" "April 26, 2010","South Carolina Department of Health and Environmental Control","Columbia","South Carolina","PHYS","GOV","1,824","Over 1,824 people's information was found in a dumpster. It is not known what kind of personal information was included in the documents.","NAID","","2010","34.000710","-81.034814" "May 17, 2010","Edward Waters College","Jacksonville","Florida","DISC","EDU","210","Over 210 staff and prospective student names, Social Security numbers, driver's license numbers, and addresses were accessible to the public through a Google or Yahoo! search.  The cause was a mistake in setting up software. ","Databreaches.net","","2010","30.332184","-81.655651" "May 24, 2010","Lake Ridge Middle School","Woodbridge","Virginia","PORT","EDU","1,200","A USB drive containing student names, identification numbers, phone numbers, and medical information was stolen from the unlocked car of a school administrator at the employee's home. Over 1,200 students were affected.","Databreaches.net","","2010","38.658172","-77.249705" "May 20, 2010","Strong Memorial Hospital","Rochester","New York","DISC","MED","1,250","Around half of all patient medical bills were sent to the wrong address. The billing statements included patient names, name and address of the person responsible for paying the bill, description of services received and the dates of services, dollar amount owed, health insurance plan and subscriber number. 
Around 1,250 patients were affected.","Databreaches.net","","2010","43.154785","-77.615557" "June 29, 2010","Sparta Board of Education","Sparta Township","New Jersey","DISC","GOV","200","Several vendor Social Security numbers and tax identification numbers were accidentally sent out via email to a local activist requesting information on Sparta Board of Education vendors.  UPDATE (7/8/10): The activist mentioned is Jesse Wolosky and he has not returned the information because ""they could get lost in cyberspace or go to the wrong inbox.""  Wolosky also claims that state agencies are looking into the matter.  The number of Social Security numbers is still unknown since Wolosky claims 600-800 and the district claims 200-300.","Databreaches.net","","2010","41.038333","-74.632222" "June 29, 2010","Cal State San Bernardino (CSSB)","San Bernardino","California","DISC","EDU","36","Information such as names and Social Security numbers was exposed to the public through a web server. The students affected were on the class roster for a computer science and engineering course. The files were discovered and removed on June 10th.","Databreaches.net","","2010","34.108345","-117.289765" "June 29, 2010","Destination Hotels & Resorts","Englewood","Colorado","HACK","BSO","700","Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii. Destination has uncovered a malicious software program inserted into its credit card processing system from a remote source. Destination Hotels is in the process of notifying victims but will not say how many people have had their credit card numbers stolen. The attackers appear to have hit only point-of-sale processing systems, where credit cards are swiped for purchases. 
Personal information such as guests' home addresses was not compromised. UPDATE (7/2/10): Around 700 customers were affected nationwide by the hack; including dozens of customers of the Driskill Hotel of Austin, Texas.","Dataloss DB","","2010","39.647765","-104.987760" "July 2, 2010","Cornerstone","Nashville","Tennessee","PHYS","NGO","1,537","According to Cornerstone: ""During the weekend of April 30th, 2010, flood waters broke windows of our administrative office for School-Based Services... As a result of the unprecedented flooding that occurred, some clinical record information, along with name, Centerstone ID#, Social Security number, and date of birth, may have been removed from the building by flood waters.""","PHIPrivacy.net","","2010","36.165890","-86.784443" "July 6, 2010","Massachusetts Secretary of State Office","Boston","Massachusetts","PHYS","GOV","139,000","In an attempt to release public information from the Securities Division, the Massachusetts Secretary of State's office released the Social Security and driver's license information of 139,000 investment advisers registered with the state. The information was sent on a CD-ROM sent to IA Week, an investment industry publication.","Databreaches.net","","2010","42.358431","-71.059773" "July 14, 2010","VHS Genesis Lab","Berwyn","Illinois","PHYS","MED","500","Over 500 client invoices went missing. It does not appear that the month's worth of invoices were mailed. They contained health information such as names, dates of birth, and medical testing information.","PHIPrivacy.net","","2010","41.850587","-87.793669" "July 15, 2010","Nix Check Cashing","Manhattan Beach","California","STAT","BSF","100","The May 17th theft of a computer resulted in the exposure of customer names, addresses, phone numbers, Social Security numbers and driver's license numbers. Affected customers were notified on June 30th. 
Over one hundred customers from New Hampshire were affected; though the total number of customers affected is unknown.","Databreaches.net","","2010","33.884736","-118.410909" "August 26, 2010","HMS Host","Cleveland","Ohio","INSD","BSR","0","A woman was charged with misusing applicant information to open more than 65 credit cards under different names. The woman made over $115,000 in fraudulent charges between February of 2006 and November of 2008.","Databreaches.net","","2010","41.499495","-81.695409" "August 29, 2010","Rolling Meadows Townhomes ","Saline","Michigan","HACK","BSO","0","Dozens of residents of the Rolling Meadows Townhomes community became identity theft victims. Thieves somehow obtained banking information from checks that residents sent to pay for their co-op properties.","Databreaches.net","","2010","42.166707","-83.781608" "August 31, 2010","P.K. Yonge","Gainesville","Florida","PORT","EDU","8,300","The July 23 theft of a laptop in California resulted in the exposure of current and former student and employee personal information.  The information included Social Security numbers and some driver's license numbers.  The information dates back to 2000.","Databreaches.net","","2010","29.651634","-82.324826" "February 22, 2010","SunTrust Bank","Atlanta","Georgia","CARD","BSF","200","Throughout the summer of 2009, four men put skimming devices on SunTrust Bank ATMs in the Florida counties of Hillsborough and Pinellas. Well over 200 people were affected.","Databreaches.net","","2010","33.748995","-84.387982" "March 5, 2010","University of Texas Southwestern Medical Center ","Dallas","Texas","INSD","GOV","200","A former employee was arrested on patient information and identity theft.  The stolen patient information includes names, Social Security numbers, birth dates, addresses, phone numbers and financial data.  
The employee allegedly sold the patient information of at least 200 people to an outside party for the purpose of creating bank accounts and misusing credit and loans.","Databreaches.net","","2010","32.802955","-96.769923" "May 18, 2010","The Vine Tavern and Eatery","Tempe","Arizona","PHYS","BSR","0","Personal documents including applicant names, Social Security numbers, and dates of birth were found in a dumpster. Customer checks with banking information and credit card receipts were also found. Reports indicate that thousands of pages of information were located.","NAID","","2010","33.414768","-111.909310" "August 31, 2010","Armed Forces Recruiting Center","Cape Girardeau","Missouri","PHYS","GOV","8","Dozens of records with high school diplomas were found in a dumpster outside of the recruiting center on William Street. In eight cases, copies of people's birth certificates, Social Security cards, or both were also with their diplomas.","Media","","2010","37.305884","-89.518148" "July 30, 2010","Texas Children's Hospital and Baylor College of Medicine","Houston","Texas","PORT","NGO","694","A physician's laptop was stolen from an office on May 13th.  The laptop contained personal information on cardiology patients.  Affected persons were notified that their names, dates of service, medical record numbers, diagnoses and dates of birth were on the password-protected laptop. UPDATE (9/2/10): Only 694 patients were affected.  The original notice on the website stated that 1600 patients were at risk.","PHIPrivacy.net","","2010","29.762884","-95.383062" "August 24, 2010","Eastmoreland Surgical Clinic and Vein Center","Portland","Oregon","STAT","MED","4,328","Desktop computers were stolen from the office around July 5.  
The computers had patient names, addresses, Social Security numbers, phone numbers, reason for visit and insurance carrier information.","PHIPrivacy.net","","2010","45.523452","-122.676207" "September 2, 2010","Chattanooga Family Practice Associates","Chattanooga","Tennessee","PORT","MED","1,711","A missing portable device had the names, dates of birth and purposes of visits for a limited number of patients.","HHS via PHIPrivacy.net","","2010","35.045630","-85.309680" "September 1, 2010","Jason's Deli","Memphis","Tennessee","HACK","BSR","0","Hundreds of customers may have been affected after using their credit or debit cards at the restaurant. The computer server was infected with a new virus. ","Databreaches.net","","2010","35.149534","-90.048980" "September 2, 2010","Kinetic Concepts Inc. (KCI)","San Antonio","Texas","DISC","BSR","4,000","An attachment with sensitive employee information was accidentally emailed to company employees. The information included names, Social Security numbers, addresses, dates of birth and salary information.","Dataloss DB","","2010","29.424122","-98.493628" "September 2, 2010","Arkansas State University","Jonesboro","Arkansas","DISC","EDU","2,484","The full names, driver's license numbers and Social Security numbers of 2,484 full and part-time employees of the University were accidentally emailed to 144 University emails.","Databreaches.net","","2010","35.842297","-90.704279" "March 11, 2009","Sprint","Overland Park","Kansas","INSD","BSO","0","Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission. It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. They have terminated this employee. 
The information that may have been compromised includes name, address, wireless phone number, Sprint account number, security question answer, and the name of the authorized point of contact for account.","Dataloss DB","","2009","38.982228","-94.670792" "September 2, 2010","Sprint","Overland Park","Kansas","INSD","BSR","0","Between January 2010 and June 2010 nine former employees inappropriately accessed confidential customer account information and used it to make unauthorized calls. Defrauded customers were credited by the company. Around $15 million dollars in authorized calls resulted from the cellphone cloning scheme.","Databreaches.net","","2010","38.982228","-94.670792" "August 17, 2010","American Fidelity Assurance Company","Edmond","Oklahoma","PHYS","BSF","0","Storage containers with Social Security numbers, names, dates of birth and other information were left on a curb in Edmond, Oklahoma. A couple went to the local news after having stored the hundreds of documents for a few years. 
The insurance papers are from 2003 and 2004 and have information on employees of multiple companies.","Databreaches.net","","2010","35.652832","-97.478095" "September 4, 2010","Essex Youth Commission Summer Program","Essex","Massachusetts","PHYS","GOV","0","Paper records and digital files with personal health and personally identifiable information from youth participants, parents and staff were reported missing.","PHIPrivacy.net","","2010","42.632039","-70.782826" "August 18, 2010","Beauty Dental, Inc.","Chicago","Illinois","PHYS","MED","657","The paper records of some individuals were lost or stolen on June 5.","HHS via PHIPrivacy.net","","2010","41.850033","-87.650052" "August 18, 2010","Humana Inc, Matrix Imaging","Louisville","Kentucky","PHYS","BSF","2,631","Paper records involving information from business associate Matrix Imaging were lost or stolen on June 25.","HHS via PHIPrivacy.net","","2010","38.252665","-85.758456" "May 25, 2010","Loma Linda University Medical Center","Loma Linda ","California","STAT","MED","584","A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure. ","Dataloss DB","","2010","34.048347","-117.261153" "September 5, 2010","Eastern Michigan University","Ypsilanti","Michigan","HACK","EDU","0","Online banking information may have been exposed because of a computer server hacking incident.  
The information included log-ins and personal identification numbers for some employees.","Dataloss DB","","2010","42.241150","-83.612994" "January 31, 2010","Iowa State Racing and Gaming Commission","Des Moines","Iowa","HACK","GOV","80,000","The Iowa Racing and Gaming Commission says someone gained access to a computer server that holds more than 80,000 records containing casino employee information. The person who hacked into the system was traced back to China and had used a computer with an external account. The server contains records including names, birth dates and Social Security numbers.","Dataloss DB","","2010","41.600545","-93.609106" "September 9, 2010","California Department of Health Care Services","Sacramento","California","DISC","GOV","5,000","The California Department of Health Care Services released confidential and identifying information about HIV positive Medi-Cal recipients to a third party service provider.  A network of organizations have deemed this action illegal and unauthorized.  A letter was sent by the network asking for an explanation of how this happened and reassurance that it will not happen again.","PHIPrivacy.net","","2010","38.581572","-121.494400" "September 11, 2010","Cheesecake Factory","White Plains","New York","INSD","BSR","0","A waiter used a skimming device to make $100,000 worth of fraudulent charges to customer credit cards. The waiter committed these crimes in late 2008 and was arrested in September of 2010.","Databreaches.net","","2010","41.033986","-73.762910" "September 9, 2010","Mayo Clinic","Phoenix","Arizona","INSD","MED","1,700","An employee was fired after it was learned that the employee accessed patient records without authorization.  
The employee repeatedly accessed information at a location in Arizona between 2006 and 2010, but the Mayo Clinic system allows employees to access patient records from across the country.","PHIPrivacy.net","","2010","33.448377","-112.074037" "September 8, 2010","HEI Hospitality (HEI Hotels and Resorts)","Norwalk","Connecticut","HACK","BSR","3,400","A vulnerability was discovered in the information systems of multiple hotels. Customers who used credit cards between March 25 and April 17 of 2010 may have had their credit card information exposed.","Databreaches.net","","2010","41.117597","-73.407897" "August 12, 2010","Walsh Pharmacy","Fall River","Massachusetts","PORT","MED","11,440","A DVD with patient information was lost in transit.  Information included patient names as well as some Social Security numbers, health insurance information, driver's license numbers and prescription information. The DVD was not in the envelope when the recipient opened it. UPDATE (8/18/10): The incident involved 11,440 patients.","PHIPrivacy.net","","2010","41.701491","-71.155045" "September 13, 2010","Saint Barnabas Health Care Systems and Newark Beth Israel Medical Center","West Orange","New Jersey","PORT","MED","4,586","An employee of Saint Barnabas' accounting partner KPMG lost an unencrypted flash drive. The flash drive had patient names and information about their health, but did not have Social Security numbers or financial information. The incident occurred in June and patients were notified in September.","HHS via PHIPrivacy.net","","2010","40.798711","-74.239035" "September 7, 2010","City University of New York","New York","New York","PORT","EDU","7,000","A computer with student information was stolen. The information included Social Security numbers and names.","Dataloss DB","","2010","40.714353","-74.005973" "September 13, 2010","SunBridge Healthcare Corporation","Albuquerque","New Mexico","PORT","MED","1,000","A BlackBerry mobile device was stolen from an employee's desk. 
 The device had unencrypted current and former resident and patient information from eight different nursing and rehabilitation facilities in Georgia.  No Social Security numbers or financial information were stored on the device, but it did contain patient names, medical record numbers, medical information, dates of birth, and dates of service.","HHS via PHIPrivacy.net","","2010","35.084491","-106.651137" "September 13, 2010","New York University School of Medicine Aging and Dementia Clinical Research Center","New York","New York","PORT","MED","1,200","A portable electronic device was lost or stolen on April 3.  The health information of 1,200 patients was lost. The incident was reported to the Department of Health and Human Services in September. ","HHS via PHIPrivacy.net","","2010","40.714353","-74.005973" "September 15, 2010","Paul Martin's American Bistro","Roseville","California","HACK","BSR","0","Hundreds of customers who used their credit cards at Paul Martin's were put at risk for credit card fraud.  Hackers accessed the restaurant's credit-card processing system. Customer credit card information was then sold to other criminals and used to make purchases. According to a police news release, the hack did not involve the external financial services network or any third-party data processing service. It appears that the first customers were affected in March of 2010.","Databreaches.net","","2010","38.752124","-121.288006" "September 18, 2010","New York City Human Resources Administration and New York City Department of Health and Mental Hygiene","New York","New York","INSD","GOV","0","Two New York City employees from different agencies were involved in an identity fraud ring. One employee worked for the New York City Human Resources Administration and sold copies of welfare recipients' birth certificates and Social Security numbers. 
The second employee worked for the New York City Department of Health and Mental Hygiene and sold parental identification information from birth certificates. The employees were sentenced to eight months to two years of prison time and one to two years of probation for identification fraud. These crimes happened between 2005 and 2008.","Databreaches.net","","2010","40.714353","-74.005973" "September 14, 2010","Rice University","Houston","Texas","PORT","EDU","7,250","A portable device with personal information of current and former employees and some students was stolen.  The device had a payroll file which contained the information of students, faculty, and staff on payroll as of January 2010.  Social Security numbers, addresses, names, dates of birth and other employment information may have been exposed. UPDATE (9/18/10): Additional details reveal that the information was not encrypted.  Approximately 2,270 students were affected.  Four thousand of the Social Security numbers on the device were from faculty or staff, while three were from students.  The banking information of two employees was also on the device.","Databreaches.net","","2010","29.762884","-95.383062" "September 17, 2010","Saint Anselm College","Manchester","New Hampshire","DISC","EDU","0","A number of alumni who received a University newsletter were notified that their Social Security numbers were printed on mailing labels.  The error occurred on the spring 2010 and fall 2009 newsletters. It seems that no one complained about the fall accidental disclosure.","Databreaches.net","","2010","42.995640","-71.454789" "September 16, 2010","Benefit Concepts Inc","East Providence","Rhode Island","PORT","BSF","0","A package containing payroll checks and a CD copy of payroll checks was lost during shipment between July 19 and July 20. Benefit Concepts' vendor CompuPay will encrypt CDs and mask paper records in the future, but this CD was not encrypted. 
Employee names, Social Security numbers and bank account numbers were in the package.","Databreaches.net","","2010","41.813712","-71.370055" "September 16, 2010","Martin Luther King Jr. Multi-Service Ambulatory Care Center","Los Angeles","California","INSD","GOV","33,000","A janitor removed 14 boxes of patient records and sold them to a recycling center.  The records had names, genders, dates of birth, addresses, medical record numbers and financial batch numbers. Patients who received services from the outpatient facility between January and October of 2008 were affected.  The files were discovered missing on July 29 of 2010 and the custodial worker admitted to selling them.  The custodian is being charged with one count of felony commercial burglary.  Those affected will be mailed notifications during the week of September 20 of 2010.","Databreaches.net","","2010","34.052234","-118.243685" "August 20, 2010","Turley's Restaurant","Boulder","Colorado","PHYS","BSR","0","The owner of Turley's Restaurant went to recycle old employee files. After seeing that the dumpster was full, the owner then left boxes of intact files from former employees near the dumpster. The files included Social Security numbers, birth dates and phone numbers.","NAID","","2010","40.014986","-105.270546" "September 22, 2010","Ault Chiropractic Center","Batesville","Indiana","STAT","MED","2,000","The September 15 theft of a computer may have resulted in the exposure of the protected health information of patients.","HHS via PHIPrivacy.net","","2010","39.300051","-85.222184" "September 27, 2010","Kern Medical Center","Bakersfield","California","HACK","MED","0","An employee opened an email that subsequently affected the entire hospital system in late July. The Kern Medical Center temporarily removed itself from the county computer network to prevent the spread of the attack. 
Patient records were eventually secured, but it is unknown if any were affected by the 16-day malware attack.","PHIPrivacy.net","","2010","35.373292","-119.018713" "September 25, 2010","St. Vincent Hospital (Saint Vincent)","Indianapolis","Indiana","PORT","MED","1,200","A computer was stolen from an employee's home on July 25.  The computer had patient Social Security numbers and other personal health information.  Patients were notified in late September. ","PHIPrivacy.net","","2010","39.768377","-86.158042" "September 21, 2010","The Kent Center","Warwick","Rhode Island","PHYS","MED","1,361","A briefcase with patient records was stolen from a clinician's car on July 13. The lost documents included client names, dates of birth and some clinical information. The patient records do not appear to have been the target of the theft since other cars were broken into during that night.","HHS via PHIPrivacy.net","","2010","41.700101","-71.416167" "July 27, 2010","Cooper University Hospital","Camden","New Jersey","PORT","MED","0","A flash drive with the personal information of graduate medical residents and fellows was reported missing on July 23.  The personal information included Social Security numbers, dates of birth, race, gender, addresses, phone numbers, marital status, emergency contacts and more. Students enrolled between 2008 and 2010 and current members of staff were affected.","Databreaches.net","","2010","39.925946","-75.119620" "September 28, 2010","Maine Department of Education","Augusta","Maine","DISC","EDU","0","A technology director from the school district was able to access Social Security numbers of staff members in other districts.  The Maine Department of Education has asked school districts to delay submitting student Social Security numbers until the problem has been addressed.  
According to reports, ""For the first time, Maine school districts are collecting students' SSNs for a statewide database intended to help policy makers track students' progress throughout school and college and into the workplace."" This practice has been controversial.","Databreaches.net","","2010","44.310624","-69.779490" "September 21, 2010","Pediatric and Adult Allergy, PC","Des Moines","Iowa","PORT","MED","19,222","Patients of Dr. George Caudill (retired), Dr. Veljko Zivkovich (retired), Dr. Robert Colman and Dr. Whitney Molis were notified that a backup tape with their personal information was lost on or around July 11. The patient information included name, address, phone number, date of birth, Social Security number, dates of service, services and diagnoses. Medical records and financial information were not on the backup tape. It appears that all patients with accounts created before July 10, 2010 were affected.","HHS via PHIPrivacy.net","","2010","41.600545","-93.609106" "September 6, 2010","Humana","Louisville","Kentucky","INSD","MED","4","A former employee pleaded guilty to illegally accessing and using patient information in order to support his drug habit. The employee worked in Humana's information technology department. He also agreed to help address internal security flaws.","PHIPrivacy.net","","2010","38.252665","-85.758456" "September 3, 2010","University of Rochester Medical Center (URMC)","Rochester","New York","PORT","MED","837","The loss of a USB device may have exposed current and former patient health information and dates of birth. Patients of a single surgeon were affected.","PHIPrivacy.net","","2010","43.161030","-77.610922" "August 18, 2010","Wright State Physicians","Dayton","Ohio","PORT","MED","1,309","A password-protected laptop with patient information was accidentally thrown in the trash and lost for five days. 
Names, dates of service, and sometimes treatment description of patients treated for vascular conditions within the last four years were on the laptop. The laptop was thrown out on June 11 and found in a landfill on June 16.","HHS via PHIPrivacy.net","","2010","39.758948","-84.191607" "August 10, 2010","DC Chartered Health Plan","Washington","District Of Columbia","PORT","MED","540","The May 26 theft of a laptop resulted in the exposure of private health information of 540 people.","HHS via PHIPrivacy.net","","2010","38.895112","-77.036366" "August 6, 2010","United HealthGroup","Minneapolis","Minnesota","PHYS","MED","735","It appears that a breach involving paper records and categorized by the Health and Human Services (HHS) website as ""theft, unauthorized access"" occurred when patient documents were stolen on March 2. The incident was reported to HHS on August 4. Little more is known about the incident.","HHS via PHIPrivacy.net","","2010","44.979965","-93.263836" "August 6, 2010","United HealthGroup","Minneapolis","Minnesota","PHYS","MED","16,291","United HealthGroup reported a breach of paper records to Health and Human Services in June. The breach occurred on January 26.","HHS via PHIPrivacy.net","","2010","44.979965","-93.263836" "November 20, 2009","Johns Hopkins Medicine","Baltimore","Maryland","INSD","MED","100","A woman who worked as a patient services coordinator for Johns Hopkins Medicine has been sentenced to 18 months in prison for stealing patient information. The 31 year-old woman of Baltimore was also ordered to pay more than $200,000 in restitution. According to her plea agreement and court documents, from August 2005 to April 2007, the woman provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. 
","Dataloss DB","","2009","39.290385","-76.612189" "May 12, 2009","Johns Hopkins Hospital","Baltimore","Maryland","INSD","MED","10,200","An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia. The employee had access to information such as name, address, telephone number, mother and fathers names, dates of birth and Social Security numbers, but not to any health or medical information.UPDATE (10/1/10 via PHIPrivacy.net): The former employee and four others were indicted for fraud and aggravated identity theft.  They are charged with using patient information to create fraudulent credit accounts. The former employee worked at the hospital between August 2007 and March of 2009.  It is believed that around 600 patients may have been targets for identity theft, but only 50 incidents were linked to the former employee. ","Media","","2009","39.290385","-76.612189" "September 29, 2010","Morgan Keegan & Company","Memphis","Tennessee","PORT","BSF","18,500","An attorney was able to collect a disk with client names and detailed financial information during an investigation. Clients were notified and their accounts are being monitored for unauthorized use. The breach was discovered on September 15 and the disk was later returned by the attorney.","Media","","2010","35.149534","-90.048980" "September 29, 2010","University of Florida","Gainesville","Florida","DISC","EDU","239","The University notified former students who took certain computer science classes in 2003 that their information was available online. Names, Social Security numbers and addresses were included in a web-accessible archive created by a faculty member. The University corrected the problem in August of 2010. 
Notification letters were sent to most students who may have been affected, but the University was unable to contact 54 former students.","Databreaches.net","","2010","29.651634","-82.324826" "October 2, 2010","Romeus Cuban Restaurant","Southwest Ranches","Florida","CARD","BSR","24","More than two dozen customers had their credit card numbers stolen by a waiter with a skimming device. Authorities believe the former waiter collected information over several months and sold it to a group of identity thieves operating outside of Florida.","Databreaches.net","","2010","26.058700","-80.337273" "May 24, 2010","Cheesecake Factory","Washington","District Of Columbia","INSD","BSR","0","Three servers from a Cheesecake Factory restaurant were charged with using skimming devices to make over $117,000 in fraudulent charges to customer credit card accounts.","Databreaches.net","","2010","38.895112","-77.036366" "September 29, 2010","Cheesecake Factory, PGA Tour Grill, Outback Steakhouse","Washington","District Of Columbia","INSD","BSR","0","Two people have been charged with conspiring to commit bank fraud and aggravated identity theft. They paid servers at multiple restaurants in the Washington D.C. area to use skimming devices to collect customer credit card information. The stolen information was used to fraudulently make purchases.","Databreaches.net","","2010","38.895112","-77.036366" "March 1, 2010","US Bank","Cleveland","Ohio","PORT","BSF","0","A laptop was stolen from the desk of a financial adviser. The laptop contained personal information about bank customers. ","Databreaches.net","","2010","41.499495","-81.695409" "September 28, 2010","US Bank","Eau Claire","Wisconsin","CARD","BSF","0","A scanner was found at an ATM. It was left undetected between 12:30pm and 4:20pm on Friday, September 17. A customer reported the device the next day when it was placed at the same location again. It appears that one customer was directly affected by unauthorized charges. 
The bank is in the process of canceling cards that were used on September 17 and 18 of 2010.","Databreaches.net","","2010","44.811349","-91.498494" "September 24, 2010","Wilderness Ridge, Hidden Valley Golf","Lincoln","Nebraska","HACK","BSR","225","At least 225 reports of credit and debit card fraud have been linked to a security breach that exposed the information of customers of the two golf courses.  The affected systems were shut down.  The time of the security breach is unknown. ","Databreaches.net","","2010","40.806862","-96.681679" "September 24, 2010","Comprehensive Accounting","Farmington Hills","Michigan","PHYS","BSF","0","An employee error reportedly caused thousands of intact client files to be left in an easily accessible dumpster.  The files contained client information and employee Social Security numbers, names, addresses, W2s, bank statements and profit reports from 1990 and after.  The files were removed from the dumpster and are scheduled to be shredded.","Databreaches.net","","2010","42.485313","-83.377155" "October 4, 2010","Gulf Pines Hospital","Port St. Joe","Florida","PHYS","MED","0","Former employees are concerned that the hospital was not properly cleared before being sold. People reported abandoned files in the middle of the hospital. An emergency room log, driver's license information, Social Security numbers and other personal files were left in the hospital. Patient medical records were removed. The buyer of the property was contacted, but did not return phone calls.","PHIPrivacy.net","","2010","29.814722","-85.297222" "March 4, 2010","Akel Business Services (also Silva Bookkeeping and Tax Services)","La Mesa","California","INSD","BSF","32","A dishonest business owner filed fraudulent tax returns by using his clients' information. He also created fictitious identities by using the Social Security numbers of his clients' children.  
At least 32 people were affected.","Databreaches.net","","2010","32.767829","-117.023084" "October 6, 2010","Gastroenterology Consultants","Omaha","Nebraska","PHYS","MED","0","A local news station responded to a report about patient files being left in a recycling dumpster outside of the clinic. Hundreds of documents with patient names, Social Security numbers, addresses and detailed medical information were found and secured by KMTV Action 3 News. The files appear to be from 2002 and 2003.","PHIPrivacy.net","","2010","41.254006","-95.999258" "October 20, 2009","ChoicePoint ","Alpharetta","Georgia","DISC","BSO","14,023","ChoicePoint has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year. In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement. During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information. UPDATE (9/22/10): The Federal Trade Commission mailed checks worth $18.17 to 14,023 ChoicePoint customers.  These checks were meant to cover the money and time customers spent monitoring their credit after ChoicePoint's 2008 breach.  ChoicePoint had been ordered to implement a comprehensive information security program after a 2006 breach.  Due to ChoicePoint's failure to do this, they suffered another breach and were fined.","Dataloss DB","","2009","34.075376","-84.294090" "September 22, 2010","Hana Japanese Sushi Bar and Grill","Natchitoches","Louisiana","HACK","BSR","30","Over 30 cases of credit card fraud were linked to the restaurant. The computer server is believed to have been hacked in February of 2010. 
It appears that the $50,000 in fraudulent credit charges originated from a hacker in Romania.","Databreaches.net","","2010","31.760720","-93.086275" "September 20, 2010","Julie's Place","Tallahassee","Florida","HACK","BSR","100","Around a hundred people reported fraudulent charges to their financial accounts after making purchases at the restaurant. A hacker exploited knowledge of vulnerabilities in the Aloha POS software used by the restaurant and obtained customer information. The restaurant changed and upgraded their computer system.","Databreaches.net","","2010","30.438256","-84.280733" "September 13, 2010","City of Shreveport","Shreveport","Louisiana","PHYS","GOV","0","Personal city government documents were easily accessible during a public auction. Buyers looking for city furniture were able to search through city payroll information, law enforcement reports and a variety of other documents which contained people's names, contact information and Social Security numbers. City employees admit the exposure was a mistake and removed the documents within an hour of notification. It is believed that the documents escaped from a stack that was scheduled to be burned.","Databreaches.net","","2010","32.525152","-93.750179" "September 16, 2010","SanDiegoFit.com","San Diego","California","STAT","BSR","0","On August 30, a computer with customer information was stolen from the building. The password-protected computer had customer names, addresses, phone numbers and credit card numbers.","Databreaches.net","","2010","32.715329","-117.157255" "September 16, 2010","Cardinal Health","Dublin","Ohio","PORT","MED","0","After an investigation into the status of decommissioned computers, it was determined that the locations of 11 were unknown. One laptop contained HR data. Current and former employee identification numbers, Social Security numbers and dates of birth may have been exposed. 
The investigation began in June when an employee was caught selling a laptop with sensitive information on eBay. Cardinal gave notice of the breach on September 7.","Databreaches.net","","2010","40.099229","-83.114077" "September 14, 2010","JP Morgan Chase Bank","Greenburgh","New York","CARD","BSF","0","On August 17, a customer notified bank employees that a camera was on an ATM. An arrest was made on August 26 when a man was caught using a skimming device at another Chase bank. On September 14, Razvan Apostal was charged with eight counts of Criminal Possession of a Forged Instrument, and one count of Unlawful Possession of a Skimming Device.","Databreaches.net","","2010","41.031944","-73.833056" "September 7, 2009","School for the Physical City High School","New York","New York","PHYS","EDU","0","Boxes of student records were piled in the street in front of the old home of the School for the Physical City. Some records contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public intermediate high school. The boxes contained hundreds of records and were sitting next to a trash bin filled with old desks and other discarded school supplies. The School for the Physical City moved to a new location over the summer and apparently the records were thrown out with the trash during the relocation. UPDATE (9/12/10): A parent and child are suing the New York City Department of Education.","Dataloss DB","","2009","40.714269","-74.005973" "September 8, 2010","SeaChange International","Anton","Massachusetts","INSD","BSR","0","A temporary administrative assistant admitted to stealing the identity of one employee in July. 
It is unclear how many employees had their information accessed by the temp, but SeaChange sent notification of the incident to employees in 26 states shortly after discovering the breach.","Databreaches.net","","2010","41.677580","-70.443533" "August 30, 2010","Aon Consulting","Chicago","Illinois","DISC","BSF","22,000","The Social Security numbers, genders and dates of birth of retirees in Delaware were accidentally posted online for four days as part of a Request for Proposal for the State of Delaware. Names were not included. UPDATE (9/2/10): A woman affected by Aon's failure to remove personal information from the request has filed a class action lawsuit against Aon Consulting.","Dataloss DB","","2010","41.850033","-87.650052" "September 11, 2010","Corona-Norco Unified School District","Norco","California","DISC","EDU","82","An information privacy watchdog notified administrators that teacher and administrator personal information was available online. Most of the information was immediately removed, but a Google document with Social Security numbers was not removed. It is unknown how long the information was online, but it was discovered on August 31.","Dataloss DB","","2010","33.931126","-117.548661" "October 8, 2010","Mississippi National Guard","Jackson","Mississippi","DISC","GOV","2,672","It was discovered that personnel records had been posted online for several weeks. Administrative information collected from the 155th Brigade Combat Team between 2006 and 2008 was accessible online. Names, Social Security numbers, rank, pay grade, dates of birth and phone numbers were exposed.","Databreaches.net","","2010","32.298757","-90.184810" "October 8, 2010","AmeriCorps","Washington","District Of Columbia","DISC","GOV","0","A website flaw dating back to 2006 may have allowed people to view applicant and participant personal information. 
Individuals who manipulated the website URL and guessed or knew user log-in names could have accessed participant and applicant contact information, names, and partial or full Social Security numbers.","Databreaches.net","","2010","38.895112","-77.036366" "October 12, 2010","Alliance Inc.","Baltimore","Maryland","PORT","MED","0","A laptop containing client information was stolen from an employee's car on May 3. Client names, addresses, Social Security numbers and diagnoses may have been exposed. The incident was reported on May 10.","PHIPrivacy.net","","2010","39.290385","-76.612189" "June 29, 2010","University of Oklahoma","Norman","Oklahoma","HACK","EDU","0","The university's Information Technology department noticed unusual Internet activity on a laptop computer associated with its network. It determined the computer belonged to an employee and was infected with a virus known as Zeus or Z-Bod. The employee's laptop had access to computer files that contain student names and Social Security numbers.","Dataloss DB","","2010","35.222567","-97.439478" "October 11, 2010","Wright-Patterson Air Force Base","Dayton","Ohio","PHYS","GOV","2,123","Paper records were improperly disposed of on July 29.  The incident affected 2,123 patients.","HHS via PHIPrivacy.net","","2010","39.758948","-84.191607" "October 12, 2010","HomeCall Inc.","Rockville","Maryland","PORT","MED","0","A portable point of care device was stolen from an employee. Client names, addresses, Social Security numbers, medical record numbers, diagnoses and treatment information were on the unencrypted device.","PHIPrivacy.net","","2010","39.083997","-77.152758" "October 11, 2010","University of Oklahoma-Tulsa Neurology Clinic, Neurology Services of Oklahoma, LLC ","Oklahoma City","Oklahoma","HACK","MED","19,264","Malware was discovered on a clinic computer on or around July 28. Patients who saw Dr. John Cattaneo at the clinic and at his former employer Neurology, LLC were notified of the breach. 
Patient names, Social Security numbers, phone numbers, addresses, dates of birth, medical record numbers, lab reports and dates of service were in documents that may have been accessed by the virus.","PHIPrivacy.net","","2010","35.467560","-97.516428" "September 23, 2010","Alaskan AIDS Assistance Association (Four A's)","Anchorage","Alaska","PORT","NGO","2,000","A data storage device containing client names and contact information was stolen from Four A's executive director's car.  Some clients had their Social Security numbers on the device.","PHIPrivacy.net","","2010","61.218056","-149.900278" "October 11, 2010","Alliance HealthCare Services, Inc.","Newport Beach","California","PORT","MED","1,474","One or more portable devices were lost or stolen between July 31 and August 5. ","HHS via PHIPrivacy.net","","2010","33.618910","-117.928947" "October 11, 2010","St. James Hospital and Health Centers","Chicago","Illinois","PHYS","MED","967","The improper disposal of paper documents may have left the health information of patients of Saint James Hospital and Health Centers exposed. The incident occurred on or around August 10. 
","HHS via PHIPrivacy.net","","2010","41.878114","-87.629798" "October 11, 2010","Private Medical Practice","Wichita","Kansas","PORT","MED","1,200","Paper records and at least one laptop with patient information were stolen during an August 20 theft.","HHS via PHIPrivacy.net","","2010","37.692236","-97.337545" "October 11, 2010","Private Counseling and Psychotherapy Practice","Bronx","New York","STAT","MED","9,000","The September 6 theft of a desktop computer resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2010","40.850100","-73.866246" "October 11, 2010","Private Medical Practice","Inglewood","California","STAT","MED","928","A desktop computer was stolen on or around August 17.","HHS via PHIPrivacy.net","","2010","33.961680","-118.353131" "September 22, 2010","Private Legal Practice","Hudson","New Hampshire","PORT","BSO","25","Mr. LaRocque's home was burglarized on the evening of July 25, 2010. A laptop with names, Social Security numbers, tax identification numbers and other personal information from his family law clients was stolen.","Databreaches.net","","2010","42.764811","-71.439788" "September 21, 2010","Private Medical Practice","Chesapeake","Virginia","PORT","MED","2,739","A laptop was stolen from a doctor's office on July 12. It is unknown if patient files were accessible on the laptop. The files would have contained names, dates of birth, diagnoses, treatments, and other personal information.","HHS via PHIPrivacy.net","","2010","36.768209","-76.287493" "August 16, 2010","Private Dental Practice","Tacoma","Washington","STAT","MED","0","Around July 16, an office break in resulted in the loss of a computer with patient names, addresses, internal account numbers, telephone numbers, Social Security numbers and dates of birth.","PHIPrivacy.net","","2010","47.252877","-122.444291" "July 27, 2010","Private Legal Practice","San Antonio","Texas","PHYS","BSO","75","An attorney left legal files in a public dumpster. 
The attorney thought it was appropriate to dispose of the files in this way since the accounts were old and closed. The documents contained names, addresses, bank account information, Social Security numbers, driver's license numbers, and dates of birth.","Databreaches.net","","2010","29.424122","-98.493628" "July 15, 2010","Private Dental Practice","Barstow","California","PHYS","MED","0","An anonymous tipster called the Sheriff's Department and reported unattended boxes of personal records outside the dental office. The boxes contained patient records from the early 1990's to the present. These records numbered in the hundreds and had personal information such as Social Security numbers, names, birth dates, credit card numbers, and addresses. The Sheriff's Department destroyed the records and warned patients of dentists Lee, Sang H. Yoon and Patricia Patterson.","Databreaches.net","","2010","34.895796","-117.017283" "June 6, 2010","Private Medical Practice","Chino Hills","California","PHYS","MED","600","Confidential medical files were found in a dumpster near the medical office of the two doctors. The doctors were in the process of moving to a new location.","PHIPrivacy.net","","2010","33.975278","-117.723056" "April 3, 2010","Middletown City Government Building: Public Works, Utilities, Police, and Finance Departments","Middletown","Ohio","PHYS","GOV","0","Personal documents that originated from the city building were left in a dumpster. Most of the documents were from the public works and utilities departments.  An unknown number of Middletown residents had their Social Security numbers, phone numbers, and carbon copies of checks exposed.","Databreaches.net","","2010","39.515058","-84.398276" "March 30, 2010","Boulder Community Hospital, Family Medical Associates","Lafayette","Colorado","PHYS","MED","14","Anonymous letters were sent to at least 14 patients of the Family Medical Associates clinic in Lafayette.  
The letters contained Social Security numbers, medical records, dates of birth and names.  The sender claimed that the clinic was improperly disposing patient personal information.","PHIPrivacy.net","","2010","39.993596","-105.089706" "March 17, 2010","Private Medical Practice","Lake Mary","Florida","PHYS","MED","0","Police were looking for evidence of another crime when they found personal documents in the dumpster outside of a doctor's office. The doctor specializes in treating the ear, nose, and throat and claims there was nothing about patients in the documents. The doctor agreed to shred the documents while the police investigated whether or not patient information was compromised.","NAID","","2010","28.758883","-81.317845" "February 3, 2010","Private Dental Practice in Medical Commons One","Greensburg","Pennsylvania","PORT","MED","0","A laptop containing patient information was stolen.","HHS via Databreaches.net","","2010","40.301458","-79.538929" "February 3, 2010","Private Practice in Medical Arts Building","Greensburg","Pennsylvania","PORT","MED","0","A laptop containing patient information was stolen.","HHS via Databreaches.net","","2010","40.301458","-79.538929" "June 9, 2010","St. John's Mercy Medical Group","St. John","Missouri","DISC","MED","1,907","Patient files were found outside a doctor's office. The doctor admitted to failing to shred the old papers and claimed that he ran out of space for the files. UPDATE (8/25/10): Reports state that 1,907 patients were notified.  The patient files included contact and credit card information, Social Security numbers and dates of birth.","NAID","","2010","38.714500","-90.346097" "October 13, 2010","Patuxent River Naval Air Station","Patuxent River","Maryland","INSD","BSF","17","A clinic employee and a co-conspirator used patient information to access financial accounts. The two people were charged with stealing from the Navy Federal Credit Union. 
The information was stolen between November of 2008 and May of 2009.","PHIPrivacy.net","","2010","38.317839","-76.406237" "October 14, 2010","Citibank","Florence","Kentucky","INSD","BSF","0","Three women have been charged for their roles in defrauding clients of a Citibank in Florence, KY. At least two of the women were employees of Citibanks in other states. One woman stole customer credit card account numbers and changed their addresses, while another used the information to make purchases in another state. The third woman assisted in collecting the purchased goods. The fraud began at the end of 2006 and two of the women were arrested in March of 2007.","Databreaches.net","","2010","38.998950","-84.626611" "October 14, 2010","Plymouth Road Department of Children's Services","Johnson City","Tennessee","PHYS","GOV","0","A person or persons broke into the building during the weekend of October 10. Personal information of clients may have been viewed or recorded, but does not appear to have been stolen. Police believe their suspect entered the building to retrieve a car title document.","Databreaches.net","","2010","36.313440","-82.353473" "October 14, 2010","RBC Bank","Lake County","Florida","INSD","BSF","0","A bank employee used customer credit card information to open fraudulent loans in their names. The deceased and elderly were targeted. The employee has not yet been arrested and appears to have been using the money to pay for the legal defense of her son.","Databreaches.net","","2010","28.702847","-81.778702" "October 12, 2010","ING","Wilmington","Delaware","DISC","BSF","0","An isolated administration error caused an encrypted file with the personnel information of one client's employees to be made available to the HR department of another client. A password-based registration system was already in place to prevent the wrong addressee from opening encrypted email, however, the email was addressed to the wrong client. 
The total number of employees who may have had their names and Social Security numbers exposed is unknown, but 473 residents of Maryland were notified of the incident.  On June 3, the other HR department notified ING that they had been sent the wrong information.","Databreaches.net","","2010","39.745833","-75.546667" "October 12, 2010","Trade Center Management Associates ","Washington","District Of Columbia","PORT","BSO","0","A June theft at the facility exposed employee information. Employee names, Social Security numbers and some employee fingerprints were on the stolen equipment. It is unknown how many people were affected, but 284 Maryland residents were notified.","Databreaches.net","","2010","38.895112","-77.036366" "October 12, 2010","Farmers Insurance","San Diego","California","STAT","BSF","0","The March 16 theft of office computers may have exposed policyholder information. Names, addresses, Social Security numbers, telephone numbers and driver's license numbers were on the computers. Clients were notified on July 26.","Databreaches.net","","2010","32.715329","-117.157255" "October 16, 2010","University of California Davis (UCD) Medical Center","West Sacramento","California","PHYS","MED","900","UCD patient documents were stolen from an UltraEx courier service in West Sacramento in August. The information consisted of copies of checks and remittance records between the University and insurance companies. Six patients had their full Social Security numbers exposed and 40 patients had some part of their Social Security number exposed. The University now prohibits the courier service from storing documents overnight.","PHIPrivacy.net","","2010","38.580461","-121.530234" "October 17, 2010","New Mexico Tech Community College","Socorro","New Mexico","DISC","EDU","3,000","It appears that anyone with a Tech computer account could have accessed more than 3,000 Social Security numbers over the past four or five years. 
Copies of an accounting file were mistakenly stored in two public locations on the TCC server.","Databreaches.net","","2010","34.058400","-106.891416" "October 15, 2010","University of North Florida","Jacksonville","Florida","HACK","EDU","52,853","A hacker from outside of the country may have accessed applicant information sometime between September 24 and September 29.  The information was mostly recruiting information and may have involved names, ACT and SAT scores, dates of birth and Social Security numbers.","Databreaches.net","","2010","30.332184","-81.655651" "October 18, 2010","Jackson Hewitt","Jacksonville","Florida","PHYS","BSF","0","An employee discovered old customer and employee documents in the dumpster behind the office.  The documents included employees' W-2 forms, personal bank statements and some tax information from customers.  The former owner admitted to being responsible and eventually had the documents shredded.","Databreaches.net","","2010","30.332184","-81.655651" "October 19, 2010","Chen Financial, KC Realty, and SBC Financial","Westminster","California","INSD","BSF","0","Kathy Chen and co-conspirators took advantage of real estate clients at Chen's three businesses.  Chen primarily obtained personal data from unsuspecting borrowers who were new immigrants or senior citizens.  The personal and credit information was then used to obtain 47 fraudulent loans amounting to $17,500,000.  Clients in Kern, Orange and San Bernardino counties were affected between 2005 and 2007.  Chen was sentenced to 68 years in prison for identity theft, grand theft, forgery and conspiracy charges. Her two co-conspirators have not been arrested.","Databreaches.net","","2010","33.759183","-118.006727" "October 19, 2010","Carolina West Wireless","Beaumont","Texas","UNKN","BSO","0","Authorities found customer information in the car of two men.  
It is not known if the information was obtained through hacking, from an insider, by collecting documents from the company or by other methods.","Databreaches.net","","2010","30.080174","-94.126556" "October 18, 2010","Milwaukee County","Milwaukee","Wisconsin","INSD","GOV","30","A temporary employee who was hired through the staffing agency Adecco was convicted of identity theft.  Over thirty county employees had their identities stolen.  The temporary employee began working in the human resources department in December of 2009.  ","Databreaches.net","","2010","43.038903","-87.906474" "October 14, 2010","Accomack County Virginia residents","Accomac","Virginia","PORT","GOV","35,000","A stolen laptop contained the names and Social Security numbers of Accomack County, Virginia residents. Full addresses of some residents were also exposed. The laptop was county property and was stolen from an employee's car during a vacation to Las Vegas. The incident happened on October 7; as of October 14, residents had not been notified.","Databreaches.net","","2010","37.719574","-75.665485" "October 20, 2010","University of Arkansas for Medical Sciences","Little Rock","Arkansas","PORT","MED","0","A digital camera used for recording newborn information was stolen from an employee at the hospital. The information included newborn photos, mother names and contact information, dates of birth, insurance status and medical record numbers. The photos are taken as a security measure in case an infant is abducted. Infants born at the hospital between July and October were affected.","PHIPrivacy.net","","2010","34.746481","-92.289595" "October 19, 2010","Cumberland Gastroenterology P.S.C.","Somerset","Kentucky","PHYS","MED","2,207","Paper records were stolen on September 18. 
The records contained protected health information.","HHS via PHIPrivacy.net","","2010","37.092022","-84.604108" "October 21, 2010","LoneStar Audiology Group","Houston","Texas","PORT","MED","585","The August 11 theft of a laptop resulted in the exposure of patient health information.","HHS via PHIPrivacy.net","","2010","29.762884","-95.383062" "October 21, 2010","Norman Pediactric Associates and Norman Urology","Norman","Oklahoma","PHYS","MED","0","Hundreds of intact medical records and Social Security numbers of oncology patients were found at the Norman Recycling Center. Both organizations believe a common paper shredding company is at fault.  The files were returned to the organizations and affected patients will be contacted.","PHIPrivacy.net","","2010","35.222567","-97.439478" "October 21, 2010","California Men's Colony (CMC)","San Luis Obispo","California","PHYS","GOV","8","An attorney mishandled the records of eight inmates who had been found guilty of murder. The names, criminal history, psychological evaluations, Social Security numbers and observations about their family relationships and behavior in prison were found in a public dumpster.","PHIPrivacy.net","","2010","35.282752","-120.659616" "October 19, 2010","WESTMED Medical Group","Purchase","New York","PORT","MED","578","A laptop with patient information was stolen in August.","HHS via PHIPrivacy.net","","2010","41.040833","-73.715000" "March 19, 2010","PNC Financial Services Group Inc.","Dayton","Ohio","CARD","BSF","0","PNC Financial Services Group is investigating a possible security breach involving some debit cards issued by the former National City Corp., which it acquired in December 2008. The problem surfaced when former National City customers began reporting unauthorized charges on their accounts. The breach involves a small number of cards in the Cincinnati area, and it appears to have been committed by someone outside PNC or National City prior to the merger. 
It doesn’t involve any PNC-branded cards or longtime PNC customers. PNC has shut down National City debit cards in the Cincinnati area and asks that customers who have not yet done so activate their PNC debit cards. PNC is working one-on-one with customers to refund accounts, and has been returning funds within 24 hours. UPDATE (10/19/10): Three men were charged with using skimming devices at PNCs in Pittsburgh in April and May.","Media","","2010","39.758948","-84.191607" "July 31, 2009","Jackson Memorial Hospital","Miami","Florida","INSD","MED","3,360","A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims. UPDATE (10/26/10): Ruben E. Rodriquez was sentenced to 11 years in prison for selling patient records to lawyers for injury claims.  Rodriquez stole 3,350 patient records in 2008 and 2009.  He may have also sold information in 2007.  The information included name, contact information and medical diagnoses. ","Media","","2009","25.774266","-80.193659" "October 27, 2010","Mount Sinai School of Medicine","New York","New York","STAT","MED","1,500","A hard drive from the World Trade Center Medical Monitoring and Treatment Program at Mt. Sinai Hospital was lost or taken from a computer in the Mental Health Center.  The information included emails with protected health information, patients' names, and possibly treatment and contact information.","PHIPrivacy.net","","2010","40.714353","-74.005973" "October 2, 2010","Has-Camino Travel Agency","South Pasadena","California","STAT","BSR","0","A former employee and her husband were arrested on suspicion of stealing computers from her former employer. 
The computers contained the personal information of clients and were stolen during an office burglary.","Databreaches.net","","2010","34.116120","-118.150349" "October 28, 2010","Minor Family Clinic","Phoenix","Arizona","UNKN","MED","128","An insurance fraud scheme used medical information from the Clinic. Fraudulent charges to patients' insurance companies totaled $108,000. Two people have been indicted, but their method for accessing patient information has not been reported.","PHIPrivacy.net","","2010","33.448377","-112.074037" "October 28, 2010","Emergency Medical Services Bureau","Baton Rouge","Louisiana","HACK","GOV","56,000","The Louisiana Department of Health and Hospitals notified emergency medical technicians that a hacker may have had access to their names, Social Security numbers and other personal information. The incident occurred on September 17 and a lack of funding for letters and postage caused a delay in notification.","Databreaches.net","","2010","30.450746","-91.154551" "October 28, 2010","Individual Tax Preparer","Laurinburg","North Carolina","PHYS","BSF","0","Eight cabinets full of tax records were stolen from a residence.  The records belonged to a deceased tax preparer named Ester Gaino and go back to at least five years ago.  It seems that the thief or thieves were looking for information that could be used to commit identity theft.","Databreaches.net","","2010","34.774049","-79.462825" "October 28, 2010","University of Connecticut Storrs","Storrs Mansfield","Connecticut","DISC","EDU","23","Student information from a class held in 2000 was discovered online. A faculty member had saved a list of one-time students in the class. 
The list exposed names and Social Security numbers and was removed from the Internet shortly after the discovery on October 4.","Databreaches.net","","2010","41.808431","-72.249523" "October 29, 2010","Southwest Seattle Orthopaedic and Sports Medicine","Burien","Washington","HACK","MED","9,493","A hacking incident may have exposed the personal information of patients on September 4.","HHS via PHIPrivacy.net","","2010","47.470377","-122.346792" "July 23, 2010","University of California San Francisco (UCSF) Medical Center","San Francisco","California","INSD","EDU","0","A former employee used the Social Security numbers of his colleagues to obtain vouchers for Amazon.com purchases. He secretly used the Social Security numbers to create hundreds of accounts and complete 382 online StayWell health surveys in exchange for $100 online vouchers. UPDATE (10/28/10): The former employee pled guilty to wire fraud and improper use of Social Security numbers.  He was sentenced to 12 one year and one day in prison.  ","Databreaches.net","","2010","37.774930","-122.419416" "October 13, 2010","San Diego Regional Center","San Diego","California","PORT","MED","0","A back-up tape created for the purpose of disaster recovery testing and training was lost during shipping to the California Department of Developmental Services by UPS. Consumers' first and last names, Social Security numbers, contact, diagnostic and medical information may have been exposed. Extracting information from the tape requires sophisticated technology, according to the breach notice letter.","Security Breach Letter","","2010","32.715329","-117.157255" "October 29, 2010","Japanese Foundation of Los Angeles","Los Angeles","California","HACK","BSR","0","An unnamed third-party vendor that hosted the organization's jflac.org website experienced a security incident. 
Customers who made purchases related to Japanese Language Proficiency Testing for 2009 and 2010 may have had their names, dates of birth and credit card information accessed. The servers containing customer data were shut down and taken offline after the incident was discovered. The incident occurred on or around September 18, 2010 and the organization aimed to notify all affected customers by October 25.","Databreaches.net","","2010","34.052234","-118.243685" "May 4, 2009","Kapiolani Community College","Honolulu","Hawaii","HACK","EDU","15,487","More than 15,000 students at Kapiolani Community College are at risk of identity theft because of an Internet security breach. School officials found that a computer was infected with malware that can steal sensitive data.  The computer contained the personal information of 15,487 students who applied for financial aid between January 2004 and April 15. The computer did not have sensitive information, but it was hooked up to a network that had access to names, addresses, phone numbers, dates of birth and Social Security numbers.","Dataloss DB","","2009","21.306944","-157.858333" "October 31, 2010","Robins Airforce Base","Warner Robins","Georgia","HACK","GOV","50","Around 50 employees noticed fraudulent charges on their credit or debit cards after using them on base in August of 2010. Officials became aware of the problem and notified employees within two weeks of the incidents.","Databreaches.net","","2010","32.608611","-83.638056" "November 2, 2010","Seton Hall University","South Orange","New Jersey","DISC","EDU","1,500","An Excel spreadsheet with academic information was accidentally emailed to 400 students. Fifteen hundred students had their names, addresses, emails, student ID numbers, majors, credit hours and GPAs exposed. Students who received the attachment were instructed not to view or distribute it. 
Students were also informed to meet with the associate dean for Undergraduate Student Services and Enrollment Management if they had already opened the attachment.","Databreaches.net","","2010","40.748990","-74.261258" "November 1, 2010","Thai Cafe","Indianapolis","Indiana","PHYS","BSR","0","An Indianapolis school noticed that their dumpster was being used by someone else. A box of personal information from the Thai Cafe was found to have been illegally dumped. School officials discovered complete payroll stubs from 2000 inside the box and contacted the restaurant owner. The ex-spouse of the restaurant owner apologized for the illegal dumping and claimed that the disposal was handled by a third party.","Databreaches.net","","2010","39.768377","-86.158042" "November 4, 2010","American Federation of Television and Radio Artists (AFTRA)","Los Angeles","California","HACK","BSO","2,811","Hackers were able to access the Join Online portion of AFTRA's website. Hackers may have obtained the names, Social Security numbers, credit card numbers and contact information of people who joined AFTRA online. People who attempted to join online between September 14 and 29 may have also been affected by the breach. AFTRA has disabled the Join Online website. AFTRA's internal membership database and the ""members only"" section of the website were not affected.","Databreaches.net","","2010","34.052234","-118.243685" "November 4, 2010","Bare Escentuals","San Francisco","California","PORT","BSR","0","Sensitive employee data was on an employee's stolen laptop. The employee information on the laptop included name, Social Security number, postal address and historic salary data.","Databreaches.net","","2010","37.774930","-122.419416" "July 7, 2010","University of Hawai'i","Honolulu","Hawaii","STAT","EDU","53,000","53,000 people may have had their personal information exposed after a breach to the University of Hawai'i computer system was discovered. 
The university released a statement that more than 40,000 Social Security numbers and 200 credit card numbers were part of the exposed information that was housed on a computer server used by the Mānoa campus parking office.","Dataloss DB","","2010","21.306944","-157.858333" "November 6, 2010","General Services Administration","Washington","District Of Columbia","INSD","GOV","12,000","An employee sent an email with the names and Social Security numbers of the entire staff to a private, outside address. Though notification emails were sent at the end of September, many employees learned of the incident in November.","Databreaches.net","","2010","38.895112","-77.036366" "November 6, 2010","Murphy USA","Shelbyville","Indiana","PHYS","BSR","0","A file cabinet with personal information was found in a dumpster near Murphy USA gas station. Most of the files belonged to former employees of the gas station. Dozens of copies of Social Security cards, driver's licenses, contact information and other personnel information were retrieved. A representative from the gas station said that the files should have been shredded and that they are searching for the employee responsible.","Databreaches.net","","2010","39.521437","-85.776924" "November 7, 2010","Richmond Public Schools","Richmond","Virginia","DISC","EDU","110","An employee accidentally sent an email with the names, Social Security numbers and other personal information of 110 employees to 3,300 employees. Administrators began limiting access to the document and the entire email system after the mistake was discovered half an hour later. 
The email contained personnel changes, but was supposed to be emailed without the personal information of those employees who were moving within the organization.","Databreaches.net","","2010","37.542979","-77.469092" "November 8, 2010","Arista OB-GYN Clinic","Woodstock","Georgia","PHYS","MED","0","Private medical records were dumped outside a closed office. 
A news team found several hundred documents that appeared to mostly be patient records with names, addresses, sonograms, copies of checks and detailed medical information. The dumpster was confiscated and searched by police. Files were also found under the dumpster. The doctor could face felony charges.","PHIPrivacy.net","","2010","34.101487","-84.519375" "November 9, 2010","New Hanover County","Wilmington","North Carolina","DISC","GOV","0","A list of 9,845 property owner accounts was published online. Social Security numbers were attached to 163 of the accounts, though some people had multiple accounts. The list of delinquent accounts was mistakenly published before the Social Security numbers were removed. It is unclear how long the information was available online.","Databreaches.net","","2010","34.225726","-77.944710" "November 15, 2010","University of Nebraska","Lincoln","Nebraska","DISC","GOV","0","Thousands of students had their financial aid and loan information posted on the state treasurer's website. The office is refusing to remove the information for the time being because of limited staff resources. The treasurer's office also claims that the University was given ample time to edit the data so that student names and financial information were not included. Students who received loans, scholarships and other aid for the 2008-2009 school year had their information posted on the website. Some people are concerned that con artists could contact the students on the list and pretend to be a lender who holds their student loan information. Information for 2009-2010 school year spending was also submitted with detailed student information and is scheduled to be uploaded sometime in November.","Databreaches.net","","2010","40.806862","-96.681679" "November 14, 2010","Northridge Hospital Medical Center","Northridge","California","PHYS","MED","837","A package sent through a national courier was damaged during transit. 
Because of this damage, patient names, Social Security numbers, addresses, phone numbers, dates of birth, dates of death, physician, financial account number, insurance ID, Medicare and Medicaid charges billed and paid, hospital room and board charges and guarantor Social Security number may have been exposed. People who were patients between September of 2004 and June of 2006 were affected.","Databreaches.net","","2010","34.228330","-118.535830" "November 15, 2010","ECS Learning Systems ","Bulverde","Texas","HACK","BSR","1,300","On October 15, ECS learned that a hacker had accessed their database of online customer order information. Names, addresses, telephone numbers, email addresses, and credit or debit card information may have been accessed. Customers were notified of the breach, but were not offered credit monitoring services or encouraged to cancel their credit and debit cards.","Databreaches.net","","2010","29.743833","-98.453073" "November 15, 2010","Kayser-Roth Corporation","Greensboro","North Carolina","PORT","BSR","0","A laptop with employee information was stolen from the Corporate Payroll Department sometime between the end of the day on October 14 and the beginning of the day on October 15.  Names, addresses, bank account information and Social Security numbers of current and former employees may have been exposed.","Databreaches.net","","2010","36.072635","-79.791975" "November 12, 2010","Visiting Nurse Association of Southeastern Connecticut","Waterford","Connecticut","PORT","MED","12,000","Current and former patients received notification letters stating that their personal information was on a stolen laptop. The laptop was stolen from a nurse's car while it was parked at her home on September 30. 
The laptop was used to store patient addresses, medical information and names.","Databreaches.net","","2010","41.345700","-72.130714" "November 14, 2010","Aetna of Connecticut","Hartford","Connecticut","UNKN","MED","2,345","A number of insured customers were affected by an unauthorized access or accidental disclosure of personal information in September.","HHS via PHIPrivacy.net","","2010","41.763711","-72.685093" "November 14, 2010","Private Dental Practice","Flower Mound","Texas","PORT","MED","4,700","The August 5 theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2010","33.014567","-97.096955" "November 19, 2010","Private Dental Practice","Florissant","Missouri","PORT","MED","1,400","A dentist's laptop was stolen from his car in October. It contained the clinical information for patients who saw him at a St. Charles office. The dentist notified police immediately, but waited about a month to notify patients.","PHIPrivacy.net","","2010","38.789217","-90.322614" "November 16, 2010","Education Department, Department of Veterans Affairs","Bronx","New York","PHYS","GOV","146","A box was left unsecured during an October 25 relocation. Employee names and Social Security numbers may have been accessed by volunteers and employees during that time. The information was from employees who took the Cardiopulmonary Resuscitation (CPR) test.","PHIPrivacy.net","","2010","40.850100","-73.866246" "November 18, 2010","EOD Technology (EODT)","Knoxville","Tennessee","HACK","BSO","0","One or more unauthorized individuals definitely accessed employee names and Social Security numbers in 2008. The breach was not reported until 2010 because EODT did not have evidence that personal information had been accessed during the breach. 
The firm claims that the breach did not lead to any fraudulent activity during those two years.","Databreaches.net","","2010","35.960638","-83.920739" "November 16, 2010","All Star Lanes","Salina","Kansas","PHYS","BSF","0","A laptop and money bag were stolen during a burglary that occurred between November 14 and November 15.  The bag had thousands of dollars in cash, checks and credit card transactions.","Databreaches.net","","2010","38.840281","-97.611424" "November 16, 2010","Chili's","Dallas","Texas","HACK","BSR","0","Chili's email club service provider InterMundo Media experienced a server breach. No financial information or Social Security numbers were collected for club membership, but full names, email addresses and dates of birth could have been accessed.","Databreaches.net","","2010","32.802955","-96.769923" "November 16, 2010","Monadnock Community Bank","Peterborough","New Hampshire","HACK","BSF","13","At least 13 New Hampshire residents and an unknown number of other U.S. customers were affected by a breach of Monadnock's card processor. Customer debit card numbers, expiration dates, CVC and PIN offsets may have been exposed. The Bank believes there is no evidence that the incident is related to a previous incident that occurred in September of 2010.","Databreaches.net","","2010","42.870639","-71.951746" "November 21, 2010","Coliseum Hospital","Macon","Georgia","INSD","MED","0","A former employee was able to enter a secured area and log onto a hospital computer while attending a social event. The former employee's access code had been left active and patient records were viewed during the incident.","PHIPrivacy.net","","2010","32.840695","-83.632402" "November 16, 2010","Messiah College","Grantham","Pennsylvania","PORT","EDU","43,000","An external hard drive was lost or stolen. Current, former and prospective students and their parents may have had their names, Social Security numbers, dates of birth and transcripts exposed. 
The information was from the financial aid department and spans from 1994 to 2010. Social Security numbers were not collected for all individuals involved, but the exact number of individuals who had their Social Security or financial information exposed was not given. UPDATE (11/21/10): The drive was found by the employee responsible for it.  The likelihood that someone was able to access the information on the drive for a malicious purpose is very low or nonexistent. ","Databreaches.net","","2010","40.156480","-76.996366" "November 19, 2010","1st Source Bank","South Bend","Indiana","UNKN","BSF","0","The Bank's third-party payment service provider had a breach incident.  Customer account numbers and expiration dates may have been exposed.  The Bank sent affected customers a new pin and debit card.","Databreaches.net","","2010","41.683381","-86.250007" "November 19, 2010","American Association of Retired Persons, AARP Insurance ","Washington","District Of Columbia","DISC","BSF","0","A client received another client's information in an insurance policy letter. He attempted to trace the mistake and notified the organization that underwrites AARP's life insurance program, New York Life Insurance. It is unknown how this error occurred and client names, phone numbers, policy numbers, check account information and dates of birth could have been exposed.","Databreaches.net","","2010","38.895112","-77.036366" "April 12, 2010","Kern County Employee's Retirment Association","Bakersfield","California","INSD","GOV","37,000","A former employee was convicted of using the Social Security number of a member to create a false identity. 
The county employee opened a line of credit and had committed felonies before being hired at KCERA in a position with access to retirees' personal information.","Databreaches.net","","2010","35.373292","-119.018713" "June 16, 2010","AT&T","Dallas","Texas","DISC","BSR","0","AT&T customers who were using their own usernames and passwords to log into their accounts reported being sent to the accounts of other AT&T customers.  The account information did not include Social Security numbers or credit card information.","Databreaches.net","","2010","32.802955","-96.769923" "October 11, 2010","UnitedHealth Group","Minneapolis","Minnesota","PHYS","MED","1,270","A breach involving UnitedHealth Group and its business associate CareCore National was posted on the Health and Human Services (HHS) website.  Unauthorized persons were able to access paper records on or around July 8.  ","HHS via PHIPrivacy.net","","2010","44.979965","-93.263836" "November 19, 2010","Kern Medical Center","Bakersfield","California","PHYS","MED","596","The California Department of Public Health fined Kern Medical Center in Bakersfield, CA, $250,000 for allegedly keeping patient records in an outside, unlocked locker, allowing for the theft of 596 patient records in 2009. For several months in 2009 a Kern Medical Center employee placed the daily lab reports in the broken locker outside the hospital until they were stolen one night. Six additional health facilities were also fined: Biggs Gridley Memorial Hospital, Gridley, Butte County; Children's Hospital of Orange, Orange, Orange County; Delano Regional Medical Center, Delano, Kern County; Kaweah Manor Convalescent Hospital, Visalia, Tulare County; Oroville Hospital, Oroville, Butte County; Pacific Hospital of Long Beach, Long Beach, Los Angeles County. The total amount of fines for the seven health facilities was $792,000.","Media","","2010","35.373292","-119.018713" "April 8, 2010","St. 
Francis Hospital","Tulsa","Oklahoma","INSD","MED","60","A Sand Springs woman has been indicted on allegations that she used personal identifying information she copied from her then-employer's computer system as part of a scheme involving fraudulent credit cards and stolen mail. The indictment was released Wednesday in federal court in Tulsa and states that the 45 year old woman exceeded her computer-access authority at St. Francis Hospital to obtain information such as Social Security numbers and dates of birth of at least 60 people. UPDATE (11/24/10): A second woman was sentenced for her role in the credit card fraud case. Both women had been employed at Saint Francis.  Patient names, Social Security numbers and addresses obtained between August 6 and December 28 of 2009 were used to illegally obtain credit cards.","Dataloss DB","","2010","36.153982","-95.992775" "November 15, 2010","Henry Ford Health System","Detroit","Michigan","PORT","MED","3,700","An employee's laptop was stolen on September 24. It contained the information of patients who received prostate services between 1997 and 2008. The laptop was stolen from an unlocked urology medical office. No Social Security numbers, full medical records or health insurance identification numbers were on the stolen laptop. Patient names, medical record numbers, dates of birth and treatment information were on the laptop. UPDATE (11/23/10): The breach affected 3,700 patients.","PHIPrivacy.net","","2010","42.331427","-83.045754" "November 24, 2010","Sta-Home Health & Hospice","Jackson","Mississippi","STAT","MED","1,104","A September 15 office burglary resulted in the theft of a desktop computer. The computer once held protected health information of people with state Medicaid claims. Some files included encoded names and diagnostic codes. 
Medicaid account numbers, financial information and Social Security numbers were not exposed.","HHS via PHIPrivacy.net","","2010","32.298757","-90.184810" "December 1, 2010","State Department of Labor and Industries, Washington State Employees Credit Union, Court of Appeals","Tacoma","Washington","PHYS","GOV","0","Confidential paper files from at least three tenants of the state-owned Rhodes Building were found in an unsecured recycling bin. Some documents included names, Social Security numbers, checking account information, health information and dates of birth. A news report claimed the documents numbered in the dozens. Representatives for some of the organizations claimed that the files were supposed to be shredded.","Databreaches.net","","2010","47.252877","-122.444291" "June 26, 2010","Federal Aviation Administration","Washington","District Of Columbia","DISC","GOV","0","An investigation that was launched in response to the 2009 breach of the Federal Aviation Administration's computer system (see Feb. 9, 2009, entry) was released June 26, 2010.  The findings reveal that the names, addresses, Social Security numbers, medical data and other personal information of airmen are still vulnerable and that ""serious security lapses"" exist. NOTE (12/2/2010): This entry has been updated to correct an error. Prior to December 2, 2010, this entry erroneously implied that a new breach had occurred involving 3 million records.  
We apologize for our mistake. Information Source: http://www.oig.dot.gov/sites/dot/files/MSS%20Final%20Report%20%28signed%29%206-18-2010.pdf","PHIPrivacy.net","","2010","38.895112","-77.036366" "December 3, 2010","Prime Home Care, LLC","Omaha ","Nebraska","STAT","MED","1,716","The September 13 theft of a desktop may have left patient information exposed.","HHS via PHIPrivacy.net","","2010","41.254006","-95.999258" "December 3, 2010","Manor Care of Indy (South), LLC","Indianapolis","Indiana","PHYS","MED","845","The protected health information of 845 individuals may have been viewed or obtained by an unauthorized person or persons.","HHS via PHIPrivacy.net","","2010","39.768377","-86.158042" "November 23, 2010","Triple-C, Inc. (TCI), Triple-S Salud, Inc. (TSS)","San Juan","Puerto Rico","HACK","MED","406,000","An internet database managed by TCI containing information of some people insured by Triple-S Salud, Inc. was accessed by employees of a competitor. People insured by TSS under the Puerto Rican government's health insurance plan and independent practice associations (IPA) that provided services to those people may have had their information accessed. The breach was the result of the unauthorized use of one or more active user IDs and passwords for the TCI IPA database. TCI believes that financial information related to IPAs was the target of the attack and not the information of individuals. Multiple intrusions happened in September. A TCI competitor notified the organization on September 21.","PHIPrivacy.net","","2010","18.466334","-66.105722" "February 18, 2009","CVS Pharmacies","Woonsocket","Rhode Island","PHYS","MED","0","The CVS Pharmacy chain, the largest in the country with 6,300 outlets, has agreed to a $2.25 million settlement with the U.S. Dept. of Health and Human Services. 
Indianapolis TV station WTHR engaged in an extensive investigation beginning in 2006 of local CVS Pharmacies and their pharmacies in other cities nationwide including Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, Phoenix, and CVS headquarters in Woonsocket, RI. They found that CVS pharmacies were disposing of documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. The HHS's Office of Civil Rights charged that CVS failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process, failed to adequately train employees on how to dispose of such information properly, and did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures. In a coordinated action, CVS Caremark Corporation, the parent company of the chain, also signed a consent order with the Federal Trade Commission to settle potential violations of the FTC Act. UPDATE (7/16/09): A state board has given final approval to settlements with Indiana's two largest drugstore chains for leaving patient information in the trash. CVS has paid a $2.25 million fine to settle a probe by the U.S. Office of Civil Rights. Also CVS will donate $1,000 to charity as part of the state settlement.","Dataloss DB","","2009","42.002876","-71.514784" "December 4, 2010","Phoenix","Baltimore","Maryland","INSD","BSF","0","Sometime between late 2005 and April of 2009 the owner of the business and a co-conspirator prepared more than 600 fraudulent individual federal income tax returns on behalf of clients. A book with the names, Social Security numbers and dates of birth of various children was found at the owner's home during a police search. The children's information was used to claim false deductions for fictional dependents of her clients. 
The owner pleaded guilty to conspiracy to file false tax returns and aggravated identity theft.","Databreaches.net","","2010","39.290385","-76.612189" "September 19, 2010","Albrecht Discount (ALDI)","Chicago","Illinois","CARD","BSR","25,000","Several ATMs inside or near grocery stores in the Chicago area were outfitted with skimming devices.  ALDI checked machines nationwide and removed a number of debit card terminals after discovering the problem. UPDATE (10/1/10): A notice on the ALDI Inc. website reveals that customers in Hartford, Atlanta, Chicago, Indianapolis, Maryland, New Jersey, New York state, North Carolina, Pennsylvania, Charlotte (South Carolina), and Washington D.C. were affected by the breach.  The terminals were in stores between June 1 and August 31 of 2010. UPDATE (12/2/10): Eight thousand Maryland residents and 17,000 New York residents were affected.","Databreaches.net","","2010","41.850033","-87.650052" "December 2, 2010","University of Arizona","Tucson","Arizona","PORT","EDU","8,300","An external hard drive was discovered to be missing from a secure records room. It was lost sometime in October or earlier. The hard drive contained former student withdrawal and disciplinary action records. Some Social Security numbers may have also been exposed. The relocation of the records room is one possible cause of the loss.","Databreaches.net","","2010","32.221743","-110.926479" "October 27, 2010","Houston Independent School District (HISD)","Houston","Texas","HACK","EDU","30,000","The HISD may have experienced a hacking incident over the weekend of October 24.  Employees and students were unable to access the Internet, online classes and email until late Tuesday afternoon.  Payroll information of workers and academic information of students may have been compromised along with other personal information. UPDATE (12/2/10): HISD announced an overhaul of the computer system following the breach. 
Private employee, vendor and student data dating back 10 years could have been accessed by the hacker. Investigators have determined that the private data of one HISD student was viewed by the hacker.  The investigation is ongoing.","Databreaches.net","","2010","29.762884","-95.383062" "November 27, 2010","University of Tennessee Medical Center","Knoxville","Tennessee","PHYS","MED","8,000","An administrative report that should have been shredded was accidentally thrown in the trash. Reports are usually left in a storage location for 45 days and then discarded properly. The Hospital became aware of the breach on October 4. Anyone looking through the report would find names, Social Security numbers and other patient information.","PHIPrivacy.net","","2010","35.960638","-83.920739" "November 30, 2010","Farber Enterprises","Harlingen","Texas","PHYS","BSF","0","Hundreds of documents were abandoned near a bridge in the Harlingen area.  The documents contained receipts, invoices, canceled checks, Social Security numbers, addresses and phone and driver's license numbers. A man whose information was found said that he had applied for employment with Farber two or three years ago.","Databreaches.net","","2010","26.190631","-97.696103" "December 6, 2010","Dartmouth College","Hanover","New Hampshire","PORT","EDU","147","A stolen storage device contained the credit information of 147 parents and freshmen. The device was stolen from a secure room on November 8. Phone numbers, credit card numbers and credit card expiration dates for participants in the Dartmouth Outdoor Club First Year Program were on the device.","Databreaches.net","","2010","43.702293","-72.289535" "December 10, 2010","Memorial Hospital of Gardena","Gardena","California","PHYS","MED","771","The Hospital reported that the unauthorized access or disclosure of paper records affected patients. 
The incident occurred on or around October 14.","HHS via PHIPrivacy.net","","2010","33.888349","-118.308962" "December 10, 2010","Albert Einstein Healthcare Network","Philadelphia","Pennsylvania","STAT","MED","613","The October 21 theft of a desktop computer may have exposed the protected health information of patients.","HHS via PHIPrivacy.net","","2010","39.952335","-75.163789" "December 10, 2010","Kings County Hospital Center","Brooklyn","New York","STAT","MED","542","The August 22 theft of a desktop computer may have exposed the protected health information of patients.","HHS via PHIPrivacy.net","","2010","40.650000","-73.950000" "December 10, 2010","Newark Beth Israel Medical Center, Professional Transcription Company (PTC), Inc.","Newark","New Jersey","DISC","MED","1,744","Clinical reports with patient names, medical record numbers, hospital account numbers, physician names, dates of birth, diagnosis and other clinical information were accidentally placed on a website by PTC. It is possible that the reports were accessible from January 1 through September. PTC assists the Medical Center in transcribing dictated physician reports.","HHS via PHIPrivacy.net","","2010","40.735657","-74.172367" "December 10, 2010","Ochsner Health System , H.E.L.P. Financial Corporation","New Orleans","Louisiana","PHYS","MED","9,475","On October 4, Ochsner was contacted by several patients claiming they had received the patient information of someone else. Letters had been sent by HELP on September 27 that included incorrect names, medical record numbers, account numbers and account balances. HELP assists Ochsner patients with payment arrangements for outstanding hospital and clinical account balances. A programming error at HELP caused the mistake. 
No patient will be able to access another patient's medical or financial records using the incorrect information from the letters they received.","HHS via PHIPrivacy.net","","2010","29.964722","-90.070556" "December 5, 2010","American Check Cashers of Oklahoma, LLC","Tulsa","Oklahoma","PHYS","BSF","0","Hundreds of blank checks, bank and telephone statements, Social Security card copies and ID copies were found in a dumpster by someone from a neighboring store. The documents date from 2004 to 2009. The owner of the business said that the mistake occurred when some sensitive documents were sorted in with non-sensitive documents and dumped rather than shredded. It is unclear whether the sorting error was made by the shredding company or the business. Ninety-six of the documents were kept by the neighboring store's owner. He agreed to return the documents to their owners and destroy the ones he cannot return.","Databreaches.net","","2010","36.153982","-95.992775" "December 10, 2010","University of Wisconsin - Madison","Madison","Wisconsin","HACK","EDU","60,000","Some records of people affiliated with UW Madison were hacked into. The University discovered the breach on October 26 and sent notification to many former students, faculty and staff on November 30. One of the files had the photo ID of former students with their Social Security numbers embedded in the ID numbers and cardholder names. Only students enrolled prior to 2008 would have had their Social Security numbers exposed. It is unclear how far back the records date.","Databreaches.net","","2010","43.073052","-89.401230" "December 9, 2010","Methodist Theological School in Ohio","Delaware","Ohio","PORT","EDU","0","The October 13 theft of a laptop resulted in the exposure of personal information of some people with a connection to MTSO.  Names, Social Security numbers, dates of birth, financial payments received and letter grades for completed courses may have been stored on the laptop.  
The laptop was stolen from a locked off-campus site.","Databreaches.net","","2010","40.298672","-83.067965" "December 8, 2010","Illinois Secretary of State Drivers License Division","Libertyville","Illinois","INSD","GOV","0","An executive turned himself in to authorities after being accused of selling Libertyville customer database information to identity thieves in exchange for sports tickets and gift cards.  The executive faces three counts of conspiracy to commit identity theft.","Databreaches.net","","2010","42.283079","-87.953130" "December 10, 2010","Southwestern Indiana Regional Council on Aging (SWIRCA)","Evansville","Indiana","PORT","NGO","757","Client information was on a case manager's laptop that was stolen from the SWIRCA office. Files on the laptop contained patient names, Social Security numbers, dates of birth, addresses, phone numbers, demographic information, medical condition information and case information. The laptop was stolen sometime between November 4 and 8.","Databreaches.net","","2010","37.974764","-87.555848" "December 13, 2010","Mountain Vista Medical Center","Mesa","Arizona","PORT","MED","2,284","On October 13, multiple memory data cards were discovered to be missing from two endoscopy machines. The information of patients who had procedures performed between January of 2008 and October 12 of 2010 was on the data cards. The information included full name, hospital record number, date of birth, gender, age, date and type of procedure and image(s) related to the procedure.","PHIPrivacy.net","","2010","33.422269","-111.822640" "December 13, 2010","Liberty Tax Service","Portsmouth","Virginia","PHYS","BSF","0","Personal tax documents were left exposed in a dumpster. The tax documents had Social Security numbers, addresses and financial information. The company did not reveal how the documents may have found their way into the dumpster, but said that it was against company policy to leave them exposed and intact. 
At least one person had their tax information from 2008 exposed.  The number of documents was described as ""mounds"".","Databreaches.net","","2010","36.835426","-76.298274" "December 10, 2010","Walgreens","Deerfield","Illinois","HACK","BSR","0","A hacker managed to obtain Walgreens' email marketing list.  People on the list were sent realistic-looking phishing emails that directed them to a web page under hacker control.  The only information that was stolen during the hack was the email list.  People who fell victim to the phishing scam may have entered other personal information into the phony web page.","Databreaches.net","","2010","42.171137","-87.844512" "December 14, 2010","Home Depot","Tallahassee","Florida","INSD","BSR","0","A loss prevention officer reported that an employee was using a skimming device to steal the credit card information of customers. The officer reported the employee on December 8 and the employee was caught in the act of using a skimmer on December 10. The number of customers affected by these incidents and the length of time the employee worked at the store have not been reported.","Databreaches.net","","2010","30.438256","-84.280733" "December 12, 2010","Gawker","New York","New York","HACK","BSO","1,300,000","Hackers gained access to the Site's database.  Staff and user emails and passwords, the site code and staff messages were made accessible to anyone.  The group claiming responsibility calls themselves Gnosis.  Gawker encouraged users to change their passwords after their information was exposed.  This may also mean changing passwords for other sites where users have similar screen names and passwords.  
Gnosis claims they had access to the site for a long time and exposed Gawker's information ""because of their outright arrogance.""","Databreaches.net","","2010","40.714353","-74.005973" "December 11, 2010","Kaplan University","Chicago","Illinois","INSD","EDU","0","The former dean of law and legal studies was convicted of making threats to students, staff and executives via email.  The former University employee hacked into a colleague's email account and sent threats about identity theft and more to people during 2007.  The former employee claims he was framed after threatening to expose the University's misconduct.  ","Databreaches.net","","2010","41.878114","-87.629798" "December 15, 2010","California Department of Public Health","West Covina","California","PORT","MED","2,550","A magnetic tape was lost during shipping between West Covina and Sacramento on or around September 27. The health care facility staff and residents who were determined to have been affected were notified on November 23.  Employee emails, employee background reports, investigative reports, names and diagnosis information on health care facility residents and Social Security numbers for CDPH workers were on the tape.  ","PHIPrivacy.net","","2010","34.068621","-117.938953" "December 14, 2010","Department of Education Federal Student Aid (FSA) Division","Dolton","Illinois","INSD","GOV","0","A former FSA employee repeatedly accessed the National Student Loan Database System (NSLDS) during her employment. The employee searched and viewed confidential student loan records of several hundred people without reason between April of 2006 and May of 2009. 
The former employee pleaded guilty and is scheduled to be sentenced on February 22 of 2011.","Media","","2010","41.638924","-87.607268" "June 7, 2010","New York City Department of Education","New York","New York","HACK","EDU","0","The New York City’s Special Commissioner Office revealed a hacker stole more than $640,000 from the Department of Education’s petty cash account at JP Morgan Chase and distributed the codes to others to use to pay for student loans, gas bills and other purchases. The hacker allowed individuals to pay personal bills through EFTs and, in turn, he was given cash. The scam was discovered when an unidentified woman informed Chase someone was trying to pay bills using the account.","Dataloss DB","","2010","40.714353","-74.005973" "August 10, 2010","Metropolitan Life Insurance Company (MetLife)","New York","New York","INSD","BSF","0","MetLife wrote ""On January 5, 2010, we learned that one of our employees was sharing individual disability insurance applications with an unauthorized individual. We believe that the shared documents contained sensitive information including name, address, Social Security number, driver's license number, checking account information, and date of birth.""","Databreaches.net","","2010","40.714353","-74.005973" "December 19, 2010","Stony Brook University ","Stony Brook","New York","DISC","EDU","61,001","Student and faculty network and student IDs were posted online on sbuchat.com. A file with all registered student and faculty ID numbers could be downloaded in a PDF or Excel format. A systems engineer undergraduate discovered a flaw in the SOLAR system that allowed him to change students' NetID passwords without knowledge of the original password. 
The student then accessed the complete list of student and faculty IDs and posted the information.","Databreaches.net","","2010","40.925654","-73.140943" "December 17, 2010","Integrated Biometrics Technology (IBT)","Waco","Texas","INSD","BSO","0","A former employee who had worked as a live scan operator took thousands of background check applications she had processed and used them to obtain fraudulent credit cards and financial accounts.  The applications were from Fingerprint Applicant Services of Texas (FAST) and used for Texas licensing and certification. The former employee is alleged to have conspired with at least three other people.","Databreaches.net","","2010","31.549333","-97.146670" "December 16, 2010","Azteca","Okeechobee","Florida","INSD","BSR","0","A convenience store clerk was indicted on federal conspiracy, wire fraud, credit card fraud and aggravated identity theft charges. He is accused of using a skimmer device to obtain credit card information during normal customer credit card transactions. The stolen information was used to recode gift cards and other credit cards with magnetic strips to create counterfeits. The employee was outed after selling a card to someone who then informed the FBI.","Databreaches.net","","2010","27.243935","-80.829783" "December 16, 2010","Concur Technologies Inc.","Redmond","Washington","STAT","BSO","1,017","Computer equipment and software with employee information were stolen during a November 27 or 28 office burglary.  The information included names, Social Security numbers, addresses and dates of birth.","Databreaches.net","","2010","47.673988","-122.121512" "October 1, 2010","Central Florida Regional Transportation Authority, LYNX ","Orlando","Florida","INSD","BSO","24","A former bus driver pleaded guilty to stealing the identities of some of her disabled passengers.  The driver pleaded guilty to 27 counts of wire fraud, aggravated identity theft and trafficking in a counterfeit device.  
The information was stolen between October and November of 2009 and used to open fraudulent credit accounts.UPDATE (12/16/10): The former bus driver was sentenced to three and a half years in prison and ordered to pay $3,667 in restitution.","Databreaches.net","","2010","28.538336","-81.379237" "December 3, 2010","Mesa County, Western Colorado Drug Task Force","Grand Junction","Colorado","DISC","GOV","200,000","A former employee accidentally posted sensitive information in a place that was publicly accessible on the Internet. The home addresses of sheriff's deputies, names of confidential drug informants, confidential emails between officers and other sensitive information were accessible from April until the discovery in November. The FBI is investigating which computer users may have accessed the information. The breach was discovered on November 24 when an individual searched the Internet and found one of the files mentioning his or her name.","Databreaches.net","","2010","39.063871","-108.550649" "December 17, 2010","deviantART, Silverpop Systems Inc.","Hollywood","California","HACK","BSO","13,000,000","Mirroring the Gawker and McDonald's breaches earlier this month, hackers exposed the email addresses, user names and birth dates of the entire deviantART user database.  Hackers were able to breach deviantART's marketing company Silverpop Systems Inc. Passwords and sensitive information were not exposed, but the breach is expected to increase spam for registered users.","Databreaches.net","","2010","34.098330","-118.325830" "December 16, 2010","Twin America LLC, CitySights NY","New York","New York","HACK","BSO","110,000","On or around October 25 a web programmer discovered that malicious script had been placed on the server. The script appears to have been uploaded on September 26 and had allowed access to the customer database multiple times between that date and October 19. 
Customer names, credit card numbers, credit card expiration dates, CVV2 data, addresses and email addresses may have been exposed.","Databreaches.net","","2010","40.714353","-74.005973" "December 16, 2010","Wackenhut","Palm Beach Garden","Florida","PORT","BSO","0","Hard drives were stolen during shipment between Iraq and the US. The company became aware of the loss on November 29. The hard drives contained former employee full names, Social Security numbers, passport numbers, addresses and dates of birth.","Databreaches.net","","2010","26.823395","-80.138655" "June 12, 2010","JP Morgan Chase","Hackettstown","New Jersey","INSD","BSF","12","A Chase bank teller sold twelve customer account profiles to outside parties between 2008 and 2009. These customer accounts were then fraudulently charged over $60,000. The former employee and the outside parties were all caught.","Databreaches.net","","2010","40.853988","-74.829056" "December 23, 2010","Mankato Clinic","Mankato","Minnesota","PORT","MED","3,159","A laptop was stolen from the car of a registered nurse sometime between November 1 and 2. It contained a spreadsheet with patient names, dates of birth, medical record numbers, health provider names and diagnosis information. Patients were notified in late December; it took nearly two months to notify them because the Clinic was determining what was on the laptop.","PHIPrivacy.net","","2010","44.163578","-93.999400" "December 22, 2010","Hospital Auxilio Mutuo","Hato Ray","Puerto Rico","HACK","MED","1,000","The Hospital experienced a breach of one or more computers on or around November 19. 
The exact nature of the breach was not reported and could have been theft, unauthorized access, hacking, or an IT incident.","HHS via PHIPrivacy.net","","2010","18.429446","-66.060239" "December 22, 2010","Zarzamora Family Dental Care","San Antonio","Texas","STAT","MED","800","The October 15 theft of a desktop computer affected 800 patients.","HHS via PHIPrivacy.net","","2010","29.424122","-98.493628" "December 21, 2010","Department of Veteran's Affairs","Dallas","Texas","PHYS","GOV","140","The names, Social Security numbers and treatment locations of about 140 veterans were mixed in with other paperwork. The paperwork was sent to an EEOC office and viewed by multiple persons there. It appears that the names should not have been visible.","PHIPrivacy.net","","2010","32.802955","-96.769923" "December 21, 2010","St. Paul Veterans Service Center","Saint Paul","Minnesota","DISC","MED","58","Fifty-eight VA guardianship files were accidentally shared by a federal fiduciary office. Fifty-seven veterans were affected when the fiduciary office accidentally sent the files to another fiduciary office that was not authorized to receive the information. The information included names and Social Security numbers.","PHIPrivacy.net","","2010","44.954167","-93.113889" "December 21, 2010","Florida Department of Veterans Affairs","Tampa","Florida","PORT","GOV","55","A digital camera with veteran information was discovered missing on November 21. It contained the names, Social Security numbers, dates of birth and images of patients. Images of veterans who had been photographed in the last three weeks were on the camera.","PHIPrivacy.net","","2010","27.949436","-82.465144" "December 21, 2010","Veterans Affairs Chicago HCS","Chicago","Illinois","DISC","GOV","878","The Orthopedics Department was using Yahoo.com to keep track of patient scheduling. 
The information had been stored on Yahoo.com since July of 2007 and multiple current and former residents of the center had access to the password and account. Patients had their name, date and type of surgery and final four digits of Social Security number exposed. The information was deleted from the web page on November 29.","PHIPrivacy.net","","2010","41.878114","-87.629798" "December 21, 2010","Newland Medical Associates","Southfield","Michigan","INSD","MED","0","A former employee is accused of stealing patient information and using it to commit identity theft.  The former employee is charged with 15 counts of identity theft and criminal enterprise.  Investigators believe the employee stole the information of cancer patients and used it to obtain credit cards.","PHIPrivacy.net","","2010","42.473369","-83.221873" "December 22, 2010","Cook County Health and Hospital Systems","chicago","Illinois","STAT","MED","556","A desktop computer was found to be missing on or around November 1. It contained the medical record identification numbers, names, dates of birth, clinic names, physician names, and lab results of some patients.","PHIPrivacy.net","","2010","41.878114","-87.629798" "December 20, 2010","Dean Clinic and St. Mary's Hospital","Madison","Wisconsin","PORT","MED","3,288","A laptop was stolen during a home invasion on or around November 8.  Patient names, dates of birth, medical record numbers, dates and types of procedures, diagnoses, and some pathology data were on the laptop.  ","PHIPrivacy.net","","2010","43.073052","-89.401230" "December 25, 2010","Dallas Police Department","Dallas","Texas","PORT","GOV","0","Laptops were stolen from ten decommissioned Dallas police cars.  The decommissioned squad cars were burglarized sometime during the last six months.  The laptops were used to check license plates, receive calls, and check people's records.  
Officials believe there is little chance of sensitive information on the laptops or Dallas police network being accessed by unauthorized persons.","Databreaches.net","","2010","32.802955","-96.769923" "December 23, 2010","Stens Corporation","Jasper","Indiana","INSD","BSF","0","Former employees continued to use passwords to access Stens' computer system after they left the company. Both employees left to work for a competitor and are thought to have used information on the computer system for commercial advantage and personal benefit. Stens employees became suspicious and changed the passwords, but the former employees guessed the new passwords. One of the men pleaded guilty to computer intrusion.","Databreaches.net","","2010","38.391442","-86.931109" "December 23, 2010","Louisiana Horsemen's Benevolent and Protective Association (HBPA)","New Orleans","Louisiana","INSD","NGO","0","A former employee admitted that she conspired with others to send fraudulent votes. The woman falsified election ballots for members unlikely to vote, enclosed them in envelopes and marked the envelopes with the members' Social Security numbers. The purpose was to rig the outcome of the 2008 March HBPA election.","Databreaches.net","","2010","29.964722","-90.070556" "December 22, 2010","Digital River Inc., SWReg Inc.","Houston","Texas","HACK","BSR","0","A hacker accessed the SWReg computer system.  The SWReg system is used by Digital Rivers to pay contractors.  The system was altered to transfer money to the hacker's bank account instead of the accounts of contractors.  The hacker faces 20 years on wire fraud charges and 10 years on computer hacking charges.","Databreaches.net","","2010","29.762884","-95.383062" "December 20, 2010","Dino's Pizza, M&T Pizza Inc.","Fayetteville","North Carolina","INSD","BSR","183","The former owner of the restaurant was sentenced to five years and five months in prison for identity theft and skimming charges. 
The former owner was found to have used more than 183 credit numbers from patrons and generally added a fraudulent charge of $15 to $30 to each credit or debit card.","Databreaches.net","","2010","35.052664","-78.878359" "December 28, 2010","Apothecary of Colorado","Denver","Colorado","PHYS","MED","0","A man handling recyclables near his home found a conspicuous binder in a dumpster.  It turned out that medical marijuana records had been placed there.  The names, Social Security numbers, dates of birth, addresses and phone numbers of patients were in the binder.  The current owners believe the records are from the previous owner or owners.  ""Dozens"" of people were affected.","PHIPrivacy.net","","2010","39.739154","-104.984703" "December 28, 2010","Geisinger Health System","Wilkes-Barre","Pennsylvania","DISC","MED","2,928","A former physician emailed patient medical information to his home email account in an unencrypted manner. The information included patient names, medical record numbers, procedures and indications. The physician deleted the information from his computer, home network and servers.  The incident occurred on or around November 3.","PHIPrivacy.net","","2010","41.245915","-75.881308" "December 27, 2010","Riverside Mercy Hospital, Mercy Health Partners","Toledo","Ohio","PHYS","MED","1,000","Patient and employee records were left in the Hospital after the facility was sold to Toledo Public Schools in 2003. The Hospital closed in 2002 and was sold in 2003. Records were left unsecured in the facility from 2003 until the discovery in November of 2010.","PHIPrivacy.net","","2010","41.663938","-83.555212" "November 20, 2010","Desert Rose Resort","Las Vegas","Nevada","HACK","BSR","0","Some guests and employees were affected by a breach or breaches that occurred between June 2010 and October 2010. Credit and debit card information was stolen and misused.  
The method that criminals used to access the information was not disclosed.UPDATE (11/30/10): Other hotels owned by Desert's parent company Shell Vacation Resorts may have been affected.UPDATE (12/22/10): A notice on Shell's website states that the breach occurred because of a malicious software infection.  It was determined that the management system software program of Shell Vacation properties was infected with the malware.","Security Breach Letter","","2010","36.114646","-115.172816" "May 1, 2009","Littleton Regional Hospital","Littleton","New Hampshire","INSD","MED","0","A patient complaint in March of 2009 resulted in the firing of an employee. An audit revealed that the employee inappropriately accessed patient records for unknown reasons at least three times between 2008 and May of 2009. The records contained names, contact information, dates of birth, insurance information and other health information. UPDATE (8/10/10): Another employee was fired for a similar unauthorized access incident during May of 2010.","PHIPrivacy.net","","2009","44.306173","-71.770089" "November 24, 2009","Farmers Insurance","Nashville","Tennessee","HACK","BSF","0","A former insurance agent noticed that it was possible to extract client information from the website. The information included insurance policies, Social Security numbers, names and addresses. 
The former agent's home was searched by police when it was discovered that client information had been hacked.","Databreaches.net","","2009","36.165890","-86.784443" "January 2, 2009","Pepsi Bottling Group","Somers","New York","PORT","BSR","0","A portable data storage device, which contained personal information, including the names and Social Security numbers of employees in the US is missing or stolen.","Dataloss DB","","2009","41.328150","-73.685686" "December 15, 2010","Social Security Administration Office of Temporary Disability Assistance","New York","New York","INSD","GOV","15,000","A subcontractor illegally downloaded around 15,000 Social Security numbers while performing upgrades. People who had made Social Security disability claims may have been affected.UPDATE (1/4/2011): Dates of birth, addresses and phone numbers may have also been accessed.","Databreaches.net","","2010","40.714353","-74.005973" "December 31, 2010","Sovereign Bank","Wyomissing","Pennsylvania","HACK","BSF","0","The Bank became aware of suspicious online activity on October 15. On December 15, it was determined that a key logger had been installed on a company laptop. Customer names, Social Security numbers and addresses may have been accessed by unauthorized parties. At least 2 New Hampshire residents were affected, but the total number of affected individuals nationwide was not revealed.","Databreaches.net","","2010","40.329537","-75.965212" "December 31, 2010","Samuels, Green, and Steel, LLP","Irvine","California","UNKN","BSO","0","An unauthorized party obtained the law firm's login information and accessed consumer credit reports.","Databreaches.net","","2010","33.683947","-117.794694" "December 31, 2010","CHS, Inc.","St. Paul","Minnesota","DISC","BSR","0","PATR-1099 forms were mailed with names and Social Security numbers visible from the outside of the envelope. The company became aware of the problem after a recipient notified them of the mistake. 
The error did not affect all recipients.","Databreaches.net","","2010","44.954167","-93.113889" "December 31, 2010","Armstrong Atlantic State University","Savannah","Georgia","PORT","EDU","0","A portable hard drive was stolen from the nursing department in early October.  It contained the Social Security numbers of several hundred alumni.  ","Databreaches.net","","2010","32.083541","-81.099834" "November 17, 2010","Oklahoma Veterans Affairs Medical Center","Oklahoma City","Oklahoma","PHYS","GOV","1,950","An employee noticed that some pages were missing from a laboratory log book on October 15.  The pages may have contained the names, last four digits of Social Security numbers, appointment information and tests of 1,950 VAMC visitors.  Veterans who visited between January 1 and October 8 may have been affected.  The military believes the most likely cause of the loss is that the pages were shredded.UPDATE (12/2/10): A VA investigation determined that the information was most likely accidentally shredded.","PHIPrivacy.net","","2010","35.467560","-97.516428" "January 1, 2011","Kinetic Concepts Inc, (KCI)","San Antonio","Texas","INSD","BSR","0","A call center employee with authorization to access a customer payment card database used some of the information to make fraudulent purchases. The database contained names, addresses, insurance information and dates of birth. The Social Security numbers and payment card information of some customers were also in the database.","PHIPrivacy.net","","2011","29.424122","-98.493628" "January 3, 2011","Half Hitch Tackle","Panama City","Florida","HACK","BSR","0","A breach of the systems security resulted in the exposure of customer credit and debit cards.  It is possible that the breach originated overseas.  
","Databreaches.net","","2011","30.158813","-85.660206" "January 4, 2011","White Rock Networks","Plano","Texas","PHYS","BSO","0","Nearly 50 boxes of medical records, Social Security numbers, addresses, phone numbers and other personal information were found in a paper recycling dumpster behind a library.  White Rock personnel records from 2000 to 2005 were in the boxes. The company went bankrupt in 2006 and was purchased.  A local news crew contacted at least one of the affected people so that she could retrieve her information.","PHIPrivacy.net","","2011","33.019843","-96.698886" "May 15, 2010","Los Angeles Firemen's Credit Union","Los Angeles","California","DISC","BSF","0","An ""extremely small percentage"" of member files were not properly moved when the CU relocated from an old location. The data that could have been compromised included members names, addresses, phone numbers, account numbers, Social Security numbers and other identifiers. The CU sought to reassure members that it did not believe any of their information had been compromised and that the CU had “state of the art protocols” available to validate member identifies. The CU also arranged for CU members who chose to do so to be able to enroll in a credit monitoring service for the next two years at no cost to them.","Dataloss DB","","2010","34.052234","-118.243685" "January 6, 2011","Adventist Behavioral Health ","Rockville","Maryland","PHYS","MED","0","An employee error caused sensitive patient documents to be sent to a recycling facility. Some of the documents, which should have been shredded instead of recycled, were found on December 29 after being blown out of a recycling truck.  The documents included patient names and dates of birth.  The papers that fell off the truck were shredded by Adventist and any documents that remained at the facility were destroyed there.  
The employee responsible for the mistake was not fired.","PHIPrivacy.net","","2011","39.083997","-77.152758" "January 6, 2011","Heraeus Incorporated","New York","New York","PORT","BSO","514","A steel cabinet was discovered missing on November 18.  The cabinet had a safe which contained IT data and software backup tapes.  Personal information on the backup tapes included names, Social Security numbers, addresses, financial account numbers, driver's license numbers, medical information and other personal information.  The cabinet was most likely thrown out during a cleaning.  If so, the cabinet and its contents would have been taken to a transfer station, crushed, and then transported to a landfill for further destruction and disposal.","PHIPrivacy.net","","2011","40.714353","-74.005973" "January 6, 2011","Marsh U.S. Consumer, Seabury and Smith, ITT Corporation","Tulsa","Oklahoma","DISC","BSO","0","Some ITT Corporation employees may have been able to view unencrypted personal information of other ITT employees when accessing an ITT website serviced by Marsh U.S. Consumer. The incident resulted from a programming issue and occurred from November 1 through November 8. Employees and their spouses may have had their Social Security numbers and medical history information exposed. Marsh U.S. Consumer is a service of Seabury and Smith. At least nine New Hampshire residents were affected by the breach, but the total number of individuals affected nationwide was not revealed.","PHIPrivacy.net","","2011","36.153982","-95.992775" "January 6, 2011","Private Dental Practice","Germantown","Maryland","HACK","MED","1,000","The office discovered a hacking incident after the computer system shut down on October 14. A hacker accessed the computer system and server. 
Patient names, Social Security numbers, addresses, dates of birth, dental care and X-ray records, dental insurance member numbers and health insurance member numbers may have been exposed.","HHS via PHIPrivacy.net","","2011","39.173162","-77.271650" "January 6, 2011","PinnacleHealth System, Gair Medical Transportation Services","Harrisburg","Pennsylvania","DISC","MED","1,086","Pinnacle became aware that outpatient information may have been accessed through an independent medical transcription company. Gair provides transcription services for Pinnacle and may have experienced a breach in 2008 that involved its computer server. Gair's server appears to have been open to access through the Internet. Pinnacle became aware of the incident in mid-August when someone reported seeing patient information on the Internet. The information included Social Security numbers, medications, dates of birth, dates of interviews and dates of examinations.","PHIPrivacy.net","","2011","40.273700","-76.884418" "January 5, 2011","Taco Bell","Grand Rapids","Michigan","INSD","BSR","50","Two Taco Bell employees were paid to use skimming devices at their store or stores. Between 50 and 100 customers had their credit card information obtained. It is likely that the scam lasted several weeks during the second half of 2010. Two of the men who bought information from the Taco Bell employees were arrested and charged after one of them was recorded buying pre-paid cards.","Databreaches.net","","2011","42.963360","-85.668086" "December 22, 2010","Community First Credit Union, Cambrium Group","Appleton","Wisconsin","DISC","BSF","1,600","Cambrium Group, a contractor for Community First Credit Union, placed an unsecured Community First job applicant SQL database online. The database was discovered on October 20 of 2010. 
The employment information included names, dates of birth, education, addresses, telephone numbers, Social Security numbers and other information typical of applications.","Dataloss DB","","2010","44.261931","-88.415385" "January 8, 2011","Race Trac","Melbourne","Florida","CARD","BSR","600","Authorities investigating fraudulent debit and credit card charges discovered a skimming device inside of a gas pump. Only one pump at the station was found to have a skimming device. Gas station employees first learned about the possible existence of a skimmer at their store in December.","Databreaches.net","","2011","28.083627","-80.608109" "January 8, 2011","Campus Suite Apartments ","West Lafayette","Indiana","PHYS","BSO","30","In November of 2008, documents with tenant Social Security numbers and dates of birth were stolen from the office. Many of the tenants were able to avoid fraudulent charges by immediately placing fraud alerts on their accounts. One man pleaded guilty to stealing the information and another pleaded guilty to using the information to commit fraud and identity theft.","Databreaches.net","","2011","40.425869","-86.908066" "January 8, 2011","Washington State Employment Security Division","Olympia","Washington","PHYS","GOV","1,000","Authorities discovered that names and Social Security numbers of hundreds of Employment Security Division state employees were in the possession of a man who intended to misuse and profit from the information. The man was arrested and held on 50 counts of identity theft. It appears that the employee information was stolen from a car parked on the state Capitol campus sometime in 2009. Authorities are still notifying those who were affected by the incident.","Databreaches.net","","2011","47.037874","-122.900695" "January 8, 2011","Duval Clerk of Courts","Jacksonville","Florida","DISC","GOV","0","Someone discovered sensitive information on the government website. Some Social Security numbers and bank account numbers were viewable. 
Records entered after and around 2002 are carefully checked for Social Security numbers and bank accounts, but some records prior to that time still contain sensitive information. The clerk's office removed sensitive information from several records after being notified of the problem.","Databreaches.net","","2011","30.332184","-81.655651" "January 3, 2011","EVG Quality Gas","Sierra Madre","California","CARD","BSR","380","On December 27, a customer reported fraudulent charges on her credit card after using it at the station. Later cases of identity theft were also traced to the gas station. UPDATE (1/6/11): The gas station closed shortly before customers started reporting fraudulent charges.  The former owner and two other people are being sought for questioning.  Customers had their debit and credit card information captured by a skimming device when they used their cards at a store ATM or inside the store. UPDATE (1/10/11): The total number of victims is now at 380 and over $109,000 in fraudulent charges have been made.","Databreaches.net","","2011","34.161673","-118.052846" "January 10, 2011","Entertainment Software Rating Board (ESRB)","New York","New York","DISC","BSO","1,000","People who contacted ESRB to complain about a Blizzard Entertainment change in privacy were sent a response that included the emails of other people who had contacted ESRB with similar concerns.  Blizzard had proposed implementing Real ID (required usage of real first and last name) for participation in forums, but abandoned it after a backlash.","Databreaches.net","","2011","40.714353","-74.005973" "June 14, 2010","Franklin County Treasurer's Office","Columbus","Ohio","DISC","GOV","0","Although it has a newer and better protected website for paying property taxes, the Franklin County Treasurer's Office continues to allow taxpayers to use an older URL which was recently discovered to be vulnerable to hackers.  This may expose taxpayer credit card and checking account numbers.  
","Databreaches.net","","2010","39.961176","-82.998794" "December 2, 2010","KMax Systems","Kissimmee","Florida","PHYS","BSR","0","A box of job applications was thrown out by a new manager.  Someone found the applications and showed them to another person who then contacted some of the applicants.  Addresses, Social Security numbers, driver's license numbers, names, phone numbers and other information typical of an employment application were exposed.  Some of the applications also had questionable interview comments that seemed irrelevant to the selection process.","Media","","2010","28.291956","-81.407571" "January 14, 2011","California Therapy Solutions","","California","PORT","MED","1,226","The November 15 theft of a device resulted in the exposure of protected patient health information.","HHS via PHIPrivacy.net","","2011","36.778261","-119.417932" "January 14, 2011","Osceola Medical Center, Hils Transcription Service","Osceola","Wisconsin","HACK","MED","500","The November 25 hack of a Hils Transcription server exposed the health information of 500 patients.","HHS via PHIPrivacy.net","","2011","45.320520","-92.704930" "January 14, 2011","International Union of Operating Engineers Health and Welfare Fund, Zenith Administrators, Inc.","Baltimore","Maryland","PHYS","NGO","800","Papers pertaining to Union's employee benefits program were stolen from Zenith's office on November 3. Zenith administers the benefits program. The papers contained health information.","HHS via PHIPrivacy.net","","2011","39.290385","-76.612189" "January 6, 2011","Grant Medical Center, OhioHealth","Columbus","Ohio","INSD","MED","501","On November 5, several out-of-service computers were determined to be missing from a storage facility.  An investigation revealed that a dishonest employee had stolen the computers, attempted to clear the hard drives and was in the process of reselling them.  
Information from patients treated at Grant between 2008 and November 5 of 2010 may have remained on the stolen computers.  UPDATE (1/14/11): The breach affected 501 individuals.","PHIPrivacy.net","","2011","39.961176","-82.998794" "December 20, 2010","Centra","Alpharetta","Georgia","PORT","MED","11,982","A laptop was stolen from the trunk of an employee's rental car overnight on November 11. Patient names and billing information were on the laptop. The delay in notification occurred because of the time it took to determine what information was on the stolen laptop. UPDATE (1/14/11): The total number of affected individuals was changed from 13,964 to 11,982.","PHIPrivacy.net","","2010","34.075376","-84.294090" "January 14, 2011","Azure Acres","New York","New York","PORT","MED","699","The November 12 theft of a physician's laptop resulted in the exposure of client information.  The information included full name and billing information, but did not include addresses or Social Security numbers.  Azure Acres is a drug and alcohol abuse facility.","PHIPrivacy.net","","2011","40.714353","-74.005973" "January 14, 2011","Blue Cross Blue Shield of Michigan (BCBSM), Tstream Software","Harper Woods","Michigan","DISC","MED","2,979","A BCBSM website created by Tstream was the source of a breach.  A BCBSM member found her personal information online when searching her name.  People applying for individual health insurance between 2006 and an unclear date had their names, Social Security numbers, addresses and dates of birth exposed. BCBSM was notified of the error on November 17, 2010.  The information was accessible for an unspecified amount of time. Though 6,500 BCBSM members were notified, only 2,979 were affected.","PHIPrivacy.net","","2011","42.433092","-82.924083" "January 12, 2011","Kadlec Regional Medical Center","Richland","Washington","HACK","MED","0","A computer server that contained brain scan and other patient studies was hacked sometime around September 15. 
Patient names, dates of birth, ages, genders, medical record numbers and doctors' names were exposed. The breach was discovered on November 11 during routine monitoring of computer network backups. The server was removed from service and a firm was hired to investigate the issue.","PHIPrivacy.net","","2011","46.285691","-119.284462" "January 13, 2011","St. Vincent Hospital","Indianapolis","Indiana","UNKN","MED","1,800","In November, Saint Vincent officials learned that several associate email accounts had been breached. A third party managed to obtain email logins. Patient names, dates of service and clinical information may have been accessed.","PHIPrivacy.net","","2011","39.768377","-86.158042" "January 12, 2011","Universal Medical Center","Tucson","Arizona","INSD","MED","0","Three staff members and one contract employee were fired for viewing sensitive patient information without cause. The electronic medical records of patients who were injured during a terrorist shooting spree may have intrigued the workers. There were no reports of confidential patient information being released to the public.","PHIPrivacy.net","","2011","32.221743","-110.926479" "January 15, 2011","Omaha School Employees Retirement System ","Omaha ","Nebraska","HACK","EDU","4,300","A breach of Omaha School Employees Retirement System's website was discovered on December 21. The incident occurred because of an attempt to access administrator log-in information. The hacker or hackers may have obtained a database with names, Social Security numbers, dates of birth, years of service and beneficiary information of current and former Omaha Public Schools employees. The website was shut down within two hours of the discovery.","Databreaches.net","","2011","41.254006","-95.999258" "January 18, 2011","Tulane University","New Orleans","Louisiana","PORT","EDU","10,000","A University issued laptop was stolen from an employee's car on December 29. 
The laptop was used to process 2010 tax records for employees, students and others who will receive a 2010 W-2. The information included names, Social Security numbers, salary information and addresses.","Databreaches.net","","2011","29.964722","-90.070556" "January 18, 2011","Iowa Telecommunications, Experian","Newtown","Iowa","UNKN","BSO","0","One of Experian's clients experienced a breach that gave unauthorized users access to Experian's pool of consumer names, Social Security numbers, dates of birth and account numbers.  Someone gained access to the Experian login information for Iowa Telecommunications and was able to obtain consumer report information in the company's name.","Databreaches.net","","2011","40.376401","-93.334937" "January 6, 2011","Pentagon Federal Credit Union (PenFed)","Alexandria","Virginia","HACK","BSF","514","On December 12, a laptop was found to be infected with malware.  PenFed current and former employees, beneficiaries, current and former members and joint owners may have had their names, Social Security numbers, addresses, credit and debit card numbers, and PenFed account numbers exposed. At least 514 New Hampshire residents were affected, but the total number of affected individuals nationwide was not reported. UPDATE (1/18/11): The breach affected 674 New Hampshire residents and an unknown number of people nationwide.","Databreaches.net","","2011","38.804836","-77.046921" "January 18, 2011","Michael's Rock Hill Grille","Rock Hill","South Carolina","HACK","BSR","30","Michael's appears to be the common thread in a number of credit card fraud cases in the Southeast. It is believed that someone accessed credit card information by using malware on or obtaining passwords for the system on which the information was stored. The group of affected people most likely includes customers who used their card between September 16 and early December. 
Many of the cases involved Florida residents, but people in Texas, Kentucky, Tennessee, Georgia and Washington were also affected.","Databreaches.net","","2011","34.924867","-81.025078" "January 19, 2011","Abbott Medical Optics, Baylor College of Medicine Department of Ophthalmology","Milpitas","California","PORT","MED","0","Backup tapes with information from Ophthalmology department equipment were stolen from Abbott's office after being collected from Baylor. The information on the tapes included the eye contour measurement charts, names and physician names of patients who were preparing for Lasik surgery.","PHIPrivacy.net","","2011","37.428272","-121.906624" "January 19, 2011","Ingenix","Eden Prairie","Minnesota","DISC","BSO","142","A search of health care providers on the Ingenix website revealed that Social Security numbers were sometimes attached to the names of providers as ID numbers. It appears that some health plans or preferred providers had listed the Social Security numbers as ID numbers. People searching for providers covered by their plans would have seen the numbers. Some health care providers may have had their Social Security numbers used as ID numbers for five years. At least 142 New Hampshire residents were affected, but the number of affected individuals nationwide was not revealed.","Databreaches.net","","2011","44.854686","-93.470786" "January 19, 2011","U.S. Postal Service","St. Louis","Missouri","PHYS","GOV","0","The back door of a contractor truck popped open during its journey between a St. Louis distribution center and Memphis, Tennessee. Hundreds of pieces of U.S. mail were scattered across 70 miles of highway.  A recovery effort was launched by police officers and postal workers within 24 hours. 
Most of the mail included statements and bills that were headed for the West Coast.","Databreaches.net","","2011","38.646991","-90.224967" "January 13, 2011","New Mexico National Guard","Santa Fe","New Mexico","STAT","GOV","650","A computer with the deployment records and Social Security information of soldiers throughout the state was stolen from the National Guard Headquarters in Santa Fe.  The theft occurred sometime between December 23 and 28.  ","Databreaches.net","","2011","35.686975","-105.937799" "January 24, 2011","Grays Harbor Pediatrics","Aberdeen","Washington","PORT","MED","12,000","A backup tape was stolen from an employee's car sometime around November 23.  The device was used for storing copies of paper records.  Patients may have had their names, Social Security numbers, insurance details, driver's license information, immunization records, medical history forms, previous doctor records and patient medical records scanned and placed on the backup tape.","PHIPrivacy.net","","2011","46.975371","-123.815722" "December 27, 2010","American Honda Motor Company","Torrance","California","HACK","BSR","4,900,000","A Honda vendor maintaining a customer mailing list for My Acura and Honda's Owner Link websites was hacked. Names, email addresses, vehicle identification numbers and user IDs may have been exposed. There is speculation that this breach is connected to a hack of Silverpop that exposed the information of McDonald's and deviantART subscribers. UPDATE (1/24/11): Around 2.2 million Honda customers had their information exposed. 
Around 2.7 million Acura customers had their email addresses exposed, but names and other information were not breached.","Databreaches.net","","2010","33.835849","-118.340629" "January 26, 2011","Temple University School of Medicine","Philadelphia","Pennsylvania","INSD","MED","0","A former Chair of the University's Department of Ophthalmology and Assistant Dean for Medical Affairs faces 144 counts of health care fraud and making false statements in health care matters. The former faculty member and doctor is accused of causing thousands of false claims to be submitted to health care benefits programs between 2002 and 2007.  The former faculty member allegedly instructed staff members to bring patient charts from other doctors to his office.  Patient charts were improperly stored outside of his office and then fraudulently edited to make it seem as though the former faculty member had seen and evaluated the patients. The prosecution claims that after falsifying the documents, the former faculty member collected fees for services he had never performed.  The former faculty member is also accused of falsifying the records of patients he had seen. The false claims may total more than $3,000,000.","PHIPrivacy.net","","2011","39.952335","-75.163789" "January 26, 2011","North Carolina Department of Health and Human Services","Raleigh","North Carolina","PORT","GOV","0","A set of computer disks may have been accidentally discarded during an office renovation.  The disks contained data from the Division of Services for the Deaf and Hard of Hearing and would have been taken to a landfill if they were accidentally discarded.  
Those who applied for services from the Division's Equipment Distribution Service between January of 2005 and December of 2008 may have had their information exposed.","PHIPrivacy.net","","2011","35.772096","-78.638615" "January 25, 2011","Presbyterian Health Care Services","Albuquerque","New Mexico","INSD","MED","0","Between May and June of 2008, a PHS pharmacy employee misused the names and identification information of customers.  The former employee had fraudulent prescription reimbursement checks mailed to her friends and relatives, who then gave the proceeds back to the pharmacy employee.  The employee allegedly generated 17 fraudulent checks for a total of $27,129.63.  The woman was sentenced to two years in prison and four years of supervised release.  She will also have to pay restitution to PHS and Medicaid.","PHIPrivacy.net","","2011","35.084491","-106.651137" "January 24, 2011","Wentworth Institute of Technology","Boston","Massachusetts","DISC","EDU","1,300","On December 22 of 2010, Wentworth became aware of a breach that left sensitive student information online. A file was accidentally placed on Wentworth's website at some point. Current and former students may have had their names, Social Security numbers, dates of birth and medical information exposed.","PHIPrivacy.net","","2011","42.358431","-71.059773" "January 24, 2011","University of Missouri, Coventry Health Care","Columbia","Missouri","DISC","EDU","750","A Coventry Health Care computer malfunction caused the names of University of Missouri health insurance program participants to be aligned with incorrect mailing addresses.  Names, member numbers and birth dates were on mailed documents like benefits statements, health services letters and new ID cards.  The erroneous mail was sent out to employees between January 6 and 10.  
An employee notified the University on or around January 14.","PHIPrivacy.net","","2011","38.951705","-92.334072" "January 26, 2011","Warner Pacific College","Portland","Oregon","PORT","EDU","1,536","A laptop was stolen from an employee's home on January 3.  It contained the names, Social Security numbers, dates of birth, telephone numbers and addresses of students. ","Databreaches.net","","2011","45.523452","-122.676207" "January 26, 2011","Universal Technical Institute","Phoenix","Arizona","PORT","EDU","98","The names and Social Security numbers of recent applicants were on a stolen laptop. The laptop was stolen from UTI's Phoenix office on November 18. Some applicants may have had their dates of birth and contact information exposed as well.","Databreaches.net","","2011","33.448377","-112.074037" "January 26, 2011","Ember Corporation","Boston","Massachusetts","PHYS","BSO","50","Ember received a package that had been sent from Ceridian via Federal Express.  The package appeared to have been tampered with.  Ceridian processes Ember's payroll information and the package contained individual W-2 forms for current and former Ember employees.  Two corners of the package had opened and the contents were wrinkled, but no documents appeared to be missing or opened. Ember warned its employees that their names, Social Security numbers, addresses and 2010 payroll information may have been exposed.","Databreaches.net","","2011","42.358431","-71.059773" "January 26, 2011","Hamilton Beach Brands, Inc.","Glen Allen","Virginia","HACK","BSR","0","Hacker code was discovered on a server that hosts www.hamiltonbeach.com and www.proctorsilex.com. The server was breached on or around January 5. Customer names, credit card information, addresses, telephone numbers and email addresses were captured. The captured information was sent to hmtbccv@gmail.com and prosilexccv@gmail.com","Databreaches.net","","2011","37.665978","-77.506374" "January 26, 2011","J. 
Press","New Haven","Connecticut","HACK","BSR","0","An unauthorized party gained access to records of customer online orders placed between January 5 and January 10. Customer names, credit card information, order information and addresses may have been exposed. The website was temporarily shut down after J. Press learned of the breach.","Databreaches.net","","2011","41.308153","-72.928158" "January 26, 2011","KBR, Inc.","Houston","Texas","PORT","BSO","0","A company laptop that contained the personal information of current and former KBR employees and contractors was stolen. Names, Social Security numbers, addresses, dates of birth and employee ID numbers may have been accessed.","Databreaches.net","","2011","29.762884","-95.383062" "January 25, 2011","Plainfield Board of Education","Plainfield","New Jersey","UNKN","EDU","0","Someone posted administrative login information and a link to the login page of the Plainfield District's Genesis Student Information System on a popular online message board. Plainfield did not disclose how the admin user name and password were discovered. An unknown number of people would have had access to student records and maybe even student and parent contact information. The breach was discovered and addressed within 24 hours.","Databreaches.net","","2011","40.633714","-74.407374" "January 29, 2011","Bend Ophthalmology","Bend","Oregon","STAT","MED","0","Five desktop computers were stolen from the Bend office during a robbery sometime between January 26 and 27.  The office is located in the Pilot Butte Medical Clinic.  
How much information and the kinds of information exposed were not reported.","PHIPrivacy.net","","2011","44.058173","-121.315310" "January 29, 2011","Southern Perioperative Services, P.C.","Pelham","Alabama","PORT","MED","2,000","A device with protected health information of patients was stolen on or around November 17, 2010.","HHS via PHIPrivacy.net","","2011","33.285669","-86.809989" "January 29, 2011","Friendship Center Dental Office","Ocala","Florida","PORT","MED","2,200","A laptop that contained the protected health information of patients was stolen on or around December 20, 2010.","HHS via PHIPrivacy.net","","2011","29.187199","-82.140092" "January 29, 2011","Franciscan Medical Group","Tacoma","Washington","STAT","MED","1,250","A computer that contained the protected health information of patients was stolen on or around November 18, 2010.","HHS via PHIPrivacy.net","","2011","47.252877","-122.444291" "January 29, 2011","Benefits Resources, Inc.","Cincinnati","Ohio","PORT","MED","16,200","A portable electronic device was lost or stolen on or around November 22, 2010. It contained the PHI of patients.","HHS via PHIPrivacy.net","","2011","39.103118","-84.512020" "January 29, 2011","Veteran's Affairs Medical Center","White River Junction","Vermont","DISC","GOV","114","A client device owned by Dartmouth allowed an unknown number of people to anonymously log on to a computer network. A document that contained Veteran and Dartmouth patient information could be viewed once people had logged on using the client device. The document contained a list of Dartmouth and Veteran patients. Last names, last four digits of Social Security number, clinical diagnosis and comments were exposed. At least one patient had their full name and date of birth exposed. 
The problem had existed for an unknown amount of time.","PHIPrivacy.net","","2011","43.648960","-72.319258" "January 12, 2011","Seacoast Radiology","Rochester","New Hampshire","HACK","MED","231,400","On November 12, Seacoast discovered that a server had been breached. Patient names, Social Security numbers, addresses, phone numbers and other personal information may have been exposed by the breach. Credit card and other financial information were not exposed. The estimated number of individuals who received notification is 231,400.  Not all people who received a notification letter were affected.  Patients and people serving as insurance guarantors were affected. It is believed that the hackers were utilizing Seacoast's bandwidth to play a popular game called Call of Duty: Black Ops.","PHIPrivacy.net","","2011","43.304526","-70.975619" "January 29, 2011","Dermatology Clinic","Durham","North Carolina","PHYS","MED","55","A log book with patient appointment information was discovered missing.  Patients had their names, last four digits of Social Security number, telephone numbers and names of procedures scheduled exposed.  Two searches did not lead to the recovery of the log book; there is a possibility that a patient took the book.","PHIPrivacy.net","","2011","35.994033","-78.898619" "January 29, 2011","Texas Health Harris Methodist Hospital Azle","Azle","Texas","PORT","MED","0","The loss of a back-up computer disc with patient information was confirmed on April 22, 2010.  The disc contained laboratory chemistry exam results.  Patients who were treated at the Hospital's lab between July 2008 and February 2010 were affected.","PHIPrivacy.net","","2011","32.895126","-97.545857" "January 30, 2011","JP Morgan Chase, Citibank","New York","New York","UNKN","BSF","0","A Staten Island resident somehow obtained the personal information of JPMorgan Chase Bank and Citibank customers.  
The woman then used the names, addresses, dates of birth and bank account numbers of the people to steal more than $300,000 from Chase and $30,000 from Citibank.  The woman visited banks in and around Manhattan between November 26, 2007 and April 29, 2010.  She used forged driver's licenses to make fraudulent withdrawals.  ","Databreaches.net","","2011","40.714353","-74.005973" "January 30, 2011","The Minnesota Department of Education","Roseville","Minnesota","DISC","GOV","20","The transcripts of 20 online BlueSky Charter School students were accidentally released in November of 2010.  The breach was not discovered until the week of January 30 when a new data request for the school was being processed.  ","Databreaches.net","","2011","45.006077","-93.156611" "January 29, 2011","Amazon.com","Seattle","Washington","DISC","BSR","0","A security flaw that allows some Amazon customers to log in with variations of their actual passwords was recently discovered. Lowercase and uppercase letters are not distinguished and people could even use passwords with extra characters as long as the incorrect characters came after the 8th character of the password. An example of this problem is that Amazon would accept ""PASSWORD"", ""password"" and ""passwordpassword"" as correct if someone had a password of ""Password"". The problem appears to affect older Amazon.com passwords that have not been changed recently.","Databreaches.net","","2011","47.606210","-122.332071" "January 29, 2011","Ankle and Foot Center of Tampa Bay, Inc.","Tampa Bay","Florida","HACK","MED","156,000","The Center experienced a hacking or IT incident on or around November 10 of 2010. 
The protected health information of patients was exposed. UPDATE (2/3/2011): Names, Social Security numbers, dates of birth, home addresses, account numbers, and health care services and related diagnostic codes may have also been exposed.","HHS via PHIPrivacy.net","","2011","27.949436","-82.465144" "February 2, 2011","Texas Children's Hospital","Houston","Texas","HACK","MED","0","On December 29, the Harris County District Attorney's Office notified Texas Children's Hospital that its Accounts Payable system may have been breached.  Vendors and employees who received checks between 1999 and 2011 may have had their names and Social Security numbers accessed by an unauthorized third party.  The information seems to have been used to open electricity accounts.","Databreaches.net","","2011","29.762884","-95.383062" "January 28, 2011","Five County Credit Union","Bath","Maine","HACK","BSF","0","Five County decided to send 3,000 credit and debit cards to customers after discovering a breach that affected a third party.  Some customers noticed suspicious transactions on their debit cards.  About 2,500 debit cards were reissued and 500 Visa credit cards were reissued.  The organization that experienced the breach and the number of customers affected were not reported.","Databreaches.net","","2011","43.910635","-69.820602" "February 3, 2011","University of Washington Hospital","Seattle","Washington","PHYS","EDU","17","A customer purchased a piece of furniture from the University's Surplus Store that had the medical records of patients.  The information in the records was mostly x-ray and MRI images of spines.","PHIPrivacy.net","","2011","47.606210","-122.332071" "February 4, 2011","Twitter, Facebook and PayPal","Rapides Parish","Louisiana","HACK","BSO","0","A 17-year-old hacker was charged with various computer crimes.  He somehow managed to access the Twitter, Facebook, PayPal and email accounts of multiple celebrities and other people.  
The teen was charged with cyberstalking, computer fraud, computer tampering and extortion. ","Databreaches.net","","2011","31.146110","-92.539603" "February 5, 2011","Human Services Agency of San Francisco","San Francisco","California","INSD","GOV","2,400","A former city employee emailed the information of her caseload to her personal computer, two attorneys and two union representatives. The former employee wanted proof that she was fired for low performance because she had been given an unusually high number of cases.  Certain MediCal recipients in San Francisco had their names, Social Security numbers and other personal information exposed.","PHIPrivacy.net","","2011","37.774930","-122.419416" "March 8, 2010","Arrow Electronics","Melville","New York","PORT","BSR","4,044","A laptop containing current and former employee personal information was stolen. The information included names, Social Security numbers, addresses, telephone numbers, and some corporate and personal credit cards.","Databreaches.net","","2010","40.793432","-73.415121" "February 16, 2010","Eclipse Property Solutions","St. Petersburg","Florida","INSD","BSO","0","A St. Petersburg man has been charged with stealing customers' credit card numbers from a marketing company he worked for to buy nearly $30,000 in dinners, limos and other luxuries. The man and another employee listened from their cubicles as co-workers repeated customer credit card information aloud to confirm accounts.","Dataloss DB","","2010","27.782254","-82.667619" "March 7, 2010","Randle Eastern Ambulance Service inc.","Miami","Florida","INSD","MED","0","A man and his wife who were previously charged with selling patient information in 2009, were charged with stealing personal information of individuals transported by Randle Eastern Ambulance Service Inc. (American Medical Response).  The information was then sold to South Florida personal injury attorneys and clinics.  
The stolen information included names, telephone numbers, medical diagnoses, and addresses.  They used the help of a former AMR employee.","Databreaches.net","","2010","25.774266","-80.193659" "February 11, 2010","University of Texas Medical Branch","Galveston","Texas","INSD","MED","2,400","The University of Texas Medical Branch has mailed letters notifying 1,200 patients that sensitive information about them had been available to a woman charged with identity theft in an unrelated case. Officials sent out the letters this week after MedAssets, which the medical branch hired to assist with billing from third-party payers, warned of a security breach by one of its employees. Law enforcement officials notified MedAssets that a former employee had been arrested and charged with identity theft. The person also was alleged to have used a stolen identity to misrepresent herself and gain employment at Georgia-based MedAssets and had been involved in other instances of identity theft. That employee is implicated in a widespread identity theft investigation involving cases from Texas to Wisconsin and losses upward of $1 million. UPDATE (3/9/10): Twelve hundred more letters were sent out to people whose financial information may have been exposed. UPDATE (10/14/10): From Databreaches.net: ""Katina Candrick of LaGrange, Texas, was sentenced to 15 years in federal prison and ordered to pay $163,185.19 restitution for unlawful possession of fraudulent identification documents and conspiracy to commit identity theft...According to court records Candrick schemed to steal and use for her own benefit personal identification information of others, which she used to pay for living expenses, vehicles and other items.  
From July 6, to November 13, 2009, Candrick was employed as a Patient Account Representative by MedAssets.""","Dataloss DB","","2010","29.301348","-94.797696" "February 9, 2010","Ohio Department of Administrative Services","Columbus","Ohio","DISC","GOV","6,000","Personal banking information for 6,000 state employees was inadvertently included in an e-mail distributed to dozens of payroll officers of state agencies. The e-mail from an unnamed administrative-services employee included an attached spreadsheet listing 6,000 state employees whose bank accounts are to be moved from National City Bank, which was bought by PNC Bank.","Media","","2010","39.961176","-82.998794" "February 6, 2010","University of Texas, El Paso","El Paso","Texas","DISC","EDU","15,000","University of Texas at El Paso is notifying students that their Social Security numbers were visible when their tax forms were sent out. The University notified 15,000 students but they don't know exactly how many students were affected. UTEP blames a glitch in a machine used to fold letters when student’s forms were sent out. Some of the forms were folded in such a way that the document shifted on the envelope and allowed for the Social Security numbers to be visible through the mailing window on the envelope.","Dataloss DB","","2010","31.758720","-106.486931" "January 30, 2010","Ameriquest Mortgage Company","Apple Valley","Minnesota","INSD","BSF","100","A man working for Ameriquest Mortgage Company as a mortgage associate for only six weeks used personal information he lifted from mortgage applications. It was a pretty fruitful month and a half for him -- and a pretty costly one to nearly 100 people and several financial institutions. He also used information taken from mail and even some items taken from gym lockers of a couple of hundred more victims. The man eventually stole more than $150,000 from at least eight banks. 
The man used stolen personal information to create fraudulent identification documents and checks, which he then used to obtain cash, pay for services and buy items. For example, he used one victim's identification to obtain a credit card through U.S. Bank. With that card, he wound up withdrawing $30,529.63 in cash from ATMs throughout Minnesota. Those withdrawals were charged to the victim.","Dataloss DB","","2010","44.731909","-93.217720" "January 22, 2010","Brio Tuscan Grille in Country Club Plaza","Kansas City","Missouri","CARD","BSR","20","A man used a skimming device to obtain the credit card information of customers while working as a waiter at Brio Tuscan Grille of Kansas City, Missouri. UPDATE (7/26/10): The former employee was sentenced to three years of federal prison time for credit card fraud and mail fraud.  He originally gained access to the customer information during July and August of 2008. His fraudulent purchases totaled thousands of dollars.","Databreaches.net","","2010","39.099727","-94.578567" "December 17, 2009","North Carolina Libraries","Raleigh","North Carolina","HACK","EDU","51,000","Library users at 25 campuses were the victims of a security breach in August. The libraries collect driver's license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson. ","Dataloss DB","","2009","35.772096","-78.638615" "December 15, 2009","The Beijing Center for Chinese Studies","Chicago","Illinois","PORT","EDU","0","The theft of a laptop exposed applications for study abroad students. Names and Social Security numbers were exposed. 
An unknown number of NH residents were affected.","Dataloss DB","","2009","41.850033","-87.650052" "December 4, 2009","Deo B. Colburn Foundation Scholarship","Lake Placid","New York","DISC","EDU","341","If you received the Deo B. Colburn scholarship for the 2003-04 academic year, your Social Security number may have been made public. Hundreds of Social Security numbers of former students from all over the northern Adirondacks, including Lake Placid, were released onto the Internet, potentially compromising those people's credit and financial status. Information included names, addresses, academic institutions, the amount of money received and Social Security numbers of the scholarship recipients.","Dataloss DB","","2009","44.279491","-73.979871" "November 21, 2009","Notre Dame University","Notre Dame","Indiana","DISC","EDU","0","Notre Dame is warning university employees to keep an eye on their bank accounts after a security breach. Personal information of some past and current employees - including name, Social Security number and birth date - was accidentally posted onto a public website. The error was corrected and the information removed from the website.","","","2009","41.700191","-86.237933" "November 6, 2009","National Archives and Records Administration","College Park","Maryland","STAT","GOV","250,000","The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house. UPDATE (1/12/2010): There was a rather large amount of data on this hard drive -- as much as two terabytes of data. 
The NARA is having to, in effect, do a forensic analysis to try to identify individuals and their information. They had a rolling production of notices to individuals. The total had been 26,000, and then their forensic contractor came up with a new group that contained as many as 150,000 names. UPDATE (1/27/2010) Media stories now put the number of records involved at 250,000.","Dataloss DB","","2009","38.980666","-76.936919" "October 22, 2010","Johns Hopkins University","Baltimore","Maryland","DISC","MED","692","Approximately 85 staff members received an email from the Applied Physics Laboratory on June 15. The email had an attachment with personal benefits information of APL staff dependents. The information included names, Social Security numbers, parent names, dates of birth, marital and disability status and medical and dental coverage. The emails were deleted by the IT department and staff members were asked to reply that they had not made copies or disclosed the information.","PHIPrivacy.net","","2010","39.290385","-76.612189" "November 24, 2009","ACORN","San Diego","California","DISC","BSO","0","Documents that contained personnel information were accidentally thrown away in a dumpster. San Diego staff members were doing an office clean-up in preparation for a major 10-station phone bank program being set up in their offices; it appears that included in the piles of garbage being thrown out there were some documents containing private information.","Dataloss DB","","2009","32.715329","-117.157255" "February 7, 2011","HBGary Federal","Sacramento","California","HACK","BSO","60,000","HBGary announced that it had information about the Anonymous hackers collective.  Anonymous supporters hacked into HBGary's network in order to learn what information had been gathered during the investigation.  Over 60,000 business emails were extracted and the company's website was defaced.  HBGary's leader also had his Twitter account hacked and his personal information exposed. 
 Anonymous supporters claim the attack was to prevent HBGary from selling trivial information to the FBI.  The hackers published a 23-page document online and claimed that it was the information HBGary was going to sell.  HBGary's email database was also published.  Sensitive information about customers may have been exposed.","Databreaches.net","","2011","38.581572","-121.494400" "February 7, 2011","Marriott Vacation Club International","Orlando","Florida","PHYS","BSR","0","An unknown number of customer payment slips were lost during shipping. Timeshare maintenance fee payment slips were processed by a bank and shipped back to Marriott. The box of slips arrived damaged and had some of the slips missing. Timeshare owners' names, credit card numbers and expiration dates, and addresses were exposed.","Databreaches.net","","2011","28.538336","-81.379237" "February 9, 2011","Oregon Department of Corrections","Madras","Oregon","PORT","GOV","550","An outsider with a thumb drive that contained confidential payroll information contacted the agency on January 27. The thumb drive contained payroll reports with the information of around 550 staff members. Pay stub data with names, Social Security numbers and other payroll information were exposed. People employed at Warner Creek between July 31, 2005 and September 30, 2007 had their Social Security numbers exposed. People employed by Deer Ridge between August 31, 2006 and September 30, 2007 had their Social Security numbers exposed. People employed at Warner Creek, Shutter Creek and Deer Ridge between October 1, 2007 and the time of the breach had personal information other than Social Security numbers exposed. 
The drive was damaged before being returned to the department and it is unclear what, if any, additional types of information may have been exposed.","Databreaches.net","","2011","44.633454","-121.129487" "October 27, 2009","Baptist Hospital East","Louisville","Kentucky","DISC","MED","350","Hundreds of people in Kentuckiana are worrying about identity theft after their employer accidentally released their Social Security numbers. 350 names and Social Security numbers of hospital employees appear on a list that was circulated in an e-mail.","Dataloss DB","","2009","38.252665","-85.758456" "October 13, 2009","Pitt County Memorial Hospital","Greenville","North Carolina","PORT","MED","1,700","Patient names and Social Security numbers were placed onto a portable computer storage device, used to move the information between different computer systems. Employees have since discovered that the USB flash drive is missing from where it was stored.","Dataloss DB","","2009","35.612661","-77.366354" "August 13, 2009","National Guard Bureau","Arlington","Virginia","PORT","GOV","131,000","An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. The stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates.","Dataloss DB","","2009","38.890390","-77.084145" "July 17, 2009","Francis Howell School District","St. Charles","Missouri","PORT","EDU","1,700","A laptop computer theft could have compromised personal information. The computer could have contained names and Social Security numbers for 1,700 non-certified employees. Anyone who worked for the district from 2005 through 2008 could be affected. 
The computer belonged to a Francis Howell employee in the district human resources department.","Dataloss DB","","2009","38.783940","-90.481230" "July 16, 2009","Elance","Mountain View","California","HACK","BSO","0","A warning from Elance's customer service was emailed, saying that the site has been hacked or attacked in some way. The data accessed was contact information - specifically name, email address, telephone number, city location and Elance username. This incident did not involve any credit card, bank account, social security or tax ID numbers.","Media","","2009","37.386052","-122.083851" "June 30, 2009","Sutter Health","Sacramento","California","PORT","MED","6,000","Hundreds of current and former employees with Sutter Health had their personal data compromised. The company's Sacramento Sierra region was contacted by a computer repair shop. ""The repair people did the right thing and told us they had our laptop"", said Sutter Communication Coordinator. The laptop contained names and Social Security numbers of 6,000 Sutter Health workers.","Dataloss DB","","2009","38.581572","-121.494400" "June 22, 2009","Broadridge Financial Solutions, Inc.","Jersey City","New Jersey","DISC","BSF","0","Broadridge Financial Solutions, Inc. provides proxy services for clients, including the processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of publicly traded companies. The firm inadvertently disclosed Dynegy shareholder information including name, address, Social Security number and other account information to another client. The total number of share-owners affected was not reported.","Media","","2009","40.728158","-74.077642" "February 12, 2011","Saint Francis Broken Arrow (Broken Arrow Medical Center)","Broken Arrow","Oklahoma","STAT","MED","84,000","A computer that had not been used since May of 2004 was stolen from a secured information systems room. Patient billing information and some employee records were exposed. 
The information would have included names, Social Security numbers, dates of birth, addresses and patient insurance and diagnostic information.","PHIPrivacy.net","","2011","36.052599","-95.790820" "June 8, 2010","Los Angeles County Department of Public Social Services","Los Angeles","California","INSD","GOV","197","A dishonest employee used welfare beneficiary information to file for two million dollars worth of tax refunds. The employee was caught and charged with 11 counts of identity theft and 11 counts of making false claims to the United States. UPDATE (2/13/11): The former employee pleaded guilty to two counts of filing false claims against the United States.  ","Databreaches.net","","2010","34.052234","-118.243685" "February 13, 2011","Bank of America","Charlotte","North Carolina","DISC","BSF","0","An unknown number of customers were able to see the information of other customers when attempting to access their accounts online. The problem appeared to involve customers who had the same last name. The mistake exposed information for credit, mortgage and home equity accounts. All access to problem accounts was suspended within hours of the discovery.","Databreaches.net","","2011","35.227087","-80.843127" "January 15, 2011","South Carolina State Budget and Control Board Employee Insurance Program","Columbia","South Carolina","HACK","GOV","5,600","People who are covered by South Carolina's state insurance program may have had their personal information obtained. A virus affected one of the Insurance Program's computers. The breach occurred sometime between November 8 and November 18. 
Insured current and former employees, dependents and survivors may have had their names, Social Security numbers, health information, addresses and dates of birth exposed.","Databreaches.net","","2011","34.000710","-81.034814" "February 15, 2011","Baptist Memorial Hospital","Huntingdon","Tennessee","UNKN","MED","4,800","A number of patients were notified after a breach occurred on November 27, 2010.","HHS via PHIPrivacy.net","","2011","36.000618","-88.428106" "November 18, 2010","Hanger Prosthetics and Orthotics Group","Austin","Texas","PORT","MED","4,486","A laptop was stolen from a human resources employee on November 4. The laptop contained employee names, Social Security numbers, health information and addresses. UPDATE (2/15/11): HHS shows that the breach affected 4,486 people.","Databreaches.net","","2010","30.267153","-97.743061" "February 15, 2011","Lake Woods Nursing and Rehabilitation Center","Muskegon","Michigan","STAT","MED","656","The December 28 theft of a computer may have exposed the health information and other types of information of certain individuals.","HHS via PHIPrivacy.net","","2011","43.234181","-86.248392" "February 15, 2011","Baylor Health Care Systems, Baylor Heart and Vascular System, Baylor University Medical Center","Dallas","Texas","PORT","MED","8,241","A portable ultrasound machine was stolen from the Baylor Jack and Jane Hamilton Heart and Vascular Hospital in Dallas.  The machine was stolen from a patient's room sometime between December 2 and December 3.  Patients who were seen at the hospital between December 26 of 2006 and the date of the theft may have had their names, dates of birth, blood pressure, height, weight and ultrasound images of their hearts on the machine.  
It is believed that only a fraction of the 8,000 patients who are at risk actually had their information on the machine at the time of the theft.","PHIPrivacy.net","","2011","32.802955","-96.769923" "February 15, 2011","Day's Jewelers","Waterville","Maine","HACK","BSR","0","A number of Maine residents have experienced credit, bank account and credit union fraud after shopping at Day's Jewelers.  An investigation has revealed that a hacking incident caused the breach and the approximate time of the breach.","Databreaches.net","","2011","44.552011","-69.631712" "February 11, 2011","First Transit, FirstGroup America","Cincinnati","Ohio","PORT","BSO","0","A flash drive with First Transit applicant personal information was lost on a bus on January 21. Applicant names, Social Security numbers, addresses, dates of birth and possibly other employment information such as conviction record and drug test results may have been on the flash drive.","Databreaches.net","","2011","39.103118","-84.512020" "February 20, 2011","Howard Brown Health Center","Chicago","Illinois","INSD","MED","0","A donor database may have been breached. It would have revealed phone numbers and email addresses. It appears that one or more disgruntled organization insiders distributed a libelous letter to people who had their information on the donor database. Several of these people reported receiving the letter.","PHIPrivacy.net","","2011","41.878114","-87.629798" "March 29, 2010","University MRI Diagnostic Center, Holy Cross Hospital, North Ridge Medical Center, and Oncology and Hematology Associates of West Broward","","Florida","INSD","MED","40,000","Two former employees of these organizations were involved in an identity theft scheme with at least three other partners.  Thousands of victims have been confirmed.  The employees had access to emergency room patient records such as names, dates of birth, Social Security numbers, Medicare numbers, and addresses.  
The stolen information was used by others to obtain Care Credit accounts and Chevron Visa credit cards.  Victims lost a total of approximately $162,000.","Databreaches.net","","2010","27.664827","-81.515754" "February 19, 2011","Loud Technologies, Inc.","Woodinville","Washington","STAT","BSR","0","The office theft of a computer may have exposed names and Social Security numbers of current and former employees.  Some other items had been taken from the office too.  The theft was discovered on November 15.","Databreaches.net","","2011","47.754265","-122.163458" "February 18, 2011","The Cigarette Box, Colton's General Store","Las Vegas","Nevada","CARD","BSR","0","A suspect was arrested and charged with fraudulent use of a credit card. The suspect is associated with three businesses and investigators are checking to see if customers of those businesses were victims of fraud. Several card skimmers were recovered at the three businesses.","Databreaches.net","","2011","36.114646","-115.172816" "August 18, 2010","Baton Rouge Police Department","Baton Rouge","Louisiana","INSD","GOV","30","A man pled guilty to using a printout with the information of around 30 current and retired Baton Rouge officers to commit credit fraud. An insider sold him the computer printout.  UPDATE (2/18/11): The man was sentenced to seven years in prison.  He did not reveal the name of the person who sold him the printout.","Databreaches.net","","2010","30.450746","-91.154551" "February 22, 2011","Emory Healthcare","Atlanta","Georgia","PHYS","MED","2,400","Seventy-seven patients had their Social Security numbers stolen and used for fraudulent tax returns. Patient names and possibly addresses, dates of birth, clinic numbers, limited health information and health insurance companies were exposed. 
Patients who were seen in orthopaedics between May of 2008 and January of 2009 for something other than physical therapy were affected.","PHIPrivacy.net","","2011","33.748995","-84.387982" "February 24, 2011","Cambridge Who's Who Publishing, Inc.","Uniondale","New York","PORT","BSO","400,000","A former employee made accusations that Who's Who experienced a breach of 400,000 data tapes with customer information.  It is not clear what happened, but the tapes were misplaced during the shipping process sometime before October 20, 2010.  Customer names, Social Security numbers, addresses, driver's license numbers, payroll data, checking account numbers and credit card information on the tapes may have been exposed.","Databreaches.net","","2011","40.700379","-73.592906" "February 24, 2011","Snow Creek","Weston","Missouri","HACK","BSO","0","It appears that a hacker was able to obtain unencrypted customer credit card information around Friday February 18. Online customers of the ski resort were not affected. Information from electronic card transactions that were performed on-site was exposed.","Databreaches.net","","2011","39.411109","-94.901630" "February 23, 2011","Chapman University, Brandman University","Los Angeles","California","DISC","EDU","13,000","A student discovered a document with sensitive information in an unsecured folder. It contained names, Social Security numbers, student ID numbers and financial aid information. Around 11,000 current and former Chapman students, 1,900 applicants and an unspecified number of Brandman students were affected. 
Only students and people affiliated with the University could have accessed the file, and it appears that the student who reported the incident was the only one who accessed the file.","Databreaches.net","","2011","34.052234","-118.243685" "February 22, 2011","Integrity Bank Plus, MicroBilt Corp","Kennesaw","Georgia","UNKN","BSF","500","Someone gained access to Integrity Bank Plus' MicroBilt account and was able to view the information of consumers connected with MicroBilt. The breach occurred between December 23 and December 28. Consumer credit report information may have been exposed.","Databreaches.net","","2011","34.023434","-84.615490" "February 22, 2011","Jack in the Box","Pearland","Texas","INSD","BSR","0","Investigators determined that a Jack in the Box location had been visited by multiple victims of fraudulent credit and debit card charges. Law enforcement visited the store and found a drive-thru employee with a skimmer in his pocket.","Databreaches.net","","2011","29.563567","-95.286047" "January 14, 2010","Lincoln National Corporation (Lincoln Financial)","Radnor","Pennsylvania","INSD","BSF","1,200,000","Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. ""This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,"" the letter says. 
""The sharing of usernames and passwords is not permitted under the LNC security policy."" UPDATE (2/17/2011): Lincoln National Corporation was fined $600,000 by the Financial Industry Regulatory Authority for failing to adequately protect customer information.  Failing to require brokers working remotely to install security software on personal computers led to the fine.","Media","","2010","40.046221","-75.359911" "February 24, 2011","Private Medical Practice","Olathe","Kansas","INSD","GOV","0","An Attorney General who investigated the controversial Dr. Tiller is facing allegations that patient records were improperly stored.  The AG admitted that sensitive patient records from the case had been temporarily stored in a former employee's home at one point.","PHIPrivacy.net","","2011","38.881396","-94.819129" "February 24, 2011","Henry Ford Health Center","Detroit","Michigan","PORT","MED","2,777","An employee misplaced a flash drive with sensitive patient information. The flash drive was lost on January 31 and investigators began the process of determining what happened and what information was on the flash drive on February 8. Patients tested for urinary tract infections between July and October of 2010 may have had their names, medical record numbers, test information and results exposed.","PHIPrivacy.net","","2011","42.331427","-83.045754" "February 24, 2011","Prudential Patterson Realtors","Hazelwood","Missouri","PHYS","BSO","0","Real estate records dating back to 2005 were found in a condominium dumpster by a resident. The records included addresses, phone numbers and copies of personal checks. Prudential Patterson Realtors was sold to Prudential Select Properties in December 2010. 
Prudential Select said that shredding sensitive documents is their policy.","Databreaches.net","","2011","38.771440","-90.370949" "December 15, 2010","Ohio State University","Columbus","Ohio","HACK","EDU","750,000","Students, professors and other University affiliates were notified that their information may have been accessed by a hacker.  University officials discovered the breach in late October.  Unauthorized individuals logged into an Ohio State server and had access to names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff, University consultants and University contractors. UPDATE (1/14/11): 517,729 former students and 65,663 current students were affected.  Exact numbers for current and former faculty, staff, consultants and contractors were not given. UPDATE (2/22/2011): As of February 22, OSU was still attempting to find and inform affected individuals of the breach.  Around 226,000 notification letters were mailed to alumni in February.","Databreaches.net","","2010","39.961176","-82.998794" "February 17, 2011","American Airlines","San Jose","California","INSD","BSO","350","An airline employee used a skimming device to obtain customer credit card information and make fraudulent purchases. The employee participated in the fraudulent activity between December of 2007 and October of 2010. Over 2,800 fraudulent transactions using 350 credit card numbers were made. The former employee worked at American Airlines for 20 years and now faces 48 years of prison time.","Databreaches.net","","2011","37.339386","-121.894956" "February 17, 2011","Winamp","New York","New York","HACK","BSO","0","Hackers were able to access forum information, user accounts and emails.  The attack is believed to have been limited to the Winamp forums.  
All users are advised to change their Winamp passwords and any similar passwords for other accounts.","Databreaches.net","","2011","40.714353","-74.005973" "February 16, 2011","Alabama Department of Motor Vehicles","","Alabama","DISC","GOV","0","The Alabama DMV used an online tool that allowed people to access personal information of other drivers. There is a record of these individuals since the online search tool required people who used this feature to register their name and credit card information. Users without legal authorization were able to obtain others' personal information associated with vehicle registration for approximately three months.","Databreaches.net","","2011","32.318231","-86.902298" "March 3, 2011","Cord Blood Registry","San Francisco","California","PORT","MED","300,000","Backup tapes were stolen from an employee's car in San Francisco on December 13, 2010. Names and Social Security, driver's license and credit card numbers were on the tapes. The tapes were not encrypted. Customers began receiving notification on February 14 of 2011. A computer and other personal property were stolen during the burglary.","PHIPrivacy.net","","2011","37.774930","-122.419416" "March 2, 2011","Beebe Medical Center","","Florida","PHYS","MED","113","An employee placed a briefcase with sensitive documents in her car. The briefcase was stolen from the employee's car on January 1. It contained the names and Medicaid numbers of patients seen at the Beebe Medical Center in Lewes, Delaware. Only a small number of people who were seen between 2005 and 2009 were affected. Around 35 of the patients affected by the breach are deceased.","PHIPrivacy.net","","2011","27.664827","-81.515754" "March 8, 2011","Western Michigan University","Kalamazoo","Michigan","PORT","EDU","0","A backup hard drive that contained student and faculty information was discovered missing on January 25.  
Hundreds of current and former students and faculty members had their names and Social Security numbers exposed by the breach.  Academic records were also on the hard drive.","Databreaches.net","","2011","42.291707","-85.587229" "March 3, 2011","Missouri State University","Springfield","Missouri","DISC","EDU","6,030","Nine student lists were accidentally placed on an unsecured server in October and November of 2010. The problem was noticed on February 22. The College of Education lists of students between 2005 and 2009 contained names and Social Security numbers.","Databreaches.net","","2011","37.215326","-93.298244" "March 6, 2011","Alaska Department of Education and Early Development","Juneau","Alaska","PORT","GOV","89,519","A hard drive with the information of students was stolen. Most of the affected students reside in Fairbanks. Names, dates of birth, student identification numbers, genders, ethnicity, disability status, grade levels, test scores and enrollment information were exposed. The theft is believed to have occurred in early February.","Databreaches.net","","2011","58.301944","-134.419722" "March 3, 2011","Racetrac, Seacoast National Bank","Fort Pierce","Florida","CARD","BSR","0","The Seacoast National Bank issued thousands of new debit and credit cards after some customers became victims of skimming. Some customers noticed fraudulent charges after making purchases at Racetrac gas station.","Databreaches.net","","2011","27.446706","-80.325606" "March 5, 2011","Rancho Los Amigos National Rehabilitation Center","Downey","California","PORT","MED","667","A stolen laptop contained patient information.  Patient names, dates of birth and medical record numbers may have been exposed.  The laptop was connected to diagnostic machinery.  
The laptop was stolen from the Center on or around February 24.","PHIPrivacy.net","","2011","33.940014","-118.132569" "March 9, 2011","Shell, Chevron","Mountain View","California","CARD","BSR","3,600","Two men were arrested for using skimmers to obtain and use credit cards. Skimmers were found in three Shell and one Chevron gas pumps in Mountain View. The men were charged with conspiracy, altering a computer and acquiring credit card information with the intent to defraud. The breach was first discovered on December 6 of 2010 when a gas attendant found a skimming device on a gas pump.","Databreaches.net","","2011","37.386052","-122.083851" "March 9, 2011","Chapman University","Orange","California","DISC","EDU","0","A file that should have only been available to certain University system users was available to all users. It contained the names, Social Security numbers, student ID numbers and financial aid information of students who applied for financial aid for the 2009-2010 school year.","Databreaches.net","","2011","33.787794","-117.853112" "March 9, 2011","Navy Federal Credit Union","Norfolk","Virginia","UNKN","GOV","0","Two men obtained account information from account holders at NFCU in 2009 and 2010. The men then applied for loans in the names of the account holders. Approximately $460,000 in fraudulent charges were made.  Both men pled guilty.","Databreaches.net","","2011","36.850769","-76.285873" "March 10, 2011","Se San Diego Hotel","San Diego","California","HACK","BSO","0","Malicious software was uploaded to the Hotel's computer system sometime around September of 2010. 
Customer credit card information was obtained and sold to a group of seven people who used the information to make fraudulent charges primarily in Central Florida.","Databreaches.net","","2011","32.715329","-117.157255" "January 25, 2011","MetLife","Loves Park","Illinois","PHYS","BSF","0","Thousands of papers with names, addresses, Social Security numbers, birth dates and account balances were thrown in a dumpster. The breach appears to be the result of an insurance office moving from one location to another. A man searching for metal in dumpsters made the discovery. Most of the files belonged to one insurance agent. UPDATE (3/1/2011): MetLife has been ordered to provide credit fraud protection for everyone affected by the mistake.  MetLife must also pay a $75,000 fine to the State of Illinois Director of Insurance.  The information had sat in the dumpster for at least four days.  The former insurance agent who was responsible for most of the accounts says that he left 17 filing cabinets with MetLife before he departed the company. He estimated that the filing cabinets contained a thousand accounts.","Databreaches.net","","2011","42.320019","-89.058162" "March 9, 2011","CVS Caremark Corp.","Woonsocket","Rhode Island","INSD","BSR","0","According to a complaint filed against CVS, CVS used the confidential information of customers to push certain drugs.  CVS is accused of receiving payment for promoting certain pharmaceutical drugs to targeted groups of people. CVS may have violated consumer privacy by sending promotions for specific medications to the physicians of customers.  The complaint was filed on March 7.","PHIPrivacy.net","","2011","42.002876","-71.514784" "March 10, 2011","University of Massachusetts Amherst, University Health Services","Amherst","Massachusetts","HACK","EDU","0","A workstation at the campus University Health Services (UHS) was infected with malware. 
The workstation contained patient names, health insurance company names, medical record numbers, and prescription information from January 2, 2009 to November 17, 2009. There is no evidence that the data was copied from the workstation. The malware was on the computer from June 30, 2010 to October 28, 2010. Patients were notified in March.","PHIPrivacy.net","","2011","42.380368","-72.523143" "March 16, 2011","Cancer Care Northwest","Spokane","Washington","DISC","GOV","3,150","A January mistake in mailing led to brochures being mailed to the wrong current and former patients. Everyone who was meant to receive a brochure did; but patients were able to see the name and address of another patient. The brochure and letter provided information on a breast education and support program.","PHIPrivacy.net","","2011","47.658780","-117.426047" "March 16, 2011","Jefferson Center for Mental Health","Wheat Ridge","Colorado","PORT","MED","546","A list with patient information was stolen from an employee's locked car on December 13, 2010.  The employee's purse and work bag were also stolen.","HHS via PHIPrivacy.net","","2011","39.766098","-105.077206" "January 13, 2011","Green River District Health Department, Fox Technology Group (now part of Intergranetics)","Owensboro","Kentucky","DISC","MED","18,871","The personal information of people who visited Green River District Health Department was accidentally placed online by Fox Technology. A resident notified the Department after discovering personal information online. Many visitor names were given with dates of birth; around half included Social Security information as well. The information was exposed sometime in October of 2010 or before. The problem was fixed soon after the Department was notified. UPDATE (3/16/2011): There were 18,871 visitors who were affected, not 9,986.","PHIPrivacy.net","","2011","37.774215","-87.113330" "March 16, 2011","St. Louis University","St. 
Louis","Missouri","HACK","EDU","12,800","The University's network was hacked on December 12, 2010. The breach was discovered on December 13 and a statement was available on the University's website on January 31, 2011. Eight hundred students and 12,000 current and former employees and contractors were affected. Only people who worked for Saint Louis University at some point had their Social Security numbers exposed. Some students who received counseling through the University's Student Health Services may have had their names, dates of birth, tests, diagnosis and treatment information exposed.","PHIPrivacy.net","","2011","38.646991","-90.224967" "July 1, 2009","Carrell Clinic","Dallas","Texas","HACK","MED","0","An Arlington security guard was arrested on federal charges for hacking into a hospital's computer system. The defendant allegedly posted video of himself compromising a hospital's computer system on YouTube. The system and computers contained confidential patient information. UPDATE (3/18/2011): Phiprivacy.net reports that the former security guard was sentenced to nine years in prison for installing malware.  Jesse William McGraw was employed by the security company United Protection Service while working as a security guard for Carrell Clinic. He was also the leader of a hacker gang.","Media","","2009","32.802955","-96.769923" "March 11, 2011","OrthoMontana","Billings","Montana","PORT","MED","37,000","The loss or theft of a laptop may have exposed the information of current and past patients. UPDATE (3/16/2011): About 37,000 patients had their information on the laptop.  The types of patient information exposed were not reported; however, the laptop did not contain financial information.","PHIPrivacy.net","","2011","45.783286","-108.500690" "March 18, 2011","City of Cleveland, Texas","Cleveland","Texas","PHYS","GOV","10","Someone found 10 completed job applications in a public recycling dumpster. 
The applicants had applied for a position as a municipal court judge with the city of Cleveland and had been rejected. The applications included names, Social Security numbers, contact information, driver's license numbers, reference contact information and other information typically found on a job application.","Databreaches.net","","2011","30.341320","-95.085489" "March 18, 2011","Spoiled Rotten Spa","Aptos","California","INSD","BSR","0","The Spoiled Rotten Spa owner was arrested and charged with fraudulently using customer credit card information. Additionally, the owner sold gift certificates to her spa after she had been evicted and could no longer honor them.","Databreaches.net","","2011","36.977173","-121.899402" "March 18, 2011","Wheeler and Associates CPA","Boca Raton","Florida","STAT","BSO","0","Computers and hard drives were stolen during an office burglary that occurred on or around January 3, 2011. The computers contained names, Social Security numbers and addresses. All of the stolen hardware was recovered shortly thereafter, but some of it had already been overwritten with new programs and was ready to be resold by the thieves.","Databreaches.net","","2011","26.358689","-80.083098" "March 18, 2011","Randstad Professionals","Wakefield","Massachusetts","DISC","BSO","0","A file with images of 1099 tax forms was sent as an attachment in an email to an outside contractor for Randstad Professionals. It contained the names and Social Security numbers of an unspecified number of consultants. The mistake was realized in less than forty minutes and the contractor was asked to destroy the information from the email.","Databreaches.net","","2011","42.506484","-71.072831" "March 18, 2011","Instant Tax Service","Anderson","Indiana","PHYS","BSF","0","A pile of burned tax documents was found outside of Instant Tax Service.  Names, Social Security numbers, wages and contact information were still visible on the documents.  
Employees denied that they were responsible and claimed that their office possessed a shredder.","Databreaches.net","","2011","40.105320","-85.680254" "March 17, 2011","Walnut Township School District","Millersport","Ohio","HACK","GOV","80","A hacker accessed the District's payroll records sometime between March 14 and March 15. Names, Social Security numbers, and other information found on payroll records may have been exposed. The breach affected 2008 school personnel.","Databreaches.net","","2011","39.900064","-82.534048" "March 14, 2011","Virginia Polytechnic Institute and State University (Virginia Tech)","Blacksburg","Virginia","HACK","EDU","370","A virus infected a Virginia Tech computer on February 15 and sent Social Security numbers and some financial information overseas. The virus was discovered on February 23. Certain current and former employees were affected.","Databreaches.net","","2011","37.229573","-80.413939" "March 15, 2011","Nation's Giant Hamburgers","Vacaville","California","CARD","BSR","200","Over 200 cases of identity theft were traced to Nation's Giant Hamburgers in Vacaville, CA. The cause of the breach was said to be a problem with the credit card machines in the store. The time period when customers using credit cards would have been affected was not reported.","Databreaches.net","","2011","38.356577","-121.987744" "March 21, 2011","Portland Veterans Affairs Medical Center","Portland","Oregon","PHYS","GOV","50","Between 50 and 75 patient ID cards were lost in January. Social Security numbers, dates of birth and other personal information were on the cards. The cards had previously been mailed to the wrong addresses and were being stored in the hospital's enrollment office.","PHIPrivacy.net","","2011","45.523452","-122.676207" "March 22, 2011","Bloomfield Hills School District","Bloomfield","Michigan","DISC","GOV","321","An Excel document with the names and Social Security numbers of 321 staff personnel was sent to two parents. 
Only limited information of staff with salaries of $100,000 or more should have been disclosed. The two parents are upset that they were named in the notification since they played no part in the District's mistake.","Databreaches.net","","2011","42.575567","-83.272411" "March 24, 2011","TripAdvisor","Newton","Massachusetts","HACK","BSO","0","TripAdvisor community members received notification that an unauthorized third party had obtained a list of user emails. Passwords and financial information were not exposed. Only a portion of users were affected and TripAdvisor is not sure when the breach occurred. TripAdvisor.com is the world's largest travel related site.","Media","","2011","42.337041","-71.209221" "March 26, 2011","Maryville Academy","Des Plaines","Illinois","PORT","GOV","3,897","Three secondary back-up portable hard drives were taken from a locked room sometime between January 25, 2011 and February 1, 2011.  The personal information that may have been exposed includes names, dates of birth, family history, medical and behavioral health services, medications, treatment plans, and for some people, Social Security numbers.  Residents and clients who received services between 1992 and January of 2011 may have been affected.","PHIPrivacy.net","","2011","42.033362","-87.883399" "March 28, 2011","The Briar Group LLC","Boston","Massachusetts","HACK","BSR","0","A series of breaches at Briar Group restaurants dating back to 2009 led the company to pay $110,000 in civil penalties to the Commonwealth of Massachusetts. Briar Group was fined for failing to protect the payment card data of tens of thousands of consumers. In addition to having poor data protection practices like allowing employees to share computer passwords and failing to secure network wireless connections, Briar Group was determined to have not responded appropriately when customer data was compromised. 
A lawsuit alleges that hackers installed and used malicious software to obtain customer debit and credit card information from the Briar Group's computers. The malicious software was on the computers from April 2009 to December of 2009 and the company continued to allow the use of credit and debit cards despite being aware that their computer system had been compromised. The Briar Group agreed to comply with Massachusetts data security regulations, comply with the Payment Card Industry Data Security Standards, develop a secure password management system and implement information security measures.","Databreaches.net","","2011","42.358431","-71.059773" "March 29, 2011","BP Global","New Orleans","Louisiana","PORT","BSO","13,000","An employee lost a laptop that contained the personal information of people who were seeking compensation for damages caused by BP's 2010 oil spill. The laptop was lost on March 1 of 2011 while the employee was traveling for business. It contained a spreadsheet with claimant names, Social Security numbers, addresses and phone numbers.","Databreaches.net","","2011","29.964722","-90.070556" "March 26, 2011","Portland Center for the Performing Arts (PCPA)","Portland","Oregon","HACK","BSO","864","The PCPA website was hacked sometime between December 20, 2010 and March 15, 2011. Ticket purchases for PCPA events were not involved since the Ticketmaster website is responsible for those purchases. Information from a total of 864 gift card purchases from the PCPA website between January 1, 2006 and March 15, 2011 was compromised. The total number of customers affected is likely to be lower than 864 since some customers purchased more than one gift card.","Databreaches.net","","2011","45.523452","-122.676207" "June 26, 2010","New York Life Insurance Company","Sacramento","California","INSD","BSF","114","A woman was sentenced to 30 months in federal prison for access device fraud. 
Stephanie Fahlgren was arrested in July of 2009 after it was determined that she had obtained and misused the personal and financial information of more than 114 people. She obtained access to the New York Life Insurance Company's computer database by using the login information of a Sacramento insurance agent. The database contained personal and medical information of prospective life insurance purchasers. Fahlgren used the information between June and November of 2008, to open lines of credit and obtain credit cards in the names of those people. The amount of restitution owed to the fraud victims will be determined in July of 2010.","Databreaches.net","","2010","38.581572","-121.494400" "March 4, 2011","University of South Carolina","Sumter","South Carolina","HACK","EDU","31,000","A computer security problem may have exposed the information of faculty, staff, retirees and students on eight University system campuses. Social Security numbers and other private information could end up on the internet.","Databreaches.net","","2011","33.920435","-80.341469" "March 30, 2011","NYU Langone Medical Center","New York","New York","STAT","MED","670","A desktop computer was stolen from an NYU School of Medicine Faculty Group Practice physician's office on January 27, 2011.  It contained names, dates of birth, medical record numbers, home addresses and patient occupations.   Information from 670 patients who visited the Langone Medical Center between April 4, 1999 and September 30, 2008 was stored on the computer.","PHIPrivacy.net","","2011","40.714353","-74.005973" "April 1, 2011","iTunes (Apple)","Cupertino","California","HACK","BSR","0","Following a wave of iTunes fraud in 2010, iTunes users are experiencing another wave of hackers using their accounts to make fraudulent purchases. The hackers purchase music, gift cards, games, ringtones, and apps by accessing customer credit card information and modifying billing addresses. 
Some of these incidents result in hundreds of dollars of fraudulent purchases. Apple has yet to comment on the situation.","Databreaches.net","","2011","37.322998","-122.032182" "April 6, 2011","Hartford Life Insurance Company","Hartford","Connecticut","HACK","BSF","300","People who logged into Hartford's server between February 22 and February 28 are being notified of a possible breach. The firm's Windows servers were hacked and employee, contractor and some customer information may have been exposed by the breach. Social Security numbers, user account logins and passwords, bank account numbers and credit card numbers may have been exposed.","Databreaches.net","","2011","41.763711","-72.685093" "April 6, 2011","US Airways","Tempe","Arizona","INSD","BSO","0","The US Airlines Pilot Association (USAPA) is upset that US Airways failed to reveal a breach of sensitive and confidential pilot information.  A management pilot obtained and sent a sensitive database that contained the personal information of thousands of US Airways pilots.  Names, Social Security numbers, and addresses were exposed.  The database was given to a third party pilot group.  The FBI has not determined the extent of the breach. A USAPA member said that there is a possibility that the sensitive information of pilot family members was also exposed since US Airways collects this information as well.  US Airways also collects the credit card numbers of passengers, but there were no reports of this information being exposed by the breach.  USAPA has been working with the FBI since November of 2010 to determine the scope of the breach.  It is possible that someone could use pilot passport numbers and residential addresses to pose as a pilot and create a threat to national security. USAPA is accusing US Airways of denying the breach and failing to discipline the employee responsible for the breach. 
US Airways has informed USAPA that it is relying on the assurances of the parties responsible for the data breach that the confidential information will not be misused.","Databreaches.net","","2011","33.414768","-111.909310" "April 8, 2011","Family Planning Council","Philadelphia","Pennsylvania","INSD","MED","70,000","A flash drive was discovered missing from an office on December 28, 2010. It and other items that did not contain patient personal information are presumed to have been stolen by a former employee who left at the end of December. The former employee has an extensive criminal background and was arrested on February 9. Authorities involved in the criminal investigation requested that notification of the breach be delayed due to the investigation. The flash drive contained the personal and medical records of about 70,000 patients. Patient names, Social Security numbers, addresses, phone numbers, dates of birth and other information, including insurance information and medical information, were exposed. As a result of the breach, The Family Planning Council will no longer allow unencrypted information to be stored on removable hardware.","Databreaches.net","","2011","39.952335","-75.163789" "April 8, 2011","V.A. Medical Center","Aiken","South Carolina","PHYS","GOV","2,600","A V.A. employee may have thrown the personal information of over 2,600 veterans into the trash. The breach was originally discovered over a month before the official notification and reported by a news channel. The V.A. admitted that appointment records with Social Security numbers, dates of birth and other information were accidentally thrown into the trash instead of being shredded. The records were from January 2010 through January 2011.  
All veterans from that period were contacted, but not all were affected.","Databreaches.net","","2011","33.560417","-81.719553" "April 8, 2011","Maine State Prison","Warren","Maine","UNKN","GOV","117","A prisoner filed false individual income tax returns by using the names and Social Security numbers of other prisoners without their permission.  On February 4, 2011 the man pleaded guilty to charges related to submitting 117 false tax returns between 2005 and December 2009. He was sentenced to an additional 57 months in prison and three years of supervised release.  The prisoner filed for $515,000 in false tax refunds while incarcerated. ","Databreaches.net","","2011","44.120358","-69.240045" "April 7, 2011","Town of Barton","Barton","Vermont","HACK","GOV","150","Spyware was discovered on a computer used at the town offices.  A payroll program was affected. It is not clear if Social Security numbers and other personal information were accessed.  About 150 people may have had their personal information exposed.  Current and former town employees were notified about the breach via mail.","Databreaches.net","","2011","44.748105","-72.176213" "March 22, 2011","Laredo Independent School District","Laredo","Texas","PORT","EDU","24,903","A disk that contained the Social Security numbers of all students in the Laredo Independent School District was lost or stolen sometime prior to February of 2011. UPDATE (4/7/2011): Between August 2010 and January 2011, CDs that were mailed to the Texas Education Agency (TEA) were lost.  The CDs were unencrypted and contained student Social Security numbers, dates of birth and ethnicity.  The CDs were sent to TEA so that identifying information could be removed and the information could be passed along to the University of Texas at Dallas Education Research Center.  According to a TEA spokesperson, Laredo ISD’s data set is missing from a set of other district information that was sent. 
Though the TEA claims that only Laredo student information was exposed, the information of 164,406 students from eight Texas school districts was sent. The information on the unencrypted disks goes back 20 years.  This information includes current and former students in the top 10% of their class who graduated between 1992-2010 from Crowley, Harlingen, Round Rock, Killeen, Richardson, Irving, Mansfield, and Grand Prairie school districts.","Databreaches.net","","2011","27.506407","-99.507542" "July 9, 2010","Emily Morgan Hotel","San Antonio","Texas","PHYS","BSO","17,000","Identity thieves obtained stacks of credit card receipts from one of the hotel's storage rooms in 2006.  Hundreds of thousands of dollars in fraudulent charges were then made in three different states.  Investigators first became aware of a large identity theft issue in the area during the beginning of 2009. UPDATE (12/4/2010): The ringleader pleaded guilty to ID theft fraud conspiracy, access device fraud and conspiracy to launder money. Seven other co-conspirators have been identified. UPDATE (4/7/2011): A former hotel worker faces up to 22 years in prison for stealing customer information and using it to go on a shopping spree.  In 2006, the former employee used credit card receipts from the Emily Morgan hotel in downtown San Antonio to make fraudulent charges totaling $300,000.  This appears to be one of the largest cases in Alamo City’s history.  The accused former employee pleaded guilty to three charges and is scheduled to be sentenced in July.","Databreaches.net","","2010","29.424122","-98.493628" "April 12, 2011","Oklahoma State Department of Health","Oklahoma City","Oklahoma","PORT","GOV","133,000","An agency laptop and 50 pages of medical information were stolen from an employee's car on April 6. A database with information from the Oklahoma Birth Defects Registry was on the laptop. Data from hospital medical records were recorded on the laptop. 
The Oklahoma Birth Defects Registry uses the information to track and reduce the prevalence of birth defects. Notifications of the breach state that parent and child names, Social Security numbers, addresses, birth dates, medical records and medical test results may have been exposed. Notifications also warn that any phone calls or mail sent to home addresses that request Social Security numbers should be thoroughly investigated.","PHIPrivacy.net","","2011","35.467560","-97.516428" "April 11, 2011","Private Dental Practice","Longmont","Colorado","PHYS","MED","0","On April 10, a man looking for scrap metal found a stack of patient records from a dental office. The man reported the incident to local news because of the sensitive nature of the information on the documents. The old records were meant to be shredded, but a new office assistant may have accidentally placed them in the trash instead.  Names, Social Security numbers and other information were exposed.  The dentist immediately responded to the breach after being notified of the mistake. The trash bin where the documents were dumped was brought into the office to prevent further access and remove the documents.","PHIPrivacy.net","","2011","40.167207","-105.101928" "January 28, 2011","University of Iowa Hospitals and Clinics","Iowa City","Iowa","INSD","MED","13","University officials launched an investigation to determine if electronic medical records of 13 Iowa Hawkeyes football players receiving care at the facility were accessed inappropriately.  Speculation about the health of the football players and the causes of their illness had been in the media. UPDATE (2/3/2011): It appears that three workers will be fired and two will be suspended because they inappropriately accessed football player information. UPDATE (2/7/2011): One of the fired workers is challenging allegations that she viewed patient information without authorization.  
She and her representative claim that she did nothing wrong, and that if the accusations were true, viewing computerized medical records for a few seconds should be treated as a minor infraction. UPDATE (4/5/2011): The nurse who challenged her termination has agreed to resign rather than be fired.","PHIPrivacy.net","","2011","41.661128","-91.530168" "April 14, 2011","Social Security Administration (SSA)","Baltimore","Maryland","DISC","GOV","63,587","The Social Security numbers of living people were made available on the Social Security Administration's Death Master File.  This happened twice.  Between July of 2006 and January of 2009, 26,930 people had their Social Security numbers and other identifying information exposed. A warning from the SSA's Office of the Inspector General about privacy risks associated with the report was not enough to prevent the second incident. Between May 2007 and April of 2010, 36,657 people had their full names, Social Security numbers, dates of birth, and last known ZIP code exposed.","Databreaches.net","","2011","39.290385","-76.612189" "April 15, 2011","Jade House Restaurant","Richmond","Indiana","DISC","BSR","15","Restaurant employees were fooled by a scam artist calling and pretending to be a representative of the credit card service provider that the restaurant uses.  The scammer claimed there was a problem with the system.  One or more restaurant employees disclosed sensitive information to the individual.  Customers and the restaurant began seeing fraudulent credit card charges.","Databreaches.net","","2011","39.828937","-84.890238" "April 14, 2011","WordPress","San Francisco","California","HACK","BSO","18,000,000","Hackers accessed several of WordPress's servers. All information on the servers could have been accessed. Source code, API keys and social media passwords may have been exposed. 
Blog comments from WordPress spokespeople reveal the stage of the investigation and that phone numbers and financial information were unlikely to have been exposed.","Databreaches.net","","2011","37.774930","-122.419416" "April 13, 2011","Private Medical Practice","San Antonio","Texas","PHYS","MED","100","A man was linked to the theft of at least 100 medical records.  A surgeon had taken old records home to be shredded; they were stolen from his garage.  There were 34 names, 19 driver's license numbers and many dates of birth.  The thief was caught attempting to sell the information for $250 in June of 2010.  The man pleaded guilty to possessing numerous medical files.","Databreaches.net","","2011","29.424122","-98.493628" "April 13, 2011","Urban Institute, Internal Revenue Service","Washington","District Of Columbia","DISC","GOV","2,300","About 2,300 operating and defunct, small non-profits were victims of identity fraud.  The affected non-profits are all falsely linked to a William Alexander and are mostly religious in orientation.  An Urban Institute online system for the IRS had a loophole that allowed users to register under any false or actual name, enter any non-profit's name and tax ID number and then change the contact information of that non-profit.  The IRS may have identified the affected group of non-profits by publicly targeting them (non-profits with an annual revenue lower than $25,000) and encouraging them to file a yearly tax return. Anyone could have read the published list of non-profits facing revocation of non-profit status and realized that there was an opportunity to register under their name.","Databreaches.net","","2011","38.895112","-77.036366" "April 13, 2011","Albright College","Reading","Pennsylvania","PORT","EDU","10,000","Two laptops were stolen from the College’s financial aid office in February.  The first laptop was stolen between February 11 and 14.  The second was stolen between February 18 and 20.  
College officials delayed notifying the public of the incident until a risk management firm had assessed the extent of the breach.  The laptops contained names, Social Security numbers, dates of birth and addresses. The information may have belonged to faculty, staff, graduates, current and prospective students, spouses of any of these groups and parents of students.  The laptop believed to have the most personal information was recovered from a man who was selling the item for drug money.  ","Databreaches.net","","2011","40.335648","-75.926875" "November 18, 2010","Federal Reserve Bank of Cleveland, FedComp","Cleveland","Ohio","HACK","GOV","0","A foreign national responsible for fraudulently obtaining or holding 400,000 credit card numbers was caught in the U.S. while attempting to meet hackers and utilize stolen financial information. The man is also accused of hacking into the Cleveland Federal Reserve Bank in June, though the amount of information he was able to obtain is unknown and separate from the 400,000 card numbers found on his computer. UPDATE (4/13/2011): The foreign national pleaded guilty to hacking into a computer server belonging to the Federal Reserve Bank and installing malicious code onto that server.  The man had compromised many other computer servers that belonged to large corporations, financial institutions, defense contractors and other groups, and had been selling or trading the information. Because FedComp, a data processor for federal credit unions, was affected, financial information from federal credit unions in various states may have been inappropriately accessed.","Databreaches.net","","2010","41.499495","-81.695409" "April 15, 2011","Rolling Stone, Radar, Corrupted Justice, Nettica, the Rick Ross Institute of New Jersey","","","HACK","BSO","100,000","After a falling out among members of Perverted Justice, a former member attempted to bury two unflattering articles about himself.  
The articles were about his infidelity and were originally published in Rolling Stone and Radar Magazine.  The former member created a virus that spread  over the internet and infected computers across the world.  Approximately 100,000 computers were affected and a botnet was created.  The botnet's goal was to attack websites that published the two articles so that no one could access them.  The former member was sentenced to three years of supervised release and ordered to pay $90,386.34 in restitution.","Databreaches.net","","2011","37.090240","-95.712891" "April 4, 2011","Applied Micro Circuits Corporation","Sunnyvale","California","PORT","BSR","0","The February 23, 2011 theft of a laptop may have exposed the names and Social Security numbers of current and former employees. The laptop was stolen from an employee’s car. Those who were affected were sent notification on March 23.","Databreaches.net","","2011","37.368830","-122.036350" "March 26, 2011","Killeen Independent School District (KISD)","Killeen","Texas","PHYS","EDU","58","A man found student documents near a freeway. A list of student names and their Social Security numbers was found; but it is unclear if teacher evaluations and grade books were also found. KISD said that there were no specific policies for shredding confidential KISD information.UPDATE (4/13/2011):  Notification letters were sent to the homes of 58 students. The Social Security numbers of those students may have been exposed.","Databreaches.net","","2011","31.117119","-97.727796" "April 18, 2011","UMass Memorial Healthcare","Worcester","Massachusetts","DISC","MED","13,500","Employees were able to access the pay stub information of other employees at shared workstations.  Any UMass Memorial employee who accessed their HRConnect by using one of the 10 malfunctioning kiosks or shared workstations between October 7 and March 11, 2011 may have been affected.  The problem was fixed as of March 16.  
Employees were able to access the names, bank names, bank transit numbers and bank account numbers of previous employees who had used the kiosks to connect to HRConnect. The portion of the 13,500 employees who were affected is unknown.","Databreaches.net","","2011","42.262593","-71.802293" "April 20, 2011","Texas Health Arlington Memorial Hospital","Arlington","Texas","DISC","MED","654","Patient information was exposed during the process of converting information systems and processes to the same system as the other hospitals in the Texas Health group.  A switch between Texas Health Arlington and SandlotConnect was turned on December 23, 2010.  This allowed health information to go to SandlotConnect, a health information exchange, after patients signed an authorization form and the patients' accounts were marked to permit the exchange of information.  It was later determined that the SandlotConnect authorization form was not presented to patients at the time of registration since Texas Health Arlington employees were not aware that the switch had been turned on; registration employees were also marking patients' accounts incorrectly.  The switch was turned off and no further health information was sent after the breach was discovered on January 26, 2011.  Each of the affected patients had their accounts marked as not participating in the health information exchange and Texas Health Arlington worked with Sandlot to shield the information from being further used or disclosed.  Texas Health Arlington registration employees also received additional training on the Sandlot Connect health information exchange process.  It appears that a majority of the accounts were accessed by Sandlot employees in order to shield the affected patients' health information.  Some SandlotConnect accounts were accessed by authorized health care providers for treatment purposes.  
","HHS via PHIPrivacy.net","","2011","32.735687","-97.108066" "April 18, 2011","Southwest Ambulance","Mesa","Arizona","INSD","MED","581","Patient files dating back several years were discovered in the vacated residence of a former employee of Southwest Ambulance.  The employee used the records for training purposes.  The records included patient names, financial information and medical treatment information.  There is no evidence that the information was used in an inappropriate manner.","PHIPrivacy.net","","2011","33.422269","-111.822640" "April 14, 2011","Central Brooklyn Medical Group PC, Preferred Health Partners","New York","New York","PHYS","MED","500","On August 3, 2010 paper records were discovered stolen. It is not clear who the paper records belonged to, where they were stolen from, and what type of information the records contained. ","HHS via PHIPrivacy.net","","2011","40.714353","-74.005973" "April 14, 2011","Fairview Health Services","Minneapolis","Minnesota","PHYS","MED","1,200","About 1,200 patient records were stored in a box and marked for shipping to a new office location. The box never arrived and was reported missing on February 21, 2011. Patient billing records with names, dates of birth and medical information may have been exposed. The records are used to process insurance claims. Any patient admitted to Fairview Southdale Hospital in Edina between April of 2010 and February of 2011 may have had their information exposed.","PHIPrivacy.net","","2011","44.979965","-93.263836" "March 26, 2011","Memorial Health Services, MemorialCare Health System","Long Beach","California","INSD","MED","2,250","Patient information was inappropriately accessed by a former employee.  The information included patient names, Social Security numbers, addresses, phone numbers, dates of birth, account numbers and reasons for admission.  The former employee appears to have caused breach incidents in 2009 and 2010. 
","HHS via PHIPrivacy.net","","2011","33.804167","-118.158056" "March 3, 2010","7-Eleven","Martinez","California","CARD","BSR","200","Two men were charged with placing skimming devices on 7-Eleven gas pumps across central and northern California.  The men both face 32 counts of identity theft and conspiracy charges. At least eleven skimmers were found on gas pumps.UPDATE (10/13/10):  A third suspect has been linked to these incidents and now faces similar charges.UPDATE (1/11/11): Over 200 people were affected.  Two of the four members of the fraud group were sentenced.  Two other members await sentencing.","Databreaches.net","","2010","38.019366","-122.134132" "April 22, 2011","U.S. District Court for the Middle District of Alabama","Montgomery","Alabama","DISC","GOV","40","U.S. District Court personnel mistakenly believed that sealed records could be made available on a system called PACER.  PACER is a web-based records system.  Nearly a million defense lawyers, prosecutors, journalists, private investigators, government officials and researchers who use PACER could have accessed about 40 sealed records for as long as nine months.  The records were sealed court applications filed by 10 separate federal prosecutors in Alabama. Information in the records included installing hidden surveillance cameras, examining Facebook records, obtaining credit information, procuring telephone records and tracking calls. Specific names, addresses, and phone numbers were exposed. The information was removed from PACER on April 21.","Databreaches.net","","2011","32.366805","-86.299969" "April 21, 2011","ABM Industries","Atlanta","Georgia","STAT","BSO","91","Televisions, mobile telephones and computers were stolen during a March 5, 2011 office burglary.  One of the stolen computers contained tax reporting information, including Social Security numbers, for individuals employed by ABM in 2007 and 2008.  One suspect was arrested sometime around March 22. 
The stolen computer was not recovered and ABM began notifying current and former employees of the breach on April 15.","Databreaches.net","","2011","33.748995","-84.387982" "April 21, 2011","Infogroup","Omaha ","Nebraska","HACK","BSO","0","A small number of computers used to process customer orders were discovered to be infected with a virus. The virus may have compromised a small number of payment transactions which included credit card numbers and related information collected to process transactions. The total number of customers affected and the date the computers were first infected with the virus were not disclosed.","Databreaches.net","","2011","41.252363","-95.997988" "April 29, 2011","Omnicare Inc.","Covington","Kentucky","PORT","MED","8,845","The January 19, 2011 theft of a laptop resulted in the exposure of patient information.  The laptop was used by a Consultant Pharmacist who routinely visits nursing homes and rehabilitation facilities in South Carolina to assist physicians in prescribing appropriate medication therapies. Social Security numbers and an undisclosed amount of health information from residents were stored in a database on the laptop.","PHIPrivacy.net","","2011","39.083671","-84.508554" "April 21, 2011","GoGrid LLC.","San Francisco","California","HACK","BSO","40","An unauthorized third party may have viewed account information sometime between November 2008 and the end of March 2011. The intrusion was discovered during a regular review of system activity by GoGrid's Security Team. Names, addresses, and payment card data such as cardholder name, card account number and expiration date were involved. 
The number of unauthorized access incidents between November 2008 and March 2011 was not revealed.","Databreaches.net","","2011","37.774930","-122.419416" "April 21, 2011","Qdoba Mexican Grill","Clive","Iowa","HACK","BSR","12","Over a dozen customers of Qdoba discovered fraudulent charges to their bank accounts after making purchases at the restaurant. The number of affected individuals appears to be 12-18 as of April 21.  People discovered charges ranging from a few hundred dollars to one thousand dollars.  The cause of the breach may be a computer hacker who somehow accessed the financial clearing house used by Qdoba to process credit and debit card transactions.  ","Databreaches.net","","2011","41.607590","-93.798782" "March 9, 2011","Penn Mutual Life Insurance","Philadelphia","Pennsylvania","INSD","BSF","0","In late January or early February, Penn Mutual sent notification that a dishonest employee is likely to have accessed and disclosed customer information.  Names, Social Security numbers, addresses, dates of birth and bank account information may have been exposed. Penn Mutual was unable to determine which customers were affected. UPDATE (4/21/2011): The employee and 15 others involved in an identity theft ring have been identified.  The Penn Mutual employee and insiders from other organizations sold customer information to the ring leader.","Databreaches.net","","2011","39.952335","-75.163789" "April 19, 2011","Central Ohio Technical College (COTC)","Newark","Ohio","PHYS","EDU","617","An enclosed file cabinet with student registration cards was left unattended for a short period of time. The cabinet was moved to a temporary storage facility while the Student Records Management Office prepared to move to a new location in the same building. The cabinet should not have been left unattended; it contained Social Security numbers for students who registered for the fall quarter of 2010 at any COTC campus.  
The incident occurred on March 10 and notifications were sent to students on April 14.","Databreaches.net","","2011","40.058121","-82.401264" "April 20, 2011","Institute of Electrical and Electronics Engineers (IEEE)","Piscataway","New Jersey","HACK","NGO","828","In mid December of 2010, IEEE learned that its database had been compromised multiple times. On or around February 10 of 2011, a team of investigators discovered that a file containing customer credit card information had been deleted on or around November 17, 2010.  An unauthorized person may have obtained access to credit card numbers and the associated names, expiration dates and security numbers located on this file.","Databreaches.net","","2011","40.539717","-74.466419" "April 20, 2011","Blockbuster Inc.","San Diego","California","PHYS","BSR","0","A box of employee files and completed job applications was found outside of a Blockbuster store by a concerned citizen. The store was scheduled to close. The documents inside the boxes should have been shredded. Names, addresses, Social Security numbers and other information associated with employees and job applicants were exposed. Some of the information included surveillance descriptions about and confessions from employees who were fired from the Blockbuster. Blockbuster stated that the incident was against their corporate policies and agreed to shred the information.","Databreaches.net","","2011","32.715329","-117.157255" "November 18, 2009","Health Net","Shelton","Connecticut","PORT","MED","1,500,000","The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan and the drive included health information, Social Security number and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. 
The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected. UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA. UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.UPDATE (1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company's information security programs throughout the next two years.","Dataloss DB","","2009","41.316486","-73.093164" "January 6, 2010","Eugene School District","Eugene","Oregon","HACK","EDU","13,000","Hackers breached the security of a computer server containing the names, phone numbers and employee ID numbers of current and former Eugene School District employees. The server in question did not contain other personal information but was attached to servers that contain Social Security numbers and other sensitive data. 
It is possible that the individuals responsible may have accessed names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information for current and former staff members.","Dataloss DB","","2010","44.052069","-123.086754" "December 4, 2009","Eastern Illinois University","Charleston","Illinois","HACK","EDU","9,000","A computer was compromised by a virus. It caused the University’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server. The incident was discovered during a routine security check. The investigation later determined the breach extended to two other computers with personal data from student files or applications. ","Dataloss DB","","2009","39.496146","-88.176152" "January 27, 2010","University of California, San Francisco (UCSF) School of Medicine","San Francisco","California","PORT","MED","7,300","A laptop containing files with information on 4,400 patients was stolen from a UCSF School of Medicine employee. Information “potentially exposed” included name, medical record number, age and clinical information, but the stolen laptop did not contain any Social Security numbers or other financial data. The same laptop also contained data for approximately 2,900 patients at Beth Israel Deaconess Medical Center in Boston.","Dataloss DB","","2010","37.774930","-122.419416" "January 28, 2010","PricewaterhouseCoopers","New York","New York","UNKN","BSO","77,000","The names, birth dates and Social Security numbers of 77,000 people were lost in their Chicago office. The people at risk for identity theft are those who were in the PERS and TRS system in 2003-04 as active or inactive employees or retirees. PricewaterhouseCoopers has agreed in a settlement to pay for credit monitoring and other security measures and cover any losses to individuals caused by its mishandling of the information. 
A number of people associated with the State of Alaska had their information exposed.","Dataloss DB","","2010","40.714269","-74.005973" "November 20, 2009","University Medical Center","Las Vegas","Nevada","INSD","MED","0","Someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries. Private information about accident victims treated at University Medical Center has apparently been leaking for months; allegedly so ambulance-chasing attorneys could mine for clients. UPDATE (4/29/10): A man was indicted today by a federal grand jury in an alleged conspiracy to pay a University Medical Center employee for private information about traffic accident victims that was used to drum up clients. The man was indicted on one count of conspiracy to illegally disclose personal health information, in violation of the Health Insurance Portability and Accountability Act, better known as HIPAA. Between January and November 19, 2009 the man allegedly conspired with people, including a UMC employee, to use hospital ""face sheets"" to solicit personal injury cases for attorneys. The UMC employee faxed the registration sheets of trauma patients to the man on at least 55 occasions and was paid about $8,000, the indictment said. The U.S. Attorney's press release said the man has been summoned for a May 14 hearing. If convicted, he faces up to five years in prison and a $250,000 fine.UPDATE (5/11/2011): A man responsible for the breach was sentenced to 33 months in prison and three years of supervised release.  
He had been charged with conspiracy to illegally disclose personal health information.","Dataloss DB","","2009","36.114646","-115.172816" "May 6, 2011","E-Pro Tax Service, Emory Healthcare","Chicago","Illinois","INSD","BSF","13,079","An investigation into a few stolen Social Security checks that had been fraudulently deposited into Duluth banks uncovered three separate identity theft rings.  At least six conspirators managed to defraud 5,779 people.  A former real estate broker created a tax service company in order to access credit reports from a third-party credit reporting agency.  Names, dates of birth and Social Security numbers were exposed.  The former real estate agent then made about $2.5 million by stealing Social Security checks, filing 393 fraudulent tax returns and passing counterfeit checks.  After police linked her to the stolen Social Security checks, they searched her home and found boxes of financial documents which included old mortgage applications, tax forms and HUD documents.  Investigators have not charged any other conspirators and do not believe that the woman was the head of the operations. UPDATE (10/24/2011): More organizations were linked to the breach when investigators searched the dishonest employee's home.  The dishonest employee had a connection with someone who used to work as a clerk at the hospital.  More than 3,000 patient bills containing names, Social Security numbers, dates of birth, and other confidential information were printed by the inside contact.  The hospital bills of at least 32 Emory orthopedic clinic patients were stolen and used to file fraudulent tax returns.  Nine patients became identity theft victims. 
Emory notified 7,300 employees of the breach and had fired the dishonest clerk in July.","Databreaches.net","","2011","41.878114","-87.629798" "January 1, 2010","Washington Department of Corrections, Larch Corrections Center","Tumwater","Washington","PHYS","GOV","43","A briefcase full of sensitive personnel records was stolen from the vehicle of a Larch Corrections Center manager. Larch human resources manager reportedly took the records home over last weekend to review them, then left his briefcase on the seat of his car while he worked out at the 24-Hour Fitness Center. While he was inside, someone smashed a window in the car. He returned to find the briefcase and 43 files missing. Others had spilled out of the briefcase inside the car. He took the files home to conduct an annual review required by the U.S. Department of Homeland Security. The files contained forms known as I-9s, which provide documentation that employees are legally able to work in the United States. They included driver’s license and Social Security information such as home addresses and dates of birth.","Dataloss DB","","2010","47.007319","-122.909306" "February 4, 2010","Ceridian Corporation","Bloomington","Minnesota","HACK","BSF","27,000","A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet payroll system Dec. 22 and 23.UPDATE (6/1/2011): The Federal Trade Commission reached a settlement agreement with Ceridian.  According to the FTC, Ceridian did not adequately protect its network from reasonably foreseeable attacks and failed to encrypt the sensitive personal information that was stored on its network.  
The settlement requires the company to establish a comprehensive information security program and to undergo 20 years of independent security audits.  Ceridian provides payroll and HR services.","Dataloss DB","","2010","44.840798","-93.298280" "January 12, 2010","Valley Kaiser, Kaiser Permanente","Sacramento ","California","PORT","MED","15,500","An electronic storage device stolen from an employee's car in Sacramento last month contained health information from 15,500 patients, including about 800 in the Fresno area. Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.","Dataloss DB","","2010","38.581572","-121.494400" "January 3, 2010","Logan International Airport ","Boston","Massachusetts","INSD","GOV","16","A Lynn couple is accused of selling the identities of at least 16 TSA workers at Logan. The ID data was taken by a female TSA contract worker who is related to one of the two Lynn suspects. The couple got the stolen TSA employee names from their niece, a contract clerical worker in the TSA human resources department at Logan. She no longer works there. The couple sold the names, Social Security numbers and dates of birth for $40 each to a contact who set up phony cable, gas and cell phone accounts.UPDATE (12/17/10): One member of the couple pleaded guilty to conspiracy, misrepresenting a Social Security number with intent to defraud, possessing 15 or more unauthorized access devices with intent to defraud and aggravated identity theft. The other member of the couple previously pleaded guilty to other charges.  Sentencing is scheduled for February and March of 2011.UPDATE (5/17/2011): Michael Derring, AKA Michael Washington, was sentenced to five years of prison for his role in selling personal information of TSA workers. 
He was also sentenced to three years of supervised release and ordered to pay more than $50,000 in restitution.  ","Dataloss DB","","2010","42.358431","-71.059773" "March 4, 2010","Wake Forest United Baptist Medical Center (WFUBMC)","Winston-Salem","North Carolina","PORT","MED","554","A bag containing a document with the names and Social Security numbers of 554 patients was stolen from an employee's locked car.UPDATE (6/2/2011): The theft occurred on February 15 at an outpatient clinic parking lot.  ","HHS via Databreaches.net","","2010","36.099860","-80.244216" "January 14, 2010","Defense Finance and Accounting Service/ Defense Department’s Document Automation and Production Service","Arlington","Virginia","DISC","GOV","18,000","An error at the U.S. Department of Defense Document Automation and Production Service caused pay statements containing names and sensitive information about the finances of about 18,000 recipients of a special pay for disabled retirees to be sent to wrong addressees. The statements, a page of which contained information about annual increases in Concurrent Retirement and Disability Pay, mistakenly listed data including at least a portion of another recipient’s name, their bank or insurance company name, the amount of their allotment and the allotment type. There is “no indication” that any Social Security numbers, bank account numbers or phone numbers were listed on the erroneously mailed pages.","Media","","2010","38.890390","-77.084145" "January 27, 2010","Seattle Municipal Court","Seattle","Washington","INSD","GOV","0","A former customer service representative sold the names and credit card information of court customers to ID thieves who then used the information to make fake credit cards in the victims' names.UPDATE (6/24/2011):  The leader of an ID theft ring was sentenced to five years in prison, five years of supervised release and over $220,000 in restitution for bank fraud and aggravated identity theft on June 17, 2011.  
The information that the ID thieves obtained from the Seattle Municipal Court employee included the personal information and credit card numbers of people who used credit cards to pay parking and traffic fines.  One member of the ID theft ring also managed to obtain financial information from the customers of an unnamed fast food restaurant where the defendant worked.  At least five people participated in the ID theft ring.","Databreaches.net","","2010","47.606210","-122.332071" "March 13, 2010","TD Bank","Mount Laurel","New Jersey","INSD","BSF","0","A former TD Bank employee provided information to outside accomplices who stole over $200,000 from customer accounts. The insider passed along driver's license numbers and bank account numbers.UPDATE (8/7/2011): A fraud ring involving insiders at multiple TD Banks in South Jersey was uncovered.  A federal trial will begin in October.  The members of the fraud group are accused of stealing more than $400,000 from customers and banks between November 2005 and May 2010.  Six members are part of the 148-count indictment.  The scheme involved obtaining customer ID data, creating false ID photos with customer data and using the phony IDs to access customer accounts. Investigators were able to raid the ring leader's home on June 7 after catching a few of the ring members posing as customers.","Databreaches.net","","2010","40.008333","-74.791389" "September 2, 2010","Carpenters' District Council of Greater St. Louis and Vicinity","St. Louis","Missouri","DISC","BSO","0","Social Security numbers were printed on the outside of envelopes mailed to beneficiaries of the pension fund. It is unclear how many of the 24,000 members had their information mailed before the error was discovered.","Databreaches.net","","2010","38.646991","-90.224967" "July 21, 2010","Lincoln National Life Insurance","Radnor","Pennsylvania","DISC","BSF","26,840","A vendor printed a user name and password for agents and authorized brokers in a brochure.  
The brochure was also posted on an agent's public website.  The login information enabled access to a website containing medical records and other personal information from individuals seeking life insurance.  Applicant names, Social Security numbers, addresses, policy numbers, driver's license numbers and credit information are also on the website.  ","Databreaches.net","","2010","40.046221","-75.359911" "July 13, 2010","Carolina Center for Development and Rehabilitation","Charlotte","North Carolina","PHYS","MED","1,590","After a doctor left office cleaning to his sons, they mistakenly threw out hundreds of medical records. The medical records were left in a public recycling bin and included medical histories, pictures of patients and Social Security numbers. UPDATE (7/31/10): The psychologist has contacted 1,590 of his patients. UPDATE (9/7/2011): The psychologist has paid $40,000 for violating state regulations by illegally dumping files containing patients' financial and medical information.  This information included names, Social Security numbers, addresses, dates of birth, drivers' license numbers, insurance account numbers, and health information.","NAID","","2010","35.227087","-80.843127" "February 2, 2010","P.F. Chang's Bistro","Scottsdale","Arizona","STAT","BSR","8,181","According to notification letters from the company: ""Password protected electronic equipment belonging to the Company was stolen"" on December 19 of 2009.  Some current and former employee information was on the equipment. Employee dates of birth and Social Security numbers may be at risk. 
Reports state that 73 employees from New Hampshire, 1,823 from Massachusetts, and 3,080 from New York were affected.UPDATE (8/09/10): Another 3,205 people who are residents of Maryland were affected.","Databreaches.net","","2010","33.494170","-111.926052" "January 18, 2010","Goodwill Industries of Grand Rapids ","Kentwood","Michigan","PORT","NGO","10,000","A man broke into a Goodwill store and stole a safe, but instead of money that thief got the names, addresses, dates of birth, and Social Security numbers from thousands of people.","Dataloss DB","","2010","42.869473","-85.644749" "January 18, 2010","City of Oakridge","Oakridge","Oregon","DISC","GOV","0","A list of the names, addresses and Social Security numbers of employees of the City of Oakridge was sent out with monthly water bills. The town has about 1,400 households. The city has signed up all employees for a credit monitoring service. The city does not know how many people received the list of employee information in a newsletter included with their water bill.","Dataloss DB","","2010","43.746512","-122.461716" "May 19, 2009","National Archives and Records Administration","College Park","Maryland","PORT","GOV","250,000","The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. The Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing.","Dataloss DB","","2009","38.980666","-76.936919" "June 1, 2009","University of Nevada - Las Vegas","Las Vegas","Nevada","HACK","EDU","20","A UNLV computer was compromised and may have allowed loss of some personal data. 
The College of Sciences recently sent a letter to about 20 students as officials became aware of a virus affecting a computer in the College. The College found no information was leaked, but for legal reasons they still sent the letter.","Media","","2009","36.114646","-115.172816" "June 8, 2010","Bank of America","Sun City","Florida","INSD","BSF","0","An employee in one of Bank of America's customer call centers has admitted he stole sensitive account information and tried to sell it for cash. The man met with two individuals whom he later learned were undercover FBI agents and offered to sell them names, dates of birth, telephonic passwords, and other details for Bank of America customers, according to court records. He was looking for accomplices who knew how to milk the accounts by establishing phony credit cards in the customers' names or through other means.","Dataloss DB","","2010","27.678056","-82.478889" "July 24, 2009","Hampton Redevelopment and Housing Authority","Hampton","Virginia","DISC","NGO","900","The Social Security numbers and other personal information of nearly 900 people who were banned from public housing in Hampton were accidentally given to a resident who requested the information. A housing authority employee printed a spreadsheet and mailed it but forgot to exclude the personal information.","Dataloss DB","","2009","37.029869","-76.345222" "August 11, 2009","Citigroup Inc.","New York","New York","CARD","BSF","0","Citigroup (NYSE:C) recently issued replacement cards to consumers and told them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts that their account numbers may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use. 
Bank officials are not certain if this is a new breach or a previously disclosed one.","Media","","2009","40.714269","-74.005973" "January 21, 2010","Columbus Public Health","Columbus","Ohio","UNKN","GOV","400","An investigation is under way after hundreds of city health workers’ personal information was stolen. Investigators have identified a person of interest in connection with the stolen information. The person of interest was an employee within the department over the past three years. Current employees and those who previously worked at the department within the last three years may be affected","Dataloss DB","","2010","39.961176","-82.998794" "February 6, 2009","Kaiser Permanente","Oakland","California","INSD","MED","29,500","A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. Kaiser Permanente is notifying nearly 30,000 Northern California employees that the security breach may have led to the release of their personal information. The stolen information included names, addresses, dates of birth and Social Security numbers for Kaiser employees.UPDATE (9/28/2011): A former benefits clerk from Service Employees International Union-affiliated United Healthcare Workers West (SEIU-UHW) was sentenced to 12 years and four months in prison for stealing Kaiser union employee information.","Databreaches.net","","2009","37.804372","-122.270803" "September 25, 2009","University of North Carolina, Chapel Hill","Chapel Hill","North Carolina","HACK","EDU","236,000","A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. The Social Security numbers of 163,000 participants were among the information exposed. 
The data is part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina.UPDATE (10/6/10): A lead researcher at the University is fighting a demotion and pay cut that resulted from the data breach in the medical study she directs.  It appears that the incident first occurred in 2007 and was not discovered until 2009.  An attorney representing the researcher claims that his client is not at fault because the University knew that the program's computer system had security deficiencies in 2006.  The University claims that the researcher acted negligently, but the attorney claims that the researcher was not alerted to the security flaws and there is no evidence that the researcher violated or ignored rules in obtaining patient information.UPDATE (5/9/2011): The researcher and University reached a settlement.  The researcher agreed to retire at the end of 2011 and will receive her full rank and salary until that time.","Dataloss DB","","2009","35.913200","-79.055845" "June 18, 2010","Family Care Center","Clinton","Washington","PORT","MED","8,000","A thief or thieves entered the physical therapy office on June 12th.  Cash, other items, and a laptop containing encrypted patient information such as names and account numbers were stolen.  It appears that a door was left unlocked.","PHIPrivacy.net","","2010","47.978428","-122.355696" "July 1, 2011","Concord Hospital","Concord","New Hampshire","INSD","MED","40","An audit of Concord's system revealed that an employee accessed the records of 40 patients without proper authorization. It appears that the employee was checking the files of friends and family.  Concord discovered the breach on May 11.","PHIPrivacy.net","","2011","43.208137","-71.537572" "December 20, 2010","Saint Louis University","St. Louis","Missouri","HACK","EDU","0","St. Louis University's network was breached during the week. 
At least some Social Security numbers and personal information of employees were exposed, but students also received notification of the breach. Employees who had been with the University for at least five years were affected.","Databreaches.net","","2010","38.627003","-90.199404" "September 13, 2010","Florida Department of Children and Families, Department of Juvenile Justice","Tallahassee","Florida","INSD","GOV","550","Seven people worked together to collect 880 fraudulent tax refunds between 2006 and 2008. It is believed that people served through the Florida Department of Children and Families and people connected to the Department of Juvenile Justice were affected. The conspirators somehow gained access to names, Social Security numbers and other information on the state databases.UPDATE (9/15/2011): The source of the breach was found to be two dishonest employees.  On October 28, 2010 a call center supervisor was fired for negotiating to sell the Medicare numbers of disabled and elderly Floridians to an informant. A second Department of Children and Families (DCF) employee was also caught selling sensitive information. Each employee repeatedly misused access to a DCF computer system to obtain the information of people who applied to DCF for food stamps, cash benefits, and Medicaid. One dishonest employee was sentenced to 36 months in prison and three years of supervised release on June 30, 2011.  The other is scheduled to be sentenced on November 21, 2011 and faces a maximum of ten years in prison for health care fraud charges, five years for authentication feature fraud, and two years for each aggravated identity theft charge.","Databreaches.net","","2010","30.438256","-84.280733" "December 14, 2010","McDonald's, Arc Worldwide, Silverpop Systems Inc.","Atlanta","Georgia","HACK","BSR","0","Hackers were able to access the information of McDonald's customers.  
People who signed up for online promotions or newsletter subscriptions may have had their email addresses, contact information and birth dates exposed.  McDonald's uses a company called Arc Worldwide for its marketing services.  The breach was through Arc Worldwide's business partner Silverpop Systems Inc.","Databreaches.net","","2010","33.748995","-84.387982" "September 18, 2010","University of Pittsburgh Medical Center Shadyside Hospital","Pittsburgh","Pennsylvania","INSD","MED","19","In February of 2008, an employee disclosed the names, dates of birth and Social Security numbers of patients in exchange for personal gains. The patient information was eventually used to file false tax returns. The former employee was indicted on 14 counts.UPDATE (7/05/2011): A former employee has pleaded guilty to taking the names, Social Security numbers and dates of birth of 19 Shadyside patients.  The employee gave the patient information to other people who then filed fraudulent 2008 tax returns.UPDATE (10/21/2011): The former employee was sentenced to one year of probation for disclosing the information of 19 UPMC patients.  He claims he was intimidated into giving away the information and that the people who collected $84,190 in fraudulent tax returns returned to Zambia.","PHIPrivacy.net","","2010","40.440625","-79.995886" "November 10, 2010","Holy Cross Hospital, Office of Dr. Elliot Stein","Fort Lauderdale","Florida","INSD","MED","44,000","A criminal investigation uncovered 38 patient files. The files contained names, addresses, Social Security numbers, dates of birth and descriptions of initial diagnosis from Emergency Room visits. An investigation that began in June showed that an employee was responsible; that employee was fired. The employee may have inappropriately accessed 1,500 patient files between April 2009 and September of 2010. 
The Hospital now limits the amount of key personal data included in the type of documents involved in the incident.UPDATE (2/17/2011): Five other suspects have been arrested within the past month.  Authorities learned of the fraud ring in May of 2010.UPDATE (4/15/2011): A former Holy Cross Hospital employee was sentenced to prison for disclosing patient information.  The woman was sentenced to 24 months in prison with 12 months of home confinement, followed by three years of supervised release.  After being caught selling patient information from her employer, she pleaded guilty to disclosing individually identifiable health information.UPDATE (6/21/2011): It was revealed that one of the other suspects is being charged with selling information from the office of Dr. Elliot Stein in Aventura. A criminal investigation uncovered lists of patient information from Dr. Stein that included names, Social Security numbers, addresses, dates of birth, and health information.","Databreaches.net","","2010","26.122308","-80.143379" "March 22, 2011","Lone Star Business Solutions","Wichita","Kansas","PHYS","BSO","0","Thousands of personnel documents were found in a dumpster.  W-4 forms, employment applications, and other employee documents were found by the news team FactFinder 12.  Social Security numbers, addresses, and phone numbers of people across the country were exposed.  It appears that the files were dumped because the office was closing.UPDATE (11/29/2011): Lone Star Funds (LSF) owned Lone Star Business Solutions.  Lone Star Business Solutions managed the LSF restaurants which included Lone Star Steakhouse & Saloon, Texas Land & Cattle Steak House, Del Frisco's Double Eagle Steak House, and Sullivan's Steakhouse.  The documents exposed in this breach were left behind after LSF decided to move the restaurant management business to Dallas. The Kansas attorney general's office investigated the breach and Lone Star Steakhouse (LS Management Inc.) 
was fined $200,000 for the improper disposal of confidential employee records.","Databreaches.net","","2011","37.692236","-97.337545" "January 11, 2011","University of Connecticut, HuskyDirect.com","Storrs","Connecticut","HACK","EDU","18,059","Customers who used their credit cards on UConn's Huskydirect.com sports gear website may have had their personal information exposed in a data security breach. A hacker was able to access the Huskydirect.com customer database and may have viewed billing information with names, addresses, telephone numbers, credit card numbers, expiration dates, security codes and email addresses. The Huskydirect.com database is run by an outside vendor. People who made purchases offline are not at risk.UPDATE (1/31/2011): Some people who were affected by the breach have recently reported fraudulent charges.UPDATE (2/19/2011): Additional details reveal the exact number of names that were on the customer database, the fact that the perpetrator used an administrative password, and the fact that Fandotech, the company that was hosting and managing the site, was not following correct web security procedures.","Databreaches.net","","2011","41.808431","-72.249523" "March 31, 2011","Adult Industry Medical Healthcare Foundation (AIM Medical Associates P.C.)","Sherman Oaks","California","UNKN","MED","12,000","Over 12,000 current and former adult film performers had their names, home addresses and other personally identifying information posted on the internet. It appears that information from people who tested for HIV and other sexually transmitted diseases at the Adult Industry Medical Healthcare Foundation (AIM) was obtained somehow and misused.UPDATE (5/3/2011): A privacy lawsuit and other troubles caused AIM Healthcare to shut down and file for bankruptcy. 
UPDATE (7/26/2011): The website that contained the personal and medical information of porn actors, PornWikiLeaks, was forced to shut down after being targeted by hackers.","PHIPrivacy.net","","2011","34.151117","-118.449248" "March 10, 2011","TD Bank","Elmwood Park","New Jersey","INSD","BSF","0","A dishonest employee was charged with selling the account information of seven to ten customers. The former employee sold account numbers between November of 2010 and February. Approximately $39,000 in fraudulent charges may have been caused because of the former employee's actions.","Databreaches.net","","2011","40.903988","-74.118476" "January 20, 2011","Chase Bank","San Luis Obispo","California","CARD","BSF","100","Three people were arrested for tampering with ATMs and making fraudulent charges on customer cards.  They allegedly accomplished this by placing small cameras and card readers on at least two ATMs in the San Luis Obispo area. Over 100 people discovered that fraudulent charges had been made on their cards. Investigators first became aware of the situation on January 13.","Databreaches.net","","2011","35.282752","-120.659616" "February 2, 2011","University Book Exchange","Greenville","North Carolina","CARD","BSR","100","People who used their credit or debit cards to make purchases at the University Book Exchange may have had their financial information taken. A number of victims have contacted the police, but investigators are still not completely sure that the source of the fraudulent activity is a breach at the U.B.E. store. All or nearly all of those affected by the breach were connected to East Carolina University.UPDATE (2/13/2011): At least 100 East Carolina University students have reported fraudulent charges to their accounts.  The breach is believed to have occurred between January 5 and 25.  
","Databreaches.net","","2011","35.612661","-77.366354" "February 3, 2011","SettlementOne Credit Corporation, Sackett National Holdings Inc., ACRAnet Inc., Fajilan and Associates Inc. (Statewide Credit Services and Robert Fajilan)","","","HACK","BSO","1,800","Three companies who resell consumer credit reports have agreed to settle with the FTC over charges that computer hackers could easily access consumer data through their weak information security systems.  Hackers accessed more than 1,800 credit reports via security flaws in the computer networks used by the companies' clients.UPDATE (8/22/2011): FTC has approved the final orders settling charges against the three credit report resellers.  The approval comes after a period of public comment.  The companies will be required to strengthen their data security procedures and submit to audits for 20 years.","Databreaches.net","","2011","37.090240","-95.712891" "March 9, 2011","Eastern Michigan University","Ypsilanti","Michigan","INSD","EDU","45","Two former student employees may have obtained student information and provided it to outsiders. Names, Social Security numbers and dates of birth may have been exposed.UPDATE (10/25/2011): A former student was charged with eight counts of felonies related to the breach. The charges include identity theft and using a computer to commit a crime.  A warrant was issued for a second student. ","Databreaches.net","","2011","42.241150","-83.612994" "February 15, 2011","Affiliated Computer Services (ACS)","Columbus","Ohio","DISC","BSO","8,000","ACS handles the state of Ohio's automated system for paying and tracking child care providers.  An ACS mistake meant that over 8,000 providers were mailed letters with Social Security numbers visible from the outside of the envelope.  
Some of the providers were childcare centers and only had ID numbers revealed; smaller providers who had their Social Security numbers as IDs face a greater risk.","Databreaches.net","","2011","39.961176","-82.998794" "February 16, 2011","Charleston Area Medical Center (CAMC)","Charleston","West Virginia","DISC","MED","3,655","Someone discovered that they could find information about a relative's name, address, patient ID, date of birth, Social Security number and other sensitive information through an online search that brought up WVChamps.com.  WVChamps.com is a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.  The information was accidentally posted in a report on September 1, 2010 and appears to have been accessed a total of 94 times.  The error was discovered on February 8 of 2011.  The breach occurred within the CAMC subsidiary CAMC Health Education Research Institute.UPDATE (5/5/2011): Five patients who were affected by the breach filed a lawsuit seeking class action status for all affected patients.  The lawsuit alleges four counts against the hospital: breach of the duty of confidentiality, invasion of privacy by intrusion upon the seclusion of the plaintiffs, invasion of privacy by unreasonable publicity into the plaintiff's private life, and negligence.","PHIPrivacy.net","","2011","38.349820","-81.632623" "April 2, 2011","Epsilon","Irving","Texas","HACK","BSO","250,000,000","Epsilon, an email service provider for companies, reported a breach that affected approximately two percent of its 2,500 clients. Only e-mail addresses and names were stolen. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers have received notices from a growing list of affected companies (http://www.databreaches.net/?p=17374), making this the largest security breach ever. The Secret Service is investigating this breach. 
Customers are expected to receive targeted spam that has their name and email address, and appears to come from one of the affected companies. These phishing attempts could result in further loss of consumer personal information. People who receive spam should report it to phishing-report@us.cert.gov.UPDATE (05/02/2011): The original estimate of companies affected was changed from 2% to 3% of Epsilon customers.  A total of 75 companies were affected and these companies may end up paying a combined amount of $412 million in damage control. Epsilon itself could pay $225 million. Some estimate the total cost of the Epsilon breach could run as high as $3-$4 billion in forensic audits and monitoring, fines, litigation, and lost business for provider and customers.  Conservative estimates place the number of customer email addresses breached at 50-60 million.  The total of customer emails exposed could reach 250 million.","Databreaches.net","","2011","32.814018","-96.948895" "February 28, 2011","Delray Beach and Oakland Park Fire Fighters and Police Officers","Oakland Park","Florida","UNKN","GOV","400","A Miami man was caught using fraudulently obtained debit cards.  The investigation began when 31 Oakland Park firefighters discovered fraudulent tax returns had been filed in their names.  The cause of the breach is unknown, but current and former firefighters and police officers of Oakland Park and Delray Beach had the same retirement plan administrator at one point.","Databreaches.net","","2011","26.172307","-80.131989" "April 8, 2011","Broward County School Board, Private Medical Practices","","Florida","INSD","BSO","0","Two former employees from different private medical practice offices were charged with providing confidential patient information to other members of an identity theft and fraud ring.  Both of these people participated in the identity theft and fraud ring from early 2009 until February 2, 2011.  
A former employee who worked for the Broward County School Board passed along information from a teacher certification database, which included names, Social Security numbers and dates of birth.  The information was used to fraudulently add people as authorized users to the victims’ credit card and bank accounts. The bank accounts of victims were depleted and one person discovered fraudulent credit card charges of $128,000.  In addition to the three former employees, eight other people and the ringleader were also indicted on March 15, 2011.UPDATE (9/30/2011): The former Broward School District employee was sentenced to just over five years in federal prison for accessing and selling teacher personal information to identity thieves.  At least 42 people in Florida had their information stolen; the fraudulent credit card charges that resulted totalled $408,000.  The former employee admitted to selling five to 10 Social Security numbers and dates of birth at a time for $100.","Databreaches.net","","2011","27.664827","-81.515754" "April 11, 2011","GunnAllen Financial","Tampa","Florida","INSD","BSF","16,000","Former employees of GunnAllen Financial have been fined by the U.S. Securities and Exchange Commission (SEC) for failing to adequately protect customer data.  The former president and national sales manager broke privacy by transferring the information of GunnAllen Financial clients over to a new business after or during GunnAllen’s November 2010 liquidation.  The sales manager was authorized by the president to take a thumb drive with the information of about 16,000 clients with him to his new job.  
The two former employees were fined $20,000 each and a third former chief compliance officer was fined $15,000 for failing “to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information.” The fines are based on violations of the SEC’s Safeguard Rule, which requires institutions and financial advisers under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties.","Media","","2011","27.949436","-82.465144" "April 13, 2011","PNC Automated Teller Machines","Pittsburgh","Pennsylvania","CARD","BSF","211","During April and May 2010, two men placed skimmers on PNC ATMs in Harmar and Waterworks Plaza. Both men were arrested in April 2011 and face charges of conspiracy, access device fraud and attempt to commit access device fraud. One man resided in Pompano Beach, Florida and the other in Astoria, New York.UPDATE (5/11/2011): One of the two men was sentenced to 23 months in prison and three years of supervised release for conspiring to commit bank fraud and access device fraud.  Court records reveal that the two men installed electronic skimming equipment onto multiple PNC ATMs in the Western Pennsylvania area.  The illegally installed equipment allowed them to record customer bank account information contained on the magnetic strips of debit and credit cards used at ATMs.  Fraudulent debit and credit cards were created with this information and approximately $208,000 was skimmed from at least 211 accounts.","Databreaches.net","","2011","40.440625","-79.995886" "April 14, 2011","Private Medical Practice","","Oklahoma","STAT","MED","600","A desktop computer, a portable electronic device, or both were discovered lost on November 24, 2010.  It is unclear who the data belonged to and what kind of information was lost.","HHS via PHIPrivacy.net","","2011","35.007752","-97.092877" "April 29, 2011","Office of Brian J. 
Daniels, D.D.S. and Paul R. Daniels D.D.S.","Phoenix","Arizona","PORT","MED","10,000","The March 2, 2011 theft of a portable electronic device resulted in the exposure of electronically stored patient protected health information.","HHS via PHIPrivacy.net","","2011","33.448377","-112.074037" "May 5, 2011","Private Legal Practice, Baker Moving and Storage","San Rafael","California","PHYS","BSO","0","Twenty boxes of documents with sensitive medical and financial information were lost during transportation sometime around Saturday, April 30.  The information was mostly from the office of a family lawyer, but other sensitive documents may have been lost on Highway 101 during the incident.  The boxes were being transported to a new Baker storage facility. Baker did not inform the lawyer that the documents had been lost and the incident was discovered when the lawyer's son saw a news report about the incident.  The documents appear to be from the 1980's and early 1990's.  An unknown amount of Social Security numbers were also exposed.","PHIPrivacy.net","","2011","37.973535","-122.531087" "May 4, 2011","Rape and Brooks Orthodontics, P.C.","Columbus","Ohio","STAT","MED","20,744","An office burglary was discovered on the morning of February 4.  A server with patient personal and health information was among the stolen items.  Patients who were seen by the dentists during the past 30 years were affected.  The names of patients and patient guardians, home addresses and dates of birth for patients under 18 were on the server.  Account holders who provided insurance information may have had their Social Security numbers and dates of birth on the server.  Patients who used AllKids with Blue Cross & Blue Shield of Alabama may have had their Social Security number included in the exposed insurance information. 
An unspecified amount of customer credit card numbers were also stored on the server.","PHIPrivacy.net","","2011","39.961176","-82.998794" "May 4, 2011","Catholic Social Services","","","PORT","EDU","1,700","The February 1 theft of a contractor's laptop may have exposed client personal and health information.  The laptop was stolen from the car of an out of state contractor working for the Pregnancy Support and Adoption Services program.  It contained personal information that included names, addresses, phone numbers, email addresses, dates of birth, driver's license information, health information, family histories, financial statuses and recommendation for readiness to adopt. Individuals who requested a home study in order to adopt a child between 2008 and 2010 were among those affected.  ","HHS via PHIPrivacy.net","","2011","37.090240","-95.712891" "May 5, 2011","Union Security Insurance Company","Las Vegas","Nevada","UNKN","BSF","935","On February 18 of 2011, it was discovered that patient health and personal information had accidentally been disclosed.","HHS via PHIPrivacy.net","","2011","36.114646","-115.172816" "May 5, 2011","Park Avenue Obstetrics and Gynecology, PC","","","PORT","MED","635","A portable electronic device was discovered stolen on March 25, 2011. It contained personal and health information.","HHS via PHIPrivacy.net","","2011","37.090240","-95.712891" "May 7, 2011","Allina Hospitals and Clinics","Hartford","Connecticut","INSD","MED","11","Twenty-eight employees from Unity Hospital and four from Mercy Hospital were fired for snooping.  The employees each accessed patient medical information without authorization.  Eleven teens and young adults were taken to the two hospitals on March 17 after overdosing at a party. 
Allegations that employees were accessing electronic medical records for no legitimate reason first surfaced in April.UPDATE (6/1/2011): It appears that a total of 32 employees, including 15 nurses, were fired in a single day for snooping.","PHIPrivacy.net","","2011","41.763711","-72.685093" "May 6, 2011","Lockerman Family Chiropractic","New Orleans","Louisiana","INSD","MED","0","Dr. Christopher Lockerman was arrested and charged with eight counts of financial identity fraud and one count of theft by deception.  Victims lost over $264,000 due to identity theft.  Patients of Lockerman's clinic had fraudulent J.P. Morgan Chase lines of credit established in their names. The period during which this took place was not revealed.","PHIPrivacy.net","","2011","29.951066","-90.071532" "May 3, 2011","Speare Memorial Hospital","Gambrills","Maryland","PORT","MED","6,000","The April 3 theft of a laptop from an employee's locked car resulted in the exposure of patient information.  The information on the laptop's hard drive should not have been moved from the Hospital's secure server.  The employee resigned after the theft of the laptop.  Names, addresses, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes, and diagnosis codes were exposed. Speare has committed to checking for the misuse of patient information.UPDATE (5/12/2011): People who were not patients of Speare may have also been affected by this breach.  Names, New Hampshire Medical License Numbers, Drug Enforcement Administration (DEA) numbers and National Provider Identifiers may have also been exposed.","PHIPrivacy.net","","2011","39.066944","-76.665556" "May 9, 2011","Reid Hospital","Milford","Connecticut","STAT","MED","20,000","A computer was stolen from an employee's home during an early April burglary.  It may have contained information from patients who visited the hospital between 1999 and 2008. 
Patients covered under Medicaid or Medicare may have had their Social Security numbers as well as unspecified information contained in patient reports.","PHIPrivacy.net","","2011","41.230895","-73.063584" "May 7, 2011","Office of Dr. Jeffry Barnes","","Illinois","PHYS","MED","60","A woman found the sensitive information of more than 60 people in a recycling bin. Social Security numbers, prescription information, patient names and medical histories were all easily accessible.  The employee responsible for the incident resigned after the mistake and Dr. Barnes agreed to upgrade his shredding practices.","PHIPrivacy.net","","2011","40.633125","-89.398528" "May 9, 2011","Huntington National Bank","Bellwood","Illinois","INSD","BSF","2,000","Several employees of Huntington Bank resigned and took customer information to a competing financial business.  The employees had been downloading and printing confidential customer records from Huntington's secure database for weeks before they departed.  The customer records included customer names, addresses, telephone numbers, Social Security numbers, dates of birth, bank account numbers and additional personal information.  Former employees also took the files of some customers who had filed active mortgage loan applications.  These files would have included customer pay stubs, W-2s, tax returns and other sensitive information. Huntington is suing the ex-employees for theft of trade secrets.  ","Databreaches.net","","2011","41.881420","-87.883117" "May 9, 2011","Eastern Illinois University","Las Vegas","Nevada","PHYS","EDU","0","Partially-shredded personnel records were dumped alongside a roadside. Names and Social Security numbers from University employees employed during 2002 were exposed. A student employee from the Records Management Office had taken two bags of personnel documents for use in a prank.  Both bags were eventually found.  
","Databreaches.net","","2011","36.114646","-115.172816" "May 6, 2011","Best Buy","San Francisco","California","HACK","BSR","0","Though Best Buy was affected by the large Epsilon breach, it had a second, separate breach of customer emails.  A former third party vendor experienced a breach that may have exposed customer email addresses.  Best Buy is pursuing legal action and had already ended its business relationship with the vendor. It is unclear why the vendor still had Best Buy customer information.  It is likely that the unnamed vendor's breach affected customers of other businesses as well.","Databreaches.net","","2011","37.774930","-122.419416" "May 7, 2011","Central Oregon Community College (COCC)","Montpelier","Vermont","HACK","EDU","0","COCC's website experienced an unauthorized intrusion. Students who applied to the COCC nursing program for the current school year, and for a COCC Foundation scholarship for the following school year may have had their personal information exposed.  The potentially exposed information does not include Social Security numbers, credit card numbers, email addresses or COCC ID numbers.  It is unclear which information may have been exposed.","Databreaches.net","","2011","44.260059","-72.575387" "May 6, 2011","Newington Police Department","Santa Maria","California","PORT","GOV","0","A marked cruiser was left at an auto dealership for service.  Its on-board camera was damaged and a laptop used for duty was stolen.  The vehicle was left outside after hours because the dealership manager expected a police officer to pick the vehicle up after hours.","Databreaches.net","","2011","34.953034","-120.435719" "May 10, 2011","Dunes Family Health Care P.C.","Sacramento","California","PORT","MED","16,000","The March 11 theft of an external hard drive used for backing up the Clinic's electronic files may have exposed patient information.  The hard drive was stored in a locked, fire-protected building with very limited access.  
Many of the files contained patient Social Security numbers in addition to names, dates of birth, addresses and other clinical information.  There was a delay in notification due to the fact that there were duplicate files and patient contact information had to be updated. The Clinic has begun to encrypt records and raised the physical security of the files since the incident.","Databreaches.net","","2011","38.581572","-121.494400" "May 4, 2011","Netflix","Redwood City","California","INSD","BSR","0","An employee working in a call center accessed customer credit card information for two months without authorization.  Customer names, credit card numbers and other credit card information could have been misused by the employee. The employee's actions were discovered on April 4, the employee was terminated, and a criminal investigation was launched.","Databreaches.net","","2011","37.485215","-122.236355" "May 9, 2011","Assurant Employee Benefits","Schenectady","New York","DISC","BSF","0","Policy holders in the Kansas City area were notified that their personal information was accidentally made available to another business client administrator.  An employee error caused customer names, addresses, Social Security numbers, dates of birth and types of coverage to be made available to a business client other than the employer of those customers. The incident occurred in March and was corrected within a few minutes.  Affected policy holders were notified in early May.","Databreaches.net","","2011","42.814243","-73.939569" "May 3, 2011","Office of Dr. Leslie Coleman, Staff Providers","Atlanta","Georgia","INSD","MED","0","A temporary employee from Staff Providers misused patient information.  The temporary employee took co-payments from patients while the manager was out of the office. The temporary employee did not have authorization to collect the financial information and made print copies of each customer's credit card during transactions.  
Patients later called the medical office and complained about fraudulent charges.  The temporary employee made at least $1,400 worth of fraudulent charges, but was caught and charged with 11 counts of third-degree identity theft, illegal use of a credit card, and sixth-degree larceny almost immediately.  ","PHIPrivacy.net","","2011","33.748995","-84.387982" "May 2, 2011","Woman to Woman Healthcare","San Francisco","California","INSD","MED","26","Two women were arrested for their part in an identity theft ring.  At least 26 patients who visited Woman to Woman had their identities stolen by a receptionist.  Another worker at the clinic was spotted withdrawing money by using fake IDs. Both women had prior fraud convictions. The two women stole a total of $125,000.  It does not appear that the owner of Woman to Woman Healthcare was involved in the identity theft operation.","PHIPrivacy.net","","2011","37.774930","-122.419416" "May 10, 2011","Fox.com","Winchester","Virginia","HACK","BSO","363","Hackers accessed the email accounts of 363 Fox.com employees and managed to deface the Linkedin accounts of 16 of them. This same group has attacked multiple Fox related groups such as the Twitter account of Fox15 TV, and the names, phone numbers and email addresses of 73,000 people auditioning for The X-Factor television show on Fox.  A text file of the information from The X-Factor participants was placed on a site called Pirate Bay.  The hacking group calls themselves Lulzsec. Four Lulzsec hackers searched Fox.com's servers for vulnerabilities and attacked on April 19.  Fox.com noticed the breach a week later. Lulzsec claims that it plans to release more hacked information soon.","Media","","2011","39.185660","-78.163334" "May 17, 2011","Eye Care Associates of the San Ramon Valley","San Antonio","Texas","PORT","MED","611","A laptop with a lock to prevent theft was stolen from the ophthalmology office on the night of May 8.  It contained eye photos and names of 611 patients. 
The laptop was not recovered.","PHIPrivacy.net","","2011","29.424122","-98.493628" "May 16, 2011","SunTrust Bank","Chicago","Illinois","INSD","BSF","0","An employee is accused of stealing more than $170,000 from several customers.  The woman was indicted on 15 counts of theft by a bank employee and four counts of aggravated identity theft.  While employed at SunTrust between October 2006 and August 2008 the woman allegedly created a loan for someone without their knowledge and forged the person's signature in order to use $15,175 of their money for herself.  At least five other people were victimized in similar ways. Another customer had the money from their CD taken.  ","Databreaches.net","","2011","41.878114","-87.629798" "May 17, 2011","Regions Bank","","","INSD","BSF","149","A woman who worked at Regions is accused of creating 184 fraudulent bank accounts by using the names, dates of birth and Social Security numbers of 149 customers.  The woman then filed fraudulent tax returns totaling more than a million dollars and deposited the money into accounts.  Her boyfriend withdrew more than $65,000 of this money before the couple was arrested.  ","Databreaches.net","","2011","37.090240","-95.712891" "May 12, 2011","Ohio Auditor of State Dave Yost","","","PORT","GOV","0","A state-owned laptop was stolen from the home of a regional auditor for the state Auditor's Office.  Financial audits of public offices in northwest Ohio were on the laptop.  The employee was suspended for 15 days because a password that opens the password-protected information on the computer was attached to the computer.  This was in violation of the office policy and allowed access to the financial records on the laptop.","Databreaches.net","","2011","37.090240","-95.712891" "May 20, 2011","Flanigan's","Loma Linda","California","INSD","BSR","85","Four people were sentenced for their roles in an identity theft operation.  
Between April 30, 2010 and May 29, 2010 an employee of the restaurant was paid $20 per card to use a skimmer to collect customer credit card numbers.  The stolen credit card information was used to make fraudulent purchases.  The criminals managed to cause between $120,000 and $200,000 in fraudulent charges.","Databreaches.net","","2011","34.048347","-117.261153" "May 20, 2011","LaMar's Donuts","Kokomo","Indiana","HACK","BSR","50","Someone may have hacked into LaMar's credit card processing system and used the information to make fraudulent credit and debit cards.  Other businesses in the Omaha area who use a similar credit card processor may be at risk.","Databreaches.net","","2011","40.486427","-86.133603" "May 20, 2011","Excel Academy","Castroville","Texas","INSD","EDU","0","A group of employees left Excel Academy and took student information with them to a rival organization.  School district superintendents were solicited by the rival academy, Eagle Wings, and shown student information that Eagle Wings should not have possessed. Student names and Social Security numbers were exposed.  Excel reported the incident and police launched an investigation. Excel has student information from 33 districts.","Databreaches.net","","2011","29.355790","-98.878639" "May 19, 2011","Delta Dental, The Smile Center","Mount Pleasant","Texas","PORT","MED","0","Thousands of patients had their medical records compromised by the theft of a laptop. It was being used by an expert witness in a court case between Delta Dental and The Smile Center. The laptop contained a disc with patient information.  Names, Social Security numbers, dates of birth and health information were on the disc.  Patients of the St. Paul office of The Smile Center who used Delta Dental between January 1, 2003 and June 30, 2010 were affected by the breach.  The theft happened in early 2011, but patients were not notified until May.  
Neither organization is claiming responsibility for the breach, but Delta Dental is offering credit monitoring services to affected patients. UPDATE (5/31/2011): Delta Dental first learned of an incident on February 24.  The theft occurred on February 22. The Smile Center has refused to notify patients of the incident.","Databreaches.net","","2011","33.156786","-94.968269" "May 20, 2011","HarborOne Credit Union","","","PHYS","BSF","800","A courier was attacked on May 9.  The attacker managed to steal the courier's bag and its contents. The transaction records of 800 bank customers were exposed.  The information was from May 5 transactions and includes names, addresses, account numbers and any other information on checks processed at the bank.  Although a suspect was apprehended, the bag was not found. HarborOne flagged the accounts of customers who may have been affected by the incident.","Databreaches.net","","2011","37.090240","-95.712891" "May 18, 2011","The Securities and Exchange Commission","Denver","Colorado","DISC","GOV","4,000","On May 4, a contractor working for the Interior Department's National Business Center accidentally sent an unencrypted email.  There was a security feature in the system software that was designed to prevent such mistakes, but it failed to stop the email from going through.  Any information in the unencrypted email was vulnerable for about 60 seconds.  The email contained agency employee Social Security numbers and other payroll information.  ","Databreaches.net","","2011","39.739154","-104.984703" "May 12, 2011","Domino's Pizza, KB Pizza","Fishers","Indiana","PHYS","BSR","0","A woman looking for coupons in a grocery store dumpster found folders of hundreds of employment applications.  Insurance information, copies of Social Security cards, driver's licenses and birth certificates were left in the dumpster along with typical information found in employee records.  
The information was from employees who worked for KB Pizza and the Domino's Pizza stores that were at one time owned by KB Pizza.  Neither Domino's nor KB know what caused the information to end up in the dumpster.  The Attorney General's office launched its own investigation into KB Pizza to find out how the files ended up in the dumpster.","Databreaches.net","","2011","39.955593","-86.013873" "May 4, 2011","Merlin Information Services","Kalispell","Montana","HACK","BSO","0","One of Merlin's customers had their login information compromised.  Merlin detected inappropriate search activity on March 22, 2011.  Someone without authorization was able to access Merlin's databases for 21 hours.  Names, addresses, phone numbers and Social Security numbers were exposed.  Merlin began sending notification letters on April 11, 2011.","Databreaches.net","","2011","48.200531","-114.315102" "April 29, 2011","Peace Officers Research Association of California (PORAC)","Sacramento","California","HACK","BSO","2,000","Hackers stole the names, Social Security numbers, dates of birth, phone numbers, email addresses, mailing addresses and credit card information of around 2,000 retired public safety officers who were part of the Peace Officers Research Association of California (PORAC). Hackers breached the PORAC data server in early April.  Retired associate members from the present back to 2008 were affected by the breach.","Databreaches.net","","2011","38.581572","-121.494400" "April 28, 2011","DSLReports.com","","","HACK","BSO","8,000","Subscribers to the ISP news and review site DSLReports.com have been notified that their email addresses and passwords may have been exposed during a hacker attack on the website during the last part of April.  The site was targeted in an SQL injection attack and about eight percent of DSLReports.com subscriber emails and passwords were taken.  
There are around 9,000 active DSLReports.com accounts and 90,000 inactive accounts.","Databreaches.net","","2011","37.090240","-95.712891" "May 21, 2011","Community Action Partnership of Natrona County","Casper","Wyoming","UNKN","MED","15,000","On February 23, 2011, The Community Action Partnership experienced a breach that involved unauthorized access to the information of 15,000 clients.  The type of information and the cause of the breach are currently not available; however a notice that has since been removed appeared on their website on April 7.  ","HHS via PHIPrivacy.net","","2011","42.866632","-106.313081" "May 21, 2011","Office of Dr. Edalji and Dr. Komer","Brookline","Massachusetts","PORT","MED","563","The April 12 theft of a laptop resulted in the exposure of patient PHI.  ","HHS via PHIPrivacy.net","","2011","42.331764","-71.121164" "May 21, 2011","TRICARE Management Activity","Aurora","Colorado","PHYS","MED","4,500","Paper records with sensitive information were stolen on June 25, 2010.  The types of information the paper records contained was not revealed.  The breach does not appear to have been disclosed until May of 2011.","HHS via PHIPrivacy.net","","2011","39.729432","-104.831920" "May 21, 2011","Keith & Fisher, DDS, PA","Greensboro","North Carolina","UNKN","MED","6,000","On February 16, 2011, an IT incident caused patient information to be exposed.  It is not known if the breach resulted from a hack or an accidental release of information.  The type of patient information exposed was not revealed.","HHS via PHIPrivacy.net","","2011","36.072635","-79.791975" "May 21, 2011","Methodist Charlton Medical Center","Dallas","Texas","PORT","MED","1,500","The April 16 theft of a laptop resulted in the exposure of patient information. Multiple items were taken during the office burglary.  Patients who were part of Methodist Charlton's palliative care program between June 6, 2006, and September 30, 2010 were affected.  
Patient names, ages, sexes, race, marital status, admission and discharge information, hospital account number, physician, insurance company, date of death, chief complaint and type of cancer may have been revealed.  Patient religion may have also been exposed.  It does not appear that any Social Security numbers were attached to hospital account number or insurance company information.  ","HHS via PHIPrivacy.net","","2011","32.802955","-96.769923" "May 27, 2011","Loyola University Medical Center","Chicago","Illinois","PORT","MED","0","A flash drive was stolen from an employee's car.  It contained the names, dates of birth, Social Security numbers, addresses and phone numbers of fewer than 100 patients.","PHIPrivacy.net","","2011","41.878114","-87.629798" "May 25, 2011","United Healthcare Inc.","Pleasant Grove","Alabama","UNKN","MED","0","A man was sentenced to six years in prison for his role in an identity theft scheme.  The man and an unknown number of accomplices somehow obtained the personal information of people who had Flexible Spending Accounts administered by United Healthcare Inc.  The group then created counterfeit prescriptions for controlled substances by using the information of patients covered by a prescription drug plan sponsored by the Federal Employees Health Benefit Plan. The group sold the prescribed drugs to third parties from September 2008 through April 2009.  The Federal Employees Health Benefit Plan lost $72,746 on drugs and services obtained by the criminals.","PHIPrivacy.net","","2011","33.490941","-86.970271" "May 28, 2011","Provena Covenant Medical Center","Urbana","Illinois","INSD","MED","100","An employee responsible for moving patients around Provena Covenant was sentenced to eight years in federal prison for identity theft.  The former employee accessed patient names, Social Security numbers, dates of birth and other personal information by stealing patient wallets and through other methods.  
She also used at least one patient's credit card information to pay for access to victims outside of Provena Covenant.  At least 100 different names were found at the woman's home.  It is not clear if all of those names were related to the former employee's misdeeds at Provena Covenant between 2007 and 2008.","PHIPrivacy.net","","2011","40.110588","-88.207270" "May 19, 2011","Comfort Dental Offices","Indianapolis","Indiana","PHYS","MED","0","Someone broke into a storage barn on or around Monday, May 16 and took some of its contents.  The thief took a bike and may have taken medical records as well.  There were several years worth of medical records from dental patients of Comfort Dental.  Unfortunately, the owner had not properly secured the barn and could not determine how many records were taken.","PHIPrivacy.net","","2011","39.768377","-86.158042" "May 27, 2011","Spartanburg Regional Hospital","Spartanburg","South Carolina","PORT","MED","400,000","The March 28 theft of a laptop resulted in the exposure of patient information.  The laptop was stolen from an employee's car on March 28.  It contained patient names, Social Security numbers, addresses, dates of birth and medical billing codes. Spartanburg Regional has not revealed the number of affected patients. UPDATE (7/03/2011): Spartanburg Regional notified HHS that 400,000 patients were affected.","PHIPrivacy.net","","2011","34.949567","-81.932048" "June 1, 2011","Tax Matters","El Paso","Texas","PHYS","BSF","0","Someone noticed that thousands of intact personal documents had been dumped in an unsealed dumpster.  He called a local news crew and they came to recover and store the documents.  The personal documents included applications, resumes, check books, federal income tax forms, and even patient diagnosis forms.  The information covered a period between 2003 and 2007.  
A new employee of Tax Matters dumped the documents without shredding them.","Databreaches.net","","2011","31.758720","-106.486931" "May 27, 2011","Valley National Bank","New York","New York","CARD","BSF","348","A man pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft.  He admitted to installing skimmers and cameras on Valley National ATMs in September of 2008. He then used the account and identification information to make fake ATM cards.  The man and his co-conspirators accessed around 348 accounts and defrauded Valley National of $278,144.","Databreaches.net","","2011","40.714353","-74.005973" "June 2, 2011","Wake Forest Baptist Medical Center","Winston-Salem","South Carolina","INSD","MED","357","A renter discovered that an employee had taken over 20 boxes of patient information home.  The renter had been asked by the owner not to go into the basement of the home, but wanted to clean after a flood.  He found the boxes, informed Wake Forest and the employee was fired.  The medical records date back at least 10 years.  They contained patient names, phone numbers, Medicaid numbers, medical record numbers, medical histories, diagnoses and medications.  Wake Forest is filing a larceny report. UPDATE (6/4/2011): More boxes have been removed from three additional residential and storage units owned by the employee.  The employee was fired on June 1 and has been cooperating with investigators.  Wake Forest denied that Social Security numbers were found in the former employee's home.  Based on the response of the former employee and other observations, investigators believe that the former employee is a hoarder with no desire to misuse the information.  
Only 3-4% of the contents of the boxes were sensitive information. UPDATE (7/14/2011): A total of 136 patients and 221 medical center employees were affected.","PHIPrivacy.net","","2011","36.099860","-80.244216" "May 27, 2011","San Juan Unified School District","Carmichael","California","DISC","EDU","4,000","A human resources employee of San Juan Unified uploaded sensitive employee information onto a flash drive.  Somehow the information was uploaded onto a website when the employee used the flash drive to perform volunteer work at her church.  An employee who Googled their own name discovered that they could also see their Social Security number and other sensitive information.  The information was available for six months.   San Juan Unified decided to ban flash drives as a result of the incident.","Databreaches.net","","2011","38.617127","-121.328284" "May 25, 2011","Bank of America","New York","New York","INSD","BSF","300","An employee leaked customer information to members of an identity theft ring. Customer names, Social Security numbers, driver's license numbers, bank account numbers, PINs, account balances, dates of birth, addresses, and phone numbers were obtained.  More than $10 million was lost.  Bank of America first learned about the breach in 2010; but waited until 95 suspects had been arrested. The group of thieves used the information to modify bank account information and hide the fraudulent accounts they were creating in the names of victims.","Databreaches.net","","2011","40.714353","-74.005973" "June 3, 2011","Indiana Regional Medical Center","Indiana","Pennsylvania","PHYS","MED","500","A former employee stole more than 500 patient records for the purpose of using them as evidence in a legal dispute with a physician.  
The theft occurred in September of 2010 and included the medical information of three or four patients, as well as administrative information related to hundreds of other patients.","HHS via PHIPrivacy.net","","2011","40.621455","-79.152535" "June 3, 2011","PMC Medicare Choice","San Juan","Puerto Rico","STAT","MED","22,568","The March 8 theft of a computer resulted in the exposure of the protected health information of patients.","HHS via PHIPrivacy.net","","2011","18.466334","-66.105722" "June 3, 2011","MMM Healthcare, Inc.","San Juan","Puerto Rico","STAT","MED","29,143","The March 8 theft of a computer resulted in the exposure of protected patient information.  ","HHS via PHIPrivacy.net","","2011","18.466334","-66.105722" "June 9, 2011","The VA Caribbean Healthcare System","San Juan","Puerto Rico","PHYS","MED","1,691","Veterans and staff had their personal information left unsecured in an open area in the San Juan VA Medical Center. Some of the information included patient care assignment documents with names and Social Security numbers and counseling letters.  It is not clear what type of staff information was exposed.  The information was supposed to have been shredded. The incident occurred sometime before March 30 and VA Caribbean placed a notification on their website on May 20.","PHIPrivacy.net","","2011","18.466334","-66.105722" "June 9, 2011","Healthcare Partners","Long Beach","California","STAT","MED","15,727","Nineteen computers were stolen during an office burglary on Monday, April 18.  Administrative information such as names, addresses, dates of birth, medical record numbers, and health insurance plan ID numbers were exposed.  Sensitive medical information such as treating physician names, diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations were also exposed. 
A safe with 16 patient checks and 60 patient credit card receipts was also stolen.","PHIPrivacy.net","","2011","33.804167","-118.158056" "June 9, 2011","Murphy USA","Suffolk","Virginia","UNKN","BSR","42","At least 42 people who used their debit or credit cards at the same Murphy USA gas station have reported fraudulent charges to their financial accounts.  A local credit union claims that hundreds of people were affected.  Reports of fraudulent charges began in late May.  An investigation of the card reading devices at the gas station did not reveal any evidence that a skimmer had been used.  Thieves are using the financial information of victims to make fraudulent ATM withdrawals in California.","Databreaches.net","","2011","36.728205","-76.583562" "June 10, 2011","Ravenel Elementary School","Seneca","South Carolina","PORT","EDU","15","A Memorial Day weekend office burglary resulted in the theft of two laptops and a flash drive.  The flash drive may have contained student information.  This potential exposure includes copies of Medicaid release forms with student names, parent names and Medicaid numbers.","Databreaches.net","","2011","34.685656","-82.953204" "June 10, 2011","Texas Department of Assistive and Rehabilitative Services","Austin","Texas","UNKN","GOV","4,900","Current and former employees may have had their personal information exposed.  Notification of the incident was sent as soon as Department of Assistive and Rehabilitative Services (DARS) officials learned of the breach.  Though a law enforcement investigation is taking place, no information regarding the date of the breach, the cause of the breach or the type of information exposed has been disclosed.  ","Databreaches.net","","2011","30.267153","-97.743061" "June 9, 2011","Burke County Courthouse","Morganton","North Carolina","INSD","GOV","0","A night custodian made copies of sensitive documents pertaining to criminal cases.  He then traded the documents to an outsider in exchange for drugs.  
Documents were stolen or copied from the district attorney's office between January and June of 2011.  The outsider, her boyfriend and the custodian were charged.  The woman wanted to use the court records as aids to help her decide who not to sell methamphetamine to. The custodian was on an assignment from Patton Cleaning Co. Inc.  The county has a monthly contract with the company.  ","Databreaches.net","","2011","35.745407","-81.684819" "June 8, 2011","University of Mary Washington (UMW)","Fredericksburg","Virginia","DISC","EDU","7,566","A student discovered student data files on a departmental EagleNet site while searching the EagleNet portal for his own information.  A total of three students accessed the sensitive files and were interviewed.  Student names, Social Security numbers and dates of birth were accessible.  The information was accidentally placed there by a faculty or staff member and reported on May 23.","Databreaches.net","","2011","38.303184","-77.460540" "June 8, 2011","LexisNexis, Onyx Collections and Locators Services Inc.","Boca Raton","Florida","HACK","BSO","74","Sensitive information was exposed by a breach at Onyx Collections.  Someone connected to Onyx Collections was misusing Onyx Collections' search account to access the personal information of people.  LexisNexis discovered the problem after conducting an audit of Onyx Collections. From September 10, 2009 through March 2, 2011, Onyx Collections had access to names, addresses, dates of birth, driver's license numbers and Social Security numbers of at least 74 people from New Hampshire.  The total number of people affected nationwide has not been revealed.","Databreaches.net","","2011","26.358689","-80.083098" "June 12, 2011","Southern California Medical-Legal Consultants, Inc. (SCMLC)","Seal Beach","California","DISC","BSO","300,000","A data security firm discovered that SCMLC data was available online.  
The names and Social Security numbers of around 300,000 people who applied for California workers' compensation benefits may have been accessed by unauthorized parties.","Databreaches.net","","2011","33.741406","-118.104787" "June 11, 2011","Epic Games","Cary","North Carolina","HACK","BSR","0","The Epic Games websites and forums were hacked.  Hackers may have obtained the email addresses and encrypted passwords of forum users.  There is a possibility that hackers may be able to decrypt the passwords.  Epic Games reset all passwords and sent new ones to users.  Users should also make different passwords for other accounts if their Epic password is the same as the one used for those accounts.  No financial information was exposed by the attack.","Databreaches.net","","2011","35.791540","-78.781117" "June 11, 2011","Penn State Altoona","Altoona","Pennsylvania","HACK","EDU","12,000","A virus infected a Penn State Altoona computer that contained the names, addresses and Social Security numbers of alumni, faculty and staff members.  The virus appeared on the computer sometime during the spring semester and was discovered on March 15.  Those who were affected were not notified until June because the full list of affected people and their contact information had to be obtained by investigators.  Only alumni with identical Social Security numbers and student IDs were affected.","Databreaches.net","","2011","40.518681","-78.394736" "June 7, 2011","Victor Victoria's Restaurant, Renteria Catering","Bakersfield","California","INSD","BSR","0","A husband and wife who owned the two businesses are accused of conspiracy to commit wire fraud, wire fraud, and credit card fraud.  The business owners allegedly made additional, unauthorized charges onto customer credit cards after they charged them for legitimate business transactions.  Victor Victoria's was open from August 2009 to July 2010 and Renteria was open from August 2009 to September 2010.  
","Databreaches.net","","2011","35.373292","-119.018713" "June 6, 2011","Ravelry.com","Boston","Massachusetts","HACK","BSO","0","Hackers accessed one of Ravelry's second servers and obtained names, encrypted passwords, and possibly email addresses. Business transactions occur on the site, but no financial information was exposed during the breach.  Since hackers may be able to decrypt the passwords and link them to names and email addresses, Ravelry suggested that users immediately change their Ravelry passwords.  Users should also make different passwords for other accounts if their Ravelry password is the same as the one used for those accounts.","Databreaches.net","","2011","42.358431","-71.059773" "June 8, 2011","Denver Players, Denver Sugar","Denver","Colorado","PHYS","BSO","0","Hundreds of documents were stolen from the home of the former owner of the escort services.  A computer and a large container of files were stolen during the Monday, June 6 burglary.  The files contained the names and numbers of clientele as well as appointment logs, schedule books and credit card receipts.  Some of the clients used fake names and some had high profile status.  Denver Players and Denver Sugar had previously been exposed as prostitution operations.","Databreaches.net","","2011","39.739154","-104.984703" "June 5, 2011","Casa Grande Justice Court","Casa Grande","Arizona","INSD","GOV","200","A court clerk took court documents home in an attempt to hide the fact that she had not done the work.  The employee was fired and could be charged with tampering with public records.  No malicious intent is suspected.  
It is believed that the employee hid years of backlogged records and eventually took them home to continue concealing them.","Databreaches.net","","2011","32.879502","-111.757352" "June 4, 2011","Infragard","Atlanta","Georgia","HACK","BSO","180","The hacking group known as LulzSec published 180 usernames, hashed passwords, plain text passwords, names and email addresses from the organization.  Infragard is a non-profit that attempts to serve as an interface between the private sector, individuals and the FBI.  LulzSec targeted the organization because of its connection to the FBI. UPDATE (6/24/2011): Infragard Connecticut may have also been breached during June.  Lulz Security (LulzSec) claims to have the information for over 1,000 accounts.","Databreaches.net","","2011","33.748995","-84.387982" "June 17, 2011","Area Agency on Aging, Inc.","Mansfield","Ohio","PORT","MED","78,000","The June 3 theft of a laptop from an employee's car resulted in the exposure of consumer information.  The laptop was assigned to a PASSPORT case manager.  It contained the health information of 43,000 consumers and the personal contact information of 35,000 related clients' personal representatives.  ","PHIPrivacy.net","","2011","40.758390","-82.515447" "June 17, 2011","Boulder Community Hospital","Boulder","Colorado","INSD","MED","74","A contract nurse is accused of accessing patient information without authorization.  He faces a 90-count felony indictment.  He allegedly used the Social Security numbers and other private information found in patient files to open credit cards in patients' names.  The nurse was hired through a staffing agency.  He worked at Boulder Community between May 1, 2010 and January 7, 2011.  
Police later notified Boulder Community on May 11, 2011 that the former employee was suspected of stealing patient demographic information from other hospitals. UPDATE (9/27/2011): The nurse faces five counts of identity theft and 46 counts of theft of medical records in connection to this incident.  The former employee worked at a staffing agency and performed work for numerous Centura Health facilities, the Platte Valley Medical Center, and Boulder Community Hospital.  UPDATE (12/6/2011): The nurse was sentenced to six years probation after being charged with multiple felony counts of identity theft and theft of medical records.  It was also revealed that the dishonest employee worked at St. Anthony's Hospital in Lakewood, Colorado.  ","PHIPrivacy.net","","2011","40.014986","-105.270546" "June 15, 2011","Office of Dr. Morgan Camp and Associates","Mill Valley","California","STAT","MED","0","An office computer was discovered missing on the morning of June 6.  A burglar entered the office and searched through papers and equipment.  There was no sign of forced entry.  A credit card verification machine and approximately $150 in cash were also taken.  Patient information, credit card information and other personal details were stored on the computer.  Patients are advised to cancel any cards they had on file with Dr. Camp's office.","PHIPrivacy.net","","2011","37.906037","-122.544976" "June 20, 2011","Lending Company","Phoenix","Arizona","UNKN","BSF","0","The Lending Company's secure database was breached on May 4.  A manager reported seeing a computer transferring customer personal information to an external source.  Thousands of customers and employees may have had their names, contact information, Social Security numbers and other sensitive personal information downloaded.  
Customers were originally told that the system had been hacked, but one or more company insiders may have been the source of the breach.","Databreaches.net","","2011","33.448377","-112.074037" "June 20, 2011","Associated Credit Union","Norcross","Georgia","HACK","BSF","100","About 100 Associated Credit Union members have experienced fraudulent checking account charges.  A breach of check and ATM card information may have been caused by a breach of Associated Credit's processing company.  This could mean that customers of other financial institutions connected to the transaction processing company are at risk.  The customer information was used to make fake cards and the cards were sold throughout the country.  The date the breach occurred is unknown.","Databreaches.net","","2011","33.941213","-84.213531" "June 21, 2011","Foothills Nephrology Associates","Spartanburg","South Carolina","PORT","MED","1,280","A company laptop was stolen from physician's vehicle on the night of April 27.  Patient names, dates of birth and clinical information were on the laptop.  It did not contain Social Security numbers or financial information.","PHIPrivacy.net","","2011","34.949567","-81.932048" "June 19, 2011","Sega ","London","London","HACK","BSR","1,290,000","The SEGA Pass website was hit by hackers sometime around June 16.  Sega Europe in London operates the website, but customers worldwide may have been affected.  No credit card information was exposed, but names, dates of birth, email addresses and encrypted passwords were stolen by the hackers. Sega recommends that customers change login information for other sites if they used the same login information for SEGA Pass. Sega reported that 1,290,755 customers were affected.","Databreaches.net","","2011","51.507351","-0.127758" "June 17, 2011","Teachers Retirement System of Texas","Austin","Texas","DISC","GOV","0","A breach of the Teachers Retirement System (TRS) of Texas has been discovered.  
A retired principal learned that the TRS had mailed an envelope to her bank.  Due to the window-style of the envelope, her personal information was clearly visible through the TRS envelope.  The number of people affected by TRS's practice is unknown.  TRS changed their procedures so that content cannot be seen from the outside of the envelope.  TRS also plans to take the sensitive information off of letters in the future.","Databreaches.net","","2011","30.267153","-97.743061" "June 25, 2011","Nashville Zoo","Nashville","Tennessee","HACK","NGO","0","People who made purchases on the Nashville Zoo website within the past two years are being warned about a website security breach.  Investigators discovered that the website was the source of several credit card fraud incidents; the Nashville Zoo is now warning patrons to check their credit card statements. It is unclear when the breach occurred.","Databreaches.net","","2011","36.165890","-86.784443" "June 26, 2011","Public Broadcasting Service (PBS)","Arlington","Virginia","HACK","NGO","69,000","Hackers managed to obtain a number of administrative usernames and passwords for the PBS website.  PBS became aware of the intrusion when a phony news story was placed on the website in late May.  The login information for over 200 database users was later posted on the internet.  Hackers then began releasing additional information on the PBS website and member database.  The names, addresses, email addresses of subscribers. The hackers claim that they may release phone numbers and passwords of PBS members as well.  Wyoming PBS was also breached.","Databreaches.net","","2011","38.879970","-77.106770" "May 27, 2011","Lockheed Martin","Bethesda","Maryland","HACK","BSO","0","Lockheed Martin experienced a ""significant and tenacious attack.""  Lockheed's security team quickly detected the intrusion and updated security.  No customer, program or employee data was compromised, but the attack did cause unspecified damage.  
A breach at RSA may have led to the Lockheed Martin breach since Lockheed Martin was using RSA's security product or products.","Databreaches.net","","2011","38.984652","-77.094709" "June 24, 2011","California Department of Public Health (CDPH)","Sacramento","California","PORT","GOV","9,000","The workers' compensation information of 9,000 current and former state employees was copied onto a private hard drive without authorization.  The hard drive was removed from the state offices by an employee, but was recovered.  The CDPH security system detected unusual activity on April 5 and the employee responsible was discovered.  The employee was placed on administrative leave until the completion of the investigation.  Most current CDPH and California Department of Health Care Services (DHCS) employees were affected.  An additional 3,000 employees of the former Department of Health Services (DHS) were also affected.  Names, Social Security numbers, addresses, dates of birth, ethnicity, addresses of individuals listed as next of kin of employees and other workers' compensation information were exposed. ","Databreaches.net","","2011","38.581572","-121.494400" "June 24, 2011","Harrisburg Project, West Aurora School District, Kaneland School District","Palatine","Illinois","PORT","EDU","10,000","Two laptops were stolen from a car on or around June 7.  The laptops were from an Illinois State Board of Education (ISBE) subcontractor called Harrisburg Project.  The ISBE uses the Harrisburg Project as a subcontractor for special education reimbursement purposes. The laptops contained the personal information of over 10,000 students and staff from northern Illinois.  Employees were using the laptops for training in data entry. UPDATE (6/29/2011): It appears that both student and staff Social Security numbers were on the laptops.  Additionally, student names, dates of birth, residential school district and other educational information were on the laptops.  
Staff names, demographics, teacher certification numbers and work assignments were on the laptops.","Databreaches.net","","2011","42.110304","-88.034240" "June 23, 2011","University of Central Missouri","Warrensburg","Missouri","HACK","EDU","0","Two former students conspired to obtain and sell large databases of faculty and alumni information, change grades and steal funds from the accounts of other students.  The two students developed malware that allowed them to capture passwords and gain unauthorized access to the University's network.  The students were able to install the malware in a variety of ways.  For example, the students obtained the information of other students by inserting a thumb drive into public PCs and personal laptops.  Malware was installed on at least one University administrator's computer and the login credentials of a residence hall director were stolen. One of the men pleaded guilty to charges of computer hacking conspiracy and computer intrusion. Charges are pending against the student's alleged accomplice.  ","Databreaches.net","","2011","38.762789","-93.736050" "July 3, 2011","Barnes-Jewish Hospital, The Siteman Cancer Center, Washington University","Saint Louis","Montana","PORT","MED","0","A laptop containing unencrypted patient information was stolen during the weekend of December 4, 2010.  It contained the names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, medical records, diagnoses, lab results, insurance information and employment information.  The Siteman Cancer Center is a joint venture between Washington University and Barnes-Jewish Hospital.  A group of patients is suing all three groups for notifying patients eight weeks after the theft.  
At least one patient experienced identity theft as a result of the breach.","PHIPrivacy.net","","2011","38.583368","-90.241542" "July 3, 2011","Tuba City Regional Health Care Corporation","Tuba City","Arizona","PHYS","MED","2,000","Patient dietician treatment cards were discovered missing.  The cards contained patient names, dates of birth, phone numbers, medical record numbers, treatment plans, progress notes, medications, diagnoses, procedures, heights, weights, visit dates, and other diagnostic findings.  Tuba City Regional suspects that the cards were misplaced during a relocation and inadvertently destroyed in the facility's trash compactor.  The approximate date of the disappearance was not reported; but the discovery was made on or around April 1, 2011.","HHS via PHIPrivacy.net","","2011","36.134993","-111.239863" "July 3, 2011","Cahaba Government Benefit Administrators LLC","Birmingham","Alabama","PHYS","BSO","13,412","On April 11, 2011, someone discovered that sensitive paper records had been disclosed to outside parties or accessed without authorization.  Centers for Medicare and Medicaid Services (CMS) uses Cahaba for administration of Medicare fee-for-service programs.","HHS via PHIPrivacy.net","","2011","33.520661","-86.802490" "July 7, 2011","Hurley Medical Center","Flint","Michigan","PORT","MED","1,938","A laptop was discovered missing in May.  It was held in a locked room in Hurley, but it was not encrypted or password protected.  The laptop contained the names, heights, weights, dates of birth, medical record numbers and lung function test results of 1,938 patients who visited Hurley between 2007 and May of 2011.  
A total of 10 out of 150 of Hurley's laptops were not encrypted at the time of the discovery.","PHIPrivacy.net","","2011","43.012527","-83.687456" "July 3, 2011","Navos Mental Health Solutions","Seattle","Washington","PHYS","MED","2,700","Paper records with sensitive information were misplaced, stolen, or improperly accessed sometime around March 15, 2011.","HHS via PHIPrivacy.net","","2011","47.606210","-122.332071" "July 5, 2011","Sutter Gould Medical Foundation (SGMF)","Stockton","California","PHYS","MED","1,200","Around 1,200 patient records were misplaced on May 27 and were buried in a landfill.  The box of records contained patient names, Social Security numbers, addresses, diagnostic test results, provider notes and correspondence, disability forms and insurance information.  An unnamed SGMF vendor is responsible for displacing the box.","PHIPrivacy.net","","2011","37.957702","-121.290780" "July 1, 2011","Colorado Department of Health Care Policy and Financing (HCPF)","Denver","Colorado","PORT","GOV","3,590","A disk with the information of medical-aid applicants was lost on its way between HCPF and another agency. It contained applicant names, state identification numbers, and addresses. The disk was discovered missing on May 6.","PHIPrivacy.net","","2011","39.739154","-104.984703" "July 9, 2011","Geoff Gray Corporation (GGC)","Hampstead","New Hampshire","HACK","BSF","0","GGC became aware of a potential security breach that could have occurred between June 9 and June 14.  A server collocated by 14Market may have been disabled by an outside party sometime during this time frame.  It appears that any attempt to hack information from the server during this time failed.  Notification letters were sent to customers on July 5.  ","Databreaches.net","","2011","42.874532","-71.181171" "July 8, 2011","Excela Health","Jeannette","Pennsylvania","PORT","MED","0","A computer was stolen from the radiology department of the Jeannette campus of Excela.  
It contained patient names, dates of birth and types of exam performed.","PHIPrivacy.net","","2011","40.328125","-79.615320" "June 30, 2011","Blue Cross and Blue Shield of Florida (BCBSF)","Jacksonville","Florida","DISC","MED","3,500","An April 2011 mailing error caused 3,500 member healthcare statements to be mailed to incorrect addresses.  The statements were mailed to the former addresses of members and contained names, insurance numbers, diagnoses codes and descriptions, procedure codes and descriptions, prescription names and provider names.","PHIPrivacy.net","","2011","30.332184","-81.655651" "July 8, 2011","Capital Grille","Orlando","Florida","HACK","BSR","0","A man hacked into the websites of multiple businesses; one of them was the Capital Grille website.  He was able to obtain email addresses and passwords of registered customers.  A total of 250 people from across the businesses had their information stolen.  He then tried to use the login information on financial websites.  He was able to access the financial accounts of people who used the same email and password combination.  A federal judge sentenced him to 10 years in prison. ","Databreaches.net","","2011","28.538336","-81.379237" "July 8, 2011","Kiplinger Washington Editors Inc.","Washington","District Of Columbia","HACK","BSO","142,000","A computer breach was discovered on June 25.  Hackers may have obtained encrypted customer credit card numbers, user names and passwords.","Databreaches.net","","2011","38.895112","-77.036366" "July 8, 2011","Universal Music","Universal City","California","HACK","BSO","0","An attack by the hacktivist group Anonymous resulted in the exposure of user names and passwords.  Anyone who signed up on the Universal Music website in order to receive updates about musicians was affected. 
Anonymous hacked the website as part of its AntiSec campaign, the goal of which is to expose weak spots in the internet security of governments and large businesses.","Databreaches.net","","2011","34.138890","-118.352500" "July 8, 2011","All Pets Club","Branford","Connecticut","HACK","BSR","0","A hacker infiltrated All Pets Club's computer system.  Customer credit card numbers are encrypted after the computer system stores them, but are vulnerable for a short time once they have been swiped.  The hacker was able to access the credit card numbers as they were swiped.  Police reported that a significant portion of the complaints about fraudulent credit charges in the Branford area have come from All Pets Club customers during the past few months.","Databreaches.net","","2011","41.277893","-72.799397" "July 7, 2011","Morgan Stanley Smith Barney, New York State Department of Taxation and Finance","Albany","New York","PORT","BSF","34,000","Two CD-ROMs were lost after being mailed from Morgan Stanley to the New York State Department of Taxation and Finance.  It is not clear if the CDs were never shipped, fell out of the packaging during shipping, or were lost after being received by the New York State Department of Taxation and Finance. The affected Morgan Stanley clients had their names, addresses, account and tax identification numbers, and income earned on Morgan Stanley investments in 2010 exposed.  Some clients also had their Social Security numbers exposed.  ","Databreaches.net","","2011","42.652579","-73.756232" "July 7, 2011","Clark College","Vancouver","Washington","HACK","EDU","250","An unauthorized access resulted in the exposure of faculty, student and staff information.  Student names and identification numbers were exposed.  
The types of faculty and staff information that may have been exposed were not reported.","Databreaches.net","","2011","45.638728","-122.661486" "July 7, 2011","The Tech","San Jose","California","HACK","BSO","800","A hacker broke into three older files on the Museum's computer system.  Member names, email addresses, home addresses and phone numbers were posted on Twitter for a period of time.  People who signed up for membership events in 2006 and nominees for the Museum's tech awards in 2009 were among those affected.","Databreaches.net","","2011","37.339386","-121.894956" "July 13, 2011","Metropolitan Health District","San Antonio","Texas","INSD","MED","0","Two San Antonio city employees pleaded guilty to charges related to using stolen Social Security numbers.  One member of the couple stole Social Security numbers from patients at a Metropolitan Health District. Multiple Social Security cards with different numbers were found during a raid of the couple's home.  The other member of the couple worked for the San Antonio Public Works Department. UPDATE (12/17/2011): One member of the couple received five months in jail, five months of house arrest, and two years of federal supervision for her crimes and for violating her position of trust as a city employee. She had been hired to work as an administrative assistant for a tuberculosis program at the Metropolitan Health District clinic through a temp agency.  The other member received five years of probation with six months of home confinement.  ","PHIPrivacy.net","","2011","29.424122","-98.493628" "July 13, 2011","Walgreens.com","Deerfield","Illinois","DISC","BSR","0","Walgreens customers saw the prescription information of other customers when they attempted to log into their accounts on the Walgreens.com site.  
The website problem existed for at least two months and also allowed customers to see the phone numbers, names of prescribing doctors, names of medications, the amount the prescriptions were purchased for and the dates of the purchases. A customer alerted a local store to the problem, but had to contact the media when the problem persisted two months later.","PHIPrivacy.net","","2011","42.171137","-87.844512" "July 12, 2011","Colorado Springs Hospital - Memorial Health System","Colorado Springs","Colorado","INSD","MED","2,500","A nurse from the occupational health clinic accessed the records of 2,500 Memorial Hospital patients without cause.  The nurse had access to patient records through Physician Link, but was not a Memorial employee, and had no medical or work-related reason for accessing the records. She was fired and claims to have used the database to look up contact information for family and friends, as well as for other reasons. The nurse also feels that she was singled out and claims that many other employees in the medical community use databases in this way.","PHIPrivacy.net","","2011","38.833882","-104.821363" "July 13, 2011","Meridian Health System","Asbury Park","New Jersey","PORT","MED","0","A laptop with employee information was taken from another employee's home on June 25. An unspecified amount of employee information was exposed.","Databreaches.net","","2011","40.220391","-74.012082" "July 15, 2011","Psychiatric Times","Minneapolis","Minnesota","DISC","BSO","1,400","Users who responded to a survey on ethical dilemmas may have had their names and email addresses exposed for approximately 16 hours.  The survey results were posted on the Psychiatric Times website on June 7th.  The website post contained a link to the responses to the survey questions.  This somehow provided enough information for the names and emails of respondents to be determined.  The link was deleted and the survey was disabled shortly after the discovery.  
Users were notified of the error on June 10.","PHIPrivacy.net","","2011","44.979965","-93.263836" "July 16, 2011","DeKalb Medical - Hillandale","Hillandale","Georgia","UNKN","MED","7,500","Patient information was stolen from the Hillandale facility and used to file fraudulent tax returns with the Internal Revenue Service.  Patients who visited DeKalb's Hillandale facility between July and October 2010 may have had their information exposed.  It appears that affected individuals between the ages of 17 and 20 were the group affected by the filing of fraudulent tax returns.  The United States Secret Service alerted DeKalb and it is believed that the breach was just one of many similar breaches in Georgia and Alabama.  DeKalb did not reveal how the information was taken.","PHIPrivacy.net","","2011","33.590667","-84.481595" "July 16, 2011","College Choice, UPromise Investments","Indianapolis","Indiana","INSD","BSF","300","An employee with College Choice's program manager UPromise Investments accessed names, Social Security numbers, dates of birth and other contact information for seven months while on the job.  The former employee was in charge of withdrawals and deposits.  It does not appear that the employee was able to withdraw money from any of the accounts in the Indiana plan.  Security measures were in place that prevented the employee from printing or emailing the information.","Databreaches.net","","2011","39.768377","-86.158042" "July 18, 2011","Beth Israel Deaconess Medical Center","Boston","Massachusetts","HACK","MED","2,012","A vendor failed to restore computer security controls following routine maintenance.  A virus was later discovered on a computer that contained names, medical record numbers, genders, dates of birth, and the date and name of radiology procedures for patients.  The virus transmitted encrypted data files to an unknown location.  The computer was cleaned and had its software re-installed to clear the virus. 
","PHIPrivacy.net","","2011","42.358431","-71.059773" "July 18, 2011","Kitchen Place","Norfolk","Nebraska","PHYS","BSR","0","Items on display at a bankruptcy auction involving the Kitchen Place included two cabinets with customer information and shelved boxes with employee information.  Past customer credit card and bank account numbers, methods of payment and home floor plans were kept in the cabinets.  Shelves for sale carried boxes of employee information which included names, Social Security numbers and other personal and payroll information. Anyone looking over the auction items could have accessed the information.  At least one person purchased an item that held customer information and subsequently dumped the papers in the parking lot.","PHIPrivacy.net","","2011","42.029640","-97.416870" "July 21, 2011","Mountain Mike's Pizza","Martell","California","HACK","BSR","0","Widespread credit and ATM card fraud has been linked to a hack of Mountain Mike's Pizza.  The website was infected by malicious software in October; it was detected and removed in April of 2011.  Customers who paid by debit or credit card between October of 2010 and April of 2011 are advised to call their financial institution and have their debit or credit card number changed as a precautionary step.","Databreaches.net","","2011","38.366857","-120.796047" "July 21, 2011","Extreme Pizza","San Francisco","California","HACK","BSR","0","On February 28, 2011 Extreme Pizza discovered that hackers had accessed the point of sales systems of several west coast franchises. The attacks occurred in August and the customer information was misused between that time and January of 2011.","Databreaches.net","","2011","37.774930","-122.419416" "July 21, 2011","Zpizza","Irvine","California","HACK","BSR","0","Zpizza was affected by malware on the point of sales system used to process credit and debit card transactions.  
The breach affected customers who used their credit or ATM cards between September of 2010 and January of 2011 at 12 locations. Customers in California, Montana and Virginia were affected.  ","Databreaches.net","","2011","33.683947","-117.794694" "July 21, 2011","StudentCity.com","Peabody","Massachusetts","HACK","BSR","266","Several customers reported problems with their credit and ATM cards after purchasing vacation trips on the website.  Customer names, passport numbers and dates of birth were also exposed.  The breach appears to be the result of a hacking attack.  StudentCity.com first became aware of the problem on June 9.  Though 266 New Hampshire residents were affected by the breach, the total number of affected US customers was not reported.","Databreaches.net","","2011","42.527873","-70.928661" "July 20, 2011","Swedish Medical Center","Seattle","Washington","DISC","MED","19,799","The full names and Social Security numbers of current and former employees were accessible online for nearly nine weeks. Employees who worked for Swedish, but not Swedish Physician Division,  in 1994, 1995, 2002, 2003, 2004 and 2006 had their information posted sometime between the middle of April and June 17, 2011. The cause of the accidental disclosure was not reported.","Databreaches.net","","2011","47.606210","-122.332071" "July 23, 2011","Margarita's Mexican Restaurant","Huntsville","Texas","HACK","BSR","0","A number of people reported fraudulent debit and credit card purchases.  The problems were traced back to a Margarita's computer that had been infected by a virus.  Investigators discovered that criminals had sold a number of the customer credit and debit card numbers that were stolen from the system.  
Margarita's had no obvious security flaws at the time of the breach and has since upgraded its firewall protection.","Databreaches.net","","2011","30.723526","-95.550777" "July 14, 2011","Sky Harbor PHX","Phoenix","Arizona","CARD","BSO","10","At least 10 TSA employees who worked at the same terminal had their financial information stolen when they used their credit or debit cards at a compromised machine.  Investigators are unsure of the scope of the breach.","Databreaches.net","","2011","33.448377","-112.074037" "January 29, 2010","Rabjohns Financial Group, MedHQ LLC, Lindy Manufacturing","Des Plaines","Illinois","PHYS","BSF","0","Hundreds of papers were found along a road in Des Plaines. Some were job applications for Rabjohns Financial Group/New England Financial in Chicago and corresponding UF forms.  W-2 forms and investment statements from 2009 were also among the papers.  It is unclear how the information ended up in the road.","Dataloss DB","","2010","42.033362","-87.883399" "January 1, 2010","Ashley and Gray DDS","Independence","Missouri","STAT","MED","9,309","Patients were notified on that a computer or laptop was stolen.  The protected health information of patients was on the computer. The location of the theft was not reported.","Dataloss DB","","2010","39.091116","-94.415507" "January 3, 2010","Eastern Bank","Lynn","Massachusetts","DISC","BSF","2,499","The bank account information of 2,499 customers was incorrectly mailed.","Dataloss DB","","2010","42.466763","-70.949494" "January 19, 2010","Minnesota Department of Labor & Industry","St. Paul","Minnesota","INSD","GOV","759","It was discovered that an hourly employee of 19 years was forging checks by using the information of companies who were fined for OSHA violations.  The employee had handled checks for 12 years and may have been involved in a larger fraud operation.  The employee was arrested and fraudulently obtained less than a thousand dollars on average from each company.  
A total of 759 companies who paid OSHA fines between January 1, 2009 and November 18, 2010 were affected.  One business owner discovered that a fraudulent check had been cashed for $745 after he paid an OSHA fine of $315.","Dataloss DB","","2010","44.954167","-93.113889" "January 6, 2010","Association of the Blind and Visually Impaired (ABVI)","Grand Rapids","Michigan","INSD","NGO","50","The names, addresses and bank account numbers of people who wrote checks to the ABVI were misused by a former employee in 2008 and 2009.  The employee was part of a larger check fraud and identity theft operation that was uncovered by police. Clients and donors generally had fewer than one thousand dollars taken from their accounts.","Dataloss DB","","2010","42.963360","-85.668086" "January 29, 2010","Curian Capital","Denver","Colorado","DISC","BSF","706","On January 19, 2010, a technical error caused client data to be mismatched during a posting of routine fee statements to the secure online filing cabinets of individual financial professionals.  A limited number of customer fee statements which included client names, Curian account numbers and account balances, and Social Security numbers were made available to other clients for less than a day. ","Dataloss DB","","2010","39.739154","-104.984703" "January 5, 2010","Milagros II Home Health","Alamo","Texas","PHYS","MED","0","A man found files with names, Social Security numbers, addresses, and phone numbers on his way to the grocery store.  Some were blowing in the wind and others were lying in the street.  All appear to be from Milagros II Home Health in Weslaco.  ","Dataloss DB","","2010","29.425690","-98.485030" "June 24, 2011","RxAmerica and Accendo Insurance Company","Salt Lake City","Utah","DISC","MED","176,300","Medicare Part D beneficiaries enrolled in Prescription Drug Plans may have had their information exposed.  
A formatting mistake made member names, ID numbers, drug names and dates of birth viewable through the envelope window of letters sent. UPDATE (7/27/2011): Current and former Molina Medicare, Healthy Advantage HMO SNP, and ChoicePartners Medicare HMO members were also affected. UPDATE (10/28/2011): An additional 1,378 Windsor Health Plan enrollees were affected as well.","PHIPrivacy.net","","2011","40.760779","-111.891047" "January 6, 2010","Passaic County Jail","Paterson","New Jersey","DISC","GOV","0","Inmates used the library logs at Passaic to obtain the personal information of other inmates. The inmates then called outside conspirators in order to defraud American Express and inmates of over $450,000.  Fake American Express credit cards were created from the information and used to deposit funds into Bank of America accounts or to make purchases. The scheme occurred between September of 2007 and April of 2008.","Dataloss DB","","2010","40.916765","-74.171811" "June 17, 2011","Platte Valley Medical Center (PVMC), Centura Health","Brighton","Colorado","PHYS","MED","265","A contract nurse who was employed by PVMC between May of 2010 and January of 2011 misused patient information.  At least 76 PVMC patients became victims of identity theft.  The nurse was employed at multiple locations.  The former employee may have accessed a total of 142 patient records while at PVMC, and 123 while working in the Centura Health system. He faces 90 felony counts related to illegally accessing patient files and identity theft.","PHIPrivacy.net","","2011","39.985262","-104.820528" "July 30, 2011","Wellness Centers of Atlanta","Alpharetta","Georgia","PHYS","MED","0","Patient records were left in an abandoned pain clinic.  The new owner reported the discovery to police.  Hundreds of files with medical information of former patients were discovered.  
It is unclear if anyone else accessed the information.","PHIPrivacy.net","","2011","34.075376","-84.294090" "July 30, 2011","Nyack Hospital","Nyack","New York","PORT","MED","1,400","The hospital theft of a hard drive resulted in the exposure of current and former employee information.  The names, Social Security numbers, addresses, dates of birth and other information related to employees and their families were on a human resources department computer.  A flood on June 23 caused the HR department to temporarily relocate.  Workers returned on July 6 and discovered that the hard drive had been stolen.  The information dates back at least 12 years.","Databreaches.net","","2011","41.090652","-73.917915" "July 30, 2011","Belmont Savings Bank (BSB)","Boston","Massachusetts","PORT","BSF","13,000","Belmont Savings Bank has agreed to pay a fine of $7,500 related to a consumer data breach case with the Massachusetts attorney general's office.  In May, a bank employee left a backup tape on a desk rather than storing it.  A cleaning crew disposed of the tape later that night.  Names, Social Security numbers and account numbers were exposed.  The tape contained the personal information of over 13,000 customers, but is believed to have been incinerated after disposal along with other sensitive materials from BSB.","Databreaches.net","","2011","42.358431","-71.059773" "July 26, 2011","Estée Lauder","New York","New York","PORT","BSR","0","A company-issued laptop was determined to be missing.  A notification letter was sent to current and former employees on July 13. Names and Social Security numbers were exposed.  The number of employees affected is unclear.","Databreaches.net","","2011","40.714353","-74.005973" "July 26, 2011","University of Nevada - Las Vegas (UNLV)","Las Vegas","Nevada","HACK","EDU","2,000","Current and former UNLV employees may have been affected by a breach.  
It is possible that an unauthorized user gained access to a former employee's computer in December of 2008.  Employee information that included Social Security numbers would have been exposed.  The potential breach was discovered in 2011 during maintenance on a computer in UNLV's Controller's Office.","Databreaches.net","","2011","36.114646","-115.172816" "July 26, 2011","Lincoln National Life Insurance Company, Lincoln Life & Annuity Company of New York","New York","New York","DISC","BSF","705","On April 29, an employee accidentally attached a sensitive file to an encrypted email that was sent to a third-party payroll provider.  It contained the names and Social Security numbers of pension plan participants of multiple payroll vendors.  The error was discovered on May 17, and notifications were sent in July.","Databreaches.net","","2011","40.714353","-74.005973" "July 31, 2011","Tufts University, Massachusetts General Hospital (MGH)","Boston","Massachusetts","PORT","EDU","0","A research associate's laptop was stolen during the course of research with a Tufts professor.  The research was being conducted at MGH.  The laptop was mostly used for research, but a sensitive file had been uploaded in early 2010.  It contained a spreadsheet with the information of applicants who applied to the Graduate School of Arts and Sciences at Tufts.  Applicant Social Security numbers were included in the spreadsheet.  The theft occurred in April of 2011 and was reported to MGH.  Tufts learned of the breach on June 16, 2011.","Databreaches.net","","2011","42.358431","-71.059773" "July 31, 2011","Ascensus","Dresher","Pennsylvania","HACK","BSF","0","On April 15, 2011, law enforcement notified Ascensus of a cyber attack that had affected Ascensus' network and those of other companies.  The virus was determined to be a new type of malware and was immediately blocked from Ascensus' network.  
However, the virus created and may have been able to export files with client names and Social Security numbers. ","Databreaches.net","","2011","40.140943","-75.166841" "July 30, 2011","Chase Bank","Rancho Peñasquitos","California","CARD","BSF","950","A man was charged with using a skimming device to take over $200,000 from customer accounts.  He was arraigned on 45 counts of identity theft, grand theft, burglary, making fake ID cards and causing losses that exceeded $200,000.  He was caught when bank investigators discovered that someone was installing an ATM skimming device on the door of the bank's ATM lobby every Saturday after closing.  The device was then removed by the thief early on Mondays.  This happened for at least six consecutive weeks.  Hidden cameras were also used to record customer PINs at the ATMs.  Agents were able to arrest the man as he returned to retrieve the skimming device.","Media","","2011","32.959490","-117.115311" "August 3, 2011","Department of Veterans Affairs","Washington","District Of Columbia","INSD","GOV","0","The inspector general at the VA found that IT contractors had accessed the VA's electronic health record system without appropriate security clearances.  A tipster had left a message about the situation on a departmental hotline in the summer of 2010.  Contractor personnel were found to be improperly sharing user accounts when accessing VA networks and the Veterans Health Information System and Technology Architecture systems. Employees of the contracting company were unaware of proper IT security protocol.","PHIPrivacy.net","","2011","38.895112","-77.036366" "August 2, 2011","New River Health Association","","West Virginia","UNKN","MED","950","The disclosure of sensitive paper records resulted in unauthorized access to personal information.  
The breach either occurred or was discovered around April 1, 2011.","HHS via PHIPrivacy.net","","2011","38.597626","-80.454903" "August 2, 2011","SilverPop","Atlanta","Georgia","PORT","BSO","884","A laptop that contained information related to SilverPop's Health and Welfare Plan was stolen on April 15.  Affected individuals may have had their protected health information exposed.","HHS via PHIPrivacy.net","","2011","33.748995","-84.387982" "August 1, 2011","Mills-Peninsula Medical Center","Burlingame","California","INSD","MED","1,438","A relative of a mail room employee discovered sensitive documents at the employee's residence and returned them in June of 2011.  The employee had taken home medical documents between November of 2009 and September of 2010.  The records consisted of patient names and diagnostic test results.  Fifteen of the documents included patient addresses and insurance identification or Social Security numbers.  The employee was fired.  UPDATE (10/22/2011): A total of 1,438 people were affected by the breach.  The former employee was charged with embezzlement and forgery.  She claims that she was overwhelmed with sorting the documents at work and that she planned to dispose of them properly.","PHIPrivacy.net","","2011","37.584103","-122.366083" "August 5, 2011","The Brigham, Women's/Faulkner Hospital","Boston","Massachusetts","PORT","MED","638","A physician who worked for both hospitals left an external hard drive in a piece of luggage.  The luggage was lost in a cab on or around June 21. Information related to inpatient hospital stays from July 10, 2009, to January 28, 2011, may have been on the hard drive.  
The types of information that could have been on the device include patient names, medical record numbers, dates of admission, medications, and information about diagnosis and treatment.","PHIPrivacy.net","","2011","42.358431","-71.059773" "August 8, 2011","Department of Veterans Affairs","Fayetteville","North Carolina","INSD","GOV","0","A dishonest VA worker used his tax return preparation business to submit fraudulent tax returns.  VA patient personal information such as names, Social Security numbers and birth dates were used to create fake dependents on people's tax returns.  The VA worker then collected fees from customers in exchange for fraudulently increasing the dollar amount of their tax returns. He was convicted in February and sentenced to 11 years in federal prison. The employee handled information from VA patients in North Carolina and Virginia.","PHIPrivacy.net","","2011","35.052664","-78.878359" "August 4, 2011","University of Arizona","Tucson","Arizona","HACK","GOV","0","A hacker accessed the employee listserv on or around August 4.  This allowed an unauthorized party to send an offensive photo and additional lewd messages through the University's mailing list.  The listserv is normally only used by administrators to transmit official University business.  It is unclear if any information was exposed.","Databreaches.net","","2011","32.221743","-110.926479" "August 1, 2011","University of North Carolina - Chapel Hill","Chapel Hill","North Carolina","PHYS","EDU","30","Someone broke into the UNC-Chapel Hill judicial office and took the files of 30 students. The break-in was discovered at the beginning of the day on Monday. University student affairs officials contacted each of the students who had their records stolen.  UPDATE (8/9/2011): A suspect was caught. 
He was arrested on charges of breaking and entering, larceny and possession of stolen goods.","Databreaches.net","","2011","35.913200","-79.055845" "August 3, 2011","Franklin County Children Services, Parenthesis Family Advocates","Columbus","Ohio","PHYS","GOV","0","Boxes of files were found by a recycling bin.  The files contained sensitive information from children with Franklin County Children Services.  Medical information, criminal records and other personal documents were left out in the open.  The papers have been linked to someone with access to Parenthesis' documents; however the cause of the breach is unknown.","Databreaches.net","","2011","39.961176","-82.998794" "August 1, 2011","City of Pittsburgh","Pittsburgh","Pennsylvania","UNKN","GOV","29","Someone obtained employee names, addresses and possibly Social Security numbers.  Fraudulent accounts could be set up with this information.  Multiple city employees from different departments received bills from PayPal for purchases they did not make.  The fraudulent charges range from $40 to $3,000.  It is not clear how the thieves accessed Pittsburgh city employee information. Police officers and other Department of Public Safety employees are among those who were affected.","Databreaches.net","","2011","40.440625","-79.995886" "August 10, 2011","University of Wisconsin - Milwaukee","Milwaukee","Wisconsin","HACK","EDU","79,000","On May 25, University technology staff learned that unauthorized individuals had installed computer viruses on a University server.  It housed a software system for managing confidential information.  The names and Social Security numbers of people associated with the University could have been exposed.  
There was no evidence that unauthorized parties had attempted to download the confidential information.","Databreaches.net","","2011","43.038903","-87.906474" "August 10, 2011","Cal Poly Pomona","Pomona","California","DISC","EDU","38","On August 2, a lecturer working in a student lab discovered that two files on a server could be accessed by faculty members, staffers and students from the College of Business Administration.  The files were confidential and included personal information such as names and Social Security numbers.  A total of 38 current and former faculty members were affected by the breach.  The University determined that the information had not been digitally copied by anyone.","Databreaches.net","","2011","34.060833","-117.755833" "August 10, 2011","Department of Social and Health Services - Washington","Seattle","Washington","DISC","GOV","3,950","A coding error caused mailing mistakes to be made in July.  Medical enrollment forms with the addresses of custodial parents were sent to non-custodial parents.  However, no addresses were disclosed in cases involving foster care or domestic violence.","Databreaches.net","","2011","47.606210","-122.332071" "August 13, 2011","St. Francis Hospital","Wilmington","Delaware","PORT","MED","474","A doctor lost a thumb drive that contained the personal health care information of 474 maternity patients.  It did not contain names, financial information or SSNs.  The thumb drive was returned to the doctor on June 11 by an anonymous sender.  The doctor had not realized it was missing and reported the incident to St. Francis on June 13.  
The doctor was authorized to remove the thumb drive from the Hospital, but it should have been encrypted and password protected.","PHIPrivacy.net","","2011","39.745833","-75.546667" "August 16, 2011","Purdue University","West Lafayette","Indiana","HACK","EDU","7,093","An unauthorized person broke into Purdue's computer system on April 5, 2010, and tried to use the server to attack other servers.  Purdue staff learned of the breach three days later and began an assessment. The server was taken offline and staff later determined that Social Security numbers belonging to current and former students who took mathematics courses and a limited number of faculty, faculty family members and contractors were exposed.  The Social Security numbers were then matched to their owners and notification was sent to the Attorney General's office in June of 2011.  ","Databreaches.net","","2011","40.425869","-86.908066" "August 12, 2011","Reznick Group, AssureCare Risk Management Inc, Colonial Healthcare Inc, Gypsum Management and Supply","Plymouth","Minnesota","HACK","BSF","25,330","Reznick's former service provider AssureCare reported a breach of a server that contained Reznick information.  The information from employee benefits plans from 2001 to 2006 could have been accessed by outside parties.  Current and former employees and their spouses may have had their names, Social Security numbers, addresses, dates of birth and medical information exposed.  The server was accessed by external intruders on May 9 and May 10 of 2011.  UPDATE (10/13/2011): Employees enrolled in Gypsum's health and dental care plans were also affected.","PHIPrivacy.net","","2011","45.010519","-93.455509" "August 15, 2011","North Carolina State University (NCSU), Gardners Elementary School, Wells Elementary School, Ashley Chapel Elementary School","Raleigh","North Carolina","DISC","EDU","1,800","A server that contained data from school children in Wilson and Richmond counties was mistakenly put online.  
The information was gathered between 2003 and 2006 as part of a research study on classroom practices.  It included names, Social Security numbers and dates of birth.  A concerned parent notified the state Department of Public Instruction after finding the information online. The error was fixed in July, though it is unclear how long the information was available online.","Databreaches.net","","2011","35.772096","-78.638615" "August 14, 2011","Bay Area Rapid Transit (BART)","San Francisco","California","HACK","GOV","2,450","Anonymous has claimed responsibility for a hack of BART's user database.  A list with the first and last names, email addresses, passwords, phone numbers, full addresses and other personal information of MyBart.gov users was posted publicly.  MyBart.gov users should change their login information for other sites if they used the same login information for MyBart.gov. Anonymous exposed the security holes in BART's database in order to protest BART's temporary suspension of wireless service throughout BART stations.  BART had already been criticized for disabling wireless service in an attempt to counter protests over a fatal officer-involved shooting.  The MyBart.gov homepage was also defaced.","Databreaches.net","","2011","37.774930","-122.419416" "June 13, 2011","Bethesda Softworks","Rockville","Maryland","HACK","BSR","200,000","The Bethesda website was hacked sometime during the weekend of June 11.  User names, email addresses and passwords may have been exposed.  Users should change their login information for other sites if they used the same login information for Bethesda.  
The hacker group LulzSec claimed that it had obtained the personal data of over 200,000 users of the Bethesda game Brink.","Databreaches.net","","2011","39.083997","-77.152758" "June 13, 2011","Jackson Memorial Hospital, Jackson Health System","Miami","Florida","INSD","MED","1,800","An unidentified former employee inappropriately accessed the financial information of hospital patients.  The employee was fired and the department they worked in was not revealed.","Databreaches.net","","2011","25.788969","-80.226439" "June 14, 2011","St. Louis University (SLU)","St. Louis","Missouri","PHYS","EDU","0","Someone noticed a pile of discarded paperwork and informed a local news station after it had not been removed within a week. Documents with the personal information of dozens of former St. Louis University students were exposed near a dumpster in a back alley.  Most appeared to date back to the mid 1990's and correspond to library fines for late or lost books.  An SLU security team picked up the papers after hearing about the incident.","Databreaches.net","","2011","38.627003","-90.199404" "August 14, 2011","Bethesda Softworks","Rockville","Maryland","HACK","BSR","0","Bethesda's website was hacked for the second time in three months.  No groups have claimed responsibility for the hack.  The breach affected Bethesda's forum user database and occurred on the morning of August 12.  Information in the database was encrypted, but all user forum passwords were reset as a precaution.  Bethesda is recommending that users alter their passwords for other sites if they were similar to the ones used in the forum.","Databreaches.net","","2011","39.083997","-77.152758" "June 15, 2011","Jackson National Life Insurance Company","Lansing","Michigan","DISC","BSF","0","On April 12, 2011 a report containing the personal information of customers was inadvertently mislabeled and emailed to an incorrect broker-dealer.  
The report contained information about customer transactions during March 2011.  Names, policy numbers, policy values, transaction dates and transaction amounts were exposed.  An internal review on May 2 uncovered the breach. ","Databreaches.net","","2011","42.732535","-84.555535" "August 19, 2011","The Health Plan of San Mateo (HPSM)","San Mateo","California","DISC","MED","694","Member notifications of approval of medical procedures were sent to the incorrect addresses.  Each approval letter contained the member's name, address, service requested, and HPSM member ID number.  The mistake was discovered on June 9, 2011 and the programming error that caused it was immediately fixed.  ","HHS via PHIPrivacy.net","","2011","37.562992","-122.325525" "August 19, 2011","Mount Sinai Multispecialty Physicians Practice","New York City","New York","PORT","MED","720","Two laptop computers were discovered missing from Mount Sinai's office in Long Island City, Queens.  A public notice was made on July 11 of 2011.  The laptops contained the names, Social Security numbers and diagnosis information of patients.  Mount Sinai encrypted all hard drives that contained confidential information in order to protect patients in the future.","PHIPrivacy.net","","2011","40.714353","-74.005973" "August 11, 2011","Eye Safety Systems","Sun Valley","Idaho","HACK","BSR","0","A May 2011 website breach of a third party vendor may have compromised the credit card transaction data of Eye Safety Systems' customers.  Customer names, phone numbers, email addresses, addresses, and credit card information may have been accessed.  Customers were notified on May 28 and Eye Safety Systems took measures to improve online security.","Databreaches.net","","2011","43.697129","-114.351717" "August 11, 2011","Energy Federation, Inc.","Westborough","Massachusetts","HACK","BSO","20","Two malware pieces were discovered on Energy Federation's server on July 12.  They appear to have been inserted on July 7 and July 10.  
The purpose of the malware was to collect information on the server. Customer names, credit card numbers and expiration dates, and contact information could have been exposed.  At least 20 New Hampshire residents were affected by the breach, but the total number of affected customers nationwide was not revealed.","Databreaches.net","","2011","42.269539","-71.616178" "August 11, 2011","TGI Fridays","Laurel","Maryland","INSD","BSR","73","A former waiter was indicted on charges of copying and selling the numbers from 73 customer credit cards.  The 16 charges include theft, identity theft, and conspiracy to commit theft.  The former employee is believed to have used a skimmer to copy the credit card numbers of restaurant patrons between December of 2009 and April 2010.  The employee was caught when two Secret Service employees who had eaten at the restaurant noticed unauthorized charges on their credit cards.  ","Databreaches.net","","2011","39.099275","-76.848306" "August 13, 2011","University of Hawaii - Kapi'olani Community College","Honolulu","Hawaii","PHYS","EDU","2,000","A worker noticed that boxes of sensitive financial records were out of place.  Some boxes were discovered to be missing and officials began searching for them on July 1.  The breach was reported to students during the first week of August.  It is unclear when the boxes were taken and there was no sign of forced entry into the area where they were stored.  The files contained names, addresses, Social Security numbers and credit cards.  People who made transactions with credit cards between February and November of 2010 for non-credit classes, transcript requests, or payment of non-resident fees were affected.  ","Databreaches.net","","2011","21.306944","-157.858333" "August 11, 2011","Country Corner Market","Amherst","Virginia","HACK","BSR","125","A hacker or hackers were able to access Country Corner's website and obtain customer information.  
Customers may have been tricked into giving their financial information through emails that appeared to be from Country Corner, a fake Country Corner website set up by hackers, or some other method of phishing.  It is also possible that customer data was taken directly from Country Corner's computer system.  Customers began reporting fraudulent charges and Country Corner's computer system was discovered to contain malware.","Databreaches.net","","2011","37.585141","-79.051413" "August 17, 2011","Bay Area Rapid Transit (BART)","San Francisco","California","HACK","GOV","100","A BART Police Officers Association database was hacked.  The names, postal addresses and email addresses of officers were posted online. A French national claimed responsibility for the hack and described the BART site as having zero security in place.","Databreaches.net","","2011","37.774930","-122.419416" "August 17, 2011","Yale University","New Haven","Connecticut","DISC","EDU","43,000","A computer file containing the names and Social Security numbers of former faculty, staff and students was accidentally made accessible online.  The file contained information from 1999 and could be located through a Google search for 10 months.  A change in Google's search engine made the file accessible from September 2010 to July 1, 2011.  A person who performed a Google search on his name discovered the breach on June 30.","Databreaches.net","","2011","41.308153","-72.928158" "August 18, 2011","Fort Dodge Correctional Facility","Vinton","Iowa","DISC","GOV","23","Hundreds of inmates could have viewed the names and Social Security numbers of guards at Fort Dodge.  The information was located inside a desk in an area used as an inmate barber shop.  The area was once used as an office, but the furniture was not checked, cleaned or removed before the conversion.  
The information had been sitting in the desk for three or four months before an officer found it.","Databreaches.net","","2011","42.164167","-92.026111" "August 22, 2011","Texas Health Presbyterian Hospital Flower Mound, Texas Health Partners","Flower Mound","Texas","PORT","MED","10,345","An employee's company-issued laptop was stolen on June 21, 2011.  The theft was reported immediately, but the laptop was not recovered.  It contained 1) physical descriptions such as age, gender, weight, and height, 2) medical information such as date and time of admission, date and time of laboratory order, lab results, dates of service, diagnosis, discharge instruction and summary, name of physician, insurance, procedure, room number, medical history, and medical record number, and 3) personal information that included employer, marital status, phone number, name of account guarantor, and Social Security number for a small number of patients.","PHIPrivacy.net","","2011","33.014567","-97.096955" "August 20, 2011","Thirty-One Gifts, LLC","Johnstown","Ohio","PORT","BSR","27","A laptop was discovered missing while another breach was being investigated.  The two breaches appear to be unrelated.  Consultants may have had their names, addresses and bank account information exposed.  At least 27 New Hampshire residents were notified of the breach, but the total number of affected people nationwide was not reported.","Databreaches.net","","2011","40.153674","-82.685170" "August 20, 2011","Thirty-One Gifts, LLC","Johnstown","Ohio","UNKN","BSR","28","An unidentified suspect may have accessed the names, Social Security numbers, addresses, and bank account information of 28 consultants.  The breach was discovered when commission funds were fraudulently transferred into an unfamiliar bank account; this occurred over two commission cycles in late 2010.  
The cause of the breach is not known.","Databreaches.net","","2011","40.153674","-82.685170" "June 23, 2011","Arizona Department of Public Safety (AZDPS)","Phoenix","Arizona","HACK","GOV","0","LulzSec has claimed responsibility for a hack of AZDPS.  Hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement and spouses were released.  LulzSec targeted the AZDPS in order to protest SB1070, an Arizona policy they call racial profiling and anti-immigrant.  UPDATE (6/30/2011): A second computer attack affected the personal email addresses and passwords of officers. The initial breach of official AZDPS email accounts allowed a hacking group to access the outside accounts of some officers.  Hackers were able to post some of the information from the personal accounts, including email messages and pictures.","Databreaches.net","","2011","33.448377","-112.074037" "August 18, 2011","Citigroup, Inc., Bank of America, Corp. ","New York","New York","UNKN","BSR","0","A breach of an unnamed merchant or merchants may have resulted in the exposure of customer credit and debit card information.  Citigroup deactivated the credit cards of affected customers and notified them that Citigroup had been informed of a security breach at a retailer.  Within a week, Bank of America also sent new debit cards to some customers after learning that some accounts may have been compromised at a merchant.","Media","","2011","40.714353","-74.005973" "August 27, 2011","Living Healthy Clinic, University of Wisconsin - Oshkosh College of Nursing","Oshkosh","Wisconsin","HACK","MED","3,000","A computer security breach that occurred in July may have exposed the information of uninsured Winnebago County residents who sought health services.  The information included names, Social Security numbers, addresses, and the health records of a limited number of people. 
The breach was discovered when University technology staff identified evidence of a computer virus on a desktop computer. There was no indication that unauthorized parties attempted to download information.","PHIPrivacy.net","","2011","44.024706","-88.542614" "August 23, 2011","meridianEMR","Livingston","New Jersey","HACK","BSR","0","On June 16, 2011, meridianEMR announced that it had filed a lawsuit against Intuitive Medical Software (UroChart).  meridianEMR's Advanced Monitoring System detected copying activities on meridianEMR's server.  meridianEMR immediately contacted Intuitive in response to the discovery.  A second group called The Shappley Clinic was also accused of accessing meridianEMR's data and placing patients in meridianEMR's system at risk.  The lawsuit contends that UroChart and another party have and have had unlawful access to patient information in violation of patient privacy rights.  UroChart is accused of violating New Jersey's Computer Related Offenses Act and behaving willfully and intentionally with malice.","PHIPrivacy.net","","2011","40.785567","-74.329513" "August 27, 2011","The Lexington VA Medical Center","Lexington","Kentucky","PORT","MED","1,900","An employee took a laptop home without authorization.  It contained patient names, dates of birth, the last four digits of patient Social Security numbers, and medical diagnoses.  The employee's actions were not believed to be intentionally malicious.","PHIPrivacy.net","","2011","38.031714","-84.495136" "August 23, 2011","Northwestern Counseling and Support Services","St. Albans","Vermont","PHYS","MED","12","A thief stole a petty cash lockbox from Northwestern Counseling's office sometime between June 18 and June 27.  The lockbox contained cash, as well as itemized receipts with client Social Security numbers.  
Affected clients were notified of the breach in early July.","PHIPrivacy.net","","2011","44.809722","-73.087222" "August 23, 2011","Lincoln Financial Group, Lincoln National Life Insurance Company, Lincoln Life and Annuity Company of New York","New York","New York","DISC","BSF","91,763","A programming error caused the names and Social Security numbers of current and former retirement plan enrollees to be accessible to unauthorized plan administrators.  The error had existed in the database's search function since October 2009.  A plan administrator notified Lincoln Financial Group of the issue on July 18.  ","Databreaches.net","","2011","40.714353","-74.005973" "August 23, 2011","Allstate Financial","Norwalk","Connecticut","PORT","BSF","0","A personal financial representative lost his laptop on May 23, 2011, and then reported the loss to Allstate Financial on June 13, 2011.  Customer policy information may have been stored on the laptop's hard drive.  On July 25, customers were notified that their policy information may have been exposed.","Databreaches.net","","2011","41.093889","-73.419722" "August 23, 2011","Berkshire Bank","Pittsfield","Massachusetts","DISC","BSF","0","Loan account numbers were printed on the outside of envelopes sent to customers.  The account numbers were on the line just above customer name and address.","Databreaches.net","","2011","42.450085","-73.245382" "July 21, 2008","Hawaii State Department of Public Safety","Honolulu","Hawaii","DISC","GOV","4,200","A reporter requested statistics from the State Department of Public Safety.  Though the reporter only wanted the number of people who use medical marijuana, he was sent an email with patient names, addresses, plant locations, certificate numbers, and the names of prescribing physicians.  
Patients became aware of the issue when information was printed in a front-page news story, though no patients were identified.","Databreaches.net","","2011","21.306944","-157.858333" "April 26, 2010","Child Protective Services, Texas Department of Family and Protective Services","Austin","Texas","INSD","GOV","70","An administrative technician working for Child Protective Services under the Texas Department of Family and Protective Services misused the personal information of at least 70 adoptive and foster parent applicants.  The dishonest employee would exchange the information for gifts and money and another person used the information to make fake drivers' licenses.  This allowed fraudulent credit card accounts to be opened in victims' names.  Both people were caught.","Databreaches.net","","2010","30.267153","-97.743061" "March 21, 2011","Tesoro High School","Las Flores","California","HACK","EDU","0","A 21-year old was sentenced to jail after it was discovered that he had broken into his high school's computer system in 2008.  He stole tests and changed his grades. He was ordered to pay $15,000, serve 30 days in jail and serve 500 hours of community service.  UPDATE (8/26/2011): The former student successfully paid the fine in August.","Media","","2011","33.588079","-117.626716" "August 27, 2011","Avalon Centers","Depew","New York","PHYS","MED","172","A former judge was arrested for making false statements to a federal agent.  The former judge was attempting to reopen an eating-disorder clinic and tossed old records into a nearby dumpster in June of 2010.  Authorities found 15 to 20 boxes of papers with patient names, Social Security numbers, addresses, dates of birth, medical complaints, medical diagnosis, treatment information and other health information.  
When a federal agent asked the former judge about the boxes, he responded that they contained business information without any sensitive medical information.","Media","","2011","42.903948","-78.692252" "September 2, 2011","Pacific Retina Specialists","Seattle","Washington","INSD","MED","60","At least 60 patients had their records stolen by a billing technician during late 2010.  The information included names, Social Security numbers, dates of birth, addresses and health insurance policy numbers.  Many patients who used Medicare Advantage plans at the clinic were affected.  The former employee and an accomplice also forged the names of three doctors on prescription forms.  The patient prescription information was then used to obtain narcotic prescription drugs worth thousands of dollars.  The former employee was sentenced to five years in prison.  ","PHIPrivacy.net","","2011","47.606210","-122.332071" "September 2, 2011","Texas Police Chief Association","Elgin","Texas","HACK","GOV","0","Private emails from police officers and other information may have been exposed after the Texas Police Chief Association website was hacked.  The hacking group Anonymous claimed responsibility for the attack as retaliation for the arrest of dozens of people suspected of being involved with Anonymous.  Specifically, Anonymous claimed that ""For every defendant in the Anonymous 'conspiracy' we are attacking two top Texas police chiefs, leaking 3GB of their private emails and attachments.""","Databreaches.net","","2011","30.349653","-97.370274" "September 3, 2011","New Horizons General Partnership","Granbury","Texas","INSD","MED","12","A couple who worked with New Horizons pleaded guilty to one count of conspiracy to commit false statements relating to health care matters.  They each face up to five years in prison, a $250,000 fine, and the possibility of restitution.  
From at least January 1999 through April 2010, they defrauded the Texas Medicaid program by using the names and Social Security numbers of at least 12 inmates and other persons to create ""ghost"" employees for New Horizons.  The false time sheets and inaccurate payroll reports allowed the couple to collect pay checks from the ""ghost"" employees.  One member of the couple also submitted false claims for ICF/MR services to Medicaid.  A total of $1,820,359 was fraudulently obtained from the Texas Medicaid program.    ","Databreaches.net","","2011","32.442083","-97.794197" "September 1, 2011","Birdville ","Haltom City","Texas","HACK","EDU","14,500","Two students may face criminal charges for hacking into the Birdville School District's network server and accessing a file with 14,500 student names and Social Security numbers.  The students are a high school junior and a senior.  Students who attended during the 2008-2009 school year may have been affected.","Databreaches.net","","2011","32.799574","-97.269182" "September 1, 2011","North Macomb PLUS Office, Southwest Macomb PLUS Office","","Michigan","PHYS","GOV","14,000","Almost 14,000 documents related to drivers license and state identification applications were stolen from two separate offices over a total of two years.  The applications included names, dates of birth, addresses, and in some cases Social Security numbers.  The documents were stolen in May or June from secured areas at the North Macomb PLUS Office in Chesterfield Township and from the Southwest Macomb PLUS Office in Warren.  The information dates back to 2009.","Databreaches.net","","2011","44.314844","-85.602364" "September 1, 2011","Harvard University","Cambridge","Massachusetts","DISC","EDU","0","Harvard's switch to Google ""@college"" email accounts resulted in the potential compromise of some student emails.  Fewer than ten students reported that emails from other students with similar names were forwarded to them.  
The problem occurred because the email system did not distinguish between the older ""@fas"" accounts and the newer ""@college"" accounts.  For example, the system would forward emails from ctucker@fas.harvard.edu to the new address of ctucker@college.harvard.com even if the ""@harvard"" email had been taken by a different student. Students with ""@harvard"" emails also had their emails forwarded to other students' accounts.","Databreaches.net","","2011","42.372640","-71.109653" "September 9, 2011","Indiana University School of Medicine","Indianapolis","Indiana","PORT","EDU","3,192","A laptop with sensitive information was stolen from a physician's car on Tuesday, August 16 of 2011.  It contained patient information such as name, age, sex, diagnosis, medical record number, and in 178 cases, Social Security numbers.  Individuals were notified on September 2.","PHIPrivacy.net","","2011","39.768377","-86.158042" "September 9, 2011","Methodist Hospital","Houston","Texas","PHYS","MED","0","Three people are accused of using cancer and transplant patient files from Methodist Hospital to make fraudulent purchases.  A dishonest employee took the birth dates and Social Security numbers of patients and passed them along to two co-conspirators.  The trio then opened accounts and took out loans in the names of at least five patients.  They face life in prison if convicted.","PHIPrivacy.net","","2011","29.760193","-95.369390" "September 8, 2011","Stanford University Hospital and Clinics","Palo Alto","California","DISC","MED","20,000","The medical records of about 20,000 emergency room patients were posted on a commercial website for nearly a year.  It is unclear how the spreadsheet with names, account numbers, admission and discharge dates, billing charges and diagnosis codes came to be on the website.  The information was not financially sensitive.  The website was called ""Student of Fortune"" and allowed students to pay for assistance with their school work.  
The spreadsheet was posted in relation to a question about how to convert the data into a bar graph.  A former patient reported the availability of the spreadsheet on August 22. UPDATE (10/3/2011): A class-action lawsuit for $20 million has been filed against Stanford University Hospitals and Clinics (SHC) and Multi-Speciality Collection Services, LLC (MSCS). It was filed on September 28 and about $1,000 for each of the 20,000 affected is sought.  MSCS is a former billing vendor of SHC and was operating under a contract that specifically required it to protect the privacy of patient information.    UPDATE (10/5/2011): The source of the breach was confirmed by the Hospital and contractors.  MSCS's marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test.  The applicant asked for help through the Student of Fortune website.  ","PHIPrivacy.net","","2011","37.441883","-122.143020" "September 8, 2011","Treatment Services Northwest","Portland","Oregon","STAT","MED","1,200","A computer was stolen on or around July 29, 2011.  It contained the protected health information of 1,200 patients who visited for outpatient alcohol and drug treatment services.","HHS via PHIPrivacy.net","","2011","45.523452","-122.676207" "September 8, 2011","Austin Center for Therapy and Assessment","Austin","Texas","PORT","MED","1,870","The July 8 theft of a laptop resulted in the exposure of private patient information.  Patient names, addresses, Social Security numbers and treatment information may have been obtained from the stolen laptop.","HHS via PHIPrivacy.net","","2011","30.267153","-97.743061" "September 16, 2011","Veterans Administration Medical Center (Biloxi)","Biloxi","Mississippi","PHYS","GOV","1,814","The VA believes an employee's office at the Veterans Administration Medical Center in Biloxi was inappropriately accessed without proper authorization on July 21.  
A number of medical files with veteran names, Social Security numbers, dates of birth and other personal information like medical diagnoses were found spread on the office floor.  The breach could affect veterans, deceased veterans and VA employees in seven counties in southern Mississippi, four counties in southern Alabama, and seven counties in the Florida Panhandle. ","PHIPrivacy.net","","2011","30.396032","-88.885308" "September 13, 2011","Bonney Lake Medical Center","Bonney Lake","Washington","STAT","MED","2,370","An August 12 office burglary resulted in the loss of several computers and a main computer server with patient information.  Patient names, Social Security numbers, addresses, insurance information, and medical records may have been exposed.  ","PHIPrivacy.net","","2011","47.177046","-122.186506" "September 15, 2011","Brandywyne Healthcare Center","Winter Haven","Florida","INSD","MED","83","A nurse was arrested and charged with grand larceny, ID theft, and scheming to defraud several elderly patients.  The nurse collected patient information and texted it to a co-conspirator.  The co-conspirator then used the information to obtain fraudulent tax returns in the names of the victims.  Over 30 of the 83 victim records found at the co-conspirator's home were from the Brandywyne Health Center.","PHIPrivacy.net","","2011","28.022244","-81.732857" "April 8, 2010","Private Dental Practice","San Clara","California","INSD","MED","20","Dishonest employees who worked at an unnamed dental office and an unnamed law office in the Bay Area were part of an identity theft ring.  A total of seven people are facing charges for their involvement in the ring.  The charges include identity theft, conspiracy, possession of stolen property, and grand theft.  Over $170,000 in cash and fraudulent purchases was taken through the use of sensitive patient and client information from the dental office and law office.  
UPDATE (9/06/2011): The former employee of the dental office was sentenced. He will serve four years in prison for supplying patient information between June and December of 2009.  The information was then used to create false driver's licenses and to file illegal change-of-address forms.  ","PHIPrivacy.net","","2011","-0.178063","-78.478775" "September 16, 2011","Xavier University","Cincinnati","Ohio","PHYS","EDU","0","Sensitive student athlete medical records were misplaced by a coach who was transporting them to an athletic event.  A recently released prisoner found the documents and attempted to sell them back to the University for $20,000.  The man was caught, pled guilty to extortion, and was sentenced to two years in prison.","PHIPrivacy.net","","2011","39.103118","-84.512020" "September 15, 2011","Montgomery County Department of Job and Family Services","Dayton","Ohio","PORT","GOV","1,200","A flash drive with sensitive information was discovered missing on August 24.  It contained the names and Social Security numbers of people who sought assistance from the Transition Center.  ","Databreaches.net","","2011","39.758948","-84.191607" "September 16, 2011","Guilford County Tax Department","Greensboro","North Carolina","DISC","GOV","1,000","On September 9, Guilford County became aware of the accidental placement of Tax Department files online.  The names, bank account numbers, Social Security numbers, and addresses of citizens who had garnishments from the Tax Department were available online.  The mistake affected people who submitted checks to the Tax Department between July 2010 and December 2010.  
The information was available as early as December of 2010 and taken down on September 9 of 2011. UPDATE (9/16/2011): At least 1,000 people were affected by the breach.","Databreaches.net","","2011","36.072635","-79.791975" "September 15, 2011","United States Army","Alexandria","Virginia","PORT","GOV","25,000","A CD with sensitive Non-Appropriated Fund retiree information was lost in the mail between Alexandria, Virginia and San Antonio, Texas.  The CD never officially arrived after being sent during the last week of August.  It contained retiree records with names, Social Security numbers, retirement date, type of retirement, amount of life insurance carried, term data, dates of service, and other retirement data.","Databreaches.net","","2011","38.804836","-77.046921" "September 18, 2011","Intelligence and National Security Alliance (INSA)","Arlington","Virginia","HACK","NGO","95","Hackers posted the names and email addresses of hundreds of U.S. Intelligence officials.  At least 95 individuals with email addresses from the high security National Security Agency were affected, as well as many others in key positions at the White House, Pentagon, CIA, FBI, the Office of Director of National Intelligence and the State Department.  Hundreds of executives at major government contracting firms that specialize in national security projects also had their names, emails, and possibly telephone numbers exposed and work addresses exposed.  These organizations include Northrop Grumman, Boeing, General Dynamics, SAIC and CACI.","Databreaches.net","","2011","38.879970","-77.106770" "September 12, 2011","McDonald's","Monticello","Minnesota","INSD","BSR","0","A minor working at a McDonald's drive-thru repeatedly used a skimming device to obtain the credit card numbers of customers.  The dishonest employee swiped credit cards in the skimmer as customers paid for their meals throughout July and August.  
The credit card information was then used by identity thieves to create duplicate cards with false names.  Investigators are actively looking for more victims.  Those who may have been affected should call the Sheriff's Office (763) 682-7733.","Media","","2011","45.305520","-93.794138" "September 17, 2011","Legislative Data Center","Sacramento","California","HACK","GOV","50","Over 50 employees of the California State Assembly were warned that their personal information may have been obtained by a hacker.  Some lawmakers were affected by the breach.  On Friday, officials learned that one of the servers had been breached.  It appears that the goal of the hacker or hackers was to overload the Capitol's Internet service.  People who participated in a flexible-benefits program were affected by the breach.  The type of data exposed was not reported.","Databreaches.net","","2011","38.581572","-121.494400" "September 12, 2011","Vacationland Vendors, Inc.","Wisconsin Dells","Wisconsin","HACK","BSR","40,000","A hacker gained unauthorized access to Vacationland Vendors' card processing systems at Wilderness Waterpark Resort in the Dells and Wilderness at the Smokies in Sevierville.  The breach occurred on March 22.  Customers who used a credit or debit card at one of the resorts between December 12, 2008 and May 25, 2011 were affected.  ","Databreaches.net","","2011","43.627479","-89.770958" "September 20, 2011","Good Samaritan Hospital","Baltimore","Maryland","PHYS","MED","0","A man posing as a vendor took two barrels of old X-ray film.  The film contained medical data from over five years ago.  It had been put aside for destruction or recycling.  
Authorities believe the thief wanted to extract the silver contained in the films.","PHIPrivacy.net","","2011","39.290385","-76.612189" "September 10, 2011","Tampa Signal","Tampa","Florida","INSD","BSR","0","The actions of at least one dishonest employee put the personal information of thousands of homeowners into the hands of identity thieves.  People who purchased an ADT home security system through Tampa Signal in February may have had their information sold by one or more employees.  The personal information exposed included Social Security numbers and dates of birth.  Fraudulent tax returns were filed in the names of an unknown number of victims.  ","Databreaches.net","","2011","27.950575","-82.457178" "September 20, 2011","Ashley Industrial Molding, Inc., AssureCare Risk Management (ARM)","Ashley","Indiana","HACK","BSR","506","A hacker or hackers were able to access Ashley Industrial Molding benefit plan information through AssureCare Risk Management (ARM) on August 9.  It is unclear if this incident is related to the ARM incident reported here on August 12, 2011.","HHS via PHIPrivacy.net","","2011","41.527273","-85.065523" "September 20, 2011","ProMedica","Toledo","Ohio","DISC","MED","14","A mail sorting machine mistake caused sensitive information to be mailed to unintended patients.  The breach was discovered when a patient opened a letter that contained her name and address, but the financial assistance application of a different patient.  Names, addresses, dates of birth, phone numbers, and Social Security numbers were exposed.","PHIPrivacy.net","","2011","41.663938","-83.555212" "September 19, 2011","Yanez Dental Corporation","Hanford","California","STAT","MED","10,190","A May 22 office burglary resulted in the loss of three computers with patient information.  Patient names, Social Security numbers, dates of birth, addresses, telephone numbers, and other personal information were exposed.  
A notification dated June 15 was posted on Yanez's website.","HHS via PHIPrivacy.net","","2011","36.327450","-119.645684" "September 23, 2011","Veterans Affairs Illiana Health Care System","Illiana","Illinois","PHYS","MED","518","An appointment book was discovered missing on July 14.  It contained the last names and last four digits of veterans' Social Security numbers.  It is unclear where the book was taken from, but it is clear that it was not properly safeguarded.","PHIPrivacy.net","","2011","40.196426","-87.531962" "September 19, 2011","Medassets Inc., Saint Barnabas Health Care System, Cook County Health and Hospitals (CCHHS)","Alpharetta","Georgia","PORT","BSO","82,265","An external computer hard drive was stolen from a MedAsset employee's car on June 24.  MedAsset provides administrative and business services to medical centers.  The hard drive contained the personal information of patients who were being considered for governmental benefits at six Saint Barnabas acute care hospitals and patient information from Cook County Health and Hospitals System in Chicago.  Patient names, medical center account numbers, medical record numbers, dates of birth, medical center charges, amount paid, health insurance information and discharge dates were exposed.  Approximately seven percent of the Saint Barnabas System patients who were affected had their Social Security numbers exposed as well.  The six Saint Barnabas Health Care System clinics are: Clara Maass Medical Center - 8,795; Community Medical Center - 6,950; Kimball Medical Center - 6,785; Monmouth Medical Center - 6,443; Newark Beth Israel Medical Center - 15,015; Saint Barnabas Medical Center - 6,179. Also, 32,008 CCHHS patients were affected.","HHS via PHIPrivacy.net","","2011","34.075376","-84.294090" "September 23, 2011","United States Steel and Carnegie Pension Fund, Benefits Administration Services","New York","New York","PORT","BSO","4,000","A CD with the names, Social Security numbers and dates of birth of U.S. 
Steel Mining retirees and dependents was lost in the mail.  Benefits Administration Services (BAS) mailed the CD in August, but it was not received.  BAS is still working with the U.S. Postal service to recover the CD.","Databreaches.net","","2011","40.714353","-74.005973" "September 23, 2011","University of Texas San Antonio (UTSA)","San Antonio","Texas","DISC","EDU","688","Students and prospective students who enrolled in or applied to courses in UTSA's Honors College may have had their information exposed.  On August 2, a UTSA employee discovered that a system misconfiguration allowed unauthorized users to access names, dates of birth, addresses, phone numbers, email addresses, GPAs and other personal information of students and prospective students. Between June 20 and August 2, Honors College users as well as all other UTSA employees with access to the online system could view student information.","Databreaches.net","","2011","29.424122","-98.493628" "September 25, 2011","Two Georges' Restaurant","Corpus Christi","Texas","INSD","BSR","16","At least 16 people reported fraudulent credit card charges after using their cards at the restaurant.  The fraudulent charges total $20,000.  The owners of the restaurant were evicted for not paying rent and have not been located.  Former employees of the restaurant are still waiting for their final paychecks.","Databreaches.net","","2011","27.800583","-97.396381" "September 14, 2011","Bright House Network","St. Petersburg","Florida","HACK","BSR","0","Bright House servers which process Video on Demand (VOD) orders were breached.  Historical customer data from as far back as June 22, 2011 was exposed.  Customer names, addresses, phone numbers, and Bright House Network account numbers could have been exposed.  
Customers were notified in September.","Databreaches.net","","2011","27.773056","-82.640000" "August 24, 2011","Allianceforbiz.com, ShoWorks, Inc.","Spokane","Washington","HACK","BSO","20,000","A hacker accessed a database of sensitive customer information.  An Excel spreadsheet with usernames, passwords, email addresses, company names, and other types of personal or business information of 20,000 people was posted online on August 22. No credit cards were accessed and the website was closed until all passwords were changed.","Databreaches.net","","2011","47.658780","-117.426047" "September 28, 2011","Summit Medical Group, Emory Family Practice, Fountain City Family Physicians, Office of Dr. Kenneth Reese","Knoxville","Tennessee","PHYS","MED","750","The September 4 theft of documents from an employee's car resulted in the exposure of patient names and diagnoses.  The car was parked at the employee's home.  Summit Medical Group account numbers, dates of birth, primary physician's names, names of hospitals, and dates of discharges were exposed.","PHIPrivacy.net","","2011","35.960638","-83.920739" "October 3, 2011","Dentistry at the Crest","Aurora","Colorado","PHYS","MED","0","Hundreds of sensitive dental patient records were found by a street sweeper.  They were scattered near a dumpster behind a shopping center.  The records appear to be from a dental practice in Lone Tree, a 20 mile journey.  The party responsible for the breach is unknown.  Billing records with patient names, Social Security numbers, dates of birth, and addresses were exposed.","PHIPrivacy.net","","2011","39.729432","-104.831920" "September 30, 2011","First Priority Life Insurance Company, Blue Cross of Northeastern Pennsylvania, Penn Foster","Scranton","Pennsylvania","PHYS","MED","500","Around 500 employees were affected by the home theft of a laptop and sensitive papers.  
A Blue Cross business associate took home reports that contained names, Social Security numbers, and addresses of First Priority policyholders.  The reports and laptop were stolen while the home was vacated due to flooding.  The laptop was recovered a few days later.","PHIPrivacy.net","","2011","41.408969","-75.662412" "October 7, 2011","James A. Haley Veterans Hospital","Tampa Bay","Florida","PHYS","MED","0","Hundreds of paper patient forms were compromised in May.  An off-duty Tampa police officer discovered the records in a Motel 6 in May. The occupants of the motel room were detained on identity theft charges.  The forms contained patient names, Social Security numbers, and dates of birth. The papers included Turbo Tax cards, receipts, and medical records from the Veterans Affairs hospital. At least one veteran had a fraudulent debit card charge. ","PHIPrivacy.net","","2011","27.950575","-82.457178" "October 11, 2011","Genentech Inc.","San Francisco","California","HACK","BSR","0","An unauthorized person may have gained access to Genentech's list of personal information for patients who used Genentech assistance to pay for their drugs.  The breach was discovered on August 17.  Names, Social Security numbers, addresses, phone numbers, dates of birth, email addresses, driver's licence numbers, medical information, and health insurance information may have been exposed.  
","PHIPrivacy.net","","2011","37.774930","-122.419416" "October 14, 2011","Diversified Resources Inc.","Waycross","Georgia","PORT","BSO","863","The theft of a laptop on or around August 11, 2011 resulted in the exposure of protected health information.","HHS via PHIPrivacy.net","","2011","31.213551","-82.354018" "October 14, 2011","Health Research Institute, Inc., Pfeiffer Treatment Center","","Illinois","STAT","MED","2,000","The July 1, 2011 theft of a desktop computer and network server resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2011","40.633125","-89.398528" "October 14, 2011","Freda J. Bowman MD, PA","","Texas","UNKN","MED","1,300","Protected health information from a network server was breached on or around August 8, 2011.  The incident may have been an unintended disclosure which allowed unauthorized users to view information, or it may have been a hacking attack.","HHS via PHIPrivacy.net","","2011","31.968599","-99.901813" "October 14, 2011","NEA Baptist Clinic","Jonesboro","Arkansas","HACK","MED","3,116","NEA's former public website was compromised by a hacker or hackers on July 12, 2011.  People who previously registered with the website in order to use the website's special functions may have had their email addresses and user name and password combinations exposed.  Some individuals also had their names, addresses, and dates of birth compromised.  Since passwords may have been obtained, individuals who may have been affected should not use their NEA website password for any other accounts.","HHS via PHIPrivacy.net","","2011","35.842297","-90.704279" "October 13, 2011","Texas Health and Human Services","Austin","Texas","PORT","GOV","1,696","The theft of a laptop from a nurse's car may have exposed names, dates of birth, genders, Medicaid client identification numbers, procedure codes, diagnoses codes, and other health information.  
The theft took place on March 10, 2011, but it was not until August that the risk to patient privacy was discovered.  A notice was sent on September 9.","PHIPrivacy.net","","2011","30.267153","-97.743061" "October 13, 2011","Neurological Institute of Savannah and Center for Spine (NIOS)","Savannah","Georgia","PORT","MED","63,425","The July 2 car theft of a computer hard drive may have exposed patient information.  Patients who visited NIOS between January 1, 2006 and July 2, 2011 could have had their names, Social Security numbers, addresses, dates of birth, telephone numbers, and billing account data obtained. ","PHIPrivacy.net","","2011","32.083541","-81.099834" "October 15, 2011","San Antonio Independent School District (SAISD)","San Antonio","Texas","DISC","GOV","70","Dozens of students had their names, Social Security numbers, phone numbers, dates of birth, home addresses, and dropout likelihood posted online for several months.  The dropout likelihood was included in reports along with other personal details such as academic problems, homelessness, and history of running away from home.  The reports were never meant to be posted and a note that read ""All student information is confidential. This report must be SHREDDED when no longer in use"" was clearly visible at the bottom of each report.  An administrator accidentally changed the SAISD site settings and exposed the information at an unspecified time.  The total number of students affected was not reported, but it appears that several reports each contained confidential information for 60-70 students.  
Students appeared in multiple reports.","Databreaches.net","","2011","29.424122","-98.493628" "October 14, 2011","Securities and Exchange Commission (SEC), Financial Tracking Technologies (FTT)","Washington","District Of Columbia","DISC","GOV","0","FTT, a contractor working with SEC's ethics compliance program, violated its agreement with SEC by providing names and account numbers to a subcontractor, or subcontractors without permission.  An SEC September 16 security review revealed that FTT had failed to comply with contractual obligations.  The system was taken offline and FTT was told to terminate all third party access to SEC systems.","Databreaches.net","","2011","38.895112","-77.036366" "October 13, 2011","The Social Security Administration","Washington","District Of Columbia","DISC","GOV","31,931","It appears that the Social Security Administration accidentally releases the names, Social Security numbers, and birth dates of thousands of living U.S. citizens each year in a database called the ""Death Master File"".  Social Security officials revealed that the number of U.S. citizens mistakenly listed each year is about 14,000, while 90 million are accurately reported.  A Scripps Howard News Service review of three recent copies revealed 31,931 living U.S. citizens who'd had their Social Security numbers released to U.S. business groups.","Databreaches.net","","2011","38.895112","-77.036366" "October 22, 2011","Concordia Plan Services (CPS)","St. Louis","Missouri","PORT","MED","0","Microfilm that contained the plan enrollment information of benefits members was lost by a delivery service sometime between February and May of 2011.  It contained names, addresses, dates of birth and in some cases Social Security numbers and limited medical information from the 1960's and 1970's.  A vendor received the microfilm from CPS on February 3rd.  
The vendor attempted to transfer the microfilm to another company, but learned that the microfilm had been misplaced sometime prior to or during May.  CPS's vendor informed them of the situation on August 23.","PHIPrivacy.net","","2011","38.627003","-90.199404" "October 23, 2011","Hazleton Community Ambulance Association","Hazleton","Pennsylvania","PHYS","MED","0","Hundreds of sheets were found inside of folders in improperly discarded boxes.  The sheets were easily visible and accessible through sliding doors on either side of the dumpster and a firefighter alerted a local newspaper to the incident.  The records contained names, Social Security numbers, payroll information, addresses, phone numbers, insurance information, dates of birth, and medical histories from employees and former patients of the Ambulance Association.  It appears that all of the records are from 2003 and 2004.  An Ambulance Association officer admitted to placing the boxes in a dumpster rather than following usual procedure and shredding them.","PHIPrivacy.net","","2011","40.958418","-75.974647" "October 17, 2011","Spectrum Health Systems, Inc.","Worcester","Massachusetts","PORT","MED","0","The August 24 office theft of a hard drive resulted in the exposure of patient information.  No patient information was believed to have been exposed, but an investigation of the breach revealed that the hard drive had been stolen along with a laptop and a desktop computer.  It contained information from people who received Spectrum program services at the Westborough, Worcester, Milford, Framingham, Southbridge, Fitchburg, and Weymouth locations between 2002 and March of 2011.  
Inpatient and outpatient names, Social Security numbers, diagnostic codes, medical insurance numbers, addresses, phone numbers, and dates of birth were exposed.","PHIPrivacy.net","","2011","42.262593","-71.802293" "October 22, 2011","International Association of Chiefs of Police (IACP), Boston Police Patrolmen's Association, Baldwin County Sheriff's Office in Alabama, Matrix Group","","","HACK","GOV","0","Factions of Anonymous and Antisec posted sensitive law enforcement files on the internet on Friday October 21.  Data from multiple law enforcement vendors' and agencies' computer systems were compromised.  At least four groups were affected.  An IACP membership roster, Birmingham and Jefferson County police officer names, Social Security numbers, ranks, addresses, and phone numbers, Matrix Group client and financial information, and data from an unnamed web design and marketing firm with law enforcement customers were exposed.","Databreaches.net","","2011","37.090240","-95.712891" "October 20, 2011","Wells Fargo","Jacksonville","Florida","DISC","BSF","0","A mailing error exposed customer bank account information to other customers.  Pages from other customer accounts which included bank account numbers, balances, and transactions were accidentally mailed to other customers in September paper statements.  The error was caused by a printer malfunction.  Wells Fargo temporarily took the printer out of service after the breach was discovered.  At least 50 customers noticed the problem.","Databreaches.net","","2011","30.332184","-81.655651" "October 25, 2011","Indalex","Modesto","California","PHYS","BSO","0","An abandoned Indalex plant still contained personnel records. Employee names, Social Security numbers, medical records, addresses, and other sensitive information were exposed when scavengers looking for aluminum and other materials ravaged the abandoned plant.  The plant was closed in 2008 and Indalex filed for bankruptcy in 2009.  
Indalex received clearance from a bankruptcy court to officially abandon the plant in 2010.  The damage was discovered when 40 workers from the Stanislaus County jail alternative work program cleared the plant.  ","Databreaches.net","","2011","37.639097","-120.996878" "October 27, 2011","Ocala Police Department","Ocala","Florida","INSD","GOV","149","A police officer was linked to a tax fraud ring.  The officer accessed the Drivers And Vehicle Information Database (DAVID) in order to give the personal information of around 149 drivers to co-conspirators.  The information was then used to open 184 bank accounts where fraudulent tax return checks could be cashed. An investigation was opened when the insider attempted to recruit someone else.  The insider was suspended without pay until the investigation is completed.","Databreaches.net","","2011","29.187199","-82.140092" "October 28, 2011","Muir Orthopaedic Specialists","Oakland","California","PHYS","MED","1,800","The July 27 theft of a binder exposed patient information.  The binder contained surgical patient labels from August 2004 to July 2011, corresponding dates of birth, and medical record numbers. ","PHIPrivacy.net","","2011","37.804364","-122.271114" "October 28, 2011","Henry Ford Health System","Troy","Michigan","STAT","MED","520","A computer with sensitive patient information was stolen sometime between August 5 and August 7.  It held patient names, physician names, medical record numbers, and genotype test results.  ","PHIPrivacy.net","","2011","42.605589","-83.149930" "October 28, 2011","Mama's Boy Italian Ristorante","Durango","Colorado","HACK","BSR","100","A hacker accessed the restaurant's computer system in early August and infected it with a virus that caused customer debit and credit card numbers to be sent to outside parties.  The virus was not discovered until mid-October.  Over 60 of the credit and debit numbers that were duplicated to fraudulent cards were used in Florida.  
","Databreaches.net","","2011","37.275280","-107.880067" "October 27, 2011","Clarinda Bank Iowa","Clarinda","Iowa","UNKN","BSF","0","A breach of a data processor affected Clarinda Bank Iowa.  The type of breach was not reported, and it is possible that other banks were affected by the data processor breach.  Specific bank customers were notified of the breach by letter on October 25.","Databreaches.net","","2011","40.741935","-95.038313" "October 26, 2011","Indigo Joes'","Shelby","Alabama","PHYS","BSR","0","The information of hundreds of people was discovered in a trash storage location.  The documents appear to be connected to employees of a defunct restaurant named Indigo Joes'.  Paycheck stubs, Social Security numbers, Driver's licenses, and other personal information were discovered.","Databreaches.net","","2011","33.110396","-86.584149" "October 27, 2011","Department of Education","Washington","District Of Columbia","DISC","GOV","5,000","As many as 5,000 users of the Department of Education's website may have had their information viewed by other users who logged in to the website.  The breach lasted for six to seven minutes and exposed Social Security numbers and other student information.  The site was shut down and examined for 48 hours after the incident.","Databreaches.net","","2011","38.895112","-77.036366" "October 24, 2011","Pan American Games","","","DISC","BSR","1,400","An anonymous tipster alerted reporters to a breach that allowed the personal information of journalists covering the Pan American Games to be viewed.  The tipster claimed that reporter names, dates of birth, the first five digits of passports, photos, family numbers, and addresses were accessible.  Reporters from across the Americas were affected.  
The Guadalajara 2011 Organizing Committee stated that they had deleted the personal information from their database after the discovery.","Databreaches.net","","2011","37.090240","-95.712891" "October 20, 2011","College of the Holy Cross","Worcester","Massachusetts","UNKN","EDU","493","Seven Holy Cross employees fell for phishing attempts.  The employees had their email accounts attacked and emails containing personal information for hundreds of people were exposed.  Though Holy Cross has a policy of encrypting all emails that contain personal information, these emails were not encrypted.  Those who could have been affected were notified that their Social Security numbers, driver's license numbers, dates of birth, financial information and other types of information were at risk.  ","Databreaches.net","","2011","42.262593","-71.802293" "October 20, 2011","PSEG","Newark","New Jersey","PORT","BSO","0","The September 25 home theft of an employee's laptop resulted in the exposure of PSEG employee information.  Names, Social Security numbers and other personnel information were exposed.  ","Databreaches.net","","2011","40.735657","-74.172367" "October 20, 2011","AdvancePierre Foods","Cincinnati","Ohio","PORT","BSR","0","An unencrypted flash drive with sensitive employee information was lost during transportation.  It was mailed to the company's 401k provider, Milliman, on September 8.  An envelope arrived on September 12 without the flash drive.  Employees were notified on October 5.  Current and former employees may have had their names, Social Security numbers, dates of birth, dates of hire, and compensation amounts from 2009 and 2010 exposed.","Databreaches.net","","2011","39.103118","-84.512020" "October 11, 2011","Community & Southern Bank","Alabama","Georgia","INSD","BSF","0","An employee who worked at three different branches for Community & Southern Bank was indicted on five counts of theft by taking and seven counts of identity fraud.  
The dishonest employee was fired after an internal audit uncovered discrepancies.  Police allege that the employee took $60,000 from client bank accounts, and the total taken could be more than $100,000 if fraudulent loans are included.  Most customers who were affected had fraudulent withdrawals and loans under $1,000.","Databreaches.net","","2011","33.259020","-84.264203" "October 11, 2011","St. Joseph Medical Center, Baxter, Baker, Sidle, Conn & Jones","Towson","Maryland","PORT","BSO","161","A Baltimore law firm called Baxter, Baker, Sidle, Conn and Jones lost a hard drive with patient records.  It contained patient names, Social Security numbers, medical records, addresses, dates of birth, and insurance information.  The law firm was using the medical records of patients who were suing a cardiologist at St. Joseph Medical Center.  The hard drive was lost by an employee during travel on August 4.  Patients were informed in early October.","Databreaches.net","","2011","39.401496","-76.601913" "October 11, 2011","TechCentral","Arlington","Texas","PORT","BSO","0","A laptop was stolen from an employee on August 27.  It contained the names, Social Security numbers, and credit card account numbers of some customers.  Notifications were mailed on September 28.  ","Databreaches.net","","2011","32.735687","-97.108066" "November 1, 2011","High Point Regional Health System, Premier Imaging LLC","High Point","North Carolina","INSD","MED","47","A former employee was fired after taking patient files home sometime between September 14 and October 6.  The files contained patient names, Social Security numbers, dates of birth, addresses, driver's license numbers and insurance information.  
A total of 47 patient records were returned, but it is unclear if the employee may still have others.","Databreaches.net","","2011","35.955692","-80.005318" "November 3, 2011","Kunz Opera House","Pinckneyville","Illinois","PHYS","MED","4,200","A physician kept 14 boxes of medical records from former patients in the front window of his building.  A fire that struck the building, the Kunz Opera House, damaged the records and personal property.  Some records were found in the street.  An unspecified number of the damaged records were then buried in a secure location.  ","PHIPrivacy.net","","2011","38.080329","-89.382032" "November 2, 2011","Avia Dental Plan, Inc.","Wheeling","West Virginia","UNKN","NGO","2,500","Avia received notification of a breach involving an intruder or intruders using a password for the administrative software suite.  The United States Secret Service became aware of the theft of a password that allowed outsider access to Avia Dental Plan member information.  Names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, credit card information, and in some cases dependent information, were exposed.","PHIPrivacy.net","","2011","40.063962","-80.720915" "November 4, 2011","Lawrence Memorial Hospital, Mid Continent Credit Services, Inc. (Blue Sky Credit), BrickWire LLC","Lawrence","Kansas","DISC","MED","10,000","A breach of a website hosted by BrickWire LLC resulted in the exposure of patient names, phone numbers, email addresses, health care providers, payment amounts, dates of payment, credit card information and checking account information.  Lawrence Memorial Hospital's vendor Blue Sky Credit used BrickWire LLC for the online bill-pay service offered to Lawrence Memorial's patients.  The personal and financial information of patients who paid through the website was accidentally made available on the Internet between September 20, 2011 and October 28, 2011.  
UPDATE (11/17/2011): It appears that BrickWire left a portal open that contained payment records from 28 LMG patients after doing a system upgrade on September 20.  However, the information of every patient who used the online bill pay system between 2005 and September of 2011 was available in a database that was accessible through the portal.  ","PHIPrivacy.net","","2011","38.971669","-95.235250" "November 4, 2011","www.podiatry.com, PRESENT e-Learning Systems","Boca Raton","Florida","HACK","BSO","382","The names, email addresses, and affiliations of certain people who registered with PRESENT e-Learning Systems' Podiatry program were posted online at Pastebin.com.  An additional 86 people had their names and mailing addresses posted on Pastie.org after registering for a podiatry online tutoring course.  A hacker called ""Teku"" claimed responsibility. ","PHIPrivacy.net","","2011","26.358689","-80.083098" "November 4, 2011","Thomas Jefferson University Hospitals","Philadelphia","Pennsylvania","PHYS","MED","3,150","On September 6, X-ray films were stolen from the Hospital by thieves posing as representatives of an X-ray recycling vendor.  The thieves were most likely looking to strip the silver from the old films.  If any information had been taken from the X-rays it would include patient names, gender, dates of birth, dates of services, medical record numbers, and areas x-rayed.  ","HHS via PHIPrivacy.net","","2011","39.952335","-75.163789" "November 9, 2011","Behavioral Health Services of Pickens County","Pickens","South Carolina","PORT","MED","200","A man who purchased a used computer hard drive discovered that it had detailed clinical assessments for patients referred to Behavioral Health Services of Pickens County and a monthly monitoring list of patient referrals from the Pickens County Department of Social Services.  
Information about patient drug and emotional problems and pending litigations was on the hard drive.","PHIPrivacy.net","","2011","34.883449","-82.707357" "November 4, 2011","Portsmouth Hospital","Manchester","New Hampshire","PHYS","MED","0","A man tried to steal X-rays.  Investigators believe he wanted the X-rays for the tiny amount of silver inside rather than the protected health information of patients.  The incident may have been related to other thefts in the Massachusetts and New Hampshire areas.  ","PHIPrivacy.net","","2011","42.995640","-71.454789" "November 14, 2011","Smokers Choice","New York","New York","HACK","BSR","200","A man was arrested for his role in the unauthorized collection and use of credit card numbers from over 200 Columbia County residents.  Investigators began searching for a common link between the affected residents in August.  Results of the investigation led them to overseas activity in Russia and video surveillance from Wal-mart security.  ","Databreaches.net","","2011","40.714353","-74.005973" "November 13, 2011","Brownsville Independent School District","Brownsville","Texas","DISC","EDU","0","Brownsville ISD discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website.  Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.  ","Databreaches.net","","2011","25.901747","-97.497484" "November 18, 2011","Sawicki and Phelps","Minneapolis","Minnesota","PHYS","BSO","0","  Detailed medical information was discovered on the back of a drawing from a student of Hale Elementary.  An attorney from Sawicki and Phelps donated the firm's old paper to her child's school. A local news team contacted the school after discovering the incident and additional pieces of paper were collected and stored in a secure location.  
The number of people affected was not revealed.","PHIPrivacy.net","","2011","44.979965","-93.263836" "November 22, 2011","Virtual Radiological Professionals (vRad)","Eden Prairie","Minnesota","PORT","MED","0","The October 14 car theft of an employee's laptop resulted in exposed physician and patient information.  Though the laptop had a self-encrypting drive, it was not functioning properly.  Patient and physician names, addresses, Social Security numbers, and bank account numbers or credit card numbers were exposed.  Some patients also had unspecified medical information exposed as well.  ","PHIPrivacy.net","","2011","44.854686","-93.470786" "November 18, 2011","Parkland Memorial Hospital","Dallas","Texas","INSD","MED","1,311","Thousands of patient records were stolen by a former employee.  Names, ages, genders, Medicare coverage information, phone numbers, and dates of birth were exposed.  The employee did not steal the records for ID theft purposes, but rather for their usefulness in contacting potential clients.  The unnamed former employee owns a home health care agency.  ","PHIPrivacy.net","","2011","32.802955","-96.769923" "November 20, 2011","Morris Heights Health Center","New York","New York","PORT","MED","927","A laptop was stolen from the area of MS 399/MS 459.  It contained student information from the 2009-2010 school year such as names, dates of birth, genders, heights, weights, body mass indexes, ethnicity, asthma diagnoses, and influenza vaccination information. ","PHIPrivacy.net","","2011","40.714353","-74.005973" "November 23, 2011","University of Kentucky HealthCare","Lexington","Kentucky","PORT","MED","878","An employee's phone was lost or stolen on September 25, 2011.  Patient health conditions, medical record numbers, and possibly even names could be accessed from the phone.  
","PHIPrivacy.net","","2011","38.040584","-84.503716" "November 23, 2011","Sitka Wellness Center, EMR4Doctors.com","Sitka","Alaska","DISC","MED","566","A patient discovered their own personal information and that of 565 others online.  Patient names, Social Security numbers, addresses, and dates of birth were exposed.  A chiropractor from the Sitka Wellness Center claims that an electronic medical record software vendor known as EMR4Doctors.com stored the patient information for 9 months in 2008.  The company stopped doing business in 2009.  The information was removed from the Internet.","PHIPrivacy.net","","2011","57.053056","-135.330000" "November 19, 2011","Lebanon Internal Medicine Associates, P.C.","Lebanon","Pennsylvania","STAT","MED","0","Contractors responsible for cleaning out the medical office after a storm improperly disposed of a computer that contained sensitive patient information.  Lebanon Internal Medicine Associates left no specific instructions for the removal of the damaged computer.  Patient information dating between November 1999 and August 25, 2011 was exposed and included full names, Social Security numbers, dates of birth, home addresses, account numbers, diagnoses, laboratory test results, and medical insurance information. It is believed that the information was inaccessible due to security measures within the server and flood damage.","PHIPrivacy.net","","2011","40.340925","-76.411350" "November 17, 2011","Medcenter One","Bismarck","North Dakota","PORT","MED","650","On the weekend of October 21, 2011, a Medcenter One laptop computer and a bag containing 11 internal paper forms for processing patient charges were stolen from an employee's car along with valuable personal items.  The forms contained patient name, date of birth, address, phone number, insurance company and policy number, Medicare number, and patient hearing diagnoses. 
The stolen laptop contained the names and dates of birth for 650 hearing aid patients from 2003 up to the time of the theft.  ","PHIPrivacy.net","","2011","46.808327","-100.783739" "November 15, 2011","Berkeley HeartLab (BHL)","Berkeley","California","INSD","MED","0","Several former employees were found to have accessed patient information without authorization and taken the data to a competitor.  Patient names, Social Security numbers, addresses, dates of birth, lab tests, and lab results were exposed.  In January of 2010, BHL filed a lawsuit against Health Diagnostic Laboratory, Inc., and two former employees for trade secret violations and breach of contract.  ","PHIPrivacy.net","","2011","37.871593","-122.272747" "November 9, 2011","Columbia-St. Mary's Ozaukee Hospital","Mequon","Wisconsin","INSD","MED","30","A janitor sold patient records to gang members.  The janitor was able to use a master key to access boxes of sensitive information that were due to be shredded.  Some of the locks to the restricted boxes were also broken.  The scheme went on for up to eight months and investigators were able to seize nearly 30 patient records.","PHIPrivacy.net","","2011","43.235883","-87.989257" "November 23, 2011","MassBay Community College","Wellesley","Massachusetts","DISC","EDU","0","A glitch allowed nearly 400 workers from 2002 to 2011 to view the personal information of any employees in MassBay's worker database system.  The information included Social Security numbers, home addresses, and other personnel information.  ","Databreaches.net","","2011","42.296787","-71.292338" "November 26, 2011","Skagit County Health Department","Mount Vernon","Washington","DISC","GOV","0","A student ran a Google search on her own name in mid-September and discovered some of her private information online.  Skagit County Health Department was notified.  People who used services at other county departments also had information exposed.  
The types of information did not include credit card numbers, Social Security numbers, dates of birth, or addresses, but did include information from receipts for department services.","Databreaches.net","","2011","48.421216","-122.334047" "November 22, 2011","Gary Vaynerchuk's Wine Library","Springfield","New Jersey","HACK","BSR","0","Customers who used credit cards to sign up for WineLibrary.com may have had their financial information compromised.  Wine Library began investigating the possibility of a breach in October when they received initial customer complaints.  All credit card data was removed from the site on November 11th after an increase in customer complaints.  The hacking incident(s) was traced back to China.","Databreaches.net","","2011","40.699863","-74.329420" "November 22, 2011","YMCA of Metro Atlanta","Atlanta","Georgia","PORT","NGO","0","A software testing vendor was robbed of several computers on November 9.  One of the computers contained personal information of YMCA members active in 2008.  Addresses, phone numbers, email addresses, dates of birth, bank account numbers, and credit card numbers were exposed.  ","Databreaches.net","","2011","33.748995","-84.387982" "November 27, 2011","Cabarjal Realty, Inc.","Waco","Texas","HACK","BSO","625","A hacker named Kahuna posted three data dumps from the realty company.  The names, email addresses, rental addresses, and payment information for approximately 625 renters were revealed.","Databreaches.net","","2011","31.549333","-97.146670" "November 27, 2011","101Domain.com","Carlsbad","California","HACK","BSO","10,000","A phishing attack exposed the personal information of users with domain names.  The unauthorized access was discovered by 101domain.com when a vendor contacted them to inform them of a breach that affected multiple vendors, including 101Domain.com.  
UPDATE (12/20/2011): The websites 101domain.com, bluesit.com, free-domain.com, rerundomains.com, RWGUSA.com, and RWGUSA.net could have all been affected by a server breach at one of 101Domain, Inc.'s vendors.  Encrypted customer names, addresses, email addresses, and in some cases, credit card or PayPal account information could have been compromised.  ","Databreaches.net","","2011","33.158093","-117.350594" "November 28, 2011","Jewish Community Services of South Florida","Miami","Florida","INSD","NGO","30","A coordinator at the Jewish Community Services office was arrested on charges of selling Holocaust survivor identity information.  The dishonest employee misused access privileges to collect client names, addresses, Social Security numbers, and dates of birth of clients who regularly seek help from the Holocaust Survivors Assistance program.  A police informant was offered the information of five clients after contacting the dishonest employee.  The informant told the employee that he wanted the information for tax fraud purposes and was able to obtain 30 identifications for $1,000.  The dishonest employee was captured after handing over 32 sheets of identity information.","Databreaches.net","","2011","25.788969","-80.226439" "November 29, 2011","University of California Riverside (UCR)","Riverside","California","HACK","EDU","5,000","Several customers of the UCR Dining Services location reported fraudulent credit and debit card activity to UCR.  On or around November 16, it became clear that registers at UCR food services locations were compromised by a cyber hacker.  Anyone who used a card, including visitors, between the summer of 2011 and November 16, 2011 may have had their financial information obtained. 
The information includes cardholder names, numbers, expiration dates, and an encrypted version of debit PINs.","Databreaches.net","","2011","33.953349","-117.396156" "November 30, 2011","The College of New Jersey","Ewing","New Jersey","DISC","EDU","12,815","The College's On-Campus Student Employment System had a vulnerability that allowed student applicants to see the personal information of other students.  A student applicant notified the College of the problem on November 2 after seeing the information of 12 other students.  The system flaw was fixed within hours, but no duration was given for the breach.","Databreaches.net","","2011","40.259997","-74.790868" "November 21, 2011","Blairsville High School","Blairsville","Pennsylvania","HACK","EDU","0","Two students managed to obtain the login credentials for Blairsville High's online security system by repeatedly guessing.  Their attempts began in May and were only discovered during the fall term when one of the students revealed his teacher's Social Security number in class.  Teacher addresses, Social Security numbers, and salaries were exposed.","Databreaches.net","","2011","40.431180","-79.260869" "December 2, 2011","University of Kansas (KU)","Lawrence","Kansas","PHYS","EDU","0","Documents containing the personal information of current and former student housing residents were stolen during a burglary at the Department of Student Housing office on November 30.  Names, dates of birth, apartment numbers, email addresses, KU ID numbers, and other information, some of it related to student dependents, were on the documents.  The number of affected students was not revealed, but those who were affected were told to be cautious of identity theft.","Databreaches.net","","2011","38.971669","-95.235250" "December 3, 2011","Contra Costa County","Martinez","California","DISC","GOV","0","Residents who owed money to the county health department had their names inadvertently published in a public document.  
The names were published in a report to the Board of Supervisors dated July 27, 2010.  The error was discovered at the end of November, 2011.  No patient information was exposed, but the publication of the names in the report constitutes a breach of patient confidentiality laws.  The information was removed from the online report.","PHIPrivacy.net","","2011","38.019366","-122.134132" "December 1, 2011","Extreme Pizza","Omaha","Nebraska","HACK","BSR","0","Someone hacked into the Extreme Pizza computer system and took information from cards that had been swiped by Extreme Pizza. The thefts date back to September of 2011.  Credit card transactions were moved to a different type of card reader in response to the breach.  ","Databreaches.net","","2011","41.252363","-95.997988" "December 2, 2011","Transcend Capital","Dallas","Texas","PORT","BSF","0","A laptop was stolen from an employee's office after a brief absence during working hours at a Dallas branch. The theft occurred on October 31 and those who were affected were notified on November 11. Some affected clients may have had their Social Security numbers exposed, but most could have had their names and account numbers exposed.  Transcend Capital informed clients that their account numbers would be changed in response to the incident and that their accounts would be monitored for suspicious activity.  Transcend Capital also implemented a policy of securing laptops to desks as a result of the breach.","Databreaches.net","","2011","32.802955","-96.769923" "November 21, 2011","Ohio Rehabilitation Services Commission","Columbus","Ohio","PHYS","GOV","0","A state government watchdog revealed that confidential personal information was located in an outdoor trash bin.  The documents were related to a job agency for Ohioans with disabilities.  
The extent of the breach and the cause of the breach are being investigated.","Databreaches.net","","2011","39.961176","-82.998794" "November 21, 2011","AT&T","Dallas","Texas","HACK","BSO","0","Some of AT&T's customers experienced coordinated hacking attacks. The hackers were trying to gain customer account information and appear to have used ""auto script"" technology to determine if AT&T telephone numbers were linked to online AT&T accounts.  Fewer than 1% of customers were affected.  No accounts were successfully breached.","Databreaches.net","","2011","32.802955","-96.769923" "December 3, 2011","Pulaski County Special School District","Little Rock","Arkansas","PORT","GOV","1,100","A former employee's laptop was stolen during a home burglary sometime in mid November.  On November 30, the District learned that the former employee's laptop contained confidential records.  Current and former District employees had their names, Social Security numbers and other confidential information exposed.  UPDATE (12/22/2011): It was revealed that a finance director loaded private information onto a personal laptop and took it home to finish work.  Though the finance director's last day with the School District was September 2, 2011, the laptop still contained sensitive data when it was stolen on November 11.","Databreaches.net","","2011","34.746481","-92.289595" "November 5, 2011","McDonald's","Peoria","Illinois","INSD","BSR","0","A dishonest employee was arrested for using customer debit and credit card numbers to make online purchases.  The employee was charged with 21 counts of deceptive practice, 21 counts of identity theft, four counts of felony theft, and 17 counts of misdemeanor theft.  Anyone who used debit or credit cards at the Peoria Heights McDonald's between September 15 and October 30, 2011 may be at risk.  
The stolen account numbers came from CEFCU debit cards.","Databreaches.net","","2011","40.693649","-89.588986" "November 18, 2011","McDonald's","Olympia","Washington","INSD","BSR","16","An employee was arrested for using a skimming device to collect customer credit card information.  At least 16 people were affected, but more are expected to come forward.  The dishonest employee was underage at the time of the crimes and was held on suspicion of identity theft and forgery.  Customers who used cards at the McDonald's drive through between October 10 and November 9 of 2011 may have been affected.  Investigators became aware of the breach when members of the Washington State Employees Credit Union began filing claims for fraudulent use of their credit cards.","Databreaches.net","","2011","47.037874","-122.900695" "November 18, 2011","McDonald's","Savannah","Georgia","INSD","BSR","0","A restaurant manager was found to have sold the identities of U.S. citizens to illegal aliens employed at multiple McDonald's restaurants.  The employee was sentenced in U.S. District Court to 32 months in federal prison for her role in the identity theft scheme.  Fourteen arrests were made and five suspects face federal identity theft charges.  The rest were charged with immigration violations.  It is unclear how many people were involved in the identity theft scheme. Other McDonald's managers also stole and sold the identities of U.S. citizens.","Databreaches.net","","2011","32.083541","-81.099834" "November 18, 2011","Honolulu Asia-Pacific Economic Cooperation (APEC), East West Center","Honolulu","Hawaii","HACK","BSO","40","Members of Honolulu's APEC Host Committee may have had their personal information exposed after requesting security clearances to meet with President Barack Obama.  
Someone gained unauthorized access to eight East-West Center computers beginning on October 25 by using ""unusually sophisticated methods."" Committee member names, Social Security numbers, and dates of birth could have been acquired.  ","Databreaches.net","","2011","21.306944","-157.858333" "November 18, 2011","Community Tax","Wetumpka","Alabama","INSD","BSF","0","Between 2009 and July 2011, the owner of Community Tax used confidential information to file false tax returns through Community Tax.  Nearly 1,400 tax returns were linked to the owner over those two years.  On August 31, 2011, the owner was indicted on 32 counts. She faces between two and 27 years in prison, along with three or less years of supervised release, mandatory restitution, and up to $750,000 in fines or twice the cost of her crimes. The dishonest owner illegally obtained names, Social Security numbers, and dates of birth, then used the information to file tax returns.  The refunds from the tax returns went to her bank accounts and debit cards.  She also used online filing websites to file false tax returns.  The scheme was uncovered when a criminal complaint was filed.","Databreaches.net","","2011","32.543745","-86.211913" "November 16, 2011","McDonald's","Oak Park","Michigan","INSD","BSR","100","A supervisor noticed a drive-thru cashier using a skimming device.  The dishonest employee admitted to stealing the information from more than 100 customer cards, and stealing between 15 and 20 accounts during each drive-thru shift.  Another person provided the skimming device and paid the employee $15 per credit account.","Databreaches.net","","2011","42.459480","-83.182705" "November 18, 2011","Smith and Wollensky, Capital Grille, Wolfgang's Steakhouse, JoJo, Morton's, The Bicycle Club","New York","New York","INSD","BSR","50","An identity theft ring that targeted wealthy customers of steakhouses was uncovered.  At least 28 current and former waiters and associates were arrested.  
Waiters used credit card skimmers to steal the credit card information of customers who paid with American Express Black cards and other high-limit credit cards.  The crimes occurred between April 2010 and November 2011.  At least 50 victims have been identified.","Databreaches.net","","2011","40.714353","-74.005973" "November 15, 2011","The Public School Employees' Retirement System","Harrisburg","Pennsylvania","DISC","GOV","2,000","About 2,000 pension fund members had their information placed online when an employee accidentally posted an unencrypted file on a public website.  At least one person saw the information.  The date of this error was not reported.  Member names and Social Security numbers were exposed.  ","Databreaches.net","","2011","40.273700","-76.884418" "November 15, 2011","Citizens Equity First Credit Union (CEFCU)","Peoria","Illinois","PORT","BSF","0","The theft of a laptop resulted in the exposure of customer names, Valley Credit Union account numbers, Social Security numbers, and addresses. The laptop was stolen outside of the office sometime before November 4.  No information was given about the number of customers who were affected or who the laptop was stolen from.","Databreaches.net","","2011","40.693649","-89.588986" "June 26, 2009","Massachusetts Technology Collaborative","Boston","Massachusetts","DISC","GOV","810","Residents who applied for the Massachusetts Commonwealth Solar rebate program had their personal information posted on a government website for 50 minutes.  One user accessed the file during the incident. Names and Social Security numbers were exposed.","Dataloss DB","","2011","42.358431","-71.059773" "November 15, 2011","Stephen F. Austin Hotel","Austin","Texas","INSD","BSO","0","An employee was caught with a skimming device after hotel guests complained about fraudulent charges on their credit and debit cards.  The employee managed to get the information after cleaning the rooms of hotel guests. 
Hotel security was able to determine which employee had taken the credit card information by checking key card information for room activity.  A hidden camera in a mock room showed that the employee was checking the personal belongings of guests and using the skimmer on any cards that were found.","Databreaches.net","","2011","30.267153","-97.743061" "December 6, 2011","Massachusetts eHealth Collaborative","Waltham","Massachusetts","PORT","BSO","14,475","A briefcase was stolen from an employee's car during lunch sometime during the spring of 2011.  The briefcase contained a company laptop that had not yet been encrypted and paper copies of appointment schedules. The laptop contained the information of patients and providers from 18 practices. A recent backup of the laptop files revealed that 5,338 subscriber numbers, 2,777 names with no other information, and 222 names with associated Social Security numbers, dates of birth, subscriber numbers, and phone numbers had been on the laptop. Seventy of the 222 who had their names, Social Security numbers, dates of birth, subscriber numbers, and phone numbers exposed also had their addresses exposed.","PHIPrivacy.net","","2011","42.376485","-71.235611" "December 7, 2011","Jeanne D'Arc Credit Union","Lowell","Massachusetts","INSD","BSF","327","An employee took a flash drive with customer information on December 27, 2010.  Someone at the former employee's new company noticed that files from Jeanne D'Arc were installed on a computer at the new company.  Copies of the files were sent back to Jeanne D'Arc.  
Jeanne customer names, Social Security numbers, and loan account numbers were exposed.","Databreaches.net","","2011","42.633425","-71.316172" "December 9, 2011","Amerigroup Community Care of New Mexico, Inc.","Albuquerque","New Mexico","PHYS","MED","1,537","Papers were discovered stolen on or around July 15, 2011.","HHS via PHIPrivacy.net","","2011","35.084491","-106.651137" "December 7, 2011","Veterans Administration Medical Center","Miami","Florida","INSD","MED","22","An employee was charged with selling the personal identities of disabled hospital patients.  At least 22 military veterans who received services at the VA in Miami had their information sold.  The employee worked at the VA Travel Benefits Sections and had access to the names, Social Security numbers, addresses, and dates of birth of disabled veterans who had been reimbursed for travel expenses related to their medical treatment.  The employee was caught late in 2010 after several veterans complained about unauthorized credit card accounts opened in their names.","PHIPrivacy.net","","2011","25.788969","-80.226439" "December 9, 2011","Conway Regional Medical Center","Conway","Arizona","PORT","MED","1,472","CDs with personal information were discovered lost on or around August 24, 2011.  Other items with personal information may have been lost as well.","HHS via PHIPrivacy.net","","2011","35.067271","-92.469996" "December 9, 2011","Logan County Emergency Ambulance Service Authority (LEASA)","Logan","West Virginia","PORT","MED","12,563","A laptop was discovered missing on October 1, 2011.  It was either lost or stolen.  It contained names, Social Security numbers, addresses, and health information from patients. The laptop appears to have not been used to connect to the internet since October 1 and LEAS is attempting to block potential use of the device.","HHS via PHIPrivacy.net","","2011","37.848715","-81.993458" "December 10, 2011","Office of Gene S. J. 
Liaw, MD.","Seattle","Washington","PORT","MED","1,105","An unencrypted USB drive was determined to be missing on April 4, 2011. It contained patient names, Social Security number, addresses, phone numbers, dates of birth, diagnosis codes, and insurance information.  ","HHS via PHIPrivacy.net","","2011","47.606210","-122.332071" "December 9, 2011","Knox Community Hospital","Mount Vernon","Ohio","PHYS","MED","500","X-ray records were discovered to have been improperly disposed of on or around October 1, 2011. Patient information may have been exposed.","HHS via PHIPrivacy.net","","2011","40.393396","-82.485718" "December 9, 2011","Julie A. Kennedy, D.M.D.","West Palm Beach","Florida","STAT","MED","2,900","A network server was discovered to have been stolen on or around September 30, 2011. It may have contained patient information.","HHS via PHIPrivacy.net","","2011","26.715342","-80.053375" "December 12, 2011","Metabasis Therapeutics","La Jolla","California","INSD","BSO","90","A temporary employee of Metabasis Therapeutics was assigned to computer help-desk support in 2008.  The dishonest employee somehow obtained unauthorized access to the names and personal-identification information of Metabasis Therapeutics employees and their relatives.  The information was used to open credit cards; the credit cards were used to purchase travel packages, which were then resold. A total of $250,000 worth of Las Vegas air, hotel, and show-ticket packages were purchased on Travelocity.com. The former temporary employee was given a four year sentence in federal prison after being convicted for credit card fraud and aggravated identity theft.","Media","","2011","32.840678","-117.258794" "December 9, 2011","Centro de Ortodancia","Aguadilla","Puerto Rico","PHYS","MED","2,000","Paper records were found to have been exposed to unauthorized parties on or around May 6, 2010.","HHS via PHIPrivacy.net","","2011","18.427445","-67.154070" "December 17, 2011","Office of Paul C. 
Brown, M.D., P.S.","Renton","Washington","PORT","MED","0","An October 14, 2011 office burglary resulted in the exposure of patient information dating from 1993 to 2004.  Office equipment and CDs with patient information were discovered missing on October 17.  Affected patients were mailed notification letters on December 13, 2011 and informed that their names, Social Security numbers, dates of birth, addresses, diagnoses, medical conditions, lab results, medications, surgery records, radiological tests, and other clinical treatment information could have been on the stolen CDs.  The office now plans to install encryption technology and update physical security systems in order to protect patient data from more breaches.","PHIPrivacy.net","","2011","47.482878","-122.217066" "December 9, 2011","InStep Foot Clinic","Edina","Minnesota","PORT","MED","2,600","Electronic medical records may have been exposed as a result of the theft of a laptop on or around August 28, 2011.  ","HHS via PHIPrivacy.net","","2011","44.889687","-93.349949" "December 12, 2011","Fletcher Allen Health Care","Burlington","Vermont","INSD","MED","0","A physician pleaded guilty to unlawfully obtaining the private medical information of another person.  The former employee accessed the records of several women who were not his patients.  In one case, he was in a sexual relationship with a woman and accessed her information to check if she carried sexually transmitted diseases.  The crime occurred in 2008.  The physician is scheduled to be sentenced on March 26, 2012 and faces a maximum sentence of one year in prison and a $50,000 fine.  ","PHIPrivacy.net","","2011","44.475883","-73.212072" "December 9, 2011","Gail Gillespie and Associates, LLC","","Texas","PORT","MED","2,334","On or around June 25, 2011, a breach involving a laptop, a computer, and a network server was discovered.  
Patient information was exposed as a result of the breach.","HHS via PHIPrivacy.net","","2011","31.968599","-99.901813" "December 9, 2011","Health Care Service Corporation (HCSC)","Chicago","Illinois","PHYS","MED","501","The theft of paper records on or around June 28, 2011 resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2011","41.878114","-87.629798" "December 9, 2011","Capron Rescue Squad District","Capron","Illinois","PORT","MED","815","Unauthorized access or disclosure of patient information resulted after a breach involving a laptop.  The breach was discovered on or around February 5, 2011.","HHS via PHIPrivacy.net","","2011","42.399741","-88.740379" "December 9, 2011","Silverpop Systems, Inc. Health and Welfare Plan","Atlanta","Georgia","PORT","MED","884","A burglary that occurred on or around April 15, 2011 resulted in the theft of laptop with patient information.","HHS via PHIPrivacy.net","","2011","33.748995","-84.387982" "December 21, 2011","St. Charles Bend and Redmond","Bend","Oregon","PORT","MED","140","A laptop was stolen from a St. Charles employee's car in late October.  It contained the personal information of 140 patients who were seen in the St. Charles Bend or St. Charles Redmond emergency room.  The laptop was discovered in brush by an elementary school student in late November.  After the laptop was returned on December 16, it was discovered that attempts to gain unauthorized access to its contents had failed.","PHIPrivacy.net","","2011","44.058173","-121.315310" "December 20, 2011","University of Mississippi Medical Center and Mississippi State Department of Health","Jackson","Mississippi","PORT","MED","1,475","Research study participants may have had their personal information exposed by the theft of a laptop.  The laptop was stolen when UMMC employees left the laptop unsecured for a short period of time against departmental guidelines.  
It was reported stolen on October 31, and the employees who left it unsecured were disciplined.  Two databases with research related health information were on the laptop.  One had the age, sex, race, medical record number, zip code, and lab results of 1,400 patients.  The other database contained unspecified protected health information from 75 patients.","PHIPrivacy.net","","2011","32.298757","-90.184810" "December 22, 2011","Department of Human Services (DHS) Gateway Center","Springfield","Oregon","STAT","GOV","3,000","The theft of a computer resulted in the exposure of sensitive information from DHS staff, volunteers, adoptive placements, respite providers, in-home care providers, and foster parents.  People who were fingerprinted at The Gateway Center in Springfield, Oregon between August 2010 and December 8, 2011 may have been affected.  People fingerprinted at The Willamette Street office in Eugene, Oregon between August 2008 and August 2010 may have also been affected.","Databreaches.net","","2011","44.046236","-123.022029" "December 22, 2011","Pearl River Resort","Neshoba","Mississippi","UNKN","BSO","0","A possible breach in the security systems used for processing credit card transactions is being investigated.  There is no information on the type of breach or how many customers may have been affected.  The cause of the breach is also unknown.","Databreaches.net","","2011","32.805716","-89.170600" "December 23, 2011","Provo School District","Provo","Utah","HACK","GOV","3,200","The email addresses of around 3,200 parents and students were exposed by a computer security breach.  The parents and students received an official looking email that linked to a survey about satisfaction with the school district.  
The survey had not been authorized for release.","Databreaches.net","","2011","40.233844","-111.658534" "December 22, 2011","Good News Garage","Burlington","Vermont","PORT","NGO","14,000","A November 25 home burglary resulted in the loss of an encrypted data tape.  The tape was inside a backpack that was stolen from an employee's locked car while it was parked at home.  The data tape had names, addresses, and in some cases Social Security numbers of Good News Garage donors dating back 15 years.  ","Databreaches.net","","2011","44.475883","-73.212072" "December 23, 2011","Virginia Department of General Services","Richmond","Virginia","DISC","GOV","639","Social Security numbers, tax identification numbers, and other types of personal information were exposed on the Virginia Department of General Services website since 2001.  The database was not accessible via search engines, but an employee discovered that the information could be found by anyone doing a focused search on the actual website.  The information was removed after the discovery.","Databreaches.net","","2011","37.540725","-77.436048" "December 21, 2011","Ridgewood Public Schools","Ridgewood","New Jersey","HACK","GOV","0"," Someone was able to enter a Ridgewood school building through a compromised computer password.  The breach was discovered during the week of December 14. It is unclear if a data breach occurred during the incident.  Six students have been identified as possible participants in the breach.  ","Databreaches.net","","2011","40.979265","-74.116531" "December 22, 2011","Oahu District Tax Office, State Tax Department","Oahu","Hawaii","INSD","GOV","0","Fourteen Department of Taxation employees were placed on administrative leave without pay following the discovery of an internal security breach of the department's tax database.  The breach was found during an audit of the department's security systems and internal controls.  The incidents date from 2008 to present.  
It is unclear what types of information could have been exposed.","Databreaches.net","","2011","21.438912","-158.000057" "December 16, 2011","North Penn School District (NPSD)","Lansdale","Pennsylvania","HACK","GOV","0","A student is being investigated by the North Penn School District (NPSD) and Towamencin Township Police Department for hacking into the NPSD computer network.  Computer devices are being analyzed to determine what types of information may have been accessed.  No further information is available due to the ongoing investigation.","Databreaches.net","","2011","40.241495","-75.283786" "December 20, 2011","MyVetDirect.com, Butler Schein Animal Health (BSAH)","Dublin","Ohio","HACK","BSO","0","A breach of Butler Schein Animal Health's (BSAH) systems (MyVetDirect.com) may have affected clients whose veterinarian's websites were hosted by MyVetDirect.com.  People who placed orders on veterinarian websites that were hosted by MyVetDirect.com may have had their names, credit card information and numbers, addresses, telephone numbers, email addresses, billing and delivery information, and other purchase information obtained.","Databreaches.net","","2011","40.099229","-83.114077" "December 16, 2011","Peoples Gas, North Shore","Chicago","Illinois","INSD","BSO","100","A contract worker or employee of a contractor may have stolen and misused the personal information of an undisclosed number of customers.  The natural gas utilities serve nearly one million customers in the Chicago area, but state law bars the utilities from disclosing the number of customers affected. However, a November news report revealed that the theft of information had occurred in October and over 100 people were affected.  An employee working in iQor's human resources department was linked to the incident. 
The employee was fired and faces criminal investigation and prosecution.","Databreaches.net","","2011","41.878114","-87.629798" "December 16, 2011","Restaurant Depot, Jetro Cash & Carry","College Point","New York","HACK","BSR","300,000","People who shopped at Jetro or Restaurant Depot between September 21 and November 18 may have had their credit or debit card information taken by a hacker.  Customer names, card numbers, expiration dates, and verification codes were exposed.  The breach investigation began on November 9 when the parent company became aware of customers experiencing card fraud.","Databreaches.net","","2011","40.786395","-73.838966" "January 7, 2012","Ohio State University Medical Center","Columbus","Ohio","HACK","MED","180","A hacker or hackers outside of the US attempted to gain access to an OSU Internet server. Information on the server included names, medical record numbers, and diagnoses of 30 patients who visited the pathology department between the late 1980s and 2004.  A roster of students who had received training at the medical center in 2006 was also on the server.  Officials do not believe that any personal information was taken during the attempt. A total of 30 patients and 150 students were notified.","PHIPrivacy.net","","2012","39.961176","-82.998794" "September 28, 2011","Atlanta Perinatal Associates","","","INSD","MED","0","A former employee hacked into APA's database, copied patient information, and deleted APA's list.  It is not clear exactly how the former employee was able to access the database, but the purpose was to benefit the former employee's new employer.  Names, telephone numbers, and addresses of APA patients were taken.  APA's competitor, SeeBaby, used the information to create a direct-mail marketing list. UPDATE (1/10/2012): The former employee was sentenced to serve 13 months in prison for hacking into the competitor's computer in order to lure away patients.  
","PHIPrivacy.net","","2011","37.090240","-95.712891" "January 6, 2012","Pure Med Spa, Brite Smile Brite Skin","Las Vegas","Nevada","PHYS","MED","0","A woman alerted a local news station to a stash of improperly disposed information.  Credit card applications, patient names, addresses, Social Security numbers, and possibly medical records were found sitting next to a dumpster in a parking lot.  The paperwork came from multiple organizations.  Among the organizations were two closed branches of Pure Med Spa and Brite Smile Brite Skin.  ","PHIPrivacy.net","","2012","36.114646","-115.172816" "January 5, 2012","Ochsner Medical Center","New Orleans","Louisiana","INSD","MED","0","A janitor who worked at the Ochsner Medical Center in new Orleans and his girlfriend have pleaded guilty to charges related to stealing patient information for personal gain.  The janitor stole printouts containing patient names, Social Security numbers, dates of birth, and other types of personal information.  The stolen information was then used by the janitor's girlfriend to open online accounts under the patients' names. The online accounts were used to make thousands of dollars in fraudulent purchases. The date of the breach is unknown, but the janitor was employed between November of 2008 and June of 2009. Federal prosecutors first brought charges in early December of 2011.  ","PHIPrivacy.net","","2012","29.951066","-90.071532" "January 12, 2012","Chesapeake Wound Care Center","Gambrills","Maryland","INSD","MED","200","A podiatrist licensed in the state of Maryland operated a podiatry practice called Chesapeake Wound Care Center from his home.  Between April 1, 2002 and October 11, 2004, he submitted 80 fraudulent claims to Medicare for podiatry services that had not been performed at nursing facilities.  
The podiatrist signed a Settlement Agreement with the government on October 30, 2007 after being caught, but then fraudulently billed Medicare advantage plans between October 31, 2007 and July 20, 2010.  The podiatrist admitted to submitting false bills for podiatry care by misusing the names and personal information of about 200 nursing home patients. He was subsequently charged with health care fraud and aggravated identity theft. He was sentenced to 54 months in prison, three years of supervised release, and ordered to pay $1,122,992.08  in restitution for the fraudulent billing of Medicare.","PHIPrivacy.net","","2012","39.066944","-76.665556" "January 11, 2012","Advanced Occupation Medicine Specialists (AOMS)","Bellwood","Illinois","DISC","MED","7,226","Letters dictated by AOMS providers were accidentally uploaded onto a non-secure server in Europe. The information then became publicly searchable via internet.  AOMS learned of the breach on October 12, 2011.  People who were seen at AOMS for injuries and/or work-related examinations from July, 2009 through October 12, 2011 may have been affected by the breach.  No names, contact information, personal information, test results, financial information or Social Security numbers were exposed.","HHS via PHIPrivacy.net","","2012","41.881420","-87.883117" "January 13, 2012","City College of San Francisco","San Francisco","California","HACK","EDU","0","The College's electronic systems have been affected by a series of dangerous viruses since 1999.  The problem was noticed in 2012 when the College's data security monitoring service detected an unusual pattern of computer traffic. Further investigation revealed that servers and desktops had been infected across administrative, instructional, and wireless networks.  Officials believe that it is likely that using a flash drive to transmit information between a campus computer and a personal computer resulted in exposed personal information.  
It appears that the viruses searched and transmitted data to sites in Russia, China, and at least eight other countries. Banking information and any other personal information that may have been accessed by visitors, students, staff, and faculty on campus computers between 1999 and January of 2012 could have been exposed.","Databreaches.net","","2012","37.774930","-122.419416" "January 11, 2012","Vermont Department of Taxes","Montpelier","Vermont","DISC","GOV","1,332","The Vermont Department of Taxes website accidentally displayed the Social Security numbers of 1,332 individuals and the federal ID numbers of 245 businesses for two hours.  The personal data was contained in a weekly group of property transfer tax returns.  The three parties who were able to access the information were identified and contacted.  ","Databreaches.net","","2012","44.260059","-72.575387" "January 4, 2012","New York Police Department - 40th Precinct ","New York","New York","PHYS","GOV","0","A precinct employee trashed a number of documents after they had been damaged by a flood in the basement of the building.  Dumpster divers found the documents and reported that they were readable.  The documents, which contained at least one domestic violence report, stolen property records, criminal complaints, and mug shots, were then recovered, secured, and presumably shredded.","Databreaches.net","","2012","40.714353","-74.005973" "December 30, 2011","United Airlines","Chicago","Illinois","DISC","BSO","20","A customer checking frequent flyer miles on United Airlines' mobile website was able to view the names, Mileage Plus numbers, future flight itineraries with confirmation codes, and previous trips of other United Airlines customers.  The information could have allowed anyone to change another passenger's seating assignment or cancel a flight by using confirmation codes and last names.  
","Databreaches.net","","2012","41.878114","-87.629798" "December 30, 2011","Care2.com","Redwood City","California","HACK","BSR","0","On December 27, Care2 discovered that their website had been breached.  Hackers accessed member login information.  Care2 emailed new passwords once members had logged into their accounts.  Members should change the passwords of any accounts that share the password that was previously used on Care2.  Though Care2 has 17,900,617 members, a ""limited number"" were affected by the breach.","Databreaches.net","","2011","37.485215","-122.236355" "December 28, 2011","Automatic Data Processing (ADP), A.W. Hastings'","Westlake Village","California","PORT","BSO","0","On November 12, 2011, an encrypted laptop was stolen from the home of an ADP associate.  The laptop was encrypted and password-protected.  It contained files with the personal information of A.W. Hastings & Co. employees which had been given to ADP for payroll processing.  Names, Social Security numbers, and addresses may have been exposed.","Databreaches.net","","2011","34.138456","-118.849985" "December 28, 2011","Guide Publishing Group, GuideYou.com","San Francisco","California","HACK","BSO","11","Hackers inserted code onto the server that hosts GuideYou.com and accessed customer credit card numbers.  The CVC2/CVV2/CID codes, customer names, and addresses associated with the credit card numbers were also accessible through the server.  The breach was discovered on October 28, but the malicious code had been present since November 19, 2010.  ","Databreaches.net","","2011","37.774930","-122.419416" "December 28, 2011","N/L Entertainment, Alamo Drafthouse Cinemas","Winchester","Virginia","HACK","BSO","0","Customers who went to Alamo Drafthouse Cinemas may have had their debit and credit card information stolen due to a theft of information from N/L Entertainment.  
The Bank of Charles Town is suing N/L Entertainment for failing to prevent the theft, which led to at least 232 fraudulent purchases made using Bank of Charles Town customer debit cards.  The Bank of Charles Town is seeking $29,919.74 in damages plus an unspecified amount in interest. The breach was first noticed and reported to the public in September.  Thieves had taken financial information from people who used their debit or credit cards to make transactions between the end of June 2011 and late August of 2011.  ","Databreaches.net","","2011","39.185660","-78.163334" "January 12, 2012","Open MRI of Chicago, Nation Wise Machine Buyers","Chicago","Illinois","PHYS","MED","2,000","The improper disposal of paper documents resulted in the exposure of health and/or other personal information.  The breach was discovered on September 6, 2011.","HHS via PHIPrivacy.net","","2012","41.878114","-87.629798" "January 12, 2012","Rite Aid Corporation","Harrisburg","Pennsylvania","PHYS","BSR","2,900","The misplacement of paper documents resulted in the exposure of health and/or other personal information.  The breach was discovered on October 7, 2011.","HHS via PHIPrivacy.net","","2012","40.273700","-76.884418" "January 11, 2012","KCI USA, Inc.","San Antonio","Texas","PORT","MED","567","A portable electronic device was discovered to have been stolen on or around September 8, 2011. The device may have contained health and/or other personal information. ","HHS via PHIPrivacy.net","","2012","29.424122","-98.493628" "December 28, 2011","Loma Linda Medical University","Loma Linda","California","INSD","MED","1,336","An employee was fired after taking sensitive documents home on or around December 19.  Medical records and other documents with patient dates of birth, addresses, driver's license numbers, medical record numbers, and in some cases, Social Security numbers were removed from the hospital against hospital policy. 
The records were recovered.","PHIPrivacy.net","","2011","34.048347","-117.261153" "June 29, 2010","A Woman's Place","Ketchikan","Alaska","DISC","MED","400","An ACLU lawsuit claims that police acted inappropriately during a raid of A Woman's Place clinic. The lawsuit claims that police not only confiscated around 400 medical records, but read them and revealed sensitive medical information about patients to outside parties. UPDATE (12/28/2012): ACLU is asking that the records be returned.  The police were investigating the clinic because its owner is accused of billing the state Medicaid program for services to 37 patients after having her license suspended.  Seven pharmacies billed Medicaid for prescriptions she had written after the owner's prescription authority was also suspended.","PHIPrivacy.net","","2010","55.342222","-131.646111" "January 20, 2012","Family Chiropractic Center","Kokomo","Indiana","PHYS","MED","450","Between 400 and 450 medical records were stolen from a chiropractic clinic during a January 2 burglary.  Files for patients with last names ending in DOD through DRI; ending in ELL through GAT; and ending in GIF through HAL and who had been to the clinic since January 1, 2008 were taken.","PHIPrivacy.net","","2012","40.486427","-86.133603" "January 20, 2012","Ayuda Medical Case Management","Castroville","Texas","PHYS","MED","2,000","Thousands of patient records were found in an unsecured trash can.  They contained names, Social Security numbers, addresses, phone numbers, medical conditions, and treatment information.  The boxes of medical records were traced to Ayuda, whose owner claimed to have been doing little or no business after losing a state contract in September.  The boxes were auctioned off after the owner failed to pay the rental fee on a storage unit. 
","PHIPrivacy.net","","2012","29.355790","-98.878639" "January 21, 2012","Titus Regional Medical Center (TRMC)","Mount Pleasant","Texas","INSD","MED","108","A nurse was fired after accessing patient medical records without cause.  The unauthorized access exposed patient vital signs, diagnoses, and treatment notes.  Patient Social Security numbers may have also been exposed.  The breach was uncovered in November during an audit.","PHIPrivacy.net","","2012","33.156786","-94.968269" "January 20, 2012","Arizona State University (ASU)","Tempe","Arizona","HACK","EDU","300,000","ASU shutdown its online computer system after discovering a breach.  An encrypted file containing user names and passwords was downloaded on Wednesday, January 18 by an unauthorized party.  All online services were suspended until the night of Thursday, January 19.  Students and staff will be required to enter new passwords to access their accounts since there is a chance that some information could have been compromised.  ","Databreaches.net","","2012","33.425510","-111.940005" "January 20, 2012","Ward's Nursery & Garden Center","Great Barrington","Massachusetts","UNKN","BSR","0","Customers who used debit or credit cards at Ward's Nursery and Garden Center may have had their information taken.  Dozens of people from various banks reported fraudulent activity on their cards and Ward's Nursery and Garden Center appears to be a common link.  
Reports of fraudulent activity date back to December and people who visited Ward's Nursery and Garden Center are urged to check their cards for fraud until the cause of the breach is determined.","Databreaches.net","","2012","42.195980","-73.362008" "January 20, 2012","Department of Veterans Affairs, Ancestry.com","Washington","District Of Columbia","DISC","GOV","2,200","VA officials gave veteran Social Security numbers, names, and possibly other information to Ancestry.com in March of 2011 in response to a Freedom of Information Act request from the genealogy site.  The records should have only contained the information of deceased veterans, but instead contained the information of over 2,200 living veterans. The information was then posted in 2011 and taken down in January of 2012.","Databreaches.net","","2012","38.895112","-77.036366" "January 24, 2012","City of Point Pleasant","Point Pleasant","West Virginia","HACK","GOV","0","A potential security breach to the City of Point Pleasant's computer system was discovered by an outside agency.  Pleasant officials were contacted and an investigation began.  Little is known about the breach, though it is believed to have originated from an outside source.","Databreaches.net","","2012","38.844525","-82.137089" "December 24, 2011","Office of the New York City Public Advocate","New York","New York","HACK","NGO","0","The group Anonymous claimed responsibility for hacking and publishing a database. The database consisted of names, addresses, telephone numbers, email addresses, medical conditions, domestic violence and abuse reports, descriptions of financial hardship, complaints about residential issues, and other very personal details of people who submitted this information via the public advocate's website.  The submissions for assistance date from April 2010. 
UPDATE (12/28/2011): The NYC Office of the Public Advocate released a public notice.","Databreaches.net","","2011","40.714353","-74.005973" "December 16, 2011","United Jewish Appeal - Federation of Jewish Philanthropies of New York Inc. (UJA-Federation)","New York","New York","INSD","NGO","0","People who donated to UJA-Federation may have had their bank account information taken by a dishonest worker.  A worker who led a $2 million identity theft ring surreptitiously took pictures of checks given to UJA-Federation during her two years of employment.  The dishonest worker also collected donor names, addresses, and account numbers. The information was then sold to other members of the identity theft ring and used to create fraudulent checks and open credit cards.  The dishonest worker was fired when the crimes were discovered.","Databreaches.net","","2011","40.714353","-74.005973" "December 15, 2011","Jefferson County Public Schools","Louisville","Kentucky","DISC","EDU","6,500","Around 6,500 ACT Explore test results for 8th graders were mailed to incorrect addresses.  The breach was discovered when parents began calling the district.  Parents were asked to shred the tests.  The exact cause of the mailing error is unknown.","Databreaches.net","","2011","38.252665","-85.758456" "December 14, 2011","Trilegiant Corporation","Stamford","Connecticut","INSD","BSO","0","A call center employee who worked for a Trilegiant vendor used his phone to take pictures of customer names and credit or debit card numbers.  The dishonest employee was seen doing this at least once, but no misuse of customer information had been reported as of December 14, 2011.","Databreaches.net","","2011","41.053430","-73.538734" "December 13, 2011","Mr. Janitor, Eagle Harbor Country Club","St. Augustine","Florida","INSD","BSO","0","The owner of a cleaning company called ""Mr. Janitor"" was arrested for stealing personal information from Eagle Harbor Country Club members.  
An unknown number of members had their information stolen and used to open fraudulent credit cards and bank accounts in their names.  The owner of the cleaning company was charged with identity theft of more than $50,000 and/or affecting more than twenty persons.","Databreaches.net","","2011","29.894264","-81.313208" "December 12, 2011","Florida Family Association (FFA)","","Florida","HACK","NGO","22","Anonymous and AntiSec released FFA information which included 22 email addresses linked to IP addresses of newsletter subscribers, 13 email addresses linked to type of credit card and security code number, and administrator login information which included encrypted passwords.  The attack was in response to FFA's successful efforts to pressure Home Depot and Lowe's into removing advertisement on a TLC show called ""All-American Muslim.""  The FFA strongly opposed the idea of having a Muslim family featured in a positive way on TV. Anonymous also hinted at an attack on Lowe's for caving into the FFA's demands.","Databreaches.net","","2011","27.664827","-81.515754" "December 11, 2011","Coalition of Law Enforcement and Retail (CLEAR)","Deerfield Beach","Florida","HACK","NGO","2,400","A hacker released member information that had been stored on the CLEAR website. Member phone numbers, residential and email addresses, and place of employment were exposed. Administrator passwords that had easily been decrypted were also released. One person claimed to have used the information to access the email of a police department. The hacker claimed that the attack was a response to the mistreatment of Occupy protesters. ","Databreaches.net","","2011","26.318412","-80.099766" "August 19, 2011","University of Missouri Health Care","Columbia","Missouri","PHYS","MED","1,288","On June 14, University of Missouri Health Care officials failed to receive an expected delivery of copies of patient billing information and immediately notified the University of Missouri Police Department.  
The package had been sent via private courier to University of Missouri Health Care from a Kansas City bank that serves as the clearinghouse for the University of Missouri Health Care’s billing.  The package included copies of payments received by the bank between June 6 and June 13 and would have exposed bank account numbers, partial credit card numbers, names and addresses.  Notification letters were sent on June 21. University of Missouri Health Care has terminated its contract with the courier responsible for delivering the missing package.  Affected parties are advised to contact their banks or credit card companies and change their account or card numbers. UPDATE (1/26/2012): Privacy Rights Clearinghouse received documentation that revealed people in Columbia were affected by the breach.","PHIPrivacy.net","","2011","38.951705","-92.334072" "February 12, 2010","ING Fund","Amsterdam","Noord Holland","DISC","BSF","106","Customer information was accessible through a web search from August of 2008 through January of 2010.  The information included names, Social Security numbers, addresses, and account numbers of shareholders in New Hampshire and other locations.","Databreaches.net","","2010","52.370216","4.895168" "December 9, 2011","Stone Oak Urgent Care and Family Practice","","","STAT","MED","3,079","A computer or laptop was discovered to have been lost or stolen on or around October 23, 2011. UPDATE (12/28/2011): A total of five computers containing medical and personal information were stolen from a physician's office during the breach.  A thief had pried open an office door during the weekend of October 22-23.  
Patients were informed on December 5 that their names, Social Security numbers, dates of birth, account numbers, disability codes, and diagnoses were stored on the computers.","HHS via PHIPrivacy.net","","2011","37.090240","-95.712891" "December 3, 2011","State of Tennessee Sponsored Group Health Plan","","","DISC","GOV","1,770","State employees who canceled their health or dental insurance had their information mailed to the wrong address in October.  Each mailing included a certificate containing the information of the recipient and three other letters aimed at other members of the plan.  Names, Social Security numbers, addresses, employee ID numbers, and healthcare insurance coverage dates were exposed. The error was discovered on October 6, 2011.","Databreaches.net","","2011","37.090240","-95.712891" "November 14, 2011","Santa Clara University","Santa Clara","California","HACK","EDU","60","The academic records database of Santa Clara University was hacked in order to change the grades of over 60 current and former undergraduate students.  The breach was discovered when a former student pointed out that her current transcript showed a grade better than the one on a transcript that had previously been printed. Tens of thousands of student records dating back more than a decade were examined.  The ""sophisticated"" hacking incident or incidents had altered student transcripts from all three of the University's schools and changed some grades for courses taken as far back as 2006.  The incident or incidents is believed to have occurred between June 2010 and July 2011.  Some students received subtle upgrades and others had their grades changed from F's to A's.","Databreaches.net","","2011","37.354108","-121.955236" "November 13, 2011","Providencenightlife.net","Providence","Rhode Island","HACK","BSO","50,000","Hackers posted data from providencenightlife.net users onto Pastebin.  The data included usernames, clear-text passwords, and email addresses.  
","Databreaches.net","","2011","41.823989","-71.412834" "November 12, 2011","United States Postal Service (USPS)","Washington","District Of Columbia","DISC","GOV","5,400","A customer logged onto her USPS online store account and was able to see the name, address, and the final four digits of another customer's credit card number.  The customer alerted the USPS customer service, but was told that the error had already been noted. On October 28, USPS became aware that a coding issue during an update had resulted in an error that exposed credit card information.  Customers were notified of the problem on November 8.  The error was subsequently fixed.","Databreaches.net","","2011","38.895112","-77.036366" "November 11, 2011","University of Texas-Pan American","Edinburg","Texas","DISC","EDU","19,276","On September 1, 2011, a spreadsheet containing information on 19,276 students was accidentally made accessible from the internet due to a administrative error.  The spreadsheet contained the names, addresses, phone numbers, email addresses, majors, class or classes, levels, colleges, student ID numbers, and GPAs of students enrolled as of September 1 of 2011.  The problem was corrected on November 2 soon after it was discovered. The spreadsheet had been accessed 15 times by unknown parties between September 1 and November 2.  ","Databreaches.net","","2011","26.301737","-98.163343" "November 11, 2011","Virginia Commonwealth University","Richmond","Virginia","HACK","EDU","176,567","Hackers were able to access a Virginia Commonwealth University (VCU) computer server.  It contained files with the personal information of current and former VCU and VCU Health System faculty, staff, students and affiliates.  Suspicious files were discovered on the server on October 24.  It was taken offline and subsequent investigation revealed that two unauthorized accounts had been created on a second server.  
While the first server did not contain personal data, the second server did and had been compromised through the first server.  Data included either a name or eID, Social Security number, and in some cases, date of birth, contact information, and various programmatic or departmental information.  ","Databreaches.net","","2011","37.540725","-77.436048" "November 10, 2011","Wakulla County School Board","Crawfordville","Florida","DISC","EDU","2,400","The information of 2,400 students in grades four through ten was accidentally posted online.  A parent discovered the breach after searching their child's name.  The student's FCAT scores and Social Security number appeared on a public site.  The cause of the unintended disclosure was not reported.","Databreaches.net","","2011","30.194484","-84.371121" "November 9, 2011","ValueOptions, National Elevator Industry","Newtown Square","Pennsylvania","PORT","BSO","7,019","On July 6, 2011, four tape cartridges with sensitive information were shipped in a container from VOI.  The container was placed into a cardboard shipping box and shipped.  ValueOptions Inc. (VOI) was informed that the package had not arrived as of August 1. An outside agency investigated the loss of the packages until September 22.  Notification that the tapes had been lost was sent on November 4.  The tapes contained names, addresses, phone numbers, dates of birth, Social Security numbers, and plan subscriber ID numbers. VOI processes the benefits information for National Elevator Industry's Health Benefit Plan, as well as other organizations.  A total of 350 New Hampshire residents were affected by the breach and 6,669 New York residents were affected as well.  
The total number of people affected from different organizations and across the United States was not reported.","Databreaches.net","","2011","39.986667","-75.401389" "November 9, 2011","Habitat for Humanity Delaware County ReStore","Delaware","Ohio","HACK","NGO","444","A number of identity thefts were linked to Habitat for Humanity of Delaware County ReStore.  An investigation revealed that hackers had accessed the store's computer system and took customer names and credit card numbers.  Detectives believe there are other sources of identity theft that have yet to be identified. The date of the access was not reported, but as many as 444 customers could have had their information taken.","Databreaches.net","","2011","40.298672","-83.067965" "January 30, 2012","University of Miami Miller School of Medicine","Miami","Florida","PORT","MED","1,219","A briefcase containing an unencrypted flash drive was stolen from the vehicle of a University of Miami Miller School of Medicine pathologist on November 24, 2011.  It contained the names, medical record numbers, ages, sexes, diagnosis information, and treatment information of patients who had specimens reviewed by the department of pathology between 2005 and 2011.  ","PHIPrivacy.net","","2012","25.788969","-80.226439" "January 30, 2012","Lexington Clinic","Lexington","Kentucky","PORT","MED","1,018","A December 7 overnight office burglary resulted in the theft of a laptop with patient data. It contained names, contact information, and diagnoses of patients receiving services within the neurology department.  The locks to the neurology department were changed after the theft was discovered.  ","PHIPrivacy.net","","2012","38.040584","-84.503716" "January 28, 2012","Oldendorf Medical Services","Albany","New York","PORT","MED","640","An office burglary on or around January 18 resulted in the theft of two laptops.  The laptops contained the records of about 640 patients and had been used for cardiac tests. 
Though the laptops contained minimal clinical data, they did contain some Social Security numbers and demographic information.","PHIPrivacy.net","","2012","42.652579","-73.756232" "January 27, 2012","Preferred Skin Solutions","Tulsa","Oklahoma","PORT","MED","400","An office burglary that occurred on or around January 24 resulted in the loss of a laptop. The laptop held client records.  The company sent a breach notification through Facebook and email.  No financial information was on the laptop, but Preferred Skin Solutions still warned their clients about the risk of identity theft.","PHIPrivacy.net","","2012","36.153982","-95.992775" "January 24, 2012","Metropolitan Life Insurance Company (MetLife) of Connecticut","Bloomfield","Connecticut","DISC","BSF","0","In November of 2009, a customer discovered that a spreadsheet with current and former MetLife customer information had been posted online.  MetLife corrected the problem after being notified by the customer and provided two years of credit monitoring and identity theft insurance to customers who had been affected by the breach.  The type of information exposed in the spreadsheet and the length of time it was available online were not revealed.  Additional negotiations with Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein resulted in an agreement for MetLife to offer additional protection.  MetLife paid an additional $10,000 for a special fund that will reimburse the state of Connecticut's investigative and enforcement costs, or reimburse losses for consumers in the future. 
Additionally, customers who paid for a security freeze to be lifted or placed will be eligible for reimbursement and MetLife agreed to improve employee personal information protection training policies and procedures.","Databreaches.net","","2012","41.844167","-72.741389" "August 9, 2011","McDonald's","Norfolk","Virginia","INSD","BSR","185","A cashier pleaded guilty to conspiracy to commit access device fraud and aggravated identity theft.  The cashier was part of a group of friends who used stolen credit card numbers to make $50,000 in purchases.  The cashier's job was to swipe customer debit and credit cards while working at McDonald's. UPDATE (2/03/2012): The man who was the ring leader of the credit card scam and recruited the McDonald's employee was sentenced to seven years in federal prison on February 3.  He reportedly paid a female employee $10 for each credit card she swiped at the restaurant.  About 185 customers were affected and $163,000 in fraudulent charges were made. The dishonest employee pleaded guilty and was sentenced to two years in prison. Three other people were sentenced for their involvement, but the extent of their involvement was not revealed.  A fourth remains a fugitive.","Databreaches.net","","2011","36.850769","-76.285873" "June 3, 2011","Trinity Medical Center (Montclair Baptist Medical Center)","Birmingham","Alabama","PHYS","MED","4,500","A former employee woman was caught stealing patient information for the purpose of identity theft.  Hundreds of pages of information with patient names, Social Security numbers, dates of birth, and some medical information such as scheduled procedure were found at the employee's woman's residential address. The information is from stolen surgery schedules and was taken between March 22 and April 1. 
The former employee woman was charged with violating the federal Health Insurance Portability and Accountability Act (HIPAA). UPDATE (2/01/2012): Additional details reveal that the woman was most likely not an employee of Trinity Medical Center and stole the logs of patient information while supposedly visiting a patient. The paper documents were stolen in a flamboyant way as the woman reportedly jumped over a counter to steal the logs.  The files included information from people who had visited in 2006 when Trinity was known as Montclair Baptist Medical Center.  The logs were recovered on April 8 through a USPS investigation. She pleaded guilty to the theft and was sentenced to 39 months in federal prison on February 1, 2012.  She will also serve five years of supervised release after her prison time is served.  ","PHIPrivacy.net","","2011","33.520661","-86.802490" "February 3, 2012","Security Savings Systems, Inc.","New Cumberland","Pennsylvania","DISC","BSO","2,038","A printing error caused thousands of taxpayers to receive 1099-G forms from 2011 with the Social Security number and tax refund of another taxpayer.  The mistake occurred because the company was trying to conserve paper.  The forms were supposed to be cut below a certain point, but the bottom half remained attached.  ","Databreaches.net","","2012","40.232312","-76.884696" "February 2, 2012","Flores Mexican Restaurant","Lakeway","Texas","HACK","BSR","50","Over 50 people who ate at Flores' were victims of fraudulent credit card activity.  The damages total nearly $50,000.  Hackers used a computer virus to infiltrate Flores' credit card system in December.  The owner noticed a drop in business of 15 percent after the breach was disclosed.","Databreaches.net","","2012","30.367979","-97.991679" "February 2, 2012","VeriSign Inc.","Reston","Virginia","HACK","BSO","0","VeriSign was hacked repeatedly in 2010. The hackers stole undisclosed information.  
VeriSign is responsible for the integrity of web addresses ending in .com, .net, and .gov. If hackers were able to obtain certain information, it is possible that .com, .net, and .gov websites could be imitated more easily.  Hackers may be able to direct people to faked websites and intercept email from federal employees or corporate executives using the .gov addresses.  VeriSign officials do not believe that the attacks breached the servers that support the Domain Name System network, but did not reveal many details about the breach.  VeriSign offers a number of services that defend customer websites from attacks and manage website traffic.  VeriSign also researches international cybercrime groups.  The security staff responded to the attack quickly, but the breach was not disclosed throughout the company until September 2011.","Databreaches.net","","2012","38.958631","-77.357003" "January 27, 2012","President's Challenge, Indiana University","","Indiana","HACK","GOV","650,000","A security breach caused the personal information of 650,000 President's Challenge participants nationwide to be exposed.  Hackers may have accessed participant names, email addresses, dates of birth, and nutritional data.  People throughout Indiana University were participating in a Health IU fitness inter-campus competition.  No financial information was available to the hacker or hackers.  A small percentage and unknown number of Social Security numbers may have been available through other organizations that participate in President's Challenge programs.  It is unclear how many other organizations were affected by the President's Challenge hack.  ","Databreaches.net","","2012","40.267194","-86.134902" "January 27, 2012","Craigslist","Hempstead","New York","UNKN","BSO","250","More than 250 people in 30 states were victims of scams perpetrated on Craigslist.com by two New York residents.  
The women posted phony Craigslist ads for nonexistent jobs and apartments to gather the personal information of victims between February of 2010 and October of 2011.  That information was then used to obtain fraudulent state income tax returns, bank loans, and credit cards.  More than $75,000 was fraudulently obtained.  Early in 2011, workers in the Buffalo office of the state Department of Taxation and Finance discovered that hundreds of state tax refunds were being claimed from only about 10 addresses in the county.  The two women were indicted by a grand jury on grand larceny and scheme to defraud charges.  The women face up to 15 years in prison if convicted.","Databreaches.net","","2012","40.706213","-73.618740" "January 27, 2012","Sequoia Hospital, Towers Watson","San Mateo","California","DISC","MED","391","An employee of Towers Watson posted unspecified personal information of current and former Sequoia Hospital employees online in October of 2007.  Towers Watson is a Sequoia Hospital contractor.  The types of information that were posted were not disclosed, but full names and Social Security numbers were included.  The information remained online until December 2 of 2011.  ","Databreaches.net","","2012","37.562992","-122.325525" "January 28, 2012","Naperville Unit District 203","Naperville","Illinois","DISC","EDU","101","The report cards of 101 high school students were accidentally sent to the person listed as their emergency contact.  A vendor made an unauthorized change to the computer program that generates report cards.  If a parent had a high school student attending the district and was listed as an emergency contact for another high school student, then they received two report cards.  Parent names were listed on the report cards of each student, but parents listed as emergency contacts mistakenly received the report cards anyway. No Social Security numbers were exposed.  
Student ID numbers, schedules, and grades were exposed.","Databreaches.net","","2012","41.785863","-88.147289" "January 29, 2012","Palos Verdes High School","Palos Verdes","California","HACK","EDU","0","Three students were caught selling quiz answers to students.  It was discovered that they had stolen and copied a master key from the janitor's office.  They then used the copy of the master key to install keylogging hardware onto the computers of four teachers.  The keylogging hardware revealed passwords, which were then used to access the central files of the school network.  It is unclear what types of information the students had access to.  They used their access to electronically change their grades slightly. The master key copy was also used to access 20 paper tests before they were given.  A student who became aware of the black market for quiz materials reported the students.  ","Databreaches.net","","2012","33.744461","-118.387017" "January 31, 2012","Regions Financial Corp., Ernst & Young","Birmingham","Alabama","PORT","BSF","0","The personal information of current and former Regions employees was lost in November after an auditor from Ernst & Young mailed a flash drive and decryption code. The envelope arrived with the decryption code, but no flash drive. The data included information related to 401k retirement plans.  Names, Social Security numbers, and possibly dates of birth were on the flash drive.  Regions employs about 27,000 people in 16 states.","Databreaches.net","","2012","33.520661","-86.802490" "January 31, 2012","East Baton Rouge Acceleration Academy","Baton Rouge","Louisiana","UNKN","EDU","159","Police stopped a high school student and discovered several sheets of papers with student names, dates of birth, and Social Security numbers in a vehicle.  It is unclear how the student obtained the printout and she is accused of using the information to file fraudulent federal income tax returns.  
","Databreaches.net","","2012","30.458283","-91.140320" "January 31, 2012","SegMark Solutions","Fairfield","Connecticut","HACK","BSO","0","A former employee was able to access the Segmark Solutions computer system.  It is unclear if the former employee guessed passwords, used passwords that had not been changed, or used some other method to access the computer system.  He then used credit card information in the system to make fraudulent purchases. Damages caused a total of $7,000.  The former employee was caught after a six-month investigation and charged with second degree computer crime and illegal use of credit cards.","Databreaches.net","","2012","41.140836","-73.261262" "October 29, 2010","University of Hawai'i West O'ahu (UHWO)","Pearl City","Hawaii","DISC","EDU","40,101","Unencrypted files that were placed on the faculty web server exposed student information. Student names, Social Security numbers, birth dates, addresses and academic information were placed on the server in December of 2009.  Students who attended UHWO in Fall of 1994 or graduated between 1988 and 1993 were affected. A much larger number of students who attended the University of Hawai'i Mānoa between 1990 and 1998 were also affected. The files were removed on October 18 after a privacy group notified the University. The server was quickly removed from the network.  The faculty member who accidentally placed the file on the server retired before the breach was discovered. UPDATE (11/19/10): A former student is filing a class-action lawsuit on behalf of students affected by the University of Hawaii's multiple breaches.  The man attended the Mānoa campus between 1990 and 1998 and claims that he was affected by the this breach and one that occurred in June of 2009.  The names of four other people are attached to his Social Security number and his credit has been used in Georgia. 
Around 259,000 private records have been exposed by the University of Hawai'i since 2005. UPDATE (1/27/2012): The University of Hawaii will provide two years of credit protection services and credit restoration services to settle a class-action lawsuit involving data breaches that affected nearly 100,000 students, faculty, alumni, and staff between 2009 and 2011.  The settlement is still subject to court approval.","Databreaches.net","","2010","21.397222","-157.973333" "January 27, 2012","Windstream","Kannapolis","North Carolina","INSD","BSR","0","A concerned neighbor noticed that packages were being delivered to an abandoned house. Law enforcement confronted a man who was collecting the packages and found that he had stolen old Windstream customer files and used the information to open fraudulent accounts with online retailers.  The man was an employee of Windstream and had taken paper documents from the mid to late 1990s.  A second vacant home that served as a delivery location was also found.  The former employee was charged with felony identity theft.","Databreaches.net","","2012","35.487361","-80.621734" "February 6, 2012","Office of Robert S. Smith, M.D., Inc.","Atlanta","Georgia","PORT","MED","17,000","An October 17 office burglary resulted in the theft of a laptop.  The laptop contained patient names, dates of birth, physicians, and diagnosis information.  ","HHS via PHIPrivacy.net","","2012","33.748995","-84.387982" "February 6, 2012","Molina Healthcare of California","Long Beach","California","DISC","MED","11,081","An unauthorized disclosure of paper documents occurred on January 31, 2011.  The breach may have affected records that date from September 23, 2009 through October 18, 2011. 
No further details are available.","HHS via PHIPrivacy.net","","2012","33.804167","-118.158056" "December 28, 2011","Aegis Science Corporation","Atlanta","Georgia","PORT","BSO","2,184","A laptop and external hard drive containing patient information were stolen from a locked vehicle owned by an Aegis employee on November 22, 2011.  The external hard drive contained names and Social Security numbers. It may have also contained driver's license numbers, dates of birth, and phone numbers.  Though Aegis provides lab tests, results and medical records were not exposed.  ","Databreaches.net","","2011","33.748995","-84.387982" "February 6, 2012","Smile Designs","Wellington","Florida","STAT","MED","1,670","The theft of a computer on or around December 1, 2011 resulted in the exposure of personal information.","HHS via PHIPrivacy.net","","2012","26.655231","-80.254251" "February 6, 2012","Muskogee Regional Medical Center","Muskogee","Oklahoma","PHYS","MED","844","A binder containing forms with flu test results for 2011 went missing sometime around December 5, 2011.  It contained the information of patients who received a flu test between January 1, 2011, and December 5, 2011.  The information included patient names, internal hospital department and internal account numbers, gender, medical record numbers, dates of birth, age, dates of tests, and flu test results.  ","HHS via PHIPrivacy.net","","2012","35.747877","-95.369691" "February 6, 2012","Foundation Medical Partners","Nashua","New Hampshire","UNKN","MED","771","A total of 771 patient records may have been exposed as a result of a breach that occurred on November 19, 2011.  No further details were disclosed.","HHS via PHIPrivacy.net","","2012","42.765366","-71.467566" "February 4, 2012","Triumph LLC","Raleigh","North Carolina","PORT","MED","2,070","A laptop with Triumph client and family member information was stolen on December 13.  The office burglary was committed by three men.  
Two of them distracted the receptionist while the third entered a hallway and stole the laptop.  People in Davie, Forsyth, and Stoke counties were affected.  The laptop contained spreadsheets with names, dates of birth, medical record numbers, insurance numbers, and Medicaid numbers.  Notifications went out on February 2 after it was determined that the laptop would most likely not be recovered.","PHIPrivacy.net","","2012","35.772096","-78.638615" "February 3, 2012","Motorola Mobility, Inc.","Libertyville","Illinois","DISC","BSR","100","Approximately 100 out of a batch of 6,200 refurbished Motorola XOOM Wi-Fi tablets were sent to new customers without being completely wiped by Motorola.  The affected tablets were resold by Woot.com between October and December 2011.  Previous owners may have stored user names, passwords, email addresses, videos, photographs, and documents on the tablets.  There is also a possibility that any password-protected sites and applications could be accessed by people who bought the device refurbished. Any customers who purchased and returned the tablet between March and October of 2011 are eligible for two-years of paid credit monitoring services if both transactions took place at Amazon.com, Best Buy, BJ's Wholesale, eBay, Office Max, Radio Shack, Sam's Club, Staples, or a few other independent retailers.  Those users are also encouraged to change email passwords, social media passwords, and any passwords used to access sensitive applications on the tablet.  Additionally, customers who purchased the refurbished tablets and discover that there is information from a previous user may mail the device back to Motorola for free, have the device reset, and receive a $100 American Express gift card.","Databreaches.net","","2012","42.283079","-87.953130" "January 27, 2012","Bamastuff.com","Tuscaloosa","Alabama","HACK","BSR","0","Bamastuff.com notified its customers that a breach in its database had been discovered.  
Customer names, email addresses, billing and shipping addresses, telephone numbers, credit card information, and/or cryptographically scrambled passwords may have been exposed.  Customers who bought items between August 1, 2009 and January 16, 2012 may have been affected. Some customers have already experienced fraudulent charges.","Databreaches.net","","2012","33.209841","-87.569174" "November 8, 2011","IQCR","Rock Hill","South Carolina","INSD","BSO","100","An employee of IQCR wrote down names, Social Security numbers, and dates of birth from records. The records came from a gas company in Chicago and were processed by IQCR.  That information was then used to apply for credit cards.  This occurred in October of 2011.  The dishonest employee and her partner were caught after people alerted authorities about being declined for credit cards they had not requested.  Authorities discovered that the fraudulent credit requests all came from the same computer IP address and went to the same residential address. The couple face 10 years in prison per identity stolen.  Over 100 people were affected by the breach.","Databreaches.net","","2011","34.924867","-81.025078" "November 6, 2011","Sam's Club","Apple Valley","Minnesota","INSD","BSR","98","A dishonest employee swiped customer credit cards after initial transactions, then processed a second transaction for cash back and pocketed the amount of the second fraudulent transaction from the cash register.  A store manager noticed the employee stealing money and reported her. A customer complaint about an unauthorized transaction then revealed the extent of the breach.  The fraudulent transaction complaints date from May 25 to June 10. 
Store records reveal that $6,197 was stolen in this way.","Databreaches.net","","2011","44.731909","-93.217720" "November 4, 2011","Amsterdam Hospitality Group","New York","New York","INSD","BSO","237","An auditor for the Amsterdam Hospitality Group sold credit card information to another man for identity theft purposes. As an employee for the Amsterdam Hospitality Group, the auditor had access to the credit card account information and identifying information of people who stayed at a number of Manhattan hotels.  It is unclear which hotels were affected. Over $840,000 in fraudulent credit card purchases were made with the stolen information.","Databreaches.net","","2011","40.714353","-74.005973" "November 3, 2011","Top of the Line Marketing","Rockville","Maryland","INSD","BSO","1,200","Between the summer of 2010 and February of 2011, a dishonest employee of Top of the Line Marketing passed along names, Social Security numbers, and dates of birth for the purpose of identity theft.  A police raid uncovered 42 debit cards and a list of 1,200 Maryland residents that had been distributed by the dishonest employee. Some of the information had been used to collect unemployment benefits on prepaid Visa cards. The person who was found with the fraudulent debit cards and list pleaded guilty to one count of conspiracy to commit access device fraud and one count of aggravated identity theft. He faces a maximum of five years in prison for the first count and a mandatory two-year sentence for the second.  ","Databreaches.net","","2011","39.083997","-77.152758" "November 2, 2011","University of Alabama","Tuscaloosa","Alabama","DISC","EDU","0","On October 26, students who had at least one failing midterm grade during the Fall 2011 semester received an email from the office of the assistant dean of students.  The email, which informed students of their grade, was not blind copied.  Each email recipient could see the email addresses of other students who received the email.  
No other information was exposed.","Databreaches.net","","2011","33.209841","-87.569174" "November 2, 2011","Aaron's","Fresno","California","STAT","BSR","1,008","On September 26, Aaron's became aware of an office burglary that resulted in the theft of computers, TVs, electronic gaming devices, and other goods. Customer names and Social Security numbers were on one of the computers.  At least 1,008 New Hampshire residents were affected, but the total number of affected people nationwide was not revealed.","Databreaches.net","","2011","36.747727","-119.772366" "December 10, 2010","Chicken Express","Tyler","Texas","INSD","BSR","500","An employee brought a skimming device to work and swiped customer debit or credit cards at the drive-thru window. The information was then sold to others who used it to make hundreds of fraudulent bank and gift cards. Authorities became aware of the situation in the summer of 2010.  Five hundred customers in Tyler were affected, but customers in other areas were also affected. UPDATE (8/10/2011): One of the people associated with the restaurant-related fraud ring was sentenced to four years in prison.  He pleaded guilty in May to access device fraud and was ordered to pay nearly $95,000 in restitution.  He was caught when law officers discovered counterfeit charge card making equipment and hundreds of fraudulent cards during a raid of his home. UPDATE (11/02/2011): The dishonest Chicken Express employee who skimmed customer credit card numbers was sentenced to two years in prison and ordered to pay $95,000 in restitution to victims.  ","Databreaches.net","","2010","32.351260","-95.301062" "November 2, 2011","MetroLux, Metropolitan Theatres","Loveland","Colorado","HACK","BSO","1,180","The parent company of MetroLux, Metropolitan Theatres, reported an external breach of the local theater's computer system.  Someone attacked the data transmission system and stole customer financial information via computer.  
The issue was first noticed on October 21.  The breach was analyzed and new servers were installed. Though the system was confirmed to have been compromised, not all of the 1,180 people who reported fraud had used their credit or debit cards there.","Databreaches.net","","2011","40.397761","-105.074980" "February 9, 2012","Cardinal Fitness","Indianapolis","Indiana","PHYS","BSO","0","Receipts, credit card numbers, addresses, phone numbers, and other information were found in an easily accessible dumpster that sat outside the closed fitness center.  A local news station was contacted and followed up on the story.  The dumpster was removed, but it is unclear if the documents were properly disposed. The news story received attention from the attorney general's office and Cardinal Fitness may now face a fine of up to $305,000 for dumping the information.","Databreaches.net","","2012","39.768516","-86.158074" "February 7, 2012","Department of Child Services","Avon","Indiana","PORT","GOV","0","The office burglary during the weekend of February 4 resulted in the theft of 10 encrypted laptops. The laptops had other safeguards as well as encryption codes. Additional items were stolen. The types of confidential and personal client information that were on the computers were not disclosed, nor was the possible number of people affected.  ","Databreaches.net","","2012","39.762823","-86.399717" "February 7, 2012","Valencia College","Orlando","Florida","DISC","EDU","9,000","An Excel spreadsheet with student names, addresses, dates of birth, and college ID's was listed online on a password-protected website.  The password protection eventually expired and anyone could access the information online.  Valencia College hired an unnamed contractor to create a custom page for prospective students to communicate with the college.  
The contractor then hired an unnamed sub-contractor to work on some of the website. The breach can be linked to that unnamed sub-contractor.","Databreaches.net","","2012","28.538336","-81.379237" "February 2, 2012","Metro Community Provider Network","Denver","Colorado","HACK","MED","2,000","Hackers were able to access patient names, phone numbers, dates of birth, Metro Community Provider Network internal account numbers, and medical conditions through phishing emails sent to several Metro Community Provider Network employees.  Employees received an email that appeared to be from a trusted source and contained a link.  Multiple employees clicked the link, which then asked for their email login information.  The breach was detected on the same day that it occurred, December 5th, 2011.  ","PHIPrivacy.net","","2012","39.739154","-104.984703" "February 10, 2012","Lakeview Medical Center","Rice Lake","Wisconsin","PORT","MED","500","More than 500 patients of Lakeview Medical Center homecare and hospice programs had their personal information exposed by the theft of a laptop.  The laptop was stolen from a car belonging to a Lakeview nurse.  It contained names, Social Security numbers, dates of birth, home addresses, medicare ID numbers, and diagnostic information. It is unclear when the laptop was stolen, but the nurse who was involved no longer works for Lakeview.","PHIPrivacy.net","","2012","45.506068","-91.738225" "February 10, 2012","C.D. Peacock","Chicago","Illinois","HACK","BSR","0","C.D. Peacock is suing BridgePoint Technologies for faulty IT services.  BridgePoint Technologies was hired in August 2009 and in March of 2010, a breach of C.D. Peacock's virtual private network (VPN) was discovered.  The private network was designed to give remote users access to a centralized network. C.D. Peacock was allegedly advised by BridgePoint Technologies to go around the VPN since it could not be fixed.  
Though BridgePoint Technologies allegedly said that this move would be safe, C.D. Peacock experienced a serious security breach almost immediately.  Hackers installed malicious software on its credit card processing system and other network computers in early April 2010.  According to the lawsuit, this allowed hackers to ""access the confidential personal data and financial information of"" C.D. Peacock customers.  The stolen data was transferred to the hackers' remote system.  The breach was discovered in August of 2010.  BridgePoint Technologies claimed that it had not received a copy of the lawsuit as of February 10, 2012. ","Databreaches.net","","2012","41.878114","-87.629798" "February 8, 2012","Dallas Police Department","Dallas","Texas","HACK","BSO","23","Hackers targeted the Dallas Police Department in response to an officer being placed on leave after crashing his vehicle while intoxicated.  A total of 21 full names with employee ID numbers and hire dates, as well as 23 user IDs, email addresses, and passwords were posted online by the hackers.","Databreaches.net","","2012","32.802955","-96.769923" "February 8, 2012","Wisconsin Chiefs of Police Association","","Wisconsin","HACK","BSO","540","Three hackers posted an administrative login and password on a public website. A fourth hacker released three logins and password combinations and 540 email addresses. The fourth hacker did not work with the other three hackers, but posted the information on the same day.","Databreaches.net","","2012","43.784440","-88.787868" "January 3, 2012","Department of Social Services Supplemental Nutrition Assistance Program","Hartford","Connecticut","DISC","GOV","130","A subpoena by the Department of Social Services revealed the names and Social Security numbers of multiple people.  The subpoena was in response to reports that state employees had engaged in food stamp fraud.  
Instead of separate subpoenas for each individual, a sheet with 40 names and a sheet with 90 names were sent.  This allowed state employees who are under investigation to learn that their fellow employees were under investigation, as well as their Social Security numbers.","Media","","2012","41.763711","-72.685093" "January 6, 2012","Spotsylvania County","Spotsylvania","Virginia","DISC","EDU","4,289","An employee discovered that it was possible to access current and former employee W-2 forms online via a Google search.  The W-2 form contained employee name, Social Security number, address, earnings, and taxes paid for 2009 and 2010.  The discovery was made on December 23 of 2011.  ","Media","","2012","38.197743","-77.588167" "February 15, 2012","Doshi Diagnostic Center","New York","New York","PHYS","MED","0","Sensitive documents were placed in public trash bags.  The bags were opened and the documents were found scattered across a sidewalk.  Confidential patient records which included names, Social Security numbers, unemployment compensation records, copies of benefits cards, and other patient personal information were exposed. Patients dating back to 2006 were affected.  ","PHIPrivacy.net","","2012","40.714353","-74.005973" "November 5, 2011","St. Joseph Medical Center","Towson","Maryland","PORT","MED","5,000","Someone stole thousands of X-rays from Saint Joseph Medical Center.  Authorities believe the X-rays were taken for their silver content rather than for identity theft purposes. They contained patient names, dates of birth, medical record numbers, dates of service, physicians, and some diagnostic information.  
Patients who were X-rayed between 2004 and 2005, as well as sometime during 2007 may have been affected.","PHIPrivacy.net","","2011","39.401496","-76.601913" "February 16, 2012","Central Connecticut State University (CCSU)","New Britain","Connecticut","HACK","EDU","18,763","A computer breach in a CCSU Business Office exposed the information of current and former faculty, staff, and student workers.  A Z-Bot virus designed to relay information was discovered on the computer on December 6, 2011.  The computer had been exposed for eight days and only exposed the Social Security numbers of those who were affected. People associated with CCSU as far back as 1998 were affected.","Databreaches.net","","2012","41.661210","-72.779542" "February 13, 2012","City of Rye","Rye","New York","DISC","GOV","0","An unknown number of employee Social Security numbers were mistakenly disclosed after the City responded to a Freedom of Information law request.  The Social Security numbers were included along with payroll data to the entity that requested the information.  City officials verified that the information would not be passed on after the breach was discovered.","Databreaches.net","","2012","40.980654","-73.683740" "February 14, 2012","Solitude Mountain Resort","Salt Lake City","Utah","HACK","BSO","0","Hackers stole credit card information during an attack on Solitude Mountain's credit card system.  The breach was short-lived and a small, but undisclosed number of people saw fraudulent charges on their credit cards.  Anyone who used a credit card at Solitude during the week of February 7 should check their statements for unusual activity.","Databreaches.net","","2012","40.760779","-111.891047" "April 11, 2011","Texas Comptroller's Office","Austin","Texas","DISC","GOV","3,500,000","The information from three Texas agencies was discovered to be accessible on a public server. 
Sometime between January and May of 2010, data that was not encrypted was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.  A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed.  Some employees were fired for their roles in the incident. UPDATE (4/13/2011): Approximately two million of the 3.5 million possibly affected are unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed.  The birth dates and driver's license numbers of some of these people were also exposed. The information was accidentally disclosed on a Comptroller's publicly accessible server. TWC provided uninsured claimant records from December 31, 2006 to December 31, 2009 to the Comptroller's office in April of 2010 to assist in identifying individuals who may have unclaimed property.  The information was sent in a protected manner using Secure File Transfer Protocol (SFTP), which encrypts the data during transmission over a state controlled network used by state agencies and universities. UPDATE (5/6/2011): Two class action lawsuits have been filed on behalf of 3.5 million Texans who had their information exposed by the breach. The second class action lawsuit seeks a $1,000 statutory penalty for each affected individual. UPDATE (2/13/2012): The cost of the credit monitoring services provided to those affected has passed $600,000. 
Currently, no taxpayers have linked fraudulent charges to the breach.","Databreaches.net","","2011","30.267153","-97.743061" "November 4, 2011","Washington South Supervisory Union","Northfield","Vermont","HACK","GOV","0","Supervisory Union notified all employees that a serious security breach on its financial computer system was discovered and that their financial information may have been compromised.  The breach was not described in detail, but employees were informed that payroll would be temporarily using paychecks.  Supervisory Union contacted all banking institutions that were involved in direct deposit and informed them that client data may have been compromised.  Employees were also encouraged to contact all banking institutions to review their financial accounts, contact their banks, change their email passwords, and avoid clicking on suspicious emails.  ","Databreaches.net","","2011","44.151202","-72.656747" "February 21, 2012","Ochsner Medical Center","New Orleans","Louisiana","PORT","MED","0","A hard drive was discovered missing on February 19.  It contained patient personal and medical information related to a bone density machine.  Medical information, names, dates of birth, addresses, medical record numbers, and medications from patients who had bone density scans between November 2005 and January 2012 were exposed.  The hard drive was designed to work with the bone density machine and specialized software would be needed to extract information.","PHIPrivacy.net","","2012","29.951066","-90.071532"
"February 21, 2012","Mo' Money Taxes","Memphis","Tennessee","PHYS","BSF","0","Thousands of documents with sensitive information were found in a publicly accessible dumpster. An investigation began on February 20 when officers were alerted to three dumpsters filled with documents dating back to 2005.  The information included Social Security numbers, driver's licenses, phone numbers, and addresses. The landlord of the space leased by Mo' Money appears to have mistakenly cleaned out the office space before Mo' Money's shredding service could access the documents. The IRS is now conducting a federal investigation related to identity theft.","Databreaches.net","","2012","35.149534","-90.048980" "February 25, 2012","Piedmont Behavioral Healthcare (PBH), Alamance-Caswell LME (AC LME)","Concord","North Carolina","DISC","MED","50,000","A miscommunication caused AC LME to lose access to servers containing sensitive health information.  An Alamance County employee mistakenly changed a lock on the facility that housed data servers for AC LME.  It appears that AC LME forgot to inform the county that AC LME was extending a contract for server maintenance.  Former consumers of AC LME, including those who became PBH consumers on October 1, 2011, may have had their personal health information stored on these servers. The servers are now in the possession of the county and could contain the names, Social Security numbers, medical record identification numbers, addresses, and diagnoses of AC LME consumers. 
LME officials have not had access to the server room without being monitored by a county employee or with the forensics team assigned to examine the servers.","HHS via PHIPrivacy.net","","2012","35.408752","-80.579511" "February 25, 2012","Burger King","Gresham","Oregon","INSD","BSR","30","A former Burger King employee used a skimming device to capture customer information.  Customers who used their credit cards at the drive-through during the late-night shift had their information copied, sold, and used to make fraudulent purchases. The dishonest employee, the person who misused the data to create forged credit cards, and two others who made fraudulent purchases were all arrested.  A total of $14,000 in goods were purchased.","Databreaches.net","","2012","45.500136","-122.430201" "February 25, 2012","Weather Shield","Ladysmith","Wisconsin","UNKN","BSF","0","A steady flow of employees of Weather Shield have been reporting identity theft in the form of fraudulent tax returns. The company, or one of the company's affiliates that had access to employee financial information, must have experienced some type of breach or breaches. Over 60 employees have discovered that someone had already filed and collected their tax returns. Employees experienced the problem for 2010 and 2011 tax returns, but no one has been charged for the crimes.","Databreaches.net","","2012","45.463023","-91.104036" "February 27, 2012","Robley Rex VA Medical Center","Louisville","Kentucky","PHYS","MED","1,182","Documents with names, Social Security numbers, and discharge dates of veterans were discovered unattended in the lobby entrance of Robley Rex VA. An extensive review was conducted by VA officials and they concluded there was no reason to believe any information was misused or that any malicious activity was involved.  
Neither the reason for the breach nor the details of the breach discovery were revealed.","PHIPrivacy.net","","2012","38.252665","-85.758456" "October 16, 2011","Law Office of Ashley Bell, Department of Family and Children Services, Court Appointed Special Advocates (CASA)","Gainesville","Florida","PHYS","BSO","0","Sensitive client files were found in a newspaper recycling bin at The Gainesville Times.  The files were related to the physical and sexual abuse of juveniles and client Social Security and phone numbers were exposed.  The breach may have been caused by a college intern who disposed of the files inappropriately.  Some files were as recent as 2009, but all cases were closed.","PHIPrivacy.net","","2011","29.651634","-82.324826" "February 22, 2012","University of Florida","Gainesville","Florida","DISC","EDU","719","People who had an unclaimed check or refund from the University of Florida had their Social Security numbers posted on Florida's Unclaimed Property website.  The information had been posted in July of 2005 and is from debts prior to that time, but had been posted through January 12, 2012.  The University submitted its Annual Unclaimed Property Report to the Florida State Department of Financial Services.  The state accidentally posted the Social Security numbers in addition to the usual information.  The University of Florida was the only entity affected by the mistake.  Students, employees, and vendors may have been affected.","Databreaches.net","","2012","29.651634","-82.324826" "February 28, 2012","Fun Publications, Transformers Club","Fort Worth","Texas","HACK","BSO","0","People who were members of the Transformers Club run by Fun Publications became aware that their credit card information had been compromised. Fun Publications conducted an investigation and determined that their e-commerce database had been compromised sometime around January 31.  
Members were encouraged to monitor their credit cards closely and to consider replacing any cards that were used with Fun Publications for event registration, club store purchases, or other purchases. One member who used similar login information for both the Transformers Club and PayPal realized that his PayPal account had been compromised. ","Databreaches.net","","2012","32.725409","-97.320850" "February 28, 2012","Los Angeles County Police Canine Association","Los Angeles","California","HACK","GOV","100","The FBI is investigating an incident that resulted in the information of over 100 law enforcement officers being posted online.  Hackers obtained the names, addresses, and phone numbers of officers who are part of the Los Angeles County Police Canine Association (LACPCA).  Private emails from officers may have also been obtained.    ","Databreaches.net","","2012","34.052234","-118.243685" "December 8, 2011","Los Angeles Police Department (LAPD)","Los Angeles","California","HACK","GOV","24","The personal information of over 24 members of the LAPD's command staff was posted on a website.  Officers had their property records, campaign contributions, biographical information and, in a few cases, the names of their family members posted.  This breach appears to be different from the one that affected members of Coalition of Law Enforcement and Retail (CLEAR) on or around December 11.","Media","","2011","34.052234","-118.243685" "March 2, 2012","Office of Dr. Jeremiah J. Twomey ","Houston","Texas","PORT","MED","0","An office burglary that occurred sometime during the weekend of December 31, 2011 resulted in the theft of an external hard drive.  The hard drive contained patient names, addresses, medical conditions, and diagnoses.  
The hard drive also held an unspecified number of patient Social Security numbers and dates of birth.","PHIPrivacy.net","","2012","29.760193","-95.369390" "March 2, 2012","Hackensack University Medical Center","Hackensack","New Jersey","INSD","MED","445","On September 26, 2011, Hackensack University Medical Center became aware that a dishonest employee had accessed patient information prior to September 1, 2011.  A former employee working as a clerk took confidential patient files from an outpatient clinic.  The files contained names, Social Security numbers, addresses, dates of birth, driver's license numbers, health insurance cards, and other insurance information.  No medical records were taken.","PHIPrivacy.net","","2012","40.885933","-74.043474" "June 26, 2009","University of Central Missouri Police Department (UCM)","Warrensburg","Missouri","INSD","EDU","250","After two documents containing student personal information were stolen, it was discovered that a former University police officer and his wife were responsible. They used the names, Social Security numbers, and birth dates of students enrolled in 2005 and 2006 summer sessions. The thieves fraudulently opened bank accounts, received student loans, and applied for credit and debit cards. The losses total more than $30,000.","Databreaches.net","","2009","38.762789","-93.736050" "March 3, 2012","Miami-Dade County Public Schools","Miami","Florida","INSD","EDU","0","A former worker for the Miami-Dade school board misused student information.  The dishonest employee worked as a clerk and accessed the student information for the purpose of obtaining fraudulent credit cards with her boyfriend. An unknown number of student Social Security numbers were accessed and used.  
She was caught in the act of stealing the Social Security numbers in 2009.","Media","","2012","25.788969","-80.226439" "March 3, 2012","Miami Central High School, Miami Northwestern High School, Golden Glades Elementary, Divine Sports Inc.","Miami","Florida","INSD","EDU","0","Divine Sports marketed itself as a non-profit that tutored at-risk youth.  It appears that the owner of the company billed the Miami-Dade School District for hours of tutoring that never occurred. The company even created reports for students that did not exist by using the information of real students.  Hundreds of thousands of dollars may have been fraudulently obtained over multiple years. The fraud was discovered in 2010.  Divine is located in multiple states and the corporate office denied any control over the day-to-day operations of Divine Sports in Miami.","Media","","2012","25.788969","-80.226439" "March 2, 2012","Blue Cross Blue Shield (BCBS) of North Carolina","Durham","North Carolina","DISC","MED","1,000","An employee of BCBS North Carolina accidentally sent an email that revealed the email addresses of all customers who received the email.  Customers received the email as notification of changes to their billing cycle on Wednesday, February 29.  The employee error meant that anyone who received the email could then send unwanted messages referencing BCBS or unrelated content to other customers who received the email.","Media","","2012","35.994033","-78.898619" "March 9, 2012","Office of Dr. David Turner","Portland","Oregon","PORT","MED","480","An office burglary in October of 2011 resulted in the theft of a laptop and other items.  The laptop contained the information of current and former patients. It is unclear what type of information the laptop contained.  
A widespread notification of the breach was released in March after many patients could not be reached by mail.","PHIPrivacy.net","","2012","45.523452","-122.676207" "March 7, 2012","Lindenwood University","Belleville","Illinois","HACK","EDU","184","Someone accessed student information and posted it on Twitter @LindenLeaks.  The information was from the Fall 2011 semester and included grades, majors, phone numbers, and email addresses.  The account was eventually deleted from Twitter.  The person who originally posted the information online commented that the document had been downloaded nearly 140 times since being posted.","Databreaches.net","","2012","38.520050","-89.983994" "February 21, 2012","Trident University International","Cypress","California","HACK","EDU","81,000","An unsuccessful attempt to access a database was detected by Trident University on November 29, 2011.  It contained usernames and passwords of current and former students.  The attempt appeared to be unsuccessful and no other information was contained in the database.  Trident University offered credit monitoring services despite the belief that the attempt to access non-financial information had been unsuccessful.  ","Dataloss DB","","2012","33.816960","-118.037285" "January 30, 2012","TryMedia (TM Acquisition)","Seattle","Washington","HACK","BSR","12,456","Try Media's ActiveStore application was attacked by intruders who were able to intercept and obtain the credit card information of customers.  Credit card numbers, expiration dates, security codes, addresses, email addresses, and passwords to user accounts for transactions that occurred between November 4, 2011 and December 2, 2011 were accessed.  ","Databreaches.net","","2012","47.606210","-122.332071" "November 6, 2011","Jackson Hewitt","San Francisco","California","PHYS","BSF","100","A woman found tax return information lying on the ground in front of an abandoned Jackson Hewitt on or around October 22. 
Hundreds of documents were exposed. The building owner called a shredding company to dispose of the documents, but ended up leaving them outdoors until the disposal company arrived.  The person responsible claimed that all the records were over four years old and were difficult to transport from the office.  The paperwork came from the Jackson Hewitt office at 1734 Divisadero St.","Databreaches.net","","2011","37.774930","-122.419416" "March 14, 2012","RJL Insurance Services, LLC, RJL Wealth Management","San Diego","California","DISC","BSF","0","RJL Insurance Services became aware of a vulnerability in its computer network that may have resulted in the exposure of some electronic files.  The information was secured, but some RJL files were accessible for a period of two weeks in late September and early October of 2011.  Client names, Social Security numbers, driver's license numbers, and medical conditions may have been exposed.  ","California Attorney General","","2012","32.715329","-117.157255" "March 12, 2012","Impairment Resources, LLC","San Diego","California","PORT","MED","14,000","An office burglary on New Year's Eve 2011 resulted in the loss of hardware that contained sensitive personal information.  The full names, addresses, Social Security numbers, and medical information of clients were on the hardware.  Impairment Resources notified patients in February and then filed for bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy.","California Attorney General","","2012","32.715329","-117.157255" "January 4, 2012","SF Fire Credit Union, Pacifica-Coastside Credit Union","San Francisco","California","PORT","BSF","0","The December 29, 2011 theft of a laptop from a parked car in San Francisco resulted in the loss of personal information.  The information was being used in preparation for a merger between SF Fire Credit Union and Pacifica-Coastside Credit Union.  
Current and former account holders had their names, Social Security numbers, dates of birth, addresses, and Pacifica-Coastside Credit Union account information.","California Attorney General","","2012","37.774930","-122.419416" "February 18, 2012","BDO USA, Rubio's Restaurants, Inc.","San Diego","California","PORT","BSR","0","BDO was contracted by Rubio's to perform financial auditing services.  A BDO employee accidentally removed one or more CD-ROMs from the office.  The CD-ROM or CD-ROMs contained a list of Rubio's workers' compensation claimants and a list of people who owned equity shares in Rubio's Restaurants, Inc.  The CD-ROM or CD-ROMS appear to have been stolen from the BDO employee's vehicle.  The workers' compensation information contained names, claim numbers, medical status, and date of loss.  The medical status information included the employees' claim for injuries or illnesses.  No Social Security numbers were involved.  The partial equity roll list contained names and Social Security numbers.","California Attorney General","","2012","32.715329","-117.157255" "March 19, 2012","IndyMac Bank, IndyMac Resources, Inc.","Dallas","Texas","DISC","BSF","0","A security company searching the web for sensitive data uncovered personally identifiable information from IndyMac Bank and Indy Mac Resources employees, and possibly others associated with the firms.  IndyMac Bank failed sometime around July of 2008.  The information is related to IndyMac employee pension benefits analysis and appears to have been placed on a public web server by an employee of a contractor for IndyMac.  People who were employed by either IndyMac firm between January 1, 1999 and January 1, 2005 had their names, Social Security numbers, dates of birth, earnings, hire dates, and other employment related information exposed.  It was available as early as January of 2007 and as recently as December of 2011.  
","California Attorney General","","2012","32.802955","-96.769923" "February 22, 2012","DHI Mortgage Company, Ltd.","Austin","Texas","HACK","BSF","0","On February 10, 2012, DHI Mortgage became aware that a software security breach by external sources had occurred in its Internet Loan Prequalification System.  DHI Mortgage immediately isolated the affected server, purged certain affected files, and modified the electronic security measures.  People who provided their information online for pre-qualification may have had their names, Social Security numbers, dates of birth, contact information, marital status, employment information, income, asset information, and liability information exposed.","California Attorney General","","2012","30.267153","-97.743061" "March 15, 2012","Georgia Health Sciences University","Augusta","Georgia","PORT","MED","513","A laptop was stolen from the home of a nurse on January 18, 2012.  It contained the names, dates of birth, partial diagnosis information, and internal codes associated with patients' laboratory tests.  The information is from patients of the Adult Sickle Cell Clinic.  ","PHIPrivacy.net","","2012","33.474246","-82.009670" "March 16, 2012","Huntsville Hospital","Huntsville","Alabama","PORT","MED","125","A thief or thieves entered Huntsville Hospital and impersonated a vendor in order to collect old barrels of X-rays.  Thieves commonly use this tactic to obtain X-rays.  The X-rays are then stripped for silver.  The X-rays contained patient names, dates of birth, and medical records.  There were over 1,000 X-rays, but only 125 to 175 patients were affected.","PHIPrivacy.net","","2012","34.730369","-86.586104" "January 14, 2010","BlueCross BlueShield (BCBST)","Chattanooga","Tennessee","PORT","MED","1,023,210","The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. 
The hard drives contained 1.3 million audio files and 300,000 video files. The files contained customers' personal data and protected health information that was encoded but not encrypted, including: names and BlueCross ID numbers. In some recordings (but not all), diagnostic information, date of birth, and/or a Social Security number were exposed. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk. UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761, an estimate made in March, to nearly one million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues. UPDATE (11/3/10): According to a letter sent to the New Hampshire Attorney General's Office, the total number of individuals affected was 1,023,209.  BCBS used a three-tier system to categorize individuals affected by the breach.  The total includes 451,274 clients whose Social Security numbers were involved, 319,325 clients whose personal and diagnostic health information was involved and 239,730 clients who had personally identifiable information that was neither medical nor their Social Security number.  BlueCross Blue Shield also reported receiving fewer than 10 requests for credit restoration services from those who had their Social Security numbers exposed. UPDATE (3/14/2012): Blue Cross Blue Shield of Tennessee (BCBST) reached a $1.5 million resolution agreement with the U.S. Department of Health and Human Services. BCBS of Tennessee kept the drives and network data closet in a facility that was secured by a property management company.  The closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.  BCBST eventually vacated most of the leased office space. 
Thieves may have taken the opportunity to steal the 57 unencrypted hard drives from the closet while the space was not fully occupied.","Dataloss DB","","2010","35.045630","-85.309680" "March 22, 2012","Delta Dental","Sacramento","California","DISC","MED","11,646","The unauthorized disclosure of paper records sometime around December 22, 2011 may have resulted in the exposure of protected health information.  ","HHS via PHIPrivacy.net","","2012","38.581572","-121.494400" "March 22, 2012","Medco Health Solutions, Inc.","Willingboro","New Jersey","DISC","MED","1,287","The unauthorized disclosure of paper records on November 30, 2011 may have resulted in the exposure of protected health information.  ","HHS via PHIPrivacy.net","","2012","40.027500","-74.883611" "March 22, 2012","Department of Medical Assistance Services, Affiliated Computer Services (ACS), Inc.","Richmond","Virginia","DISC","MED","1,444","The unauthorized disclosure of paper records may have resulted in the exposure of the protected health information of people associated with Department of Medical Assistance Services (DMAS). The incident related to DMAS's relationship with Affiliated Computer Services (ACS) and occurred sometime between November 2, 2011 and November 16, 2011. ","HHS via PHIPrivacy.net","","2012","37.540725","-77.436048" "March 22, 2012","Indiana Internal Medicine Consultants","Greenwood","Indiana","PORT","MED","20,000","The February 11, 2012 theft of a laptop resulted in the exposure of protected health information.","HHS via PHIPrivacy.net","","2012","39.613658","-86.106653" "March 22, 2012","CardioNet, Inc.","Conshohocken","Pennsylvania","PORT","MED","1,300","The theft of a laptop on or around November 10, 2011 may have resulted in the exposure of protected health information.  
It is unclear if this incident is related to a December 29, 2011 incident that also resulted in the theft of a laptop that contained protected health information.","HHS via PHIPrivacy.net","","2012","40.079277","-75.301571" "March 22, 2012","CardioNet, Inc.","Conshohocken","Pennsylvania","PORT","MED","728","The December 29, 2011 theft of a laptop may have resulted in the exposure of protected health information.  It is unclear if this incident is related to a November 10, 2011 theft of a laptop that contained protected health information.","HHS via PHIPrivacy.net","","2012","40.079277","-75.301571" "March 13, 2012","Brigham Young University (BYU)","Provo","Utah","DISC","EDU","1,300","A staff member of the University Advisement Center at BYU accidentally included a complete list of international student names, email addresses, phone numbers, and student ID numbers in an email notification about a career workshop.  BYU immediately apologized for the error and noted that all of the student information except for student ID numbers could easily be found in the BYU directory.","Databreaches.net","","2012","40.233844","-111.658534" "March 14, 2012","Humboldt State University","Arcata","California","DISC","EDU","5,700","The personal information of students was accidentally sent in an email attachment as a response to a request for data.  The mistake was noticed immediately and all copies of the file were removed from the system of the party requesting data.  Student names, addresses, and Social Security numbers were exposed. Humboldt State University warned students to be vigilant about phishing, but stated that it is unlikely the data was misused.","Databreaches.net","","2012","40.866517","-124.082840" "March 15, 2012","Edmund Optics","Barrington","New Jersey","HACK","MED","0","Edmund Optics identified suspicious activity on their website on February 26, 2012.  It was determined that a security breach had occurred and that some customer accounts had been compromised.  
The breach most likely occurred on February 8 and resulted in the theft of some customers' credit card information. The website was secured and preventative measures were increased.  ","Databreaches.net","","2012","39.864836","-75.055171" "March 16, 2012","Milk Inc.","San Francisco","California","DISC","BSO","0","An employee of another company discovered a security issue in Oink.  Oink is a ""rate everything"" application from mobile application developer Milk Inc.  The security issue allowed anyone to download personal information of another Oink user by entering another person's username.  Folders with associated email addresses, photos, and other user site information may have been exposed. Oink shut down and the employees of Milk Inc. joined Google for a new project shortly after the issue was discovered.","Databreaches.net","","2012","37.774930","-122.419416" "March 17, 2012","Kennedy Space Center","Orlando","Florida","PORT","GOV","2,300","The theft of a company-issued laptop from an employee's car resulted in the exposure of sensitive information.  The laptop was stolen from the employee's car while it was at home and contained the names, Social Security numbers, races, national origins, genders, dates of birth, contact information, college affiliations, grade-point averages, and other information of employees.  The hard drive was not encrypted.  The Kennedy Space Center had planned to have all hard drives encrypted by September 2012 prior to the breach.","Databreaches.net","","2012","28.538336","-81.379237" "March 22, 2012","Flex Physical Therapy","Bothell","Washington","STAT","MED","3,100","Three computers were stolen on December 30, 2011.  One of the computers contained the protected health information of patients.  
","HHS via PHIPrivacy.net","","2012","47.762320","-122.205404" "February 22, 2012","Coca-Cola Company Family Federal Credit Union","Atlanta","Georgia","PORT","BSR","13,800","The theft of two laptops resulted in the exposure of credit union member information. The laptops were stolen on December 21, 2011 and contained names and Social Security numbers, as well as credit card numbers in some cases.","Dataloss DB","","2012","33.748995","-84.387982" "March 27, 2012","Affordable Medical and Surgical Services","Overland Park","Kansas","PHYS","MED","1,000","A woman found over 1,000 detailed abortion records in a dumpster when she went to dump her recycling near a local elementary school.  The records included names, Social Security numbers, birth dates, telephone numbers, emergency family contacts, patient health histories, number of children, term of pregnancies, number of previous abortions, reasons for failing to go through with the abortion procedures, and fees paid for the procedures. Many of the records were from 2001 and 2002.  The physician who ran the practice admitted to dumping the records without attempting to properly destroy them.  His clinic had closed in 2005 after he lost his medical license.  The county district attorney commented that he will most likely not pursue a criminal case against the former physician.","PHIPrivacy.net","","2012","38.982228","-94.670792" "December 15, 2009","RockYou","Redwood City","California","HACK","BSR","32,000,000","The security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the service's entire list of user names and passwords in the database. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that's not before at least one hacker gained access to what they claim is all of the 32 million accounts; 32,603,388 to be exact. 
The database included a full list of unprotected plain text passwords and email addresses. UPDATE (4/21/2011): The 32 million email addresses and passwords exposed include login information from social networking sites like Facebook and MySpace.  On April 18, 2011 a court ruled that the loss of information caused injury. The court determined that ""the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.""  The court also found that RockYou.com's privacy policy language, which stated that RockYou.com's servers were secure, did not automatically preclude the plaintiff's allegation that a contract had been breached because the plaintiff alleged that the servers were not secure. UPDATE (3/27/2012): The Federal Trade Commission is alleging that RockYou violated the Children's Online Privacy Protection Act Rule (COPPA Rule) by collecting information from approximately 179,000 children.  A proposed FTC settlement order requires RockYou to pay a civil penalty of $250,000 to settle COPPA charges. In addition to the penalty, the company would be barred from future deceptive claims regarding company privacy and data security, required to implement and maintain a data security program, and barred from future violations of the COPPA rule.","Databreaches.net","","2009","37.485215","-122.236355" "November 2, 2011","Maloney Properties, Inc.","Wellesley","Massachusetts","PORT","BSO","621","The October 15 theft of a laptop resulted in the exposure of unencrypted personal information.  Residential housing data was on the laptop. This included names, the full Social Security numbers of some people, and the last four digits of most.  UPDATE (3/26/2012): Maloney Properties, Inc. agreed to pay $15,000 in civil penalties.  
The property management firm must also ensure that personal information is not unnecessarily stored on portable devices, ensure that all personal information stored on portable devices is properly encrypted, ensure that all portable devices containing personal information are stored in a secure location, and effectively train employees on the policies and procedures with respect to maintaining the security of personal information. Up to 621 people were affected by the car theft of an employee's unencrypted laptop.","Databreaches.net","","2011","42.296797","-71.292388" "March 23, 2012","Pure","Austin","Texas","CARD","BSR","100","A man stole 100 debit and credit cards, some bottles of alcohol, and cash from the office of a bar called Pure. The thief managed to use one of the stolen cards at a convenience store before being caught for a separate incident involving robbery by assault. Cameras showed that the man had entered through a ventilation shaft connected to the bar's office.","Databreaches.net","","2012","30.267153","-97.743061" "March 23, 2012","H&R Block","Van Nuys","California","INSD","BSF","0","An H&R Block office manager was caught wearing a disguise near the ATMs of three banks. The employee's vehicle was searched and contained $2,960 in cash, and client records with dates of birth, names, and Social Security numbers. A total of $6,900 cash, H&R Block Emerald Cards, and the personal information of additional people were found at the home of the employee's girlfriend. The number of fraudulent tax returns, victims, and years the employee worked for H&R Block were not revealed.","Databreaches.net","","2012","34.189857","-118.451357" "March 29, 2012","Department of Child Support Services, International Business Machines (IBM), Iron Mountain, Inc.","Boulder","Colorado","PORT","GOV","800,000","On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. 
could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss.  Names, Social Security numbers, addresses, driver's licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.  ","PHIPrivacy.net","","2012","40.014986","-105.270546" "March 15, 2011","Health Net Inc., International Business Machines (IBM)","Rancho Cordova","California","PORT","MED","1,900,000","Nine disc drives that contained sensitive health information went missing from Health Net's data center in Rancho Cordova, California.  The drives contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. The 1.9 million victims include 622,000 California residents enrolled in Health Net HMOs, 223,000 Californians enrolled in Health Net PPOs and people enrolled in Medicare and other plans. The drives were discovered missing on January 21, but affected individuals were not notified until March 14.UPDATE (06/07/2011): A class-action lawsuit seeks $5 million from Health Net Inc. and its vendor IBM.  The complaint alleges that Health Net and IBM breached their duty of confidentiality and negligently allowed the release of highly personal and confidential information. The complaint alleges violation of California's Confidentiality of Medical Information Act, Cal. Civ. Code § 56; Cal. Civ. Code § 1798.2, which concerns the unauthorized disclosure of customer records; Cal. Bus. & Prof. Code § 17200, California's unfair-competition law; and public disclosure of private facts.  The lawsuit is seeking injunctive relief, compensatory damages, declaratory relief, and attorney fees and costs.  The citation is Bournas v. Health Net Inc., No.2_11-CV-01262, complaint filed (E.D. Cal. 
May 11, 2011). UPDATE (08/09/2011): Health Net's chief operating officer apologized to customers after it was discovered that the original analysis of the breach was flawed.  Around 124,000 Oregon residents who were current members, former members, or employees were believed to have been affected.  Health Net discovered that an additional 6,300 Oregonians had their personal information on the stolen computer drives.  ","PHIPrivacy.net","","2011","38.589072","-121.302728" "March 25, 2012","MilitarySingles.com","New York","New York","HACK","BSR","171,000","Hackers affiliated with LulzSec (Reborn) claimed responsibility for revealing a database of militarysingles.com names, usernames, email addresses, IP addresses, and passwords on the Internet.  People who used the same email and password combination for Militarysingles.com and other sites are encouraged to change their passwords. Militarysingles.com is owned by ESingles, Inc.  An ESingles executive claimed that no evidence of an attack had been found as of March 28; however, a number of sources revealed that they could download and decrypt sensitive information by following a Twitter announcement. UPDATE (3/28/2012): ESingles released a statement claiming that a thorough investigation revealed that the database had not been hacked. A discrepancy between the number of users in the militarysingles.com database, the use of encrypted user passwords, and the fact that the website was already scheduled to be down for maintenance during the time the hackers claimed to have taken it down led ESingles to this conclusion.","Databreaches.net","","2012","40.714353","-74.005973" "March 31, 2012","Sacramento Area Fire Fighters Local 522","Sacramento","California","DISC","BSO","0","On or around March 6, a spreadsheet containing the names and contact information of active and retired Local 522 members was sent by a Local 522 employee to the Sacramento Central Labor Council (CLC).  
The spreadsheet contained member Social Security numbers, but was only supposed to provide member mailing addresses.  The email did not stop at CLC and was forwarded to Capitol Mailing, Inc.  The mistake was discovered on March 23 after Local 522 members received mailing labels that displayed their Social Security numbers.  ","California Attorney General","","2012","38.581572","-121.494400" "June 10, 2011","Lafrance Hospitality Corporation","Westport","Massachusetts","HACK","BSO","100","Around 100 customers have reported fraudulent charges to their financial accounts.  Investigators believe that Lafrance's credit and debit system was breached electronically in early February 2011. Lafrance Hospitality consists of many businesses.  Anyone who has used a debit or credit card at White's of Westport or Bittersweet Farm since February could be at risk.  Lafrance updated its security after the incident.","Databreaches.net","","2011","41.637115","-71.050308" "March 31, 2012","San Francisco Head Start, San Francisco State University","San Francisco","California","UNKN","GOV","0","The San Francisco Head Start/Early Head Start database was accessed by one or more unauthorized parties between August 2011 and November 2011.  Names, Social Security numbers, addresses, contact information, health data, dates of birth, and other personal information may have been exposed.  Head Start claimed that the delay in notification of the breach was due to an ongoing law enforcement investigation.  It is unclear how San Francisco State University was involved.","California Attorney General","","2012","37.774930","-122.419416" "October 12, 2011","United Healthcare Inc., Futurity First Insurance Group","Minnetonka","Minnesota","PORT","MED","7,602","A hard drive containing information on United Healthcare Medicare plan members was stolen from Futurity First Insurance Group.  Member names, Social Security numbers, and in some cases, birth dates and private health information were exposed.  
Futurity First, United Healthcare's sales and marketing services provider, sent the hard drive to a vendor for repair.  The hard drive was stolen from the vendor on or around June 28 July 28 and reported stolen on August 12.  Futurity First then told United Healthcare on September 14. UPDATE (10/30/2011): Three additional organizations were affected by the breach.  A total of 705 members from Mutual of Omaha Insurance Company, 1,631 United of Omaha Life Insurance Company enrollees, and 3,994 United Health Group Health Plan in Minnesota enrollees were also affected in addition to the 582 originally reported.  Information from the Health and Human Services website also reveals that the hard drive was lost on July 28. UPDATE (11/4/2011): A total of 690 American Continental Insurance Company members from Tennessee were also affected by the breach.","PHIPrivacy.net","","2011","44.921184","-93.468749" "March 21, 2012","City of Providence","Providence","Rhode Island","DISC","GOV","3,000","The city of Providence accidentally provided the Social Security numbers of almost 3,000 former employees when releasing information for a public records request.  GoLocalProv filed an Access to Public Records Act request in order to obtain information about pension recipients in Providence.  The city's legal team responded by emailing a .pdf file with retiree names, dates of retirement, dates for cost-of-living-adjustments, and monthly pension received each month.  Social security numbers and employee identification numbers were displayed as redacted in the document, but could easily be read when the .pdf file was expanded or when the highlight color of the document was changed to a light color.","Media","","2012","41.823989","-71.412834" "March 16, 2012","University of Tampa","Tampa","Florida","DISC","EDU","30,000","A server management error caused files containing sensitive information to be made publicly accessible between July of 2011 and the breach's discovery on March 13, 2012.  
A classroom exercise revealed that the information was compromised and the University of Tampa's IT office was immediately informed of the discovery.  The University of Tampa then notified Google and asked that the cached file be removed from the search engine. One file included 6,818 records of students who attended in Fall of 2011.  Two other files contained the information of an additional 29,540 people and included University ID numbers, names, Social Security numbers, and photos.  Some people also had their dates of birth exposed. The IT office at the University of Tampa concluded that the files had only been accessed by the people who reported the breach. UPDATE (3/22/2012): Additionally, 22,722 current and former faculty, staff, and students who were associated with the University between January 29, 2000 and July 11, 2011 may have had their information exposed. The IT office confirmed that these files had only been accessed by University insiders as well. The University will not cover the cost of credit monitoring services for those who were affected.","Databreaches.net","","2012","27.950575","-82.457178" "March 23, 2012","Manhattan Prep","New York","New York","HACK","BSR","0","A hacker was able to access the names, mailing addresses, email addresses, dates of birth, usernames, passwords, phone numbers, and credit card details of customers.  The breach occurred and was detected on Sunday, March 25.  Manhattan Prep removed all credit card information previously associated with compromised customer accounts from their database.  Customer account passwords were automatically reset.  Customers were also encouraged to change any passwords that were used for both Manhattan Prep and other accounts.  ","California Attorney General","","2012","40.714353","-74.005973" "October 12, 2010","State Farm Insurance","Bloomington","Illinois","INSD","BSF","0","A dishonest Florida State Farm agent was caught selling customer information to a third party. 
The former employee was terminated and arrested. The agent's buyer and purpose for wanting the information were not reported.","Databreaches.net","","2010","40.484203","-88.993687" "April 3, 2012","State Farm Insurance","Bloomington","Illinois","INSD","BSF","0","On March 6, 2012, an investigation confirmed that an employee of an unnamed State Farm office may have used customer information in an inappropriate manner.  An unknown number of customers may have had their names, addresses, credit card numbers, and Social Security numbers misused by the dishonest employee.","California Attorney General","","2012","40.484203","-88.993687" "April 5, 2012","Union Bank","San Francisco","California","INSD","BSF","0","On February 15, 2012, Union Bank discovered that a former contractor kept proprietary bank data in his possession after leaving the company on January 31, 2012.  The bank data included some customer information such as names, account numbers, home addresses, phone numbers, and email addresses.","California Attorney General","","2012","37.774930","-122.419416" "April 6, 2012","Massachusetts Registry of Motor Vehicles","Lawrence","Massachusetts","PHYS","GOV","0","Two masked men stole several bags of documents and records from a state courier truck outside the Lawrence Registry of Motor Vehicles (RMV) branch on Wednesday, April 4.  However, the trash included records from the Wilmington branch of the RMV. Registration transactions, duplicate titles, crash reports, citation payments, rebate requests, and municipal parking records from transactions that occurred between Friday, March 30 and Monday, April 2 were stolen.","Dataloss DB","","2012","42.707035","-71.163114" "April 6, 2012","University of California Riverside","Riverside","California","HACK","EDU","40","A hacker or hackers accessed information from the University of California Riverside.  
A total of 40 email addresses and corresponding passwords were posted online.","Dataloss DB","","2012","33.953349","-117.396156" "April 6, 2012","Vote Sex!","","Illinois","HACK","BSO","35,959","A hacker or hackers posted 35,959 usernames, email addresses, and passwords online.","","","2012","40.633125","-89.398528" "April 2, 2010","Naval Facilities Engineering Service Center","Port Hueneme","California","PHYS","GOV","244","More than 200 employees were notified that a non-government entity may have seen their personal information. The non-government entity was the lawyers for two of three workers who fought a security access suspension against them. It took the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, California, that their Social Security numbers had been inadvertently released.","Dataloss DB","","2010","34.147783","-119.195107" "March 5, 2012","Town of Plainfield Indiana","Plainfield","Indiana","HACK","GOV","250","A hacker or hackers posted administrator usernames and corresponding passwords, as well as the email addresses of 250 state and Plainfield employees online.  Some of the information included addresses, phone numbers, and email passwords, and some information was from employee contacts. ","Dataloss DB","","2012","39.704212","-86.399439" "March 6, 2012","Minuteman Civil Defense Corps, Declaration Alliance","","Pennsylvania","HACK","NGO","30","A hacker or hackers posted 30 names, telephone numbers, email addresses, and corresponding passwords online.  ","","","2012","41.203322","-77.194525" "March 7, 2012","Pacific Gas and Electric (PG&E)","Lodi","California","PHYS","BSO","100","A payment drop box was broken into sometime during the weekend of March 5. Customers who used the box around that time may have had their banking institution information, check account numbers, addresses, names, phone numbers, and driver's license numbers stolen.  
PG&E will change the account numbers and passwords of customers who had their information stolen.","Dataloss DB","","2012","38.130197","-121.272447" "March 8, 2012","New York Ironworks","New York","New York","HACK","BSR","434","A hacker or hackers posted 434 usernames and corresponding passwords, as well as email addresses online.","Dataloss DB","","2012","40.714353","-74.005973" "March 5, 2010","Arkansas Army National Guard","Camp Robinson","Arkansas","PORT","GOV","35,000","An external hard drive has gone missing. Approximately 35,000 current and former members of the Arkansas Army National Guard are affected by the loss. The drive included names, Social Security numbers and other personal information which potentially places the affected soldiers at risk for identity theft. UPDATE (5/18/10): The external hard drive containing personal information on over 32,000 current and former Arkansas Guardsmen that was reported missing on February 22 has now been recovered and destroyed. The drive was reported missing by an Arkansas Soldier who used the device as a personal backup of his work related information. This included a copy of the Guard's personnel database which contained personal information on all Soldiers who have served in the Arkansas Army National Guard since 1991.","Dataloss DB","","2010","34.791283","-92.275542" "March 9, 2012","Texas-DSM.com","","Texas","HACK","BSO","647","A hacker or hackers posted email addresses, passwords, and usernames online.  Members of similar online forums recommended that users change their passwords for other sites since members often use the same email address, password, and username combination for multiple sites.","","","2012","31.968599","-99.901813" "April 12, 2012","Indiana University Medical Group","Indianapolis","Indiana","PHYS","MED","0","A concerned citizen found a box of sensitive medical documents in a dumpster and contacted a local news team.  
The box contained hundreds of documents that included copies of driver's licenses, prescriptions, signatures, and other patient information.  The box was removed by Indiana University Medical Group before investigators arrived.  Indiana University Medical Group claimed that the information was accidentally discarded rather than shredded. The documents were properly disposed of after being collected.","PHIPrivacy.net","","2012","39.768516","-86.158074" "November 16, 2011","Bright Directions College Savings Program, Illinois State Treasurer's Office","Springfield","Illinois","DISC","GOV","36,000","A mailing error led to the Social Security numbers of over 36,000 people being visible from the outside of envelopes mailed in October.  Those who were enrolled in the Illinois Treasurer's Office Bright Directions college savings program were affected.","Databreaches.net","","2011","39.781721","-89.650148" "October 14, 2010","Boston Veterans Benefits Administration Regional Office","Boston","Massachusetts","DISC","GOV","3,936","Some veteran benefit information was mailed to the wrong addresses on August 25. Of the 6,299 letters sent to incorrect addresses, 3,913 had full Social Security numbers and 2,386 had Veterans Benefits Administration claim numbers. A program error caused some of the letters to be mailed to the incorrect addresses.","Databreaches.net","","2010","42.358431","-71.059773" "May 26, 2010","Children's Hospital and Research Center at Oakland","Oakland","California","DISC","MED","1,000","Approximately 1,000 patients received information about themselves and other patients in the mail. According to the Hospital's website ""equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages rather than one. 
This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated and mailed incorrectly.""","PHIPrivacy.net","","2010","37.804372","-122.270803" "February 4, 2010","Highmark Insurance","Pittsburgh","Pennsylvania","PHYS","MED","3,700","Highmark notified 3,700 members that documents containing their names, policy identification and Social Security numbers were missing. This is the second such data spill involving the region’s dominant health insurer in four months. In January, the company mailed a premium billing statement to Boscov’s Department Store, a client in Reading, according to Highmark. The envelope arrived damaged and torn; pages were also missing. The pages included the names and other identifying information for 3,700 members.","Dataloss DB","","2010","40.440625","-79.995886" "April 20, 2011","Institute of Electrical and Electronics Engineers (IEEE)","New York","New York","DISC","NGO","0","Notifications of a mailing error are being sent to an unknown number of members who signed up for Term Life insurance underwritten by New York Life Insurance.  Offers to upgrade insurance plans were sent to the homes of other members.  People's names, member numbers and coverage amounts were exposed.","Databreaches.net","","2011","40.714353","-74.005973" "July 16, 2010","United Healthcare (UnitedHealthcare), Deere and Company","Minneapolis","Minnesota","DISC","MED","1,097","United Healthcare notified members of a Deere and Company employee benefits plan of a mistake that led to claims summary statements being sent to the wrong addresses. Dates of services, categories of service, cost of service, and physician names were included.","PHIPrivacy.net","","2010","44.979965","-93.263836" "April 10, 2012","Thomas Jefferson University Hospitals (TJUH)","Philadelphia","Pennsylvania","PHYS","MED","600","Law enforcement informed TJUH management that sensitive documents had been recovered during an investigation.  
Radiology registration documents with patient names, Social Security numbers, addresses, home phone numbers, work phone numbers, dates of birth, TJUH account numbers, TJUH medical record numbers, insurance information, emergency contact information, and special radiology studies performed had been stolen from TJUH.  It is unclear when the theft occurred.  Patients who received services between February 4 and March 22, 2005 were affected.  ","PHIPrivacy.net","","2012","39.952335","-75.163789" "April 9, 2012","Pono Products, Inc. (Reuseit.com)","Chicago","Illinois","HACK","BSR","1,000","A hacker or hackers were able to intercept customer information online between August 22 and September 28 of 2011.  Customers who were affected may have had their login, password, and credit card information obtained.  Anyone who used the same login and password combination for reuseit.com and other websites should change their password.  ","California Attorney General","","2012","41.878114","-87.629798" "April 11, 2012","X-Rite Incorporated, Pantone.com","Grand Rapids","Michigan","HACK","BSR","0","On March 23, 2012, X-Rite learned that a database server had been attacked by a malicious third party.  The names, contact information, and credit card information of customers who made purchases on X-Rite's website pantone.com may have been exposed.  ","California Attorney General","","2012","42.963360","-85.668086" "April 12, 2012","Perry Dental","Riverside","California","PORT","MED","0","Computer equipment that contained patient insurance information was taken during an office burglary.","California Attorney General","","2012","33.953349","-117.396156" "April 4, 2012","Baylor Law School","Waco","Texas","DISC","EDU","442","An administrative error resulted in recently admitted students receiving an email with the information of all recently admitted students.  
Student names, addresses, grades, LSAT scores, race, scholarship amount, and other types of personal information were available in the email attachment. No Social Security numbers or dates of birth were in the emailed spreadsheet.  Students were encouraged to treat the data with the confidentiality of a lawyer and immediately delete the email.  ","Databreaches.net","","2012","31.549333","-97.146670" "March 21, 2012","Wayne County ","Detroit","Michigan","DISC","GOV","1,000","An employee of Wayne County's personnel department accidentally sent an email with a sensitive attachment.  People who were members of AFSCME Locals 25, 409, 1659, and 3309 received an email about health insurance with employee names, ID numbers, Social Security numbers, dates of birth, addresses, and other information available in an attached file.  The mistake was noticed immediately and a follow-up email was sent with instructions to destroy the previous email. UPDATE (4/16/2012): About 1,300 union members received the email and it contained the information of over 1,000 employees.","Databreaches.net","","2012","42.331427","-83.045754" "April 15, 2012","Berrien County Sheriff's Department","Niles","Michigan","HACK","GOV","0","A hacker or hackers accessed information from the Berrien County Sheriff's Department.  An unspecified number of people had unspecified types of information posted online.","Dataloss DB","","2012","41.829769","-86.254177" "April 12, 2012","Housatonic Community College","Bridgeport","Connecticut","HACK","EDU","87,667","Two campus computers were determined to have been infected by malware.  The breach occurred when a faculty or staff member opened an email that contained a virus.  The virus was immediately detected.  Faculty, staff, and students affiliated with the school between the early 1990's and the day of the breach may have had their names, Social Security numbers, dates of birth, and addresses exposed.  
Housatonic's president acknowledged that the cost of handling the breach could be as much as $500,000.","Dataloss DB","","2012","41.186548","-73.195177" "April 12, 2012","Desmond Hotel","Albany","New York","HACK","BSO","0","A foreign hacker accessed the information of guests who stayed at the hotel between May 21, 2011 and March 10, 2012.  An unspecified number of credit and debit card numbers with corresponding names were accessed, but their associated PINs were not compromised. ","Dataloss DB","","2012","42.652579","-73.756232" "April 12, 2012","Associated Surveyors","","Oklahoma","PHYS","BSF","0","Owners of a mini-storage business discovered that Associated Surveyors had abandoned sensitive information.  The rent on the storage space had not been paid for over a year and Associated Surveyors and the items in the space were set to be auctioned off. The mini-storage owners decided to properly dispose of the documents in the unit when they found Social Security numbers, Social Security card applications, checks, bank account numbers, tax return forms, and copies of other documents with sensitive personal information.  ","","","2012","35.007752","-97.092877" "April 17, 2012","Virginia Military Institute","Lexington","Virginia","DISC","EDU","258","A Virginia Military Institute (VMI) administrator emailed a spreadsheet with the grade point average of every member of VMI's senior class to the VMI student president.  The email should have only contained an attachment with the names and hometowns of potential 2012 graduates.  The second attachment was not only emailed to the student president, but was then forwarded to 258 senior students before the student president and VMI administration realized the mistake.","Dataloss DB","","2012","37.784021","-79.442816" "April 17, 2012","Ruby's Diner","Glen Mills","Pennsylvania","HACK","BSR","0","Someone managed to install malware on a Ruby's computer system.  
Customer credit and debit card information was obtained and used to make fraudulent purchases across the United States and internationally.  The breach may have occurred as early as December 2011.  ","Dataloss DB","","2012","39.917595","-75.489311" "April 20, 2012","University of Arkansas for Medical Sciences (UAMS)","Little Rock","Arkansas","DISC","MED","7,000","A UAMS physician sent financial data to an individual who was not a member of UAMS's workforce in February of 2012.  Patient identifiers had not been removed from the data and UAMS learned of the error on April 6.  Patients of interventional radiology seen at UAMS between 2009 and 2011 had their names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, charges, and payments exposed.","PHIPrivacy.net","","2012","34.746481","-92.289595" "April 20, 2012","Under Armour Inc., PricewaterhouseCoopers","Baltimore","Maryland","PORT","BSR","0","A flash drive that contained Under Armour employee payroll information was lost by PricewaterhouseCoopers.  The information was being transmitted via mail for auditing purposes and went missing on or around April 12. Employee names, Social Security numbers, and salary information could have been exposed. It is unclear how many people were affected in the U.S. Under Armour employs 5,400 people worldwide.","Dataloss DB","","2012","39.290385","-76.612189" "April 4, 2012","Glenwood IGA","Orofino","Idaho","UNKN","BSR","300","Investigators determined that a breach must have occurred at the grocery store Glenwood IGA after nearly 300 people reported fraudulent charges on their credit cards. The credit card fraud began in early February and unauthorized purchase attempts were made across the globe. The method of the breach is not clear. 
","Dataloss DB","","2012","46.479347","-116.255140" "April 1, 2012","Bethesda Softworks, Bethesda Blog","Rockville","Maryland","HACK","BSO","3,657","A hacker or hackers posted the login information of two website administrators.  The information of 8 job users was posted, as well as an additional 3,647 usernames, passwords, and emails. Anyone who used the same username, password, and/or email combination for other sites is encouraged to change them immediately.","Dataloss DB","","2012","39.083997","-77.152758" "April 1, 2012","Onehitplay.com","Brea","California","HACK","BSO","687","A hacker or hackers posted the information of users online.  It is unclear if this is related to an identical incident that occurred on October 23, 2011.","Dataloss DB","","2012","33.916681","-117.900060" "April 23, 2012","Office of Dr. Gloria Traje-Quitoriano","Fresno","California","PORT","MED","0","A physician's laptop was stolen from her husband's car.  The laptop contained patient names, Social Security numbers, dates of birth, phone numbers, and addresses. The laptop was not encrypted.  ","PHIPrivacy.net","","2012","36.747727","-119.772366" "April 23, 2012","Saint Mary's Hospital, Naugatuck Valley Community College","Waterbury","Connecticut","DISC","MED","0","A Naugatuck Valley Community College instructor used patient X-rays from St. Mary's Hospital to teach radiology technology.  The instructor obtained the X-rays by using his Saint Mary's employee login to access medical records.  The X-rays were used without permission and contained patient names, dates of birth, and physician notes.  The instructor told students not to disclose the practice.","PHIPrivacy.net","","2012","41.558153","-73.051497" "April 24, 2012","Oregon State Hospital","","Oregon","PHYS","MED","550","The theft of sensitive documents from an Oregon State Hospital supervisor's car resulted in the exposure of patient information.  
On Friday, April 13, a printed list of 550 hospital patients that included names, treating physicians, hospital identification numbers, and geographic information was stolen. Additionally, progress notes for 20 patients were stolen that included patient dates of birth, diagnoses, and other information.  It is not clear if patients who visited either the Salem Oregon State Hospital or the Portland Oregon State Hospital were affected by the breach.","PHIPrivacy.net","","2012","43.804133","-120.554201" "April 24, 2012","Sheppard Air Force Base","Wichita Falls","Texas","PHYS","MED","721","A man found medical records stacked in a bag in a closet while checking for financial records in the home of his estranged wife. The records date from 2003 to 2007 and involve the information of patients of Sheppard Air Force Base's 82nd Medical Group.  Names, Social Security numbers, addresses, phone numbers, and in some cases, patient diagnoses were on the documents.","PHIPrivacy.net","","2012","33.913709","-98.493387" "March 5, 2012","Kern Medical Center","Bakersfield","California","PHYS","MED","1,500","A resident physician printed out the records of 1,500 patients for research purposes.  The paper records were stored in a computer bag and the bag was stolen from the physician's car on February 25.  The records contained names, health information, and test results. They may have also contained the insurance information of some patients. UPDATE (4/20/2012): Medical record numbers, dates of treatments, diagnoses sites, cocci clinical numbers, and test results for HIV, AIDS, Hepatitis, and pregnancy may have also been exposed.","PHIPrivacy.net","","2012","35.373292","-119.018713" "April 19, 2012","Cigna Dental","Bloomfield","Connecticut","INSD","MED","0","On March 23, 2012, an employee sent an unencrypted document to the personal emails of herself and her son.  The document contained the first names of customers and their Social Security numbers.  
Cigna became aware of the incident on March 27 and took immediate action.  The employee claimed that she had sent the document to obtain help with work from her son. She confirmed that both she and her son had deleted the email and was fired.","California Attorney General","","2012","41.844167","-72.741389" "April 20, 2012","Indie Research LLC, BullMarket.com","Princeton","New Jersey","HACK","BSF","0","An unauthorized person or persons was able to access electronically-stored information relevant to BullMarket.com.  User names, credit card information, billing addresses, email addresses, and/or login information were compromised.  The breach occurred sometime between April 3 and April 7, 2012 and was discovered on April 11. Information as recent as June 2005 may have been exposed, but users with recent information appear to have not been affected.","California Attorney General","","2012","40.357298","-74.667223" "April 25, 2012","Rent-A-Center, Inc.","Plano","Texas","STAT","BSR","0","An April 1, 2012 office burglary resulted in the theft of computer equipment with sensitive information.  A server that contained customer names and Social Security numbers or driver's license numbers was stolen. Additional information related to customer applications was also on the server.","California Attorney General","","2012","33.019843","-96.698886" "April 26, 2012","Choice Hotels Internationals","Silver Spring","Maryland","DISC","BSO","0","An unknown number of customers had their personal information entered into the wrong field in a database.  The information should have been encrypted but was not because of the error. Customers may have received mail with their credit card number, driver's license number, Social Security number, passport number, or any combination of these elements printed on the outside of envelopes. The issue was discovered in late December of 2011.","California Attorney General","","2012","38.990666","-77.026088" "March 31, 2012","St. 
Joseph's Medical Center","Stockton","California","PHYS","MED","712","A storeroom window at Saint Joseph's HealthCare Clinical Laboratory (HCCL) was discovered broken on February 2, 2012.  Two storage boxes containing HCCL lab requisition forms were missing from the center.  People who received laboratory services between October 24, 2011 and November 18, 2011, between December 13, 2012 and January 5, 2012, and also between January 17, 2012 and January 31, 2012, may have had their names, Social Security numbers, phone numbers, addresses, and insurance information exposed.UPDATE (4/26/2012): At least 700 patients were affected.  Two boxes were discovered missing immediately after the robbery and a third was discovered missing on March 16.","California Attorney General","","2012","37.957702","-121.290780" "April 17, 2012","Phoenix Cardiac Surgery, P.C.","Phoenix","Arizona","DISC","MED","0","Phoenix Cardiac Surgery inadvertently posted the clinical and surgical appointments of patients on an Internet-based calendar that was publicly accessible.  The error went unnoticed for an unspecified amount of time.  The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated the error and determined that Phoenix Cardiac Surgery had a number of Health Insurance Portability and Accountability Act (HIPAA) violations.  Phoenix Cardiac Surgery agreed to pay HHS a settlement totalling $100,000 and to comply with HIPAA. The resolution agreement can be found here.","PHIPrivacy.net","","2012","33.448377","-112.074037" "April 30, 2012","Volunteer State Community College","Gallatin","Tennessee","DISC","EDU","14,000","The University became aware of an unintended disclosure.  Files with the information of current and former faculty and former students were placed on a web server that was not secure.  The information could have been accessed anytime between 2008 and the discovery of the error.  
Names and Social Security numbers were exposed.","Databreaches.net","","2012","36.388381","-86.446660" "April 27, 2012","Office of the Texas Attorney General","Austin","Texas","DISC","GOV","6,500,000","Lawyers responsible for challenging a voter ID law in Texas requested the Texas voter database for analysis.  The Texas Attorney General's office released encrypted discs with the personal records of 13 million Texas voters, but half still contained Social Security numbers.  A state police officer was dispatched to New York, Washington D.C., and Boston to retrieve the encrypted discs when the opposing lawyers revealed that a mistake had occurred.","Media","","2012","30.267153","-97.743061" "March 23, 2012","Lake Worth Independent School District","Lake Worth","Texas","INSD","EDU","0","Employees of Lake Worth School District received email notification of a possible computer security breach.  It appears that a former employee may have accessed the personal information of employees and could have misused it.  It is unclear if a breach actually occurred. It is also unclear how the former employee may have compromised the district's computer system.","Databreaches.net","","2012","32.804851","-97.445020" "April 14, 2012","Texas A&M University","College Station","Texas","DISC","EDU","4,000","Alumni who graduated before 1985 and requested copies of their transcripts may have been affected by a breach involving accidental disclosure.  Certain alumni had their names, Social Security numbers, addresses, and telephone numbers in an electronic file that was emailed to an individual who would not normally have access to such information.  The person who received the email notified the University.UPDATE (5/03/2012): This breach was erroneously listed as occurring in Corpus Christi, Texas on this site. The breach affected those who were associated with Texas A&M University in College Station, Texas.","Dataloss DB","","2012","30.627977","-96.334407" "May 4, 2012","Booker T. 
Washington High School","Atlanta","Georgia","HACK","EDU","18","A high school student used the login credentials of his father to change student records.  The student's father worked at the school as a counselor.  At least 18 students paid for their attendance and course assignment records to be altered. The students who paid for the alterations were suspended.  It is unclear if other students had their information accessed or altered.  ","Databreaches.net","","2012","33.748995","-84.387982" "May 8, 2012","IntraCare North Hospital","Houston","Texas","INSD","MED","741","A former employee used patient information to file false income tax returns. The information of 741 patients was accessible in a binder.  The employee worked as an intake coordinator at the Hospital from March 15 to August 18 of 2011.  The breach was not discovered until April 18 of 2012.  ","PHIPrivacy.net","","2012","29.760193","-95.369390" "May 11, 2012","California Department of Justice, Computer and Technology Crime High-Tech Response Team (CATCH)","San Diego","California","HACK","GOV","0","In November 2011, hackers accessed and released private email accounts belonging to a retired agent for the Department of Justice.  The retired agent was a member of the CATCH.  Some of the emails that the hackers released included data that contained the names, Social Security numbers, addresses, dates of birth, and other personal information of an unknown number of consumers.","California Attorney General","","2012","32.715329","-117.157255" "May 9, 2012","Capital One Bank","Houston","Texas","INSD","BSF","0","A former employee pled guilty to conspiracy to commit bank fraud and aggravated identity theft.  The former employee received $3,000 for his role in the conspiracy and his co-conspirators fraudulently made $84,169.37 from customers.  
","Databreaches.net","","2012","29.760193","-95.369390" "May 9, 2012","Key Bank","Springfield","Oregon","INSD","BSF","2,937","A former manager of the Thurston Branch of Key Bank pled guilty to charges related to opening a Key Bank account in the name of someone else. He will be sentenced for identity theft and bank fraud.  The manager obtained and transferred customer names, Social Security numbers, and dates of birth between January and May of 2007.  He eventual threatened and intimidated witnesses in August 2010. Key Bank had a total of $44,937.66 in expenses related to the breach.","Databreaches.net","","2012","44.046236","-123.022029" "May 7, 2012","Lake County Sheriff's Office","Tavares","Florida","HACK","GOV","0","Hackers were able to access and publicly post over 16,000 law enforcement files online.  Sensitive 911 calls, witness and victim statements, names of young crime victims, names and personal phone numbers of SWAT team members, a blueprint that could allow sex predators to avoid arrest, and possibly sheriff employee passwords were posted. SWAT team information such as the unit's operating guide and number of snipers was also posted.  Personal information including Swat team member home and cell phone numbers was posted as well. The breach occurred sometime around April 28, 2012.","Databreaches.net","","2012","28.804158","-81.725632" "May 14, 2012","Northwestern Memorial Hospital","Chicago","Illinois","INSD","MED","50","A Northwestern Memorial Hospital employee was charged with one count of aggravated identity and one count of identity theft. The dishonest employee is accused of stealing the identities of patients to pay off personal bills.  Paperwork with the Social Security numbers, credit card numbers, and dates of birth of over 50 patients was found in the employee's home.  
The dishonest employee's scheme was discovered through suspicious credit card activity related to the opening of utilities in the employee's name.","PHIPrivacy.net","","2012","41.878114","-87.629798" "February 15, 2012","University of North Carolina at Charlotte","Charlotte","North Carolina","DISC","EDU","350,000","An online security breach occurred at the UNC-Charlotte campus and was discovered on January 31.  It is unclear how much information could have been accessed. The number of people affected was not revealed.  An email alert was sent to students and staff on February 15 in order to inform them that a ""potentially significant data exposure of its Information Systems"" had occurred.  The University also stated that it had corrected the known issues related to the breach. UPDATE (5/09/2012): Around 350,000 people had their Social Security numbers exposed. Financial information was also exposed.  A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the University to be accessible from the Internet. One exposure issue affected general University systems over a period of about three months.  A second exposure issue affected the college of engineering systems for over a decade.","Databreaches.net","","2012","35.227087","-80.843127" "March 31, 2012","Opening Ceremony Online, LLC.","New York","New York","UNKN","BSR","0","Opening Ceremony discovered that an inadvertent breach of security resulted in the exposure of customer names, addresses, credit card numbers, credit card expiration dates, and credit card security codes.  The breach was discovered sometime in March and first occurred on or around February 16, 2012. UPDATE (5/11/2012): The breach lasted between February 16 and March 21 of 2012. Malware was discovered on the website on March 21.  Affected customers were mailed notification letters on May 4.  
Either the credit card information was stored in an unencrypted format on the site in violation of Payment Card Industry Data Security Standard (PCI-DSS) practices, or a hacker was able to place something on the site to get credit card information after it was transmitted. It is more likely that Opening Ceremony, an online clothing retailer, was not in compliance with PCI.","California Attorney General","","2012","40.714353","-74.005973" "May 18, 2012","Reading Hospital","Reading","Pennsylvania","INSD","MED","12","A Reading Hospital employee made paper copies of sensitive information and used them for training purposes at an unaffiliated educational facility.  The incident was discovered the next day and the employee was fired.  Patient medical test results, diagnoses, prescribed medications, Social Security numbers, medical histories, and other personal information were exposed.","PHIPrivacy.net","","2012","40.335648","-75.926875" "May 18, 2012","Lady of the Lake Regional Medical Center","Baton Rouge","Louisiana","PORT","MED","17,130","A laptop went missing from a physician's office sometime between March 16 and March 20 of 2012.  The laptop contained patient outcomes data from patients in the adult ICU from 2000 to 2008.  Patient names, race, age, dates of admission and discharge from the Intensive Care Unit, and results of treatment may have been exposed.","PHIPrivacy.net","","2012","30.458283","-91.140320" "May 19, 2012","Massachusetts Eye and Ear","Boston","Massachusetts","INSD","MED","3,600","An employee was fired after police informed Massachusetts Eye and Ear that the employee was being investigated for identity theft.  The employee had taken and misused patient names, Social Security numbers, and dates of birth. 
At least four of the employee's victims came from Massachusetts Eye and Ear, but she had access to the information of approximately 3,600 patients.","PHIPrivacy.net","","2012","42.358431","-71.059773" "October 19, 2011","Well United Methodist Church, Iowa Correctional Institute for Women","Mitchellville","Iowa","INSD","GOV","48","A former inmate was able to obtain and misuse the information of prison church volunteers.  The former inmate had held a leadership role in the congregation and was hired as an administrative assistant after being released in 2007.  Her position as administrative assistant may have allowed her to misuse the personal information that volunteers were required to submit in order to obtain prison security clearance.UPDATE (05/19/2012): The former inmate was sentenced to four years in prison for using the personal information of other church members to fraudulently obtain credit accounts.  She had worked as an administrative assistant in the program between her 2007 release and a 2008 probation that sent her back to prison.  She was able to misuse the information of 48 people once leaving prison.","Databreaches.net","","2011","41.667222","-93.360278" "May 2, 2012","Florida Department of Children and Families","Tallahassee","Florida","DISC","GOV","100,000","The information of Florida child care workers was placed on a state website.  The information was not password protected and could have been found through an internet search. An unnamed vendor working for the state of Florida was responsible for placing the information online.  Florida daycare workers may have had their dates of birth, names, and Social Security numbers exposed. It is not clear how long the information was exposed.","Databreaches.net","","2012","30.438256","-84.280733" "April 25, 2012","Cryptic Studios, Perfect World","Los Gatos","California","HACK","BSO","0","Cryptic Studios detected evidence of unauthorized access to a user database that occurred in December 2010.  
Users may have had their account names, handles, encrypted versions of their passwords, dates of birth, email addresses, billing addresses, and partial credit card numbers exposed.  Some of the passwords that were exposed were decrypted.  Cryptic Studios reset all customer passwords that could have been affected after discovering the breach by performing security analysis. Anyone who uses the same password and email combination for other accounts is encouraged to change their password for those accounts as well. ","Databreaches.net","","2012","37.235808","-121.962375" "May 20, 2012","Comcast","Philadelphia","Pennsylvania","HACK","BSO","294","A hacker or hackers posted email addresses, plain-text passwords, and ID numbers online.","Dataloss DB","","2012","39.952335","-75.163789" "July 20, 2010","South Shore Hospital, Active Data Solutions","South Weymouth","Massachusetts","PORT","MED","800,000","Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and employees from January 1996 through January 2010 may have been lost by a professional data management company. Depending on the person's association with the hospital, the information exposed could be full name, address, phone number, date of birth, Social Security number, driver's license number, medical record number, patient number, bank account information, credit card number, diagnoses and treatment.UPDATE (9/10/10): Archive Data Solutions (formerly Iron Mountain Data Products) was revealed to be the company responsible for disposing of South Shore Hospital's records. Archive Data Solutions subcontracted the process to Graham Magnetics, who then lost the tapes in shipping.  
The tapes may have also had patient information from Harbor Medical Associates and patient and vendor information from South Shore Physician Hospital Organization.After investigating the incident the hospital decided not to mail notices or offer credit monitoring and identity theft services to those who may have been affected by the loss.  It was determined that the risk of the data being accessed was extremely low and that notifications inside the hospital, on websites, via email and in newspapers would be enough.  In addition, the Attorney General's office of Massachusetts has spoken out against the hospital's decision to skip precautions.UPDATE (5/24/2012): South Shore Hospital will pay $750,000 to settle HIPAA violation and state law charges.  The breach involved the loss of two of three boxes containing 473 unencrypted back-up computer tapes with sensitive information sometime between February 2010 and June of 2010.  A total of $250,000 in civil penalty fines and a payment of $225,000 for an education fund to be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information was determined. South Shore Hospital was given a credit of $275,000 to reflect the cost of security measures it had already taken subsequent to the breach.","PHIPrivacy.net","","2010","42.175100","-70.949490" "May 24, 2012","Physicians Automated Laboratory","Bakersfield","California","PHYS","MED","745","An office burglary on or around March 26 resulted in the exposure of patient information.  Patient files containing names, phone numbers, dates of birth, addresses, and lab work were stolen from a laboratory. 
It is unclear why affected patients were not notified until two months after the incident.","PHIPrivacy.net","","2012","35.373292","-119.018713" "May 23, 2012","Boston Children's Hospital","Buenos Aires","","PORT","MED","2,159","A Boston Children's Hospital employee misplaced an unencrypted laptop during a conference in Buenos Aires.  It contained the names, dates of birth, diagnoses, and treatment information of patients.","PHIPrivacy.net","","2012","-34.603684","-58.381559" "May 24, 2012","Altrec, Inc.","Redmond","Oregon","HACK","BSR","0","Altrec discovered a potential information security incident involving the American Express credit cards of people who used the site. Customer information may have been compromised between June 2010 and March 2012.  The potential breach was discovered on May 7, but a detailed forensic investigation did not uncover any evidence of a security breach.  Customer names, addresses, American Express card account numbers, expiration dates, and four digit security codes were stored in Altrec's database and could have been exposed if anyone had accessed it.","California Attorney General","","2012","44.272620","-121.173921" "May 24, 2012","General Communication Inc. (GCI)","Anchorage","Alaska","INSD","BSR","400","A former customer service representative gathered account information directly from two customers during telephone calls and later attempted to use the information for personal purchases.  GCI decided to notify all other customers who may have been contacted by the dishonest former employee and warn them to check their accounts for any unusual activity.  ","Databreaches.net","","2012","61.218056","-149.900278" "May 22, 2012","Glade County Sheriff's Office","Moore Haven","Florida","HACK","GOV","200","Hackers accessed sensitive information from the Glade County Sheriff's Department.  Ten names with associated email addresses, plain-text passwords, and usernames were posted online.  
The information of 192 prisoners was also posted, but most of it could already be found through public records.  Prisoner names, genders, birth dates, hair and eye colors, heights, weights, last known addresses, and other details were posted. ","Databreaches.net","","2012","26.833117","-81.093123" "April 30, 2012","Accurate Accounting","Hesperia","California","PHYS","BSF","0","A member of law enforcement found a black canvas bag full of payroll files.  The bag may have been stolen or misplaced and carried worker names, Social Security numbers, and other personnel information related to taxes. Stacks of files were photographed behind Accurate Accounting. This led to the belief that the files had not been properly stored.","Databreaches.net","","2012","34.426389","-117.300878" "May 25, 2012","Duane Reade","New York","New York","INSD","BSR","0","Employees at two Duane Reade stores were caught participating in a credit card fraud ring.  One employee at each store was found to have used an unauthorized device to scan customer credit cards prior to processing them through the store's system. People who made purchases at the stores between October 1, 2011 and February 16, 2012 may have been affected.","Dataloss DB","","2012","40.714353","-74.005973" "May 22, 2012","United States Bureau of Justice Statistics (BJS)","Washington","District Of Columbia","HACK","GOV","0","Hackers from Anonymous claim to have leaked 1.7 gigabytes of data belonging to the United States Bureau of Justice Statistics.  The United States Bureau of Justice Statistics is part of the U.S. Department of Justice and analyzes data related to crimes in the U.S. The data file was posted on The Pirate Bay. 
It contained internal emails and the website's entire database.","Dataloss DB","","2012","38.895112","-77.036366" "May 11, 2012","First Data Corporation","Atlanta","Georgia","DISC","BSF","15,399","On April 25, 2012, First Data learned that certain limited personal information about approximately 108,500 merchants who currently process with First Data or who applied for processing services had been shared outside of the company. The names, addresses, and Social Security numbers of merchants who submitted applications to First Data for merchant processing services were purposely disclosed to an outside party in January and February of 2012.  First Data later discovered that this action was not clearly permitted in some merchant contracts.UPDATE: (5/29/2012): Bank of America Merchant Services (BAMS), a joint venture between First Data Corporation and Bank of America, was also involved in the breach.  The personal information of 15,399 California residents was involved.  Of the 15,399 California residents affected, a total of 4,058 residents were merchant customers of BAMS.","California Attorney General","","2012","33.748995","-84.387982" "May 25, 2012","Serco, Inc., Federal Retirement Thrift Investment Board","Reston","Virginia","HACK","BSF","123,201","One of the computers used by the contractor Serco to support the Federal Retirement Thrift Investment Board (FRTIB) was the target of a sophisticated cyber attack.  Thrift Savings Plan participants and others who received TSP payments may have had their information exposed. However, there is no evidence that the entire TSP network of 4.5 million participants was breached. A total of 43,587 participants may have had their Social Security numbers, names, and addresses compromised. An additional 80,000 may have had their Social Security numbers and no other information compromised. 
The attack appears to have occurred in July of 2011 and was discovered through an FBI investigation in April of 2012.","Databreaches.net","","2012","38.958631","-77.357003" "May 30, 2012","American Advertising Federation (AAF)","Washington","District Of Columbia","HACK","NGO","555","A hacker or hackers posted member names, email addresses, and contact information online.","Dataloss DB","","2012","38.895112","-77.036366" "June 1, 2012","Charlie Norwood VA Medical Center","Augusta","Georgia","PORT","GOV","824","The March 30 theft of a physician's laptop resulted in the exposure of personal information. The physician had violated VA policy by placing the personal information on his own laptop.  Veterans may have had the last four digits of their Social Security number, discharge date, and medical provider name exposed.","PHIPrivacy.net","","2012","33.474246","-82.009670" "June 6, 2012","University of Virginia","Charlottesville","Virginia","DISC","EDU","300","Between 300 and 350 transcripts from Summer Language Institute applicants were accessible through the University of Virginia website.  The human error was discovered when a student searched Google for an image of himself.  Students who applied to the University's program within the last two years may have had their names, transcript information, and Social Security numbers exposed.  Technology experts at the University blocked public access to the information and asked Google to remove its cache of the sensitive pages on June 5, 2012.  It is unclear how long the information was available.","Databreaches.net","","2012","38.029306","-78.476678" "June 1, 2012","MOAB Training International","Kulpsville","Pennsylvania","HACK","BSO","1,442","A hacker or hackers accessed and publicly posted usernames, email addresses, and encrypted passwords from MOAB. 
Many law enforcement officials and heads of security were among the users who were affected.","Dataloss DB","","2012","40.242883","-75.336564" "May 2, 2012","Rackspace, Incorporating Services, Ltd.","Dover","Delaware","HACK","BSO","0","On April 2, 2012, Incorporating Services learned that one of their servers was compromised by a malware attack.  Incorporating Services began investigating the breach after being informed by their internet hosting vendor and discovered that malicious software had allowed an unauthorized party to access data stored on the server.  Corporate officer Social Security numbers and names may have been exposed.UPDATE (6/06/2012): Rackspace has been identified as the internet hosting vendor.  Social Security numbers, credit card payment information such as expiration date and CVV, and possibly Automatic Clearing House (ACH) payment information were compromised.","California Attorney General","","2012","39.158168","-75.524368" "May 2, 2012","Valencia Self Storage","Valencia","California","PHYS","BSO","0","Two people were charged with stealing more than $16,000 from 20 businesses and individuals in the Santa Clarita Valley area.  The man and woman were able to commit identity theft and run a check counterfeiting operation by retrieving and reassembling shredded checks from the trash bin of Valencia Self Storage.  Hundreds of bank account numbers, fake and stolen IDs and identity profiles, check making equipment, and counterfeiting checks were discovered at their residence.  A criminal complaint was filed on April 18 alleging felony counts of identity theft, check forgery, commercial burglary, grand theft, false impersonation, receiving stolen property, and unauthorized credit card use.","Dataloss DB","","2012","34.389816","-118.564229" "May 5, 2012","The Complete Pianist","Tucson","Arizona","HACK","BSO","16","A hacker or hackers accessed and posted sensitive information online.  Sixteen names, passwords, and email addresses were exposed.  
The hack took place on or around February 24 and was reported on May 5.","Dataloss DB","","2012","32.221743","-110.926479" "May 4, 2012","Boca Ski Club","Palm Beach","Florida","HACK","BSR","39","A hacker or hackers accessed and posted sensitive information online. Seven administrators' login information including names, usernames, email addresses, postal addresses, and plain-text passwords was posted. The names, email addresses, and reservation information of 32 customers were also posted. The incident took place on or around April 8 and was reported on May 4.","Dataloss DB","","2012","26.705621","-80.036430" "May 4, 2012","Emerson (Funai Corporation)","Torrance","California","HACK","BSR","18","A hacker or hackers accessed and posted sensitive information online.  A total of 18 employee names, email addresses, and passwords were exposed.","Dataloss DB","","2012","33.835849","-118.340629" "June 7, 2012","eHarmony.com","Santa Monica","California","HACK","BSO","0","An unspecified number of eHarmony users were found to have had their passwords exposed after eHarmony investigated reports of passwords being posted on a hacker site.  Those who were affected had their passwords reset.","Dataloss DB","","2012","34.019454","-118.491191" "May 9, 2012","Tarpon Springs High School","Tarpon Springs","Florida","DISC","EDU","400","A guidance counselor accidentally sent an attachment with sensitive information to students via email.  The email was sent to members of the senior class and the attachment contained the names and student ID numbers of seniors.  Student Social Security numbers were used as student ID numbers in most cases.","Dataloss DB","","2012","28.146125","-82.756768" "May 27, 2011","LA Boxing","Ahwatukee","Arizona","PHYS","BSO","0","Someone threw out hundreds of customer documents after the local LA Boxing was taken over by corporate.  The documents were found and reported by someone who witnessed another person going through the dumpster.  
Names, addresses, credit card numbers and account numbers of people who were once gym members were left in a dumpster.","Databreaches.net","","2011","33.341670","-111.983330" "May 12, 2012","LA Fitness, Fitness 1","Phoenix","Arizona","PHYS","BSR","0","A concerned citizen found a dumpster overflowing with old gym memberships.  Member credit card information, Social Security numbers, addresses, and other information.  The information dates back from the late 1990s and early 2000s.  Memberships were originally from Fitness 1, but Fitness 1 sold the location to LA Fitness in 2000.  The hundreds of sensitive documents appear to have been abandoned by LA Fitness when it vacated the space.  A former Fitness 1 attorney took the exposed documents out of the dumpster after the discovery.","Dataloss DB","","2012","33.448377","-112.074037" "June 5, 2012","California Department of Public Health, Bakersfield Memorial Hospital","Bakersfield","California","PHYS","GOV","0","The theft of a binder from an employee's car resulted in the exposure of sensitive patient information.  The binder was stolen on or around May 7 and had information from a survey conducted at the Bakersfield Memorial Hospital.  Patient names, dates of birth, ages, medications, room numbers, and medical record numbers were exposed.","California Attorney General","","2012","35.373292","-119.018713" "June 6, 2012","Next Day Flyers (Postcard Press, Inc.)","Torrance","California","HACK","BSO","0","On April 2, 2012, an electronic file was discovered on Next Day Flyer's system.  The file was storing transaction information for customers who placed orders through the company's website between March 23, 2012 and April 2, 2012.  It was discovered when the company found out that an unauthorized person was trying to disrupt traffic to Next Day Flyer's website.  The file was removed, but customer names, credit card information, email addresses, and postal addresses may have been exposed.  
","California Attorney General","","2012","33.835849","-118.340629" "June 9, 2012","Office of Dr. Robert Witham","Port Angeles","Washington","STAT","MED","0","An April 16 office burglary resulted in the theft of two computers that contained sensitive patient information.  Patient names, Social Security numbers, addresses, medical billings, ICD-9 diagnosis codes, and dates of birth were exposed.  It is unclear if patients who saw the doctor as far back as 1979 were affected by the breach.  Letters to patients who were affected were mailed on June 7.","PHIPrivacy.net","","2012","48.118146","-123.430741" "April 18, 2012","Emory Healthcare, Emory University Hospital","Atlanta","Georgia","PORT","MED","315,000","Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital.  The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012.  The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information.  Patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and Emory Clinic Ambulatory Surgery Center between September of 1990 and April of 2007 were affected.UPDATE (6/09/2012): A suit seeking class action status was filed on June 4.  
The suit seeks unspecified damages over the loss of 10 computer disks containing the personal and health information of between 250,000 and 315,000 patients treated between 1999 and 2007.","PHIPrivacy.net","","2012","33.748995","-84.387982" "June 9, 2012","New York State Office of Children and Family Services","Albany","New York","INSD","GOV","0","Investigators were able to arrest an employee of the New York State Office of Children and Family Services after learning about a case of identity theft.  The dishonest employee is accused of selling personal information to an outside person and was arraigned on one felony count of receiving a reward for official misconduct in the second degree. He received $500 for accessing and providing the sensitive information of multiple individuals through his workplace.","Databreaches.net","","2012","42.652579","-73.756232" "June 9, 2012","EPN, Inc.","Provo","Utah","DISC","BSF","3,800","The FTC has fined EPN, Inc. for failing to implement reasonable security measures. The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks.  The FTC claims that this failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.  EPN's chief operating officer installed peer-to-peer file-sharing software on EPN's computer system and left patient information vulnerable to unauthorized access. Hospital patient Social Security numbers, health insurance numbers, and medical diagnosis codes were accessible on any computer connected to the peer-to-peer network.  
EPN was barred from misrepresenting the privacy, security, confidentiality, and integrity of personal information they collected.  EPN was also required to undergo data security audits and establish and maintain a comprehensive information security program.","Databreaches.net","","2012","40.233844","-111.658534" "June 9, 2012","Franklin's Budget Car Sales, Inc.","Statesboro","Georgia","DISC","BSR","95,000","The FTC fined Franklin's Budget Car Sales for compromising consumers' personal information by allowing peer-to-peer software to be installed on its network.  Any computers that were connected to the peer-to-peer network could have accessed Franklin's network of consumer names, Social Security numbers, addresses, dates of birth, and driver's license numbers.  The FTC claimed that Franklin's failed to assess risks to the consumer information it collected and stored online and failed to adopt policies to prevent or limit unauthorized disclosure of information.  Franklin's also allegedly failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.  Franklin's settlement agreement bars Franklin's from misrepresentations about the privacy, security, confidentiality, and integrity of personal information it collected from consumers.  Franklin's must also establish and maintain a comprehensive information security program and undergo data security audits.","Databreaches.net","","2012","32.448788","-81.783167" "March 24, 2009","Massachusetts General Hospital","Boston","Massachusetts","PHYS","MED","192","Massachusetts General Hospital has put dozens of patients on notice that it has lost some of their confidential medical records, which were left on an MBTA Red Line train by a hospital employee. 
The MGH employee left the hospital, taking the records with her to do billing work on them over the weekend. The records belonged to at least 66 patients and included private information such as the patients' diagnoses, their names, birth dates and billing information. UPDATE (2/24/2011): Massachusetts General Hospital agreed to pay one million dollars to settle violation of privacy charges. http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html UPDATE (6/08/2012): The lost documents consisted of a patient schedule with names and medical record numbers for 192 patients.  There were also billing encounter forms with names, dates of birth, medical record numbers, health insurer and policy numbers, diagnoses, and provider names for 66 of those patients.","Dataloss DB","","2009","42.358431","-71.059773" "June 9, 2012","DocuSign, Inc.","San Francisco","California","DISC","BSO","0","DocuSign user information was discovered to be accessible through a Google search. The information goes as far back as January 2012, and some information could be even older.  It is possible to see private emails, signatures, times, dates, locations, addresses, document names, and email addresses.  DocuSign claims that the information is available because a small number of DocuSign users have saved their own personal copies of their signed documents to publicly accessible and searchable locations outside of DocuSign's secure global network.  ","Databreaches.net","","2012","37.774930","-122.419416" "May 12, 2012","Warren County Iowa, Iowa Department of Human Services","Indianola","Iowa","PHYS","GOV","3,000","Warren County residents had their names, Social Security numbers, addresses, phone numbers, and other information exposed.  A fire destroyed a Warren County human services office on December 4, 2011.  Records from the location that were due to be shredded were moved to a secure facility owned by Warren County.  
A county maintenance worker mistakenly moved a container full of the damaged sensitive records back to the destroyed building in early February of 2012.  The mistake was discovered on March 14 when the department received a call from a resident near the area who found a DHS paper in her yard.","Databreaches.net","","2012","41.358048","-93.557438" "May 10, 2012","The Neighborhood Christian Clinic","Phoenix","Arizona","PORT","MED","9,565","A portable electronic device was lost or discovered missing sometime around February 7, 2012. It contained sensitive information. The incident was reported on the HHS website. ","Dataloss DB","","2012","33.448377","-112.074037" "May 10, 2012","Office of Dr. Roy E. Gondo","Yakima","Washington","STAT","MED","2,100","A desktop computer and electronic medical records were stolen or discovered stolen sometime around February 21, 2012. They contained sensitive information. The incident was reported on the HHS website.","Dataloss DB","","2012","46.602071","-120.505899" "June 1, 2012","Masons of California","San Francisco","California","HACK","NGO","4,056","A hacker or hackers accessed and posted sensitive information from the Masons of California.  Names, addresses, phone numbers, and emails were exposed.","Dataloss DB","","2012","37.774930","-122.419416" "May 7, 2012","Friendping.com","Denver","Colorado","HACK","BSO","647","A hacker or hackers accessed and posted sensitive information from Friendping.com.  Passwords and email addresses were exposed.","Dataloss DB","","2012","39.737567","-104.984718" "May 13, 2012","University of New Mexico","Albuquerque","New Mexico","HACK","EDU","81","A hacker or hackers accessed and posted sensitive information from the University of New Mexico's electrical and computer engineering department.  
Usernames, emails, and encrypted passwords were exposed.","Dataloss DB","","2012","35.084491","-106.651137" "May 16, 2012","Chrome Crazy","Park City","Kentucky","HACK","BSR","219","A hacker or hackers accessed and posted sensitive information from Chrome Crazy online.  Customer order details, billing and shipping details, types of motorcycles owned, and email addresses were exposed.","Dataloss DB","","2012","37.093938","-86.046367" "May 18, 2012","University of Louisiana Monroe (ULM)","Monroe","Louisiana","HACK","EDU","121","A University of Louisiana Monroe employee's email account was hacked.  The hacker or hackers could have accessed the sensitive information of people enrolled in the Upward Bound program.  A file in the employee's email included the names, addresses, telephone numbers, and other personal information of 83 high school prospects for the Upward Bound program, two former ULM employees who worked within a related program, a current ULM employee working in a related program, and 35 post-secondary ULM students.","Dataloss DB","","2012","32.509311","-92.119301" "May 20, 2012","www.SD.gov (South Dakota)","Pierre","South Dakota","HACK","GOV","11","A hacker or hackers accessed and posted sensitive information from the South Dakota state website online.  Usernames, user IDs, plain-text passwords, and email addresses were exposed.","Dataloss DB","","2012","44.368316","-100.350967" "May 19, 2012","Iwacu Online","Baltimore","Maryland","HACK","BSO","948","A hacker or hackers accessed and posted sensitive information from Iwacu Online.  Usernames, first names, email addresses, and passwords were exposed.","Dataloss DB","","2012","39.290385","-76.612189" "June 13, 2012","Gressler Clinic","Winter Haven","Florida","PHYS","MED","1,400","A May 3 office burglary resulted in the theft of sensitive documents.  
The stolen documents were charge tickets and contained Social Security numbers, addresses, phone numbers, dates of birth, insurance information, and diagnosis and treatment information.","PHIPrivacy.net","","2012","28.022244","-81.732857" "June 13, 2012","Memorial Sloan-Kettering Cancer Center","New York","New York","DISC","MED","880","A routine check for sensitive information by Memorial Sloan-Kettering revealed that a PowerPoint presentation that was posted on two medical professional websites in 2006 contained embedded private information.  The information included patient names, phone numbers, addresses, and in some cases, Social Security numbers.  Anyone who accessed and manipulated the PowerPoint presentation could have viewed the information that was used to create certain graphs.  A total of five PowerPoint files contained sensitive information.  The largest file had data from 568 patients from various states; the second largest contained 112.  Three others contained the data of 37, 59, and 112 individuals.","PHIPrivacy.net","","2012","40.714353","-74.005973" "June 19, 2012","ECS Tuning Inc.","Wadsworth","Ohio","HACK","BSR","0","An unauthorized person or persons accessed customer personal information between May 6 and May 10, 2012.  The information was associated with pending and recently shipped orders.  Customer names, addresses, email addresses, phone numbers, ECS customer account passwords, and debit and credit card information may have been exposed. Specifically, credit and debit card expiration dates, security codes, or access codes may have been exposed.  
ECS Tuning integrated PayPal's Payflow Pro to add additional security to the ECS checkout process and stopped storing credit and debit cards for any length of time regardless of order status.","California Attorney General","","2012","41.025610","-81.729852" "June 20, 2012","Delta Dental of Illinois","Naperville","Illinois","PHYS","MED","650","A box that contained paper claims information and X-rays was lost during shipping between an unnamed subcontractor and Delta Dental of Illinois.  The paperwork included enrollees' dates of birth, Social Security numbers, and other information that dentists provided on their claims.","PHIPrivacy.net","","2012","41.785863","-88.147289" "April 30, 2012","Columbia University","New York","New York","DISC","EDU","3,500","A programmer erroneously saved an internal test file onto a public server in January 2010.  Current and former employees had their names, Social Security numbers, addresses, and bank account numbers available on the internet from January 2010 until April of 2012.  A total of 3,000 current and former employees were affected, but an additional 500 sole proprietors were also affected.  It appears that the file was not accessed at any time between January 2010 and March 10, 2012.  ","Dataloss DB","","2012","40.714353","-74.005973" "May 15, 2012","L-3 Communications Corporation","New York","New York","PORT","BSO","0","A thumb drive containing information from a small number of current employees, former employees, and applicants was discovered to have been misplaced from the workstation of an employee sometime around April 16.  The drive contained names and Social Security numbers. Those who were affected were mailed notifications on May 16.  ","Dataloss DB","","2012","40.714353","-74.005973" "May 2, 2012","Bimbo Bakeries","Horsham","Pennsylvania","PORT","BSR","22","The theft of a laptop from the trunk of an employee's car resulted in the exposure of sensitive information.  
Current and former associates may have had their names and Social Security numbers on the stolen laptop.  ","Dataloss DB","","2012","40.178442","-75.128506" "June 11, 2012","University of North Florida (UNF)","Jacksonville ","Florida","HACK","EDU","23,246","UNF became aware of a server breach that exposed Social Security numbers and other sensitive information.  Students who submitted housing contracts between 1997 and spring 2011 may have had their information exposed. Multiple servers were affected and secured upon discovery. The information may have been accessed as early as spring of 2011.","Databreaches.net","","2012","30.332184","-81.655651" "October 30, 2009","Alaska Department of Health and Social Services (DHSS)","Juneau","Alaska","PORT","GOV","501","A portable electronic device that may have contained protected health information was stolen from the vehicle of a DHSS employee on or around October 12, 2009.  The Health and Human Services (HHS) Office for Civil Rights (OCR) began an investigation after the incident.  OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  DHSS was also found to have not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.  Alaska DHSS agreed to pay a $1,700,000 settlement.  ","Dataloss DB","","2009","58.301944","-134.419722" "June 25, 2012","BlueCross Blue Shield of North Carolina","Durham","North Carolina","DISC","MED","100","A mailing software error caused the private information of current and former Blue Cross Blue Shield members to be mailed to other members.  The error was discovered on April 12.  
The records were more than 10 years old and included patient names, Social Security numbers, type of medical care received, and other protected health information.","PHIPrivacy.net","","2012","35.994033","-78.898619" "March 29, 2010","Griffin Hospital","Derby","Connecticut","INSD","MED","957","A former employee appears to have continued accessing patient names, medical information, dates of birth and medical record numbers.  Patients received soliciting phone calls from a physician at another hospital.UPDATE (06/212012): The physician and radiologist responsible for the breach has been fined $20,000 for downloading patient information and using it to promote radiology services at Advanced Mobile Imaging Radiology.","PHIPrivacy.net","","2010","41.320652","-73.088997" "June 22, 2012","Minnesota Board of Psychology","Minneapolis","Minnesota","INSD","NGO","42","A dishonest employee working as a receptionist for the Minnesota Board of Psychology was part of a fraud ring that included nearly 30 co-conspirators.  The receptionist was employed from December 2006 until May 2011. She pled guilty to conspiracy to commit bank fraud and aggravated identity theft and faces six years in prison.  Those convicted in the case will be jointly responsible for $358,780 in restitution to victims.  Fifteen people have pleaded guilty and 10 others have pleaded not guilty in the case.  The identity fraud ring was able to make at least $2 million in fraudulent purchases and bank withdrawals. The fraud ring used a variety of methods that included dishonest employees and theft of sensitive information from cars, businesses, trash cans, and mailboxes.  ","Databreaches.net","","2012","44.983334","-93.266670" "April 7, 2010","Bank of America","Charlotte","North Carolina","INSD","BSF","0","An IT staff member of Bank of America pled guilty to installing illegal software on Bank of America ATMs. 
The software caused the ATMs to erroneously dispense money; some of it may have affected customer accounts.","Databreaches.net","","2010","35.227087","-80.843127" "June 16, 2012","Bob Wilson Dodge","Tampa","Florida","PHYS","BSR","0","Vandals broke into a car dealership that had been closed for four years.  Sensitive documents were found scattered all over the parking lot.  It appears that the primary purpose of the break in was vandalism, but former customers are being warned to check their credit reports for fraudulent activity.","Databreaches.net","","2012","27.950575","-82.457178" "June 1, 2012","Penn Station East Coast Subs","Milford","Ohio","CARD","BSR","0","Forty-three restaurants nationwide may have been affected by a data breach involving unauthorized access to credit and debit card information. Customers who used credit or debit cards between early March and the end of April may have had their financial information obtained by unauthorized parties.UPDATE (06/15/2012): Penn Station updated the number of franchise locations affected.  They now claim that 80 restaurants in Illinois, Indiana, Kentucky, Michigan, Missouri, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia, and West Virginia were affected by a point-of-sale processing hack.","Databreaches.net","","2012","39.175338","-84.294382" "June 13, 2012","The Tilted Kilt","San Antonio","Texas","HACK","BSR","0","A theft ring hacked into the computer system of a Tilted Kilt restaurant.  Customers who used a debit or credit card are encouraged to check their bank statements for suspicious activity such as double billing.  Fraudulent charges have already appeared on the statements of some customers.  
It is unclear when the breach occurred, but the Secret Service alerted the pub of the investigation on June 7.","Databreaches.net","","2012","29.424122","-98.493628" "June 12, 2012","Bethpage Federal Credit Union","Bethpage","New York","DISC","BSF","86,000","An employee accidentally posted data onto a file transfer protocol site that was not secure on May 3.  The data contained customer VISA debit card names, addresses, dates of birth, card expiration dates and checking and savings account numbers.  The error was discovered on June 3. The data was accessed, but there was no evidence of identity theft or fraud as of June 12.  New cards were issued to 25% of the affected members and the remaining members will have their affected cards deactivated on June 30.","Databreaches.net","","2012","40.744266","-73.482069" "May 20, 2012","National Endowment for the Arts","Washington","District Of Columbia","HACK","NGO","13","A hacker or hackers accessed the database information of National Endowment for the Arts and posted the information online.  The leaked data included 13 names, email addresses, and passwords.","Dataloss DB","","2012","38.895112","-77.036366" "June 3, 2012","Holy Family University","Philadelphia","Pennsylvania","HACK","EDU","12","A hacker or hackers accessed the database information of Holy Family University and posted the information online.  The leaked data included a table with 12 usernames and encrypted passwords.","","","2012","40.059220","-74.988648" "May 22, 2012","Eastern Buffet","West Des Moines","Iowa","INSD","BSR","30","Victims who reported fraudulent charges on their debit and credit cards were found to have had their payment cards compromised at the Eastern Buffet. The cards were compromised sometime before May 11.  
Two employees were fired for their roles in the breach and were found to have been working at the restaurant under fake identities.","Dataloss DB","","2012","41.577212","-93.711332" "May 7, 2012","Crowne Plaza","Columbus","Ohio","HACK","BSO","0","A hotel employee accidentally downloaded malware to front desk computers.  The malware was active for about ten days during the first half of March of 2012.  Customer names, addresses, credit card numbers, and credit card expiration dates may have been exposed.  ","Dataloss DB","","2012","39.961176","-82.998794" "May 9, 2012","InfoLink, ServerPronto, CloudPronto","Fort Lauderdale","Florida","HACK","BSO","1,926","A hacker or hackers accessed the database information of InfoLink and posted the information online.  The intrusion appears to have taken place in November of 2011.  The leaked data included 46 administrator names, passwords and email addresses.  A total of 1,820 client names, email addresses, passwords, payment methods, card types, last four digits of payment cards, and encrypted full payment card numbers were exposed.  ServerPronto and CloudPronto affiliates were also affected.","Dataloss DB","","2012","26.122308","-80.143379" "May 17, 2012","Experian","Costa Mesa","California","UNKN","BSF","0","An unauthorized user or users was able to access credit reporting information after managing to pass Experian's authentication process.  The unauthorized access incidents took place sometime between October 19, 2011 and February 13, 2012, as well as sometime between November 2010 and March 2012.   Consumers may have had their names, addresses, and truncated Social Security numbers, years of birth, and account numbers exposed.","Dataloss DB","","2012","33.641132","-117.918669" "May 24, 2012","University of California Los Angeles (UCLA) Health System","Los Angeles","California","DISC","MED","0","The UCLA Health System placed an audit report on billing practices online in May.  
It was later discovered that an employee had accidentally attached information containing the first name, last name, and five-digit billing code related to at least one patient's emergency department visit in May of 2011.  It is unclear how many people were affected and if others may have had additional information exposed.","PHIPrivacy.net","","2012","34.052234","-118.243685" "May 23, 2012","U.S. Office of Personnel Management","Washington","District Of Columbia","HACK","GOV","37","A hacker or hackers accessed the database information of U.S. Office of Personnel Management and posted the information online.  The leaked data included 37 user IDs and plain-text passwords on the internet.","Dataloss DB","","2012","38.895112","-77.036366" "May 24, 2012","Stanford University","Stanford","California","HACK","EDU","1,593","A hacker or hackers accessed the database information of Stanford University and posted the information online.  The leaked data included a list of contact information for donors.  Names, company association, contact details, and notes about the donors were exposed.","Dataloss DB","","2012","37.423150","-122.176642" "May 26, 2012","Direct TV","Greenwood Village","Colorado","HACK","BSR","32","A hacker or hackers accessed the server information of Direct TV and posted the information online.  The leaked data included administration account information such as 32 email addresses, usernames, encrypted passwords, and a list of IPs that could belong to Direct TV servers.","Dataloss DB","","2012","39.617210","-104.950814" "May 25, 2012","T&M Protection Resources","New York","New York","HACK","BSO","10","A hacker or hackers accessed the database information of T&M Protection Resources and posted the information online.  
The leaked data included 10 usernames and passwords.","Dataloss DB","","2012","40.714353","-74.005973" "May 15, 2012","Sierra County, California","Downieville","California","HACK","GOV","15","A hacker or hackers accessed the database information of Sierra County and posted the information online.  The leaked data included 15 email addresses and passwords; some of the passwords had been decrypted.","Dataloss DB","","2012","39.559520","-120.827697" "May 29, 2012","Alaska Structures","Anchorage","Alaska","HACK","BSO","0","A hacker or hackers accessed the website database information of Alaska Structures and defaced the website.  Some password information was posted online, but it is unclear how many usernames and passwords were obtained and distributed. ","Dataloss DB","","2012","61.218056","-149.900278" "May 23, 2012","Sears Portrait Studio","Trotwood","Ohio","PHYS","BSR","0","An interesting photo caught the attention of a man passing by a trash container.  The photo was among other photos, names, phone numbers, and receipts.  The records were tracked to Sears Portrait Studio and the man eventually contacted the local media after failing to get a response from the company.  Sears responded to media inquiries and claimed that this was an unusual incident that was against company policy.","Dataloss DB","","2012","39.797279","-84.311333" "May 31, 2012","United States Navy","Washington","District Of Columbia","HACK","GOV","36","A hacker or hackers accessed the database information of the US Navy and posted the information online.  The leaked data included 36 email addresses and passwords.","Dataloss DB","","2012","38.895112","-77.036366" "May 26, 2012","Gridiron Strategies","North Palm Beach","Florida","HACK","BSO","2,109","A hacker or hackers accessed the database information of Gridiron Strategies and posted the information online.  
The leaked data included 2,109 email addresses and passwords.","Dataloss DB","","2012","26.819200","-80.056669" "April 2, 2012","Applegate Valley Family Medicine","Grants Pass","Oregon","PORT","MED","2,300","A stolen laptop contained patient information.  The theft occurred sometime between December 1, 2011 and December 17, 2011.","Dataloss DB","","2012","42.439007","-123.328393" "April 4, 2012","World of Warcraft Latino America","Lower Merion","Pennsylvania","HACK","GOV","256","A hacker or hackers accessed the database information of World of Warcraft Latino America and posted the information online.  The leaked data included 256 usernames, email addresses, and passwords.","Dataloss DB","","2012","40.024967","-75.282905" "May 31, 2012","Paper Street Media, LLC","","Florida","HACK","BSO","6,378","A hacker or hackers accessed Paper Street Media data and posted it online.  A total of 6,209 user names and passwords were posted.  Additionally, 169 emails were posted.","","","2012","27.664827","-81.515754" "April 4, 2012","Mosler Automotive","Riviera Beach","Florida","HACK","BSR","218","A hacker or hackers accessed Mosler Automotive data and posted it online.  A total of 218 usernames and hashed and salted passwords were exposed.","Dataloss DB","","2012","26.775341","-80.058097" "April 11, 2012","ACEware Systems Inc., Lewis-Clark State College, ","Lewiston","Idaho","HACK","EDU","0","An unauthorized party was able to access student records from ACEware Systems' server.  It contained student registration records from the Lewis-Clark workforce training center.   The records included the last four digits of students' Social Security numbers and partial credit card numbers.  
","Dataloss DB","","2012","46.400409","-117.001189" "April 8, 2012","Wilson County School District","Wilson","Tennessee","DISC","EDU","0","The names and schools of students who met with graduation coaches, as well as their reasons for meeting were not completely removed from distributed meeting materials.  ","Dataloss DB","","2012","36.162624","-86.297100" "May 14, 2012","York County, South Carolina","York","South Carolina","HACK","GOV","17,000","Hackers gained access to York County's web application server.  It contained two databases with the information of 17,000 job applicants and vendors.  The first database contained about 12,500 names from as far back as 15 years ago.  The second database was newer and contained information that had been collected up until August 29, 2011.  The intrusion was discovered by the county on August 29 and no new applicants or vendors were affected by the breach.  Those who may have been affected were not notified until after a thorough investigation by York County's IT department.  No definitive evidence was found for a breach after the nine-month investigation.","Dataloss DB","","2012","34.994302","-81.242018" "April 2, 2012","BJ's Wholesale Club","Westborough","Massachusetts","UNKN","BSR","0","ON or around March 1, 2012, BJ's Wholesale learned that an unauthorized party had used the names, addresses, and membership numbers of an unknown number of members to create new online profiles on BJs.com.  Goods were then fraudulently purchased on the website between November 2011 and March 2012.  The membership profile information that may have been accessed included Social Security numbers.","Dataloss DB","","2012","42.269522","-71.616129" "April 3, 2012","StandardAero","Tempe","Arizona","PORT","BSO","0","The March 20 theft of a laptop and registration forms resulted in the exposure of customer information.  Customer credit card numbers were included in the registration information.  
","Dataloss DB","","2012","33.425510","-111.940005" "April 12, 2012","Triangle Tax Services","Miami","Florida","INSD","BSF","0","A tax preparer for Triangle Tax Services was found to have information in her possession for the purpose of identity theft.  A county deputy pulled the dishonest employee over for a traffic stop and found that she had checks, tax return credit cards, and handwritten names, dates of birth, and Social Security numbers.  She faces at least eight counts of identity theft; though it is unclear how many of her 300 potential victims are connected to Triangle Tax Services.","Dataloss DB","","2012","25.788969","-80.226439" "April 19, 2012","The Commercial Bank","Meridian","Mississippi","INSD","BSF","0","A former bank vice president and branch manager was sentenced for falsifying loans.  She used the names, Social Security numbers, and other personal information of family members and bank customers to falsify financial documents between June of 2008 and May of 2009.  The woman's fraudulent activities were discovered in 2009 and she eventually pled guilty on February 3, 2012.  Her charges included mail fraud, wire fraud, bank fraud, and aggravated identity theft.  The dishonest employee was sentenced to 51 months in federal prison, three years of supervised release, and ordered to pay $237,657.88 in restitution.","Dataloss DB","","2012","32.364310","-88.703656" "April 24, 2012","University of Houston College of Optometry Clinic, La Nueva Casa de Amigos Eye Clinic","Houston","Texas","HACK","MED","7,000","The University of Houston College of Optometry became aware that one of their computers was infected with a virus on February 23, 2012.  The person responsible for the breach may have been able to access the information for 24 hours.  Patient records dating between January 2006 and February 13, 2012 could be accessed from the computer.  
Patient names, phone numbers, addresses, dates of birth, insurance information, future appointments, current medications, diagnoses, treatment information, vision test results, vision history information, letters from referring doctors, costs of medical services or goods, method of payment, occupation/job, gender, and languages spoken were in the patient records.","PHIPrivacy.net","","2012","29.760193","-95.369390" "March 24, 2012","CVS Caremark","Woonsocket","Rhode Island","DISC","BSR","3,482","People who were members of Tufts Health Plan (Tufts Associated Health Maintenance Organization, Tufts Insurance Company) received letters meant for other members.  A programming error caused the addresses of members to be incorrect.  Names, medical conditions, and medications were exposed.","PHIPrivacy.net","","2011","42.002876","-71.514784" "April 17, 2012","Office of Dr. William F. DeLuca Jr. ","Latham","New York","PORT","MED","577","The theft of a laptop on or around January 16, 2012 resulted in the exposure of patient protected health information.  The incident was reported in the HHS website.","Dataloss DB","","2012","42.747023","-73.759009" "April 9, 2012","Ernst & Young LLP, Cisco Systems, Inc.","New York","New York","PORT","BSF","0","Cisco's service provider Ernst & Young experienced a breach involving the information of current and former Cisco employees on March 26.  On March 28, Cisco learned that a laptop with employee names, Social Security numbers, addresses, and the stock administration information of a select few had been stolen from an Ernst & Young employee's home.","Dataloss DB","","2012","40.714353","-74.005973" "April 13, 2012","The Home Depot","Suwanee","Georgia","INSD","BSR","36","A dishonest employee accessed HR information with the intention of misusing the information to obtain fraudulent credit.  
At least 36 Home Depot employees had their names, Social Security numbers, contact information, driver's license numbers, and possibly their financial account information accessed.  The incident was discovered on March 15.","Dataloss DB","","2012","34.051490","-84.071300" "April 23, 2012","F1-racers.net","Vancouver","Washington","HACK","BSR","72","Hackers launched an attack against the Formula One website in response to a decision to stage the Grand Prix in Bahrain.  In addition to a denial of service attack on the official website, government websites were also attacked.  The hackers managed to access a database with the names, passport numbers, email addresses, and home addresses of people who purchased tickets for the Grand Prix.  The information the hackers posted was altered to protect privacy.","Dataloss DB","","2012","45.638728","-122.661486" "April 26, 2012","North East School of the Arts","San Antonio","Texas","PORT","EDU","1,253","An April 19 car burglary resulted in the exposure of student information.  An external hard drive containing letters associated with students who applied to the North East School of the Arts was stolen from a teacher's car.  The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.","Dataloss DB","","2012","29.424122","-98.493628" "April 28, 2012","TwoPlusTwo.com","Henderson","Nevada","HACK","BSO","0","A hacker accessed passwords and associated email addresses of users of Two Plus Two Forums.  It is unclear what types of data and how much were accessed.  
Anyone who used the same email and password combination for Two Plus Two Forums and other sites should change their password for Two Plus Two Forums as well as the other sites.","Dataloss DB","","2012","36.039525","-114.981721" "April 13, 2012","State University of New York - Brockport College","Brockport","New York","HACK","EDU","200","Hackers accessed Brockport College's payment system by inserting malware into Brockport College's computer system.  Anyone who made a purchase on the campus may have had their credit or debit account information exposed.  Brockport College responded by switching to cash payment for all purchases for the rest of the school term.","Dataloss DB","","2012","43.213671","-77.939180" "April 27, 2012","Three Rivers Park District","Maple Plain","Minnesota","HACK","GOV","82,000","Hackers were able to access the user names and passwords located on the Three Rivers Park District database.  Anyone who has ever made a reservation or registered for a program associated with the district's 21 parks was affected.  No financial information, names, or addresses were exposed.  The breach was discovered on April 19 and immediately addressed.","Dataloss DB","","2012","45.007222","-93.655833" "April 28, 2012","Taco Bell, McDonald's, Wrigley Field, Ralph Lauren Restaurant (RL Restaurant)","Chicago","Illinois","INSD","BSR","0","Six defendants face criminal charges for their roles in a fraud ring that utilized skimming devices in the Chicago area.  Some of the defendants were dishonest employees who used a skimming device to read and record customer information as customers made purchases.  Others recruited these dishonest employees and some used the card information to make fake cards and fraudulent purchases.","Dataloss DB","","2012","41.878114","-87.629798" "April 10, 2012","Case Western Reserve University","Cleveland","Ohio","PORT","EDU","600","The campus theft of two university-issued laptops resulted in the exposure of alumni information.  
Though University policy required data security measures, the laptops were not encrypted and did not have a program installed that would allow sensitive information to be deleted remotely.  Master's of arts and bachelor's of arts alumni from 1987 through the date of the theft were affected.  ","Databreaches.net","","2012","41.499495","-81.695409" "September 19, 2011","New York University Langone Medical Center Hospital for Joint Diseases (HJD)","New York","New York","PHYS","MED","2,600","Paper tracking records of tissue issued in orthopaedic surgeries performed at HJD in 2009 and 2010 were mistakenly discarded on or around June 23.  It appears that the papers were then compacted and buried in a landfill rather than properly disposed.  Patients who were affected had their name, date of birth, gender, hospital, date of surgery, and clinical surgery information exposed.  ","HHS via PHIPrivacy.net","","2011","40.714353","-74.005973" "June 29, 2012","www.ThePartsBin.com","Ord","Nebraska","HACK","BSR","0","The servers of ThePartsBin.com were hacked between April 9 and June 12, 2012.  Customer names and credit card information may have been exposed.  ","California Attorney General","","2012","41.602500","-98.930000" "April 28, 2010","Accretive Health","Roseville","Minnesota","PORT","MED","0","An employee's laptop was stolen from a rental car that was left unattended in a restaurant parking lot.  The theft occurred on June 2, 2010.  The laptop was rendered inoperable within two hours of the discovery of the theft.  It contained data related to Fairview health system billing issues and was encrypted.  ","PHIPrivacy.net","","2012","45.006077","-93.156611" "July 2, 2012","Restart Behavioral Health Care","Greenville","North Carolina","PHYS","MED","0","Sensitive paperwork was left in a publicly accessible dumpster after Restart Behavioral Health Care moved to a new location. 
Contact information and financial information such as email addresses, phone numbers, names, and check receipts could be found.  Social Security card information and Medicaid numbers were also in the dumpster.  A local news team contacted the owner of Restart.  He refused to comment on the situation, but demanded the return of the documents.","PHIPrivacy.net","","2012","35.612661","-77.366354" "July 2, 2012","Dayton VA Medical Center","Dayton","Ohio","PHYS","GOV","16","Documents with Social Security numbers, dates of birth, and other sensitive information were found in the home of a deceased VA employee in May.  The records were found in a box in the attic of the home.  It is unclear why the employee took the information home.","PHIPrivacy.net","","2012","39.758948","-84.191607" "July 2, 2012","University of Texas M.D. Anderson Cancer Center (M.D. Anderson)","Houston","Texas","PORT","MED","30,000","A laptop with sensitive patient information was stolen from the home of an M.D. Anderson faculty member on April 30.  The laptop was not encrypted and contained patient names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers.  Notifications were mailed to patients who were affected on June 28.","PHIPrivacy.net","","2012","29.760193","-95.369390" "July 2, 2012","San Jose State University (SJSU) Associated Students","San Jose","California","HACK","EDU","0","A hacker was able to access SJSU's Associated Students information.  Associated Students is a student-run non-profit that manages and hosts many SJSU campus services, but its IT infrastructure is separate from SJSU's.  The hacker claimed to have 10,000 student Social Security numbers and driver's license numbers, but it is unclear if this information was actually exposed.  The hacker claimed to use an SQL injection to access the information.  
In addition to Social Security numbers and driver's license numbers, information such as administrative materials, job applications, work schedules, email addresses and passwords from the past 10 years may have been accessed. SJSU denies that information this sensitive was accessed.","Databreaches.net","","2012","37.339386","-121.894956" "July 2, 2012","University of Florida","Gainesville","Florida","DISC","EDU","220","The information of former students and applicants was available online.  Former students and applicants who signed up for a roommate service online through Levin College of Law in the early 2000s had their Social Security numbers exposed.  The breach was discovered in May of 2012; the College of Law stopped using the software for the roommate service in the mid-2000s. Former students and applicants were mailed notifications on June 25.","Databreaches.net","","2012","29.651634","-82.324826" "July 2, 2012","Chinese Gourmet Express","Roseville","Minnesota","CARD","BSR","300","Police are investigating an identity theft and credit and debit card skimming operation involving a Chinese Gourmet Express.  A total of $100,000 in losses caused by fraudulent payment card charges had been reported by financial institutions.  At least 300 mall employees and shoppers reported fraudulent transactions between March and June.  ","Databreaches.net","","2012","45.006077","-93.156611" "March 9, 2012","McDonald's","Tulsa","Oklahoma","INSD","BSR","282","A dishonest McDonald's employee confessed to using a handheld skimming device for three weeks to capture drive-thru customer credit and debit card numbers. He then passed the information along to others who used the numbers to produce fraudulent cards and make purchases.  A total of 282 card numbers were discovered on a suspect's laptop. UPDATE (07/02/2012): The former employee pleaded guilty to an aggravated identity-theft charge.  He agreed to playing a part in causing a total loss of more than $51,000. 
Four other defendants were first caught in October of 2011.  They were arrested on suspicion of trying to buy merchandise with counterfeit cards and were caught with a laptop that contained stolen credit and debit card numbers.","Dataloss DB","","2012","36.153982","-95.992775" "July 2, 2012","Groupon","Chicago","Illinois","DISC","BSR","170","An ongoing flaw in Groupon's email link encryption exposes the emails of some Groupon users when specific terms are added into Google searches of Groupon's site.  Groupon believes that the problem is caused by users publicly pasting their Groupon deals online.  Groupon is working on a solution to exclude the results.","Databreaches.net","","2012","41.878114","-87.629798" "April 8, 2012","Contempo Enterprises, LLC","West Des Moines","Iowa","HACK","BSO","330","A hacker or hackers accessed and posted sensitive Contempo Enterprises information online.  Login credentials, names, email addresses, and customer data were exposed.","Dataloss DB","","2012","41.577212","-93.711332" "April 25, 2012","University of Alabama - Birmingham (UAB)","Birmingham","Alabama","DISC","EDU","8,000","People who were undergraduate students at UAB between 1995 and 2006 may have had their information accessed online.  The information included Social Security numbers and academic records.  It was accidentally made available on a publicly accessible server for an unspecified amount of time.  The breach was discovered on March 27. ","Dataloss DB","","2012","33.520661","-86.802490" "April 5, 2012","Experian, Crown Financial Group","Costa Mesa","California","UNKN","BSF","2,067","An unauthorized user or users was able to access credit reporting information after managing to pass Experian's authentication process.  The unauthorized access incidents took place sometime between August 2, 2011 and August 9, 2011. 
Consumers may have had their names, addresses, Social Security numbers, years of birth, and account numbers exposed.","Dataloss DB","","2012","33.641132","-117.918669" "July 4, 2012","North Point Dental Care","Winston Salem","North Carolina","INSD","MED","10,000","The owner of North Point Dental accused a former colleague of stealing the information of about 10,000 current and former patients.  The men worked together on a political campaign and the former colleague used the patient information to call patients for campaign support as part of his role as the campaign manager.  The former campaign manager countered that he had received an email from the dentist encouraging him to take information from an office computer and use it to call the patients.  Patients had their names, email addresses, treatment dates, and home addresses distributed to third parties.  The information was also uploaded to an online data storage service.","PHIPrivacy.net","","2012","36.099860","-80.244216" "April 13, 2012","American Stock Transfer & Trust Company, LLC","Brooklyn","New York","DISC","BSF","0","Mail packages containing the beneficiary statements of certain shareholders for the year of 2011 were mailed to incorrect addresses on April 2, 2012.  The statements contained names, tax identification numbers of the intended shareholders, and addresses.  Shareholders of a single, unnamed issuer that used American Stock Transfer as a sub-transfer agent most likely had their information mailed to a different shareholder than the shareholder listed on the beneficiary statement.","Dataloss DB","","2012","40.650000","-73.950000" "April 26, 2012","Claire's Stores","Hoffman Estates","Illinois","PORT","BSR","150","A CD-ROM disk with IRS W-2 information for Claire's employees was discovered missing from a designated human resources-only area.  Claire employee Social Security numbers, 2011 salary, and other W-2 information were on the disk. 
A total of 150 New Hampshire residents were notified of the breach, but the total number of affected individuals nationwide was not revealed.","Dataloss DB","","2012","42.062992","-88.122720" "April 18, 2012","Knoxville Medical Clinic, DRD Management","Knoxville","Tennessee","PHYS","MED","1,000","A former employee took paper documents with patient information without permission.  It is unclear if the former employee meant to use the information for fraud purposes.  Patient names, dates of clinic visits, dates for scheduled opiate addiction dosages, and the dosage amounts were in the paper documents.  The documents were recovered.","Dataloss DB","","2012","35.960638","-83.920739" "April 10, 2012","Seton Healthcare Family, HealthLOGIX","Austin","Texas","DISC","MED","555","A computer mailing error caused Seton member Medicaid health plan cards to be sent to incorrect addresses.  The cards were mailed by Seton's vendor HealthLOGIX on March 9. Seton became aware of the breach when members began calling about receiving the incorrect cards a week after the mistake.  Seton Health Plan members enrolled in the STAR/Medicaid plan were affected and may have had their names and dates of birth exposed.","PHIPrivacy.net","","2012","30.267153","-97.743061" "April 12, 2012","Rhinebeck Health Center, Center for Progressive Medicine","Rhinebeck","New York","HACK","MED","6,745","On February 15, 2012, Rhinebeck learned that their unnamed computer vendor experienced a computer security breach.  An unauthorized party or parties may have accessed any patient information between November 15, 2011 and December 14, 2011 that was on the Rhinebeck and Center for Progressive Medicine computer network.  Patient full names, Social Security numbers, dates of birth, home addresses, phone numbers, account information, health insurance information, credit card information, laboratory tests, and diagnosis information may have been exposed. 
Anyone who visited either center between January 1, 2002 and December 22, 2011 may have been affected.","Dataloss DB","","2012","41.931829","-73.907437" "April 17, 2012","Catalyst Health Solutions, Alliant Health Plans, Inc.","Calhoun","Georgia","UNKN","MED","632","An unauthorized disclosure resulted in the exposure of protected health information.  The breach occurred on or around January 1, 2012 and was reported on April 17.  This incident was reported on the HHS website.","Dataloss DB","","2012","34.502587","-84.951054" "April 17, 2012","Anchorage Community Mental Health Services, Inc.","Anchorage","Alaska","UNKN","MED","2,743","An unauthorized disclosure involving a computer or computers resulted in the exposure of protected health information.  The breach occurred sometime between December 20, 2011 and January 4, 2012.  This breach was reported on the HHS website.","Dataloss DB","","2012","61.218056","-149.900278" "May 29, 2012","Investacorp, Inc.","Miami","Florida","DISC","BSF","0","A vendor of the broker-dealer, National Financial Services (NFS), used by Investacorp was involved in a data security breach.  On or around March 12, 2012, Investacorp learned that an NFS vendor had inadvertently shared electronic files with another federally regulated broker-dealer that also uses NFS's services.  The incident occurred on November 29, 2011 and was first noticed on February 13, 2012. The information included client names, Social Security numbers, and certain types of account data. Five Investacorp clients from California may have been affected, but the total number of affected individuals nationwide was not reported.  The vendor responsible for the mistake worked with the other broker-dealer to delete the client files from their system. Investacorp then received an executed affidavit from the broker-dealer certifying the destruction of the electronic files.  
","California Attorney General","","2012","25.788969","-80.226439" "March 3, 2012","University of Washington","Seattle","Washington","HACK","EDU","56","A team of hackers revealed that they had attacked the University of Washington's system with multiple SQL injections.  The first one was detected and fixed by the University of Washington, but a second one went unnoticed.  The team of hackers released 31 login and password combinations from a user database and 25 WordPress user login, password, and email address combinations.  The attack comes a few weeks after a hacker identified nearly 20 university systems that were vulnerable to SQLi attacks.","Databreaches.net","","2012","47.606210","-122.332071" "March 7, 2012","Gila County Health and Emergency Services (Payson WIC Office)","Payson","Arizona","PHYS","GOV","1,000","A woman found thousands of applications for Women, infants, and Children (WIC) support in a dumpster.  Around 1,000 documents were originally reported in the dumpster.  Additional documents were discovered when a local news team joined the woman at the dumpster a few days later. The applications included copies of drivers licenses, Social Security numbers, medical information, and many other types of sensitive information.  An employee of the state agency said that the forms would normally be properly shredded, but were thrown out in a hurry without being checked.","Databreaches.net","","2012","34.230868","-111.325136" "March 4, 2012","Cambridge Eastern Education and Development Society (CEEDS)","Seattle","Washington","HACK","EDU","13","A hacker or hackers accessed and posted the database information of Cambridge Eastern Education and Development Society (CEEDS) online.  
The leaked data included 12 email addresses and one administrator login and (salted) password combination.","Dataloss DB","","2012","47.606210","-122.332071" "March 4, 2012","Epson America","Long Beach","California","HACK","BSR","66","A hacker or hackers accessed and posted the database information of Epson online.  The leaked data included 66 administrator user logins and password combinations.  Many of the passwords were weak and stored in an easily readable plain-text format.","Dataloss DB","","2012","33.768321","-118.195617" "March 7, 2012","University of California Los Angeles (UCLA)","Los Angeles","California","HACK","EDU","168","Hackers accessed and posted the usernames and passwords of individuals who had access to the UCLA.edu MySQL database. A total of 128 regular users had their names, titles, email addresses, logins, and password hashes posted online. Additionally, the IDs, usernames, salts, and password hashes from 37 staffers were posted online. Three database users also had their usernames and password hashes posted online.","Dataloss DB","","2012","34.052234","-118.243685" "March 9, 2012","Gaming Perfection","Bronx","New York","HACK","BSO","1,784","A hacker or hackers accessed and posted the database information of Gaming Perfection online.  A total of 1,784 email addresses, passwords with associated salts, and usernames were exposed.","Dataloss DB","","2012","40.850000","-73.866667" "March 18, 2012","National Capital Planning Commission (NCPC)","Washington","District Of Columbia","HACK","GOV","21","A hacker or hackers accessed and posted the database information of NCPC online.  A total of 21 names, email addresses, telephone numbers, passwords, and job titles were leaked.","Dataloss DB","","2012","38.895112","-77.036366" "March 9, 2012","LifeSize Communications","Austin","Texas","STAT","BSR","0","A computer that contained unencrypted personal information was stolen from LifeSize Communications on January 26, 2012.  
Names, Social Security numbers and other information were on the stolen computer.  Those who were affected were sent notifications on March 9.","Dataloss DB","","2012","30.267153","-97.743061" "March 15, 2012","Iran Defense Forum, Irandefence.net","Plano","Texas","HACK","NGO","3,212","A hacker or hackers accessed and posted the database information of Irandefence.net online.  The leaked information included usernames, email addresses, passwords, and associated password salts.","Dataloss DB","","2012","33.019843","-96.698886" "November 4, 2011","Harvard University Health Services, Anna Jaques Hospital, Lowell General Hospital, Saints Medical Center","","Massachusetts","PHYS","MED","0","Two men were arrested for posing as employees of an X-ray removal company in order to steal old X-ray films.  The two men hit multiple locations.  It is believed that their primary focus was the silver contained in the films, however patient medical and personal information was also linked to the X-ray films.  Around 1,000 X-rays were stolen from Harvard University Health Services and a barrel of X-rays was taken from Anna Jaques Hospital.  The men were charged with conspiracy and larceny from a building. The thefts occurred in August, but it is unclear how many other organizations were affected. The men were also linked to a crime or crimes in New Hampshire. UPDATE (03/05/2012): The men were tied to thefts and theft attempts at Anna Jaques Hospital in Newburyport and Saints Medical Center in Lowell.  ","HHS via PHIPrivacy.net","","2011","42.407211","-71.382437" "March 16, 2012","Arizona Sports Fans, Arizonasportsfans.com","Bernardsville","New Jersey","HACK","BSO","8,855","A hacker or hackers accessed and posted database information from arizonasportsfans.com online.  
The leaked information included email addresses, passwords, salts for passwords, and usernames.","Dataloss DB","","2012","40.718712","-74.569324" "March 19, 2012","Adult Insider Network, Adultinsider.com","Killeen","Texas","HACK","BSO","10,704","A hacker or hackers accessed and posted information from the adultinsider.com database online.  The leaked information included email addresses, passwords with associated salts, and usernames.","Dataloss DB","","2012","31.117119","-97.727796" "March 15, 2012","vBCoderz.com","Provo","Utah","HACK","BSO","1,290","A hacker or hackers accessed and posted the database information of vBCoderz.com online.  A total of 1,290 email addresses, usernames, and passwords with associated salts were exposed.","Dataloss DB","","2012","40.233844","-111.658534" "March 21, 2012","Georgetown University Hospital","Washington","District Of Columbia","PORT","MED","1,549","A technician's USB thumb drive with patient information was misplaced at Georgetown University Hospital.  People who were associated with the Department of Laboratory Medicine and visited the Hospital between September of 2004 and September of 2009 may have had their names, medical record numbers, dates of birth, blood types, dates of blood tests, blood test results, summary of clinical histories, and clinician names exposed. The thumb drive was last seen on September 9, 2011, and was discovered missing on the morning of September 14, 2011.","PHIPrivacy.net","","2012","38.895112","-77.036366" "March 21, 2012","Comfort Inn & Suites","San Antonio","Texas","PHYS","BSO","500","Police officers discovered a large number of credit card receipts and other items during a traffic stop in June of 2011.  The driver was then arrested and admitted to using stolen credit card receipts from Comfort Inn & Suites to make fraudulent credit cards.  He had stolen around 500 receipts and successfully used two counterfeit credit cards.  
He was sentenced to five years and 10 months in federal prison and ordered to pay $3,606 in restitution. UPDATE (03/22/2012): Additional credit card receipts were found and connected to Brownsville, Texas.","Databreaches.net","","2012","29.424122","-98.493628" "March 9, 2012","Bad Boy Tires","","Massachusetts","HACK","BSR","111","A hacker or hackers accessed and posted database information from Bad Boy Tires online.  A total of 111 names, emails, postal addresses, phone numbers, and plain-text passwords were exposed.","","","2012","42.407211","-71.382437" "March 17, 2012","Georgia Obstetrical and Gynecological Society","Suwanee","Georgia","PORT","MED","1,000","Two laptops with member information were stolen during an office burglary. Financial and other administrative information were also on the laptops. The laptops did not contain any patient information. It is unclear if the theft of the equipment was politically motivated. UPDATE (3/26/2012): The breach appears to have been politically motivated.  Two other OB-GYNs had laptops stolen from their offices after speaking out against a controversial Georgia bill.","Databreaches.net","","2012","34.051490","-84.071300" "March 28, 2012","Hawaii Community Federal Credit Union (HCFCU)","Kailua-Kona","Hawaii","INSD","BSF","0","An HCFCU member filed a complaint in 2011 after suspecting that their information had been improperly used for an HCFCU board nomination process. It became apparent that several employees had added names to nomination petitions, then went to credit union members to have them sign the petitions. Fewer than 500 of the 40,000 HCFCU members had their account information and the last four digits of their Social Security numbers accessed. The employees involved were disciplined and/or had their employment terminated. 
HCFCU employees are now required to go through a new training process to reinforce policies that prohibit accessing members' information.","Dataloss DB","","2012","19.640556","-155.995556" "March 29, 2012","Greenville County School District","Greenville","South Carolina","PHYS","GOV","100","A filing cabinet that was full of personnel information was accidentally locked, wrapped, and shipped to a prison in February of 2012.  The prison supervisor unlocked the filing cabinet, noticed that it still contained files, and immediately sent it back.  Employee driver's license and Social Security numbers were in the cabinet.","Dataloss DB","","2012","34.852618","-82.394010" "March 28, 2012","Douglas County Probation Office","Omaha","Nebraska","PHYS","GOV","0","A county clerk was the victim of a car theft. She had left sensitive documents for homicide trials in the trunk of her car.  The documents were recovered from the car wreckage.  Personal information for police officers associated with the homicide trials and names and addresses of witnesses could have been exposed. Documents will be scanned and never physically taken from the courthouse again as a result of the breach.","Dataloss DB","","2012","41.252363","-95.997988" "March 30, 2012","Eclipse AeroSpace","Albuquerque","New Mexico","HACK","BSO","0","A hacker or hackers accessed and posted Eclipse AeroSpace database information online.  The leaked information included email addresses, usernames, names, and passwords.  ","Dataloss DB","","2012","35.084491","-106.651137" "March 30, 2012","Savvyinsider.com","Trenton","New Jersey","HACK","BSO","24","A hacker or hackers accessed and posted savvyinsider.com database information online.  A total of 24 usernames, email addresses, and passwords were exposed.","Dataloss DB","","2012","40.217053","-74.742938" "July 12, 2012","SwedishAmerican Hospital","Rockford","Illinois","PHYS","MED","0","Around 1,500 X-ray films were stolen from SwedishAmerican Hospital on May 31. 
Someone claiming to be the person responsible for picking up and destroying the films was able to steal them.  Patient names, medical record numbers, dates of service, and dates of birth were exposed. Representatives believe the risk of identity theft is low since extracting the silver from X-ray films is usually the motive for similar thefts.","PHIPrivacy.net","","2012","42.271131","-89.093995" "July 12, 2012","Scripps College Financial Aid Office","Claremont","California","INSD","EDU","0","A former employee of Scripps College allowed a personal contact outside of the College to access financial aid application information.  The issue was discovered during a review of Scripps College Financial Aid Office processes.  It appears that the former employee shared the information to obtain assistance in evaluating applications and preparing potential aid packages.  Names, Social Security numbers, dates of birth, and other financial information may have been exposed at various times between 2008 and 2012.","California Attorney General","","2012","34.096676","-117.719779" "July 16, 2012","Pulaski Bank, Pulaski Financial","Creve Couer","Missouri","INSD","BSF","0","Three former Pulaski employees are accused of accessing and exporting the mortgage data of customers.  A former loan officer emailed a large file to an outside email account a month before leaving Pulaski.  A former closing supervisor also allegedly transferred documents onto a portable electronic storage device before resigning.  The data appears to have been taken to a competitor.  Pulaski Financial filed a lawsuit against three former employees and their possible new employer, First State Bank of St. Charles, Missouri.","Databreaches.net","","2012","38.660886","-90.422618" "April 20, 2012","Office of Dr. Rex Smith","Eugene","Oregon","STAT","MED","20,915","An office burglary that occurred on or around February 19 resulted in the theft of medications and a computer.  
The computer contained patient names, Social Security numbers, and dates of birth. It is unclear if the computer was encrypted.  The total number of patients affected and all types of information exposed are also unclear.","PHIPrivacy.net","","2012","44.052069","-123.086754" "July 17, 2012","Awklein","","California","PHYS","MED","2,000","Sensitive health information in an unspecified format was stolen or discovered stolen on or around February 1, 2011. The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2012","36.778261","-119.417932" "July 17, 2012","St. Mary Medical Center","","California","PORT","MED","3,900","An unencrypted thumb drive was lost on May 7 and discovered missing on May 8.  It contained the names, account numbers, diagnoses, dates of admission and discharge, physician's name, account numbers, and medical record numbers of patients.  It is unclear if only one Saint Mary Medical Center in California was affected, and if so, which one.  The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2012","36.778261","-119.417932" "July 17, 2012","Office of Dr. Stephen Haggard, DPM Podiatry","Federal Way","Washington","STAT","MED","1,597","A theft, possibly of a network server, resulted in the exposure of sensitive patient health information.  The theft occurred on or around March 4, 2012 and notifications were available for a limited time after April 22. The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2011","47.322322","-122.312622" "July 17, 2012","Safe Ride Services, Inc. ","Phoenix","Arizona","INSD","MED","42,000","A former employee may have accessed computer systems without authorization and accessed service files.  The incident or incidents occurred between August 31, 2011 and January 31, 2012. Employee personal information as well as patient demographic and insurance information were exposed.  
It is unclear if the former employee was currently employed at the time of the incidents.  The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2012","33.448377","-112.074037" "July 17, 2012","SHIELDS For Families","Los Angeles","California","STAT","MED","961","A February 27 office burglary resulted in the theft of a computer server.  Sensitive client health information such as dates of birth, addresses, treatment plans, and other types of personal information were exposed.  The server was not recovered, but the theft was discovered the next morning and a police report was filed. The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2012","34.052234","-118.243685" "July 17, 2012","Hogan Services Inc.","Saint Louis","Missouri","HACK","BSO","1,134","An email or emails with sensitive health information related to a health care premium plan was mistakenly emailed to or accessed by unauthorized people.  The incident occurred or was discovered sometime around March 30, 2012.  The incident was posted on the HHS website on June 8.","HHS via PHIPrivacy.net","","2012","38.627003","-90.199404" "July 14, 2012","Orcutt Burger Restaurant","Orcutt","California","CARD","BSR","0","People who used debit cards to make purchases at Orcutt Burgers may have had their information stolen.  Coast Hills Federal Credit Union sent out an alert to clients and reissued an unspecified number of debit cards.  It is unclear how the debit card data was accessed and how long the information was at risk.  
It is also unclear if credit cards were also compromised.","Databreaches.net","","2012","34.865257","-120.435997" "January 24, 2012","New York State Electric & Gas (NYSEG), Rochester Gas and Electric (RG&E), Iberdrola USA","Rochester","New York","DISC","GOV","1,245,000","An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party.  Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed.  A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected.  An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected. UPDATE (07/12/2012): The Department of Public Service reviewed the NYSEG/RG&E incident and concluded that there was no evidence that any confidential customer information was misused.  In addition, the Department of Public Service recommended that both companies further refine their policies, processes, and procedures regarding confidentiality safeguards.  The companies were ordered to send plans for handling the costs incurred in responding to the breach and progress reports about the implementation of recommendations.","Databreaches.net","","2012","43.161030","-77.610922" "July 10, 2012","Puerta Grande","Winchester","Kentucky","HACK","BSR","50","Customers who used their debit and credit cards at Puerta Grande may have had their payment card information stolen by hackers.  Between 50 and 100 people reported fraudulent activity on their payment cards after visiting the restaurant. The restaurant stopped accepting payment cards until a new and secure system could be installed.  
Only one of the three Puerta Grande restaurants in Winchester was affected.","Databreaches.net","","2012","37.990079","-84.179650" "July 12, 2011","Toshiba, Toshiba America Information Systems, Inc. (TAIS)","Irvine","California","HACK","BSR","7,971","Eleven admin email addresses with corresponding plain-text passwords and ID numbers were posted online.  A total of 451 email addresses and plain-text passwords were posted.  The hacking group VOID claimed responsibility. UPDATE (7/18/2011): Toshiba confirmed that records of 7,520 customers were hacked. Customers may have had their email addresses, passwords and phone numbers taken.  It was confirmed that 681 customers had their email addresses and passwords taken. ","Databreaches.net","","2011","33.683947","-117.794694" "March 5, 2012","Digital Playground","Van Nuys","California","HACK","BSR","72,794","A group of hackers accessed customer details, credit card numbers, and administrator information.  At least a) 28 administrator names, usernames, email addresses, and encrypted passwords, b) 85 affiliate usernames, plain-text passwords, c) 100 user email addresses, usernames, and plain-text passwords, and d) 82 .gov and .mil email addresses and plain-text passwords were posted. The hackers criticized the ease of obtaining the credit card numbers, expiration dates, cvvs, and customer billing addresses which were all in plain text.  The hackers chose not to post customer credit card numbers.","Databreaches.net","","2012","34.189857","-118.451357" "July 13, 2012","American Express Travel Related Services Company, Inc. (AXP)","Los Angeles","California","CARD","BSF","27,257","A man was arrested in his Los Angeles home for allegedly purchasing and using stolen payment card numbers.  The credit and debit card numbers from American Express, Visa, MasterCard, and Discover were in the man's possession between January 11, 2012 and February 26, 2012.  
The payment card numbers came from hacking the computer systems of a restaurant and a restaurant supply business in the Seattle area.  Two people who were associated with the hacking incidents had already been arrested. The man who purchased the payment card numbers is charged with conspiracy to access protected computers to further fraud, to commit access device fraud, and to commit bank fraud; eight counts of bank fraud; six counts of access device fraud; five counts of aggravated identity theft; and two counts of accessing a protected computer without authorization.UPDATE (07/20/2012): Customer names and payment card expiration dates were also compromised.","Databreaches.net","","2012","34.052234","-118.243685" "July 20, 2012","Israel Deaconess Medical Center","Boston","Massachusetts","PORT","MED","3,900","The May 22 office theft of a physician's laptop resulted in the exposure of patient information. It is unclear what type of information was on the laptop, but the chief information officer said that ""nothing that would be used from an identity theft perspective"" was on the laptop.","PHIPrivacy.net","","2012","42.358431","-71.059773" "May 30, 2012","American Pharmacist Association (APhA), Pharmacist.com","Washington","District Of Columbia","HACK","NGO","28,000","Hackers associated with the group Anonymous posted donations, emails, personal account information, server information, and other information from APhA's online database.  The hackers also claim to have accessed the records of 16,000 patients by hacking the website, but did not post that information. Anonymous claims that the organization was targeted due to its connection to government officials.UPDATE (6/09/2012): Some names and addresses were also posted.  The data posted included information on over 28,000 visitors, donors, and members.UPDATE (07/18/2012): The website was defaced on May 28.  APhA immediately noticed and shut down the website and related computer servers.  
However, names, addresses, and credit card information (excluding security codes) stored on computer servers may have been accessed between April 23 and May 28.","Dataloss DB","","2012","38.895112","-77.036366" "July 19, 2012","Department of Health and Human Services Maine","Augusta","Maine","DISC","GOV","79","A computer system glitch caused the personal information of public assistance applicants to be sent to random addresses in the department's system.  The error occurred in December, but was not noticed until June.  Multiple rounds of forms had been mailed out by that time.  A total of 31 forms contained the Social Security numbers, bank account numbers, and other information of 79 household members.","PHIPrivacy.net","","2012","44.310624","-69.779490" "July 19, 2012","Yale University","New Haven","Connecticut","HACK","EDU","1,200","Hackers accessed at least one Yale database and obtained the details of 1,200 students and staff.  Hackers may have obtained names, Social Security numbers, addresses, and phone numbers. Additionally, usernames, passwords, and email addresses were published as proof of the hack.","Databreaches.net","","2012","41.308153","-72.928158" "June 20, 2011","Dropbox","San Francisco","California","HACK","BSR","0","At least one customer reported a glitch that allowed users to log into the accounts of other users without using a valid password. The bug that affected the password authentication mechanism was active from 1:54pm to 5:46pm Pacific time on June 19, 2011.UPDATE (6/30/2011): It appears that an intrusion created the security issue that allowed people to log into user accounts without using a password. Someone logged into multiple customer accounts without authorization on June 19, 2011.  Fewer than 100 customers had data downloaded from their Dropbox accounts.UPDATE (7/15/2011): A class-action suit was filed that claims Dropbox Inc. failed to secure users' private data or to notify the majority of them about the breach.  
The plaintiff class would consist of all current or former Dropbox users as of June 19, 2011 whose accounts were breached.  Dropbox Inc. is accused of violating California's unfair-competition law, invasion of privacy (including intrusion), public disclosure of private facts, misappropriation of likeness and identity, violation of the state constitutional right to privacy, negligence, and breach of express and implied warranties.  The legal citation is Wong et al. v. Dropbox Inc., No. 11-CV-3092-LB, complaint filed (N.D. Cal. June 22, 2011) ","Dataloss DB","","2011","37.774930","-122.419416" "April 5, 2011","MidState Medical Center","Hartford","Connecticut","PORT","MED","93,500","A former Hartford Hospital employee misplaced a computer hard drive on February 15. It contained patient names, Social Security numbers, addresses, dates of birth and medical record numbers. Not all of the patients who were affected had their Social Security numbers exposed.UPDATE (04/07/2011): Connecticut's Attorney General and Consumer Protection Commissioner are investigating the breach and data security policies of Hartford Medical Center and Midstate Medical Center.  Additional details reveal that the hospital employee misplaced the computer hard drive after taking it home. The Connecticut Attorney General is asking that affected patients receive two years of credit monitoring services, identity theft insurance and reimbursement for placing and lifting security freezes.UPDATE (07/10/2012): The Connecticut Attorney General has decided to end an investigation of MidState's practices.  
The Attorney General claimed to base his decision to close the investigation with no further action on the fact that the Hospital had taken significant actions on behalf of the affected patients.","PHIPrivacy.net","","2011","41.763711","-72.685093" "July 25, 2012","Oregon State University","Corvallis","Oregon","INSD","EDU","21,000","An unnamed check printing vendor for the University copied data from the University's cashier's office during software upgrades.  The information included 30,000 to 40,000 checks that contained student and employee names, University IDs, check numbers, and check amounts.  Current and former student, faculty, and staff records older than 2004 may have included Social Security numbers. It does not appear that the vendor acted with malicious intent.","Media","","2012","44.564566","-123.262044" "July 23, 2012","Gamigo","Hamburg","","HACK","BSR","3,000,000","Hackers were able to access Gamigo's server in February of 2012.  Notification of the breach was sent on March 1.  Gamigo warned users and advised that they change any passwords for emails associated with Gamigo.  The hacked information was released on July 6.  A total of 8,243,809 user email addresses and encrypted passwords were posted online. ","Media","","2012","53.551085","9.993682" "July 20, 2012","Mission Linen Supply","Santa Barbara","California","HACK","BSR","0","A customer notified Mission Linen Supply of unauthorized charges on the credit cards of several other customers.  Mission Linen Supply discovered that the third party vendor who stores and maintains purchase information for their web stores had a data breach.  The unnamed vendor experienced an unauthorized access of their file servers.  Customers who made online purchases may have had their credit or debit card numbers, expiration dates, and possibly name and other payment card information compromised. 
The customer contacted Mission Linen Supply on June 29, but it is unclear when the vendor experienced the data breach.","California Attorney General","","2012","34.420831","-119.698190" "July 26, 2012","Petco Animal Supplies, Inc.","Chanhassen","Minnesota","PORT","BSR","0","Five laptops were stolen from an unnamed auditor of Petco's 401(k) Plan between May 18 and May 20.  The auditor informed Petco on July 3.  Current and former employee names, Social Security numbers, and other 401(k) account information may have been exposed. Anyone who was issued a Petco paycheck in 2010, had a 401(k) account and received a distribution, or had a fee deducted from their account in 2011 may have been affected.","California Attorney General","","2012","44.861965","-93.532310" "July 27, 2012","Northwestern Memorial Hospital Home Hospice","Chicago","Illinois","PORT","MED","0","A June 11 office burglary resulted in the theft of six laptops and a tablet. One or more of the computer devices included the personal health information of current and former Home Health patients.  Information included names, Social Security numbers, addresses, dates of birth, demographics, patient medical treatment profiles, diagnoses, symptoms, medications, treatment notes, and health insurance information.  The standard laptop security controls had been temporarily suspended on the devices since they were undergoing a software upgrade. ","PHIPrivacy.net","","2012","41.878114","-87.629798" "July 27, 2012","Upper Valley Medical Center, Data Image","Troy","Ohio","UNKN","MED","15,000","A data breach of Data Image's online billing system may have exposed the private information of Upper Valley Medical Center patients.  Names, addresses, hospital account numbers, and balances owed could have been obtained during an 18-month period.  Current and former patients were notified that the breach was discovered on March 21, 2012, but could have occurred as early as October 1, 2010.  
","PHIPrivacy.net","","2012","40.039498","-84.203277" "July 26, 2012","Hillsborough Health Department","Tampa","Florida","INSD","GOV","291","An employee printed and removed sensitive client information for unknown purposes.  The employee was dismissed and steps were taken to reduce the risk of similar employee thefts occurring.  The employee removed the documents on February 15, 2012 and was not discovered until Hillsborough County Health Department was notified on May 25.  Client names, Social Security numbers, dates of birth, phone numbers, patient identification numbers, type of visit, and other protected health information were exposed.","PHIPrivacy.net","","2012","27.950575","-82.457178" "July 27, 2012","Upper Valley Medical Center","Troy","Ohio","PORT","MED","0","The May 16 office theft of a hard drive resulted in the exposure of patient information.  The theft was discovered the next day and a suspect was caught on tape.  Upper Valley Medical Center does not believe any patient information was contained on the hard drive.","PHIPrivacy.net","","2012","40.039498","-84.203277" "July 24, 2012","New York University Langone Medical Center, Office of Dr. Eric C. Parker, Office of Dr. Patrick J. Kelly","New York","New York","STAT","MED","5,000","The May 23 office theft of a desktop computer resulted in the exposure of patient information.  The computer was password protected and had security software, but was not encrypted. Patient names, addresses, dates of birth, telephone numbers, insurance information, and clinical information may have been exposed.  Additionally, approximately 5,000 patients had their Social Security numbers exposed.","PHIPrivacy.net","","2012","40.714353","-74.005973" "July 23, 2012","Office of Dr. Luz Colon, DPM Podiatry","Miami","Florida","PORT","MED","1,137","The theft or loss of a laptop or laptops resulted in the exposure of protected health information.  
The data breach occurred sometime around March 20, 2012, and was reported on July 3, 2012.","HHS via PHIPrivacy.net","","2012","25.788969","-80.226439" "July 23, 2012","Independence Physical Therapy","Mystic","Connecticut","STAT","MED","925","A desktop computer was stolen or discovered stolen on August 1, 2011.  It contained protected health information.  The incident was disclosed on July 3.","HHS via PHIPrivacy.net","","2012","41.354266","-71.966462" "July 23, 2012","Titus Regional Medical Center (TRMC)","Mount Pleasant","Texas","PORT","MED","500","The March 28, 2012 loss of a laptop during a routine patient transportation resulted in the exposure of protected health information.  It was encrypted and password protected.  The laptop was most likely left on the fender of an ambulance and lost during a route.  Patient names, Social Security numbers, addresses, and medical data related to services provided by the EMS department may have been on the laptop. Notice of the breach was given on May 24.","HHS via PHIPrivacy.net","","2012","33.156786","-94.968269" "July 23, 2012","Titus Regional Medical Center (TRMC)","Mount Pleasant","Texas","PHYS","MED","0","The March 29 theft of an unknown number of x-ray films resulted in the exposure of protected health information.  Thieves were able to access the secured storage location that contained the old x-ray films.  These thefts usually occur for the purpose of extracting valuable precious metals from the films by destroying them.  Most of the information on the films was more than five years old.  It is unclear what type of patient information the x-ray films contained, but they did not include Social Security numbers. 
Notice of the breach was given on May 24.","PHIPrivacy.net","","2012","33.156786","-94.968269" "July 23, 2012","Lutheran Community Services Northwest","Bremerton","Washington","STAT","MED","3,040","An office burglary that occurred on or around March 30, 2012 resulted in the theft of several computers and electronic devices.  The computers and devices may have contained the names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth, driver's license numbers, Washington state ID numbers, income or payment information about services, conditions, treatments, or diagnosis information about clients, volunteers, and staff.","HHS via PHIPrivacy.net","","2012","47.570000","-122.652500" "July 23, 2012","West Dermatology","Redlands","California","UNKN","MED","1,900","A theft that occurred sometime around April 22, 2012 resulted in the exposure of protected health information.  The breach was posted on the HHS website on July 3.","HHS via PHIPrivacy.net","","2012","34.055569","-117.182538" "July 23, 2012","Physician's Automated Laboratory","Bakersfield","California","PHYS","MED","745","An office burglary was discovered on March 26.  The theft of lab requisition forms that were kept in a locked cabinet resulted in the exposure of information of patients who received laboratory services between February 1 and March 23.  Patient names, addresses, phone numbers, dates of birth, insurance information, ordering practitioner's name, and types of laboratory tests ordered may have been accessed. ","HHS via PHIPrivacy.net","","2012","35.373292","-119.018713" "July 23, 2012","Volunteer State Health Plan, Inc. (VSHP), Comprehensive Counseling Network","Chattanooga","Tennessee","PHYS","MED","1,102","Envelopes containing BlueCare member protected health information were damaged while being sent to Comprehensive Counseling Network.  Lists of claims containing patient protected health information became separated from the envelopes and were lost. 
Patient names, BlueCare ID numbers, dates of services, procedure codes, claim numbers, totals charged, amounts paid, provider names and provider addresses may have been exposed.  The envelopes also contained checks to pay for medical visits that were listed on the claims, but the checks were not lost.","HHS via PHIPrivacy.net","","2012","35.045630","-85.309680" "July 31, 2012","Massachusetts Mutual Life Insurance Company (MassMutual)","Springfield","Massachusetts","HACK","BSF","0","On July 13, MassMutual inadvertently sent a report via secure email that included client information to an incorrect retirement Plan Sponsor.  Client names, Social Security numbers, and 401(k) balance information were exposed.  The individual who received the plan information informed MassMutual of the error immediately and claimed to have deleted the information without storing or printing it.","California Attorney General","","2012","42.101483","-72.589811" "July 30, 2012","Hartford Hospital, VNA HealthCare, Greenplum","San Mateo","California","PORT","MED","9,558","An employee of Greenplum was robbed of a laptop during a home burglary on or around June 26.  Greenplum is a subsidiary of a hospital vendor known as EMC Corp.  The laptop contained the information of 7,461 VNA HealthCare patients and 2,097 Hartford Hospital patients.  Patients had their names, Social Security numbers, addresses, dates of birth, marital status, Medicaid and Medicare numbers, medical record numbers, and certain diagnosis and treatment information exposed.","PHIPrivacy.net","","2012","37.562992","-122.325525" "July 24, 2012","Wisconsin Department of Revenue","Madison","Wisconsin","DISC","GOV","110,795","An annual sales report contained the Social Security and tax identification numbers of people and businesses who sold property in Wisconsin in 2011.  The report was available online between April 5, 2012 and July 23, 2012 and meant for real estate professionals.  
The report was accessed a total of 138 times before being taken down.  Sensitive seller information was in an embedded file included in a Microsoft Access file which showed sales data. A total of 110,795 sales were made in Wisconsin in 2011, but not everyone who made a sale provided their Social Security or tax identification number for the paperwork.","Media","","2012","43.073052","-89.401230" "July 12, 2012","Yahoo! Voices","Sunnyvale","California","HACK","BSO","453,492","A hacker or hackers used an SQL injection technique to access the plain-text passwords of over 450,000 Yahoo! Voices (formerly known as Associated Content) users.  The information was then posted online.  Yahoo! Voice users are encouraged to change their Yahoo! passwords immediately. Users from as far back as 2006 or earlier may have had their passwords exposed. UPDATE (08/02/2012): A Yahoo! user is suing Yahoo! Inc. for negligence.  The user claims that Yahoo!'s failure to adequately safeguard his personal information should result in compensation for himself and other users who experienced account fraud and had to take measures to protect accounts put at risk by the Yahoo! breach.","Databreaches.net","","2012","37.368830","-122.036350" "August 1, 2012","Tarleton State University","Stephenville","Texas","PHYS","EDU","0","Financial aid documents with student information were found scattered in the street.  It is unclear how the documents got there.  Hundreds of current and former students who applied for or received financial aid during 1997 and 1998 may have had their Social Security numbers, dates of birth, federal Pell grant disbursements, and other personal information exposed.  ","Databreaches.net","","2012","32.220696","-98.202263" "July 17, 2012","Dropbox","San Francisco","California","UNKN","BSR","68,000,000","Dropbox users began receiving spam from email sources posing as Dropbox.  
Many users claim that Dropbox must have suffered a breach because email addresses they used specifically and solely for Dropbox were compromised.UPDATE (07/20/2012): Dropbox investigated customer concerns of a data breach but could not find any evidence of an unauthorized intrusion or activity as of July 20.UPDATE (07/31/2012): Dropbox has confirmed that some accounts were accessed by hackers. One of the compromised accounts was that of a Dropbox employee.  The employee's account contained a project document of user email addresses.  Dropbox required some users to change their passwords and increased their security by adding a two-factor authentication system, new automated mechanisms to help identify suspicious activity, and a page that allows users to monitor active logins to their accounts.UPDATE (8/31/2016): Per a recent report on the Dropbox breach in 2012, 68 million of the user account details were leaked on the dark web four years later. The information leaked included email addresses and passwords which were hashed. ""It was not previously known how many users were affected by the 2012 hack, according to Motherboard, which says that the leaked data does not appear to be posted on the dark web. A senior Dropbox employee told Motherboard that the data is legitimate.""","Media","","2012","37.774930","-122.419416" "August 3, 2012","Wolf & Yun","Elizabethtown","Kentucky","PORT","MED","824","The April 24 office theft of a laptop resulted in the exposure of patient information.  The laptop contained names, dates of birth, and auditory testing data.  A public notice was posted on July 20.","HHS via PHIPrivacy.net","","2012","37.703065","-85.864941" "April 12, 2012","Memorial Healthcare System (MHS)","Hollywood","Florida","INSD","MED","9,500","On January 27, 2012, MHS learned that at least one employee may have accessed patient information in order to receive fraudulent tax returns.  A second employee was later identified and both employees were terminated.  
Patient names, Social Security numbers, and dates of birth may have been accessed between 2011 and early 2012.  Medical information was not involved. Law enforcement requested that MHS delay notifying patients.  On April 12, 2012, letters were mailed to patients who may have been affected.","PHIPrivacy.net","","2012","26.011201","-80.149490" "July 17, 2012","Patterson Dental, River Arch Dental, Hamner Square Dental","Ontario","California","PORT","MED","3,645","An unencrypted USB memory chip was shipped against company policy.  The envelope that contained it arrived at its destination on May 14 with a tear and missing the USB memory chip.  Names, home addresses, telephone numbers, email addresses, ID numbers, dates of birth, driver's license numbers, Social Security numbers, dental information, and dental insurance information of patients were exposed.UPDATE (08/03/2012): A total of 1,112 Hamner Square Dental patients and 2,533 River Arch Dental patients were affected.","California Attorney General","","2012","34.063344","-117.650888" "August 3, 2012","The Surgeons of Lake County, LLC","Libertyville","Illinois","HACK","MED","7,067","A hacker or hackers accessed and encrypted the computer server of The Surgeons of Lake County.  The incident occurred between June 22 and June 25 and was an attempt to force payment from The Surgeons of Lake County in exchange for the password needed to regain access to the server.  The unauthorized user or users had access to names, Social Security numbers, addresses, credit card numbers, and medical information.  ","HHS via PHIPrivacy.net","","2012","42.283079","-87.953130" "August 3, 2012","Memorial Healthcare System (MHS)","","","INSD","MED","102,153","MHS discovered a second breach during the process of investigating a dishonest employee's misuse of patient data in January of 2012.  
Employees of affiliated physicians' offices may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS.  Patient names, Social Security numbers, and dates of birth may have been accessed during the period between January 1, 2011 and July 5, 2012.  ","HHS via PHIPrivacy.net","","2012","37.090240","-95.712891" "August 3, 2012","Pamlico Medical Equipment, LLC (Now Vidant Internal Medicine)","Washington","North Carolina","PORT","MED","2,917","A flash drive was lost during transit on or around May 16. Patient names, Social Security numbers, Medicaid numbers, insurance carrier contact information, medical equipment being provided by Pamlico Medical Equipment, service date, price of the equipment rental, and other miscellaneous billing information may have been on the flash drive. The flash drive is believed to have been placed with compacted trash that was transported to a landfill.  ","HHS via PHIPrivacy.net","","2012","35.546552","-77.052174" "August 3, 2012","University of Kentucky HealthCare","Lexington","Kentucky","PORT","MED","4,490","The May first theft of an employee's password-protected laptop resulted in the possible exposure of protected health information.  Patient medical records, reasons for visits, and dates of visits may have been exposed. A notification was placed on the UKHealthCare website on June 21.","HHS via PHIPrivacy.net","","2012","38.040584","-84.503716" "August 6, 2012","Steamboat Ski and Resort Corp.","Steamboat Springs","Colorado","DISC","BSO","0","A former employee received W-2 information of current and former employees.  Names, Social Security numbers, addresses, payroll information, and other W-2 information were accidentally emailed to the former employee.  
The former employee immediately notified the human resources department and confirmed that the information had not been mishandled.","Databreaches.net","","2012","40.484977","-106.831716" "July 13, 2009","Florida Department of Education","Tallahassee","Florida","PHYS","GOV","475","The agency is notifying 475 student-loan borrowers of a breach that involved their financial records.  The Office of Student Financial Assistance lost or misplaced 1,186 promissory notes that students signed while enrolled.  The missing files include Social Security numbers, names, addresses, birth dates, personal references, and other private and financial information that could be used for identity theft.","Dataloss DB","","2009","30.438256","-84.280733" "February 12, 2011","Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center","New York","New York","PORT","MED","1,700,000","The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach.  Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services.  The theft occurred during December of 2010.  The information on the tapes was from patients, staff members and associated employees and dated back to 1991.  Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed.","PHIPrivacy.net","","2011","40.714353","-74.005973" "February 10, 2010","WellPoint, Anthem/Blue Cross and Blue Shield","Chicago","Illinois","INSD","MED","40","A former employee accessed health care professionals' Social Security numbers, names, dates of birth, and home addresses. Between 2007 and 2010, the employee created fictitious identities and created e-mail addresses, opened bank accounts and credit card accounts.UPDATE (05/10/2010): The former employee was sentenced to 28 months in prison followed by three years of supervised release.  
She was also ordered to pay $2,914.95 in restitution.  She pleaded guilty to one count of mail fraud and one count of aggravated identity theft on February 9.  Around 40 health care professionals such as doctors, psychologists, nurses, and dietitians were victims of fraudulent financial activity.","Databreaches.net","","2010","41.850033","-87.650052" "September 25, 2009","Tennessee Department of Human Services","Nashville","Tennessee","DISC","GOV","0","Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana says hundreds of confidential medical faxes have been coming to him.","Dataloss DB","","2009","36.165890","-86.784443" "October 7, 2011","The Nemours Foundation","Wilmington","Delaware","PORT","MED","1,600,000","Three unencrypted computer backup tapes were reported missing on September 8.  The tapes were stored in a locked cabinet, which had been temporarily relocated on or around August 10 for a facility remodeling project.  The cabinet was not found.  The tapes had been stored in the cabinet since 2004 and contained patient information stored between 1994 and 2004.  Names, Social Security numbers, addresses, dates of birth, insurance information, medical treatment information, and direct deposit bank account information were exposed.UPDATE (10/12/2011): Patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey, and Florida were affected.  In addition to medical treatment information, the payroll information of current and former employees was exposed.  
Nemours took steps to encrypt all computer backup tapes and move non-essential computer backup tapes to a secure, off-site storage facility after the breach.","PHIPrivacy.net","","2011","39.745833","-75.546667" "July 17, 2012","Ameritas Life Insurance Corp.","Lincoln","Nebraska","PORT","MED","3,000","A laptop was stolen or discovered stolen sometime around March 21, 2012.  It contained the sensitive health information of 3,000 people. The incident was posted on the HHS website on June 8.UPDATE (08/03/2012): An official notice states that an employee notified Ameritas that their laptop and other items were stolen from their car on March 21.  The laptop contained information used to provide group dental and vision quotes, as well as individual member enrollment information for employer-sponsored group health plans.  The laptop was password protected but not encrypted.  Names, Social Security numbers, addresses, dates of birth, and places of employment may have been exposed.","HHS via PHIPrivacy.net","","2012","40.806862","-96.681679" "August 7, 2012","Nordstrom Bank, Nordstrom fsb","Centennial","Colorado","DISC","BSF","2,457","A total of 2,457 Nordstrom fsb customers in California were affected by a mailing error caused by an administrative error.  Cardholder statements, replacement credit cards, or other correspondence were mistakenly sent to addresses other than those of intended cardholders. The issue was discovered on June 7 and was the result of an attempt to reformat addresses to U.S. Postal Service standards.  Those who were affected were notified in June and July.","California Attorney General","","2012","39.580745","-104.877173" "January 20, 2012","Kansas Department of Aging","Wichita","Kansas","PORT","GOV","7,100","Paper files, a laptop, and a flash drive were stolen from an employee's vehicle in Wichita.  A total of 100 seniors who participated in the Senior Care Act program had their Social Security numbers exposed.  
An additional 7,000 seniors who participated in the Older American Act program including Meals on Wheels had personal information other than Social Security numbers stolen. This personal information may have included full names, addresses, birth dates, gender, Medicaid identification numbers, case manager name and case manager telephone number.","Databreaches.net","","2012","37.692236","-97.337545" "August 7, 2012","California Correctional Health Care Services (CCHCS) Regional Administration","Fresno","California","PHYS","MED","0","A June 11 theft of materials inside of a kiosk mailbox located outside of the CCHCS Regional Administration building may have resulted in the exposure of sensitive information.  Documents that included prospective employment candidate responses to employment inquiries with personally identifiable information may have been in the mailbox.  California State Employment Application forms and applicable documents include names, Social Security numbers, driver's license numbers, residential addresses, dates of birth, telephone numbers, email addresses, employment histories, education histories, and other employment information of prospective candidates. ","California Attorney General","","2012","36.746842","-119.772587" "August 8, 2012","Bear Valley Community Hospital","Big Bear Lake","California","INSD","MED","102","An employee was fired after an investigation revealed that patient records were accessed without legitimate cause.  The breach was discovered during a routine audit.","PHIPrivacy.net","","2012","34.243896","-116.911422" "August 9, 2012","CQ Roll Call, The Economist Group, Bloomberg","Washington","District Of Columbia","DISC","BSF","0","A group of former CQ employees were able to continue using log-ins and passwords to access sensitive information from The Economist Group after they left.  CQ Roll Call is owned by The Economist Group.  Many or all of the former CQ employees accessed the information while employed at Bloomberg.  
Bloomberg has already paid an unspecified amount to The Economist Group as compensation for the unauthorized access incident or incidents.  It is not clear what type of information was exposed.","Databreaches.net","","2012","38.895112","-77.036366" "August 9, 2012","AmericInn","Medford","Wisconsin","INSD","MED","0","A dishonest employee faces six charges of fraudulently using a credit card and 59 counts of identity theft.  The former employee apparently used customer credit card numbers to pay tuition and insurance bills. ","Databreaches.net","","2012","45.138580","-90.340140" "August 9, 2012","BNSF Railway Company","Fort Worth","Texas","UNKN","BSO","100","Around 100 BNSF Railway employees in North Dakota and adjacent states have reported fraudulent PayPal accounts and credit cards being opened in their names. It is unclear how long this issue has been occurring, what sensitive employee information may have been accessed, and how the information was accessed.","Databreaches.net","","2012","32.725409","-97.320850" "July 2, 2012","Wave House","San Diego","California","INSD","BSR","200","A former employee allegedly stole hundreds of applications and contracts while employed between May 2010 and January 2012. He is accused of making at least $40,000 in online purchases and pleaded not guilty to 17 counts of identity theft and one count each of grand theft, false personation, and a drug charge. He faces 15 years and eight months in prison if convicted.UPDATE (08/08/2012): The dishonest employee entered a plea of guilty. He faces at least 180 days and up to one year in jail.  He is scheduled to be sentenced on September 6.","Databreaches.net","","2012","32.715329","-117.157255" "August 8, 2012","University of Arizona (UA)","Tucson","Arizona","DISC","EDU","7,700","A UA student ran a Google search and found her private information posted publicly.  
The data belonged to several thousand people who had submitted their names and tax ID numbers to UA in order to receive payments or reimbursements.  Vendors, consultants, guest speakers, and UA students had their names and tax ID numbers exposed in February and early March.  Some people had their Social Security numbers exposed in lieu of tax ID numbers. The sensitive data was embedded within a larger set of files being transferred to the UA new financial system.  The files were thought to only contain public information.","Databreaches.net","","2012","32.221743","-110.926479" "March 28, 2012","Capital Area Community Action Agency","Tallahassee","Florida","PHYS","NGO","100","About 100 client files were discovered missing from a file cabinet in a restricted area.  The files contained Social Security numbers and other personal information.  A spokesperson for Capital Area Community said that a disgruntled former or current employee may be to blame.","Dataloss DB","","2012","30.438256","-84.280733" "March 29, 2012","Go-Kart Records","New York","New York","HACK","BSR","227","A hacker or hackers accessed and published sensitive information from a Go-Kart Records database.  A total of 218 usernames, email addresses, and passwords were posted. Additionally, nine employee usernames, email addresses, and plain text passwords were posted.","Dataloss DB","","2012","40.714353","-74.005973" "March 13, 2012","Citibank","New York","New York","HACK","BSF","0","An unauthorized party was able to illegally access information maintained by Citi through a source other than Citi.  The unauthorized party logged onto Citi's credit card online account access system by using passwords and user IDs.  Customer names, addresses, email addresses, account numbers, and transaction information may have been viewed.  
Customers who were affected were notified, issued replacement cards, and required to create new account login credentials.","Dataloss DB","","2012","40.714353","-74.005973" "March 29, 2012","Grant Income Tax Bookkeeping and Check Cash","Macon","Georgia","INSD","BSF","10","The dishonest owner of the tax preparation business used names and Social Security numbers to file fraudulent tax returns for at least 10 people between 2007 and 2009.  He is accused of using nearly $8,000 in fraudulent tax refunds for his own purposes.  He was indicted on 23 counts of making false claims for tax refunds, four counts of theft of government money, and four counts of aggravated identity theft on March 15, 2012.  He pleaded guilty and faces a maximum sentence of 10 years in prison and a $250,000 fine for each count of theft of government money, a minimum of two years in prison for the identity theft charges, and a maximum of five years in prison with a $250,000 fine for each count of false claims.","Dataloss DB","","2012","32.840695","-83.632402" "August 3, 2012","Stanford University Medical Center, Stanford Hospital and Clinics, Stanford School of Medicine","Stanford","California","STAT","MED","2,500","A burglary sometime around July 15 resulted in the theft of a computer from a Stanford faculty member's locked office. The computer contained patient information. No medical records or health histories were stored on the computer, but it may have held the Social Security numbers of some patients.  The computer was outfitted with security software that would detect when and where the computer connected to the internet.UPDATE (08/13/2012): The stolen computer was also password-protected. 
It may have contained medical record numbers, dates of service, and the names of providers and clinics relating to care provided at Stanford Hospital and Clinics or research conducted by the Stanford School of Medicine.","PHIPrivacy.net","","2012","37.424106","-122.166076" "August 13, 2012","Employee Benefits, Atlanta Police, MARTA Police, Atlanta Fire Department","Atlanta","Georgia","DISC","GOV","39","Two representatives of Employee Benefits attempted to gather sensitive information from employees of Atlanta Police, MARTA Police, and Atlanta fire department employees.  They visited several locations and offered upgraded insurance and benefits packages through AFLAC insurance.  Employee Benefits is a legitimate provider of insurance, but not of AFLAC insurance.  The representatives handed out business cards and their supervisor was called when a police lieutenant noticed that the representatives appeared to be frauds.  They were arrested and at least 39 information packets that contain sensitive information were recovered.  The two representatives face multiple counts of identity theft and racketeering.","Databreaches.net","","2012","33.748995","-84.387982" "August 1, 2012","Queens College","New York","New York","HACK","EDU","15","A hacker or hackers accessed and posted sensitive information online.  A total of 15 administrator user names and encrypted passwords were exposed.  Three email addresses were also posted.","Dataloss DB","","2012","40.714353","-74.005973" "August 3, 2012","General Motors Co.","Detroit","Michigan","INSD","BSR","883","It was determined that an employee who retired in May copied two electronic spreadsheets with names and Social Security numbers of active and retired GM workers.  The file was found on the former employee's computer.  
It is unclear if the information was misused or if the former employee acted with malicious intent.","Dataloss DB","","2012","42.331427","-83.045754" "July 3, 2012","Miami Northwestern Senior High School","Miami","Florida","PHYS","EDU","0","A group of volunteers discovered school materials inside of a public dumpster.  There were folders containing sensitive student records among textbooks, novels, and workbooks. The folders contained student Social Security numbers, health records, grade reports, and student education forms.  An administrative error meant that custodians discarded obsolete materials that had been stored.  The items should have been delivered to the district's central warehouse or sold to used-book dealers. The items were recovered and transmitted to the correct locations.","Dataloss DB","","2012","25.788969","-80.226439" "July 11, 2012","Formspring","San Francisco","California","HACK","BSO","420,000","A hacker or hackers accessed Formspring's development server and posted the password hashes of 420,000 users online.  Formspring immediately reset all 28 million user passwords and addressed the security issues upon confirming that a breach had occurred.","Databreaches.net","","2012","37.774930","-122.419416" "July 10, 2012","Phandroid, Androidforums.com","Inverness","Florida","HACK","BSO","0","Phandroid user account details were accessed and posted online by a hacker or hackers.  Hackers breached a back end database that powers Androidforums.com.  Androidforum usernames, email addresses, hashed passwords, member IP addresses, forum group memberships, and other data may have been accessed.","Dataloss DB","","2012","28.839167","-82.340278" "July 13, 2012","Nvidia","Santa Clara","California","HACK","BSR","400,000","A security breach affected Nvidia's developer forums. Hashed passwords and other sensitive information may have been obtained.  Public information such as birthdays, gender, and location may have been exposed. 
People who used the forums were given temporary passwords and instructed to choose a new forum password.UPDATE (07/13/2012): A Nvidia representative said that its forum has 290,000 registered accounts, its DevZone site has 100,000 accounts, and its research site has 1,200 accounts.","Media","","2012","37.354108","-121.955236" "July 15, 2012","High Tech Crime Solutions","Atlanta","Georgia","HACK","BSO","32,000","A hacker or hackers accessed and posted information from High Tech Crime Solutions Inc.'s website by using an SQL injection cyber attack.  A total of 8,900 names and phone numbers were posted online.  Over 32,000 private messages were also exposed.","Dataloss DB","","2012","33.748995","-84.387982" "July 9, 2012","Acronis","Woburn","Massachusetts","DISC","BSR","0","A technical error caused a spreadsheet containing an unspecified number of email addresses and upgrade serial numbers to be indexed by search engines.  The email addresses from the spreadsheet were not accompanied with any personal information.  The spreadsheet was downloaded by 14 different IP addresses and the owners of those IP addresses were contacted.","Dataloss DB","","2012","42.479262","-71.152277" "July 3, 2012","Olympic College","Bremerton","Washington","CARD","EDU","16","Close to 20 Olympic College students and employees notified college personnel that their credit or debit card numbers were used fraudulently.  The payment cards had all been used at Olympic College. The reports began in late June and the exact cause of the breach was not identified.  Credit card transaction systems were removed from the main merchant network as a precaution.","Dataloss DB","","2012","47.570000","-122.652500" "July 20, 2012","Oregonwine.com","Portland","Oregon","HACK","BSR","1,313","A hacker or hackers accessed and posted sensitive information online.  A total of 1,313 user names and passwords were posted publicly.  
The account details and name of one administrator were also posted.","Dataloss DB","","2012","45.523452","-122.676207" "August 14, 2012","First Republic Bank","San Francisco","California","PHYS","BSF","0","Sensitive information that may have been in the form of paper records was improperly disposed of on August 2.  Client names, account types, account numbers, tax payer identification numbers, and Social Security numbers may have been exposed.  ","California Attorney General","","2012","37.774930","-122.419416" "August 16, 2012","Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation)","Sellersburg","Indiana","PHYS","MED","1,504","An office burglary sometime around June 4 resulted in the theft of a safe.  The safe held tapes used for backing up Kindred data related to past, present, and prospective patients.  Diagnosis information, Social Security numbers, clinical information, bank account and other financial information, addresses, dates of birth, insurance numbers, dates that services were received from Kindred, discharge locations, daily activities, collections letters, and medications received may have been exposed.  People admitted between 2009 and 2012 may have been exposed.  ","PHIPrivacy.net","","2012","38.398122","-85.754964" "April 16, 2012","Kindred Transitional Care and Rehabilitation-Highgate","Dedham","Massachusetts","PHYS","MED","0","An office burglary resulted in the theft of a safe on January 26.  The safe contained unencrypted backup tapes that require specialized software and equipment to read.  The tapes contained patient names, dates of birth, genders, diagnoses, and progress notes.  ","PHIPrivacy.net","","2012","42.241192","-71.166143" "August 3, 2012","Adult and Child Care Center, Choices, Inc., Diversified Support Services, Midtown Mental Health Center","Indianapolis","Indiana","HACK","MED","1,945","A hacking incident that occurred on or around May 10 may have exposed the protected health information of patients.  
The incident was reported by HHS on July 27.UPDATE (08/16/2012): A total of 505 clients and family members of clients of Diversified Support Services and 890 clients and family members of clients of Midtown Mental Health Center were affected.  Social Security numbers, private health information, and demographic information were exposed.","HHS via PHIPrivacy.net","","2012","39.768516","-86.158074" "August 3, 2012","Office of Dr. Sharon L. Rogers","Corpus Christi","Texas","PORT","MED","585","The June 16 theft of a laptop may have resulted in the exposure of protected health information from psychology patients.  The incident was reported on the HHS website on July 27, 2012.","HHS via PHIPrivacy.net","","2012","27.800583","-97.396381" "August 16, 2012","Office of Dr. Jeffrey Paul Edelstein","Chandler","Arizona","STAT","MED","4,800","Someone who had key access to a building containing a computer server stole the server on May 28.  Patient data including names, Social Security numbers, dates of birth, addresses, telephone numbers, account numbers, and diagnoses were on the server.  The server contained multiple layers of password protection.  ","PHIPrivacy.net","","2012","33.306161","-111.841250" "August 17, 2012","University of Texas M.D. Anderson Cancer Center (M.D. Anderson)","Houston","Texas","PORT","MED","2,200","An unencrypted flash drive was discovered missing.  It had last been seen on an employee shuttle bus on July 13.  It contained patient names, dates of birth, medical record number, diagnoses and treatment information, and research information.  ","PHIPrivacy.net","","2012","29.760193","-95.369390" "August 17, 2012","Wright-Patterson Medical Center","Dayton","Ohio","PHYS","MED","3,800","A notebook containing names and Social Security numbers was misplaced after a blood drive.  
It was left in a limited-use conference room late in the afternoon and recovered the next morning behind a chair.","PHIPrivacy.net","","2012","39.758948","-84.191607" "June 16, 2012","U.S. Department of the Interior National Business Center","Denver","Colorado","PORT","GOV","7,500","A compact disc was discovered missing on or around May 26.  It had been sent to the National Business Center in Denver, but may not have arrived. The data on the CD was encrypted and password-protected.  Unspecified types of personal information may have been exposed.","Media","","2012","39.737567","-104.984718" "June 24, 2012","Commodity Futures Trading Commission (CFTC)","Washington","District Of Columbia","HACK","GOV","700","A CFTC employee received an email on May 21 that linked to a fraudulent website.  The employee failed to recognize the email as a phishing attempt and mistakenly entered information on the website.  An unauthorized third party was then able to use the employee's account information to access emails and attachments that contained sensitive employee information such as names and Social Security numbers.  The incident was confirmed by the CFTC in mid June.","Media","","2012","38.895112","-77.036366" "June 15, 2012","Atkinson & Company LLP Consultants and Certified Public Accountants, The Public Employees Retirement Association (PERA) of New Mexico","Albuquerque","New Mexico","STAT","BSF","100,000","A computer containing PERA information was stolen from Atkinson & Company.  The information was related to a PERA annual audit that Atkinson & Company were hired to perform.  PERA current and former members, as well as retirees may have had their personal information on a file on the computer.  UPDATE (06/15/2012): Names, addresses, financial institution routing numbers, account types, account numbers, payment amounts, and PERA identification numbers may have been exposed. 
Family members of current and former PERA members may have also been affected.","Dataloss DB","","2012","35.084491","-106.651137" "June 22, 2010","Oregon National Guard","Portland","Oregon","PORT","GOV","3,500","A laptop belonging to an Oregon National Guard member was stolen and the military is contacting service members who might be affected by the theft. According to the Oregon National Guard, the laptop was stolen from a vehicle. The Guard member had been using the laptop to conduct work from home. Although this laptop is password protected, there is still potential for exposure of individual personal information. UPDATE (7/1/10): The 3,500 National Guard members who were affected have been notified.","Dataloss DB","","2010","45.523452","-122.676207" "June 25, 2012","Towards Employment","Cleveland","Ohio","PORT","NGO","26,000","The May theft of a laptop that contained Towards Employment client data may have exposed personal information.  The laptop was password protected and contained the names, Social Security numbers, and addresses of clients. Towards Employment is altering its policy so that only the last four digits of clients' Social Security numbers are tracked and used.","Media","","2012","41.499495","-81.695409" "June 25, 2010","Sacramento Department of Parks and Recreation","Sacramento","California","PHYS","GOV","100","A local news team investigated a pile of materials in a dumpster outside of a parks building.  Unused, unopened books and learning materials were thrown out along with sensitive personal information.  Names, Social Security numbers, phone numbers, dates of birth, addresses, monthly incomes, and copies of driver's licenses dating back to 2005 were found in several abandoned folders.  
","Databreaches.net","","2010","38.581572","-121.494400" "April 13, 2010","Lorillard Tobacco, General Agencies Welfare Benefits Program, National Gypsum, Towers Watson","Greensboro","North Carolina","PORT","BSR","1,874","Two unencrypted DVDs containing employee information were lost in transit by a benefits consulting firm. Multiple organizations were involved.  Benefits consulting firm Towers Watson notified Lorillard and the General Council on Finance and Administration, which administers the General Agencies Welfare Benefits Program, of the loss in February.  The DVDs contained names, addresses, dates of birth, and Social Security numbers of current and former employees and their family members.UPDATE (6/22/2010): National Gypsum notified the New Hampshire Attorney General Office of the possible exposure of employee data related to this incident in June.","Databreaches.net","","2010","36.072635","-79.791975" "July 30, 2012","Neurocare, Inc.","Newton","Massachusetts","HACK","MED","0","A malware attack on a Neurocare CPU resulted in unauthorized intrusion into Neurocare's computer systems.  The attack compromised Neurocare's credentials for accessing a third party paryoll processor.  Unauthorized access to Neurocare's payroll system occurred sometime around June 26, but Neurocare's payroll processor immediately noticed the suspicious account activity and addressed the issue.  Neurocare was notified and immediately changed system passwords, sent notifications, and began investigations. A total of 19 employees had their personal information accessed, but all Neurocare employees may have been affected.","Media","","2012","42.337041","-71.209221" "July 13, 2012","New York State Comptroller's Office, New York State Assembly","Albany","New York","DISC","GOV","300","The New York state Comptroller's Office accidentally released the personal information of over 300 current and former state lawmakers and their staff.  
The information was intended to fulfill a reporter's request for per diem payments collected by lawmakers.  The information was posted in a spreadsheet online. The Social Security numbers were accessible on hidden pages within the spreadsheet, though they were initially believed to be hidden from public view. The private information was available for less than a day.","Media","","2012","42.652579","-73.756232" "August 1, 2012","Office of the Circuit Clerk of Madison County, Illinois","Edwardsville","Illinois","PHYS","GOV","0","Sensitive court documents remained in a recycling dumpster for two weeks because of a missed scheduled pick-up.  The court respondent documents included Social Security numbers, dates of birth, addresses, telephone numbers, and detailed accounts of why an order of protection was needed.  They were removed upon discovery. Some files were from 2007, though the exact group of people who may have been affected is unclear.  The information was from closed cases and could be found in the public record.","Databreaches.net","","2012","38.811436","-89.953157" "August 13, 2012","Office of Peggy Garland-Coleman","Spartanburg","South Carolina","PHYS","BSF","0","The owner of a tax preparation business that closed three years ago accidentally discarded several boxes of sensitive records.  The records had been picked over before being tossed, but sensitive information still ended up in a public dumpster.  A concerned citizen found them in a recycling bin in an old supermarket lot.  Names, Social Security numbers, dates of birth, and invoices were exposed.","NAID","","2012","34.949567","-81.932048" "August 20, 2012","U.S. District Court, Los Angeles California","Los Angeles","California","INSD","GOV","0","A Los Angeles federal court clerk was identified as the source of leaked confidential information.  The clerk was married to a convicted felon who then sold the information from sealed criminal case documents to an identity theft ring.  
The federal court clerk, her husband, and at least 60 others from the theft ring were caught by an FBI investigation.","Databreaches.net","","2012","34.052234","-118.243685" "March 9, 2012","Kelly Services","Troy","Michigan","INSD","BSO","0","People who signed up for employment through the Kelly Services staffing agency may have had their personal information retained by a former Kelly Services employee.  Kelly Services retrieved all of the sensitive information from the former employee upon learning of the breach.  Names and Social Security numbers may have been exposed.  ","Dataloss DB","","2012","42.605589","-83.149930" "March 23, 2012","Suddenlink Communications, AAT Communications","Overland Park","Kansas","INSD","BSO","0","On February 24, 2012, law enforcement notified Suddenlink management of an incident involving a former employee.  The employee had obtained the personal information of individuals who worked at Suddenlink and AAT Communications between May 22, 2006 and July 21, 2006.  Names, Social Security numbers, addresses, dates of birth, wage information, and banking information may have been exposed.  The former employee was using the information for fraudulent purposes and an investigation uncovered isolated instances of information misuse between 2006 and 2012.  The former employee was arrested.","Dataloss DB","","2012","38.982228","-94.670792" "March 15, 2012","Washington University","St. Louis","Missouri","INSD","EDU","4,100","A University employee was discovered copying electronic files onto an external hard drive on February 17, 2012.  The hard drive was recovered and the employee was fired.  The hard drive contained the names, Social Security numbers, addresses, and dates of birth of University employees and job applicants.  
It is unclear if the hard drive information was used for fraudulent purposes.","Dataloss DB","","2012","38.627003","-90.199404" "March 27, 2012","WorldPass","El Dorado Hills","California","HACK","BSR","0","A hacker or hackers accessed WorldPass' online database in early July of 2010 and was not detected until March 5, 2012.  The hacker may have obtained the credit card numbers, user names, email addresses, billing addresses, and payment information of customers.","Dataloss DB","","2012","38.685737","-121.082167" "August 21, 2012","Bellacor.com, Inc.","Mendota Heights","Minnesota","HACK","BSR","0","A breach by an unauthorized party was discovered and contained on July 26.  The unauthorized party injected malicious code into the Bellacor website on June 7.  Temporary files including customer names, addresses, phone numbers, and encrypted credit card information may have been exposed.","California Attorney General","","2012","44.883577","-93.138275" "August 21, 2012","Colorado State University - Pueblo","Pueblo","Colorado","DISC","EDU","19,000","A few students accidentally gained access to sensitive student files.  It is not clear if the files were physical or electronic.  The students notified school authorities immediately and the problem was fixed.  It is not clear what types of student information were exposed.  ","Databreaches.net","","2012","38.254447","-104.609141" "August 22, 2012","South Bend Community School Corporation","South Bend","Indiana","DISC","EDU","0","A computer glitch that occurred when the district changed its student management systems caused some employee Social Security numbers to be exposed.  The numbers could only be seen by other employees who were being trained on the new computer program.  
Employees were notified of the breach.","Databreaches.net","","2012","41.683381","-86.250007" "March 20, 2012","Sailboat Owners Inc.","Seattle","Washington","HACK","BSR","2,258","Unusual activity was noticed on Sailboat Owner's web servers on the morning of February 23.  The website was immediately shut down, but sensitive information may have been accessed. Malware had been uploaded to the web server on the morning of February 22.  A total of 2,258 unencrypted credit card records were on the server and dated from 2007 until the day of the incident.  CVV codes and expiration dates were also exposed.","Dataloss DB","","2012","47.606210","-122.332071" "March 23, 2012","Duke University Health System (DUHS)","Durham","North Carolina","PHYS","MED","0","On or around January 25, DUHS received notice that its billing subsidiary staff attached copies of outstanding billing statement(s) for services provided by DUHS facilities and/or DUHS-affiliated physicians to support proofs of claim filed in Chapter 13 bankruptcy actions by patients of DUHS.  Patient and patient dependent names, addresses, DUHS medical record number, health insurance carriers, and clinical information were exposed.  Some patients and patient dependents had their Social Security numbers and dates of birth exposed as well.  Notification letters were mailed on March 23 and again on May 18.","Dataloss DB","","2012","35.994033","-78.898619" "May 18, 2012","UnitedHealthcare (United Health Group Plan)","Minneapolis","Minnesota","INSD","MED","19,100","A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 Idaho customers enrolled in UnitedHealthcare Medicare plans. On January 30, 2012, it was discovered that the former employee may have accessed the information in the United Health Care database in a way that was inconsistent with his job duties and possibly for fraud purposes.  
The information was taken between June 28 and December 12 of 2011. Affected patients were notified on March 30.","PHIPrivacy.net","","2012","44.983334","-93.266670" "March 30, 2012","Advanced Clinical Research Institute","Anaheim","California","PHYS","MED","875","A vehicle containing paper records was impounded overnight.  Some papers with the sensitive information of research participants were discovered missing when the vehicle was reclaimed. The breach occurred on or around January 26.","Dataloss DB","","2012","33.835293","-117.914504" "September 28, 2011","Fairview and North Memorial Hospitals, Accretive","","","PORT","MED","23,500","The July 25 theft of a laptop resulted in the exposure of patient information.  It was stolen from a rental car parked in the parking lot of a Minneapolis restaurant.  The laptop was in the possession of an employee of the contractor Accretive.  It contained the names, addresses, dates of birth, medical information, and Social Security numbers of patients.  A total of 14,000 Fairview patients were affected.  Approximately 2,800 North Memorial patients were affected, but did not have their Social Security numbers exposed. UPDATE (1/20/2012): A lawsuit was filed against Accretive Health, Inc. as a result of the breach. Approximately 23,500 patients in Minnesota were affected by the breach.  The Minnesota Attorney General claims that Accretive failed to protect patient health care records and failed to disclose its extensive involvement in patient health care.  According to the Minnesota Attorney General, Accretive gained access to sensitive patient data through contracts with the two hospitals and numerically scored patients' risk of hospitalization and medical complexity, graded their ""frailty,"" compiled per-patient profit and loss reports, and identified patients deemed to be ""outliers."" The physical and mental health information included a checklist of 22 different chronic medical conditions that patients did or did not have.  
This was without the knowledge or consent of patients and the Attorney General argues that patients had the right to know how their information was being used and to have it kept confidential. Accretive tells investors that its contracts with hospitals include risk scoring patients, reducing avoidable hospital admissions, identifying the sickest and most impact-able patients for proactive management, and identifying real-time interventions with significant revenue or cost impact. The lawsuit alleges that Accretive violated state and federal health privacy laws, state debt collection laws, and state consumer protection laws.  It seeks an order requiring Accretive to fully disclose to patients: 1) what information it has about Minnesota patients; 2) what information it has lost about Minnesota patients; 3) where and to whom it has sent information about Minnesota patients; and 4) the purposes for which it amasses and uses information about Minnesota patients. In addition, the lawsuit asks Accretive to disclose whether it has sent health data about Minnesota patients to an offshore site in New Delhi, India and requests that restrictions be applied to how Accretive treats and uses patient data. The press release from the Office of Minnesota Attorney General Lori Swanson can be found here. UPDATE (08/24/2012): A settlement agreement with Accretive Health was announced at the end of July.  The settlement requires Accretive to stop doing business in Minnesota for two years and to pay approximately $2.5 million to the State of Minnesota, a portion of which will be used to compensate patients.","Databreaches.net","","2011","37.090240","-95.712891" "August 23, 2012","State Farm Insurance","Bloomington","Illinois","INSD","BSF","0","An employee was caught misusing customer information on July 28.  The dishonest employee had been improperly using customer names, Social Security numbers, addresses, dates of birth, and credit card numbers for at least two months. 
An unspecified number of customers had fraudulent online purchases made in their names.","California Attorney General","","2012","40.484203","-88.993687" "August 23, 2012","John Stewart Company (JSCo)","San Francisco","California","DISC","BSO","0","A set of internal emails were sent to various JSCo employees on August 7 and August 13.  The emails contained the names, Social Security numbers, and in some cases, dates of birth of other employees.  Employees were instructed to delete the email upon discovery.  ","California Attorney General","","2012","37.774930","-122.419416" "August 24, 2012","Main Street Pharmacy","Corona","California","INSD","MED","15","A doctor was convicted of prescription drug fraud, identity theft, illegal possession of controlled substances, and burglary.  She was arrested in January 2009 following a yearlong narcotics investigation and subsequently pleaded guilty to 272 felony counts. The doctor had a drug addiction. She forged the signatures of several doctors and stole the identity of at least 15 patients in order to maintain her drug habit. She was sentenced to a year in jail, five years of probation, completion of a drug rehabilitation program, and completion of 1,000 hours of community service. The dishonest doctor's license was also permanently revoked.  ","PHIPrivacy.net","","2012","33.875294","-117.566438" "June 11, 2012","Eugene School District 4J","Eugene","Oregon","HACK","EDU","16,000","An unauthorized person accessed confidential files that contained current and former students' personal information.  Names, Social Security numbers, dates of birth, student ID numbers, phone numbers, students' free or reduced-price school lunch status, and addresses may have been exposed.  Eugene School District 4J's notification can be read here: http://www.4j.lane.edu/communications/story/2012/06/11/securitybreachinf... UPDATE (07/12/2012): A minor was arrested for possible involvement in the breach.  
It appears that the teenager may have obtained the login credentials of an employee and used them to access the computer system.  Records for approximately 16,000 current students, as well as free and reduced-price lunch records from 2007 were exposed. UPDATE (08/25/2012): The student was released from custody and expelled by North Eugene High School.  He also posted hundreds of students' confidential information on a computer account to taunt district officials. He is on house arrest and his attorney entered not guilty pleas.","Databreaches.net","","2012","44.052069","-123.086754" "March 22, 2012","Zybez","Huntsville","Alabama","HACK","BSO","353","A hacker or hackers accessed and exposed information from Zybez.  Usernames, email addresses, IP addresses, and passwords were exposed.","Dataloss DB","","2012","34.730369","-86.586104" "March 2, 2012","Experian, Independent Capital Management","Costa Mesa","California","HACK","BSF","123","A user ID assigned to Independent Capital Management used to access consumer reports was compromised by an unknown individual. New user IDs were assigned and security was increased. The unauthorized access took place sometime between February 13 and February 15.","Dataloss DB","","2012","33.641132","-117.918669" "March 23, 2012","BenefitsEvent, Orvis Company","Peck Slip","New York","HACK","BSR","0","Orvis' hosting company notified Orvis that it may have experienced a breach.  It received reports from other clients that fraudulent charges had appeared on their customers' credit cards.  The customer credit cards had been used for hosted events. The computer database was encrypted, though it appears to have been compromised.","Dataloss DB","","2012","40.708178","-74.001872" "August 27, 2012","University of Rhode Island","Kingston","Rhode Island","DISC","EDU","1,000","Students and faculty who were associated with the University of Rhode Island after April of 2007 may have had their personal information exposed.  
The information was placed on a server that was not set up or intended to be used for storing sensitive information.  The information was on the College of Business Administration's computer server and included names, Social Security numbers, dates of birth, hire year, rank, and limited compensation information.  The information was discovered to be publicly accessible on July 31. It is unclear how long the information was available, but unauthorized access had occurred sometime while the information was exposed.","Databreaches.net","","2012","41.480379","-71.522560" "January 20, 2012","DreamHost","Brea","California","HACK","BSO","0","Customers were told to log in and change all passwords after unauthorized activity was detected on a database.  There was no evidence initially that customer passwords were taken, but customer passwords were immediately reset after the discovery. UPDATE (2/07/2012): Hundreds of PHPs (Personal Home Page) have been created in order to redirect users to work-at-home scams. The Russian scam page tricks users into buying a starter kit for a phony internet-based job.  Though Dreamhost took steps to ensure that user web pages could not be stolen by resetting the FTP and shell access passwords of all customers, a number of websites hosted by the company have been hijacked to redirect users to the scam page. An analysis of some of the compromised web pages revealed that the January 20 DreamHost breach may not have been what allowed hackers to access the pages. Hackers had installed backdoor PHP scripts in order to access the pages on December 26.","Databreaches.net","","2012","33.916681","-117.900060" "March 12, 2012","TransUnion LLC, Manufacturers Life Insurance Company (ManuLife)","Chicago","Illinois","HACK","BSF","461","An unauthorized access occurred sometime between January 22 and February 15, 2012.  Trans Union learned of the breach through its subscriber The Manufacturers Life Insurance Company (Manulife).  
Consumers may have had their credit reports accessed by someone using a client's login credentials.  Names, Social Security numbers, and addresses would have been exposed.","Dataloss DB","","2012","41.878114","-87.629798" "February 2, 2012","Staples (Staples Business Depot)","Mamaroneck","New York","INSD","BSR","50","A Staples cashier is accused of using a skimming device to obtain the credit card information of customers.  She is also accused of selling the numbers to another party. A total of $181,000 in fraudulent credit card purchases resulted from the breach. The dishonest employee faces two felonies for criminal possession of a forgery device and first-degree scheme to defraud.  She also faces 50 counts of unlawful possession of personal identification and 50 counts of petite larceny.","Databreaches.net","","2012","40.948710","-73.732631" "February 11, 2012","Manwin Holding SARL (Brazzers)","Waltham","Massachusetts","HACK","BSR","350,000","A hacker or hackers were able to access user records from the inactive forum of a website run by Brazzers. A portion of the compromised emails, usernames, and encrypted passwords were posted online.","Dataloss DB","","2012","42.376485","-71.235611" "February 2, 2012","Syracuse Police Department","Syracuse","New York","HACK","GOV","39","A hacker or hackers accessed and posted the information from a public Syracuse Police Department website. The usernames and plain text passwords of 39 police officers were exposed.","Dataloss DB","","2012","43.048122","-76.147424" "February 10, 2012","Intel, Inc.","Santa Clara","California","HACK","BSF","0","A hacker accessed user information on an Intel website through a vulnerability.  
The hacker had access to credit card data, Social Security numbers, emails, passwords, and other details.","Dataloss DB","","2012","37.354108","-121.955236" "February 13, 2012","Combined Systems","Jamestown","Pennsylvania","HACK","BSR","0","A hacker or hackers accessed the Combined Systems website and shut it down.  The hackers claim to have struck in honor of the anniversary of the February 14, 2011 Bahrain uprising and to have wiped out the company's web servers.  Administrator logins, customer data, and emails were posted online.","Dataloss DB","","2012","41.484776","-80.437569" "February 13, 2012","Gossip Girl","Providence","Utah","HACK","BSR","2,480","The official fan website for the Gossip Girl TV show was hacked and defaced. Usernames, IDs, emails, and encrypted passwords were posted online.  Another hacker followed up on the attack by decrypting many of the publicly posted password hashes.","Dataloss DB","","2012","41.706320","-111.817165" "February 25, 2012","Wallace Community College","Dothan","Alabama","HACK","EDU","284","Information from Wallace Community College was posted online by a hacker. The College became aware of the breach after being notified by Databreaches.net.  Eight username, email address, and password combinations were posted in addition to 276 username, password, and full name combinations.  People who used their same email and password combination for Wallace Community and other sites are encouraged to change their passwords.","Databreaches.net","","2012","31.223231","-85.390489" "February 8, 2012","Indianapolis Super Bowl (indianapolissuperbowl.com)","Indianapolis","Indiana","HACK","BSO","2,026","A hacker or hackers accessed and posted information from indianapolissuperbowl.com.  
In addition to 10 administrator accounts, 2,016 usernames, email addresses, and cell phone numbers were publicly posted.","Dataloss DB","","2012","39.768516","-86.158074" "February 8, 2012","Internet Marketing Strategies (Internet Marketing Tools), Power-blog.com","Tampa","Florida","HACK","BSO","5,860","A hacker or hackers accessed and posted information from the Internet Marketing Strategies website Power-blog.com.  Emails, usernames, and encrypted passwords were exposed.","Dataloss DB","","2012","27.950575","-82.457178" "February 16, 2012","Drago's Seafood Restaurant","Metairie","Louisiana","INSD","BSR","0","A waiter was arrested for using a skimming device to steal customer credit card information.  The dishonest employee was linked to two men who were arrested for using the information. The men would purchase electronic equipment with the stolen credit card information and then attempt to resell it for cash.","Dataloss DB","","2012","29.984092","-90.152852" "February 17, 2012","Islamic Finder","Anaheim","California","HACK","BSO","279","A hacker or hackers accessed and posted information from islamicfinder.org online.  Usernames, names, passwords, and email addresses were exposed.","Dataloss DB","","2012","33.835293","-117.914504" "February 19, 2012","LABusinessConnect.com, AdultStaffing.com","Phoenix","Arizona","HACK","BSO","686","A hacker or hackers hacked LABusinessconnect.com with the intention of exposing the company's wrong doings.  A database for adultstaffing.com was contained within LABusinessconnect.com.  Administrator information from LABusinessConnect.com was posted. A total of 686 usernames, email addresses, and passwords were exposed.","Dataloss DB","","2012","33.448377","-112.074037" "August 28, 2012","Cancer Care Group","Indianapolis","Indiana","PORT","MED","55,000","An employee's computer bag was stolen on July 19.  
The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses.","PHIPrivacy.net","","2012","39.768516","-86.158074" "August 28, 2012","Wilkinson County Schools","Irwinton","Georgia","HACK","EDU","0","A student was able to access and distribute information from a classroom management system called PowerTeacher.  The student used user names and passwords to access grades, demographics, Social Security numbers, and other personal information.  Some parents reported receiving strange calls that disclosed personal information.","Databreaches.net","","2012","32.811259","-83.172654" "August 28, 2012","Charter One, Dollar Bank, Fifth Third, First Merit, Key, PNC, Total Merchant Services","Cleveland","Ohio","INSD","BSF","0","Ten people consisting of assistant managers, sales representatives, and other employees of banks were arrested for participating in an identity theft ring.  Information was stolen and misused between November 2011 and February 2012.  ","Databreaches.net","","2012","41.499495","-81.695409" "March 30, 2012","Public Broadcasting System","Arlington","Virginia","HACK","NGO","1,871","A hacker or hackers accessed and published information from a Public Broadcasting System server or database.  A total of 1,598 press usernames, plain-text passwords, and email addresses were posted online.  Thirty-six administrator names, usernames, email addresses and passwords were also publicly posted.  Finally, 237 names, emails, passwords, and usernames from other sources were posted online.","Dataloss DB","","2012","38.879970","-77.106770" "July 18, 2012","ITWallStreet.ccom","New York","New York","HACK","BSO","50,000","A hacker may have accessed as many as 12 data files containing detailed information on IT professionals searching for work with Wall Street.  
First and last names, mailing addresses, email addresses, usernames, hashed passwords, and phone numbers were posted online.  Many of the passwords were decrypted and displayed in plain-text. Past salaries, salary expectations, contact information for references, and other types of job search information were also exposed.","Media","","2012","40.714353","-74.005973" "February 20, 2012","Yamaha Commercial Audio Systems","Columbus","Ohio","HACK","BSR","1,755","A hacker or hackers accessed and posted sensitive information from an official Yamaha music website.  A total of eight administrator accounts, as well as 1,755 email addresses and plain-text passwords were exposed.  ","Dataloss DB","","2012","39.961176","-82.998794" "February 3, 2012","Patriot Self Storage (CubeSmart Management, LLC)","Boston","Massachusetts","PHYS","BSR","0","Files containing customer lease documents were discovered missing.  The information was several years old and included customer names and addresses.  Drivers' license numbers and Social Security numbers may have also been exposed.","Dataloss DB","","2012","42.358431","-71.059773" "February 7, 2012","David Yurman (Yurman Design, Inc.)","New York","New York","DISC","BSR","0","Yurman mailed some 1099 forms to the wrong addresses.  Names, tax information, and Social Security numbers were exposed.","Dataloss DB","","2012","40.714353","-74.005973" "August 28, 2012","Arizona Oncology","Oro Valley","Arizona","INSD","MED","15","A dishonest employee obtained and misused the personal information of patients during her employment.  She pleaded guilty to one count of aggravated identity and will be sentenced in October.  
She faces between two and 8.75 years in prison for using the credit card information of cancer patients to make fraudulent purchases.","PHIPrivacy.net","","2012","32.390907","-110.966488" "August 29, 2012","Chili's","Coral Springs","Florida","INSD","BSR","0","A dishonest employee was arrested for using a skimming device to steal customer credit card numbers at Chili's.  Investigators were able to link another fraudulent credit card crime to a credit card stored in the dishonest employee's skimmer.  This led to the discovery of a credit card making machine, a credit card skimmer, laptops, blank credit cards, and pages of names, Social Security numbers, and dates of birth at a separate residence.","Databreaches.net","","2012","26.271192","-80.270604" "August 28, 2012","Del Mar College (East Campus)","Corpus Christi","Texas","PHYS","EDU","400","Documents dating from 1996 to 2007 were found in a recycling bin by a student.  Del Mar employee and student names, Social Security numbers, and mailing addresses were exposed. The student reported the discovery immediately and campus officials began an investigation.","Databreaches.net","","2012","27.800583","-97.396381" "October 27, 2011","Eaton Group","Baton Rouge","Louisiana","PHYS","BSO","0","A local news team was alerted to a group of scattered documents near a lake and an interstate.  Most of the documents were labeled with an ""Eaton Group"" stamp.  The owner of the law group and collection service was not sure how the documents came to be exposed rather than properly disposed of.  The court case documents exposed names, Social Security numbers, addresses, bank statements, bank account numbers, Mastercard account numbers, and other sensitive information.  
The papers were collected and properly destroyed, but the owner did not see a reason for concern since most of the information was available in the public record.","Databreaches.net","","2011","30.458283","-91.140320" "February 8, 2012","Eaton Vance Management","Boston","Massachusetts","DISC","BSF","0","A mailing error caused the Social Security numbers of some employees to be visible through the window of mailed envelopes. The employee stock and tax documents were mailed on January 25, 2011 and notification was posted on February 6.","Dataloss DB","","2012","42.358431","-71.059773" "February 14, 2012","Valley National Bank, American Stock Transfer and Trust Company, LLC","New York","New York","DISC","BSF","0","A mailing error caused 1099 forms to be sent to the wrong addresses on January 17, 2012.  Names, tax identification numbers, and addresses were exposed because incorrect or multiple addresses were printed on the forms.  Information on stock dividends and phone numbers was also exposed.  The error was discovered when some of the forms were returned by the post office as undeliverable.","Dataloss DB","","2012","40.714353","-74.005973" "February 22, 2012","Accucom Corporation","Boston","Massachusetts","HACK","BSF","12","An unauthorized party misused Accucom credentials to make fraudulent $1.00 charges on customer payment cards that were used on affiliated websites.  Credit card numbers, names, and billing addresses may have been accessed. At least 12 New Hampshire residents were affected, but the total number nationwide was not revealed.","Dataloss DB","","2012","42.358431","-71.059773" "February 13, 2012","Alicare, National Retirement Fund","White Plains","New York","DISC","BSF","0","A mailing error caused the Social Security numbers of National Retirement Fund participants to be printed on the outside of a mailed envelope.  
Names and mailing addresses were also exposed.","Dataloss DB","","2012","41.033986","-73.762910" "September 1, 2012","Temple Community Hospital","Los Angeles","California","STAT","MED","600","The July 3 office theft of a computer from the Radiology Department resulted in the exposure of patient information. The computer was used to store CT examination images taken between January 1, 2012 and July 2, 2012.  It contained pictures of CT scans performed, reasons for the scans, patient names, ordering doctors' names, and patient hospital account numbers.","PHIPrivacy.net","","2012","34.052234","-118.243685" "August 30, 2012","Harris County Hospital District","Houston","Texas","INSD","MED","0","The Harris County Hospital District was alerted to an issue when they received a grand jury subpoena on February 11, 2011.  A dishonest employee was immediately fired for viewing and possibly sharing patient names, Social Security and member numbers, medical record numbers, addresses, phone numbers, dates of birth, sexes, emergency contact information, payer information, and other medical care information. The Harris County Hospital District decided to send patients notifications on July 20, 2012 after receiving additional information about the breach. The former employee was indicted and will be tried on criminal charges related to the stolen and misused information on September 24, 2012.","PHIPrivacy.net","","2012","29.760193","-95.369390" "August 30, 2012","BMO Harris Bank","Milwaukee","Wisconsin","PORT","BSF","0","The laptop of an employee who works for a BMO Harris Bank vendor was stolen.  It contained customer names, addresses, and dates of birth. 
BMO learned of the breach on June 20.","Databreaches.net","","2012","43.038903","-87.906474" "September 1, 2012","New Hampshire Department of Corrections","Concord","New Hampshire","HACK","GOV","0","A staff member found that a cable line hooked to the computers used by inmates had been connected to a line connecting to the entire Concord prison computer system.  This may have allowed one or more prisoners to view, steal, or change sensitive records. The network is used to track invoices and billing for Correctional Industries contracts. Information from the offender management database system ""Corrections Offender Records and Information System"" may have been compromised as well.","Databreaches.net","","2012","43.208137","-71.537572" "June 8, 2012","City of New Haven, Rent Rebate","New Haven","Connecticut","PORT","GOV","0","The May 23 theft of an employee's laptop resulted in the loss of sensitive information.  The laptop was stolen from the Mitchell Branch Library and contained the personal information of people enrolled in New Haven's Rent Rebate program.  UPDATE (09/01/2012): Names, Social Security numbers, addresses, dates of birth, and other personal information were exposed.  A total of 21,000 Connecticut Rent Rebate program participants were affected.","Databreaches.net","","2012","41.308153","-72.928158" "September 4, 2012","Twinspires.com (Churchill Downs Technology Initiatives Company)","Louisville","Kentucky","HACK","BSF","0","TwinSpires.com computer records were breached on August 3, 2012.  Customer names, cryptographically hashed Social Security numbers, dates of birth, and email addresses may have been exposed.  ","California Attorney General","","2012","38.252665","-85.758456" "September 7, 2012","Cumberland County Sheriff's Office","Portland","Maine","DISC","GOV","180","Around 180 people who were arrested between August 27 and September 4 of 2012 had their Social Security numbers exposed by an administrative error. 
A new software update intended to automatically post regular arrest lists on the department's Facebook page and distribute them to media outlets also released Social Security numbers of those who were arrested. The error was discovered within 45 minutes, but between 70 and 50 individuals accessed the information during that time.","Databreaches.net","","2012","43.661471","-70.255326" "September 1, 2011","El Paso Independent School District (EPISD)","El Paso","Texas","HACK","EDU","72,000","Hackers accessed the EPISD server and were able to collect the personal information of students, teachers and other employees.  There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). EPISD was not aware of the breach until a computer security company noticed hackers bragging about breaking into EPISD's system.  Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers named Sy5t3mF41lur3 & t3hblackhatter of H05t_Bu5t0rz. UPDATE (09/07/2012): A hacker accused of carrying out the attack is scheduled to plead guilty to two counts of computer fraud and one count of fraud linked to identification documents.","Databreaches.net","","2011","31.758720","-106.486931" "April 27, 2012","Minnesota Department of Public Safety Driver and Vehicle Services","St. Paul","Minnesota","INSD","GOV","3,700","An internal audit revealed that an employee at an unnamed Minnesota car dealership allowed an unauthorized friend to use his login information.  The login information provided access to a vehicle database for processing consumer sales.  Consumer vehicle identification numbers, names, addresses, and dates of birth may have been exposed.  The employee's friend worked at a vehicle repossession company and may have allowed additional individuals to use the login credentials.  
The employee who revealed his login information may face criminal charges.","Dataloss DB","","2012","44.953703","-93.089958" "September 4, 2012","CWI Railroad System Specialists","Barto","Pennsylvania","HACK","BSR","0","A hacker accessed the company's banking system and issued separate payments totalling $190,000 to banks in Virginia.  It is likely that the hacker placed malware in the system in order to make the withdrawal.  The malware has yet to be discovered and it is unclear how long ago the hacker first breached the system.","Databreaches.net","","2012","40.390925","-75.610872" "September 6, 2012","Boston Water and Sewer Commission","Boston","Massachusetts","PORT","GOV","0","A contractor working for Boston Water and Sewer Commission misplaced a hard drive.  The hard drive may have contained customer names, account numbers, meter numbers, phone numbers, addresses, and other information the utility organization recorded. Residents were also warned to be aware of possible calls from people pretending to be from the Commission.","Databreaches.net","","2012","42.358431","-71.059773" "May 3, 2012","University of Pittsburgh","Pittsburgh","Pennsylvania","HACK","EDU","0","Hackers associating themselves with Anonymous claimed to have obtained the private information of University of Pittsburgh students and alumni. The hackers threatened to release the information publicly unless the University apologized to students, law enforcement, and professors.  The University was involved in the arrest of several supporters of Anonymous. Student passwords, dorm information, payment and credit information, parent information, coursework and grades, as well as alumni information may be exposed.UPDATE (08/28/2012): Two men were arrested for allegedly participating in a hack of University of Pittsburgh. 
One entered a plea of not guilty.","Databreaches.net","","2012","40.440625","-79.995886" "September 4, 2012","Apple","Cupertino","California","HACK","BSR","1,000,000","Hackers associating themselves with Anonymous claim to have obtained 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI agent's laptop.  The hackers offered proof of the breach by posting over one million UDIDs. However, both Apple and the FBI are denying that an FBI agent would have access to that information and keep it on a laptop. The hack occurred in March. Apple replaced the types of identifiers the hackers appear to have obtained and will discontinue their use.","Media","","2012","37.322998","-122.032182" "May 11, 2011","Michaels Stores Inc.","New York","New York","CARD","BSR","94,000","A number of PIN pads in Chicago-area Michaels stores were found to have been tampered with.  Michaels checked 7,200 PIN pads in 964 US stores.  Fewer than 90 pads were found to have been compromised, but the affected pads were in 20 states. Michaels expects the process of replacing the pads to last about 15 days. The number of affected customers is in the tens of thousands. PIN pads in Canada will also be checked.The Chicago-area was the hardest hit; 14 stores had compromised PIN pads. Customers who used their debit or credit cards at Michaels are encouraged to monitor their transaction records. Michaels Stores released an official statement.UPDATE (05/19/2011): A suit seeks class-action status and more than $5 million in damages for people whose credit and debit accounts were compromised by the breach.  The lawsuit claims that Michaels failed to protect customers from ""cyber-pickpockets"" who stole sensitive banking information from checkout keypads at stores in 20 states. Michaels is accused of knowingly violating federal and state law by failing to take reasonable steps to safeguard customers' personal information.  
Michaels is also accused of failing to alert customers as soon as the security breach was discovered. There is now a theory that thieves used a combination of  ""false card readers"", wireless cameras or electronic membranes placed over keypads to collect the PINs and card information of Michaels' customers. This allowed them to create fraudulent debit and credit cards. UPDATE (05/31/2011): A second lawsuit was filed in late May.  The new suit also seeks class-action status.  It alleges that Michaels failed to safeguard shoppers' credit and debit PINs and other information.  The second lawsuit was filed by an Illinois resident who saw over $1,000 in fraudulent charges after making an $18.16 purchase at Michaels. UPDATE (06/20/2011): An extensive fraud case has hit multiple areas of Oregon.  Over 250 people have reported fraudulent charges related to cards that were used at Michaels stores. UPDATE (06/27/2011): Four suspects were caught making fraudulent debit card transactions on camera.  The images have been distributed by investigators hoping that someone in the Beaverton, Oregon area will recognize one or more of the people.  Additionally, Michaels now faces a total of four lawsuits related to the data breach. UPDATE (07/13/2011): A number of Iowa residents began reporting debit card fraud that could potentially be related to the Michaels breach. UPDATE (03/21/2012): Two men will be sentenced for their roles in setting up phony debit and credit card pads in the 84 Michaels stores.  Each pleaded guilty to one count of conspiracy to commit bank fraud, one count of bank fraud, and one count of aggravated identity theft. A total of 94,000 credit and debit card account numbers were stolen. UPDATE (07/30/2012): The two men were each sentenced to 36 months in prison for conspiracy to commit bank fraud.  An additional 24 months were added for aggravated identity theft.
They must also pay $42,000 in restitution and will have five years of supervised release.","Databreaches.net","","2011","40.714353","-74.005973" "September 11, 2012","WhatGreatSkin.com (Healing Touch Day Spa Inc.)","Nipomo","California","HACK","BSR","0","The WhatGreatSkin.com servers were hit by an organized attack on the afternoon of August 28.  Hackers may have accessed customer names, addresses, and credit card details. Customers were warned to be cautious of phishing attempts for Social Security numbers, credit card information, or any other personal information.","California Attorney General","","2012","35.042755","-120.475999" "September 11, 2012","Carmichael Company","Vallejo","California","PORT","BSF","0","An electronic filing report was found during a raid.  The report contained tax return information such as Social Security numbers. ","California Attorney General","","2012","38.104086","-122.256637" "September 11, 2012","Local 2/Hospitality Industry Child & Elder Care Plan","San Francisco","California","PORT","MED","0","A USB drive was determined to be lost on August 13, 2012. Information from the non-medical program within the SF Culinary, Bartenders, and Service Employees Welfare Plan was on the flash drive.  People who participated in the Child and Elder Care Plan may have had their names, Social Security numbers, and addresses exposed.","California Attorney General","","2012","37.774930","-122.419416" "September 11, 2012","Northwestern Mutual and One America - American United Life","Indianapolis","Indiana","INSD","BSF","3,000","A former financial planner stole sensitive information from approximately 3,000 clients and used it to open new accounts, make purchases, receive cash advances, and reroute client mail until his arrest in August of 2011.  Client names, Social Security numbers, contact information, and financial account information were exposed. He was sentenced to two years in prison and three years of probation.
He will also have to pay $48,488.66 in restitution.  ","Databreaches.net","","2012","39.768516","-86.158074" "September 12, 2012","Education Resources Information Center (ERIC)","Washington","District Of Columbia","DISC","NGO","0","ERIC began an effort to remove personally identifiable information from their full text documents in August of 2012.  The information had been publicly available through other means, but it was appearing more frequently in internet searches and becoming easier to access because of web advances.  Access to many full text documents on ERIC's database was temporarily disabled. Every document will be checked for personally identifiable information before being restored. ","Databreaches.net","","2012","38.895112","-77.036366" "February 16, 2012","Horry Telephone Cooperative, Inc. (HTC)","Conway","South Carolina","HACK","BSR","0","Unauthorized attempts were made to illegally transfer funds from an HTC bank account between February 1 and February 3 of 2012. The unauthorized party or parties were able to view a limited amount of automated payment records being processed by a third party vendor.  Names on customer bank accounts used for automated payments to HTC, customer bank account numbers used for automated payments to HTC, bank routing numbers used for automated payments to HTC, and customer HTC account numbers were exposed. HTC internal databases were not accessed.","Dataloss DB","","2012","33.836003","-79.047814" "February 1, 2012","Greene County","Greene","Ohio","HACK","GOV","250","A hacker or hackers accessed information from Greene County's web server.  Names, email addresses, user names, and passwords may have been compromised.  
Users who registered the same username, email address, and password combination for other accounts are encouraged to change those passwords as well.","Dataloss DB","","2012","39.697399","-83.889706" "February 24, 2012","Grimmer Middle School","Schererville","Indiana","HACK","EDU","54","A hacker or hackers accessed faculty and staff usernames, email addresses, and passwords.  The information was then posted online.","Dataloss DB","","2012","41.478925","-87.454761" "February 24, 2012","Lake Central Clark Middle School","Saint John","Indiana","HACK","EDU","31","A hacker or hackers accessed faculty and staff usernames, email addresses, and passwords.  The information was posted online.","Dataloss DB","","2012","41.447024","-87.475848" "February 21, 2012","Hagerty Insurance Agency, LLC","Traverse City","Michigan","DISC","BSF","0","An administrative change on www.hagerty.com exposed the personal information of consumers.  Names, addresses, driver's license numbers, policy numbers, email addresses, phone numbers, and dates of birth were temporarily available online.  The error occurred late in the afternoon of February 14 and was corrected during the afternoon of the following day.","Dataloss DB","","2012","44.763057","-85.620632" "February 3, 2012","American Third Position (A3P)","Las Vegas","Nevada","HACK","NGO","0","Activists who use hacking (hacktivists) targeted several American White supremacist groups.  A partial list of officers, political candidate information, financial data, and other member information was exposed.  ","Dataloss DB","","2012","36.255123","-115.238349" "February 16, 2012","D.R. Horton Inc. (DHI Mortgage)","Fort Worth","Texas","UNKN","BSF","0","A software security incident caused the personal information of mortgage applicants to be exposed. Unknown external sources caused a breach that compromised customer Social Security numbers, dates of birth, income data, and assets and liabilities information.
The breach was discovered on February 10 at DHI's Internet Loan Prequalification System.","Dataloss DB","","2012","32.725409","-97.320850" "September 14, 2012","U.S. Postal Service","Miami","Florida","PHYS","GOV","0","A man shot and killed a postal worker in December of 2010 in order to steal his master key. The key was then used by the man and his partner to access apartment complex mailboxes in the North Miami-Dade area.  An unknown number of people then became victims of tax refund fraud. The man was found guilty of 14 counts of homicide, carjacking, robbery, possession of a firearm, and aggravated identity theft in September of 2012.  He faces a sentence of up to life in prison.","Databreaches.net","","2012","25.788969","-80.226439" "September 14, 2012","Lucille Hendricks Elementary School","McAllen","Texas","PHYS","EDU","20","A local news team was contacted when a concerned citizen noticed folders with student information in a dumpster.  Former student names, Social Security numbers, dates of birth, addresses, and phone numbers were exposed.  McAllen School District launched an investigation. The news team held the folders and decided to forward them to the Texas Attorney General's office.","Databreaches.net","","2012","26.203407","-98.230012" "September 16, 2012","Quest Diagnostics","Madison","New Jersey","INSD","MED","0","A dishonest employee was discovered to have forwarded emails that contained sensitive personal information in late July.  The emails included names, Social Security numbers, addresses, dates of birth, driver's license numbers, financial account information, and medical/health insurance information.
","PHIPrivacy.net","","2012","40.759823","-74.417097" "September 16, 2012","Lahey Clinic","Burlington","Massachusetts","PORT","MED","0","The loss of a physician's unencrypted, password-free Blackberry at an airport on July 1 resulted in the exposure of patient names, dates of birth, medical record numbers, diagnosis information, procedure names, and test results.  Lahey Clinic was able to remove all data from the device remotely on July 6. Affected patients were notified in late August.","PHIPrivacy.net","","2012","42.504716","-71.195621" "September 16, 2012","Lincoln Financial Securities Corporation, Red Boat Advisor Resources","Concord","New Hampshire","HACK","BSF","4,657","A server that held TIFF images of customer financial applications was accessed by an unauthorized party between January and early April of 2012. Customers who applied for brokerage accounts, life insurance and annuities, and provided other financial applications may have had their names, Social Security numbers, addresses, email addresses, government issued identification numbers, and financial account information exposed.  Named beneficiaries and other family members may have also had their information exposed.","PHIPrivacy.net","","2012","43.208137","-71.537572" "February 21, 2012","China East","Wauwatosa","Wisconsin","INSD","BSR","0","A dishonest employee was caught with a backpack full of customer financial information.  A resident reported the employee when he saw someone checking his mail for packages.  Police investigated and were able to uncover fraudulent activity.  At least 10 purchases were made with customer debit and credit cards between January and February.","Dataloss DB","","2012","43.049457","-88.007588" "August 6, 2012","City of Ocoee","Ocoee","Florida","DISC","GOV","350","Over 350 city workers had their information posted on a public server in January.  An employee inadvertently uploaded the sensitive information to a public domain server as part of an annual audit.  
Names, Social Security numbers, salaries, and addresses were exposed.","Media","","2012","28.569168","-81.543962" "April 21, 2010","Massachusetts Eye and Ear Infirmary","Boston","Massachusetts","PORT","MED","3,526","On February 19, 2010, a laptop belonging to a physician affiliated with the Massachusetts Eye and Ear Infirmary was stolen while the physician was lecturing in South Korea. The laptop belonged to a neurologist with a particular focus on ringing in the ears, or tinnitus. The following types of information about affected individuals associated with Mass. Eye and Ear may have been present on laptop, names, addresses, telephone numbers, emails, date of birth and age, sex, medical record numbers, dates of service, medical information, including diagnoses, symptoms, test results, and prescriptions, name and contact information for patient pharmacies, and research participant status. In addition, four individuals’ information also included their pharmacy insurance account number.UPDATE (09/17/2012): Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  An HHS Office for Civil Rights investigation indicated that Mass. Eye and Ear failed to take necessary steps to comply with certain requirements of the Security Rule.  These steps include conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that Mass. 
Ear and Eye created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. Mass. Ear and Eye will also have to adhere to a corrective action plan to address these issues. The full HHS disclosure can be read here: http://www.hhs.gov/news/press/2012pres/09/20120917a.html","Dataloss DB","","2010","42.358431","-71.059773" "September 20, 2012","Transcend Capital","Austin","Texas","HACK","BSF","236","A hacker breached a data server located at a Transcend Capital branch during the week of August 20.  Client names, Social Security numbers, addresses, account numbers, telephone numbers, email addresses, security positions, and cash positions may have been exposed.  Clients were encouraged to change their passwords.  A total of 236 clients who are California residents were affected, but the total number of clients affected nationwide was not disclosed.","California Attorney General","","2012","30.267153","-97.743061" "September 17, 2012","St. Therese Medical Group","Bakersfield","California","STAT","MED","0","A July 22 Saint Therese office theft of a computer resulted in the exposure of patient information.  The computer was unencrypted; however, it was password protected.Names, Social Security numbers, dates of birth, health insurer names, dates of treatment, amount billed, and account balances were exposed. Notifications were sent on September 17.","California Attorney General","","2012","35.373292","-119.018713" "September 7, 2012","University of Miami Health System","Miami","Florida","INSD","MED","64,846","Two University of Miami Hospital employees were using patient registration sheets to inappropriately access patient information.  
Anyone who was seen at University of Miami Hospital between October 2010 and July 2012 may have been affected.  Patient names, addresses, dates of birth, insurance policy numbers, and reasons for visits were exposed.  The last four digits of patients' Social Security numbers, were exposed in many cases and full Social Security numbers were exposed in some cases. The dishonest employees were terminated immediately and may have sold some of the information to unauthorized parties.","PHIPrivacy.net","","2012","25.788969","-80.226439" "March 27, 2012","Howard University Hospital","Washington","District Of Columbia","PORT","MED","66,601","The January 27 theft of a laptop from a former contractor's vehicle resulted in the loss of patient information.  The patient files included Social Security numbers, names, addresses, identification numbers, medical record numbers, dates of birth, admission dates, diagnosis-related information, and discharge dates. The majority of those affected were patients who were treated at the Hospital between December 2010 and October 2011.  Some patients who received treatment as far back as 2007 were also affected. The patient files had been downloaded onto the contractor's personal laptop in violation of the Hospital's policy. The contractor stopped working for the hospital in December of 2011.UPDATE (09/21/2012): The number of patients who were notified was revised from 34,503 to 66,601.","Databreaches.net","","2012","38.895112","-77.036366" "September 21, 2012","Central States Southeast and Southwest Areas Health and Welfare Fund","Des Plaines","Illinois","PHYS","NGO","754","An incident occurred on July 31 that may have caused sensitive health information to be exposed. 
The information was in the form of paper records that were exposed in some undisclosed way.","HHS via PHIPrivacy.net","","2012","42.033362","-87.883399" "August 1, 2012","Marquette University","Milwaukee","Wisconsin","HACK","EDU","15","A hacker or hackers accessed and posted sensitive Marquette University information online.  Fifteen names, addresses, email addresses, and passwords were exposed.","Dataloss DB","","2012","43.038903","-87.906474" "September 18, 2012","Northstar Healthcare","Chicago","Illinois","DISC","MED","170","An email that was sent to patients displayed the names of all patients who received the email.  The email was sent to patients being treated for HIV or AIDS and inadvertently revealed names and HIV status.","PHIPrivacy.net","","2012","41.878114","-87.629798" "September 19, 2012","Cabinet for Health and Family Services","Frankfort","Kentucky","HACK","MED","2,500","An employee was the victim of a phishing attack via email sent by a hacker.  The employee's account was then compromised.  Unauthorized activity was identified on the account within half an hour and the account was immediately disabled.  ","PHIPrivacy.net","","2012","38.200906","-84.873284" "September 21, 2012","Lana Medical Care","Ormond Beach","Florida","PORT","MED","500","The August 18th theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2012","29.285813","-81.055889" "September 21, 2012","Library Resources, Inc. (LRI)","Philadelphia","Pennsylvania","PORT","MED","3,183","The August 4th theft of a laptop resulted in the exposure of sensitive information. The laptop contained names, Medicaid numbers, and short summary information used for administrative purposes. ","HHS via PHIPrivacy.net","","2012","39.952335","-75.163789" "September 29, 2012","Health and Sports Rehab, Inc.","Dorchester","Massachusetts","INSD","MED","0","A dishonest intern stole personal information while working at the clinic.  
The information was used to create and cash fraudulent checks and the dishonest intern pled guilty.","PHIPrivacy.net","","2012","42.301631","-71.067605" "September 27, 2012","Apex Laboratory","Farmingdale","New York","HACK","MED","0","Apex Laboratory learned from law enforcement investigators on July 30 that an unauthorized party or parties accessed their computer systems.  Patients may have had their names, Social Security numbers, addresses, phone numbers, dates of birth, gender, and insurance identification numbers exposed.","PHIPrivacy.net","","2012","40.732600","-73.445401" "September 27, 2012","Rite Aid Corporation","Camp Hill","Pennsylvania","DISC","BSR","0","A customer using RiteAid's mobile app to check a prescription noticed that he was able to access the names, addresses, and prescription records of other customers.  The customer was able to identify some of the problems by using his computer science background.  He noticed there was no secure login tied to web service calls made from the smartphone application.  The customer was able to correspond with several RiteAid representatives and RiteAid began to address some of the security concerns.","PHIPrivacy.net","","2012","40.239812","-76.919974" "May 15, 2012","Howard University Hospital","Washington","District Of Columbia","INSD","MED","40","A dishonest employee working as a technician in the surgery department at Howard University Health Sciences sold patient information between August 2010 and December of 2011. The employee was charged with one count of wrongful disclosure of individually identifiable health information.  Patient names, Medicare numbers, addresses, and dates of birth may have been exposed. UPDATE (09/24/2012): The dishonest employee was sentenced to 100 hours of community service and three years of probation. The probation term includes six months in a halfway house followed by six months of home confinement.  She was also fined $2,100.
Her illegal activities involved taking the records of hospital patients, selling their names, addresses, dates of birth, and medical numbers to an unauthorized party, and providing blank hospital prescription forms as well. The dishonest employee was paid between $500 and $800 in cash for each transaction. The information was used for fraudulent oxycodone prescriptions.  ","PHIPrivacy.net","","2012","38.895112","-77.036366" "September 21, 2012","Tricounty Behavioral Health Clinic","Acworth","Georgia","PORT","MED","4,000","An August 26 office theft of a laptop resulted in the exposure of patient information. ","HHS via PHIPrivacy.net","","2012","34.065933","-84.676880" "September 21, 2012","Office of Dr. Clark-Neitzel","Olympia","Washington","PORT","MED","942","A July 24 office burglary resulted in the theft of medical bags and a laptop.  Affected patients were mailed notification letters on September 7.  Patient names, Social Security numbers, addresses, dates of birth, and medical information were exposed.  ","HHS via PHIPrivacy.net","","2012","47.037874","-122.900695" "October 2, 2012","Town Council of Chapel Hill","Chapel Hill","North Carolina","DISC","GOV","12","A licensed clinical social worker accidentally attached confidential client information to an email that was forwarded to town council colleagues. A copy of her and her husband's 2011 income tax returns was also in the email. The email automatically became available to the public and the error was noticed nearly a week later.  Unfortunately, the email was also forwarded a second time to a public account.  Consequently, the information was publicly available for a week.  Many of the affected clients were University of North Carolina students.
Names, Social Security numbers, clinical notes about client mental health, payment amounts, and insurance forms were exposed.","PHIPrivacy.net","","2012","35.913200","-79.055845" "June 23, 2010","Florida International University","Miami","Florida","DISC","EDU","19,495","Florida International University is in the process of sending notification letters to 19,407 students and 88 faculty members after the university’s IT Security Office discovered personal data may have been exposed over the internet via a database’s external search function. An announcement posted on the FIU website lists the personal data as GPAs, test scores, and Social Security numbers that were stored on the College of Education’s E-Folio software app. This database kept track of student data related to state mastery standards, grade tracking, assignments, and Social Security numbers for both students and faculty.","Dataloss DB","","2010","25.774266","-80.193659" "May 13, 2011","Anthem Blue Cross","Westlake Village","California","DISC","BSF","31,125","Letters soliciting dental and vision coverage were mailed to current Anthem customers.  A priority code composed of the customer's Social Security number and two extra digits was printed on the outside of each envelope.  One customer noticed the error and contacted the media.  Anthem admits that an error occurred, but did not reveal the cause. Anthem is working to prevent this type of breach from happening again and was in the process of notifying customers of the error as of May 12. UPDATE (10/01/2012): Anthem experienced the marketing mailer error on April 27, 2011.  The State of California settled with Anthem in September of 2012. 
Anthem agreed to pay $150,000 and to make significant improvements to its data security procedures to prevent future errors of a similar type.","PHIPrivacy.net","","2011","34.138456","-118.849985" "October 2, 2012","Robeson County Board of Elections","Lumberton","North Carolina","PORT","GOV","71,000","Five password-protected laptop computers that contained personal information of registered voters in Robeson County were discovered stolen in September.  Voters had their names, addresses, dates of birth, and the last four digits of their Social Security numbers exposed.  The computers went missing between July 18 and September 4. They were most likely taken while outside of their normally secured area and left with unsupervised community volunteers.  Driver's license numbers may have also been exposed.  Those who were affected were mailed letters on September 12.","Databreaches.net","","2012","34.618220","-79.008642" "October 1, 2012","San Mateo Union High School District","San Mateo","California","HACK","EDU","0","Hackers accessed San Mateo Union High School District's computer system and attempted to use it to infiltrate FBI and CIA electronic systems. The District became aware of the problem when United States Naval Intelligence informed them that the District's servers had been compromised.  The hackers appear to have used additional organizations in their scheme.","Databreaches.net","","2012","37.562992","-122.325525" "September 28, 2012","University of Chicago","Chicago","Illinois","DISC","EDU","9,100","A postcard mailed to University of Chicago employees contained their Social Security numbers.
The cards were mailed on September 24 to remind employees about open enrollment, but also had Social Security numbers printed on the outside.","Databreaches.net","","2012","41.878114","-87.629798" "September 28, 2012","Brightline Interactive, Army Chief of Public Affairs","Alexandria","Virginia","DISC","GOV","518","An army awards database was found to be available online.  The database was being handled by the defense contractor Brightline Interactive and was mistakenly uploaded to a public server at an unknown time.  Those who received awards for actions since September 11, 2001 were affected.","Databreaches.net","","2012","38.804836","-77.046921" "September 27, 2012","Center 4 Health Enlightenment Enrichment Empowerment Renewal Services (CHEERS)","Phoenix","Arizona","INSD","NGO","180","A dishonest employee accessed and misused CHEERS client names, Social Security numbers, and birth dates.  She, her sister, and her husband filed 180 tax returns under stolen identities and claimed over $1 million in tax refunds. The three face between three years and five years in prison.","Databreaches.net","","2012","33.448377","-112.074037" "September 26, 2012","American Heart Association, Olive Crest","Las Vegas","Nevada","PORT","NGO","0","An office burglary resulted in the exposure of personal information.  Two or more laptops with donor information and a docking station were stolen.","Databreaches.net","","2012","36.114646","-115.172816" "October 8, 2012","GreenStone Homes","Columbus","Ohio","PHYS","BSO","0","A pile of thousands of documents were found in the street. Two bags were stuffed with financial information such as tax returns with Social Security numbers. 
The information was found in the driveway of a model home that had been foreclosed in July 2011.","Databreaches.net","","2012","39.961176","-82.998794" "October 4, 2012","Monterey Institute of International Studies, Middlebury College","Monterey","California","PORT","EDU","0","A September 14, 2012 home burglary resulted in the theft of a laptop.  The laptop was password-protected and was stolen along with other items.  Student names and Social Security numbers were on the laptop.  ","California Attorney General","","2012","36.600238","-121.894676" "October 10, 2012","Northwest Florida State College","Niceville","Florida","HACK","EDU","200,050","An internal review revealed a hack of Northwest College servers.  One or more hackers accessed at least one folder in the server between May 21, 2012 and September 24, 2012.  Over 3,000 employees, 76,000 Northwest College student records, and 200,000 students eligible for Bright Future scholarships in 2005-06 and 2006-07 were affected.  Bright Future scholarship data included names, Social Security numbers, dates of birth, ethnicity, and genders.  Current and former employees that have used direct deposit anytime since 2002 may have had some information exposed. At least 50 employees had enough information in the folder to be at risk for identity theft.","Databreaches.net","","2012","30.516864","-86.482172" "February 17, 2012","Speedy Recovery Services","Lithonia","Georgia","HACK","BSO","454","An unauthorized party or parties used Speedy Recovery Services' Experian login to view consumer information.  The unauthorized access took place between December 12, 2010 and January 21, 2012.  Social Security numbers, dates of birth, and account numbers may have been exposed.","Dataloss DB","","2012","33.712331","-84.105194" "February 14, 2012","American Stock Transfer & Trust Company, LLC, Mesa Royalty Trust","New York","New York","DISC","BSF","0","A mailing error caused personal information to be exposed.  
Beneficiary statements containing tax information for 2011 were sent by postal mail on April 2, 2012.  The statements were mailed to incorrect addresses and exposed names, home addresses, and tax identification numbers of intended shareholders. The error was discovered on April 6.","Dataloss DB","","2012","40.714353","-74.005973" "February 14, 2012","America Stock Transfer & Trust Company, LLC","New York","New York","HACK","BSF","0","Shareholder 1099 forms were sent to the wrong addresses due to a mailing error.  Names, home addresses, and tax identification numbers could have been viewed by incorrect parties.  The forms were mailed on January 17 and the error was discovered on January 18.  ","Dataloss DB","","2012","40.714353","-74.005973" "February 13, 2012","#1 Chat Avenue","","Kansas","HACK","BSO","39","A hacker or hackers accessed and posted online information.  A total of 39 administrator and moderator usernames, email addresses, and salted passwords were exposed.","","","2012","39.011902","-98.484247" "January 6, 2012","Planet Smoothie","Atlanta","Georgia","INSD","BSR","130","A dishonest employee used a skimming device to copy customer credit and debit card information.  The former employee was arrested for stealing and misusing the customer payment information.  The fraudulent activity occurred throughout 2011.","Dataloss DB","","2012","33.748995","-84.387982" "January 8, 2012","Hydrogen Software","Columbia","Montana","HACK","BSR","201","A hacker or hackers accessed and posted online information.  A total of 201 usernames and hashed passwords were exposed.","Dataloss DB","","2012","0.883370","-70.433350" "January 10, 2012","Isaac Miller Elementary School, Santa Maria-Benita School District","Santa Maria","California","PHYS","EDU","0","A man noticed dozens of books and documents inside a dumpster near Miller Elementary.  The documents contained personal and financial information related to applications for free and reduced-price meals.  
The books were new and federally-funded.  School officials claimed that the documents should have been shredded and recovered the documents and books. The books were donated.","Databreaches.net","","2012","34.953034","-120.435719" "January 9, 2012","Employ Bridge (Staffing Solutions), Tempo Real Estate Corporation","Atlanta","Georgia","PHYS","BSO","0","Thousands of personal documents were found in a recycling dumpster.  The documents likely contained employment information such as full names, addresses, phone numbers, email addresses, and work histories. They were taken from an office in Alpharetta without the company's knowledge or permission.  A landlord with Temp Real Estate Corporation sent a cleaning crew to clean out the office after incorrectly believing Employ Bridge's lease had expired.  ","Media","","2012","33.748995","-84.387982" "January 10, 2012","B-K Lighting","Madera","California","HACK","BSO","3,410","A hacker or hackers accessed and posted online information.  A total of 3,410 names, addresses, usernames, passwords, phone numbers, and email addresses were taken from bklighting.com and exposed.","Dataloss DB","","2012","36.961336","-120.060718" "January 12, 2012","FileDen","Palo Alto","California","HACK","BSO","4,504","A hacker or hackers accessed and posted online information from the popular file sharing website.   A total of 4,504 usernames, passwords, and email addresses were exposed.","Dataloss DB","","2012","37.441883","-122.143020" "January 11, 2012","Virtual Jerusalem","Los Angeles","California","HACK","BSO","214","A hacker or hackers accessed and posted information online.  A total of 214 usernames, email addresses, and hashed passwords were exposed.","Dataloss DB","","2012","34.052234","-118.243685" "January 16, 2012","T-Mobile","Bellevue","Washington","HACK","BSR","44","A hacker or hackers accessed and posted online information.  
A total of 44 employee names, email addresses, phone numbers, and passwords were exposed.","Dataloss DB","","2012","47.610377","-122.200679" "October 11, 2012","Centers for Medicare & Medicaid Services (CMS)","Baltimore","Maryland","UNKN","GOV","363","The CMS experienced 13 breaches between September 23, 2009 and December 31, 2011.  The CMS failed to notify beneficiaries of seven of the breaches in a timely manner.  The HHS's Office of the Inspector General (OIG) also alleges that the notifications mailed to beneficiaries did not disclose what type of information had been exposed, the date the breach occurred, or how CMS was working to prevent future breaches.","PHIPrivacy.net","","2012","39.290385","-76.612189" "October 10, 2012","PlaySpan","Foster City","California","HACK","BSR","100,000","A hacker or hackers accessed PlaySpan's computer system.  User IDs, encrypted passwords, and email addresses of online players were exposed.  Users are advised to immediately change their passwords and also any similar passwords for other logins associated with compromised email addresses. PlaySpan Marketplace may have also been affected and could be linked to user financial information.","Media","","2012","37.558547","-122.271079" "October 12, 2012","AutoCarry","North Bergen","New Jersey","PHYS","BSO","100","An office burglary that occurred on October 10 resulted in the exposure of customer information.  Paper documents that contained credit card numbers, addresses, and other personal information were taken.","Databreaches.net","","2012","40.794175","-74.024960" "October 12, 2012","Korn/Ferry International","Los Angeles","California","HACK","BSO","0","A cyber breach affected Korn/Ferry databases.  Names, Social Security numbers, driver's license numbers, government-issued identification numbers, credit card numbers, and health information may have been exposed.  
The information may have been available to unauthorized parties for months before the breach was discovered in August of 2012.","Databreaches.net","","2012","34.052234","-118.243685" "October 11, 2012","PST Services, Inc., Litton and Giddings Radiological Associates, P.C.","Springfield","Montana","PHYS","MED","0","Litton and Giddings' janitorial service, PST Services, failed to shred patient billing records before sending them to a Springfield recycling company.  The records may have been viewed by unauthorized parties before being destroyed at the recycling center.  ","PHIPrivacy.net","","2012","27.548414","-99.484233" "July 15, 2011","University of Maryland Medical Center","Baltimore","Maryland","INSD","MED","0","A former employee of the University of Maryland Medical Center and three other people collaborated to steal the identities of patients.  The former medical center employee allegedly stole the patient information of people who had paid for medical treatment between July 2009 and June 2011.  His co-conspirators then used the information to open credit cards, obtain cash advances and make purchases in victims' names.  The four people were arrested and face a maximum sentence of 30 years in prison for conspiracy, in addition to charges related to bank fraud and aggravated identity theft.UPDATE (10/12/2012): A former employee was sentenced to six months of home detention and ordered to pay $22,000 in restitution.  He claimed that he took the patient records home in order to conceal work that he had not completed and submit false reports.  At least two other people used the patient records to commit fraud. ","PHIPrivacy.net","","2011","39.290385","-76.612189" "October 13, 2012","City of Burlington, Washington","Burlington","Washington","HACK","GOV","0","A hacker or hackers managed to transfer $400,000 in city funds to accounts across the country. The cyber attack occurred sometime between Tuesday night and Wednesday morning.  
City employees may have also had their direct deposit bank account information compromised.","Databreaches.net","","2012","48.475662","-122.325438" "October 18, 2012","Southern Environmental Law Center","Charlottesville","Virginia","HACK","NGO","0","Sensitive information from Southern Environmental Law Center was placed online.  Credit card, medical, and donor information such as addresses, phone numbers, and client files were exposed.  The data was accessible via Google search for an unspecified amount of time.  Southern Environmental Law Center is warning people not to open emails about the security failure or click on any links in emails that appear to be from Southern Environmental Law Center.","Databreaches.net","","2012","38.029306","-78.476678" "September 19, 2012","United States Navy, Smart Web Move","Washington","District Of Columbia","HACK","GOV","200,000","A hacker or hackers accessed sensitive information and posted it online.  Former and current Navy personnel who used Smart Web Move to arrange household moves could have been affected.  The compromised database stored 11 years of private information, but only 20 people had their information publicly posted.  Usernames, email addresses, security questions and corresponding answers were exposed.","Databreaches.net","","2012","38.895112","-77.036366" "September 23, 2012","Town of Willimantic, Connecticut","Willimantic","Connecticut","PORT","GOV","0","An employee's laptop was stolen from his unattended office between 10 a.m. and noon on September 17.  The laptop was password-protected.  It contained the information of town employees.  Social Security and bank account numbers may have been exposed.","Media","","2012","41.710654","-72.208134" "October 18, 2012","Blount memorial Hospital","Maryville","Tennessee","PORT","MED","27,000","A password-protected laptop was stolen from an employee's home on August 25.  It contained two groups of patient data.  
Patient names, dates of birth, responsible party names, patient addresses, physician names, and billing information for 22,000 patients were on the laptop. An additional 5,000 patients had similar information exposed as well as their Social Security numbers and other non-medical information.","PHIPrivacy.net","","2012","35.756472","-83.970459" "September 19, 2012","Blue Cross Blue Shield of Massachusetts (BCBS)","Boston","Massachusetts","INSD","MED","15,000","A BCBS vendor misused BCBS employee information.  The misuse appears to have been limited to one instance.  Names, Social Security numbers, dates of birth, compensation information, and bank account information may have been exposed.","Media","","2012","42.358431","-71.059773" "October 19, 2012","Valley Plastic Surgery, P.C.","Harrisonburg","Virginia","PORT","MED","4,873","The July 15 theft of an electronic device exposed patient information.","HHS via PHIPrivacy.net","","2012","38.449569","-78.868916" "October 19, 2012","Ecco Health, LLC, Colon & Digestive Health Specialists","Scottsdale","Arizona","PORT","MED","5,713","A vendor working with patient data for digital conversion from Colon & Digestive lost a flash drive on or around July 16.  It contained patient names, Social Security numbers, dates of birth, addresses, telephone numbers, account numbers, diagnoses, and other protected health information.","HHS via PHIPrivacy.net","","2012","33.494170","-111.926052" "October 22, 2012","UPMC","Monroeville","Pennsylvania","DISC","GOV","0","An assistant police chief filed a complaint alleging that the chief of police breached federal privacy law.  The complaint alleges that the chief of police received information about ambulance dispatches that was primarily intended for paramedics and other active first responders.  He also claims the chief of police forwarded the information to a third party.","PHIPrivacy.net","","2012","40.421180","-79.788102" "October 22, 2012","Office of Dr. Philip P. 
Corneliuson","Fresno","California","STAT","MED","0","An office burglary resulted in the theft of a computer.  The incident was discovered on September 15, 2012.  Patient names and Social Security numbers were on the computer. UPDATE (10/24/2012): The computer contained medical records and insurance information.","California Attorney General","","2012","36.746842","-119.772587" "October 24, 2012","Vermont State Employee's Credit Union (VSECU)","Montpelier","Vermont","PORT","BSF","0","Two unencrypted backup tapes were discovered missing on September 10.  They were lost sometime between August 27 and September 10.  Names, Social Security numbers, financial account information, driver's license numbers, and transaction records were exposed.","Databreaches.net","","2012","44.260059","-72.575387" "October 25, 2012","Waipahu Aloha Clubhouse","Waipahu","Hawaii","HACK","MED","600","An employee noticed unusual activity on a computer on September 25, 2012.  It is possible that former and current members of the Waipahu Aloha Clubhouse had information on the computer that was remotely accessed by an unauthorized party.  Names, Social Security numbers, dates of birth, addresses, phone numbers, and consumer record numbers dating back to 1997 may have been exposed. Though the Clubhouse services people living with severe and persistent mental illness, no medical records were exposed.","PHIPrivacy.net","","2012","21.386667","-158.009167" "October 26, 2012","Alabama Department of Human Resources, Vinson Guard Service Inc., Jefferson Davis High School","Montgomery","Alabama","UNKN","BSO","0","An alert stating that the United States Attorney's Office is prosecuting cases related to the theft of personal identifying information and misuse of that personal identifying information was released.  The information was stolen between January 1, 2009 and March 25, 2011.  
People from various organizations may have had their information misused to prepare fraudulent tax returns.","PHIPrivacy.net","","2012","32.366805","-86.299969" "October 25, 2012","L&D Chinese Buffet","Butte","Montana","INSD","BSR","0","Two dishonest employees misused customer credit card information to make more than $26,000 in fraudulent purchases.  The two men face a maximum of 10 years in prison and a $50,000 fine for each of six counts of deceptive practices. The men were arrested on July 29.  ","Databreaches.net","","2012","46.003823","-112.534778" "October 28, 2012","Optimum HealthCare Inc.","Tampa","Florida","INSD","MED","32","An Optimum HealthCare claims specialist stole the personal information of at least 32 clients.  The documents information was later found on a man who was arrested after a traffic stop in 2011.  The man who was arrested never worked for Optimum and the dishonest employee who stole the documents is believed to have separated from Optimum.","PHIPrivacy.net","","2012","27.950575","-82.457178" "October 28, 2012","Prescription Monitoring Program","Olympia","Washington","UNKN","MED","34","An unauthorized party gained access to a physician's identity in order to view patient records.  A fraudulent account was created under the doctor's identity in the Washington medical system.  Medical information such as drugs dispensed and quantity dispensed may have been accessed before the fraudulent account was shut down.","PHIPrivacy.net","","2012","47.037874","-122.900695" "October 29, 2012","Massachusetts Eye and Ear Infirmary ","Boston","Massachusetts","INSD","MED","3,600","A dishonest employee was arrested and fired in March after stealing patient information from Massachusetts Eye and Ear Infirmary.  The former employee opened fake accounts to avoid paying for electricity. The investigation began in January when one of the victims noticed that her Social Security number had been used to open an account.  
Names and dates of birth were also compromised.","PHIPrivacy.net","","2012","42.358431","-71.059773" "October 29, 2012","Abilene Telco Federal Credit Union, Experian","Abilene","Texas","HACK","BSF","847","A hacker or hackers were able to access an Abilene Telco Federal Credit Union employee's computer in September 2011.  The Bank's online account with Experian was then used to download the credit reports of 847 people.  Social Security numbers, dates of birth and detailed financial data were exposed.","Dataloss DB","","2012","32.448736","-99.733144" "October 22, 2012","Compete Inc","Boston","Massachusetts","DISC","BSO","0","Compete Inc. reached an agreement with the Federal Trade Commission regarding the collection of consumer information. Compete agreed to obtain end users' consent before collecting future online browsing data.  Compete will also delete or anonymize consumer data already collected and provide direction for removing tracking software installed on the computers of those who had their data collected. FTC charged that Compete failed to adequately describe two products used to collect details about end users' browsing habits.  A toolbar and input panel were used to collect extensive information about consumer activities and transmit the information in clear readable text to Compete's servers.  All websites visited by, links followed by, and advertisements displayed to Compete consumers were collected and stored.","Dataloss DB","","2012","42.358431","-71.059773" "October 24, 2012","Aultman Hospital","Canton","Ohio","HACK","MED","0","Hardware at Aultman was discovered to have been infected by a cyber attack.  Unauthorized parties may have been able to access credit and debit card information from Aultman gift shop purchases between February and September of 2012.  ","Dataloss DB","","2012","40.798947","-81.378447" "October 19, 2012","U.S. National Weather Service, Weather.gov","Silver Spring","Maryland","HACK","GOV","0","Hackers targeted the U.S. 
National Weather Service website Weather.gov in an attempt to exploit vulnerabilities in U.S. government online systems.  The hackers claim to have begun a campaign in response to U.S. cyber attacks in Muslim nations.  Partial login credentials and system and network configuration files were accessed and posted online.","Dataloss DB","","2012","38.990666","-77.026088" "October 16, 2012","University of Georgia (UGA)","Athens","Georgia","HACK","EDU","8,500","The passwords of two University of Georgia (UGA) IT employees were reset and misused by an intruder.  Names, Social Security numbers, and other sensitive data of current and former school employees may have been exposed. The breach may have begun as early as September 28, 2012.","Media","","2012","33.950000","-83.383333" "October 10, 2011","University of Georgia (UGA)","Athens","Georgia","DISC","EDU","18,931","A data file that contained employment information such as names, Social Security numbers, dates of birth, dates of employment, gender, race, home phone numbers, and addresses was accidentally placed on a publicly available web server. The information was available from 2008 until 2011. Faculty and staff who worked at UGA in 2002 were affected.","Media","","2012","33.950000","-83.383333" "October 10, 2012","Equifax","Atlanta","Georgia","DISC","BSF","17,000","Equifax settled charges with the Federal Trade Commission after it was discovered that Equifax Information Services improperly sold lists of consumer data.  People who were late on their mortgage payments had their information sold to firms that should not have received the information and subsequently resold it to other firms.  Equifax agreed to pay nearly $1.6 million to resolve charges that it violated the FTC and Fair Credit Reporting Acts. 
The settlement prohibits Equifax from providing prescreened lists to unauthorized parties, having poor procedures for releasing prescreened lists, and selling prescreened lists in certain circumstances.","Media","","2012","33.748995","-84.387982" "November 2, 2012","Cornell University","Ithaca","New York","DISC","EDU","2,000","Names and Social Security numbers of people associated with Cornell were publicly available for five days.  The information was on a computer in Cornell's athletics department and was accidentally placed online from September 5, 2012 until September 10, 2012.","Media","","2012","42.443961","-76.501881" "October 8, 2012","www.naperville.il.us","Naperville","Illinois","HACK","GOV","0","A cyber intruder injected a virus into the website of the city of Naperville.  City officials claim that no resident credit card information was compromised.  There is no evidence that any type of information was stolen from the website.","Dataloss DB","","2012","41.785863","-88.147289" "October 30, 2012","HSBC Bank USA National Association","New York","New York","INSD","BSF","0","An employee resigned and left with customer account information.  Names, Account numbers, account types, and phone numbers may have been exposed.  The breach occurred in late July.","California Attorney General","","2012","40.714353","-74.005973" "November 1, 2012","Salinas Valley State Prison (SVSP)","Soledad","California","DISC","GOV","0","Sensitive staff information on a database file was found to have been accessible to all SVSP staff.  Staff names, Social Security numbers, phone numbers, addresses, and institutional-position information were exposed.  
The breach was discovered on September 26 and it is unclear how long the information was available.","California Attorney General","","2012","36.424687","-121.326319" "November 5, 2012","Illinois Department of Healthcare and Family Services","Springfield","Illinois","PHYS","MED","508","The August 31 theft of a briefcase from the home of a contractor resulted in the exposure of nursing home residents.  The briefcase contained names, Social Security numbers, Medicaid recipient numbers, and dates of birth.  ","PHIPrivacy.net","","2012","39.781721","-89.650148" "November 7, 2012","4Access, National Processing Company","Louisville","Kentucky","HACK","BSF","0","An unauthorized person may have gained access to the computer network that supported certain 4Access terminals.  These terminals were connected to a computer network that allowed merchant transaction processing.  The unauthorized entry was discovered on September 24.  Check processing information stored in the network such as check writer's name, checking account and routing numbers, address, and driver's license number may have been accessed. No credit card information was exposed.  ","California Attorney General","","2012","38.252665","-85.758456" "November 9, 2012","Memorial Hospital","Colorado Springs","Colorado","PHYS","MED","6,400","Laboratory reports for about 6,400 patients were discovered missing.  The reports contained bill processing information and charges for laboratory services.  Patients who had lab work done between May 1, 2012 and August 31, 2012 had their names, Memorial internal account numbers, lab work dates, and types of lab work exposed.","PHIPrivacy.net","","2012","38.833882","-104.821363" "November 6, 2012","Women & Infants Hospital","Providence","Rhode Island","PORT","MED","14,004","Unencrypted backup tapes containing ultrasound images from ambulatory sites were discovered missing on September 13.  
The information was from Providence, Rhode Island between 1993 and 1997 and New Bedford, Massachusetts between 2002 and 2007.  Patient names, dates of birth, dates of exams, physicians' names, and patient ultrasound images were exposed.  A limited number of current and former patients also had their Social Security numbers exposed. Notifications began on November 5.UPDATE (11/10/2012): A total of 14,004 patients were affected.","PHIPrivacy.net","","2012","41.823989","-71.412834" "November 10, 2012","Alere Home Monitoring, Inc.","Livermore","California","PORT","MED","100,000","The September 23 theft of an employee's unencrypted laptop resulted in the exposure of information of over 100,000 patients.  The laptop was stolen from the employee's home.  Names, Social Security numbers, addresses, and diagnosis information of patients taking drugs to prevent blood clots were exposed. Alere became aware of the breach on October 1.","PHIPrivacy.net","","2012","37.681875","-121.768009" "November 4, 2012","Symantec, ImageShack","Mountain View","California","HACK","BSO","1,000","A hacking spree resulted in unauthorized access to the ImageShack server and a Symantec portal. Names, phone numbers, emails, domains, passwords, usernames, and other information were exposed.","Dataloss DB","","2012","37.386052","-122.083851" "November 13, 2012","Sprechman & Associates, P.A. ","Miami","Florida","INSD","BSF","0","An employee may have performed unauthorized searches on clients.  The employee is no longer with the company.  Names, Social Security numbers, addresses, dates of birth, and driver's license numbers may have been exposed.  
The potential breach was discovered in July and clients were notified in October after their contact information was confirmed.","California Attorney General","","2012","25.788969","-80.226439" "November 14, 2012","Highlandtown Community Health Center, Johns Hopkins Hospital","Baltimore","Maryland","INSD","MED","250","At least four people were involved in an identity theft ring that affected over 250 people.  One member of the ring was employed by Highlandtown Community Health Center and provided personal and financial patient information that he accessed through his position. The information was used by other ring members to create counterfeit checks and fraudulent state identification cards. The fraud occurred between August and October of 2009. Another member of the ring was employed by Johns Hopkins Hospital and provided the information of doctors who applied for fellowships there.  Several ring members rented apartments under the identities of doctors. Two of the members pleaded guilty to conspiring to commit wire fraud and aggravated identity theft.  The four members of the ring are required to collectively pay restitution for fraudulently obtained cash, merchandise, and services worth over $188,000.","PHIPrivacy.net","","2012","39.290385","-76.612189" "November 10, 2012","Baptist Physicians Lexington","Lexington","Kentucky","PORT","MED","2,376","A device with patient information was discovered lost or stolen on August 15.  ","HHS via PHIPrivacy.net","","2012","38.040584","-84.503716" "November 13, 2012","Chicago Board of Elections Commissioners","Chicago","Illinois","DISC","GOV","1,200","The sensitive information of Chicago voters was exposed online due to a mistake by the election authority. A database that included names, the last four digits of Social Security numbers, addresses, and driver's license numbers was accidentally placed online in a publicly accessible place.  
Only people who applied to work for the board in Chicago polling places on Election Day were determined to have been affected.  A forensic investigation firm believes that as many as 1.7 million registered voters had their names, addresses, and voter registration numbers exposed. However the Chicago Board does not believe that information should be considered sensitive.","Databreaches.net","","2012","41.878114","-87.629798" "November 11, 2012","Labelmaster (American Labelmark Company)","Chicago","Illinois","HACK","BSO","0","A hacker accessed the e-commerce site labelmaster.com.  Customer names, addresses, credit card numbers, and credit card expiration dates were exposed.  ","Databreaches.net","","2012","41.878114","-87.629798" "November 10, 2012","Bob Ward & Sons","Bozeman","Montana","HACK","BSR","0","The Bob Ward & Sons website was hacked on June 6, 2011.  Customers who made online purchases between May 31 and August 3 of 2012 may have had their names, addresses, and credit card information exposed.  Ward became aware of the issue when he received a notice from Discover that revealed some customers had experienced fraudulent charges.  ","Databreaches.net","","2012","45.683460","-111.050499" "October 27, 2012","Department of State Bureau of Consular Affairs","Washington","District Of Columbia","INSD","GOV","0","A dishonest employee misused sensitive information in a State Department database to obtain fraudulent credit cards.  He was part of a conspiracy sometime during his employment between September 2007 and March 2008.  The group of conspirators successfully obtained $71,774 and attempted to obtain an additional $133,494 in fraudulent transactions.  
The dishonest employee pled guilty to conducting illegal transactions with credit cards and agreed to pay $71,774 in restitution.","Databreaches.net","","2012","38.895112","-77.036366" "October 12, 2012","Army Material Command","Huntsville","Alabama","PHYS","GOV","400","An employee transported a hard copy of sensitive employee documents home.  The employee is not believed to have taken the information for fraudulent or criminal activity.","Databreaches.net","","2012","34.730369","-86.586104" "October 12, 2012","FEI Company","Hillsboro","Oregon","PORT","BSR","0","The August 29 theft of a laptop resulted in the exposure of employee information.  Employee names, Social Security numbers, information related to taxpayer I.D., dates of birth, home addresses, and employment information such as salaries were exposed.","Databreaches.net","","2012","45.522894","-122.989827" "November 19, 2012","American Tool Supply (ATS)","Suwanee","Georgia","HACK","BSR","617","A hacker gained access to the ATS system and may have accessed financial information.  The attack was discovered on August 1 and financial information was immediately removed from the ATS online system.  ","California Attorney General","","2012","34.051490","-84.071300" "November 14, 2012","Adobe","San Jose","California","HACK","BSO","230","A hacker released the names, email addresses, and encrypted passwords of 230 members of Adobe's company database.  The hacker claimed to have access to over 150,000 records.  Adobe announced that it would reset approximately 150,000 passwords of members of the Connectusers.com site. UPDATE (11/14/2012): The 230 people who were affected also had their titles, affiliated organizations, and usernames exposed.  A number of those affected were associated with U.S. government agencies such as the Department of Transportation, the Department of Homeland Security, the U.S. 
State Department, and the Federal Aviation Administration.","Databreaches.net","","2012","37.339386","-121.894956" "November 10, 2011","Steam (The Valve Corporation)","Bellevue","Washington","HACK","BSR","35,000,000","The November 6 defacement of Steam forums led to an investigation that revealed hackers had accessed a Steam database with sensitive user information. The database contained user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information.  Users were prompted to change their Steam forum passwords and encouraged to change their Steam account passwords.  Anyone using their Steam forum password for other websites should change their password since hackers could have obtained email address and password combinations. Steam is the Valve Corporation's social-distribution network.  People who use the company's online gaming content were affected.UPDATE (11/16/2012): A judge dismissed a class action lawsuit related to the November 6, 2011 breach.  The plaintiffs of the lawsuit used Steam to purchase and access online gaming content. They alleged present and future harm as a result of the breach.  According to the judge who dismissed the lawsuit, the plaintiffs did not prove that they were harmed by the Steam breach.","Databreaches.net","","2011","47.610377","-122.200679" "November 29, 2012","WestCoast Children's Clinic","Oakland","California","DISC","MED","0","A referral document containing sensitive information was accidentally sent in an email to an unauthorized recipient.  Patient names, Social Security numbers, dates of birth, addresses, and health concerns were sent to a county social worker. The county social worker deleted the sensitive email and any other existing copies of the document were securely deleted from the network.  The WestCoast Children's Clinic will not provide referral forms to outside agencies in order to protect against future inadvertent sharing of private information. 
 Disciplinary actions will also be taken against the employees involved in the privacy breach.","California Attorney General","","2012","37.804364","-122.271114" "November 30, 2012","Inova Fairfax Hospital Cardiac Care Center, Inova Fair Oaks Hospital","Fairfax","Virginia","CARD","MED","0","Someone discovered card skimming devices at an ATM near a gift shop of the Inova Fairfax Hospital Cardiac Care Center and at an ATM next to the Inova Fair Oaks Hospital cafeteria.  One device was discovered by a hospital employee who attempted to use the ATM and witnessed the skimmer fall from the ATM.  A skimming device was previously discovered at the same Inova Fairfax Hospital Cardiac Care Center ATM in September.  It is unclear how long the devices were there and people who used them are urged to check their financial statements.","PHIPrivacy.net","","2012","38.846224","-77.306373" "November 30, 2012","Florida Hospital Tampa (formerly University Community Hospital Medical Center), Crothall Healthcare, Naval Medical Center (Bob Wilson Naval Hospital)","Tampa","Florida","INSD","MED","45","Three people were arrested for their roles in filing 225 fraudulent tax returns.  They face charges of conspiracy, theft of government property, and aggravated identity theft.  About $555,000 in refund money was obtained.  One of the defendants worked at Florida Hospital Tampa through a maintenance and housekeeping company.  Information came from a variety of medical centers in California and Florida.  There was an incident where the dishonest worker provided her co-conspirators with a list of names and Social Security numbers from patients seen at Florida Hospital Tampa on January 17 of 2012 and another incident where ER patient names, Social Security numbers, and other information was stolen from Crothall Healthcare in January.  ","PHIPrivacy.net","","2012","27.950575","-82.457178" "November 29, 2012","St. 
Catherine Medical Center","Ashland","Pennsylvania","PHYS","MED","0","Sensitive patient and employee records were left unsecured in the abandoned medical center.  A November 10 auction of office equipment and computers was held in the medical center, but one person reported seeing piles of sensitive documents and being able to access sensitive items like badges of former employees. The person provided pictures of personnel records and other items that should have been secured. A representative speaking on behalf of those responsible for safeguarding private information responded that the pictures were taken behind an area that had been secured with a rope. Additionally, the person claims that one of the computers that was purchased at the auction still contained sensitive information.","PHIPrivacy.net","","2012","40.781754","-76.345783" "November 29, 2012","Vidant Pungo Hospital","Belhaven","North Carolina","PHYS","MED","1,100","Patient information was exposed by the accidental disposal of paper jackets with old radiology films.  Patient information such as name, address, age, date of birth, race, sex, name of radiology procedure and radiology procedure date was exposed.  The paper jackets were sent to a local landfill.","PHIPrivacy.net","","2012","35.540165","-76.622987" "November 28, 2012","Westside Park Elementary School Based Health Center","Adelanto","California","PHYS","MED","1,370","A burglary sometime around October 1 may have resulted in the exposure of patient names, Social Security numbers, phone numbers, addresses, dates of birth, health conditions, medications, and other health information.  The information was in a locked room that was accessed, but it appears that none of the paper records were stolen.  Thieves took a television and other items. ","PHIPrivacy.net","","2012","34.582770","-117.409215" "October 19, 2012","Sierra Plastic Surgery","Reno","Nevada","HACK","MED","800","A computer system error caused sensitive information to be exposed.  
The breach occurred sometime between August 19, 2011 and September 20, 2011. UPDATE (11/28/2012): It appears that the breach was related to a terminated employee who could still access Sierra Plastic Surgery's network after leaving the company.  The former employee accessed Social Security numbers, personal contact information, payment information, and other sensitive information in less than 50 instances.  It also appears that some copies of patient surgery estimates were printed and subsequently surrendered by the former employee when the breach was discovered in August of 2012.  The former employee was seeking information on compensation owed.","HHS via PHIPrivacy.net","","2012","39.529633","-119.813803" "November 27, 2012","Soundental Associates P.C.","West Haven","Connecticut","PORT","MED","0","A bag of personal items and back-up media cartridges from Soundental was stolen from an employee's car on September 24.  The back-up cartridges had patient names, addresses, treatment records, and dates of birth.  Social Security numbers were also exposed in some cases.  The cartridges had been scrambled to prevent easy access.","PHIPrivacy.net","","2012","41.270653","-72.947047" "November 27, 2012","Long Chiropractic","Dayton","Ohio","PHYS","MED","0","A November 26 office burglary may have resulted in the theft of patient records.  A safe with computer disks and a laptop computer were stolen.  It is unclear if either contained sensitive patient information.  The burglars were in the office for 15 minutes and may have taken or viewed sensitive patient information in other areas.","PHIPrivacy.net","","2012","39.758948","-84.191607" "November 27, 2012","University of Arkansas for Medical Sciences (UAMS)","Little Rock","Arkansas","INSD","MED","1,500","A former resident doctor kept the personal information of about 1,500 patients as part of a lawsuit she filed against UAMS.  She also claimed to have kept the information for research purposes.  
UAMS became aware of the issue on October 9 when the former resident doctor used the documents as part of her lawsuit.  UAMS learned that she kept additional documents on November 7 and had provided them to UAMS attorneys on June 25. Some patients had their names, addresses, dates of birth, medical record numbers, and dates of service exposed.  Other patients had their ages, locations of care, dates of service, diagnoses, medications, surgical procedures, procedure names, and lab results exposed.","PHIPrivacy.net","","2012","34.746481","-92.289595" "November 10, 2012","Gulf Coast Health Care Services","Pensacola","Florida","INSD","MED","13,000","A network security incident resulted in the exposure of patient information.  The breach occurred on August 17. UPDATE (11/26/2012): An employee accessed and downloaded patient information without authorization or a legitimate purpose on five occasions between June 29 and September 20 of 2012.  Gulf Coast Health Care Services discovered the issue on September 26.  Patients who were seen between 1992 and September 20, 2012 may have had their names, addresses, dates of birth, and phone numbers accessed.  It appears that the employee was accessing the data for the purpose of helping outside practitioners recruit patients to their own practices.  The incident was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. This entry on the Privacy Rights Clearinghouse Chronology of Data Breaches was previously listed as a hack and was reclassified as an insider breach based on new information.","HHS via PHIPrivacy.net","","2012","30.421309","-87.216915" "November 24, 2012","CHRISTUS St. John Hospital","Houston","Texas","PORT","MED","0","An unencrypted flash drive was discovered lost or stolen on September 25.  It contained patient names, Social Security numbers, dates of birth, health insurance information, diagnoses, and progress notes.  
The information came from patients who participated in the St. John Sports Medicine Program and were treated between January 1, 2011 and July 31, 2012.","PHIPrivacy.net","","2012","29.760193","-95.369390" "December 1, 2012","University of Virginia Medical Center, Continuum Home Infusion","Charlottesville","Virginia","PORT","MED","1,846","A handheld electronic device used by Continuum pharmacists was discovered missing on October 5.  The device was not encrypted and contained patient names, addresses, diagnoses, medications, and health insurance identification numbers.  Some health insurance identification numbers were Social Security numbers or contained Social Security numbers.  Those affected were patients who received services from Continuum during the month of September 2012 and potential patients who were referred to Continuum between August 2007 and September 2012.  Notifications were sent on November 30.","PHIPrivacy.net","","2012","38.029306","-78.476678" "June 20, 2012","Gotickets, Inc.","Libertyville","Illinois","HACK","BSR","0","Customers who used a payment card on www.gotickets.com may have had their personal and financial information exposed. An investigation revealed that an unauthorized group accessed shipping, billing, and credit card data related to purchases made through the website between May 22 and May 30, 2012.  UPDATE (11/30/2012): At least 105 customers in Maryland may have been affected. It is unclear how many people nationwide are at risk.  It appears that GoTickets continued to experience online breaches in July.  GoTickets updated their online system to increase password security, reduce the number of administrative accounts used, and took additional precautions against future attacks.","California Attorney General","","2012","42.283079","-87.953130" "September 14, 2012","Wounded Warrior Project","Jacksonville","Florida","PORT","NGO","0","A July 25 office burglary resulted in the theft of at least 33 laptops and iPads. 
The personal information of an unspecified number of former employees may have been affected. UPDATE (11/28/2012): The laptops contained employee names, Social Security numbers, addresses, dates of birth, passport numbers, credit card information, bank account numbers, and possibly life insurance dependent information.  The IT department remotely locked access to the devices after discovering they had been stolen earlier in the same day.","Databreaches.net","","2012","30.332184","-81.655651" "November 27, 2012","Pinnacle Foods Group, LLC","Clinton","Wisconsin","PORT","BSR","1,818","A laptop taken from an employee's home on October 11 contained sensitive information.  It contained names, Social Security numbers, driver's license numbers, credit card numbers, and other personal information.","Databreaches.net","","2012","42.557793","-88.865107" "December 7, 2012","Pinkerton Government Services (PGS)","Washington","District Of Columbia","STAT","BSO","0","The November 15 office theft of several computers may have resulted in the exposure of current and former employee information.  PGS believes that the computers were stolen for their hardware and software value rather than the information they contained.  Some former and current PGS employees had their names, addresses, Social Security numbers, and possibly other types of information exposed.","California Attorney General","","2012","38.895112","-77.036366" "December 10, 2012","Accume Partners, WeiserMazars","Moorestown","New Jersey","PORT","BSF","0","The October 10 theft of a laptop resulted in the exposure of sensitive information.  A WeiserMazars employee had a laptop stolen that contained names, Social Security numbers, and in some cases, addresses, dates of birth, 401(k) information, and payroll information for Accume Partner 401(k) Plan participants.  WeiserMazars audits the statement of net assets available for Accume Partner's 401(k) plan.  
WeiserMazars notified Accume Partners on October 31 and Accume Partners sent notifications to those who may have been affected on November 16.","California Attorney General","","2012","39.968882","-74.948886" "December 10, 2012","ABQ Health Partners","Albuquerque","New Mexico","PORT","MED","0","A laptop computer was discovered lost or stolen.  It contained a spreadsheet of patient names, dates of birth, health plan ID numbers, and diagnosis information.","PHIPrivacy.net","","2012","35.084491","-106.651137" "December 5, 2012","California Department of Healthcare Services","Sacramento","California","DISC","MED","14,000","Names and Social Security numbers were discovered on the website of the Department of Health Care Services.  People who sent their information in order to become a provider of In-Home Supportive Services (IHSS) may have had their information exposed online between November 5, 2012 and November 20.  The issue was discovered on November 14 and was not fully addressed until November 20.  The list should have only contained provider names, addresses, and provider types. It also contained Social Security numbers that were listed in the column for Provider Billing Numbers.  The Social Security numbers were not easily recognizable in this format. UPDATE (12/11/2012): Nearly 14,000 people were affected.","California Attorney General","","2012","38.581572","-121.494400" "December 10, 2012","West Pittsburgh Partnership","Pittsburgh","Pennsylvania","PHYS","NGO","0","A concerned citizen investigated a pile of documents next to a dumpster.  The documents contained names and Social Security numbers.  A local news team responded to the story and contacted a representative from West Pittsburgh Partnership.  
West Pittsburgh Partnership began an investigation into how the job placement program documents dating back to 1992 were exposed.","Databreaches.net","","2012","40.440625","-79.995886" "December 12, 2012","Wilton Brands, LLC.","Woodridge","Illinois","HACK","BSR","0","Wilton learned that a malicious user was able to view user information between July 19 and October 2 of 2012.  The user had added a file to a computer server that hosts www.wilton.com and www.copco.com.  Names, addresses, telephone numbers, and payment card numbers, expiration dates, and security codes may have been accessed.  The discovery was made sometime around October 31 and notifications were sent on December 10. The malicious user was unable to access payment card information between October 2 and the discovery of the breach on October 31 because Wilton changed its payment processing system on October 2.  Wilton took additional security measures after learning of the breach on or around October 31.","California Attorney General","","2012","41.746975","-88.050341" "December 12, 2012","Mt. Diablo Unified School District","Concord","California","STAT","EDU","0","A December 1 office burglary resulted in the theft of an unencrypted computer.  The computer contained files that included current and former Mt. Diablo Unified School District employee names, Social Security numbers, dates of birth, and addresses.  People who were employees between 1998 and 2010 may have been affected.","California Attorney General","","2012","37.977978","-122.031073" "December 17, 2012","Library Systems and Services, LLC","Germantown","Maryland","PORT","BSO","0","A laptop was discovered lost or stolen on November 5, 2012.  The possible theft is presumed to have taken place sometime around October 31, 2012.  
The laptop may have contained employee names, Social Security numbers, addresses, and dates of birth.","California Attorney General","","2012","39.173162","-77.271650" "April 14, 2012","Head Injury Association","Long Island","New York","INSD","MED","56","A former manager was indicted for stealing the identities of patients.  He faces a 48-count indictment alleging grand larceny in the third degree, identity theft in the second degree, offering a false instrument for filing in the first degree, and possession of a forged instrument in the second degree.  He allegedly used the names and Social Security numbers of patients to e-file fraudulent tax returns and obtain over $200,000 in federal, New York, and New Jersey tax refunds. The scam occurred in 2006 and 2007. It was not discovered until recently since those who were affected were unable to work with investigators.  The manager was convicted for similar crimes in the past.  He used the information of a deceased and developmentally disabled individual from a Nassau County group home to obtain a fraudulent debit card and was also arrested for credit card fraud near Atlanta, Georgia. UPDATE (12/19/2012): The former manager pleaded guilty to 20 counts of second-degree identity theft and offering a false instrument for filing, as well as six counts of criminal possession of a forged instrument and additional charges. He will pay $20,000 in restitution.  His sentencing is expected to be on January 25, 2013 and he faces up to four years in prison.","","","2012","40.789142","-73.134961" "December 19, 2012","New Jersey Department of Health","Trenton","New Jersey","DISC","GOV","480","Over 480 registered medical marijuana patients received an email from the New Jersey Department of Health.  The email instructed them not to call New Jersey or the dispensary in Montclair to make an appointment.  
The email did not hide the email addresses of the recipients.","PHIPrivacy.net","","2012","40.217053","-74.742938" "December 18, 2012","A Caring Hand Home Health Care Services, Inc.","Suffolk","Virginia","INSD","MED","30","A staffing manager collaborated with the owner of A Caring Hand Home Health Care Services, Inc. (A Caring Hand) to hide Medicaid fraud.  Between January of 2008 and October of 2011 the owner of A Caring Hand submitted about 900 fraudulent Medicaid claims for payment for services provided to 30 Medicaid recipients.  The Medicaid recipients never received those services and around $630,000 was fraudulently obtained by the owner of A Caring Hand.  The staffing manager and other staff members falsified office records at A Caring Hand to cover up the fraud between September 2010 and October 6 of 2011.  The staffing manager was sentenced and the owner of A Caring Hand will be sentenced in January of 2013.","PHIPrivacy.net","","2012","36.728205","-76.583562" "December 11, 2012","Pepperdine University","Malibu","California","PORT","EDU","8,300","A University laptop was stolen from an employee's locked car.  Pepperdine learned of the theft on November 12, 2012.  The laptop may have contained names, Social Security numbers, addresses, and/or dates of birth. UPDATE (12/11/2012): As many as 8,300 people may have been affected.  The laptop had been used for work related to the IRS and contained data from as far back as 2008.  About 75 percent of the people affected were students.","California Attorney General","","2012","34.005008","-118.810089" "December 18, 2012","Western University of Health Sciences","Pomona","California","DISC","EDU","0","Western University of Health Sciences' BanWeb Self-Service Federal Work Study reports were accessible to people who used BanWeb with a Western University of Health Sciences user ID and password.  The reports contained names, Social Security numbers, and direct deposit bank account information in some cases. 
The information was available for an unspecified amount of time. Western University of Health Sciences conducted an investigation and reported that there was no reason to believe sensitive information was accessed by unauthorized BanWeb users.  Western University of Health Sciences disabled access to the reports after learning about the breach on November 14. Notifications were sent on December 18.","California Attorney General","","2012","34.055227","-117.752305" "December 20, 2012","Jetro, Restaurant Depot","College Point","New York","CARD","BSR","0","Customers who used payment cards in several store locations discovered fraudulent charges on their debit and credit cards.  It is unclear if a breach affected the physical machines in the stores or if the payment processing system was hacked.  The company discovered the issue on December 4 and an investigation revealed that the intrusions began on November 7, 2012.  Anyone who used their payment card in a store between November 7 and December 5 of 2012 should closely review their financial statements.  Customers are also warned to be suspicious of phishing emails or phone calls.  Customers should not give their information out over the phone or respond to emails asking for sensitive information.","California Attorney General","","2012","40.786395","-73.838966" "December 22, 2012","Coastal Behavioral Healthcare, Inc.","Sarasota","Florida","PHYS","MED","4,907","Numerous documents containing patient information were found in a vehicle during a traffic stop.  A law enforcement officer notified Coastal Behavioral Healthcare of the potential breach on October 10, 2012.  The documents contained a list of 136 Coastal Behavioral Healthcare patient names and identifying information dated April 2011.  
It is unclear how the information was breached and how many additional patients may have been affected.","HHS via PHIPrivacy.net","","2012","27.336435","-82.530653" "December 22, 2012","Robbins Eye Center","Bridgeport","Connecticut","UNKN","MED","1,749","The data of 1,749 patients was stolen during an October 7 incident.  ","HHS via PHIPrivacy.net","","2012","41.186548","-73.195177" "December 22, 2012","Vidant Pungo Hospital","Belhaven","North Carolina","PHYS","MED","1,100","Paper jackets that held radiology films were thrown away with office trash instead of being properly discarded.  The paper jackets contained names, addresses, dates of birth, ages, sex, race, and information on dates and names of radiology procedures prior to May of 2012.  The paper jackets are believed to have been picked up by a sanitation company and discarded in a landfill.","HHS via PHIPrivacy.net","","2012","35.540165","-76.622987" "December 22, 2012","Office of Dr. James M. McGee","Stone Mountain","Georgia","PHYS","MED","1,306","The September 19 theft of paper records may have resulted in the exposure of dental patient information.  ","HHS via PHIPrivacy.net","","2012","33.808161","-84.170196" "December 21, 2012","The Children's Center","Ammon","Idaho","PHYS","MED","0","An employee of Grand Teton Storage removed documents from The Children's Center's storage facility after they failed to pay storage bills.  A concerned citizen found seven boxes of the old medical records and other personal information next to a dumpster.  The information was seven to eight years old and included names, Social Security numbers, addresses, dates of birth, and payroll information.  A Grand Teton Storage employee acknowledged that a mistake had been made and the employee who improperly disposed of the records will face disciplinary action.  
Idaho Department of Health and Welfare eventually recovered and secured the records.","PHIPrivacy.net","","2012","43.469637","-111.966636" "December 13, 2012","Yolo Federal Credit Union","Woodland","California","CARD","BSF","0","A skimming device on an ATM resulted in fraudulent transactions on over 800 accounts.  The fraudulent transactions appear to date from October 27, 2012 to November 7, 2012. It is not clear how many skimming devices were involved and where they were located.","California Attorney General","","2012","38.678516","-121.773297" "December 17, 2012","World Travel Holdings (WTH)","Wilmington","Massachusetts","HACK","BSO","0","An unauthorized party accessed WTH's booking system by misusing the log-in credentials of an authorized user.  Encrypted credit card numbers and expiration dates that were stored and could be decrypted in the system were exposed.","California Attorney General","","2012","42.548171","-71.172447" "December 17, 2012","EZ Step","San Jose","California","INSD","MED","0","The owner of EZ Step and an employee were both charged with conspiracy to commit health care fraud.  They were also charged on multiple counts of health care fraud.  The charges come from allegations that the two people sought reimbursement by forging physician signatures, fabricating prescriptions and equipment orders, forging patient signatures on delivery forms to misrepresent prescription medication and durable equipment deliveries, and altering valid prescriptions between 2005 and 2007.  Arrests were first made in July of 2011.","PHIPrivacy.net","","2012","37.339386","-121.894956" "December 21, 2012","Skagit Valley Casino Resort, Bally Technologies Inc.","Las Vegas","Nevada","PORT","BSR","0","An electronic device was stolen from the home office of an employee of Bally Technologies.  The electronic equipment contained names, Social Security numbers, driver's license numbers, and bank account information.  
The equipment may have been stolen for its resale value rather than the value of the information.","California Attorney General","","2012","36.114646","-115.172816" "December 24, 2012","State of California Department of Health Care Services (DHCS)","Sacramento","California","DISC","MED","0","Beneficiary Identification Cards (BICs) were mailed to the wrong recipients between December 10 and December 18.  A computer programming error caused the BICs of children being moved from Healthy Families program enrollment to Medi-Cal enrollment to be sent to households of other Medi-Cal and Healthy Families participants.  Names, Client Index Numbers, dates of birth, genders, and card issue dates were exposed.  People who received incorrect cards were instructed to return them.  Stamped envelopes that were addressed to DHCS were sent out with breach notifications. ","California Attorney General","","2012","38.581572","-121.494400" "March 11, 2011","Walgreens Co.","Deerfield","Illinois","INSD","BSR","0","According to a complaint filed against Walgreens, Walgreens sold confidential information of customers to data mining companies who resold it to pharmaceutical companies.  Walgreens is accused of receiving payment for prescription information that only patients had the right to sell. Walgreens sells patient data that includes sex, age group, state, ID number of the providing doctor and the name of the drug that is taken.","PHIPrivacy.net","","2011","42.171137","-87.844512" "December 13, 2012","Walgreens","San Diego","California","PHYS","BSR","0","Walgreens was ordered to pay $16.57 million as a part of a settlement of a civil environmental prosecution.  Walgreens was accused of illegally dumping hazardous waste as well as confidential customer medical information.  It is unclear what type of customer medical information was mishandled. UPDATE (12/13/2012): The civil enforcement lawsuit was first filed in Alameda County in June of 2012.  
It was the result of investigations that took place in San Diego County in the summer and fall of 2011. Investigators discovered that ""Walgreens routinely and systematically sent hazardous waste to local landfills and failed to take measures to protect"" customer medical privacy.","PHIPrivacy.net","","2012","32.715329","-117.157255" "December 28, 2012","East San Gabriel Valley Regional Occupational Program and Technical Center","West Covina","California","DISC","GOV","0","A sensitive document was accidentally attached to an email that was sent to students.  The attachment contained names, Social Security numbers, dates of birth, student attendance information, and information regarding their program.  The email was intended to inform students about open positions.","California Attorney General","","2012","34.068621","-117.938953" "December 31, 2012","Sunview Vineyards Of California, Inc.","Delano","California","PORT","BSR","0","An office theft of an unencrypted laptop on or around December 15 resulted in the exposure of confidential personal information.  The laptop contained an Excel spreadsheet with workers' compensation information such as names, Social Security numbers, telephone numbers, and other workers' compensation claim or injury information.","California Attorney General","","2012","35.768843","-119.247054" "January 2, 2013","Rosenthal Collins Group","Chicago","Illinois","HACK","BSF","0","An unauthorized intrusion was detected on the morning of Tuesday November 27.  The unauthorized access began on November 26 and access to the breached web application was immediately shut down upon discovery.  
Customers who completed Rosenthal Collins Group account forms online may have had their names, Social Security numbers, addresses, dates of birth, range of net worth and income, bank names, passwords for accessing the web application, and email addresses exposed.","California Attorney General","","2013","41.878114","-87.629798" "January 3, 2013","King Drug & Home Care","Owensboro","Kentucky","PORT","MED","13,619","An employee reported that a portable hard drive was missing on November 23, 2010.  The device had last been seen sometime around November 19.  The data on the device included information from before July 31, 2009.  Client names, Social Security numbers, medical record numbers, account numbers, dates of service, race, insurance carriers and insurance numbers, addresses, phone numbers, sex, dates of birth, diagnosis information, allergies, initial referral forms, patient assessments/plans of care, physician orders and/or delivery ticket information may have been on the hard drive.","PHIPrivacy.net","","2013","37.771907","-87.111168" "January 3, 2013","Mission Hospital, St. Joseph Health","Mission Laguna Beach","California","PORT","MED","0","Someone called Mission Hospital on August 28, 2012 and claimed that he found a flash drive with sensitive patient information in his garage.  The flash drive was returned to Mission Hospital via mailed envelope on September 11, 2012.  Patients who received services at Mission Hospital between September and November of 2008 may have had their information exposed. The notice that was sent to patients was dated September 14, 2012.  It appears that a contractor or employee misplaced the unencrypted flash drive. The flash drive contained names, medical record numbers, and account numbers. 
Additionally, the flash drive may have contained some combination of date of admission, age, birth date, vital readings, physical examination, gender, race, name of physician, medical history, past and current treatment and illnesses, history of substance use, family history, lab tests and results, imaging tests and results, body weight, physician notes on patient, care plan, employment status and employer, prognosis, diagnosis, treatment recommendations, allergies, medications, comments about patient's appearance, patient health complaint, symptoms, reason for referral, and reason for admission information.","PHIPrivacy.net","","2013","33.500432","-117.740636" "January 4, 2013","Reyes Beverage Group","Rosemont","Illinois","DISC","BSR","0","A report containing the names and Social Security numbers of a group of Reyes Beverage Group's California employees was accidentally sent to the personal email address of an employee of Reinhart Foodservice.  Reinhart Foodservice is a Reyes Holdings company as well.  It is unclear how the email was accidentally sent and why it ended up in the personal email of an employee at a different division.","California Attorney General","","2013","41.989100","-87.871474" "January 4, 2013","Healing Hearts","Jacksonville","North Carolina","INSD","MED","0","The owner of a group of childcare services pleaded guilty to defrauding Medicaid of $8 million.  She and a co-defendant targeted Medicaid recipients in order to enroll them in a program and make fraudulent Medicaid claims for mental and behavioral health services.  Additionally, the owner pleaded guilty to misusing at least one therapist's credentials in order to make the claims for mental and behavioral health services.  
The scheme took place between 2008 and 2012.","California Attorney General","","2013","34.754052","-77.430241" "December 28, 2012","Gibson General Hospital","Princeton","Indiana","PORT","MED","29,000","The November 27 theft of a laptop may have resulted in the exposure of patient information.  Names, Social Security numbers, addresses, and clinical information may have been exposed.  Patients who have received services since 2007 may have been affected.","PHIPrivacy.net","","2012","38.355324","-87.567522" "December 22, 2012","Brigham and Women's Hospital","Boston","Massachusetts","STAT","MED","615","The October 16 theft of a desktop computer may have resulted in the exposure of patient information. UPDATE (12/28/2012): The computer was stolen from the Brigham and Women's Hospital office.  Medical record numbers, age, medications, laboratory values and other clinical information may have been on the computer.  Up to 615 people may have been affected by the theft.","HHS via PHIPrivacy.net","","2012","42.358431","-71.059773" "December 26, 2012","Integris Health","Oklahoma City","Oklahoma","HACK","MED","0","A team of cyber security consultants discovered vulnerabilities in the Omnicell web system.  Unauthorized users could gain control of certain hospital operations run by Integris Health.  The issue was immediately addressed by Omnicell.","PHIPrivacy.net","","2012","35.467560","-97.516428" "December 4, 2012","CVS Caremark","Woonsocket","Rhode Island","PHYS","MED","955","The theft of paper records may have resulted in the exposure of patient information.  The theft may have occurred on August 13, 2012 and was reported or discovered on November 16, 2012.","HHS via PHIPrivacy.net","","2012","42.002876","-71.514784" "December 4, 2012","First Step Counseling, Inc.","Metuchen","New Jersey","PHYS","MED","638","An unauthorized disclosure of paper records may have exposed patient information.  The breach may have taken place between May 1, 2011 and August 5, 2011.  
It was discovered or reported on November 16 of 2012.","HHS via PHIPrivacy.net","","2012","40.543160","-74.363205" "November 16, 2012","Landmark Medical Center","Woonsocket","Rhode Island","PORT","MED","683","The office theft of a laptop resulted in the exposure of patient information.  A spreadsheet with sensitive information that could be easily accessed was on the stolen laptop. It is unclear what type of information was exposed, but Social Security numbers, addresses, and medical information were not involved. UPDATE (12/21/2012): A Health and Human Services (HHS) notice reveals that the theft occurred on October 1.  A total of 683 patients were affected by the breach.","PHIPrivacy.net","","2012","42.002876","-71.514784" "December 22, 2012","Omnicell, University of Michigan Health System","Ann Arbor","Michigan","PORT","MED","3,997","An electronic device was stolen from an Omnicell employee's car on November 14.  The device was not encrypted and contained the medication, demographic, and health information of 4,000 patients from three hospitals in the University of Michigan Health System.  UPDATE (1/2/2013): A total of 3,997 people who were treated between October 24 and November 13 at three hospitals in the University of Michigan Health System were affected.  However, patients of at least 10 Sentara Healthcare and South Jersey Healthcare medical facilities were also affected. A total of 56,000 Sentara Healthcare patients from Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara Belle Harbour, Sentara Independence, and Sentara Port Warwick who were treated between October 18, 2012 and November 9, 2012 were affected.  
A total of 8,555 patients from South Jersey Healthcare who were either treated or scheduled for admission between June 1, 2012 and November 12, 2012 were affected.","PHIPrivacy.net","","2012","42.280826","-83.743038" "November 27, 2012","Sourcefire","Columbia","Maryland","PORT","BSO","500","The November 6 theft of an unencrypted laptop may have resulted in the exposure of employee Social security numbers.  It is unclear if other types of information were also exposed.  A total of 500 employees may have been affected.  ","Media","","2012","39.203714","-76.861046" "October 29, 2012","Kaiser Permanente","Oakland","California","DISC","MED","0","A Kaiser Permanente Northern California Region Recruitment employee mistakenly sent an email to unauthorized parties on August 24.  Former Northern California Kaiser employees who left Kaiser between 1990 and 2006 may have had their names and Social Security numbers exposed. Kaiser IT Security conducted a detailed analysis to confirm that the recipient did not forward or print the email. The analysis also revealed that the email had been deleted and could no longer be accessed.","California Attorney General","","2012","37.804364","-122.271114" "January 10, 2013","City of Macon Georgia","Macon","Georgia","STAT","GOV","0","A computer repair shop bought used computers on govdeals.com in 2011.  The computers were found to have information from city employees when they were removed from storage on January 5.  Social Security numbers, pension information, and other personal information from Macon police officers were on the computers.  Information from local businesses that was used for city purposes was also on the computers.  
A total of 39 hard drives, two servers, and two CPUs were purchased and may have contained sensitive information.","Databreaches.net","","2013","32.840695","-83.632402" "January 10, 2013","KTSU Texas Southern University","Houston","Texas","INSD","EDU","0","Texas Southern University's radio station KTSU gave a volunteer position to a person with a criminal history of credit card fraud.  The volunteer was later arrested for allegedly using the radio station's donation drive to steal credit card information.  The dishonest volunteer faces up to 300 counts of credit card fraud for attempting to misuse the information on donor pledge sheets.","Databreaches.net","","2013","29.760193","-95.369390" "January 8, 2013","Morgan Road Middle School","Hephzibah","Georgia","PORT","EDU","0","An unencrypted flash drive was stolen from a teacher's car.  It contained student Social Security numbers and other information.  ","Databreaches.net","","2013","33.314031","-82.096786" "January 8, 2013","Charlotte-Mecklenburg Schools","Charlotte","North Carolina","PHYS","EDU","80","An employee working in human resources was robbed while transporting information between school districts.  The employee stopped for lunch and discovered that personnel files containing names, Social Security numbers, addresses, dates of birth, and driver's license numbers had been stolen from their car.","Databreaches.net","","2013","35.227087","-80.843127" "January 6, 2013","Oldcastle APG, Inc.","Atlanta","Georgia","PORT","BSR","5,083","A laptop was stolen from an employee's car on or around December 10.  APG employees may have had their names, Social Security numbers, bank account information, and other information exposed.  ","Databreaches.net","","2013","33.748995","-84.387982" "December 21, 2012","Fairfax High School","Fairfax","Virginia","HACK","EDU","0","Fairfax County Public Schools discovered that student names, ID numbers, grades, and other information were posted online.  
Students enrolled in 9th, 10th, and 11th grade were affected.  The information may have only been available for a day before Fairfax County Public Schools began the process of removing it from online.  ","Databreaches.net","","2012","38.846224","-77.306373" "September 24, 2011","Electronic Data Systems, Hewlett-Packard Enterprise Services, Alabama Department of Corrections","Montgomery","Alabama","INSD","BSF","250","A dishonest employee accessed the Electronic Data System's database of names and Social Security numbers of student loan borrowers.  The former employee then used the information to file false tax returns in 2009.  Sentencing is scheduled for December 19, 2011 and involves a minimum of two years in prison, a maximum of 354 years in prison, and a maximum fine of $6,250,000.UPDATE (12/22/2011): The dishonest employee was sentenced to 94 months in federal prison for stealing the identities of student loan borrowers, and for giving them to a co-conspirator who used them to file false tax returns. Tens of thousands of names and Social Security numbers were stored at the employee's home.UPDATE (12/17/2012): A second person was sentenced to federal prison for participating in the identity theft scheme.  She worked in the central records office for the Alabama Department of Corrections and was able to provide other conspirators with sensitive information from state databases. She was sentenced to 50 months in prison for conspiracy, wire fraud, and aggravated identity theft. Restitution in the amount of $113,000 was also required.","Databreaches.net","","2011","32.366805","-86.299969" "December 7, 2012","Rock Bottom Auto Sales","Hudson","Florida","PHYS","BSR","0","At least eight garbage bags that were left unattended on a dirt road contained sensitive documents.  A woman found the bags and reported the issue to a local news team.  The paperwork included credit applications with names, driver's license information, and Social Security numbers.  
","Databreaches.net","","2012","28.364449","-82.693434" "November 27, 2012","Pulaski Bank","Overland Park","Kansas","PHYS","BSF","0","An employee left sensitive loan application documents in a vehicle while at the gym.  The documents were stolen and included loan applicant tax returns. The breach occurred in September.","Databreaches.net","","2012","38.982228","-94.670792" "November 21, 2012","Oak River Insurance Institute","San Francisco","California","INSD","BSF","2,700","An employee disclosed personal information about workers compensation claimants between October 2011 and March 2012.  Workers compensation claimants who received spinal surgery in Southern California between 2004 and 2011 or had urinalysis testing, diagnostics or medical services performed in California between 2006 and 2011 may have had their information exposed.It does not appear that Social Security numbers or other identifying information exposed were used to compromise the security, confidentiality, or integrity of the personal information. UPDATE (11/23/2012): About 2,700 workers' compensation claimants were affected.","California Attorney General","","2012","37.774930","-122.419416" "November 16, 2012","Nationwide Mutual Insurance Company and Allied Insurance","Columbus","Ohio","HACK","BSF","1,000,000","A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3.  The attack was discovered on the same day and contained.  On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen.  Affected parties were identified on November 2 and notifications were sent on November 16.UPDATE (11/20/2012): At least 28,000 people in Georgia were affected.  
The total number of affected people is not known. UPDATE (12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188.  Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.","California Attorney General","","2012","39.961176","-82.998794" "November 22, 2012","Scripps College","Anaheim","California","PHYS","EDU","940","Sensitive records were stolen from a tote bag in a staff member's vehicle on the night of November 18.  The records included names, dates of birth, cell phone numbers, email addresses, and emergency contact information.","Databreaches.net","","2012","33.835293","-117.914504" "October 19, 2012","The College of St. Scholastica ","Duluth","Minnesota","HACK","EDU","28","Hackers were able to guess the answers to student account challenge questions.  The email account passwords of at least 28 students were reset and their account information was most likely accessed. The hackers may have been based in Beijing and most likely gathered the information needed to pass the challenge questions from information on the students' Facebook pages.","Databreaches.net","","2012","46.786672","-92.100485" "October 15, 2012","District 202, Plainfield School District","Plainfield","Illinois","HACK","EDU","23,000","People who applied online at www.applitrack.com for a job in District 202 may have had their information accessed by a hacker.  The hacker sent messages to former and current job applicants and informed them that the Plainfield School District 202 website was breached. 
UPDATE (10/19/2012): A 14-year-old Joliet West High School student was removed from class and taken to a juvenile detention center for his alleged involvement in the breach.","Databreaches.net","","2012","41.615915","-88.204069" "October 8, 2012","Ohio State University, Harvard University, Stanford University, Cornell University, Princeton University, Johns Hopkins University, University of Michigan, University of Wisconsin, University of Houston, New York University, University of Maryland","","","HACK","EDU","0","A hacking group called Team GhostShell targeted universities around the world.  A total of 53 universities were affected.  Most of the data exposed was publicly available, but student, staff, and faculty usernames and passwords were also exposed. It is unclear if any financial information or Social Security numbers were taken from universities.","Databreaches.net","","2012","37.090240","-95.712891" "September 24, 2012","City of Tulsa, Oklahoma","Tulsa","Oklahoma","HACK","GOV","0","A hacker or hackers managed to infiltrate and bring down the City of Tulsa's website.  It is unclear if any information was accessed, but notifications were sent to people who applied online for jobs or submitted online police reports.  Names, Social Security numbers, addresses, and driver's license numbers may have been exposed. UPDATE (10/01/2012): A member or members of the IT department used a third-party firm to test the City's computer system.  There was no unauthorized access.","Media","","2012","36.153982","-95.992775" "December 28, 2012","Carewise Health, Hewlett-Packard Enterprise Services","Louisville","Kentucky","HACK","MED","1,090","An employee responded to a telephone computer phishing scam.  The person was employed by a subcontractor of Hewlett-Packard Enterprise Services (HP ES) named Carewise Health.  Unauthorized users were able to remotely access a database of Medicaid client information as a result of the phishing attempt.  
Eventually HP ES and Carewise Health were able to disable the laptop and notify the Cabinet for Health and Family Services of the breach.UPDATE (01/02/2013): The employee revealed information to the hacker in mid-November.","PHIPrivacy.net","","2012","38.252665","-85.758456" "January 2, 2013","Hospice of North Idaho (HONI)","Hayden","Idaho","PORT","MED","441","The June 2010 theft of an unencrypted laptop from an employee's car resulted in the exposure of patient information.  The HHS Office for Civil Rights investigated the breach and found that HONI had not conducted a risk analysis to safeguard electronic protected health information.  It was also discovered that HONI did not meet a HIPAA Security Rule that required them to have policies or procedures in place to address mobile device security.  HONI agreed to pay the U.S. Department of Health and Human Services' (HHS) $50,000 regarding potential Health Insurance Portability and Accountability Act of 1996 Security Rule violations.  HONI also began taking extensive steps to improve their HIPAA Privacy and Security compliance program since the June 2010 breach.","PHIPrivacy.net","","2013","47.766016","-116.786582" "January 7, 2013","Centric Group, LLC","St. Louis","Missouri","UNKN","BSR","0","Anyone who purchased items on www.accesscatalog.com using a credit card may have been affected by a breach that began in August 2010.  An unauthorized party may have obtained names, credit or debit card numbers, expiration dates, and payment card verification codes.  Centric Group learned of the incident on or around December 13, 2012.","California Attorney General","","2013","38.627003","-90.199404" "January 7, 2013","Office of Dr. Calvin L. Schuster","Reedley","California","STAT","MED","532","A computer was stolen during an office burglary that occurred sometime around November 5, 2012.  
The computer contained patient names, dates of birth, and a minimal amount of patient medical information.","California Attorney General","","2013","36.596340","-119.450403" "January 11, 2013","EJ Phair Brewing Company and Alehouse","Concord","California","HACK","BSR","0","Customers who used credit or debit cards at EJ Phair discovered fraudulent charges on their payment cards.  A hacker or hackers managed to access and misuse payment card numbers once they ran through EJ Phair's system.  It appears that customers who used cards at the location between September and late November of 2012 may have been affected.","California Attorney General","","2013","37.977978","-122.031073" "June 29, 2012","University of Southern California (USC)","Los Angeles","California","HACK","EDU","0","A breach in a third-party software system used to process credit card transactions in some USC dining halls, including Ronald Tutor Campus Center, Seeds, the Lab on Figueroa St., and Starbucks on the Health Sciences Campus resulted in the exposure of credit card numbers.  The breach of USC Hospitality most likely occurred from May 21 to June 21, but may have occurred earlier.  Names and contact information were not associated with the credit card numbers.","California Attorney General","","2012","34.052234","-118.243685" "August 14, 2012","Creative Croissants","San Jose","California","UNKN","BSR","0","A breach at Creative Croissants resulted in the exposure of customer credit card information.  It is unclear how the breach occurred and the date of the breach was March 2, 2012.","California Attorney General","","2012","37.339386","-121.894956" "January 10, 2013","Office of Dr. Sandra Bujanda-Wagner","Aurora","Colorado","PHYS","MED","0","Employees accidentally threw out hundreds of patient records.  The dental records were found by someone looking through a dumpster and the incident was reported to a local news team.  Names, Social Security numbers, dates of birth and addresses were exposed. 
Employees from Bujanda-Wagner's office came to recover the documents.","PHIPrivacy.net","","2013","39.729432","-104.831920" "August 3, 2012","Palm Beach County Health Department","Palm Beach","Florida","INSD","MED","86","An employee was fired in May for creating and attempting to mail a list of names and Social Security numbers for purposes of identity fraud.  It is unclear if the dishonest employee disclosed the information of other people before being caught. Some patients had already experienced fraudulent activity. People who may have been a patient in one of the Health Department Health Centers could have been affected.  UPDATE (01/09/2013): The employee worked as a records clerk and was arrested on January 5, 2013.  She had worked for Palm Beach County Health Department since 2006 and was charged with several counts of fraud.","PHIPrivacy.net","","2012","26.705621","-80.036430" "August 13, 2010","Holyoke Medical Center, Caritas Carney Hospital, Milton Hospital, Milford Hospital","Georgetown","Massachusetts","PHYS","MED","45,600","A large pile of medical records was found at Georgetown Transfer Station public dump. The reports contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company known as Goldthwait Associates is believed to be responsible. The medical records are mostly from pathology patients served at the hospitals between 2007 and March of 2010.UPDATE (9/2/10): Holyoke reported that 24,750 patients were affected.  The exact number of patients affected from other medical centers is still unknown. Between 8,000 and 12,000 patients of Milton Hospital were affected.UPDATE (10/11/10): Milton Pathology Associates, P.C. reported that a prior owner of Goldthwait Associates improperly disposed of patient information. Eleven thousand patients were affected.  
Milford Regional Medical Center reports that the incident affected 19,750 patients. UPDATE (01/07/2013): People associated with Goldthwait Associates, Chestnust Pathology Services, Milford Pathology Associates, Milton Pathology Associates, and Pioneer Valley Pathology Associates agreed to collectively pay $140,000 to settle allegations related to the breach.","PHIPrivacy.net","","2010","42.725000","-70.991667" "January 7, 2013","Woodwinds Hospital","Woodbury","Minnesota","INSD","MED","0","An employee kept 200 pages of confidential information in an effort to prove that Woodwinds Hospital was trying to conceal evidence of medical misconduct.  The employee was discharged in 2010 for reasons unrelated to removing the information.  She claims to have taken them home after being ordered to destroy any information related to incidents that could damage Woodwinds Hospital's reputation.","PHIPrivacy.net","","2013","44.923855","-92.959380" "December 21, 2012","Workers United","New York","New York","PORT","BSO","0","The theft of a hard drive from the office of an unnamed independent contractor resulted in the exposure of sensitive information.  The theft occurred on either October 13 or 14 of 2012 and Workers United learned of the issue on October 25.  A database with former Workers United member names and Social Security numbers was on the hard drive.","Databreaches.net","","2012","40.714353","-74.005973" "December 29, 2012","US Army Fort Monmouth","Oceanport","New Jersey","HACK","GOV","36,000","Hackers were able to access database information from Command, Control, Communications, Intelligence, Surveillance and Reconnaissance as well as nongovernmental personnel and people who visited Fort Monmouth.  The breach was discovered and addressed on December 6.  Names, Social Security numbers, dates of birth, places of birth, home addresses, and salaries were exposed.","Media","","2012","40.318166","-74.015138" "January 17, 2013","St. 
Mark's Medical Center","La Grange","Texas","HACK","MED","2,988","An employee's computer was found to contain malware.  The malware infection began on May 21, 2012 and was discovered on November 15, 2012.  Files stored on the computer contained billing information with patient names, Social Security numbers, account numbers, medical record numbers, dates of birth, gender, treatment dates, insurance provider names, and account balances.","PHIPrivacy.net","","2013","29.905503","-96.876647" "January 22, 2013","NECA/IBEW Family Medical Care Plan","Rockville","Maryland","DISC","MED","0","NECA/IBEW Family Medical Care Plan (FMCP) participants received disclosure documents related to benefits coverage and modifications.  The outside of the envelopes in which the documents arrived displayed participant Social Security numbers.","California Attorney General","","2013","39.083997","-77.152758" "January 26, 2013","Wilton Brands LLC, www.wilton.com","Woodridge","Illinois","HACK","BSR","0","Customers who made purchases on www.wilton.com between October 8, 2012 and January 8, 2013 may have had their credit or debit card information exposed.  A Wilton service provider discovered the issue on or around January 8, 2013.  A malicious user accessed the website information and payment card numbers, expiration dates, and security codes may have been exposed.  Customer names, addresses, and telephone numbers are also at risk. This incident is in addition to the hacking incident that took place between July and October of 2012.  That incident was reported on December 12, 2012.","California Attorney General","","2013","41.746975","-88.050341" "January 24, 2013","Brentwood Primary Care Clinic","Jacksonville","Florida","INSD","MED","261","A dishonest intern was caught using a cell phone to illegally photograph patient Social Security numbers and names.  The photos were then sent to another person; presumably for fraudulent activity.  
The office intern was charged with fraudulent use of personal identification information. It is unclear when the breach was discovered since the photos were taken between May 7 and June 19.","PHIPrivacy.net","","2013","30.332184","-81.655651" "December 1, 2012","Jackson North Medical Center, Jackson Health System","Miami","Florida","INSD","MED","566","A dishonest volunteer was caught passing patient information to people who used it to file fraudulent tax returns.  The volunteer used his smart phone to capture patient records while working in an emergency room.  Around 1,200 photos of 566 patient records were found on his phone. The breach was discovered when three men were caught using free wi-fi at McDonald's to file fraudulent tax returns in March. UPDATE (01/11/2013): Jackson Health banned volunteers from using cell phones in patient areas in order to prevent similar events from occurring.","PHIPrivacy.net","","2012","25.788969","-80.226439" "February 8, 2012","West Virginia Chiefs of Police Association, Alabama Department of Public Safety, Texas Department of Public Safety, City of Mobile Police Department, Texas Police Chiefs Association, Texas Police Association","","West Virginia","HACK","BSR","46,943","A hacker obtained and revealed 156 home addresses, phone numbers, cell phone numbers, email addresses, and usernames of police officers associated with the West Virginia Chiefs of Police Association. Retired police chiefs, and every current police chief in West Virginia had their information exposed. The hacker was associated with Anonymous. UPDATE (08/24/2012): A hacker associated with the attack on West Virginia Chiefs of Police Association and several other law enforcement associations was caught and sentenced to 27 months in federal prison.  He was also ordered to pay $14,062.17 in restitution.  Alabama Department of Public Safety spreadsheets with information on sex crimes and a database listing descriptions of offenders' cars were posted online. 
Over 46,000 citizens in the state of Alabama may have had their names, Social Security numbers, license plate numbers, dates of birth, phone numbers, addresses, and criminal records accessed by hackers who attacked the City of Mobile Police Department. A total of 787 police officer names, usernames, plain text passwords, addresses, and other agency information from The Texas Police Association was posted online.  The Wisconsin Chiefs of Police Association, the Texas Department of Public Safety, the Dallas Police Department, and the Texas Police Chiefs Association also experienced hack attacks.","Databreaches.net","","2012","38.597626","-80.454903" "January 24, 2013","Eastern Illinois University","Charleston","Illinois","DISC","EDU","430","At least 65 students received information about the grade point average of 430 students during early January 2013.  The breach occurred when a spreadsheet that contained the information and the E-number of 430 students was accidentally made available online.  ","Databreaches.net","","2013","39.496146","-88.176152" "January 12, 2013","Zaxby's","Athens","Georgia","HACK","BSR","0","Over 108 Zaxby's restaurants experienced a breach related to customer credit and debit cards.  A number of people experienced credit card fraud and an investigation led to Zaxby's as a common point of purchase.  Suspicious files were found on Zaxby's system during the subsequent investigation.  ","Databreaches.net","","2013","33.950000","-83.383333" "January 12, 2013","Florida Department of Juvenile Justice","Tallahassee","Florida","PORT","GOV","100,000","A mobile device that contained both youth and employee records was reported stolen on January 2, 2013.  Over 100,000 records were on the device and may have been exposed.  The device was taken from a Department of Juvenile Justice office and was neither encrypted nor password-protected.  
Department of Juvenile Justice policy requires such devices to be encrypted.","Databreaches.net","","2013","30.438256","-84.280733" "June 22, 2009","Baptist Medical Center","Montgomery","Alabama","PHYS","MED","0","Many folders that were found in a landfill dump site were labeled ""Radiology Department, Baptist Medical Center."" Hundreds of medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out included names, x-rays, ultrasounds, MRIs, and Social Security numbers.  Files from at least five other facilities were found at the same site; however Baptist Medical Center is believed to be the source of the breach.UPDATE (8/5/08): A former employee of Baptist Hospital has been sentenced to two years and one day in federal prison for wire fraud and stealing the identities of patients, according to a Department of Justice press release. Adrienne Denise Stovall, 30, pled guilty in January to one count of wire fraud and one count of aggravated identity theft, which carries a mandatory sentence of two years. Stovall worked at Montgomery's Baptist Hospital from August 2006 to early 2007. Her position gave her access to the hospital's computer system. The system contained confidential information including patient names, dates of birth, and Social Security numbers. Stovall used the information to apply for credit lines and credit cards. http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf","Media","","2009","32.366805","-86.299969" "January 29, 2013","North Los Angeles County Regional Center (NLACRC)","Van Nuys","California","PORT","MED","0","The November 13, 2012 theft of a laptop resulted in the exposure of consumer information.  
Names, addresses, phone numbers, dates of birth, residential information, and medical information may have been exposed.","California Attorney General","","2013","34.189857","-118.451357" "January 28, 2013","Walz and Associates Law Firm","Albuquerque","New Mexico","PHYS","BSO","0","A concerned citizen found hundreds of documents in a recycling center and notified a local news team.  The documents included criminal histories, depositions, medical records, personal phone numbers, and addresses.  Most were from the 1990's.  Most or all of the information did not need to be shredded because it was considered public record.  The local news team contacted a director from the solid waste division and the documents were removed for shredding.","PHIPrivacy.net","","2013","35.110703","-106.609991" "January 28, 2013","Cbr Systems","San Bruno","California","PORT","MED","300,000","The 2010 theft of a company laptop, a hard drive, and a number of unencrypted backup tapes resulted in the exposure of sensitive information.  Social security numbers, credit and debit card numbers, driver's license numbers, and dates of birth were contained on one or more of the devices.Cbr Systems reached a settlement with the Federal Trade Commission in early 2013.  Cbr Systems must establish an information security program and be independently audited every other year for 20 years.  The full settlement can be found here: http://ftc.gov/opa/2013/01/cbr.shtm","Media","","2013","37.630490","-122.411084" "January 29, 2013","Stethescope.com","Natick","Massachusetts","HACK","BSR","0","A hacker accessed the webserver used to host stethoscope.com on December 3.  The breach was discovered in mid-December during routine server maintenance.  
Customer names, addresses, email addresses, and credit card information such as numbers, expiration dates, and security codes may have been exposed.","California Attorney General","","2013","42.283333","-71.350000" "February 1, 2013","Antioch Unified School District","Antioch","California","DISC","EDU","0","A document with sensitive Worker's Compensation claim information was accidentally sent out with an email to a limited number of Antioch Unified School District employees.  Social Security numbers and other information related to current and former employees that reported injuries were exposed.  The incident occurred on January 18 and people who received the email were instructed to remove and destroy any saved information contained in the email. Those who received the email were also instructed to provide written verification that they had removed and destroyed the information.","California Attorney General","","2013","38.004921","-121.805789" "February 1, 2013","Tallahassee Memorial HealthCare","Tallahassee","Florida","INSD","MED","124","A former Tallahassee Memorial HealthCare food service employee was indicted on 31 counts of filing false tax returns, wire fraud, false claims, and aggravated identity theft.  He and two others are believed to have participated in a conspiracy that led to $818,000 in fraudulent claims.  The employee worked for Tallahassee Memorial HealthCare for three years.  He gathered patient names and dates of birth from food tray receipts when he delivered food to the rooms of patients in August of 2011 and stole emergency room data sheets from the trash. The information was then passed to the two others who participated in the conspiracy.","PHIPrivacy.net","","2013","30.438256","-84.280733" "January 8, 2013","Texas Department of Health and Human Services","Austin","Texas","INSD","MED","0","A dishonest employee was arrested on suspicion of misusing client information to apply for credit cards.  
The dishonest employee was able to pose as different clients seeking immunizations and other services.  She was charged with fraudulent use or possession of identifying information and credit card abuse.  UPDATE (01/31/2013): The employee was working for the Northeast Texas Public Health district when she was arrested for stealing the identities of patients at a clinic in Mount Pleasant.  She began working in the Texas Department of State Health Services clinic in 2008.","PHIPrivacy.net","","2013","30.267153","-97.743061" "February 1, 2013","Central Laborers' Pension Fund, Central Laborers' Welfare Fund, Central Laborers' Annuity Fund","","Illinois","PORT","BSF","0","A home burglary resulted in the theft of a CD that contained the information of over 30,000 beneficiaries.  The CD contained names, Social Security numbers, and dates of birth and was taken from the home of an accountant at an unnamed accounting firm.  The three funds sued the accounting firm for $200,000 to cover the cost of credit monitoring and insurance. ","Databreaches.net","","2013","40.633125","-89.398528" "January 28, 2013","Los Angeles County Department of Public Social Services","Los Angeles","California","INSD","GOV","132","A dishonest employee pleaded guilty to using a Los Angeles County computer system to file fraudulent tax refunds.  The fraudulent activity occurred between July 2009 and the 2011 tax year.  The IRS found 44 pages of screen prints with the information of 132 assistance participants in the employee's home. The employee, her spouse, and three others were indicted in January of 2012.    ","Databreaches.net","","2013","34.052234","-118.243685" "February 3, 2013","Premier Tax","Montgomery","Alabama","INSD","BSF","0","Six people who worked in tax preparation were charged with fraud and filing false tax returns in March of 2012.  Over 1,000 false tax returns were filed between October 2009 and April 2012.  The fraudulent returns totalled more than $1.7 million.  
More Information: https://www.databreaches.net/alabama-woman-pleads-guilty-in-id-theft-and...UPDATE (01/29/2013): Two others were linked to the conspiracy and charged.  One of them was an employee of an unnamed Alabama state agency. She was able to access a state database of personal information and provide it to others in the identity theft ring.UPDATE (3/13/2013): ""Bruce King, the founder and operator of Premier Tax, was sentenced today in Montgomery, Ala., to 70 months in prison and ordered to pay $781,305 in restitution to the Internal Revenue Service (IRS) for orchestrating a tax fraud scheme at his business, the Justice Department and the IRS announced. King had previously pleaded guilty to charges of conspiring to defraud the United States and filing false tax returns. According to court documents, Premier Tax was a tax preparation business operated by King that had several locations in Alabama and Georgia. King held training sessions in which he taught preparers how to falsify tax returns in order to fraudulently increase clients’ tax refunds. Those he taught went on to work at Premier Tax and filed numerous false tax returns. According to court documents, the tax loss caused by these fraudulent returns exceeded $1 million. To date, seven return preparers trained by King have also pleaded guilty and been sentenced.""More Information: https://www.justice.gov/opa/pr/owner-tax-preparation-business-sentenced-...UPDATE (4/15/2014): ""The United States has requested that the federal district court in Montgomery, Ala., permanently bar Tonja Renee Toney and Jenika Williams from preparing federal income tax returns for others, the Justice Department announced today.   According to the complaint, which was filed yesterday in the U.S. District Court for the Middle District of Alabama, Toney and Williams each prepared tax returns as employees of Premier Tax in Montgomery in 2007 and 2008, and both pleaded guilty to charges related to their work at Premier Tax.  
The complaint further alleges that both prepared false and fraudulent tax returns after being interviewed by Internal Revenue Service (IRS) agents in connection with their activities at Premier Tax.   The complaint alleges that both defendants have knowingly prepared federal income tax returns for customers that understated the customers’ tax liability by reporting false income in order to inflate the taxpayer’s claim to an Earned Income Tax Credit."" More Information: https://www.justice.gov/opa/pr/justice-department-sues-shut-down-alabama...","Government Agency","","2013","32.366805","-86.299969" "January 30, 2013","The New York Times","New York","New York","HACK","BSO","0","The New York Times' computer system was hacked after Chinese government officials warned the Times about consequences for investigating the wealth of government family members.  The Times began monitoring its system closely on October 24 and noticed unusual activity on October 25 when an article about the wealth of a Chinese official's family was published.  The breach began on September 13 and was allowed to continue until January so that the hackers' behavior could be studied.  It appears that the passwords of every Times employee were compromised and 53 Times employees had their personal computers accessed.  The 53 employees were located outside of the United States and appear to have been the ones who may have covered the Chinese stories.","Media","","2013","40.714353","-74.005973" "December 21, 2011","United States Chamber of Commerce","Washington","District Of Columbia","HACK","NGO","3,000,000","Hackers in China were able to breach the computer system of the United States Chamber of Commerce.  The hackers had access to the information of roughly three million members from November 2009 to May 2010.  Though the breach was discovered in May of 2010, there is evidence that some systems were still compromised in March of 2011.  
Email communications with no more than 50 of the Chamber's members were compromised. Company names, key company contacts, trade-policy documents, meeting notes, trip reports, and schedules were in the email communications.","Media","","2011","38.895112","-77.036366" "February 6, 2013","Bashas'","Chandler","Arizona","HACK","BSR","0","Bashas' online systems suffered an online breach.  Customers in Lake Havasu City and Pinal County who entered their credit and debit card information online have been affected.  All customers are being warned to check their payment card transactions for suspicious activity.","Dataloss DB","","2013","33.306161","-111.841250" "February 2, 2013","River Falls Medical Clinic","River Falls","Wisconsin","PHYS","MED","2,400","River Falls Medical Clinic officials reported a burglary during the summer of 2012.  The equipment and paper documents that were stolen were recovered by police on November 28.  An employee of a cleaning service that subcontracted with the Clinic is the main suspect.  The items were found in the employee's home and he was charged with felonies associated with theft and drug possession.  It is believed that the documents were intended to be shredded.  They contained patient names, dates of birth, patient account and billing account information, diagnosis codes, insurance information, account numbers, medical chart numbers, and scheduling information.  An unspecified number of patients also had their Social Security numbers, home addresses, and phone numbers exposed.","PHIPrivacy.net","","2013","44.861356","-92.623808" "February 7, 2013","THORLO","Statesville","North Carolina","HACK","BSR","0","Hackers were able to access customer credit card information stored on computer servers.  The cyber attack affected customers who made purchases on www.thorlo.com between November 14, 2012 and January 22, 2013.  Credit card numbers, credit card expiration dates, credit card security codes, names, and contact information were exposed. 
","California Attorney General","","2013","35.782636","-80.887296" "February 7, 2013","Schneider-Electric","Palatine","Illinois","DISC","BSO","0","A vendor's mailing error resulted in the exposure of employee Social Security numbers.  Call for Candidacy letters were mailed sometime around January 16 that had Social Security numbers, names, and addresses visible through the address window of the letter.  ","California Attorney General","","2013","42.110304","-88.034240" "February 7, 2013","Wayne Memorial Hospital","Honesdale","Pennsylvania","PORT","MED","1,182","An unencrypted disc that contained patient information was lost in transit.  The disc had names, Medicare account numbers, and outstanding account balances from patients who visited the Honesdale hospital between 2007 and 2012.  A legal envelope that contained the disc was mailed on November 28 and arrived at Novitas Solutions in Pittsburgh in a cardboard box without the disc. ","PHIPrivacy.net","","2013","41.576755","-75.258787" "February 4, 2013","Alabama Criminal Justice Information Center","Montgomery","Alabama","HACK","NGO","4,000","Information related to over 4,000 American bank executive accounts was exposed by hackers.  Hackers placed an Alabama Criminal Justice Information Center spreadsheet with the login information, credentials, contact information, and IP addresses of bank executives online.","Dataloss DB","","2013","32.366805","-86.299969" "January 31, 2013","Bank of Prairie du Sac","Prairie du Sac","Wisconsin","HACK","BSF","200","Customers were affected by an ATM hacking scheme. A skimming device is believed to have been placed on the bank's ATM at a food store.  A suspect was arrested after being seen using stolen card information at an ATM.","Dataloss DB","","2013","43.286933","-89.724012" "February 13, 2013","University of North Carolina","Chapel Hill","North Carolina","HACK","EDU","3,500","A cyber attack on two servers resulted in the exposure of employee information.  
The servers were at the UNC Lineberger Comprehensive Cancer Center.  Employees, contractors, and visiting lecturers at the Lineberger Center may have had their Social Security numbers or passport numbers exposed.  The breach was discovered in May of 2012 and notifications were sent in December of 2012.  Fewer than 15 people who were subjects in research studies were also affected by the breach.","Media","","2013","35.913200","-79.055845" "January 12, 2013","Florida Department of Juvenile Justice","Tallahassee","Florida","STAT","MED","100,000","On September 6, 2012 it was reported that three computers that contained information from the Florida Department of Juvenile Justice were stolen from an apartment site earlier in the week.  A television was also taken at the time of the theft. UPDATE (01/12/2013): At least one of the devices was neither encrypted nor password protected and held the personal information of over 100,000 youth and employees.","Databreaches.net","","2013","30.438256","-84.280733" "February 8, 2013","Talk Fusion","Brandon","Florida","HACK","BSO","0","A computer network attack resulted in the exposure of customer information.  The cyber attack was discovered on December 13, 2012 and affected customer databases.  Names, Social Security numbers, credit and debit card numbers, payment card expiration dates, payment card security codes, addresses, telephone numbers, dates of birth, and mothers' maiden names may have been exposed.","California Attorney General","","2013","27.937801","-82.285925" "February 11, 2013","Crafts Americana Group, Inc. (Knitpicks.com, ArtistsClub.com, ConnectingThreads.com)","Columbus","Ohio","DISC","BSR","0","Customers who had credit card numbers on file after using them at Knitpicks.com, ArtistsClub.com, or ConnectingThreads.com may have had their information exposed.  A file on the Crafts Americana Group, Inc. servers was accessible for a period of time before being removed on January 25, 2013.  
The file contained names, credit card numbers, addresses, and phone numbers.","California Attorney General","","2013","39.961176","-82.998794" "February 17, 2013","Sierra View District Hospital","Porterville","California","HACK","MED","0","The Information Technology Department at Sierra View District Hospital detected unusual activity on its computer network.  Patient information may have been affected and the investigation is ongoing.","PHIPrivacy.net","","2013","36.065230","-119.016768" "February 17, 2013","Heyman HospiceCare, Floyd Medical Center","Rome","Georgia","PORT","MED","0","The theft of a password-protected laptop from an employee's car may have resulted in the exposure of patient information.  The theft occurred on January 4, 2013 and was reported immediately.  Patients who were treated between July 1, 2006 and January 3, 2013 may have had their names, Social Security numbers, addresses, phone numbers, dates of birth, insurance policy numbers, diagnoses, visit notes, physician names, caregiver names, and advance directives exposed.","PHIPrivacy.net","","2013","34.257038","-85.164673" "February 14, 2013","Froedtert Health","Milwaukee","Wisconsin","HACK","MED","43,000","A computer virus was discovered on an employee's work computer account on December 14, 2012.  One of the files on the employee's computer contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, names of health insurers, diagnoses, and other clinical information.  A limited number of Social Security numbers were also exposed.","PHIPrivacy.net","","2013","43.038903","-87.906474" "February 13, 2013","Sinai Medical Center of Jersey City LLC","Jersey City","New Jersey","INSD","MED","0","A pediatrician misused patient information in order to defraud Medicaid of nearly one million dollars.  The pediatrician owned Sinai Medical Center and billed Medicaid for wound repairs and other procedures that were never performed.  
Police arrested the dishonest pediatrician on January 16, 2013.  ","PHIPrivacy.net","","2013","40.728158","-74.077642" "February 12, 2013","Palm Beach County Health Department","Palm Beach","Florida","INSD","MED","2,800","A senior desk clerk was arrested for obtaining and releasing patient information for identity theft purposes.  The dishonest employee took home client lists with names, Social Security numbers, and dates of birth.  Patients born between 1991 and 1996 may have had their personal information misused.","PHIPrivacy.net","","2013","26.705621","-80.036430" "February 11, 2013","Lee Miller Rehab Associates","Baltimore","Maryland","STAT","MED","10,480","A network server was stolen or discovered stolen on January 15, 2012.  The incident appeared on the HHS website in February of 2013.","HHS via PHIPrivacy.net","","2013","39.290385","-76.612189" "February 11, 2013","American HomePatient Inc., LifeGas","Brentwood","Tennessee","PORT","MED","1,103","A laptop was stolen or discovered stolen on October 11, 2012.  The incident appeared on the HHS website in February of 2013.","HHS via PHIPrivacy.net","","2013","36.033116","-86.782777" "February 11, 2013","Riderwood Village","Baltimore","Maryland","PORT","MED","3,230","Five laptops were stolen during the weekend of November 17, 2012.  They did not contain Social Security numbers and did contain unspecified personal information of patients.  A notice about the incident was sent on January 18, 2013 and the breach appeared on the HHS website in February of 2013.","HHS via PHIPrivacy.net","","2013","39.290385","-76.612189" "February 19, 2013","Hotusa Group","","","HACK","BSR","0","A server breach or other incident related to credit cards may have affected people who used their American Express cards at locations linked to Hotusa Group's servers.  Account numbers, names, credit card expiration date, and other credit card information may have been exposed for American Express and other cards. 
The incident occurred on August 24, 2012.","California Attorney General","","2013","37.090240","-95.712891" "February 15, 2013","Walgreens","Richmond","Kentucky","INSD","BSR","0","A Walgreens pharmacist used patient information to obtain prescriptions for powerful drugs.  The fraudulent activity occurred between April 2011 and January 2012.  The dishonest pharmacist pleaded guilty to aggravated identity theft, wire fraud, and fraudulently acquiring controlled substances on November 19, 2012. She was sentenced to 25 months in prison and one month of supervised release.","PHIPrivacy.net","","2013","37.747857","-84.294654" "February 20, 2013","Central Hudson Gas & Electric","Poughkeepsie","New York","HACK","NGO","110,000","Central Hudson learned of a cyber attack that occurred over President's Day weekend.  Customers were notified the day after the holiday and encouraged to monitor their bank accounts and credit reports.  Customer banking information and other personal information may have been accessed during the attack.","Databreaches.net","","2013","41.700371","-73.920970" "November 13, 2012","National Aeronautics and Space Administration (NASA)","Washington","District Of Columbia","PORT","GOV","10,000","An October 31 theft of a NASA laptop and sensitive NASA documents from an employee's locked car resulted in the exposure of employee information.  Contractors and other non-employees associated with NASA were also affected.  Employees are encouraged to be suspicious of communication from individuals claiming to be from NASA. It may take up to 60 days to send official notifications to those who were affected. UPDATE (12/14/2012): Up to 10,000 employees and people associated with NASA may have been affected.  ","Databreaches.net","","2012","38.895112","-77.036366" "May 3, 2012","Glenn Research Center - National Aeronautics and Space Administration (NASA)","Cleveland","Ohio","HACK","GOV","700","Hackers managed to obtain staff details from Glenn Research Center. 
Home addresses and telephone numbers of more than 700 US government staff were stolen and published online.  Most of the uploaded data was unclassified material such as expense forms and details on flight missions by the US Civil Air Patrol.  ","Media","","2012","41.499495","-81.695409" "February 20, 2013","Mid-Florida Urological Associates","Orlando","Florida","INSD","MED","0","A dishonest employee misused patient information in order to claim them as her children and receive insurance compensation.  The dishonest employee was charged with insurance fraud and ID theft. UPDATE (02/22/2013): Orlando Health patient records were accessed.  The Orlando Health hospitals include MD Anderson Cancer Center Orlando, Orlando Regional Medical Center, Winnie Palmer Hospital for Women and Babies, Dr. P. Phillips Hospital, Arnold Palmer Hospital for Children, South Seminole Hospital, South Lake Hospital, and Health Center Hospital.","PHIPrivacy.net","","2013","28.538336","-81.379237" "February 21, 2013","Polk County School District","Bartow","Florida","DISC","EDU","200","Students who paid tuition for education programs may have had their 1098T tax forms sent to the incorrect address.  Between 150 and 200 people out of 2,000 were sent to the wrong address because a group of the tax forms were placed in envelopes without being properly separated.  Some people received the forms of several people while others never got their tax forms.  The district implemented a new step of sampling some of the envelopes in order to review the process before completing an entire batch.","Media","","2013","27.896415","-81.843137" "February 21, 2013","Zendesk","San Francisco","California","HACK","BSR","0","A hacker accessed Zendesk information that was online.  Three clients who use Zendesk to store information had user lists downloaded by the hacker.  
Users who contacted those clients for support may have had their email addresses and the subject lines of those email addresses accessed. UPDATE (02/22/2013): Tumblr, Twitter, and Pinterest were the affected clients. Twitter let users know that emails, phone numbers, Twitter usernames, and any other information that was provided to Twitter may have been exposed.  Passwords were not compromised.","Media","","2013","37.774930","-122.419416" "February 22, 2013","NBC.com","New York","New York","HACK","BSO","0","NBC's website was attacked by malware in the form of a Citadel Trojan.  The purpose of the attack was most likely to steal usernames, passwords, and other personal information.  NBC is unclear on how the malware entered their system.","Media","","2013","40.714353","-74.005973" "February 19, 2013","Kork and Keg","Greencastle","Indiana","HACK","BSR","0","Fraudulent activity on the accounts of DePauw University students was linked to Kork and Keg.  It is not clear how the store's payment system was compromised; however it was a common link among those who had their accounts breached.  Kork and Keg did not make a statement.","Media","","2013","39.644490","-86.864732" "February 18, 2013","Express Scripts, Ernst & Young","St. Louis","Missouri","DISC","BSF","0","A partner at Ernst & Young is accused of sneaking into the headquarters of Express Scripts Holding Co.  It is not clear how the Ernst & Young partner got into the headquarters, but it is believed that he emailed over 20,000 pages of data to a personal account.  Express Scripts Holding Co. accused Ernst & Young of stealing the information in order to develop its health care division. Express Scripts Holding filed a lawsuit; the accused partner is no longer employed by Ernst & Young.","Media","","2013","38.627003","-90.199404" "February 5, 2013","U.S. Department of Energy","Washington","District Of Columbia","HACK","GOV","0","The U.S. 
Department of Energy discovered that unidentified malicious activity had been detected on 14 servers and 20 workstations in January.  The personal information of several hundred employees was exposed.  The U.S. Department of Energy had known about the need to patch computers, network systems, and servers since 2012.","Media","","2013","38.895112","-77.036366" "February 12, 2013","J.P. Morgan Chase, Capital One","New York","New York","CARD","BSF","6,000","Two men face charges of conspiracy to commit bank fraud, conspiracy to commit access device fraud, and aggravated identity theft after being indicted for attaching skimming devices to ATMs in New York, New Jersey, Illinois, and Wisconsin.  At least nine other people are believed to have participated in the bank fraud scheme.  Over 6,000 J.P. Morgan Chase and Capital One bank accounts were defrauded for over $3 million.","Media","","2013","40.714353","-74.005973" "February 13, 2013","Los Angeles Times, OffersandDeals.latimes.com","Los Angeles","California","HACK","BSO","0","The Los Angeles Times learned that a segment of its website housed malicious code for six weeks.  The subdomain OffersandDeals.latimes.com redirected visitors to a malicious website.  The website then used code to receive compensation for web traffic.  The compromise appears to have occurred sometime before December 23, 2012.  An LA Times spokesperson initially responded to the breach by claiming that a glitch in Google's display ad exchange had caused a malicious script warning rather than actual malicious script.","Media","","2013","34.052234","-118.243685" "February 14, 2013","FCC, Emergency Alert System","Washington","District Of Columbia","HACK","GOV","0","The Emergency Alert Systems (EAS) of several TV stations nationwide were hacked and alerted people to a fictitious zombie attack.  
The FCC ordered local broadcasters to change their passwords on EAS equipment and check the security of firewalls before resuming normal internet connections.","Media","","2013","38.895112","-77.036366" "February 14, 2013","Häagen-Daz","Tampa","Florida","HACK","BSR","0","Anyone who made a purchase at the Häagen-Daz inside the food court in International Plaza since April of 2012 may have been affected by identity theft.  A flash drive that contained key-logger software was connected to a register at the store.  It recorded payment card transactions and allowed thieves to make counterfeit credit cards.  Two men were arrested in June of 2012 for using fraudulent card information and that information was later linked to the Häagen-Daz shop.","Media","","2013","27.950575","-82.457178" "February 13, 2013","Jawbone","San Francisco","California","HACK","BSR","0","Hackers were able to access Jawbone's MyTALK customer accounts for several hours.  Names, email addresses, and encrypted passwords were exposed.  Any customers who were affected received an email warning them to reset their passwords.","Media","","2013","37.774930","-122.419416" "January 31, 2013","Silver Star Motors","Cortland","Illinois","INSD","BSR","25","The owner of Silver Star Motors was charged with seven counts of identity theft and may have been involved in 25 cases of identity theft.  Customer information was used to defraud lending companies associated with the used-car dealership. UPDATE (02/13/2013): At least 44 people have had their information misused. The dishonest owner also operated Edge Auto Sales at one time.","Dataloss DB","","2013","41.920029","-88.688696" "February 25, 2013","Mercedes-Benz of Walnut Creek","Walnut Creek","California","PHYS","BSR","0","A February 7 or 8 office burglary at Mercedes-Benz of Walnut Creek resulted in the exposure of customer information.  
Locked file cabinets that contained customer deal files were burglarized and customer files were taken from the Service Department.  The theft was discovered on the morning of February 8 and immediately reported.  Customer names, Social Security numbers, addresses, credit reports, driver's license information, insurance information, and credit card numbers may have been exposed.","California Attorney General","","2013","37.906313","-122.064963" "February 28, 2013","First National Bank of Southern California","","California","PORT","BSF","0","A back-up tape that contained First National Bank of Southern California client information was stolen on February 1, 2013 from a data service provider.  Social Security numbers, taxpayer identification numbers, account balances, and account numbers were exposed.","California Attorney General","","2013","36.778261","-119.417932" "January 18, 2013","Stanford School of Medicine, Lucile Packard Children's Hospital","Palo Alto","California","PORT","MED","0","The January 9 theft of a laptop from a physician's car may have exposed sensitive information.  The laptop may have contained some combination of patient names, dates of birth, and contact information. UPDATE (01/22/2013): A total of 57,000 patients are being notified. Medical information and medical record numbers were exposed.  A limited number of patients had their contact information exposed.  Most of the information on the laptop was from 2009.","California Attorney General","","2013","37.441883","-122.143020" "September 7, 2011","North Bay Regional Health Centre","Napa","California","INSD","MED","5,800","A privacy audit uncovered a breach caused by an employee.  The employee accessed health information for persons other than those with whom they provided care.  These inappropriate accesses date back to 2004.  
Only affected patients received a letter notifying them of the breach and offering suggestions for personal security. UPDATE (03/02/2013): The employee was a registered nurse and will receive a hearing in June of 2013.  No prosecution has occurred.","PHIPrivacy.net","","2011","38.304722","-122.298889" "February 26, 2013","First Choice Home Health Care Services Inc., Reliance Home Care, LLC","Detroit","Michigan","INSD","MED","0","A group of co-conspirators used Medicaid information from Medicare beneficiaries in and near Detroit to defraud Medicaid and file for $24.7 million in fraudulent claims.  The fraud took place between 2008 and May of 2012.  Hundreds of patients had their information misused so that co-conspirators could bill Medicare for psychotherapy, home health services, and other medical services.","PHIPrivacy.net","","2013","42.331427","-83.045754" "March 1, 2013","Bank of Hawaii, First Hawaiian Bank","Oahu","Hawaii","HACK","BSR","0","An unnamed restaurant in Oahu experienced a computer system breach.  Customers who visited the restaurant during a period in February had their credit and debit cards blocked by Bank of Hawaii and First Hawaiian Bank when the breach was discovered.  Not all of the payment cards that were blocked had been compromised.","Media","","2013","21.438912","-158.000057" "February 27, 2013","Bit9, Inc.","Waltham","Massachusetts","HACK","BSO","0","Hackers were able to exploit a vulnerability in a web application and use an SQL injection.  The breach occurred in July of 2012, however the server was shut down until January of 2013. Hackers then used Bit9's systems to attack other organizations who relied on Bit9 as a security platform vendor.  Three unnamed companies were affected.  
The vulnerability was caused by Bit9 failing to install its own security software.","Media","","2013","42.376485","-71.235611" "March 4, 2013","TD Bank, N.A.","Cherry Hill","New Jersey","PORT","BSF","0","Two backup tapes with customer and customer dependent names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers went missing while being transported between two TD Bank office locations in March of 2012.  ","California Attorney General","","2013","39.926813","-75.024631" "March 4, 2013","The Prudential Insurance Company of America, Unisys","Newark","New Jersey","DISC","BSF","0","An administrative error resulted in documents with sensitive information from Unisys members being emailed to an incorrect party associated with Unisys. The mistake occurred on December 13, 2012.  The document may have contained names, Social Security numbers, dates of birth, and salary information. The mistake was immediately noticed by the recipient and the information was deleted from their computer.","California Attorney General","","2013","40.735657","-74.172367" "March 1, 2013","Fabric Depot","Portland","Oregon","HACK","BSR","0","On January 7, 2013 Fabric Depot became aware of a breach that had occurred sometime around October 16, 2012.  Fabric Depot changed their online payment system and notified customers.  Customer names, credit card numbers, credit card verification codes, debit card numbers, and account billing addresses may have been exposed.","California Attorney General","","2013","45.523452","-122.676207" "February 26, 2013","Massachusetts Mutual Life Insurance Company, Convey Compliance Systems, Inc.","Springfield","Massachusetts","DISC","BSF","0","An error at Convey Compliance Systems, Inc. resulted in 1099 forms being mailed to incorrect addresses.  The 1099 forms contained names, Social Security numbers, tax identification numbers, and addresses.  
The financial information of some Massachusetts Mutual Life Insurance Company clients was exposed.","California Attorney General","","2013","42.101483","-72.589811" "March 8, 2013","University of Connecticut Health Center","Farmington","Connecticut","INSD","MED","1,400","An employee accessed patient records for reasons unrelated to their job function.  The Heath Center became aware of an unauthorized access in January of 2013.  Patient names, addresses, dates of birth, and in some cases health information and Social Security numbers may have been exposed.","Media","","2013","41.736031","-72.795027" "March 3, 2013","Evernote","Redwood City","California","HACK","BSO","50,000,000","A hacker or hackers attacked and may have accessed Evernote's online system. Evernote reset all user passwords as a precaution.  User names, email addresses, and encrypted passwords may have been exposed. UPDATE (03/09/2013): A total of 50 million users were told to reset their passwords.","Media","","2013","37.485215","-122.236355" "February 25, 2013","Capella University","Minneapolis","Minnesota","INSD","EDU","0","A collection department employee sent sensitive information to a personal email account.  The incident was discovered on January 28 and the employee was fired.  A small group of learners may have had their names, Social Security numbers, and other information that was kept by Capella's collection department exposed.","Security Breach Letter","","2013","44.977753","-93.265011" "March 11, 2013","Stanley Black & Decker, Inc.","New Britain","Connecticut","PORT","BSR","0","The theft of an employee's laptop resulted in the exposure of information from employees and people who received checks from Stanley Black & Decker.  Names, and the account numbers and routing numbers associated with direct deposits may have been exposed. The laptop was stolen from a finance employee on January 28.  
","California Attorney General","","2013","41.661210","-72.779542" "February 22, 2013","Microsoft","Redmond","Washington","HACK","BSR","0","Microsoft security discovered that a number of employee devices were affected by malware.  The employees had visited unsafe websites and downloaded material. It is unclear if the employee devices spread the infection to other areas of Microsoft's network, but Microsoft found no evidence of customer data being affected. Facebook, Twitter, and Apple were affected by a similar issue around the same time.","Media","","2013","47.673988","-122.121512" "February 15, 2013","Facebook","Menlo Park","California","HACK","BSO","0","Facebook discovered that hackers had exploited a vulnerability and accessed unspecified data.  Facebook found no evidence that Facebook user data was compromised.  Malware was installed on a number of employee laptops after a small number of them visited a mobile developer website that turned out to be unsafe. Microsoft, Twitter, and Apple were affected by the same issue around the same time.","Media","","2013","37.452960","-122.181725" "February 2, 2013","Twitter","San Francisco","California","HACK","BSO","250,000","Online attackers were able to access the usernames, email addresses, session tokens, and encrypted passwords of 250,000 users.  Twitter notified affected users and told them to create a new password.  Anyone who used the same password and username or email combination for other sites is encouraged to change the password on other sites as well.UPDATE (03/11/2013): Facebook, Microsoft, and Apple were all affected by a similar breach around the same time.","Media","","2013","37.774930","-122.419416" "February 19, 2013","Apple","Cupertino","California","HACK","BSR","0","Apple detected malware on employee computers.  A small number of employee computers had been affected after their users went to a website for software developers.  
Facebook, Microsoft, and Twitter experienced the same breach around the same time.","Media","","2013","37.322998","-122.032182" "January 30, 2013","Police Department of Littleton, Massachusetts","Littleton","Massachusetts","DISC","GOV","100","A police activity log for the period of January 7 through January 13 was published on the Littleton department's website. Someone forgot to remove personal details from the log and the sensitive information was available online for 10 days.  Names, Social Security numbers, dates of birth, and addresses, were available between January 14 and January 24.","Media","","2013","42.537289","-71.512802" "January 16, 2013","Utah Department of Health, Goold Health Systems","Salt Lake City","Utah","PORT","MED","6,000","An employee of Goold Health Systems lost an unencrypted USB memory stick that contained the information of around 6,000 Medicaid recipients in Utah.  Goold Health Systems is a contractor for the Utah Department of Health.  Medicaid recipient names, Medicaid identification numbers, ages, and recent prescription drug use were on the memory stick.  The memory stick was lost during travel between Salt Lake City, Denver, and Washington.  The loss was confirmed on Tuesday, January 15.  ","Media","","2013","40.760779","-111.891047" "January 11, 2012","MDwise","Indianapolis","Indiana","DISC","MED","2,700","An upgrade of MDwise's customer record computer system in February 2011 resulted in the leak of records from several organizations.  Anyone searching by name could have accessed the information online.  Members of Healthy Indiana Plan, Care Select, and Hoosier Healthwise may have had their names, addresses, Medicaid numbers, and doctors' names and addresses exposed online.  Administrators corrected the error as soon as it was detected.  ","PHIPrivacy.net","","2012","39.768516","-86.158074" "February 15, 2012","St. 
Joseph Health System","Irvine","California","DISC","MED","31,800","Protected patient information may have been available on the internet for one year.  A patient's attorney contacted St. Jude officials to inform them that the information was available online. The patient health records included names, body mass index, blood pressure, lab results, smoking status, diagnoses lists, medication allergies, and demographic information such as gender, date of birth, language spoken, ethnicity, and race.  The information was removed from online and could no longer be accessed by unauthorized parties.  A total of 6,235 patients from Santa Rosa Memorial Hospital, two from Petaluma Valley Hospital, 4,263 from Queen of the Valley in Napa, and an unknown number of patients from St. Jude Medical Center in Fullerton, and Mission Hospitals in Laguna Beach and Mission Viejo were affected. UPDATE (07/10/2012): The California Department of Public Health was still investigating Queen of the Valley Medical Center as of July 10, 2012.  Additionally, two patients who were treated at Santa Rosa Memorial Hospital, filed a class action lawsuit on behalf of the 31,800 patients who were affected.  They seek $31.8 million, or $1,000 per patient. UPDATE (10/18/2016): ""St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. 
SJH’s range of services includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico.""More Information: http://www.hhs.gov/about/news/2016/10/18/214-million-hipaa-settlement-un...","PHIPrivacy.net","","2012","33.683947","-117.794694" "December 7, 2012","Carolinas HealthCare System","Charlotte","North Carolina","HACK","MED","6,300","An unauthorized electronic intrusion may have affected up to 6,300 patients from Carolinas Medical Center-Randolph. The intruder accessed a provider's email account and could have obtained patient names, dates and times of service, dates of birth, diagnosis and prognosis information, medications, results, and referrals.  The Social Security numbers of five patients who had their Social Security numbers sent through or received by the email account may have also been obtained. The issue was discovered on October 8 and the intruder is believed to have accessed emails from the account between March 11, 2012 and October 8, 2012.","PHIPrivacy.net","","2012","35.227087","-80.843127" "February 7, 2013","McDonald's, Shogun Japanese Steakhouse, Krystal, Polished Nail Salon","","Georgia","INSD","BSR","0","Eleven people were charged with participating in an identity theft ring.  Some of the defendants obtained customer credit and debit card information by using skimmers at their places of employment.  Others used the stolen information to make fraudulent payment cards.  The ring was in action between June of 2009 and November of 2010.","","","2013","32.165622","-82.900075" "January 13, 2013","Advanced Micro Devices (AMD), Nvidia","Sunnyvale","California","INSD","BSR","0","Four managers who left AMD to work for Nvidia are being sued by AMD for intellectual property theft.  
AMD accused the former employees of setting up a spying ring in the company before leaving to work for rival company Nvidia.  One of the managers is accused of using two external hard drives to download Microsoft Outlook email files, licensing agreements, and strategic plans from his work computer before leaving AMD in July of 2012. Another employee is accused of taking an AMD technical work and development database with over 200 files.  The four employees are accused of taking over 150,000 documents.","Media","","2013","37.368830","-122.036350" "April 9, 2012","Intel, Advanced Micro Devices (AMD)","Hudson","Massachusetts","INSD","BSR","0","A former Intel employee pleaded guilty to stealing documents for competitive advantage.  The employee worked for AMD at the time of the theft and was able to retain access to some of Intel's processor designs and chip fabrication process documents.  He used his vacation time from Intel to begin working at AMD.  The dishonest employee was charged with one count of stealing trade secrets for stealing a stack of documents in 2008 and four counts of wire fraud.  Intel valued the documents at between $200 million and $400 million.","Media","","2013","42.391736","-71.566139" "March 16, 2013","Salem State University","Salem","Massachusetts","HACK","EDU","25,000","A server was found to be infected with a virus.  The University computer contained information related to paychecks distributed by the University.  Current and former employees who may have been students or staff may have been affected.","Media","","2013","42.519540","-70.896716" "August 11, 2010","Thomson Reuters","New York","New York","INSD","BSO","0","Police found Thomson CompuMark customer information in the home of a former employee. The information included names, addresses and credit card information. 
The employee processed customer payments between May and December of 2009.","Databreaches.net","","2010","40.714353","-74.005973" "December 8, 2011","Subway","Milford","Connecticut","HACK","BSR","80,000","Over 150 Subway franchises and at least 50 other small retailers had customer data hacked from their point-of-sale (POS) systems.  Four Romanian hackers were indicted for hacking and misusing the credit card information between 2008 and May of 2011.  Over $3 million in fraudulent charges on customer cards was obtained by scanning the internet for vulnerable POS systems and then easily breaking the passwords to these systems. Keyloggers and a backdoor were also installed to allow further access to the system.  Retailers who were hit had used a certain type or types of basic POS software and many had failed to change the default password for the software.UPDATE (01/08/2013): A Romanian national was arrested and sentenced for his role in the POS system hack of Subway.  Three other Romanians face charges related to the breach.UPDATE (03/19/2013): The scheme may have affected 150 restaurants and may have led to $10 million in fraudulent charges.  Two additional hackers were sentenced on conspiracy to commit computer fraud and conspiracy to commit access device fraud charges.","Databreaches.net","","2011","41.230895","-73.063584" "March 19, 2013","Subway","","California","HACK","BSR","0","A former owner of a Subway franchise used software from his new job to access the computer systems of Subway restaurants.  The former owner sold point-of-sale software to Subway restaurants across the country and then worked with an accomplice to remotely hack into at least 13 Subway point-of-sale systems.  The fraud began in 2011.  Fraudulent Subway gift cards totaling at least $40,000 were created.  
Two of the California participants were indicted on March 6.","Media","","2013","36.778261","-119.417932" "June 9, 2010","Apple Inc., AT&T","Cupertino","California","HACK","BSR","120,000","A security breach has exposed iPad owner information. Dozens of CEOs, military officials, and top politicians may have been affected. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking. The breach exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised. It doesn't stop there. According to the data given by the web security group that exploited vulnerabilities on the AT&T network, 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed. UPDATE (01/18/2011): Chat logs of the accused iPad hackers were turned over to investigators.  It appears that two men used an ""account slurper"" to conduct a ""brute force"" attack that lasted five days and extracted data from iPad users who accessed the Internet through AT&T's 3G network.  Each of the two men was charged with one count of conspiracy to access a computer without authorization and one count of fraud. UPDATE (06/23/2011): One of the people responsible for writing the malicious code used to breach AT&T's computer servers pleaded guilty to his part in the attack. UPDATE (11/20/2012): The second person responsible for discovering and exploiting a security weakness was found guilty.  
AT&T iPad subscribers had their emails exposed because of the security issue.UPDATE (03/19/2013): One of the conspirators was sentenced to 41 months in prison for identity theft and conspiracy to gain unauthorized access to computers.","Dataloss DB","","2010","37.322998","-122.032182" "March 16, 2013","Lawrence Melrose Medical Electronic Record, Inc.","Melrose","Massachusetts","INSD","MED","0","An employee of Lawrence Melrose accessed patient information for reasons unrelated to their work.  It is unclear what type of patient information was exposed and how many patients were affected.  ","PHIPrivacy.net","","2013","42.458429","-71.066163" "March 22, 2013","Comfort Inn and Suites","Willard","Missouri","INSD","BSO","0","A dishonest employee working at a Comfort Inn and Suites in Willard, Missouri during 2009 worked with a conspirator to misuse the information of hotel customers.  They were ordered to pay restitution of $23,000.  The dishonest employee was sentenced to three years of probation and her accomplice was sentenced to 42 months for aggravated identity theft and conspiracy to commit wire fraud.","Media","","2013","37.305047","-93.428527" "March 20, 2013","Savannah River Site (SRS)","Aiken","South Carolina","DISC","GOV","12,000","A security breach allowed access to the personal records of at least 12,000 SRS workers.  The breach does not appear to be the result of a cyber attack.  Workers may have had financial information exposed.","Media","","2013","33.560417","-81.719553" "March 19, 2013","General Services Administration (GSA)","Washington","District Of Columbia","DISC","GOV","0","GSA users may have been able to view the financial information and trade secrets of other GSA users due to a security vulnerability.  The specific database that was affected is called the System for Award Management (SAM).  Contractor and vendor registration records are cataloged by SAM.  It is not clear how GSA became aware of the issue or how long it was a problem.  
Agency officials revealed that users could purposefully or inadvertently view the information of other users after following a series of steps.UPDATE (03/23/2013):  Users had Social Security numbers and tax identification numbers exposed.","Media","","2013","38.907192","-77.036871" "May 5, 2012","Ford-Motor Websites (Connect With Fiesta, Unleashfiesta)","Dearborn","Michigan","HACK","BSR","0","Hackers targeted various websites owned by Ford and posted sensitive information online.  Usernames, passwords, and administrator information may have been exposed.","Databreaches.net","","2012","42.322260","-83.176315" "May 5, 2012","United States Naval Research Laboratory","Washington","District Of Columbia","HACK","GOV","30","A hacker or hackers accessed and posted sensitive information online.  A total of 30 names, usernames, email addresses, and passwords were exposed.","Dataloss DB","","2012","38.895112","-77.036366" "May 17, 2011","Massachusetts Executive Office of Labor and Workforce Development (EOLWD)","Harrisburg","Pennsylvania","HACK","GOV","210,000","A computer virus called W32.QAKBOT infected various computer terminals and individual computers at the Department of Unemployment Assistance, the Department of Career Services, and multiple One Stop Career Centers. The virus first infected the computers and network on April 20.  Though the virus was detected within a short period of time and stopped, it was later discovered that it had not been completely eradicated.  Names, Social Security numbers, email addresses, residential or business addresses, Employer Identification Numbers (EIN) and employer bank information may have been exposed.  Twelve hundred employers who manually filed with the EOLWD may be affected. 
If a staff member keyed in sensitive claimant information at a work station infected with the virus then that claimant's information may have been exposed. UPDATE (5/18/2011): Approximately 210,000 people were affected by the breach.","Databreaches.net","","2011","40.273700","-76.884418" "May 14, 2011","Oregon Department of Motor Vehicles","Indianapolis","Indiana","DISC","GOV","0","The Oregon DMV sold DMV database information to marketing companies prior to the late 1990s.  A man gained access to this information and used it to create fake Oregon identification cards and print fake checks.  He was charged with 26 counts of aggravated identity theft; this represents one count per victim for each letter of the alphabet.  The database includes 1.6 million names, addresses, dates of birth, genders and ages of people who registered with the DMV.  The database of publicly available information is over a decade old. The Oregon DMV says it is not the first time one of their databases has been used illegally.","Databreaches.net","","2011","39.768516","-86.158074" "December 4, 2012","Louisiana State University (LSU) Hospital System","Baton Rouge","Louisiana","INSD","MED","416","A dishonest employee working in the billing department used her position to access account information.  She scanned checks and identification information from the LSU hospital system database and passed them on to at least four women.  The scheme was discovered when the four women were allegedly caught on camera making purchases with fake checks.  Handwritten Social Security numbers, check and ID card printing items, computers, and copies of scanned checks were found when the women's homes were searched. At least seven people face charges that include identity theft, conspiracy to commit identity theft, conspiracy to commit monetary abuse, and possession of fraudulent documents for identification purposes.  
The dishonest employee was charged with 377 counts of identity theft. UPDATE (01/02/2013): LSU Health notified 416 patients after a hospital employee discovered fraudulent activity on her checking account.","PHIPrivacy.net","","2012","30.458283","-91.140320" "December 4, 2012","Surgical Associates of Utica, Quanterion Solutions, Inc.","Utica","New York","STAT","MED","1,017","The theft of a network server on or around September 18 may have resulted in the exposure of sensitive patient information.  A notification was sent to the US Department of Health and Human Services (HHS) on November 16.","HHS via PHIPrivacy.net","","2012","43.100903","-75.232664" "March 14, 2012","Forte Interactive, Children's Service Council of Palm Beach County, Ocean Reef Community Association","West Palm Beach","Florida","DISC","BSO","0","Information Forte Interactive inadvertently copied from web applications used by Children's Service Council and Ocean Reef Community accidentally became publicly accessible after a system upgrade.  Names, Social Security numbers, driver's license numbers, and dates of birth of individuals whose information was contained in the web portal or web portals was publicly accessible between December 7, 2011 and February 3, 2012. The issue was discovered on January 30, 2012.  ","Dataloss DB","","2012","26.715342","-80.053375" "May 24, 2011","Soy Capital Bank and Trust","Decatur","Illinois","CARD","BSF","0","Five Midwest financial institutions have seen fraudulent charges show up on their customers' MasterCard-issued debit cards.  Soy Capital Bank and Trust is responding quickly to the breach; it appears to have occurred over the weekend of May 21.  Fraudulent charges that emptied the accounts of some customers have been appearing in places ranging from Australia to Texas.  Soy Capital is blocking transactions on old MasterCards and giving clients new debit cards.  
Soy Capital expects minimal losses from the breach and will be able to reinstate customer funds within 10 days.  Customers who were affected could end up paying as much as $50.  ","Media","","2011","39.840315","-88.954800" "June 7, 2011","Greenville Hospital System University Medical Center, Allen Bennett Memorial Hospital","Greer","South Carolina","PHYS","MED","0","Exposed boxes of patient information were reported to Greenville Hospital System on December 31, 2010 by someone wishing to remain anonymous.  The boxes were in a storage structure behind the building of an abandoned hospital.  The hospital was Allen Bennett Memorial Hospital; it closed in August of 2008. Greenville Hospital System collected the boxes and notified patients in February.  The 22 boxes contained information from Allen Bennett Memorial dating from 1990 to 1999.  The information in the boxes included patient names, reasons and dates for visits, amount paid, patient insurance information with diagnosis and treatment, and admission reports with patient dates of birth and some Social Security numbers.  An investigation revealed that the information in the boxes was probably not used for criminal purposes and that no one was sure how the boxes had gotten there.","PHIPrivacy.net","","2011","34.938728","-82.227057" "June 22, 2011","Conor O'Neills Restaurant","Ann Arbor","Michigan","HACK","BSR","0","Conor O'Neills' computer system was hacked.  Customers may have had their credit and debit card numbers accessed.  A number of the fraudulent charges came from Texas between April 22 and June 10 of 2011.  There is also a possibility that the hackers originated in Europe.  The date of the breach and the number of customers affected were not reported.  
","Databreaches.net","","2011","42.270872","-83.726329" "October 14, 2011","Scott County Memorial Hospital","Scottsburg","Indiana","PORT","MED","2,059","A surgeon, had a palm pilot device stolen from his parked vehicle on or around the morning of July 13, 2011.  It held patient names, dates of birth, surgical procedures, diagnoses, and anesthesia.  Patients who had seen the surgeon between December 27, 2007 and June 24, 2011 were affected.","HHS via PHIPrivacy.net","","2011","38.685614","-85.770245" "October 27, 2011","James A. Haley VA Hospital","Tampa","Florida","PORT","MED","0","A camera from the Plastic Surgery Clinic was discovered missing in November of 2010.  It contained Social Security numbers and graphic photos of female patients before and after surgery for breast cancer.  The same investigation that uncovered the missing camera also revealed that laptops, televisions, thumb drives, microscopes, a hospital surveillance system, and other equipment had been lost or stolen within the past two years.  One missing thumb drive contained additional patient information.","PHIPrivacy.net","","2011","27.950575","-82.457178" "March 22, 2013","Tallahassee Community College (TCC)","Tallahassee","Florida","HACK","EDU","3,300","Federal investigators informed Tallahassee Community College that a hacker gained access to their main computer system.  The personal information of students who applied for financial aid may have been accessed.  It appears that an insider hacked into the computer system. Hacked 2011 TCC financial aid records were misused to file fraudulent tax refunds.  Federal Investigators told TCC when they traced where the information came from.","Media","","2013","30.438256","-84.280733" "April 6, 2012","Utah Department of Health","Salt Lake City","Utah","HACK","GOV","780,000","Utah Medicaid clients have had their information exposed by a hack of an improperly protected Utah Department of Health computer server.  
The breach was discovered when an unusual amount of data was found to be streaming out of the server on April 2. Medicaid clients who had not had their Social Security numbers transitioned into the system had their Social Security numbers exposed.  A majority of the affected individuals had medical claims, dates of birth, addresses, physicians' names, and other forms of medical information exposed, but not Social Security numbers. Two out of three of those who were affected were children.  The cost of working with the credit-reporting company Experian to contain the breach is estimated to be $460,000. UPDATE (04/10/2012): Though the number of affected individuals was originally reported as 181,604 with 25,096 Social Security numbers exposed, Utah Department of Health reported that nearly 280,000 people had their Social Security numbers exposed by the breach.  An additional 500,000 victims did not have their Social Security numbers exposed, but had some form of personal information such as date of birth, name, and address exposed. People who visited a health care provider in the past four months are likely to have been affected by the breach. UPDATE (05/15/2012): The governor of Utah fired the Director of the Department of Technology Services and appointed a new employee, an ombudsman, to shepherd victims through the process of protecting their identities and credit.  Two other members of the technology services department are under review.  The vulnerability that caused the breach was partly, if not fully, due to failure to change a default password. Additionally, data will now be encrypted while it is on Utah servers as well as when it is in transit. UPDATE (07/22/2012): Those who wish to learn more about the Utah Department of Health breach will be able to attend a series of statewide workshops running from July 26 until August 22.  
Information on Utah's Data Breach Security Tour can be found here. UPDATE (03/25/2013): The state legislature of Utah added a second year of free credit monitoring to those who were affected by the breach.  Additionally, a Utah health department official revealed that only 59,500 people had taken advantage of the first year of free credit monitoring service.  Those who did not enroll in 2012 may call 801-538-6923 or email ombudsman@utah.gov to sign up for the 2013-2014 term.","PHIPrivacy.net","","2012","40.760779","-111.891047" "March 21, 2013","National Institute of Aerospace, National Aeronautics and Space Administration (NASA)","Hampton","Virginia","INSD","NGO","0","A Chinese national who worked as a contractor for the National Institute of Aerospace had access to NASA's Langley Research Center.  He was caught boarding a plane with two external hard drives, two laptops, a memory stick, and a SIM card on March 16.  He originally did not reveal the second laptop, hard drive, and SIM card when detained.  The information he was attempting to steal was not revealed.  ","Media","","2013","37.029869","-76.345222" "July 31, 2012","Oregon Health and Science University Hospital (OHSU)","Portland","Oregon","PORT","MED","14,495","The July 4 or 5 burglary of an OHSU employee's home resulted in the theft of a briefcase, a thumb drive, and several other items.  The thumb drive was used to back up data from OHSU computer systems and would normally be locked in a secure location on campus.  Pediatric patient information such as name, date of birth, phone number, address, OHSU medical record number, patient medical condition code, or family medical history was exposed. A total of 702 patients had additional information exposed that was more sensitive.  
The thumb drive also contained a database of OHSU staff information that included names, Social Security numbers, addresses, and employment-related vaccination information of 195 OHSU employees.","PHIPrivacy.net","","2012","45.523452","-122.676207" "March 26, 2013","Texas Tech University Health Sciences Center (TTUHSC)","Lubbock","Texas","DISC","MED","700","An administrative error caused the billing statements of around 700 patients to be sent to the mailing addresses of other patients.  Patient names, account numbers, invoice numbers, charge amounts, dates of service, department and provider names, adjustment amounts, payments from insurance companies, amounts due, and total account balances may have been exposed.","PHIPrivacy.net","","2013","33.577863","-101.855167" "June 12, 2009","Oregon Health and Science University","Portland ","Oregon","PORT","EDU","4,000","A physician's laptop was stolen from a car parked at the doctor's home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer. There were no home addresses, billing information or Social Security numbers stored on the laptop.UPDATE (08/11/10): It seems that as many as 4,000 patients may have been affected and Social Security numbers were involved.","Dataloss DB","","2009","45.523452","-122.676207" "March 31, 2013","Allen County","Lima","Ohio","DISC","GOV","1,100","An administrative error caused the Social Security numbers and other personal information of Allen County employees to be available online for less than an hour.","Media","","2013","40.742551","-84.105226" "August 13, 2012","Apria","Phoenix","Arizona","PORT","MED","65,700","An employee's laptop was stolen from a locked vehicle in June.  It contained billing information about Apria patients in California, Arizona, New Mexico, and Nevada.  
Patient names, Social Security numbers, dates of birth, and other personal or health information may have been exposed.UPDATE (09/29/2012): The laptop was stolen on June 14 and was password-protected.  Current and past patients were affected.UPDATE (04/03/2013): Billing information for 65,700 patients was stored on the laptop.","PHIPrivacy.net","","2012","33.448377","-112.074037" "February 22, 2013","Crescent Health Inc., Walgreens","Anaheim","California","STAT","MED","100,000","Desktop computer hardware was stolen from the Anaheim Billing Center of Crescent Healthcare, Inc. on December 28, 2012.  The theft was discovered on Monday, December 31 and reported to law enforcement.  Names, Social Security numbers, health insurance identification numbers, health insurance information, dates of birth, diagnoses, other medical information, disability codes, addresses, and phone numbers may have been exposed.UPDATE (04/03/2013): Over 100,000 people were affected.","California Attorney General","","2013","33.835293","-117.914504" "April 3, 2013","United HomeCare Services, Inc., United Home Care Services of Southwest Florida, LLC","Fort Myers","Florida","PORT","MED","13,617","The January 8 theft of a billing manager's laptop resulted in the exposure of patient information.  It was stolen from the manager's car.  It contained client names, Social Security numbers, health plan numbers, dates of birth, and addresses dating as far back as 2002.  Some patients may have also had treatment service codes or diagnostic codes on the laptop.","HHS via PHIPrivacy.net","","2013","26.640628","-81.872308" "April 5, 2013","Scribd","San Francisco","California","HACK","BSO","100,000","A hack affected less than 1% of Scribd's 50 million users. ""A few hundred thousand"" users had their passwords stolen.  Users who were affected received instructions for resetting passwords.  
The passwords were encrypted and it is unlikely that hackers were able to decrypt and use the passwords before Scribd and Scribd users learned of the breach.","Media","","2013","37.774930","-122.419416" "February 22, 2013","LexisNexis, Sprechman & Associates","Miami","Florida","INSD","BSO","20,000","LexisNexis informed Sprechman & Associates that the unusual, excessive activity of an associate caused them to eliminate that associate's access to LexisNexis' database.  The associate was later found to have misused Social Security numbers in order to file over 11 million dollars in fraudulent tax refund claims. The dishonest associate was not immediately fired from Sprechman & Associates and was terminated in July 2012 when law enforcement used a warrant to search his home and office computers.  ","Databreaches.net","","2013","25.788969","-80.226439" "February 25, 2013","Sprouts","Phoenix","Arizona","CARD","BSR","0","A number of credit card terminals in 19 California and Arizona stores were affected by point-of-sale malware between January 25 and 29.  Credit card and debit card numbers were exposed.  Customer PINs associated with the payment cards were not affected. Sprouts identified the issue within a few days of the breach and updated customer information protection procedures in all of its stores.","Media","","2013","33.448377","-112.074037" "March 1, 2013","Samaritan Hospital, Rensselaer County Jail","Troy","New York","INSD","MED","0","A nursing supervisor of Rensselaer County Jail was found to have misused credentials to access patient records without cause.  The Rensselaer County Jail information is maintained by Samaritan Hospital.  The hospital learned of the breach in November 2011, disabled the employee's account, and notified the sheriff's office immediately.  Subsequently, the Hospital may have delayed notifying patients because of the ongoing investigation.  
Notifications were sent out during the first week of March in 2013.UPDATE (04/01/2013): A total of 48 people have been notified.  Patients from as far back as 2006 may have been affected.","PHIPrivacy.net","","2013","42.728412","-73.691785" "March 4, 2013","Family Intervention Services","Hiram","Georgia","PHYS","MED","0","A caller contacted a local news team member and an investigation of mishandled medical documents began.  The documents were in an unlocked dumpster and contained Social Security numbers, bank account information, addresses, dates of birth, and health information.  The documents were associated with Family Intervention Services and an unnamed orthopedic office.","PHIPrivacy.net","","2013","33.875660","-84.762159" "May 7, 2012","Demon Thesis","San Francisco","California","HACK","BSO","203","A hacker or hackers accessed and posted sensitive information online.  Usernames, email addresses, and MD5 passwords were exposed.","Dataloss DB","","2012","37.774930","-122.419416" "April 1, 2013","Granger Medical Clinic","West Valley City","Utah","PHYS","MED","2,600","A total of 2,600 medical appointment records disappeared before they could be shredded.  The records contained patient names, dates of appointments, times of appointments, and reason for appointment.  No medical claim information, financial information, or Social Security numbers were exposed.","Media","","2013","40.691613","-112.001050" "March 28, 2013","Tooele County","Tooele","Utah","PORT","GOV","200","A former employee received a CD with the names and Social Security numbers of around 200 current and former employees when he requested his personnel file.  The disc may have held the information of employees who signed up for a specific dental insurance plan in 1996 and workers who joined the Utah Public Employees Association in 1999.  When the HR department realized their mistake they requested that the former employee return the CD.  
He initially refused; he then gave the CD to the Tooele County Attorney's office.  ","Media","","2013","40.530778","-112.298280" "March 7, 2013","Uniontown Hospital","Uniontown","Pennsylvania","HACK","MED","0","A hacker or hackers accessed patient information and posted it online.  The breach was discovered by a data privacy expert. Uniontown indirectly notified the public of the breach and breach containment after the privacy expert attempted to reach Uniontown Hospital for several days.  Names, encrypted passwords, contact names, email addresses, and usernames may have been exposed.  It is unclear how long the information was available.","PHIPrivacy.net","","2013","39.900076","-79.716433" "April 16, 2013","Schneck Medical Center","Seymour","Indiana","DISC","MED","3,000","A Schneck Medical Center employee gave a presentation that was later placed online.  People who searched through the files from the presentation could find the names of 3,000 Schneck Medical Center patients.  The presentation was removed from online and Google removed all cached information from the Internet.","PHIPrivacy.net","","2013","38.959220","-85.890255" "September 27, 2012","Medical Solutions Management, Inc.","Hicksville","New York","PHYS","MED","1,000","The owner of Medical Solutions Management, Inc. was convicted of wrongful disclosure of private patient information and Medicare fraud. The owner stole private patient information from nursing homes in Long Island and used the information to submit fraudulent claims to Medicare over the course of four and a half years.  Over 1,000 people were affected. She faces a sentence of up to 10 years per count and could be fined up to $250,000 for each conviction count.UPDATE (04/11/2013): The dishonest owner was sentenced to 12 years in prison. A total of 1.3 million dollars was seized from the owner and she was ordered to forfeit it at her sentencing. 
She had submitted 10 million dollars in fraudulent Medicare billings.","PHIPrivacy.net","","2012","40.768433","-73.525125" "April 17, 2013","Erlanger Health System, Erlanger Hospital","Chattanooga","Tennessee","PHYS","MED","87","Erlanger Health System sent notes to 87 families and apologized for an incident that left the patient records of children exposed.  The records contained names, Social Security numbers, phone numbers, and diagnosis information.  Erlanger has not been made aware of the records being used in an unauthorized manner.","PHIPrivacy.net","","2013","35.045630","-85.309680" "March 22, 2013","United Shore Financial Services, LLC","Troy","Michigan","HACK","BSF","0","A computer intrusion resulted in the exposure of names, Social Security numbers, contact information, dates of birth, driver's license numbers, and financial account information. The breach occurred sometime around December 2, 2012. ","California Attorney General","","2013","42.606410","-83.149775" "March 21, 2013","Insurance Co. of the West (ICW)","Del Mar","California","PHYS","BSF","0","Confidential medical records were found under a freeway by a concerned citizen. A local news team investigation traced the documents back to the insurance claims processor ICW. ICW reported that the issue occurred on February 28 when a bin with files broke open on the way to a disposal site.  An unnamed document destruction company responsible for the documents was replaced. Names, dates of birth, Social Security numbers, and other sensitive and medical information were on the documents. ","Media","","2013","32.959489","-117.265315" "March 22, 2013","OCS America, Inc.","Long Island City","New York","HACK","BSF","0","A phishing attack affected an OCS America computer on March 4, 2013.  The computer contained names, Social Security numbers, addresses, telephone numbers, dates of birth, job titles, and salary information.  It appears that only one computer was affected. 
","California Attorney General","","2013","40.744679","-73.948542" "March 22, 2013","TLO, LLC","Boca Raton","Florida","HACK","BSO","0","On January 15, 2013 TLO discovered that there had been limited fraudulent access to their system.  A hacker or hackers were able to access names, Social Security numbers, and driver's license numbers between August 2012 and January 2013. ","California Attorney General","","2013","26.368306","-80.128932" "March 26, 2013","The Finish Line, Inc.","Indianapolis","Indiana","PORT","BSR","0","The January 11 theft of an employee's laptop resulted in the exposure of sensitive information.  The laptop was stolen from the employee's vehicle and contained names, Social Security numbers, and other information related to current and former Finish Line staff.","California Attorney General","","2013","39.768403","-86.158068" "March 27, 2013","Rollins, Inc.","Atlanta","Georgia","DISC","BSO","0","An administrative error caused a mailing distribution to contain the Social Security numbers of some people.  Rollins learned of the issue on March 12.  The Rollins TODAY quarterly issue mailed during the week of March 4 contained Social Security numbers within a number sequence on the mailing label.","California Attorney General","","2013","33.748995","-84.387982" "March 28, 2013","Citi","Irving","Texas","DISC","BSF","0","Current and former parties involved in a bankruptcy proceeding for a Citi loan may have had their information exposed.  Citi filed legal documents that should have been concealed but were accidentally made available online.  The information, which included personally identifiable and loan related information, could be exposed and read by any person who accessed court records.  
The issue was addressed and Citi is not aware of any instances where information was accessed.","California Attorney General","","2013","32.814018","-96.948895" "April 1, 2013","Tennis Express, American Express","Houston","Texas","HACK","BSR","0","A hacker or hackers accessed Tennis Express's computer network on or around December 19, 2012.  The breach was discovered in mid-February of 2013.  The issue was caused by a vulnerability in a third party vendor program.  Names, addresses, credit card numbers, verification values, and expiration dates may have been exposed.","California Attorney General","","2013","29.760427","-95.369803" "April 2, 2013","Ellison Systems, Inc., Shoplet.com","New York","New York","HACK","BSR","0","A hacker may have accessed credit card information, names, and addresses associated with Shoplet accounts.  The breach was discovered on January 11, 2013.  A new firewall was installed and Ellison Systems, Inc. moved their database server to a more secure zone.","California Attorney General","","2013","40.712784","-74.005941" "April 3, 2013","Computer Sciences Corporation","Raleigh","North Carolina","PORT","BSO","0","Information from the Medicare Exclusion Database was placed on a thumb drive.  The thumb drive was discovered to be missing from the CSC facilities in Raleigh, North Carolina in early March; it had most likely been lost in late February.  The thumb drive contained names, Social Security numbers, federal tax Employer Identification numbers, dates of birth, and other information.","California Attorney General","","2013","35.779590","-78.638179" "April 12, 2013","Chapman University","Orange","California","DISC","EDU","0","An administrative error caused the personal information of some students to be exposed online.  The issue was discovered on February 27.  Authenticated users of Chapman's on-campus network could have viewed names, Social Security numbers, student identification numbers, and dates of birth.  
The documents were blocked from access by unauthorized users once the breach was discovered.","California Attorney General","","2013","33.787914","-117.853101" "March 29, 2013","American Express","New York","New York","HACK","BSF","0","Hackers were able to access and disrupt American Express' website. American Express was offline for two hours.  ","Media","","2013","40.712784","-74.005941" "March 28, 2013","JPMorgan Chase","New York","New York","HACK","BSF","0","JPMorgan Chase's website was taken offline by a hacker or hackers. The website was made unavailable by a denial-of-service attack.  Chase.com was down for around a day.","Media","","2013","40.712784","-74.005941" "April 7, 2013","Works Bakery Cafe","Portland","Maine","HACK","BSR","0","Customers who used a debit or credit card at any Works Bakery Cafe location are advised to check their payment cards for fraudulent activity.  A breach occurred when malware was introduced to the Works Bakery Cafe computer system.  Locations in Durham, Manchester, Keene, Concord, Brattleboro Vermont, and Portland Maine were affected.","Media","","2013","43.661471","-70.255326" "April 7, 2013","Agincourt Wallboard","Westbrook","Maine","HACK","BSR","0","On January 19, Agincourt Wallboard notified employees of a breach of its payroll system.  Agincourt Wallboard became aware of the issue on January 17 when eight employees reported receiving a physical payroll check.  Someone had entered Agincourt Wallboard's payroll vendor and edited information without authorization so that the employees received a physical check rather than an electronic deposit.  The person who hacked into the payroll vendor also attempted to change the bank routing information for 10 of its employees.  Agincourt Wallboard is investigating how the hacker could have obtained the administrator's credentials and notified employees of the issue immediately.  
Agincourt Wallboard also learned that five of the computers on its network were infected with malware called a Trojan horse.","Media","","2013","43.677025","-70.371162" "April 9, 2013","VUDU","Santa Clara","California","PORT","BSO","0","A March 24, 2013 VUDU office theft resulted in the exposure of customer information.  Hard drives with customer names, addresses, email addresses, account activity, dates of birth, and encrypted passwords were stolen.  Customers who used their VUDU passwords for other sites should change the passwords on other sites as well.","Media","","2013","37.354108","-121.955236" "April 9, 2013","Kirkwood Community College","Cedar Rapids","Iowa","HACK","EDU","125,000","Hackers accessed Kirkwood Community College's website and applicant database system on March 13.  Anyone who applied to a Kirkwood Campus may have had their names, Social Security numbers, dates of birth, race, and contact information exposed.  People who applied to take Kirkwood college-credit classes between February 25, 2005 and March 13, 2013 were affected.","Media","","2013","41.977880","-91.665623" "April 9, 2013","Hospice Palliative Care of Alamance-Caswell, LifePath Home Health","Burlington","North Carolina","PORT","MED","5,300","The February 24 burglary of three laptops resulted in the exposure of patient information.  The laptops were stolen from the hospital in addition to needles, syringes, and miscellaneous items.  The unencrypted laptops contained emails that had sensitive patient information.","Media","","2013","36.095692","-79.437799" "April 9, 2013","Connextions, Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, Empire Blue Cross Blue Shield of Indiana","Orlando","Florida","INSD","MED","6,000","A Connextions employee used Social Security numbers from a number of other organizations for criminal activity.  At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity.  
The breach was reported on HHS as affecting 4,814 patients, but more were affected.","HHS via PHIPrivacy.net","","2013","28.538336","-81.379237" "April 12, 2013","Pentagon","Washington","District Of Columbia","UNKN","GOV","0","Lawyers working with Guantanamo Bay detainees had to pause their work after being told to stop using the Pentagon's computer system.  An unspecified issue left over 500,000 emails unsafe to access or deleted from a Pentagon common drive. The breach left defense files unsecured and it may have been possible for prosecutors to view confidential defense emails.","Media","","2013","38.907192","-77.036871" "April 15, 2013","Wawa","Burlington","New Jersey","CARD","BSF","0","Customers who shopped at a Wawa on Salem Road in Burlington, New Jersey noticed fraudulent purchases on their credit cards.  Investigators were able to trace the fraud to four people and arrest them. The four men were charged with credit card theft, credit card fraud, identity theft, and having electronic devices for criminal use.  More victims are expected to be found.","Media","","2013","40.071222","-74.864887" "March 30, 2012","Global Payments Inc.","Atlanta","Georgia","CARD","BSF","7,000,000","Global Payments discovered a massive breach of their systems in early March 2012.  Global Payments processes credit and debit cards for banks and merchants and a number of credit and debit cards issued to businesses were determined to be compromised.  The breach was discovered when Global Payments' security systems detected unusual activity.UPDATE (04/02/2012): Global Payments created a breach information website for consumers. Global Payments claimed that only a few of their North American servers were affected by the breach.  They also claimed that around 1.5 million users had Track 2 data (card expiration date and credit card number) exposed. 
Media reports that up to 10 million consumers had their names, addresses, and Social Security numbers exposed were denied by Global Payments.  Visa has removed Global Payments from their list of compliant service providers as a result of the breach.  UPDATE (04/05/2012): The breach occurred sometime between January 21 and February 25 of 2012 (REVISED TO JUNE OF 2011).  Fraudulent activity has already been detected on around 800 cards. UPDATE (05/01/2012): It appears that a hacker or hackers were first able to access Global Payments Inc. in June of 2011.  Global Payments revised their initial estimate and believe that card holders and banks were affected at least as far back as June 2011. This could mean that at least seven million card accounts are vulnerable, though Global Payments still believes that only 1.5 million were affected. UPDATE (07/26/2012): In addition to being dropped from Visa and Mastercard's lists of compliant companies, Global Payments spent nearly $85 million on security repairs and upgrades. UPDATE (07/30/2012): Global Payments informed Comerica Bank in June that their ongoing investigation revealed a potential unauthorized access to its servers that contain merchant application data. UPDATE (01/10/2013): Global Payments has incurred $94 million in fees associated with the breach.  A total of $60 million was paid for professional fees and other costs associated with investigating the breach and remediation for its effects.  The $60 million was also used to cover incentive payments to business partners and the cost of providing credit monitoring and identity protection insurance.  An additional $35.9 million went towards estimated fraud losses, fines, and charges imposed on Global Payments by card networks.  
Global Payments received $2 million from insurance recoveries. Global Payments also reported that it has now paid all fines related to non-compliance and has updated its systems and processes in order to be returned to the payment card network list of PCI-DSS compliant service providers. UPDATE (04/15/2013): An April 2012 class action lawsuit related to the breach was dismissed on March 6.  Global Payments also confirmed that the expenses associated with the breach totaled $92.7 million.  A total of $20 million in breach losses was recuperated through insurance recoveries.  In April 2013, Global Payments closed its investigation of the breach.","Databreaches.net","","2012","33.748995","-84.387982" "April 17, 2013","Arizona Counseling and Treatment Services (ACTS), Cenpatico Behavioral Health of Arizona","Yuma","Arizona","PORT","MED","3,000","The home theft of an employee's laptop and external drive resulted in the exposure of patient information.  The theft occurred sometime between March 18 and March 25; other items were stolen besides the laptop and hard drive.  Neither the laptop nor the hard drive was encrypted. Patients who visited either Cenpatico or its contractor ACTS between 2011 and 2013 may have had their names, dates of birth, and treatment plans exposed. UPDATE (04/17/2013): More than 3,000 patients were affected by the breach.","Media","","2013","32.692651","-114.627692" "April 23, 2013","Portal Healthcare Solutions, Glens Falls Hospital","Glens Falls","New York","DISC","MED","2,300","Two patients ran a Google search of their names and were able to find their medical information online.  Doctors' reports with medications, medical treatments, lab information, future and past treatment plans, physical examination information, and lifestyle information could be downloaded by anyone who found the information online.  The documents were from November 2012 through January 2013 and discovered online in mid-March.  
Portal Healthcare secured the sensitive information on its servers on March 14.  A lawsuit was filed against Glens Falls Hospital, Portal Healthcare Solutions LLC, and Carpathia Hosting in mid-April for patient privacy violations.","PHIPrivacy.net","","2013","43.309516","-73.644006" "April 23, 2013","Hostgator","Houston","Texas","INSD","BSO","0","An employee was found to have installed backdoors on more than 2,700 company servers.  The issue was discovered the day after the dishonest employee was dismissed.  He worked for Hostgator from September 2011 to February 15, 2012. The dishonest employee was arrested and charged with breach of computer security.","Media","","2013","29.760427","-95.369803" "March 15, 2013","Tribune Co.","Sacramento","California","INSD","BSO","0","A former employee revealed a password and username combination for Tribune Co. to hackers.  The hackers were part of anonymous and used the information to access Tribune Co.'s servers in 2010.  A number of online stories that had been published through Tribune Co. were defaced by hackers as a result.  The former employee of a TV station owned by Tribune Co. was indicted on charges of conspiracy to cause damage to a protected computer, transmission of malicious code, and attempted transmission of malicious code.UPDATE (04/23/2013): The former employee worked at Reuters as a deputy social media editor at the time of the cyber attack.  He was fired from Reuters in April of 2013.","Media","","2013","38.581572","-121.494400" "April 23, 2013","Kmart, Sears","Little Rock","Arkansas","PORT","BSR","788","An assistant manager was forced to open a Kmart safe and give a thief access to $6,000 in cash and an unencrypted backup disk with a day's worth of customer information.  The backup disk contained names, addresses, dates of birth, prescription numbers, prescription providers, insurance cardholder IDs and drug names.  
The armed robbery occurred on March 17.","Media","","2013","34.746481","-92.289595" "April 23, 2013","Macy's","Lafayette","Indiana","DISC","BSR","0","A man guessed or accessed the Social Security numbers of Macy's customers in order to exploit a Macy's policy for the purpose of making fraudulent purchases.  He then created ID cards that paired his picture with the customer information.  A Macy's policy allowed him to charge purchases to the accounts of other Macy's customers by using their Social Security numbers and showing his falsified IDs.  ","Media","","2013","40.416702","-86.875287" "April 28, 2013","Orthopedic Physician Associates, Proliance Surgeons","Seattle","Washington","PORT","MED","0","An employee's car was the target of an April 1 break-in.  A company laptop and 10 patient files were taken during the car theft.  The paper files were recovered, but the laptop also contained patient information.  Names, Social Security numbers, addresses, telephone numbers, health insurance information, names of providers, and the reasons for patients' appointments may have been included in emails stored on the laptop.","PHIPrivacy.net","","2013","47.606210","-122.332071" "April 26, 2013","Upstate University Hospital","Syracuse","New York","PORT","MED","283","A portable electronic device was stolen from Upstate University Hospital on March 30 or 31.  It contained the names, hospital medical record numbers, dates of birth, and diagnosis information of patients.","PHIPrivacy.net","","2013","43.048122","-76.147424" "April 23, 2013","OneWest Bank","Pasadena","California","HACK","BSF","0","A OneWest service provider suffered an unauthorized network intrusion during the first quarter of 2011.  
OneWest client names, Social Security numbers, addresses, dates of birth, phone numbers, driver's license numbers, and passport numbers may have been exposed.","California Attorney General","","2013","34.147785","-118.144516" "April 29, 2013","Hope Hospice","New Braunfels","Texas","DISC","MED","818","An employee used an unsecured email to send sensitive patient information.  Two separate administrative violations occurred on December 27, 2012 and on February 22, 2013. The issue was discovered on February 25.  The information was secured on February 28, 2013.  Patient names, referral sources, Hospice admission and discharge dates, the names of insurance providers, and chart numbers may have been exposed. ","PHIPrivacy.net","","2013","29.703002","-98.124453" "April 29, 2013","Gomez Gasoline and Automotive","Watsonville","California","CARD","BSR","50","More than 50 reports of credit card fraud have been traced to people who were customers at Gomez Gasoline and Automotive.  Police suspect that a credit-card skimming device was placed on one or more gas pumps.  The skimming devices have been spotted at other gas stations.","Media","","2013","36.910231","-121.756895" "May 2, 2013","Reputations.com","Redwood","California","HACK","BSO","0","Reputation.com experienced a hack that exposed customer names, email addresses, mailing addresses, date of birth, and employment information. Additionally, some customers had their encrypted passwords stolen.  Reputation.com immediately reset all customer passwords after learning about the breach.  Customers are encouraged to change their passwords on other sites if they reused their Reputation.com password.","Media","","2013","37.485215","-122.236355" "May 2, 2013","Spellman High Voltage Electronics Corporation","Valhalla","New York","INSD","BSR","0","A disgruntled employee announced his resignation and then was caught copying files from his computer to a flash drive.  
Employees at Spellman began experiencing transaction and intranet disruptions after the disgruntled employee left even though his access to company servers was disabled after discovery of his suspicious activities.  The events began to occur sometime around January of 2012.  An investigation of the events led to the arrest of the former employee and federal prosecutors claim that he caused enough mayhem to cost Spellman over $90,000 by using his knowledge of Spellman's computer system and stolen passwords.  The former employee pleaded not guilty.","Media","","2013","41.074819","-73.775133" "May 1, 2013","U.S. Department of Labor","Washington","District Of Columbia","HACK","GOV","0","The Department of Labor's website was found to have been infected with malware that spreads to visitors using the web browser Internet Explorer.  Microsoft had already released a patch to address the Internet Explorer vulnerability and the malware targets users who have not taken advantage of the patch.","Media","","2013","38.907192","-77.036871" "May 1, 2013","U.S. Army Corps of Engineers' National Inventory of Dams","Washington","District Of Columbia","HACK","GOV","0","Users of the National Inventory of Dams received notification that their information was reset after a hack may have compromised usernames and passwords.  Hackers obtained non-public information of around 8,100 major dams in the United States by breaching the database.  The information included dam vulnerabilities and could be used by cyber terrorists.  ","Media","","2013","38.907192","-77.036871" "May 3, 2013","University of Rochester Medical Center","Rochester","New York","PORT","MED","537","The loss of an unencrypted flash drive exposed sensitive patient information.  The flash drive contained name, date of birth, weight, gender, telephone number, URMC internal medical record number, orthopaedic physician name, date of service, diagnosis, diagnostic study, procedure, and complications.  
The flash drive is believed to have been destroyed after ending up in the medical center laundry. It was not found.","PHIPrivacy.net","","2013","43.161030","-77.610922" "April 25, 2013","Child and Family Services of New Hampshire","Manchester","New Hampshire","PHYS","MED","23","Someone took 23 files from a secure area in the Child and Family Services of New Hampshire main office sometime between March 15 and March 18.  The breach was discovered on March 19.  The files contained client names, dates of birth, addresses, Medicaid numbers, notes from home visits, and other health information related to home visits.","PHIPrivacy.net","","2013","42.995640","-71.454789" "May 7, 2013","Tomren Wealth Management","San Ramon","California","HACK","BSF","0","A server with client information was accessed by an unauthorized outside party between February 21 and March 6, 2013.  The attack was an attempt to use the server for spam emailing.  Client names, Social Security numbers, driver's license information, and FSC broker account numbers may have been accessed.","California Attorney General","","2013","37.779927","-121.978015" "May 3, 2013","Schoenbar Middle School","Ketchikan","Alaska","HACK","EDU","0","A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes.  At least 18 students were involved.  The breach happened when students used software to imitate a legitimate software update on their computers.  The students then asked teachers to enter administrative account information so that they could complete the software updates or installations.  The phony software then stored teacher credentials.  The students were then able to control 300 laptops belonging to other students by using the administrative credentials.  The school believes that servers and sensitive information were not exposed.  
The breach occurred around Friday, April 26 and was discovered on Monday, April 29 when students noticed that other students appeared to be controlling student laptops remotely and reported the issue.","California Attorney General","","2013","55.342222","-131.646111" "May 7, 2013","Raleigh Orthopaedic Clinic","Raleigh","North Carolina","PHYS","MED","17,300","Raleigh Orthopaedic Clinic contracted with a vendor in order to have information from X-ray films transferred into electronic format.  The X-ray film was actually sold by the unnamed vendor and melted and harvested for silver by a recycling company in Ohio. Patient names and dates of birth were on the film.  The Clinic does not believe that personally identifiable information was on the film.","Media","","2013","35.779590","-78.638179" "May 8, 2013","Name.com","Denver","Colorado","HACK","BSO","0","Hackers accessed Name.com servers and may have obtained usernames, email addresses, passwords, and credit card account information.  Customer passwords and credit card information were encrypted.  Customers were notified of the breach and received an email asking them to reset their passwords.","Media","","2013","39.739236","-104.990251" "May 8, 2013","Linode.com","Galloway","New Jersey","HACK","BSO","0","Hackers exploited an Adobe vulnerability and used it to access Linode Manager web servers.  One of Linode's web servers, parts of their source code, and their database were accessed.  No other components of the Linode infrastructure were accessed by the hackers.  Encrypted customer credit card numbers and passwords were obtained.  The group HTP claimed responsibility for the hack. ","Media","","2013","39.492824","-74.559688" "May 8, 2013","Department of Family and Support Services (DFSS)","Chicago","Illinois","STAT","GOV","0","Nearly $41,000 in computer equipment was reported stolen from the Department of Family Support Services on May 7.  
The Division on Domestic Violence and a satellite senior center share the building where the theft occurred.  The types of information that may have been on the device or devices were not reported.","PHIPrivacy.net","","2013","41.878114","-87.629798" "May 9, 2013","Administrative Office of the Courts - Washington","Olympia","Washington","HACK","GOV","1,000,000","A breach of the Administrative Office of the Courts' server resulted in the exposure of one million driver's license numbers between fall of 2012 and February of 2013.  It was confirmed that at least 94 people had their Social Security numbers accessed.  Up to 160,000 Social Security numbers could have been accessed. In April the court was able to confirm that public records and confidential information were exposed.  People who were booked in a city or county jail within the state of Washington between September 2011 and December 2012 may have had their name and Social Security number accessed.  Anyone who received a DUI citation in Washington state between 1989 and 2011, had a superior court criminal case in Washington state that was filed against them or resolved between 2011 and 2012, or had a traffic case in Washington filed or resolved in a district or municipal court between 2011 and 2012 may have had their names and driver's license numbers exposed.","Media","","2013","47.037874","-122.900695" "May 9, 2013","Lutheran Social Services of South Central Pennsylvania","York","Pennsylvania","HACK","MED","7,300","Lutheran Social Services became aware of a malware program that was on its software system.  Resident names, Social Security numbers, dates of birth, Medicare numbers, medical diagnosis codes, payer names, and health insurance numbers may have been exposed.  
The breach was discovered in March and Lutheran Social Services had not involved investigators or police as of May 9.","Media","","2013","39.962598","-76.727745" "May 10, 2013","Indiana University Health Arnett","Lafayette","Indiana","PORT","MED","10,300","The theft of an employee's unencrypted laptop resulted in the exposure of patient information.  The laptop was stolen from an employee's car on April 9 and contained email records.  Patient names, medical record numbers, dates of birth, physician names, diagnoses, and dates of service may have been exposed. ","Media","","2013","40.416702","-86.875287" "May 6, 2013","California Department of Public Health (CDPH)","Sacramento","California","PHYS","GOV","2,000","A reel containing images of 2,000 State of California Birth Records from May through September of 1974 was found in a publicly accessible location.  Names, Social Security numbers, addresses, and certain types of medical information were in the birth record images.  People in Santa Clara, Santa Cruz, Shasta, Siskiyou, Solano, Sonoma, Stanislaus, Sutter, or Tehama counties and who were born or had a child born in 1974 between May and September were affected.","PHIPrivacy.net","","2013","38.581572","-121.494400" "May 11, 2013","Regional Medical Center","Memphis","Tennessee","DISC","MED","1,200","Some patients who were treated at an outpatient facility between May 1 of 2012 and January 31 of 2013 had their information attached to emails that went out to an unspecified organization or organizations.  Three emails that were not secure were sent on October 29 and November 1 of 2012 and February 4, 2013.  
Patient names, Social Security numbers, account numbers, dates of birth, home phone numbers, and reasons for outpatient physical therapy services may have been exposed.","PHIPrivacy.net","","2013","35.149534","-90.048980" "April 1, 2013","Oregon Health and Science University","Portland","Oregon","PORT","MED","4,022","The theft of a surgeon's unencrypted laptop resulted in the exposure of patient information.UPDATE (07/6/2016): ""The Department of Health and Human Services hit the University of Mississippi Medical Center (UMMC) with a $2.75 million fine over a health data breach, its second major privacy action in a week.The HHS Office for Civil Rights (OCR) is penalizing UMMC for a series of alleged privacy and security violations of the Health Insurance Portability and Accountability Act, also known as HIPAA. The settlement relates to a password-protected laptop that went missing from the hospital’s intensive care unit in March 2013. After an investigation, the medical center determined the computer was likely stolen by a visitor who had asked to borrow it.""UPDATE (04/25/2013): The laptop was stolen from a surgeon's Hawaii rental home and was used for research purposes.  Any laptops used for patient care are required to be encrypted while laptops used for research are not required to be encrypted.  The laptop was used to access emails related to patient care such as patient names, medical record numbers, types of surgery and dates of surgery, times and locations of surgery, gender, age, and name of surgeon and anesthesiologist information. Nine patients had their Social Security numbers exposed.","Media","","2013","45.523062","-122.676482" "March 22, 2013","University of Mississippi Medical Center (UMMC)","Jackson","Mississippi","PORT","EDU","10,000","A laptop used by UMMC clinicians was discovered missing on January 22.  The password-protected laptop contained information from patients who entered the hospital between 2008 and 2013.  
Patient names, Social Security numbers, addresses, diagnoses, medications, treatments, dates of birth, and other personal information may have been exposed.UPDATE (7/26/2046): ""The Department of Health and Human Services hit the University of Mississippi Medical Center (UMMC) with a $2.75 million fine over a health data breach, its second major privacy action in a week.The HHS Office for Civil Rights (OCR) is penalizing UMMC for a series of alleged privacy and security violations of the Health Insurance Portability and Accountability Act, also known as HIPAA. The settlement relates to a password-protected laptop that went missing from the hospital’s intensive care unit in March 2013. After an investigation, the medical center determined the computer was likely stolen by a visitor who had asked to borrow it.""UPDATE (04/25/2013): The laptop may have been lost or stolen in November of 2012. ","Media","","2013","32.298757","-90.184810" "March 28, 2013","MedStar Good Samaritan Nursing Center, Mid America Health, Inc. (MAH)","Baltimore","Maryland","PHYS","MED","18","A paper file was stolen from the car of a dental assistant who was treating residents at the MedStar Good Samaritan Nursing Center.  The file contained names, dates of birth, medical and dental evaluation information, medical and dental providers' names and license numbers, and the Social Security numbers of three residents.","PHIPrivacy.net","","2013","39.290385","-76.612189" "March 28, 2013","Mid America Health","Greenwood","Indiana","PORT","MED","0","The theft of a laptop resulted in the exposure of patient information.  Names, Social Security numbers, dates of birth, residential facility names, and digital oral x-ray images may have been exposed.  Specific details of the case are being withheld until the breach investigation has concluded.  The location of the breach is listed as the corporate headquarters of MAH.  
Those with questions or concerns may contact the MAH Compliance Department at 1-855-224-0004.","PHIPrivacy.net","","2013","39.613658","-86.106653" "May 10, 2013","PHH Corporation","Suwanee","Georgia","INSD","MED","6,700","A former employee was indicted on charges related to misuse of applicant and employee personal information.  Employee names, Social Security numbers, dates of birth, telephone numbers, email addresses, addresses, I-9 alien registration numbers, and other personal information may have been exposed.  The issue was discovered on April 3.  ","California Attorney General","","2013","34.051490","-84.071300" "April 16, 2013","Iberdola USA, Central Maine Power","Augusta","Maine","HACK","BSO","5,100","A hack of Iberdrola USA's recruitment website may have exposed the information of anyone who applied for a job at Central Maine Power or any of its sister companies since January 2007.  Rochester Gas and Electric Corp and New York State Electric and Gas Corp. were also affected.","Media","","2013","44.310624","-69.779490" "May 15, 2013","OptiNose US Inc.","Yardley","Pennsylvania","PORT","MED","0","An unencrypted laptop was stolen from an employee's car.  It may have contained names, Social Security numbers, and personal information related to people who worked at OptiNose.","Media","","2013","40.245664","-74.845997" "April 24, 2013","City of Berkeley","Berkeley","California","DISC","GOV","11,000","A media group who regularly collects public employee salary and benefit information released Social Security numbers after they were mistakenly included in a file that the City of Berkeley provided.  The information was sent by Berkeley in March and the mistake was discovered in early April.  Around 2,000 active staff members and 9,000 retirees were affected.  mistakenly released the Social Security numbers of the employees as well.  
","Media","","2013","37.871593","-122.272747" "May 16, 2013","DENT Neurologic Institute of Amherst","Amherst","New York","DISC","MED","10,200","An administrative error led to the personal information of 10,200 patients being emailed to 200 patients.  Names, addresses, date of last appointment, visit type, primary care physician, referring physician, email addresses, and whether or not the patient was actively receiving treatment were in an Excel attachment of an email that was sent to unspecified parties. The recipients were called and instructed to delete the email.","Media","","2013","42.979007","-78.792272" "May 10, 2013","Coinbase","San Francisco","California","DISC","BSR","0","A flaw in Coinbase's systems caused the information of some merchants to be exposed.  Any merchant who created a ""buy now"" button, donate button, or hosted a payment page using Coinbase's Merchant Tools and posted a public link to it online had the page publicly visible on the internet.  The page contained the company name, website, phone number, email address, and mailing address.  Additionally, anyone could search for public Coinbase merchant payment pages and collect the email addresses of merchants. At least one phishing attack targeted merchants with an email that appeared to come from Coinbase.","Media","","2013","37.774930","-122.419416" "May 15, 2013","El Centro Regional Medical Center","El Centro","California","PHYS","MED","189,489","El Centro Regional Medical Center is claiming that they were defrauded by an unnamed company.  The company was responsible for digitizing El Centro Regional's x-rays, but never returned the digitized version.  The process should have been completed by the end of July.  The original x-rays were most likely taken and destroyed to extract silver. UPDATE (05/18/2013): The information on the records was as recent as February 2011.  El Centro Regional Medical Center learned of the issue on March 22, 2013.  
Patients were notified on May 13.","PHIPrivacy.net","","2012","32.792000","-115.563051" "April 26, 2013","Life Flight (IHC Health Services Inc.)","Aurora","Oregon","DISC","MED","842","An administrative error caused the information of patients flown by Life Flight helicopters to be available online.  Patients flown during April, May, and June of 2004 may have had unspecified information exposed.  It was confirmed that 107 patients had their Social Security numbers exposed.  It is unclear how long the information was available and if patients flown during additional months may have been affected.  The information was moved to a secure server to address the breach.UPDATE (05/17/2013): The sensitive information was available online as early as October 12, 2009.","PHIPrivacy.net","","2013","45.230954","-122.755927" "May 17, 2013","Delta Dental of Pennsylvania, ZDI","Mechanicsburg","Pennsylvania","PHYS","MED","14,829","The March 20 loss of paper records may have exposed the information of patients. ZDI lost the records of their associate Delta Dental of Pennsylvania.","HHS via PHIPrivacy.net","","2013","40.214257","-77.008588" "May 17, 2013","Public Health - Seattle and King County","Seattle","Washington","PHYS","MED","750","A custodian improperly disposed of client medical information on March 7.  The records were from the Refugee Screening, WIC, and Needle Exchange programs.  
Patient names, dates of birth, phone numbers, addresses, medical record numbers, appointment dates, and medical condition or treatment may have been accessed.","HHS via PHIPrivacy.net","","2013","47.606210","-122.332071" "May 17, 2013","Valley Mental Health","Murray","Utah","STAT","MED","700","The February 27 theft of a computer resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","40.666892","-111.887991" "May 17, 2013","Wood County Hospital","Bowling Green","Ohio","PHYS","MED","2,500","The March theft of radiology films resulted in the exposure of patient information.  The films were most likely stolen from the Hospital's storage room in order to be stripped of their silver.  The films contained patient names, medical record numbers, dates of exams, and in some cases, dates of birth.  The thieves posed as recycling subcontractors.  ","HHS via PHIPrivacy.net","","2013","41.374774","-83.651323" "May 17, 2013","The Guidance Center of Westchester, Inc.","New Rochelle","New York","STAT","MED","1,416","On February 22, 2013, the Guidance Center of Westchester discovered that a central processing unit (CPU) had been removed from a staff member's office.  
The CPU was removed on February 21 and contained names, Social Security numbers, dates of birth, dates of admittance to the Center, names of insurance carriers, home addresses, diagnoses, outpatient treatment authorization request, doctors' names, case numbers, and whether or not a patient was prescribed medication.","HHS via PHIPrivacy.net","","2013","40.911488","-73.782355" "May 17, 2013","Stronghold Counseling Services, Inc.","Sioux Falls","South Dakota","STAT","MED","8,500","The December 24, 2012 theft of a computer resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","43.544596","-96.731103" "May 17, 2013","Community Health Network, Community Health Medcheck","Speedway","Indiana","INSD","MED","180","A dishonest employee of Community Health Medcheck accessed the medical records of up to 180 people between mid-March and mid-April.  Social Security numbers, dates of birth, credit card numbers, and other information may have been exposed.","PHIPrivacy.net","","2013","39.792738","-86.250822" "May 16, 2013","Weather Shield","Medford","Wisconsin","UNKN","BSO","0","A total of 55 current and former Weather Shield employees across the country discovered that someone had stolen their identities and filed fraudulent tax refunds.  Several employees who were victims of identity theft in 2012 discovered that they had been affected again when filing their taxes in April of 2013. It is unclear how the 2012 or 2013 breaches occurred.","Media","","2013","45.138580","-90.340140" "May 18, 2013","Goldman Sachs, Bloomberg LP","New York","New York","DISC","BSO","0","Bloomberg News reporters were able to monitor clients' usage of data terminals leased from Bloomberg LP.  Goldman Sachs is one of the companies that has complained publicly while JP Morgan Chase, the Federal Reserve, and the United States Treasury Department have started investigations. It is unclear how many other organizations may have been affected.  
Reporters may have routinely retrieved login and contact information from data-services clients over the past 20 years.  Some reporters had access to information on when and how often clients logged into their terminals, their most frequently used functions and contact information.","Media","","2013","40.712784","-74.005941" "May 21, 2013","Lifeline (Federal Communications Commission), TerraCom Inc., YourTel America Inc.","Washington","District Of Columbia","DISC","GOV","127,000","Around 44,000 application forms and 127,000 supporting documents for Lifeline were posted online.  Lifeline is a federal program that provides discount internet and phone service for low-income Americans.  Information such as name, Social Security number, scans of food-stamp cards, driver's licenses, tax records, pay stubs, and parole letters was available online. the information had been available since at least March and was removed April 26.UPDATE (05/23/2013): The story was originally released by Scripps Howard News Service when a reporter found completed Lifeline applications by searching Google for TerraCom-related information.  Terracom and Yourtel are threatening to hold Scripps accountable for costs associated with the breach.  These alleged costs include potentially complying with more than 20 state data breach notification laws.","Media","","2013","38.907192","-77.036871" "May 23, 2013","Institutional Shareholder Services","Boston","Massachusetts","INSD","BSO","100","An employee of Institutional Shareholder Services (ISS) shared nonpublic voting data in exchange for $15,000 in concert tickets and $20,000 in meals.  From 2007 through early 2012 an ISS employee provided nonpublic information on how over 100 ISS clients were voting on proxy ballots to a firm that gathers shareholder votes.  ISS will pay The Securities and Exchange Commission $300,000 to settle civil charges and penalties.  
ISS neither admitted nor denied Securities and Exchange Commission allegations that it violated financial adviser rules designed to prevent misuse of non-public consumer information.","Media","","2013","42.360083","-71.058880" "May 22, 2013","Department of Homeland Security (Customs and Border Protection, Immigration and Customs Enforcement)","Washington","District Of Columbia","HACK","GOV","10,000","Department of Homeland Security employees working in the headquarters office for Immigration and Customs Enforcement and Customs and Border Protection between 2009 and 2013 may have had their names, Social Security numbers, and dates of birth exposed.  Tens of thousands of employees were affected. Though one or more unauthorized users had access to the information, there is no evidence that any employee data was stolen or lost. Law enforcement officials discovered a vulnerability in an unnamed vendor's system that is used for processing background investigations.","Media","","2013","38.907192","-77.036871" "May 29, 2013","University of Florida","Gainesville","Florida","INSD","MED","5,682","A dishonest employee working at University of Florida Health Pediatrics at Tower Square is suspected of participating in an identity theft ring.  The former employee had access to pediatric patient records that included names, Social Security numbers, addresses, and dates of birth. The University of Florida learned about the issue on April 11.","Media","","2013","29.651634","-82.324826" "August 2, 2011","Pocatello Family Medicine, Idaho State University","Pocatello","Idaho","DISC","MED","0","The firewall protecting computerized records was accidentally left inactive for nine months.  It was disabled during maintenance in August of 2010, but was never restored.  The problem was discovered when IT staff assisted an employee on May 18, 2011.  It appears that an electronic medical record for the clinic that was stored on the server was never accessed during that time.  
Other information on the server included scanned images of drivers licenses and insurance cards.  There is also no evidence that these records were accessed, downloaded or printed. It does appear that someone downloaded movies and a television program onto the site in order to use the storage space and illegally sell access to the material.  UPDATE (05/22/2013): The information of 17,500 patients was exposed.  The Department of Health and Human Services released a resolution agreement on May 21 for HIPAA violations related to the breach.  The release can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.pdfUPDATE (05/30/2013): The University of Idaho agreed to pay $400,000 and upgrade security procedures in the settlement agreement.","PHIPrivacy.net","","2011","42.871303","-112.445534" "May 31, 2013","Bon Secours Hampton Roads Health System, Bon Secours Mary Immaculate Hospital","Newport News","Virginia","INSD","MED","5,000","An April 2013 audit revealed that a patient's medical record had been accessed in a way that was inconsistent with hospital policy.  A further investigation revealed that two team members of the patient care team had accessed the records of multiple patients in ways that were inconsistent with their job function.  The employees were fired.   Patient names, dates and times of service, provider and facility names, Social Security numbers, internal hospital medical records and account numbers, dates of birth, diagnosis, medications, vital signs, and other treatment information may have been accessed.","PHIPrivacy.net","","2013","37.087082","-76.473012" "June 3, 2013","Health Information Trust Alliance","Frisko","Texas","HACK","MED","111","A hacking incident resulted in the exposure of 111 records.  Names, phone numbers, addresses, email addresses, and company names were exposed.","Media","","2013","33.150674","-96.823612" "June 3, 2013","Office of Dr. Lee D. 
Pollan, DMD, PC.","Rochester","New York","PORT","MED","13,806","The theft of the doctor's laptop may have exposed patient information.  The theft occurred sometime between November 6, 2012 and November 15, 2012.  Information related to patient names, dates of birth, addresses, Social Security numbers, diagnose and surgery billing codes, dates of service, and person responsible for the billing was on the laptop.  ","PHIPrivacy.net","","2013","43.161030","-77.610922" "May 30, 2013","California Department of Developmental Services","Sacramento","California","PHYS","MED","0","Stacks of patient and billing records were left in an unsecured and abandoned office in March of 2012. Credit card and Social Security numbers may have been exposed.","Media","","2013","38.581572","-121.494400" "April 20, 2012","Desert AIDS Project (D.A.P.)","Palm Springs","California","PORT","NGO","4,400","An April 12, 2012 office burglary resulted in the theft of a laptop with sensitive information. The computer assigned to the receptionist was stolen and contained a spreadsheet with client name, client status (active, discharged, etc.), internal client identification number, date of birth, and assigned staff person.  However the document was not labeled as a D.A.P. document. If someone saw the spreadsheet by itself they would not know it was linked to D.A.P.UPDATE (05/30/2013): Approximately 4,400 patients were affected.","California Attorney General","","2012","33.830296","-116.545292" "May 12, 2012","Hewlett, Packard, California Department of Social Services","Riverside","California","PORT","GOV","701,000","Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California.  A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. 
Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.UPDATE (05/30/2013): A total of 748,902 elderly home care recipients and their caretakers were affected.","Databreaches.net","","2012","33.953349","-117.396156" "May 30, 2013","California Department of Developmental Services","Santa Monica","California","PORT","MED","18,100","An employee at North Los Angeles County Regional Center left a work laptop, a personal laptop, and an iPhone in their car overnight. The items were stolen during the night.  The employee worked for a program that served disabled infants and toddlers.  Names, Social Security numbers, and other personal information were on the unencrypted work laptop.  The theft occurred in November and patients were notified in January of 2013. ","Media","","2013","34.019454","-118.491191" "May 21, 2013","DENT Neurological Institute","Buffalo","New York","DISC","MED","10,000","DENT Neurological Institute accidentally emailed the private information of more than 10,000 patients.  No sensitive medical files or Social Security numbers were involved.","Media","","2013","42.886447","-78.878369" "May 21, 2013","Erie County Department of Social Services","Buffalo","New York","PHYS","MED","0","An audit revealed that several employees had not been following correct protocol for patient record disposal.  Employees had inadvertently exposed Social Security numbers, copies of birth certificates, personal medical records, tax returns, bank account information, inmate records, payroll information, court records, and passports.  
Employees should have been using locked disposal totes for shredding and were discarding documents in recycling totes instead.","Media","","2013","42.886447","-78.878369" "June 5, 2013","University of Massachusetts - Amherst","Amherst","Massachusetts","HACK","EDU","1,700","The information of almost 1,700 clients of the Center for Language, Speech, and Hearing may have been exposed.  A computer workstation was found to be infected by a malicious software program.  Client Social Security numbers, addresses, names of health insurers, and primary health care or referring doctors may have been accessible because the computer was compromised.UPDATE (11/22/2016): ""The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.""More information: http://www.hhs.gov/about/news/2016/11/22/umass-settles-potential-hipaa-v...","Media","","2013","42.373222","-72.519854" "June 5, 2013","Massachusetts Mutual Life Insurance Company, MassMutual Financial Group","Springfield","Massachusetts","DISC","BSF","0","The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8.  Names, Social Security numbers, investment elections, and account balances were included in the email.  A third party provider received the email and confirmed that the information was deleted without being saved or copied. The employee who accidentally sent the sensitive email received training on proper security procedures.","California Attorney General","","2013","42.101483","-72.589811" "May 31, 2013","RentPath, Inc. 
(Primedia)","Norcross","Georgia","INSD","BSO","56,000","An independent contractor with access to Primedia's network operations group was found to have stolen hardware.  The issue was discovered on June 20, 2012.  Applicants, employees, and former employees may have had several different types of personal information stolen. Approximately 56,000 Social Security numbers were discovered among the various types of information.  Approximately 30,000 former employees, employees, and applicants were identified and notified of the breach.  The other 26,000 have yet to be identified.","California Attorney General","","2013","33.941213","-84.213531" "May 30, 2013","Drupal.org","","","HACK","BSO","0","A hacker or hackers exploited a vulnerability in third-party software and used it to access accounts on drupal.org. The hackers were able to upload files to association.drupal.org and compromised Drupal's server. Accounts on groups.drupal.org may have also been exposed. Usernames, email addresses, hashed passwords, and country information may have been exposed.","Media","","2013","37.090240","-95.712891" "May 30, 2013","Anasazi Hotel, LLC","Sante Fe","New Mexico","HACK","BSO","0","Anasazi Hotel learned that it was a common link in a number of fraudulent credit card activities.  An investigation revealed that Anasazi's network had been accessed and customer credit card information had been accessed.  Malware that could transmit customer names and credit card information was on Anasazi's system.  Anyone who used a credit card at Anasazi between June 18, 2012 and March 21, 2013 may have been affected.","California Attorney General","","2013","35.686975","-105.937799" "May 29, 2013","TJG, Inc., Target Marketing","Ashland","Virginia","HACK","BSO","0","The Target Marketing website was accessed by unauthorized parties on May 14.  
People who used debit or credit cards on the online e-commerce platform may have had their names, email addresses, payment card numbers, expiration dates, and CVV codes accessed.UPDATE (05/29/2013): Shumsky in Dayton, Ohio was also affected. Shumsky customers may have had their names, addresses, email addresses, credit/debit card numbers, payment card expiration dates, and CVV codes accessed.","California Attorney General","","2013","37.759032","-77.479984" "May 28, 2013","Beachbody","Santa Monica","California","HACK","BSR","0","Hackers accessed Beachbody's Powder Blue website. Beachbody learned of the incident on April 17 and found that customer credit card numbers, email addresses, mailing addresses, telephone numbers, full names, and CVV numbers may have been accessed.","California Attorney General","","2013","34.019454","-118.491191" "February 27, 2013","Information Handling Services, Inc. (IHS)","Englewood","Colorado","HACK","BSO","0","Hackers breached the servers of IHS and may have been able to access credit card, customer, and nuclear information.  IHS does not believe that confidential information was compromised.  However, the hacker group claimed to have obtained the records of 8,500 customers. The hacker group is known to attack sites in order to further their goal of revealing sensitive nuclear data to pressure the Israeli government and others into disclosing their nuclear activities.UPDATE (05/13/2013): The unauthorized parties acquired the relevant data from the IHS Jane's environment on or about November 22, 2012.","Media","","2013","39.647765","-104.987760" "May 13, 2013","80sTees.com","Mount Pleasant","Pennsylvania","HACK","BSR","0","Unauthorized activity was detected on the 80sTees.com website.  
Customers may have had their credit or debit card information exposed.","California Attorney General","","2013","40.148961","-79.541150" "May 10, 2013","Equity Trust Company","Elyria","Ohio","HACK","BSF","0","An unauthorized third party accessed Equity Trust Company's computer network.  The breach was discovered at the end of January 2013 and notification letters were sent on April 15.  Equity Trust customers may have had their names, Social Security numbers, addresses, and other information viewed by online intruders.","California Attorney General","","2013","41.368380","-82.107649" "April 11, 2013","Chapman University","Orange","California","DISC","EDU","0","Sensitive documents could have been viewed electronically by authenticated users of the on-campus network.  The issue was discovered on February 27. Names, Social Security numbers, student identification numbers, and dates of birth may have been viewed by people who could log into Chapman's system, but shouldn't have been able to access the information.","California Attorney General","","2013","33.787914","-117.853101" "June 6, 2013","Town of Brookhaven","Brookhaven","New York","DISC","GOV","78","A law enforcement employee made a clerical error that caused the Social Security numbers of 78 ambulance workers and beneficiaries to be available on the town website for five days.  The information was accidentally attached to a resolution.  A very similar error had occurred before and this one was caused by a failure to click on the ""no public access"" check box in the computer system to privatize the information.","Media","","2013","40.885835","-72.993297" "June 12, 2013","Sentara Virginia Beach General Hospital","Virginia Beach","Virginia","PHYS","MED","0","Two men claimed to be from a recycling company and stole over 200 pounds of x-ray film that contained sensitive patient information.  The men transported the x-rays from the hospital without incident by using a moving truck. 
The breach occurred in 2012 and affected less than 500 patients.","Databreaches.net","","2013","36.852926","-75.977985" "June 12, 2013","Wyndham Vacation Ownership","Orlando","Florida","INSD","BSR","0","The Orlando Police Department notified Wyndham Vacation Ownership that a Wyndham employee had been arrested for participating in fraudulent credit card purchases.  The dishonest employee was fired the next day and may have obtained customer credit card numbers.  Wyndham learned of the issue on January 18.","Media","","2013","28.538336","-81.379237" "June 12, 2013","Lucile Packard Children's Hospital","Palo Alto","California","PORT","MED","12,900","Between May 2 and May 8, a non-functional laptop computer was stolen from a secured area of the hospital.  The laptop was password protected and contained names, ages, medical record numbers, telephone numbers, scheduled surgical procedures, and names of physicians involved in procedures between 2009 and 2012.  ","PHIPrivacy.net","","2013","37.441883","-122.143020" "June 14, 2013","Fayetteville Veterans Affairs Medical Center","Fayetteville","North Carolina","PHYS","MED","1,093","Optical shop consultation reports were placed in a publicly accessible recycling bin over a period of three months rather than properly disposed.  The documents contained names, Social Security numbers, addresses, dates of birth, and prescriptions.  The issue was discovered on April 17 and most likely started in January of 2013.","PHIPrivacy.net","","2013","35.052664","-78.878359" "September 9, 2010","Lucile Packard Children's Hospital at Stanford University","Palo Alto","California","STAT","MED","532","A former employee took a hospital desktop computer with patient records home around January 11 of 2010. In February it was determined that the computer could not be recovered and patients were notified of the incident.  The hospital was fined $250,000 by the California Department of Public Health for the delay in reporting the incident. 
As of September 9, 2010, the hospital was in the process of appealing the fine. UPDATE (9/10/10): The desktop did contain patient Social Security numbers, medical record numbers, names, insurance information, diagnoses and treatment information.","PHIPrivacy.net","","2010","37.441883","-122.143020" "June 6, 2012","LinkedIn.com","Mountain View","California","HACK","BSO","167,000,000","A file containing 6,458,020 encrypted passwords was posted online by a group of hackers. It is unclear what other types of information were taken from LinkedIn users.  LinkedIn recommends that users change their passwords. UPDATE (08/30/2012): Four potential class actions against LinkedIn Corp. were consolidated.  The consolidated suits allege that LinkedIn violated its user agreement and privacy policy by failing to properly safeguard digitally stored user data. LinkedIn is also accused of not publicizing the attack in a timely manner. UPDATE (03/06/2013): A lawsuit that was filed in a federal court in San Jose, California in 2012 was dismissed.  The lawsuit was based on negligence claims, California consumer protection statutes, and breach of contract. The judge dismissed the lawsuit because the plaintiffs failed to demonstrate that any alleged misrepresentation by LinkedIn was connected to the harm the plaintiffs suffered. UPDATE (06/17/2013): A second class-action lawsuit against LinkedIn is in the making.  LinkedIn is accused of failing to use basic encryption techniques to secure personally identifiable information.  LinkedIn is trying to stop the second lawsuit from proceeding in federal court because the lead plaintiff has been able to show that she suffered an injury. UPDATE (05/23/2016): Cory Scott, LinkedIn's Chief Information Security Officer, posted that the company was notified of additional emails and passwords compromised of more than 100 million members. 
More Information: http://fortune.com/2016/05/18/linkedin-data-breach-email-password/","Media","","2012","37.386052","-122.083851" "June 14, 2013","Florida Department of Health","Florida","","DISC","MED","3,300","Information on personal drug prescriptions from the Florida Department of Health somehow ended up in the hands of prosecution lawyers.  Names, addresses, phone numbers, pharmacies, and drug dosages were obtained by lawyers involved in six prescription-drug fraud cases. The American Civil Liberties Union of Florida began an investigation into how the records were exposed.","Media","","2013","30.438256","-84.280733" "February 3, 2012","Salt Like City Police Department","Salt Lake City","Utah","HACK","GOV","1,073","Hackers obtained police officer and non-police related civilian information from the Salt Lake City Police Department.  The attack was in response to a proposed Utah bill that would have criminalized the possession of graffiti tools with the intent to deface property.  The hackers did release the names, phone numbers, usernames, titles, email addresses, and hashed passwords of over 1,000 police officers.  The information of civilians was never released and the hackers eventually deleted their copies.  The never released data was from people who had provided crime tips or other information to the Salt Lake City Police Department.UPDATE (06/12/2013): A member of Anonymous was charged in 2012 for using SQL injections on multiple law enforcement and public agency websites.  He agreed to a plea bargain in April and will serve 36 months in prison for violating a section of federal law addressing computer fraud.  He will also pay nearly $230,000 in restitution to a number of agencies that were hacked.","Databreaches.net","","2012","40.760779","-111.891047" "May 13, 2013","Adobe, Washington Administrative Office of the Courts","Olympia","Washington","HACK","BSO","160,000","Up to 160,000 people may have had their information exposed by a breach.  
Anyone who was booked into a city or county jail in the state of Washington between September of 2011 and December of 2012 may have had their Social Security number exposed. Additionally, three classes of people may have had their names and driver's license information exposed.  First, people who received a DUI citation between 1989 and 2011 in the state of Washington may have had their names and driver's license numbers exposed. Anyone who had a traffic case filed or resolved in a district or municipal court between 2011 and 2012 may have been affected. Finally, anyone who had a criminal case in Washington filed against them or resolved between 2011 and 2012 may have had their name and driver's license number exposed. ","Media","","2013","47.037874","-122.900695" "June 19, 2013","Ephrata Community Hospital","Ephrata","Pennsylvania","INSD","MED","0","An employee inappropriately accessed patient information.  The incident or incidents were discovered on April 16. Patient clinical and other medical information may have been exposed. No Social Security numbers were exposed.","Media","","2013","40.179817","-76.178839" "June 17, 2013","Yolo Federal Credit Union","Woodland","California","UNKN","BSF","0","Yolo was notified by Visa that there may have been a breach at several merchant locations.  Yolo was not the site of the breach, but customers were issued new payment cards.  The issue was reported to Yolo on May 31.  ","Media","","2013","38.678516","-121.773297" "May 22, 2013","Vendini, Inc.","San Francisco","California","HACK","BSO","22,900","Anyone who used Vendini for ticket purchases may have had their financial information exposed during a March breach.  A hacker accessed Vendini's server and may have obtained customer names, addresses, email addresses, credit card numbers, and credit card expiration dates.  A total of 22,900 customers from Augusta, Maine may have been affected.  
It is unclear if people from other states were also affected.UPDATE (06/12/2013): The unauthorized intrusion was first detected on April 25.  ","Media","","2013","37.774930","-122.419416" "June 12, 2013","comScore","Reston","Virginia","DISC","BSR","0","Two comScore panelists filed a lawsuit in August of 2011 after downloading comScore software.  Allegedly, comScore collected and sold consumers' Social Security numbers, credit card numbers, financial information, retail transactions, and other personal information.  The action may have violated the Stored Communications Act, the Computer Fraud and Abuse Act, the Electronics Communications Privacy Act, and the Illinois Consumer Fraud and Deceptive Practices act. The lawsuit might cover tens of millions of people who have downloaded comScore software since 2005.  In June of 2013, the Seventh Circuit Court of Appeals in Chicago denied comScore's request to overturn a lower court's decision that had allowed the suit to proceed as a class action suit.","Media","","2013","38.958631","-77.357003" "June 12, 2013","comScore","Reston","","DISC","BSR","0","Two comScore panelists filed a lawsuit in August of 2011 after downloading comScore software.  Allegedly, comScore collected and sold consumers' Social Security numbers, credit card numbers, financial information, retail transactions, and other personal information.  The action may have violated the Stored Communications Act, the Computer Fraud and Abuse Act, the Electronics Communications Privacy Act, and the Illinois Consumer Fraud and Deceptive Practices act. The lawsuit might cover tens of millions of people who have downloaded comScore software since 2005.  In June of 2013, the Seventh Circuit Court of Appeals in Chicago denied comScore's request to overturn a lower court's decision that had allowed the suit to proceed as a class action suit.","Media","","2013","38.958631","-77.357003" "August 26, 2011","Fidelity National Information Services, Inc. 
(FIS)","Jacksonville","Florida","HACK","BSF","22","After breaking into FIS's network and gaining access to FIS's database, a group of criminals obtained 22 legitimate ATM cards.  Copies of the cards were made and shipped to Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom.  The criminals altered the cards so that they could be used to withdraw an unlimited amount of cash.  A total of $13 million was taken from accounts between the evening of Saturday March 5 and Sunday evening.UPDATE (06/04/2013): An additional 7,170 pre-paid accounts may have been at risk.  It appears that approximately 100 client financial institutions also had sensitive data exposed during the breach.","Media","","2011","30.332184","-81.655651" "June 21, 2013","Facebook","Menlo Park","California","DISC","BSO","6,000,000","Facebook discovered a bug that may have allowed unauthorized users to view the personal contact information of Facebook users.  The people who could have used the information would have had some kind of connection to them or some kind of contact information, but users may have thought their email and phone numbers were hidden from these connections.  People who used the Download Your Information (DYI) tool may have been able to access the contact information.  The issue was discovered by an external group of security researchers involved with the White Hat program. The breach began sometime in 2012.","Media","","2013","37.452960","-122.181725" "June 3, 2013","Champlain College","Burlington","Vermont","PORT","EDU","14,217","During the weekend of June 3, a hard drive was discovered to have been misplaced.  The device had been left unattended in a computer lab for about two days in March.  The hard drive contained names, Social Security numbers, and other information related to admissions and financial aid for the Fall 2010 through the February 2013 school terms.  
Some graduate and continuing professional studies students may have also been affected.","Media","","2013","44.475883","-73.212072" "June 27, 2013","Millimaki Eggert, LLP","San Diego","California","PORT","BSF","0","The April 27 office burglary of two password-protected laptops resulted in the exposure of sensitive client information.  Names, Social Security numbers, and addresses may have been involved.  ","California Attorney General","","2013","32.715738","-117.161084" "June 27, 2013","Citi Prepaid Services","New York","New York","DISC","BSF","0","A code change in the prepaid cardholder website impacted the security features that authenticate cardholder logins.  Anyone who logged into the prepaid cardholder website between June 2 and June 13 was affected.  The issue was remediated and it does not appear that unauthorized charges have occurred on any of the affected accounts.","California Attorney General","","2013","40.712784","-74.005941" "May 1, 2013","Lakeshore Mental Health Institute, Middle Tennessee Mental Health Institute","Knoxville","Tennessee","PHYS","MED","0","Patient records were found on the floor at an abandoned hospital building named Waterside.  The woman who discovered them was a former Lakeshore employee and she alerted a local news station.  Names, Social Security information, case numbers, dates of birth, and other patient information were exposed.UPDATE (06/27/2013): At least 20 boxes of patient records were found in an abandoned building at the Clover Bottom Campus of the Middle Tennessee Mental Health Institute.  The records dated back to the 1980's and had been reviewed to confirm which had sensitive information that needed to be destroyed.","PHIPrivacy.net","","2013","35.960638","-83.920739" "June 25, 2013","Baptist Health South Florida, West Kendall Baptist Hospital","Miami","Florida","INSD","MED","0","An employee of West Kendall Baptist Hospital sold patient information to a man who used the information to file fraudulent tax returns.  
Patients may have had their names, Social Security numbers, and dates of birth exposed.  The man who purchased and used the information was sentenced to 31 months in federal prison after pleading guilty to possessing 15 or more Social Security numbers.","PHIPrivacy.net","","2013","25.761680","-80.191790" "June 21, 2013","North Lincoln Community Health Center Clinic","Lincoln City","Oregon","PHYS","MED","1,000","An April 17 burglary resulted in the possible exposure of patient information.  Someone entered locked rooms and cabinets in order to take money.  No records or electronic devices were taken; however the room where client medical charts were stored was accessed.  Social Security numbers, health information, and other personal information may have been exposed.","PHIPrivacy.net","","2013","44.958164","-124.017891" "June 10, 2013","Independence Care System","New York","New York","PORT","MED","2,434","The May 7 burglary of an employee's home resulted in the theft of a laptop that contained patient information.  Fewer than 60% of the affected members had their names, zip codes, and Independence Care System (ICS) Member ID numbers exposed.  Approximately 40% of those affected also had their street address, phone number, Medicaid ID number, and enrollment and/or disenrollment date exposed.  ICS plans to implement a two-factor authentication system for network access by September of 2013 to prevent the issue from occurring again.","PHIPrivacy.net","","2013","40.712784","-74.005941" "June 9, 2013","Emmorton Associates","Abingdon","Maryland","PHYS","MED","75","A counselor's file cabinet was burglarized sometime between December 10 and December 21.  
It contained client files with names, Social Security numbers, dates of birth, addresses, telephone numbers, diagnosis, treatment information, insurance information, and emergency contact information.","PHIPrivacy.net","","2013","39.462236","-76.277222" "June 9, 2013","Health Resources of Arkansas","Heber Springs","Arkansas","PHYS","MED","1,911","On April 14, 2013 staff members discovered that their location had been burglarized.  Names, Social Security numbers, addresses, dates of birth, diagnosis information, types of treatments, classes attended, court information, services provided, or insurance information of persons served by the location could have been accessed during the burglary.  Notifications were sent during the week of May 20. ","HHS via PHIPrivacy.net","","2013","35.491468","-92.031260" "June 9, 2013","Integrity Oncology, Baptist Medical Group, North Atlantic Telecom","","Tennessee","UNKN","MED","539","Integrity Oncology's business associate North Atlantic Telecom discovered a breach incident on March 5.  ","HHS via PHIPrivacy.net","","2013","35.517491","-86.580447" "June 9, 2013","City of Norwood","Norwood","Ohio","PORT","MED","500","A laptop that contained protected health information was lost between the dates of April 4 and April 19.  ","HHS via PHIPrivacy.net","","2013","39.164480","-84.454280" "June 28, 2013","University of South Carolina","Columbia","South Carolina","PORT","EDU","6,300","The April theft of a faculty laptop resulted in the exposure of current and former student information.  The laptop was stolen from a locked room in the Department of Physics and Astronomy.  
It contained a file with the names, emails, and Social Security numbers of up to 6,300 University of South Carolina students who had taken one of four physics courses between January of 2010 and the fall 2012 semester.","Media","","2013","34.000710","-81.034814" "June 28, 2013","Greensboro ABC Stores, Triad ABC ","","","HACK","BSR","0","Greensboro ABC stores and Triad ABC stores discovered that the software used by cash registers had been hacked.  The malware was discovered after customers complained about fraudulent charges on their debit and credit card accounts.  The ABC stores stopped accepting credit and debit cards while investigating the issue.","Media","","2013","37.090240","-95.712891" "June 24, 2013","King County Sheriff's Office","Seattle","Washington","PORT","GOV","2,300","A laptop and portable hard drive were stolen from the truck of an undercover officer in March of 2013.  The devices were not encrypted and contained Social Security numbers, driver's license numbers, and personal information about victims, suspects, witnesses, and police officers. The officer received disciplinary action for leaving the laptop unattended in the backseat of a truck.","Media","","2013","47.606210","-122.332071" "June 21, 2013","Gulf Breeze Family Eyecare (Sight and Sun Eyeworks Gulf Breeze)","Gulf Breeze","Florida","INSD","MED","0","Sight and Sun learned of a patient privacy breach on May 17.  Patient names, Social Security numbers, addresses, medical record numbers, and other personal information may have been exposed.  An employee accessed and copied patients' electronic medical records without legitimate purpose.UPDATE (06/26/2013): A total of 9,000 patients were affected.  
It appears that the records were accessed to target patients for other medical service offerings.","Media","","2013","30.357144","-87.163857" "June 24, 2013","Florida State University, Florida Department of Education","Tallahassee","Florida","DISC","EDU","47,000","The information of 47,000 Florida teachers was publicly accessible for 14 days after a data transfer at Florida State University.  The information was from teachers participating in state prep programs.  The Department of Education used Florida State University as the contractor for the transfer of teacher data.UPDATE (06/26/2013): People who participated in Florida teacher preparation programs during the 2009-2010 and 2011-2012 academic years were affected.","Media","","2013","30.438256","-84.280733" "July 5, 2013","Morningstar Document Research","Chicago","Illinois","HACK","BSF","182,000","Client information may have been compromised by an intrusion that took place around April 3.  Client email addresses, passwords, credit card numbers, and other information may have been exposed.","Media","","2013","41.878114","-87.629798" "July 3, 2013","Indiana Family and Social Services Administration (FSSA), RCR Technology Corporation","Indianapolis","Indiana","DISC","GOV","3,926","A computer programming glitch resulted in the exposure of client health, financial, and employment information.  Personal and private documents that belonged to certain clients were accidentally made available to other clients between April 6 and May 21 when FSSA contractor RCR Technology Corporation made a programming error.  The issue was discovered on May 10 and addressed on May 21.  
Patients of clients may have had their names, addresses, dates of birth, demographic information, contact information, types of benefits received, monthly benefit amount, employer information, monthly income and expenses, bank balances and other assets, medical providers, medical conditions, and information about household members exposed.","Media","","2013","39.768403","-86.158068" "July 8, 2013","Roy's Holdings, Inc. ","Honolulu","Hawaii","STAT","BSR","0","Malware infected an employee's desktop computer.  Roy's restaurants in Ko'Olina, Waikiki, Kaanapali, Poipu, and Waikoloa were affected.  Anyone who used a debit or credit card at those locations between February 1, 2013 and February 25, 2013 may have had their payment card information compromised.","California Attorney General","","2013","21.306944","-157.858333" "July 11, 2013","Texas Health Harris Methodist Hospital Fort Worth, Shred-it","Fort Worth","Texas","PHYS","MED","277,000","A concerned citizen alerted police to a situation on May 11.  Old microfiche records were discovered in a park even though they should have been destroyed by the Hospital's contractor Shred-it.  The records contained names, addresses, dates of birth, and health information and were from 1980 to 1990. Some records also contained Social Security numbers.  ","Media","","2013","32.755488","-97.330766" "July 3, 2013","Bureau of Automotive Repair (BAR)","Rancho Cordova","California","HACK","GOV","0","An unauthorized individual accessed the network of a BAR service provider between May 2012 and March 2013.  The bank routing information of Smog Check stations licensed with the BAR was exposed.  
Those who may have had their accounts accessed are encouraged to close their old accounts and open new accounts with new PINs or passwords.UPDATE (07/11/2013): Approximately 7,500 Smog Check stations had bank account and routing numbers associated with the businesses exposed.","California Attorney General","","2013","38.589072","-121.302728" "July 11, 2013","Guildford County Schools, Page High School","Greensboro","North Carolina","DISC","EDU","456","A Guildford County Schools employee accidentally emailed a PDF file that contained Page High School student personal information.  Student names, addresses, phone numbers, course enrollments, grades, school district identification numbers, and other transcript data were in the PDF file. The information was emailed to a single guardian on July 2, 2013.","Media","","2013","36.072635","-79.791975" "June 23, 2010","Anthem Blue Cross, WellPoint","Pasadena","California","DISC","MED","470,000","More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  Anthem Blue Cross merged with WellPoint in 2004.UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach.  The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information.UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information.  It is unclear whether these residents are included in the original 470,000 customers.  
Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft.  An applicant behind the lawsuit is seeking class action status.UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company's delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines.  State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers. UPDATE (7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law.  Customer data was accessible between October 23, 2009 and March 8, 2010.  One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010.  WellPoint began notifying consumers on June 18, 2010.UPDATE (07/13/2013): About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed.  WellPoint paid HHS $1.7 million in fines.  ","Dataloss DB","","2010","34.147785","-118.144516" "September 30, 2011","Florida Hospital","Orlando","Florida","INSD","MED","12,000","Patients who visited emergency departments of three Central Florida county Florida Hospitals between January 1, 2010 and August 15, 2011 may have had their information improperly accessed by one or more employees.  
Patient names, Social Security numbers, dates of birth and insurance information were exposed.  Several employees were fired for misconduct, but one employee was fired for viewing patient information without authorization for the purpose of identifying motor vehicle accident victims.  The hospital launched an investigation after a car-accident victim felt that a soliciting attorney had somehow obtained his medical information.UPDATE (10/19/2011): The FBI is now investigating the disclosure of patient information.  It appears that three employees sold accident victim data to an attorney referral service.  Former patients have also been contacted by funeral homes and at least one patient became an identity theft victim.UPDATE (08/18/2012): One dishonest employee who worked at Florida Hospital Celebration allegedly viewed the emergency room records of 763,000 patients. A total of 12,000 patients from the group of 763,000 were contacted by the Hospital and notified of the risk of identity theft.UPDATE (10/22/2012): The former employee worked at Florida Hospital from July 2006 until July 2011 and was responsible for registering emergency patients.  The scam involved patient phone referrals to a lawyer or chiropractor who knew details about car accidents and hospital treatments. The dishonest employee had illegally gathered the patient information during emergency visits. He pleaded guilty to conspiracy to obtain health information and wrongful disclosure of health information. UPDATE (01/07/2013): A man associated with Metro Chiropractic and Wellness Center and City Lights Medical Center pleaded guilty to charges related to illegally obtaining patient information from two spouses who worked at Florida Hospital Celebration. 
He was charged with one count of conspiracy to defraud the United States and four counts of making a payment to a non-licensed physician.UPDATE (04/12/2013): One former patient affected by the breach has brought a lawsuit against Adventist Health System/Sunbelt, Inc.  Florida Hospital Celebration and 36 other hospitals compose the Adventist network. The former patient is alleging that their privacy rights as a patient were violated when Adventist Health System/Sunbelt Inc. failed to prevent emergency room workers from selling access to their medical records.UPDATE (07/12/2013): The lawsuit that was filed in April was dismissed by a judge on July 3. Another lawsuit was then filed in Orange County Circuit Court in Orlando.","PHIPrivacy.net","","2011","28.538336","-81.379237" "July 12, 2013","Long Beach Memorial Medical Center","Long Beach","California","INSD","MED","2,864","Patients who received treatment between September 2012 and June 2013 may have had their information exposed by a breach related to an employee.  Names, sex, dates of birth, home addresses, phone numbers, account numbers, insurance information, and the reason for admission were exposed.  There is currently no reason to believe that the information was used in a malicious manner.","Media","","2013","33.770050","-118.193740" "July 17, 2013","Office of the Medicaid Inspector General (OMIG)","Albany","New York","INSD","MED","17,743","An OMIG employee sent an email that contained sensitive records to their own email account on October 12, 2012.  Medicaid patient first and last names, Social Security numbers, dates of birth, and Medicaid client information numbers may have been compromised. ","Media","","2013","42.652579","-73.756232" "May 16, 2013","City of Akron","Akron","Ohio","HACK","GOV","47,452","The City of Akron's website and internal systems were hacked by a foreign group.  Files with 47,452 entries were posted online.  
Names, Social Security numbers, account numbers, credit card numbers, credit card expiration dates, addresses, and other information were in the files.  The hacking attack appears to be part of an organized international effort to hack into various U.S. government websites.","Media","","2013","41.081445","-81.519005" "April 23, 2013","City of Monroeville","Monroeville","Pennsylvania","DISC","MED","0","A number of inappropriate security practices may have exposed the information of people who called Monroeville's 911 dispatch center, police department, fire department, or EMS department in 2012 or 2013.  Monroeville is being investigated for possible violations of federal health privacy laws.  An August 2012 complaint to the U.S. Department of Health and Human Services' Office for Civil Rights stated that protected health information may have been given to a former police chief via email and that weak and poorly managed usernames and passwords were used to access a database of 911 callers' medical information.UPDATE (07/18/2013): Monroeville 911 records from August 2010 through February 2013 were available to volunteer firefighters and former and inactive emergency responders.  There was no protocol in place for removing the former personnel from the list of people who received 911 dispatch data.","Media","","2013","40.421180","-79.788102" "March 1, 2013","South Miami Hospital, Baptist Health","Miami","Florida","INSD","MED","834","A dishonest hospital employee misused patient records that were dated from June 2011 to February of 2012.  Patients may have had their names, Social Security numbers, and dates of birth exposed.UPDATE (03/15/2013): A respiratory therapist provided Social Security numbers, dates of birth, patient names, and other patient data in exchange for payment. The patient data was then used to file fraudulent tax returns.  
The dishonest employee now faces charges for selling the information to two others.UPDATE (04/26/2013): Two women who purchased patient information from a Hospital employee were sentenced for their roles in the breach.  One woman was sentenced to 26 years and five months in federal prison in addition to being ordered to pay over $1.9 million in restitution.  She was convicted of 33 fraud and identity theft charges in January.  The other was sentenced to 10 years and one month in prison after pleading guilty to conspiracy to defraud the government and aggravated identity theft.  The fraud ring produced fraudulent income tax refunds totalling $11.7 million.UPDATE (07/18/2013): A respiratory therapist who engaged in the theft of patient information between June of 2011 and February of 2012 pleaded guilty.  She faces up to seven years in federal prison and is scheduled to receive a lightened sentence for cooperating with authorities in the investigation of the tax fraud ring's leaders.","PHIPrivacy.net","","2013","25.788969","-80.226439" "July 8, 2013","Internal Revenue Service (IRS)","Washington","District Of Columbia","DISC","GOV","10,000","Public.Resource.org received 990-T forms with sensitive information during a request for information from the IRS.  The IRS acknowledged the mistake and Public.Resource.org became curious about where else the information could be found.  Public.Resource.org found multiple incidents of Social Security numbers being exposed on the IRS website and wrote a letter that pointed out the issues to the IRS.  The IRS was able to remove some or all of the sensitive files from public view over the course of a few days.","Media","","2013","38.907192","-77.036871" "July 22, 2013","Apple Inc.","Cupertino","California","HACK","BSR","0","Apple's website for developers was accessed by unauthorized parties.  Registered developer names, mailing addresses, and email addresses may have been accessed on Thursday, July 18.  
Encrypted customer information was not affected.","Media","","2013","37.322998","-122.032182" "July 19, 2013","University of Virginia, Aetna Health Care","Charlottesville","Virginia","DISC","EDU","18,700","A mailing error by a third-party mailing vendor used by Aetna Health Care resulted in the Social Security numbers of students being exposed in open-enrollment brochures.","Media","","2013","38.029306","-78.476678" "July 18, 2013","NASDAQ.com","New York","New York","HACK","BSO","0","Hackers were able to steal passwords from a NASDAQ Community forum.  It is likely that only passwords and non-financial information were stolen.  NASDAQ alerted users to the issue and took the website offline to upgrade its security.  There is concern that the hackers will use the email and password information to send phishing messages and obtain access to various financial accounts.","Media","","2013","40.712784","-74.005941" "November 30, 2012","Western Connecticut State University","Danbury","Connecticut","DISC","EDU","235,000","A computer vulnerability allowed the information of students, student families, and other people affiliated with the University to be exposed. The records covered a 13 year period and included Social Security numbers.  High school students who had associations with the University may have had their SAT scores exposed as well.  The issue existed between April 2009 and September 2012.  ","Media","","2012","41.394817","-73.454011" "July 23, 2013","Henry Ford Health System","Detroit","Michigan","PHYS","MED","15,417","A warehouse that was not owned by Henry Ford Health System was raided for old X-rays.  X-rays can be stripped for silver and these medical X-rays also contained the names, addresses, and dates of birth of patients of Henry Ford Health System.  The X-rays dated between 1996 and 2003.  
Henry Ford Health System learned about the issue on May 24.","Media","","2013","42.331427","-83.045754" "April 5, 2013","William Jennings Bryan Dorn VA Medical Center","Columbia","South Carolina","PORT","MED","7,405","The February 11 theft of an unencrypted laptop from the respiratory department resulted in the exposure of patient information.  Veterans who were patients may have had their name, Social Security number, age, race, weight, and medical test results on the laptop.  The laptop was taken during regular clinic hours.UPDATE (05/01/2013): A lawsuit has been filed by two veterans on behalf of people who were affected by the breach.UPDATE (07/22/2013): The Dorn VA has motioned to dismiss the case.  On July 16 the Dorn VA said that it has not been proven that the records were improperly disclosed. It also argued that the plaintiffs never asserted that the records had been shown to another or unauthorized person.","PHIPrivacy.net","","2013","34.000710","-81.034814" "July 24, 2013","NYC Bike Share, Citibike","New York","New York","DISC","BSR","1,200","NYC Bike Share discovered that customer credit card numbers, names, and addresses had been posted on a publicly accessible page of its website.  The glitch was corrected after being active between April 15 and late May.  Customers who initially entered their information incorrectly had their information posted online for 24 hours.  The data was cleared every 24 hours between April 15 and late May.","Media","","2013","40.712784","-74.005941" "July 26, 2013","NASDAQ OMX Group Inc.","New York","New York","INSD","BSF","0","Malware was installed on servers between November of 2008 and October of 2010.  This allowed one or more hackers to execute commands to delete, change, and steal data from the computers used by NASDAQ.  A total of five foreign hackers were charged for involvement in a series of financial incidents.  
They were all collaborating in a scheme to target major corporate networks and were able to steal more than 160 million credit card numbers across corporations.","Media","","2013","40.712784","-74.005941" "July 17, 2013","Citigroup","New York","New York","DISC","BSF","146,000","Citigroup exposed the Social Security numbers, dates of birth, and other sensitive information of customers by not properly redacting the information for court records.  Consumers who went into bankruptcy between 2007 and 2011 were affected.  The incident was discovered by the bank on April 2011.  Roughly 146,000 consumers were notified of the breach in July of 2013.","Media","","2013","40.712784","-74.005941" "July 24, 2013","Tinder","West Hollywood","California","DISC","BSO","0","Tinder advertises to users that their physical location information is never shown to other users.  An outside engineer discovered an issue with the Tinder app that allowed the locations of users to be available for at least two weeks.  Last known locations, Facebook IDs, dates of birth, gender, and names were available.  ","Media","","2013","34.090009","-118.361744" "July 29, 2013","Fairfax County Public Schools","Falls Church","Virginia","PORT","MED","2,000","The July 15 theft of a laptop resulted in the exposure of student information.  The laptop was stolen from the car of a school nurse and contained school, health and other confidential information.  
Student names, school identification numbers, allergies, and other medical conditions were on a spreadsheet on the health-department-issued laptop.","Media","","2013","38.882334","-77.171091" "June 7, 2010","Wal-Mart, Sam's Club ","Bentonville","Arkansas","HACK","BSR","117","During a credit card fraud scheme, a man obtained and misused customer information.  His scheme involved using customer information to impersonate customers and open new lines of store credit in their names.  Total losses amounted to $781,571.80.","Databreaches.net","","2010","36.372854","-94.208817" "July 29, 2013","Wal-Mart","","Oklahoma","CARD","BSR","0","Two men were indicted for their role in a skimming plot.  They are accused of fraudulently obtaining $400,000 by placing skimming devices at gas pumps at Wal-Mart stores for up to two months at a time.  They then created counterfeit cards by using the legitimate card information obtained through skimming.  The skimming ring ran from April 2012 through January 2013.","Media","","2013","35.007752","-97.092877" "July 26, 2013","Stanford University","Stanford","California","HACK","EDU","0","People who used Stanford University's computer network have been asked to reset their passwords. Stanford released few details but stated that it does not appear that Social Security numbers and financial information were accessed or exposed.","Media","","2013","37.424106","-122.166076" "July 29, 2013","Oregon Health & Science University (OHSU)","Portland","Oregon","DISC","MED","3,000","Patient data could have been accessed due to a storage error.  The information of patients admitted between January 2011 and July 3 of 2013 was placed on Google's cloud computing system.  The information was password-protected, but could have still been used for promotional and other purposes because OHSU does not have a contract with Google.
OHSU removed the information from the cloud.","Media","","2013","45.523062","-122.676482" "July 25, 2013","Securities and Exchange Commission (SEC)","Washington","District Of Columbia","DISC","BSF","0","A July 8 letter warned current and former employees that SEC employee data had been found on the networks of another federal agency.  The outside federal agency was not named. It appears that a former SEC employee inadvertently and unknowingly downloaded the names, Social Security numbers, and dates of birth of SEC employees onto a thumb drive and then transferred them to another agency.  The employee wanted a template of the document rather than the actual employee data that it contained.  The accidental upload of sensitive information occurred in April of 2012 and again in June of either 2012 or 2013.  Employees who were with SEC before October of 2009 were affected. The breach lasted for 10 months before being noticed. The SEC confiscated the flash drive when the breach was uncovered.","Media","","2013","38.907192","-77.036871" "January 20, 2009","Heartland Payment Systems","Princeton","New Jersey","HACK","BSF","130,000,000","After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may be the result of a global cyberfraud operation. UPDATE (01/26/2009): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to be the largest in U.S. history. UPDATE (02/12/2009): According to BankInfoSecurity.com, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.
UPDATE (06/04/2009): While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656. UPDATE (06/16/2009): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton,N.J.-based Heartland. UPDATE (07/06/2009): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security. UPDATE (08/20/2009): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey - along with two unnamed Russian conspirators - on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.Total records breached: 100 million transactions per month. It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision. UPDATE (08/20/2009): According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.UPDATE (05/12/2010): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. 
The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits against it for four million. So far, Heartland has recovered about $30 million from insurance companies.UPDATE (06/02/2010): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer.UPDATE (09/01/2010): Heartland Payment Systems has agreed to settle with Discover for five million dollars.  Discover will use the money to cover costs of fraud incidents and reissuing cards.UPDATE (09/19/2010): Jerome Abaquin Gonzales is expected to surrender to police and serve jail time for participating in a credit card forgery ring which used information from the Heartland breach.  The information came from the 4.2 million Discover credit card customers who used their cards at Hannaford Brothers.UPDATE (09/22/2010): Thomas Michio Taniguchi was sentenced to prison for his role in the forgery ring in which Jerome Abaquin Gonzales also participated.UPDATE (12/07/2011): Heartland legal representatives were able to successfully argue that most of the claims against Heartland that were filed by nine banks should be dismissed. 
All but one claim was dismissed. UPDATE (02/12/2012): The nine banks may have had their claims against Heartland dismissed because Heartland reported that sharing a contractual relationship with the banks defeats their appeal. However, the credit-card-issuing banks are arguing that a New Jersey economic loss rule only bars claims for foreseeable economic losses when the parties are in a contractual relationship and does not bar their negligence claim against Heartland. UPDATE (07/25/2013): Five more foreign hackers were charged for their role in stealing information from Heartland Payment Systems, NASDAQ, Dow Jones, JetBlue, and J.C. Penney.","Dataloss DB","","2009","40.348718","-74.659047" "July 26, 2013","St. Mary's Bank","Manchester","New Hampshire","HACK","BSF","115,775","Current and former members may have had their Social Security numbers, transaction records, and other personal information exposed due to malware that was found on an employee's office computer.  The malware was discovered on May 26 and St. Mary's began mailing letters on July 12.  The malware could have been on up to 23 work stations as early as February.  There has been no evidence of names, Social Security numbers, addresses, account numbers, transaction records, or other sensitive information being accessed by an unauthorized individual so far.","Media","","2013","42.995640","-71.454789" "June 25, 2010","University Hospital","Augusta","Georgia","PORT","MED","13,000","Two backup tapes containing personal information have gone missing. The hospital does not suspect theft and does believe that there is a very low probability that the personal information on the tapes can be misused. However, credit monitoring services are being offered to those who were affected. The hospital gave up looking for the tapes on May 7th and began notifying patients in late June.
Per phone interview with University Hospital, Social Security numbers were involved but they are unaware of any financial data involved in this breach.","Dataloss DB","","2010","33.470000","-81.975000" "August 2, 2013","Clark Memorial Hospital","Jeffersonville","Indiana","DISC","MED","1,087","A third-party mailing error resulted in the exposure of patient health information.  Billing statements with names, dates of service, insurance information, billing information, and financial status were mailed to incorrect addresses.","Media","","2013","38.277570","-85.737185" "July 31, 2013","Rocky Mountain Spine Clinic","Lone Tree","Colorado","INSD","MED","532","An employee in the billing department was fired for sending sensitive patient information to their personal email. The incident occurred in June and it does not appear that the email was sent with malicious intent.","Media","","2013","39.536482","-104.897068" "July 30, 2013","US Airways, Advanced Data Processing","Tempe","Arizona","DISC","BSO","40,000","A programming error at Advanced Data Processing (ADP) caused employee names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and 2012 to be exposed.  A group of other US Airways employees were able to download the payroll information of their colleagues.  ADP corrected the issue in early May and notified US Airways in early June.","Media","","2013","33.425510","-111.940005" "May 28, 2013","Godiva","New York","New York","PORT","BSR","2,638","An individual contacted Godiva sometime around April 15 and informed them that a flash drive with Godiva employee information had been found.  The information included employee ID numbers, Social Security numbers, dates of birth, phone numbers, resumes, and photos for people who worked at or applied to Godiva sometime prior to August 5, 2010.
The flash drive was once used by an employee with access to human resources data and an investigation revealed that there was no reason to suspect that the information had been misused.  A total of 2,638 California residents may have been affected. It is not clear how many people were affected nationwide.","Media","","2013","40.712784","-74.005941" "August 9, 2013","Auburn University - School of Forestry and Wildlife Sciences","Auburn","Alabama","DISC","EDU","0","Spreadsheets with donor and alumni information were accidentally uploaded to a publicly accessible server after an administrative error.  The error was discovered on June 19 and Auburn's IT office removed the information.  Names, Social Security numbers, maiden names, mailing addresses, first year at Auburn, graduation year, alumni status, email addresses, and phone numbers were exposed.","Databreaches.net","","2013","32.609857","-85.480783" "April 18, 2012","California State University San Marcos","San Marcos","California","HACK","EDU","700","A candidate for student body president was accused of tampering with University computers in order to access student ID numbers and passwords.  The information could have been used to alter election results.  The University isolated and monitored the compromised accounts and rescheduled the election.  The student was arrested in March on suspicion of election fraud, identity theft, and unlawful access to a computer.  The student was released and no charges were filed. UPDATE (04/20/2012): The student was first arrested after allegedly being caught with a password stealing device at a campus computer. UPDATE (03/22/2013): The student pleaded guilty to wire fraud, access device fraud, and unauthorized use of a computer.
He faces between 27 and 33 months in federal custody. UPDATE (08/06/2013): The former student received a one-year sentence and is scheduled for a restitution hearing on August 12.","Dataloss DB","","2012","33.143372","-117.166145" "August 8, 2013","US Airways Group","Tempe","Arizona","HACK","BSO","7,700","US Airways customers with Dividend Miles accounts may have had their information compromised.  Dates of birth, security question answers, last four digits of credit card numbers, and frequent-flier miles may have been accessed and compromised. UPDATE (08/02/2013): Names, email addresses, and Known Traveler numbers were exposed.  In some cases mileage was stolen from the accessed accounts.","Media","","2013","33.425510","-111.940005" "July 2, 2013","Health Net, CalViva Health","Suwanee","Georgia","DISC","MED","0","A number of member identification cards were mailed to incorrect addresses.  The problem occurred because of a programming error.  The member identification cards contained names, dates of enrollment, addresses, telephone numbers of primary care physicians, issue dates of cards, and Medi-Cal client identification numbers.  ","California Attorney General","","2013","34.051490","-84.071300" "July 31, 2013","South Central Los Angeles Regional Center","Los Angeles","California","PORT","MED","0","The July 6 theft of an employee's vehicle resulted in the exposure of client information.  The stolen car contained an iPad with client names and UCI numbers.  ","California Attorney General","","2013","34.052234","-118.243685" "July 31, 2013","Fidelity Investments, Oracle","Redwood","California","DISC","BSF","0","Current and former Oracle employees may have had their 401(k) information viewed by a plan administrator at the firm of another Fidelity client.  Names, Social Security numbers, compensation, and other 401(k) savings and investment plan information was briefly viewed by accident.  The issue was discovered on July 10, 2013.
","California Attorney General","","2013","37.485215","-122.236355" "July 30, 2013","California Correctional Health Care Services","Sacramento","California","PHYS","MED","0","An employee lost dental records while outside of California Correctional Health Care Services on June 19, 2013.  The records contained patient names, CDCR numbers, dates of birth, and dental treatment plan information.","California Attorney General","","2013","38.581572","-121.494400" "May 24, 2013","Sonoma Valley Hospital","Sonoma","California","DISC","MED","1,350","An employee error caused patient information from surgeries to appear on the internet.  Names, dates of service, procedures, surgeons, hospital charges, and names of insurance companies were accidentally uploaded.  The breach occurred on February 14 and was discovered on April 17.  UPDATE (07/10/2013): Surgical services covering information from July 1, 2011 to June 30, 2012 was posted on the Sonoma Valley Hospital website.","PHIPrivacy.net","","2013","38.291859","-122.458036" "July 2, 2013","Quayside Publishing Group","Minneapolis","Minnesota","CARD","BSO","0","A credit card breach resulted in the exposure of information. Customers who made online purchases at Quayside Publishing Group had their information exposed sometime around April 29.  Names, addresses, and credit card numbers were exposed until June 17.","California Attorney General","","2013","44.977753","-93.265011" "August 14, 2013","Michigan Department of Community Health, Michigan Cancer Consortium ","Lansing","Michigan","HACK","MED","49,000","A server for the Michigan Cancer Consortium that housed names, Social Security numbers, dates of birth, cancer screening test results, and testing dates was hacked.
The Michigan Department of Community Health claimed that the breach should not fall under strict HIPAA regulations because testing records, rather than medical records, were affected.","Media","","2013","42.732535","-84.555535" "August 12, 2013","Income and Capital Growth Strategies Inc.","Van Nuys","California","HACK","BSF","0","An employee was the target of a computer network intrusion sometime between July 12 and July 15.  Information about clients and their dependents may have also been exposed.  Names, Social Security numbers, addresses, dates of birth, drivers' license numbers, and bank account information may have been accessed.  ","California Attorney General","","2013","34.189857","-118.451357" "August 16, 2013","Exelixis","San Francisco","California","PORT","BSR","0","The theft of one or more pieces of company electronic equipment exposed client information.  The theft was discovered on July 30 and names, Social Security numbers, financial account numbers, addresses, and dates of birth may have been exposed.","California Attorney General","","2013","37.774930","-122.419416" "October 11, 2011","Indiana University School of Optometry","Bloomington","Indiana","DISC","MED","757","Health information stored on a computer server was accidentally made available to the public online between August and September of 2011.  Patients who were seen by a former faculty member of the school were affected because of a configuration error that occurred on August 12.  The issue was discovered on September 9 and had been corrected by September 10.  Patients seen by a certain doctor between January of 2007 and June of 2011 at clinics in Carmel and Indianapolis, Indiana were affected.
Some hospital inpatients seen between August 2007 and August 2008 were also affected.","Media","","2011","39.165325","-86.526386" "July 25, 2013","Baltimore City","Baltimore","Maryland","PHYS","GOV","0","Thousands of current and former Baltimore City employees are at risk after a box was found with Baltimore City personnel information.  Records had been discarded in a publicly accessible place for trash.  Names, Social Security numbers, dates of birth, drivers' license information, and other vital and personal employee information was contained in the records. The Department of Public Works obtained the box of information and is attempting to contact people based on lists of class attendants that were among the records.","Databreaches.net","","2013","39.290385","-76.612189" "August 15, 2013","Harris County","Harris","Texas","HACK","GOV","16,000","The information of current and former Harris County employees was found on electronic files in Vietnam.  Names, Social Security numbers, and dates of birth were exposed.  The files were from 2005 and 2007 and appear to have been created before Harris County put in place stricter identity theft regulations.","Media","","2013","29.775183","-95.310251" "August 21, 2013","Hope Community Resources (HCR)","Anchorage","Alaska","DISC","MED","3,700","The health information of disabled patients was accidentally released in an email on the night of August 19.  A survey was sent via email to supporters of HCR. The email also contained names, dates of birth, guardians and parents, addresses, and other patient information.","Media","","2013","61.218056","-149.900278" "August 21, 2013","Emory University","Atlanta","Georgia","HACK","EDU","0","Anyone with an Emory University netID/username is being advised to change their account password due to a breach.  Emory University stated that it appears the attack on their information technology infrastructure is similar to attacks that similar organizations have seen in the past few months.
Emory University also stated that it does not appear that sensitive information was accessed.  ","Media","","2013","33.748995","-84.387982" "February 8, 2013","United States Federal Reserve, Grand Banks Yachts","Washington","District Of Columbia","HACK","GOV","0","The hacking group known as Anonymous claimed responsibility for a hack of the Alabama Criminal Justice Center and indicated that they had access to US Federal Reserve servers. Some internal documents were also exposed.  The hack attack was a response to the US Federal Reserve's reaction, or failure to react, to the February 4 hack of the Alabama Criminal Justice Center.  Anonymous released a document showing that they had extensive access to US Federal Reserve servers and internal documents.  Anonymous hacked into the Grand Banks Yachts website and used it to host a file that contained the document.UPDATE (08/23/2013): Federal Reserve employee data was posted on a website.  Phone numbers, emails, and other Federal Reserve employee information was placed on a publicly accessible spreadsheet.  Anonymous claims to have full details of every Federal Reserve Bank of America employee.  The information may have been from the breach in February.  ","Media","","2013","38.895112","-77.036366" "August 9, 2012","Blizzard Entertainment","Irvine","California","HACK","BSO","0","Blizzard's security team found an unauthorized party or parties had accessed the Blizzard internal network.  Blizzard immediately addressed the security issue and found no evidence that credit card, billing address, or name information had been accessed. Players using North American servers may have had scrambled versions of Battle.net passwords, answers to personal security questions, and information relating to Mobile and Dial-In Authenticators accessed.  Users are encouraged to change their passwords immediately and to change the passwords of other accounts if they are similar to the compromised Battle.net passwords.  
A list of email addresses for global Battle.net users outside of China was also accessed.UPDATE (11/12/2012): Two people have filed a suit alleging that Blizzard's $6.50 protection charge is inadequate and that Blizzard did not take the necessary measures required to secure the private information of customers that was stored online. The lawsuit also alleges that Blizzard continues to fail to disclose to consumers that additional security products must be acquired after buying games in order to ensure that information stored in online accounts is secured.UPDATE (07/11/2013): The U.S. District Court for the Central District of California dismissed most of the claims that were brought against Blizzard Entertainment.UPDATE (08/23/2013): At least six out of eight claims from the lawsuit against Blizzard have been dismissed.  Blizzard still faces litigation for failing to fully disclose the importance of an authenticator to users.","Dataloss DB","","2012","33.683947","-117.794694" "August 23, 2013","Hill Air Force Base","Ogden","Utah","DISC","GOV","500","An administrative employee sent the names and Social Security numbers of 500 Hill Air Force Base employees to a personal email account. The administrative employee planned to finish a project at home but transferring the information to an unprotected email address may have resulted in the exposure of information. The employee's actions were against Hill Air Force Base policy.","Media","","2013","41.223000","-111.973830" "April 21, 2010","Affinity Health Plan","Bronx","New York","PORT","MED","409,262","Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive. Some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company. 
Affinity Health Plan says it has not had a chance to review the data found on the copier. The figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.UPDATE (08/15/2013): Affinity Health Plan will pay more than $1.2 million in HIPAA violations as a result of the breach.","Dataloss DB","","2010","40.850100","-73.866246" "August 27, 2013","Bonneville Power Administration (BPA)","Portland","Oregon","HACK","GOV","3,100","Up to 3,100 BPA employees were affected by a cyber attack.  The attack appears to be related to the attack on the Department of Energy's website.  Names, Social Security numbers, and dates of birth were distributed as a result of the Department of Energy breach.","Media","","2013","45.523062","-122.676482" "August 27, 2013","University of Mississippi Medical Center","Jackson","Mississippi","DISC","MED","2,279","An employee of the University of Mississippi Medical Center accidentally attached a spreadsheet with sensitive information to an email that went out to students.  The email was sent on August 21 and the spreadsheet contained student names, Social Security numbers, GPAs, race, gender, dates of birth, mailing addresses, and phone numbers.  The breach was discovered within hours and the University used a combination of asking students to delete the email and manually removing the email from students' webmail accounts.  The email was meant to alert students to changes being made to the school's health insurance.","Media","","2013","32.298757","-90.184810" "May 17, 2013","Orthopedics and Adult Reconstructive Surgery","","Texas","PORT","MED","22,000","The Health and Human Services website of medical breaches reports the loss of a portable electronic device by Orthopedics and Adult Reconstructive Surgery.  The breach occurred between March 1 and March 13.  
AssuranceMD is named as a business associate.","HHS via PHIPrivacy.net","","2013","31.968599","-99.901813" "August 30, 2013","Osprey Packs","Cortez","Colorado","HACK","BSR","0","Customer information may have been exposed when Osprey Packs' Pro Deal website was hacked.  Customer names, phone numbers, email addresses, billing and shipping addresses, and credit card information may have been exposed.  Osprey Packs learned of the issue on August 7, 2013 when a customer discovered unauthorized activity on their credit card and connected it to Osprey Packs.  Other customers have also noticed fraudulent charges.  The attack may have happened as early as July 9, 2013.","Media","","2013","37.348883","-108.585927" "August 31, 2013","John F. Kennedy International Airport","New York","New York","INSD","BSO","0","Seven contract baggage handlers were arrested for stealing valuables from customer luggage.  The thefts were caught on camera between April 1 and August 28.  Items such as iPads, iPhones, cash, and jewelry were discovered in the defendants' homes and cars.","Media","","2013","40.712784","-74.005941" "April 10, 2013","Schnuck Markets Inc.","St. Louis","Missouri","HACK","BSR","0","A lawsuit was filed against Schnucks Markets Inc. after customers learned that Schnucks failed to warn customers about a data breach within two weeks.  On March 15, Schnucks learned that a portion of their loyalty cards were affected, but waited until March 30 to send a press release.   Customer payment card numbers and expiration dates were exposed through a magnetic strip swiping security breach. No customer names were exposed. UPDATE (04/15/2013): The breach affected about 2.4 million customer debit and credit cards at 79 Schnucks locations.  Payment cardholders' contact and identifying information were not exposed.
Customers who visited a Schnucks between December of 2012 and March 29, 2013 may have been affected. UPDATE (05/24/2013): A class action lawsuit was filed against Schnuck Markets in early May.  Schnuck Markets claims that the lawsuit belongs in federal court because of the case's scope and damages.  The lawsuit sought damages from Schnucks for time and effort that affected individuals had to put into monitoring and managing compromised credit card information.  The lawsuit also accuses Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law.  However, Schnucks states that the ""time and effort"" claims for Illinois alone easily exceed the $5 million threshold for federal consideration. UPDATE (06/21/2013): A new estimate from Schnucks states that 500,000 unique credit or debit cards may have been involved. UPDATE (07/11/2013): After a review, the Missouri Attorney General's office has stated that Schnuck Markets did not violate state data security law. UPDATE (08/31/2013): Liberty Mutual Insurance Co. is suing Schnuck Markets Inc. Liberty Mutual claims that it should not be held liable for eight lawsuits filed against Schnucks.","Media","","2013","38.627003","-90.199404" "August 29, 2013","University of Texas, Texas Health Science Center at Houston Medical School","Houston","Texas","PORT","MED","596","An unencrypted laptop that was housed in a locked closet was discovered missing on August 2.  The computer contained names, dates of birth, medical record numbers, and hand and arm image data taken between February 2010 and July 13.  The laptop had not been used since July 19.","Media","","2013","29.760427","-95.369803" "August 28, 2013","Missouri Credit Union","Columbia","Missouri","DISC","BSF","39,000","A file with customer information was accidentally published on Missouri Credit Union's website on August 5.
The names, Social Security numbers, account numbers, teller and call in passwords, and addresses of Missouri Credit Union members were accessed.  The file was accessed 10 times before the issue was discovered and it was taken off of the website.","Media","","2013","38.951705","-92.334072" "August 27, 2013","The New York Times, Melbourne IT","New York","New York","HACK","BSO","0","A domain or domains belonging to The New York Times was attacked after activist hackers found a way to access the login credentials of service provider Melbourne IT.  Melbourne IT is an Australian domain name registrar that provides hosting and data services for The New York Times and other media sites.  The New York Times website was shut down for approximately six hours.","Media","","2013","40.712784","-74.005941" "December 10, 2010","Genesco Inc.","Nashville","Tennessee","HACK","BSF","0","Customers who used credit or debit cards at United States Journeys, Journeys Kidz, Johnston and Murphy, Shi by Journeys and some Underground Stations stores may have had their information gathered during a criminal intrusion of Genesco's computer network. It is possible that credit and debit card numbers, expiration dates and card verification codes were accessed. UPDATE (01/17/2013): Genesco has spent $2.1 million on consulting and legal fees related to the breach. UPDATE (03/08/2013): Genesco also owns Lids.  Genesco sued VISA for $13 million in unnecessary fines associated with the data breach.  VISA fined banks for their role in failing to comply with industry-wide credit card security standards.  The banks then took money from Genesco to address fines and breach recovery.","Databreaches.net","","2010","36.165890","-86.784443" "August 20, 2013","League of Legends, Riot Games","Santa Monica","California","HACK","BSO","120,000","A security breach has resulted in the usernames, email addresses, first and last names, and encrypted passwords of League of Legends users to be exposed.
About 120,000 transaction records from 2011 may have been accessed.  The transaction records contained hashed and salted (encrypted) credit card numbers. The information was stored on a system that had not been used since 2011.","Media","","2013","34.019454","-118.491191" "August 22, 2013","San Francisco State University - College of Extended Learning","San Francisco","California","HACK","EDU","0","A server that contained the personal information of students was breached on March 25, 2013.  Federal law enforcement notified San Francisco State University of the breach on June 11.  The College of Extended Learning notified students of the issue on August 12.  An unspecified number of names, Social Security numbers, and other personal information was exposed.","Media","","2013","37.774930","-122.419416" "July 30, 2013","University of Delaware","Newark","Delaware","HACK","EDU","74,000","Students and staff members may have had their information exposed during a hacking incident. The hacker or hackers were able to exploit a vulnerability in software acquired by a vendor.  Names, addresses, Social Security numbers, and university ID numbers were exposed.UPDATE (08/19/2013): An additional 2,000 people were affected.  They were not employees but had received payment from the University of Delaware.","Media","","2013","39.683723","-75.749657" "August 9, 2013","Northrop Grumman","Suwanee","Georgia","HACK","BSO","70,000","People who were linguists or applied to be linguists within Northrop Grumman Technical Services, Inc. Balkans Linguist Support Program may have had their personal information exposed. A database that contained names, Social Security numbers, dates of birth, blood types, contact information, and additional types of government-issued identification numbers was accessed by unauthorized parties.  
The breach occurred sometime between November 2012 and May 2013 and was discovered on July 26.UPDATE (08/15/2013): Over 70,000 people, including thousands of linguists, were affected.","Media","","2013","34.051490","-84.071300" "August 13, 2013","Caledonia Home Health and Hospice","Saint Johnsbury","Vermont","PORT","MED","0","The theft of an employee's Netbook on July 20 resulted in the exposure of patient information.  The Netbook was stolen from the employee's home and contained Social Security numbers and other protected patient information. ","Media","","2013","44.419263","-72.015118" "July 16, 2013","Gap, Banana Republic","San Francisco","California","DISC","BSR","20","A customer received a package from Banana Republic that contained documents with employee Social Security numbers, tax forms, resignation letters, legal notices, doctors' notes, and performance reviews.  The package was meant for HR administration and contained the information of around 20 sales support associates who work at Gap.  The customers were expecting a tie and pocket square.  It appears that the package had been mislabeled.","Media","","2013","37.774930","-122.419416" "June 19, 2013","City of Houston, Automatic Data Processing","Houston","Texas","DISC","GOV","6,300","A software code error caused W-2 information to be exposed.  Approximately 1,300 classified Houston Police Department employees and 5,000 other local government workers were affected.  Names and Social Security numbers were exposed.","Media","","2013","29.760427","-95.369803" "July 7, 2011","Troy Regional Medical Center (TRMC), Southern Records Management Inc.","Troy","Alabama","INSD","MED","880","TRMC discovered that someone had removed paper records that contained the information of approximately 880 patients.  The unauthorized access and removal happened in early 2011 and was reported to TRMC by law enforcement on May 20, 2011. 
Affected patients had their names, Social Security numbers, addresses, dates of birth and medical record numbers exposed.  It appears that some of the personal information was used to file fraudulent income tax returns with the IRS.UPDATE (06/13/2012): A woman was arrested on felony charges for allegedly conspiring with others to steal the information of 880 patients while she worked with Southern Records Management at TRMC.  The 22-count felony indictment includes allegations of fraud against the U.S. government as part of a tax fraud scheme.  UPDATE (10/26/2012): A former Southern Records Management employee working for Troy between June 13, 2010 and March 25, 2011 pled guilty to one count of conspiring to defraud the government regarding claims, one count of fraud in connection with identification documents, a count of fraud in connection with computers, and a count of aggravated identity theft.UPDATE (02/07/2013): The dishonest employee was sentenced to 65 months in prison.UPDATE (05/24/2013): A second co-conspirator pleaded guilty to the theft of government money, fraudulent use of debit cards, and aggravated identity theft.  She received 10 years in prison.  A total sum of $1,198,063 was fraudulently obtained through fake tax refunds.UPDATE (06/13/2013): Another conspirator was convicted of ID theft and tax fraud after pleading guilty to theft of government money, fraudulent use of debit cards, and aggravated identity theft.  The court ordered a 10-year prison sentence for the conspirator.","PHIPrivacy.net","","2011","31.808768","-85.969951" "July 16, 2013","Calvert Internal Medicine Group","Prince Frederick","Maryland","DISC","MED","0","A finance department employee contacted ADP for troubleshooting and an ADP representative removed the firewall of Calvert Internal Medicine Group during the service call.  The firewall was not restored after the call and employees began receiving spam emails from the finance department employee's email account.  
Malware was also detected in the spam inbox of the employee's computer.  Names, Social Security numbers, addresses, and other payroll information of current and former employees may have been exposed.","Media","","2013","38.540400","-76.584402" "July 16, 2013","Academy Studios","Novato","California","PHYS","BSO","0","Personnel records were discarded in a public dumpster after Academy Studios. The non-profit closed in April and many of its assets were sold in an online auction on May 21.  The personnel paperwork included names, Social Security numbers, dates of birth, copies of passports, copies of drivers' licenses, I-9 forms, and other employee information.","Media","","2013","38.107420","-122.569703" "May 7, 2013","Mapco","Brentwood","Tennessee","CARD","BSR","0","Customers who made purchases between March 19-25, April 14-15, or April 20-21 may have had their credit or debit card information compromised.  Tennessee and six other Southern states may have been affected by the breach. It is not clear if the payment card information was taken inside the stores or outside of the stores at gas pumps.UPDATE (06/10/2013): The accounts of consumers who used payment cards at 373 Mapco Express stores may have been affected. Two additional locations in Tennessee were affected on April 14 and 15. There are unnamed stores that may have been affected on April 20 and 21.UPDATE (07/08/2013): Three lawsuits have been filed as a result of data stolen in three MAPCO breaches that occurred in March, April, and June.","Media","","2013","36.033116","-86.782777" "May 30, 2013","Utah Division of Motor Vehicles (DMV)","Salt Lake City","Utah","INSD","GOV","0","An employee of the Utah Division of Motor Vehicles was fired in March for releasing confidential, personal information from DMV databases.  The former employee was a customer service clerk who had worked for the division for 14 years.  
Investigators also took the former employee's work hard drive, computer, printer, and other items that might have contained sensitive data.  The items will be investigated in a forensics lab.","Media","","2013","40.760779","-111.891047" "December 11, 2012","Jackson Health System, Jackson South Community Hospital","Miami","Florida","DISC","MED","566","Approximately 1,200 photo records of 566 patients were publicly posted on November 30.  The information was removed and two managers resigned as a result of the breach.","Media","","2012","25.761680","-80.191790" "May 29, 2013","Jackson Health System","Miami","Florida","PHYS","MED","1,407","A box that contained patient medical records was determined to have been missing since January.  Patient medical diagnoses, surgical procedures, and other personal health information may have been exposed. The missing records were either on their way to be electronically scanned or returning from being scanned.","Media","","2013","25.761680","-80.191790" "September 3, 2013","InterContinental Mark Hopkins San Francisco","San Francisco","California","PORT","BSO","0","A July 4 burglary resulted in the exposure of guest information.  The names, addresses, email addresses, phone numbers, and credit and debit card numbers of guests were on a computer hard drive that was stolen.  The hotel learned of the possibility of a breach of guest data on July 14 and alerted guests around August 8.","Media","","2013","37.774930","-122.419416" "September 3, 2013","St. Anthony","St. Louis","Missouri","PORT","MED","2,600","The July 29 car burglary of a laptop computer and flash drive resulted in the exposure of patient information.  Patient names, dates of birth, and other information contained in medical records were exposed.","Media","","2013","38.627003","-90.199404" "June 9, 2011","Citibank","New York","New York","HACK","BSF","360,000","Hackers have managed to access the information of approximately 1% of Citibank's 21 million users. U.S. 
Customer names, account numbers, and contact information were exposed.  Security codes and dates of birth were not exposed.  The breach occurred sometime in May.  UPDATE (6/13/2011): Citibank released an official statement on the Citigroup website.UPDATE (6/14/2011): It has been revealed that hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site and guessing the account numbers of other customers.  Since the account number appeared in the web address browser bar, simply altering an account number allowed the hackers to access a different account.  The hackers also utilized an automatic computer program to guess account numbers quickly. This incident appears to have occurred in early May.UPDATE (6/14/2011): Connecticut Attorney General George Jepsen asked Citigroup Inc. to provide more information about the data breach.  Jepsen feels that more information about the types of account information exposed, the cause of the breach, the steps taken to notify affected individuals and the steps to prevent future breaches is needed.  He requested the additional information by June 22.UPDATE (6/16/2011): The number of affected individuals has been raised from 210,000 to 360,000.  Further investigation of and information about the breach revealed that the breach was discovered on May 10.  By May 24, Citigroup officials concluded that the data thieves had captured names, account numbers, and email addresses of about 360,000 customer accounts.  Social Security numbers, expiration dates, and three-digit security passwords found on the back of credit cards were not exposed.UPDATE (6/24/2011): At least 3,400 of the customers whose credit card information was stolen have suffered a combined loss of $2,700,000.UPDATE (09/03/2013): Citibank has agreed to pay $15,000 in civil penalties to Connecticut's Privacy Protection Guaranty and Enforcement Account and $40,000 to the General Fund of Connecticut.  
Citibank will also hire a third party to conduct an information security audit of the Account Online section of Citibank's website.","Databreaches.net","","2011","40.714353","-74.005973" "August 30, 2013","Olson & White Orthodontics","O'Fallon","Missouri","STAT","MED","10,000","The July 22 office theft of several computers resulted in the exposure of patient health information.  Names, addresses, X-rays, photos, and diagnostic findings were exposed.UPDATE (09/04/2013): Two desktops were stolen.  Social Security numbers were also exposed.","Media","","2013","38.810608","-90.699848" "August 29, 2013","Republic Services","Phoenix","Arizona","PORT","BSO","82,160","An unspecified number of current and former employees were affected by the theft of a laptop.  The laptop was stolen from an employee's home on August 10.  The laptop contained names and Social Security numbers.UPDATE (09/03/2013): As many as 82,160 current and former employees may have been affected.","Media","","2013","33.448377","-112.074037" "September 2, 2013","Creative Banner Assemblies","Minneapolis","Minnesota","HACK","BSO","232","A website breach that occurred on June 1 and was discovered on July 22 resulted in the exposure of customer information.  Names, addresses, phone numbers, unencrypted credit card information, and other information stored on temporary data files may have been accessed due to malicious code on the website.","Media","","2013","44.977753","-93.265011" "October 24, 2012","Barnes & Noble","New York","New York","CARD","BSR","0","PIN pad devices used to process credit and debit card information in stores were compromised.  The breach was discovered around September 14 during maintenance and inspection of the devices.  Anyone who used a credit or debit card at a Barnes & Noble may have been affected by a sophisticated criminal effort to steal that information.  Names, payment card account numbers, and PINs may have been exposed.  Barnes & Noble removed all PIN pads. 
Fewer than 1% of the inspected PIN pads had been affected.UPDATE (10/24/2012): A total of 63 Barnes and Noble stores in nine states had at least one compromised PIN pad device.  Malicious code was installed on the PIN pads.UPDATE (09/05/2013): A federal judge ruled that customers failed to show that their personal information was stolen in the data breach.","California Attorney General","","2012","40.714353","-74.005973" "September 6, 2013","Conexis, State of Virginia","Blacksburg","Virginia","DISC","EDU","13,000","Employees of the state of Virginia who are enrolled in the Commonwealth's 2014 Flexible Spending Account had their information exposed.  Conexis erroneously sent summary reports of Blue Cross/Blue Shield Flexible Spending Account Services to 11 state human resources and payroll employees.  The reports included participants from across the state rather than from specific locations related to the human resources and payroll employees' work.  The human resources and payroll employees who received information that was not intended for them signed a certification confirming that they had deleted or destroyed the information.","Media","","2013","37.229573","-80.413939" "June 6, 2011","Sony Pictures, Sony Corporation of America","New York","New York","HACK","BSO","1,000,000","Hackers called LulzSec obtained over one million Sony customer passwords.  The hackers located data that included passwords, email addresses, phone numbers, home addresses, and dates of birth.  The information was not encrypted and was posted on LulzSec's website.  People wishing to enter online sweepstakes entered their real or fake information.  Anyone who used their Sony Pictures sweepstakes password for another account should immediately change their passwords so that they do not match each other.UPDATE (08/28/2012): A second suspect has been arrested for his alleged role in a computer breach at Sony Pictures Entertainment.  
He faces one count of conspiracy and one count of unauthorized impairment of a protected computer. Sony claims that 37,500 of the one million users affected had personal information exposed.UPDATE (04/18/2013): One of the hackers involved in the breach was sentenced to one year in prison.  He was also sentenced to 13 months of home detention and 1,000 hours of community service after release.UPDATE (08/08/2013): The hacker who was sentenced on April 18 was also ordered to pay $605,663 in restitution.","Databreaches.net","","2011","40.714353","-74.005973" "September 5, 2013","Boston Public School (BPS), Plastic Card Systems","Boston","Massachusetts","PORT","GOV","20,000","Boston Public School students across 36 schools may have had their information compromised by the loss of a flash drive.  The flash drive was misplaced sometime around August 9 by BPS's ID card vendor Plastic Card Systems.","Media","","2013","42.360083","-71.058880" "August 9, 2013","Smartphone Experts","Inverness","Florida","HACK","BSR","0","A hacker was able to access the computer system Smartphone Experts used to process online payments on June 13.  Customer names, addresses, credit and debit card account numbers, CVV codes, and payment card expiration dates were accessed.  The credit card information was encrypted, but the hacker may have used a decryption feature within the online payment processing system to access customer information.UPDATE (09/06/2013): The breach occurred on June 13.  This entry originally listed it as having occurred on July 12.","California Attorney General","","2013","28.835451","-82.331396" "September 10, 2013","Outdoor Network, LLC, Boats.net, Partzilla.com","Lake Placid","Florida","HACK","BSR","0","A website breach exposed an unspecified number of customer names, addresses, credit card numbers, credit card expiration dates, and CVV codes.  
Hackers put malware on Outdoor Network's Boats.net and Partzilla.com websites and were able to access information from credit card transactions between December 2012 and July 2013.","Media","","2013","27.293100","-81.362850" "September 13, 2013","Argotec","Greenfield","Massachusetts","UNKN","BSR","0","An unspecified incident occurred on or around July 26 that may have exposed the confidential information of current and former employees.  Names, Social Security numbers, and bank account information may have been exposed.  Current employees were sent notification on August 6.","Media","","2013","42.587915","-72.599410" "August 1, 2013","Bridgewater Associates, LP, Ceridian","Westport","Connecticut","DISC","BSF","0","An unauthorized individual accessed a database of employee information used for COBRA.  Names, Social Security numbers, dates of birth, addresses, and other benefit plan information of employees and their dependents may have been accessed on the Ceridian database.  The breach was discovered when a Bridgewater consultant reported that their password for the Ceridian database had been changed and someone else had used the credentials to access the database on three separate occasions.  The breach occurred sometime before April 12, 2013.","PHIPrivacy.net","","2013","41.141472","-73.357905" "February 28, 2012","City of Springfield, Springfieldmo.gov","Springfield","Missouri","HACK","GOV","2,100","Two hackers claimed responsibility for hacking the website of the city of Springfield, Missouri.  The breach occurred on February 17, and the databases on the server contained over 300,000 entries.  It appears that not all databases were accessed as the total number of citizens affected was reported as 2,100.  Hackers claimed to have acquired 6,071 entries related to the date of birth, weight, height, race, hair color, skin tone, phone number, address, and Social Security number of people listed in online police reports. 
A total of 15,887 entries related to warrants that included age, date of birth, address, employer, eye color, hair color, race, sex, weight, height, and other details were obtained.  Databases with 1,041 vehicle descriptions from online police reports and details related to 284,618 summons were also obtained.  The hackers posted a significant amount of information, but voluntarily removed any sensitive information that could cause problems for consumers. UPDATE (06/12/2013): A member of Anonymous, John Anthony Borell III, was charged in 2012 for using SQL injections on multiple law enforcement and public agency websites.  He agreed to a plea bargain in April and will serve 36 months in prison for violating a section of federal law addressing computer fraud.  He pleaded guilty to five charges related to hacking and will also pay nearly $230,000 in restitution to a number of agencies that were hacked.","Databreaches.net","","2012","37.208957","-93.292299" "July 26, 2012","Natural Provisions Market","Williston","Vermont","HACK","BSR","350","Investigators are fairly certain that people who used their credit or debit cards at Natural Provisions Market may be the targets of payment card fraud.  Anyone who used a debit or credit card at the store before July 2, and possibly as early as January 2012, should check their bank statements for phony charges.  It appears that hackers accessed Natural Provisions' credit card processors.UPDATE (09/11/2013): The Attorney General of Vermont reached a settlement with Natural Provisions. The store will pay $15,000 to the state and agreed to spend $15,000 to upgrade its computer security system.","Databreaches.net","","2012","44.445278","-73.099167" "September 11, 2013","Edgewood Partners Insurance Center (EPIC)","San Mateo","California","PORT","BSF","0","Five laptops were stolen during a July 16 office burglary.  The laptops contained confidential information and were password-protected but unencrypted.  
Current and former employees and their beneficiaries and dependents, contractors, and job applicants were affected. Names, Social Security numbers, addresses, dates of birth, drivers' license numbers, benefits information, bank account information, and health information were exposed.","Media","","2013","37.562992","-122.325525" "September 10, 2013","Pierce County Housing Authority","Tacoma","Washington","DISC","BSO","979","A human error resulted in the exposure of client information.  A client found a file with Social Security numbers on the website.  The site was shut down while the file was removed.  It is unclear how long the information was available and the error was caused by a former employee. ","Media","","2013","47.252877","-122.444291" "September 10, 2013","University of South Florida (USF) Health","Tampa","Florida","INSD","EDU","140","Police searched the car of a University custodial employee and found USF Physicians Group patient billing information.  Names, Social Security numbers, and dates of birth had been exposed.  The employee no longer works for the University and patients were sent a notification letter in late July.","Media","","2013","27.950575","-82.457178" "September 6, 2013","Georgia Department of Labor","Marietta","Georgia","DISC","GOV","4,457","An employee accidentally emailed a document with the names and Social Security numbers of 4,457 Cobb-Cherokee Career Center customers to 1,000 people.  Recipients were notified and instructed to delete the email immediately without reading it.UPDATE (09/06/2013): The employee who accidentally sent the email attachment was suspended. 
The Georgia Department of Labor is also reviewing its internal policies for handling sensitive information.","Media","","2013","33.952602","-84.549933" "September 7, 2013","Rockland Federal Credit Union","Rockland","Massachusetts","HACK","BSF","0","Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system.  All old debit cards will be deactivated on September 26.","Media","","2013","42.130656","-70.916155" "September 6, 2013","James A. Haley Veterans Hospital","Tampa","Florida","INSD","MED","106","A volunteer allegedly stole the names and Social Security numbers of 106 patients and used the information to file $550,000 worth of fraudulent tax returns.  The volunteer had a co-conspirator and the breach began in late January of 2012.  ","Media","","2013","27.950575","-82.457178" "September 11, 2013","Kaiser Permanente","Oakland","California","DISC","MED","0","Participants in a Wellness Screening competition pilot may have had their information exposed.  A Kaiser Permanente employee accidentally included confidential information in an email sent to a member of the pilot planning team. In addition to a summary of the competition, it included names, Kaiser Permanente medical record numbers, phone numbers, email addresses, names of employers, department names, and dates and times of health screenings.  The pilot planning team member was not authorized to receive the confidential information.","California Attorney General","","2013","37.804364","-122.271114" "August 29, 2013","Midwest Supplies","Roseville","Minnesota","HACK","BSR","0","Customer names, addresses, email addresses, phone numbers, credit card numbers, expiration dates, and security codes may have been exposed after Midwest Supplies' website was hacked.  
All affected customers were offered a $25 coupon for future purchases.","Media","","2013","45.006077","-93.156611" "August 22, 2013","United Shore Financial Services, Shore Mortgage","Troy","Michigan","HACK","BSF","0","The servers of an unnamed Shore Mortgage vendor were affected by a computer intrusion.  The incident may have begun on June 2 and client information was accessed on August 15.  Names, Social Security numbers, contact information, dates of birth, drivers' license information, and financial account information were accessed.","California Attorney General","","2013","42.606410","-83.149775" "May 25, 2012","Phoebe Putney Memorial Hospital","Albany","Georgia","INSD","MED","0","On April 9, 2012, Phoebe Putney Home Health Care (PPMH) learned from law enforcement officials that a former employee had improperly accessed patient information with the intent to file fraudulent tax returns.  The dishonest employee may have accessed the names, Social Security numbers, and dates of birth of patients some time between June 2010 and April 2012.  Patients who were treated through PPMH between July 2005 and April 2012 may have been affected.UPDATE (09/03/2013): The dishonest former employee pleaded guilty to embezzlement of government property and aggravated identity theft on August 23, 2012. She was sentenced to 70 months in prison and ordered to pay $110,431 in restitution to the IRS on August 12, 2013.","PHIPrivacy.net","","2012","31.578507","-84.155741" "August 28, 2013","Washington Inventory Service","Merriam","Kansas","PHYS","BSO","0","A box of hundreds of employee records was found in a publicly accessible recycling dumpster.  The box was later recovered by an employee, but the records were still left behind.  ","PHIPrivacy.net","","2013","39.023617","-94.693570" "August 7, 2013","Retinal Consultants Medical Group (Vitreo-Retinal Medical Group)","Sacramento","California","PORT","MED","1,837","The theft of a laptop resulted in the exposure of patient information.  
The laptop was stolen from the medical group's offices sometime between June 5 and June 6.  Patient names, dates of birth, gender, race, and medical images were exposed.  UPDATE (08/28/2013): The breach affected 1,837 patients.","Media","","2013","38.581572","-121.494400" "August 16, 2013","California Department of Corrections and Rehabilitation, Centinela State Prison","Imperial","California","DISC","MED","0","A file containing staff names, Social Security numbers, and dates of birth was saved to a Centinela State Prison server that was accessible to all staff.  It was on the server between July 26 and July 29 before being removed.","California Attorney General","","2013","32.847553","-115.569439" "August 28, 2013","Office of Janna Benkelman","Denver","Colorado","PORT","MED","1,500","An office burglary resulted in the exposure of patient information.  A laptop was stolen from the office of Janna Benkelman, a licensed professional counselor.  The laptop was password-protected. ","PHIPrivacy.net","","2013","39.739236","-104.990251" "August 28, 2013","Brookdale University Hospital and Medical Center","Brooklyn","New York","PORT","MED","2,700","The May 24 loss of a portable device resulted in the exposure of patient information.  ","HHS via PHIPrivacy.net","","2013","40.678178","-73.944158" "August 28, 2013","Standard Register, Brookdale University Hospital and Medical Center","Brooklyn","New York","PHYS","MED","2,261","The exposure of patient paper records resulted in a breach that was reported in August 2012.","HHS via PHIPrivacy.net","","2013","40.678178","-73.944158" "August 28, 2013","Health Plus Amerigroup, Brookdale University Hospital and Medical Center","Brooklyn","New York","DISC","MED","28,187","An accidental exposure of protected health information affected patients. The information was accidentally disclosed to other facilities.  
The breach was reported in September of 2012.","HHS via PHIPrivacy.net","","2013","40.678178","-73.944158" "August 28, 2013","Young Family Medicine Inc. ","Sidney","Ohio","PORT","MED","2,045","The June 12 theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","40.284216","-84.155499" "August 28, 2013","Hancock OB/GYN","Greenfield","Indiana","INSD","MED","1,396","An employee was found to have accessed physician notes without a work-related reason.  The breach began on November 9, 2011 and lasted until June 17, 2013.  Names, dates of service, medical record numbers, and clinical information were exposed.","HHS via PHIPrivacy.net","","2013","39.785043","-85.769423" "September 19, 2013","DiscountMugs.com (BEL USA LLC)","Medley","Florida","HACK","BSR","0","Customers who placed an order online or by phone between March 1, 2013 and July 15, 2013 may have had their information exposed.  Customer names, debit and credit card numbers, addresses, phone numbers, expiration dates and CVV codes may have been accessed by hackers.","Media","","2013","25.840653","-80.326440" "September 18, 2013","Logan Community Resources, Inc.","South Bend","Indiana","UNKN","MED","2,900","An August 24, 2012 breach resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","41.676355","-86.251990" "September 18, 2013","Minne-Tohe Health Center/Elbowoods Memorial Health Center","New Town","North Dakota","UNKN","MED","10,000","An October 1, 2011 breach resulted in the exposure of protected health information.","HHS via PHIPrivacy.net","","2013","47.980848","-102.490180" "October 11, 2013","Google Chrome","Mountain View","California","DISC","BSO","0","A data management firm discovered that Chrome browser users may have had their personal information stored on the hard drives of their computers without their knowledge or consent.  
Google Chrome regularly stores names, street addresses, email addresses, phone numbers, bank account numbers, credit card numbers, and Social Security numbers in web browsers for later use.  It was not known that Chrome's cache also stores the information in plain text.","Media","","2013","37.386052","-122.083851" "October 10, 2013","Nordstrom","Aventura","Florida","CARD","BSR","0","Six skimmers were found on registers in one Nordstrom store in Aventura.  Six people were seen tending to the devices on the afternoon of October 5. They came in groups of three and distracted sales people while tampering with the registers, twice.  Skimmers and tiny cameras were installed to collect credit card information.  The information can be used to make fraudulent credit cards.","Media","","2013","25.956481","-80.139212" "October 11, 2013","Hope Family Health","Westmoreland","Tennessee","PORT","MED","8,000","The August 4 theft of an unencrypted laptop from an employee's home may have resulted in the exposure of patient information.  Current and former patients may have had their names, Social Security numbers, dates of birth, and billing addresses exposed.  The information came from financial records, patient account information, and billing records dating back to 2005.","Media","","2013","36.561988","-86.248044" "October 10, 2013","Petrochem Insulation, ASRC Energy Services","San Francisco","California","PORT","BSO","0","The July 18 theft of a laptop from an employee's car resulted in the exposure of employee information.  
The laptop contained personnel spreadsheets with employee names, Social Security numbers, and employee identification numbers.","Media","","2013","37.774930","-122.419416" "October 2, 2013","Santa Clara Valley Medical Center","San Jose","California","PORT","MED","571","The theft of an unencrypted laptop from the audiology department of Santa Clara Valley Medical Center resulted in the exposure of patient names, medical record numbers, dates of birth, ages, sex, dates of service, and brainwave tests.  The theft was discovered on September 16.","Media","","2013","37.338208","-121.886329" "October 1, 2013","R.T. Jones Capital Equities Management Inc.","St. Louis","Missouri","HACK","BSF","800","R.T. Jones learned of a cyber attack that occurred on July 22, 2013.  On August 7, 2013, it was discovered that an unauthorized party was able to access a database that contained names, Social Security numbers, and dates of birth.  At least 800 people were affected in Maryland.  It is unclear how many were affected nationwide.","Media","","2013","38.627003","-90.199404" "February 22, 2013","Minnesota Department of Natural Resources, Minnesota Department of Motor Vehicles","Little Falls","Minnesota","INSD","GOV","5,000","An employee working as an administrative manager in the Enforcement Division viewed the DMV information of around 5,000 people outside of work hours and for no job-related reason.  His activities between January 2008 and October 2012 were discovered and he was discharged on January 11, 2013.  It is believed that the driver's license and other motor vehicle record information was viewed for curiosity and not malicious purposes.UPDATE (05/01/2013): A group of people who had their driver's license information accessed filed lawsuits against Minnesota.  The state asked the federal judge hearing the case to dismiss the motions and argued that the state isn't liable under a federal law that protects the privacy of driver's license data.  
The employee responsible for the breach is facing criminal charges; though the breach may not have been for malicious purposes.UPDATE (08/07/2013): The lawsuit was filed against other state employees as well as the employee responsible for the breach.UPDATE (9/25/2013): A district court dismissed the lawsuit.  The judge ruled that state agencies are not liable for a rogue employee's actions.  The case against the dishonest employee is still active.  The liability of the employee's supervisors has been limited and they will not pay damages for the breach.","Media","","2013","45.976389","-94.362500" "October 9, 2013","Holy Cross Hospital","Fort Lauderdale","Florida","INSD","MED","9,900","Nearly 9,900 former Holy Cross Hospital patients were affected by a breach that involved a dishonest employee filing fraudulent tax returns.  Names, Social Security numbers, dates of birth, and addresses were exposed between November 2011 and August 2013.","Media","","2013","26.122439","-80.137317" "September 23, 2013","Columbia University Medical Center (CUMC)","New York","New York","DISC","MED","407","An Excel file with the names and Social Security numbers of 407 medical students was accidentally attached to an email that was sent to medical students interested in a residency match list.  The Excel column that contained the Social Security numbers was hidden and still accessible.  The issue was discovered in March for the 2013 list and it was later discovered that the same issue had occurred in 2008 and 2009.","Databreaches.net","","2013","40.712784","-74.005941" "September 23, 2013","Stanford University","Stanford","California","HACK","EDU","0","Stanford University ID holders (SUNet) users had their account passwords and other information exposed.  The breach occurred sometime during the summer of 2013 and continued into the fall.  The full extent of the breach was not revealed.  
SUNet users were instructed to change their passwords before accessing the system again.","Media","","2013","37.424106","-122.166076" "September 20, 2013","Murphy USA","Little Rock","Arkansas","CARD","BSR","0","Two men pleaded guilty to one count each of conspiracy to commit wire fraud.  They placed skimming devices on gas pumps at Murphy USA station in Conway and Little Rock, Arkansas as well as Durant, Oklahoma.  This allowed them to collect credit card information and create fraudulent credit cards.  The breach occurred between April 2012 and January 2013 and led to fraudulent charges of about $400,000. It's estimated that between 50 and 500 people were affected.","Media","","2013","34.746481","-92.289595" "April 19, 2012","South Carolina Health and Human Services, South Carolina Medicaid","Columbia","South Carolina","INSD","MED","228,435","An employee was fired and arrested after he sent the names, addresses, phone numbers, and dates of birth of Medicaid patients to his private email.  It was discovered that he had compiled and emailed the information of South Carolina Medicaid patients over a period of several months. He was charged with five misdemeanor counts of violating the confidentiality of medical indigents and one count of disclosing confidential information.  At least 22,600 patients had their Medicaid ID numbers emailed. It is unclear how many of those patients had their Social Security number used in place of a Medicaid ID number. Patients were warned not to give any personal information to anyone contacting them and claiming to be from the Medicaid agency.UPDATE (02/20/2013): A dishonest employee and another individual have been charged with criminal conspiracy.  
The employee was also charged with willful examination of private records by a public official, public member, or public employee.UPDATE (10/09/2013): The former employee pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.  The dishonest former employee faces up to 25 years in prison.","PHIPrivacy.net","","2012","34.000710","-81.034814" "October 8, 2013","Saint Louis University, Tenet Healthcare Corporation, SSM Health Care","Saint Louis","Missouri","HACK","MED","3,000","On August 8, Saint Louis University learned that about 10 employees had their direct deposit information changed after several malicious phishing emails were sent to employees on July 25.  About 20 phishing emails were sent and several employees provided their account information. No unauthorized transactions have occurred because of the email scam.  Additionally, patients who were treated or reviewed at facilities owned by the Tenet Healthcare Corporation or SSM Health Care may have had their information exposed.","Media","","2013","38.627003","-90.199404" "June 24, 2010","University of Oklahoma","Norman","Oklahoma","HACK","EDU","0","The University of Oklahoma began warning students of a security breach after its IT department noticed unusual internet activity on a laptop associated with its network.  The laptop was infected with a virus and it contained student names and Social Security numbers.  Students were advised to check bills and credit card transactions to make sure that no fraud had occurred.  ","Media","","2010","35.222567","-97.439478" "October 6, 2013","CaroMont Health","Gastonia","North Carolina","DISC","MED","1,310","An email with patient information was sent to an unauthorized person.  
Names, dates of birth, addresses, diagnoses, and medications were exposed.","Media","","2013","35.262082","-81.187301" "October 7, 2013","PayJunction","Santa Barbara","California","HACK","BSF","0","A number of sales agents were affected when a data backup of PayJunction's internal business system was inappropriately accessed.  The unauthorized access occurred in July and was discovered in late September.  ","Databreaches.net","","2013","34.420831","-119.698190" "October 10, 2013","Legal Aid Society of San Mateo County","Redwood City","California","PORT","NGO","0","The August 12 office burglary of 10 laptops resulted in the exposure of client information.  The laptops were used by Legal Aid Society attorneys to assist individuals in getting services.  Names, Social Security numbers, dates of birth, medical information, and health information may have been exposed.","California Attorney General","","2013","37.485215","-122.236355" "October 11, 2013","Monterey County Department of Social Services","Salinas","California","HACK","GOV","0","A Monterey County computer was compromised during the evening of March 17.  It was connected to the California State Network and contained the information of individuals who received public assistance benefits through Monterey County Department of Social Services between 2002 and 2009.  First and last names, Social Security numbers, addresses, phone numbers, and dates of birth were exposed.  ","Media","","2013","36.677737","-121.655501" "March 29, 2013","Washington Department of Social and Health Services","Gig Harbor","Washington","PORT","GOV","652","A private contractor working for the Department of Social and Health Services discovered that their laptop had been stolen on February 4.  The laptop was recovered in a pawn shop on February 14.  
It contained the names, ID numbers, psychological evaluations, dates of birth, diagnoses, dates of services, addresses, and last four digits of Social Security numbers of clients.UPDATE (10/14/2013): The private contractor was a psychologist who had his license suspended as a result of the incident.  The Washington State Department of Health suspended the license after a history of being charged with unprofessional conduct.  He is accused of misrepresenting the number of people who could be affected by the breach and failing to report it to the Department of Social and Health Services until five days after the breach.","Media","","2013","47.329264","-122.580129" "October 7, 2013","Walgreens","Anaheim","California","STAT","BSR","0","A breach at a Walgreens in Anaheim resulted in the exposure of customer information.  Thieves stole a computer and paper records in December of 2012.  The theft was discovered on December 31 and occurred on December 28.  The burglary occurred in Crescent's billing center.  Names, Social Security numbers, addresses, phone numbers, health insurance information, dates of birth, and medical information were exposed.  ","Media","","2013","33.836593","-117.914301" "November 4, 2011","University of California Los Angeles (UCLA) Health System","Los Angeles","California","PORT","MED","16,288","A September 6 home theft resulted in the loss of an external computer hard drive. It contained the first and last names, birth dates, medical record numbers, addresses, and other medical record information of patients.  The information dated from July 2007 to July 2011 and belonged to an individual who maintained the information in order to fulfill job duties.  Other items were taken during the theft, but none have been recovered.UPDATE (12/20/2011): A class action lawsuit was filed on December 14. It alleges that the UCLA Health System violated California's Confidentiality of Medical Information Act.  
Since the act provides for statutory damages of $1,000 per person, the UCLA Health System could owe nearly $16.3 million to the 16,288 patients who were affected.  UPDATE (12/22/2011): A total of 16,288 people had some type of information on the laptop, but 2,761 had enough information on the laptop to cause ""more than a minimal amount of financial, reputational, or other harm"" if accessed.UPDATE (10/17/2013): A state appellate court dismissed the class action lawsuit.  The ruling was that health care providers are not necessarily liable when medical information is misused or stolen unless the information is accessed by unauthorized parties.","PHIPrivacy.net","","2011","34.052234","-118.243685" "October 17, 2013","California State University Sacramento (Sacramento State University)","Sacramento","California","HACK","EDU","1,800","In August, Sacramento State University was notified that a computer server had been hacked. It contained the Social Security numbers, driver's license numbers, and other personal information of staff members.  The cause and extent of the breach were determined in late September and staff members were notified in mid-October.","Media","","2013","38.581572","-121.494400" "October 17, 2013","Datapak Services Corporation","Howell","Michigan","HACK","BSO","0","Datapak Services discovered that its online systems had been infected by malware since March 5, 2013.  Customer names, addresses, payment card numbers, expiration dates, and CVV codes may have been accessed by an unauthorized party. ","Databreaches.net","","2013","42.607255","-83.929395" "October 9, 2013","Minnesota Counties Insurance Trust","St. Paul","Minnesota","INSD","BSF","3,000","An employee working as a child support officer is accused of making more than 4,000 queries without legitimate cause in a driver and vehicle services database between 2010 and 2011.  
Photographs, addresses, and driving records may have been exposed.UPDATE (10/04/2013): A $2 million settlement has been proposed to end a class action lawsuit.  An insurance trust representing Minnesota counties will pay $500 to the named plaintiffs who initially brought the suit and those who had their information viewed for illegitimate purposes will receive a share of the money ""based on the number of times they were illegitimately searched.""","Media","","2013","44.953703","-93.089958" "September 11, 2013","FSV Payment Systems, Paymast'r Services","Boulder","Colorado","HACK","BSF","0","Between July 22 and July 28, an unauthorized party accessed a website that contained sensitive information.  Names, Social Security numbers, addresses, drivers' license numbers, and Payroll Card numbers may have been accessed.  The website was shut down once the breach was discovered. Paymast'r Services, PaycheckPLUS! Payroll cards issued by MetaBank were affected.","California Attorney General","","2013","40.014986","-105.270546" "October 12, 2013","Gordon Supply Company","Glenside","Pennsylvania","HACK","BSF","400","A woman found two bags of personnel records in her backyard in mid-August.  The woman called the cops after discovering the sensitive information.  Social Security numbers, driver's license photos, addresses, phone numbers, medical information, dates of birth, emergency contacts, payroll history, and tax documents were exposed.  The breach occurred after the building was abandoned and the files were not checked before being discarded.  An estimated 400 people were affected.","Media","","2013","40.099908","-75.152793" "October 17, 2013","Ouidad","Danbury","Connecticut","HACK","BSR","0","Hackers were able to access Ouidad's customer database between June 30 and July 4 of 2013.  Ouidad account information, names, credit card numbers, credit card security codes and expiration dates, billing addresses, email addresses, and phone numbers were exposed. 
","Media","","2013","41.394817","-73.454011" "October 18, 2013","Long Island Rail Road","Long Island","New York","CARD","BSR","0","Ticket vending machines associated with Long Island Rail Road were discovered to have been compromised.  Customers who used their debit and credit cards at the machines may have had their information recorded and used to create fraudulent payment cards.  Tiny cameras were placed on the machines and hidden in thin black strips.  A total of seven machines in Bayside, Garden City, Great Neck, Greenvale, and Merillon Avenue were compromised.","Media","","2013","40.789142","-73.134961" "October 26, 2012","South Carolina Department of Revenue","Columbia","South Carolina","HACK","GOV","6,400,000","South Carolina Department of Revenue's website was hacked by a foreign hacker.  The hack most likely began on August 27, was discovered on October 10, and was neutralized on October 20.  Around 3.6 million Social Security numbers and 387,999 credit card and debit card numbers were exposed. A total of 16,000 payment card numbers were not encrypted.UPDATE (10/31/2012): Tax records dating back to 1998 were exposed.  A lawsuit alleging that South Carolina failed to protect citizens of South Carolina and failed to disclose the breach quickly enough was announced on October 31.UPDATE (11/05/2012): Trustwave was named as the data security contractor who handled the South Carolina website and added to the group being sued over the breach.  Trustwave is an international company based in Chicago.UPDATE (11/15/2012): Over 4.5 million consumers and businesses may have had their tax records stolen by hackers.  It appears that Trustwave focused on helping the Southern Carolina Department of Revenue comply with regulations regarding how credit card information is handled.  Neither Trustwave nor the Southern Carolina Department of Revenue detected the breach.UPDATE (11/29/2012): The total number of people or businesses affected was updated to 6.4 million. 
Approximately 3.8 million taxpayers and 1.9 million of their dependents had their information exposed.  Additionally, 3.3 million tax payers had bank account information obtained.  It is unclear how much overlap there is between the 3.8 million taxpayers and the 3.3 million tax payers who had bank account information obtained.UPDATE (01/11/2013): A State IT division director reported that the SCDOR's former chief information officer and current computer security chief were notified on August 13 that 22 computers were infected with malicious code.  The State's division of IT recommended that passwords be reset after the discovery, but they were not reset.UPDATE (03/01/2013): A lawsuit brought against TrustWave and SCDOR by a former state senator has been dismissed by a judge.  The former senator accused the agencies of conspiring to hide the fact that a massive breach had occurred and failing to adequately protect taxpayers from a potential hack.UPDATE (04/02/2013): About 1,448,798 people signed up for free individual credit monitoring and 41,446 signed up for free family credit monitoring.UPDATE (10/25/2013): It is estimated that South Carolina taxpayers will pay at least $8.5 million to pay for one year's worth of free credit monitoring to those affected by the data breach.  Over 650,000 businesses had their tax information exposed.","Media","","2012","34.000710","-81.034814" "August 2, 2012","Environmental Protection Agency","Washington","District Of Columbia","HACK","GOV","7,800","A computer security breach resulted in the exposure of Social Security numbers, bank routing numbers, and home addresses.  A total of 5,100 current employees and 2,700 other individuals had their information exposed by the unspecified computer breach that occurred in March. Notification was sent around the end of July.UPDATE (10/28/2013): An England national was charged in New Jersey with one count of accessing a U.S. 
department or agency computer without authorization and one count of conspiring to access a U.S. department or agency computer without authorization.  He is being investigated for illegally accessing U.S. government computer systems associated with the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency, and National Aeronautics and Space Administration.","Databreaches.net","","2012","38.895112","-77.036366" "October 28, 2013","Allina Health","Minneapolis","Minnesota","INSD","MED","3,800","Roughly 3,800 patients were affected by a breach that involved a former employee at the Inver Grove Heights clinic.  The employee worked as a certified medical assistant and viewed patient records without permission between February of 2010 and September of 2013.  Patients who were seen at any location within Allina Health's system may have had their demographic, clinical, and health insurance information viewed.  The employee also had access to the last four digits of patients' Social Security numbers.  ","Media","","2013","44.977753","-93.265011" "October 25, 2013","NBC Sports Group","Stamford","Connecticut","PORT","BSO","0","The August 24 theft of two laptops resulted in the exposure of personal information.  The laptops were stolen in Northern California and it is unclear whether employees, clients, or general consumers were affected.  Names, Social Security numbers, driver's licence numbers, and dates of birth were exposed.","Databreaches.net","","2013","41.053430","-73.538734" "October 28, 2013","HealthFitness, Gerdau","Minneapolis","Minnesota","PORT","MED","0","HealthFitness informed Gerdau of a laptop theft that exposed the information of Gerdau employees and employee dependents.  HealthFitness administers Gerdau's health management and wellness program.  
The laptop contained Social Security numbers, employee names, spouse names, dates of birth, and health plan elections.","PHIPrivacy.net","","2013","44.977753","-93.265011" "October 22, 2013","AHMC Healthcare, Inc.","Alhambra","California","PORT","MED","73,000","The October 12 office theft of two laptops resulted in the exposure of patient information from a number of facilities.  Authorities believe a well-known transient was responsible for the thefts.  San Gabriel Valley Medical Center, Garfield Medical Center, Monterey Park Hospital, Whittier Hospital Medical Center, Greater El Monte Community Hospital, and Anaheim Regional Medical Center patients were affected. Names, Social Security numbers, diagnosis and procedure codes, insurance identification numbers, and insurance payments were exposed.","Media","","2013","34.095287","-118.127015" "October 25, 2013","Michigan State University","East Lansing","Michigan","HACK","EDU","0","An unauthorized user was able to modify employee banking information.  The breach was discovered on October 18 when two employees reported receiving email confirmations of changes to their direct-deposit designations.  The unauthorized user may have obtained valid payroll credentials by using a phishing attack.  The HR/Payroll systems were taken offline on Friday, October 18 and were expected to become active again on October 21.","Media","","2013","42.736979","-84.483865" "December 10, 2012","Michigan State University","East Lansing","Michigan","HACK","EDU","1,500","A hacker published approximately 1,500 Michigan State University names, email addresses, user IDs, encrypted passwords, and mailing addresses.","Media","","2012","42.736979","-84.483865" "October 29, 2013","MongoHQ","Mountain View","California","HACK","BSO","0","MongoHQ's internal system was compromised.  The system allowed certain administrative users to appear as other users.  
MongoHQ reset all employee accounts and will enable devices, email, and internal applications after a credential reset and audit.  ","Media","","2013","37.386052","-122.083851" "October 31, 2013","Boone Hospital Center","Columbia","Missouri","INSD","MED","125","An employee was found to have accessed Social Security numbers, dates of birth, medical diagnoses, prescribed treatments, and other health information without cause.  A patient contacted Boone Hospital Center on September 16 and said that her personal health information had been accessed.  An investigation revealed the breach and the employee's access was terminated on September 19.","Media","","2013","38.951705","-92.334072" "October 23, 2013","University of Southern Maine","Portland","Maine","PHYS","EDU","0","Someone broke into a University van and stole campus keys.  The keys could give them access to nearly 50 Portland and Gorham campus buildings.  The University is in the process of replacing locks of the affected buildings.  Student, personnel, and other records may be accessible.  Faculty, staff, and students were notified of the incident and encouraged to shut electronic devices down when leaving them unattended.  They were also advised to not leave sensitive information or belongings in campus buildings without additional locks.","Media","","2013","43.661471","-70.255326" "August 28, 2013","Advocate Medical Group, Advocate Health","Park Ridge","Illinois","STAT","MED","4,000,000","The July 15 office theft of four unencrypted desktop computers resulted in the exposure of patient information. Approximately four million patients who were seen by Advocate Medical Group physicians between the early 1990s and July of 2013 were affected.  Names, Social Security numbers, addresses, and dates of birth were exposed.  
Diagnoses, medical record numbers, medical service codes, and health insurance information were also exposed in some circumstances.UPDATE (09/06/2013): A class-action lawsuit on behalf of patients in the Chicago area has been filed.  It claims that Advocate Medical Center should have done more to protect patient information.","Media","","2013","42.011141","-87.840619" "August 16, 2013","Ferris State University","Big Rapids","Michigan","HACK","EDU","62,000","An unauthorized person gained access to the school's computer network.  Campus ID numbers, names, and possibly other information of staff and students were exposed.  In addition to the 39,000 people who had their files with Social Security numbers exposed, 19,000 more individuals were notified of the breach.UPDATE (10/22/2013): It is estimated that 62,000 people were affected and $380,000 was spent investigating the breach.  This number includes providing services to those who were affected.","Media","","2013","43.698078","-85.483656" "September 30, 2013","The New Teacher Project","Brooklyn","New York","PORT","NGO","0","The July 27 or 28 office theft of an unencrypted laptop resulted in the exposure of current and former employee information.  Names, Social Security numbers, dates of birth, and employee ID numbers were exposed.","Databreaches.net","","2013","40.678178","-73.944158" "July 30, 2013","US Airways, McKesson, City of Houston, Automatic Data Processing (ADP), AlliedBarton Security Services","Tempe","Arizona","DISC","BSO","4,500","A programming error at ADP resulted in the exposure of employee names, Social Security numbers, and other information on W-2 forms.  Employees could have inadvertently downloaded the W-2s of other employees.  The error was corrected on May 4 and involved W-2 forms for tax years 2010, 2011, and/or 2012. 
ADP alerted US Airways to the issue on June 6, 2013.UPDATE (09/13/2013): McKesson and the city of Houston were also affected by the breach.UPDATE (09/30/2013): AlliedBarton Security Services was also affected.  It appears that 206 ADP customers were affected.  Two of the customers affected have at least 4,500 employees.","Media","","2013","33.425510","-111.940005" "September 30, 2013","Sentry Life Insurance, Department of Labor","Stevens Point","Wisconsin","DISC","BSF","0","Sentry Life Insurance discovered that several forms sent to the Department of Labor contained an attachment with names, Social Security numbers, and in a few cases, 401k account balances.  The Department of Labor uploaded the forms to a public website before Sentry's discovery.  The discovery was made on July 2 and a letter was sent on July 11 to the Maryland Attorney General's Office on behalf of Sentry.","Databreaches.net","","2013","44.523579","-89.574563" "September 30, 2013","Denny's","Phoenix","Arizona","PHYS","BSR","200","Job applications from a Denny's in Phoenix were found in a dumpster behind the Denny's.  The paperwork dated back to August of 2012.  The information included addresses, Social Security numbers, and other information normally found on job applications.  The manager said there was a mistake and that similar paperwork is usually shredded.","Databreaches.net","","2013","33.448377","-112.074037" "October 13, 2013","PR Newswire","New York","New York","HACK","BSO","0","Customer usernames and encrypted passwords were accessed and taken by hackers on or after March 8, 2013.  Hackers may have had access to the news release services of companies that use PR Newswire.  The breach is related to the Adobe hack that was revealed in early October of 2013.  
","Media","","2013","40.712784","-74.005941" "October 23, 2013","The Fisherman's Restaurant, Radiant Systems","Fort Worth","Texas","DISC","BSR","0","Radiant Systems accidentally transmitted Fisherman's Restaurant employee information to another Radiant Systems restaurant customer.  The error occurred from May 3, 2013 through September 24, 2013.  Radiant Systems learned of the issue on September 23 and notifications were sent in early October.  Full names, Social Security numbers, dates of birth, gender, marital status and number of dependents, addresses, telephone numbers, and personnel information were exposed.","California Attorney General","","2013","32.755488","-97.330766" "September 15, 2013","International SOS Assistance, Inc.","Philadelphia","Pennsylvania","HACK","GOV","0","An unauthorized user or users accessed at least one U.S. system that hosts traveler information.  The type of information that may have been accessed was not reported and International SOS is still investigating the incident.UPDATE (10/23/2013): The breach occurred on August 24 and was confirmed on August 28.  Names and passport numbers were exposed.  Some travelers also had their Social Security numbers exposed.","Media","","2013","39.952584","-75.165222" "August 30, 2013","Harbor Freight Tools","Wichita Falls","Texas","HACK","BSR","300","Anyone who has shopped at Harbor Freight within the last three months (June, July, and August of 2013) may be at risk for credit or debit card fraud.  Online and in store customers were affected.  Tens of thousands of dollars were taken from between 300 and 600 member accounts.UPDATE (11/04/2013): Customers who made purchases in stores between May 6, 2013 and June 30, 2013 may have had their card account numbers, expiration dates, and card verification numbers exposed.  
","Media","","2013","33.913709","-98.493387" "November 4, 2013","Phoenix Medical Group","Laurel","New Jersey","INSD","MED","0","A dishonest employee accessed and misused patient information sometime between January of 2009 and March of 2012.  Social Security numbers and dates of birth were taken to file fraudulent tax returns. The former employee pleaded guilty to one count of theft of government property and one count of aggravated identity theft.","PHIPrivacy.net","","2013","39.934002","-74.890999" "November 4, 2013","Samaritan Family Medicine Resident Clinic, Samaritan Health System ","Corvallis","Oregon","PHYS","MED","1,222","A patient discovered a stack of unshredded medical documents in a publicly accessible dumpster near the medical offices on Samaritan Drive.  Prescriptions, diagnoses, and other sensitive medical information could have been accessed.  The breach occurred in July and an employee removed the information soon after the incident.The Oregon Department of Consumer and Business Services fined Samaritan $1,000 for the breach.  Samaritan will pay a full fine of $5,000 if it fails to comply with Oregon's confidential records laws during the next five years.","PHIPrivacy.net","","2013","44.564566","-123.262044" "May 31, 2012","Mount Sinai Hospital","Miami Beach","Florida","INSD","MED","340","Eleven computer screen printouts of personal information and seven credit cards of Mount Sinai patients were found in a vehicle that was searched after a motorist was stopped for reckless driving.  An employee of Mount Sinai was linked to patient personal information that was found during the traffic stop. 
She was arrested and accused of accessing and printing the names, Social Security numbers, and dates of birth of 340 patients for identity theft purposes.","PHIPrivacy.net","","2012","25.790654","-80.130046" "November 4, 2013","University Hospitals","Cleveland","Ohio","STAT","MED","7,100","An unnamed contractor misplaced a University Hospitals hard drive after taking it for a computer system upgrade.  The hard drive was stolen from the car of an employee of the contractor on August 8.  It contained patient information such as names, birth dates, addresses, medical record numbers, insurance provider information, and health information.  ","PHIPrivacy.net","","2013","41.499320","-81.694361" "October 30, 2013","Children's Healthcare of Atlanta","Atlanta","Georgia","INSD","MED","500","Children's Healthcare of Atlanta fired and sued an executive for allegedly taking proprietary information that included patient health information, state license numbers for more than 500 health care providers, and other health care provider information.  The executive announced her resignation on October 16 and on October 18 the Hospital discovered that she had emailed sensitive information to her personal email account.  The executive had planned to leave on December 20 but was fired for exposing the Hospital's sensitive information.","PHIPrivacy.net","","2013","33.748995","-84.387982" "October 30, 2013","Emerald Garden, Tampa General Hospital","Clearwater","Florida","INSD","MED","0","An investigation uncovered sensitive information from Emerald Garden and Tampa General Hospital patients.  A dishonest Emerald Garden employee was arrested in May and sentenced to 37 months in prison for conspiring to misuse the information to file tax refunds.  A contact at Tampa General Hospital also supplied patient information.  
","PHIPrivacy.net","","2013","27.965853","-82.800103" "October 30, 2013","Florida Department of Health","Orlando","Florida","INSD","MED","2,300","Two former employees used patient records to make lists of names, Social Security numbers, and dates of birth.  The information was created for tax fraud purposes.","PHIPrivacy.net","","2013","28.538336","-81.379237" "October 25, 2013","Yusen Logistics (Americas) Inc.","Secaucus","New Jersey","PORT","BSO","0","An unencrypted laptop was stolen from an employee's vehicle sometime around September 23.  It contained a spreadsheet with payroll deduction information for former and current Yusen Logistics Americas employees.  It contained names, Social Security numbers, addresses, and payroll benefit deduction amounts from the period of July 2013 to September 2013.","California Attorney General","","2013","40.789545","-74.056530" "October 22, 2013","Aaron's","Atlanta","Georgia","DISC","BSR","0","The US Federal Trade Commission filed a complaint against Aaron's over their practice of monitoring customer activity through software called Detective Mode.  It was determined that customers who rented computers were put at risk for identity theft by Aaron's practice of recording customer keystroke activity, screen shots, and images taken from webcams.  Aaron's may only use tracking technology with the consent of the renter and may not use technology that captures keystrokes, screenshots, images, or sounds on the devices it rents.  ","Media","","2013","33.748995","-84.387982" "October 18, 2013","Broward Health Medical Center","Fort Lauderdale","Florida","INSD","MED","960","Federal and local officials discovered a breach that involved the records of 960 patients treated at Broward Health between October of 2012 and December of 2012.  The patients were treated at 1600 S. Andrews Ave. 
Their names, addresses, dates of birth, insurance policy numbers, and reasons for visits were exposed when an employee took patient documents out of the medical facility.  The last four digits of patients' Social Security numbers are recorded at Broward Health for insurance purposes and were also exposed. ","Media","","2013","26.122439","-80.137317" "October 17, 2013","University of Arizona","Tucson","Arizona","HACK","EDU","9,080"," A July 29 breach of the University of Arizona's College of Law website allowed intruders to access class rosters and applicant lists.  University of Arizona law students and applicants may have had their names, Social Security numbers, usernames, and passwords exposed. ","Media","","2013","32.221743","-110.926479" "October 17, 2013","Eagleton School, Castro School, Munroe School","Morrison","Colorado","PORT","MED","100","The theft of a nurse's suitcase resulted in the exposure of student medical information.  The suitcase contained a thumb drive.  The theft occurred on October 5 and about 100 parents received notification of the breach.  Medications and other health-related information were on the thumb drive.  Addresses and Social Security numbers were not included in the compromised data.","PHIPrivacy.net","","2013","39.653599","-105.191100" "October 10, 2013","NHC Healthcare","Oak Ridge","Tennessee","PORT","MED","0","An unencrypted backup tape was discovered missing. It contained the names, Social Security numbers, dates of birth, home addresses, and medical information of patients.","Databreaches.net","","2013","36.010356","-84.269645" "October 25, 2013","Mount Sinai Medical Center","Miami Beach","Florida","INSD","MED","0","An employee who was working at Mt. Sinai Medical Center through a temp agency was found with patient information during a traffic stop.  Police uncovered a bag that contained over 100 printouts with patient names, Social Security numbers, addresses, and dates of birth.  
Photocopies of checks that had been written to Mt. Sinai Medical Center and corresponding billing statements were also found during the February 27, 2013 traffic stop.  Additional information that could be used for fraud was also found at the temporary employee's residence.The dishonest employee was convicted for involvement in the identity theft and tax refund scheme. It was later discovered that the temp agency gave Mt. Sinai Medical Center false background information about the temporary employee.  Mt. Sinai Medical Center no longer does business with the staffing agency.","PHIPrivacy.net","","2013","25.790654","-80.130046" "November 8, 2013","Standard Insurance Company","Portland","Oregon","DISC","BSF","0","One of Standard Insurance Company's vendors accessed a file that was inadvertently disclosed on the vendor's system.  Names, Social Security numbers, addresses, and dates of birth could have been accessed between October 7 and October 18.  The issue was discovered when an insurance policyholder noticed they had access to the information and contacted Standard Insurance Company.","Media","","2013","45.523062","-122.676482" "November 7, 2013","DaVita","Denver","Colorado","PORT","MED","11,500","The theft of an unencrypted laptop resulted in the exposure of patient and employee information.  The laptop was stolen from an employee's vehicle and contained names, insurance information, diagnoses, and dialysis treatment information.  Approximately 375 patients also had their Social Security numbers exposed.","Media","","2013","39.739236","-104.990251" "November 8, 2013","Baltimore County","Baltimore","Maryland","INSD","GOV","12,000","A contractor who worked for Baltimore County between December of 2011 and July of 2012 was found to have saved the personal information of 12,000 county employees to computers for reasons unrelated to work.  
The information was discovered during an investigation in Florida and came from payroll files dated between January and March of 2007.  Employees who had their paychecks direct deposited were affected and the bank account information of 6,633 employees was exposed.  Baltimore county employees are no longer allowed to download personal information to county computers and more than 5,000 county hard drives will be cleared of related data.","Media","","2013","39.290385","-76.612189" "November 8, 2013","North Carolina Department of Health and Human Services","Raleigh","North Carolina","DISC","GOV","1,300","Over 1,300 people who received payment from state hospitals had their information exposed online.  Names, addresses, payment dates, name of facilities that made the payments, and dollar amounts paid were posted on North Carolina Department of Health and Human Services' transparency website ""NC OpenBook.""  The error was discovered when an individual complained.  The information had been available for years.","Media","","2013","35.779590","-78.638179" "August 18, 2010","Payday Loan Stores of Illinois, PLS Financial","Chicago","Illinois","PHYS","BSF","369","Payday Loan Stores (PLS) was fined $1,107,000 for failing to protect consumer information.  In April of 2010, three boxes of documents were found by police at a dumpster near a Payday Loan Store. According to the Illinois Department of Financial and Professional Regulation, ""the discarded documents contained personal customer information, including Social Security numbers and copies of driver's licenses.""UPDATE (11/08/2012): The Federal Trade Commission (FTC) settled charges with PLS Financial Services and The Payday Loan Store of Illinois regarding their violation of FTC's Disposal Rule and the Gramm-Leach-Bliley Act's Privacy Rule and Safeguards Rule.  The two companies agreed to pay $101,500. 
The companies must also implement a comprehensive information security program that will be assessed for compliance for the next 20 years.","NAID","","2010","41.850033","-87.650052" "September 10, 2013","TrendNet","Torrance","California","HACK","BSR","700","FTC fined TrendNet for having inadequate security practices and marketing their products to consumers as secure.  TrendNet's website was breached by a hacker or hackers.  This allowed them to bypass users' login credentials and access wireless camera feeds.  At least 700 people who purchased TrendNet security cameras had their live camera feeds hacked. Some of their feeds were published online by hackers.","Media","","2013","33.835849","-118.340629" "November 7, 2013","Department of Economic Opportunity","Tallahassee","Florida","DISC","GOV","45","A glitch in the Department of Economic Opportunity's website caused Social Security numbers of people who registered for unemployment to be exposed.  The information was mistakenly sent to businesses and the Department of Economic Opportunity alerted businesses to the issue.  Those who were affected were sent letters.","Media","","2013","30.438256","-84.280733" "November 7, 2013","Washington State University","Pullman","Washington","PORT","EDU","300","The October 11 theft of two external hard drives may have exposed the information of students, current employees, and former employees.  Administrative and financial information such as Social Security numbers may have been exposed.","Media","","2013","46.729777","-117.181738" "November 11, 2013","City Jeffersonville","Jeffersonville","Indiana","DISC","GOV","311","City vendors and other businesses were alerted to a breach of information that dates back to 2001.  Names, addresses, and in some cases Social Security numbers, were sent to city employees in a monthly email about vendor payments.  The issue was noticed when a recent software change made the information easier to spot.  
Jeffersonville's information technology staff deleted the emails from city employee inboxes.","Media","","2013","38.277570","-85.737185" "October 31, 2013","Ektron","Nashua","New Hampshire","HACK","BSO","22","The June 15 hack of Ektron resulted in the exposure of current and former employee information.  Names, Social Security numbers, immigration visas, passport numbers, and employee authorization cards were exposed.  Ektron learned of the breach in July and hired a third party firm to investigate the scope of the breach in August.","Databreaches.net","","2013","42.765366","-71.467566" "November 15, 2013","Greencastle Community School Corporation","Greencastle","Indiana","HACK","EDU","0","Greencastle Community School Corporation notified parents of a security issue involving improper access by students.  Several students from Greencastle High School found a list of student network passwords and were able to access a limited amount of confidential student files on the school network.  Students in grades three through 12 may have had breakfast or lunch expenses falsely charged to their names and students with unauthorized access may have been able to access the network under other students' accounts.","Media","","2013","39.644490","-86.864732" "August 29, 2013","LabMD","Atlanta","Georgia","HACK","MED","9,000","An FTC complaint states that a LabMD spreadsheet with insurance billing data of over 9,000 customers was discovered on a public file sharing network. Social Security numbers, insurance information, medical treatment codes, and dates of birth were exposed by the cyber security issue.  
Identity thieves were found to have acquired the personal information of at least 500 LabMD customers.UPDATE (11/15/2013): LabMD disputed the FTC probe and alleged that the government funded the breach to retaliate against LabMD.","Media","","2013","33.748995","-84.387982" "October 31, 2013","Milwaukee Public School District, Express Scripts","Milwaukee","Wisconsin","DISC","EDU","6,000","Social Security numbers were printed on the outside of letters that were sent to a third party vendor.  As many as 6,000 letters were sent to MPS Medicare D recipients. ","Media","","2013","43.038903","-87.906474" "November 11, 2013","St. Mary's Janesville Hospital, SSM Health Care","Janesville","Wisconsin","PORT","MED","629","The August 27 car theft of an SSM Health Care employee's unencrypted laptop resulted in the exposure of patient information.  Patients who were treated in St. Mary's Janesville Hospital's emergency room between January 1 and August 26 of 2013 were affected.  Names, dates of birth, medical record numbers, account numbers, providers, departments of service, bed numbers, room numbers, dates and times of service, history of visits, complaints, diagnoses, procedures, test results, vaccines, and medications were exposed.","PHIPrivacy.net","","2013","42.682789","-89.018722" "November 4, 2013","CorporateCarOnline.com","Kirkwood","Missouri","HACK","BSO","850,000","Hackers stole and stored information online related to customers who used limousine and other ground transportation.  The online information included plain text archives of credit card numbers, expiration dates, names, and addresses.  Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.","Media","","2013","38.583386","-90.406785" "November 15, 2013","Office of Dr. Paul G. 
Klein, DPM","Wayne","New Jersey","PORT","MED","2,500","The October 1 theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","40.925373","-74.276544" "November 15, 2013","Mount Sinai Medical Center","New York","New York","PORT","GOV","610","The August 1 theft or loss of a portable electronic device resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","40.712784","-74.005941" "November 15, 2013","Mount Sinai Medical Center","New York","New York","PHYS","MED","1,586","Patient records were improperly disposed of on August 6.  ","HHS via PHIPrivacy.net","","2013","40.712784","-74.005941" "November 15, 2013","Rose Medical Center","Denver","Colorado","PHYS","MED","606","Patient records were improperly disposed of sometime between June 28 of 2013 and July 16 of 2013.","HHS via PHIPrivacy.net","","2013","39.739236","-104.990251" "November 8, 2013","ICS Collection Services, Inc, University of Chicago Physicians Group","Tinley Park","Illinois","DISC","MED","1,344","University of Chicago Physicians Group's former contractor ICS Collection Services discovered that website users were able to view sensitive information of other users.  At least one user was able to view the names, addresses, dates of birth, insurance payments and dates, insurance company names, insurance policy numbers, procedures, diagnosis codes and descriptions, dates of service, treating physician names, and sometimes even Social Security numbers associated with University of Chicago Physicians Group patients.  ICS Collection Services learned of the issue on July 9.","HHS via PHIPrivacy.net","","2013","41.573144","-87.793294" "November 8, 2013","Office of Dr. Carol Patrick, Ph.D","Lima","Ohio","STAT","MED","517","The August 8 office theft of several computers resulted in the exposure of patient information.  The computers contained names, Social Security numbers, addresses, and dates of birth that were encrypted.  
They also contained letters, reports, evaluations, and session notes that were not encrypted.","PHIPrivacy.net","","2013","40.742551","-84.105226" "October 22, 2013","Seton McCarthy Clinic, Seton Healthcare Family","Austin","Texas","PORT","MED","5,500","The clinic theft of a laptop on October 4 resulted in the exposure of patient information.  The stolen laptop contained names, Social Security numbers, addresses, phone numbers, dates of birth, Seton medical record numbers, patient account numbers, diagnosis information, immunization information, and insurance information of patients who visited the Seton Total Health Partners program, Seton McCarthy, Seton Topfer, and Seton Kozmetsky community health centers.","Media","","2013","30.267153","-97.743061" "October 8, 2013","Rothman Institute (Reconstructive Orthopaedic Associates)","Philadelphia","Pennsylvania","INSD","MED","2,350","A former employee removed paper copies of daily patient schedules from Rothman Institute on August 11.  The paper copies were taken without permission and were not used for malicious purposes.  Patients who were seen between March 18 and May 10 may have had their names, telephone numbers, dates of birth, locations, staff or physician seen, codes for insurance companies, copay amounts, dates and times of appointments, reasons for visits, and internal-use chart, and code numbers exposed.  Social Security numbers and credit card information were not exposed. The information was not shared with unauthorized parties.UPDATE (11/08/2013): A total of 2,350 patients were affected.","Media","","2013","39.952584","-75.165222" "October 19, 2013","Hospice of the Chesapeake","Pasadena","Maryland","INSD","MED","7,035","An employee emailed spreadsheets with sensitive patient information to a personal account in order to work from home.  Names, ages, dates of service, diagnoses, and medical record numbers were in the spreadsheets.  
The breach was discovered on August 8 and initially suspected to have been caused by a computer intrusion.  Hospice of the Chesapeake investigated the breach for two months before revealing it to patients.UPDATE (11/08/2013): Hospice of the Chesapeake notified HHS and stated that 7,035 patients were affected.","Media","","2013","39.107332","-76.571075" "October 31, 2013","Paragon Benefits Inc, TSYS Employee Health Plan","Columbus","Georgia","INSD","BSO","5,232","An employee of a temporary staffing agency who was working at Paragon Benefits Inc. emailed personal information to his own Gmail account for fraudulent purposes.  The information came from TSYS employees. The dishonest employee was arrested and charged with felony identity theft.  Two spreadsheets that contained names, Social Security numbers, dates of birth, and home addresses were sent.  At least 1,000 TSYS former employees and 11 family members had their information exposed.","Media","","2013","32.460976","-84.987709" "September 6, 2013","Office of Dr. Hankyu Chung","San Jose","California","PORT","MED","2,182","A June 17 office burglary resulted in the theft of two laptops.  One of the laptops contained names, telephone numbers, dates of birth, visit dates, health complaints, physical examination notes, diagnoses, testing information, medication information, and other medical record information.  The thief or thieves were able to get into the office by opening an unlocked door.  No identity theft protection services are being offered to affected patients.UPDATE (11/08/2013): HHS received a report stating that 2,182 patients were affected by the breach.","California Attorney General","","2013","37.338208","-121.886329" "November 11, 2013","North Country Hospital and Health Center","Newport","Vermont","INSD","MED","550","A former employee refused to return a laptop that contained unspecified patient health information.  North County Hospital first learned of the issue on September 18.  
The Newport Police Department was contacted and all administrator-level computer system user codes and passwords that the employee had access to were changed.  The laptop was also password-protected and will be remotely locked out if someone attempts to use it to access the Hospital systems.","HHS via PHIPrivacy.net","","2013","44.936436","-72.205102" "November 8, 2013","Texas Health Presbyterian Dallas Hospital","Dallas","Texas","STAT","MED","949","The August 22 office theft of a computer resulted in the exposure of patient information.  Names, dates of birth, age, gender, radiology images, radiation therapy dose planning, diagnoses, and Texas Health Presbyterian medical record numbers were on the computer.","HHS via PHIPrivacy.net","","2013","32.776664","-96.796988" "November 8, 2013","Comprehensive Podiatry LLC","Independence","Ohio","PORT","MED","1,360","The August 3 theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","41.368665","-81.637903" "November 8, 2013","Access Counseling, LLC","Los Angeles","California","PORT","MED","566","A briefcase was stolen from an employee's car sometime between the evening of August 22 and the morning of August 23.  The case files of seven clients were inside of the briefcase. Additionally, the briefcase contained a computer with files that included names, partial Social Security numbers, dates of birth, addresses, and clinical notes related to all clients.","HHS via PHIPrivacy.net","","2013","34.052234","-118.243685" "November 8, 2013","BriovaRx","Chicago","Illinois","UNKN","MED","1,067","A breach of patient records occurred between July 3 and July 11 of 2013.  
In a breach that may be related, a former employee was sued for stealing confidential health information and trade secrets in October.","HHS via PHIPrivacy.net","","2013","41.878114","-87.629798" "November 8, 2013","Region Ten Community Services Board","Charlottesville","Virginia","HACK","MED","10,228","A hacker obtained the passwords to several employees' emails on July 29.  The email accounts may have contained the health information of patients.","HHS via PHIPrivacy.net","","2013","38.029306","-78.476678" "November 8, 2013","Schuylkill Health System","Pottsville","Pennsylvania","PORT","MED","2,810","The August 7 theft of a laptop resulted in the exposure of patient information.  ","HHS via PHIPrivacy.net","","2013","40.685646","-76.195499" "November 8, 2013","Littleton Podiatry","Littleton","Colorado","PORT","MED","3,512","The August 27 theft of a laptop resulted in the exposure of patient information.","HHS via PHIPrivacy.net","","2013","39.613321","-105.016650" "October 21, 2013","RGV DME (Durable Medical Equipment)","McAllen","Texas","INSD","MED","0","Three people were sentenced to prison for their roles in a scheme to defraud Medicare and Medicaid.  Two of the people owned RGV DME and a third worked for them.  Between early 2004 and late 2011, the three submitted fraudulent claims to Medicare and Texas Medicaid for DME supplies.","PHIPrivacy.net","","2013","26.203407","-98.230012" "November 14, 2013","Alta Bates Summit Medical Center, AverMedia Technologies","Berkeley","California","INSD","MED","115","Two women are accused of misusing the information of over 115 people in the Bay Area for identity theft purposes.  At least 15 Alta Bates Summit Medical Center patients had their information misused and at least 35 had their information collected.  
The two women were arrested on November 5 and also had a payroll sheet from AverMedia Technologies in their possession.","HHS via PHIPrivacy.net","","2013","37.871593","-122.272747" "November 17, 2013","CME Group, CME ClearPort","Chicago","Illinois","HACK","BSF","0","A July cyberattack resulted in the exposure of customer information.  Customers were required to change their log in credentials.  It is unclear what kind of customer information was exposed.","Media","","2013","41.878114","-87.629798" "December 25, 2011","Stratfor.com, Strategic Forecasting Inc.","Austin","Texas","HACK","BSO","68,063","Anonymous/#AntiSec has claimed responsibility for the hack of a global intelligence company named Stratfor.  Hackers were able to obtain tens of thousands of credit card numbers and other personal information from Stratfor.com.  In addition to credit card numbers with security codes, addresses, and names, the hackers obtained 200GB of emails.  The hackers also claim to have used the credit card information to make over $1 million in donations to charities. Hackers later revealed that the information was even easier to use since it had not been encrypted. Stratfor took the website down within an hour after it was hacked and defaced, but sensitive information had already been leaked.UPDATE (1/04/2012): A total of 68,063 unique credit card numbers, 859,311 unique email addresses, 860,160 hashed passwords, 50,569 phone numbers and 50,618 U.S. resident addresses were posted.  Of the 68,063 credit card numbers, about 36,000 were not expired.  UPDATE (2/15/2012): Hackers posing as officials from Stratfor have started emailing infected links to government subscribers whose email addresses were stolen during the breach.UPDATE (2/27/2012): Wikileaks published more than five million emails that were obtained by hackers during the breach. 
Some of these emails could contain sensitive information that would unmask sources, reveal security information that the intelligence-gathering company had collected, and reveal information about many Fortune 500 companies that subscribe to Stratfor.UPDATE (5/03/2012): Four Irish and British men were charged for their involvement with Anonymous's faction Antisec and the Stratfor breach. These men were also charged with involvement in hacks of Fox, Sony Pictures, and the Arizona Department of Public Safety.UPDATE (7/02/2012): Stratfor agreed to settle a class action lawsuit filed on behalf of customers.  Stratfor will offer members of the class action lawsuit one month of free access to its service, worth $29.08, and an electronic book published by Stratfor called ""The Blue Book,"" priced at $12.99.  These two offers may cost Stratfor $1.75 million.  Additionally, Stratfor agreed to pay for a credit monitoring service for any members of the class action lawsuit who request the service.  Stratfor will also pay a $400,000 lump sum for plaintiff attorneys and various fees.UPDATE (08/11/2012): Emails with data about the implementation of the domestic surveillance program TrapWire were also exposed. TrapWire gathers surveillance data from major cities in the US, encrypts it, and sends it to a secretive central database center.UPDATE (05/28/2013): A member of Anonymous pleaded guilty to playing a part in hacking Stratfor Global Intelligence Service, Arizona Department of Public Safety, the Boston Police Patrolmen's Association, the FBI's Virtual Academy, and the sheriff's office of Jefferson County, Alabama.  His charges are related to stealing emails and credit card data as well as hacking Stratfor and several other websites.  
He faces up to 10 years in prison and is scheduled to be sentenced on September 6.UPDATE (11/15/2013): The member of Anonymous was sentenced to 10 years in prison and three years of probation.","Databreaches.net","","2011","30.267153","-97.743061" "September 28, 2013","Virginia Polytechnic Institute and State University (Virginia Tech)","Blacksburg","Virginia","HACK","EDU","144,963","The computer server of Virginia Tech's Department of Human Resources was accessed on August 28.  The information of people who applied online to Virginia Tech between 2003 and 2013 may have been accessed.  No Social Security numbers or financial information was exposed. A total of 16,642 job applicants had their driver's license numbers exposed.  The remaining job applicants had not submitted this information.","Media","","2013","37.229573","-80.413939" "November 20, 2013","GitHub","San Francisco","California","HACK","BSO","0","A hacker or hackers compromised some of the user accounts of GitHub.  The hackers used a brute force attack to expose passwords.  GitHub reset the passwords of users who were affected.","Media","","2013","37.774930","-122.419416" "September 28, 2013","State Farm","Bloomington","Illinois","INSD","BSF","687","State Farm became aware of fraudulent charges on a customer's credit card a few days after the card was used to pay for insurance policies.  A former employee at an after-hours call center was found to have misused the credit card information of at least 11 customers.  The dishonest employee had also worked with 687 other customers.","Media","","2013","40.484203","-88.993687" "September 28, 2013","ICG America (Amazing Clubs, Games2U, Flying Noodle, Monster Brew, Texas Irons, California Reds)","Austin","Texas","HACK","BSO","0","ICG America learned that its payment processing system was the target of a cyber attack.  The attack began on January 2, 2013 and continued until August 2, 2013.  
Customers who made purchases from companies operated by ICG America may have had their names, credit card and debit card numbers, expiration dates, CVV codes, addresses, and email addresses exposed.","Media","","2013","30.267153","-97.743061" "September 28, 2013","Unique Vintage","Burbank","California","HACK","BSR","0","Unique Vintage's website was accessed by malware between January of 2012 and September 14, 2013.  Customer names, emails, credit card numbers, and phone numbers may have been accessed.","California Attorney General","","2012","34.180839","-118.308966" "October 1, 2013","McHenry County College, Ellucian","Crystal Lake","Illinois","DISC","EDU","0","McHenry County College's software vendor Ellucian accidentally sent the personal information of current and former McHenry County College students and staff to three other junior colleges.  Social Security numbers and other information were sent to Morton, Prairie State, and Triton.","Media","","2013","42.241134","-88.316197" "October 1, 2013","JP Morgan Chase","New York","New York","DISC","BSF","0","JP Morgan Chase customers received a privacy notification in early September. A labeling error caused the Social Security numbers of customers to be printed on the outside of the notification letter.  A lawsuit was filed against JP Morgan Chase on behalf of affected customers.  The lawsuit claims that JP Morgan did not immediately notify its customers and should have prevented the breach from happening.  The case is Alexander Furman et al v JP Morgan Chase & Co et al, No. 13-cv-06749, U.S. District Court, Northern District of Illinois.","Media","","2013","40.712784","-74.005941" "October 3, 2013","Windhaven Investment Management","Boston","Massachusetts","HACK","BSF","419","Windhaven Investment discovered a breach of their server in August of 2013.  Client names, account numbers, custodians, investment positions, and other account information may have been accessed by an unauthorized party.  
The breach may have occurred earlier than August.  At least 419 New Hampshire residents were affected.  The total number of people affected nationwide was not revealed.","Databreaches.net","","2013","42.360083","-71.058880" "October 3, 2013","Mercy Health Systems, Allscripts","Baltimore","Maryland","STAT","MED","25","An unencrypted hard drive was discovered missing on January 14, 2013.  It held the names, health plan beneficiary numbers, diagnoses, medical record numbers, and account numbers of 25 Mercy Health Systems patients.  The hard drive was last seen by Mercy Health Systems' transcription contractor, Allscripts. Mercy Health Systems learned of the issue on February 14, 2013.","PHIPrivacy.net","","2013","39.290385","-76.612189" "October 3, 2013","Tri-State Surgical Associates","Elkton","Maryland","INSD","MED","433","An unauthorized staff member provided a physician with the information of 433 patients on July 18.  The information included names, Social Security numbers, addresses, phone numbers for home and work, dates of birth, sex, languages spoken, employers, emergency contacts, emergency phone numbers, emergency contact relationship, guarantor information, and insurance information.","Media","","2013","39.606779","-75.833272" "October 4, 2013","Buckeye Check Cashing","Dublin","Ohio","PORT","BSF","0","The June 27 car theft of a laptop resulted in the exposure of customer information.  Names, Social Security numbers, addresses, and bank account information were exposed.","California Attorney General","","2013","40.099229","-83.114077" "October 4, 2013","NHC Healthcare Oak Ridge","Oak Ridge","Tennessee","PORT","MED","0","An unencrypted backup tape was discovered missing.  
It contained patient names, Social Security numbers, dates of birth, home addresses, and medical information.","Media","","2013","36.010356","-84.269645" "October 4, 2013","PLS Financial Services","Chicago","Illinois","DISC","BSF","0","A programming error that occurred on July 11, 2013 allowed 34 visitors to PLS Financial Services' website to view the names, Social Security numbers, addresses, and email addresses of PLS Financial Services customers.  The error was discovered on July 26 and quickly fixed.","Media","","2013","41.878114","-87.629798" "October 4, 2013","Bell Helicopter","Hurst","Texas","HACK","BSO","0","On July 3, Bell Helicopter learned that some people who attended Bell Helicopter Training Academy were receiving phishing emails from a source claiming to be Bell. It appears that Bell's database of attendee information was accessed by a cyber intruder.  Attendees may have had their email addresses and credit card numbers exposed.","Media","","2013","32.823462","-97.170568" "October 2, 2013","UnityPoint Health","West Des Moines","Iowa","INSD","MED","1,800","A breach was discovered on August 8 during the course of a routine audit.  It was discovered that a contractor accessed UnityPoint's EMR system without a legitimate reason.  An employee gave computer passwords to an employee of another company that provides care to patients.  Names, medical insurance account numbers, home addresses, dates of birth and other health information was accessed between February of 2013 and August of 2013.  ","PHIPrivacy.net","","2013","41.577212","-93.711332" "November 25, 2013","University of California, San Francisco (UCSF)","San Francisco","California","PORT","MED","8,294","The September 25 car theft of a physician's laptop may have resulted in the exposure of patient information.  The laptop may or may not have been encrypted and the physician is based in the Division of Gastroenterology at UCSF's School of Medicine. 
Patient names, Social Security numbers, dates of birth, and medical record numbers were on the laptop.  ","Media","","2013","37.774930","-122.419416" "November 13, 2013","USI Insurance Services LLC","Columbus","Ohio","HACK","BSF","0","Malicious software was installed on the USI website on or around October 2, 2013.  A hacker may have been able to view information stored in the USI system.  Client names, usernames, passwords, and mailing addresses were exposed.","California Attorney General","","2013","39.961176","-82.998794" "November 15, 2013","Superior HealthPlan, Inc.","Austin","Texas","DISC","MED","6,284","New Health and Human Services Commission ID numbers were sent on Superior ID cards to CHIP members on October 4.  It was discovered that a computer error caused some Superior CHIP ID cards to be sent to incorrect addresses. Names, CHIP ID numbers, and doctors' names and phone numbers were exposed.  All members who were affected were notified.","HHS via PHIPrivacy.net","","2013","30.267153","-97.743061" "November 15, 2013","Group Health Cooperative","Seattle","Washington","DISC","NGO","1,015","Group Health member identification numbers and chronic conditions were accidentally printed on the outside of letters that were mailed on September 16.  The issue was discovered on September 23.","HHS via PHIPrivacy.net","","2013","47.606210","-122.332071" "November 8, 2013","Ferris State University - Michigan College of Optometry","Big Rapids","Michigan","HACK","MED","3,947","Michigan College of Optometry learned on July 23, 2013 that their network had been compromised in December of 2011.  A malware program could have accessed the names, Social Security numbers, demographic information, and a limited amount of clinical information of patients that were on the server.  
Former and current patients were mailed letters on September 24.","HHS via PHIPrivacy.net","","2013","43.698078","-85.483656" "November 8, 2013","Sierra View District Hospital","Porterville","California","INSD","MED","1,009","A routine security audit at Sierra View District Hospital revealed that an employee had inappropriately accessed protected health information.  An investigation revealed that the information was not disclosed externally.  The breach occurred between July 1 and August 2.  ","HHS via PHIPrivacy.net","","2013","36.065230","-119.016768" "October 28, 2013","Dun & Bradstreet","Suwanee","Georgia","HACK","BSO","0","A cyber attack occurred during the period between March and April 2013.  Dun & Bradstreet hold information for business marketing and other businesses may have been affected. ","California Attorney General","","2013","34.051490","-84.071300" "November 28, 2013","The Flamingo Resort and Spa","Santa Rosa","California","HACK","BSO","0","A virus was discovered on The Flamingo Resort and Spa payroll computer.  Employee names, Social Security numbers, bank routing numbers for those who used direct deposit, dates of birth, phone numbers, and home addresses may have been exposed.","Media","","2013","38.440429","-122.714055" "November 28, 2013","Orange County Anaheim Medical Center, Kaiser Foundation Hospital","Anaheim","California","PORT","MED","0","A flash drive that contained patient information was discovered missing on September 25, 2013.  It contained names, dates of birth, and medical record numbers.  ","PHIPrivacy.net","","2013","33.836593","-117.914301" "November 27, 2013","University of Pittsburgh Medical Center","Pittsburgh","Pennsylvania","INSD","MED","1,300","An employee was found to have accessed patient records without legitimate cause.  The employee worked in a unit coordinator position for about a year and her supervisor was aware of the issue.  
Patient names, Social Security numbers, medical records, dates of birth, contact information, treatment information, and diagnosis information were accessed.  The employee was fired.","Media","","2013","40.440625","-79.995886" "November 25, 2013","Crown Castle International Corp","Canonsburg","Pennsylvania","HACK","BSO","0","Crown Castle determined on October 31 that their payroll information may have been accessed by hackers.  Employee names, Social Security numbers, and compensation may have been exposed.","Media","","2013","40.262570","-80.187280" "October 10, 2013","City of Wichita - Electronic Procurement Website","Wichita","Kansas","HACK","GOV","29,000","Hackers accessed the city of Wichita's electronic procurement website.  Current and former vendors who had worked with the city and employees who had been reimbursed for expenses  since 1997 were affected.  Social Security numbers, taxpayer ID numbers, and bank account information may have been exposed.UPDATE (11/22/2013): This breach was a result of the Dun & Bradstreet Credibility Corp. breach.  Nearly 29,000 local vendors and employers were affected by the hacking incident that occurred during the weekend of October 5.","Media","","2013","37.687176","-97.330053" "November 22, 2013","Redwood Memorial Hospital","Fortuna","California","PORT","MED","1,039","An unencrypted flash drive from Redwood Memorial Hospital's Cardiopulmonary Services Department was discovered missing on November 8.  The flash drive had been missing since at least November 6 and contained patient names, report ID numbers, test indications, ages, heights, weights, test recording and analysis dates and times, facility and address where services were rendered, and clinical summaries of test findings.  Some patients who were seen at Redwood Memorial Hospital between 2001 and 2013 may have had their information exposed.  
","Media","","2013","40.598187","-124.157276" "November 21, 2013","Clarity Media Group","Denver","Colorado","PORT","BSO","0","The October 12 theft of a laptop resulted in the exposure of current and former employee information.  Current and former employees of Clarity Media Group's subsidiaries and of Freedom Communications were also affected.  Names, Social Security numbers, mailing addresses, email addresses, phone numbers, dates of birth, salaries, and 401(k) balances were on the laptop.  The dependents of employees may have also had their information exposed.","Media","","2013","39.739236","-104.990251" "November 26, 2013","Anthem Blue Cross","","California","DISC","MED","24,500","The Social Security numbers and tax identification numbers of around 24,500 California doctors were accidentally posted in Anthem's online provider directory.  The information was available online at the end of October for about 24 hours.","Media","","2013","36.778261","-119.417932" "November 19, 2013","Sachem Central School District","Lake Ronkonkoma","New York","HACK","EDU","15,000","Two breaches in the summer of 2013 and November of 2013 resulted in the exposure of student information.  The sensitive information that was exposed in July may have been accidentally exposed through an administrative error.  A second breach was discovered on November 8 when the Superintendent learned that student information had been posted on a publicly accessible webpage.  The investigation of the November breach is ongoing.  Student names and ID numbers were the primary types of data that were exposed in both incidents.UPDATE (11/23/2013): A student of Sachem North High School pleaded not guilty to computer trespass and was released without bail.  The student may have also accessed information in 2012.  A list of 15,000 students' information that dated back to the early 2000s was discovered online. 
A list of 130 students who received instructional services in an alternative setting in the 2010-2011 school year was also discovered online.","Security Breach Letter","","2013","40.832098","-73.105371" "November 15, 2013","Dynacare Laboratory, Froedtert Health Workforce Health, City of Milwaukee","Milwaukee","Wisconsin","PORT","MED","9,414","A Dynacare Laboratory employee's car was stolen on October 22.  The car held a flash drive with employee names, Social Security numbers, addresses, dates of birth, and genders.  Dynacare Laboratory is one of Froedtert Health Workforce's contractors and Froedtert Health Workforce was handling health information for the City of Milwaukee Wellness Program.  The City of Milwaukee Department of Employee Relations learned of the incident on November 15.UPDATE (11/18/2013): A Dynacare laptop that contained no personal information was also in the employee's car.  The car and laptop were recovered; the flash drive remains missing.UPDATE (11/21/2013): The City of Milwaukee filed a complaint against Dynacare with the Federal Office of Civil Rights.UPDATE (11/29/2013): A total of 9,414 people were affected including about 6,000 city employees and 3,000 city employee dependents.  The Milwaukee Professional Firefighters Association Local 215 was also affected and a lawsuit against Dynacare Laboratory and Froedtert Health was filed.","Media","","2013","43.038903","-87.906474" "May 25, 2012","University of Nebraska, Nebraska Student Information System, Nebraska College System","Lincoln","Nebraska","HACK","EDU","654,000","A University technical staff member discovered a breach on May 23.  Staff took steps to limit the breach and there was no clear evidence that any information was downloaded.  The Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former University of Nebraska students may have been accessed.  
The database also included the information of people who applied to the University of Nebraska, but may have not been admitted, and alumni information as far back as Spring of 1985. The University of Nebraska was still investigating the extent of the breach as of May 25, 2012.UPDATE (05/29/2012): The University of Nebraska created a webpage for information about the breach.  Close to 21,000 people had bank account information that was linked to the student information system and exposed.  The University of Nebraska's computer database also held 654,000 Social Security numbers, though it is unclear if that number completely overlaps the number of individuals who had their bank account information exposed.  Current and former students of the University of Nebraska campuses in Lincoln, Omaha, and Kearney were affected; as well as anyone who applied to the University since 1985.UPDATE (06/01/2012): The Nebraska College System began using a shared student information system called NeSIS in 2009.  This resulted in data from Chadron State, Peru State, and Wayne State colleges being exposed.UPDATE (09/10/2012): Police seized computers and related equipment belonging to a University of Nebraska-Lincoln (UNL) undergraduate student who is believed to be involved in the incident.UPDATE (12/11/2012): The former UNL student has been charged with intentionally accessing a protected computer system and causing damage of at least $5,000.UPDATE (06/22/2013): The hacker now faces an additional nine charges of exceeding his authorized access to a computer and two charges of knowingly transmitting a program that damaged computers owned by the University of Nebraska and Nebraska State College Systems.UPDATE (12/03/2013): The hacker and former UNL student pleaded guilty to one count of intentionally damaging a protected computer and causing loss in excess of $5,000.  
His sentencing was scheduled for March 21, 2014.","Dataloss DB","","2012","40.806862","-96.681679" "November 26, 2013","URM Stores","Spokane","Washington","HACK","BSR","0","Washington banks and credit unions noticed fraudulent activity on the debit and credit cards of grocery store customers.  The breach was traced to Yoke's Fresh Markets, Rosauers stores, and other grocery stores associated with URM stores.  The hacking incident occurred sometime between September and October.  Customers were encouraged to use cash, check, or an alternative form of payment card processing to pay in stores until the breach was resolved.UPDATE (12/03/2013): Over 24 stores in Montana and an unspecified number of stores in Oregon were also affected.  URM believes the breach that allowed fraudulent copies of customer payment cards to be created has been contained.  Customers were encouraged to check their bank statements after URM allowed normal payment card purchases to resume.","Media","","2013","47.658780","-117.426047" "December 3, 2013","MadeInOregon","Portland","Oregon","HACK","BSR","1,700","MadeInOregon's website may have been accessed by unauthorized parties.  The credit card transaction information of customers may have been accessed between mid-October and mid-November. Seven customers confirmed that they were affected by fraudulent credit card activity after making purchases on MadeInOregon's website.","Media","","2013","45.523062","-122.676482" "December 4, 2013","ADP, Facebook, Gmail, LinkedIn, Twitter, Yahoo, YouTube","","","HACK","BSO","2,000,000","A breach that involved keylogging software affected at least 93,000 websites.  The virus may have originated on a server located in the Netherlands.  It first started collecting passwords and usernames on October 21. Approximately 860 computers in the United States were affected. 
More than 99% of the computers that were affected were outside of the United States.","Media","","2013","37.090240","-95.712891" "October 4, 2013","Adobe, PR Newswire, National White Collar Crime Center","San Jose","California","HACK","BSR","2,900,000","Hackers obtained the customer information of nearly 3 million Adobe customers who used Photoshop, InDesign, Premiere, and other Adobe software products.  Customer IDs, encrypted passwords, names, encrypted credit or debit card numbers, expiration dates, and other information related to customer orders were exposed.  Anyone who bought software directly from Adobe's website is advised to change their Adobe account passwords.UPDATE (10/11/2013): Hackers kept the source code on a hidden, but unencrypted server.UPDATE (10/21/2013): A second breach related to the initial one in early October caused Adobe to reset client passwords.UPDATE (10/29/2013): An investigation revealed that the encrypted passwords of approximately 38 million active users were also exposed.  Adobe IDs were also compromised and were reset by Adobe after the breach.UPDATE (11/20/2013): Around 42 million passwords for the Australian-based online dating service Cupid Media were also found on the same server that contained stolen Adobe, PR Newswire, and National White Collar Crime Center information.UPDATE (11/25/2013): Some estimate that 152 million Adobe ID accounts were in a file that began circulating the internet in late October.  Adobe Systems Inc has encountered delays in trying to notify all customers of the issue since it was discovered 10 weeks ago.  ","Media","","2013","37.338208","-121.886329" "December 6, 2013","B&G Foods North America, Inc., Maple Grove Farms","St. Johnsbury","Vermont","HACK","BSR","0","On November 16, B&G Foods North America, Inc. discovered that an unauthorized party accessed Maple Grove Farms' website.  
Customers who made online purchases may have had their names, addresses, telephone numbers, and payment card numbers exposed.  ","California Attorney General","","2013","44.419263","-72.015118" "November 15, 2013","Lincoln Credit Center, National Debt Defense, SmartPath","San Diego","California","UNKN","BSF","0","Personal information related to client accounts may have been compromised at a physical location.  The breach occurred sometime between October 20 and November 15. Lincoln Credit Center is monitoring client accounts for suspicious activity.","California Attorney General","","2013","32.715738","-117.161084" "August 17, 2012","Discover Financial Services","Riverwoods","Illinois","UNKN","BSF","0","An unspecified number of Discover customers had their account numbers changed and were issued a new card.  It is unclear what type of security breach prompted the notification and when it may have occurred. Several customers in California received the notification letter; residents of other states may have been notified as well.","California Attorney General","","2012","42.167525","-87.897014" "November 11, 2013","Discover Financial Services","Riverwoods","Illinois","UNKN","BSF","0","An unspecified number of Discover customers had their account numbers changed and were issued a new card.  It is unclear what type of security breach prompted the notification and when it may have occurred. Several customers in California received the notification letter; residents of other states may have been notified as well.","California Attorney General","","2013","42.167525","-87.897014" "November 20, 2013","Office of Dr. Kathleen Whisman","Sebastopol","California","STAT","MED","0","Sometime around April 11, 2013, Dr. Whisman learned of a breach that involved patient information on a computer recovered during an identity theft ring investigation.  
The patient information included full names, Social Security numbers, addresses, telephone numbers, dates of birth, and insurance plan information for patients who were seen in 1998 and 1999.  The information likely came from a stolen computer and Dr. Whisman was encouraged to delay notification until the investigation was completed.","California Attorney General","","2013","38.402136","-122.823881" "September 26, 2013","LexisNexis, Dun & Bradstreet, Kroll Background America","Short Hills","New Jersey","HACK","BSO","0","Hackers were able to access an underground database of stolen consumer information.  It was discovered that the network was set up to receive information from internal systems at several large data brokers.  LexisNexis was one of the data brokers that was affected and discovered that their networks may have been compromised for at least five months.  Dun & Bradstreet discovered that their systems had been compromised as far back as March 27, 2013.  The breach of Kroll Background America, Inc. had begun as far back as June 2013.UPDATE (11/26/2013): Kroll Background America informed California that 548 California residents were affected by the breach.","Media","","2013","40.748350","-74.323219" "December 6, 2013","Houston Methodist Hospital","Houston","Texas","PORT","MED","1,300","The December 5 theft of an encrypted laptop and files resulted in the exposure of transplant patient information.  Names, Social Security numbers, and dates of birth may have been exposed.","Media","","2013","29.760427","-95.369803" "November 17, 2013","MacRumors, vBulletin","","","HACK","BSO","860,000","A group of hackers claimed responsibility for compromising usernames, emails, and passwords associated with MacRumors and vBulletin Forum.  The hackers used a Zero Day exploit.  A total of 860,000 MacRumors users were affected. 
It is unclear how many vBulletin Forum users were affected.","Media","","2013","37.090240","-95.712891" "December 3, 2013","Chicago Public Schools","Chicago","Illinois","DISC","EDU","2,000","The vision exam dates, diagnoses, dates of birth, genders, identification numbers, and school names of students were accidentally made available to the public online between June 18 and July 31, 2013.  The breach was discovered on October 7 and the Chicago vision exam program information was removed.  The information was viewed by 14 people during that time.  All cached and archived versions of the information were also removed from the Internet.","Databreaches.net","","2013","41.878114","-87.629798" "November 29, 2013","University of Washington Medicine","Seattle","Washington","HACK","MED","90,000","An employee at UW Medicine opened an email attachment that contained malicious software in early October.  The malware affected the employee's computer and any information on the computer may have been compromised.  Patient names, Social Security numbers, phone numbers, addresses, and medical record numbers may have been affected.  Patients who were seen at UW Medicine dating back to at least 2008 could have had their information exposed.  Notifications of the breach were sent at the end of November.","Media","","2013","47.606210","-122.332071" "November 28, 2013","Florida Digestive Health Specialists","Bradenton","Florida","INSD","MED","4,400","An employee was found to have improperly accessed and photographed patient records.  The issue was discovered when the employee had the images printed at a store and a store employee reported the incident.  Patient names, Social Security numbers, dates of birth, and phone numbers were exposed.  
The employee was fired and a criminal investigation has begun.","Media","","2013","27.498928","-82.574819" "November 27, 2013","California Employment Development Department","Sacramento","California","DISC","GOV","0","Unemployment claim filing notices were sent to employers that contained information of people who had never been employed with them.  An undisclosed number of people had their names and Social Security numbers mistakenly exposed.  The issue was discovered when several employers notified EDD that some of the names and Social Security numbers did not match their records.UPDATE (11/22/2013): The erroneous mailings occurred between September 14, 2013 and October 9, 2013.","Media","","2013","38.581572","-121.494400" "November 11, 2013","New York City Police Department","New York","New York","INSD","GOV","30","A former police detective pleaded guilty to paying hackers to steal passwords associated with the email accounts of other officers.  The dishonest detective also misused the National Crime Information Center database to search for the information of at least two other NYPD officers.  The breaches occurred between April of 2010 and October of 2012. The dishonest detective was charged with one count of conspiracy to commit hacking and one count of unauthorized access.  The 30 or more people who were affected included 20 current and former NYPD officers.  At least 43 email accounts and one cellular phone account were hacked.","Media","","2013","40.712784","-74.005941" "October 18, 2013","BW Arthritis and Rheumatology, Good Samaritan Hospital, MedStar Health Inc, Padder Health Service, LLC","Glen Burnie","Maryland","INSD","MED","55","Four people face charges related to misusing patient information to make more than $750,000 of fraudulent purchases.  At least two of the people worked at medical offices and at least one had direct access to a health care database.  
One of the dishonest employees worked at Paddar Health Service between June of 2010 and February of 2012 and at BW Arthritis and Rheumatology between February of 2012 and February of 2013.  Another dishonest employee worked at Good Samaritan Hospital from July of 2008 to July of 2010.  ","PHIPrivacy.net","","2013","39.162608","-76.624689" "October 16, 2013","Memorial Hospital of Lafayette County, Healthcare Management System","Darlington","Wisconsin","DISC","MED","6,000","Memorial Hospital of Lafayette learned on August 6 that some patients had their financial statements sent to other people.  The mistake was caused by an error in the settings of an unnamed third-party billing vendor's system.  Patients who were seen at the hospital as far back as 2001 may have had their information sent to the wrong address. Patient names, addresses, identification numbers, account numbers, dates of services, and the charges associated with services received were exposed.UPDATE (11/08/2013): The billing vendor was Healthcare Management System.","PHIPrivacy.net","","2013","42.683057","-90.117626" "December 5, 2013","JPMorgan Chase","New York","New York","HACK","BSF","465,000","The information associated with JPMorgan Chase prepaid cash cards (Ucards) that were issued to corporations for employee payments and for government issued tax refunds, unemployment, and other benefits may have been accessed by hackers. The breach happened back in July of 2013 and JPMorgan learned of the breach sometime during the middle of September.  The breach was disclosed after an investigation revealed which customer accounts may have been affected.UPDATE (12/06/2013): Hackers were able to breach the www.ucard.chase.com website and access personal information.  The passwords appeared in plain text during the course of the attack.  Child support payments may have also been affected.  
The Department of Social Services, the Department of Labor, and the Department of Children and Families sent out prepaid cards that were affected.  The breach affected people nationwide. Government agencies in Maine, Utah, Connecticut, and Pennsylvania confirmed they were affected.UPDATE (12/09/2013): Rhode Island residents were also affected.UPDATE (12/12/2013): Michigan residents were also affected.  Beneficiaries were affected nationwide.  Each state has a different number of residents who were affected.","Media","","2013","40.712784","-74.005941" "December 11, 2013","University of Iowa","Iowa City","Iowa","HACK","EDU","0","An employee called the University of Iowa's help desk after clicking a suspicious link in an email.  It was discovered that the personal information and direct deposit information of over a dozen University of Iowa employees may have been exposed through compromised employee computers and accounts.  At least two employees had an unspecified, but large amount of money stolen from their November paychecks.  Two sets of phishing emails were sent to nearly 2,000 University of Iowa employees and the scam has been contained. ","Media","","2013","41.661128","-91.530168" "December 12, 2013","Boston Convention and Exhibition Center","Boston","Massachusetts","CARD","BSO","300","At least seven employees of Boston Convention and Exhibition Center and 300 people who attended conventions during the fall may have been affected by a credit card breach.  It is unclear how the credit card information may have been accessed and the exact dates when customers would have been vulnerable.","Media","","2013","42.360083","-71.058880" "December 13, 2013","The University of Connecticut (UConn) Health Center","Storrs","Connecticut","INSD","MED","164","An employee accessed patient information without cause.  The employee's actions did not appear to be malicious and the employee was placed on administrative leave.  
The incident or incidents were discovered on November 4.","Media","","2013","41.808431","-72.249523" "December 11, 2013","Los Angeles Gay & Lesbian Center","Los Angeles","California","HACK","NGO","59,000","A cyber attack caused the information of clients associated with the L.A. Gay and Lesbian Center to be affected between September 17, 2013 and November 8, 2013.  Names, Social Security numbers, credit card information, dates of birth, contact information, medical information, and health insurance account numbers may have been exposed.","Media","","2013","34.052234","-118.243685" "December 14, 2013","Bailey's Health Center","Falls Church","Virginia","DISC","MED","1,499","Patient information was kept on an unsecured computer server.  Names, Social Security numbers, addresses, pharmacy identification numbers, medication dosages, payment information, and names and addresses of prescribers may have been accessed by unauthorized parties.  The pharmaceutical records were discovered online on October 18 through a routine forensic audit.","Media","","2013","38.882334","-77.171091" "December 14, 2013","Lanap and Implant Center of Pennsylvania","Collegeville","Pennsylvania","DISC","MED","11,000","The Lanap and Implant Center learned of a breach on September 17, 2012.  Patient information had been uploaded to websites in February of 2010 where it could be downloaded by anyone.  Names, Social Security numbers, addresses, dates of birth, phone numbers, dates of appointments, types of services provided, dental insurance information, and other patient records were available.  At least 5,000 patients were informed of the breach sometime around November 1, 2012.  
The information appears to still be available for download.","PHIPrivacy.net","","2013","40.185660","-75.451571" "December 12, 2013","inSync, Cottage Hospital, Cottage Health System","Santa Barbara","California","DISC","MED","32,755","A Cottage Hospital vendor removed an electronic security device without notifying Cottage Hospital.  The removal may have exposed patient information.  Patients treated at centers in Goleta, Santa Ynez, and Santa Barbara between September 29, 2009 and December 2, 2013 may have had their lab results, procedures performed, and other medical details relating to diagnosis exposed.UPDATE (12/13/2013): Patient names, dates of birth, addresses, and health information may have been exposed.UPDATE (12/15/2013): Cottage Hospital's vendor was inSync.","Media","","2013","34.420831","-119.698190" "September 13, 2013","MNsure","St. Paul","Minnesota","DISC","MED","2,400","An agency employee accidentally sent the information of 2,400 insurance agents to two other MNsure employees via email.  MNsure instructed the employees to delete the information.  Names, Social Security numbers, and addresses were part of the breach.UPDATE (12/12/2013): It was also discovered that the health insurance exchange has vulnerabilities that may allow hackers to see information travelling between a user's computer to the MNsure website.","Media","","2013","44.953703","-93.089958" "December 17, 2013","Colorado Governor's Office of Information Technology","Denver","Colorado","PORT","GOV","18,800","A Colorado state employee lost a flash drive that contained the information of current and former Colorado state employees.  It contained names, Social Security numbers, and a limited number of home addresses.  The flash drive was discovered missing in late November and is believed to have been lost while the employee traveled between work sites.  
Approximately 8,000 of those who were affected were current employees while 10,800 were former employees.","Media","","2013","39.739236","-104.990251" "August 16, 2013","U.S. Department of Energy","Washington","District Of Columbia","UNKN","GOV","104,000","An unspecified security incident caused the personal information of current and former employees to be exposed.  No classified data was lost.UPDATE (08/30/2013): An August 29 memo revealed that the system that was hacked was called DOEInfo.  A total of 2,539 current employees and 3,172 former employees were affected.  Names, Social Security numbers, and dates of birth were exposed.UPDATE (09/03/2013): Approximately 53,000 current and former federal employees, employee dependents and contractors had their information exposed.  The incident occurred in July of 2013.UPDATE (10/22/2013): The Department of Energy revised the number of affected current and former employees to 104,000.UPDATE (12/13/2013): Up to 150,000 employees may have been affected.UPDATE (12/17/2013): A federal audit revealed that the Department of Energy had received warnings about the security of its information systems, yet failed to act.","Media","","2013","38.907192","-77.036871" "December 18, 2013","Washington Post","Washington","District Of Columbia","HACK","BSO","0","Hackers were able to access Washington Post employee usernames and passwords through an attack on the paper's servers.  The attack began through access to a server used by the Washington Post's foreign staff and then spread to more Washington Post servers.  The Washington Post and several other national papers were attacked in 2011 as well.","Media","","2013","38.907192","-77.036871" "December 21, 2013","Affinity Gaming","Las Vegas","Nevada","HACK","BSO","0","Facilities owned by Affinity Gaming may have been exposed to a cyber attack between March 14 and October 16.  Customer information associated with credit and debit cards may have been taken.  
Affinity Gaming owns Silver Sevens Hotel & Casino, Rail City Casino, Buffalo Bill's Resort & Casino, Primm Valley Resort & Casino, Whiskey Pete's Hotel & Casino, Golden Mardi Gras Casino, Golden Gates Casino, Golden Gulch Casino, Mark Twain Casino & RV Park, Lakeside Hotel & Casino, and St. Jo Frontier Casino.","Media","","2013","36.169941","-115.139830" "December 24, 2013","Lakes Liquor","Detroit Lakes","Minnesota","UNKN","BSR","0","Hundreds of debit and credit cards were compromised after customers used them at Lakes Liquor between October 27 and November 25.  Customer names, payment card numbers, expiration dates, and security codes may have been accessed for fraudulent purposes.  It is unclear how the information was obtained from Lakes Liquor.","Media","","2013","46.817181","-95.845325" "December 21, 2013","DeLoach & Williamson, South Carolina Health Insurance Pool","Columbia","South Carolina","PORT","MED","0","The October 16, 2013 theft of a laptop from a DeLoach & Williamson employee's car may have resulted in the exposure of an unspecified number of South Carolina Health Insurance Pool patients' information.  Full names with middle initials, Social Security numbers, dates of service, and provider identification numbers may have been exposed.","Media","","2013","34.000710","-81.034814" "December 13, 2013","University of North Carolina - Chapel Hill","Chapel Hill","North Carolina","DISC","EDU","6,500","Electronic files that contained names, Social Security numbers, tax identification numbers, addresses, and dates of birth were discovered online on November 11.  The information was taken down on November 23 and appears to have accidentally ended up online after maintenance work on a University computer disabled a privacy feature during the summer.UPDATE (12/17/2013): Over 6,500 individuals were affected.  The breach affected current and former staff as well as fewer than 200 students.  
The data affected may date back as far as 1999.","Media","","2013","35.913200","-79.055845" "December 17, 2013","Radnor School District","Radnor","Pennsylvania","DISC","EDU","2,000","An employee performing a transfer of personnel data accidentally left the data accessible and a middle school student viewed it.  The student also shared the information.  Current and former employees may have had their names, addresses, phone numbers, dates of birth, and Social Security numbers accessed as early as June and as late as the end of the 2012-2013 school year.  The breach was discovered in November.","Media","","2013","40.043912","-75.375460" "December 16, 2013","Tennessee Department of Treasury","Nashville","Tennessee","INSD","GOV","6,300","An employee downloaded the information of 6,300 Nashville teachers in order to work from a personal computer and account at home.  A Tennessee Consolidated Retirement System file that contained teacher names, Social Security numbers, and dates of birth was uploaded by the employee around the time that he resigned from his position.  His personal computer and other electronic devices were seized by investigators.","Media","","2013","36.162664","-86.781602" "December 17, 2013","U.S. Federal Election Commission (FEC)","Washington","District Of Columbia","HACK","GOV","0","The U.S. Federal Election Commission's computer system was accessed by unauthorized parties sometime in October of 2013 during the government shutdown.  The system appears to have been infiltrated by hackers located in China.  The attack occurred at a time when no staff members were on duty to identify the issue.","Media","","2013","38.907192","-77.036871" "December 10, 2013","Office of Dr. Stephen Imrie","San Jose","California","PORT","MED","8,900","The September 23 home burglary of a password-protected laptop and other items may have exposed patient information.  
The laptop contained patient first and last names, Social Security numbers, dates of birth, telephone numbers, surgical information, medical history, and other information related to patient records.","California Attorney General","","2013","37.338208","-121.886329" "December 20, 2013","Discover Financial Services","Riverwoods","Illinois","UNKN","BSF","0","An unspecified number of Discover customers had their account numbers changed and were issued a new card.  It is unclear what type of security breach prompted the notification and when it may have occurred.  Several customers in California received the notification letter; residents of other states may have been notified as well.","California Attorney General","","2013","42.167525","-87.897014" "December 20, 2013","Techmedia Network","Ogden","Utah","HACK","BSO","0","An unauthorized person or persons gained access to Techmedia Network's systems.  Customer names, credit card numbers, expiration dates, CVV security codes, mailing addresses, email addresses, and phone numbers may have been exposed.  The breach was discovered on November 20.","California Attorney General","","2013","41.223000","-111.973830" "December 20, 2013","W.J. Bradley Mortgage Capital, LLC","Centennial","Colorado","INSD","BSF","0","A former loan officer took files from WJB's computer systems while she was still employed.  The loan officer then left WJB and another mortgage company ended up with the information in late July and early August of 2013.  Client names, Social Security numbers, credit reports, bank account information, tax information, and other sensitive information related to loan applications were taken.  The information was eventually retrieved and removed from the systems of the unnamed mortgage company.","California Attorney General","","2013","39.580745","-104.877173" "December 22, 2013","Office of Dr. 
Rob Meaglia, DDS","Rocklin","California","STAT","MED","0","The December 15 office burglary of a computer resulted in the exposure of patient information.  Medical records, dental insurance information, and Social Security numbers may have been exposed. The computer was encrypted and password-protected.","California Attorney General","","2013","38.790734","-121.235783" "December 25, 2013","Inspira Medical Center Vineland","Vineland","New Jersey","STAT","MED","0","The December 23 theft of a computer from the radiology department of Inspira Medical Center Vineland may have resulted in the exposure of patient information.  The computer was kept in an unsecured filing room.","PHIPrivacy.net","","2013","39.486377","-75.025964" "October 30, 2013","Florida Department of Health","Orlando","Florida","INSD","MED","3,500","Two employees accessed a database of patient names, Social Security numbers, and dates of birth for the purpose of misusing the information to file tax returns.  Police found a hand written list of 148 names and personal information when they searched the home of the alleged ring leader.  Patients who were 17 and 18 years of age were targeted.UPDATE (12/21/2013): The two women each pleaded guilty to one federal fraud charge related to accessing names, Social Security numbers, and dates of birth.","PHIPrivacy.net","","2013","28.538336","-81.379237" "December 20, 2013","Walgreens","Baltimore","Maryland","INSD","BSR","8","Walgreens became aware of a breach involving an employee on November 4, 2013.  The employee was fired and prosecuted.  The incident was reported to the Maryland Attorney General's office on November 27 and credit card numbers were affected.","PHIPrivacy.net","","2013","39.290385","-76.612189" "November 15, 2013","Hospital for Special Surgery","New York","New York","INSD","MED","537","A March 19 breach may have resulted in the exposure of patient information.  
The breach may have involved the theft of computer equipment, the unauthorized access of information on a computer, and/or paper records.UPDATE (12/20/2013): A dishonest employee accessed names, Social Security numbers, addresses, dates of birth, driver's license numbers, passport numbers, physician names, diagnosis information, medical billing codes, bank account and routing numbers, and payment party names and payment information.  Hospital for Special Surgery learned of the breach on May 31 and the dishonest employee was arrested in August.","HHS via PHIPrivacy.net","","2013","40.712784","-74.005941" "December 17, 2013","Comprehensive Psychological Services LLC","Columbia","South Carolina","PORT","MED","3,500","The October 28 office theft of a laptop resulted in the exposure of patient information.  The laptop was password-protected and the patient files on it were not encrypted.  Neuropsychological testing, educational testing, custody evaluations, and other assessments and evaluations may have been exposed.","HHS via PHIPrivacy.net","","2013","34.000710","-81.034814" "December 17, 2013","UHS-Pruitt Corporation","Norcross","Georgia","PORT","MED","1,300","Current and former residents of Heritage Healthcare of Ashburn, UniHealth Post-Acute Care Augusta Hills, Heritage Healthcare of Fitzgerald, Heritage Healthcare at Osceola, Palmyra Nursing Home and Sylvester Healthcare may have been affected by the September 26 theft of a laptop from an employee's car.  The laptop contained patient names, Social Security numbers, Medicare numbers, dates of birth, and resident ID numbers.","HHS via PHIPrivacy.net","","2013","33.941213","-84.213531" "December 17, 2013","UniHealth SOURCE","Austell","Georgia","PORT","MED","2,500","The October 8 theft of an employee's laptop resulted in the exposure of current and former client information.  The laptop was taken from the employee's car while it was parked at home.  
Full names and potential diagnoses may have been exposed.","PHIPrivacy.net","","2013","33.812606","-84.634378" "December 16, 2013","Colorado Health & Wellness, Inc.","Colorado Springs","Colorado","INSD","MED","651","A former doctor took patient information after ending his practice at Colorado Health & Wellness, Inc.  The breach was discovered on September 4, 2013 and involved patient names, addresses, telephone numbers, and email addresses. A notice was sent by Colorado Health & Wellness in November.","HHS via PHIPrivacy.net","","2013","38.833882","-104.821363" "December 16, 2013","Greater Dallas Orthopaedics, PLLC","Dallas","Texas","STAT","MED","5,840","Patients of Dr. Allaaddin Mollabashy and Dr. Nathan F. Gilbert may have had their information exposed by the September 1 office theft of two computers.  Patient names and medical information were on the password-protected laptops.","HHS via PHIPrivacy.net","","2013","32.776664","-96.796988" "November 12, 2013","Rotech Healthcare","Orlando","Florida","PORT","MED","10,680","On August 30, 2013 Rotech discovered that a former employee had taken employee files when her employment ended on November 26 of 2010.  Rotech employees and their dependents may have had their names, Social Security numbers, addresses, and certain medical insurance information exposed.  This medical information may have included the carrier that administered health care coverage, pharmacy services received, and other medical services received.  The information was not removed with malicious intent and there has been no evidence of misuse.UPDATE (12/16/2013): A total of 10,680 employees and their dependents were affected.","PHIPrivacy.net","","2013","28.538336","-81.379237" "October 31, 2013","Genesis Rehabilitation Services","Kennett Square","Pennsylvania","PORT","MED","1,167","An employee's USB drive was discovered missing on September 3, 2013.  
It contained the names, Social Security numbers, and addresses or email addresses of current employees, applicants, and agency employees.  A total of 33 people were affected.UPDATE (12/04/2013): A second USB drive was also lost on August 30.  A total of 739 Lebanon Center and Wheelock Terrace patients in New Hampshire were affected.  Patient information included names, dates of birth, diagnoses, dates of admission or service, medical insurance identification information, and other medical information.  At least 71 patients had their Social Security numbers on the USB drive.UPDATE (12/16/2013): A total of 1,167 individuals were affected.","Databreaches.net","","2013","39.846777","-75.711603" "October 9, 2013","All Source Medical Management, Scottsdale Dermatology Clinic","Scottsdale","Arizona","INSD","MED","1,456","An employee of All Source Medical Management was arrested on suspicion of stealing the credit card information of multiple patients.  The dishonest former employee later admitted to using patient address and credit card numbers to make fraudulent purchases with a co-conspirator.  It is unclear if other clinics and hospitals were affected.UPDATE (12/16/2013): A total of 1,456 patients were affected.  The data was stolen sometime between January 1, 2013 and October 4.  ","PHIPrivacy.net","","2013","33.494170","-111.926052" "December 9, 2013","Southern Illinois University (SIU) HealthCare","Springfield","Illinois","PORT","MED","1,891","The loss or theft of a former SIU orthopedic surgeon's computer resulted in the exposure of patient information.  The loss or theft was discovered on October 15.  Information included patient names, dates of birth, admission dates, medical record numbers, diagnoses, procedural codes, and other health information from patients treated by Dr. Mark P. 
McAndrew.","Media","","2013","39.781721","-89.650148" "November 28, 2013","Amos Medical Services","Laurel","Maryland","PHYS","MED","400","Amos Medical Services was charged with improper disposal of records after leaving patient records in a dumpster.  The records were left behind when the office of Amos Medical Services moved within Laurel, Maryland.  Amos Medical Services and their associated doctor agreed to pay $20,000.","PHIPrivacy.net","","2013","39.099275","-76.848306" "November 28, 2013","CVS Pharmacy, Inc., Maryland CVS Pharmacy, LLC","Gaithersburg","Maryland","PHYS","MED","0","The Maryland Attorney General charged CVS Pharmacy, Inc. and Maryland CVS Pharmacy, LLC with failing to protect sensitive financial and medical information.  CVS disposed of patient records in publicly accessible places. CVS agreed to pay $250,000 in a settlement with the Maryland Attorney General.","PHIPrivacy.net","","2013","39.143441","-77.201371" "November 18, 2013","Eastside Medical Center","Snellville","Georgia","PHYS","MED","0","Eastside Medical Center left patient information in a publicly accessible area.  A vendor was responsible for shredding the patient information and took it from Eastside Medical Center; it is unclear what happened to the information after that. Patient names, addresses, phone numbers, medications, and types of surgeries were exposed.","PHIPrivacy.net","","2013","33.857328","-84.019911" "November 18, 2013","AnMed Health, Health Port","Anderson","South Carolina","INSD","MED","0","An employee of AnMed's contractor Health Port accessed patient information without cause and posted it publicly.  Names, Social Security numbers, medical history, religious preference, and other personal information was accessed.  The employee was disciplined.  
A lawsuit was filed in relation to the breach that named a dozen plaintiffs.","PHIPrivacy.net","","2013","34.503439","-82.650133" "October 11, 2013","Sentara Healthcare, Sentara Virginia Beach General Hospital","Virginia Beach","Virginia","INSD","MED","3,700","Two dishonest nurse aides gathered information from at least 12 patients in order to file fraudulent tax returns.  The breach occurred between September of 2011 and April of 2013.  Some of the patients were from Sentara Virginia Beach General Hospital.  The nurses' aides were indicted on charges of conspiracy to defraud the government.","PHIPrivacy.net","","2013","36.852926","-75.977985" "October 9, 2013","University of California San Francisco Medical Center (UCSF)","San Francisco","California","PORT","MED","3,541","A total of 3,541 patients were affected by the September 10 theft of an unencrypted laptop from an employee's vehicle.  A subset of the 3,541 patients who were affected had their Social Security numbers exposed.UPDATE (10/08/2013): Paper documents with patient names, Social Security numbers, dates of birth, and medical information were also stolen.","Media","","2013","37.774930","-122.419416" "January 28, 2013","RR Donnelley, UnitedHealthcare, Boy Scouts of America","Chicago","Illinois","STAT","MED","8,911","An unencrypted desktop computer was stolen from an RR Donnelley facility sometime between mid September and the end of November, 2012.  RR Donnelley is a vendor of UnitedHealthcare.  It is unclear why the breach was not noticed until December 3, 2012.  The stolen computer contained UnitedHealthcare member information that was related to participation in the Boy Scouts of America 2003 health benefit plan.  
Names, Social Security numbers, and addresses may have been exposed.UPDATE (10/01/2013): A total of 8,911 Boy Scouts of America Employee Benefit Plan participants were notified of the breach.","California Attorney General","","2013","41.878114","-87.629798" "July 18, 2013","South Shore Physicians, P.C.","Staten Island","New York","INSD","MED","8,000","A dishonest nurse and three co-conspirators were linked to medical identity fraud after she posted details about the fraud on a social media account.  The ring had been active since 2004 and had brought in $675,000 over the past five years.  The nurse had been fired from South Shore Physicians after falsifying her work hours.  The co-conspirators face at least 64 counts related to fraud, falsifying records, and theft.UPDATE (10/1/2013): Notifications were sent to 8,000 patients in relation to the breach.","Media","","2013","40.579532","-74.150201" "December 21, 2012","CCS Medical","Savannah","Georgia","INSD","MED","6,601","An employee reported that another employee appeared to have been misusing patient information.  The dishonest employee may have accessed, recorded, and disclosed Social Security numbers and other personal information for the purpose of obtaining fraudulent tax returns.  The employee was reported on September 20 and the possibility that the employee had engaged in dishonest behavior was confirmed on October 17.  Patient information that was maintained by CCS Medical between May 1, and September 21, 2012 may have been accessed.  Notifications were sent to patients on December 7, 2012.  At least 23 New Hampshire residents may have been affected.  
The total number of affected patients nationwide was not reported.  UPDATE (10/1/2013): A total of 6,601 people may have been affected.","PHIPrivacy.net","","2012","32.083541","-81.099834" "September 5, 2013","Medical University of South Carolina (MUSC), Dreyer Medical Clinic, Blackhawk Consulting Group","Charleston","South Carolina","HACK","MED","10,000","A hacker from outside of the United States accessed customer information from Blackhawk Consulting Group, a credit card processing vendor.  The information included financial information from customers who paid the Medical University of Southern Carolina with a credit card online or over the phone between June 30 and August 21. No patient information was accessed. Some of Blackhawk Consulting Group's other customers were affected and a total of 10,000 people may have had their information exposed.  UPDATE (09/09/2013): Specifically, names, billing addresses, email addresses, payment card numbers, expiration dates, and CCV2 numbers were exposed by a Blackhawk Consulting Group hack in August. ","Media","","2013","32.776475","-79.931051" "October 1, 2013","Atlanta Center for Reproductive Medicine","Atlanta","Georgia","DISC","MED","654","Atlanta Center for Reproductive Medicine became aware of a breach on July 12.  The breach involved email and it is not clear exactly how patient information was exposed or what type of information was involved.","HHS via PHIPrivacy.net","","2013","33.748995","-84.387982" "October 1, 2013","Accountable Care Organization of Puerto Rico, Inc. (ACO of Puerto Rico), PHM Healthcare Solutions","San Juan","Puerto Rico","UNKN","MED","5,000","A breach that involved either unauthorized access to ACO of Puerto Rico's network or an unintentional disclosure of patient information online occurred between March 5 and July 16 of 2013. 
","HHS via PHIPrivacy.net","","2013","18.465539","-66.105736" "October 1, 2013","Dermatology Associates of Tallahassee","Tallahassee","Florida","UNKN","MED","916","A breach caused the exposure of patient information; Dermatology Associates of Tallahassee notified patients on September 4.  Patient names, Social Security numbers, addresses, and dates of birth were compromised.  It is unclear how the breach occurred.","HHS via PHIPrivacy.net","","2013","30.438256","-84.280733" "August 28, 2013","Infocrossing Inc, MO HealthNet, Missouri Department of Social Services","Jefferson City","Missouri","DISC","MED","25,000","An error by Infocrossing, Inc. caused the personal information of a group of patients to be mailed to incorrect addresses.  The incident was discovered on June 6, 2013 and impacted correspondence sent between October 16, 2011 and June 7, 2013.  Names, dates of birth, MO HealthNet identification account numbers, county names, phone numbers, and the last four digits of Social Security numbers were exposed.UPDATE (09/23/2013): The breach was originally thought to have affected fewer than 2,000 individuals and last between 2011 and 2013.  The Missouri Department of Social Services reported that the breach began when information was sent out in December of 2009. More than 25,000 Missouri residents were affected.","PHIPrivacy.net","","2013","38.576702","-92.173516" "September 23, 2013","Summit Community Care Clinic","Frisco","Colorado","DISC","MED","921","An administrative error led to the exposure of patient email addresses.  Email addresses were placed in the visible ""TO:"" field instead of the blind ""BCC:"" field.  
The email was an invitation to a monthly patient advisory meeting and was sent on July 22.","HHS via PHIPrivacy.net","","2013","39.574431","-106.097520" "September 19, 2013","Edgewater Hospital","Chicago","Illinois","PHYS","MED","0","A curious resident entered an abandoned building that used to be Edgewater Hospital and found a room filled with thousands of patient records.  A local news team investigated and found that photos had been taken of the situation four years earlier in 2009 by the Illinois State Health Department.  The records included patient names, Social Security numbers, dates of birth, and addresses.  Edgewater Hospital had been abandoned for more than a decade.","PHIPrivacy.net","","2013","41.878114","-87.629798" "August 8, 2013","M2ComSys, Cogent Healthcare, Inc.","Brentwood","Tennessee","DISC","MED","32,000","M2ComSys (M2), a medical transcription company, stored physicians' notes for Cogent Healthcare.  It was discovered that the online system that stored the notes could be accessed.  Patient care notes with names, physician names, dates of birth, diagnosis descriptions, summary of treatment, medical history, medical record numbers, and other medical information were exposed.  The notes could have been accessed on May 5, 2013 and improper access to the site ended on June 24, 2013.  M2 no longer provides services for Cogent Healthcare.  UPDATE (9/17/2013): At least 32,000 patients were affected across all medical centers.  ","California Attorney General","","2013","36.033116","-86.782777" "November 28, 2012","Advanced Data Processing, Inc. (ADPI), Grady EMS","Roseland","New Jersey","INSD","BSF","15,000","Information from certain ambulance agencies was inappropriately accessed and disclosed.  Patient account information such as names, Social Security numbers, dates of birth, and record identifiers were exposed by a dishonest ADPI employee. ADPI learned of the breach on October 1. 
The dishonest employee was fired and apprehended by authorities.  UPDATE (12/04/2012): The former ADPI employee stole information associated with Grady EMS ambulance service. About 900 Grady EMS patients had their information exposed between June 15, 2012 and October 12, 2012.  UPDATE (01/05/2013): A detailed list of the organizations and number of people who were affected is available on phiprivacy.net here: http://www.phiprivacy.net/?p=10825  UPDATE (03/08/2013): Osceola County EMS released a notification in March of 2013 here: http://tinyurl.com/a335kak  UPDATE (03/14/2013): The Yuma, Arizona Fire Department was also affected by the breach.  ADP handles the billing for Yuma's emergency medical services.  Names, Social Security numbers, dates of birth, and record identifiers may have been accessed.  UPDATE (08/28/2013): ADPI learned of the tax scheme after being notified by Tampa, Florida police.  The IRS confirmed that Valparaiso Fire Department information was compromised by the breach in July of 2013.  Patients seen at Valparaiso Fire Department or by Valparaiso Fire Department ambulances between January 1 and June 21 of 2012 may have had their names, Social Security numbers, and dates of birth exposed.","California Attorney General","","2012","40.820656","-74.293759" "August 16, 2013","California Correctional Health Care Services","Sacramento","California","INSD","MED","1,001","Missing dental information was discovered to have been removed by a staff member.  Patient names, dates of birth, dental treatment plans, and other information were exposed.  Dental records may have also been taken.  
The documents were first discovered missing on June 19 and had not been recovered as of August 16.UPDATE (08/28/2013): A total of 1,001 inmates were affected.","California Attorney General","","2013","38.581572","-121.494400" "June 25, 2013","Foundations Recovery Network, Sebastopol Sea Serpents","Nashville","Tennessee","PORT","MED","5,690","The June 15 theft of an employee's laptop resulted in the exposure of patient information.  Names, Social Security numbers, dates of birth, addresses, medical information, and telephone numbers were on the laptop.UPDATE (08/28/2013): A total of 5,690 patients were affected by the breach.UPDATE (11/25/2013): Level of care, dates of service, health insurance information, and other medical information were also on the laptop.","PHIPrivacy.net","","2013","36.162664","-86.781602" "June 11, 2013","South Florida State Hospital, GEO Care LLC","Pembroke Pines","Florida","INSD","MED","710","A dishonest employee and his cousin pleaded not guilty to charges of conspiracy to commit identity theft, conspiracy to disclose individuals' health information, access device fraud, wrongful disclosure of health information, and aggravated identity theft.  The men are accused of stealing the names and Social Security numbers of patients to file fraudulent income tax returns between September of 2012 and April of 2013.UPDATE (08/28/2013): A total of 710 patients were affected by the breach on April 16.","PHIPrivacy.net","","2013","26.007765","-80.296256" "September 5, 2013","North Texas Comprehensive Spine and Pain Center","Sherman","Texas","INSD","GOV","3,000","A former employee stole an external hard drive that contained the medical information of patients.  There has been no evidence that the information on the hard drive was improperly used.UPDATE (09/15/2013): Close to 3,000 patients were notified of the potential breach. 
Names, Social Security numbers, dates of birth, addresses, and diagnoses were exposed.","Media","","2013","33.635662","-96.608881" "August 11, 2013","Resources for Human Development, Inc. (RHD)","Philadelphia","Pennsylvania","INSD","MED","40","At least 40 residents of RHD had their information sold for fraudulent purposes by a dishonest RHD employee.  The former employee was part of a bank fraud conspiracy that involved fraudulent tax refunds and bank fraud.  The former employee was sentenced to three years in prison and three years of supervised release for aggravated identity theft and bank fraud.","PHIPrivacy.net","","2013","39.952584","-75.165222" "August 2, 2013","Medtronic","Fridley","Minnesota","PHYS","MED","2,764","A box of training records went missing from a Medtronic facility in Minnesota.  Most of the records dated back to 2008.  People who received training in using insulin pumps or continuous glucose monitoring devices may have been affected. A limited number of patients had their Social Security numbers exposed.  Those who may have been affected were notified in early July.","PHIPrivacy.net","","2013","45.086077","-93.263282" "February 5, 2013","Boca Raton Regional Hospital","Boca Raton","Florida","INSD","MED","0","Eight people were charged for participating in an identity theft ring.  One of the members was employed as a scheduler at Boca Raton Regional Hospital.  She passed along patient information in exchange for payments.  One member allegedly filed 57 fraudulent tax returns with the stolen information in an attempt to get $306,720 in refunds.  Another member is accused of filing 75 fraudulent returns for $750,469 in refunds.  UPDATE (07/30/2013): The dishonest employee was convicted of unauthorized disclosure of medical records, using stolen Social Security numbers to file fraudulent tax claims, and conspiracy to commit false claims.  She was sentenced to 18 months in prison and ordered to pay $15,795 in restitution to the IRS.  
A co-defendant was sentenced to 40 months for her role in filing fraudulent tax returns and stealing patient information.","PHIPrivacy.net","","2013","26.358689","-80.083098" "July 18, 2013","San Jose Medical Supply Company","San Jose","California","INSD","MED","800","Fraudulent activity by former employees was discovered when a new owner took over San Jose Medical Supply Company in August of 2012.  San Jose Medical Supply Company confirmed in June of 2013 that health information was exposed between August of 2011 and December of 2011.  The dishonest employees and other affiliated individuals no longer work with San Jose Medical.  Names, Social Security numbers, home addresses, dates of birth, Medi-Cal ID numbers, physician names and contact information, prescriptions, diagnosis information, type and quantity of medical supplies ordered, and disability codes were disclosed to Front Medical Supply and/or Living Medical Supply without authorization.UPDATE (07/29/2013): A total of 800 people were affected.","California Attorney General","","2013","37.338208","-121.886329" "July 29, 2013","Lone Star Circle of Care","Austin","Texas","PORT","MED","1,955","The theft of a laptop from an employee's car around May 1, 2013 resulted in the exposure of patient information.  Patients who were seen between 2012 and 2013 may have had their or their childrens' names, Social Security numbers, and diagnosis information exposed.","HHS via PHIPrivacy.net","","2013","30.267153","-97.743061" "July 29, 2013","Samaritan Regional Health System","Ashland","Ohio","PHYS","MED","2,203","An exposure of patient paper records was discovered on May 29th.","HHS via PHIPrivacy.net","","2013","40.868668","-82.318218" "July 29, 2013","South Florida Neurology Associates, P.A.","Boca Raton","Florida","PORT","MED","900","The theft of a laptop resulted in the exposure of patient information.  
The laptop was stolen sometime between May 25 and May 30.","HHS via PHIPrivacy.net","","2013","26.368306","-80.128932" "July 29, 2013","Sheet Metal Local 36 Welfare Fund, People Resource Corporation","St. Louis","Missouri","UNKN","MED","4,560","A data breach occurred between August 1, 2012 and July 8, 2013.","HHS via PHIPrivacy.net","","2013","38.627003","-90.199404" "July 29, 2013","Jacksonville Spine Center","Jacksonville","Florida","PHYS","MED","5,200","Paper patient records were lost, stolen, or exposed during an April 25 breach.","HHS via PHIPrivacy.net","","2013","30.332184","-81.655651" "July 29, 2013","MED-EL Corporation","Durham","North Carolina","DISC","MED","609","An email error that occurred on June 25 resulted in the exposure of health information.","HHS via PHIPrivacy.net","","2013","35.994033","-78.898619" "July 29, 2013","Northrop Grumman Retiree Health Plan, CVS Caremark","Falls Church","Virginia","PHYS","MED","4,305","A breach involving paper records from CVS Caremark affected 4,305 Northrop Grumman Retiree Health Plan enrollees.","HHS via PHIPrivacy.net","","2013","38.882334","-77.171091" "July 19, 2013","Regional Medical Center Bayonet Point","Hudson","Florida","DISC","MED","10","A patient received the information of other patients in a mailing.  Names, patient records, and Social Security numbers were exposed.  ","PHIPrivacy.net","","2013","28.364449","-82.693434" "July 13, 2013","Cedars-Sinai Medical Center","Los Angeles","California","INSD","MED","14","Five medical workers were fired for their role in a hacking effort that targeted a celebrity.  A total of 14 patient records were breached between June 18 and June 24.  The employees misused the Hospital's information system to access patient records for curiosity or media purposes.  
A volunteer also participated and was barred from working at the Hospital.","Media","","2013","34.052234","-118.243685" "September 6, 2013","Illinois Department of Healthcare and Family Services","Springfield","Illinois","DISC","MED","3,100","A contractor sent Family Health Network ID cards to the wrong addresses in July of 2013.  A total of 3,100 clients had their names, Medicaid numbers, and dates of birth exposed.","Media","","2013","39.781721","-89.650148" "July 4, 2013","Behavioral Health Network","Springfield","Massachusetts","PHYS","MED","0","A concerned citizen found medical records in a publicly accessible dumpster.  Behavioral Health Network has a shredding vendor and did not have an explanation for the breach.  Behavioral Health Network picked up the remaining files.","PHIPrivacy.net","","2013","42.101483","-72.589811" "July 2, 2013","Advantage Health Solutions","Indianapolis","Indiana","DISC","MED","0","A patient discovered that he could see the information of other users by logging into his Advantage Health Solutions account.  Any patients who put in a name or date of birth other than their own were able to see the records of people with those names or dates of birth.  Names, phone numbers, addresses, primary care physicians, medical bills, types of medications, and other medical information were exposed.","PHIPrivacy.net","","2013","39.768403","-86.158068" "September 18, 2013","St. Francis Health Network, Advantage Health Solutions","Indianapolis","Indiana","UNKN","MED","2,575","Advantage Health Solutions and St. Francis Health Network (Franciscan Alliance ACO) were affected by a breach.","HHS via PHIPrivacy.net","","2013","39.768403","-86.158068" "June 6, 2013","SynerMed, Inland Valleys IPA, Inland Empire Health Plan","Monterey Park","California","PORT","MED","1,566","The theft of an employee's laptop resulted in the exposure of patient information.  
The theft occurred on the night of April 14 or the early morning of April 15 when a thief broke into the employee's automobile.  The laptop was password-protected and reported missing on the morning of April 15.  The laptop's access to the SynerMed systems was eliminated on the morning of April 15 and the laptop contained member names, membership numbers, member addresses, CPT Codes, Diagnosis Codes, and dates of birth. UPDATE (06/07/2013): The laptop belonged to a group of independent California physicians managed by SynerMed, Inc. called Inland Valleys IPA. UPDATE (06/17/2013): There were no Social Security numbers on the laptop. UPDATE (06/21/2013): A total of 1,566 people were affected. UPDATE (07/01/2013): A total of 3,164 patients were affected.","California Attorney General","","2013","34.062511","-118.122848" "July 1, 2013","Union Security Insurance Company","Kansas City","Missouri","UNKN","MED","1,217","A breach that occurred on May 17 may have exposed protected health information.  It involved email and/or the improper disposal of records.","HHS via PHIPrivacy.net","","2013","39.099727","-94.578567" "June 6, 2013","Sutter Health East Bay Region: Alta Bates Summit Medical Center, Sutter Delta Medical Center, Eden Medical Center","Sacramento","California","UNKN","MED","4,500","Patients who visited Sutter Health's Alta Bates Summit Medical Center, Sutter Delta Medical Center, or Eden Medical Center may have had their names, Social Security numbers, dates of birth, gender, addresses, zip codes, home phone numbers, marital status, names of employers, and work phone numbers exposed.  The Alameda County Sheriff's office notified Sutter Health of the potential breach on May 23.  It is unclear what the source of the breach might be. UPDATE (06/10/2013): The information was found during a narcotics raid.  
The personal information of nearly 4,500 patients was discovered. UPDATE (07/29/2013): Nelson Family of Companies, a staffing firm, was also involved.","California Attorney General","","2013","38.581572","-121.494400" "June 20, 2013","Comfort Dental","Indianapolis","Indiana","PHYS","MED","6,500","Nearly 7,000 patient records were found in a publicly accessible dumpster.  A local news team investigated the breach and found the names, Social Security numbers, addresses, phone numbers, dates of birth, X-rays, dental information, credit card numbers, medical histories, and other sensitive information of Comfort Dental patients.  Comfort Dental patients who were seen at offices in Marion, Indiana and Kokomo, Indiana may have been affected.  The news team reported the issue around March 18, 2013 and removed the records.","PHIPrivacy.net","","2013","39.768403","-86.158068" "May 14, 2013","Presbyterian Anesthesia Associates, E-dreamz, Pledmont Healthcare","Charlotte","North Carolina","HACK","MED","9,988","A hacker took advantage of a security flaw in Presbyterian Anesthesia Associates' website and gained access to a database of patient information.  Names, credit card numbers, dates of birth, and contact information may have been exposed. UPDATE (05/15/2013): E-dreamz was the organization that hackers breached.  Patients from Pledmont Healthcare may have also been affected by E-dreamz's breach.  Names, addresses, phone numbers, email addresses, and credit card numbers may have been exposed.  Social Security numbers were not among the data that could have been exposed.","Media","","2013","35.227087","-80.843127" "March 27, 2010","Laboratory Corporation of America LabCorp","Burlington","North Carolina","PHYS","MED","0","Thousands of medical documents fell out of a truck bed while in transit.  
The scattered documents contained billing information and possibly medical records from 1993 or later.","Media","","2010","36.095692","-79.437799" "June 9, 2013","Laboratory Corporation of America (LabCorp)","Burlington","North Carolina","STAT","MED","0","The theft of a computer that was scheduled to be destroyed may have exposed patient names, birthdates, and Medicare subscriber numbers.","PHIPrivacy.net","","2013","36.095692","-79.437799" "June 9, 2013","Office of Kara Falck, Other World Computing","Takoma Park","Maryland","PORT","MED","0","A hard drive from the therapy service was purchased and then returned to Other World Computing.  A doctor in Germany later contacted the therapy service and confirmed that he had received the hard drive.  Client information, progress notes, and billing notes could be found on the hard drive though the doctor had believed he was purchasing a new or refurbished hard drive.  Other World Computing or the hard drive's manufacturer failed to clear the hard drive before it was resold.  The hard drive was resold to its original owner in order to safeguard the therapeutic client information.","PHIPrivacy.net","","2013","38.977888","-77.007477" "May 31, 2013","University Dental Associates","Brooklyn","New York","PORT","MED","2,400","The November 21 office theft of a laptop resulted in the exposure of patient information.  Names, Social Security numbers, dates of birth, addresses, and billing codes were on the laptop.","PHIPrivacy.net","","2013","40.678178","-73.944158" "May 29, 2013","Palm Garden of Winter Haven","Winter Haven","Florida","INSD","MED","100","Patient information was found in a dishonest employee's car.  
The information of more than 100 people who lived at Palm Garden of Winter Haven nursing home was found and the dishonest employee was charged with 13 counts of stealing identification information.","PHIPrivacy.net","","2013","28.022244","-81.732857" "May 21, 2013","Sovereign Medical Group, LLC","Ridgewood","New Jersey","HACK","MED","27,800","An October 10, 2012 breach resulted in the exposure of information.  The incident or incidents involved one or more network servers, theft, and/or hacking.","HHS via PHIPrivacy.net","","2013","40.979265","-74.116531" "May 21, 2013","Hawaii State Department of Health - Adult Mental Health Division","Honolulu","Hawaii","HACK","MED","674","An employee noticed unusual activity on a computer and a hacking incident was discovered on September 25, 2012.  Information stored on a computer file may have been accessed and dated back to 1997.  Names, dates of birth, addresses, phone numbers, consumer record numbers, and a limited number of Social Security numbers were exposed.","PHIPrivacy.net","","2013","21.306944","-157.858333" "October 22, 2012","L.A. Care Health Plan","Los Angeles","California","PHYS","MED","18,000","A mailing error caused ID cards to be mailed to the wrong members.  The cards were mailed on September 17, 2012 and the problem was discovered on September 18, 2012.  Names, member ID numbers, and dates of birth were exposed. UPDATE (05/21/2013): A total of 18,000 people were affected.","California Attorney General","","2012","34.052234","-118.243685" "May 17, 2013","Louisiana State University (LSU) Health Shreveport, Siemens Healthcare","Shreveport","Louisiana","DISC","MED","8,330","A computer data entry error resulted in a mailing error that exposed patient information.  The names and treatment information of certain patients were mistakenly mailed to other patients.  
No Social Security numbers, dates of birth, or financial account numbers were exposed.","PHIPrivacy.net","","2013","32.525152","-93.750179" "December 18, 2013","CITGO Petroleum Corporation","Houston","Texas","DISC","BSO","0","A folder with personal information was discovered in a location that made it accessible on CITGO's intranet to unauthorized employees.  The issue was discovered on October 9.  Social Security numbers, financial information, and other personal information could have been accessed.","California Attorney General","","2013","29.760427","-95.369803" "December 17, 2013","Jonathan M. Wainwright Memorial VA Medical Center","Walla Walla","Washington","DISC","MED","1,519","Some veterans may have had their information accidentally emailed to an external source on November 1.  An email sent to an external education partner contained an attachment with veteran information that included names and Social Security numbers.  The issue was contained within 10 minutes of the email being sent.","Media","","2013","46.064581","-118.343021" "December 16, 2013","Massachusetts Mutual Life Insurance Company","Springfield","Massachusetts","DISC","BSF","0","A MassMutual account manager accidentally included information about retirement plans in an email that was sent to an individual at a MassMutual retirement services client.  The client representative confirmed that the email was deleted. It contained an unspecified number of client information that included names, Social Security numbers, addresses, dates of birth, retirement plan names, and group numbers.  The incident occurred on December 3.","California Attorney General","","2013","42.101483","-72.589811" "December 16, 2013","Dr. Martin Luther King Jr. Health Center, Bahoo.net, Professional Transcription Company","Bronx","New York","DISC","MED","37,000","Dr. Martin Luther King Jr. 
Health Center learned that a transcription vendor named Professional Transcription Company hired a subcontractor named Bahoo.net to work on data transcription.  Bahoo.net inadvertently made patient information viewable through public internet search engines.  The breach occurred in 2009. Patient names, treatments, procedures, diagnosis information, and dates of services may have been accessed.  Bahoo closed its website and destroyed the hard drive so that the public could no longer view the personal information.  It is unclear what types of data were on the hard drive and when it was posted because the hard drive was destroyed.","HHS via PHIPrivacy.net","","2013","40.844782","-73.864827" "December 20, 2013","StakerLaw Tax and Estate Planning Law","Camarillo","California","PHYS","BSF","0","On Friday, December 20, 2013, the home of the firm's owner was burglarized and the firm's back-up hard drive, which contained customer files with sensitive personal information, was stolen.","California Attorney General","","2013","34.220616","-119.054079" "December 30, 2013","T-Mobile Supplier","Unknown","","HACK","BSO","0","A supplier for T-Mobile reported a breach of files stored on their servers. The breach exposed names, addresses, Social Security numbers and/or driver's license numbers. This access was discovered in late November 2013.  They believe that the primary goal of the hackers was to obtain credit card data, but credit card information was not included in these files. ","California Attorney General","","2013","46.498432","-116.724759" "December 20, 2013","Tennova Cardiology","Nashville","Tennessee","PORT","MED","2,777","The October 22 theft of a laptop from a transcription contractor working with Tennova Cardiology resulted in the exposure of patient information.  
The laptop was not encrypted and included names, dates of birth, physician names, and health information (No Social Security numbers or financial information reported).","Media","","2013","36.162664","-86.781602" "December 30, 2013","Wichcraft Operating LLC","New York","New York","HACK","BSO","0","An unauthorized third party accessed their systems compromising payment card information of certain customers in possibly two of their locations, New York and San Francisco. The breach occurred from approximately August 11, 2013 to October 2, 2013. Based on their investigation, the information accessed by the unauthorized party may have included names, payment card numbers, security codes and expiration dates. They are claiming that not all of these data elements were accessed for each customer.","California Attorney General","","2013","40.752269","-74.006972" "December 20, 2013","Washington Department of Social and Health Services (DSHS)","Tacoma","Washington","DISC","MED","2,600","The personal information of between 2,600 and 7,000 households receiving assistance from the Washington DSHS was accidentally mailed to old or incorrect addresses between August 19 and October 26.  The information included names, Social Security numbers, dates of birth, phone number and other contact information, medical diagnosis information, chemical dependency or treatment information, income, and any public-assistance services that the household received.  The issue was discovered on October 22. UPDATE: Acting Medicaid Director releases information on the incorrect mailing of Medicaid cards by NCDHHS: The Director states; ""After a review of the incident, it has been determined that some Medicaid cards were incorrectly sent because of human error in computer programming and the quality assurance process in printing the new Medicaid identification cards.  
These new cards were printed for children switched from NC Health Choice to Medicaid because of new eligibility rules and requirements under the Affordable Care Act (Obamacare).  A program was developed to extract the information from the eligibility database to generate the mailing, but utilized the incorrect name and address for the parent or responsible adult. The incorrect card shows the child’s name, Medicaid identification number, date of birth and primary care physician’s name and physician’s address. No Social Security numbers were released. The parent or responsible adult who received an incorrect card is being advised to immediately destroy it by shredding or cutting it into small pieces. They are also being advised that they can turn in the card to their county department of social services if they prefer. A directory of the county social services offices can be found here: http://www.ncdhhs.gov/dss/local/."" (1-06-2014)","PHIPrivacy.net","","2013","47.252877","-122.444291" "December 27, 2013","Briar Group","Brighton ","Massachusetts","HACK","BSO","0","Briar Group confirms it was the source behind a Seaport data breach. An investigation by the Briar Group, which runs eight restaurants and bars in the city, confirmed that its systems were compromised, causing the data breach that affected hundreds of individuals who visited the Seaport area of Boston sometime in November. Currently, a number has not been released as the investigation regarding the breach is ongoing. The breach included unauthorized access to card data at their restaurants sometime between October and November 2013. ","Media","","2013","42.349161","-71.151571" "December 29, 2013","Riverside Health System","Newport News","Virginia","INSD","MED","919","Riverside Health System has announced an electronic records health breach discovered in November. The breach involved one employee who accessed 919 medical records over a four-year period. 
The system-wide breach included patients' Social Security numbers, patient history and other information that appears in the system's electronic medical record. ","Media","","2013","37.063460","-76.483338" "December 27, 2013","Colorado Community Health Alliance (CCHA)","Denver","Colorado","INSD","MED","0","The data of 1,918 Medicaid patients was breached after a temporary employee from an outside contractor, Colorado Community Health Alliance (CCHA), sent the information to his/her own personal email address, according to media reports. The Colorado Department of Health Care Policy and Financing believes this information may have been intended for the employee's use in another business. The information included patient names, date of birth, addresses, telephone numbers, health conditions and Medicaid identification numbers. Social Security numbers were not involved. ","Media","","2013","39.739236","-104.990251" "January 2, 2014","Eye Surgery Education Council","Fairfax","Virginia","HACK","MED","4,748","Reportedly, the Eye Surgery Education Council's system was hacked and user accounts with partial email addresses, user names and clear text passwords were dumped onto the Internet.","","","2014","38.865768","-77.365235" "January 13, 2014","Update Legal","San Francisco","California","INSD","BSO","0","On or around September 9, 2013, Update Legal was informed by San Francisco Police that a suspect in custody had digital photographs of I-9 forms on the smartphone in this person's possession. 
This individual potentially obtained Social Security numbers, date of birth, driver's license numbers, email addresses, passport identification, state ID cards, military dependent's ID cards, US Citizen's ID cards, Certification of Birth Abroad, Birth Certificates and addresses.","California Attorney General","","2013","37.793949","-122.398062" "January 15, 2014","South Carolina Department of Employment and Workforce","Columbia","South Carolina","INSD","GOV","4,658","A South Carolina Department of Employment and Workforce human resources employee allegedly downloaded the personal information of 4,658 current and former DEW employees to a personal device, according to authorities. The data downloaded may have included payroll information, Social Security numbers and bank account information. The employee has since been fired. The incident allegedly occurred on December 18, 2013.","Media","","2014","34.004034","-81.041745" "January 14, 2014","Southwest General Health Center","Middleburg Heights","Ohio","PHYS","MED","480","Southwest General Hospital notified approximately 480 patients who were part of an obstetrics study that some of their private information was recently lost, including names, data on births, clinical information and medical record numbers. The data was included in one binder and the binder was discovered missing early in December 2013. The binder did not include Social Security numbers or financial information.","Media","","2013","41.369962","-81.832009" "January 10, 2014","Alamance County Department of Social Services","Burlington","North Carolina","INSD","GOV","33","Rakecia Matrese Brame, a former social worker for the Alamance County Department of Social Services in North Carolina, pled guilty to identity theft, tax, and fraud charges. According to court documents, Brame was employed as a social worker from 2009 to 2011 and was responsible for investigating claims of abuse and neglect against minors and disabled adults. 
She had authorized access to their system which included names, dates of birth and Social Security numbers of Alamance DSS clients. Brame used her access to identifying information contained in Alamance DSS records to illegally obtain the personal identifying information of clients and others. She would then sell that information to two tax preparers at the Greensboro branch of Nothing But Taxes, a tax return preparation firm.  They used the stolen identities to claim false dependents on tax returns they prepared for Nothing But Taxes clients, inflating tax refunds on their clients' behalf.  ","Media","","2011","36.100487","-79.405292" "January 14, 2014","NORCOM-North East King County Regional Public Safety Communication Agency","Bellevue","Washington","HACK","GOV","6,000","The North East King County Regional Public Safety Communication Agency (NORCOM) has announced a security breach of a server that stored records of an estimated 6,000 medical responses for Duvall Fire District 45, Skykomish Fire Department and Snoqualmie Pass Fire & Rescue. Currently, the investigation has revealed that the medical response records breached included names, addresses, dates of birth, nature of emergency call and initial medical condition. The breach also included personnel data for 231 full-time and volunteer firefighters who work or have worked for the three agencies. This information could include driver's license information, date of birth, Social Security numbers, emergency contact and limited medical information.","Media","","2013","47.610150","-122.201516" "December 29, 2013","American Express Company","New York","New York","UNKN","BSF","0","American Express announced, as part of an investigation by law enforcement and/or American Express, the company discovered a data breach that involved customer information. The data recovered included American Express cardholder account numbers, names and other card information such as the expiration date. 
They have stated that Social Security numbers were not impacted and their systems did not detect any unauthorized activity on cardholders' accounts as related to this incident. UPDATE: (1/16/2014): American Express has sent out a new letter addressed to customers affected by the data breach. This new communication entailed information that one of the merchants that they purchased goods with was affected by the breach. The information breached did not change, in that card holder account numbers, names and other card information such as expiration date were compromised. No Social Security numbers were impacted. ","California Attorney General","","2014","40.713611","-74.014722" "January 17, 2014","Easton-Bell Sports Inc.","Van Nuys","California","HACK","BSR","0","Easton Bell Sports Inc., out of Van Nuys, California, informed customers of a data breach in December. The company has stated that one of their vendor's servers was attacked by vicious malware and was breached on or around December 1, 2013. The breach may have impacted online purchases made from December 1, 2013 to December 31, 2013. The customer information breached may have included names, addresses, phone numbers, email addresses, credit card numbers, along with the 3 or 4 digit security code on the back of cards. Once the breach was discovered, the company immediately shut the server down and took steps to stop any further infiltration of the system. The company has hired a computer forensics expert to conduct an investigation. The number of customers affected is currently unknown.","California Attorney General","","2013","34.213661","-118.475272" "January 17, 2014","E-Benefits Department of Veteran Affairs","","District Of Columbia","UNKN","GOV","0","As reported by a local TV station in Moore County, North Carolina, a Navy veteran reported that he had been using the E-Benefits portal through the Department of Veteran Affairs to check his own benefits. 
He was on the VA's E-Benefits website trying to track down his own history for a bank loan. Instead, windows kept popping up displaying other veterans' medical and financial information. He has since reported the issue to the Department of Defense, the VA and Senator Kay Hagan's office. The VA has responded with a statement to ABC11 on Friday January 17, 2014 with the following: ""The Department of Veterans Affairs (VA) takes seriously our obligation to properly safeguard personal information.  Wednesday evening, during a process to improve software supporting the joint VA and Department of Defense benefits web portal eBenefits, VA discovered a software defect. During that limited timeframe, some Veterans and Servicemembers who had registered and logged into eBenefits were able to see a combination of their own information as well as data from other eBenefits users.  VA took immediate action upon discovering the software defect and shut the eBenefits system down in order to limit any problems.  VA is conducting a full review to be certain the underlying technological issues have been resolved before the system is returned to operation. VA's independent Data Breach Core Team (DBCT) is reviewing this issue and believes a relatively limited number of Veterans have been affected. Once the DBCT determines the number of users impacted, their identities and other pertinent facts, VA will take the appropriate response, which may include free credit monitoring for the affected individuals, consistent with VA's standard practice"".","Media","","2014","38.907192","-77.036871" "January 23, 2014","W.J Bradley","Centennial","Colorado","INSD","BSF","0","W.J Bradley Mortgage Capital, LLC announced in a letter to customers that information disclosed to the Emery Team at W.J Bradley Mortgage Capital, LLC in connection with numerous loan transactions had been breached. 
According to the company, information on specific loan transactions had been taken from their computer systems and copied by several former loan officers of the company. This information was then shared with another mortgage company not associated with W.J Bradley. The company communicated that the information taken included income, marital status, and loan information. There is no evidence that the information was released to the public at large. A court order was obtained by W.J Bradley requiring the return of all private customer information to the company, prohibiting the defendants from sending that information to others, and requiring that the defendants destroy all copies of the information in their possession. ","California Attorney General","","2013","39.599618","-104.896094" "January 24, 2014","St. Francis Hospital and Medical Centers","Hartford","Connecticut","PHYS","MED","858","St. Francis Hospital announced a breach of 858 patient records when physical patient files were stolen from a contracted emergency room physician's car. The files included patient names, patient medical record numbers and dates of birth. No Social Security numbers or financial records were compromised.","","","2014","41.774963","-72.698412" "January 28, 2014","Bring It To Me","San Diego","California","HACK","BSR","0","BringItToMe.com informed certain customers that a data breach occurred at one of their vendors that may have compromised personal or payment card information. 
No details have been released as to the specific personal or payment card information that may have been breached. The company was recently informed that the online ordering software provider, Big Tree Solutions, discovered unauthorized modifications in their software that could potentially allow new payment card information entered between October 14, 2013 and January 13, 2014 to have been obtained by an unauthorized user. According to the company, the unauthorized modification has been corrected and other security measures have been put into place. ","California Attorney General","","2013","32.798833","-117.252953" "January 30, 2014","UC Davis Health System","Sacramento","California","HACK","MED","0","UC Davis Health Center has informed patients of a potential data breach to their system. They recently learned that one of their medical provider's email accounts was impacted by an email ""phishing"" scam, in which malicious software is used to access records. In this case this malware targeted the medical provider's email account. They are currently investigating the breach and are unclear as of now if direct access to the information contained in this provider's emails was breached. Potential records breached include names, medical record numbers and dates of clinical visits to this provider. ","California Attorney General","","2013","38.554761","-121.456308" "January 31, 2014","White Lodging Services Corporation","Merrillville","Indiana","HACK","BSR","0","White Lodging, a company that maintains hotel franchises under nationwide brands such as Hilton, Marriott, Sheraton and Westin may have been the victim of a data breach potentially exposing credit and debit card information. 
The company has not released the number of potential cards that may have been affected. The breach was first noticed by various banking sources, who were sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all used at Marriott hotels around March 23, 2013 through the end of last year. The breach seemed to only occur at those Marriott locations that were managed by White Lodging Services Corporation. Reportedly the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging.","Media","","2013","41.467004","-87.327562" "March 19, 2012","Kaiser Foundation Health Plan","Oakland","California","DISC","MED","30,000","Someone purchased a hard drive in September of 2011 and immediately notified law enforcement that it contained confidential information.  The external hard drive did not come from a Kaiser Permanente office.  It contained employee data that was as recent as 2009.  Current and former employees may have had their names, Social Security numbers, dates of birth, and addresses exposed. There is no evidence that the information from the hard drive was used for illegal purposes as of March of 2012. UPDATE (3/22/2012): The external hard drive was purchased at a thrift store.  Phone numbers, pay stubs, COBRA Error, Trust Fund Paid Hours, or Fidelity Savings Plan Deduction reports may have also been on the hard drive. UPDATE (4/16/2012): At least one source lists the total number of affected current and former employees as 30,000. UPDATE (2/4/2014): Attorney General Kamala Harris has agreed to drop a data breach lawsuit against the Oakland based managed care provider, Kaiser, if they agreed to a $150,000 fine paid to the state and improved their information handling practices. Originally the suit contended that the health care provider violated the three-month notification law. 
Kaiser learned of the violation in December 2011 but did not send letters to 20,539 affected Californians until mid-March 2012. The law requires data-holders disclose any breach ""in the most expedient time possible and without unreasonable delay"".  ","California Attorney General","","2012","37.804364","-122.271114" "February 5, 2014","St. Joseph Health System","Suwanee","Georgia","HACK","MED","405,000","St. Joseph Health System in Texas has reported a data breach of a server that stored information for numerous facilities. Information was accessed through a single server by hackers from China and other locations. The server contained employee and patient data for St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center. The affected server was taken offline once the breach was discovered. The breach supposedly occurred between December 16 and December 18, 2013. The data included patient names, birth dates, Social Security numbers, and possibly addresses. Medical information for patients was accessible, as well as bank information for current and former employees. 
Both adult and minor information may have been compromised. Currently, investigators could not determine if any information had been extracted or used.","California Attorney General","","2013","34.051490","-84.071300" "February 7, 2014","Easter Seals of Superior California","Suwanee","Georgia","PHYS","MED","0","On December 10, 2013, an Easter Seal Society of Superior California employee's company vehicle was broken into, and a company laptop containing health record information belonging to minors may have been breached. The laptop contained emails that may have had specific information such as children's names, dates of birth, health care provider information, health care billing information, patient identification numbers, and occupational therapy notes. The company is investigating any potential fraud that may have been associated with this information. ","California Attorney General","","2013","34.051490","-84.071300" "February 8, 2014","Medtronic","Minneapolis","Minnesota","HACK","MED","0","It has been reported that the computer network of Medtronic, the world's largest medical device maker, was hacked sometime in the first half of 2013. It is not clear what type of information the hackers were targeting. Federal laws meant to safeguard medical information require companies to disclose any breach involving patient information; so far Medtronic has not made these disclosures. The attacks point to Chinese hackers and the medical device company was not aware of the intrusions until federal authorities contacted them and they have now formed a task force to investigate the breach. A spokeswoman for the medical device maker would not comment on any specific attacks.","Media","","2013","45.069559","-93.251203" "February 8, 2014","Boston Scientific","Natick","Massachusetts","HACK","MED","0","It has been reported that the computer network of Boston Scientific, a medical device maker, was hacked sometime in the first half of 2013. 
It is not clear what type of information the hackers were targeting. Federal laws meant to safeguard medical information require companies to disclose any breach involving patient information, so far Boston Scientific has not made these disclosures.Denise Kaigler, a Senior Vice President of Corporate Affairs with Boston Scientific stated ""like many companies, Boston Scientific experiences attempts to penetrate our networks and systems and we take such attempts seriously. We have a dedicated team to detect and mitigate attacks when they occur as well as to implement solutions to prevent future attacks."" Ms. Kaigler would not comment on the specifics of any attack, but described the media reporting as ""inaccurate"". The attacks point to Chinese hackers and the medical device company was not aware of the intrusions until federal authorities contacted them and they have now formed a task force to investigate the breach.","","","2013","42.302125","-71.376388" "January 2, 2014","Straight Dope Message Board","Chicago","Illinois","HACK","BSO","0","The security team at The Straight Dope discovered hackers broke into their online message board forum. This resulted in unauthorized access of members usernames, emails and passwords. The message board does not store Social Security numbers or credit card information. The company is suggesting all users change their password in their system.","Media","","2014","41.888758","-87.637300" "August 6, 2010","WellPoint, Inc.","Indianapolis","Indiana","HACK","MED","31,700","A hacking or IT incident that occurred or was discovered around November 3, 2009 resulted in the possible exposure of protected health information on a network server.  
The incident was reported by HHS on August 6, 2010.","HHS via PHIPrivacy.net","","2010","39.768516","-86.158074" "December 31, 2011","California Statewide Law Enforcement Association (CSLEA)","Sacramento","California","HACK","GOV","0","Hackers exposed the email addresses, passwords, and names of CSLEA members.  The passwords were encrypted, but were posted in their decrypted form.  If anyone used the same password and email combination for CSLEA and other websites, they should immediately change their password for those other websites.  Anonymous/AntiSec/LulzSec posted the information online.  UPDATE (1/04/2012): CSLEA became aware of the issue in early November. Old credit card information and corresponding home addresses for orders from the CSLEA online store were also obtained.  Though the ordering process and encryption of credit card information were eventually taken over by Wells Fargo Bank, the card info was inadvertently placed back onto the CSLEA server when the web hosting service restored the site from an earlier version.  It is unclear how old the credit card information was.  CSLEA attempted to prevent hackers from accessing information after the November breach, but Anonymous was able to get past new passwords, obtain information, and release it around December 31.","Databreaches.net","","2011","38.581572","-121.494400" "December 31, 2011","New York State Association of Chiefs of Police","Schenectady","New York","HACK","GOV","0","Member email addresses, passwords, and names were exposed by hackers.  The passwords were encrypted, but were posted in their decrypted form.  If anyone used the same password and email combination for CSLEA and other websites, they should immediately change their password for those other websites.  
Anonymous/AntiSec/LulzSec posted the information online.","Databreaches.net","","2011","42.814243","-73.939569" "October 23, 2011","Onehitplay.com","Brea","California","HACK","BSO","1,008","A hacker or hackers posted the account information of Onehitplay.com users online.  The cost of the breach is estimated at $214,000.","Dataloss DB","","2011","33.916681","-117.900060" "January 1, 2014","Skype breach","Redmond","Washington","HACK","BSO","0","On January 1st, the Syrian Electronic Army is reportedly taking credit for hacking into user accounts on Skype. The amount of users affected is unknown. Reportedly, the hackers infiltrated a users account and monitors the activity and sells the data. ","Media","","2014","47.639323","-122.128383" "February 5, 2014","K. Min Yi, MD, Inc.","San Jose","California","PHYS","MED","4,676","Dr. K. Min Yi informed patients of a burglary that occurred at the surgeon's facility on May 28, 2013, in which the burglars stole a desktop hard drive and an external hard drive that had over 4,000 patients records on them.The information included patients medical history, including lab and radiology reports, surgical information, names, addresses, telephone numbers, dates of birth and insurance information of the primary insured individual. 
They do not believe that patient Social Security numbers were compromised, however the SSN of the primary insured may have been exposed.","California Attorney General","","2013","37.326100","-121.935349" "February 10, 2014","Nielsen","New York","New York","INSD","BSO","0","Nielsen company announced that an undisclosed number of Nielsen Audio employees are being notified that their personal information including names and Social Security numbers may be at risk after an employee with their Human Resources department mistakenly sent out a mass email containing the data.It is currently unknown how many employees were affected.The Nielsen Audio employee mistakenly emailed a file containing the information to other Nielsen Audio employees, who then forwarded the email containing the file to others within the Nielsen environment. These employees were unaware of the contents of the file.","Media","","2013","40.703992","-74.011092" "February 11, 2014","Bank of the West","San Francisco","California","UNKN","BSF","0","Bank of the West notified individuals regarding a recent data breach that may have involved stolen personal information such as Social Security and driver's-license numbers. The company sent letters and e-mails to anyone who applied for a job with the company before Dec. 19, the date the breach was discovered. Currently they are not releasing any information as to the type of information breached or the timeframes the information may have beeen exposed.""It could've been user name and pass code; it could've been more personal information like Social Security numbers, driver's license, date of birth,"" said Debra Jack, Bank of the West spokeswoman. 
""We don't have conclusive evidence that personal information was taken, but we sent those letters as a precaution.""The target of the breach was an online application system that had been retired earlier in 2013, the company disabled the affected servers and is now investigating with help from the FBI.","Media","","2013","37.790773","-122.401906" "February 15, 2014","Kickstarter","Greenpoint, Brooklyn","New York","HACK","BSO","0","The crowd-funding site, Kickstarter, was infiltrated by hackers who made off with user information including usernames, email addresses, mailing addresses, phone number and encrypted passwords.The company has said that no credit card information was taken. ""Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,"" the site said in a blog post, adding that ""as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."" The company was made aware of the breach when contacted by law enforcement.  The company communicated that they ""immediately closed the security breach and began strengthening security measures throughout the Kickstarter system."" The site also said ""no credit card data of any kind was accessed by hackers"" and that ""there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.""","Media","","2014","40.724545","-73.941860" "February 14, 2014","Forbes.com","New York","New York","HACK","BSO","0","Forbes.com announced on their Facebook page February 14th, that they had been a target of a data breach by hackers. They claim that ""the email address for anyone registered with Forbes.com has been exposed Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks.  
The passwords were encrypted, but as a precaution, we will strongly encourage Forbes.com readers to change their passwords on our system once we make sign-on available again"".","Media","","2014","40.736360","-73.993751" "February 21, 2014","Discover Financial Services","Salt Lake City","Utah","CARD","BSF","0","Discover Financial Services sent a notice to their card holders that they were replacing their current cards in wake of all of the retail data breaches. They stated this was not due to a breach of their own systems. The card replacement specifically replaces the security codes on the back of the card withouth changing the card holders current account number.They have stated to their members this was strictly a security measure on behalf of Discover Financial Services. No information was communicated in the letter that the members card had been compromised. ","California Attorney General","","2014","40.760779","-111.891047" "February 19, 2014","University of Maryland","College Park","Maryland","HACK","EDU","309,079","The University of Maryland, located in College Town Maryland, had one of their records databases hacked Tuesday January 18, 2014 around 4:00 a.m by an outside source.This particular database holds information dating back to 1998 and includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school at their College Park and Shady Grove campuses.The hackers did not alter anything in the actual database, but apprarently have made a ""copy"" of the information. 
The university commented at how sophisticated the attack was by the hacker or hackers and they must have had a ""very significant understanding"" of how the database was designed and maintained, including the level of encryption and protection of the database.According to the university President, school officials are investigating the breach and taking steps to prevent any further system intrusions.The college has put out the following statements:""The University is offering one year of free credit monitoring to all affected persons. Additinoal information will be communicated within the next 24 hours on how to activate this service.University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.All updates regarding this matter will be posted to this website.  If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu"". ","Media","","2014","38.989697","-76.937760" "December 2, 2013","Board of Barbering and Cosmetology","Sacramento","California","STAT","GOV","0","The August 23 office burglary of a desktop computer resulted in the exposure of sensitive information.  Individuals who participated as models during cosmetology, barbering, manicure, esthetician, or electrology exams may have had their names, dates of birth, and California drivers' license or identification card numbers exposed.","California Attorney General","","2013","38.581572","-121.494400" "April 26, 2013","LivingSocial","Washington","District Of Columbia","HACK","BSO","29,000,000","As many as 50 million LivingSocial members may have had their names, email addresses, dates of birth, and encrypted passwords exposed by a cyber attack.  Customer credit card information was not compromised.  
Customers were encouraged to change their passwords on any other sites on which they used the same or similar passwords.UPDATE (05/03/2013): As many as 50 million acounts may have been affected.  It is estimated that 29 million people used LivingSocial and many had multiple accounts.","Media","","2013","38.907192","-77.036871" "January 1, 2014","Snapchat","Venice","California","HACK","BSO","0","The hacker or group known as ""Lightcontact"" is claiming to have hacked Snapchat.com. Reportedly, the group published a database containing Snapchat user names and phone numbers and posted it to several public forums such as Reddit.com.UPDATE: Snapchat has announced a security update to their mobile image sharing services to include an opt out option to the Find Friends system. This update is said to prevent others from looking up their account information through address books. This update will allow a person to no longer appear if this type of search is initiated. According to security vendor AdaptivMobile, the compromised accounts are concentrated mostly in California and New York, with the two states accounting for nearly 2.3 million accounts. Other regions affected include Illinois, Colorado and Florida(1/4/2014)","Media","","2014","33.992788","-118.478608" "February 26, 2014","Indiana University","Bloomington","Indiana","HACK","EDU","146,000","Indiana University announced that the personal data of 146,000 students and graduates was breached. The information included their Social Security numbers and addresses and may have affected students and graduates from 2011 to 2014 at seven of its campuses. 
According to the university ""The information was not downloaded by an authorized individual looking for specific sensitive data, but rather was accessed by three automated computer data-mining applications, called webcrawlers, used to improve Web search capabilities.""The university also announced that the information was stored in an insecure location for the past 11 months. The site has since been locked down.The university has set up a hotline 1-866-254-14841-866-254-1484 for students as well as a website http://bit.ly/1kbX505 with information on how to monitor credit accounts and answers to any additional questions regarding an individuals exposure. The university will also be providing the Social Security numbers of those affected to the three major credit-reporting agencies. CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype","Media","","2014","39.166090","-86.526548" "March 3, 2014","Mt. Gox- Worlds Largest Bitcoin Exchange","","Tokyo","HACK","BSF","0","""From a distance, the world's largest bitcoin exchange looked like a towering example of renegade entrepreneurism. But on the inside, according to some who were there, Mt. Gox was a messy combination of poor management, neglect, and raw inexperience.Its collapse into bankruptcy last week – and the disappearance of $460 million, apparently stolen by hackers, and another $27.4 million missing from its bank accounts – came as little surprise to people who had knowledge of the Tokyo-based company's inner workings.""","Media","https://www.wired.com/2014/03/bitcoin-exchange/","2014","35.689488","139.691706" "February 26, 2014","Apple","Cupertino","California","HACK","BSO","0","Apple has revealed a security protocol breach of their iOS and OS X systems. The hacker was able to insert him/herself between the initial verfication and verification session's destination server. This type of hacking allows the hacker to take over as the trusted user. 
The destination server sees the hacker as the trusted user and will then allow the hacker to access secured connections such as websites, email messages, applications where you would typically enter a user id and password.","Media","","2014","37.332000","-122.030781" "February 28, 2014","Sears","Hoffman Estates","Illinois","HACK","BSR","0","Sears announced that the Secret Service is investigating Sears Holdings Corporation as a target of a similar security breach that hit Target and Neiman Marcus toward the end of 2013. Sears spokesperson, Howard Riefs in an emailed statement stated ""there have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” additionally,  “we have found no information based on our review of our systems to date indicating a breach.” said Riefs.","Media","","2013","42.077243","-88.215203" "February 28, 2014","80's Tees","Mt. Pleasant","Pennsylvania","HACK","BSR","3,503","80sTees.com, Inc. announced a data breach that was much larger than originally thought. The online retailer originally reported the breach in April of 2013 to customers whose credit card numbers had been used fraudulently. Since that time, the retailer's investigation uncovered that the scope of the exposure to customer credit card information was larger than originally believed. The company has notified any customer who used the site from June 3, 2012 through April 30, 2013 that their credit card may have been used fraudulently.  Originally the company was contacted by Discover Card requesting an investigation due to some unauthorized charges experienced by Discover cards customers. The company completed their own investigation and on February 27, 2013 learned that a small number of Visa customers had also experienced unauthorized charges. 
On March 6, 2013 Mastercard also contacted the company regarding fraudulent charges against their credit card holders.The company hired a forensic investigator who discovered that the company had been a victim of a cyber attack that gained access to and installed malware on their website server in eary June 2012. Their anitvirus and malware scans did not detect the malware. April 3, 2013 the company notified approximately 3,503 customers of the breach. This is the amount that was reported to the company by the credit card companies.  On April 22, 2013, the company received a report from the forensic investigator that 2,598 credit cards were compromised. On April 30, 2013 the company received calls from two customers stating that their cards had been compromised. The company investigated those customers' complaints and reported the issue to the Secret Service. The Secret Service asked the company to not provide any additional notice until their investigation had been completed.The Secret Service investigation uncovered that the hackers had set up an unauthorized email account that captured the company's credit card transactions without their knowledge. The Secret Service could not definitely say who the hacker or hackers were. Based on the information the company received, they believed it to be a former high level employee who has since died.   ","California Attorney General","","2012","40.185893","-79.562841" "June 7, 2013","Raley's Supermarket","West Sacramento","California","HACK","BSR","0","Raley's supermarket announced they may have been the target of a cyberattack that affected customers who used their credit or debit cards at any of its stores. 
The supermarket chain launched an investigation but had yet to find any evidence of unauthorized access to payment card data.Reportedly, the supermarket chain was contacted by a credit card company regarding  suspicious activity on customers credit cards on May 30, 2013.","Media","","2013","38.583003","-121.514606" "March 3, 2014","Various Taxi Cab Companies in Chicago","Chicago ","Illinois","HACK","BSO","466","In an unprecedented move, First American Bank made a public announcement regarding fraudulent activity they were seeing on both credit and debit cards of customers with their bank specifically related to cab rides in the city of Chicago.The bank is urging both residents and tourists to avoid paying for their cab rides with either debit or credit cards. The ongoing breach appears to be related to the card processing systems used by a significant amount of taxis in the city of Chicago.The bank has reported the breach to MasterCard. They have also reached out to Banc of America Merchant Services and Bank of America, the payment processors for the affected payment systems within the affected taxi cab companies. First American Bank is urging that Banc of America Merchant Services and Bank of America discontinue payment processing for the taxi companies who have been targeted in this breach. So far, neither entity is commenting on the breach or appear to be haulting the processing services. ","Media","","2013","41.878114","-87.629798" "March 3, 2014","City of Detroit","Detroit","Michigan","HACK","GOV","1,700","The City of Detroit announced a security breach that affected files of approximately 1,700 city employees. Apparently the breach occured when an employee clicked on a software link that contained malicious software that released a code that froze access to numerous files.The files included names, birth dates and Social Security numbers of current and former city employees. 
A city spokesperson communicated that it didn't appear that the malicious code gained access to the information in the files, however the city is taking all necessary steps to mitigate any damage. ","Media","","2014","42.331427","-83.045754" "February 12, 2014","Las Vegas Sands Hotels and Casinos","Las Vegas","Nevada","HACK","BSO","0","Las Vegas Sands recently launched an investigation into a security breach of several of their casino websites.  Both the Venetian and the Palazzo had the homepage of their websites hacked and there could be others. Currently it is unknown if credit card information and/or customer data was compromised. The hackers responsible for the breach posted employee information including email addresses and Social Security numbers, on the website for the Sands Casino Resort in Bethlehem. The hackers also posted an image of Sands Chairman and CEO Sheldon Adelson posing with the Israeli Prime Minister, Benjamin Netanyahu.In additional to Las Vegas and Bethlehem, websites for casinos in Macau and Singapore were also hacked.UPDATE (2/28/2014): Las Vegas Sands Casino released a statement that the attackers who breached the company website did compromise customer and employee data, which included Social Security numbers, driver's license numbers and a mailing database. The data breach affected customers at their location in Bethlehem Pennsylvania. They are currently investigating their additional locations to see if similar data was affected. Origininally the company had communicated that customer data was not affected.","Media","","2014","36.169941","-115.139830" "March 4, 2014","Smucker's","Orrville","Ohio","HACK","BSR","0","Smucker's announced a data breach to their Online Store, stealing customer data that could have included customer names, addresses, email addresses, phone numbers, credit card or debit card numbers, expiration dates, and verification codes. 
The hackers utilized a sophisticated malware that steals information from Web server applications. This particular malware obtains form data submitted by visitors as customers entered the data for the online checkout process. These particular hackers look for weaknesses in either the end-users computer or weakensses in the Web server. If there is a weakenss in either one, that web session then becomes compromised and the hackers ""suck down customer data post or pre-encryption (this all depends on whether the data was incoming or outgoing)"".KrebsOnSecurity noted ""when a reader first directed my attention to the Smucker's breach notice, I immediately recalled seeing the cmopany's name among a list of targets picked last year by a criminal hacking group that plundered sites running outdated, vulnerable versions of ColdFusion, a Web applicatoin platform made by Adobe Systems Inc"".","Media","","2014","40.847425","-81.762335" "March 4, 2014","Eureka Internal Medicine","Eureka","California","PHYS","MED","0","Eureka Internal Medicine has notified patients of a potential security breach. It was discovered from September 25, 2013 until around October 9, 2013 that their janitorial service was mixing paper recycling containing patient information with the regular trash vs. moving it to the locked shredding bin. As a result, the paper containing patient information ended up in the regular trash which was picked up and disposed of by the waste management company vs. being secured in the locked bin for pick up for secure shredding. Information that may have been in the regular trash bins could have included full names of patients, Social Security numbers, insurance plan information and medical information. 
Anyone who is potentially affected by the breach and has questions may call the representing attorney's office at 1-888-233-2305.","California Attorney General","","2013","40.787242","-124.139787" "March 4, 2014","Assisted Living Concepts, LLC","Chicago","Illinois","HACK","MED","0","Assisted Living Concepts LLC has notified current and former employees of a potential data breach regarding their payroll records and an unauthorized third party access of this data. Assisted Living Concepts utilizes an external vendor that provides them with payroll services. On February 14, 2014, the payroll vendor notified the facility of evidence of unauthorized third party access to their payroll information. The company launched an investigation and discovered evidence of this unauthorized access that obtained access to their vendor user credentials and access to the vendor's systems, which contained payroll files for current and former employees.The FBI and IRS have advised the company that they believe the personal information accessed may be used by criminals to file faudulent tax reutrns. The IRS is encouraging anyone who might have been affected by this unauthorized access file their tax return as soon as possible. Those affected can also call the IRS Identity Protection Specialized Unit at 1-800-908-44901-800-908-4490  with any questions. CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype","Vermont Attorney General","","2013","41.888650","-87.627558" "March 4, 2014","Capital One","Salt Lake City","Utah","INSD","BSF","0","Capital One has sent notification to customers regarding a possible breach to their personal information. They discovered that a former employee of the company may have improperly accessed customer accounts, which could have been linked to unauthorized transactions. The information accessed included names, account numbers, SOcial SEcurity numbers, payment information and other account information. 
The credit card company has notified law enforcement of the breach.The company is also offering one year of Equifax's Credit Watch GOld with 3-in-1 Monitoring by February 28, 2014 for those that may have been affected. ","Vermont Attorney General","","2014","40.760779","-111.891047" "February 20, 2014","Alaska Communications","Anchorage","Alaska","HACK","BSR","0","Alaska Communications informed customers of a potential data breach on January 27, 2014. One of the company desktop computers was infected with a virus and subsequently sent data outside of their network. Possible personal information compromised could have included names, addresses, dates of birth, and Social Security numbers. The company stated they did not see any evidence of dependent, medical, or banking information that was compromised. The company is offering 1 year of AllClear ID protection at no cost and can be reached at 8-1-866-979-2593 for both AllClear Secure and AllClear PRO services.Any further questions or concerns about the incident there is more information at the company's website http://www.alaskacommunications.com/ ","Vermont Attorney General","","2014","61.186219","-149.872264" "February 13, 2014","Zevin Asset Management LLC","Boston ","Massachusetts","INSD","BSF","0","Zevin Assett Management LLC has notified customers of a potential security breach of their customers' data. In mid September 2013 a Zevin employee used an online service provider to host a document listing Zevin's usernames and passwords for certain custodian accounts. According to the company, two documents, one password protected and an inadvertent ""test"" version of the document that was neither password protected or deleted. Both versions were accesible online (one through the use of a password and one without a password) and visible from September 2013 through December 30, 2013. Possible information compromised included names, Social Security numbers, financial account numbers, and account holdings. 
The company is offering 1 year free of credit monitering services and asked to contact Benjamin Lovell, President if they want the enroll in the service.","Vermont Attorney General","","2013","42.357993","-71.055969" "March 5, 2014","OANDA","New York","New York","HACK","BSF","0","OANDA informed customers of an unauthorized breach affecting some of their clients. On Monday March 3, 2014 a historical log of some payments received via PayPal (prior to 2007) was accessed. The company states that the incident did not impact any fxTrade services, client trades or funds. The information accessed included named and email addresses. The company states that usernames or passwords for thier ""fxPense"" expense reporting tool may have been accessed. These accounts are not related to fxTrade. They are asking customers who registered for this service and use the same username and password on any other external websites, to change those passwords.Upon learning of the breach, the company shut down access to the system and alerted the FBI, their regulators and relevant privacy offices of the breach. For additional questions or concerns those who may have been affected can call their respective local office http://www.oanda.com/corp/contact/ or via frontdesk@oanda.com. ","California Attorney General","","2014","40.708600","-74.010012" "February 7, 2014","San Francisco Airport-South San Francisco Embassy Suites Hotel","South San Francisco","California","HACK","BSO","0","South San Francisco Embassy Suites hotel informed customers who stayed at the hotel that they may have been affected by unauthorized access to two of their computer systems. The hotel learned that in 2013 an unauthorized third party obtained information relating to some payment cards used at the hotel. The information breached involved credit and/or debit card numbers, expiration dates, cardholder names, and the CVV2 code on the back of the cards. 
The data was captured with a manual device and the hotle is claiming that their computer systems were not breached, so no other personal information about their customers was obtained.Law enforcement was contacted regarding the breach. The company stated they have no reason to believe that this situation has impacted any other Embassy Suites hotel or any other hotel in their chain.","Vermont Attorney General","","2013","37.655403","-122.400913" "January 27, 2014","State Industrial Products","Mayfield Heights","Ohio","HACK","BSO","0","State Industrial Products was contacted by the FBI informing them of unauthorized access to information about current and former State Industrial employees. The FBI shared a list of specific employees and the information that was breached.The information included named, addresses, email addresses, Social Security numbers, driver's license numbers, genders, dates of birth, phone numbers, employee ID's, and dates of hire.The company has launched an investigation as to the unauthorized access and hired a computer security firm to analyze thier computer network. In the initial investigation, it appears that the unauthorized person or persons did so for the purpose of filing fake tax returns. The company is asking any affected employees to complete the IRS Identity Theft Affidavit or to contact the IRS Identity Protection Specialized Unit at 1-800-908-44901-800-908-4490 with questions.The company has also offered free one-year membership to Experian's ProtectMyID Alert. 
CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype","Vermont Attorney General","","2014","41.505845","-81.466993" "January 20, 2014","Dartmouth-Hitchcock","Lebanon","New Hampshire","HACK","BSO","0","Dartmouth-Hitchcock informed patients of a security breach involving their personal information that is maintained by the company.On or around December 3, 2013, the company discovered that, as a result of a phishing incident, certain employee user accounts had unauthorized activity in the Employee Self Service Direct Deposit Payroll system. The company launched an investigation and found further unauthorized access to this same system from October 6, 2013 through December 2, 2013. The information accessed included full names, bank account information (routing and checking account numbers), Social Security numbers along with other information the employee supplied to the self service system. Employees are asked to call IS Security Manager, Charles Goff at 1-603-653-1380 or email IS-Security@hitchcock.org.","Vermont Attorney General","","2013","43.676055","-72.272977" "January 10, 2014","Barry University","Portland","Oregon","HACK","EDU","0","Barry University informed individuals of a security incident that may have affected personal information maintained by the university.On May 14, 2013, Barry University detected malware which infected a laptop owned and used by Barry University. The files infected included full names, dates of birth, Social Security numbers, driver's license numbers, bank account numbers.The university is offering a free one-year credit monitoring service. 
Those affected can call 1-800-981-7571 and reference number 47911.","Vermont Attorney General","","2013","45.523062","-122.676482" "December 2, 2013","UNICEF (""U.S.Fund"")","New York","New York","HACK","GOV","0","On December 2, 2013 the United States Fund for UNICEF discovered unauthorized access to one of the U.S. Fund's servers on or around November 4, 2013. The initial investigation by the agency showed only one server affected; however, the personal information exposed included names, credit card numbers, credit card security codes, expiration dates of the cards, bank account numbers, phone numbers, and email addresses. ","Vermont Attorney General","","2013","40.706609","-74.006250" "March 6, 2014","North Dakota University","Bismarck","North Dakota","HACK","EDU","290,780","North Dakota University System has notified individuals of a security breach of a computer server that stores personal information on students, staff and faculty. On February 7, 2014 the server was hacked into and more than 209,000 current and former students and 780 faculty and staff had personal information stored on this server that included names and Social Security numbers according to Larry Skogen, the Interim Chancellor. 
The university has notified officials and has set up a website www.ndus.edu/data with information and is organizing a call center for questions from those who were affected. Authorities have announced that ""an entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails""","Media","","2014","46.820698","-100.782752" "March 5, 2014","Point Park University","Pittsburgh","Pennsylvania","UNKN","EDU","1,800","On Wednesday March 5, 2014 Point Park University in Pittsburgh Pennsylvania notified employees of a possible data breach that included names, home addresses, Social Security numbers, wage information, birthdates, bank accounts and routing numbers. The Point Park President stated that as many as 1,800 employees could have been affected by this breach. ""The university was expecting a package from its payroll processing vendor Ceridian, but when the package arrived to campus it was missing all of the accompanying reports, according to an internal email obtained by the Pittsburgh Post-Gazette."" The university is working with authorities and an investigation has been launched. The law firm that represents the university is currently putting a letter together to those who were affected that will include call-center information and other services offered. ","Media","","2014","40.438497","-80.001276" "February 6, 2010","AvMed Health Plans","Gainesville","Florida","PORT","MED","1,220,000","AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. 
AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected. UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than originally thought. The total now nears 1.1 million. UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach. At least two of them believe that their personal information was misused as a result of this particular breach. UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were ""explicitly"" able to prove a link between the breach and ID theft they incurred. The case had been thrown out by a lower court in August 2011, but the appeal ruling may make it easier for victims of identity theft to prove that the identity theft was caused by a data breach. UPDATE (09/05/2013): AvMed Inc. agreed to settle with customers who were affected by the 2009 data breach on September 3, 2013. UPDATE (10/29/2013): AvMed will pay $3 million. UPDATE (3/6/2014): ""Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. 
More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses)"".","Media","","2010","29.651634","-82.324826" "March 10, 2014","Statista","New York","New York","HACK","BSO","50,000","Online statistics portal, Statista, notified customers of a data breach that occurred with their system. The breach was noticed when the company internally started receiving spam emails. The company investigated and found that the username and password combinations of approximately 50,000 of its customers were compromised. The company has not said whether or not the breach goes beyond access to usernames and passwords, but at present, this seems to be all that has been affected. The company notified users almost immediately and assured them that the compromised passwords ""cannot be used by third parties due to masking procedures"". The company did not encourage customers to change their passwords. Experts are questioning how secure the passwords are for those that created accounts prior to December 2013 and have stated that ""the passwords of those who signed up before this data were stored in the Statista database as MD5 hashes. As many experts will tell you, MD5 passwords can be easily cracked"". The main risk for those affected would be a higher incidence of spam and phishing emails, potentially impersonating Statista.","Media","","2014","40.710923","-73.966924" "March 7, 2014","John Hopkins University","Baltimore","Maryland","HACK","EDU","1,307","University officials at John Hopkins University announced a data breach of their Department of Biomedical Engineering's Design Team course web server. 
A hacker claiming to be part of the group Anonymous claimed credit for the hack. The hackers made an attempt to extort the university out of server passwords, but the university did not comply with the request. Officials at the university said that the server did not contain Social Security numbers, birth dates, credit card numbers or any financial data. The data the server did contain included employee data that is publicly available from the department's website. Those affected include any students from the BME department who were enrolled in the course from 2006 to this past fall. Approximately 1,307 individuals may have been affected. A coding error that left the database vulnerable was identified and fixed, but not before the hackers infiltrated the system. The server was primarily used to produce the BME department's website. Although the breach happened late last year, it was not realized until someone posted on Twitter in January that the server was open to attack.","Media","","2013","39.290385","-76.612189" "March 5, 2014","Sally Beauty Supply","Denton","Texas","HACK","BSR","25,000","As reported by Krebs on Security, it appears that Sally Beauty Supply may be one of the latest victims of a string of credit card data breaches affecting their payment systems. ""On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store. Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers"". The banks used a ""common point of purchase"" or ""CPP"" to determine where the cards were used over the same period of time. 
""Each bank independently reported that all of the cards (15 in total) had been used within the last ten days at Sally Beauty Supply locations across the United States"". The company had also detected some kind of intrusion into their network at or around the same time as the stolen card mapping or ""CPP"" dates that the banks found associated with Sally Beauty Supply. The company's initial investigation did not show any evidence that data was compromised at the store level. The company hired Verizon Enterprise Solutions for the initial and continued investigation. UPDATE (3-17-2014): Sally Beauty has confirmed that the breach they suffered was due to hackers breaking into their network, stealing credit card data from stores. Originally the retailer would not confirm that they suffered a breach as they had no evidence that any credit card data was stolen. The company confirmed that ""fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed."" The company also states ""As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security breach.""","Media","","2014","33.214841","-97.133068" "March 18, 2014","Hickory Grove Gas Station","Vincent","Ohio","HACK","BSR","300","A local area gas station in Vincent Ohio off of Ohio 339 has had a credit card breach and those affected are customers who recently used either debit or credit cards at the gas station. So far 100 people have reported fraudulent charges on their accounts dating back at least a month. Reports are saying that the number could go as high as 300 victims. It appears hackers infiltrated the network that the gas station and grocery store use. 
The breach could have also potentially happened through the Kentucky-based credit card processing company they use. They have stopped accepting any credit or debit cards until a full investigation is completed. Those who think they have been victimized are asked to call the Vincent Ohio Sheriffs Department.","Media","","2014","39.374748","-81.670862" "March 17, 2014","Service Coordination Inc.","Frederick","Maryland","HACK","MED","9,700","Hackers infiltrated the computers of a state-licensed provider of services to developmentally disabled individuals. The information stolen included Social Security numbers and medical information for approximately 9,700 clients. The non-profit learned of the breach in late October 2013. The U.S. Justice Department asked the non-profit organization to delay notification of the breach to allow for a federal investigation. The investigation did lead to the alleged hacker and their equipment and accounts have been seized. ""Service Coordination is one of five private organizations licensed by the state's Developmental Disabilities Administration, an agency of the Maryland Department of Health and Mental Hygiene.""","Media","","2013","39.414269","-77.410541" "March 17, 2014","Arcadia Home Care and Staffing","Southfield","Michigan","INSD","MED","0","Arcadia Home Care/Arcadia Health Services, Inc. notified employees of unauthorized access of their files by an independent contractor for Arcadia by the name of Charles E. Symes, II and his new business Alegre. Mr. Symes was previously authorized to use Arcadia's database, which contained personal information, but only for authorized purposes and access. The company discovered Mr. Symes gaining unauthorized access to employees' personal information which included names, Social Security numbers, addresses, bank account information, California driver's license and other information. The company believes the information was breached on or around January 2014 through March 1, 2014. 
For questions the company is asking those affected to call 1-800-733-8427.","California Attorney General","","2014","42.481965","-83.250079" "March 17, 2014","ELightBulbs.com","Maple Grove","Minnesota","HACK","BSR","0","Elightbulbs.com is one of a series of companies who have had security breaches due to exposure of ColdFusion weaknesses. The online company was contacted by Discover card alerting them to a pattern of fraudulent activity on cards that were recently used at their store. This is a similar incident to what happened with Smucker's. ELightbulbs.com was listed in the ColdFusion botnet panel. The Vice President of the company, Paul McLellan said ""he first learned of the breach on November 7, 2013 from his company's processor, Heartland Payment Systems"". He also stated that ""shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind. Turns out this flaw had existed for two years and they never saw it."" The FBI has stated that the group responsible for the attack has also compromised much higher-profile targets.","Media","","2014","45.072464","-93.455788" "March 17, 2014","Kichlerlightinglights.com","New York","New York","HACK","BSR","0","KichlerLightingLights is another victim of the ColdFusion botnet. The company's owner Gary Fitterman stated ""It was like being attacked by terrorists. When we learned what had happened, we immediately went into frenzy, spent a ton of money to get forensic experts to take a look."" The hacking gang used vulnerabilities in Adobe's ColdFusion to build a botnet of hacked ecommerce sites, designed to bilk the customers' credit card data; KichlerLightingLights was just another one of the ecommerce sites affected. The various companies that have been affected all handled credit card processing on their site. Mr. 
Fitterman has now outsourced all of his credit card processing transactions to a third party company. Experts state that if you run your own credit card processing you must be diligent about software updates.","Media","","2014","40.719161","-73.994882" "March 13, 2014","Detroit Medical Center-Harper University Hospital","Detroit","Michigan","INSD","MED","1,087","A former Detroit Medical Center-Harper University Hospital employee was found with the personal information of 1,087 patients by West Bloomfield police. The documents included patients' health information, names, dates of birth, reasons for patient visits and Social Security numbers. When the hospital learned of the breach they immediately revoked the employee's access to its computer systems and all of the Detroit Medical Center hospitals. Patients that were affected can call 1-855-830-9731 with questions. ","Media","","2014","42.331427","-83.045754" "March 12, 2014","NoMoreRack.com","New York","New York","HACK","BSR","0","As reported by Krebs On Security, for the second time since August 2013, the ""online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data."" The Director of Business Development with the company, Vishal Agarwal, has confirmed that they were approached by Discover Card in August of 2013, communicating that they were seeing fraudulent activity and the online retailer was the point of compromise. As stated by Mr. Agarwal ""they requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave. Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. 
There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems."" Discover reached out to the company again in February to notify them that there was additional evidence of fraud associated with their online store from November 1, 2013 through January 15, 2014. The company has again engaged Trustwave to complete another forensic audit and to also confirm that they are PCI compliant.","Media","","2013","40.742361","-73.984218" "March 18, 2014","Yellowstone Boys and Girls Ranch (YBGR)","Billings","Montana","PHYS","MED","0","The Yellowstone Boys and Girls Ranch which treats mental health issues for children and teens reported that a binder was lost or destroyed sometime in 2013. The binder contained information that included names, addresses, dates of birth, parents' names, programs and treatment professionals' information. They have stated that no financial or Social Security information was stored in this binder.","Health IT Security","","2013","45.783286","-108.500690" "March 14, 2014","Health Source of Ohio","Milford ","Ohio","PHYS","MED","8,800","Health Source of Ohio reported a breach of patients' personal information when a file containing specific data was accidentally made visible online. According to authorities the file was viewed 47 times. The file included names, account numbers, addresses, phone numbers, Social Security numbers, birthdates, credit card numbers and limited healthcare information. According to the center not all patients' information included financial or Social Security numbers. 
A specific number was not provided of the 8,800, who may have suffered a breach of their financial information or SSN. Patients who were affected are advised to contact HSO at 1-800-495-7647","Media","","2013","39.156255","-84.252627" "March 21, 2014","Castle Creek Properties, Inc./Rosenthal Wine Shop","Malibu ","California","HACK","BSR","0","Castle Creek Properties Inc/ Rosenthal Malibu Estate notified customers of unauthorized access to computer systems used to process credit card transactions at their Rosenthal wine shop. The unauthorized access may have compromised payment card data of visitors who used their cards for payment of items at the wine shop tasting room. Information compromised included names, addresses, payment card account numbers, card expiration dates and security codes. The company is offering a complimentary one year membership of Experian ProtectMyID Alert. Those affected who wish to enroll in the services are asked to call 1-310-899-8903.","California Attorney General","","2014","34.039315","-118.583335" "March 20, 2014","Auburn University","Auburn","Alabama","HACK","EDU","0","Auburn University notified individuals of a compromised server within the College of Business network. This incident could have resulted in unauthorized access to personal information including Social Security numbers and names. The investigation is ongoing and the University has reportedly patched the vulnerability in their system. They have no evidence as of yet if any information was accessed or misused in any way. The University is offering a one year complimentary membership of Experian's ProtectMyID Alert. 
For questions or concerns, affected parties should call 1-877-371-7902.","Vermont Attorney General","","2013","32.609857","-85.480783" "March 18, 2014","The Shelburne Country Store","Shelburne","Vermont","HACK","BSR","0","The Shelburne Country Store notified customers of a computer hack to their payment processing system, similar to reported attacks on other national retailers such as Target and Neiman Marcus. The information compromised included names, addresses, credit or debit card numbers, expiration dates and verification codes. They believe the breach occurred between November 13, 2013 and January 6, 2014. They are unclear as to how many purchases were affected. The company has set up AllClear ID identity protection for 12 months at no cost to those affected. They can either email support@allclearid.com or call 1-855-434-8077.","Vermont Attorney General","","2013","44.380400","-73.226886" "March 22, 2014","California DMV","Sacramento ","California","HACK","GOV","0","The California DMV is investigating a potential data breach of their credit card processing systems. Reportedly several large financial institutions received private alerts this week from MasterCard about compromised cards used for charges. As reported by Krebs on Security, ""the alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a ""card-not-present"" breach - industry speak for transactions conducted online. 
The alert further stated that the date range of the potentially compromised transactions extended from August 2, 2013 to January 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards"". Krebs contacted 5 different financial institutions, two mid-sized California banks and ""confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation ""STATE OF CALIF DMV INT."" The DMV, who originally stated they would investigate, put out a statement at 6:44 Eastern Time on March 22, 2014, placing blame on the third party credit card processing company. The total number of individuals potentially affected at this time is unknown. KrebsOnSecurity stated that they had received a list of more than 1,000 cards, from one bank, that were potentially exposed that included credit card numbers, expiration dates and three-digit security codes printed on the back.","Krebs On Security","","2014","38.581572","-121.494400" "March 18, 2014","IRS","","Pennsylvania","INSD","GOV","20,000","A former employee of the IRS took home a computer thumb drive that contained personal information on 20,000 current and former employees and contractors. The information included Social Security numbers, names and addresses. The thumb drive was plugged into the employee's unsecured network, which could have left the information vulnerable. This incident dates back to 2007 before the IRS started using automatic encryption. The IRS will not comment why they did not discover this breach until now, or if the employee who used the thumb drive is still working at the IRS.","Media","","2014","41.203322","-77.194525" "March 25, 2014","American Express ","New York","New York","HACK","BSF","0","American Express sent out notification to cardholders regarding unauthorized activity on their cards from unnamed merchants. 
American Express has stated that names, card account numbers and expiration dates of cards could have been affected. At this time they have stated that no Social Security numbers have been affected. American Express has placed a fraud alert on their cardholders' credit reports. Those affected are to call 1-800-297-7672 for identity theft assistance or email www.americanexpress.com/idtheftassistance. ","California Attorney General","","2014","40.712784","-74.005941" "March 27, 2014","The University of Wisconsin-Parkside","Kenosha","Wisconsin","HACK","EDU","15,000","Students were notified by officials from The University of Wisconsin-Parkside of a data breach of their system by hackers who installed malware on one university server. The information that is at risk includes names, addresses, telephone numbers, email addresses and Social Security numbers. The breach affects students who were either admitted or enrolled at the university since the fall of 2010. The server was shut down and the hacking was reported to local authorities. After launching an investigation it appears the malware was searching for credit card information and they show no evidence that any Social Security numbers were compromised. The university has set up a website with information for those who may have been affected http://www.uwp.edu/explore/contactus/index.cfm ","Media","","2014","42.584743","-87.821185" "April 2, 2014","Kaiser Permanente Northern California Division of Research","Oakland","California","HACK","MED","5,100","Kaiser Permanente's Northern California Division of Research informed research patients of a data breach to their system. The company discovered that a server was infected by malicious software that caused a breakdown in the server's security barriers allowing the hackers to obtain personal information. 
The information included first names, last names, dates of birth, ages, genders, addresses, race/ethnicities, medical record numbers, lab results all associated with research provided by individuals as part of research studies. Currently the company has stated that neither Social Security numbers nor Kaiser electronic medical record information used for ongoing medical care was affected. Those affected with questions are asked to call 1-877-811-0019 from 8 a.m. to 6 p.m. PDT Monday through Friday or the Department of Health and Human Services through the Office for Civil Rights at 1-800-368-1019.","California Attorney General","","2014","37.804364","-122.271114" "April 6, 2014","BigMoneyJobs.com","Uknown","","HACK","BSO","36,802","The recruiting site BigMoneyJobs.com has apparently been breached by a hacker that goes by the name of ProbablyOnion by exploiting an SQL Injection vulnerability. The details of over 36,000 users have been leaked online due to the breach. The information, including names, home addresses, phone numbers, emails and passwords of 36,802 users, has been published in an Excel file. The information covers both individuals looking for a job and companies looking for talent. ","Media","","2014","41.626271","-79.673584" "April 2, 2014","Boxee","Ridgefield Park","New Jersey","HACK","BSO","158,128","The personal data of over 158,000 Boxee.tv forum accounts were hacked and leaked online to a Tor Internet site and at least one researcher. The information included email addresses, birth dates, IP addresses, message histories, and password changes. 
It also included message archives and past password changes. The company was purchased by Samsung last July.","Media","","2014","40.857044","-74.021529" "April 7, 2014","American Express Company","New York","New York","CARD","BSF","0","American Express Company informed customers that their credit card information was recovered as part of an investigation by law enforcement agencies and/or American Express. The information reportedly only included the American Express Card account numbers; no Social Security numbers were impacted. Those individuals who notice suspicious activity on their account are asked to call 1-855-693-2213 to notify the company.","California Attorney General","","2014","40.713611","-74.014722" "April 2, 2014","California Correctional Institution","Tehachapi","California","PHYS","GOV","0","On March 9, 2014 an employee roster was discovered within an unsecure desk drawer at one of the correctional facilities. The roster included full names and the last 6 digits of Social Security numbers. Those affected are being directed to call Tim Fites, Information Security Coordinator at 1-661-823-5011.","California Attorney General","","2014","35.132188","-118.448974" "March 27, 2014","Sorenson Communications and CaptionCall","Salt Lake City","Utah","HACK","GOV","0","On March 7 it was discovered that there was an unauthorized access to Sorenson Communications employee data via the payroll vendor utilized for both Sorenson Communications and CaptionCall employees. The personal information breached covers employees, beneficiaries, dependents, and emergency contacts, or anyone listed in an employee's HR account with the company. 
The information includes names, dates of birth, addresses, Sorenson income histories, Social Security Numbers, W-2 information, and emergency contact data. The access appears to have happened between February 20, 2014 and March 3, 2014. The FBI has been contacted and is investigating the breach. An email was sent to all those affected on March 11th with instructions on how to enroll in the company-provided credit monitoring services. If an email was not received they are requesting those individuals contact the Human Resources Department at hrsupport@sorenson.com to obtain the information. ","California Attorney General","","2014","40.679179","-111.917551" "April 8, 2014","StumbleUpon","San Francisco","California","HACK","BSO","0","The San Francisco based Internet company has informed customers of a potential breach that may have occurred in their system. The company sent notification out to customers noticing suspicious activity on their account and in turn locked their accounts and reset their passwords. The company reported that the breach included only passwords. ","California Attorney General","","2014","37.774930","-122.419416" "April 7, 2014","Deltek Inc.","Herndon","Virginia","HACK","GOV","80,000","Software developer Deltek Inc. informed approximately 80,000 employees of a breach that occurred in Deltek's GovWin IQ system. The company confirmed that on March 13, 2014 they suffered a cyberattack where hackers obtained usernames, passwords and credit card information for individuals who use the GovWin IQ system. Of the 80,000 individuals affected, 25,000 of those may have had credit card information breached. The company is offering those individuals whose credit card information was affected a free membership to TransUnion Monitoring services. It has also been reported that authorities have already made an arrest in this case. 
Deltek has set up an email address for users to submit questions: protect@deltek.com.","Media","","2013","38.969555","-77.386098" "April 9, 2014","Clinical Reference Laboratory","Lenexa","Kansas","PHYS","MED","0","Clinical Reference Laboratory, Inc. notified individuals of a breach regarding their personal information. On or around February 6, 2014 Clinical Reference Laboratory (CRL) sent a packet of invoices via the United States Postal Service to Nationwide Insurance for services performed. The package was damaged when it arrived at the USPS facility and some of the invoice pages were missing. The information in these missing pages included names, dates of birth, the last 4 digits of individuals' Social Security numbers and the type of lab tests conducted. The company has arranged a free one year subscription through Equifax Personal Solutions. Those affected with questions can call CRL at 1-855-758-7543 or email disclosurehelp@crlcorp.com.","Vermont Attorney General","","2014","38.975648","-94.723076" "April 11, 2014","LaCie USA","Tigard","Oregon","HACK","BSR","0","LaCie USA was informed by the FBI that they had found indications that an unauthorized person used malware to gain access to information from customer transactions that were made through LaCie's website. Reportedly, the transactions that may have been affected happened from March 27, 2013 through March 10, 2014. The information breached included names, addresses, payment card numbers and card expiration dates. Also included could be an individual's LaCie username and password to access the website. Those affected are asked to call Monday through Friday from 9:00 a.m. through 7:00 p.m. EDT (eastern time).","California Attorney General","","2014","45.420447","-122.755410" "April 11, 2014","University Urology, P.C. 
","Knoxville","Tennessee","PHYS","MED","1,144","University Urology P.C. of Knoxville Tennessee informed patients of a data breach regarding their personal information. According to the practice, the information was limited to names and addresses and no Social Security numbers, financial account information or clinical information was exposed. According to a statement by the facility, an administrative assistant had compiled the data in an effort to sell it to a competing provider, helping them gain patient business. Patients contacted University Urology to let them know that the competing provider had been soliciting their business.","Media","","2014","35.934590","-83.948264" "April 17, 2014","Aaron Brothers","Coppell","Texas","HACK","BSR","400,000","Aaron Brothers, a division of Michaels Stores Inc., appears to have been part of the data breach of Michaels Stores Inc. The company confirmed on Thursday April 17, 2014 that the payment system breach also affected its Aaron Brothers chain. Approximately 400,000 cards were potentially breached from June 26, 2013 through February 27, 2014. ","Media","","2013","32.937623","-96.995080" "November 27, 2013","Maricopa County Community College District","Phoenix","Arizona","UNKN","EDU","2,490,000","An unspecified data breach may have exposed the information of current and former students, employees, and vendors. Names, Social Security numbers, bank account information, and dates of birth may have been viewed by unauthorized parties. UPDATE (12/02/2013): Student academic information may have also been exposed. 
The Maricopa County Community College District's governing board will spend as much as $7 million to notify and offer credit monitoring to those who may have been affected. UPDATE (12/07/2013): Estimations for the cost of the breach are as high as $14 million. UPDATE (4/22/2014): Maricopa County Community College District waited seven months to inform 2.5 million individuals (students, staff, graduates) of the security breach. The District is now in a class action lawsuit. The lawsuit claims that the ""FBI warned the Maricopa County Community College District in January of 2011 that a number of its databases had been breached and made available for sale on the Internet"". It was also reported that ""the district's Information Technology Services employee also became aware of the security breach in January 2011, and repeatedly reported their findings to Vice Chancellor George Kahkedjian"".","Media","","2013","33.448377","-112.074037" "April 22, 2014","Iowa State University","Ames","Iowa","HACK","EDU","29,780","Iowa State University has reported a data breach of one of their systems that exposed a large amount of data of individuals who were enrolled in the university over the past 17-year period. Social Security numbers of approximately 30,000 people who enrolled in certain classes between 1995 and 2012 were exposed, along with university ID numbers for nearly 19,000 additional people. Authorities believe that the motivation of the person or persons responsible was apparently to generate enough computing power to create the virtual currency bitcoin. The university is offering AllClear ID for 12 months free for those whose Social Security numbers were affected. 
AllClear representatives can be reached at 1-877-403-0281. Here is the link to the university's information regarding the breach: http://www.news.iastate.edu/news/2014/04/22/serverbreach Those who suspect fraud or question whether a request they receive is legitimate should contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at serverbreach@iastate.edu.","Media","","2014","42.025102","-93.649150" "April 28, 2014","AOL","New York","New York","HACK","BSO","0","AOL has sent a message to millions of its account holders about a data breach to their system, urging them to change their usernames and passwords. AOL won't confirm an exact number but it appears to be approximately 2 percent of its accounts. AOL noticed the attack when a significant amount of spam began appearing from spoofed emails from AOL account holders' email addresses.","Media","","2014","40.730601","-73.991522" "February 6, 2012","Concentra Medical Center, Concentra Health","Springfield","Missouri","PORT","MED","870","An office burglary resulted in the theft of an unencrypted laptop.  It contained the names, Social Security numbers, and pre-employment work-fitness tests of Concentra patients from the Springfield area.  The Concentra Springfield Medical Center will not encrypt all equipment as a result of this breach. UPDATE (4/22/2014): Concentra agreed to pay OCR (Office of Civil Rights) $1.7 million for several data breaches that occurred in both Texas and Missouri. The OCR found that ""Concentra previously had recognized security risks caused by a lack of encryption on some of its technology. 
However, OCR said steps to encrypt the technology were ""incomplete and inconsistent over time"". The OCR also found that ""the company did not have sufficient security management measures in place to protect patient health information"".","HHS via PHIPrivacy.net","","2012","37.208957","-93.292299" "April 3, 2014","Central City Concern","Portland ","Oregon","INSD","NGO","15","Central City Concern, a non-profit in Portland, Oregon, notified individuals of a data breach that was perpetrated by an ex-employee of the agency.  Federal law enforcement officers notified the non-profit that this former employee copied files from approximately 15 clients from its Access Center with the intention of filing fraudulent tax returns. CCC began an investigation and has noted that this former employee may have accessed files from March 23, 2010 through May 24, 2013. The former employee stated to authorities that they had only copied 15 files. The non-profit has set up 12 months free monitoring through Experian's ProtectMyID Alert. Those affected who have questions for the agency are asked to call 1-866-778-1144 Monday through Friday 6:00 a.m. to 6:00 p.m.","Vermont Attorney General","","2014","45.525003","-122.676214" "April 30, 2014","Boomerang Tags.com","Pismo Beach","California","HACK","BSR","0","Boomerang Tags.com notified customers of a data breach to their online website. The company released a letter to customers stating that hackers installed some form of malware onto the server that manages their website. The motivation of the hackers appears to be to gain the credit card information of the individual. 
Individuals' financial information may have been exposed from July 4, 2013 through February 18, 2014. Those who may have been affected and have further questions can contact the company at http://www.boomerangtags.com/page.php?c=contact#email_form ","California Attorney General","","2014","35.142753","-120.641283" "May 1, 2014","JCM Partners LLC","Suwanee","Georgia","HACK","BSO","0","JCM Partners informed customers of a data breach that occurred when a file containing personal information of housing applicants was taken from a JCM database and posted on an unauthorized website. An internal investigation was launched. The information in the file included Social Security numbers, driver's license numbers, email addresses and mailing addresses. The company is providing 12 months of AllClear Secure and those affected are automatically eligible and can call 1-877-979-2595. ","California Attorney General","","2014","34.051490","-84.071300" "May 5, 2014","ground (ctrl)","Sacramento","California","HACK","BSO","0","ground(ctrl), which operates social networking community websites focused on musicians, informed customers of a data breach to their website. The information breached included e-mail addresses and passwords. The company did inform customers that their credit card information was never stored with them and was not at risk. For those affected, the company is recommending that usernames and passwords be changed. For questions individuals can call 1-877-463-2875 or email security@groundctrl.com.","California Attorney General","","2014","38.582053","-121.505066" "May 6, 2014","California Department of Child Support Services","Rancho Cordova","California","PHYS","GOV","0","The California Department of Child Support Services has notified individuals of a data breach that resulted in unauthorized disclosure of personal information. 
On April 7, 2014 letters from the Solano County Department of Child Support Services were misplaced while in the custody of a contracted courier who was transporting mail to the US Post Office. Those affected are asked to call the Department of Child Support Services at 1-866-901-3212.","California Attorney General","","2014","38.589072","-121.302728" "February 26, 2014","McKenna Long & Aldridge","Albany","New York","HACK","BSO","441","McKenna Long & Aldridge (MLA) informed current and former employees of suspicious activity on servers belonging to one of their vendors. Information potentially breached included Federal Wage and Tax Statement Forms W-2, names, addresses, wages, taxes and Social Security numbers, dates of birth, ages, genders, ethnicities, Visa, Passport or Federal Form I9 document numbers. The law firm operates 15 offices throughout the United States and one in Korea and the data breach could have affected current and former employees in any of the 14 offices. As a result of an investigation, it was found that the information related to the current and former employees was accessed on November 28, 2013, December 11, 2013, and December 12, 2013. The breach was a result of malicious software placed on the vendor's servers. MLA is providing one year of credit monitoring and identity theft protection at no cost. Those affected must enroll by May 31, 2014 by calling 1-877-371-7902 or visiting the ProtectID website at http://www.protectmyid.com/redeem. ","Maryland Attorney General","","2014","42.655233","-73.759752" "February 27, 2014","Eastern Alliance Insurance Group","Birmingham","Alabama","INSD","BSO","23","Eastern Alliance Insurance Group utilized myMatrixx as the pharmacy benefits manager responsible for pharmaceutical claims associated with workers compensation benefits provided through policies issued by Eastern Alliance Insurance Group. 
Based on an investigation by the company and federal law enforcement, a former employee improperly accessed information on customers of Eastern Alliance Insurance Group. The information stolen included names and Social Security Numbers. They are claiming no credit card numbers were compromised. The company is offering free credit monitoring and identity protection from First Watch Technologies. Those affected can call Jeffrey P. Lisenby, General Counsel at 1-800-282-6242 or contact myMatrixx toll free at 1-888-770-5571. ","Maryland Attorney General","","2014","33.466063","-86.773854" "April 18, 2014","University Pittsburgh Medical Center","Pittsburgh","Pennsylvania","HACK","MED","62,000","The University Pittsburgh Medical Center (UPMC) informed employees of a data breach that compromised employees' personal data, including their Social Security number and  the potential for fraudulent tax returns being filed in their name. The number of employees affected was approximately 800. The full extent of the information exposed has not been communicated, however, due to the tax fraud, information such as names, addresses and Social Security numbers were assumed to be involved. UPMC was aware of the breach in February and thought that the breach included only 27 individuals, but soon became aware that the breach was much larger. An investigation is currently being conducted. UPDATE (4/21/2014): The extent of the data breach at UPMC, thought to be around 800 employees, is much more extensive than originally believed. The current numbers are around 27,000 employees affected. UPMC is offering Lifelock for 12 months for those affected. A letter went out to those individuals with the information. For additional questions, UPMC has provided a toll free hotline (1-855-306-8274) or email JohnHouston@upmc.edu. 
A class action lawsuit has been filed against UPMC. UPDATE (5/14/2014): On Friday May 9, 2014 the law firm of Kraemer, Manes & Associates sued University Pittsburgh Medical Center (UPMC) and Ultimate Software Group of Weston, Fla., over the loss of employee data and subsequent identity thefts. They are seeking class-action status in U.S. District Court, and would represent current and former UPMC employees who have been affected by the breach. UPDATE (2/8/2017): Based on current media, our numbers have been increased to 62,000 individual records breached. More information: https://www.scmagazine.com/umpc-found-to-have-no-legal-duty-to-protect-e...","Media","","2014","40.440625","-79.995886" "September 30, 2011","TRICARE Management Activity (formerly Civilian Health and Medical Program of the Uniformed Services, CHAMPUS), Science Applications International Corporation (SAIC)","","","PORT","BSO","5,117,800","The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  Uniformed Service members, retirees and their families were affected.  Patient data from the military health system that dates from 1992 to September 7, 2011 could have been exposed.  The personally identifiable and protected health information of those who received care in the San Antonio area military treatment facilities and others whose laboratory workups were processed in these facilities was exposed.  It includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information.  The information was stolen from the car of an SAIC employee, along with a stereo system and a GPS device on September 13. UPDATE (10/16/2011): Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data.  
The lawsuit would give $1000 to each of the 4.9 million affected individuals. UPDATE (11/4/2011): SAIC reported that 5,117,799 people were affected by the breach. UPDATE (01/06/2012): A second class action lawsuit, filed in the Superior Court of California in San Diego, targets SAIC and seeks unspecified monetary damages related to the theft of the computer tapes.  The suit was filed in December and seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the September 2011 theft of the tapes. UPDATE (03/14/2012): Some of the people affected by the breach have become victims of identity theft.  The class action lawsuit against the Department of Defense and SAIC was amended to reflect the new information about fraudulent charges appearing on credit cards. UPDATE (04/08/2012): SAIC's insurance will most likely be enough to cover any judgments or settlements that result from the data breach.  SAIC also revealed that the Office for Civil Rights in the Health and Human Services Department opened an investigation into the tape theft on November 17, 2011. UPDATE (07/10/2012): Eight class action lawsuits have been consolidated into one case alleging that personal information was mishandled.  The case will be handled by the U.S. District Court in Washington, D.C. UPDATE (5.13.2014): On Friday, ""a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected over 4.7 million individuals. In his ruling, U.S. District Judge James Boasberg wrote that the case raises ""thorny standing issues regarding ... 
when is a consumer actually harmed by a data breach -- the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party? He noted that most courts ""have agreed that the mere loss of data -- without evidence that [the information] has been either viewed or misused -- does not constitute an injury sufficient to confer standing,"" adding, ""This court agrees"" (Kolbasuk McGee, GovInfoSecurity, 5/13)"".","Media","","2011","37.090240","-95.712891" "May 14, 2014","University California Irvine","Irvine ","California","HACK","EDU","0","On March 26, 2014, the California Information Security Office notified the University California Irvine that three of the computers in the Student Health Center had been infected by a keylogging virus, which captured the keystrokes as information was being entered into the computers, then transmitted the data to unauthorized servers. They believe that hackers gained information from February 14th through March 27th 2014.  As a result of the virus personal information of individuals was compromised. The information included names, unencrypted medical information, potentially including health or dental insurance number, CPT codes, ICD9 codes and/or diagnosis, student ID numbers, non-student patient ID numbers, mailing addresses, telephone numbers, amounts paid to the Student Health Center for services, bank names and check numbers. UC Irvine has contracted with ID Experts to provide one year of FraudStop credit monitoring and one year of CyberScan Internet monitoring for those affected. To enroll visit www.idexpertscorp.com/protect and use the code provided in the letter sent to those affected or call 1-877-810-8083. ","California Attorney General","","2014","33.645619","-117.835899" "May 7, 2014","Gingerbread Shed Corporation","Tempe","Arizona","HACK","BSR","0","Gingerbread Shed Corporation notified customers of unauthorized access to their system that compromised the personal data of its customers. 
The information included names, addresses, phone numbers, email addresses, credit card information, user names and passwords for website accounts. The company has established a confidential phone line for those affected who have questions: call 1-866-597-8199 and use reference # 5474042814.","California Attorney General","","2014","33.419942","-111.940379" "May 6, 2014","Molina Healthcare","Long Beach","California","PHYS","MED","5,000","Molina Healthcare has communicated to former members about a data breach that included their Social Security numbers. Molina said it contracted with a printing company to print postcards that contained information about benefits offered. Unfortunately the postcards did not contain names of the individuals, but addresses and Social Security numbers of the individuals.  ","Media","","2014","33.766648","-118.200183" "April 11, 2014","Veterans Of Foreign Wars Of The United States","Kansas City","Missouri","HACK","NGO","55,000","The office of The Veterans Of Foreign Wars Of The United States notified members that an unauthorized party accessed VFW's webserver through the use of a trojan and malicious code. The hacker, thought to be in China, was able to download tables containing the names, addresses, Social Security numbers of approximately 55,000 VFW members. The motivation of the hacker, according to IT experts, was to gain access to information regarding military plans or contracts and not for purposes of identity theft, although they have not ruled that out. VFW is providing 12 months free of AllClearID. Members can call 1-855-398-6437 with any questions. A security code must be provided and was provided in the letter sent to those affected.","California Attorney General","","2014","39.066814","-94.591009" "May 9, 2014","Baylor Regional Medical Center ","Dallas","Texas","HACK","MED","1,981","Baylor Regional Medical Center at Plano communicated to patients a data breach that occurred when a ""phishing"" email went out to affiliated physicians. 
The physicians may have been unaware that it was a ""phishing"" scam and inadvertently created unauthorized access to their email accounts. The email accounts may have included emails that contained patient information, including names, addresses, dates of birth, or telephone numbers, some clinical information such as treating physician, department, diagnosis, treatment received, medical record number, medications, medical service code or health insurance information and Social Security numbers.","Media","","2014","32.789961","-96.780593" "May 21, 2014","Paytime Inc.","Mechanicsburg","Pennsylvania","HACK","BSO","0","Paytime Inc, a payroll service for corporations, notified customers of a data breach to their payroll system. The hackers obtained usernames and passwords to their system and were able to obtain Social Security numbers, direct deposit account information, dates of birth, hire dates, wage information, home and cell phone numbers, other payroll information and home addresses. The company is providing one year free of AllClearID. Those affected are asked to call 1-855-398-6436.","California Attorney General","","2014","40.202038","-76.964389" "May 21, 2014","Ebay","San Jose","California","HACK","BSO","145,000,000","Ebay, the online auction site, was hacked between late February and early March with login credentials obtained from employees. The hackers then accessed a database containing user records of approximately 145 million users which they appeared to have copied. The information included email addresses, encrypted passwords, birth dates and mailing addresses. The company reports that no financial data or PayPal databases were compromised. 
The company is encouraging all who were affected to log in to their accounts and change their passwords. Ebay has provided the following links for additional information: http://www.ebayinc.com/ and http://www.ebayinc.com/in_the_news/story/faq-ebay-password-change.","Media","","2014","37.295460","-121.927551" "March 30, 2011","Eisenhower Medical Center (EMC)","Rancho Mirage","California","STAT","MED","514,330","The March 11 theft of a desktop resulted in the exposure of patient names, dates of birth, ages, Eisenhower medical record numbers and the last four digits of patient Social Security numbers. A television was also stolen during the burglary. Patient information from as far back as the 1980's may have been exposed. UPDATE (5/22/2014): A California appellate court ruled Wednesday that Eisenhower Medical Center did not violate California's Confidentiality of Medical Information Act. According to the Fourth District Court of Appeals, ""names on a hospital patient index are not ""medical information"" if they're not coupled with medical histories, condition or treatment"". If the court had found the medical center in violation, they could have been faced with damages as high as $500 million. ","PHIPrivacy.net","","2011","33.739744","-116.412790" "April 11, 2012","North Shore University Hospital, North Shore - Long Island Jewish Health System","Manhasset","New York","UNKN","MED","950","A licensed nurse who may or may not have been affiliated with North Shore University Hospital was indicted for identity theft and possessing computer data from North Shore containing information on over 900 people.  It is unclear when the breach that allowed the nurse and an accomplice to access the information first occurred.  Social Security numbers, dates of birth, addresses, phone numbers, medical record numbers, insurance information, and medical histories could have been accessed.  
North Shore University Hospital notified 50 patients of a potential breach in 2011 and may have experienced a separate system breach in early January of 2012.  UPDATE (04/12/2012): The nurse also had the information of an unspecified number of U.S. Nippon Express employees. UPDATE (02/05/2013): A lawsuit has been filed by a group of people who claim that the breach allowed identity thieves to access and misuse their information.  Many, but not all, of twelve people who filed the lawsuit claim to have been victims of identity thieves. UPDATE (03/04/2013): North Shore Long Island Jewish Health System faces a $50 million class action lawsuit.  It was also revealed that thefts of patient face sheet information for identity theft purposes have occurred at least three times in a matter of just a few years. UPDATE (5/24/2014): Another North Shore Hospital employee was charged for her involvement in the identity theft ring. ""Latoya Talbert, 24, has been accused of stealing the identities so she could go shopping. Talbert was arraigned in Nassau County for her alleged involvement in an identity theft ring that began in 2011"".","PHIPrivacy.net","","2012","40.797879","-73.699575" "May 28, 2014","Hospital for Veterans Affairs, Denver","Denver ","Colorado","STAT","BSF","248","The hospital for Veterans Affairs in Denver had two bio-medical computers stolen from a locked room in the hospital. The computers contained data from tests on approximately 239 VA patients. These computers were used to record data from pulmonary function tests for these patients. The hospital has said that no other data was stored on the computers and the data is encrypted on a password protected application.  
","PHIPrivacy.net","","2014","39.732103","-104.936152" "May 23, 2014","Humana","Atlanta","Georgia","PORT","MED","2,962","Humana has notified Atlanta customers of a data breach that occurred when a Humana associate's vehicle was broken into and an unencrypted USB drive along with the associate's laptop computer were stolen. The information contained on these devices included medical record information and Social Security Numbers. Humana said that it ""has no reason to believe that the information has been used inappropriately."" The company is offering free access to a credit-monitoring service for members who were affected. ""Members enrolled in Medicare plans who have any questions about this may contact Humana at 1-800-457-4708, from 9 a.m. to 5 p.m. Members enrolled in non-Medicare plans should call 1-800-448-6262"".","PHIPrivacy.net","","2014","33.748995","-84.387982" "May 22, 2014","San Diego State University","San Diego ","California","DISC","EDU","0","San Diego State University discovered that a database set up and managed by the Pre-College Institute, containing names, Social Security numbers, dates of birth, addresses, and other personal information, was mis-configured to enable any computer connected to the SDSU wired network with the program ""File Maker""   The SDSU wired network consists of offices, some labs and the library. Those with questions or concerns about the incident are asked to contact Felecia Vlahos, the Information Security Officer, at iso@sdsu.edu or via phone at toll free 1-855-594-0142 and refer to incident #H05007.  
","California Attorney General","","2014","32.715738","-117.161084" "May 19, 2014","Lowe's","Mooresville","North Carolina","DISC","BSR","0","Lowe's, the home improvement store, informed current and former drivers of Lowe's vehicles that a computer system, ""E-DriverFile"", provided by one of their third party vendors, which stores compliance documentation and information related to these current and former employees, was unintentionally backed up to an unsecure computer server that was accessible from the Internet. The information that was compromised included names, addresses, dates of birth, Social Security numbers, driver's license numbers, Sales IDs and other driving record information. An investigation was launched and it was discovered that the information may have been exposed between July 2013 and April 2014. The company is providing one year free of AllClear ID services to those affected. Those affected who have questions are asked to call 1-877-263-7997 within the USA; those outside the United States or Canada should call 1-512-579-2449. ","California Attorney General","","2014","35.541800","-80.853851" "April 25, 2014","Willis North America Inc.","Nashville","Tennessee","DISC","BSO","0","Willis North America Inc. informed customers that on ""March 19, 2014 an email was sent internally to a group of current Willis Associates who were enrolled in the medical Plan's Healthy Rewards Program"". The original email sent out to customers was a reminder for a special program through their company, however the individual who sent the email ""accidentally attached a spreadsheet to the email that was not meant to be included"". 
The information on the spreadsheet included names, email addresses, dates of birth, social security numbers, employee ID numbers, and office locations by city/state/zip, Wellness credits, an individual's credit status codes, insurance coverage codes, internal codes for plan geographic region and type of reward applicable, last effective date of medical plan elections, election selections, original and last start dates, and when medical plan coverages began. The spreadsheet did not include any information that revealed health conditions, health treatments or health claims, or personal health information regarding spouses or dependents. The company has arranged for two years of identity theft protection at no charge. Those affected can find the information at www.trustedid.com/enhanced-identity-theft-protection. To register, go to www.trustedid.com/willis and enter the activation code WNAIDE0314 or call 1-888-880-0761. ","Vermont Attorney General","","2014","36.150200","-86.685322" "April 22, 2014","NCO Financial Systems Inc.","Horsham","Pennsylvania","DISC","BSF","0","NCO Financial Systems Inc. informed customers of a data breach when their third party communication vendor, RevSpring, Inc. sent an email to a number of loan customers that mistakenly included an attachment that contained loan statements. The information on these statements included names, addresses, Social Security numbers, and account numbers. The company is offering 12 months free of ProtectMyID through Experian. A letter with a code went out to those individuals affected. Those with questions are asked to call 1-866-274-4371.","California Attorney General","","2014","40.169434","-75.139259" "January 3, 2014","Agency of Human Services","Williston","Vermont","DISC","GOV","0","Vermont Agency of Human Services notified individuals of a data breach containing names and Social Security numbers of individuals. 
The email distribution list inadvertently included all AHS employees and some contractors. According to the agency, the email was opened by numerous AHS employees; a subsequent email was promptly sent that instructed recipients of the email to ""hard delete"" it so it did not remain in their email delete box. Those with questions or concerns can call Joanne Dunster, Benefit Programs Assistant Administrator/ESD HIPAA Liaison at 1-802-769-6155.","Vermont Attorney General","","2014","44.436707","-73.111325" "January 7, 2014","Risk Solutions International LLC, Loudoun County Public Schools","Ashburn","Virginia","DISC","EDU","0","Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school. More than 1,300 links, thought to be password protected, could be accessed through a Google search and unveiled thousands of detailed documents as to how each school in the district will respond to a long list of emergencies, which included the staging areas for response teams as well as where the students and staff would be located during an emergency. Additional documents that could be accessed included students' course schedules, locker combinations, home addresses, phone numbers and birthdates along with the address and cell phone numbers for many school administrators. The contractor Risk Solution International acknowledged that the breach was caused by ""human error"" on their part, which is said to be the cause of the data breach. UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI). According to school officials, the investigation is continuing as to how the webpage, which was made accessible through online search engines without any password protection, happened. 
The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals. Locker combinations were revealed for one school and only one parent contact information was revealed for fewer than 10 schools according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th, December 19th and December 24th 2013. (1/9/2014)","Media","","2014","39.033554","-77.517474" "January 15, 2014","City of Burlington ","Burlington","Vermont","DISC","GOV","0","The Office of The Clerk/Treasurer for the City of Burlington informed individuals that their names and Social Security numbers were inadvertently left unredacted as part of the individual's request for a tax abatement that was provided to the Burlington Board of Tax Abatement (which is made up of the City Council, Mayor and City Assessor). The information was part of a clickable agenda item that was posted on the City Council's website on January 9, 2014; the information was redacted on January 13, 2014. Those affected with questions can call Bob Rusten, Chief Administrative Officer at 1-802-865-7000.","Vermont Attorney General","","2014","44.476303","-73.212821" "February 10, 2014","Freeman","Dallas","Texas","DISC","BSF","0","The company, Freeman, announced a data breach regarding employee W2 forms.  Some employees may have received a W2 form that belonged to another employee. The company announced that one of their vendors, ADP, who works with a large national vendor that mails all of ADP's W2's, has experienced an error in their technology. A glitch in the mail vendor's technology caused the incorrect barcode to be placed on the envelopes. 
The US Postal Service delivered based on the barcode, not the name or address shown on the envelope. ","California Attorney General","","2014","32.776664","-96.796988" "February 20, 2014","Department of Resources, Recycling and Recovery","Sacramento ","California","DISC","GOV","0","On January 23, 2014 a Human Resource Officer with the office of Resources, Recycling, Recovery notified individuals that an email went out mistakenly to numerous third parties associated with the agency. These third party specialists were hired by the agency to assist in HR issues and are known to the agency as ""Personal Liaisons"". The report that was mistakenly sent contained first initials, middle initials, last names and Social Security numbers. The agency has contacted these third party liaisons asking them to immediately delete the email and shred any paper reports. The company is also recommending that anyone affected by the breach place a fraud alert with the credit agencies. Those affected who have further questions should call Romana Herrera at (916) 341-6285.","California Attorney General","","2014","38.581779","-121.492088" "February 27, 2014","Oak Associates Funds","Boston","Massachusetts","PORT","BSF","0","Boston Financial Data Services notified customers of a data security incident that occurred between January 23 and January 27, 2014 that may have involved customer personal information. The incident involved the theft of a company electronic device. The device contained a data file that had certain Oak Associates Funds records. This file may have contained names, addresses, email addresses, phone numbers, Social Security numbers, and certain account information, which may have included numbers, shares, balances, set-up dates, and contact instructions. The company has notified authorities and an investigation is underway. The company is offering one year of Experian's ProtectMyID Alert.
Those affected can enroll in the program by visiting the Experian ProtectMyID website at www.protecmyid.com/redeem or by calling 1-877-371-7902. An activation code was supplied in the notification letter sent by the company.","Vermont Attorney General","","2014","42.360083","-71.058880" "March 11, 2014","Emory Dialysis Center, part of Emory Clinic","Atlanta","Georgia","PORT","MED","826","An employee of Emory Dialysis Center notified the center that his work laptop had been stolen out of his car on February 7, 2014. The laptop was protected by a password but was not encrypted. The laptop contained information for 826 patients which included dates of services, blood flow test graphs, and first and last names for approximately half of the patients; for the rest, only the patients' initials. The center has stated that the laptop did not contain dates of birth, addresses, billing information or Social Security numbers. HSM (Health Systems Management), who runs the clinic, is now password protecting all laptops and encrypting patient information.","Media","","2014","33.748995","-84.387982" "March 11, 2014","Cornerstone Health Care","High Point","North Carolina","PORT","MED","548","Cornerstone Health Care reported a laptop containing information for 548 patients was stolen from Cornerstone Neurology sometime between December 31, 2013 and January 6, 2014. The laptop contained protected health information such as patient names, dates of birth, physician names and nerve conduction scan summaries. The laptop did not contain any addresses, billing information, or Social Security numbers. The laptop was not connected to their third party billing company or their electronic health records. Since the theft the medical practice has revised its procedures and policies, retrained the staff on securing patient information and replaced locks on rooms with electronic medical devices.
","Media","","2014","35.944044","-80.036678" "February 27, 2014","L.A Care Health Plan","Los Angeles","California","DISC","MED","0","Los Angeles Care Health Plan notified customers of a data breach to their system. Customers were informed that a processing error occurred in their system that may have involved accidental disclosure of their information. They were made aware of an issue in their payment portal that allowed one member to see another member's name, address and member identification number. Upon learning about the breach, they temporarily disabled the payment portal and reassigned new membership IDs to those members affected. The disclosures took place from January 22, 2014 through January 24, 2014. The breach is being blamed on a manual processing error which has now been corrected. They are stating that the information was limited to member name, address and member identification number and did not include any other information, such as Social Security number, Driver's License number, or financial account numbers. The company has requested that those affected contact L.A Care's Privacy Office by email at PrivacyOfficer@lacare.org, by telephone at 1-855-270-2327 or by letter to 1055 West 7th Street, 10th Floor, Los Angeles, CA 90017. ","California Attorney General","","2014","34.089854","-118.309340" "March 11, 2014","City of Hope","Duarte","California","STAT","MED","0","The City of Hope was informed by one of their vendors, Sutherland Healthcare Solutions, Inc., of a burglary that happened in one of their offices, where the thieves stole eight of their computers. Two of the computers contained City of Hope patient and patient guarantor information. Both computers were password protected.
Sutherland Healthcare Solutions provides billing services for the City of Hope, who has since suspended their relationship with Sutherland. The information on the computers contained Social Security numbers, names, addresses, phone numbers, medical record numbers, account numbers and/or diagnoses. Law enforcement is currently investigating the incident. The City of Hope has secured the services of Kroll, a risk mitigation company, to provide identity theft protection at no cost for one year for those who may have been affected. ","California Attorney General","","2014","34.128758","-117.973393" "March 12, 2014","UCSF Family Medicine Center at Lakeshore","San Francisco","California","STAT","MED","9,986","UCSF Family Medicine Center at Lakeshore notified patients of a theft of desktop computers that were unencrypted on or around January 11, 2014. An immediate analysis of what information the computers obtained. On March 6, 2014 UCSF determined that some of the computers stolen contained Social Security numbers, names, dates of birth and medical record numbers; some only contained names, medical record numbers and health information. Those who were affected were asked to contact UCSF/ID Experts by calling 1-888-236-0299 Monday through Friday from 6 a.m to 6 p.m Pacific time. When calling, individuals are asked to use Access Code: 59832. UPDATE (3/20/2014): The University of California at San Francisco is notifying 9,986 individuals who had information on the computers that were stolen from the UCSF Family Medicine Center at Lakeshore. The computers included information such as names, dates of birth, mailing addresses, medical record numbers, health insurance ID numbers and driver's license numbers. Of the 9,986 files, 125 of them also included Social Security Numbers. Credit monitoring is being offered to those whose Social Security numbers were affected.
","California Attorney General","","2014","37.732771","-122.491094" "March 13, 2014","Silversage Advisors","Irvine","California","PORT","BSF","0","On February 20, 2014 Silversage Advisors notified customers of a theft of back-up computer drives from a secure offsite location used as part of the company's disaster recovery plan. The drives contained names, addresses, Social Security numbers, driver's license numbers and account information. The company is providing one year of Breach Protector credit monitoring and identity theft restoration coverage. Those affected with questions are to call 1-888-969-7500.","California Attorney General","","2014","33.670458","-117.857625" "March 21, 2014","San Francisco Department of Public Health/Sutherland Healthcare Solutions","San Francisco","California","STAT","MED","0","San Francisco Health Network/San Francisco Department of Public Health has notified patients that their information may have been compromised as well, due to the recent theft of computers at Sutherland Healthcare Solutions. Sutherland is the third party billing company for the San Francisco Department of Public Health. The information contained in the stolen computers included names, dates of birth, Social Security numbers, dates and location of services and names of insurance companies or payers. The agency is providing one year of ID Experts. Anyone who was affected is encouraged to contact ID Experts with any questions and to enroll in the service by calling 1-866-486-4809 or by going to their website www.myidcare.com/idexpertshealthcareprotection. Documentation was sent to the affected parties that provided steps for enrollment and an access code for entry.
The deadline to enroll is July 31, 2014.","California Attorney General","","2014","37.774930","-122.419416" "March 25, 2014","University of Kentucky HealthCare/Talyst","Lexington","Kentucky","PORT","MED","1,079","UK Healthcare is notifying 1,079 patients that a laptop with their personal health information was stolen on February 4, 2014 from Talyst, a third party pharmacy billing management company. The vendor's laptop included names, dates of birth, medical record numbers, diagnosis, medications, laboratory results, progress notes, allergies, height and weights, dates of service, physician name and clinics, insurance carrier, insurance identification numbers.","Government Agency","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","38.040584","-84.503716" "March 27, 2014","Orlando Health's Arnold Palmer Medical Center","Orlando ","Florida","PORT","MED","586","A computer flash drive containing patient information on 586 children treated at Orlando Health's Arnold Palmer Medical Center is missing or has reportedly been ""misplaced"". The information included last names, assigned medical record numbers, dates of birth, gestational ages, birth weights, dates of hospitalizations, and in some cases, transfer dates of children who were patients at Arnold Palmer Hospital for Children or Winnie Palmer Hospital for Women and Babies between 2009 and 2013. ","Media","","2014","28.538336","-81.379237" "March 28, 2014","Palomar Health","Escondido","California","PORT","MED","5,000","Palomar Health in Escondido had a laptop stolen along with two flash drives from an employee's SUV. Approximately 5,000 patients were affected by the breach. The flash drives contained patient names, dates of birth, information regarding individual diagnosis, individual treatment and insurance information. The computer was encrypted but the flash drives were not. The information dates back to 2008.
The Oceanside police have recovered the laptop and the missing flash drives; one person was arrested and the arrest of a possible second suspect may follow. Those patients who may have been affected can reach the health care system for more information at 1-866-313-7993. The company is offering credit monitoring services for those individuals whose Medicare numbers were compromised. Palomar could face a fine as high as $250,000 from the California Department of Health.","Media","","2014","33.119207","-117.086421" "April 3, 2014","Cole Taylor Mortgage","Portland ","Oregon","DISC","BSF","0","Cole Taylor Mortgage (a division of Cole Taylor Bank) informed customers of a data breach that occurred due to an error by one of their third party vendors. Information was inadvertently made accessible to employees of another federally regulated bank. The information included names, addresses, Social Security numbers, loan numbers and certain loan information. According to the mortgage company, the breach was caused by a technical error by the vendor that provides information technology services and solutions to both banks. The company has established a dedicated toll-free hotline for those who were affected at 1-800-572-9809.","California Attorney General","","2014","45.523062","-122.676482" "April 14, 2014","Wilshire Mutual Funds","Kansas City ","Missouri","DISC","BSF","0","Wilshire Mutual Funds informed customers of a data breach that took place on March 13, 2014. It was brought to the company's attention that a copy of individuals' 1099-Div tax form was sent by fax to an incorrect shareholder in error.
The information contained on the 1099-Div form included registered owner's names, the registration of the mutual fund account, the addresses of record, the last 4 digits of the Social Security numbers, the fund and account numbers assigned in their recordkeeping system, the taxable amounts, and the Payer's (Wilshire Equity Fund) Federal ID number. Those affected with questions are asked to call 1-866-591-1568 or to send written correspondence to P.O. Box 219512, Kansas City, MO 64121-9512 or by overnight mail to 430 W. 7th Street, Kansas City, MO 64105.","Vermont Attorney General","","2014","39.099727","-94.578567" "April 22, 2014","Snelling Staffing LLC","Dallas","Texas","DISC","BSO","0","Snelling Staffing LLC informed current and previous employees of a data breach that exposed personal information to others via the Internet due to an installation error of a cloud based server at the home of a former Snelling employee, on January 24, 2014. The information exposed included Social Security numbers, driver's license numbers, dates of birth, home addresses, medical information, alleged criminal activity and/or drug test results. The company did discover the breach and shut down access to the information within the same day. ","California Attorney General","","2014","32.926169","-96.843754" "May 28, 2014","Sharper Future","Los Angeles","California","STAT","MED","0","The Sharper Future, a mental health facility in Los Angeles, has informed clients of a data breach that occurred when their offices were burglarized and various electronic equipment was stolen. The equipment stored patient records, which include names, dates of birth, health and clinical histories, treatment records, CDCR identification numbers and Social Security numbers of their clients. The facility did report that the information on the stolen equipment was password-protected and did not include financial information.
The incident is currently under investigation by authorities. ","California Attorney General","","2014","33.988023","-118.264835" "June 3, 2014","Craftsman Book Company","Carlsbad","California","HACK","BSO","0","Craftsman Book Company notified customers of a breach that occurred on their site. On Tuesday May 27th the company discovered unauthorized access to their site and recommended a change in their username and password. Since that time they discovered that the breach also included charges on customers' credit cards. The hackers found another site operated by the company and through the security vulnerabilities in the one site, they were able to get to the Craftsman Book site and ultimately to the customers' information. Since the vulnerability was discovered, the company has shut down the other site and is in the process of securing it.","California Attorney General","","2014","33.126525","-117.271899" "May 29, 2014","Montana Health Department","Helena","Montana","HACK","MED","0","The Montana Department of Public Health and Human Services announced a data breach that occurred when hackers had access to the server for nearly a year. The server contains names, addresses, dates of birth, Social Security numbers and clinical information of customers along with the Social Security numbers and bank account information of employees. The agency has set up a help line for those who may have been affected at 1-800-809-2956.","Media","","2014","46.585599","-112.014112" "May 26, 2014","Power Equipment Direct","Suwanee","Georgia","HACK","BSR","0","Power Equipment Direct has notified customers of a data breach that occurred when a small piece of malicious computer code was uploaded to a server that handles their check-out process. The malicious code captured and transmitted screen shots of check-out pages. The company reported that the breach most likely occurred from May 4, 2014 until May 5, 2014.
The company is not sure what information was captured; it would have been the information on the screen available at the time the malicious code was enabled. The company is offering AllClear SECURE at no cost for 12 months. Those affected can call 1-877-676-0382.","Vermont Attorney General","","2014","34.051490","-84.071300" "May 26, 2014","AutoNation Toyota of South Austin ","Austin","Texas","HACK","BSO","0","AutoNation Toyota of South Austin informed customers of a data breach that occurred when a third party vendor, TradeMotion, who operates parts websites for auto dealers nationwide, had their systems hacked, potentially exposing credit card information that was stored on their system. The hackers may have also gotten names, addresses, telephone numbers, and email addresses. The company has arranged for those affected to receive one year of identity theft protection through Experian's ProtectMyID. Those affected can call 1-866-252-9553 by August 31, 2014 for enrollment.","Vermont Attorney General","","2014","30.267153","-97.743061" "May 22, 2014","Lowes Corporation","Mooresville","North Carolina","DISC","BSR","35,000","Lowes Corporation had to issue a data breach notice to current and former drivers for the company due to a security breach with one of the third party vendors they use. Information breached included names, addresses, birthdays, Social Security numbers, driver's license numbers, and other driving record information with a company called E-DriverFile, an online database provided by SafetyFirst, a driver safety firm headquartered in New Jersey. The third party vendor unintentionally backed up the data to an unsecure server that was accessible via the Internet. The information may have been exposed from July 2014 through April 2014 before it was discovered. Lowes is offering their current and former employees one year free of AllClearID.
Those affected can call 1-877-322-8228.","Media","","2014","35.541800","-80.853851" "June 4, 2014","National Credit Adjusters","Hutchinson","Kansas","UNKN","BSF","0","National Credit Adjusters has informed individuals of a breach, after being notified that some customers were receiving phone calls from unauthorized third party debt collectors. The information that these unauthorized debt collectors may have access to includes names, addresses, debt balances, dates of birth and Social Security numbers. The information may also expand beyond the individual on the account to co-signers of the account as well. The hackers pose as legitimate debt collectors but are actually calling in an attempt to scam individuals out of their money. The company is asking those affected to call 1-855-737-9123. ","California Attorney General","","2014","38.060845","-97.929774" "May 14, 2014","Paytime","Mechanicsburg","Pennsylvania","HACK","BSF","233,000","Paytime issued notices to its customers about a data breach that it discovered on April 30. According to recent reports, the breach has affected approximately 233,000 individuals in every state, although the majority were in Pennsylvania. The information could have included ""employees' names, Social Security Numbers, direct deposit bank account information (if provided), dates of birth, hire dates, wage information, home and cell phone numbers, other payroll related information and home addresses"". The investigation so far has uncovered that ""intruders were skilled hackers working from foreign IP addresses."" ","Media","","2014","40.202038","-76.964389" "June 12, 2014","Redwood Regional Medical Group","Santa Rosa","California","PHYS","MED","33,702","A thumb drive containing 33,702 patient records was stolen from the Redwood Regional Medical Group in Santa Rosa, California.
An employee placed the thumb drive in a ""zipped container in an unlocked locker"", where the drive was stolen. The information contained on the device included patients' first and last names, gender, medical record numbers, date of birth, date and time of service, area of body X-rayed, the X-ray technologist's name and the radiation level required to produce the X-ray. No other images such as MRIs or mammograms were stored on the device. The medical center was taken over by St. Joseph Health on April 1st. The records were backed up to the drive as a precaution while they were being moved to Santa Rosa Memorial Hospital's electronic medical records system.","PHIPrivacy.net","","2014","38.442160","-122.701844" "May 7, 2014","Green's Accounting","Greenfield","California","STAT","BSF","0","The office of Brent Green, CPA was burglarized on April 6, 2014, and the burglars took a network server computer and hard drives containing personal information of their clients. Their server was unencrypted and contained Social Security numbers, names, and addresses of both individuals and their independents. For additional information or questions, those affected are asked to call Brent Green at 831-64-5562.","","","2014","36.320800","-121.243814" "May 8, 2014","Boulder Community Health","Boulder","Colorado","PHYS","MED","16","Boulder Community Health is investigating another data breach of their facility. It has been reported this is the third such incident for this facility since 2008. Nine people have claimed that they had their records stolen and hard copies mailed to them. Two of these individuals said that there was a letter in theirs that stated their records were mailed “to demonstrate the easy access the hospital and their partners provide to some with bad motives.” There is an ongoing investigation to understand the extent of the breach.
""The hospital — previously known as Boulder Community Hospital until a name change last month — is asking anyone else who thinks their records might have been stolen to call its legal office at 303-440-2342"". UPDATE (5/12/2014): Seven more patients have claimed that an anonymous source has sent them copies of their medical records in the mail. It is still unclear as to whether the source is taking the medical records from inside of the hospital or from somewhere outside of the hospital. The breach is still under investigation.","Media","","2014","40.014986","-105.270546" "April 28, 2014","Seton Northwest Hospital","Austin","Texas","INSD","MED","180","A computer-like device that is used in the sleep lab was stolen from Seton Northwest Hospital. The device, according to the hospital, is a Hewlett Packard desktop device that is used to capture and manipulate data from sleep studies. ""It does not function like a normal computer. The operator would need a password and access to Seton systems to get a hold of patient data"". Reportedly the data consists of names, dates of birth and Seton account numbers. The device was stored inside a locked storage area at Seton Northwest Hospital, where the device was stolen. In response Seton Healthcare sent the following statement: ""But to be safe, Seton already has offered, at no cost to patients, ID protection for a year to all the 180 or so patients whose information we believe is on this data storage device.
Seton is sincerely sorry that this incident occurred and plans to work closely with the patients involved to protect them from harm.""","PHIPrivacy.net","","2014","30.405378","-97.743808" "June 7, 2014","Walgreens","Atlanta","Georgia","INSD","BSR","0","Walgreens has notified some patients of a breach when an employee stole some patients' information, which included names, dates of birth, and Social Security Numbers in the form of a Medicare ID number, and provided the information to a third party. Walgreens is claiming that no credit card, banking or other personal information was involved. The company has set up a hotline for those affected, 1-866-312-8654 from 7 a.m to 7 p.m Central Standard time, Monday through Friday.","Maryland Attorney General","","2014","33.770464","-84.381396" "June 10, 2014","St. Francis Hospital","Columbus","Georgia","DISC","MED","1,175","St. Francis Hospital notified patients of a data breach when a mass email to 1,175 patients was sent out where all email addresses were visible vs. having each patient being blind copied on the email. The hospital is claiming that no medical treatment or other personal information was part of the email. Those St. Francis patients who have questions about the incident are asked to call the hospital at 1-800-723-4998.","Media","","2014","32.505724","-84.960145" "June 6, 2014","Miami-Dade County","","Florida","UNKN","GOV","0","The county of Miami-Dade informed employees of a data breach where their personal information is being used to file fraudulent unemployment claims, along with credit card fraud. Currently, officials at the county are not clear if this breach happened internally or by external hackers. They have not released what specific information has been compromised. Federal officials at the U.S Inspector General's Office are leading the investigation due to false unemployment claims.
The Human Resource Department of the agency has put out a statement. ""The recent news report on a “Data Breach” has understandably raised concerns amongst our employees regarding their personal information and whether they are one of the employees impacted by identity theft. Please be advised that when we identify a possible fraudulent unemployment claim, we immediately notify the Departmental Personnel Representative (DPR) for that employee. Our procedures are as follows: The Human Resources Department receives the Notices of Reemployment Assistance once a claim for unemployment has been filed with the Department of Employment Opportunity (DEO). If a claim is identified as fraudulent (once HR confirms the employee is an active employee) HR contacts the employee’s DPR to provide notice to the Department and notification is immediately sent to the Department of Unemployment indicating that it is a fraudulent claim. If an employee is notified that a fraudulent claim has been filed on their behalf, the employee should be instructed to do the following: Contact the Unemployment Fraud Hotline to report the fraud at (800) 342-9909.
They should report that their identity (SS#, Name) is being used to commit Unemployment Fraud. Make a note of the Master Case File # that has been assigned by the Miami-Dade Police Department: PD130322106429. File an Identity Theft Affidavit (IRS Form 14039), found at http://www.irs.gov/pub/irs-pdf/f14039.pdf. Notify their banking institutions. Make routine checks on their bank accounts. Conduct thorough reviews on their bank and credit card statements. Visit http://myfloridalegal.com/identitytheft to learn more about Identity Theft. We assure you that fraudulent claims are being taken very seriously and every effort is being made to identify and refer these cases to the proper authorities for appropriate action.""","Media","","2014","27.664827","-81.515754" "June 6, 2014","Penn State Milton S. Hershey Medical Center","Hershey ","Pennsylvania","INSD","MED","1,801","Penn State Milton S. Hershey Medical Center began alerting patients of a data breach when an employee accessed clinical data on an unauthorized computer and removable storage device. The employee did have permissions to have access to the files, but downloaded the clinical information on a removable storage device and his personal computer, both of which were not properly secured and outside of the medical center's IT department. The employee also used their personal email account to send emails with a test log of the data to two physicians at the medical center.","Media","","2014","40.264038","-76.676678" "June 10, 2014","Access Health CT","Hartford","Connecticut","INSD","BSF","413","The Connecticut health insurance exchange has suffered a data breach, when one of the exchange's employees lost a backpack at a local deli that included names, Social Security numbers and birthdates of 413 individuals. The employee was not authorized to remove these documents from the facility and has since been put on administrative leave.
","Media","","2014","41.763711","-72.685093" "May 22, 2014","Bluegrass Community Federal Credit Union","Ashland","Kentucky","UNKN","BSF","0","Experian has notified Bluegrass Federal Credit Union of unauthorized access to its consumer information. The information includes names, addresses, Social Security numbers, dates of birth, and account numbers. Those affected can contact Bluegrass Community FCU at 606-324-0888 and ask for Jamie Darling.","New Hampshire Attorney General","","2014","38.473212","-82.630552" "June 17, 2014","Service Alternatives","Coupeville","Washington","HACK","BSO","550","Service Alternatives has informed individuals of a data breach to their payroll system. It appears that an unauthorized third person or persons obtained access to that system between November 2013 and March 2014. The information obtained included full names, addresses, dates of birth (excluding foster parents), Social Security number, Driver's license number or identity card number (excluding foster parents), tax documents, documents provided on form I-9 for anyone hired after Oct. 2010 (excluding foster parents), bank routing number and account number if direct deposit was ever used. Those who were affected by the breach may call 1-800-292-6697 or email support@servalt-adm.com","Maryland Attorney General","","2014","48.219821","-122.686280" "June 19, 2014","Rady's Childrens Hospital","San Diego","California","DISC","MED","14,100","Rady's Children's Hospital has suffered a data breach when an employee inadvertently sent an email with a file attached to 6 potential job applicants. The applicants were meant to receive approved information for an internal evaluation; instead they received the original file with the information of 14,100 patients. The information included names, dates of birth, primary diagnoses, medical records and insurance carrier claim information.
According to the hospital no Social Security numbers, credit card information, addresses or parent/guardian information were included in this file. The file contained information on patients admitted to the hospital between July 1, 2012 through June 30, 2013.","Media","","2014","32.715738","-117.161084" "June 9, 2014","College of the Desert","Palm Desert","California","INSD","EDU","1,900","The College of the Desert in Palm Dale California informed individuals of a data breach in their system when a college employee sent an unauthorized attachment in an email to approximately 78 college employees, that contained personal information of employees of the college. The information contained in the attachment included names, Social Security numbers, dates of birth, genders, zip codes, titles of positions held at the university, employment anniversary date, employee identification numbers, insurance information, active or retired employee status. Those who are affected are asked to call Stan Dupree, HR and Labor Relations Director at 760-674-3777 or sdupree@collegeofthedesert.edu. UPDATE (6/19/2014): According to new reports, The College of the Desert breach affected 1,900 current and former employees. The total individuals affected was not reported when the breach was made public.","California Attorney General","","2014","33.731885","-116.385452" "June 16, 2014","Riverside Community College","Riverside","California","DISC","EDU","35,212","Riverside Community College has suffered a data breach affecting 35,212 students. On May 30th, a district employee emailed a file containing information about all students who were enrolled in the spring term to a colleague working at home due to illness, for a research report that was on a deadline. The district employee used a personal email account to send the data because the file was too large for the district's secure email to send.
The employee then typed in the incorrect email address. The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers. The district has set up a Call Assistance Center at 1-888-266-9438 for affected students. The center will be open from 6 a.m. to 6 p.m. Monday through Friday for 90 days.","","","2014","33.953349","-117.396156" "June 5, 2014","Highmark","Pittsburgh","Pennsylvania","DISC","BSF","3,675","Health insurer Highmark Inc. notified customers who are members of either Security Blue or Freedom Blue that their information may have been mailed to other people. The information mailed was a health risk assessment that included information such as names, addresses, dates of birth and certain medical information. The health insurer is claiming that no Social Security numbers were compromised. ","Media","","2014","40.440625","-79.995886" "May 30, 2014","Arkansas State University College of Education and Behavioral Science's Department of Childhood Services","Jonesboro","Arkansas","HACK","EDU","50,000","Arkansas State University was notified by the Arkansas Department of Human Services of a data breach in their College of Education and Behavioral Science's Department of Childhood Services database, potentially exposing personally identifiable information. According to A-State's Chief Information Officer Henry Torres, “we have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files,” Torres said. “We took immediate measures to address this issue after being notified by DHS. 
We are cooperating with DHS and working with programmers to assess and resolve the situation.” The breach involved a database related to the ""Traveling Arkansas Professional Pathways (TAPP) Registry, which is a professional development system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas."" To date, the university has stated that Social Security numbers were compromised in the database; no other information as to the specific data was provided by the university.","Media","","2014","35.842297","-90.704279" "February 6, 2014","The Home Depot","Atlanta","Georgia","INSD","BSR","30,000","Three Home Depot employees were arrested for allegedly stealing personal information of some 300 employees, and were initially detected last fall and those employees whose files were notified of the breach. One of the three employees was caught using her Home Depot email to send the stolen information. Security investigators fear that this breach may have affected as many as 20,000 individuals. Information stolen included Social Security numbers and birthdates. Allegedly the employees opened numerous fraudulent accounts with the stolen personal information. UPDATE (5/30/2014): Originally it was reported that up to 20,000 individuals may have been affected by this security breach. The number of individuals who may have been affected has now been increased to 30,000. The first report that came out reported three Home Depot employees were involved, but according to the disclosure document sent on behalf of The Home Depot Corporation, one individual was arrested and The Home Depot will seek prosecution of the individual to the fullest extent of the law.","Media","","2013","33.865418","-84.481537" "June 11, 2014","Stanford Federal Credit Union","Palo Alto","California","DISC","BSF","18,000","Stanford Federal Credit Union informed 18,000 members that their personal information was sent to another member accidentally. 
According to the letter sent to the members, credit union employees recognized the error immediately and the data was destroyed without it being read by the recipient. The data sent was a list of members who were pre-approved for loans. The credit union employee who sent the list inadvertently sent it to a member who had the same first name as the staff member it was meant for. According to the credit union, the member had not yet read the mail and worked with the staff of the credit union to properly destroy it. ","California Attorney General","","2014","37.441883","-122.143020" "May 23, 2014","Placemark Investments","Addison","Texas","HACK","BSF","11","Placemark Investments, Inc., a registered investment adviser providing overlay management services for TD Ameritrade's Unified Managed Account Exchange program, notified 11 Maryland residents of a data breach. Reportedly, malware placed on one of Placemark's servers accessed and directed the server to send large batches of spam email. Based on analysis done by the company the malware also had the ""potential to expose certain PDF documents tied to account creation that were stored on the server for short intervals"". These documents contained information relating to the eleven individual accounts which included names, addresses, dates of birth, and Social Security numbers. The company is offering one year free of credit monitoring services from Experian.","Maryland Attorney General","","2014","32.976680","-96.827077" "May 21, 2014","Hanover Foods Corporation","Hanover","Pennsylvania","DISC","BSO","5,867","Hanover Foods Inc, which is a Paytime client, has learned that over 5,800 of its employees were part of the over 216,000 individuals affected by the Paytime breach. 
Hanover's representing law firm has also sent a letter to those affected and has reported the incident to those individuals affected. The information breached included names, Social Security numbers, direct deposit bank account information, dates of birth, hire dates, wage information, home and cell phone numbers, and other payroll information when hackers obtained usernames and passwords associated with the Paytime system.","Maryland Attorney General","","2014","39.800655","-76.983036" "May 28, 2014","Precision Planting","Tremont ","Illinois","HACK","BSO","0","Precision Planting customers have been impacted by a security breach affecting one of the company's data servers. The company has not communicated specifically how their system was compromised; however, the information breached included customer names, addresses, tax identification numbers and financial information. The server also contained some employee W-2 forms, Social Security numbers, and driver's license numbers. ","Media","","2014","40.481329","-89.484065" "June 20, 2014","UCDC, Washington Center","Washington","District Of Columbia","HACK","EDU","0","The University of California, Washington Center received a notification of unsolicited emails being sent to alumni of the university. After an investigation, it was revealed that someone accessed the pre-enrollment system, GoSignMeUp.com, which is a cloud-based provider for the online course registration utilized by UCDC to host its online course registration process. The information breached included usernames, passwords, addresses, principal e-mails, gender, birth dates and UCDC course information. 
The university has stated that they do not record or store any Social Security numbers or financial account information on any of its databases. For those who were affected the university is recommending individuals change their password. Those with questions are asked to contact techhelp@ucdc.edu ","California Attorney General","","2014","38.906548","-77.037322" "June 24, 2014","Riverside County Regional Medical Center","Moreno Valley","California","PORT","MED","0","The Riverside Regional Medical Center has notified patients of the loss of a laptop computer that contained personal patient information. The laptop went missing from a diagnostic services office in the hospital sometime between June 17, 2014 and June 18, 2014. The information on the missing laptop included names, dates of birth, medical record numbers and results of a nerve conduction study, and the names of the referring doctor and the doctor who performed the study. The hospital did communicate that no Social Security numbers, health insurance information or home addresses were stored on this particular laptop. Those who were affected have been asked to call Christina Quijada at 1-877-500-1255 or the Riverside County Privacy Office at 951-955-5757.","California Attorney General","","2014","33.912178","-117.196004" "June 18, 2014","The Metropolitan Companies","New York","New York","HACK","BSO","0","The Metropolitan Companies, LLC, which is a conglomerate of companies from staffing services to interpreters, suffered a data breach as a result of unauthorized access to their computer systems, in which documents that included personal information of their customers may have been removed. Through an investigation, it has been disclosed that the information that was breached includes names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, past education, work history, and financial information. 
The company has not disclosed the number of individuals affected. For those that may have been affected the company is providing one year of identity theft protection through Kroll. They can be contacted at 1-855-781-0033 to speak with a licensed investigator or visit their website at www.kroll.idMonitoringService.com.","California Attorney General","","2014","40.712784","-74.005941" "June 30, 2014","Butler University ","Indianapolis","Indiana","HACK","EDU","163,000","Butler University in Indianapolis, Indiana informed students, staff and alumni of a data breach to their system. Over 160,000 individuals may have been affected when hackers may have accessed their personal information. The university was contacted by California officials to ""inform them that they had arrested an identity theft suspect who had a flash drive with Butler employee's personal information on it"". In a letter sent to those affected, the university has said that ""someone hacked the school's network sometime between November 2013 and May 2014"". The school officials have discovered that the information exposed included birthdates, Social Security numbers and bank account information of approximately 163,000 students, faculty and staff, alumni, and prospective students who never enrolled in classes at Butler. The university is offering a year of free credit monitoring. ","Media","","2014","39.840061","-86.172037" "June 26, 2014","Sterne, Agee & Leach","Birmingham","Alabama","PORT","BSF","0","Sterne, Agee & Leach has contacted customers regarding a data security incident that occurred between May 29th and 30th, 2014. An employee of the brokerage firm was unable to locate their firm-issued laptop, which was password protected, but the data stored locally on the laptop was not encrypted. 
The data stored on the laptop included ""account information utilized for mailing to certain Private Client Group customers whose accounts were opened between July 1, 1992 and June 30, 2013"". The information may have included names, addresses, account numbers and Social Security numbers. The information did not include dates of birth, account holdings, account passwords or access codes. The firm is offering a free one year membership to Experian's ProtectMyID. Those affected must enroll by September 30, 2014, and can visit the website to enroll at www.protecmyide.com/redeem and utilize the activation code in the letter sent by the firm. ","California Attorney General","","2014","33.474983","-86.767214" "June 26, 2014","Record Assist LLC","Houston","Texas","HACK","BSO","0","Record Assist, LLC informed customers of an unauthorized access to their order processing system for ExpressVitals.com. The unauthorized access could have led to obtaining information such as the individual's name, address, credit card number, security code and Social Security number. Those who are affected can contact the company at P.O Box 19686, Houston, Texas 77224-9868 or call 1-844-245-5654.","","","2014","29.760427","-95.369803" "June 27, 2014","Benjamin F. Edwards & Company","St. Louis","Missouri","HACK","BSF","0","On May 27, 2014 Benjamin Franklin Edwards & Company (BFE) discovered an unauthorized access to their database which may have resulted in personal information of its customers being compromised. The company did not provide the exact information that was stored on their system, nor have they communicated how many individuals were involved. For those that have an account and may have been affected the company is offering one year free of AllClearPro. They are asking individuals to contact their financial consultant for more information or go to www.enroll.allclearid.com to enroll. 
","","","2014","38.651246","-90.341318" "June 26, 2014","Orange Public School District","Orange","New Jersey","HACK","EDU","0","A 16-year-old New Jersey teen has been charged with unlawfully accessing the Orange Public School District's database and changing final grades and attendance records. The Orange High School sophomore is facing multiple counts of second-degree computer theft for unlawfully accessing and altering data and one count of hindering apprehension. Reportedly, the student accessed the computer system after obtaining the password of a staff member. Authorities do not know how the teen was able to gain the password information. An investigation is still underway. ","Media","","2014","40.770619","-74.232648" "July 2, 2014","Uxbridge School District","Uxbridge","Massachusetts","PORT","EDU","0","Students at Uxbridge School District may have had their personal information stolen due to a data breach with a third party billing service, Multi-State Billing Services, located in Somersworth, New Hampshire, when an employee's laptop was stolen from their locked vehicle in May. The laptop, which was password protected but not encrypted, contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts. The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers. Multi-State Billing will reimburse costs related to security freezes for the next three years. Information about reimbursement can be obtained by emailing customersupport@msb-services.com or phoning (855) 285-7433. Because the children aren't actual victims of identity theft, the credit agencies may charge up to $5 each time to place, temporarily lift or permanently remove a security freeze. 
","PHIPrivacy.net","","2014","42.075367","-71.628864" "July 2, 2014","Multi-State Billing Services","Somersworth","New Hampshire","PORT","BSF","3,000","Multi-State Billing Services LLC has let 19 school districts that they service know that a laptop that was stolen from an employee's locked vehicle contained records on nearly 3,000 students in 19 different school districts in Central and Eastern Massachusetts. The Central districts include Uxbridge, Ashburnham-Westminster Regional, Milford, Northboro, Northboro-Southboro Regional, Southboro and Sutton. Which Eastern school districts are involved is currently unknown. The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers. Multi-State Billing will reimburse costs related to security freezes for the next three years. Information about reimbursement can be obtained by emailing customersupport@msb-services.com or phoning (855) 285-7433. Because the children aren't actual victims of identity theft, the credit agencies may charge up to $5 each time to place, temporarily lift or permanently remove a security freeze.","PHIPrivacy.net","","2014","43.261655","-70.865628" "July 2, 2014","Milford Schools","Milford","Massachusetts","PORT","EDU","25","Up to 25 students at Milford Schools may have had their personal information stolen due to a data breach with a third party billing service, Multi-State Billing Services, located in Somersworth, New Hampshire, when an employee's laptop was stolen from their locked vehicle in May. 
The laptop, which was password protected but not encrypted, contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts. The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers. Multi-State Billing will reimburse costs related to security freezes for the next three years. Information about reimbursement can be obtained by emailing customersupport@msb-services.com or phoning (855) 285-7433. Because the children aren't actual victims of identity theft, the credit agencies may charge up to $5 each time to place, temporarily lift or permanently remove a security freeze. ","PHIPrivacy.net","","2014","42.139858","-71.516305" "July 1, 2014","Vermont Health Exchange","Williston","Vermont","HACK","MED","0","A Romanian hacker accessed the Vermont Health Exchange's development server last December, gaining access at least 15 times and going undetected for a month. ""CGI Group, the tech firm hired to build Vermont Health Connect, described the risk as “high” in a report about the attack. 
It also found possible evidence of sophisticated “counter-forensics activity performed by the attacker to cover his/her tracks.”"" ""The report says that no private consumer information was stored on the hacked server, and that CGI Group had “verified that no additional servers [that may store private data] communicated with any of the identified attacker IP addresses.”"" This individual was able to gain access to the server because the default password on that server was never changed (in violation of guidelines laid out in the state’s official policy) and because access to the server was never restricted to those users who were known and authorized to be on the server.","PHIPrivacy.net","","2013","44.435907","-73.109167" "September 27, 2010","Columbia University Medical Center","New York","New York","DISC","MED","6,800","Patients treated in the Intensive Care Unit at New York-Presbyterian Hospital and Columbia University Medical Center may have had their information accessed on the Internet during July. The personal information may have included name, age, surgical status, medications and lab results. It appears that a hospital employee's computer files were Internet accessible. UPDATE (5/17/2014): ""Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date"". ","PHIPrivacy.net","","2010","40.714353","-74.005973" "July 2, 2014","Goldman Sachs","New York","New York","DISC","BSF","0"," Goldman Sachs Group Inc warned customers of a data breach that occurred when an outside contractor emailed confidential client data to a stranger's Gmail account by mistake. The bank has asked a U.S. 
judge to order Google Inc to delete the email to avert a ""needless and massive"" breach of privacy. ""The breach occurred on June 23 and included ""highly confidential brokerage account information,"" Goldman said in a complaint filed last Friday in a New York state court in Manhattan"". Goldman Sachs did not say how many people were affected and is asking Google to assist in tracking down who has access to the data. The contractor meant to email a report to a gs.com account but inadvertently sent it to a similar email address with a gmail.com account. Goldman Sachs has not been able to retrieve the report and has not received a response from the individual who owns the gmail account. ","Media","","2014","40.712784","-74.005941" "July 4, 2014","St. Vincent Breast Center","Indianapolis","Indiana","DISC","MED","63,000","St. Vincent Breast Center has announced that patients' health information may have been breached after the center sent around 63,000 letters to the wrong patients. The letters included patient names, addresses and in certain cases references to scheduled appointments. Reportedly no Social Security numbers, financial information or clinical information were included. ""St. Vincent Breast Center entered into an agreement with Indianapolis Breast Center P.C. and Solis Women’s Health Breast Imaging Specialists of Indiana P.C. after they both closed last year. On May 5, St. Vincent Breast Center mailed letters intended for prior patients of the Indianapolis Breast Center and Solis Women’s Health to inform them that St. Vincent was available to provide care. Some letters also welcomed patients who had previously scheduled healthcare services. Officials said on May 15, people who had accidentally received another person’s letter began calling St. Vincent"". Those affected can call 1-877-216-3862 from Monday through Friday 9:00 a.m. 
to 7:00 p.m.","Media","","2014","39.768403","-86.158068" "July 3, 2014","Watermark Retirement Communities","Tuscon","Arizona","PORT","BSO","0","Watermark Retirement Communities Inc. informed current and former employees of the facility of a data breach when a laptop was stolen on June 13, 2014. The information on these laptops included names, addresses, telephone numbers, email addresses, dates of birth and Social Security numbers. The laptop was password protected. Those affected can call 1-800-597-6618.","California Attorney General","","2014","32.316195","-111.010502" "July 7, 2014","Legal Sea Foods ","Boston","Massachusetts","HACK","BSO","0","Legal Sea Foods informed customers of a data breach that occurred on June 5, 2014 in a segment of their mail order web sales and e-commerce environment, in which an unauthorized person gained access to a server that contained information from mail order web customer transactions. After an investigation, transactions made between January 1, 2014 and May 21, 2014 were potentially affected, which included transactions used with credit cards. Names, credit card numbers, card expiration dates, and card verification values may have been breached. The company has informed their payment processing company of the breach and the processor has been working with the credit card companies to provide them the card numbers of those affected. ","Vermont Attorney General","","2014","42.349740","-71.032134" "June 26, 2014","Splash Car Wash","Greenwich","Connecticut","HACK","BSR","120,000","Splash car wash has notified approximately 30,000 customers of a data breach to their system when malware was found on their point of sale system at several of their locations affecting and potentially breaching credit card data. The car wash operates 13 locations in New York and Connecticut and was alerted by American Express of the breach. 
As soon as customers swiped their cards, the information was stolen, not giving the company's system time to encrypt the data. The breach is being investigated by authorities.","Media","","2014","41.016612","-73.649675" "July 8, 2014","Heartland Automotive/Jiffy Lube","Irving","Texas","PORT","BSO","0","Heartland Automotive (Jiffy Lube) has notified customers of a data breach that occurred when one of their company-owned laptops was stolen with personal information on it. The information included names, addresses, dates of birth, Social Security numbers. The company is offering 12 months free of AllClearID. For those affected call 1-877-437-4004. ","California Attorney General","","2014","32.864185","-96.943929" "July 9, 2014","Office of Personnel Management","Washington","District Of Columbia","HACK","GOV","0","In March 2014, it has been reported that Chinese hackers broke into the computer networks of the United States government, specifically The Office of Personnel Management, which houses personal information of all federal employees. The hackers appeared to be targeting the files on ""tens of thousands of employees who have applied for top-secret security clearance."" ""The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. 
It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use."" This particular hacking is unusual as the US computer systems are constantly being hacked by international hackers, but up until this point, have been stopped before any information was compromised. Currently, officials are investigating to pinpoint exactly where these attacks came from.","Media","","2014","38.894721","-77.044149" "July 8, 2014","The Houstonian Hotel, Club and Spa","Houston ","Texas","HACK","BSO","0","Secret Service notified The Houstonian Hotel, Club and Spa regarding a breach to their system that houses customer credit card information. Once the notification happened, the company launched a forensics investigation and discovered that their POS system had been accessed by an unauthorized third party from December 2013 through June 2014, and that the credit card information stored on these systems was compromised. The company has since stopped the intrusions, but has not communicated how many individuals were affected by the breach. The company is offering 12 months free of credit monitoring services for those affected. ","Media","","2014","29.768061","-95.459858" "July 3, 2014","Blue Shield of California/Department of Managed Healthcare","San Francisco","California","DISC","BSF","18,000","The Department of Managed Health Care informed individuals of a breach concerning their personal information. Health plans regulated by the Department of Managed Health Care (DMHC) are required to provide the DMHC periodically with current rosters of the medical providers the health plans contract with. 
These plans are not supposed to include confidential or personal information in the rosters because these rosters are generally public documents. ""The DMHC discovered that Blue Shield of California had inadvertently included provider Social Security numbers in the rosters Blue Shield provided to the DMHC in February, March and April, 2013"". Blue Shield neglected to inform the DMHC that the information was confidential or alert the DMHC that a mistake had been made on the documentation. The information included Social Security numbers, providers' names, business addresses, business telephone numbers, medical groups, and practice areas. For those affected, Blue Shield is offering a free one-year membership in Experian's ProtectMyID Alert. Those with questions can call 1-877-371-7902.","California Attorney General","","2014","37.774930","-122.419416" "July 11, 2014","Epsilon Data Management LLC","Dallas","Texas","HACK","BSO","0","Hackers obtained the names and email addresses of customers of dozens of businesses maintained by Epsilon Management LLC. ""Epsilon said only 2% of its database had been invaded, but dozens of major companies across a variety of industries responded by emailing their customers to notify them of the breach. The companies include Citigroup Inc., Capital One Financial Corp., JPMorgan Chase & Co., 1-800-Flowers.com Inc., Best Buy Co. Inc., L.L. Bean Inc. and Target Corp"". Experts state that the biggest danger from this particular breach is “phishing” attacks, where hackers send emails to company customers in an effort to obtain financial and other personal data. If you receive an email from entities that you have done or are doing business with, the advice is to not open the email, instead contact the company by phone to see if they have sent out a communication email to you. Those affected will also want to immediately change their passwords. 
Be cautious and don't trust that the email is legitimate, particularly from the companies that were named, and do not ever provide personal information back to these types of emails.  ","Media","","2014","32.776664","-96.796988" "July 16, 2014","Central City Concern","Portland","Oregon","DISC","NGO","15","Central City Concern in Oregon suffered a data breach when unauthorized access resulted in the breach of clients' data. ""On April 2, 2014, a federal law enforcement official notified Central City Concern that a former Central City Concern employee has been accused of improperly copying information from approximately 15 Central City Concern clients from its Employment Access Center (EAC) program with the intent of processing fraudulent tax returns in their names"". The information breached included names, dates of birth, Social Security numbers, addresses, and health information of EAC clients. Client inquiries regarding this incident may be directed to 866-778-1144, Monday through Friday from 6:00 AM to 6:00 PM Pacific Time. 
","PHIPrivacy.net","","2014","45.525003","-122.676214" "July 17, 2014","Total Bank","Miami","Florida","HACK","BSF","72,500","Total Bank, a subsidiary of Banco Popular that has 21 locations in South Florida, is notifying 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank's computer network. Information obtained by this unauthorized third party included names, addresses, account numbers, account balances, Social Security numbers and driver's license numbers. The bank is offering 12 months free of credit monitoring services for those that were affected.","Media","","2014","25.772085","-80.191299" "July 14, 2014","Orangeburg-Calhoun Technical College","Orangeburg","South Carolina","PORT","EDU","20,000","""Orangeburg-Calhoun Technical College in South Carolina is notifying 20,000 former and current students and faculty members that an unencrypted laptop computer stolen this month from a staff member's office contained their personal information."" The information contained on the laptops included names, birth dates and Social Security numbers of individuals. The college stated that the information goes back 6 or 7 years and that they believe the thief was after the hardware, not the data stored on it. The college neglected to comment on whether or not they are providing credit monitoring services for those affected.","Media","","2014","33.544593","-80.826047" "July 11, 2014","Boeing ","Seattle","Washington","HACK","BSO","0","""Federal prosecutors have charged the owner of a Chinese aviation firm with trying to steal data about U.S. military aircraft by hacking into the computer networks of Boeing and other U.S. companies, according to a federal complaint unsealed in Los Angeles this week"". According to authorities, the individuals allegedly stole information on Boeing’s C-17 transport plane. 
Evidence shows that the Chinese hackers obtained large amounts of data on dozens of military projects.","Media","","2014","47.606210","-122.332071" "June 23, 2014","Silk Road/U.S Marshall Service","Washington","District Of Columbia","HACK","BSF","40","""U.S. Marshals Service accidentally CC’d 40 potential Silk Road Bitcoin bidders instead of BCC’ing them. Thanks to a phishing scheme that took advantage of this slipup, though, an Australian bidder lost 100 Bitcoin—worth an estimated $62,000—according to. A total of 40 individuals received a phishing email on June 21st from someone who claimed to be from ""BitFirm Productions"". The email asked that these individuals participate in a survey for a client of the fake media firm and click on a link that was supposed to be a GoogleDoc; instead the link contained malware. Unfortunately one individual did click on the link that infected his computer and the hackers were able to transfer 100 Bitcoin out of his account. ","Media","","2014","38.907192","-77.036871" "July 10, 2014","University Development and Alumni Relations at the Penn State College of Medicine","Philadelphia","Pennsylvania","HACK","EDU","1,176","Penn State has notified 1,176 individuals that their personal information had been breached. The Office of University Development and Alumni Relations at the Penn State College of Medicine was found to be ""infected with malware that enabled it to communicate with an unauthorized computer outside the network"". The university used Social Security numbers as a personally identifiable number for students and these SSNs were found in an archived College of Medicine alumni list last used in 2005. The university put out this information: ""For information about Penn State's efforts to minimize computer security risks, visit the University's Be Safe website at http://its.psu.edu/be-safe. 
For more detailed information about identity theft risks and prevention, visit http://www.ftc.gov/bcp/edu/microsites/idtheft/."" ","Media","","2014","39.952584","-75.165222" "July 11, 2014","Lockheed Martin","Fort Worth","Texas","HACK","BSO","0","""Federal prosecutors have charged the owner of a Chinese aviation firm with trying to steal data about U.S. military aircraft by hacking into the computer networks of Lockheed Martin and other U.S. companies, according to a federal complaint unsealed in Los Angeles this week"". Allegedly, the Chinese hackers stole information about Lockheed’s F-22 and F-35 fighter jets. Large amounts of data were stolen on a dozen U.S military projects.","Media","","2014","32.755488","-97.330766" "July 8, 2014","Aecom","Los Angeles","California","HACK","BSO","0","Aecom has notified current and prior employees of a data breach that exposed employee personnel files. Hackers were able to penetrate their corporate network, which included the employee payroll system for the US specifically. The information exposed included names, addresses, Social Security numbers, personal bank account numbers and routing numbers. The company has set up 12 months of AllClearID at no cost. Those affected can call 1-877-615-3770. 
","California Attorney General","","2014","34.050639","-118.257575" "July 15, 2014","Atlantic Automotive Corporation/dba One Mile Automotive","Towson","Maryland","HACK","BSO","0","One Mile Automotive is notifying customers of a data breach at one of their third party vendors, Trade Motion, who operates automobile websites and has notified One Mile Automotive that this breach could have included personal information of some of its customers. The information included names, addresses, email addresses, telephone numbers, credit card information. Those who are affected should call 1-855-505-2774.","California Attorney General","","2014","39.402886","-76.602697" "July 16, 2014","Bay Area Pain Medical Associates","Sausalito","California","STAT","MED","2,780","Bay Area Pain Medical Associates have notified patients of a data breach when several of their desktop computers were stolen. The data included approximately 2,780 patients' first and last names and the number of years the patients had been seen at their practice. They are reporting that the computer data was encrypted and inaccessible, but there was an Excel spreadsheet containing this information that could possibly have been accessed. No Social Security numbers, dates of birth, financial information, contact information or medical information was exposed. The facility is offering 12 months free of AllClearID. Those affected can call 1-877-579-2269.","California Attorney General","","2014","37.868158","-122.500181" "July 21, 2014","Dominion Resources Inc.","Richmond","Virginia","HACK","BSO","1,700","Personal information of more than 1,700 people at Dominion Resources Inc. was compromised when unauthorized parties hacked the employee wellness plan. 
The hacker gained access via the system of a subcontractor, StayWell Health Management LLC, which runs Dominion's ""Well on Your Way"" program, which includes a health screening. The hacking actually occurred at a vendor StayWell uses, Onsite Health Diagnostics, based in Irvine, Texas, that provides the sign-up mechanism for ""Well on Your Way's"" health-screening appointments. The information included individuals' names, addresses, email addresses, phone numbers, gender and dates of birth of employees, spouses and domestic partners who went online to schedule a health-screening appointment going back to 2012. ""Dominion Resources said the company was notified of the breach on June 24 but didn't learn the identities of those affected until July 7th. Dominion Resources is investigating why it took so long for the company to be notified. They are no longer using Onsite Health Diagnostics for scheduling"".","Media","","2014","37.536937","-77.431397" "July 18, 2014","Penn Medicine Rittenhouse","Philadelphia","Pennsylvania","PHYS","MED","661","Penn Medicine had to announce a data breach involving receipts that were stolen last month from a locked office in Pennsylvania Hospital. The information on the receipts included combinations of patient names, dates of birth and the last four digits of credit card numbers.","Media","","2014","39.944858","-75.172654" "July 16, 2014","Apple Valley Christian Care Center","Apple Valley","California","DISC","MED","500","Apple Valley Christian Care Center has notified individuals of a security breach of their system when a ""technical glitch"" occurred. 
The center communicated that the compromised data varied greatly.The information included Social Security numbers, dates of birth, home addresses, dates of stays, Medi-Cal ID numbers, Medicare ID numbers, and/or other insurance information such as Medi-Cal appeals, diagnosis codes, treatment information and medical history.","PHIPrivacy.net","","2014","34.468218","-117.241622" "July 15, 2014","City of Encinitas/San Dieguito Water District","Encinitas","California","DISC","GOV","0","""City of Encinitas and San Dieguito Water District recently were made aware that a Cal-PERS payment document containing Social Security numbers with corresponding employee and former employee names had inadvertently been made accessible to the public on the City’s website on or about May 13, 2014 to July 3, 2014. Based on our research, we found the exposure has been limited to (16) people that accessed the document during that period.""The document contained information of employees and former employees who were enrolled in Cal-PERS during the following timeframes:City of Encinitas–July 1993-October 2011City of Encinitas Fire Safety/Fire Protection District–July 1986–October 2011San Dieguito Water District-July 1989–October 2011The city of Encinitas is offering 1 year free membership of Protect MyID Alert from Consumer Info.com by Experian. For those affected with questions contact Courtney Barrett at 760-633-2631 or Jace Schwarm at 760-633-2636.  
","California Attorney General","","2014","33.036987","-117.291982" "July 11, 2014","University of Illinois, Chicago","Chicago","Illinois","HACK","EDU","0","The University Illinois Chicago (UIC) notified former students of a data breach to their system that included the exposure of personal data.""A website security breach made two College of Business Administration documents from the 2002 spring semester accessible — a roster from a Special Topics in Accounting course and an advising list for all junior and senior accounting majors, according to a statement from the university"".Personal information was exposed, including Social Security numbers. The university has not stated how many students were affected, and the breach is currently under investigation.","Media","","2014","41.878114","-87.629798" "July 16, 2014","Douglas County School District","Castle Rock","Colorado","PORT","EDU","0","Douglas County School District notified employees of a data breach of their personal information when a laptop containing their personal information was stolen.In a letter sent to district employees, the district stated that the stolen computer contained some workers' Social Security numbers and bank account information.The district is currently investigating the breach.","Media","","2014","39.375974","-104.859398" "January 25, 2014","Michaels Stores Inc.","Irving ","Texas","HACK","BSR","2,600,000","On January 25, 2014, Michaels Stores Inc. communicated with customers as to the possibility of a security breach regarding customers payment cards. They have not confirmed as of yet, that a breach did occur, however based on a preliminary investigation and in light of the recent Target and Neiman Marcus breaches, the company felt it was important to warn customers of the possibility of a breach. Michaels is currently working with investigators as to the potential of this breach. 
No additional detailed information has been supplied by the company.UPDATE (2/11/2014): A class action lawsuit has been filed against Michaels by an individual. The suit claims that ""the arts and crafts supplier failed to secure and safeguard customers’ private financial information"".  The suit also alleges that ""Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time"".It has also been reported that Michaels failed to disclose a data breach that occurred in May of 2011. A lawsuit was filed for the 2011 breach, but was settled. The company has not yet released the total number of individuals affected by the breach or when the breach might have taken place.UPDATE (7/22/2014): ""A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561,dismissed 7/14/14).Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages"". ","Media","","2013","32.915281","-96.988620" "November 16, 2011","Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF)","Sacramento","California","STAT","MED","4,240,000","A company-issued password-protected unencrypted desktop computer was stolen from SMF's administrative offices during the weekend of October 15, 2011.  
Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed.  The information dated from 1995 to January of 2011.  An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations in addition the the previously listed information exposed.  This information dated from January 2005 to January 2011.  Patients will receive notification letters no later than December 5.UPDATE (11/23/2011): Two lawsuits have been filed against Sutter Health.  One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data and then did not notify the millions of patients whose data went missing within the time required by state law.  The suit seeks $1,000 for each member of the class and attorneys' fees.  UPDATE (07/21/2014): ""A state appellate court Monday ordered the dismissal of a lawsuit that could have cost Sutter Health more than $4 billion when it ruled that millions of the health care giant’s patients had no right to sue over the theft of a computer with their personal, medical and insurance records on its hard drive. 
The court decided it has not been shown – and the patients have not alleged – that any unauthorized persons have actually viewed the contents of the hard drive, a fact that deprives the patients of grounds to seek civil damages"". Read more here: http://www.modbee.com/2014/07/21/3450039/court-halts-4-billion-privacy.h...","PHIPrivacy.net","","2011","38.581572","-121.494400" "July 22, 2014","Vice.com","Brooklyn","New York","HACK","BSO","0","Reportedly a ""Russian hacker group known as W0rm tweeted, along with screenshots, that it had hacked popular news, arts and culture site Vice.com and The Wall Street Journal website, and would sell each stolen database for Bitcoin."" The company has communicated that a hacker was able to access a list of Vice.com CMS users. This list included email addresses and hashed passwords. The company communicated that they have since patched the vulnerability.","Media","","2014","40.678178","-73.944158" "July 14, 2014","CNET","New York","New York","HACK","BSO","0","Russian hackers going by the name W0rm and the Twitter handle @rev-priv8 infiltrated servers of CNET and ""posted an image of remote access to a CNET.com server, with a screenshot of a shell proving a compromise of the site"". CNET would not comment on the nature of the attack or what information was compromised; they have just communicated that they have fixed the problem. ""The image posted on Twitter would indicate the hacker could access and upload files to the website. It's pretty difficult to say how they did it, though. One source suggested it was likely a content management system breach - something like a WordPress or Joomla exploit"".","Media","","2014","40.712784","-74.005941" "April 27, 2011","Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE)","New York","New York","HACK","BSR","101,600,000","Sony discovered an external intrusion on PSN and its Qriocity music service around April 19. 
Sony placed an outage to block users from playing online games or accessing services like Netflix and Hulu Plus on Friday April 22. Sony says the outage will continue until the situation is addressed, which will likely be within the next week. Sony believes an unauthorized person has obtained names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity password and login, and handle/PSN online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. User credit card numbers may have also been obtained. Sony has hired a security firm to investigate the incident and strengthen the network infrastructure by re-building their system to provide greater protection of personal information.An individual filed a class action lawsuit on behalf of all PSN users following seven days of a Sony PlayStation Network outage. The lawsuit alleges that Sony ""failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line."" It also accused Sony of violating the Payment Card Industry (PCI) security standard, which prohibits companies from storing cardholder data.UPDATE (5/3/2011): A review of Sony's network breach revealed that it was larger than first thought. Sony turned the SOE system off.  Hackers may have taken personal information from an additional 24,600,000 user accounts in Austria, Germany, the Netherlands and Spain. Names, addresses, genders, email addresses, login name and associated password, phone numbers and birth dates of SOE gaming customers, as well as data from about 12,700 credit card accounts and 10,700 bank accounts from an outdated 2007 database could have been accessed.  
The outdated account information that may have been obtained by hackers includes credit card numbers, debit card numbers, expiration dates, bank account numbers, customer names, account names and customer addresses. The SOE network hosts games that are played over the Internet on personal computers and is separate from the PlayStation network.  Sony has not clearly indicated if credit card numbers were compromised.  At least one report indicates that the numbers were encrypted.  These breached records will not be added to the total until more is known.UPDATE (5/6/2011): Sony now indicates that some credit card numbers were compromised.  Twelve million credit card numbers were unencrypted and could easily be read.UPDATE (5/7/2011): Sony discovered that hackers had placed customer information online. Sony removed the information.  It included customer names and addresses from a 2001 Sony database.Service restoration for the PlayStation network was indefinitely delayed. Additionally, the CEO issued an apology letter.UPDATE (5/17/2011): Hackers began changing user passwords by using PSN account emails and dates of birth within two days of the partial restoration of the PlayStation Network.  Sony failed to alter the password reset system to account for hackers having obtained user email addresses and dates of birth.  Users who changed their passwords, but not the email associated with their PlayStation Network accounts, were vulnerable to the hacker exploit. Sony shut down the PlayStation Network again and released a short statement about the incident.UPDATE (5/23/2011): Sony headquarters expects to spend about $171 million on its personal information theft protection program, welcome back programs, customer support, network security enhancements and legal costs associated with the breach.UPDATE (6/2/2011): Sony fully restored all Playstation Network services in all areas except Japan.  The Playstation Store and Qriocity divisions are now functioning properly.  
UPDATE (6/4/2011): A concise history of the Sony hacks can be found here.UPDATE (7/21/2011): Zurich American, one of Sony's insurers, is suing to deny releasing data breach coverage funds to Sony.  Sony expects the breach to lower operating profit by $178 million in the current financial year.  A total of 55 class action complaints have been filed.UPDATE (10/11/2011): Sony Online Entertainment became aware of a large number of unauthorized sign-in attempts.  The attempts took place between October 7 and 10.  About 93,000 PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment services accounts may have been compromised.  The unauthorized parties appear to have verified valid sign-in IDs and passwords after a number of failed attempts.  Sony temporarily locked those accounts. It is unclear if the email addresses were obtained from a previous breach.UPDATE (10/19/2012): A federal judge found that Sony users signed a privacy policy informing them that Sony's security was not perfect.  Sony was cleared of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes. The judge ruled that plaintiffs could not claim that Sony violated consumer-protection laws because PSN services were free of cost.  This dismissed much of the lawsuit.UPDATE (12/16/2013): Sony agreed to drop an insurance claim over litigation related to the 2011 breach.UPDATE (7/30/2014): ""Sony recently offered to settle a class action lawsuit over the 2011 breach of its PlayStation Network. According to the terms of the proposed $15 million settlement, the money will be paid out in the form of games. Class members who didn't take advantage of initial ""Welcome Back"" package of games and memberships offered in 2011 will receive on of the 14 PlayStation 3 or PlayStation Portable games, as well as three of six PS3 themes or a three-month PlayStation Plus subscription. 
Qriocity users will get one month of free access.""","Media","","2011","40.714353","-74.005973" "July 28, 2014","Backcountry Gear","Eugene","Oregon","HACK","BSR","0","Backcountry Gear notified customers of a data breach with a server that handles credit card information. The company discovered malware that was put onto their server that was able to gain customer names, addresses, purchase information, and credit card/debit card information. The company has stated they do not collect pin numbers or bank account numbers in a transaction so those would not have been compromised in the breach.For those who were affected and have questions can call 1-800-953-5499 ext. 5 or email at data@backcountrygear.com.","California Attorney General","","2014","44.057925","-123.120994" "July 30, 2014","CVS/Caremark","Atlanta","Georgia","DISC","BSR","350","As reported by a local news station in Atlanta Georgia reported a breach by CVS/Caremark when a mailing went out to CVS Caremark customers offering a switch to a 90-day prescription supply. Unfortunately the mailings went out to the wrong addresses. ""CVS Caremark is in the process of notifying the affected members that due to a programming error, letters intended for fewer than 350 plan members were sent to incorrect addresses"".   The company said they sent the mailings July 15 and fixed the error after getting complaints. The information exposed were individual names, addresses and what prescriptions the individuals were on.","Media","","2014","33.748995","-84.387982" "July 30, 2014","Rite Aid Pharmacy","Milton ","Washington","PHYS","BSR","521","Rite Aid Pharmacy in Milton Washington notified customer of a data breach, when someone stole a"" stack of expired prescription records from a Rite Aid pharmacy in Milton, the company announced Wednesday"". ""The records did not contain Social Security numbers or credit card numbers, and there has been no sign of resulting identity theft"", spokeswoman Ashley Flower said. 
The theft occurred on June 30 when a burglar entered a back room where the records were stored.""Flower said 521 customers were notified of the theft via mail. She did not know how many records were stolen. The affected customers were offered a free identity theft consultation"".Those who were affected can contact Kroll Inc. at 855-269-6547 or Rite Aid at 800-RITE-AID. Read more here: http://www.thenewstribune.com/2014/07/30/3309632/expired-prescription-re...","Media","","2014","47.247803","-122.295901" "July 23, 2014","Wall Street Journal","New York","New York","HACK","BSO","0","The Wall Street Journal was compromised by a Russian hacker who posted images of a list of user accounts claiming they were from the Wall Street Journal. The Wall Street Journal claimed they had an intrusion but that no data was affected.The information has yet to be confirmed that it was from the Wall Street Journal, however the same type of intrusion was recently confirmed when this same hacker claimed an intrusion to CNET. ","Media","","2014","40.712784","-74.005941" "March 20, 2014","Marian Regional Medical Center","Santa Maria","California","DISC","MED","0","Marian Regional Medical Centers (Santa Maria and Arroyo Grande Campuses) notified patients of a data breach. A secured electronic file containing patients information was sent to a contracted health insurance plan in error. The health insurance plan notified the company immediately that they received the email in error. The file included names, addresses, types of insurance, dates of birth, dates of service, types of laboratory tests and test results for dates of service between March 1 and March 6, 2014. The company has stated that the Social Security number was not included in the electronic file. 
For those affected the company has asked questions or concerns to be directed to a toll free number 1-877-906-1603.","California Attorney General","","2014","34.951241","-120.413334" "March 6, 2014","Los Angeles County Department of Health/Sutherland Healthcare Solutions","Los Angeles","California","STAT","MED","168,000","On February 5, 2014 Sutherland Healthcare Solutions, which provides patient billing and collection services for Los Angeles County, was broken into and computers were stolen. Information that was stored on these computers included first and last names, Social Security numbers, billing information, dates of birth, addresses, diagnoses and other medical information. Currently the breach is being investigated by authorities and the agency is offering credit monitoring services through ID Experts free for 12 months. To enroll in the free services, call 1-877-868-9284 or go to www.myidcare.com/securityandprotection. UPDATE (3/7/2014): The Los Angeles County Department of Health and Human Services (DHS) announced recently that they will be notifying 168,000 patients of a data breach at Sutherland Healthcare Solutions. When originally reported the number of patients was not divulged. UPDATE (5.27.2014): The Los Angeles County Department of Supervisors voted on Tuesday to tighten and add current requirements for county computers and hard drives. Currently, all laptops are required to be encrypted and the vote on Tuesday now extends that requirement to all county departments’ computer workstation hard drives as well. 
They also voted to have ""all County-contracted agencies that exchange personally identifiable information and protected health information data with the County"" be encrypted as a requirement for any contract.","California Attorney General","","2014","34.052234","-118.243685" "June 11, 2014","PF Chang's","Scottsdale","Arizona","HACK","BSO","0","P.F Chang's is investigating a potential data breach, when credit cards showed up on an underground website that criminals use. Brian Krebs broke the story, when the banks he contacted confirmed that the cards had been used at P.F Chang's restaurants. P.F Chang's is investigating the allegations currently with authorities. UPDATE (06/30/2014): PF Chang's has had a class action lawsuit filed against the restaurant chain. The company confirmed on June 12, 2014 that a breach had occurred. Some security experts believe that the lawsuit is unlikely to succeed because proving consumer losses linked to the specific restaurant data breach is difficult to do. Some believe it was a breach of the restaurant's POS system, most likely infiltrated by malware, similar to the Target and Sally Beauty breaches. The restaurant chain has yet to divulge any details, including the number of cards exposed. UPDATE (8/4/2014): ""P.F Chang's China Bistro Ltd. stated Monday that the data breach that affected customer credit and debit cards affected 33 locations throughout the continental U.S."", the investigation is still ongoing. 
","Krebs On Security","","2014","33.700100","-111.915420" "June 30, 2014","San Antonio Metropolitan Health District","San Antonio","Texas","PORT","MED","300","San Antonio Metropolitan Health District announced a data breach involving vaccination records of 300 children when a laptop containing these records was stolen.The records included first and the last name of the patient, the patient's date of birth, an identifier for the patient's doctor, and the name of the immunizations. The laptop has since been recovered.","Media","","2014","29.424122","-98.493628" "May 28, 2014","Promedica Bay Park Hospital","Oregon","Ohio","INSD","MED","500","ProMedica Bay Park Hospital notified patients of a data breach when an employee of the facility accessed records of patients not directly under their care from April 1, 2013 to April 1, 2014.The information breached included each ""patient's full name, date of birth, diagnosis, attending physicians, and medications. Patients' Social Security numbers and financial information are not believed to have been accessed"". The employee was immediately fired once the hospital learned of the privacy breach.","Media","","2014","41.620787","-83.479951" "May 22, 2014","Alabama Department of Public Health","Montgomery","Alabama","INSD","GOV","7,000","The Alabama Department of Public Health notified individuals of a breach when the U.S Attorney's Office for the Middle District of Alabama and the U.S. Department of Justice's Tax Division informed the health department that they were prosecuting individuals in an id theft ring involving personal information used to file fraudulent tax returns.""The indictment indicates that the women ran a large-scale ID theft ring between January 2011 and December 2013 during which time they filed more than 7,000 false tax returns that claimed more than $20 million. Authorities say the woman stole identities from numerous places. 
Tracy Mitchell, for example, worked at the hospital at Fort Benning, Georgia, where she had access to military personnel data, including that of soldiers deployed to Iraq and Afghanistan. Authorities also claim that Tracy Mitchell and her co-indicted daughter, Latasha Mitchell, obtained stolen identities from an Alabama state agency, that Keisha Lanier obtained stolen identities from the Alabama Department of Corrections, that Talarious Paige and Patrice Taylor worked in a call center for a Columbus, Georgia company and stole identities and that Paige, in turn, sold those identities and they were used by Tracy Mitchell, Keisha Lanier, and others to file false tax returns"".","Media","","2014","32.379177","-86.305820" "May 19, 2014","Safety First","Parsippany","New Jersey","DISC","BSO","35,000","SafetyFirst has come forward to announce a data breach of their E-DriverFile service. The company is connected to the announcement that Lowe's current and former employees were involved in a data loss. ""A new filing with the California Attorney General’s Office obtained today indicates that a server containing a wealth of information about client vehicle operators was unprotected and accessible via the Internet for a period that exceeded six months. SafetyFirst reported that the breach dated back to September 27, 2013. It was not discovered until April 2, 2014 according to those records"". SafetyFirst unintentionally backed up data to an unsecured computer server that was accessible from the Internet. The information breached included Social Security numbers, and driver license numbers.","Media","","2014","40.869136","-74.419138" "March 1, 2014","Managed Med, A Psychological Organization","Los Angeles","California","UNKN","MED","0","Managed Med, A Psychological Corporation has notified the California Attorney General's office of a data breach with their system. 
Currently they have not communicated what information was involved in the breach, the dates or how many people were affected.","California Attorney General","","2014","34.052234","-118.243685" "July 30, 2014","Lasko Group, Inc.","West Chester","Pennsylvania","HACK","BSR","0","Lasko Group Inc. announced a data breach of customers who purchased on-line parts from them and Air King America Inc. Both companies were the victims of ""phishing"" emails from an unknown third party. These fraudulent emails led to unauthorized access to their computer network. Information breached included names, email addresses, phone numbers, credit card numbers, and credit card expiration dates. The company is offering AllClearID identity protection for one year at no cost to those affected. Those who are affected can sign up by calling 1-866-979-2595 or at enroll.allclearid.com. The company has also established a confidential assistance line for questions or concerns at 1-877-218-0052 from 9:00 a.m. to 7:00 p.m. EST.","California Attorney General","","2014","39.960664","-75.605488" "June 20, 2014","Mount Olympus Mortgage Company","Irvine","California","INSD","BSF","0","Mount Olympus Mortgage Company has notified customers of a data breach when a previous employees downloaded mortgage applications from their system to their private Internet accounts and then sent it to a competitor. The information included names, addresses, Social Security numbers, and other information in connection with mortgages.","California Attorney General","","2014","33.684567","-117.826505" "July 31, 2014","Recreational Equipment Inc. (REI)","Kent","Washington","HACK","BSR","0","On July 23, REI discovered that a third-party may have accessed REI customer accounts without authorization, obtaining email addresses and passwords. For those affected who have further questions about this incident, please contact them at privacy@rei.com or 1-800-426-4840 Monday through Sunday 4 a.m. to 11 p.m. 
Pacific Time.","California Attorney General","","2014","47.380934","-122.234843" "March 17, 2014","Maryland Department of Health and Mental Hygiene","Baltimore","Maryland","HACK","GOV","14,000","""The Department of Health and Mental Hygiene says hackers hit Service Coordination Incorporated of Frederick, which provides case management services to nearly 14,000 Maryland residents. SCI, in a letter provided to WBAL News, indicates that its computers were hacked between October 20th and October 30th and that access was gained to confidential information. That potentially includes names, social security numbers, medical assistance numbers, and other vital information, some shared with the Maryland Developmental Disabilities Administration"".","PHIPrivacy.net","","2014","39.302006","-76.621278" "July 8, 2014","Park Hill School District","Kansas City","Missouri","INSD","EDU","0","The Park Hill School District has informed current and former Park Hill students and employees of a data breach to their system. A former employee downloaded files onto a hard drive without authorization. When the employee connected it to a home network, the files went onto the Internet. The information leaked included personnel files and Social Security numbers.","Media","","2014","39.099727","-94.578567" "July 17, 2014","Freshology","Burbank","California","HACK","BSR","0","On July 1, 2014 Freshology was performing a routine review of its Internet website and discovered unauthorized code. This code may have compromised billing names, addresses and credit/debit card information of customers. ","New Hampshire Attorney General","","2014","34.180839","-118.308966" "August 5, 2014","Vibram","Concord","Massachusetts","HACK","BSR","0","Vibram USA Inc had notified customers of a data breach in their online ordering system. 
The company contracts with a third party web hosting provider vibramfivefinger.com whose systems were compromised when an unauthorized party accessed their system that manages online transactions and inserted malicious code. The information that may have been compromised included credit card numbers. The company has set up credit monitoring services through Experian. Those affected can call 1-877-371-7902.","California Attorney General","","2014","42.460372","-71.348948" "August 7, 2014","University California Santa Barbara","Santa Barbara","California","HACK","EDU","0","The University California Santa Barbara has given notice of unauthorized access to some archival payroll data that included names, social security numbers and direct deposit banking information. The University has contracted with ID Experts to provide free credit monitoring service, and insurance for identity theft restoration. If you need assistance enrolling or have additional questions, the University is requesting individuals call the UCSB / ID Experts team at 1-877-919-9184, between the hours of 6:00 am and 6:00 pm Pacific Time.","California Attorney General","","2014","34.420831","-119.698190" "August 5, 2014","Russian hacking discovered by Hold Security","Unknown","Wisconsin","HACK","BSO","1,000,000,000","""A gang of Russian hackers has amassed over 1 billion username and password combinations and more than 500 million email addresses, a security firm reported late Tuesday, calling it the largest-ever haul of stolen Internet credentials. The massive trove — stolen from hundreds of thousands of websites — was discovered by the Milwaukee firm Hold Security, according to a post on its website"". According to reports by Hold Security, it took over seven months to identify the gang, ""whom the firm dubbed CyberVor, or cyber-thief in Russian"". It appears that no payment card information or Social Security numbers were threatened. PRC will provide updates as the story unfolds. 
*note: state location provided is that of Hold Security LLC.","Media","","2014","41.899183","-87.946671" "August 7, 2014","Anderson & Murison","Los Angeles","California","DISC","BSF","0","Anderson & Murison, a wholesale insurance broker, notified individuals of a data breach when individual retail insurance agents applied for personal umbrella insurance policies for their customers via Anderson & Murison's online umbrella rating system. When the retail agents requested an estimate through this online system, specific information regarding their customers was necessary to obtain the quote/estimate. Information such as first and last names, addresses, policy dates, policy numbers, premium costs, policy amounts, types of policies, dates of birth, all real estate owned and addresses, types of automobiles, other motorized equipment such as watercraft, occupations of both individuals and spouses, employer names and addresses, general information such as traffic violations, etc. The company is offering identity theft protection through Kroll for one year at no cost. Those affected can call 1-844-263-8605.","California Attorney General","","2014","34.140291","-118.183068" "August 7, 2014","San Mateo Medical Center","San Mateo","California","INSD","MED","0","San Mateo Medical Center (SMMC) notified individuals of a potential data breach when the facility discovered that an employee who was hired in the payroll unit of the facility failed to disclose a prior conviction for identity theft. The employee was terminated immediately, but the individual had access to SMMC employee information including names, contact information, Social Security numbers and dates of birth. The facility reported that they found ""no evidence indicating that the employee misused confidential information from SMMC employee records"". SMMC has engaged Kroll to provide identity theft protection for one year at no cost. For those affected they can contact the county at 1-844-530-4127 from 6:00 a.m. 
to 3:00 p.m. PDT.","California Attorney General","","2014","37.531268","-122.299298" "August 12, 2014","Freedom Management Group, LLC dba The Natural","Hauppauge","New York","HACK","BSR","0","The Natural, an online store, notified customers of a data breach to their system when an unauthorized party accessed customer payment card data. The unauthorized access occurred from 4/22/2014 to 7/17/2014. The information accessed included customer credit and debit card numbers, expiration dates, names, addresses, and phone numbers, account numbers, and passwords. The company has recommended that those affected change their online passwords to their online account. The company is offering AllClear ID at no cost for 12 months. For those affected they may contact the AllClear ID team at 1-877-615-3771.","California Attorney General","","2014","40.809529","-73.258768" "August 18, 2014","MeetMe, Inc.","New Hope","Pennsylvania","HACK","BSO","0","MeetMe, Inc. has announced a data breach of their system when hackers gained access to their customer information. The information included names, email addresses, and passwords. The company reported that they have contacted their customers to change their usernames and passwords.","California Attorney General","","2014","40.364273","-74.951279" "August 20, 2014","The UPS Store","Atlanta","Georgia","HACK","BSR","0","The UPS Store, Inc has notified customers of a data breach when they discovered malware in their systems targeting UPS retailers. UPS retained a security firm to review their systems and found malware at 51 locations in 24 states. UPS has a total of 4,470 franchised center locations within the US. The company announced that both credit and debit card purchases were impacted at the franchised locations from January 20, 2014 through August 11, 2014. The company has since removed the malware from their system. 
The company put out the following information: ""For those affected with questions, please call us at 1-855-731-6016."" For more information http://oag.ca.gov/system/files/California%20Distribution_0.pdf?","California Attorney General","","2014","33.748995","-84.387982" "October 3, 2013","Comcast Phone","Bay Area","California","UNKN","BSO","74,000","The California Public Utilities Commission launched an investigation into the unauthorized disclosure and publication of Comcast subscribers' unlisted names, telephone numbers and addresses to determine whether Comcast violated the laws, rules, and regulations of California. UPDATE (8/25/2014): An evidentiary hearing has been scheduled in this case for September 2014 to investigate whether or not Comcast broke the law.","Government Agency","","2013","37.827178","-122.291308" "August 15, 2014","Albertsons/AB Acquisitions LLC","Boise","Idaho","HACK","BSO","0","The Albertsons grocery chain in Southern California announced a data breach when hackers attempted to obtain customer credit and debit card information from its approximately 180 Southern California stores, as well as stores in several other states. AB Acquisition LLC which operates Albertson stores, ACME Markets, Jewel-Osco, Shaw’s and Star Markets all under New Albertson’s, Inc. confirmed that the data breach started as early as June 22, 2014 and ended July 17, 2014. ""Albertson stores in Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and southern Utah were also affected. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all impacted by this incident"". The company is offering customers who may have been affected by the breach a year of complimentary identity-protection services. 
For more information, customers can call (877) 932-7948 or visit Albertsons' website. More Information: http://www.latimes.com/business/la-fi-breach-alberstons-20140815-story.html","Media","","2014","43.618710","-116.214607" "August 15, 2014","Supervalue","Eden Prairie","Minnesota","HACK","BSO","0","Supervalu, which operates 3,763 outlets, both corporate and franchised stores, has reported a data breach in their point-of-sale system which affected some of its retail food stores, along with several of its stand-alone liquor stores. The information compromised includes account numbers and other information on customer payment cards used at the point-of-sale systems. The data breach occurred from June 22, 2014 through July 17, 2014 according to a company spokesperson. The retail grocery chain has notified authorities and the breach is currently under investigation. More Information: http://www.cnbc.com/id/101922584#","Media","","2014","44.874768","-93.410996" "August 22, 2014","ManagedMed Inc (A Psychological Corporation)","Los Angeles","California","DISC","MED","0","ManagedMed Inc. (A Psychological Corporation) notified patients and the Attorney General's office of a data breach of their patient scheduling system. According to the facility, patient scheduling information was viewed via an unsecured webpage by at least two non-ManagedMed individuals. This information was visible from March, 2013 through May 15, 2014. The breach allowed unauthorized persons to access the facility's calendaring system and view the information. This information included patient scheduling information, patient names, telephone numbers, names of providers, notes on the patient which could have included information on the type of visit scheduled or medication/test scheduled for the patient, and dates of appointments. According to the facility, no SSNs, credit card or medical records information were exposed. 
","California Attorney General","","2014","34.052234","-118.243685" "August 25, 2014","BioReference Laboratories, Inc./CareEvolve, Inc.","Ann Arbor","Michigan","DISC","MED","3,334","CareEvolve Inc, a subsidiary of BioReference Laboratories, Inc. have notified patients of a data breach to their system that may have inadvertently exposed personal information of patients. CareEvolve, Inc. was reconfiguring a test server and accidentally exposed the server, making it accessible via the Internet. This particular server included patient names, home addresses, telephone numbers, ages, patient/medical record numbers, clinical tests, collection dates, dates of birth and Social Security numbers (196 SSN's exposed according to CareEvolve Inc). Automated search engine data mining applications did access this information starting on February 2, 2014 and ended when the breach was discovered on March 19, 2014. For those that may have been affected can call 1-800-229-52271-800-229-5227 ext. 8433 or email compliancedepartment@bioreference.com.CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype","PHIPrivacy.net","","2014","42.283766","-83.751185" "August 26, 2014","Milpitas Knights PAL Youth Football","Milpitas","California","PHYS","BSO","80","Parents of 80 youth football players were notified of a data breach, when a bag of registration materials required by the league were stolen from the back seat of a volunteers car.The information included original birth certificates and physical forms. The league did not comment on what information was entered on the physical form.  More Information: http://www.mercurynews.com/sports/ci_26375263/milpitas-youth-football-pl... 
","Media","","2014","37.432334","-121.899574" "August 26, 2014","The Hand Care Center/Shoulder and Elbow Institute","Orange.","California","PHYS","MED","10,000","The Hand Care Center/Shoulder and Elbow Institute in Orange California notified patients of data breach when they were notified by Iron Mountain Record Management, a facility where the medical practice stores old files, that 25 boxes of X-rays were stolen by two employees of the storage company.  The employees sold the X-rays to a recycler who melted them down to recover the silver.  The information in the X-ray files included patient names, dates of birth, gender, treating physician, medical record numbers and the image on the X-ray itself.For those possibly affected, they can call the center at 1-877-615-3762. The center is reporting that any X-rays taken after 2002 were most likely not affected.   ","PHIPrivacy.net","","2014","33.787914","-117.853101" "August 26, 2014","Long Beach Internal Medical Group","Long Beach","California","PHYS","MED","0","The Long Beach Internal Medical Group, Inc. in Long Beach California notified patients of data breach when they were notified by Iron Mountain Record Management, a facility where the medical practice stores old files, that boxes of records were stolen by two employees of the storage company.  Reportedly the employees sold X-rays files to a recycler who melted them down to recover the silver.  The information in the files stored by the medical practice included names, sex, addresses, dates of birth, telephone numbers, account numbers, office charges, insurance information, diagnosis information, Social Security numbers. 
","PHIPrivacy.net","","2014","33.770050","-118.193740" "August 12, 2014","Orthopaedic Specialty Institute Medical Group","Orange","California","PHYS","MED","49,000","Orthopaedic Specialty Institute Medical Group has reported a data breach when it was discovered that 742 boxes of patient X-rays were stolen from an Iron Mountain Record Management storage facility. After an investigation by the authorities, it was discovered that two Iron Mountain Record Management employees stole the files and melted them down for the silver. The information in the records, which are 10 to 15 years old, could have included patient names, birth dates and medical record numbers. For those who might have been affected they can call the medical group at 1-714-937-4825. More Information: http://www.ocregister.com/articles/medical-631456-rays-group.html","Media","","2014","33.787914","-117.853101" "February 10, 2014","University of Miami Health System","Miami","Florida","PHYS","MED","13,000","The University of Miami Health System (UHealth) notified patients of a data breach when an offsite storage vendor communicated that the records could not be located. The Health System, which is one of the largest health providers in Southern Florida, discovered the breach on June 27, 2013. They have just recently begun notifying patients of the breach. The information in the missing files included patient names, dates of birth, physician names, insurance company names, medical record names, facility visited, procedures, diagnostic codes, and Social Security numbers. 
More Information: http://blogs.miaminewtimes.com/riptide/2014/02/security_breach_at_jackso... UPDATE (8/26/2014): The University of Miami Health System has agreed to a class-action settlement for the data breach that occurred in 2013 when records went missing from an offsite storage facility the medical system used. Under the settlement agreement, UHealth will be required to conduct various risk assessments, remediate any identified problems, and ensure vendors have adequate security controls in place. The agreement states that the university will pay $100,000 in individual claims, $90,000 in attorneys’ fees, and $1,500 to the named plaintiff that initiated the lawsuit. Both parties have asked the federal district court to approve the recently-filed proposed settlement agreement. http://www.phiprivacy.net/wp-content/uploads/Carsten_proposedsettlement.pdf","Media","","2014","25.761680","-80.191790" "August 18, 2014","Community Health Systems","Franklin","Tennessee","HACK","MED","4,500,000","Community Health Systems out of Franklin, Tennessee has announced a large data breach of their medical system. The breach occurred when hackers infiltrated the server of the health system compromising Social Security numbers, names and addresses for 4.5 million patients. Authorities believe that the hackers were based out of China and the attacks happened from April 2014 through June 2014. The company operates 206 hospitals in 29 states and is currently doing further investigations regarding the attack. More Information: http://bits.blogs.nytimes.com/2014/08/18/hack-of-community-health-system... UPDATE (8/26/2014): Five Alabama residents have filed a class-action lawsuit against Community Health Systems following last week's announcement of the data breach of 4.5 million patients. 
","Media","","2014","35.925064","-86.868890" "August 26, 2014","Geekface LLC","Pawcatuck","Connecticut","HACK","NGO","0","Geekface LLC, which runs the online sites Hatchwise.com and eLogoContest.com notified customers of a data breach to their server that compromised personal information.The information breached included names, addresses, birth dates, usernames, passwords, and Social Security numbers.For those with questions or needing further assistance they can call 1-800-303-09111-800-303-0911 between 10:00 a.m and 5:00 p.m. EST Monday through Friday or visit hatchwise.com.CallSend SMSAdd to SkypeYou'll need Skype CreditFree via Skype","California Attorney General","","2014","41.377322","-71.833680" "August 26, 2014","Imhoff & Associates, PC","Los Angeles","California","PORT","BSO","0","Imhoff and Associates, a criminal defense lawfirm notified clients of a data breach when a backup hard drive was stolen from a locked trunk of an employee's vehicle.The personal information contained on the backup hard drive may have included names, birth dates Social Security numbers, driver's license numbers, addresses, emails and phone numbers.The firm is offering those affected 12 months of AllClear ID at no cost. Those individuals with questions can call 1-877-615-3769 to reach an AllClear ID representative, Monday through Saturday 8:00 a.m to 8:00 p.m Central Standard Time.. ","California Attorney General","","2014","34.052234","-118.243685" "July 29, 2014","Northern Trust Company","Chicago ","Illinois","DISC","BSO","0","The Northern Trust Company communicated a data breach to customers that involved their personal information. Northern Trust Company ""provides or previously provided payment services for an employee benefits plan or program in which you participate or participated through. In that capacity, Northern Trust is responsible for maintaining certain personal information about you as a participant of that plan. 
Regrettably, we are writing to inform you about an inadvertent disclosure by Northern Trust of some of that information"". ""As part of normal procedures, Northern Trust sends participant information to record-keeping companies that assist in administering those benefit plans and programs. In late May, a Northern Trust employee transmitted a file containing your information to one of our record-keeping companies that was not responsible for the plan in which you participate (d). The information included your name, address, Social Security number, and benefits plan or program account number, as well as other information about your benefits plan or program account, such as your payment /deduction amounts and, in some situations, bank routing and account numbers used for direct deposits"".","California Attorney General","","2014","41.881019","-87.632895" "June 4, 2014","Midwest Urological Group","Peoria","Illinois","PORT","MED","0","Midwest Urological Group notified patients of a data breach when a laptop was reported stolen; an employee may have inadvertently forgotten to lock the cabinet that housed the laptop. According to authorities, the laptop contained patient information that included treatment information on the patients at the facility. No specific details were released as to the type of information involved. More Information: http://www.pjstar.com/article/20140604/NEWS/140609564/10924/NEWS","Media","","2014","40.693649","-89.588986" "August 29, 2014","Memorial Hermann Hospital","Houston","Texas","INSD","MED","10,604","Memorial Hermann Hospital is notifying patients of a data breach when they discovered a former employee accessed medical records of more than 10,000 patients. Reportedly the former employee had been accessing patient information for over seven years, December 2007 through July 2014, that was outside their normal job description. 
The information breached included patients' medical records, health insurance information, Social Security numbers, names, addresses and dates of birth. More Information: http://www.click2houston.com/news/memorial-hermann-hospital-employee-acc...","Media","","2014","29.760427","-95.369803" "August 29, 2014","AltaMed Health Services","Los Angeles","California","INSD","MED","2,995","AltaMed Health has notified patients of a data breach when a temporary employee and other individuals were reported to be under investigation for an identity theft scheme, according to Arcadia law enforcement agents. No arrests have been made currently, but the investigation is continuing. ""Law enforcement disclosed it recovered a hard drive and other evidence during its investigation, that this hard drive and evidence may include the organization’s records, and that it believes this information may have been misused by participants in the identity theft ring currently under investigation"". The investigation has shown that this temporary employee accessed electronic and paper records for individuals that attended community events in Orange and Los Angeles counties from October 24, 2013 through June 6, 2014. The temporary employee was hired to help with patient enrollment. The records this person had access to included names, email addresses, telephone numbers, Social Security numbers, provider information, insurance information, dates of birth, and addresses. AltaMed is offering AllClear ID and AllClear ID Pro for those individuals affected. You can find information regarding these services by calling (877) 579-2263. More Information: https://oag.ca.gov/system/files/AltaMed%20Individual%20Notice%20Template...","California Attorney General","","2014","34.052234","-118.243685" "August 29, 2014","Beachwood-Lakewood Plastic Surgery","Beachwood","Ohio","PORT","MED","6,141","Beachwood-Lakewood Plastic Surgery and Dr. Stevem A. 
Golman, notified patients of a data breach when their office in the Parkway Medical complex was burglarized. The thieves stole computer hardware that included patient information that included names and limited medical information. The medical practice is offering you one year of credit monitoring at no cost. This service is provided by All Clear ID. If you have any questions or would like to enroll in the credit monitoring service, call 1-877-615-3745.","PHIPrivacy.net","","2014","41.461743","-81.492892" "September 4, 2014","Healthcare.gov","Washington","District Of Columbia","HACK","GOV","0","Reportedly, Healthcare.gov has suffered a data breach to one of their test systems by hackers. Currently the Obama administration is communicating that no personal information was compromised, but authorities are investigating. According to the administration, ""“our review indicates that the server did not contain consumer personal information, data was not transmitted outside the agency and the website was not specifically targeted,” said Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which runs the website. “We have taken measures to further strengthen security.”"" ""Mr. Albright said the hacking was made possible by several security weaknesses. The test server should not have been connected to the Internet, he said, and it came from the manufacturer with a default password that had not been changed. In addition, he said, the server was not subject to regular security scans as it should have been"". More Information: http://www.nytimes.com/2014/09/05/us/hackers-breach-security-of-healthca...","Media","","2014","38.907192","-77.036871" "September 9, 2014","Beef O'Brady's Restaurants","North Port","Florida","HACK","BSO","0","Beef O'Brady restaurants appear to have been a victim of a data breach to their point of sale system, when unauthorized credit card transactions began appearing on financial statements of customers. 
These transactions were from numerous vendors in Texas, New York, and Massachusetts. The restaurant chain is located in Florida. Reportedly, a minimum of four Florida Beef O'Brady's restaurant locations have been compromised. The information compromised included credit and debit card information. The company is currently working with local law enforcement to further investigate the breach. More Information: http://www.wtsp.com/story/news/local/2014/09/09/potential-data-breach-at...","Media","","2014","27.044224","-82.235925" "September 10, 2014","Bartell Hotels ","San Diego","California","HACK","BSO","55,000","Bartell Hotels, which operates several hotels in San Diego, has announced that they have suffered a data breach of customer credit card information. The Best Western Plus Island Palms Hotel & Marina, The Dana on Mission Bay, Humphreys Half Moon Inn & Suites, Pacific Terrace Hotel and Days Hotel – Hotel Circle had names, credit card numbers and credit card expiration dates of customers who stayed at these hotels between February 16, 2014 and May 13, 2014 breached. The breach could have affected up to 55,000 individuals. For those affected, they can contact a representative at 877-437-4010 Monday through Saturday 8 a.m. to 8 p.m. CT with questions or concerns. More Information: http://www.nbcsandiego.com/news/local/Data-Security-Breach-Reported-at-San-Diego-Hotels-274421341.html#ixzz3CvzjLpSG","Media","","2014","32.726344","-117.223356" "July 14, 2014","Goodwill Industries International Inc.","Rockville","Maryland","HACK","BSR","868,000","Financial institutions are tracking what appears to be fraudulent activity at numerous Goodwill retail stores. The fraudulent activity involves credit card breaches, and the compromise of the credit cards appears to have started at Goodwill stores across the country. The credit card information is then showing up at other retail establishments, similar to the breaches that occurred at Target, Neiman Marcus, P.F. 
Changs, etc. “Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.” Goodwill Industries stated they learned of the potential breach on July 18th and is working with federal investigators to determine if the breach is legitimate and, if legitimate, how many stores were affected. UPDATE (9/10/2014): Goodwill Industries announced that the data breach they suffered is linked to a third party vendor. ""Goodwill said a forensic investigation had found that a third-party vendor's systems had been attacked by malware, providing the attackers with access to the credit card data of several of that vendor's customers intermittently between February 10, 2013 and August 14, 2014"". According to Goodwill, 330 Goodwill stores in 20 states were affected. Forbes reported that 868,000 individuals were affected. More Information: http://www.esecurityplanet.com/network-security/goodwill-data-breach-lin... 
","Krebs On Security","","2014","39.083997","-77.152758" "September 12, 2014","Health and Human Services Agency, Napa","Napa","California","PORT","GOV","0","The Napa Health and Human Services Department, specifically In Home Supportive Services (IHSS) notified patients of a data breach when one of their flash/thumb drives was missing from their offices on Coombs Street. This portable drive contained information specifically related to their Comprehensive Services for Older Adults Division of HHS.The discovery was made of the missing drive when clean-up was happening to their offices after the recent Napa earthquake. The offices have not been occupied since the earthquake. The information on the drive included names, addresses, phone numbers and information regarding patients status in the IHSS program. The agency is reporting that no financial or Social Security information was on the flash/thumb drive.They agency has reported the incident to the police and are treating the missing flash/thumb drive as a burglary. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46595","California Attorney General","","2014","38.298602","-122.286168" "September 5, 2014","California State University, East Bay","Hayward","California","HACK","EDU","0","California State University, East Bay has notified individuals of a data breach that has occurred on August 11, 2014 when the University discovered unauthorized access to individuals information when an overseas IP address appears to have used a software tool designed to access information on a server without being detected. The server targeted contained personal information on various employment record transactions and some extended learning course information. The specific information breached included names, addresses, Social Security Numbers and dates of birth. The University has set up 12 months free of Experian's ProtectMyID for those affected. 
For additional questions or concerns individuals can contact (888) 738-3759, a toll free number specifically set up to deal with questions/concerns regarding this breach. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46513","California Attorney General","","2014","37.657128","-122.056745" "September 5, 2014","Yandy.com","Phoenix","Arizona","HACK","BSR","0","Yandy.com, an online retailer, notified customers of a data breach to their online payment system when the server that processes this information was hacked. The unauthorized user(s) gained payment card information, including the CVV numbers on the back of the cards, expiration dates, names, addresses and email addresses of customers. For those affected with questions, they can call the company at 1-844-236-1015. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46527","California Attorney General","","2014","33.682492","-112.080993" "September 1, 2014","Apple","Cupertino","California","HACK","BSO","0","""A few days ago a group calling themselves hackappcom posted a proof of concept script on the popular code repository called Github that would allow for a user to attempt to breach iCloud and access a user account. This script would query iCloud services via the “Find My iPhone” API to guess username and password combinations. The problem here was that apparently Apple was not limiting the number of queries. This allowed for attackers to have numerous chances to guess password combinations without the fear of being locked out"". The number of celebrity photos or private information breached is still unknown. More Information: http://www.forbes.com/sites/davelewis/2014/09/02/icloud-data-breach-hack...","Media","","2014","37.322998","-122.032182" "January 15, 2012","Zappos.com","Las Vegas","Nevada","HACK","BSR","24,000,000","Customers were informed that their customer account information on Zappos.com may have been illegally accessed by unauthorized parties. 
Customer names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and/or cryptographically scrambled passwords were linked to customer accounts and could have been obtained. The secure database that stores detailed credit card and payment information was not affected by the breach or accessed. Since passwords may have been affected, customers should change their passwords and make sure that their old Zappos.com password is not used for any other sites. UPDATE (1/21/2012): A resident of Texas is suing Zappos.com and Zappos' parent company Amazon.com on behalf of millions of customers who were affected by the release of personal account information. The lawsuit is being filed in Kentucky. UPDATE (9/22/2014): A federal judge has denied a motion by Zappos to dismiss a class action lawsuit for a breach of customer data in 2012. Reportedly, the parties are nearing a settlement. More Information: http://www.courthousenews.com/2014/09/22/71619.htm","Databreaches.net","","2012","36.114646","-115.172816" "September 15, 2014","Tim McCoy & Associates/ dba.NEAT Management Group","Austin","Texas","PORT","BSF","0","Tim McCoy and Associates, also known as NEAT Management Group, informed customers of a data breach when the laptop belonging to one of the company's software engineers was stolen on August 27, 2014. The information on the laptop included names, Social Security Numbers, dates of birth, addresses, phone numbers, employer identification numbers and email addresses. The company is providing a free membership for a year to ProtectMyID. For those who were affected, they can call 1-888-829-6550. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46601","California Attorney General","","2014","30.267153","-97.743061" "August 22, 2014","Cedars-Sinai Medical Center, Los Angeles","Los Angeles","California","PORT","MED","33,136","Cedars-Sinai Medical Center in Los Angeles, California has reported a data breach of at least 500 patients at the facility when an employee's laptop computer was stolen from their home during a burglary in June 2014. The laptop was password protected. The records on the laptop included specific patient data such as lab testing, treatment and diagnosis, Social Security numbers and other personal information. More Information: http://www.latimes.com/business/la-fi-cedars-breach-20140823-story.html UPDATE (10/3/2014): The laptop stolen from the employee contained many more files than the hospital originally reported. When the breach was made public, Cedars-Sinai hospital reported that 500 patient files were on the stolen laptop. After an investigation, the laptop actually contained personal information on 33,136 patients. More Information: http://www.latimes.com/business/la-fi-cedars-data-breach-20141002-story....","Media","","2014","34.052234","-118.243685" "September 22, 2014","Viator Inc","San Francisco","California","HACK","BSO","0","Viator Inc was notified of a data breach by their credit card service provider when they had received numerous complaints of erroneous charges to accounts. Their investigation led to seeing fraudulent charges to Viator customers via their online payment processing system. The breach includes the compromise of customer credit card and debit card data, card expirations, names, billing addresses, email addresses and Viator ""nicknames"". The company is offering 12 months of credit monitoring services at no cost. For those affected they can call 1-888-680-0710 to speak with someone. 
The company is also asking customers to go into their accounts and change their passwords. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46657","California Attorney General","","2014","37.771704","-122.402634" "September 25, 2014","Pacific BioSciences of California Inc.","Menlo Park","California","PORT","BSO","0","Pacific BioSciences of California Inc. has notified patients of a data breach when an employee laptop was stolen from their home that contained some of their personal information.The information included names, birthdates, and Social Security numbers.The company has arranged credit monitoring services through AllClearID for one year at no charge. For those affected they can call 1-866-979-2595. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46702","California Attorney General","","2014","37.478576","-122.150825" "September 26, 2014","BayBio","San Francisco","California","HACK","NGO","0","BayBio.org has notified individuals of a data breach to their online payment system. The non-profit organization has notified that the hacking to their payment system compromised credit card numbers in process.The hacker inserted files that captured keystrokes of visitors to their site which included credit card numbers when individuals were either paying for a membership or an event being held by the non-profit. Payments are being taken by phone until the breach has been repaired. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46727 ","California Attorney General","","2014","37.652912","-122.396383" "September 29, 2014","Albertson's LLC (AB Acquisition LLC)","Spokane ","Washington","HACK","BSR","0","AB Acquisition LLC announced the discovery of a separate criminal investigation involving payment cards of customers who shopped at Albertsons stores, ACME Markets, Jewel-Osco, Shaw's and Star Markets. 
The company has discovered that a different malware was used in some of the stores than what was discovered in the recent data breach incident on August 2014. This breach is more recent than the August breach and appears to have happened at the end of August, beginning of September 2014. This newer breach reportedly captured account numbers, expiration dates, other numerical information and/or cardholder names. The company has different point of sale systems at the different locations. Reportedly Albertson stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and their two Super Saver Food Stores in Northern Utah were not affected. Those stores that were affected includes Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey were affected, along with Jewel-Osco stores in Iowa, Illinois and Indiana and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.The timeframes of the breach are August 27, 2014 through September 21, 2014. The company is offering free credit monitoring for one year  with AllClearID at no cost to those who were affected. For questions, call 1-855-865-4449.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46749","California Attorney General","","2014","47.656897","-117.420752" "October 1, 2014","Flinn Scientific, Inc.","Batvia","Illinois","HACK","BSR","0","Flinn Scientific, an ecommerce site focused on scientific materials for teachers and students, notified customers of a data breach to their online payment system when a cyber attacker inserted malware to gain access to the server that hosts payment information. 
The information breached includes payment card numbers, card verification codes, expiration dates, names, addresses, and email addresses.The company has set up credit monitoring with AllClearID for 12 months for those individuals affected by the breach. For questions individuals can call 1-866-979-2595 to get credit monitoring started.More Information:http://oag.ca.gov/ecrime/databreach/reports/sb24-46816","California Attorney General","","2014","41.850028","-88.312574" "July 17, 2014","Bank of America","Baltimore","Maryland","DISC","BSF","0","Aon Hewitt, a human resources benefits service provider for Bank of America, was made aware that a vendor's former employee (Hexaware) sent a copy of certain files and inadvertently uploaded them to an FTP site. The file contained names and Social Security numbers.  ","Maryland Attorney General","","2014","39.291270","-76.614337" "July 15, 2014","Bank of The West","San Francisco","California","HACK","BSF","0","Bank of The West notified customers of an email scam that involved two employees' remote bank email login credentials being compromised. As a result of this unauthorized access, customer information could be at risk. The information includes names, account numbers, loan numbers, Social Security numbers. The bank is offering one year free of First Watch ID for those affected. For those with questions regarding the service they can call 1-866-310-7373 or 1-800-488-2265. ","California Attorney General","","2014","37.790773","-122.401906" "August 27, 2014","Dairy Queen","Edina","Minnesota","HACK","BSR","0","Dairy Queen has reported a data breach of their POS (Point of Sale) system when malware authorities are calling ""Backoff"" was found on the system. This same malware authorities are attributing to the Target and Supervalu Inc. data breaches.  Currently the restaurant chain is unclear as to how many stores were affected.  
Dairy Queen operates 6,300 restaurants across the US, many of which are franchisees that are not required to report fraud to Dairy Queen's headquarters. Currently Dairy Queen is working with authorities to uncover the specifics. More Information: http://bringmethenews.com/2014/08/27/dairy-queen-confirms-potential-brea... UPDATE (9/10/2014): Dairy Queen has announced that several of its stores will go to a ""cash only"" model in light of the current data breach the fast food restaurant chain suffered. The company stated that only a small portion of its 4,500 stores were affected, but they would not say how many or which restaurants will be going to a cash only system. More Information: http://minnesota.cbslocal.com/2014/09/03/dairy-queen-taking-security-ste... UPDATE (10/10/2014): On Thursday, Dairy Queen confirmed that 400 stores and one Orange Julius location were compromised as a result of the point of sale malware first reported back in August. The investigation also confirmed that the hackers used compromised credentials of a third party vendor to infiltrate Dairy Queen's POS system. More Information: http://www.dairyqueen.com/us-en/datasecurityincident/affected-stores/?lo...","Media","","2014","44.889687","-93.349949" "June 10, 2014","AT&T Mobility, LLC","Des Peres","Missouri","INSD","BSR","0","AT&T has informed California regulators of a data breach that occurred with a third party service provider. ""Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,"" the company said in a letter to affected customers. ""AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market."" Personal information such as Social Security numbers and phone records were accessed. 
The incident took place between April 9th through April 21st, but the California regulators were just informed this week. AT&T would not disclose how many customers were affected, but the law requires disclosure if more than 500 people have been affected. ","California Attorney General","","2014","38.603387","-90.461726" "October 6, 2014","AT&T","Dallas","Texas","INSD","BSR","1,600","AT&T is at the center of another data breach to their system, this time, by an internal employee. AT&T has announced that one of its staff members accessed account information of customers, which included Social Security Numbers, drivers license numbers, unique customer numbers, known as Customer Proprietary Network Information (CPNI), which includes information such as times, dates, durations and destination numbers of every call made. No specific numbers have yet been released.More Information: http://www.zdnet.com/at-and-t-hit-by-insider-data-breach-unspecified-num...UPDATE (10/7/2014): The Vermont Attorney General posted that 1,600 letters went out to customers regarding the recently announced data breach that happened in August of 2014 by an employee of AT&T. The employee has since been fired and the breach is still under investigation.More Information:http://www.reuters.com/article/2014/10/07/us-at-t-cybersecurity-idUSKCN0...","Media","","2014","32.779561","-96.798889" "October 9, 2014","Evolution Nature Corp. dba The Evolution Store","Manhattan","New York","HACK","BSR","0","Evolution Nature Corp., dba The Evolution Store contacted customers regarding a data breach to their online stores affecting customer credit card information.The company received a complaint of credit card fraud from a customer and launched an investigation by a data forensics expert. 
The investigation revealed that the administrative portion of the Evolution e-commerce site was accessed by an unauthorized third party that was using administrative credentials, exposing customer order information. The information exposed included names, email addresses, phone numbers, billing addresses, shipping addresses, order information, and credit/debit card information, including the CVV numbers on the backs of the cards. For those affected, the company is offering AllClear Secure for 12 months at no cost. For those with questions, call 1-877-322-8228. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46935","California Attorney General","","2014","40.783060","-73.971249" "October 1, 2014","Provo City School District","Provo","Utah","HACK","EDU","1,400","The Provo City School District notified employees of a ""phishing"" attack Monday September 29, 2014 which allowed access to employees' email accounts. Some employee email accounts contained files that may have had personally identifiable information. Currently the school district is investigating the breach and notifying those affected. More Information: http://fox13now.com/2014/10/01/provo-city-school-district-warning-employ...","Media","","2014","40.233844","-111.658534" "October 1, 2014","Fort Hays State University","Hays","Kansas","DISC","EDU","138","Fort Hays State University has notified 138 of its graduates that their personal information may have been compromised when personal information was ""accidentally"" exposed on the Internet. The information exposed included Social Security Numbers and various other pieces of personal information. The university stopped storing Social Security Numbers of students five years ago; however, for anyone who attended the university prior to 5 years ago, their SSN information is still part of the university database. 
More Information: http://ksn.com/2014/10/01/fort-hays-state-university-experiences-data-br...","Media","","2014","38.879178","-99.326770" "September 29, 2014","American Family Care","Birmingham","Alabama","PORT","MED","0","""American Family Care of Birmingham is alerting customers following the theft of two laptops containing sensitive information from an employee’s vehicle earlier this summer"". The information on the laptops contained personal information of patients specifically related to work injuries, physicals, immunizations and drug screens. The laptop also included the names, dates of birth, addresses, phone numbers, medical record numbers, Social Security Numbers, additional medical information, insurance information, driver's license numbers and dates of service. Those with questions concerning the incident can call (800) 258-7535 extension 2588 or e-mail ComplianceOfficer@americanfamilycare.com. More Information: http://www.phiprivacy.net/american-family-care-alerts-customers-of-stole... and http://www.bizjournals.com/birmingham/morning_call/2014/09/american-fami...","PHIPrivacy.net","","2014","33.520661","-86.802490" "September 29, 2014","Texas Wellness Incentives and Navigation (WIN) Project- University of Florida and Texas Health and Human Services Commission","Gainesville","Florida","DISC","MED","0","The University of Florida and Texas Health and Human Services Commission (HHSC), which run a cooperative project called the Texas Wellness Incentives and Navigation (WIN) Project for Medicaid patients, notified patients of a data breach. The University of Florida, acting as a partner of HHSC, sent letters to Houston area physicians requesting health records. Unfortunately, due to a database merging error, some of those health record requests were sent to the wrong physicians. 
The information shared with the incorrect physician included names, Medicaid STAR+PLUS identification numbers, and dates of birth. Those affected with questions can call 1-866-876-HIPA (4472). More Information: http://www.phiprivacy.net/university-of-florida-and-texas-hhsc-notify-te... and http://privacy.ufl.edu/wp-content/uploads/2014/09/Brch-letr-ICHP-KCase-P...","PHIPrivacy.net","","2014","29.651634","-82.324826" "October 7, 2014","Municipal Bond Insurance Association (MBIA)","Purchase","New York","DISC","BSF","0","Brian Krebs of Krebs On Security notified MBIA of a breach that exposed numerous customer account numbers, balances and various other sensitive data due to a misconfiguration on a company Web server. ""Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search."" MBIA is one of the largest bond insurers and offers municipal bond insurance and investment management products and services to companies such as Aetna and Fireman's Fund. The company has since shut this website down and is currently investigating. No information is available as to the number of individuals that may have been affected by the breach. More Information: http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-in...","Krebs On Security","","2014","41.040014","-73.714448" "October 2, 2014","Community Technology Alliance","San Jose","California","PORT","NGO","0","Community Technology Alliance (CTA) is notifying individuals of a potential compromise of their personal information, when an employee's laptop was stolen on July 28, 2014. CTA is a non-profit organization that administers the Bay Area Homeless Management Information Systems (HMIS) and helps hundreds of partner agencies. 
The information in HMIS can include names and Social Security Numbers, and various other pieces of personal information. If services were being received from an HMIS Partner Agency in Santa Cruz California, those individuals are the ones at risk. The partner agencies include the following: Community Action Board, Families in Transition, Homeless Services Center, Salvation Army of Watsonville, Pajaro Valley Shelter Services, Housing Authority of the County of Santa Cruz, Encompass, Front Street Housing, Inc., Mountain Community Resource Center, Catholic Charities, Veterans Resource Center, Santa Cruz County Office of Education, Santa Cruz County Health and Human Services Agency, Housing Services Center, Pajaro Rescue Mission, and New Life Community Services. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46834","California Attorney General","","2014","37.336594","-121.919007" "October 13, 2014","Snapsaved.com","","California","HACK","BSO","200,000","Snapsaved.com, a third party vendor to Snapchat, announced that their servers were hacked, which in turn caused thousands of photos and videos from the third party service to show up on the Internet.""On Sunday, thousands of photos and videos from the Snapchat service were put online, apparently taken from sites including Snapsaved.com, which had allowed people to log in using their Snapchat username and password to offer desktop-based rather than handset-based access to the site - and also the chance to store photos, which are meant to be deleted within seconds of being viewed.""Snapsaved posted on Facebook the following:""I would like to inform the public that snapsaved.com was hacked” due to a mistake in the setup of its web server. “As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it,” the unsigned statement continues. 
“As far as we can tell, the breach has effected [sic] 500MB of images, and 0 personal information from the database.” More Information: http://www.theguardian.com/technology/2014/oct/13/third-party-snapchat-s...","Media","http://www.businessinsider.com/snapsaved-admits-it-was-source-of-leaked-snapchat-photos-2014-10?r=UK&IR=T","2014","40.760537","-73.978890" "October 10, 2014","Sears Holding Company/K-Mart","Hoffman Estates","Illinois","HACK","BSR","0","Sears Holding Corp announced Friday that a data breach occurred at their K-Mart stores starting last month, with malicious software targeting their Point of Sale systems that compromised customers' credit card information. Currently, Sears Holding Corp is not clear as to the number of affected customer cards and the breach is currently under investigation. K-Mart has said that they were able to remove the malware from their systems. K-Mart is currently working with federal investigators. For those with questions, they are asked to call K-Mart's Customer Care Center at 1-888-488-5978. More Information: http://abcnews.go.com/Business/wireStory/kmart-latest-victim-data-breach...","Media","","2014","42.077243","-88.215203" "June 26, 2014","Salina Family Healthcare Center","Salina","Kansas","DISC","MED","500","""Salina Family Healthcare Center (SFHC) notified more than 500 patients of an unintentional transmission of unsecured personal patient protected health information after discovering the following event: ""On April 8, 2014, a staff member submitted a database to the National Commission for Quality Assurance (NCQA) for our involvement in a care coordination research study. The staff member responsible for our participation in the project inadvertently left a table in that database that included patients’ names, dates of birth, chart numbers and CPT codes associated with their care. 
Upon opening the email, the NCQA staff member who received the database immediately recognized the breach, deleted the database, and notified our staff member"""".","PHIPrivacy.net","","2014","38.828341","-97.600796" "October 10, 2014","Sausalito Yacht Club","Sausalito","California","HACK","BSO","0","The Sausalito Yacht Club notified its members of a data breach to their online member roster. The information on the roster included member names linked to private Sausalito Yacht Club member numbers. These two pieces of information together allows for the charging of beverages, goods, services and meals at the club. Additionally, members personal contact information, financial information, including accounts receivable information could have been obtained. Currently, the breach is under investigation and depending upon what is found, the club may issue new cards and account numbers. For those affected with questions they may call General Manager, Dave Martel at 1-415-332-7400 or by e-mail at gm@sausalitoyachtclub.org.","California Attorney General","","2014","37.857401","-122.480138" "October 13, 2014","University of California Davis Medical Center","Sacramento","California","HACK","MED","0","The University California Davis Medical Center discovered abnormal activity in the email account of one of their providers. An investigation determined that the provider's email was compromised by an unknown source. As a result, an unauthorized use and access to their system giving them access to communication between the provider and the patients. 
For additional questions regarding the incident contact 1-916-734-8808 or email privacyprogram@ucdmc.ucdavis.edu. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46960","California Attorney General","","2014","38.554761","-121.456308" "October 14, 2014","Cyberswim.com","Pen Argyl","Pennsylvania","HACK","BSR","0","Cyberswim.com notified customers of a data breach to their online ecommerce store and the discovery of customers' personal information being breached. On September 24, 2014 the company confirmed that an unauthorized individual(s) or entities installed malware on the server hosting their website. This malware was able to access personal information entered by customers when completing a purchase on the site. Information breached includes names, addresses, website usernames and passwords, payment card account numbers, card expiration dates, and payment card security codes. The breach affected purchases made between May 12, 2014 and August 28, 2014. For those with questions call 1-844-286-4855 between 9:00 a.m. and 5:00 p.m. Eastern time, Monday through Friday (excluding holidays). More Information: oag.ca.gov/ecrime/databreach/reports/sb24-46986","California Attorney General","","2014","40.865686","-75.260081" "October 23, 2014","Reeves International Inc/ Breyer Horses","Pequannock","New Jersey","HACK","BSR","0","Reeves International Inc. is informing customers of a data breach of one of their online retail sites called Breyer Horses (www.breyerhorses.com). On September 9, 2014 the company discovered an unauthorized party installed malware on the server hosting the Breyer Horse website; the malware compromised customers' personal data. The dates of the attack were from March 31, 2013 through October 6, 2014. The information compromised includes names, addresses, website usernames and passwords, payment card account numbers, card expiration dates, and payment card security codes. 
For anyone affected or those with questions call 1-877-572-0628 twenty-four hours a day Monday through Sunday (excluding holidays). More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47096","California Attorney General","","2014","40.941631","-74.283856" "October 17, 2014","Sourcebooks Inc.","Naperville","Illinois","HACK","BSR","0","Sourcebooks Inc. has informed customers of a breach of their shopping cart software that supports several of their websites. The breach dates were from April 16, 2014 and June 19, 2014. An unauthorized party gained access to specific customer purchase information. The information breached includes first names, last names, email addresses, phone numbers, addresses, account passwords, credit card numbers, expiration dates of credit cards, cardholder names and card verification values. The company is conducting an investigation including a forensic audit to determine the full extent of the breach. For those with questions or concerns call 1-844-810-1155 between 8:30 a.m. and 5:30 p.m. Central Standard Time or go to http://www.sourcebooks.com/cardfaq. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47029","California Attorney General","","2014","41.792879","-88.201676" "October 23, 2014","American Soccer Inc./SCORE","Wilmington","California","HACK","BSR","0","On October 21, 2014 SCORE discovered an unauthorized access to their server that processes customer payment information. According to the company on September 4, 2014 unauthorized access to their website compromised personal information of individuals who completed a transaction. The information includes names, payment card account numbers, expiration dates of cards, SCORE account numbers. Those who were affected conducted a transaction between June 1, 2014 and September 4, 2014. 
There was no evidence of customer addresses or security codes being compromised after an investigation was conducted. For those with questions or concerns call 1-800-626-7774. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-46986","California Attorney General","","2014","33.779802","-118.253559" "October 10, 2014","Oregon Employment Department/WorkSource Oregon","Portland","Oregon","HACK","GOV","850,000","The Oregon Employment Department, specifically WorkSource Oregon, discovered a data breach of a database that contained personal information of individuals searching for jobs when an anonymous tip came in alerting officials of the breach. Social Security numbers of more than 850,000 individuals were compromised in the breach. Officials shut down the website and were investigating the breach. More Information: http://www.oregonlive.com/money/index.ssf/2014/10/security_breach_discov...","Media","","2014","45.523062","-122.676482" "November 3, 2014","Fidelity National Financial","Jacksonville","Florida","HACK","BSF","0","Fidelity National Financial, Inc (FNF) informed customers of a breach to their system due to a targeted phishing attack on certain employees. FNF is the parent company of Ticor Title Company of Oregon, Ticor Title of Nevada, Inc., Lawyers Title Company, and Lawyers Title of Oregon, LLC, which provide title insurance and real estate settlement services in Oregon, Nevada, and/or California. From April 14, 2014 and April 16, 2014 a certain number of employees were targeted in a phishing attack that allowed the hackers to obtain username and password information for employees of the company. The company hosts their email with a third party vendor and after investigating did not find any evidence that the hackers were able to breach FNF's internal network or systems. 
However, the investigation did reveal that personal information was obtained including Social Security numbers, bank account numbers, credit/debit card numbers and driver's license numbers. The company is offering 12 months free of AllClear ID to those affected. Those affected can call 1-877-676-0374 to reach an AllClear investigator. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47112","California Attorney General","","2014","30.318178","-81.676431" "November 10, 2014","US Postal Service","Washington","District Of Columbia","HACK","GOV","800,000","The US Postal Service is releasing information today that they have been the victim of a cyber attack with Chinese hackers being suspected of hacking into their computer networks compromising the information of over 800,000 employees. Currently the FBI is investigating the breach and it appears that information obtained included names, dates of birth, Social Security numbers, addresses, dates of employment. According to officials, all postal service employees were affected and they are not yet clear why their information was of interest to these hackers. They are not seeing any evidence of customer information being compromised. The investigators are calling the hackers ""sophisticated actors"". More information will be posted as additional information comes out with the investigation. More Information: http://www.washingtonpost.com/blogs/federal-eye/wp/2014/11/10/china-susp...","Media","","2014","38.907192","-77.036871" "November 13, 2014","U.S. 
Weather System","Washington","District Of Columbia","HACK","GOV","0","Officials from the National Oceanic and Atmospheric Administration (NOAA), which includes the National Weather Service, have notified officials of a data breach to the National Weather Service's satellite network. Reports are stating ""hackers from China breached the federal weather network recently, forcing cybersecurity teams to seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses, officials said."" It appears the system was affected in September, but officials did not communicate that there was a problem until late October. NOAA spokesman Scott Smullen did confirm that there were hacks and communicated that ""incident response began immediately"". More Information: http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-sate...","Media","","2014","38.907192","-77.036871" "November 10, 2014","Anthem Blue Cross","Southern and Northern California cities","California","DISC","BSF","0","Anthem Blue Cross in California sent text emails with personal details about individuals' health information and member specific demographic information such as age, language spoken, specific medical test received or not received as part of the text message. The company is reviewing whether or not they have to report this information as part of the specific notification laws in California, which does include the breach of medical history, mental or physical condition, medical treatment or diagnosis by a health care professional. A spokesperson for Blue Cross stated that they are investigating the incident. More Information: http://bits.blogs.nytimes.com/2014/11/10/oops-health-insurer-exposes-mem...","Media","","2014","37.597754","-122.044609" "November 10, 2014","Central Dermatology Center","Chapel Hill","North Carolina","HACK","MED","0","Central Dermatology Center notified patients of a data breach to their system when malware was found on one of their servers. 
The information compromised included patient names, addresses, phone numbers, dates of birth, Social Security Numbers, sex, treatment dates, account balances, email addresses, insurer, providers, employers and race. Currently, the center has hired a forensic IT firm to investigate the breach. They did not provide the number of individuals at risk. More Information: http://healthitsecurity.com/2014/11/10/potential-health-data-breach-hits...","Media","","2014","35.911101","-78.986943" "October 3, 2014","Mount Sinai Beth Israel","New York","New York","PORT","MED","10,790","Mount Sinai Beth Israel announced a data breach when a laptop computer was stolen from a staff room. According to the facility the laptop was password-protected but not encrypted. The patient information housed on the laptop included patient names, dates of birth, medical record numbers, dates of service, procedure codes and description of procedures along with clinical information about patient care received. The facility has stated that patient Social Security numbers, insurance information, addresses and phone numbers were not stored on this particular laptop. More Information: http://www.mountsinaihealth.org/about-the-health-system/news-releases/st...","Media","","2014","40.732649","-73.981616" "November 7, 2014","Jessie Trice Community Health Center","Miami","Florida","HACK","MED","8,000","Jessie Trice Community Health Center announced a data breach when members of an identity theft ring accessed the personal information of 8,000 patients. The information accessed included names, dates of birth and Social Security Numbers. No medical information was compromised according to the facility. 
The FBI and the IRS are currently investigating the breach. More Information: http://www.clinical-innovation.com/topics/privacy-security/identity-thef...","Media","","2014","25.761680","-80.191790" "November 12, 2014","Onsite Health Diagnostics","Dallas","Texas","HACK","MED","60,582","Dallas-based Onsite Health Diagnostics, a third party contractor with the state of Tennessee that completes medical testing and health screenings for various government insurance plans, has suffered a data breach. The company discovered hackers had gained access to a computer system that houses personal information for members of Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance plan. The information affected in the breach included health benefit member names, dates of birth, addresses, emails, phone numbers and gender. More Information: http://www.healthcareitnews.com/news/hackers-swipe-data-60k-vendor-hipaa... ","Media","","2014","32.776664","-96.796988" "November 14, 2014","Seattle Public Schools","Seattle ","Washington","DISC","EDU","8,000","The Seattle Public School District announced, in a letter to parents Thursday, a data breach that involved their children's information. ""Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed."" Over 800 special education students were involved in a breach. The information involved in the breach included their names, addresses, student identification numbers, test scores and disabilities. 
More Information: http://www.king5.com/story/news/local/seattle/2014/11/14/seattle-public-...","Media","","2014","47.606210","-122.332071" "August 22, 2014","US Investigations Services (USIS)","Falls Church","Virginia","HACK","GOV","25,000","The US Investigations Services (USIS), a firm that performs background checks for U.S government employees, had a breach in their database. Cyber criminals were able to hack their system to gain personal information on employees with the Department of Homeland Security, U.S Immigration and Customs Enforcement and U.S Customs and Border Protection units. The information breached included Social Security numbers, education and criminal history, birth dates, information on spouses, other relatives and friends including names and addresses. Officials say the number may increase as the investigation continues. More Information: http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyb... UPDATE (9/18/2014): ""The Office of Personnel Management will not renew any of its contracts with USIS, the major Falls Church, Va., contractor that provides the bulk of background checks for federal security clearances and was the victim of a recent cyberattack, officials confirmed Tuesday evening"". USIS conducted over 21,000 background checks per month for the US government and has been under scrutiny since the data breach in August. More Information: http://www.washingtonpost.com/business/economy/opm-to-end-usis-contracts... UPDATE (11/14/2014): It appears that the breach affecting the Department of Homeland Security goes beyond just this US governmental agency. An ex-DHS official warns of more USIS breach victims and is warning that the breach likely affected other federal workers beyond DHS. 
","Media","","2014","38.882334","-77.171091" "October 14, 2014","Novant Health Gaffney Family Medical Care ","Gaffney ","South Carolina","PORT","MED","0","Novant Health Gaffney Family Medical Care informed patients of a data breach when their offices were broken into and two of the facility's laptops were stolen. The information on the laptops was not disclosed. More Information: http://www.wspa.com/story/26681323/laptops-with-patient-data-stolen-from...","Media","","2014","35.071795","-81.649820" "October 3, 2014","Touchstone Medical Imaging","Brentwood","Tennessee","DISC","MED","0","Touchstone Medical Imaging notified patients of a data breach as a ""result of an open share that was exposed to the Internet."" The information exposed included Social Security numbers, names, addresses, dates of birth, and phone numbers. The center stated that no medical information was stored in this exposed folder. They are not sure if any financial information was contained in this folder. More Information: http://www.csoonline.com/article/2691601/data-breach/touchstone-medical-...","Media","","2014","36.033116","-86.782777" "November 14, 2014","Cone Health","Greensboro","North Carolina","DISC","MED","2,076","Cone Health notified patients of a data breach after letters sent from one of its facilities were addressed to the wrong patients. The information on 2,076 patients included names, Social Security numbers, dates of birth and insurance information. More Information: http://www.wfmynews2.com/story/news/local/2014/10/09/cone-health-admits-...","Media","","2014","36.072635","-79.791975" "October 9, 2014","South Texas Veterans Health Care System","San Antonio","Texas","DISC","MED","4,000","The South Texas Veterans Health Care System informed 4,000 patients of a data breach to their personal information.  ""South Texas Veterans Health Care tried to send veterans notices on September 15 to explain a new federal rule of Hydrocodone combination they need to be aware of. 
But in the process of printing the letters, they mistakenly came out double-sided and had one unique veteran’s information on one side and another veteran’s on the other."" The information breached included full names, addresses and the type of prescription drugs. More Information: http://healthitsecurity.com/2014/10/09/south-texas-va-reports-printing-e...","Media","","2014","29.424122","-98.493628" "October 9, 2014","U.S. Health Holdings, Ltd.","Detroit","Michigan","DISC","MED","0","U.S Health Holdings, Ltd. on behalf of Macomb County Michigan has suffered a breach when an accidental disclosure of personal information was posted on the Michigan Inter-Governmental Trade Network (""MITN"") website. The information exposed included names, dates of birth, Social Security numbers, zip codes, cities, and Plan carrier names. More Information: http://www.phiprivacy.net/2014/10/page/13/","PHIPrivacy.net","","2014","42.331427","-83.045754" "November 17, 2014","US State Department","Washington","District Of Columbia","HACK","GOV","0","The US State Department shut down one of its computer networks when it was believed to have been hacked. Experts believe this is related to the breach to the White House's unclassified computer network. On Monday Jeff Rathke, a State Department spokesperson said ""the department had recently detected ""activity of concern"" in portions of the system handling non-classified emails, and the weekend maintenance included security improvements responding to the breach."" More Information: http://phys.org/news/2014-11-state-dept-hacked-email.html
","Media","","2014","38.907192","-77.036871" "October 9, 2014","Albertina Kerr Centers","Gresham","Oregon","PORT","MED","1,300","The Albertina Kerr Centers have notified individuals of a breach when two of their laptop computers and a cell phone were stolen from the Albertina Kerr's campus. The laptops contained medical information identifying individuals, the diagnoses they received and treatments applied. The theft took place in August of 2014 when an individual or individuals broke into one of the facility's offices at the Kerr's crisis psychiatric care facility. According to the facility these laptops did not contain Social Security numbers or financial information. The center is offering a year of free identity theft security monitoring. 
Those affected can call 1-888-276-0529. More Information: http://www.oregonlive.com/gresham/index.ssf/2014/10/laptops_stolen_from_...","PHIPrivacy.net","","2014","45.528806","-122.494864" "October 10, 2014","Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD)","Atlanta ","Georgia","PORT","GOV","3,397","The Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) notified individuals of a data breach when one of their department's laptops was stolen out of a car of an employee who was attending a conference. The laptop contained personal information of over 3,000 patients including names, addresses, phone numbers, dates of birth, names of guardians, marital status, Social Security numbers, Medicaid numbers, diagnosis, behavioral data and other personal information. The laptops were not encrypted. Those who might have been affected can call DBHDD at 844-888-5998 until January 9, 2015. More Information: http://www.phiprivacy.net/2014/10/page/12/","PHIPrivacy.net","","2014","33.754158","-84.390589" "October 10, 2014","Department of Human Services' Office of Behavioral Health, Denver","Denver","Colorado","DISC","GOV","15,000","The Department of Human Services' Office of Behavioral Health in Denver Colorado notified individuals of a data breach when a postcard mailing went out to individuals as part of a survey. The cards were specifically addressed to individuals receiving behavioral health services through DHS office and mailed in post-card format. This information is considered to be protected health information. According to the DHS no Social Security numbers or financial information was on the cards. More Information: http://www.9news.com/story/news/local/2014/10/10/colorado-health-officia...","Media","","2014","39.739236","-104.990251" "October 13, 2014","Penn Highlands Brookville","Brookville","Pennsylvania","HACK","MED","0","The office of Dr. Barry J. 
Snyder at Penn Highlands Brookville, a healthcare service provider for the Brookville area in Pennsylvania, notified patients of a data breach when a third party accessed the server of the third party vendor who maintains records for Dr. Snyder. The information compromised included patient names, addresses, dates of birth, driver's license numbers, Social Security numbers, phone numbers, insurance information, medical information and genders. The facility is offering free identity monitoring and identity protection services to affected individuals through Kroll Inc. Those affected can call 1-855-401-2640.","PHIPrivacy.net","","2014","41.161175","-79.083092" "November 25, 2014","Texas Health and Human Services","Houston","Texas","DISC","GOV","2,000,000","The Texas Health and Human Services department discovered a data breach, it appears by ""chance"", after terminating their relationship with Xerox Corporation. ""In August, after the transition to a new Medicaid vendor, the Texas commission filed a lawsuit against Xerox, alleging that the contractor had failed to turn over computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals, ""putting the state out of compliance with federal regulations and at risk of massive federal fines,"" says a statement issued by Texas HHSC in August."" The Texas Health and Human Services department has notified individuals of the data breach communicating that their information may have been compromised. 
The information includes ""Medicaid clients' names, birthdates, Medicaid numbers, and medical and billing records related to care provided through Medicaid, such as reports, diagnosis codes and photographs."" More Information: http://www.govinfosecurity.com/breach-reported-after-vendor-dispute-a-7605 ","Media","","2014","29.760427","-95.369803" "November 28, 2014","University Hospitals","Cleveland","Ohio","INSD","MED","692","University Hospital has informed 692 patients that their personal information has been compromised. An employee of the hospital had been accessing the personal information of patients for over 3 years. The employee has been dismissed. The information this person accessed included names, addresses, phone numbers, email addresses, medical and health-insurance account numbers, financial information including debt/credit card information and Social Security numbers. Those with additional questions or concerns can call (866) 329-5860. More Information: http://www.cleveland.com/metro/index.ssf/2014/11/uh_employee_gained_impr...","Media","","2014","41.499320","-81.694361" "October 13, 2014","Oak Park Medical Center","Oak Park","Michigan","DISC","MED","0","Medical files were found by a former customer of a Dr. Pramod Raval, who was indicted in a Medicare home health care fraud scheme. Boxes of full files were dumped outside with massive amounts of patient data still intact. The medical files included files that contained names, Social Security numbers, X-rays, blood types and addresses. The local police were notified and the files were scheduled to be shredded. More Information: http://www.clickondetroit.com/news/medical-files-found-dumped-in-oak-par...","Media","","2014","42.459480","-83.182705" "December 2, 2014","Dallas Fire-Rescue","Dallas","Texas","PORT","MED","0","Dallas Fire-Rescue had several laptops containing patient information go missing from several of their ambulances. 
""According to the city, those computers disappeared between January 1, 2011, and August 29, 2014. The city’s release did not say how many laptops were unaccounted for — or how they disappeared. Messages have been left for Sana Syed, the city’s spokesperson."" No specific information was provided as to what information was in the files. Patients who have questions can call the Dallas Fire-Rescue EMS staff at (844) 532-5527. More Information: http://cityhallblog.dallasnews.com/2014/10/dallas-warns-that-small-numbe...","Media","","2014","32.776664","-96.796988" "November 14, 2014","Reeve-Wood Eye Center","Chico","California","UNKN","MED","0","The Reeve-Wood Eye Center reported a data breach to the California Attorney General's office. No specific details were provided as to the scope of the breach, type of breach or individuals affected. ","California Attorney General","","2014","39.728494","-121.837478" "November 25, 2014","State Compensation Insurance Fund","Pleasanton","California","HACK","GOV","0","The State Compensation Insurance Fund, a state agency that provides workers compensation insurance to businesses, informed customers of a data breach when one of their brokers suffered a data breach to their system. Lucy Gomez Blankley Interpreting Inc., a provider of State Fund, was the victim of a computer hack that resulted in theft of emails which contained information regarding patient workers compensation claims. The specific information included names, addresses, phone, Social Security Number, dates of birth and workers compensation claim number. The agency is providing one year free of Experian ProtectMyID services to those who were affected. 
Those with questions can call 1-877-220-1388. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47592","California Attorney General","","2014","37.662431","-121.874679" "November 25, 2014","Godiva Chocolatier Inc.","New York","New York","PORT","BSR","0","Godiva notified employees of the company of a data breach when a Human Resources employee, who was traveling to retail sites, had a briefcase stolen from a car. The briefcase contained a laptop that had employee information on it. The laptop was not encrypted. The information included names, addresses, Social Security numbers and drivers license numbers. The company is providing Experian ProtectMyID Alert for 12 months for free. For questions call 1-866-328-1993 Monday through Friday 6:00 a.m to 6:00 p.m Pacific time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47593","California Attorney General","","2014","40.753290","-73.994868" "December 1, 2014","American Residuals and Talent Inc.","Los Angeles","California","HACK","BSO","0","American Residuals and Talent Inc, dba ART Payroll, a specialized payroll company for the entertainment, advertising and events production industry, notified customers of a breach to their system when hackers infiltrated their servers and obtained personal information. The information included names, addresses, dates of birth, Social Security number, email addresses, phone numbers, ART account numbers, bank account information, ART account user ID and password. The company is providing ProtectMyID for 1 year at no cost to those who were affected. For questions call 1-877-297-7780. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47623","California Attorney General","","2014","34.052234","-118.243685" "November 26, 2014","Shutterfly/Tiny Prints/Treats/Wedding Divas","Redwood City","California","HACK","BSO","0","Tiny Prints, Treat and Wedding Paper Divas, owned by Shutterfly Inc. 
notified customers of a data breach to their online system by hackers. The hacking may have exposed customer usernames and passwords. The company is urging customers to change all usernames and passwords to each site. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47602  ","California Attorney General","","2014","37.539421","-122.256700" "December 5, 2014","Bebe Retail","Brisbane","California","HACK","BSR","0","Bebe Stores have notified customers of a data breach to their point of sale systems that took place last month for several weeks. The goal of the hackers was to obtain payment card information. The hacking took place between November 8, 2014 and November 26, 2014. The retailer is not stating how many cards were affected and the breach is currently being investigated by forensic IT specialists. Bebe has more than 200 stores that could have been affected.  More Information: http://fortune.com/2014/12/05/bebe-data-breach/","Media","","2014","37.680766","-122.399972" "December 9, 2014","Charge Anywhere LLC","South Plainfield","New Jersey","HACK","BSF","0","The electronic payment provider Charge Anywhere has notified individuals of a data breach of their networks when an unauthorized person(s) installed ""sophisticated malware"" that allowed the hackers to ""capture segments of outbound network traffic"" as the company has explained in a statement released December 9, 2014. The information captured included customer names, card numbers, expiration dates and verification codes of debit/credit cards. The company stated that transactions completed from August 17, 2014 through September 24, 2014 were compromised. However, information as far back as November 5, 2009 could have been captured as well. ""The incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to fully encrypt the data as it traverses their network. 
The company has provided a searchable list of merchants who may have been affected by the breach."" More Information: http://krebsonsecurity.com/2014/12/unencrypted-data-lets-thieves-charge-...","Krebs On Security","","2014","40.579270","-74.411540" "October 8, 2012","TD Bank","Cherry Hill","New Jersey","PORT","BSF","260,000","Two data backup tapes were lost during shipping in late March 2012.  The tapes included customer names, Social Security numbers, addresses, account numbers, debit card numbers, and credit card numbers. UPDATE (10/13/2012): A total of 260,000 customers from Maine to Florida were notified. UPDATE (10/15/2014):  ""TD Bank NA has agreed to pay $850,000 to settle a multistate probe into the security breach, New York's attorney general said"". More Information: http://www.bloomberg.com/news/2014-10-15/td-bank-resolves-claims-over-da... UPDATE (12/10/2014): TD Bank has settled with the state of Massachusetts for $625,000, separate from the above previous settlement deals the bank made with other states. More Information: http://www.americanbanker.com/news/bank-technology/td-bank-pays-625000-i...","California Attorney General","","2012","39.926813","-75.024631" "December 1, 2014","Highlands-Cashier Hospital","Highlands","North Carolina","DISC","MED","25,000","Highlands-Cashier hospital in North Carolina informed patients of a data breach to their servers that contained patient data. The disclosure of the data was due to an error by one of their third party vendors, TruBridge a subsidiary of Computer Programs and Systems, Inc. when they were contracted to complete some specialized computer services. A data security screening caught the disclosure on September 29, 2014 that exposed patient information between May 2012 through September 2014. The information exposed included patient names, addresses, dates of birth, treatment information, diagnosis, health insurance information and Social Security numbers. 
All of this information could be accessed via the Internet. Those who might have been affected can call 1-888-227-1416 Monday through Friday between 9:00 a.m and 9:00 p.m Eastern Time. More Information: http://www.phiprivacy.net/highlands-cashiers-hospital-discovers-patient-...","PHIPrivacy.net","","2014","35.085886","-83.187267" "May 27, 2014","Midwest Womens Healthcare Specialists","Kansas City ","Missouri","PHYS","MED","1,500","Midwest Women's Healthcare has informed patients of a data breach when records were mistakenly placed in a dumpster during a construction project at their facility. The records in turn were blown out of the dumpster during a strong wind storm in the area. The records included names, addresses and Social Security numbers for female patients in 2011 and 2012. More Information: http://www.kshb.com/news/local-news/mistake-during-construction-led-to-l... UPDATE (12/3/2014): A settlement agreement has been reached with over 1,500 women and the Women's Healthcare Specialists over the mistaken exposure of their personal information when records were accidentally dumped outside the facility in a dumpster, then blown from the dumpster due to high winds in May 2014. Midwest Healthcare Specialists agreed to set up a victims' fund of $400,000 to compensate those women whose records were exposed as a result of the physical disclosure of documents. More Information: http://www.kshb.com/news/local-news/exclusive-settlement-reached-over-im... ","Media","","2014","39.099727","-94.578567" "June 21, 2014","NRAD Medical Associates","Nassau","New York","INSD","MED","96,998","NRAD Associates informed patients of a data breach to their system when a radiologist employed with the facility accessed patient information without authorization. As disclosed by NRAD the information the Dr. 
accessed included the following information: names, addresses, dates of birth, Social Security numbers, health insurance information, diagnosis codes and procedure codes. For those with questions or concerns, call 1-800-926-8180 or go to the link www.NRAD.com/answers More Information: http://www.databreaches.net/radiologist-bypasses-billing-system-computer... UPDATE (12/4/2014): A physician with NRAD Associates has been arrested for the theft of protected health information of 96,998 patients of the medical facility. James Kessler, a Radiologist with the facility, has been charged with Unauthorized Use of a Computer, Unlawful Duplication of Computer Related Material in the 2nd degree and Petit Larceny, all of which are misdemeanors in the state of New York. As disclosed by NRAD the information the Dr. accessed included the following information: names, addresses, dates of birth, Social Security numbers, health insurance information, diagnosis codes and procedure codes. More Information: http://www.phiprivacy.net/doctor-who-stole-personal-information-of-nearl...","Media","","2014","42.515915","-73.610116" "November 8, 2013","Good Samaritan Hospital","San Jose","California","PORT","MED","3,833","Good Samaritan Hospital learned that a laptop was missing on July 8.  An investigation revealed on September 23 that the laptop contained data files related to patient pacemakers.  Names, dates of birth, addresses, telephone numbers, and health insurance company names may have been exposed.  Five patients had their Social Security numbers on the laptop.  
Only a fraction of patients who had their pacemakers checked between 1996 and July of 2013 were affected. UPDATE (12/5/2014): ""Rensselaer County has paid $25,000 in a court award and set aside $90,000 for expected legal fees in a flurry of lawsuits brought by jail officers and others whose medical information was viewed for years by employees using a computer in the jail nurses' office. Seven parties, including four current or former correction officers, a jail employee, the family of a correction officer on behalf of a minor child, and a private individual have sued the county. More suits are anticipated, officials have said. Two cases have been settled."" More Information: http://www.timesunion.com/local/article/Cost-grows-for-medical-access-la... ","HHS via PHIPrivacy.net","","2013","37.338208","-121.886329" "December 6, 2014","WellCare Health Plans","Monroe County","New York","DISC","MED","47","500 Monroe County residents were notified by WellCare Health of disclosure of some of their personal information when their Medicare records were ""mishandled"" by a sub-contractor for the insurer. The insurer's vendor had an error in their computer coding causing denial letters to be sent to the wrong members. The information on the letters included names, addresses, member ID numbers and general descriptions of the procedure. According to the insurer, no Social Security numbers or financial information was disclosed in the letter. Subscribers with questions can call WellCare at (888) 240-4946. More Information: http://www.democratandchronicle.com/story/news/2014/12/06/wellcare-medic...","PHIPrivacy.net","","2014","43.284125","-77.745208" "December 11, 2014","Emcor Services Mesa Energy Systems","El Cajon","California","PORT","BSO","0","Emcor Services Mesa Energy Systems notified individuals of a data breach when a company laptop was stolen that contained customers' personal information. 
The information contained on the laptop included names, Social Security numbers, dates of birth, dates of hire, addresses, salaries, gender and ethnicity. The theft occurred on or around November 25, 2014. The company is offering the services of Kroll for one year at no cost. Those who were affected can call 1-866-775-4209 from 8:00 a.m to 5 p.m Central Time, Monday through Friday. Those with questions for the company can call Mike Cook at 1-949-460-4605. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47705","California Attorney General","","2014","32.812602","-116.972987" "December 11, 2014","ABM Parking Services","St. Louis","Missouri","HACK","BSO","0","ABM Parking Services notified customers of a data breach when the point of sale software system implemented by Datapark USA Inc, a third party vendor for several Chicago, Illinois parking facilities, was hacked. The information was compromised from October 6, 2014 through October 31, 2014. The hackers were able to compromise certain customer credit and debit card information, including payment card numbers. A toll-free information line has been made available for those affected. Customers can call 1-877-238-3790. The company is offering one year free of Experian's ProtectMyID Elite for those affected. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47710","California Attorney General","","2014","38.627003","-90.199404" "December 12, 2014","Acosta Sales and Marketing","Jacksonville","Florida","PORT","BSO","0","Acosta, Inc. and its subsidiaries (Mosaic Sales Solutions US Operating Co. 
LLC) informed customers of a data breach when an employee of their Human Resources department had a laptop containing personal information stolen from their car on November 11, 2014. For those affected, the company has set up a toll free number to assist with questions at 1-877-237-4971 Monday through Friday 9:00 a.m to 7:00 p.m Eastern Standard Time. The reference number to the incident is #5316120814. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47713","California Attorney General","","2014","30.256280","-81.599016" "December 12, 2014","University of California Berkeley","Berkeley","California","HACK","EDU","0","The University of California Berkeley has notified individuals of a data breach in their Real Estate Division that resulted in unauthorized access to servers used to support a number of Real Estate programs and work stations.  These workstations contained files that included some personal information. The investigation of the hacking showed that these servers were breached in mid-to late September. The personal information included names, Social Security Numbers, credit card numbers and driver's license numbers. The university is offering identity theft protection and fraud resolution through ID Experts for free for one year. Those affected can call 1-877-846-6340 Monday through Friday from 6 a.m to 6 p.m Pacific Time or go to www.myidcare.com/ucbinfo.    More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47717","California Attorney General","","2014","37.871593","-122.272747" "December 26, 2014","Sony PlayStation","New York","New York","HACK","BSO","0","PlayStation and xBox networks over the holiday season. A group calling itself ""LizardSquad"" hacked both gaming networks on Christmas Day.  
According to the group and KrebsOnSecurity, ""various statements posted by self-described LizardSquad members on their open online chat forum - chat.lizardpartrol.com - suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts"" More Information: http://krebsonsecurity.com/2014/12/cowards-attack-sony-playstation-micro...","Krebs On Security","","2014","40.712784","-74.005941" "December 26, 2014","Microsoft xBox","Redmond ","Washington","HACK","BSO","0","Microsoft Xbox Live networks were hacked by a group called ""LizardSquad"", preventing users from playing games over the holiday. The assault was a DDoS attack (distributed denial-of-service) which ""harness the Internet connectivity of many hacked or misconfigured systems so that those systems are forced to simultaneously flood target network with junk Internet traffic. The goal, of course, is to prevent legitimate visitors from being able to load the site or use the service under attack."" More Information: http://krebsonsecurity.com/2014/12/cowards-attack-sony-playstation-micro...","Krebs On Security","","2014","47.673988","-122.121512" "October 20, 2014","Staples Inc.","Framingham","Massachusetts","HACK","BSR","1,200,000","Several large banks notified Staples Inc. of unusual activity on credit and debit cards used at several locations in Northeastern United States. According to Brian Krebs, Krebs on Security ""According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey"". Staples Inc. has more than 1800 stores nationwide and is currently investigating the potential breach. 
More Information: http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-s... UPDATE (11/17/2014): It appears that the breach that happened at Staples was conducted by the same cyber criminals that infiltrated Michaels stores. According to Krebs On Security, ""Multiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard about cards impacted in the breach at Staples, and that to date those alerts suggest that a subset of Staples stores were compromised between July and September 2014."" More Information: http://krebsonsecurity.com/2014/11/link-found-in-staples-michaels-breach... UPDATE (12/19/2014): After an investigation, Staples Inc. said that nearly 1.2 million customers payment cards. ""Staples said Friday that the investigation revealed that the hackers used malware that provided access to information for transactions at 115 of its stores. The hackers stole cardholder names, payment card numbers, expiration dates and card verification codes. The company is offering free identity theft protection services. More Information: http://www.huffingtonpost.com/2014/12/19/staples-breach-payment-cards_n_...","Media","","2014","42.279286","-71.416157" "August 28, 2014","J.P Morgan Chase","New York","New York","HACK","BSF","76,000,000","The FBI is investigating a sophisticated hacking attack on JP Morgan Chase and potentially seven other financial institutions. Originally it was reported that possibly one to four other institutions may have been affected, but it appears that the breach could be much larger than originally thought. The hackers, who are reportedly Russian, gained enough personal information to completely wipe out bank accounts. The sophisticated and coordinated attacks go beyond the typical criminal hacker(s) according to authorities. Investigators are looking into the reasons behind the coordinated attack.
It appears that not only did the hackers gain access to the accounts, but also altered and possibly deleted information. The attack appears to have been coordinated and directed at specific JP Morgan Chase employees to gain access to their computers and databases at the bank. Experts are communicating that the hackers would have had to spend a significant amount of time researching and studying the record system of the bank prior to attempting any kind of unauthorized access. ""What was even more concerning is these hackers were able to modify records using high-level credentials and do it in a way that was undetected."" More Information: http://www.foxnews.com/politics/2014/08/28/fbi-reportedly-probing-hack-j... http://www.cnet.com/news/jpmorgan-hackers-altered-deleted-bank-records-s... UPDATE (9/16/2014): After further investigation by authorities and Chase Bank, the breach they suffered isn't as severe as originally anticipated. The bank has confirmed that the hackers were able to gain access only to names, addresses and phone numbers; no financial or bank account information was accessed. More Information: http://www.tomsguide.com/us/chase-bank-breach-update,news-19545.html UPDATE (10/3/2014): The cyber attack JPMorgan Chase & Co. faced this summer compromised personal information in much greater numbers than first reported. Originally the numbers reported were over 1 million affected customers. After an investigation, JP Morgan Chase reports that hackers gained access to data on more than 76 million account holders--names, addresses, phone numbers and emails. Information on an additional 7 million small businesses was obtained as well.
""""JPMorgan Chase said that names, addresses, phone numbers and email addresses were stolen from the company's servers, but only customers who use the websites Chase.com and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected"".More Information:  http://www.pressofatlanticcity.com/news/ap/jpmorgan-says-data-breach-aff...UPDATE (12/22/2014): The computer breach at JP Morgan Chase could have been avoided according to security experts if the bank had installed an easy security fix to a server that was overlooked.More Information: http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-brea... ","Media","","2014","40.712784","-74.005941" "January 6, 2015","NVIDIA Corporation","Santa Clara","California","HACK","BSO","0","NVIDIA Corporation suffered a data breach when hackers infiltrated their network and stole employee usernames and passwords. The company is requesting that those affected change their password and be cautious of ""phishing"" emails that look like they are coming from a colleague or friend requesting sensitive information. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47824","California Attorney General","","2014","37.370012","-121.965350" "December 23, 2014","Rob Kirby, CPA","Santa Rosa","California","PORT","BSO","0","Rob Kirby CPA notified customers of a data breach when the car he was driving was broken into and his briefcase, a password protected laptop and flash drive containing confidential client information were stolen. The information stolen included tax returns for current and previous years, copies of supporting documents associated with the returns, including names, addresses, birth dates, and Social Security numbers for clients, spouses, and dependents. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47844","California Attorney General","","2014","38.448569","-122.731675" "December 23, 2014","Public Architecture/theonepercent.org","San Francisco","California","HACK","BSO","0","On December 8th, 2014 Public Architecture, theonepercent.org, was breached when a hacker broke through the site's security protocols and firewalls to put up a brag page touting his success in hacking. The hacker deleted files that affected the operation of the site, and possibly stole usernames, passwords, and contact information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47847","California Attorney General","","2014","37.774710","-122.410090" "December 24, 2014","Corday Productions, Inc.","Burbank","California","HACK","BSO","0","Corday Productions, Inc. has payroll administered by Sony Pictures Entertainment. As part of the Sony breach, Corday Production Inc.'s employees, independent contractors or employees of contractors providing services to Corday may have had personal information compromised. The incident is still under investigation as part of the larger Sony investigation. Corday is offering AllClear ID to those who may have been affected.
They can be contacted at 1-855-434-8077 or https://www.allclearid.com/ More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47852","California Attorney General","","2014","34.180839","-118.308966" "January 7, 2015","Lokai","New York","New York","HACK","BSO","0","Lokai informed customers of a data breach to their system from July 18, 2014 to October 28, 2014 by hackers who gained access to their server that hosts their website. The hackers installed a program that was designed to record information entered by customers. The information affected included names, addresses, payment card information, expiration dates, verification codes, and user name and passwords. For those affected who have questions they can call 1-800-981-7571 Monday through Friday between the hours of 9:00 a.m. and 9:00 p.m. Eastern Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47853","California Attorney General","","2014","40.726790","-74.005396" "January 2, 2015","Chick-fil-A","Atlanta","Georgia","HACK","BSO","0","Chick-fil-A has announced they are investigating a possible data breach to their payment card system. They have not released any details as to the reality of the breach, however, many experts are predicting it could be extensive. The restaurant chain operates over 1,850 stores nationwide. Suspicious activity on their payment systems and a report provided to the on December 19, 2014 as to suspicious activity, prompted the company to launch an investigation. Additional information will be posted as soon as information is available. More Information: http://www.eweek.com/security/chick-fil-a-may-be-the-latest-retail-data-... Fast food restaurant chain Chick-fil-A could well be the first retail breach to be publicly confirmed in 2015. Chick-fil-A released a public statement on Jan.
2, confirming that it is investigating a possible data breach at its restaurants. While Chick-fil-A's statement was issued on Jan. 2, the company admitted that it received a report about a potential breach on Dec. 19. After the report was received, Chick-fil-A indicated that it launched an investigation to determine what had occurred. ""The initial report was of potential suspicious activity involving payment cards at a few restaurants,"" Chick-fil-A stated. ""Our investigation is ongoing and we will update as we are able to do so."" Chick-fil-A reported 2013 sales of more than $5 billion and has over 1,850 locations, including both stand-alone restaurants and mall locations. - See more at: http://www.eweek.com/security/chick-fil-a-may-be-the-latest-retail-data-...
","Media","","2015","33.613826","-84.489645" "December 24, 2014","Boersma Bros.LLC/dba DutchWear","Grants Pass","Oregon","HACK","BSR","0","Boersma Brothers, dba DutchWear suffered a data breach when their website was breached exposing the payment information for customers between November 7 and December 6, 2014. The information compromised included names, addresses, phone numbers, credit card numbers, expiration dates, and credit card security codes. The company has set up a toll-free help line for customers at 1-844-835-8656 between 8 a.m. and 4 p.m. PST, Monday through Friday. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47840","California Attorney General","","2014","42.439007","-123.328393" "November 3, 2014","Palm Springs Federal Credit Union","Palm Springs","California","PORT","BSF","0","The Palm Springs Federal Credit Union was conducting an audit of their systems and realized that one of their external hard drives that contained customer data was missing. The information contained on the drive included customer names, addresses, Social Security Numbers and account numbers. The credit union is offering AllClearID and AllClearID Pro for 12 months at no cost to those who were affected by this breach. For those with questions they can call 1-866-979-2595 or the credit union at dpitigliano@palmspringsfcu.com. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47289 UPDATE (1/16/2015): The National Credit Union Administration has announced that it will be paying Palm Springs Federal Credit Union $50,000 to help cover expenses incurred due to a data breach the credit union suffered. The regulatory agency is taking responsibility for the breach.
More Information: http://www.bankinfosecurity.com/agency-takes-responsibility-for-breach-a...","California Attorney General","","2014","33.828450","-116.516148" "January 21, 2015","Sunglo Home Health Services","Harlingen","Texas","PORT","MED","0","Sunglo Home Health Services notified customers/patients of a data breach when their facility was broken into and one of their company laptops was stolen. The laptop contained patient information including Social Security Numbers and personal health information. Currently the company does not know the number of affected patients. More Information: http://www.krgv.com/news/local-news/Computer-with-Patients-Personal-Info...","Media","","2015","26.190631","-97.696103" "January 21, 2015","Mount Pleasant School District","Mount Pleasant","Texas","HACK","EDU","915","Mount Pleasant School District has informed approximately 915 present and former staff members that their personal information may have been compromised between January 18th 2015 and January 21st 2015. A spokesperson for Mount Pleasant School District stated “Forest Hills District had a denial of service and discovered they had been hacked,” she said. “The district’s technology director found a Tweet that mentioned us. She looked us up on the Web and called us to let us know on Tuesday.” When the technology director for Mount Pleasant clicked on the link, it directed him to a file that included names, addresses and Social Security numbers” of MPISD staff. More Information: http://www.dailytribune.net/news/data-breach-hits-mpisd-employees/articl...","Media","","2015","33.156786","-94.968269" "December 26, 2014","Physicians Skin and Weight Systems","Roseville","California","PORT","MED","0","On November 14, 2014 an employee laptop and hard drive were stolen when their car was broken into.
According to the company the laptop was password protected. The information stored on the laptop included images taken during the course of treatment, names, banking, full routing numbers, credit card numbers, some financing applications that included Social Security Numbers, dates of birth, mailing address, email address, income, rent payments and employer names. The company is providing 12 months free of AllClearID, call 1-877-437-3998. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47861","California Attorney General","","2014","38.761189","-121.249122" "January 30, 2015","CICS Employment Services, Inc","Lincoln City","Oregon","HACK","BSO","0","CICS Employment Services notified customers of a data breach when their system was accessed by an unauthorized user(s) gaining access to employment application information on individuals. The information accessed included names, addresses, dates of birth and Social Security Numbers. The company is providing 12 months free of AllClearID. Call 1-855-865-4453. For additional questions or concerns a company representative can be reached at 1-888-593-5379. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48292","California Attorney General","","2015","44.986413","-124.007236" "January 16, 2015","Grill Parts.com","Santa Rosa","California","HACK","BSR","0","Grillparts.com notified customers of a data breach to their website from January 2014 through October 2014. The information compromised included first and last names, addresses, personal card account numbers, expiration dates, and credit/debit card security codes. It is currently unknown or has not been reported as to the number of people who were affected. The company is providing the services of Kroll identity theft protection for one year at no cost to those who might have been affected by the breach. Visit kroll.idMonitoringService.com and follow the online instructions to take advantage of the Identity Theft Protection Services.
You will need to enter the membership ID provided by the company sent in a letter to those whose information has been or could have been compromised. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48107","California Attorney General","","2015","38.417615","-122.715309" "January 15, 2015","Oppenheimer Funds","Denver","Colorado","DISC","BSF","0","Oppenheimer Funds was notified by a brokerage firm that works with Oppenheimer Funds that customer information was mistakenly made available to a representative of the associated brokerage firm. The information included names, addresses, Oppenheimer Fund account numbers and Social Security numbers. The company is offering credit protection through Equifax Consumer Services, LLC. For those affected they can reach out to Equifax Consumer Services at 1-888-766-0008 for information regarding the credit monitoring. Oppenheimer Funds provided a monitoring code to all those affected. The company can be reached at 1-800-225-5677 Monday through Friday from 8:00am to 8:00pm Eastern time or visit the website at www.oppenheimerfunds.com. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48071","California Attorney General","","2015","39.739236","-104.990251" "January 23, 2015","California Pacific Medical Center/Sutter Health","San Francisco","California","INSD","MED","844","California Pacific Medical Center notified 844 patients of a data breach to their system when an employee accessed records without authorization. Records of a total of 844 patients, between October 2013 and October 2014, were accessed by this person, who has since been terminated. The information obtained included patient demographics, last four digits of Social Security number, clinical information such as diagnosis, clinical notes, and prescription information.
The company states that the employee did not have access to full Social Security numbers, credit card or financial information, driver's license numbers, or California identification numbers. Those with questions can contact Sutter Health's Chief Privacy Officer toll-free at 1-855-771-4220 Monday through Friday from 8:00 am to 5 pm Pacific Standard Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48217","California Attorney General","","2015","37.774930","-122.419416" "February 5, 2015","Anthem","Indianapolis","Indiana","HACK","BSF","80,000,000","Anthem, the second largest health insurance company operating under Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink, has suffered a massive data breach. The company announced that they have been the victim of a ""very sophisticated external cyber attack"" on their system. The information compromised includes names, birthdays, medical ID's, Social Security Numbers, street addresses, e-mail addresses, employment and income information. Over the next several weeks, those who were affected will be receiving some form of identity theft protection. For those members with questions regarding the breach, the company has set up a toll-free line at 1-877-263-7995. More Information: For the statement by Anthem's CEO Joseph R. Swedish and the dedicated website created for customer information, click here. Additional Information: http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-se... UPDATE (2/10/2015): As further investigations are pursued regarding the Anthem breach, research by Brian Krebs and others shows that the hacking began as early as April 2014 and is pointing to a Chinese hacker group known as ""Deep Panda"".
At the time, Anthem was called Wellpoint, and upon further investigation Krebs ""discovered a series of connected domain names that appear to imitate actual Wellpoint sites, including we11point.com and myhr.we11point.com."" Because these sites were constructed almost 10 months prior, the question has now been raised as to why it took the company such a long time to uncover the hacking. More Information: http://thehill.com/policy/cybersecurity/232285-analysis-anthem-attack-ma...","Media","","2015","39.768403","-86.158068" "February 18, 2015","The Office of Jeb Bush","Tallahassee","Florida","DISC","BSO","12,000","Jeb Bush's office inadvertently exposed 12,500 individuals' personal information as part of a larger cached file of 332,999 emails sent to him when he was the Governor of Florida. The email was sent as part of a measure for transparency, however his team neglected to remove the personal information of 12,500 of those individuals, exposing names, Social Security numbers, and birthdates. The office has since redacted the information of the individuals, who were believed to have been on a family services waiting list from 2003. More Information: http://www.welivesecurity.com/2015/02/18/12000-exposed-possible-id-theft...","Media","","2015","30.438256","-84.280733" "March 3, 2015","Toys ""R"" Us","Wayne","New Jersey","HACK","BSR","0","Toys ""R"" Us informed customers that the passwords to their reward program accounts would be reset in order to avoid unauthorized attempts to access their rewards program accounts.
The company communicated that those notified did not necessarily have their accounts accessed, however, the risk was higher due to the discovery by the company of ""recycled login details used by some of its customers."" Between January 28th and January 30th, 2015, the company discovered a number of ""illegal login attempts made to its Rewards ""R"" Us accounts."" The current announcement is an additional security measure so that other customer accounts cannot be accessed in a similar way. ""Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address the situation,"" the company said in a letter sent to its customers. More Information: http://www.welivesecurity.com/2015/03/03/toys-r-us-resets-account-passwo...","Media","","2015","40.980753","-74.256172" "March 4, 2015","Mandarin Oriental Hotel Group","New York","New York","HACK","BSO","0","The hotel chain Mandarin Oriental has announced that their point-of-sale systems were hacked and infected with malware that stole customer credit card data. The hacking, according to the hotel chain, is limited to hotels in the U.S and Europe. The company has not communicated exactly how many of the hotel locations were compromised, only stating that ""Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern.
The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.” According to Krebs on Security, ""banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington D.C. Sources also say the compromise likely dates back to just before Christmas 2014."" More Information: http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-orien...","Krebs On Security","","2015","40.766288","-73.982519" "March 2, 2015","Natural Grocers","Lakewood","Colorado","HACK","BSR","0","Natural Grocers announced a possible data breach of its customers' payment cards. The grocery retailer claims they have not received any reports or complaints of fraudulent activity on customers' payment cards, however, according to Krebs on Security ""Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating ""a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data."""" The grocery retailer has 93 stores in 15 states and has hired a third party vendor that specializes in data forensics to investigate the possible breach. The company claims that ""no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system."" Again, as stated by KrebsOnSecurity, ""According to a source with inside knowledge of the breach, the attackers broke in just before Christmas 2014, by attacking weaknesses in the company's database servers.
From there, the attackers moved laterally within Natural Grocers' internal network, eventually planting card-snooping malware on point-of-sale systems."" More Information: https://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-b...","Krebs On Security","","2015","39.702286","-105.138164" "December 31, 2014","La Jolla Group","Irvine","California","HACK","BSO","0","The La Jolla Group has informed customers of a data breach in connection with ecommerce sites that the company manages for various apparel brand licensees. On December 3, 2014 they noticed unauthorized access to check-out pages on the websites of certain clients. The company then launched an investigation and confirmed that certain information had been breached. The information included names, addresses, phone numbers, email addresses, credit card numbers, CVV2 data and credit card expiration dates of customers who checked out at their clients' websites. According to the company no Social Security numbers were compromised. The company has set up AllClearID for those who were affected for one year for free. Those with questions can contact their hotline at 1-877-403-0281 between 9:00 a.m. and 9 p.m. Eastern Standard Time, Monday through Saturday. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47915","California Attorney General","","2014","33.684567","-117.826505" "January 1, 2015","Fast Forward Academy","Altamonte Springs","Florida","HACK","EDU","0","The Fast Forward Academy LLC has notified customers of a data breach to their systems that store customer and partner information. The information compromised included names, addresses, Social Security numbers, and email addresses. The company is providing access to Triple Bureau Credit Monitoring services at no charge for 12 months.
Those affected can enroll at https://www.myidmanager.com/promo_code.html and provide the code provided by the company or call 1-866-717-9429 to set up services or their help line at 1-800-405-6108 Monday through Friday between the hours of 8 a.m. to 5 p.m. EST. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47924","","","2015","28.661490","-81.362108" "January 1, 2015","United Airlines","Chicago","Illinois","HACK","BSO","0","United Airlines notified customers of an unauthorized access to their MileagePlus account with usernames and passwords obtained from a third-party source. The unauthorized access began on December 9, 2014, where the hacker(s) attempted to infiltrate the accounts of United Mileage Plus accounts. The hackers obtained MileagePlus numbers and possible account details. The company has stated that if the profile included a credit card number, only the last 4 digits of the card were visible. United temporarily suspended Mileage Plus accounts. For those with suspended accounts they can call 1-800-421-4655 to change usernames, passwords, PINs, and security questions. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47959","California Attorney General","","2015","41.878114","-87.629798" "February 27, 2015","Uber Technologies Inc. ","San Francisco","California","HACK","BSO","50,000","Uber notified 50,000 drivers of an unauthorized access to their database which resulted in compromising driver data. The hacking took place in May of 2014. According to the company only names and driver's license numbers were compromised. The company is offering identity protection services for affected drivers.
More Information: http://www.bloomberg.com/news/articles/2015-02-27/uber-discloses-databas...","Media","","2015","37.774930","-122.419416" "March 16, 2015","Advantage Dental","Redmond","Washington","HACK","MED","151,626","Advantage Dental notified 151,626 patients of a data breach when their database of patient information was hacked between February 23rd and February 26th. The hackers had access to patient names, dates of birth, phone numbers, Social Security numbers and home addresses. Advantage is offering credit monitoring and call center support through Experian. For further information go to Advantage homepage https://secure.advantagedental.com/ More Information: http://portlandtribune.com/pt/9-news/253880-123802-advantage-dental-says...","Media","","2015","47.673988","-122.121512" "March 16, 2015","Bistro Burger","San Francisco","California","HACK","BSO","0","Bistro Burger confirmed that malware was installed on the point-of-sale system at their San Francisco location between October 2, 2014 and December 4, 2014. The information compromised included names, payment card account numbers, card expiration dates and security codes.","Media","","2015","37.774930","-122.419416" "March 3, 2015","Pioneer Bank ","New York","New York","PORT","BSF","0","New York based Pioneer Bank notified customers of a data breach when an employee laptop was stolen on January 26th, compromising their personal information. The information compromised included names, addresses, Social Security numbers, and account and debit card numbers. More Information: http://www.scmagazine.com/laptop-stolen-from-employee-contained-data-on-...","Media","","2015","40.712784","-74.005941" "March 2, 2015","Piedmont Advantage Credit Union","Greensboro","North Carolina","PORT","BSF","0","Piedmont Advantage Credit Union notified customers of a data breach when one of their laptops containing personal information of its members could not be located.
The information contained names, addresses, dates of birth, member account numbers, and Social Security numbers. According to the credit union the laptop included password protected authentication. More Information: http://www.scmagazine.com/north-carolina-credit-union-notification-says-...","Media","","2015","36.123750","-79.845807" "February 27, 2015","Bulk Reef Supply","Golden Valley","Minnesota","HACK","BSO","0","Bulk Reef Supply notified customers of a data breach when their online website was compromised. The customer information compromised included names, addresses, phone numbers, email addresses, usernames, passwords, and credit card information. The company is asking customers to change their passwords. The company is offering one year free of credit monitoring and identity theft services. More Information: http://www.scmagazine.com/bulk-reef-supply-website-compromised-credit-ca...","Media","","2015","45.002753","-93.363486" "February 25, 2015","Lime Crime","New York","New York","HACK","BSO","0","Lime Crime, an online cosmetics company, notified customers of an unauthorized access to their website server which resulted in malware being installed. This malware allowed customer data to be captured, including credit card payment information. The information compromised included names, addresses, card account numbers, expiration dates, security codes and Lime Crime website usernames and passwords. The malware affected customers who purchased items on the website from October 4, 2014 through February 15, 2015. For those customers that used PayPal to purchase items, their Lime Crime website usernames and passwords may have also been compromised.
More Information: http://www.scmagazine.com/malware-on-lime-crime-website-payment-cards-co...","Media","","2015","40.712784","-74.005941" "February 24, 2015","Cathrine Steinborn, Dentist","Santa Clara","California","PORT","MED","0","The office of Cathrine Steinborn, DDS was broken into and a server containing patient and other personal information was stolen. The information compromised included names, addresses, dates of birth, telephone numbers, Social Security numbers, dental and/or medical insurance information, health information, treatment information, and billing information. More Information: http://www.scmagazine.com/california-dentist-announces-theft-of-server-c...","Media","","2015","37.347106","-121.959669" "February 23, 2015","Lone Star Circle of Care","Georgetown","Texas","DISC","BSO","8,700","Lone Star Circle of Care notified individuals of a data breach after discovering that a back-up file containing names, addresses, phone numbers, and birth dates was accidentally posted on their website for view. More Information: http://www.statesman.com/news/news/data-breach-at-lone-star-circle-of-ca...","Media","","2015","30.660720","-97.688207" "February 18, 2015","University of Maine","Orono","Maine","PORT","EDU","941","The University of Maine notified students of a data breach when a laptop was stolen with student roster information on it including Social Security numbers, phone numbers, email addresses, grade data and course information. According to the university only 604 Social Security numbers were involved in the total of 941 records exposed. 
More Information: http://umaine.edu/news/blog/2015/02/18/umaine-working-with-information-s...","Media","","2015","44.883113","-68.671941" "March 16, 2015","Apple America Group LLC","Independence","Ohio","PORT","BSF","0","Apple America Group, LLC informed employees of a data breach when a portable USB flash drive owned by a third party vendor containing payroll information was lost. The information on the portable USB drive included names, addresses, Social Security numbers, and wage and tax information. More Information: http://oag.ca.gov/system/files/Non-Massachusetts%20consumer%20notificati...?","Massachusetts Attorney General","","2015","39.091116","-94.415507" "February 17, 2015","Escondido Union School District","Escondido","California","PORT","EDU","0","The Escondido Union School District notified some students and employees of the district of a data breach that occurred when a district owned tablet and external hard drive were stolen from a backpack belonging to a district employee. The personal information saved on the laptop included student contact information, assessment results, and self reported income by parents. More Information: http://www.utsandiego.com/news/2015/feb/17/tp-school-district-warns-of-p... ","Media","","2015","33.119207","-117.086421" "April 3, 2015","Microsoft/Xbox One","Redmond","Washington","HACK","BSO","11,266","A 19-year-old hacker has pleaded guilty to hacking and stealing ""11,266 log-in credentials from an unnamed which he then shared amongst the other members."" Austin Alcala was part of a larger hacking network that stole software and data from gaming companies such as Microsoft, Valve, Epic. The group stole internal documents from companies, source code and games that had not yet been released to the public. The items stolen were stated to be worth approximately $100 million. The hacking took place from 2012 to 2014. More Information: http://www.welivesecurity.com/2015/04/03/us-teen-pleads-guilty-100-milli...  
","Media","","2015","39.868614","-85.993002" "December 6, 2013","Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)","Newark","New Jersey","PORT","BSF","840,000","Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations.  The laptops were password-protected and cable-locked to the workstations. Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed. Almost 840,000 Horizon Blue Cross Blue Shield members were affected.UPDATE (04/06/2015): A class action lawsuit was filed against Ble Cross Blue Shield of New Jersey of more than 830,000 members arguing that they were at risk of identity theft due to the data breach when stolen lap tops were discovered that contained personal information, including Social Security numbers. The judge in the case dismissed the class action lawsuit claiming that since there was no evidence that the information on the lap tops was used to create harm,  the judge clained there was no standing. More Information: http://www.nj.com/news/index.ssf/2015/04/judge_tosses_data-breach_suit_a...She also ""dismissed a claim of economic injury brought by three of the plaintiffs who argued that their premiums should have provided for the security of their personal information. Citing precendent, Cecchi dismissed that claim as well, writing that the plaintiffs failed to demonstrate actual economic harm as a result of the breach.""UPDATE (03/1/2017): ""New Jersey Attorney General Christopher S. Porrino announced Feb.17 that Horizon Healthcare Services, Inc., the state's largest health care provider, will pay $1.1 million and improe data security practices after allegations of failing to properly protect the privacy of close to 690,000 New Jersey policyholders.""More Information: http://legalnewsline.com/stories/511085361-horizon-healthcare-services-s...  
","California Attorney General","","2013","40.735657","-74.172367" "January 30, 2015","Phoenix House Foundation Inc. ","New York","New York","HACK","BSO","0","On December 22, 2014, the Phoenix House discovered a data breach when their payroll system when a consultant they hired made unauthorized changes to their electronic payroll systems. The information accessed included names, addresses, Social Security numbers, salary information, and benefit information. The company has terminated the contracted with the consultant and contacted authorities. The company is offering a 12 month membership in Experian's ProtectMyID Alert for free for those affected. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48355","California Attorney General","","2015","40.779492","-73.980262" "February 13, 2015","Liberty Tax Services","Highland","California","PORT","BSF","0","Liberty Tax Services contacted customers to inform them of a data breach due to a burglary. The thieves took some files and electronic records that included personal information of their customers. The information included names, addresses, dates of birth, identification numbers, Social Security numbers, income documents and names of dependents, their dates of births, and their Social Security numbers. The company is offering those who were affected one year free of credit monitoring. For those affected they can call 1-909-864-8122 to set up an appointment. For further questions contact a member of their team at the following: Linda Sowell, Office Manager at 909-864-8122 or Jeanette Burr, District Manager at 909-533-0448. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48438","California Attorney General","","2015","34.121651","-117.210412" "February 12, 2015","Big Fish Games","Seattle","Washington","HACK","BSR","0","Big Fish notified customers of a data breach when they discovered malware installed on the billing and payment pages of their online stores that affected purchases from December 24, 2014 through January 8, 2015. The information affected included names, addresses, and payment card information, including the card number, expiration date, and CVV2 code. The company is providing one year free of Experian's ProtectMyID Alert. Those affected with questions can call 877-534-7032. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48441","California Attorney General","","2015","47.620810","-122.361733" "December 29, 2014","LeapLab","Chandler","Arizona","INSD","BSO","0","LeapLab is being sued by the Federal Trade Commission for purchasing ""payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it"". In another FTC case, Ideal Financial Solutions used this information, which was sold to them, to withdraw millions of dollars from individual accounts without permission. More Information: http://krebsonsecurity.com/2014/12/payday-loan-network-sold-info-to-scam...","Krebs On Security","","2014","33.303116","-111.842308" "February 20, 2015","American Apparel, Inc. ","Los Angeles","California","PORT","MED","0","Lime Crime has warned customers of a data breach when they discovered malware installed on their website server potentially compromising payment cards and personal data of their customers who used their site. The compromised data included names, addresses, website usernames, passwords, payment card account numbers, card expiration dates and payment card security codes. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48501","California Attorney General","","2015","34.034276","-118.239861" "April 8, 2015","AT&T","Dallas","Texas","INSD","BSO","280,000","The FCC has fined AT&T $25 million after an investigation revealed that three separate international call centers are at the center of a data breach of customer information. Call centers in Mexico, the Philippines and Colombia all had similar incidents ""when employees accessed sensitive customer data without adequate authorization. Those employees took payment from third parties who were apparently interested in customer names and Social Security numbers so they could unlock stolen cell phones for sale on secondary markets."" As part of the settlement, AT&T has agreed to notify those customers that were affected and offer one year free of credit monitoring services. More Information: http://www.cnbc.com/id/","Media","","2014","32.776664","-96.796988" "November 4, 2014","Hilton/Hilton Honors Program","McClean","Virginia","HACK","BSO","0","""Hilton HHonors is at the center of a security crisis. According to reports and testaments from FlyerTalk readers, hackers are finding their way into HHonors member accounts, stealing points, and using registered credit cards to make unauthorized purchases of more points and hotel stays. One of the worst incidents so far involved a Canadian man, Brendan Brothers. According to a report from Krebs on Security, a security and cybercrime news site run by former Washington Post staffer Brian Krebs, Brothers’ account was hacked in the last week of September. Brothers claims the hackers stole about 250,000 points and used his account to redeem hotel stays on the east coast. 
Brothers’ stored credit card was then allegedly used to purchase more rewards points.""","Media","http://www.flyertalk.com/articles/hilton-hhonors-hit-by-hackers-points-stolen-credit-cards-charged.html/","2014","38.933868","-77.177260" "April 14, 2015","Damariscotta County Sherrifs Department","Damariscotta","Maine","HACK","GOV","0","A Sheriff's Department in Damariscotta, Maine was forced to pay hackers $300 in bitcoins to retrieve confidential records being held hostage by hackers who broke into their system. The FBI traced back the bitcoins to a Swiss account but have no other details as to who perpetrated this hacking. The malware was installed when someone at the Sheriff's Department clicked a link; the hackers then held the information hostage until they were paid a ransom. More Information: www.technewstoday.com/-us-police-department-forced-to-pay-bitcoins-after-hackers-enter-system/","Media","","2015","44.032877","-69.518888" "April 13, 2015","Grapevine Police Departments","Grapevine","Texas","HACK","GOV","0","A group demanding the dashcam video of a shooting be released to the public hacked the database of the Grapevine Police Department, posting a video demanding this release. The police department is currently investigating the hacking of their system. More Information: www.thescoopblog,dallasnews.com/2015/04/anonymous-hacker-group-demands-police-video-of-shooting-of-mexican-immigrant-by-grapevine-cop,html/ ","Media","","2015","32.934292","-97.078065" "May 4, 2015","Sally Beauty Supply","Denton","Texas","HACK","BSR","0","Sally Beauty has announced the possibility of another data breach to their payment systems. 
The company said they were investigating ""unusual activity of payment cards at some stores"" but do not know yet how many customer cards were affected. Last March the company announced a similar attack on their payment systems, compromising over 25,000 customer payment cards. The company thought they had shut down the malicious attempts. More Information: www.wsj.com/articles/sally-beauty-investigating-possible-data-breach-1430747729","Media","","2015","33.184761","-97.099485" "May 1, 2015","Harbortouch","Allentown","Pennsylvania","HACK","BSO","4,200","Harbortouch, a POS vendor, announced a breach of several of the company's restaurant and bar customers. Patrons of the restaurants and/or bars were notified that their payment cards may have been compromised when malicious software was found on the POS systems. More Information: http://krebsonsecurity.com/2015/05/harbortouch-is-latest-pos-vendor-breach/","Krebs On Security","","2015","40.608431","-75.490183" "May 15, 2015","Penn State College of Engineering","University Park","Pennsylvania","HACK","EDU","18,000","Penn State's College of Engineering announced that their servers were hacked in two different intrusions. The hackers are believed to be based in China and may have exposed ""at least 18,000 people and possibly other sensitive data"". Penn State's President sent a letter out to students and faculty informing them that the college's network had been disconnected from the Internet while they investigate the intrusion. Read more here: http://news.psu.edu/story/357654/2015/05/15/administration/message-presi... The information compromised has not yet been made public; all College of Engineering faculty, staff and students were affected. Those who had taken at least one engineering class would be affected as well. The university is requiring those who meet this criteria change their username and password. They have set up a VPN and will be required to use two-factor authentication. 
More Information: http://arstechnica.com/security/2015/05/penn-state-severs-engineering-ne...","Media","","2015","42.251250","-71.809495" "April 2, 2015","California Department of Business Oversight","Sacramento","California","DISC","GOV","0","The California Department of Business Oversight notified both registered investment advisers and broker-dealers that some of their personally identifying information was accidentally disclosed when the typical procedure to redact the information either failed or was neglected. The information exposed included Social Security numbers of these individuals. The DBO did not mention the other information exposed on the forms. For those with questions call 1-866-275-2677. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49208","California Attorney General","","2015","38.581572","-121.494400" "April 2, 2015","SRI, Inc.","Mclean ","Virginia","HACK","BSO","0","SRI, Inc. notified customers of a data breach when they discovered an unauthorized access of their website software. The unauthorized access may have been going on since December of 2014 and files containing individual personal information may have been accessed. The information accessed included names, addresses, Social Security numbers, tax identification numbers, and financial information which included bank account and routing numbers. For questions call 1-800-800-9588. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49214","California Attorney General","","2015","38.930359","-77.219504" "April 6, 2015","Tulare County Health and Human Services","Visalia","California","DISC","GOV","845","The Tulare County Health and Human Services Agency notified individuals of a breach of their personal information when an HHSA employee emailed approximately 845 patients from the Visalia and Farmersville clinics exposing information to access their medical portal. 
The agency disabled all patient portal accounts and is asking individuals to change their email addresses, re-register through the portal and change the PIN to login to the patient portal. The agency did not disclose specifically what personal information may have been viewable. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49239","California Attorney General","","2015","36.277556","-119.314875" "April 10, 2015","University of California, Riverside Graduate Division offices","Riverside","California","PORT","EDU","0","The University of California, Riverside's Graduate Division offices notified individuals of a theft of a laptop computer that included graduate student application information including Social Security numbers, first and last names. For questions call UCR's Risk Management Office at 1-866-827-4844. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49300","California Attorney General","","2015","33.977776","-117.327913" "May 20, 2015","CareFirst BlueCross BlueShield","Baltimore","Maryland","HACK","BSF","1,100,000","The largest insurer in the Baltimore region, CareFirst BlueCross BlueShield notified customers of a cyberattack on a single database, compromising the information of approximately 1.1 million individuals. The hackers were able to access names, birth dates, email addresses and insurance identification numbers. CareFirst has stated that the hackers did not gain Social Security numbers, credit card numbers, passwords or medical information in the breach. The insurer is offering free credit monitoring for two years even though no individual financial or Social Security data was compromised. The company has posted more answers to the attack at www.carefirstanswers.com. More Information: http://www.baltimoresun.com/health/bs-bz-carefirst-data-breach-20150520-... 
","","","2015","39.290385","-76.612189" "April 10, 2015","HSBC Finance Corporation","Brandon","Florida","DISC","BSF","0","HSBC notified customers of a data breach when customer mortgage information was inadvertently exposed via the Internet, which included personal information. The personal information included names, Social Security numbers, account numbers and old account information.The company is providing Identity Guard for 12 months free for those affected.  They can be reached at the Identity Guard Victim Recovery Services phone line at 1-800-901-7107 Monday-Friday 8 a.m-11 p.m, and Saturday 9 a.m-6 p.m Eastern Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49318","California Attorney General","","2015","27.937801","-82.285925" "April 10, 2015","Kellog & Andelson Global Management","Woodland Hills","California","HACK","BSF","0","Kellogg & Andelson Global Management notified individuals of a data breach when a server containing client account information was hacked. The information exposed included names, addresses, dates of birth, Social Security numbers, financial account numbers of both the individual account holder and potential family members. The company is provided identity protection services for 2 years for free through Experian's ProtectMyID Elite. Victims can go to www.protectmyide.com/protect and provide the activation code provided by Kellog & Anderson's notification letter. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49323","California Attorney General","","2015","34.178839","-118.602053" "April 13, 2015","Stanislaus Surgical Hospital","Modesto","California","UNKN","MED","0","Stanislaus Surgical Hospital notified individuals of a data security breach that occurred on April 5, 2015. They do not state exactly how the breach occurred in their notification letter. 
The information compromised included names, addresses, account numbers, Social Security numbers and other personally identifiable information. The hospital is providing one year free of Experian's ProtectMyID Elite to those affected. For questions call 1-87-441-6943. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49325 ","California Attorney General","","2015","37.665277","-120.958025" "April 2, 2015","Intuit","San Diego","California","UNKN","BSF","0","Intuit informed customers of a potential breach to their information after reviewing customer accounts. In this review, Intuit identified certain TurboTax accounts may have been accessed by someone other than the account holder. The company believes that usernames and passwords were stolen by using username/password combinations from other sources, not directly from the Intuit site. The company automatically changed usernames and passwords to protect against further potential unauthorized access. The company is offering credit monitoring through ProtectMyID through Experian for free. For information, email TTaxInvestigations@intuit.com or call 1-866-602-4279. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49249","California Attorney General","","2015","32.959567","-117.158079" "April 13, 2015","Homebridge (formerly In-Home Supportive Services)","San Francisco","California","HACK","MED","0","Homebridge, formerly the In-Home Supportive Services, notified current and former employees of a data breach on several computers when malware was installed potentially compromising individual information. The information accessed between January and March 2015 included first and last names, addresses, and Social Security numbers. The company has been informed that the information obtained may have been used to file fraudulent tax returns. The company is offering one year free of ID Guard. For questions call Human Resources at 415-659-5331. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49328","California Attorney General","","2015","37.781351","-122.410928" "May 12, 2015","Starbucks ","Seattle","Washington","HACK","BSR","0","Starbucks is responding to unauthorized access by hackers into the Starbucks mobile application, draining dollars out of customers' bank accounts, credit cards and PayPal accounts. According to one report, ""The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal. That's how criminals are siphoning money away from victims. They break into a victim's Starbucks account online, add a new gift card, transfer funds over -- and repeat the process every time the original card reloads."" Starbucks had denied the unauthorized activity was a result of a hack or intrusion into its servers. Starbucks has received complaints from customers regarding unauthorized activity and they claim it is ""primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks."" The company will be reimbursing those who had fraudulent charges to their account. The company suggests customers use stronger, unique usernames and passwords and turn off the ""reload"" feature in the application. More Information: http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/ More Information: http://krebsonsecurity.com/2015/05/starbucks-hacked-no-but-you-might-be/","Media","","2015","47.606210","-122.332071" "April 16, 2015","American Sleep Medicine","San Diego","California","PORT","MED","0","American Sleep Medicine has notified patients of a data breach that has occurred when an external hard drive was stolen from a locked server room at their facility. The hard drive contained patient data from previous sleep studies. 
The specific information included names, dates of birth, name of referring doctor, name of interpreting doctor, medical history and sleep study results. According to the facility no Social Security numbers or financial information was on the external hard drive. For questions, call 858-277-7353 or toll free at 844-238-9431. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-49386 ","California Attorney General","","2015","32.830356","-117.120569" "April 24, 2015","Stater Brothers Market","West Covina","California","HACK","BSO","0","Stater Brothers Markets in West Covina has sent out a notice to the public to help apprehend three suspects who placed a skimmer device on a pin pad in the deli department of the grocery chain located at 375 North Azuza Avenue, West Covina California. They have also sent the notification to those who may have used their debit or credit card at the West Covina location between March 5, 2015 and March 29, 2015, asking them to review their bank or credit card statements for any unauthorized activity. They are cautioning customers to change the PIN if a debit card was used and contact the financial institutions that hold the card so new cards can be issued. For those with any information on the suspects, they are asking individuals to call 1-855-782-8377 between 8:99 a.m and 5:00 p.m Monday through Friday. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-55627","California Attorney General","","2015","34.068621","-117.938953" "March 17, 2015","Premera Blue Cross","Mountlake Terrace","Washington","HACK","BSF","11,000,000","Premera Blue Cross notified customers of a data breach of their system by a cyberattack that compromised medical, personal and financial data of 11 million customers. The information compromised included medical information, bank account numbers, Social Security numbers, birth dates, names, addresses and other personal information. 
""About six million of the people whose accounts were affected are residents of Washington state, where customers include employees of Amazon.com, Microsoft and Starbucks, according to Premera. The rest are scattered across the United States.""The breach was uncovered on January 29, 2015.More Information: http://www.nytimes.com/2015/03/18/business/premera-blue-cross-says-data-...","Media","","2015","47.788153","-122.308741" "June 15, 2015","LastPass","Fairfax","Virginia","HACK","BSO","0","LastPass notified customers of a data breach when they discovered suspicious activity on their network. The company has communicated that ""In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.""The company is requiring that ""all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.""More Information: http://gizmodo.com/lastpass-defender-of-our-passwords-just-got-hacked-17...","Media","","2015","38.873405","-77.232536" "June 16, 2015","Houston Astros","Houston","Texas","HACK","BSO","0","The FBI is investigating allegations that the St. Louis Cardinals baseball club hacked into the network of the Houston Astros baseball club to gain information regarding the Astros statistics, scouting reports and internal documents regarding players and trades. The St. Louis Cardinals will not comment on the ongoing investigation.More Information: http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hac...UPDATE (July 18, 2016): ""A former employee of the St. 
Louis Cardinals baseball organization has been sentenced to nearly four years in prison for hacking computers belonging to the Houston Astros, the US Justice Department said Monday.Christopher Correa, the Cardinals' former scouting director, was sentenced to 46 months in federal prison on Monday after pleading guilty to five counts of unauthorized access of an Astros' database on player information and the team's email system. Correa, who had worked for the Cardinals since 2009 before being fired last July, was also ordered to pay $279,038 in restitution.""More Information: http://www.cnet.com/news/ex-cards-employee-gets-nearly-4-years-in-prison...","Media","","2015","37.326159","-91.955988" "June 12, 2015","Fred's Inc.","Memphis ","Tennessee","HACK","BSR","0","Fred's Inc. announced that it is investigating a potential breach when malware was discovered on their point-of-sale system.  The discount merchandiser operates 650 stores in multiple states and the company is not clear on how many stores were affected.""Sources said it was unclear how many Fred’s locations were affected, but that the pattern of fraudulent charges traced back to Fred’s stores across the company’s footprint in the midwest and south, including Alabama, Arkansas, Georgia, Indiana, Kentucky, Louisiana, Mississippi, Tennessee and Texas.""More Information: http://krebsonsecurity.com/2015/06/discount-chain-freds-inc-probes-card-...","Krebs On Security","","2015","35.149534","-90.048980" "December 18, 2014","KeyPoint Government Solutions","Fairfax","Virginia","HACK","BSO","48,439","KeyPoint Government Solutions notified over 48,000 individuals of a data breach when their computer network was hacked. KeyPoint Solutions was hired by the Office of Personnel Management to take over the background checking process for the agency, when the agency did not renew the contract of USIS who suffered a breach earlier in the year. 
More Information: http://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html ","Media","","2014","38.864455","-77.230308" "January 1, 2015","Summit Financial Group","La Mesa","California","DISC","BSF","662","After a Summit client files a tax return, we mail the client a CD that contains his or her tax return.  Between January 1, 2015 and February 15, 2015, in connection with performing tax return services for our clients, we mailed CDs to sixty-seven clients.  We intended that these CDs would contain only the individual recipient's tax return information.  On April 15, 2015, a client contacted Summit to inform us that a single CD had other clients' data on it.  We immediately retrieved that DC and confirmed that the individual had not retained any of the information on the CD.  At that time, we had no reason to believe that any other CDs had information relating to other clients stored on them.  On May 15, 2015, one more client contacted us and informed us that the CD he/she received also contained other clients' tax return were compiled.  As a result, we immediately began our investigation and started to personally visit each of the sixty-seven clients to retrieve all of the CDs issued between January 1, 2015 and February 15, 2015.  All of the CDs have either been destroyed by our clients or personally collected by Summit where we are maintaining them in a locked container.""","California Attorney General","https://oag.ca.gov/system/files/Sample%20Notice%201_0.pdf","2015","32.767829","-117.023084" "June 22, 2015","Summit Financial Group","La Mesa","California","DISC","BSF","662","Summit Financial Group contacted customers regarding a data breach of their information. An employee of Summit Financial Group inadvertently copied data of other clients onto CD's that should have contained only the individuals information. 
Those CD's were mailed to clients and soon thereafter Summit clients contacted the company alerting them to the fact that other individuals personal information was on their CD.The information contained names, addresses, dates of birth, Social Security numbers, and income.  The company has claimed that they have contacted all the individuals who received a CD and they have either been gathered by the company or destroyed. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56repo501 ","California Attorney General","","2015","32.778421","-116.995623" "June 22, 2015","Trustmark Mutual Holding Company","Lake Forest","Illinois","DISC","BSF","0","Trustmark Insurance Company contacted customers regarding a data breach. The company discovered that ""our automated billing e-mail system generated and sent encrypted e-mails to certain insurance carrier clients.  While each encrypted email should have contained a single file with information related to each carrier's insureds, on May 14, 2015, we discovered that a software error resulted in each carrier receiving file attachments for all of the carriers instead of just the one file related to their own insureds.""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56493","California Attorney General","","2015","42.246200","-87.899462" "June 19, 2015","Dungarees","Portland","Oregon","HACK","BSR","0","Dungarees notified customers of a breach to their system when they discovered an illegal hack that may have compromised customer credit card or debit card information. Based on the investigation the company believes that information provided with orders placed on their website between March 26, 2015 and June 5, 2015 was compromised. The information compromised included names, billing information, address, email addresses, credit or debit card number, the card expiration number and the CVV codes on the back of the card. 
The company is providing those affected with identity theft protection through ID Experts. Those affected can call -866-833-7917 to speak to a representative. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56488 ","California Attorney General","","2015","45.445159","-122.775090" "June 25, 2015","Bank of Manhattan Mortgage Lending","Manhattan","New York","DISC","BSF","0","The Bank of Manhattan Mortgage Lending notified customers of a data breach when an employee handled customers' mortgage information in a way that did not meet company policies, which may have resulted in disclosure of customers' loan file information. The information compromised included names, addresses, loan numbers, phone numbers, Social Security numbers, birth dates, credit information, tax information, and other financial information. The company is offering free identity theft protection services through Kroll. Those who were affected can call 1-866-775-4209. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56587","California Attorney General","","2015","40.783060","-73.971249" "June 29, 2015","State Department","Washington","District Of Columbia","INSD","GOV","0","Two brothers, Muneeb and Sohaib Akhter, have pleaded guilty to various charges including conspiracy to access a protected computer without authorization, wire fraud, and accessing government computers without authorization.  Muneeb Akhter pleaded separately to additional charges including accessing a protected computer without authorization, obstructing justice and making false statements. Muneeb Akhter ""stole thousands of customers' credit card details, along with other personal information of consumers, by hacking into a cosmetic company's website in March 2014. Then, the brothers and co-conspirators used the stolen data to purchase ""goods and services, including flights, hotel reservations, and attendance at professional conferences,” the DOJ release said. 
“Muneeb Akhter also provided stolen information to an individual he met on the ‘dark net,' who sold the information to other dark-net users and gave Akhter a share of the profits.” ""Sohaib Akhter was employed in a contract position with the State Department and began obtaining passport and visa information, as well as additional sensitive data from the agency's servers. Sohaib ""devised a scheme to ensure that he could maintain perpetual access to desired State Department systems. Sohaib Akhter, with the help of Muneeb Akhter and co-conspirators, attempted to secretly install an electronic collection device inside a State Department building. Once installed, the device could have enabled Sohaib Akhter and co-conspirators to remotely access and collect data from State Department computer systems.  Sohaib Akhter was forced to abandon the plan during its execution when he broke the device while attempting to install it behind a wall at a State Department facility in Washington, D.C.,” as communicated by a DOJ spokesperson. More Information: http://www.scmagazine.com/brothers-accused-of-state-dept-hack-plead-guil...","Media","","2015","38.907192","-77.036871" "July 2, 2015","The Trump Hotel Collection","New York","New York","HACK","BSO","0","The Trump Hotel Collection appears to be the latest victim of a credit card breach. Banks noticed a string of fraudulent debit and credit card charges all coming from several Trump Hotels. ""The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,”"" The Trump Hotels have locations in Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York.  How many individuals were affected is not yet known. 
More Information: http://krebsonsecurity.com/2015/07/banks-card-breach-at-trump-hotel-prop...","Krebs On Security","","2015","40.712784","-74.005941" "July 2, 2015","Harvard University","Boston","Massachusetts","HACK","EDU","0","""Last month Harvard University uncovered ""an intrusion"" on its computer networks, the school disclosed late Wednesday."" The discovery, which was made June 19, affects two IT systems that impact eight colleges and administrations, the school says. These include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health.""","Media","http://fortune.com/2015/07/02/harvard-data-breach/","2015","42.360083","-71.058880" "July 2, 2015","Bonita Unified School District","San Dimas","California","HACK","EDU","0","The Bonita Unified School District notified parents and students of a breach when unauthorized access was discovered on a San Dimas High School server. On June 2, 2015 the district discovered the unauthorized access to the high school's student database and noticed that several students' grades had been changed. The district believes that the individual(s) who changed the grades also downloaded personal information of students. The information compromised included names, Social Security numbers, birthdates, medical information, the school's systems usernames and passwords, addresses, email addresses, and phone numbers. The district is providing 12 months free of ProtectMyID Alert from Experian for those affected. Those with questions can call 1-909-971-8320 and ask for Donna Martin at ext. 5201 Monday through Friday 8:00 am to 4:30 pm Pacific Time. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56705","California Attorney General","","2015","34.117895","-117.807883" "May 5, 2016","ADP, LLC.","Roseland","New Jersey","HACK","BSF","0","""Identity thieves have their hands on a new batch of personal and tax data after hacking the payroll outsourcing company ADP. The information is from W-2 forms, the documents workers get from their employers in late January or early February so they can file their annual tax returns with the Internal Revenue Service and state tax departments. Now crooks have all they need to beat those filers to the punch and submit fake 1040s claiming fraudulent tax refunds.""","Media","http://www.bankrate.com/financing/taxes/adp-w-2-data-hacked-in-latest-breach/","2016","40.820656","-74.293759" "June 3, 2015","Gallant Risk and Insurances Services","Corona","California","PORT","BSF","0","Gallant Risk and Insurances Services notified customers of a potential data breach when their offices were broken into and several company laptops were stolen. The laptops were password protected according to the company. The company did not disclose what type of information may have been stored on the laptops. The company is providing ID theft protection through Kroll free for one year. For those affected call 1-855-330-6366 from 8:00 a.m to 5:00 p.m Central Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56236 ","California Attorney General","","2015","33.818817","-117.508483" "July 2, 2015","Harvard University","Cambridge","Massachusetts","HACK","EDU","0","Harvard University is notifying individuals of a data breach to their system that included 8 colleges and administrations. Those colleges and administrations include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. 
Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health. The university has not commented on how many individuals were affected or what information was compromised. The university is requesting that anyone who is associated with any of the entities change their username and password. More Information: http://fortune.com/2015/07/02/harvard-data-breach/","Media","","2015","42.373616","-71.109734" "June 10, 2015","Missing Link Networks Inc.","Calistoga","California","HACK","BSO","0","Missing Link Networks Inc notified customers of a breach of their networks exposing customer credit cards. Missing Link Networks provides credit card processing and point of sale services. The company began reaching out to its customers notifying them that ""Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder"". This particular platform services numerous wineries in California and elsewhere. The information compromised included customer names, credit/debit card numbers, billing address, and dates of birth. The company is confirming that Social Security numbers, the CVV and pin numbers were not compromised. More Information: http://krebsonsecurity.com/2015/06/breach-at-winery-card-processor-missing-link/ UPDATE (7/3/2015): All notifications can be found on the California Attorney General's data breach site at http://oag.ca.gov/ecrime/databreach/list 
The vineyards reportedly affected by this breach include the following: Cain Vineyard; Corison Winery; Charles Krug Winery (C. Mondavi & Family); Flora Springs Winery and Vineyard; Gemstone; Heitz Wine Cellars; Jessup Cellars; Larkmead Vineyards Vinter and Grower; Martinelli Winery; Outpost Vineyards; Palmaz Vineyards; Pride Mountain Vineyards; Repris Vineyards; Rhys Vineyards; Silverado Vineyards; Signorello Estate; Round Pond Estates; Summers Estate Wines; Spring Mountain Vineyards; Peter Michael Winery; Rombauer Vineyards, Inc.; Turley Wine Cellars; Clif Bar Family Winery & Farm, LLC ","Krebs On Security","","2015","38.578797","-122.579705" "July 9, 2015","Service Systems Associates","Denver","Colorado","HACK","BSO","0","Service Systems Associates, which specifically services zoos, restaurants and various cultural centers across the US, has notified customers of a breach of its credit and debit card processing systems. ""“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”"" SSA has not communicated the specific locations affected; however, Krebs on Security sources indicate that the following locations are most likely affected: 
Birmingham, Ala.; Tucson, Ariz.; San Francisco, Calif.; Fresno, Calif.; Sacramento, Calif.; Colorado Springs, Colo.; Palm Desert, Calif.; Miami, Fla.; Honolulu, HI; Boise, Id.; Fort Wayne, Ind.; Louisville, Ky.; Baltimore, Md.; Battle Creek, Mich.; Apple Valley, Minn.; Cincinnati, Ohio; Tulsa, Okla.; Pittsburgh, Penn.; Columbia, SC; Dallas, Texas; El Paso, Texas; Houston, Texas; Nashville, Tenn.; Salt Lake City, Utah. More Information: https://krebsonsecurity.com/2015/07/credit-card-breach-at-a-zoo-near-you/ ","Krebs On Security","","2015","39.739236","-104.990251" "July 13, 2015","Insurance Services Office (ISO)","Jersey City","New Jersey","HACK","BSF","0","Insurance Services Office, which provides information and analytics to the property and casualty insurance industry, has notified customers of a data breach of policyholder information. The company has been working with the County Prosecutor's office and the National Insurance Crime Bureau investigating the breach. Authorities informed ISO that an unauthorized individual(s) viewed personal information of policyholders. 
The information included contact information, dates of birth, Social Security numbers, insurance policy numbers, and driver's license numbers. For those with questions, contact a representative at 1-800-888-4476 7:00 a.m to 9:00 p.m Eastern Time or email njsupport@iso.com More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57032","California Attorney General","","2015","40.727733","-74.035184" "July 13, 2015","Mule Creek State Prison","Ione","California","DISC","GOV","0","","","","2015","38.369629","-120.953345" "July 13, 2015","Mule Creek State Prison","Ione","California","DISC","GOV","0","Mule Creek State Prison notified individuals of a breach when documents submitted to the prison were scanned into a computer folder where employees outside of the prison may have access to it. The information contained names, Driver License numbers and Social Security numbers. For those with questions, call Ed Ayo, Senior Information System Analyst (Supervisor) at 209-274-5978. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57023","California Attorney General","","2015","38.369629","-120.953345" "July 10, 2015","New Horizons Computer Learning Centers, Inc.","Austin","Texas","HACK","BSO","0","New Horizons Computer Learning Centers, Inc. notified business owners of a data breach when unauthorized access to employee and vendor information stored on the company network may have been compromised. The information included names and bank account information. Those with questions can call their confidential inquiry line at 1-866-979-2512 Monday through Saturday, 8:00 a.m - 8:00 p.m. 
Central Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57002","California Attorney General","","2015","39.468899","-117.196098" "July 10, 2015","Mandarin Oriental","New York","New York","HACK","BSO","0","The Mandarin Oriental Hotel Group has informed customers of a breach when malware was found on their credit card transaction systems, at the following locations: Boston; Geneva; Hong Kong; Hyde Park, London; Las Vegas; Miami; New York; San Francisco; Washington DC; The Landmark Mandarin Oriental, Hong Kong. The information compromised included names and credit card numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56994","California Attorney General","","2015","40.766245","-73.982425" "July 8, 2015","Evans Hotels","San Diego","California","HACK","BSO","0","Evans Hotels has notified customers of a breach of backup card readers used to encrypt payment card data. The hotel chain kept the card readers as backup for IT disaster recovery. These back-up readers were being used in conjunction with their current system for check-in with large groups. Those with questions can call 888-738-3786 Monday through Friday between 9:00 a.m and 9:00 p.m More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56969","California Attorney General","","2015","32.772071","-117.246821" "July 6, 2015","Automotive Recovery Services Inc. 
","Westchester","Illinois","HACK","BSO","0","Automotive Recovery Services (ARS) notified customers of a breach when an unauthorized party gained access to one of their legacy systems compromising customer information. The information compromised included names, Social Security numbers, street addresses, email addresses, phone numbers, driver's license numbers, the type of vehicles donated, and the name of the charity that the vehicle was donated to. The company is providing identity theft protection for 12 months for free with AllClear ID. For those with questions call 1-855-861-4023. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56920","California Attorney General","","2015","41.846156","-87.904733" "June 17, 2015","UC Irvine Medical Center","Orange","California","INSD","MED","0","UC Irvine Medical Center has notified patients of a data breach when an employee reviewed patient records without authorization. The information this individual may have gained access to included names, dates of birth, gender, medical record numbers, height, weight, Medical Center account number, allergy information, home addresses, medical documentation, diagnoses, test orders/results, medications, employment status, and names of your health plan and employer. The medical center is providing those who were affected FraudStop free for one year. For questions call 1-888-653-6036. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56428","California Attorney General","","2015","33.787989","-117.890134" "June 3, 2015","AeroGrow International","Boulder","Colorado","HACK","BSO","0","AeroGrow International Inc. informed customers of a data breach to their online servers when malware was detected on their system from October 15, 2014 through April 27, 2015. The information compromised included names, addresses, payment card account numbers, expiration dates, and CCV/CVV numbers. The company is providing free access to ProtectMyID Elite through Experian. 
For questions call 1-866-348-1808 from 8 am through 5 pm Mountain Time, Monday through Friday. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56231","California Attorney General","","2015","40.014986","-105.270546" "October 21, 2013","Court Ventures ","Anaheim","California","INSD","BSO","3,100,000"," Between October 2010 and December 2012, Court Ventures, a public records aggregator, provided access to US Info Search data to a foreign criminal posing as a legitimate private investigator. Court Ventures had a contract with US Info Search where customers of Court Ventures had access to US Info Search data which included records on more than 200 million Americans, including individuals' Social Security numbers, dates of birth, and other records. Experian purchased the assets of Court Ventures in March 2012, and the criminal's access to the US Info Search data was shut down in December 2012. Experian has publicly stated that no Experian databases were breached in this situation. UPDATE (3/10/2014): According to Krebs on Security, in March 2014, Hieu Minh Ngo pled guilty to running an identity theft business called Superget.info out of his home in Vietnam.  Ngo posed as a private investigator when he contracted with Court Ventures to gain access to consumer records. Ngo was then able to provide access to the US Info Search database to his clients. Krebs on Security states, ""The government alleges that the service's customers used the information for a variety of fraud schemes, including filing fraudulent tax returns on Americans, and opening new lines of credit and racking up huge bills in the names of unsuspecting victims. 
The transcript shows government investigators found that over an 18-month period ending Feb. 2013, Ngo's customers made approximately 3.1 million queries on Americans."" Krebs adds, ""That means that if Ngo's clients conducted 3.1 million individual queries, the sheer number of records exposed by Ngo's service is likely to have been many times that number - potentially as many as 30 million records."" More Information: http://krebsonsecurity.com/tag/court-ventures/ UPDATE (2/23/2015): The total number of records indicated here has been changed to 3.1 million by PRC to reflect the approximate number of records queried by Ngo's customers according to the court transcript. [This 3/10/14 UPDATE was amended on 2/23/15 to include additional content from the Krebs on Security blog post of March 10, 2014, related to the Court Ventures breach.] UPDATE (7/15/2015): Hieu Minh Ngo, the Vietnamese man who perpetrated an online identity theft service and had access to personal information on more than 200 million Americans, was sentenced to 13 years in a U.S. prison. UPDATE (7/21/2015): A class action lawsuit has been filed against Experian as a result of their subsidiary, Court Ventures, allowing access to personal information of individuals by one individual who posed as a private investigator. 
""The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves."" Read more regarding the suit here: http://krebsonsecurity.com/wp-content/uploads/2015/07/Experian-Ngo-Compl... More Information: http://krebsonsecurity.com/2015/07/experian-hit-with-class-action-over-i...","Media","","2013","33.836593","-117.914301" "January 10, 2014","Neiman Marcus","Dallas","Texas","HACK","BSR","1,100,000","Neiman Marcus confirmed that its database of customer information was hacked last month, around mid-December, the same time that Target stores were targeted. The case is similar to the Target case in that only retail shoppers were affected, no online shoppers were affected. The cause, size and duration of the attack are not yet known and should start to be revealed once a third party investigation is completed. The company is also working with the Secret Service, which is customary in these types of attacks. UPDATE (1/16/2014): It has been reported that the breach at Neiman Marcus could date as far back as July 2013 and that the breach was not fully contained until Sunday January 12, 2014. Neiman Marcus is still not communicating the total amount of individuals affected, but did comment that ""some of their customers"" payment cards were used fraudulently and have taken steps to notify those customers. 
They still do not believe that Social Security numbers or birth dates were affected. UPDATE (1/25/2014): Neiman Marcus released a statement that approximately 1.1 million individuals have been affected by the recent data breach to their system. UPDATE (7/21/2015): A lawsuit filed against Neiman Marcus over the data breach it suffered in 2014, which may have started as far back as 2013, has been ruled to have standing. ""The United States Court of Appeals for the Seventh Circuit held that data breach victims suffer injury for purposes of Article III standing and can thus have their day in court against companies who fail to protect their personal information from hackers. The class action against Neiman Marcus alleged that the data breach plaintiffs suffered injuries even if they have not yet been victims of identity theft or other fraud. These injuries include an increased risk of future fraudulent charges and greater susceptibility to identity theft. Chief Judge Wood noted that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objective reasonable likelihood’ that such an injury will occur.” More Information: http://www.ktul.com/story/29599640/data-breach-plaintiffs-have-standing-...","Media","","2014","32.780732","-96.797295" "May 22, 2015","Adult Friend Finder (owned by Penthouse Media)","Miami","Florida","HACK","BSO","3,500,000","The adult website Adult Friend Finder was hacked and personal information posted publicly for people to see. The information included customers' email addresses, usernames, passwords, birthdays and zip codes, and sexual preferences. To date they have not yet discovered if customer credit card information was exposed. More Information: http://money.cnn.com/2015/05/22/technology/adult-friendfinder-hacked/","Media","","2015","25.761680","-80.191790" "February 9, 2012","St. 
Elizabeth's Medical Center","Boston","Massachusetts","PHYS","MED","6,831","St. Elizabeth's Medical Center became aware of sensitive paperwork that was found exposed miles away from the medical center's Brighton campus.  St. Elizabeth's immediately sent someone to recover the documents.  It is unclear how the documents ended up in the area and a vendor may have been the source of the breach.  The types of information exposed were not revealed. UPDATE (4/09/12): The total number of patients who were notified is 6,831.  The documents contained billing information such as patient names, hospital account numbers, credit card numbers and security codes.  The breach was discovered when someone saw the credit card payment receipts of at least five patients flying through a field.  There is no evidence that more than five patients were affected, however, it is unclear how those receipts escaped destruction. UPDATE (7/14/2015): ""A Massachusetts hospital has agreed to pay $218,400 and implement a corrective action plan to correct deficiencies in its Health Insurance Portability and Accountability Act compliance program under a recently unveiled no-fault resolution agreement with federal officials."" More Information: http://www.bna.com/hhs-hospital-settle-n17179933667/?elq=a8d4812e425e411...","PHIPrivacy.net","","2012","42.358431","-71.059773" "July 18, 2015","CVS Pharmacy, Imperial Beach ","Imperial Beach","California","INSD","BSR","100","A pharmacy technician at the CVS Pharmacy on Saturn Boulevard in Imperial Beach California has admitted to stealing customer records and providing the information to her property manager who then used the information to gain credit and credit cards. A further investigation is currently being conducted. The California State Board of Pharmacy has suspended the license of the pharmacy tech, Nicole Yvonne Flores and CVS no longer employs Ms. 
Flores. More Information: http://www.sandiegouniontribune.com/news/2015/jul/17/pharmacy-patient-data/","Media","","2015","32.584753","-117.091167" "July 17, 2015","Richard Berger CPA","Oakland","California","PORT","BSF","0","Richard Berger CPA notified customers of a data breach when external hard drives were stolen from his residence. The drives contained personal customer information. The information included names, tax information, Social Security numbers, bank and investment account information, dependents, beneficiaries, employees or contractors (including their names and Social Security numbers). Authorities were notified and according to Mr. Berger's office, no drives have been recovered.  His office is providing Kroll identity theft protection services to those affected for 12 months for free. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57066","California Attorney General","","2015","37.849961","-122.252658" "July 21, 2015","Atkinson, Andelson, Loya, Ruud & Romo","Cerritos","California","PORT","BSO","0","The law firm of Atkinson, Andelson, Loya, Ruud & Romo notified clients of a data breach when one of their attorneys' laptops, which contained personal information of their clients, was stolen. The personal information on the laptop included names, addresses, telephone numbers,  Social Security numbers, possible financial information, and medical records information. The firm is providing MyIDCare, ID Experts for free for 12 months for those who were affected. They can be reached by calling 1-877-341-4604, Monday through Friday from 6:00 a.m to 6 p.m Pacific Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57094 ","California Attorney General","","2015","33.868076","-118.059132" "July 27, 2015","Golden 1 Credit Union","Los Angeles","California","INSD","BSF","0","Golden State Credit Union notified members of a data breach when a credit union employee viewed member accounts without authorization. 
The information viewed included names, Social Security numbers, driver's license numbers and additional financial information. The credit union is providing Credit Watch through Equifax to those affected for 12 months at no cost. Those affected must apply by April 15, 2016. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57170","California Attorney General","","2015","34.049434","-118.250130" "July 29, 2015","United Airlines","Chicago","Illinois","HACK","BSO","0","United Airlines may be the latest victim of Chinese hackers. It is being reported that the hackers are potentially the same group that infiltrated OPM and Anthem. ""United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists -- including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc."" The information compromised included flight information, passenger itinerary, passenger information, origins and destinations. The airline has not announced whether or not any financial data was compromised in this hack. More Information: http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-tha...","Media","","2015","41.878807","-87.636005" "August 3, 2015","Veterans Affairs Hospital, South Dakota","Hot Springs","South Dakota","PHYS","MED","1,100","The VA Hot Springs hospital notified patients of a data breach when files containing their Social Security numbers along with additional personal information were thrown in a trash bin without being shredded. The incident took place in May and the 1,100 patients that were affected were not notified until July 29, 2015. Reportedly, an employee discarded a box of patient files in a dumpster. 
The box of files was found two days later by another employee who removed them from the trash. More Information: http://www.foxnews.com/us/2015/08/03/sd-va-waits-more-than-two-months-to...","Media","","2015","34.503700","-93.055180" "August 7, 2015","Sabre Corporation","Southlake","Texas","HACK","BSO","0","Sabre Corporation is investigating a possible recent data breach that was brought to light by the announcement of the American Airlines breach. American Airlines uses the reservation software developed by the Sabre Corporation. ""Sabre said in a statement Friday, ""We recently learned of a cybersecurity incident, and we are conducting an investigation into it now. At this time, we are not aware that this incident has compromised sensitive protected information, such as credit card data or personally identifiable information, but our investigation is ongoing."""" More Information: http://www.usnews.com/news/business/articles/2015/08/07/airline-technolo...","Media","","2015","32.941236","-97.134178" "June 26, 2015","Medical Informatics Engineering","Fort Wayne","Indiana","HACK","MED","390,000","Medical Informatics Engineering has notified individuals of a data breach when they noticed suspicious activity on one of their servers. The company has determined that some protected health information was exposed including names, home addresses, email addresses, dates of birth, Social Security numbers, lab results, dictated reports and medical conditions. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-56609 UPDATE (7/23/2015): Medical Informatics Engineering put out a notification on their website regarding the data breach to their system in June. The company is claiming that only certain clients were affected by their breach and notifications went out. 
More Information: https://www.mieweb.com/notice/UPDATE (8/6/2015): Two class action status lawsuits have been filed against Medical Informatics Engineering regarding the data breach that affected 3.9 million people (this article shares the total numbers and PRC has updated the total number affected according to this article). More Information: http://www.ibj.com/articles/54329-patients-suing-indiana-medical-company...","California Attorney General","","2015","41.068132","-85.225482" "July 29, 2015","East Bay Perinatal Medical Associates","Oakland","California","INSD","MED","0","East Bay Perinatal Medical Associates (EBPMA) has notified patients of a data breach when they were contacted by the Berkeley Police regarding an employee who had a patient list on their personal laptop. The list according to the company was created as a part of the employee's duties to catalogue their 2012 records. The information was deleted from the employee's hard drive by EBPMA. The information contained in the document included first and last names, and dates of birth.  The company is providing those who were affected Kroll ID monitoring services for free for one year. They can be reached at 1-855-205-6940. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57193","California Attorney General","","2015","37.819284","-122.263807" "August 7, 2015","Ubiquiti Networks Inc.","San Jose","California","HACK","BSO","0","Ubiquiti Networks Inc. announced that cyber thieves stole $46.7 million using a scam "" in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.""Ubiquiti disclosed the attack when they filed a report with the U.S. Securities and Exchange Commission. 
""The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department."" More Information: http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberh...","Krebs On Security","","2015","37.338208","-121.886329" "July 27, 2015","Orange County Employees Association","Santa Ana","California","HACK","BSO","0","The Orange County Employees Association (OCEA) notified members of a data breach when they were a recent victim of a cyber attack. The attack affected OCEA members, certain non-members, OCEA Health & Welfare Trust participants, OCEA staff, customers of Velece Corporation and dependents. The information included names, addresses, dates of birth, Social Security numbers, driver's license numbers, payroll information, dental, vision, life and disability enrollment information, retirement status, information concerning dependents and usernames and passwords. OCEA is providing one year free credit monitoring and identity theft recovery and restoration services. ","California Attorney General","","2015","33.752750","-117.872831" "July 17, 2015","North East Medical Services","San Francisco","California","PORT","MED","0","North East Medical Services notified patients of a security breach when an employee's laptop was stolen from the trunk of the employee's car. The information compromised included names, dates of birth, gender, contact information, payer/insurer and limited personal health information. According to the medical office no Social Security number or credit card information or actual medical record was involved. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57240 ","California Attorney General","","2015","37.799917","-122.408848" "August 3, 2015","Orlantino Dyoco, M.D.","Fresno","California","PORT","MED","0","The office of Olartino Dyoco, M.D. 
notified patients of a data breach when his offices were burglarized and several computers were stolen that contained patient information used for billing. The information compromised included names, addresses, birth dates, telephone numbers, insurance numbers, treatment codes, and billing information. The incident has been reported to the authorities. For those who were affected call 1-888-233-2305. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57245","California Attorney General","","2015","36.779272","-119.781546" "July 20, 2015","PNI Digital Media","Vancouver","British Columbia","HACK","BSO","0","PNI Digital Media is investigating their online photo printing service that they either manage or host for a number of large retailers such as Costco, Walmart, Walgreens, CVS, Rite to name a few. The photo printing service has been taken off line while the company and their customers investigate the breach. The concern is that the hackers gained credit card information from customers of the retailers they service. ","Media","http://www.reuters.com/article/2015/07/21/us-cyberattack-retail-idUSKCN0PV00520150721","2015","49.282729","-123.120738" "January 5, 2015","Morgan Stanley","New York","New York","INSD","BSF","350,000","An employee of Morgan Stanley stole customer information on 350,000 clients including account numbers. Additional information on what other information was captured has not yet been released. Files for as many as 900 clients ended up on a website. The employee has since been fired and the bank is notifying all of the individuals affected. 
The FBI is currently investigating the incident. More Information: http://www.bloomberg.com/news/print/2015-01-05/morgan-stanley-fires-empl...","Media","","2014","40.712784","-74.005941" "August 17, 2015","University of Virginia","Charlottesville","Virginia","HACK","EDU","0","The University of Virginia has notified individuals of a hack that originated from China and accessed the IT systems of the university. The university has stated that no Social Security numbers or banking information was compromised. The university has asked all users to change their ""Eservices"" login passwords. Reportedly the hackers were targeting email accounts belonging to ""two employees whose work is connected to China"". More Information: http://www.scmagazine.com/uva-attack-came-from-china-targeted-email-acco...","Media","","2015","38.029306","-78.476678" "July 19, 2015","Ashley Madison (owned by Canadian Avid Life Media)","Toronto","Ontario","HACK","BSO","37,000,000","Ashley Madison, the online cheating website, confirmed a hack of their system, exposing 40 million records. The data that was stolen included the company's user databases, financial records along with other confidential information. The company has not stated the exact personal information compromised. ""Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. 
Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.""""Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.""More information: http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-ha...UPDATE (8/18/2015): Hackers who stole sensitive customer information originally reported back in July, have now stated that because the company has not taken down their site as requested by the hackers, sensitive customer information has been posted online.""A data dump, 9.7 gigabytes in size, was posted on Tuesday to the dark web using an Onion address accessible only through the Tor browser. The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years worth of credit card and other payment transaction details are also part of the dump, going back to 2007. The data, which amounts to millions of payment transactions, includes names, street address, email address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge.""Raja Bhatia, AshleyMadison's founding Chief Technology Officer stated that these recent data dumps are not legitimate. 
His team has been reviewing 30 to 80 reported data dumps daily and that ""most of these dumps are entirely fake and being used by other organizations to capture the attention that's been built up through this release""More Information: http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madis...http://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/  ","Krebs On Security","","2015","43.653226","-79.383184" "August 19, 2015","Web.com","Jacksonville","Florida","HACK","BSO","93,000","Web.com notified customers of a data breach to their systems, when hackers were able to infiltrate their system gaining personal information of customers.The information included credit card numbers, names, addresses, card validation numbers and the security codes associated with the credit cards.The CEO of Web.com put out a statement regarding the breach http://ir.web.com/releasedetail.cfm?ReleaseID=928078More Information: https://threatpost.com/web-com-loses-93000-credit-card-numbers-in-breach...","Media","","2015","30.136493","-81.532047" "August 4, 2015","Mama Mio US","Costa Mesa","California","HACK","BSO","0","Mama Mio informed customers of a cyber-attack to their system where their personal information may have been compromised. According to the company, the attack happened on July 28, 2015. The information compromised included first names and surnames, emails, billing addresses and telephone numbers, card numbers, expiration dates, and the 3-digit security code on the back of the card. For those affected call 1-888-962-6264 or send an email at privacy@mioskincare.com.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57280","California Attorney General","","2015","33.639122","-117.942479" "August 6, 2015","WP Technology Inc. 
dba Wattpad","Toronto","Ontario","HACK","BSO","0","W.P Technology (dba Wattpad) informed customers of a cyber attack to their system that may have compromised customer information.The information compromised included email addresses, Wattpad passwords, Tumblr usernames and passwords, last login IP, and other user profile information provided.The company is recommending that their customers change their Wattpad password and your Tumblr password. For questions contact security@wattpad.comMore Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57318 ","California Attorney General","","2015","43.653226","-79.383184" "August 12, 2015","Nationstar Mortgage LLC","Dallas","Texas","DISC","BSF","0","Nationwide Mortgage notified customers of a data breach when copies of their W2's were inadvertently emailed to an employee at Greenlight Mortgage. The information compromised included names, addresses, Social Security numbers and other information that is common with a W2 form. The company is providing one year free of Experian's ProtectMyID Elite. Those who are affected can call 877-441-6943 or www.protectmyid.com/enroll.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57381","California Attorney General","","2015","32.776664","-96.796988" "August 7, 2015","Sterling BackCheck","New York","New York","PORT","BSO","0","SterlingBackcheck notified customers of a data breach when a laptop was stolen from an employees vehicle. The laptop contained customer information including names, Social Security numbers, and dates of birth.The company is providing AllClear ID for 24 months for free. For those who are affected call 1-855-227-9823 Monday through Sunday  8:00 am - 8:00 pm Central Time. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57330","California Attorney General","","2015","40.675263","-73.971273" "August 12, 2015","ICANN.org","Los Angeles, CA 90094-2536","","HACK","NGO","0","ICANN.org notified individuals of a data breach when they discovered unauthorized access to an external service provider. The non-profit believes that usernames/email addresses and encrypted passwords were compromised.User profiles contain a users preference for the website, public bio, individual interests, subscription to newsletters and other information. They are requiring that all members change their password to the site. The password change can be accessed via this link https://www.icann.org/users/password/new More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57383","California Attorney General","","2015","33.982885","-118.404731" "August 14, 2015","Sterling M Enterprise (dba Lee's Deli)","San Francisco","California","HACK","BSO","0","Lee's Deli, which has a location at 75 Battery Street in San Francisco and 4200 Bohannon Drive in Menlo Park California, have notified individuals of a data breach of their information when the company found malware installed on their credit card processing system. The information captured through this malware included payment card account numbers, card expiration dates, and the CVV code on the back of the card. 
Cards used in any transaction made from January 4, 2015 through May 20, 2015 at the Battery Street location, or from November 3, 2014 through February 13, 2015 at the Bohannon Drive location, are at risk. For those affected contact the company at 415-986-1892 between the hours of 9:00 am and 5:00 pm, Monday through Friday or via email at info@leesdeli.com. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57419","California Attorney General","","2015","37.774930","-122.419416" "August 20, 2015","Buyers Protection Group","Alpharetta","Georgia","PORT","BSF","0","Buyers Protection Group (BPG) notified customers of a data breach to their personal information. ""On July 19, 2015, a company laptop was stolen from an employee's car during a large-scale break in of at least 20 vehicles in the Greater Atlanta Area."" The personal information contained on the laptop(s) included names, addresses, dates of birth and Social Security Numbers. For further questions about this incident individuals can send an email to privacy@bpgwi.com. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57473","California Attorney General","","2015","34.060128","-84.246251" "August 21, 2015","M&M Automotive Group, Inc. (Volkswagen of Oakland)","Oakland","California","PHYS","BSO","0","Volkswagen of Oakland notified customers of a data breach when the dealership was broken into and boxes of files were stolen. The company stated that ""We believe that some of the stolen boxes held sold vehicle jackets. Each sold vehicle jacket typically contains copies of the forms signed by the vehicle purchaser including the name, address, phone number, driver's license information, bank account information, car insurance information and information on the vehicle purchased. 
In some cases where financing is provided in connection with the purchase of a vehicle, the deal jacket will also contain a copy of the consumer's credit application, credit report, pay stubs, job information and references."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57502","California Attorney General","","2015","37.816015","-122.263430" "September 1, 2015","UCLA Health System","Los Angeles","California","PORT","MED","1,200","UCLA Health notified approximately 1,242 patients of another data breach to their health system when a laptop belonging to a faculty employee, which contained personal information of patients, was stolen. According to UCLA Health, the laptop did not contain Social Security numbers or financial data, but may have contained other personal and health information of these patients. UCLA Health has set up a special phone line at 1-888-236-0447 to provide assistance for those who received a letter from the health system notifying them of the breach. UCLA Health has also issued a statement regarding the breach here: https://www.uclahealth.org/news/ucla-health-notifying-patients-of-stolen... More Information: http://www.dailynews.com/general-news/20150901/ucla-health-notifying-124...","Media","","2015","34.052234","-118.243685" "August 31, 2015","State of Minnesota","St. Paul","Minnesota","DISC","GOV","18","Driver's license information of 18 St. Paul residents ""were accessed after a password-protected portal was inadvertently opened online."" According to officials a server update inadvertently removed the authentication processes in place when accessing the online portal system for driver's license information. According to these same officials, only two individuals utilized this portal 55 times between August 2, 2015 and August 24, 2015, showing 18 individuals' information was accessed during this time frame. The information included pictures, names, addresses and dates of birth. 
More Information: http://www.kare11.com/story/news/2015/08/31/state-discovers-drivers-lice...","Media","","2015","44.953703","-93.089958" "August 26, 2015","Dr. Robert E. Soper M.D","Eureka","California","PORT","MED","0","Dr. Robert Soper's office notified patients of a data breach when the doctors laptop was stolen out of his car when visiting San Francisco. The computer contained patient names, dates of birth, some phone numbers, and clinical notes and emails. According to the doctor no addresses, Social Security numbers or insurance information was stored on this laptop. Additionally, "" the clinical notes were protected by two passwords, and were maintained in a format unique to the software used to prepare them. The software program itself was not on the computer, making the data almost impossible to decipher.""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57565        ","California Attorney General","","2015","48.967446","-115.081062" "September 2, 2015","Heritage Foundation","Washington","District Of Columbia","HACK","BSO","0","The Heritage Foundation was the victim of a data breach when hackers infiltrated an external server that contained personal information of private donors. """"We experienced a malicious, unauthorized data breach of six-year-old documents on an external server that appear to contain personal information of private donors, who we are notifying,” said spokesman Wesley Denton. “We are unable to verify the authenticity of files circulated online.”""More Information: http://www.politico.com/story/2015/09/heritage-foundation-emails-donor-data-stolen-in-data-breach-213292#ixzz3kncGV7nG","Media","","2015","38.895177","-77.002798" "February 24, 2015","The Urban Institute","Washington ","District Of Columbia","HACK","BSO","700,000","The Urban Institute alerted charitable organization that utilize their National Center for Charitable Statistics (NCCS) to file their taxes, was compromised when the system was hacked. 
""An official with the Urban Institute estimated that between 600,000 and 700,000 organizations were affected by the breach. At this point, there is apparently no evidence that tax filings themselves were compromised. There were also no Social Security numbers or credit card information in the system, the official said.""The tax filings by these organizations are said to be compromised in this particular hack. The Urban Institute has stated that there were no Social Security numbers or credit card information on this system. More Information: http://thehill.com/policy/cybersecurity/233641-prominent-dc-think-tank-h...","Media","","2015","38.907192","-77.036871" "November 24, 2014","Sony Pictures","New York","New York","HACK","BSO","47,000","Sony Pictures Entertainment has suffered a data breach when hackers posted threatening messages on company computers. According to a report the threat ""began with a skull appearing on screens, and then a strangely ominous message telling users they’d been hacked by something called #GOP. It gets more bizarre as the message claims this is just the beginning and then threatens to release documents by 11 PM this evening.""The company has completely shut down all email communications and employees are not allowed to use company computers while the entertainment giant works through where and what the threat is and if it is real. The original threat did not give specifics or communicate any kind of ""ransom"" for the data that had supposedly been hacked.More Information: https://deadline.com/2014/11/sony-computers-hacked-skull-message-1201295... UPDATE (12/5/2014): A data security analyst has discovered information leaked by the hacker (s) goes beyond what was originally reported.According to the security company Identity Finder, showed that leaked files included vast amount of personal data on ""more than 47,000 celebrities, freelancers, and current and former Sony employees"". 
""An analysis of 33,000 leaked Sony Pictures documents by data security software firm Identity Finder showed that the leaked files included the personal information, salaries and home addresses for employees and freelancers who worked at the studio. Some of the celebrities include Sylvester Stallone, director Judd Apatow and Australian actress Rebel Wilson, according to the Wall Street Journal, which first reported on the analysis"". Additional information such as contracts, termination dates, termination reason and other data was also leaks. Unfortunately these files were in Excel format without any password protection.More Information: http://www.cnet.com/news/sony-hack-said-to-leak-47000-social-security-nu...UPDATE (12/16/2014): ""Sony Pictures Entertainment has been sued by two self-described former employees who accuse the movie studio of failing to protect Social Security numbers, healthcare records, salaries and other data from computer hackers who attacked it last month. The proposed class action lawsuit against Sony Corp's studio was filed on Monday in federal court in Los Angeles. It alleges that the company failed to secure its computer network and protect confidential information.""More Information: http://www.reuters.com/article/2014/12/16/sony-cybersecurity-classaction...UPDATE (06/16/2015): Sony Pictures Entertainment has been denied a dismissal of a lawsuit brought on by former employees who claim that their personal data was stolen in the 2014 hacking. The judge stated ""Sony created a ""special relationship"" with its employees by requiring them to provide personal information to be eligible for salaries and benefits.""More Information: http://www.businessinsider.com/r-sony-fails-to-dismiss-lawsuit-over-inte...UPDATE (09/02/2015): ""Lawyers for former Sony Pictures Entertainment employees whose data was breached last year say they have tentatively reached a settlement with the company. 
Wednesday's filing in a proposed class-action lawsuit does not detail settlement terms or how many current and former Sony employees would be covered by the settlement. Plaintiffs' attorney Daniel Girard wrote that he and fellow lawyers believe the settlement is favorable to employees whose personal, financial and medical information was posted online. Additional details about the settlement are expected to be filed in a Los Angeles federal court by mid-October.""More Information: http://www.usnews.com/news/entertainment/articles/2015/09/02/federal-son...","Media","","2014","40.712784","-74.005941" "September 9, 2015","eMinor Incorporated d/b/a ReverbNation","Durham","North Carolina","HACK","BSO","0","ReverbNation was contacted by law enforcement regarding an unauthorized access to their customer data sometime in January of 2014. The individual who accessed this information was caught and charged. The customer information this individual may have viewed included email addresses and encrypted passwords, names, addresses, phone numbers, and/or dates of birth.The company automatically reset users passwords to combat those customers who used a common password. According to the company no credit card information was accessed as they do not store that information on their servers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57665 ","California Attorney General","","2015","36.002814","-78.904058" "February 1, 2015","CitiStorage","Brooklyn","New York","PHYS","BSO","0","A fire at the CitiStorage warehouse in Brooklyn, inadvertently put individual's privacy at risk. This warehouse stored thousands of records for law firms, medical practices, government agencies, financial companies and other businesses.Amongst the charred paperwork were visible Social Security numbers, medical information, bank checks, lawyers' letters, court transcripts and more. 
Much of the paperwork was strewn out for blocks with clearly visible personal information making it very easy to steal someone's identity. ""New York City sent disaster recovery contractors, equipped with nets, shovels and protective boots, to try to collect the debris. But still, beachcombers sifted freely through the trove of documents, picking their way through remnants of the days when many records were on paper and the city government was one of the few takers for north Brooklyn’s waterfront land."" The various government agencies that stored information at the warehouse included the state court system, the city's Administration for Children's Services and the Health and Hospitals Corporation. More information: http://www.nytimes.com/2015/02/02/nyregion/large-warehouse-fire-continue... ","Media","","2015","40.722503","-73.959758" "September 11, 2015","Sutter Health","Sacramento","California","INSD","MED","0","Sutter Health has notified patients/customers of a data breach when they discovered that a former employee had emailed documents of individuals to a personal email address on April 26, 2013.The information in these electronic documents included names, dates of birth, insurance identification numbers, dates of services and billing codes. They have stated that no Social Security numbers, drivers' license or ID numbers, credit card or bank information was contained in these documents. Sutter Health is offering one year free of Experian's ProtectMyID Alert for those who were affected. Those with questions call 1-877-235-0796 Monday through Friday, 6:00 a.m. to 5:00 p.m. Pacific Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57764","California Attorney General","","2015","38.605414","-121.518387" "September 14, 2015","James R. Glidwell, Dental Ceramics, Inc.","Newport Beach","California","HACK","BSO","0","Glidewell, Dental Ceramics, Inc. 
and its subsidiaries notified employees that a breach of their system that maintains employee files was discovered. The unauthorized individual(s) may have taken documents that contained personal information of employees, including names, addresses, Social Security numbers, and financial account information related to direct deposit accounts. The company is offering one year free of fraud resolution and identity theft protection services through ProtectMyID. Those affected can call 888-227-1416 or visit www.protectmyid.com/alert and use engagement number PC96191. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57775 ","California Attorney General","","2015","33.618910","-117.928947" "September 17, 2015","Kardashian Website","Los Angeles","California","HACK","BSO","663,200","The Kardashian brand recently launched a new website design which appears to have some security holes. One developer discovered a misconfiguration in the site that allowed him to access full names and emails of over 600,000 users who signed up for Kylie Jenner's website. This developer stated ""I’ll admit I downloaded Kylie’s app just to check it out. I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected."" The developer then logged in with his own username and password and was ""directed to a web page that contained the first and last names and email addresses of the 663,270 people who had signed up for the site."" More Information: http://techcrunch.com/2015/09/16/kardashian-website-security-issue-expos... 
","Media","","2015","34.052234","-118.243685" "September 15, 2015","LSU Health New Orleans School of Medicine","New Orleans","Louisiana","PORT","EDU","5,000","A doctor associated with the LSU Health New Orleans School of Medicine had his laptop stolen which may have exposed 5,000 patients personal information.The laptop computer was stolen from the doctors vehicle when it was parked in front of his home on July 16th or 17th. The theft was reported but has not yet been recovered.The information contained on this laptop included names, dates of birth and medical information. It did not contain Social Security numbers, credit card or banking information. For those with questions, call 1-504-568-8672 or 1-844-578-2656.More Information: http://wgno.com/2015/09/15/lsu-docs-stolen-laptop-brings-offer-for-free-...","Media","","2015","29.951066","-90.071532" "July 17, 2015","UCLA Health System","Los Angeles","California","HACK","MED","4,500,000","UCLA Health System's has informed as many as 4.5 million patients of a data breach of their network, exposing sensitive personal and medical information. 
The information compromised included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, patient diagnosis and procedures. It has been reported that UCLA did not take basic steps to encrypt the patient data. Patients who are affected can call UCLA at (877) 534-5972 or check the website www.myidcare.com/uclaprotection. More Information: http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html ","Media","","2015","34.052234","-118.243685" "September 10, 2015","Excellus Blue Cross Blue Shield","Syracuse","New York","HACK","BSF","10,000,000","Excellus has revealed that in August the company discovered a breach of their system by hackers, which may have started two years prior and gave access to its customers' information. The information accessed included names, birth dates, Social Security numbers, mailing addresses, telephone numbers, claims and financial payment information, which included some credit card numbers. ""Excellus spokesperson Cane confirmed in a phone call with WIRED that between 10 and 10.5 million customers had their data potentially accessed in the breach. Beyond just Excellus itself, the company says that even some of its insurance partners within the Blue Cross Blue Shield network may be affected, accounting for about 3.5 million of those victims. Everyone affected will receive a letter from Excellus, along with two years of free credit monitoring from the company."" More information: http://www.wired.com/2015/09/hack-brief-health-insurance-firm-excellus-s... UPDATE (9/21/2015): A class-action lawsuit has now been filed against Excellus as a result of the data breach the company suffered exposing 10.5 million individuals to potential identity theft. 
More Information: http://www.databreachtoday.com/excellus-faces-breach-related-lawsuit-a-8539","Media","","2015","43.048122","-76.147424" "September 2, 2015","We End Violence, LLC","San Diego","California","HACK","BSO","0","We End Violence LLC notified individuals of a data breach when they discovered unauthorized access into their website server that may have gained access to personal information. The information accessed included names, student ID numbers, email addresses, Agent of Change usernames, Agent of Change passwords, gender identity, race, ethnicity, age, relationship status, sexual identity and the name of an individuals college or university. The company is encouraging individuals to change their passwords. For information call 1-877-218-2930 6 a.m to 4 p.m PST, Monday through Friday. Provide the reference number 6751090215 when calling. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57701","California Attorney General","","2015","32.715738","-117.161084" "June 4, 2015","Office of Personnel Management (OPM)","Washington ","District Of Columbia","HACK","GOV","21,500,000","The Office of Personnel Management will be notifying over 4 million current and former federal employees of a data breach thought to be perpetrated by Chinese hackers. Federal officials stated that the hacking exposed employee's job assignments, performance and training. Officials stated that no ""background or clearance investigations"" were exposed. They are not stating whether or not the information that was exposed included any Social Security information or financial information. 
More Information: http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-goernments-personnel-office/2015/06/04/889c0e52-Oaf7-11e5-95fd-d580f1c5d44e_story.html Breach FAQ: http://www.opm.gov/faqs/topic/cybersecurityinformation/UPDATE (06/15/2015): Very interesting timeline laid out by Brian Krebs which includes the OPM breach, along with connections to various other breaches that are very similar attacks to OPM. http://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ UPDATE (06/24/2015): The 4.2 million individuals reported to have been affected by the OPM breach, has now increased to approximately 18 million individuals, including individuals that applied for jobs but never ended up being hired. More Information: www.cnn.com/2015/06/22/politics/opm-hack-18-million/index.html UPDATE (06/25/2015): The head of OPM has publicly stated that they are investigating the breach of 18 million Social Security numbers as part of the recent hacking at the OPM Currently we are now including the 18 million in our breach total number as prior the office would not state specifically what information in the records was obtained. Authorities are also stating that the hack can be defined as two distinct breaches. More Information: http://www.wsj.com/articles/hack-defined-as-two-distinct-breaches-1435158334UPDATE (7/2/2015): The Office of Personnel Management has had a class-action lawsuit filed against them over the recent data breach by a federal employee's union. The suit claims that OPM's negligence led to the breach. Since 2007 when OPM had been notified by the Office of Inspector General that there were deficiencies in the agency's cybersecurity processes, the agency failed to correct the issues. Here is OPM's website explaining the breach and what to do. https://www.opm.gov/cybersecurityMore Information: http://www.computerworld.com/article/2942038/security/opm-hit-by-classac... 
UPDATE (7/9/2015): OPM admits that hackers breached 21.5 million Social Security numbers in the recent data breach. More Information: http://www.foxnews.com/politics/2015/07/09/hackers-stole-social-security... UPDATE (9/23/2015): OPM has stated that 5.6 million fingerprints were part of the cyber attack on the agency's computer systems. This is almost 5 times greater than initially communicated. More Information: https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/","Media","","2015","38.907192","-77.036871" "September 17, 2015","T-Bird Restaurant Group, Inc. (Outback Steakhouse)","Northridge","California","PHYS","BSO","0","The Outback Steakhouse in Northridge, a franchise location for the restaurant group T-Bird Restaurant Group, Inc., notified employees of a data breach when the location was burglarized. The individual(s) managed to steal computer equipment including their point of sale computer terminal and back office computer. The point of sale computer contained information that included employee time sheet information, files that contained names and Social Security numbers. The company is offering ID Experts theft protection for one year for free. 
Those affected call 1-888-773-9953 or go to www.IDExpertscorp.com/protect. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57861","California Attorney General","","2015","34.238125","-118.530123" "September 25, 2015","Silverberg Surgical and Medical Group","Newport Beach","California","DISC","MED","0","Silverberg Surgical and Medical Group notified patients of a data breach when a ""scanning device inadvertently exposed some patient health records to the Internet."" The information exposed included names, addresses, dates of birth, admission records, telephone and fax numbers, email addresses, medical information, medical record numbers, health plan data, beneficiary numbers, Social Security numbers, state license numbers and facial photographic images. The medical group is providing Kroll identity theft monitoring for one year for free. For those affected visit kroll.idMonitoringService.com or call 1-844-530-4126. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57984 ","California Attorney General","","2015","33.612701","-117.870553" "September 28, 2015","Palo Alto VA Health Care System","Palo Alto","Virginia","DISC","MED","0","""An inspector general’s report revealed that Palo Alto’s Department of Veterans Affairs facility provided patient information to a private IT company whose employees had not been cleared through background checks."" The investigation was initiated when a complaint by House Committee on Veteran's Affairs alleged that the Informatics Chief at the Palo Alto VA had ""entered into an illegal agreement with a healthcare tech company, Kyron, for sharing patient information."" According to the VA, they removed identifiable information prior to releasing this data to Kyron. The Office of Inspector General determined that the VA did not verify whether or not the individuals at Kyron had received background checks prior to handling this type of sensitive information. 
Nor did they receive proper security or privacy training. They also discovered that the information loaded into Kyron's software was not yet approved by VA Information security officers prior to installation. More Information: http://www.federaltimes.com/story/government/it/2015/09/28/oig-palo-alto...","Media","","2015","37.441883","-122.143020" "September 29, 2015","Barrington Orthopedic Specialists","Barrington","Illinois","PORT","MED","1,009","Barrington Orthopedic Specialists notified patients of a data breach when a laptop and EMG machine were stolen from their offices. The information compromised included patient names, dates of birth and EMG results and reports. More information: http://www.barringtonortho.com/sites/barringtonortho.com/files/HIPAA_Pat... http://healthitsecurity.com/news/theft-printing-error-lead-to-health-dat...","Health IT Security","","2015","42.153914","-88.136189" "September 25, 2015","Blue Cross Blue Shield of North Carolina (BCBSNC)","Durham","North Carolina","DISC","BSF","0","Blue Cross BlueShield of North Carolina notified customers of a data breach when they discovered two incidents that may have exposed personal information. The first incident occurred when a printing error resulted in members' billing invoice information printed on the back of other members' invoices. The information exposed here included names, addresses, internal BCBSNC account numbers, group numbers, coverage dates and premium amounts. The second incident occurred when payment letters included incorrect information and were sent to the wrong members. This information included the type of health plan purchased, effective dates, health insurance marketplace identification numbers, payment amounts, telephone numbers and payment identification numbers. 
More information: http://www.bcbsnc.com/content/corporate/privacy-breach-20150925.htm http://healthitsecurity.com/news/theft-printing-error-lead-to-health-dat...","Health IT Security","","2015","35.958220","-78.961330" "September 25, 2015","Ginger Blossom","Springfield","Massachusetts","PHYS","BSO","0","The owner of a Chinese restaurant called the Ginger Blossom discovered that one of her employees was stealing customer credit and debit card information. The employee was caught on surveillance video with a skimming device. The police recovered a bag that was hidden in a planter outside of the restaurant that contained the scanner and numerous prepaid gift cards and credit cards. More information: http://wwlp.com/2015/09/25/waiter-charged-with-credit-card-fraud/","Media","","2015","42.101483","-72.589811" "September 25, 2015","Horizon Blue Cross Blue Shield","Newark","New Jersey","DISC","GOV","1,100","Horizon Blue Cross Blue Shield of New Jersey notified customers of a data breach when several individuals pretended to be doctors or health care professionals and obtained member identification numbers and other personal information. These individuals then submitted claims to Horizon Blue Cross Blue Shield with these member ID numbers. During the investigation it was confirmed that names, dates of birth, gender and member ID numbers were accessed. The company is claiming that no Social Security numbers, financial information or medical information was accessed. More Information: http://www.nj.com/news/index.ssf/2015/09/nj_insurer_says_some_data_stole...","Media","","2015","40.070396","-82.310384" "September 25, 2015","Bed Bath and Beyond","New York ","New York","INSD","BSO","0","Bed Bath and Beyond notified customers of a data breach in their New York City store, between March 7, 2015 and August 3, 2015. Customers who used their cards during that time period have been encouraged to notify their banks of the potential for credit card theft. 
More Information: http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Bed%20Bath%...","Vermont Attorney General","","2015","40.772511","-73.981784" "September 21, 2015","Systema Software","Larkspur","California","HACK","BSO","1,500,000","Systema Software has communicated that a ""single individual gained unapproved access into our data storage system."" It has been communicated that this breach exposed over 1.5 million records of public agencies in California, Kansas and Utah. The records included police injury reports, drug tests, detailed doctor visit notes and Social Security numbers. More information: http://www.modernhealthcare.com/article/20150921/NEWS/150929997 ","Media","","2015","37.948658","-122.510013" "September 27, 2015","Big Blue Bus","Santa Monica","California","HACK","BSO","0","The Big Blue Bus has notified customers of a data breach when the company discovered unauthorized access at NextBus, a third party company that Big Blue Bus works with to provide real-time bus arrival information to customers. The individual(s) may have gained access to account information of customers. The company claims that no Social Security numbers or financial information was compromised. The company is recommending that customers change their passwords and watch for potential phishing scams. For those with questions call 1-877-639-8287. More Information: http://smdp.com/data-breach-involves-big-blue-bus-customers/151000","Media","","2015","34.019454","-118.491191" "February 14, 2014","Experian","Costa Mesa","California","HACK","BSF","0","Experian notified customers of a potential security breach of their information. Between January 30, 2014 and January 31, 2014 the nationwide credit agency noticed unauthorized access into consumer information without proper authorization using an Experian client's login information. The consumer information consists of information typically found in a consumer report. 
This information includes names, addresses, Social Security numbers, dates of birth, and account information. For assistance or any questions regarding this breach the agency has provided a toll free number, 800-232-8081, for an Experian representative.","Vermont Attorney General","","2014","33.689456","-117.874016" "October 6, 2015","Affinity Health Plan","Bronx","New York","DISC","MED","0","Affinity Health Plan (AHP) notified customers of a data breach when letters for renewing Child Health Plus for customers' children contained, on the back of the letter, the information and address of another Affinity member. ""This led to a number of Affinity members' information being shared with other Affinity members."" This was a printing error that included information on another Affinity member including their children's names, addresses, and AHP identification numbers. The company is reporting that no children's health information or Social Security numbers were disclosed. More information: http://healthitsecurity.com/news/misprinted-letter-leads-to-affinity-hea... Letter released to members: http://www.affinityplan.org/uploadedFiles/Affinity/Who_We_Are/Press_Rele...","Health IT Security","","2015","40.849335","-73.842588" "October 1, 2015","Experian","Costa Mesa","California","HACK","BSF","15,000,000","Experian has announced a breach to their system affecting over 15 million T-Mobile customers. T-Mobile uses Experian to run credit checks on potential customers. ""Who Is Affected Experian said the incident is ""isolated"" and is only limited to consumers who applied for T-Mobile USA services between Sept. 1, 2013, and Sept. 16, 2015.  
What's Been Exposed The information exposed to hackers includes names, addresses, social security numbers, dates of birth, and various identification numbers, including a passport, driver's license or military identification number, according to Experian."" T-Mobile is offering 2 years free of identity theft monitoring services through Experian. More information: http://abcnews.go.com/Technology/experian-hack-exposes-mobile-customers/... UPDATE (10/07/2015): T-Mobile is now offering a secondary service to customers who were part of the Experian breach that is not an Experian service. See the link below for the information. https://www.csid.com/t-mobile/ ","Media","","2015","33.641132","-117.918669" "October 6, 2015","Lake Norman High School","Mooresville","California","DISC","EDU","0","Lake Norman High School notified students of a breach when a Lake Norman High School student obtained an administrative password; the student was able to manipulate the script that contains the admin password. “We have a script that we send out that runs on the computers that does contain the admin password,” Blattner said in an email. “It runs and then deletes itself....The file was made invisible and the script to delete the file was provided by the software manufacturer, but it did not work as designed.” Seven students who used the password to access school computers were charged with accessing computers without authorization by the Iredell County Sheriff's Office. More information: http://www.statesville.com/news/it-faulty-file-caused-lnhs-security-brea... 
","Media","","2015","35.596483","-80.902712" "October 2, 2015","Sentara Heart Hospital","Norfolk","Virginia","PORT","MED","1,040","","","","2015","36.862103","-76.303582" "October 1, 2015","American Bankers Association","Washington","District Of Columbia","HACK","BSF","6,400","The American Bankers Association has notified customers of a data breach when email addresses and passwords used to make purchases on their site or used to register for events were compromised. ""6,400 users' records had been posted online, the trade group said, though there was no evidence that credit card or other personal financial information had been accessed.""More information: http://www.americanbanker.com/news/bank-technology/experian-aba-breached...","Media","","2015","38.904107","-77.040998" "October 2, 2015","Schwab Retirement Plan Services, Inc. ","San Francisco","California","DISC","BSF","0","Schwab Retirement Plan Services Inc. (SRPS), notified customers of a data breach when a spreadsheet containing Social Security numbers, names, addresses, dates of birth, dates of termination, employment status, division code, marital status and account balance was accidentally emailed to a participant in another retirement plan serviced by SRPS.For those affected they can call 1-800-724-7526.More information: http://oag.ca.gov/system/files/Participant%20Incident%20Notification%20T...? ","California Attorney General","","2015","37.774930","-122.419416" "September 11, 2015","Yap Stone Payment Systems","Walnut Creek","California","UNKN","BSF","0","YapStone payment systems has sent notification to the California Attorney General's office and individuals who were affected by the breach. Unfortunately no detailed information was available as to they type of breach, the information affected or the number of individuals involved in the breach. 
As more information is available, this post will be updated. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-57770 UPDATED (9/30/2015): YapStone is being sued by a New Jersey man who filed in a California federal court accusing YapStone of ""negligence and breach of contract for failing to protect customer data from a possible breach."" More information: http://www.law360.com/articles/708884/vrbo-payment-processor-hit-with-da...","California Attorney General","","2015","37.908536","-122.066336" "October 8, 2015","North Shore Care Supply","Austin","Texas","HACK","BSO","0","North Shore Care Supply notified customers of a data breach when their online ecommerce site was compromised, exposing customers' personal information. The information accessed included debit/credit card information, names, addresses, card numbers, verification codes and expiration dates. Online purchases made between June 7, 2015 and August 24, 2015 are at risk. The company has set up AllClearID for 12 months for free. Those affected can call 1-855-229-0069. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58183","California Attorney General","","2015","30.267153","-97.743061" "October 8, 2015","GlamGlow","Hollywood","California","HACK","BSO","0","GlamGlow notified customers of a data breach when their online ecommerce site was compromised. The access occurred between September 19 and September 21, 2014 and May 12 and May 15, 2015, and the information accessed included names, addresses, telephone numbers, payment card numbers, expiration dates, security codes, email addresses and GlamGlow account passwords. 
For those affected with questions call 1-800-219-2031 between 9:30 am and 4:30 pm EST.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58194","California Attorney General","","2015","34.093899","-118.379612" "October 9, 2015","E-Trade","New York ","New York","HACK","BSF","31,000","E-Trade has notified customers that their information may have been compromised as a result of a hacking to their system back in 2013. E-Trade claims that there was no evidence that any sensitive information was compromised such as Social Security numbers or financial information. The information they are stating was compromised were customer email names, email and physical addresses. E-Trade learned of the cyberattack shortly after it occurred in 2013 and launched an internal investigation while it worked with law enforcement, according to a person familiar with the investigation who spoke on the condition of anonymity. But at the time, the company did not believe customer information had been compromised, the person said. Recently, however,  federal law enforcement officials alerted the company to evidence that customer contact information may have been breached, prompting E-Trade to inform customers about the incident ""out of an abundance of caution,"" according to the e-mail.""More information: https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/e-trade-not...","Media","","2013","40.760632","-73.981007" "October 9, 2015","Care Plus Health Plans","Miami","Florida","DISC","BSF","1,400","CarePlus Health Plans have notified customers of a data breach when an error in processing their statements exposed their personal information to other members. The machine that processed these statement had a programming error that inserted two statements into one envelope vs. just one.According to the company, no Social Security numbers were on these statements. The information compromised included names, addresses and CarePlus identification numbers. 
For those affected, call 1-800-794-5907 from 8:00 a.m. to 8 p.m. EST seven days a week. More information: http://www.wtsp.com/story/news/health/2015/10/09/careplus-might-mishandl...","Media","","2015","25.761680","-80.191790" "October 9, 2015","America's Thrift Stores","Decatur","Georgia","HACK","BSO","0","America's Thrift Stores notified customers of a data breach when the thrift store chain discovered the software used through a third-party service provider was compromised. The hacking, allegedly from Eastern Europe, compromised customer credit card or debit card information. More information: www.waaytv.com/appnews/data-breach-at-america-s-thrift-store/article_54d... ","Media","","2015","33.774828","-84.296312" "October 9, 2015","Vacaville Housing Authority","Vacaville","California","DISC","GOV","0","The Vacaville Housing Authority (VHA) notified individuals of a data breach when a VHA employee inadvertently sent an email with a file that had customers' personal information in it. The information included names and Social Security numbers. The file reportedly was sent to only one person and she immediately contacted the VHA. According to the VHA, authorities verified that the email was deleted from this person's computer. The VHA is offering 12 months free of credit monitoring services through Kroll for those individuals that were affected. 
More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58203","California Attorney General","","2015","38.357046","-122.001696" "October 12, 2015","Dow Jones & Company","New York","New York","HACK","BSF","3,500","Dow Jones & Company notified individuals of a breach when they discovered unauthorized access to their system, affecting payment card information of customers. The unauthorized access also included names, addresses, email addresses and phone numbers of current and former subscribers. More information: http://www.wsj.com/articles/dow-jones-discloses-customer-data-breach-144... Company letter: http://online.wsj.com/public/resources/documents/dowjonesletter.pdf   ","Media","","2015","40.712784","-74.005941" "October 7, 2015","LoopPay","Woburn","Massachusetts","HACK","BSO","0","""Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers. As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.""","Media","https://www.nytimes.com/2015/10/08/technology/chinese-hackers-breached-looppay-a-contributor-to-samsung-pay.html","2017","42.479262","-71.152277" "October 1, 2015","Scottrade","St. Louis","Missouri","HACK","BSF","4,600,000","Scottrade notified customers of a data breach when one of their systems was hacked into, exposing customers' records. The information compromised included client names and street addresses. The company is providing AllClear ID to those affected for one year for free.  
Those affected can call 855-229-0083 Monday through Saturday 8:00 am to 8:00 pm. More information: https://oag.ca.gov/system/files/Scottrade%20California%20notice%20only%2...?UPDATED (10/2/2015): The Scottstrade data breach appears to have affected 4.6 million customers. The company stated “Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system,” the email notice reads. “Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.” The notice sent out also stated that ""that although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, “it appears that contact information was the focus of the incident.”""More information: http://krebsonsecurity.com/2015/10/scottrade-breach-hits-4-6-million-cus...","California Attorney General","","2015","38.627003","-90.199404" "October 9, 2015","Humana ","Wausau","Wisconsin","PORT","BSF","2,800","Humana is notifying Wisconsin members of a breach of customers information after an employee’s vehicle was broken into and a company laptop was stolen along with a file containing customer information.  The information compromised included member names, dates of birth, Humana and clinic names. 
The documents also included Humana member identification numbers of 250 of those individuals.More information: http://www.wsaw.com/home/headlines/Laptop-with-Humana-member-information...","Media","","2015","38.569308","-121.355712" "October 13, 2015","Uniformed Services University","Bethesda","Maryland","HACK","EDU","0","A hacker by the name of Kuroi SH infiltrated the United States based Uniformed Services University (USU) leaking 2014 login credentials online.USU educates service members in for the military's medical corps in the US and abroad. The university also provides training to military physicians, nurses and educators.  ""The hacker uploaded a deface page on 8 of the USU websites on which a database of all the websites, names, emails and clear-text passwords of those working for the university are held.""More information: https://www.hackread.com/uniformed-services-university-domain-hacked/ ","Media","","2015","39.001344","-77.085776" "October 13, 2015","Peppermill Resort Spa & Casino","Reno","Nevada","HACK","BSO","0","The Peppermill Resort Spa & Casino notified customers of a breach when their front desk system compromising customer payment card information and the security codes on the back of the cards. According to the casino, the hack occurred between October 12, 2014 and February 16, 2015. The casino was asked to delay notifying individuals by federal authorities while they investigated the incidence. More information: http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Peppermill%... ","Media","","2015","39.499872","-119.802395" "January 24, 2014","Coca-Cola Company","Atlanta","Georgia","PORT","BSO","18,000","The Coca-Cola Company announced the theft of several computers from one of their locations that contained personal information on employees and other individuals. The company did not detail the specific information that was stored on the stolen computers. 
The theft was discovered on December 19, 2013.UPDATE (11/13/2014): ""A class action lawsuit has been filed against the Coca-Cola company and its regional distribution subsidiaries on behalf of 70,000 people whose information and identities have been allegedly compromised by the theft of 55 laptops from the company's Atlanta headquarters over a six year period.""The company did not notice the theft of these laptops until November of 2013 prompting the company to send notices to those affected in January 2014. According to the company 18,000 individuals had Social Security numbers affected, and an additional 56,000 individuals that may have had their drivers license information compromised. The laptops were not encrypted and along with the above information, the laptops may have also included names, addresses, ethnicity and other personal information.The class action suit alleges that the company failed to protect personal data, but failed in adequately notifying victims of the breach.More Information: http://pennrecord.com/news/15093-class-action-filed-against-coca-cola-fo...UPDATE (October 13, 2015): A Coca-Cola employee who showed he suffered harm after company laptops were stolen is pursuing a class action lawsuit against the company according to a Pennsylvania federal court. More information: http://www.businessinsurance.com/article/20151013/NEWS06/151019945/penns...","California Attorney General","","2014","33.770933","-84.396644" "October 13, 2015","Streets of New York","Phoenix","Arizona","HACK","BSO","200","The Streets of New York restaurant in Phoenix Arizona notified customers of a breach when hackers infiltrated the payment card system of the restaurant. According to the restaurant a few hundred customers were affected. 
The hackers then tried extorting the owners for $10,000.More information: http://www.fox10phoenix.com/arizona-news/32931241-story","Media","","2015","33.448377","-112.074037" "October 14, 2015","University of Oklahoma's Urology Clinic","Oklahoma City","Oklahoma","PORT","MED","7,693","The University of Oklahoma College of Medicine - Department of Obstetrics & Gynecology notified patients of a data breach when a physicians laptop was stolen from their car. ""The laptop had a list of information on it related to two groups of individuals.  For one group of individuals, the information included  full name, medical record number, date of birth, age, the name and date of a gynecologic or urogynecologic medical procedure, patient account number, and admission and discharge dates for that procedure (if the procedure was an inpatient procedure).  Social Security numbers and credit card numbers were not included. Addresses were not included.  These individuals had gynecologic or urogynecologic procedures at the OU Outpatient Surgery Center or the Presbyterian Tower between January 1, 2009, and December 31, 2014.  The information for other group of individuals included last name and first initial, age, and information related to pregnancy, such as lab results and medications, delivery date, and problem and allergy list.""More information: https://www.oumedicine.com/OBGYN/contact-us","HHS via Databreaches.net","","2015","35.478676","-97.497358" "October 16, 2015","Scripps Network LLC. (Food.com)","Knocksville","Tennessee","HACK","BSO","0","Food.com notified customers of a databreach to their system that may have affected emails, usernames and passwords. These credentials were used to login onto the site for managing their recipe box and posting recipes on the site. These same credentials are used to Foodnetwork.com website as well as mobile applications through the site. This intrusion occurred between August 8, 2015 and September 2, 2015. 
According to the company no financial information or Social Security information was compromised. The company is recommending that customers change their usernames and passwords. Those with questions can call 1-800-380-6336 between 9 a.m. through 7 p.m. EST Monday to Friday and use the reference number 1031100715.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58311","California Attorney General","","2015","35.960638","-83.920739" "October 16, 2015","NextBus","Emeryville","California","HACK","BSO","0","NextBus has notified customers of a data breach to their system that disclosed usernames, email addresses, telephone numbers and passwords of customers. The company is advising customers to change their passwords.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58315","California Attorney General","","2015","37.841814","-122.289736" "October 16, 2015","Community Catalysts of California","San Diego","California","PORT","NGO","1,182","Community Catalysts of California notified customers of a data breach that may have compromised their information when a thumb drive was stolen from an employee's car. The information included names, addresses, diagnosis, dates of birth, ages, genders and telephone numbers.  They are claiming that no Social Security number, financial account numbers, medications or client identification numbers were compromised. For those with questions call Alesia Forte at (888) 344-1237 Monday through Friday from 8:30 a.m. through 5:00 p.m, Pacific Time. 
More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58324 ","California Attorney General","","2015","32.812389","-117.153976" "October 16, 2015","Department of Health and Human Services","Granville","North Carolina","DISC","MED","1,615","The Department of Health and Human Services (DHHS) in Granville County North Carolina notified patients of a data breach when an employee inadvertently sent an email to the Granville County Health Department when the file was not encrypted. The information compromised included first and last names, Medicaid identification numbers, provider names, provider ID numbers, and other Medicaid related services. For those with questions call 1-800-662-7030. More information: http://www.wral.com/nc-dhhs-reveals-potential-medicaid-data-breach/14975...","Media","","2015","40.068119","-82.519604" "October 13, 2015","Service Systems Associates, Inc. ","Denver","Colorado","HACK","BSO","60,000","Service Systems Associates, Inc. notified customers of a data breach when their point-of-sale software contained malware that compromised payment card information of individuals who visited gift shops in several zoos from March 24 and May 20, 2015. The following zoo locations were affected:- Dallas Zoo- Detroit Zoo- El Paso Zoo- Fresno Chaffee Zoo- Herman Park Conservancy- Honolulu Zoo- Houston Zoo- Zoo Miami- Museum of Science and Industry (Tampa Florida)- Pittsburgh Zoo & PPG AquariumVisit http://www.kmssa.com/creditcardbreach/ for more informationMore information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58264UPDATE (10/20/2015): Service Systems Associates lawyer sent a letter to the New Hampshire Attorney General's office affected approximately 60,000 consumer credit cards. 
More information: http://doj.nh.gov/consumer/security-breaches/documents/service-systems-2...","California Attorney General","","2015","39.739236","-104.990251" "October 22, 2015","Osceola County Juvenile Division Court of Clerks","Osceola County","Florida","DISC","GOV","0","The county of Osceola in Florida, specifically the Juvenile Division of the Clerk of Courts, had a data breach when children's information was inadvertently exposed on their website. The names of every child charged in court cases and names of children in their foster system were exposed online via their e-file system. Currently the disclosure is being investigated. More information: http://www.wftv.com/news/news/local/9-investigates-osceola-county-childr... http://www.wftv.com/news/news/local/9-investigates-osceola-county-childr...","Media","","2015","28.101984","-81.075466" "October 22, 2015","Osceola County Juvenile Division Clerk of Courts","Osceola County","Florida","DISC","GOV","0","The county of Osceola in Florida, specifically the Juvenile Division of the Clerk of Courts, had a data breach when children's information was inadvertently exposed on their website. The names of every child charged in court cases and names of children in their foster system were exposed online via their e-file system. Currently the disclosure is being investigated. More information: http://www.wftv.com/news/news/local/9-investigates-osceola-county-childr...","Media","","2015","28.101984","-81.075466" "October 22, 2015","Xero","San Francisco","California","HACK","BSO","0","The online accounting software company Xero is notifying customers of a data breach when ""a small number"" of their customers had their accounts compromised. In particular, they had been seeing a large increase in phishing scams pretending to be the company. The company is asking those who are compromised to change their account passwords. More information: https://grahamcluley.com/2015/10/online-accounting-software-xero-tells-u...
","Media","","2015","37.800155","-122.401883" "October 26, 2015","Emergence Health Network","El Paso","Texas","DISC","MED","11,100","Emergence Health Network has notified patients of a data breach to their system when a server was accessed without authorization. ""It is not apparent that any medical information was disclosed based upon a third-party audit of the computer server and EHN does not have any proof that information such as social security number, date of birth, home address, was accessed or otherwise misused"" More information: http://emergencehealthnetwork.org/wp-content/uploads/2015/10/EHN-Compute...","HHS via Databreaches.net","","2015","31.773006","-106.476830" "October 3, 2015","Sentara Heart Hospital","Suffolk","Virginia","INSD","MED","1,040","Sentara Heart Hospital notified patients of a data breach when two portable hard drives were stolen. According to authorities the theft occurred the weekend of August 14, 2015. The information on the hard drives included birthdates, names, diagnoses, types of procedures and other clinical notes. According to the clinic no Social Security numbers or addresses were on the portable drives. Those affected can call 844-322-8235 between 8 a.m. and 6 p.m. and refer to incident No. COE151471. More information: http://hamptonroads.com/2015/10/security-breach-sentara-heart-hospital ","Media","","2015","36.773281","-76.581092" "October 22, 2015","Noble House and Resorts","Kirkland","Washington","HACK","BSO","0","Noble House Hotels and Resorts notified customers of a data breach when guests informed them of unauthorized charges on their payment cards used at one of their hotels, The Commons. The company identified malware on the payment card system on September 25, 2015. The information compromised included cardholder name, card numbers, expiration dates, and the CVV number on the back of the cards. Cards were potentially compromised from January 28, 2015 to August 3, 2015. 
More information: http://oag.ca.gov/system/files/General%20Notice_0.pdf? UPDATE (11/13/2015): A second notice by the Noble House Hotels and Resorts specifies the hotels that were affected by this breach. The list is as follows: The Portofino Hotel and Marina, Redondo Beach CA, from April 3, 2015 to August 11, 2015; The Edgewater, Seattle WA, from December 29, 2014 to August 11, 2015; Little Palm Island Resort and Spa, Florida Keys FL, from December 29, 2014 to May 22, 2015; Mountain Lodge Telluride, Telluride, CO, from December 29, 2014 to May 27, 2015; Ocean Key Resort and Spa, Key West, FL, from December 29, 2014 to August 6, 2015; River Terrace Inn, Napa, CA from December 29, 2014 to August 11, 2015. More Information: http://oag.ca.gov/system/files/General%20Notice_1.pdf?","California Attorney General","","2015","47.679816","-122.197021" "October 30, 2015","American Bankers Association","Washington","District Of Columbia","HACK","BSO","6,400","American Bankers Association notified individuals of a data breach of their Shopping Cart affecting 6,400 records. The information compromised included Shopping Cart user names and passwords, which were posted online. At this time the company has stated that they do not believe that any financial information was compromised. The company is requesting that individuals change their online passwords. For those with questions call 1-800-226-5377. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58430","California Attorney General","","2015","38.904107","-77.040998" "October 28, 2015","Digital Theatre, LLC (ShowTix4U)","Las Vegas","Nevada","HACK","BSO","0","Digital Theatre, LLC which operates ShowTix4U notified individuals of a data breach when some payment cards were affected. Investigators found that unauthorized access to a computer server hosting ShowTix4U's website occurred between late April 2015 and late September 2015. 
The information compromised included names, addresses, payment card account numbers, card expiration dates, and payment card security codes of customers. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58535","California Attorney General","","2015","36.169941","-115.139830" "November 23, 2015","Cox Communications","Atlanta","Georgia","HACK","BSO","0","""Recently, the Enforcement Bureau of the Federal Communications Commission (FCC) entered into a settlement with Cox Communications (Cox) resolving an investigation into whether the cable operator failed to properly protect its customers' personally identifiable information (PII) when its electronic data systems were breached in 2014. Cox is the third-largest cable television provider and the seventh-largest telephone carrier in the United States with over six million subscribers. This settlement presents the FCC's first privacy and data security enforcement action with a cable operator, echoing steps the FCC has recently taken against telecommunications providers to regulate and enforce privacy and cybersecurity breaches. The Breach: Cox's electronic data systems were breached in August 2014 by a hacker using the alias ""Evil Jordie,"" a member of the band of teenage cybercriminals known as the Lizard Squad. Evil Jordie simply called Cox and posed as a member of Cox's information technology department. He convinced both a Cox customer service representative and a Cox contractor to provide him with their account IDs and passwords and enter them into a ""phishing"" website."" ""With those credentials, the hacker gained unauthorized access to Cox customers' personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PINs, and in some cases partial social security and driver's license numbers of Cox's cable customers, as well as Customer Proprietary Network Information (CPNI) of the company's telephone customers,"" the FCC said. 
""The hacker then posted some customers' information on social media sites, changed some customers' account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.""","Media","http://www.jdsupra.com/legalnews/fcc-settles-data-breach-investigation-56753/","2015","33.748995","-84.387982" "November 9, 2015","Comcast","Pomona","California","HACK","BSO","590,000","Comcast may be the latest victim of a breach when 590,000 customer email addresses and passwords were posted on the Dark Web website, an underground site selling people's information for money. The company is denying that they were a victim of a breach, and were ""certain that none of their systems or apps had been compromised."" The company took precautions and reset passwords of those affected. ""Over the weekend, a reader (@flanvel) directed Salted Hash to a post on a Dark Web marketplace selling a number of questionable, if not outright illegal goods. The post in question offered a list of 590,000 Comcast email addresses and corresponding passwords. As proof, the seller offered a brief list of 112 accounts with a going rate of $300 USD for 100,000 accounts. However, one wished to purchase the entire list of 590,000 accounts, the final price was $1,000 USD."" More information: http://www.csoonline.com/article/3002604/cyber-attacks-espionage/comcast...","Media","","2015","34.062348","-117.752111" "November 2, 2015","Accuform Signs","Brooksville","Florida","HACK","BSO","0","Accuform Signs notified customers of a data breach when they noticed that order information from their site, and possibly the site of a distributor of the company, was hacked from an outside source. The information compromised included names, addresses, emails, phone and credit card information. 
For those with questions, call 1-800-233-3352 8 a.m. - 7 p.m. EST or go to www.safetybreach.info. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58598","California Attorney General","","2015","28.478269","-82.459130" "November 4, 2015","Avis Budget Group","Parsippany","New Jersey","DISC","BSO","0","Avis Budget Group notified customers of a data breach when the third-party provider that manages their open enrollment process accidentally sent a file to another company that is also their client. The information exposed to this other client included names, addresses and Social Security numbers. For those affected the company is offering Experian's ProtectMyID for free for one year. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58635","California Attorney General","","2015","40.848517","-74.450576" "November 16, 2015","Swiss Cleaners","Rockville ","Connecticut","HACK","BSO","0","Swiss Cleaners notified customers of a data breach to their credit card system that may have compromised customers' debit/credit card information. The company investigated the incident and discovered malware on the system that handles their payment cards. The malware made copies of the payment card information as it was being routed from Swiss Cleaners' system to the payment processor. The malware installed gathered cardholder names, card numbers, expiration dates and the verification code on the back of cards. The cards compromised were used at the location at 35 Windsor Avenue, PO Box 825, Vernon Connecticut from December 30, 2014 through October 26, 2015 as well as any other Swiss Cleaner stores from December 30, 2014 through October 23, 2015. The breach affected the company's drycleaning services only. 
For those affected with questions call 1-888-760-4869 Monday-Friday 9 am to 9 pm EST. More information: http://www.databreaches.net/ct-alerted-that-banks-had-discovered-a-probl...","Databreaches.net","","2015","39.083997","-77.152758" "November 15, 2015","Fashion Figure (B. Lane, Inc.)","New York","New York","HACK","BSO","0","Fashion Figure is notifying customers of a data breach to their system when they discovered unauthorized access to names, customer IDs, addresses, phone numbers, email addresses, and credit card information. After investigation, the company found malware installed on their webserver. The company is providing ID Experts for free for one year for those who were affected. For those with questions call 1-877-868-0171 Monday through Friday from 8:00 am-8:00 pm CST. More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-58851","California Attorney General","","2015","40.712784","-74.005941" "October 29, 2015","Stiletto Solutions","Inglewood","California","HACK","BSO","0","Stiletto Solutions notified consumers of a data breach when they noticed suspicious activity on their e-Commerce server which may have compromised customers' personal information. The information compromised included customer credit/debit card information, the CVV code on the back of the cards, names, billing and shipping addresses, e-mails, usernames and passwords. Customers affected used their cards from November 1, 2013 through September 16, 2015. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58547","California Attorney General","","2015","33.964007","-118.371182" "November 9, 2015","California Department of Motor Vehicles","Sacramento","California","DISC","GOV","0","The California Department of Motor Vehicles notified individuals of a data breach when one of the agency's employees inadvertently sent a file with individual driver's license numbers and names to the Riverside Probation Department. 
More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-58698","California Attorney General","","2015","38.581572","-121.494400" "November 18, 2015","Secretary of State Brian Kemp","Fulton County","Georgia","DISC","GOV","6,000,000","The office of the Georgia Secretary of State, Brian Kemp, is being sued by two Georgia women who claim that the Secretary's office released personal information that involves 6 million Georgia voters. Mr. Kemp's office has communicated that it released information to media, political parties and other paying subscribers who legally buy voter information from the state, but due to what they are calling a ""clerical"" error, individual voters' personal information was included in these files. 12 separate entities received the files that contained 6 million Georgia voters and inadvertently included driver's license information, Social Security numbers and dates of birth. It is legal for the state to release public voter information, but the information is only supposed to include voter's name, residential or mailing address, race, gender, registration date and last voting date. According to the lawsuit, Mr. Kemp's office never notified individuals regarding the breach, nor did they contact the consumer reporting agencies. More information: http://www.ajc.com/news/news/state-regional-govt-politics/suit-accuses-g...","Media","","2015","33.803397","-84.396254" "November 18, 2015","W.W Grainger Inc. ","Lakeforest","Illinois","DISC","BSO","0","Grainger has notified customers of a data breach when their IT team ""recently identified a coding error in the Grainger.com mobile apps for iPhone and Android that resulted in the collection and storage of unsecured user names and passwords on the Grainger system."" This particular database could be accessed by unauthorized users. The company has implemented a reset of users' passwords to their Grainger.com system. Those with questions or needing support can call 1-847-647-3275. 
More information: oag.ca.gov/ecrime/databreach/reports/sb24-58923","California Attorney General","","2015","33.646966","-117.689218" "November 20, 2015","Starwood Hotels","Stamford","Connecticut","HACK","BSO","0","Starwood Hotel chain is the latest to have been affected by cyber criminals. The hotel has notified customers of exposure of credit/debit card information used at retail shops, gift shops and restaurants at W Hotels, Sheraton Hotels and Westin brands. 54 locations may have been affected and included credit/debit card numbers, names and security codes on the back of the cards. ""The locations and potential dates of exposure for each affected Starwood property is available at www.starwoodhotels.com/paymentcardsecuritynotice. Customers with questions may call 1-855-270-9179 (U.S. and Canada) or 1-512-201-2201 (International), Monday through Saturday, 8:00 am to 8:00 pm CST or visit www.starwoodhotels.com/paymentcardsecuritynotice for more information.""  More information: http://www.cbsnews.com/news/starwood-data-breach-see-which-hotels-are-af...","Media","","2015","41.053430","-73.538734" "November 27, 2015","Rockland Nissan","Blauvelt","","INSD","BSO","0","A Rockland Nissan employee was arrested for identity theft after reportedly stealing customers' personal information to obtain and use their information to get credit cards. He charged more than $3,000 in charges.  More information: http://www.lohud.com/story/news/crime/2015/11/27/car-salesman-charged/76...","Media","","2015","41.063430","-73.957638" "November 27, 2015","DeKalb County School System","Decatur","Georgia","DISC","EDU","0","DeKalb County School System notified teachers of a data breach when a mass email was sent out to the system's special education teachers. Sensitive information was exposed within the email which included first, middle and last names, and Social Security numbers.  
More information: http://www.11alive.com/story/news/education/2015/11/20/dekalb-county-tea...","Media","","2015","33.774828","-84.296312" "November 30, 2015","Private Internet Access","Los Angeles","California","HACK","BSO","0","Customers of Private Internet Access were notified via email of a data breach when the company discovered a vulnerability to an IP address affecting the ""port forwarding feature"" of the service the company provided to customers. ""On November 17, we were privately notified of an IP address leak vulnerability affecting the port forwarding feature of our service. Essentially, anyone connecting to a forwarded port on any of our VPN gateways could have their real IP address leaked to an attacker specifically targeting a PIA user. Within 12 hours of the initial report, we developed and tested what we thought was a complete fix, and deployed it to all of our VPN gateways. On November 26, the researchers who discovered the vulnerability made it public and we quickly noticed that our service was still vulnerable to the IP address leak in certain cases, despite our initial fix. After further investigation, we also realized there was a separate but related issue on our desktop client. To fix this issue we are releasing updated VPN apps to prevent any leaks. 
We released v.52 on November 27."" The company is recommending that anyone who uses their service make sure they have the most recent release v.52 to avoid the vulnerability. More information: http://www.databreaches.net/private-internet-access-notifies-customers-o...","Databreaches.net","","2015","34.052234","-118.243685" "November 30, 2015","Pathways Professional Counseling","Birmingham","Alabama","PORT","MED","3,397","Pathways Counseling Center has notified patients of a data breach when a company laptop assigned to an employee was stolen from the employee's car on September 25, 2015. The information contained on the laptop included patient names, Social Security numbers, dates of birth, addresses, diagnoses and/or clinical information, names of treating physicians, phone numbers, email addresses, demographic information, insurance information, types of treatments, prescription medication. Pathways is offering one year free of credit monitoring services. More information: http://healthitsecurity.com/news/laptop-theft-results-in-phi-data-breach...","Health IT Security","","2015","33.520661","-86.802490" "November 25, 2015","LANDesk","South Jordan","Utah","HACK","BSO","0","LANDesk, an IT automation firm, has notified employees of a data breach when they discovered hackers had infiltrated their system and obtained personal information of current and former employees. 
According to the company ""it is possible that, through this compromise, hackers obtained personal information, including names and Social Security numbers, of some LANDESK employees and former Wavelink employees."" More information: http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/","Krebs On Security","","2015","40.571981","-111.910106" "September 25, 2015","Hilton Hotels","McClean ","Virginia","HACK","BSO","0","""Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims."" According to Krebs on Security, five banks have determined that a breach of credit card payment systems has a common thread in that they were all used at Hilton properties. Hilton runs Embassy Suites, Doubletree, Hampton Inn and Suites, Waldorf Astoria Hotel & Resorts and Hilton hotels. It is not clear at this time how many hotels have been affected. More information: http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-pro... Update (11/24/2015): Hilton Worldwide has sent an update to the California Attorney General's office regarding the credit card breach. The company confirms they were a victim of a malware attack that affected debit and credit card information of customers from November 18, 2014 through December 5, 2014 or April 21, 2015 through July 27, 2015. More information: https://oag.ca.gov/system/files/Hilton%20Worldwide%20Inc%20%20Consumer%2...?","Krebs On Security","","2015","38.933868","-77.177260" "November 23, 2015","Jefferson County Texas","Jefferson County","Texas","DISC","GOV","0","Jefferson County residents were alerted to a data breach of the Jefferson County Clerk's office, when online county records exposed personal information of individuals. 
The information exposed thousands of Social Security numbers of current and former Jefferson County residents. ""The issue lingers from an unresolved statewide privacy gap spotted almost a decade ago, when it became apparent county clerks were uploading old records containing personal information to their electronic databases.""""Jefferson County Clerk Carolyn Guidry said she is aware of the online disclosures but said her office lacks the resources to make comprehensive redactions to archived records. Instead, workers have taken a piecemeal approach to removing personal information from the archives, she said.""More information: http://www.beaumontenterprise.com/news/article/Personal-data-of-thousand... ","Media","","2015","39.580030","-105.266293" "November 23, 2015","Yellowfront Grocery","Damariscotta","Maine","HACK","BSR","3,000","Yellowfront Grocery has notified customers of a databreach when malware was discovered on the POS system called CSTARS of Maine, compromising customers debit and credit card statements. The grocery company is sure that the card numbers were compromised but it is still unclear whether or not additional information was stolen. CSTARS reported that card numbers and expiration dates were stolen and no other information was compromised. CSTARS is communicating that the hackers were able to gain access through ""compromised LogMeIn credentials. ""Authorities believe that cards used at the store between August 11, 2015 to October 16, 2015 are at risk of being compromised. The local branch of First Bancorp and Damariscotta Bank & Trust are replacing nearly 2,000 cards and 1,000 cards, respectively, in relation to the breach. 
Pierce said he's heard some reports of fraud.""More information: http://www.scmagazine.com/yellowfront-grocery-notified-customers-via-fac...","Media","","2015","44.032877","-69.518888" "November 17, 2015","Dallas County Texas","Dallas County","Texas","DISC","GOV","0","Dallas County Texas has admitted to a databreach of residents information that has been accessible online for over 6 months. The information included names, addresses, Social Security numbers and birth dates of residents, including children. The county has had over 6 months to pull the data offline, however as of the time of this report by CBS the information had not yet been pulled.More information: http://www.msn.com/en-us/news/us/cbs11-investigates-north-texas-security...","Media","","2015","32.802468","-96.835100" "December 13, 2013","Target Corp.","Minneapolis","Minnesota","HACK","BSR","40,000,000","Target discovered that hackers may have accessed customer debit and credit card information during the Thanksgiving and Christmas shopping season. Customers who used a payment card at any of Target's stores nationwide between November 27, 2013 and December 15, 2013 may have had their payment card information copied for fraudulent purposes. Credit card companies and banks have been notifying customers of the issue and advising them to watch for suspicious charges. Customer names, credit or debit card numbers, card expiration dates, and card security codes were taken and have appeared on the black market.UPDATE (12/24/2013): Target now faces at least three class-action lawsuits as a result of the breach. A wave of scam artists are attempting to profit from the breach by posing as Target or bank representatives addressing the breach. People who shopped at Target are being warned not to give their information out over the phone. Target is working with the U.S. 
Department of Justice and the Secret Service to investigate the breach. UPDATE (12/27/2013): Target customers are also being warned to be suspicious of emails claiming to be from Target or banks that request personal information. It is estimated that the breach may cost Target up to $3.6 billion. It appears that online customers were not affected. UPDATE (12/28/2013): Target confirmed that PINs associated with payment cards were also exposed. UPDATE (1/2/2014): East-West bank has issued a letter to their card holders warning that some of their accounts may have been compromised due to the Target data breach. East-West bank has issued new credit cards to their customers who shopped at any Target stores to reduce any potential unauthorized use of a card. (Source: CA Attorney General's Office) UPDATE (1/10/2014): Target Corp. says that up to 70 million people were affected by the data breach, significantly more than was originally suspected. Experts predict the numbers could climb even higher than 70 million once the company completes its investigation. UPDATE (1/13/2014): Target Corp. has confirmed that malware was found on the Point of Sale devices. The malware has been removed. The number of individuals affected is now said to be 110 million, 70 million more than originally thought. UPDATE (1/13/2014): Security experts are stating that Target may not be alone in the data breach. Neiman Marcus and at least 3 other unnamed retailers (these retailers are thought to be located in Eastern Europe) may also have been compromised as federal investigators track what they believe to be an international crime ring. UPDATE (1/14/2014): Companies that help Target process payments could be facing millions of dollars in fines and costs as a result of the data breach. UPDATE (1/16/2014): The malware that infected the Target POS systems has been found and is known as Trojan.POSRAM, according to a new report by investigators. 
""The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and then stores it on the victim's system for later retrieval"". The malware, known as BlackPOS, was originally thought to have been developed in Russia. This new version is considered to be highly customized so that current antivirus programs would not have detected it, as reported by investigative agencies. UPDATE (1/20/2014): ""A 17 year-old Russian national from St. Petersburg is thought to be responsible for the malicious programming that allowed for data from Target and Neiman Marcus to be compromised,"" according to a California based security firm. UPDATE (1/21/2014): Two Mexican citizens were arrested at the border in South Texas for the purchase of thousands of dollars worth of merchandise with information stolen during the Target security breach, as reported by a South Texas police chief. A spokesman with the Secret Service announced that the investigation is ongoing into the possibility of a link between the Target breach and the two arrested in Texas. UPDATE (1/29/2014): The malware used in the Target attack could suggest a poorly secured feature built into a popular IT management software product that was running on the retailer's internal network. UPDATE (1/29/2014): A Target Corp. 
investor filed suit in Minnesota federal court Wednesday against the retailer's executives, holding them liable for damage caused by the holiday season data breach that saw hackers steal personal and financial information from tens of millions of customers. Shareholder Maureen Collier filed the suit with a complaint alleging that Target's board and top executives harmed the company financially by failing to take adequate steps to prevent the cyberattack, then by subsequently providing customers with incomplete and misleading information about the extent of the data theft. ""The suit brings claims of breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control, and seeks monetary damages on behalf of the company from the 14 named officers and directors"". UPDATE (2/5/2014): Hackers who broke into Target's computer network and stole customers' financial and personal data used credentials that were allegedly stolen from a heating and air conditioning subcontractor in Pennsylvania, according to digital security journalist Brian Krebs. It appears as though the air conditioning company was given access to Target's computer network in order for the vendor to make remote changes to the system to cut heating and cooling costs. Target has not confirmed the accuracy of this report. UPDATE (2/6/2014): Target Corporation announced they are fast tracking new credit card security technology in their stores, 6 months earlier than originally planned. Target's CFO announced it is moving up its goal to utilize chip-enabled smart cards, and now plans to have them in stores by early 2015. These cards encrypt point of sale data, rendering the credit card number less useful if stolen. Currently this technology is more prevalent outside of the US, but has resulted in lower card number thefts in other countries, notably Canada and the United Kingdom. UPDATE (2/15/2014): The breach at the Target Corp. 
that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at the HVAC contractor Fazio Mechanical in Sharpsburg, Pennsylvania. According to Krebs on Security, ""multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers."" UPDATE (5/5/2014): Target's CEO has resigned in the wake of the data breach over the holiday season. He is claiming the breach was his fault. He is the second major executive to resign. Earlier in the year the company's Chief Technology Officer resigned as well. The CFO of the company will take over as the interim CEO. UPDATE (8/7/2014): Target has announced that the data breach will cost its shareholders $148 million. UPDATE (12/9/2014): A Minnesota court ruled that a lawsuit put forth by several banks could proceed as the court stated that Target failed to adequately defend against the massive data breach they suffered. This is the first time a data breach case of this size has moved forward based on a company's failure to respond to warnings from security software/experts. More Information: http://www.csmonitor.com/World/Passcode/2014/1209/Target-ruling-raises-s... UPDATE (12/2/2015): Target will pay a $39.4 million settlement to banks and credit unions that filed a lawsuit against the retailer after the massive hacking event. 
More Information: http://www.reuters.com/article/us-target-breach-settlement-idUSKBN0TL20Y...","Media","","2013","44.977753","-93.265011" "November 30, 2015","VTech","Arlington Heights","Illinois","HACK","BSO","5,100,000","VTech, a Hong Kong based company notified customers of a data breach when hackers were able to gain access to childrens' photos, chat logs, children's names, genders and birthdates, account email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history. ""The majority of the people hacked - more than 2.2 million parents and nearly 2.9 million kids - are in the U.S. The hacks were spread across more than a dozen countries, including France, the U.K. and Germany.""More information: http://money.cnn.com/2015/11/30/technology/vtech-hack-kids/","Media","","2015","42.088360","-87.980627" "December 3, 2015","Dover School District","Danvers","Massachusetts","PHYS","EDU","160","Personal information for close to 160 volunteers in Dover’s school district — including their fingerprint cards and social security numbers — was “mistakenly destroyed” this fall, according to city officials.Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information for each volunteer, as well as checks made out to the state. - See more at: http://www.unionleader.com/Personal-information-for-Dover-volunteers-mis...Dover School District has sent out a notification to volunteers that their personal information may have been compromised. 
The information included names, fingerprint cards and Social Security numbers.Personal information for close to 160 volunteers in Dover’s school district — including their fingerprint cards and social security numbers — was “mistakenly destroyed” this fall, according to city officials.Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information for each volunteer, as well as checks made out to the state. - See more at: http://www.unionleader.com/Personal-information-for-Dover-volunteers-mis...Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information for each volunteer, as well as checks made out to the state. - See more at: http://www.unionleader.com/Personal-information-for-Dover-volunteers-mis...Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information for each volunteer, as well as checks made out to the state. - See more at: http://www.unionleader.com/Personal-information-for-Dover-volunteers-mis...Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information for each volunteer, as well as checks made out to the state. 
A janitor working for the company S.J. Services accidentally placed envelopes that were to be sent to the state to do background checks on the volunteers in a trash bag and put them into a dumpster outside. More information: http://www.unionleader.com/Personal-information-for-Dover-volunteers-mis...","Media","","2015","42.575001","-70.932122" "December 4, 2015","Blue Cross Blue Shield of Nebraska","Omaha","Nebraska","DISC","BSF","1,872","Blue Cross Blue Shield of Nebraska notified patients of a data breach when personal information was inadvertently disclosed on dental form claims. ""The company said a printing error caused some dental explanation of benefits forms to be sent to the wrong customers. The forms reveal treatment and services that the insurer paid on a customer’s behalf. The company said an internal review found that 1,872 dental plan customers received mail statements that included another customer’s name, member identification number and dental claim information. The forms did not disclose birth dates, Social Security numbers, or financial or employment information."" More information: http://www.omaha.com/money/blue-cross-blue-shield-says-it-disclosed-cust...","Media","","2015","41.252363","-95.997988" "December 1, 2015","Cottage Health","Santa Barbara","California","DISC","MED","11,000","Cottage Health is notifying patients of a data breach when personal health information was exposed inadvertently online from October 26, 2015 to November 8, 2015. The information included patient and/or guarantor names, addresses, Social Security numbers, health insurance information and account numbers. Some medical and diagnosis information was also exposed. 
The breach affects the following affiliated hospitals in the healthcare system: Goleta Valley Cottage Hospital, Santa Ynez Valley Cottage Hospital, and Santa Barbara Cottage Hospital. The healthcare company is providing 12 months of free single-bureau credit monitoring through the TransUnion credit bureau. For those with questions, call 1-877-866-6056 Monday through Friday 6 am - 6 pm Pacific Time. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59101","California Attorney General","","2015","34.420831","-119.698190" "December 1, 2015","Keenan and Associates","Torrance","California","DISC","BSF","0","Keenan and Associates, a third party administrator of health insurance benefits, notified individuals of a data breach in which one of their vendors inadvertently exposed personal information because a security setting was not configured correctly on their portal system. The information compromised included names, addresses, telephone numbers, birth dates, medical plan names, plan identifiers and Social Security numbers. The company is providing 24 months free of theft protection through Kroll. 
For those affected or with questions call 1-855-287-9328. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59125","California Attorney General","","2015","33.835849","-118.340629" "December 7, 2015","Muji USA","Bayonne","New Jersey","HACK","BSO","0","Muji USA notified customers of a data breach when they discovered malware on their online shopping portal which may have compromised their customers' personal information. The information compromised included names, addresses, payment card numbers, the expiration dates of cards, and the CVV code on the back of cards. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59200","California Attorney General","","2015","40.676504","-74.093491" "February 28, 2010","Wyndham Hotels & Resorts","Dallas","Texas","HACK","BSO","500,000","International hotel group Wyndham Hotels and Resorts (WHR) has suffered yet another serious data breach after hackers broke into its computer systems, stealing customer names and payment card information. UPDATE (05/18/2010): An open letter from Wyndham to its customers: www.wyndhamworldwide.com/customer_care/data-claim.cfm UPDATE (05/12/2011): Wyndham identified 42 additional New Hampshire residents who were affected by the 2010 breach. The total number of people affected by hacking incidents at Wyndham in 2009 and 2010 is likely to be large since 37 hotels under Wyndham's hotel group were affected. UPDATE (06/26/2012): The FTC has filed a complaint against Wyndham hotels for failure to protect the personal information of consumers. Wyndham hotels and three of its subsidiaries are accused of data security failures that led to three data breaches at Wyndham hotels between 2009 and 2011. The FTC accused them of allowing failures that led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an internet domain address registered in Russia. 
The FTC statement can be read here: http://www.ftc.gov/opa/2012/06/wyndham.shtm. UPDATE (08/30/2012): Wyndham Hotel & Resorts LLC is contending that the FTC lacks the authority to regulate private companies' data security practices. Wyndham motioned to dismiss the FTC's Arizona federal court case with this assertion. UPDATE (06/25/2014): On June 25th, The Federal Trade Commission ""sufficiently alleged that several Wyndham Hotels entities operated as a common enterprise in the commission's data security enforcement action against them, the U.S. District Court for the District of New Jersey held June 23, in an unpublished opinion. The court is allowing Wyndham Hotels and Resorts LLC an interlocutory review of portions of an earlier April 7th opinion denying the company's separate motion to dismiss, Judge Esther Salas wrote in a second unpublished opinion (FTC v. Wyndham Worldwide Corp., 2014 BL 174519, D.N.J., No. 2:13-cv-01887, unpublished opinion 6/23/14)"". UPDATE (12/09/2015): Wyndham Hotels has settled with the FTC over charges that it failed to properly secure customer credit card information. ""A consent order outlining the settlement was filed with the federal court in Newark, New Jersey, 3-1/2 months after the 3rd U.S. 
Circuit Court of Appeals in Philadelphia said the FTC had authority to regulate corporate cyber security. Under the order, Wyndham must establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates, the FTC said."" More information: http://www.reuters.com/article/us-wyndham-ftc-cybersecurity-idUSKBN0TS24...","Media","","2010","32.802955","-96.769923" "December 8, 2015","Middlesex Hospital","Middletown ","Connecticut","HACK","MED","946","Middlesex Hospital has notified patients of a data breach when four of its employees were victims of a phishing scam that enabled hackers to get into hospital records, compromising patient information. The information compromised included names, addresses, dates of birth, medical record numbers, medications they took, dates of service and diagnosis. More information: http://fox61.com/2015/12/08/middlesex-hospital-suffers-patient-data-secu...","Media","","2015","41.562321","-72.650649" "December 11, 2015","Northwest Primary Care","Portland ","Oregon","INSD","MED","5,372","Northwest Primary Care is notifying patients of a data breach when a former employee stole patient information. The information compromised included patient names, dates of birth, Social Security numbers, and credit card numbers. The employee took the information between April 2013 and December 2013. More information: http://www.nwpc.com/ ","Databreaches.net","","2015","45.523062","-122.676482" "December 10, 2015","Word Press","San Francisco","California","HACK","BSO","30,000","""WordPress hosting outfit WP Engine has confessed to a security breach, prompting it to reset 30,000 customers' passwords. ""At WP Engine we are committed to providing robust security. 
We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials,"" it said in a statement yesterday. ""Out of an abundance of caution, we are proactively taking security measures across our entire customer base,"" it added.""","Media","https://www.theregister.co.uk/2015/12/10/wordpress_hosting_biz_confesses_to_hack/","2015","37.774930","-122.419416" "December 8, 2015","George Hills Company Inc.","Sacramento","California","DISC","MED","0","George Hills Company Inc. notified patients of a data breach when a third party software provider, Systema Software, notified the company of a configuration error that allowed unauthorized access to a temporary data backup of claims databases. The information exposed included names, driver's license numbers, and medical information related to claims. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59212","California Attorney General","","2015","38.581572","-121.494400" "December 8, 2015","CM Ebar LLC (Elephant Bar restaurants)","Dallas","Texas","HACK","BSO","0","CM Ebar LLC (Elephant Bar restaurants) notified customers of a data breach when malware was discovered on their payment systems, potentially compromising customer debit and credit card information. The breach affected restaurants in California, Colorado, Arizona, Missouri, Nevada, New Mexico, and Florida. The incident was discovered on November 3, 2015 and affected dates are anywhere from August 12, 2015 through December 4, 2015. 
Information on specific restaurant locations and dates can be found in the link below. http://www.elephantbar.com/incident/ (For any questions regarding the incident, individuals can call 1-888-578-5412) More information: http://sacramento.cbslocal.com/2015/12/08/elephant-bar-restaurant-warns-...","Media","","2015","33.006522","-96.828216" "December 11, 2015","TuneCore","Brooklyn","New York","HACK","BSO","0","TuneCore, a music distribution site, notified customers of a data breach when unauthorized access was discovered, potentially compromising customer information. The information included Social Security numbers or taxpayer ID number, dates of birth, royalty statements for third quarter of 2015, names, addresses, email addresses, TuneCore account numbers, and passwords, billing addresses, last 4 digits of debit or credit card information, expiration dates of cards, last 4 digits of bank account numbers, and last four digits of banking account numbers. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59260","California Attorney General","","2015","40.678178","-73.944158" "December 14, 2015","Sorrento Pacific Financial LLC","Sacramento","California","UNKN","BSF","0","Sorrento Pacific Financial LLC notified the California Attorney General's office of a breach. No specifics were communicated on the AG's site. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59275","California Attorney General","","2015","38.581572","-121.494400" "December 15, 2015","Toyota Financial Services","Anaheim","California","DISC","BSF","0","Toyota Financial Services has contacted customers regarding a data breach when an unencrypted email that contained customer information was sent to a third party vendor that worked on computer system enhancements for Toyota Financial Services. The information exposed included Toyota Financial System account numbers, bank account numbers and bank routing numbers. 
The company is offering one year of credit monitoring for free through ConsumerInfo.com, Inc through Experian. For questions call 1-877-371-7902. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59287 ","California Attorney General","","2015","33.800957","-117.888445" "December 15, 2015","Rivers Casino","Pittsburgh","Pennsylvania","HACK","BSO","0","The Rivers Casino released a statement stating that their system had been infected with malware, but they are claiming that no customer information was compromised. More information: http://pittsburgh.cbslocal.com/2015/12/15/rivers-casino-hit-with-compute...","Media","","2015","40.440625","-79.995886" "December 2, 2015","Holly A. Nordhues","Vacaville","California","HACK","BSF","0","Holly A. Nordhues CPA notified customers of a data breach when she discovered a cyberhack to a computer that housed customer information. The information compromised included names, addresses, Social Security numbers, birthdates, sources of income and tax deductions. She is offering AllClearID for 12 months at no cost. For those affected or with questions, call 1-877-676-0379. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59137  ","California Attorney General","","2015","38.350071","-121.994641" "December 18, 2015","CBC Restaurant Corporation (Corner Bakery Cafe)","Dallas","Texas","INSD","BSO","0","The Corner Bakery Corporation notified employees of a data breach when an ex-employee of the company may have stolen employee files with the intent to commit identity theft. The company has not been able to verify if this has happened. The information that may have been exposed includes names, addresses, dates of birth and Social Security numbers. 
More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59339","California Attorney General","","2015","32.776664","-96.796988" "December 22, 2015","Dungarees","Columbia","Missouri","HACK","BSR","0","Dungarees has notified individuals of a data breach when they discovered their online store was hacked. The hacking may have compromised both debit and credit card numbers. The hacking may have compromised customer names, billing information, mailing information, email addresses, credit and debit card information, the expiration date, and the CVV on the back of the card. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59371","California Attorney General","","2015","34.000710","-81.034814" "December 23, 2015","Acclaim Technical Services","Huntington Beach","California","HACK","BSO","0","Acclaim Technical Services has notified individuals of a data breach when their system was hacked, compromising personal information of individuals who had a background check done with the company. The information compromised included names, Social Security numbers, addresses, dates and places of birth, residency, educational and employment history, personal foreign travel history, information about immediate family, as well as business and other personal information contained in a background check. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59396","California Attorney General","","2015","33.734737","-117.994262" "December 23, 2015","Matson Navigation Company (Horizon Lines)","Phoenix","Arizona","PORT","BSO","0","Horizon Lines has notified mariners who served on vessels operated by Horizon Lines that a device containing their personal information has been identified as missing. The device was first identified as potentially missing on or about December 7, 2015 and appears to have been lost between November 9 and December 7, 2015. 
The device contained individualized information of mariners who have served aboard vessels operated by Horizon Lines since the year 2000. The information compromised included names, birth dates, addresses, telephone numbers, emergency contact information, Social Security numbers, and in some cases bank account and routing numbers, photocopies of passports, Transportation Worker Identification Credentials (TWIC), Merchant Mariner Documents (MMD) and Merchant Mariner Credentials (MMC), and copies of specific medical documents. The company is offering AllClear ID for up to 12 months at no cost. For those affected call 1-855-711-5990. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59399 ","California Attorney General","","2015","33.399136","-112.017755" "December 22, 2015","HealthSouth Rehabilitation Hospital","Round Rock","Texas","PORT","MED","1,359","HealthSouth Rehabilitation Hospital of Round Rock put out a notification on their site regarding a data breach after a laptop was stolen. ""HealthSouth Rehabilitation Hospital of Round Rock, previously Reliant Rehabilitation Hospital Central Texas, is currently notifying potentially affected individuals that a laptop containing unsecured protected health information was stolen from the trunk of an employee’s vehicle on or around Oct. 21, 2015. The information on the laptop varied by individual but may have included an individual’s name, address, date of birth, Social Security number, phone number, insurance number, diagnosis, referral ID number or medical record number. 
At this time, the hospital is working to notify the 1,359 potentially affected individuals via letter."" More information: http://www.healthsouthroundrock.com/en/news-listing/2015-data-breach#sth...","Security Breach Letter","","2015","30.508255","-97.678896" "December 22, 2015","Thomas Nelson Community College","Hampton","Virginia","DISC","EDU","0","Thomas Nelson Community College notified students of a data breach when their personal information was inadvertently sent to 11 current nursing students. ""We learned on December 9, 2015, that on December 8, 2015, your confidential student information to include name, address, phone number, social security number, student identification number, date of birth, immunization dates, background check results (no offenses listed), grades, and student progress indicators were emailed to eleven current nursing students. Each of the email recipients has been contacted and directed to permanently delete this information. While there is no indication that your information has been misused in any way, as a precautionary measure, we are offering a complimentary one-year membership to Experian’s® ProtectMyID®."" More information: http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Thomas%20Ne...","Vermont Attorney General","","2015","37.029869","-76.345222" "December 22, 2015","Alliance Health","South Jordan ","Utah","DISC","MED","0","Alliance Health has put up a notification on their site regarding a data breach that potentially exposed their customers' personal health information. ""Alliance Health had a configuration error in its MongoDB Database installation. The leak was reported to DataBreaches.net by Chris Vickery, who has uncovered other leaks including the Systema Software leak affecting numerous clients and millions of insurance or workers compensation claims."" Databreaches.net notified the company of the breach. 
More information: http://www.databreaches.net/misconfigured-database-may-have-exposed-1-5-... Company notification: https://www.alliancehealth.com/news/statement-regarding-data-security/","Databreaches.net","","2015","40.562170","-111.929658" "December 21, 2015","Radiology Regional Center","Fort Myers","Florida","PHYS","MED","0","Hundreds of medical records belonging to Radiology Regional Center were found scattered on the roads in Fort Myers, Florida. The records included financial information on accounts, old phone bills invoice and registration information typically given at the front desk. It appears that the container holding the documents, which were being collected for destruction by the county, opened and the papers flew out of the truck. More information: http://www.winknews.com/2015/12/21/medical-records-found-on-fowler-street/","Media","","2015","26.640628","-81.872308" "December 21, 2015","Fox River Counseling Center","Oshkosh","Wisconsin","PORT","MED","509","""An Oshkosh counseling center has notified 509 patients of a breach of personal and medical information after an October burglary. Fox River Counseling Center, 627 Bay Shore Drive, is encouraging clients to change their passwords and monitor their accounts after someone stole an unsecured laptop Oct. 23, said Dr. Scott Trippe, a psychologist at the clinic. The computer contained outpatient mental health records of clients who visited the center from Nov. 7, 2012, to Aug. 19, 2014, and Wisconsin Disability Determination Bureau psychological evaluations from May 13, 2013, to Oct. 21, 2015. Information included in the data breach included clients' names, addresses, dates of birth, Social Security numbers, medical histories, mental status interviews, results of psychological testing, diagnoses and statements of work capacity, said Trippe, who himself had personal information on the laptop."" More information: http://www.thenorthwestern.com/story/news/2015/12/21/counseling-clinic-w... ","Media","","2015","44.024706","-88.542614" "December 24, 2015","Livestream","New York","New York","HACK","BSO","0","""Live video streaming platform Livestream has discovered that an unauthorised person may have accessed its customer accounts database. The database holds information such as a user's name, email address, an encrypted version of their password, as well as phone numbers and the customer's date of birth.""","Media","http://www.zdnet.com/article/online-broadcaster-livestream-suffers-possible-database-breach/","2015","40.712784","-74.005941" "December 21, 2015","Juniper Network","Sunnyvale","California","HACK","BSO","0","""Juniper Networks, a computer network company, disclosed late last week that they suffered a major breach. The attack may have compromised the encrypted communications of many of their enterprise customers, including the U.S. government. Juniper Networks officials confirmed that hackers installed a “back door” on their computer equipment to gain access to the private communications of their customers. The company reports that “unauthorized code” was inserted in ScreenOS software that “could allow a knowledgeable attacker to gain administrative access.” USA Today reports, “The rogue code could potentially compromise the whole system and decrypt VPN devices, without leaving a trace of the party behind the breach.”","Media","https://www.securelink.com/securelink-blog/juniper-networks-data-breach/","2015","37.368830","-122.036350" "January 5, 2016","Washington Hospital Healthcare System","Fremont","California","HACK","MED","0","Washington Township Health Care District has notified individuals of a data breach to their system located in the Washington Community Health Resource Library. This system is used to maintain library identification cards. 
The information compromised included names, addresses, and driver's license numbers. For questions call 1-888-668-9189 Monday through Friday 6:00 am to 6:00 pm PST. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59419","California Attorney General","","2016","37.548270","-121.988572" "December 31, 2015","Hillsides","Los Angeles","California","DISC","MED","0","Hillsides is notifying individuals of a data breach when an employee sent internal files that included personal information on both employees of the organization and patients of the organization. The information included names, hiring dates, job titles, division descriptions, Social Security numbers, home addresses, zip codes and home phone numbers. In some instances the emails also included therapists' names, Integrated System numbers, start dates for services, outcome dates, parent partner names, names of rehabilitation specialists, rehab clinics, and gender. For questions call 1-323-543-2800 between the hours of 8:30 am and 4:30 pm Monday to Friday, or email taikins@hillsides.org. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59475","","","2015","34.140785","-118.183761" "January 4, 2016","Regional Income Tax Agency","Brecksville","Ohio","PORT","GOV","50,000","The Regional Income Tax Agency notified individuals that it lost personal data when a DVD that contained copies of income tax documents went missing. ""The agency stored DVDs off-site at a third party vendor's facility. The missing DVD was discovered when RITA recalled some DVDs to destroy them. 
The agency has moved to a new more secure backup system, making the DVDs obsolete, according to the agency."" More information: http://www.cleveland.com/metro/index.ssf/2016/01/rita_loses_personal_inf...","Media","","2015","41.319776","-81.626790" "December 27, 2015","University of Connecticut","Storrs","Connecticut","HACK","EDU","0","The University of Connecticut has notified individuals of a breach when malware was found on their website ""prompting visitors to download a malicious program posing as Adobe Flash Player, according to a university spokesman."" More information: http://dailycampus.com/stories/uconn-website-compromised-malicious-program","Media","","2015","41.808431","-72.249523" "December 27, 2015","Quincy Credit Union","Boston","Massachusetts","HACK","BSF","670","Quincy Credit Union was a target of malware that allowed hackers to gain access to customers' bank accounts when skimmers were found on ATM machines. ""Quincy Credit Union president Stewart Steele told WBZ-TV an estimated 670 accounts were impacted. Steele said he believes skimmers may have been placed on the ATM machines. It’s unclear how much money was taken."" More information: http://boston.cbslocal.com/2015/12/27/quincy-credit-union-restricts-atm-... ","Media","","2015","42.360083","-71.058880" "December 28, 2015","Oregon Department of Veterans Affairs","Portland","Oregon","DISC","GOV","967","The Oregon Department of Veterans Affairs notified patients of a data breach when they found discharge and release papers with an unauthorized individual. The information compromised included names, addresses, Social Security numbers and dates of birth. More information: http://ijpr.org/post/personal-info-hundreds-oregon-veterans-compromised#...","Media","","2015","45.523062","-122.676482" "December 18, 2015","Cottonwood Comfort Dental","Albuquerque","New Mexico","PHYS","MED","0","Thousands of dental records from Cottonwood Comfort Dental were found scattered all over a New Mexico freeway. 
The paperwork contained addresses, insurance information and Social Security numbers. The dental company said they have their paperwork shredded and is now investigating the incident. More information: http://krqe.com/2015/12/18/new-mexicans-medical-records-dumped-along-wes...","Media","","2015","35.085334","-106.605553" "January 5, 2015","mdlNR LLC","Jacksonville","Florida","HACK","MED","1,859","As reported through Health and Human Services, mdlNR LLC, a healthcare provider in Jacksonville, Florida, experienced unauthorized access to emails. Additional specific information as to what personal information was compromised was not available. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","30.332184","-81.655651" "January 8, 2016","Time Warner Cable","San Diego","California","HACK","BSO","320,000","Time Warner Cable discovered that their online systems were hacked, compromising the usernames and passwords of approximately 320,000 of its customers. ""The telecommunications giant says the FBI informed it of the apparent breach. As a precaution, the company is now contacting affected customers to advise them to change their account passwords."" More information: http://www.foxnews.com/tech/2016/01/08/time-warner-cable-says-320000-cus...","Media","","2016","32.715738","-117.161084" "October 13, 2015","Uber","San Francisco","California","DISC","BSO","674","The ""Uber partner"" app that was designed by the company apparently has leaked drivers' information, which included their license and Social Security numbers. An Uber driver found the glitch and communicated his findings with a reporter. 
More information: http://motherboard.vice.com/read/uber-left-hundreds-of-drivers-licenses-... Update (1/7/2016): New York has agreed to a $20,000 settlement with Uber over their ""god view"" rider-tracking system that compromised driver information. More information: http://www.cnet.com/news/uber-fined-20k-in-surveillance-data-breach-probe/","Media","","2015","37.774930","-122.419416" "January 6, 2016","Indiana University Health Arnett Hospital","Lafayette","Indiana","PORT","MED","0","Indiana University Health Arnett Hospital notified patients of a data breach when the hospital became aware of a missing unencrypted flash drive from their emergency department. The information compromised included patient information from emergency department visits, names, dates of birth, ages, home telephone numbers, medical record numbers, dates of service, diagnoses and treating physicians. More information: http://www.beckershospitalreview.com/healthcare-information-technology/f... ","Media","","2016","30.224090","-92.019843" "January 7, 2015","Saint Louis County Department of Health","St. Louis","Missouri","HACK","MED","4,000","""On November 18, 2014, an employee of the covered entity (CE), Saint Louis County Department of Health, resigned her position and then impermissibly emailed her personal email account a spreadsheet that was used to reconcile bills for medical services provided to the CE's patients. The types of protected health information (PHI) contained in the spreadsheet included the names, social security numbers, and dates of service of approximately 4,000 patients, along with the names of the medical providers. The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report. The CE terminated the former employee’s access to its patient database and retrained employees on its HIPAA policies and procedures regarding HIPAA. 
OCR obtained assurances that the CE implemented the corrective actions listed."" More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","38.627003","-90.199404" "January 7, 2016","Aspire Indiana Inc.","Lebanon","Indiana","PORT","MED","43,890","According to Health and Human Services, Aspire Indiana Inc. suffered a data breach when a laptop was stolen from their facility. They did not report what specific personal information was on the laptop. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","36.208110","-86.291102" "January 7, 2015","VA Corporate Data Center Operations/Austin Information Technology Center","Austin","Texas","HACK","MED","7,029","According to the Health and Human Services website, the VA Corporate Data Center suffered a data breach when they discovered their network server was hacked, compromising personal information. The types of information compromised were not communicated. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","30.267153","-97.743061" "January 12, 2015","Tennessee Rural Health Improvement Association","Cucamonga","California","PHYS","MED","1,030","Children's Eyewear Sight notified individuals of a data breach when a desktop computer was stolen containing individuals' personal information. What specific personal information was contained in the computers was not communicated. 
More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","35.306787","-112.309725" "January 15, 2015","National Pain Institute","Winter Park","Florida","PHYS","MED","500","""From July 13, 2013, to August 13, 2013, the covered entity (CE), National Pain Institute, distributed outdated computers to its employees for their personal use without first deleting all electronic protected health information (ePHI) from the computers. The computers contained the PHI of approximately 500 individuals, including names, addresses, dates of birth, diagnoses, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the incident, The CE tracked the computers, repossessed those computers that it was able to locate, and obtained written acknowledgement from the former employees that the PHI from the computers was not used or disclosed to others. In addition, the CE improved safeguards by encrypting all computers, upgrading the malware and software of desktop computers, improving network and email security, improving identity management, and automating and standardizing security for devices containing ePHI. The CE also updated its HIPAA policies and procedures, including a policy for responding to security incidents. OCR obtained assurances that the CE implemented the corrective actions listed."" More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","28.600000","-81.339235" "January 16, 2015","Rainier Surgical, Incorporated","Dallas","Texas","PHYS","MED","4,920","Rainier Surgical Incorporated reported a file drawer that contained personal information on patients was stolen from a warehouse. The information compromised included names, addresses, dates of birth, health insurance information, explanations of benefits, credit card numbers and Social Security numbers. 
The company offered one year of free credit monitoring services. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","32.776664","-96.796988" "January 23, 2015","St. Peter's Health Partners","Albany","New York","PORT","MED","5,117","St. Peter's Health Partners notified individuals of a data breach when a portable device containing personal health information was stolen from their offices. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","42.652579","-73.756232" "January 23, 2015","Ronald D. Garrett-Roe MD","Corpus Christi","Texas","HACK","MED","1,600","Dr. Ronald D. Garrett-Roe notified patients of a data breach when hackers gained unauthorized access to two hard drives located on the desktop computers of the physician's office. The hard drive had been removed and all the files contained on the hard drive were copied. The hard drive was then formatted to erase all of the information on the computer system. No specific information was provided as to what patient information was compromised. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","27.800583","-97.396381" "January 23, 2015","California Pacific Medical Center","San Francisco","California","INSD","MED","858","California Pacific Medical Center through an audit discovered that one of its employees accessed medical records of 13 coworkers. A subsequent audit showed that this same employee accessed records of an additional 845 individuals. 
The information compromised included patient demographics, last four digits of a Social Security numbers, clinical information about diagnoses, clinical notes, physician order information, laboratory and radiological data, and prescription information.More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","37.774930","-122.419416" "January 23, 2015","Diana S. Guth DBA Home Respiratory Care","Los Angeles","California","DISC","MED","1,285","Diana S. Guth DBA Home Respiratory Care notified individuals of a data breach when information was disclosed through email. No specific details on how the breach occurred or what specific information was compromised. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","34.052234","-118.243685" "January 29, 2015","David E. Hansen DDS PS","Tacoma","Washington","PORT","MED","2,000","David E. Hansen DDS PS notified patients of a data breach when a portable electronic device was stolen.Specifics on what information was compromised was not provided.More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","47.252877","-122.444291" "January 29, 2015","Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc.","Mid-Atlantic ","Maryland","DISC","MED","630","Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. notified patients of a data breach when a printing error patients received appointment reminders containing other patients health information. the breach affected 630 individuals. The information compromised included names, medical record numbers, types of appointments to be scheduled, and providers' names and departments. 
More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","40.216408","-73.276536" "January 29, 2015","Riverside County Regional Medical Center","Moreno Valley","California","PORT","MED","7,925","Riverside Regional Medical Center notified patients of a data breach when one of their employee laptops used in their Ophthalmology and Dermatology clinics was stolen that contained patient information. The information on the laptop included names, phone numbers, addresses, dates of birth, Social Security Numbers, and clinical information such as medical record numbers, physicians, diagnosis, treatments received, medical departments and health insurance information. The facility has set up 12 months free of Experian's ProtectMyID Alert for those affected. For questions call 1-866-313-7993. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-48266","California Attorney General","","2015","33.912178","-117.196004" "January 29, 2015","North Dallas Urogynecology","Dallas","Texas","PORT","MED","678","North Dallas Urogynecology notified patients of a data breach when a laptop was stolen from their offices that contained personal information of patients. No specifics were provided as to what kind of personal information the laptop contained. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","32.776664","-96.796988" "May 5, 2014","UMASS Memorial Medical Center (UMMMC)","Worcester","Massachusetts","INSD","MED","14,100","UMass Memorial Medical Center informed patients of a data breach that occurred when a former employee stole personal information from the medical center's files. The information stolen included names, dates of birth, Social Security numbers and addresses. The former employee had access to this information from May 6, 2002 to March 4, 2014. 
Investigators believe that this individual stole the information in order to open credit card and cell phone accounts. Update (1/14/2016): Per HHS the total breach number increased to 14,100 individuals vs. the original 2,300 reported. Our numbers have been amended as such. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Media","","2014","42.262593","-71.802293" "January 5, 2016","Southern New Hampshire University","Hooksett","New Hampshire","DISC","EDU","140,000","Southern New Hampshire University is investigating disclosure of a database that contained student information. The database contained more than 140,000 records including student names, email addresses, and IDs, course name, course selection, assignment details and assignment score, instructor names and email addresses. The University claims that a third party vendor exposed the data due to a configuration error. More information: http://www.csoonline.com/article/3019278/security/snhu-still-investigati...","Media","","2016","43.039228","-71.453400" "January 19, 2016","Earbits.com","Venice","California","DISC","BSO","325,000","""Music industry security has taken a beating recently, and today I'm adding another log to the fire: Earbits, an independent Internet radio outlet, was recently leaking the private account details of over 325,000 users. Followers of data breach news will recall the early December hack of music sales site Tunecore as well as more recent coverage of a SQL injection attack against a band known as Faithless. But unlike the Tunecore and Faithless incidents, this Earbits situation does not involve a hack at all. I discovered the 325k user database through a regular review of search results on the site Shodan.io. The Earbits database was not using any authentication measures. 
It was completely exposed and available to anyone in the entire world with an Internet connection.We're talking about everything from real names, email addresses, and SHA1 password hashes (with accompanying salts), to the secret access keys of Earbits' Amazon S3 account.""","Media","https://mackeeper.com/blog/post/183-earbitscom-leaks-325000-user-credentials","2016","27.099778","-82.454263" "March 9, 2015","Inland Empire Health Plan/Children's Eyewear Sight","Rancho Cucamonga","California","STAT","MED","0","Inland Empire Health Plan notified customers of a data breach when a desktop computer and other items were stolen from Children's Eyewear Sight. The police were able to apprehend the individual who perpetrated the theft. The files on the computer included names, dates of birth, genders, addresses, contact phone numbers, email addresses, IEHP Member ID number, dates of appointments, dates of purchases, and the names of doctors who provided services. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-47991","California Attorney General","","2014","34.081915","-117.568733" "January 15, 2016","Virginia Department of Human Resources Management","Richmond","Virginia","DISC","GOV","0","The Department of Human Resources was notified by a third party that accidental disclosure of employee information was found on their website when improper redaction of documents was discovered. The information exposed included Social Security numbers, and salary.More information: http://www.databreaches.net/improper-redaction-exposed-virginia-employee...","Databreaches.net","","2015","37.536603","-77.429885" "January 15, 2016","Hyatt Hotels","Chicago","Illinois","HACK","BSO","0","The Hyatt hotel chain has notified individuals of a data breach when they discovered 250 of their 627 hotels were infected with malware that stole information, in particular, credit/debit card information.The malware infected restaurants, spas, parking, golf shops, front desk reception. 
The infection may have started as early as July 30, 2015 to December 8, 2015 and affecting hotels in US, UK, China, Germany, Japan, Italy, France, Russia and Canada. Hyatt is offering one year of credit monitoring for free via CSID.Click on the link for global list of sitesMore information: http://www.zdnet.com/article/250-hyatt-hotels-infected-last-year-with-pa...","Media","","2016","41.878114","-87.629798" "January 25, 2016","University of Virginia","Charlottesville","Virginia","HACK","EDU","1,440","The University of Virginia has notified employees of a data breach, when a cyber attack of their human resources system was discovered. The attack was initiated by a phishing email asking for usernames and passwords to their HR system and one or more employees fell for the phishing scam. The information compromised included 1,400 W2's (which includes names, addresses, Social Security numbers,etc) of employees and direct deposit banking information of an additional 40 employees. According to the university the attackers gained access to the system sometime in early November 2014 and continued through February 2015. The FBI led investigation has resulted in the arrest of suspects who are currently being held in custody, no names have been released.More information: http://www.zdnet.com/article/university-of-virginia-data-breach-exposed-... ","Media","","2016","38.029306","-78.476678" "December 28, 2015","Unconfirmed","Unknown","","DISC","BSO","191,000,000","The Hill has communicated that ""Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet.The information contains voters’ names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000.""In many states, this information is a matter of public record. 
However there are several states such as South Dakota that require confirmation of those who are using the information to consent that they will not use or sell the information for commercial purposes or placed on the Internet for anyone to access. Currently, no company has claimed the database so it is unclear who the information belongs to or how the information was put up on the Internet. As more information is discovered, we will update as appropriate. More information: http://thehill.com/policy/cybersecurity/264297-report-191m-voter-records...","","","2016","42.230537","-83.746640" "January 16, 2016","Berks & Beyond Employment Services","Allentown","Pennsylvania","STAT","BSO","0","Stacks of paperwork from an employment agency was found dumped in containers at The City of Allentown Center for Recycling and Solid Waste. The files were not secure as they were placed in a public trash bin. The information exposed included names, Social Security numbers, addresses and other information.More information: http://www.mcall.com/news/local/watchdog/mc-employment-agency-applicatio...","Media","","2016","40.608431","-75.490183" "January 6, 2016","McFadden","Glendale","Arizona","CARD","BSO","0","People who ate at McFadden's received phone calls about fraudulent charges made to their credit card. ""The victims were told by their banks, the charges were made using a fake credit card. ABC15 found even more victims when we searched on Yelp. 
One writes, the manager told them they were aware of the problem, suggesting a problem with the bank."" More information: http://www.abc15.com/news/region-west-valley/glendale/mcfaddens-at-westg...","Media","","2016","34.142508","-118.255075" "January 16, 2016","Gas and Shop","San Anselmo","California","HACK","BSO","20","The Central Marin Police have been investigating a skimming operation that as many as 20 people may have been victims of after the police received reports from individuals claiming that their credit/debit card information was compromised. The investigation revealed that skimming devices were placed on the gas pumps at the Gas and Shop station in San Anselmo. ""Police said the suspects used physical skimming devices to obtain the cards' information, and detectives have since checked all the gas pumps at the station to make sure the devices are no longer in place. Police said they expected more than 20 people were victimized and the fraud has been occurring throughout Marin, Sonoma and Contra Costa counties."" More information: http://www.marinscope.com/twin_cities_times/news/at-least-people-are-vic...","Media","","2016","37.977379","-122.562424" "January 18, 2016","University of Northern Iowa","Cedar Falls","Iowa","UNKN","EDU","100","Over 100 University of Northern Iowa employees reported that their tax returns had been rejected in 2014 because someone had filed a return fraudulently on their behalf, collecting their refund. After further investigation, a 45-year-old man, Bernard Ogie Oretekor, has been charged with the tax identity theft when computers belonging to Oretekor, in connection with a separate investigation, uncovered the information on the employees. It is still not clear how Oretekor gained this information on the employees. 
More information: http://www.kcrg.com/content/news/Suspect-Charged-in-University-of-Northe...","Media","","2016","42.534899","-92.445316" "January 18, 2016","Crest Foods","Oklahoma City","Oklahoma","PHYS","BSO","0","An individual contacted a local news agency in Oklahoma City, Oklahoma when information on Crest Foods employees was found in a dumpster at a recycling facility. The information this individual found on one employee included her application of employment and direct deposit form. Another individual's Social Security number and bank routing numbers were exposed. The grocery store chain is currently investigating the issue with both their internal procedures and procedures with a third party vendor that they use to destroy sensitive information. More information: http://www.news9.com/story/30995309/personal-information-found-on-discar...","Media","","2016","35.467560","-97.516428" "January 19, 2016","Unknown","Indianapolis","Indiana","PHYS","BSF","0","An individual contacted a local TV station regarding records found in a dumpster outside a strip mall in Indianapolis, Indiana. These documents were people's tax returns containing addresses, names and Social Security numbers. The number of individuals affected or the company that prepared the tax returns is not yet known. More information: http://www.theindychannel.com/news/call-6-investigators/call-6-tax-docum...","Media","","2016","39.768403","-86.158068" "December 17, 2015","Landry's ","Houston","Texas","HACK","BSO","0","Landry's has notified individuals of a data breach to their card payment systems. 
The restaurant/hotel and casino chain discovered unauthorized charges to debit and credit card of customers who dined at some of its restaurants.The company owns 500 locations and owns a variety of brands including Bubba Gump Shrimp Co., Salt Grass Steak House, Willie G's, the Aquarium, Vic & Anthony's downtown, Kemah Boardwalk, the Pleasure Pier and several Golden Nugget casinos and hotels.The information compromised included names, card numbers, expiration dates and verification codes on the back of cards. More information: http://www.chron.com/business/retail/article/Landry-s-investigates-payme...Update (2/1/2016): Landry's has released the list of locations that were affected by the data breach. You can find the list here: http://www.landrysinc.com/protectingourcustomers/Locations.asp?loc=LDRYFor those with questions on this breach, call 877-238-2151 (U.S. and Canada), Monday through Friday from 9am to 7pm EST.","Media","","2015","29.760427","-95.369803" "January 12, 2016","Rate My Professors","New York","New York","HACK","BSO","0","RateMyProfessors.com notified customers of a data breach when they discovered unauthorized access to a ""Decommissioned Site"" which allowed the hackers to gain access to the companies live site. The information compromised included email addresses and passwords for registered users of the site. The site does not collect payment card information, Social Security numbers, driver's license numbers or insurance numbers. The company is requiring individuals change their username and passwords. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59576","California Attorney General","","2016","40.757932","-73.986072" "January 12, 2016","JB Autosports","Des Moines","Iowa","HACK","BSO","0","JB Autosports, Inc. notified customers of a data breach when the system their check out page was the target of a cyberattack. 
The cyberattack affected customers who used their credit cards to pay for purchases from the companies website.The information compromised included names, addresses, credit card numbers, credit card expiration dates, CID numbers, CAV2 numbers, CVC2 numbers and CVV2 numbers.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59575","California Attorney General","","2016","41.609903","-93.617962" "February 2, 2016","Hawaii Medical Service Association (HMSA)","Honolulu","Hawaii","DISC","MED","10,800","HMSA notified 10,800 members of a data breach when letters communicating care management went to the wrong addresses.The information compromised included patient names, management of certain health conditions and steps individuals could take to identify or treat an ailment.""Members are encouraged to visit hmsa.com/media-center to see copies of the letters. Members who have questions about this mailing can visit an HMSA Center or office. They can also call (808) 948-6404 on Oahu and 1 (800) 459-3963 toll-free on the Neighbor Islands or the Mainland, from 8 a.m.- 5 p.m. Hawaii Time, Monday to Friday.""More information: https://hmsa.com/media-center/2015/12/letter-error/","Databreaches.net","","2016","21.306944","-157.858333" "February 1, 2016","Tax Slayer","Evans","Georgia","HACK","BSF","8,800","Tax Slayer is notifying customers of a data breach that may have affected their 2014 tax return information. The company is stating that an unauthorized party accessed the information through a third party vendor. The company is not stating who the vendor is. The information compromised included names, addresses, Social Security numbers, Social Security numbers of independents and other data contained in a tax return.""The company is making $1 million worth of identity theft insurance available to those affected for one year along with credit monitoring for the same period. 
The company is recommending that these individuals change not only their TaxSlayer user names and passwords, but also those on any other accounts on which they are used.""More information: http://www.scmagazine.com/taxslayer-breached-8800-customers-notified-pii...","Media","","2016","33.533746","-82.130675" "January 13, 2016","Tax Act","Cedar Rapids","Iowa","HACK","BSF","450","TaxAct has notified customers of a data breach when an unauthorized party or party's infiltrated their system. ""According to the letter dated January 11, TaxAct found evidence that certain accounts were entered between Nov. 10, 2015 and Dec. 4, 2015. The attacker viewed and possibly copied or printed stored tax returns and thus had access to Social Security numbers, addressed, names, driver's license numbers and bank account information.""The company has not released how many individuals were affected by this breach. They are claiming that less than 0.25 percent were affected. The company is offering one year free of credit monitoring and a $1 million dollar insurance reimbursement policy. More Information: http://www.scmagazine.com/taxact-breached-customer-banking-and-social-se...More Information: http://www.wsj.com/articles/tax-preparation-firm-discloses-data-breach-1...","Media","","2016","42.037549","-91.657429" "February 1, 2016","Neiman Marcus","Dallas","Texas","HACK","BSO","5,200","Neiman Marcus has notified individuals of a data breach when the company discovered unauthorized access to online accounts on or around December 26, 2015.The information compromised included usernames, passwords, names, mailing addresses, phone numbers, last four digits of payment card along with purchase histories. ""The firm suspects the attacker obtained the login credentials from large breaches at other companies where login names and passwords were stolen in order to gain unauthorized access to other accounts where victims might use the same credentials. 
Rawlinson said, customers will be required to reset their passwords on all NMG websites the next time they log into their accounts.""More information: http://www.scmagazine.com/attacker-accesses-5200-neiman-marcus-group-cus...","Media","","2016","32.776664","-96.796988" "February 4, 2016","University of Central Florida","Orlando","Florida","HACK","EDU","63,000","The University of Central Florida notified current and former students of a data breach when they discovered unauthorized access into the university system.The information compromised included financial records, medical records, grades and Social Security numbers. ""We have established a call center that you can contact at 877-752-5527 between 9 a.m. and 9 p.m. EST Monday through Friday if you have questions about this incident.""The university will be providing one year free of credit monitoring to those who were affectedMore information: http://www.ucf.edu/datasecurity/","Security Breach Letter","","2016","28.538336","-81.379237" "January 25, 2016","Livongo Health Inc.","Chicago","Illinois","PHYS","MED","1,950","Per Health and Human Services Livongo Health suffered a breach when paper files/films were breached. There is no information as to what type of information was compromised in the breach.More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.878114","-87.629798" "January 14, 2016","G&S Medical Associates, LLC","Paterson","New Jersey","HACK","MED","3,000","G&S Medical Associates, LLC suffered a data breach when a desktop computer was hacked. 
The type of information hacked was not disclosed by HHS.More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.916765","-74.171811" "January 14, 2016","Blue Shield of California","Los Angeles","California","HACK","MED","20,764","Per Health and Human Services Blue Shield of California suffered a data breach when one of their network servers was hacked. No information was provided as to what information was compromised in the hack. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","34.052234","-118.243685" "January 15, 2016","New West Health Services dba New West Medicare","Kalispell","Montana","PORT","MED","28,209","Per Health and Human Services, New West Health Services, dba New West Medicare suffered a data breach when a laptop went missing. The information compromised was not disclosed.More information:https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","48.191989","-114.316813" "January 4, 2016","Elite Imaging","Aventura","Florida","PHYS","MED","1,457","Per Health and Human Services, Elite Imaging notified HHS of a data breach when they discovered paper files had been stolen. What specific personal information was compromised was not communicated. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","25.956481","-80.139212" "February 2, 2016","Grx Holdings LLC dba Medicap Pharmacy","West Des Moines","Iowa","PHYS","MED","2,300","Grx Holdings, LLC dba Medicap Pharmacy notified Health and Human Services of a data breach when they suffered a loss of information. There are no specifics as to what kind of loss it was or what type of information was compromised. 
More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.577212","-93.711332" "February 9, 2016","Washington State Health Authority (HCA)","Washington","District Of Columbia","INSD","GOV","91,000","""The Washington State Health Authority (HCA) said Tuesday that an employee mishandled the Social Security numbers, dates of birth, Apple Health client ID numbers and private health information of 91,000 Apple Health (Medicaid) clients.""The employees involved worked at two different state agencies and they exchanged files of clients which violates HIPAA. They are not clear if any of the files were disseminated beyond the two employees who exchanged the files. More information: http://www.king5.com/story/news/health/2016/02/09/state-data-breach-impa...","Media","","2016","41.301408","-91.691642" "February 10, 2016","Internal Revenue Service","Washington ","District Of Columbia","HACK","GOV","101,000","""The IRS revealed on Tuesday that it discovered and stopped an automated cyberattack on its e-filing personal identification number (PIN) system last month. According to the IRS, the cybercriminals used information stolen “elsewhere outside the IRS” to generate e-file PINs for stolen Social Security numbers (SSNs). E-file PINs are used by some taxpayers to electronically file their tax returns. Although no personal taxpayer data were compromised or disclosed by the breach, the IRS noted that the cybercriminals succeeded in using 101,000 SSNs to access e-file PINs (out of 464,000 attempts).""The IRS is notifying individuals and placing markers on their tax accounts to try and catch any fraudulent tax returns being filed. 
More information: http://www.journalofaccountancy.com/news/2016/feb/irs-data-breach-expose...","Media","","2016","38.907192","-77.036871" "February 1, 2016","IATSE Local 134","San Jose","California","HACK","BSO","0","IA 134 notified individuals of a data breach when a laptop that belonged to the organization was connected to a network at Levi's Stadium was hacked compromising personal information.Individual Social Security numbers may have been compromised.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59899","California Attorney General","","2016","37.338208","-121.886329" "February 18, 2016","Hollywood Presbyterian Hospital","New York","New York","HACK","BSO","0","Hollywood Presbyterian Hospital paid $17,000 in bitcoin in order to retrieve records they held for ransom against the hospital. The hackers installed a malicious ransomware on their server to hold patient records hostage so the hospital staff could not access any record. More information: http://www.csmonitor.com/USA/Justice/2016/0218/Why-California-hospital-p...","Media","","2016","40.712784","-74.005941" "February 5, 2016","Gyft","Mountain View","California","HACK","BSR","0","Gyft notified customers of a data breach when they discovered unauthorized access to two cloud providers used by the company contained personal information of customers.The information compromised included names, addresses, dates of birth, phone numbers, email addresses, and gift card numbers. Gift cards may have been used to make purchases on their site. 
The dates of the breach were March 19, 2015 and December 4, 2015. For additional information on the breach go to www.myidcare.com/gyft. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59990 ","California Attorney General","","2016","37.392425","-122.071879" "February 8, 2016","BajaBound.com (Mexican Insurance Services)","Baja","California","HACK","BSF","0","Bajabound.com notified customers of a data breach when they discovered an agent's email account was compromised through a phishing attack. The company investigated the incident and the phishing was meant to collect email addresses. The information that was compromised included names, addresses, dates of birth, driver's license numbers, and credit card numbers. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60000","California Attorney General","","2016","37.294892","-120.446975" "January 21, 2016","Kicky Pants, Inc.","Seattle","Washington","HACK","BSO","0","Kicky Pants (previously spelled KicKee Pants) notified customers of a data breach when the company discovered unauthorized access into their system. The breach occurred between September 24, 2015 and December 26, 2015. The information compromised included first and last names, credit card numbers, expiration dates, security codes on the back of cards, billing address, telephone numbers and email addresses. The company is offering identity theft protection services through ID Experts. They can be reached at 1-866-833-7924 Monday through Friday 6 a.m. to 6 p.m. Pacific Standard Time. The deadline to enroll is April 22, 2016. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59770 ","California Attorney General","","2016","47.606210","-122.332071" "January 25, 2016","California Virtual Academies","Simi Valley","California","DISC","EDU","0","California Virtual Academies (CAVA) notified individuals of a data breach to their system. 
On December 9, 2015 the company discovered a ""vulnerability in a data storage system"" belonging to a third party provider.For those with questions call 1-805-587-0202 Monday through Friday 8:00 a.m to 5:00 p.m Pacific Standard Time.More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59786","California Attorney General","","2016","34.275868","-118.797980" "January 25, 2016","RealSelf","Seattle","Washington","HACK","BSO","0","RealSelf.com notified customers of a data breach when they company noticed unauthorized access to their consumer data located on their servers. The information compromised included username, email address and passwords.The company is encouraging customers to change their passwords which can be done by clicking on the link at https://www.realselft.com/user/forgotPasswordMore information:http://oag.ca.gov/ecrime/databreach/reports/sb24-59793","California Attorney General","","2016","47.596995","-122.333683" "January 25, 2016","HealthEquity","Draper","Utah","DISC","MED","0","Health Equity notified individuals of a data breach when an employee inadvertently sent an email on December 11, 2015 containing personal information to another employer the company conducts business with.The information compromised included Social Security numbers.The company is providing identity monitoring services through Kroll for one year for free. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59797","California Attorney General","","2016","40.480554","-111.892012" "January 26, 2016","County of San Diego","San Diego","California","DISC","GOV","0","The County of San Diego Human Resources Department notified employees of a data breach when information involving employees Wells Fargo Health Savings Accounts. The County stated,  ""data regarding County employees who elected to set up HSAs was sent to Wells Fargo. 
The information compromised includes names, addresses, Social Security Number, birthdate, employee ID, primary email, work phone number, personal phone number. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59801","California Attorney General","","2016","32.833850","-117.130887" "February 26, 2016","Bailey's Inc.","Woodland ","California","HACK","BSO","15,000","Bailey's Inc. has notified customers of a data breach when an unauthorized party accessed their website server, obtaining credit card information of customers who purchased items from the company's online store. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59802","California Attorney General","","2016","38.686416","-121.763284" "May 26, 2015","Internal Revenue Service","Washington","District Of Columbia","UNKN","GOV","700,000","A previous story that was broken by Brian Krebs, Krebs On Security, regarding fraudulent tax returns being filed by identity thieves who gained the information using data directly from the IRS website, was confirmed today by the IRS Commissioner Josh Koskinen. Mr. Koskinen confirmed that the identity thieves pulled data off of the IRS website to file fraudulent tax returns on unsuspecting individuals. The IRS became suspicious due to a large increase of individuals requesting their tax transcripts. The investigation revealed that approximately 200,000 suspicious attempts occurred and 100,000 of those were successful in being authenticated through the IRS website. According to the IRS these attempts started in February and continued through mid-May 2015 and totaled over $50 million in fraudulent refunds. More Information: http://krebsonsecurity.com/2015/05/irs-crooks-stole-data-on-100k-taxpayers-via-get-transcript-feature/ UPDATE (5/28/2015): The IRS has communicated that they believe the recent breach of 100,000 individuals originated from Russia.
The IRS is claiming that this was not a hack, instead that they ""went in the front door of the IRS and unlocked it with the key"". More Information: http://www.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/index.html UPDATE (8/17/2015): The IRS is now announcing that the data breach that was first reported in May is three times larger than originally reported. After a review of the 2015 filing season, the IRS is sending additional letters to individuals warning them that their information may have been compromised and of the possible threat of identity theft. More Information: http://money.cnn.com/2015/08/17/technology/irs-data-theft/index.html Privacy Rights Clearinghouse has changed our original number of 100,000 individuals to 330,000 individuals affected in this breach on Aug. 19, 2015 as is being reported in the media. UPDATE (2/26/2016): The hacking incident, according to the IRS, has increased to 700,000 individual Social Security numbers being affected. More Information: http://www.cbsnews.com/news/irs-hackers-stolen-taxpayer-information-breach/","Krebs On Security","","2015","38.907192","-77.036871" "February 12, 2016","Magnolia Health Corporation","Tulare","California","HACK","MED","0","Magnolia Health Corporation has notified individuals of a data breach when someone impersonating the CEO in an email obtained personal information for all active employees of the health center.
Magnolia Health Corporation and each of their facilities managed including Twin Oaks Assisted Living, Inc., Twin Oaks Rehabilitation And Nursing Center, Inc., Porterville Convalescent, Inc., Kaweah Manor, Inc., Merritt Manor Inc. The personal information compromised included employee numbers, names, addresses, city, state, zip code, sex, dates of birth, Social Security numbers, hire dates, seniority dates, salary/hourly, salary/rates, departments, job titles, last dates paid, and names of facility. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60061","California Attorney General","","2016","36.221038","-119.344828" "March 6, 2016","Seagate","Scottsvalley","California","HACK","BSO","10,000","Seagate notified current and former employees of a data breach, when an employee fell for a phishing attack that exposed W2 information of employees. ""Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states."" The information compromised includes all information found on a W2 form, which includes Social Security numbers. The company is not saying exactly how many individuals were affected at this time, only that “It’s accurate to say several thousand. But less 10,000 by a good amount.” More information: https://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w...","Krebs On Security","","2016","37.046016","-122.015754" "March 7, 2016","Turner Construction ","San Diego","California","DISC","BSO","0","Turner Construction notified individuals of a data breach when certain personal information was disclosed in an email to an unauthorized party.
The information included names, Social Security number, name of each state in which wages or taxes are reported, federal, state, local and Medicare earnings and tax withholding data. The company is providing identity monitoring services through Kroll. For those affected call 1-877-451-9366. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60340","Maryland Attorney General","","2016","32.680189","-116.259909" "March 4, 2016","Snapchat","Venice","California","HACK","BSO","700","Snapchat has notified current and former employees of a phishing scam that targeted their payroll department that compromised employee information. The information compromised included names, Snapchat employee ID, Social Security numbers, state of residence and work, 2015 wages earned, including stock-option gains, costs of company paid benefits for life and health insurance, relocation reimbursements, employee contributions to retirement, dependent care, and healthcare plans, additional required payments and taxes withheld. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60310 ","California Attorney General","","2016","27.099778","-82.454263" "March 11, 2016","Staminus Communications Inc.","Newport Beach","California","HACK","BSO","0","Staminus Communications Inc. has notified individuals of a data breach when their network was hacked and their site went down. Customer credentials, support tickets, credit card numbers and other sensitive data showed up on online download links. More information: http://krebsonsecurity.com/2016/03/hackers-target-anti-ddos-firm-staminus/","Krebs On Security","","2016","33.618910","-117.928947" "September 2, 2014","The Home Depot","Atlanta","Georgia","HACK","BSR","56,000,000","The Home Depot appears to be another victim of a data breach of their POS systems, reportedly by the same Russian hacking group that hit Target, Michaels, Neiman Marcus and P.F. Chang's.
Brian Krebs of Krebs on Security reported that a significantly large amount of debit and credit card information went up for sale on the underground cybercrime sites, all leading back to purchases made at Home Depot stores across the US. Home Depot is currently investigating the potential breach. Updated postings will follow as more information comes in. More Information: http://www.latimes.com/business/la-fi-retail-hacking-20140904-story.html UPDATE (9/10/2014): The Home Depot has now confirmed that their credit card processing systems were compromised in 2,200 of its stores across the U.S. and Canada. Currently, no information has been released as to the number of individuals affected. Authorities are predicting this could surpass the 40 million individuals affected by the Target hacking. More Information: http://www.reuters.com/article/2014/09/09/us-usa-home-depot-databreach-i... UPDATE (9/16/2014): ""A group of attorneys general have opened a multistate investigation into the recently confirmed data breach at Home Depot Inc."" Attorneys General in Connecticut, Illinois and California will be leading the investigation to uncover the cause of the data breach and how the retailer has handled the breach with their affected customers. More Information: http://www.bna.com/attorneys-general-launch-n17179894898/ UPDATE (9/18/2014): The Home Depot has announced the data breach they suffered earlier this month has affected approximately 56 million credit and debit cards. This makes this breach the second largest breach ever, just behind TJX Co.'s breach of 90 million records. They also announced that they see no evidence of any breach of their stores in Mexico or for those who shopped at their online store, HomeDepot.com. More Information: http://www.wjla.com/articles/2014/09/home-depot-data-breach-affected-56m... UPDATE (9/26/2014): At least 15 lawsuits have been filed against The Home Depot for the recent data breach that occurred in US and Canadian stores.
The lawsuit alleges that The Home Depot neglected to secure customers' financial and personal information. Most of the cases were filed by customers, however two credit unions and one bank have also filed suit. More Information: http://www.nationallawjournal.com/id=1202671405651/Lawsuits-Piling-Up-in-Home-Depot-Data-Security-Breach#ixzz3EQXm6uC9 UPDATE (9/29/2014): The Home Depot has posted a page on their website regarding the recent data breach, for consumers who were affected. This page will advise you on what to do and how to obtain information to take advantage of the free 12 month credit monitoring services. Make sure to scroll down past the photo. More Information: https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx UPDATE (11/14/2014): The Home Depot has now announced that on top of the 56 million customers who had financial information compromised in the breach, the hackers also made off with 53 million email addresses of customers as well. More Information: http://krebsonsecurity.com/category/data-breaches/ UPDATE (11/25/2014): The Home Depot is facing 44 civil lawsuits in the U.S. and Canada as a result of the data breach that occurred across the organization's retail stores. Currently the company ""has been working to deploy EuroPay MasterCard Visa (EMV) chip-and-pin security at each of its U.S. and Canadian stores. The breach compromised the financial details of customers who shopped at any of Home Depot's 2,266 stores in the U.S.
and Canada"". More Information: http://www.techtimes.com/articles/20956/20141125/home-depot-data-breach-backlash-44-civil-lawsuits-in-the-works.htm#ixzz3KfNFgv6e UPDATE (3/17/2016): ""Home Depot has settled a consumer lawsuit filed in the wake of its massive 2014 data breach that exposed payment card information of about 40 million customers and email addresses of up to 53 million people."" ""Terms of the initial agreement were disclosed earlier this month in court papers filed in a federal court in Atlanta, according to a Reuters report. The home improvement chain's settlement totals at least $19.5 million -- $13 million of which will compensate shoppers for the losses in connection with the data breach and around $6.5 million for identity protection services for 1 1/2 years for the cardholders."" More Information: http://www.darkreading.com/vulnerabilities---threats/home-depot-to-pay-$195-million-in-data-breach-settlement/d/d-id/1324723","Media","","2014","33.748995","-84.387982" "September 14, 2012","Feinstein Institute for Medical Research","Manhasset","New York","PORT","NGO","13,000","A laptop stolen on or around September 2, 2012 contained current and former patient names, Social Security numbers, and other personal information. The laptop was taken from the car of a contractor or employee and may have also contained current and former patient mailing addresses, dates of birth, and medical information. Participants in about 50 different research studies that date back an unknown number of years were affected. UPDATE (3/17/2016): Feinstein Institute for Medical Research was fined $3.9 million to settle HIPAA violations by the organization after a laptop containing personal information of individuals was stolen.
The fine was in response to the organization's lack of, or incomplete, security management processes, which violates HIPAA. More information: http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-pa...","PHIPrivacy.net","","2012","40.797879","-73.699575" "March 1, 2016","Central Concrete Supply Company","San Jose","California","HACK","BSO","0","Central Concrete Supply Company notified employees of a data breach when they discovered a third party gained access to copies of employees' W2 information along with tax withholding statements that contained personal information of the employees. The information compromised included employer name, employee names, addresses, phone numbers, tax identification numbers, social security numbers, and income information. The company has retained Kroll to provide identity theft protection for one year for free. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60270","California Attorney General","","2016","37.341665","-121.914754" "March 4, 2016","Rosen Hotels & Resorts","Orlando","Florida","HACK","BSO","0","Rosen Hotels have notified customers of a data breach when unauthorized charges occurred on payment cards after guests used their payments during their stay. The hotel discovered that unauthorized malware was installed on their payment card network. The information compromised included card numbers, expiration dates, and internal verification codes. Cards used from September 2, 2014 and February 18, 2016. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60301","California Attorney General","","2016","28.435227","-81.473257" "March 24, 2016","Verizon Enterprise Solutions","New York","New York","HACK","BSO","0","Verizon Enterprise Solutions has suffered a data breach of their customer data.
""Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise. The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site."" Verizon communicated to KrebsOnSecurity that ""the company recently identified a security flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers."" More Information: http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-...","Krebs On Security","","2016","40.712784","-74.005941" "March 4, 2016","21st Century Oncology","Fort Meyers","Florida","HACK","MED","2,200,000","21st Century Oncology notified individuals of a data breach of patient information via unauthorized access to their database. The information compromised included names, Social Security numbers, physician's name, diagnosis and treatment information, and insurance information. The company is offering Experian's Protect My ID to those who were affected. More information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60307 UPDATE (3/24/2016): 3 class action lawsuits have been filed against 21st Century Oncology over a major data breach of patient data.
""Patients affected by a recent computer data breach at 21st Century Oncology have filed federal class-action lawsuits, claiming the Fort Myers-based cancer-care provider failed to adequately protect sensitive medical and personal information."" More Information: http://www.news-press.com/story/news/2016/03/23/21st-century-breach-prom...","California Attorney General","","2016","26.596093","-81.866226" "March 8, 2016","Billy Casper Golf","Reston","Virginia","HACK","BSO","0","Billy Casper Golf has notified customers of a data breach when they were a target of an email spoofing attack. Hackers were able to obtain information from individuals' W-2 information. The spoofing email appeared as if it was coming from the CEO asking for all 2015 employee W2 information. For those with questions call 877-213-5100 Monday through Friday from 9:00 a.m. to 7 p.m. EST and provide reference number 9416022816. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60368 ","California Attorney General","","2016","38.949609","-77.386226" "March 8, 2016","1-800-Flowers","Carle Place","New York","HACK","BSO","0","1-800-Flowers customer service received reports on February 15, 2016 from customers that they couldn't complete their online orders.
The company investigated and discovered that orders placed from February 15th, 2016 through February 17th, 2016 may have compromised customer personal information. Information compromised may have included names, addresses, email addresses, payment card numbers, expiration dates and security codes. Those who were affected can call 888-687-9294 from 9 a.m. to 7 p.m. EST. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60377","","","2016","40.742789","-73.621614" "March 11, 2016","Sequoia Union High School","Redwood City","California","HACK","BSO","0","Sequoia Union High School District (SUHSD) notified employees and retirees of a data breach when, in a phishing incident, a third party accessed an office computer that contained personal information of employees and retirees. The information compromised included names and Social Security numbers. The school district is providing a free membership for one year through ProtectMyID. Those with questions can call 1-844-754-5532 Monday through Friday 6:00 a.m. to 6:00 p.m. Pacific Time. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60445 ","California Attorney General","","2016","37.485215","-122.236355" "March 14, 2016","Mitchell International, Inc. ","San Diego","California","HACK","BSO","0","Mitchell International, Inc. notified individuals of a data breach when an individual impersonated an executive with the company and convinced an employee to provide certain information on current and former employees.
The information compromised included first and last names, Social Security numbers, and salary information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60473","California Attorney General","","2016","32.715738","-117.161084" "March 15, 2016","Laborers Funds Administrative Office of Northern California, Inc.","Fairfield","California","DISC","BSO","0","The Laborers Health and Welfare Fund of Northern California notified members of a data breach when a computer error caused personal information of members and members' family to be sent to another fund member. The information compromised included full names, Social Security numbers, and health plan coverage. The same information was compromised for dependents as well. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60488","California Attorney General","","2016","38.231427","-122.125969" "March 16, 2016","Advanced Auto Parts","Roanoke","Virginia","HACK","BSR","0","Advance Auto Parts notified individuals of a data breach when the company suffered a phishing attack in which an unauthorized individual posed as an employee and convinced an employee of the company to provide a file containing information about certain individuals working for the company. The information compromised included names, Social Security numbers, 2015 gross wages, and the state(s) the individual pays income taxes. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60518","California Attorney General","","2016","37.317428","-79.959208" "March 16, 2016","PerkinElmer, Inc.","Waltham","Massachusetts","HACK","BSO","0","PerkinElmer, Inc notified employees of a data breach when a PerkinElmer employee was a victim of a phishing scam and was sent an email that appeared to be from another PerkinElmer employee requesting information on other employees.
The information compromised included names, dates of birth, home addresses, Social Security numbers, salary information, titles and specific employee information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60521 ","California Attorney General","","2016","42.404762","-71.274298" "March 21, 2016","LAZ Parking","Hartford","Connecticut","HACK","BSO","0","LAZ Parking notified employees of a data breach when an email phishing scam was sent to an employee appearing as though it was from a LAZ Parking executive asking for employees' 2015 W2 information. The information compromised included first and last names, home addresses, Social Security numbers, and 2015 compensation data. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60586","California Attorney General","","2016","41.765061","-72.675603" "March 23, 2016","Lamps Plus","Chatsworth","California","HACK","BSR","0","Lamps Plus notified employees of a data breach when a phishing email was sent to an employee, posing as an executive of the company and asking for employee W-2 information. The information compromised included names, Social Security numbers, and addresses. Unfortunately, this compromised information was used to file fraudulent tax returns. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60670 UPDATE (4/4/2016): ""Lamps Plus is facing a proposed class action lawsuit over allegations that the company failed to provide adequate security measures to prevent a recent massive data hack into the company’s payroll system, putting more than 1,300 employees’ sensitive information at risk."" Information regarding the lawsuit is as follows: ""The Lamps Plus Employee Data Breach Class Action Lawsuit is Frank Varela, et al. v. Lamps Plus Inc., et al., Case No. 5:16-cv-00577, in the U.S.
District Court for the Central District of California, Eastern Division – Riverside."" More Information: http://topclassactions.com/lawsuit-settlements/lawsuit-news/331892-lamps...","California Attorney General","","2016","34.242236","-118.574953" "March 25, 2016","AspiraNet","Bakersfield","California","HACK","NGO","0","AspiraNet notified individuals of a data breach when a spoofing email went out on March 21, 2016. The spoofing email resulted in W-2 information being disclosed. The information compromised included names, residential addresses, and Social Security numbers. The company is providing ProtectMyID Elite for free for two years. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60715","California Attorney General","","2016","35.363925","-119.061591" "March 28, 2016","Sprouts Farmers Market","Phoenix","Arizona","HACK","BSO","0","Sprouts Farmers Market notified employees of a data breach when a phishing attack resulted in disclosure of employee W-2 information. The information compromised included names, addresses, Social Security numbers, wages, and withheld taxes for 2015 in the state in which individuals pay income taxes. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60739","California Attorney General","","2016","33.675117","-111.963173" "March 28, 2016","Ullrich Delevati","Woodland","California","HACK","BSF","0","Ullrich Delevati CPA's notified customers of a data breach when their system was compromised exposing names, addresses, dates of birth, Social Security numbers, and bank account numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60748","California Attorney General","","2016","38.676613","-121.771534" "March 30, 2016","Pivotal Software Inc. ","Palo Alto","California","HACK","BSO","0","Pivotal Software notified individuals of a data breach when they were a victim of a phishing scam.
""On March 22, 2016 a third party sent a fraudulent email message impersonating CEO Rob Mee to an employee requesting certain information about Pivotal employees. The employee responded to the request, mistakenly believing that it came from Mr. Mee."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60798","California Attorney General","","2016","37.394293","-122.147949" "April 5, 2016","Katherman Kitts & Company","Irvine","California","PORT","BSF","0","Katherman Kitts & Co. LLP notified customers of a data breach when hard drives containing backup files for one of the firm's servers were stolen from one of the partner's cars. There was personal information contained on that drive that included names, addresses, dates of birth, Social Security number, and other information contained in your tax return. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60867","California Attorney General","","2016","33.653875","-117.747284" "April 6, 2016","Whiting Turner Contracting","Baltimore","Maryland","HACK","BSF","0","Whiting-Turner notified customers of a data breach when a third party vendor that they use had a data breach. ""Whiting-Turner uses an outside vendor to provide tax filing and information services, including preparation of our employees' W-2 and 1095 tax forms. On March 8, 2016, this vendor notified us they had detected suspicious activity on their systems. We also received reports around that time from some of our employees regarding fraudulent tax filings in their names."" The information compromised included names, dates of birth, and Social Security number of any minor dependent. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60875","California Attorney General","","2016","39.402509","-76.597189" "April 7, 2016","Trump Hotels","New York","New York","HACK","BSO","0","Trump Hotel has suffered a second data breach this year. The hotel chain is investigating a pattern of fraud with customer credit cards.
""The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto."" More Information: http://krebsonsecurity.com/2016/04/sources-trump-hotels-breached-again/#...","Krebs On Security","","2016","40.712784","-74.005941" "February 2, 2015","Boston Baskin Cancer Foundation","Memphis","Tennessee","PORT","MED","56,694","Boston Baskin Cancer Foundation notified individuals of a data breach when a laptop computer and external hard drive were stolen. The hard drive contained personal information of patients. The information included patient names, dates of birth, Social Security numbers, addresses, phone numbers, clinic medical record numbers and the last dates seen by the clinic. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","35.207524","-89.801379" "February 4, 2015","South Sunflower County Hospital","Indianola","Mississippi","DISC","MED","19,000","""A local merchant sent a package with shredded documents containing protected health information (PHI) from the covered entity (CE), South Sunflower County Hospital, used as packing material."" The information compromised included dates of service, providers' names, diagnoses, patient names, Social Security numbers, and dates of birth. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","33.457231","-90.650115" "February 5, 2015","Planned Parenthood Southwest Ohio","Cincinnati","Ohio","DISC","MED","5,000","Planned Parenthood mistakenly disposed of binders containing protected health information.
The information included archived prescription dispensing logs and lab test logs. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","39.123773","-84.507991" "April 11, 2016","FDIC","Washington ","District Of Columbia","DISC","GOV","44,000","The FDIC announced a data breach that affected 44,000 customers when an employee who was leaving inadvertently downloaded sensitive information onto a portable hard drive device. The FDIC has not provided the specific information that was compromised but did state that the employee had authority to access personal information “for bank resolution and receivership purposes.” More Information: https://www.washingtonpost.com/news/powerpost/wp/2016/04/11/inadvertent-...","Media","","2016","38.907192","-77.036871" "April 8, 2016","OptumRx","Eden Prairie","Minnesota","PORT","MED","0","OptumRx notified individuals of a data breach when a third party vendor that provides home delivery of prescription services had a laptop computer stolen from an employee vehicle. The laptop contained personal information of OptumRx customers. The information on the laptop included names, addresses, health plan name, prescription drug information and prescribing provider information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60898","California Attorney General","","2016","44.890719","-93.416813" "April 11, 2016","Schwaab Inc. ","Brookfield ","Wisconsin","HACK","BSO","0","Schwaab, Inc. notified customers of a data breach when DiscountRubberStamps.com (a Schwaab owned company) discovered unauthorized access in their computer system from January 22, 2014 through February 8, 2016. The information compromised may have included credit card information.
For questions call 1-844-608-3819 or email customers@discountrubberstamps.com. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60906","California Attorney General","","2016","43.092494","-88.072024" "April 11, 2016","Staminus Communications Inc.","Newport Beach","California","HACK","BSO","0","""On March 10, 2016 Staminus Communications was the victim of an unauthorized intrusion into its network."" The information compromised included names, credit card numbers, as well as usernames, passwords, and contact information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60912","California Attorney General","","2016","33.670409","-117.862143" "April 11, 2016","Bristol Farms","Carson","California","HACK","BSO","0","Bristol Farms notified current and former employees of a data breach when someone posing as a company executive requested certain information. The information compromised included first and last names, addresses, Social Security numbers, and 2015 compensation and deduction information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60914","California Attorney General","","2016","33.831675","-118.281693" "April 26, 2016","Academy of Art University","San Francisco","California","HACK","EDU","3,000","""Three thousand employees with the Academy of Art are scrambling to find out if their financial and credit information has been compromised in the wake of a sophisticated email spoof. On March 4th, someone in the Academy of Art human resources department received an e-mail purporting to be from a senior executive with the Academy demanding the W-2’s of every single employee. The e-mail address looked legit, but it wasn’t.
It had been spoofed.""","Media","http://sanfrancisco.cbslocal.com/2016/04/26/thousands-threatened-by-academy-of-art-email-spoof/","2016","37.774930","-122.419416" "April 13, 2016","Academy of Art University","San Francisco","California","HACK","BSO","0","Academy of Art University suffered a data breach when hackers posing as an executive at the university asked for employee W2 information. The information compromised included names, residential addresses and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-60936","California Attorney General","","2016","37.787826","-122.400649" "April 22, 2016","Berkeley Public Schools","Berkeley","California","DISC","EDU","0","The Bay Area News Group, a publisher of multiple Bay Area newspapers, requested information on public employee salaries of the school district. The school district complied with the request, however the employee who transmitted this information to the news group inadvertently put Social Security numbers of the employees as part of the information. The school district is offering a one-year free subscription to an identity protection program provided by Identity Fraud Inc. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61243","California Attorney General","","2016","37.871593","-122.272747" "April 21, 2016","Voya Financial Advisor's Inc. ","New York","New York","HACK","BSF","0","Voya Financial Advisors notified customers of a data breach when they discovered unauthorized access to the company's systems, including client records.
The information compromised included names, addresses, dates of birth, last four digits of Social Security numbers, driver's license number, passport number and other government issued ID's, telephone numbers, email addresses, account numbers and account balances.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61193","California Attorney General","","2016","40.754372","-73.976183" "April 26, 2016","Lucky Pet","Seattle","Washington","HACK","BSO","0","Lucky Pet notified customers of a data breach when an unauthorized individual (s) accessed the company's third party shopping cart software compromising customers personal information.The information compromised consisted of names, addresses, and credit card information including expiration dates and security codes. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61371","California Attorney General","","2016","47.659739","-122.347744" "April 26, 2016","Advanced International Marketing Inc. ","Middletown","Ohio","HACK","BSO","0","Advanced International Marketing Inc. notified customers of a data breach when an unauthorized party gained access to certain images that were uploaded to the company's website. The information compromised included names and state ID's. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61377","California Attorney General","","2016","41.445927","-74.422934" "February 6, 2016","Senior Health Partners","New York","New York","PORT","MED","2,772","Health and Human Services has reported a breach with Senior Health Partners when a portable device was stolen.More Information:https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","40.713329","-74.010158" "February 9, 2015","Dr. Arturo Tomas","Ottawa","Illinois","PHYS","MED","680","""On February 2, 2014, Arturo D. 
Tomas, MD LTD's office, the covered entity (CE), discovered that a package containing the protected health information (PHI) of approximately 680 individuals had been lost in the process of shipment to its billing company through the U.S. Postal Service (USPS). The PHI included individuals names, addresses, phone numbers, dates of birth, referring physician names, medical record numbers, diagnoses, and clinical information.""More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","41.357740","-88.824195" "April 19, 2016","doTerra","Pleasant Grove","Utah","HACK","BSO","0","doTerra notified customers of a data breach when a third party data provider that their system was accessed by an unauthorized party. The information included names, Social Security numbers, other government issued i.d. numbers, payment card information, dates of birth, postal and email addresses, telephone numbers, and usernames and passwords.More Information: http://www.scmagazine.com/d%C5%8Dterra-breach-exposes-customer-info-incl...","Media","","2016","40.359870","-111.759272" "April 19, 2016","Arlington Public Schools","Arlington","Washington","HACK","EDU","0","""More than two dozen Arlington Public Schools employees have had their social security numbers and tax information compromised in a data breach, according to a memo sent to APS employees Monday.""The information compromised included information found on employees W-2 forms. More Information: https://www.arlnow.com/2016/04/19/data-breach-affecting-some-aps-employees/UPDATE (4/28/2016): The first report stated that 28 employees were affected, a new updated report came out on April 28th that 40 additional employees were affected for a total of 68 individuals. More Information: https://www.arlnow.com/2016/04/28/scope-of-aps-employee-data-breach-expa...  
","Media","","2016","32.735687","-97.108066" "April 26, 2016","BeautifulPeople.com","New York","New York","HACK","BSO","1,100,000","BeautifulPeople.com notified individuals of a data breach when their system was hacked, compromising personal information. The information included members' names, addresses, sexual preferences, relationship status, phone numbers, email addresses and private messages. More Information: http://www.welivesecurity.com/2016/04/26/beautifulpeople-com-experiences...","Media","","2016","40.760286","-73.972244" "February 9, 2015","Haywood County NC","Haywood County","North Carolina","STAT","MED","955","""On or around October 31, 2014, a paper accounts receivable report went missing from the covered entity (CE) billing office.  The report contained the protected health information (PHI) of 955 individuals and included patients' internal identification numbers, names, clinics visited, and amounts owed.  The CE provided breach notification to HHS, affected individuals, and the media, and set up a toll free number answer line and e-mail contact."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","35.624394","-82.993161" "February 12, 2016","Pathway to Hope","Fort Lauderdale","Florida","DISC","MED","600","As reported by Health and Human Services unauthorized access/disclosure to emails. No specific information as to what was contained in the emails was provided by Health and Human Services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","26.122439","-80.137317" "April 18, 2016","Hunt Regional Medical Partners","Greenville","Texas","DISC","MED","3,000","""Vandals broke into a building storing paper protected health information (PHI) for the covered entity (CE), Hunt Regional Medical Partners.  
The types of PHI involved in the breach included patients' names, addresses, dates of birth, Social Security numbers, claims information, and patients' chart information. Approximately 3,000 individuals were affected.""More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2015","34.852618","-82.394010" "May 3, 2016","Nazareth Area School District","Nazareth","Pennsylvania","HACK","EDU","0","The Nazareth Area School District notified parents of a data breach when a student accessed students records without authorization and put student information on a flash drive.""The letter dated April 29 went home to district parents from Superintendent Dennis Riker. Riker says in the letter a student accessed the private data between December 2011 and April 2014 and put it on a flash drive.""The information compromised included student names, addresses, phone numbers, dates of birth, student ID's and parents names.More Information: http://www.lehighvalleylive.com/nazareth/index.ssf/2016/05/find_out_what...","Media","","2016","40.741446","-75.298537" "May 5, 2016","Stonebridge Realty Advisors","Glenwood Springs","Colorado","HACK","BSO","0","""What HappenedBased upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems that was designed to capture payment card information as it is inputted into those systems.What Information Was InvolvedBased on the information currently available from our investigation, we believe that the incident may have affected payment card data (including payment card account number and card expiration date) of individuals who used a payment card at our restaurant between November 8, 2015, and March 26, 2016. If you made a payment card transaction at our restaurant during that time frame, your payment card information could have been impacted by this incident. 
Please note, at this time, we are not aware of any misuse of your information as a result of this incident and no other information, such as your Social Security number was involved in this incident.""","California Attorney General","https://oag.ca.gov/system/files/49932072_6_1.pdf","2016","39.550538","-107.324776" "May 6, 2016","Google Inc.","Mountain View ","California","DISC","BSO","0","Google Inc. notified employees of a data breach when a third-party vendor that provides benefit management services inadvertently sent a document that contained personal information of their employee to a benefits manager of another organization. The information exposed included names and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61707","California Attorney General","","2016","37.422359","-122.084344" "May 9, 2016","Bay Area Children's Association","Oakland","California","HACK","MED","0","Bay Area Children's Network notified individuals of a data breach, when an unauthorized person(s) accessed their patient account records. The patient information acquired was due to the result of malware installed sometime in January 2015. The information compromised included names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance and health visit information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61688","California Attorney General","","2016","37.799181","-122.285895" "May 5, 2016","Saint Agnes Medical Center","Fresno","California","HACK","MED","2,812","""Saint Agnes Medical Center was targeted by an isolated email phishing attack in which a scammer impersonated our Chief Executive Officer and requested that W-2 information be sent via email. There was no breach to any of our Saint Agnes systems and all patient information remains secure. 
Rather, we were a target of what is known as a BEC (Business Email Compromise/Correspondence) attack, which typically focuses on tax information that can be used to obtain fraudulent returns.""The information compromised is the information you would find on a W2 form, including names, addresses, salary information, withholding information and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61673","California Attorney General","","2016","36.746842","-119.772587" "May 5, 2016","CertifiKid LLC","Washington ","District Of Columbia","HACK","BSO","0","""On March 25, 2016, CertifiKid discovered malicious software code that was inserted by unknown individuals into the server of its e-commerce website between the dates of January 25, 2016 and March 19, 2016.""The information compromised included names, credit card numbers, expiration dates and security code information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61677","California Attorney General","","2016","38.907192","-77.036871" "January 27, 2016","Wendy's ","Dublin","Ohio","HACK","BSO","0","Wendy's, the fast food chain retailer, is investigating reports regarding a potential breach of their credit card systems in their restaurants. The company has hired a security expert to investigate the incidences. The company received reports from their payment industry contacts alerting them of unusual activity and fraudulent charges after credit/debit cards were used at their locations for legitimate purchases. A spokesperson for the restaurant chained stated, ""We began investigating immediately, and the period of time we’re looking at the incidents is late last year,” he said. “We know it’s [affecting] some restaurants but it’s not appropriate just yet to speculate on anything in terms of scope.”KrebsOnSecurity heard from banking industry sources stating a possible breach and the reports were coming mostly from financial institutions in the midwest. 
Krebs has also heard ""similar reports from banks on the east coast"". ""The Wendy’s system includes approximately 6,500 franchise and company-operated restaurants in the United States and 28 countries and U.S. territories worldwide. Bertini said most of the U.S.-operated stores are franchises."" More information: http://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card-... UPDATE (3/2/2016): The Wendy's credit/debit card breach appears to be much worse than originally thought, according to credit unions. ""This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target,” Berger said. “It seems to have been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.” More information: https://krebsonsecurity.com/2016/03/credit-unions-feeling-pinch-in-wendy... UPDATE (5/12/2016): After an investigation by the fast food chain, less than 5 percent of its restaurants were affected by the data breach. 
""Based on preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of the approximately 5,500 franchised North America Wendy's restaurants, starting in the fall of 2015.""More Information: http://www.foxnews.com/tech/2016/05/11/wendys-data-breach-hit-5-percent-...","Krebs On Security","","2016","37.702152","-121.935792" "May 16, 2016","Poway Unified School District","Poway ","California","DISC","EDU","70,000","The Poway Unified School District notified parents of a data breach when the district inadvertently sent information on 70,000 individuals, including students to a parent who requested information on their specific child only.""The information released did not include Social Security numbers,” the statement said. However, it included directory information and district-based test scores, some of which are protected information under the Family Educational Rights and Privacy Act.”The information compromised included children's names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. More Information: http://www.sandiegouniontribune.com/news/2016/may/16/poway-data-breach/?...","Media","","2016","32.962823","-117.035865" "May 20, 2016","O'Charley's Restaurant and Bar","Nashville","Tennessee","HACK","BSO","0","O'Charley's Restaurant and Bar notified customers of data breach when a third party security firm discovered unauthorized access to their payment card system. Between March 19, 2016 and April 8, 2016 customers who used their debit or credit card information could be the target of identity theft. The information compromised included data found on the magnetic strip of the card which would include the cardholder names and card numbers. 
The following locations were potentially compromised. O'Charley's Restaurants located at 930 Windham Court, Boardman, Ohio and 2077 Interchange Drive, Erie, Pennsylvania. The number of debit/credit cards affected has not yet been released. If you have questions, please call (855) 907-3245 from 9:00 a.m. to 6:00 p.m. ET Monday - Friday. More Information: http://www.11alive.com/money/personal-finance/georgia-ag-olens-warns-res... Release from the company: http://www.ocharleys.com/protectingourguests","Media","","2016","36.099591","-86.755627" "May 16, 2016","Noodles and Company","Ann Arbor","Michigan","HACK","BSO","0","Noodles & Company is investigating a data breach of their payment card systems at some of their locations. “We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third party forensic experts. Our investigation is ongoing and we will continue to share information.” The company operates 500 stores in 35 U.S. states. The number of credit/debit cards affected and the locations that were compromised have not yet been released. More Information: http://krebsonsecurity.com/2016/05/noodles-company-probes-breach-claims/ UPDATE (9/7/2016): An Oregon credit union has sued Noodles and Company over a data breach that compromised customer credit and debit cards. ""The suit, filed Tuesday in U.S. District Court of Colorado by SELCO Community Credit Union, seeks class action status for all U.S. financial institutions whose customers made purchases at Noodles from Jan. 1 to the present. SELCO accuses the Broomfield-based fast-casual chain of negligence in failing to use “reasonable security measures” in its point-of-sale system despite a stream of high-profile data breaches at retailers and restaurants such as Target, Home Depot,  P.F. 
Chang’s, Wendy’s and Dairy Queen.""More Information: http://www.denverpost.com/2016/09/07/noodles-company-data-breach/","Krebs On Security","","2016","42.278630","-83.741055" "May 19, 2016","Milwaukee Bucks","Milwaukee","Wisconsin","HACK","BSO","0","The Milwaukee Bucks have notified players of a data breach when someone posing as the team's president sent a spoofing email requesting information on the players W2 forms.The information compromised included names, addresses, Social Security numbers, compensation figures and dates of birth. More Information: http://www.usatoday.com/story/sports/nba/bucks/2016/05/19/milwaukee-buck...","Media","","2016","43.038903","-87.906474" "May 24, 2016","Lewis-Palmer School District 38","Monument","Colorado","DISC","EDU","2,000","Officials at the Lewis-Palmer were confronted by parents regarding their use of student ID numbers as part of the districts Google Apps for Education (GAFE) in order to connect to the districts Infinite Campus.  ""GAFE is a hosting solution by Google to incorporate Google mail, calendar and chat services. 
Student emails in the district use the student's ID in an @lewispalmer.org format."" Several parents came forward and notified the district of how easily their information was breached. ""After walking through the process with several students and parents using their accounts, Complete Colorado discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records."" The district has yet to notify parents of the issue. More Information: http://completecolorado.com/pagetwo/2016/05/24/probable-security-breach-...","Media","","2016","39.090783","-104.870840" "May 31, 2016","MySpace","Santa Monica","California","HACK","BSO","360,000,000","MySpace is notifying individuals of a large data breach of usernames and passwords on their system. The number of passwords compromised is being reported as over 360 million. These usernames and passwords were exposed due to ""unsalted SHA-1 hashes"" that allowed hackers to run certain numbers they can obtain with a cracking server, which can process millions of SHA-1 calculations per second. The breach has been reported to only be usernames and passwords. Time Inc., which owns MySpace, has confirmed the breach. More Information: http://www.usatoday.com/story/tech/2016/05/31/360-million-myspace-accoun...","Media","","2016","34.019454","-118.491191" "May 6, 2016","Equifax Inc. ","Atlanta","Georgia","HACK","BSO","431,000","""Identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees on Thursday. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. 
Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.""Equifax believes that the Social Security numbers and dates of birth were obtained from another source.More Information: http://krebsonsecurity.com/2016/05/crooks-grab-w-2s-from-credit-bureau-e...","Krebs On Security","","2016","33.748995","-84.387982" "June 1, 2016","Washington Redskins","Ashburn","Virginia","PORT","BSO","0","""A laptop containing the medical records of thousands of NFL players was stolen from the car of a Washington Redskins trainer last month, the team said in a statement on Wednesday, confirming a story first reported by Deadspin.""""According to a letter from the NFLPA that was obtained by Deadspin, the stolen medical records were of every player who went through the NFL scouting combine from 2004 through 2016, as well as current Redskins players. The backpack also contained a zip drive and hard copies of the medical records, the letter said.""More Information: http://espn.go.com/nfl/story/_/id/15884597/laptop-stolen-washington-reds...","Media","","2016","39.043757","-77.487442" "May 3, 2016","Lafler, Moore, Connerty & Webb, LLP","Roseville","California","HACK","BSO","0","""On March 11, 2016, an employee was on a work computer when unusual cursor behavior was observed. The computer was immediately taken off-line and our IT consultant was contacted.  The consultant confirmed suspicious activity and changed potentially impacted passwords.  That same day, a forensic data analysis company was also hired to investigate and determine what, if any, information was breached.  
On April 8, 2016, we learned with a ""high level of confidence"" that information on our network was breached by an unauthorized individual starting on or about January 27, 2016, and who was potentially impacted."" The information compromised included names, gender, dates of birth, telephone numbers, addresses, social security numbers, all employment (W-2) information, a bank account and routing numbers, mortgage documentation, charitable contributions, casualty and theft losses, investment information, health coverage documentation, and medical expenses. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61621","California Attorney General","","2016","38.744705","-121.244052" "May 4, 2016","Areas","Miami","Florida","HACK","BSO","0","Areas notified employees of a data breach when they were the victim of a phishing scheme. ""On April 29, 2016, Areas learned it was the target of an email phishing scheme which resulted in unauthorized access to your personal information."" The information compromised included names, addresses, and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61634 ","California Attorney General","","2016","25.782487","-80.282067" "May 4, 2016","Pro Sports Daily","","Ontario","HACK","BSO","0","""We are writing to notify you that a breach of security of personal information occurred on April 4, 2016.  We learned that there was a hack into our database for the ProSportsDaily Forum website, which means that your account password to the ProSportsDaily Forum, despite encryption, may have been compromised."" The information compromised was customer logins and passwords. ","California Attorney General","http://oag.ca.gov/ecrime/databreach/reports/sb24-61644","2016","56.130366","-106.346771" "May 5, 2016","Hume Lake Christian Camps","Hume","California","HACK","BSO","0","Hume Lake Christian Camps notified employees of a data breach when they were a victim of a phishing scam. 
""On March 4, 2016, we discovered that between February 29, 2016 and March 4, 2016, as a result of a phishing incident, an unauthorized third party gained access to a Hume Lake employee's email account and, in turn, may have accessed files containing certain personal information."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61646","California Attorney General","","2016","36.787710","-118.913490" "May 3, 2016","Ken Waterman, CPA","Santa Rosa","California","HACK","BSF","0","Ken Waterman, CPA notified customers of a data breach when the company noticed unauthorized access to their servers that contained personal information of their customers. ""On March 30, 2016, KW learned that a possible security incident may have impacted the security of information stored on our servers.  We immediately began an investigation and engaged independent, third-party forensic computer experts to assist.  While the investigation is still ongoing, it appears that files stored on our system may have been accessed by an unauthorized individual.  These files contain information related to your tax filings, and may have included your name, address, Social Security number, wage information, and in some instances bank account information."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61628","California Attorney General","","2016","38.449125","-122.717295" "February 20, 2015","Marketing Clique","","Texas","DISC","MED","8,700","No specific details per Health & Human Services website as to what specifically was breached. More information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","","","2015","40.760537","-73.978890" "May 31, 2016","Verity Health System","Redwood City","California","HACK","MED","0","""May 23, 2016, Verity Health System was targeted with an isolated email phishing scam in which a scammer impersonated a Verity executive and requested that certain employee information be sent via email. 
This scam did not affect any patient information or the delivery of healthcare to our patients."" The information breached included current and former employees' information on their W2 form. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62088","California Attorney General","","2016","37.521112","-122.254753" "May 24, 2016","A&A Ready Mixed Concrete, Inc. ","Newport Beach","California","HACK","BSO","0","""We are contacting you regarding a data security incident that occurred on Monday, May 16th, 2016, at the Company. It appears the targeted data involved 2015 W2 information of employees which could potentially become available to unknown individuals.  As a result, your personal information may have been exposed to others.  Please be assured we have taken every step necessary to address the incident, and are fully committed to protecting your information."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61962","California Attorney General","","2016","33.666956","-117.858151" "May 23, 2016","Berkeley Endocrine","Berkeley","California","HACK","MED","0","""On April 22, 2016, my office was subject to a spam email which we believe went to many patients. Though no patient information was affected by that correspondence, we sent a notification email to all individuals on our email list, informing them of the spam. 
Inadvertently, the recipient list for the notification email on April 22, 2016 was not hidden."" The information compromised included first and last names, email addresses. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61958 ","California Attorney General","","2016","37.855161","-122.257971" "May 18, 2016","The Paper Works","Paradise","California","PORT","BSO","0","The Paper Works notified customers of a data breach when a laptop and a computer were stolen from their office that included personal information of customers. The information compromised included names, addresses, Social Security numbers, spouse and dependent information listed on tax filings. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61876","California Attorney General","","2016","39.758626","-121.625459" "May 16, 2016","Flurish Inc. dba LendUp","San Francisco","California","DISC","BSF","0","""Earlier this year during a routine examination, we discovered that personal information for a small subset of visitors to our website had been made available to third-party companies.  We place on our website widgets, beacons, and analytics trackers from third-party companies to provide services to us and our customers related to device authentication, site functionality, advertising, and marketing.  Our examination showed that personal information could have been made available to these third-party companies, for a small number of customers, as early as 2012."" The information compromised included first and last names, email addresses, telephone numbers, home addresses, dates of birth, and Social Security numbers. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61852","California Attorney General","","2016","37.790323","-122.404214" "May 16, 2016","Solano Community College","Fairfield","California","HACK","EDU","0","""On April 28, 2016, we learned that a ""phishing"" email was sent to an employee who responded to the email, thinking that it was a legitimate request. When we learned of this, we immediately secured the email account, reset passwords and began an investigation.  We also notified the Solano County Sheriff's Office which is working with the college Information Department and the Solano County Sheriff's Office Computer Crime Task Force in the investigation of this matter.""The information compromised included names, addresses, Social Security numbers and salary information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61842","California Attorney General","","2016","38.234829","-122.123542" "June 13, 2016","Twitter","San Francisco","California","HACK","BSO","32,000,000","""Late last week, a password leak hit Twitter, and the company locked millions of user accounts as a result. It was reported that the login credentials of more than 32 million Twitter users were compromised. According to LeakedSource, which indexes hacked credentials from data breaches, the credentials are being traded on the Dark Web for about 10 bitcoin a pop or a little under $6,000. LeakedSource goes on to note that passwords are stored as plain text files, and many seem to be attached to Russian users. That detail indicates that the passwords were stolen from users, as opposed to through a hack into Twitter’s central systems. 
In response to the leak, Twitter quickly initiated forced resets for many of its users."" More Information: http://www.pymnts.com/news/security-and-risk/2016/twitter-account-lockou...","Media","","2016","37.776790","-122.416406" "February 26, 2015","Raymond Mark Turner, M.D.","Las Vegas","Nevada","PORT","MED","2,153","""One unencrypted laptop computer was stolen during business hours while the office of Dr. Robert Mark Turner was in the process of updating and encrypting its computers.  A file on the stolen laptop contained the electronic protected health information (ePHI) of 2,153 individuals which included names, addresses, dates of birth, Social Security numbers, drivers license numbers, health insurance information, and records of medical treatment.  The covered entity (CE) provided breach notifications to HHS, affected individuals, and the media and provided credit monitoring and identity theft protection to affected individuals.  In response to the breach, the CE improved physical safeguards and enhanced technical safeguards by implementing an encryption management program for all computer systems. OCR reviewed the CE's HIPAA risk assessment and provided technical assistance on the required elements of a risk analysis and risk management plan."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","36.169941","-115.139830" "February 27, 2015","St. Vincent Hospital and Health Care Center Inc. 
","Indianapolis","Indiana","DISC","MED","63,325","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","39.768403","-86.158068" "February 27, 2015","Cathrine Steinborn, DDS","Santa Clara","California","PORT","MED","3,224","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","37.347106","-121.959669" "February 27, 2015","Aventura Hospital and Medical Center","Aventura","Florida","HACK","MED","686","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","25.969940","-80.145330" "March 1, 2015","Amedisys","Baton Rouge","Louisiana","HACK","MED","6,909","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","30.400970","-91.050462" "March 2, 2015","Advance Rehabilitation & Consulting LTD","Calhoun","Georgia","HACK","MED","570","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","34.478293","-84.936616" "March 2, 2015","Georgia Department of Community Health","Cordele","Georgia","HACK","MED","557,779","No specific information was provided by Health and Human Services as to the type of information compromised in the 
breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","31.964379","-83.782930" "March 5, 2015","St. Mary's Health","Lafayette","Indiana","HACK","MED","3,952","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","40.420234","-86.871844" "March 5, 2015","Sharon J. Jones M.D.","San Pablo","California","PHYS","MED","1,342","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","37.953950","-122.338539" "March 6, 2015","Valley Community Healthcare","Hollywood","California","PORT","MED","1,233","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","34.194451","-118.415024" "March 5, 2015","Mosaic Medical","Prineville","Oregon","PHYS","MED","2,207","""An intruder entered the administrative office of the covered entity (CE) through a window. Nothing was stolen; however, the protected health information (PHI) of 2,202 individuals was stored in the office.  The PHI involved in the breach included names, medical information, medical insurance information, addresses, phone numbers, and email addresses.  The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE moved its administrative office to another location with improved physical safeguards.  
In addition, the CE instructed staff on its procedures for securely storing PHI. OCR obtained assurance that the CE implemented the corrective action listed above."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","44.303534","-120.849140" "March 3, 2015","Clinical Reference Laboratory","Lenexa ","Kansas","DISC","MED","4,668","""A parcel addressed by the covered entity (CE), Clinical Reference Laboratory, Inc., to Personalized Prevention, was damaged and opened during the mailing process by the United States Postal Service on or about November 4, 2014.  The types of protected health information (PHI) involved in the breach included the names, partial Social Security Numbers, dates of service, and lab test types of 4,668 individuals.  Since multiple breach reports have been received involving the same CE and fact pattern, this investigation is being closed and consolidated into one OCR investigation."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","38.975648","-94.723076" "March 6, 2015","Indiana State Medical Association","Indianapolis","Indiana","PORT","MED","38,351","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","39.772207","-86.166159" "March 6, 2015","San Francisco General Hospital and Trauma Center","San Francisco","California","PHYS","MED","2,500","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","37.755805","-122.404443" "March 11, 2015","Dr. Anthony T.R. 
Green DDS","Jamaica","New York","DISC","MED","7,448","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","40.713295","-73.784322" "March 12, 2015","Virginia Department of Medical Assistance Services","Richmond","Virginia","HACK","MED","697,586","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","37.542467","-77.435920" "March 13, 2015","EyeCare of Bartlesville","Bartlesville","Oklahoma","HACK","MED","4,000","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","36.750087","-95.972411" "June 7, 2016","State Farm Mutual Automobile Insurance Company","Bloomington","Illinois","INSD","BSF","0",""" On January 21, 2016, State Farm opened an investigation related to employees of a State Farm independent contractor agent in Chino Hills, CA.  The investigation determined there was misappropriation of customer payments that were either diverted or not correctly applied to customers' accounts."" The information compromised included ""customer funds, misuse of some customer financial cards, and accessing and changing some customers' contact information"". 
Some information was used to add additional insurance coverage without the policyholders' knowledge and consent. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62237","California Attorney General","","2016","40.477335","-88.955172" "June 6, 2016","Empathia Inc","Waukesha","Wisconsin","HACK","BSO","0","""On January 30 2016, we discovered spam files on one of our data servers.  We removed the spam and immediately launched an investigation to determine the nature of the access and what data may have been stored on that server. We also hired a third party forensic investigator to supplement our investigation. The forensic investigation revealed that the spam spread to a second domain on the same server. That contained a file with your information which you provided to Empathia when you submitted a request for a credit check in 2003 or 2004."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62197","California Attorney General","","2016","43.054219","-88.233263" "June 13, 2016","Grand Sierra Resort and Casino","Reno","Nevada","HACK","BSO","0","""On or around September 29, 2015, the Grand Sierra Resort was contacted by law enforcement regarding an investigation into a potential compromise of payment card information used at food and retail locations at the Grand Sierra Resort.  We immediately began to cooperate with law enforcement and to investigate this matter.  Third party forensics investigators were retained to assist the Grand Sierra Resort.  
On or around January 11, 2016, these investigators confirmed that certain guest payment card information for cards used at food and retail locations at the Grand Sierra Resort may have been compromised.""The information compromised included payment card information including card holder names, credit card numbers, credit card expiration dates, ""Track 1 data and Track 2 data""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62337 ","California Attorney General","","2016","39.529633","-119.813803" "June 13, 2016","Momentum for Mental Health","San Jose","California","HACK","MED","0","""On June 3, 2016, Momentum was targeted by an e-mail scam called ""spoofing"". We discovered this incident within hours of it taking place. Nonetheless, it resulted in Momentum inadvertently making person information from your Form W-2 available to an unknown third party.""The information compromised included Social Security numbers, information, wage information, tax deductions.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62338","California Attorney General","","2016","37.377897","-121.836571" "June 14, 2016","Acer Service Corporation","San Jose","California","HACK","BSO","35,000","""We recently identified a security issue involving the information of certain customers who used our ecommerce site between May 12, 2015 and April 28, 2016, which resulted in unauthorized access by a third party.""The information compromised included names, addresses, card numbers, expiration dates, and three digit security code on the back of cards.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62344UPDATE (2/10/2017): ""On January 26, New York Attorney General Eric Schneiderman announced a settlement with Acer Service Corporation over an alleged data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents. 
As part of the settlement, Acer agreed to pay $115,000 in penalties and to improve its data security practices. The penalty amounts to approximately $50.12 per New York resident potentially affected.Acer is a computer manufacturer based in Taiwan. According to the A.G.'s press release, Acer maintained a website that had numerous security vulnerabilities. For example, between July 2015 and April 2016, an Acer employee had enabled a debugging mode on Acer's e-commerce platform, during which time the website saved all information provided by customers in an unencrypted format. The unencrypted information included customers' full names, home addresses, email addresses, credit card numbers, card expiration dates, card verification numbers, user names, and passwords. Additionally, Acer erroneously configured its website to allow directory browsing by unauthorized users. This configuration allowed external viewing of and access to subdirectories on the website using a simple web browser, according to the A.G.""More information: http://www.mondaq.com/unitedstates/x/567202/Consumer+Law/NY+AG+Settles+w...","California Attorney General","","2016","37.328862","-121.893598" "May 16, 2016","Zocdoc, Inc. ","New York","New York","DISC","MED","0","""As you know, Zocdoc allows you to book appointments with doctors who list their medical or dental practices on our service.  Each practice registered with Zocdoc receives usernames which allow staff members to access Zocdoc's system (the ""Provider Dashboard"") to view appointments and other information you provide when you book an appointment. 
In June 2015, we learned of programming errors in the processes responsible for managing username access the Provider Dashboard, and therefore potentially view your personal information, after their usernames were removed, deleted or otherwise limited.""The information compromised included names, email addresses, phone numbers, Social Security numbers, appointment history, insurance member ID and other medical history. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61838","California Attorney General","","2016","40.724280","-73.997354" "May 11, 2016","Hi-Tec Sports USA, Inc. ","Modesto","California","HACK","BSO","0","""Hi-Tec received reports from several customers of fraudulent charges appearing on their payment cards shortly after they were used to make a purchase on our Magnum Boots online order page. Hi-Tec immediately began working with the company that developed and maintains its websites. On March 11, 2016, the web developer reported that it had identified unauthorized code that had been inserted into the program that operates its order completion page.  Hi-Tec began an analysis to determine when the code was inserted and its functionality.  While that analysis was being conducted, Hi-Tec stopped accepting payment cards on its site and engaged a leading computer security investigation firm to assist in the investigation.""The information compromised included names, email addresses, phone numbers, payment card numbers, expiration dates and security codes (CVV codes). Orders placed between January 24, 2016 to March 11, 2016 on their Magnum Boots and Hi-Tec websites may have been affected. 
Additionally orders placed between September 22, 2014 and January 23, 2016 may also have been affected. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61796","California Attorney General","","2016","37.707382","-121.070351" "May 11, 2016","San Mateo Foster City School District","San Mateo","California","PORT","EDU","0","""On April 6, 2016, we were informed that a thumb drive, containing certain information on all of our active employees, including me, was inadvertently misplaced.  We have devoted considerable time and effort to try and locate the thumb drive, as well as to determine what exact information may have been included on it, and as such, is at risk of disclosure. Please know that we take this situation very seriously.  The police were notified and a police report was filed; however, at this time, the thumb drive has not been recovered."" The information compromised included names, addresses and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61794","California Attorney General","","2016","37.562992","-122.325525" "May 11, 2016","Lynn N. Talbott, JR., CPA","El Dorado Hills","California","HACK","BSF","0","""On April 19, 2016, I detected suspicious activity on a work computer.  I immediately took the computer off-line and contacted our IT consultant.  The consultant has confirmed unusual activity and changed potentially impacted passwords.  Further, on April 21, 2016, after a thorough analysis of the computer, the consultant removed malware found on the impacted computer's hard drive, and confirmed all firewalls and security protections were properly functioning."" The information compromised included names, gender, dates of birth, telephone numbers, addresses, Social Security numbers, all employment (W-2) information, direct deposit bank account information. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61797","California Attorney General","","2016","38.686569","-121.080903" "May 13, 2016","City College of San Francisco","San Francisco","California","HACK","EDU","0","""On April 15, 2016, we learned that an employee had responded to a ""phishing"" email thinking it was a legitimate request.  When we learned of this, we immediately secured the email account, reset passwords and began an investigation of the incident.""The information compromised included student information including names, addresses, Social Security numbers and additional information included in an application for financial aid. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61821","California Attorney General","","2016","37.774930","-122.419416" "May 13, 2016","Imperial Valley Family Care Medical Group, APC","El Centro","California","PORT","MED","0","""On March 21, 2016 there was a burglary at the office of Dr. Sampat and a single laptop computer was taken from the premises. A police report of the incident was filed with the El Centro Police Department.  
We have discovered during our investigation of the incident that the laptop may have contained your personal information including name, address, date of birth, and personal health information."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-61822","California Attorney General","","2016","32.792000","-115.563051" "January 21, 2016","The University of Texas System Administration","Austin","Texas","DISC","MED","794","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","30.267153","-97.743061" "February 2, 2016","Louisiana Healthcare Connections","Baton Rouge","Louisiana","PHYS","MED","13,086","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","30.413639","-91.094920" "February 3, 2016","Rite Aid, New York","Poughkeepsie","New York","HACK","MED","976","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.686871","-73.911810" "February 8, 2016","SEIM Johnson LLP","Elkhorn","Nevada","PORT","MED","30,972","""A business associate (BA), Seim Johnson, LLP, reported on behalf of 10 health care provider clients that its health care auditor took his firm-issued laptop computer on a non-business weekend trip.  When the employee arrived home from this trip, he discovered the backpack containing the laptop was missing.  The laptop contained the protected health information (PHI) of 30,972 individuals and included demographic, clinical, and financial information.  
The BA provided breach notification to HHS, affected individuals, and the media.  After investigating this incident, the BA determined that the laptop may not have been effectively encrypted.  Following the breach, the BA sanctioned the involved employee and its security officer, retrained employees on security risks involving portable devices, and implemented new policies and procedures.  OCR obtained assurances that the BA implemented the corrective actions listed above."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.265081","-96.197951" "February 12, 2016","Blue Cross Blue Shield of South Carolina","Columbia","South Carolina","DISC","MED","998","""A business associate (BA), Blue Cross\Blue Shield, of the covered entity (CE), South Carolina Public Employee Benefit Authority, incorrectly mailed pre-authorization dental letters to the CE's members due to a computer error.  During the mailing sorting process, the names of the envelopes were not matched to the correct addresses.  The breach affected 998 individuals and included financial, demographic, and clinical information.  The BA provided breach notification to HHS, affected individuals, and the media.  Following the breach, the BA revised its procedures for ensuring data integrity and accuracy and enhanced procedures to include a quality control validation step.  The BA trained systems support staff and confirmed that it requires all of its employees, contractors and consultants employed or retained for longer than 45 days to receive HIPAA training.  
OCR obtained assurances that the BA implemented the corrective actions listed above.""More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","California Attorney General","","2016","34.000710","-81.034814" "June 14, 2016","Democratic National Committee","Washington","District Of Columbia","HACK","BSO","0","""Russian government hackers broke into the computer systems of the Democratic National Committee and accessed information about Democratic candidates as well as a database on opposition research against Donald Trump, POLITICO has confirmed.""""In late April, the DNC's IT department noticed some suspicious behavior and contacted DNC chief executive officer Amy Dacey, according to a DNC official. Dacey reached out to DNC lawyer Michael Sussmann, a partner at the Perkins Coie law firm and a former federal prosecutor specializing in cybercrimes. Sussmann called Shawn Henry, the president of cybersecurity firm CrowdStrike, to get his company's help. Within 24 hours of the first signals that something was amiss, CrowdStrike was brought in to install monitoring software to analyze the details of who was responsible. The DNC has also been in contact with the FBI since the hack was discovered.""""CrowdStrike designated two groups that gained access to the DNC's info. One, codenamed Cozy Bear, broke into the DNC last summer and had been monitoring the committee's emails and chats. The other group CrowdStrike dubbed Fancy Bear. It hacked into the DNC in April aiming to get opposition research files. The Fancy Bear breach is what tipped off DNC officials. 
Fancy Bear was able to gain access to all of the DNC's research staff computers."" More Information: http://www.politico.com/story/2016/06/russian-government-hackers-broke-into-dnc-servers-stole-trump-oppo-224315#ixzz4Bev49jq9 ","Media","","2016","38.907192","-77.036871" "June 14, 2016","University of Connecticut","Storrs","Connecticut","HACK","EDU","0","""We are writing to inform you of a data security-related incident that may have involved your personal information.  On March 9, 2015, Information Technology (IT) staff in the School of Engineering detected that malicious software, or ""malware"", had been placed on a number of servers that are part of the School's technical infrastructure over a period of months, with penetration of the servers beginning as early as September 2013."" The information compromised included names, contact information, Social Security numbers, employment information, student academic information, research data and School of Engineering graduate level admissions data, credit card information, usernames and passwords. The exact number of individuals affected has not yet been released. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62350 More Information: http://today.uconn.edu/2015/07/uconn-responds-to-data-breach-at-school-o... ","California Attorney General","","2016","41.807546","-72.297646" "June 16, 2016","Multi-Color Corporation","Batavia","Ohio","PORT","BSO","0","""An East Coast law firm representing Multi-Color in litigation.  As part of that representation, the law firm collected data from Multi-Color's systems,  which included HR records and information on all current US employees as of April 13, 2016; certain former employees and some employees of a predecessor company; and applicants.  The data was saved to an external hard drive and password protected.  
The hard drive was delivered to the law firm and the password was separately emailed to the law firm."" ""On May 16, 2016, the law firm informed Multi-Color that someone broke into the law firm's law offices on either May 14 or May 15 and stole several items, including the hard drive containing Multi-Color's data and the password."" The information compromised included all current US employees as of April 13, 2016, former employees and employees of a predecessor company all of which may have included names, Social Security numbers, addresses as well as dependent information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62424","California Attorney General","","2016","41.850028","-88.312574" "February 19, 2016","Roark's Pharmacy","Oneida","Tennessee","PHYS","MED","3,000","As reported by Health and Human Services unauthorized access/disclosure to emails. No specific information as to what was contained in the emails was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","36.507287","-84.513664" "March 4, 2016","Walgreen Co.","Deerfield","Illinois","PHYS","MED","880","As reported by Health and Human Services theft/paper films. 
No specific information as to what information was compromised was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","42.171137","-87.844512" "March 4, 2016","Premier Healthcare, LLC","Bloomington","Indiana","PORT","MED","205,748","""Premier Healthcare, a Bloomington based physician-led multispecialty provider healthcare group, is reporting a possible data breach that could affect over 200,000 people after a laptop containing patient information was stolen."" The information compromised included names, addresses, dates of birth, Social Security numbers, financial information, medical record numbers, insurance information, and clinical information. More Information: http://fox59.com/2016/03/08/premier-healthcare-reports-possible-data-bre... As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Media","","2016","39.160858","-86.555514" "March 4, 2016","Cardiology Associates of Jonesboro, Inc.","Jonesboro","Arkansas","DISC","MED","1,669","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","35.833543","-90.703812" "March 1, 2016","Walmart Stores, Inc. ","Bentonville","Arkansas","HACK","MED","4,800","As reported by Health and Human Services unauthorized access/disclosure electronic medical record. 
No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","36.372854","-94.208817" "February 29, 2016","Group Life Hospital and Medical Program","Hartford","Connecticut","HACK","MED","3,000","As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","41.763711","-72.685093" "February 27, 2016","Mind Springs Health","Grand Junction","Colorado","HACK","MED","2,147","As reported by Health and Human Services unauthorized access/disclosure network server. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","39.063871","-108.550649" "February 26, 2016","The Eye Institute of Corpus Christi","Corpus Christi","Texas","HACK","MED","43,961","""The Eye Institute of Corpus Christi, a full service eye care, diagnosis, and treatment clinic in Texas, has discovered that individuals gained access to the records of all of its patients, downloaded their protected health information from the EHR, copied those data, and provided them to two physicians formerly employed by the eye clinic. 
The disclosed data include the names of patients, their addresses, contact telephone numbers, Social Security numbers, dates of birth, medical diagnoses, details of treatment, and health insurance details."" More Information: http://www.hipaajournal.com/data-breach-discovered-by-the-eye-institute-... More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","27.800583","-97.396381" "February 26, 2016","Freeport Memorial Hospital","Freeport","Illinois","PORT","MED","1,349","As reported by Health and Human Services theft/other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","42.295924","-89.637734" "February 26, 2016","Ecolab Health and Welfare Benefits Plan","St. Paul","Minnesota","HACK","MED","1,550","As reported by Health and Human Services Hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","44.946166","-93.094166" "February 26, 2016","Valley Hope Association","Norton","Kansas","PORT","MED","52,076","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","39.838123","-99.896994" "February 26, 2016","Vancouver Radiologists, PC","Vancouver","Washington","DISC","MED","603","""The covered entity (CE), Vancouver Radiologists, PC, on January 4, 2016, received telephone calls from a few patients that they received a postcard mammogram reminder, but with another patient's name.  The CE mailed 603 postcards which contained names, addresses, and generic reminders to schedule a mammogram. 
The CE submitted a breach notification report to HHS, affected individuals, and the media.  In response to the breach, the CE stopped mailing the postcard reminder and revised its mailing procedures.  The CE provided OCR with additional documentation specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation.  OCR obtained assurances that the CE implemented the corrective actions listed above.  The CE also provided refresher reminders to all staff members about its HIPAA privacy policies and procedures."" More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","45.657559","-122.590445" "February 26, 2016","Locust Fork Pharmacy","Locust Fork","Alabama","DISC","MED","5,000","As reported by Health and Human Services unauthorized access/disclosure other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","33.903913","-86.620655" "February 26, 2016","Elliot J Martin Chiropractic PC","Albertson","New York","HACK","MED","1,200","As reported by Health and Human Services hacking/IT incident/network server, desktop computer.  No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","40.770325","-73.652603" "February 19, 2016","Public Health Trust of Miami-Dade County Florida","Miami","Florida","HACK","MED","24,188","As reported by Health and Human Services unauthorized access/disclosure electronic medical record. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","25.761680","-80.191790" "March 8, 2016","Illinois Valley Podiatry Group","Peoria","Illinois","HACK","MED","26,588","""The Illinois Valley Podiatry Group, 3322 W. Willow Knolls Drive, has announced that it has become aware of unauthorized access to its computer records, believed to have taken place last year. The names, addresses and Social Security numbers of patients may have been viewed, according to the medical office."" More Information: http://www.pjstar.com/article/20160308/NEWS/160309356 As reported by Health and Human Services unauthorized access/hacking. No specific information as to what was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Media","","2016","40.774843","-89.644298" "June 14, 2016","Sutter County Superior Court","Yuba City","California","DISC","GOV","0","""Private personal information of potentially thousands of people was unintentionally available on public access computers in the Sutter County Superior Courthouse on Monday. The data breach occurred when a new case management system went live Monday morning. The system was taken down the same afternoon after an Appeal-Democrat reporter alerted Court Executive Officer Stephanie Hansel that sensitive and private information was viewable to the public. For about six hours, anyone who searched for a criminal or traffic case on public access computers could view the defendant's Social Security number, birthday, driver's license number and home address. 
State court rules clearly say such data should be redacted by court clerks for the protection of privacy.""More Information: http://www.govtech.com/dc/articles/California-County-Courthouse-Suffers-...","Media","","2016","39.135565","-121.606056" "March 10, 2016","UHHS Geauga Medical Center","Chardon","Ohio","HACK","MED","677","As reported by Health and Human Services unauthorized access/disclosure electronic medical records. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.508017","-81.190121" "March 10, 2016","Vidant Health","Greenville","North Carolina","HACK","MED","897","As reported by Health and Human Services unauthorized access/disclosure other. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","34.852618","-82.394010" "March 10, 2016","Karmanos Cancer Center","Farmington Hills","Michigan","PORT","MED","2,808","As reported by Health and Human Services loss/other portable electronic device. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","42.521967","-83.345378" "March 11, 2016","Virtua Medical Group","Evesham Township","New Jersey","HACK","MED","1,654","As reported by Health and Human Services unauthorized access/disclosure network server. 
No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","39.882944","-74.917998" "March 11, 2016","Vibrant Body Wellness","Berkeley","California","PORT","MED","726","As reported by Health and Human Services theft/laptop, other portable electronic device. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","37.870783","-122.270219" "March 14, 2016","JASACare","New York","New York","HACK","MED","1,154","""March 15th, 2016: JASACare, a licensed home care services provider, experienced a breach of its email system, resulting in the potential exposure of patient and employee information.  On January 29th, 2016, the email account of a JASACare staff member was accessed illegally by individuals outside of JASACare. The unauthorized individuals had access to the account for less than two hours over the course of a single day. JASACare believes that the individuals accessed the account in an attempt to make an illegal transfer of JASACare’s funds to the individual(s) bank account.""More Information: http://www.jasa.org/news/jasacare-experiences-breach-of-its-email-system...As reported by Health and Human Services Hacking/IT incident. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.754069","-73.991269" "March 15, 2016","Laborers Fund Administrative Office of Northern California, Inc. ","Fairfield","California","DISC","MED","2,373","As reported by Health and Human Services unauthorized access/disclosure paper films. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","38.231427","-122.125969" "March 17, 2016","W. Christopher Bryant DDS PC","Grand Rapids","Michigan","PORT","MED","2,200","As reported by Health and Human Services Loss/other portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","42.917620","-85.619047" "March 17, 2016","Hospital for Special Surgery","New York","New York","HACK","MED","647","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","40.765043","-73.952557" "March 18, 2016","Lindsay House Surgery Center, LLC","Rochester","New York","PHYS","MED","773","As reported by Health and Human Services theft/paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","43.161030","-77.610922" "March 18, 2016","Val Verde Regional Medical Center","Del Rio","Texas","HACK","MED","2,000","As reported by Health and Human Services hacking/IT incident/desktop computer/electronic medical records/email/laptop/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  
","Government Agency","","2016","29.374044","-100.892535" "March 21, 2016","National Counseling Group","Richmond","Virginia","HACK","MED","23,000","As reported by Health and Human Services hacking/IT incident/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","37.602100","-77.507781" "March 22, 2016","Metropolitan Jewish Health System, Inc. d/b/a MJHS","Brooklyn","New York","HACK","MED","2,483","As reported by Health and Human Services hacking/IT incident/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","40.634565","-74.013522" "March 23, 2016","Excel Plus Home Health, Inc.","Plano","Texas","PORT","MED","524","As reported by Health and Human Services theft/desktop computer,other portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","33.026986","-96.712812" "March 24, 2016","Morton Medical Center","Morton","Washington","HACK","MED","3,000","As reported by Health and Human Services hacking/IT incident/desktop computer/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","46.555773","-122.280333" "April 1, 2016","Pointe Medical Services, Inc.","Orange Park","Florida","PORT","MED","2,000","As reported by Health and Human Services theft/desktop computer, other portable electronic device. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","30.164334","-81.738837" "April 1, 2016","Einstein Healthcare Network","Philadelphia","Pennsylvania","DISC","MED","2,939","As reported by Health and Human Services unauthorized access/disclosure other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","40.036805","-75.143441" "April 5, 2016","Sisters of Charity of Leavenworth Health System Health Benefits","Broomfield","Colorado","DISC","MED","540","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","39.921207","-105.127959" "April 5, 2016","Target Corporation Health Plan","Minneapolis","Minnesota","DISC","MED","719","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","44.977753","-93.265011" "April 5, 2016","Pacific Gas and Electric","San Diego","California","DISC","MED","2,426","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  
","Government Agency","","2016","32.715738","-117.161084" "April 7, 2016","RMA Medical Centers of Florida","Pembroke Pines","Florida","PORT","MED","3,906","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","26.007765","-80.296256" "April 7, 2016","Indian Health Service Northern Navajo Medical Center","Shiprock","New Mexico","DISC","MED","7,421","As reported by Health and Human Services unauthorized access/theft paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","36.785554","-108.687032" "April 12, 2016","Mark Anthony Quintero M.D, LLC","Miami","Florida","HACK","MED","650","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","25.750798","-80.217077" "April 12, 2016","Sacred Heart Health System, Inc.","Pensacola","Florida","DISC","MED","532","As reported by Health and Human Services unauthorized access/disclosure other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","30.476499","-87.212194" "April 12, 2016","OptumRx, Inc. ","Carlsbad","California","PORT","MED","6,229","As reported by Health and Human Services theft/laptop/email. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","33.132132","-117.246673" "April 12, 2016","United Community & Family Services","Norwich","Connecticut","HACK","MED","1,000","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","41.524265","-72.075911" "April 13, 2016","Florida Department of Health","Tallahassee","Florida","DISC","MED","1,076","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","30.389647","-84.229946" "April 15, 2016","Oneida Tribe of Indians of Wisconsin","Green Bay","Wisconsin","PORT","MED","2,734","As reported by Health and Human Services theft/desktop computer/other portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","44.526258","-88.097631" "April 15, 2016","Vail Clinic, Inc. dba Vail Valley Medical Center and dbs Howard Head Sports Medicine","Vail","Colorado","HACK","MED","1,506","As reported by Health and Human Services unauthorized access/disclosure laptop/network server. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","39.640264","-106.374196" "April 18, 2016","Florida Hospital Medical Group","Orlando","Florida","HACK","MED","1,906","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","28.538336","-81.379237" "April 19, 2016","Quarles & Brady, LLP","Madison","Wisconsin","PORT","MED","1,032","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","43.073052","-89.401230" "April 20, 2016","Lake Pulmonary Critical Care PA","Tavares","Florida","PORT","MED","648","As reported by Health and Human Services theft paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","28.819148","-81.715446" "April 20, 2016","Wyoming Medical Center","Casper","Wyoming","HACK","MED","3,184","As reported by Health and Human Services hacking/IT incident/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","42.848066","-106.307984" "April 22, 2016","Kaiser Foundation Health Plan, Inc.","Oakland","California","PHYS","MED","2,451","As reported by Health and Human Services theft/paper films. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","37.809976","-122.264117" "April 22, 2016","Edwin Shaw Rehabilitation","Akron","Ohio","PHYS","MED","975","As reported by Health and Human Services loss/other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","41.081445","-81.519005" "April 22, 2016","Ohio Department of Mental Health and Addiction Services","Columbus","Ohio","DISC","MED","59,000","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... More Information: http://mha.ohio.gov/Portals/0/assets/News/pressReleases/20160422-Media-N...","Government Agency","","2016","39.962804","-82.999438" "April 23, 2016","Mayfield Clinic Inc. ","Cincinnati","Ohio","HACK","MED","23,341","As reported by Health and Human Services hacking/IT incident/email/network server.  No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","39.150519","-84.443784" "April 27, 2016","Family & Children's Services of Mid-Michigan","Midland","Michigan","HACK","MED","981","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","31.997346","-102.077915" "April 29, 2016","Pruitt Home Health","Florence","South Carolina","DISC","MED","1,500","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","34.195433","-79.762563" "May 1, 2016","Managed Health Services","Indianapolis","Indiana","DISC","MED","610","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","39.781855","-86.156979" "May 4, 2016","Florida Medical Clinic","Land O Lakes","Florida","DISC","MED","1,000","As reported by Health and Human Services unauthorized access/disclosure electronic medical records. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","28.186912","-82.423224" "May 4, 2016","UnitedHealthcare Group Single Affiliated Covered Entity","Minneapolis","Minnesota","DISC","MED","5,330","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  
","Government Agency","","2016","44.977753","-93.265011" "May 9, 2016","Lafayette Pain Care PC","Lafayette","Indiana","HACK","MED","7,500","As reported by Health and Human Services hacking/IT incident/unauthorized access/disclosure/network server/electronic medical records. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","40.408164","-86.829688" "May 11, 2016","Unity Point Health","West Des Moines","Iowa","DISC","MED","1,620","As reported by Health and Human Services unauthorized access/disclosure electronic medical records. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","41.597695","-93.786746" "May 11, 2016","Family Medicine of Weston","Weston","Florida","HACK","MED","500","As reported by Health and Human Services hacking/IT incident/electronic medical records. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","26.090508","-80.369279" "May 11, 2016","Medical Colleagues of Texas, LLP","Katy","Texas","HACK","MED","68,631","""Hackers breached the computer network of a doctors' group in Katy, potentially accessing upward of 50,000 medical records and personnel files, a lawyer for the practice said Wednesday. ""It's a large number of records,"" said Dallas attorney Lindsay Nickle, who represents the group, Medical Colleagues of Texas. 
Computer forensics experts were called in after an office employee at the family practice and obstetrics group noticed unusual activity on March 8 and it was determined the system had been hacked, Medical Colleagues of Texas said. The breached information could include names, addresses, health insurance information and Social Security numbers.""More Information: http://www.houstonchronicle.com/business/medical/article/Data-breach-rep...Total number of records breached provided by health and human servicesMore Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Media","","2016","29.776075","-95.746321" "May 12, 2016","Employee Benefits Division","Little Rock","Arkansas","DISC","MED","2,602","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.663485","-88.580607" "May 11, 2016","Northwest Oncology & Hematology, S.C.","Elk Grove","Illinois","DISC","MED","1,625","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","42.004684","-88.016638" "April 28, 2016","Northstar Healthcare Acquisitions LLC","Houston","Texas","PORT","MED","19,898","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  
","Government Agency","","2016","29.760427","-95.369803" "May 16, 2016","Surgical Care Affiliates","Birmingham","Alabama","PORT","MED","9,009","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","33.520661","-86.802490" "May 17, 2016","San Juan County New Mexico","Aztec","New Mexico","HACK","MED","12,500","As reported by Health and Human Services hacking/IT incident/desktop computer. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","36.826213","-108.019575" "May 19, 2016","Emergency Room Associates dba- Emergency Medicine Associates","Tucson","Arizona","PHYS","MED","1,067","As reported by Health and Human Services theft paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","32.221743","-110.926479" "May 20, 2016","Tallahassee Memorial HealthCare, Inc","Tallahassee","Florida","HACK","MED","505","As reported by Health and Human Services hacking/IT incident other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","30.438256","-84.280733" "May 24, 2016","Melanie Witte (counsel for Berkeley Endocrine Clinic)","Berkeley","California","DISC","MED","1,370","As reported by Health and Human Services unauthorized access/disclosure email. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","37.871593","-122.272747" "June 8, 2016","WalMart Stores, Inc.","Bentonville","Arkansas","DISC","MED","27,393","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","36.376912","-94.223202" "June 7, 2016","Grace Primary Care, PC","Huntsville","Tennessee","HACK","MED","6,853","As reported by Health and Human Services hacking/IT incident/network. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","36.411781","-84.521501" "June 3, 2016","The Vein Doctor","Liberty","Missouri","HACK","MED","3,000","As reported by Health and Human Services hacking/IT incident/electronic medical records, network server. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","39.275339","-94.424853" "June 3, 2016","The University of New Mexico","Albuquerque","New Mexico","DISC","MED","2,827","As reported by Health and Human Services unauthorized access/disclosure paper films. 
No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","35.085334","-106.605553" "June 7, 2016","Vincent Vein Center","Grand Junction","Colorado","HACK","MED","2,250","This breach appears to be part of the third party vendor, Bizmatic breach. Bizmatic provides EMR/EHR software to 15,000 customers in the medical industry. The media report specifically states that Vincent Vein Centers breach included Social Security numbers as part of the breach. More Information: http://www.healthcare-informatics.com/news-item/cybersecurity/close-1500...As reported by Health and Human Services hacking/IT incident/electronic medical record. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","39.089094","-108.561837" "April 11, 2016","Pain Treatment Centers of America/Interventional Surgery Institute","Little Rock","Arkansas","HACK","MED","19,397","This breach appears to be part of the third party vendor, Bizmatic breach. Bizmatic provides EMR/EHR software to 15,000 customers in the medical industry. The media report and letter released by the company specifically states that Pain Treatment Centers/Interventional Surgery Institute breach included Social Security numbers as part of the breach. More Information: http://www.ptcoa.com/wp-content/uploads/2016/04/HIPAA-Security-Notificat...More Information: http://www.healthcare-informatics.com/news-item/cybersecurity/close-1500...As reported by Health and Human Services hacking/IT incident/electronic medical records/network server. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...  ","Government Agency","","2016","34.739887","-92.373759" "May 25, 2016","Integrated Health Solutions PC","Easton","Pennsylvania","HACK","MED","19,776","This specific breach, as reported, is part of a larger breach of the company Bizmatics which provides EHR/EMR software solutions to 15,000 healthcare providers. ""The company has not disclosed exactly how many of its clients were affected by the breach, although a number of healthcare providers have now issued breach notifications to patients and have informed the Department of Health and Human Services’ Office for Civil Rights of the breach.""Integrated Health Solutions is telling its members that names, addresses, Social Security numbers and health visit information may have been compromised. More Information: http://www.hipaajournal.com/integrated-health-solutions-notifies-20k-pat...As reported by Health and Human Services hacking/IT incident/electronic medical records, network server. No specific information as to what information was compromised as provided by health and human services.More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Media","","2016","40.679276","-75.258978" "May 25, 2016","Stamford Podiatry Group PC","Stamford","Connecticut","HACK","MED","40,491","""Connecticut-based Stamford Podiatry Group is notifying patients that medical and personal information was compromised in a recent security incident. How many victims? 40,491 What type of information? Names, medical history and treatment information, name, social security numbers, dates of birth, gender, marital status, addresses, phone numbers, email addresses, names of treating and referring doctors, and insurance coverage information were all compromised in the breach. What happened? 
On April 14 officials discovered that an unauthorized individual had covert access to the group's systems including its electronic database between February 22 and April 14.""More Information: http://www.scmagazine.com/data-of-40000-stamford-podiatry-group-patients...As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Media","","2016","41.061304","-73.541696" "May 26, 2016","Orchid MPS Holdings, LLC/Welfare Benefit Plan","Holt","Missouri","DISC","MED","771","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","42.626598","-84.503762" "May 31, 2016","Washington DC VA Medical Center","Washington","District Of Columbia","PHYS","MED","1,062","As reported by Health and Human Services theft/paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.929003","-77.010060" "June 1, 2016","Allen Dell P.A.","Tampa","Florida","HACK","BSO","2,500","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","27.942739","-82.476490" "June 1, 2016","ENT & Allergy Center","Fayetteville","Arkansas","HACK","MED","16,200","This specific breach, as reported, is part of a larger breach of the company Bizmatics which provides EHR/EMR software solutions to 15,000 healthcare providers. ""The company has not disclosed exactly how many of its clients were affected by the breach, although a number of healthcare providers have now issued breach notifications to patients and have informed the Department of Health and Human Services’ Office for Civil Rights of the breach."" More Information: http://www.hipaajournal.com/integrated-health-solutions-notifies-20k-pat...As reported by Health and Human Services hacking/IT incident/electronic medical records. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...Statement from company: http://entnwa.com/patient-resources/patient-forms/","Government Agency","","2016","36.090419","-94.155046" "May 5, 2016","Southeast Eye Institute, P.A. dba-Eye associates of Pinellas","Pinellas Park","Florida","HACK","MED","87,314","This specific breach, as reported, is part of a larger breach of the company Bizmatics which provides EHR/EMR software solutions to 15,000 healthcare providers. 
""The Southeast Eye Institute, P.A., in Florida, doing business under the name the Eye Associates of Pinellas, reported a possible data breach after an unauthorized individual gained access to patient data via a third party affiliate.   How many victims? 87,314 What type of information? Names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information may have all been compromised. What happened? On March 30, 2016, The Southeast Eye Institute was notified that a third-party breach at the medical practice software provider Bizmatics may have compromised the information of “at least some” of the institute's patients. Officials said the breach occurred in January 2015 but they did not immediately become aware of the incident. Bizmatics was unable to determine which patients' information was accessed and if the unauthorized individual was able to collate the various data files.""More Information: http://www.scmagazine.com/the-southeast-eye-institute-patient-informatio...","Media","","2016","27.857047","-82.727953" "January 4, 2016","Regional Income Tax Agency","Brecksville","Ohio","PHYS","BSF","50,000","""The Regional Income Tax Agency announced Dec. 31 that nearly two months earlier it lost personal data for about 50,000 people who filed tax forms with the agency. A backup DVD with the information cannot be located, according to RITA. The agency says it will provide one-year of free credit monitoring to those affected. ""Nothing in our investigation indicates that the DVD was stolen, or that there has been any misuse of information,"" agency attorney Amy L. Arrighi said today. 
""Our investigation to locate the missing DVD led us to the conclusion that it was most likely destroyed."" More Information: http://www.cleveland.com/metro/index.ssf/2016/01/rita_loses_personal_inf...","Media","","2016","41.319776","-81.626790" "January 7, 2016","Indiana University Health Arnett Hospital","Lafayette","Indiana","PORT","MED","29,000","""Indiana University Health’s Arnett Hospital has alerted 29,324 patients about the potential exposure of their Protected Health Information after an unencrypted flash drive disappeared from its emergency department. The flash drive was discovered to be missing on November 20, 2015, and an investigation was immediately launched. Efforts are continuing to try to locate the missing flash drive, which was lost in an area of the hospital not accessible to the public. Consequently, hospital officials do not believe patient data have been acquired or viewed by an external third party. IU Health Arnett Hospital started sending breach notification letters to affected patients last week to inform them that some of their PHI has potentially been compromised. However, no reports of inappropriate use of the data have so far been received by the hospital. The flash drive was not used to store Social Security numbers, financial information, or credit card numbers, although spreadsheets saved on the device included patient names, medical record numbers, dates of birth, and medical diagnoses.""More Information: http://www.hipaajournal.com/iu-health-security-breach-29k-8252/","Media","","2016","40.399672","-86.808588" "January 7, 2016","Fidelis Care","Rego Park","New York","DISC","MED","738","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.731095","-73.863630" "January 14, 2016","St. Lukes Cornwall Hospital","Newburgh","New York","PORT","MED","29,156","""St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data. The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administration information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised.""More Information: http://www.hipaajournal.com/st-lukes-cornwall-hospital-notifies-29k-pati...","Media","","2016","41.503489","-74.014570" "September 6, 2016","Ocean Acquisitions, Inc. ","Greenwich","Connecticut","PHYS","BSO","659","""In December 2015, Oceans Acquisitions, Inc. began notifying patients in the Abilene area about a possible data security breach that may have resulted in exposure of a limited amount of protected health information (PHI). The potential exposure occurred when a laptop was stolen from an employee’s car. The laptop stored emails that potentially contained PHI such as names, dates of birth, medical record numbers, diagnoses, payer information and admission dates. No patient social security numbers or bank account information was included in the emails. 
Upon learning PHI may have been present on the device, Oceans immediately took steps to identify the individuals with the potential to be impacted.""","Databreaches.net","https://www.databreaches.net/eight-months-after-laptop-theft-oceans-acquisitions-notifies-patients/","2015","41.026242","-73.628196" "June 20, 2016","GoToMyPC","Santa Clara","California","HACK","BSO","0","""GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.""""John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said. “Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett wrote in an emailed statement. “At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the  GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. ”More Information: http://krebsonsecurity.com/category/data-breaches/","Krebs On Security","","2016","37.354108","-121.955236" "November 11, 2015","Capital Financial Group","Brentwood ","Tennessee","STAT","BSF","0","""We are writing to let you know about an incident involving your personal information. On September 24th, Cindi Phillips' office was broken into and two computers were stolen.  The computers stored files which included your personal information. The information included your name, marital status, employer information, net worth, home phone number, E-mail address, cell phone number, address, and Social Security Number. 
The police have been notified of this incident.""More Information: http://www.dfr.vermont.gov/sites/default/files/11_12_2015%20Capital%20Fi...","Vermont Attorney General","","2015","36.034959","-86.799264" "February 6, 2016","Ocean Acquisitions, Inc.","Greenwich","Connecticut","PORT","BSO","659","""In December 2015, Oceans Acquisitions, Inc. began notifying patients in the Abilene area about a possible data security breach that may have resulted in exposure of a limited amount of protected health information (PHI). The potential exposure occurred when a laptop was stolen from an employee’s car. The laptop stored emails that potentially contained PHI such as names, dates of birth, medical record numbers, diagnoses, payer information and admission dates. No patient social security numbers or bank account information was included in the emails. Upon learning PHI may have been present on the device, Oceans immediately took steps to identify the individuals with the potential to be impacted.""","Databreaches.net","https://www.databreaches.net/eight-months-after-laptop-theft-oceans-acquisitions-notifies-patients/","2015","41.026242","-73.628196" "February 9, 2016","Ocean Acquisitions, Inc.","Lake Charles","Louisiana","PORT","MED","659","""The theft of a laptop computer from the vehicle of an Oceans Acquisitions employee has resulted in the protected health information of 659 patients from the Abilene region of Texas being exposed. In May 2015, Oceans Acquisitions confirmed that all portable devices, including laptop computers, had sensitive data encrypted. In the event of theft or loss of a device, all PHI stored on that device would be protected. The encryption would prevent any unauthorized individual from being able to access stored data. However, the laptop theft occurred on April 9, 2015, a month before Oceans Acquisitions ascertained that all devices were protected. 
While the healthcare provider believed the laptop computer theft did not place any data at risk of exposure, this has turned out not to be the case. According to a substitute breach notice issued on February 2, 2016, Oceans Acquisitions determined that the laptop in question did contain the PHI of 659 individuals, and that those patients potentially had their PHI exposed. This came to light during an unrelated systems review, which was not linked to the laptop computer theft. The data were stored in an email account that could be accessed through the computer. The data exposed included names of patients, medical record numbers, dates of birth, payer information, medical diagnoses, and admission dates. No financial information, insurance data, or Social Security numbers were stored in the email account or on the laptop."" More Information: http://www.hipaajournal.com/oceans-acquisitions-laptop-theft-data-breach...","Media","","2016","30.226595","-93.217376" "January 13, 2016","HSBC Bank USA, National Association","Depew","New York","DISC","MED","0","""We recently became aware of an incident in which HSBC's mortgage servicing provider sent encrypted and password protected disks, which inadvertently included some of your personal information, to an unauthorized commercial third party (a firm that performs financial analytics).  The information was sent between December 7, 2015 and December 8, 2015.  Upon review of some of the data, the third party realized the disks included more information than requested and returned all the disks to the mortgage servicing provider.  While the third party has attested that HSBC customer data was not loaded, accessed, or viewed by their personnel, HSBC is notifying you out of an abundance of caution.  The security of your information is very important to us and HSBC takes this matter very seriously.  
HSBC has received assurance from our mortgage servicing provider that they have made changes to their processes to avoid future incidents."" The information on the disks included names, mailing addresses, property addresses, Social Security Numbers, mortgage account numbers, deposit account numbers, payment history, demographic information and any additional necessary information to service a mortgage account. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-59603  ","California Attorney General","","2016","42.909323","-78.727086" "June 17, 2016","Bizmatics, Inc.","San Jose","California","HACK","MED","177,000","""A healthcare provider in Colorado, Vincent Vein Center, is the latest organization to notify the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) about a breach of protected health information stemming from a malicious hacker attacking Bizmatics’ data servers. Bizmatics provides ambulatory software and electronic health records serving 15,000 healthcare providers."" Each customer/provider is reporting the specific numbers to Health and Human Services. We will be reporting the specific provider records breached as they are reported by HHS. To date, the following entities have been reported as affected by the Bizmatics breach: Integrated Health Solutions - Pennsylvania; ENT & Allergy Center - Arkansas; Vincent Vein Center - Colorado; Southeast Eye Institute/Eye Associates of Pinellas - Florida; California Health & Longevity Institute - California; Pain Treatment Centers of America and Interventional Surgery Institute - Arkansas. As further information is provided, we will add to this list and make an effort to call out the third party breach in each individual breach post of the entity if and when it is provided. UPDATE (6/28/2016): Two additional health providers have reported being a part of the Bizmatics breach. 
The Vein Doctor, of Liberty, MO, notified that the data of 3,000 patients had been affected by this data breach. Grace Primary Care, P.C. has also notified patients that they too were affected by the Bizmatics breach and that 6,853 patients were potentially affected. Each of these entities has been reported separately within our Chron, stating the number of patients affected by this breach. More Information: http://www.hipaajournal.com/bizmatics-data-breach-victim-count-rises-alm...","Media","","2016","37.314635","-121.972668" "June 23, 2016","Texas Health and Human Services","Dallas","Texas","PHYS","MED","600","""A storage contractor has informed the Texas Health and Human Services Commission (HHSC) that 15 storage boxes have been discovered to be missing. The boxes were stored at three Iron Mountain facilities in Dallas, Fort Worth, and Irving. The boxes contained files relating to individuals who had applied to HHSC for medical assistance between January 1, 2008 and August 31, 2009. The files contained names, addresses, dates of birth, Social Security numbers, Social Security claim numbers, bank account numbers, Medicaid/individual numbers, and medical record numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 600 individuals were affected."" More Information: http://www.hipaajournal.com/texas-health-human-services-commission-notif...","Media","","2016","32.776664","-96.796988" "June 27, 2016","Hard Rock Hotel & Casino Las Vegas","Las Vegas","Nevada","HACK","BSO","0","""The Hard Rock Hotel & Casino in Las Vegas said Monday that customer payment-card data was accessed after malware was placed on the resort’s payment-card system, becoming the latest hotel to report such a breach. The company said the card-scraping malware identified data including cardholder name, card number, expiration date and internal verification code, in some cases. 
Hard Rock said that cards used at some restaurant and retail outlets between Oct. 27 and March 21 could have been impacted. The number of potential cards impacted wasn’t immediately disclosed."" More Information: http://www.wsj.com/articles/hard-rock-las-vegas-reports-card-data-breach... Hard Rock statement: http://oag.ca.gov/system/files/Hard%20Rock%20-%20Regulatory%20Packet%20%...?","Media","","2016","36.169941","-115.139830" "June 24, 2016","Mercy Medical Center Redding","Redding","California","INSD","MED","0","""On June 6, 2016, Dignity Health learned your information was accessed inappropriately.  Our business partner, naviHealth employed a person as a case manager who was working under a false name and nursing license.  This case manager was employed by naviHealth from June 2015 to May 2016.  When naviHealth discovered the problem, it immediately severed ties with the case manager and prevented further computer access.  Law enforcement was contacted, and naviHealth is cooperating in the on-going investigation. Unfortunately, the case manager accessed your patient information as part of his work.  
The information accessed includes the following: your standard clinical information, such as diagnosis, lab results, medications, dates of treatment, and provider notes; your individual information, such as name, address, phone number, social security number, date of birth, email, medical record number, account number, dates of service; and your health insurance account information, such as group health plan number and member ID"" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62536 ","California Attorney General","","2016","40.586540","-122.391675" "November 4, 2015","Genworth","New York","New York","DISC","BSF","0","""On July 30, 2015, your insurance agent, Gerals Darringer, notified us that in an attempt to obtain help desk support for his computer, he allowed access to his computer to a third party he thought was a representative of a major on-line retailer.  We now believe this third party was not a representative of the retailer, and it is possible that this connection allowed access to the files on his computer.  These files may have contained your name, address, date of birth, social security number, banking information as well as policy account numbers and some personal health information."" More Information: http://www.dfr.vermont.gov/sites/default/files/11_4_2015%20Genworth.pdf","Vermont Attorney General","","2015","40.712784","-74.005941" "June 27, 2016","Linda J White, DDS, PC","Manassas","Virginia","PORT","MED","2,000","As reported by Health and Human Services theft/other portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.793807","-77.517857" "June 14, 2016","Kern County Mental Health","Bakersfield","California","DISC","MED","1,212","As reported by Health and Human Services improper disposal/paper films. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","35.374178","-119.027286" "June 10, 2016","Riverside Health System","Riverside","California","DISC","MED","578","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","33.953349","-117.396156" "June 10, 2016","Saint Mary and Elizabeth Hospital","Louisville","Kentucky","HACK","MED","1,682","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.252665","-85.758456" "June 9, 2016","Pruitt Health Hospice Beaufort","Anderson","South Carolina","DISC","MED","1,437","As reported by Health and Human Services unauthorized access/disclosure paper films. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","34.518759","-82.650707" "June 29, 2016","Vertical Scope Inc.","","Ontario","HACK","BSO","0","""On June 13, 2016, we became aware that February 2016 data stolen from VerticalScope was being made available online."" The information compromised included member usernames, email addresses, hashed passwords, community user IDs, community website, and the IP addresses the usernames were originally registered with. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62619","California Attorney General","https://oag.ca.gov/ecrime/databreach/list","2016","43.647862","-79.392903" "June 30, 2016","Kool Kids Model & Talent Management","Marina del Rey","California","PORT","BSO","0","""APPLE Store- Topanga, CA referred us to ACS Computer Services-Tarzana, CA to remove the hard drive from our MacBook pro prior to a repair service.  While removing the hard drive and transferring it to an external hard drive case ACS COMPUTER SERVICES allegedly misplaced the MacBook Pro hard drive."" The information compromised included names, Social Security numbers, addresses, bank account numbers and payroll records. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62623","California Attorney General","","2016","33.983900","-118.458845" "June 30, 2016","KontrolFreek, LLC","Atlanta","Georgia","HACK","BSO","0","""We recently became aware that an unauthorized third party accessed the KontrolFreek servers and acquired certain payment card information of some of our customers.  Promptly after learning of the issue, we took steps to secure our website and determine the nature and scope of the issue.  In addition, we retained a data security expert to conduct a forensic investigation."" The information compromised included names, addresses, payment card number and security code. 
","California Attorney General","","2016","33.810018","-84.413937" "June 29, 2016","Massachusetts General Hospital","Boston","Massachusetts","HACK","MED","4,293","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","42.363154","-71.068833" "June 1, 2016","My Pediatrician","Brandon","Florida","HACK","MED","2,500","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","27.920301","-82.323421" "February 26, 2016","Nintendo of America, Inc.","Redmond","Washington","HACK","MED","6,248","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","47.651044","-122.139453" "January 15, 2016","Hawaii Medical Service Association","Honolulu","Hawaii","DISC","MED","10,179","As reported by Health and Human Services unauthorized access/disclosure paper/films. 
No specific information as to what was contained in the emails was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2016","21.306944","-157.858333" "January 14, 2016","Fellicia Lewis, M.D.","Lakewood Hills","Texas","HACK","MED","1,500","No specific information was provided by Health and Human Services as to the type of information compromised in the breach. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","32.811989","-96.737628" "December 31, 2015","Pittman Family Dental","Montpelier","Ohio","HACK","MED","8,830","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.589049","-84.595466" "December 28, 2015","Michael Benjamin, M.D. Inc. ","West Hills","California","PHYS","MED","1,300","As reported by Health and Human Services theft/paper/films. No specific information as to what was contained in the emails was provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","Government Agency","","2015","34.203418","-118.629834" "December 24, 2015","HealthSouth Rehabilitation Hospital of Round Rock","Round Rock","Texas","PORT","MED","1,359","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","30.483551","-97.693370" "December 23, 2015","ST Psychotherapy, LLC","Oshkosh","Wisconsin","PORT","MED","509","As reported by Health and Human Services theft/laptop. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","44.024706","-88.542614" "December 23, 2015","Allina Health","Minneapolis","Minnesota","PHYS","MED","6,195","As reported by Health and Human Services improper disposal/paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","44.977753","-93.265011" "December 23, 2015","White Glove Health","Austin","Texas","DISC","MED","975","As reported by Health and Human Services unauthorized access/disclosure email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2015","30.259991","-97.791380" "February 15, 2016","Radiology Regional Center, PA","Fort Meyers","Florida","PHYS","MED","483,063","""Radiology Regional Center, PA, a physician-owned and managed diagnostic facility with nine locations in Florida, announced today that on December 19, 2015, Radiology Regional Center was informed by its records disposal vender, Lee County Solid Waste Division (“Lee County”), that, on that same date, paper records containing the personal information of Radiology Regional Center’s patients were released by Lee County on Fowler Street in Fort Myers, Florida.  The records were released while Lee County was transporting the records to be incinerated.  This release is being issued in accordance with guidelines from the Health Insurance Portability and Accountability Act (“HIPAA”). Impacted patients have already been notified in accordance with HIPAA. 
To the best of Radiology Regional Center’s knowledge, these records, which date from 2005-2012, may have contained patient names, addresses, phone numbers, social security numbers, dates of birth, health insurance numbers, and other medical status and assessment information as well as financial information gathered in the patient medical and financial records.""More Information: https://globenewswire.com/news-release/2016/02/15/810701/0/en/Radiology-...","Media","","2016","26.553927","-81.899291" "July 12, 2016","Pennsylvania Revenue Department","Harrisburg","","PORT","GOV","865","""The Pennsylvania Revenue Department announced Tuesday that it is mailing letters to 865 taxpayers whose ""personally identifiable"" data were on one of four laptops stolen from a rental car in San Francisco, where auditors were working last month. Thieves smashed the windows of several parked vehicles, including the auditors' car, the Revenue Department said in a news release.The department said it determined that ""some procedures to secure data may not have been followed with one laptop"" but the department's computer network hasn't been accessed or hacked.The taxpayers whose information was on the potentially unsecure laptop will receive free credit monitoring services and other protections. Details will be provided in the letter.""More Information: http://www.mcall.com/news/local/watchdog/blog/mc-stolen-government-lapto...","Media","","2016","40.261250","-76.881526" "July 6, 2016","California Department of Corrections and Rehabilitation","Stockton","California","DISC","GOV","0","""We are writing to you because of a security incident that occurred on May 2, 2016 at the California Health Care Facility.  An employee inadvertently e-mailed a document containing your personal information to the wrong person.""Information compromised included first and last names and Social Security numbers. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62703","California Attorney General","","2016","37.894728","-121.184844" "July 15, 2016","Matador Recordings, LLC","New York","New York","HACK","BSO","0","""On May 4, 2016, we were advised by our third-party website developer that it had identified and removed suspicious files from the e-commerce websites of the record labels for which Matador Direct is the distributor.  We quickly began an investigation and hired a third-party cybersecurity firm to assist us.  Findings from the investigation show that if a customer attempted to or did place an order on one of the affected websites from April 28, 2015 to May 4, 2016, information associated with the order being placed may have been obtained by an unauthorized third-party.""The information compromised included customer names, addresses, phone numbers, email addresses, payment card numbers, expiration dates, security codes, and account passwords.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62853","California Attorney General","","2016","40.726052","-73.996539" "July 14, 2016","Opes Advisors","Cupertino","California","HACK","BSO","0","""On or about May 26, 2016, email login credentials were compromised allowing an outside party to gain access to one specific account.  Although we are still investigating the incident, the email may have contained your private information so we wanted to let you know about this incident right away.""The information compromised included email accounts that contained names, Social Security numbers, and any documents emailed. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62850","California Attorney General","","2016","37.322543","-122.010909" "July 14, 2016","Project Management Institute","Newton Square","Pennsylvania","HACK","BSO","0","""PMI was informed on June 14, 2016, that one of its vendors, Comnet Marketing Group, Inc. 
(""Comnet""), had been the victim of an intrusion of its computer systems.  An unauthorized user gained administrative access to Comnet's systems on April 23-24, 2016, and issued commands to delete all the data housed on Comnet's servers.  That data may have included certain PMI customer credit card information that Comnet had collected on behalf of PMI.  Comnet did not discover any evidence indicating that the credit card data was accessed or acquired by an unauthorized user or that the unauthorized user intended to steal data.  But Comnet has been unable to definitively rule out any unauthorized access to or acquisition of data.  Thus, PMI provides this notice out of an abundance of caution."" The information compromised included names, addresses, email addresses, phone numbers, credit card numbers, CVV codes, and expiration dates. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62846","California Attorney General","","2016","39.977697","-75.419014" "July 12, 2016","Kaiser Permanente Northern California","Oakland","California","INSD","MED","0","""The preliminary investigation has determined that two Kaiser Permanente employees stole equipment and machines from several Kaiser Permanente sites and stored them in an offsite storage unit.  When the stolen items were returned, each was examined and some of the ultrasound machines were found to contain PHI.  The theft of this equipment appears to have been for the purpose of selling the machine for profit, and not for the disclosing or misuse of PHI.  There is no indication that any protected health information has been used for fraud or other criminal activity."" The information compromised included MRN only or with first names, last names, images. 
More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62796 ","","","2016","37.805766","-122.265201" "July 8, 2016","Omni Hotels & Resorts","Dallas","Texas","HACK","BSO","0","""On May 30, 2016, we discovered we were the victim of malware attacks on our network affecting specific point of sale systems on-site at some Omni properties.  The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date.""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62753","California Attorney General","","2016","32.805534","-96.816549" "June 21, 2016","Uncommon Care, P.A.","Angier","North Carolina","HACK","MED","13,674","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","35.539944","-78.748300" "June 17, 2016","Midland Women's Clinic","Midland","Texas","DISC","MED","717","As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","31.995210","-102.103079" "June 14, 2016","Laser & Dermatologic Surgery Center","St. Louis","Missouri","HACK","MED","31,000","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.654494","-90.552692" "June 7, 2016","Midland County Hospital District dba. 
Midland Memorial Hospital","Midland","Texas","DISC","MED","1,468","As reported by Health and Human Services unauthorized access/disclosure/paper films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","31.996702","-102.099608" "July 19, 2016","San Antonio Shoemakers","San Antonio","","HACK","BSO","0","""We recently became aware of a computer intrusion that affected checkout systems at a number of San Antonio Shoemakers stores located in the United States. Promptly after discovering the issue, we engaged outside cybersecurity experts to conduct an extensive investigation. We have been working closely with law enforcement authorities and coordinating our efforts with the payment card organizations to determine the facts. Upon the written request of the United States Attorney’s Office for the Southern District of New York and the New York Electronic Crimes Task Force of the United States Secret Service we delayed notifying individuals potentially affected by this incident for 30 days while law enforcement began their investigation."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62930","California Attorney General","","2016","29.360197","-98.536821" "June 3, 2016","Cici's Pizza","Coppell","Texas","HACK","BSO","0","""Cici's Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. 
The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.""More Information: http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/","Krebs On Security","","2016","32.954569","-97.015008" "July 21, 2016","inVentiv Health, Inc. ","Burlington","Massachusetts","HACK","BSO","0","""On July 7, 2016, we learned that a targeted ""phishing"" email message had been sent to inVentiv Health in June.  Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual.  The email was designed to appear as though it had been sent by an inVentiv executive, from the inVentiv executive's email account, requesting the uploading of our U.S. employees' 2015 W-2 Forms to a file sharing site.  Believing the email request to be legitimate, the W-2 data was uploaded.  
It is unknown how much of the data uploaded may have been accessed by unauthorized individuals.""The information compromised included W-2 data included your name, address, Social Security number and salary information.More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-62962","California Attorney General","","2016","42.484445","-71.196007" "July 26, 2016","Kimpton Hotels","San Francisco","California","HACK","BSO","0","""Kimpton Hotels, a boutique hotel brand that includes 62 properties across the United States, said today it is investigating reports of a credit card breach at multiple locations.On July 22, KrebsOnSecurity reached out to San Francisco-based Kimpton after hearing from three different sources in the financial industry about a pattern of card fraud that suggested a card breach at close to two-dozen Kimpton hotels across the country.Today, Kimpton responded by issuing and posting the following statement:“Kimpton Hotels & Restaurants takes the protection of payment card data very seriously. Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.”More Information: http://krebsonsecurity.com/2016/07/kimpton-hotels-probes-card-breach-cla...","Krebs On Security","","2016","37.790213","-122.403507" "July 27, 2016","Cardon Outreach","The Woodlands","Texas","INSD","MED","22","""A health care revenue company says one of its employees looked at nearly two dozen patient records without authorization.Cardon Outreach does contract work for AnMed Health, and has employees on site at the hospital. 
AnMed said in a release that a Cardon Outreach employee opened 22 patient files without authorization, including her own file.Cardon Outreach fired the employee immediately after learning of the breach, according to the release.""More Information: http://www.wyff4.com/news/unauthorized-employee-accessed-hospital-patien...","Media","","2016","30.181265","-95.486611" "July 16, 2016","Providence Health & Services","Portland","Oregon","INSD","MED","5,400","""Providence Health & Services in Oregon is notifying about 5,400 current and former patients that a former employee may have improperly accessed their patient records.Providence said in a statement Friday that it learned of the breach in May during an internal audit and had since fired the Portland-based employee.The audit found the worker had accessed health records between July 2012 and April 2016. It says the worker viewed demographic and medical treatment information, and may also have seen insurance information and Social Security numbers.""More Information: http://www.kgw.com/news/health/providence-notifies-5400-oregon-patients-...","Media","","2016","45.523062","-122.676482" "July 26, 2016","Harrison Municipality","Harrison","New Jersey","HACK","GOV","0","""Since the West Hudson town's website was initially hacked on July 7, Harrison's website has been infiltrated seven more times in the past two weeks, officials said. ""These are highly intelligent criminals who seek to cause havoc and destruction in the cyber world,"" said Nick Ayala of Scan Worx, the company that has managed the town's website for eight years. 
""Unfortunately, these are the times we live in."" Harrison Mayor James Fife told The Jersey Journal this morning that the town's website does not contain any private information and no ""sensitive material"" has been compromised.""More Information: http://www.nj.com/hudson/index.ssf/2016/07/this_nj_towns_website_has_bee...","Media","","2016","38.170114","-86.175176" "July 22, 2016","Elex (mobile game Clash of Kings)","","Beijing","HACK","BSO","1,600,000","""A hacker has targeted the official forum for popular mobile game ""Clash of Kings,"" making off with close to 1.6 million accounts.The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.Three major social networks have quietly fallen victim to data breaches. Despite some success, patience and trust is now fading.In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). 
Passwords stored in the database are hashed and salted.""  Note: Company breach affected customers within the US","Media","http://www.zdnet.com/article/hacker-steals-forums-of-clash-of-kings-mobile-game/","2016","45.425168","-75.694837" "July 29, 2016","Hillary Clinton Political Campaign","Washington","District Of Columbia","HACK","BSO","0","""The computer network used by Democratic presidential candidate Hillary Clinton's campaign was hacked as part of a broad cyber attack on Democratic political organizations, people familiar with the matter told Reuters.The latest attack, which was disclosed to Reuters on Friday, follows reports of two other hacks on the Democratic National Committee and the party's fundraising committee for candidates for the U.S. House of Representatives.The U.S. Department of Justice national security division is investigating whether cyber hacking attacks on Democratic political organizations threatened U.S. security, sources familiar with the matter said on Friday.The involvement of the Justice Department's national security division is a sign that the Obama administration has concluded that the hacking was state sponsored, individuals with knowledge of the investigation said.In a comment, the Clinton campaign said the data program maintained by the DNC and used by its campaign and other entities was accessed as part of the DNC hack. It added that its computer system has been under review by outside cyber security experts. 
To date, the outside experts have found no evidence that the campaign's internal systems have been compromised.""More Information: http://www.cnbc.com/2016/07/29/hackers-breached-clinton-campaign-compute...","Media","","2016","38.907192","-77.036871" "July 30, 2016","Disney Consumer Products and Interactive Media","Burbank","California","HACK","BSO","365,000","""Disney Consumer Products and Interactive Media has confirmed a data breach that affected some users of its Playdom forums.A spokesperson for the business segment of the Walt Disney Company explains in a statement that security teams detected the incident back in July:“On July 12, 2016, we became aware that an unauthorized party gained access to the Playdom Forum servers. We immediately began investigating the incident and discovered that on July 9 and July 12, 2016, the unauthorized party acquired certain user information from the playdomforums.com site.“The information compromised included usernames, email addresses, passwords, and IP addresses of Playdom Forum users. More Information: http://www.tripwire.com/state-of-security/latest-security-news/disney-co...","Media","","2016","34.180839","-118.308966" "July 27, 2016","Select Pain & Spine Dr. Christopher T. Sloan, D.P.M.","Farmington","Missouri","HACK","MED","48,000","“We write to inform you that our practice discovered a data breach on May 27, 2016 that may have contained personal health information and have been investigating the exact nature and scope of the information obtained by the hackers since,” the letter reads. 
“To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients including: names, addresses, social security numbers, date of births, diagnoses, lab results, other medical records, and potentially some financial information.""""On June 25, a hacker going by the name “thedarkoverlord” provided information to Deep Dot Web of a purported hacking of three different healthcare organizations – one originating from Farmington and containing 48,000 alleged patient records, according to the Deep Dot Web report.""This breach is one entity of the medical group that was hacked. More Information: http://dailyjournalonline.com/news/local/local-medical-group-involved-in...More Information: http://www.hipaajournal.com/farmington-medical-group-confirms-cyberattac...","Media","","2016","37.790083","-90.438572" "July 26, 2016","Midwest Orthopedic Group","Farmington","Missouri","HACK","MED","29,153","""Midwest Orthopedics Group includes a number of healthcare companies including Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; MidWest Orthopedic Pain & Spine; and Select Pain & Spine.""""Patients were informed that the breach was first discovered on May 27, 2016 and the information compromised in the attack included names, dates of birth, addresses, Social Security numbers, Medical diagnoses, laboratory test results, medical records, and possibly also financial information. An investigation into the breach was launched and it appears that the cyberattack occurred on May 4, 2016. The attack was conducted via a third party contractor, according to the breach notice.""More Information: http://www.hipaajournal.com/farmington-medical-group-confirms-cyberattac...More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Media","","2016","36.728058","-108.218686" "July 21, 2016","Sunbury Plaza Dental","Westerville","Ohio","PHYS","MED","7,784","As reported by Health and Human Services theft/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.084951","-82.895615" "July 20, 2016","Premier Family Care I, Inc.","Midland","Texas","DISC","MED","1,326","As reported by Health and Human Services unauthorized access/disclosure/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","31.997346","-102.077915" "July 15, 2016","Lee Rice D.O. Medical Corp DBA Lifewellness Institute","San Diego","California","HACK","MED","2,473","As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","32.715738","-117.161084" "July 14, 2016","Sunshine State Health Plan, Inc. ","Sunrise","Florida","DISC","MED","1,479","As reported by Health and Human Services unauthorized access/disclosure/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","26.137382","-80.339727" "July 11, 2016","Lasair Aesthetic Health P.C.","Denver","Colorado","DISC","MED","1,835","As reported by Health and Human Services unauthorized access/disclosure/email. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","39.652704","-104.910060" "July 11, 2016","Health Incent, LLC","Memphis","Tennessee","HACK","MED","1,100","As reported by Health and Human Services hacking/IT incident/other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","35.149534","-90.048980" "July 11, 2016","Dr. Q Pain and Spine d/b/a Arkansas Spine and Pain","Little Rock","Arkansas","HACK","MED","17,100","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","34.746481","-92.289595" "July 7, 2016","Heart Center of Southern Maryland, L.L.P.","Waldorf","Maryland","HACK","MED","1,350","As reported by Health and Human Services hacking/IT incident/electronic medical record. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.616013","-76.915080" "July 7, 2016","The Ambulatory Surgery Center at St. Mary","Langhorne","Pennsylvania","HACK","MED","13,000","As reported by Health and Human Services hacking/IT incident/network server. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.202327","-74.924778" "July 1, 2016","Planned Parenthood of the Heartland","Des Moines","Iowa","DISC","MED","2,506","As reported by Health and Human Services unauthorized access/disclosure/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.600545","-93.609106" "August 3, 2016","Banner Health","Phoenix","Arizona","HACK","MED","0","""On July 13, 2016, we discovered that cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers.  We immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers, and contacted law enforcement.  The investigation revealed that the attack was initiated on June 17, 2016.""The information compromised included names, birthdates, addresses, physician's name (s), dates of service, clinical information, health insurance information, and Social Security numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63197","California Attorney General","","2016","33.480797","-112.073047" "August 8, 2016","Oracle's MICROS Point-of-Sale","San Jose","California","HACK","BSO","0","""A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.""""MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. 
When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.""More Information: https://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-... ","Krebs On Security","","2016","37.338208","-121.886329" "August 8, 2016","Newkirk Products Inc.","Albany","New York","HACK","BSF","0","""Personal information about members of two local health insurance companies has been breached in a data security incident involving an Albany firm.Newkirk Products Inc., an Albany company that prints identification cards for insurers, reported a cybersecurity incident that exposed information including names, mailing addresses and, in some cases, date of birth. Social Security numbers, medical information and financial account information was not breached.Newkirk makes insurance ID cards for Albany nonprofit insurer CDPHP and BlueShield of Northeastern New York, the Latham division of Buffalo's HealthNow New York Inc. 
More than half a million CDPHP members and 70,000 BlueShield members were affected by the data incident, according to the insurers. The data systems of the health insurers were not affected."" More Information: http://www.bizjournals.com/albany/news/2016/08/08/data-breach-at-albany-...","Media","","2016","42.652579","-73.756232" "August 8, 2016","7-Eleven, Inc.","Dallas","Texas","DISC","BSO","7,820","""On behalf of the 7-Eleven franchisees, 7-Eleven maintains a database of records for each franchise location that contains information on all franchisee employees for that location.  Only the records in the database for the employees of a particular franchisee (""Employing Franchisee"") are sent to the local store and are available for access by the Employing Franchisee. 7-Eleven discovered in June 2016 that as a part of the update process, in addition to the normal set of employee records sent for each Employing Franchisee, some additional records from the franchisee employee database were available to certain 7-Eleven franchises.  We immediately updated the records, investigated to determine the cause of the issue, and have taken additional safety measures to protect your information and ensure that records are not accidentally made available to any franchisee other than the Employing Franchisee."" The information compromised included names, addresses, Social Security Numbers, and telephone numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63282 ","California Attorney General","","2016","32.916372","-96.854126" "August 9, 2016","Brian D. Halevie-Goldman, M.D. ","Walnut Creek","California","PORT","MED","2,000","""On July 19, 2016 two laptop computers belonging to the medical offices of Dr. Brian Halevie-Goldman were stolen. The laptops were password protected, secured in a carrying case and locked inside a vehicle when the theft occurred.  It is not known whether the information contained on the laptops was or will be accessed by the thief.  
It is possible that the laptops themselves and not the information they contained were the target of the thief."" The information compromised included names, birthdate and patient charts. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63286","California Attorney General","","2016","37.929327","-122.014549" "August 12, 2016","Bon Secours Health System","Richmond ","Virginia","DISC","MED","655,000","""Approximately 655,000 patients of the Bon Secours Health System are being notified that their information may have been compromised during an incident with a contractor in April. According to a release, R-C Healthcare Management, a company doing work for Bon Secours, inadvertently left files containing patient information accessible on the internet while attempting to adjust their network settings from April 18th to April 21st."" The information compromised included patient names, health insurer's name, health insurance identification number, social security number and limited clinical information. More Information: http://wtkr.com/2016/08/12/655000-bon-secours-patients-exposed-to-data-b...","Media","","2016","37.540725","-77.436048" "August 12, 2016","Valley Anesthesiology & Pain Consultants","Phoenix","Arizona","HACK","MED","0","""On June 13, 2016, we learned that a third party may have gained unauthorized access to the VAPC computer systems on March 30, 2016. Upon learning of the situation, we immediately began an investigation, including hiring a leading forensics firm to assist us, and notifying law enforcement.  The forensics firm found no evidence that the information on the computer systems was accessed, but was unable to definitively rule that out.  The computer systems may contain some of your information, such as your name, providers' names, date of service, place treatment, diagnosis and treatment codes, and your Medicare number, which may include your social security number.  
Your financial information was not included in these computer systems.""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63349 ","California Attorney General","","2016","33.468450","-112.074908" "August 9, 2016","Professional Dermatology Care, P.C. ","Reston","Virginia","HACK","MED","13,237","As reported by Health and Human Services unauthorized hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.942547","-77.324590" "August 11, 2016","Prosthetic & Orthotic Care, Inc.","St. Louis","Missouri","HACK","MED","23,015","""Prosthetic and Orthotic Care (POC), an independent prosthetics and orthotics company serving disabled individuals in Southern Illinois and Eastern Missouri, has discovered that an unauthorized individual has stolen the protected health information of 23,015 patients.The cyberattack occurred in June 2016, although POC only became aware of the hacking incident on July 10. The hacker gained access to patient data by exploiting security flaw in a third party software system that had been purchased by POC. The attack was conducted by a hacker operating under the name – TheDarkOverlord – who was also responsible for the cyberattacks on Athens Orthopedic Clinic and Midwest Orthopedics Group, in addition to a hack of as of yet unnamed health insurer. In total, the records of over 9.5 million patients are understood to have been obtained by the hacker.According to a breach notice issued by POC, the stolen data include names, addresses and other contact information, internal ID numbers, billing amounts, appointment dates, and diagnostic codes. 
Some patients also had their Social Security number, date of birth, procedure photographs, health insurer’s names, and other identification information stolen."" The ""breach total number"" was included in the posting of the third party software vendor who was hacked and affected many medical clinics, practices and facilities. More Information: http://www.hipaajournal.com/hacker-steals-phi-23000-patients-prosthetic-...","Media","","2016","38.627003","-90.199404" "August 5, 2016","Center for Minimally Invasive Bariatric and General Surgery","Chester","Pennsylvania","DISC","MED","992","As reported by Health and Human Services unauthorized access/disclosure/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","39.856341","-75.367874" "July 29, 2016","Jefferson Medical Associates, P.A.","Laurel","Missouri","HACK","MED","10,401","""A Laurel clinic has issued a warning to a small group of their patients after a recent data breach of their systems. Jefferson Medical Associates issued a press release stating that privacy events may have compromised certain personal information. ""I find things that are publicly available on the internet that should probably not be public available,"" said Chris Vickery, a cyber security researcher who lives in Austin, Texas. ""Things like databases that have no password and are configured for public access."" Vickery said he found a security flaw in a database of Jefferson Medical patient information. ""I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up,"" he said. 
""When I realized there social security numbers and names and phone numbers and prescription information, it dawned on me that 'hey this probably should not be public if it is real data.' So then I started the process of trying to figure out whose it was."" Jefferson Medical said Vickery was an unauthorized individual who shouldn't have had access to that information. ""This information is private information,"" said Katie Gilchrist, Jefferson Medical's legal counsel. ""It's federally protected information. It's information that was on our server. This individual accessed it without our permission. He did in secret. There has never been a time when patient information in Jefferson Medical's possession has been just out there for anyone to get to."" Vickery agrees he shouldn't have had access and said that's why he alerted the clinic to the hole in its security. ""It was as available as a website is,"" Vickery said. Gilchrist said, ""Basically it's like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked. These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That's just not appropriate."" Vickery said this isn't a hack because the information was readily available to anyone who knew where to look. ""There was nothing to hack,"" Vickery said. ""There simply was no password, no user name, no security features of any sort being used. If you want to use a real analogy, here's a better one. I drove along a country road, a public country road, that not many people drive along, and on the side of the road, there were some records. Jefferson Medical left those records there. I took pictures of them and hunted down Jefferson and told them their records were on the side of the road. There's no crime involved there. That's not hacking. 
That's simply them being negligent."" Gilchrist said an internal investigation is ongoing, and Jefferson Medical has already increased security in response to the breach."" More Information: http://www.wdam.com/story/32712941/security-flaw-may-be-responsible-for-...","Media","","2016","31.685946","-89.141363" "July 25, 2016","StarCare Specialty Health System","Lubbock","Texas","PORT","MED","2,844","As reported by Health and Human Services theft/laptop, paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","33.558870","-101.846058" "August 15, 2016","HEI Hotels & Resorts","Norwalk","Connecticut","HACK","BSO","0","""A hotel operator responsible for several high-profile hotels across the U.S. says it discovered a breach of its payment processing systems that may impact hotels in several states and The District of Columbia. In a statement Monday, HEI Hotels & Resorts says 20 hotels representing brands including Marriott, Starwood, Sheraton and Westin were impacted. HEI says they are working with law enforcement and financial institutions to address the breach. An outside forensic expert was also tapped to investigate the breach. ""We are pleased to report that the incident has now been contained and individuals can safely use payment cards at our properties,"" reads a statement from HEI. According to HEI, ""unauthorized individuals"" installed malware on its payment processing systems at these properties that can capture payment card information at the point of purchase."" List of hotels affected: http://www.heihotels.com/list-of-properties More Information: www.usatoday.com/story/tech/news/2016/08/15/major-hotel-operator-hit-dat... UPDATE (8/19/2016): ""All in all, 12 Starwood properties, 6 Marriott Properties and a single Hyatt hotel have been found to have been snagged in the breach. 
According to available data, the breach was active March 1, 2015 to June 21, 2016, with 14 of the hotels affected after Dec. 2, 2015, HEI said on its website on Friday. IHG and Marriott have no comment on the breach at this point. According to HEI – customer names, account numbers, payment card expiration dates and verification codes are all likely to have been stolen. Affected properties include: Starwood’s Westin hotels in Minneapolis; Pasadena, California; Philadelphia; Snowmass, Colorado; Washington, D.C.; and Fort Lauderdale, Florida. Also affected were Starwood properties in Arlington, Virginia; Manchester Village, Vermont; San Francisco; Miami; and Nashville, Tennessee. The Marriott properties affected were in Boca Raton, Florida; Dallas-Fort Worth, Texas; Chicago; San Diego, California; and Minneapolis."" More Information: http://www.pymnts.com/news/security-and-risk/2016/hei-data-breach-starwo...","Media","","2016","33.902237","-118.081733" "August 14, 2016","John E. Gonzalez DDS","Los Angeles","California","PORT","MED","0","""On the late afternoon of Monday July 25, 2016, my car window was broken out and my briefcase was stolen. In that briefcase was an external hard drive containing two different types of data. First, all office patient records were backed up on the drive, including social security numbers, driver's license numbers, phone numbers, date of birth, physical and email addresses and health insurance information. NO passwords or user names appear in these records. No complete credit card information or bank account information was stored on this drive (only the last four digits of the most recent card used is stored)."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63351","California Attorney General","","2016","34.052234","-118.243685" "August 16, 2017","Virgin Mobile","Warren","New Jersey","HACK","BSO","0","""A privacy breach seems to be underway at Virgin Mobile. 
Customers attempting to access their voicemail messages are instead getting access to the voicemail messages of other people. When dialing the 212 number used by Virgin Mobile that allows access to your own voicemail box, Virgin Mobile customers are instead reporting that they are hearing strangers' voicemail messages, getting access to their voicemail account menus, or being directed to leave messages on a stranger's voicemail. Customers are already taking to social media to report the issue. One Facebook user, Alison, raised concerns with Virgin Mobile customer service. ""This is clearly a security issue when I'm reaching other customers, I assume they're customers, voicemail inboxes.""","Media","https://www.cnet.com/au/news/virgin-mobile-australia-voicemail-error-privacy/","2016","40.651159","-74.573076" "August 19, 2016","Eddie Bauer","Bellevue","Washington","HACK","BSO","0","""The outdoor clothing and accessories retailer Eddie Bauer is the latest victim of point-of-sale malware to admit that its customers’ card details may have been stolen. Just days after hotel operator HEI said 20 of its hotels had been infected, Eddie Bauer said its 350-or-so stores in the U.S. and Canada had also been the victim of a malware attack. Cleaning up the mess won’t be cheap—Eddie Bauer said Thursday that it had arranged for all customers who made purchases and returns during this period to get free identity protection services from Kroll for the next year."" More Information: http://fortune.com/2016/08/19/eddie-bauer-data-breach/","Media","","2016","47.617230","-122.200964" "August 10, 2016","NLU Products, LLC","Lehi","Utah","HACK","BSO","0","""We recently discovered that we have been the victim of a data security incident that began in April 2015, during which personal, private and unencrypted credit/debit card information may have been exposed to an outside party and compromised. 
We are reporting the incident to the appropriate state agencies and federal authorities for investigation. Our notification has not been delayed as a result of any law enforcement investigation."" The information compromised included names, shipping addresses, billing addresses, credit card security codes, credit/debit card numbers. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63305","California Attorney General","","2016","40.434337","-111.895019" "August 12, 2016","PAX Labs, Inc. ","San Francisco","California","HACK","BSO","6,000","""On July 15, 2016, we discovered that an unauthorized party had gained access to one of our cloud-based website servers and installed unauthorized software. PAX removed this software on July 15, 2016. Subsequently, an unauthorized party added similar software on July 22, 2016, which PAX removed that same day. Our investigation revealed that the unauthorized party accessed personal payment card information of approximately 6,000 customers who had made purchases from either www.JUULvapor.com or www.PAXvapor.com between June 25, 2016, and July 22, 2016."" The information compromised included payment card data including names, shipping and billing addresses, credit/debit card numbers, expiration dates, and security codes. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63327 ","California Attorney General","","2016","37.774930","-122.419416" "August 23, 2016","Epic Games Forums","Cary","North Carolina","HACK","BSO","808,000","""Epic Games has temporarily shut down some of its user forums for maintenance after data on about 808,000 accounts was stolen, marking the second data breach of the game maker in 13 months. The compromise involved several forums maintained by Epic Games, based in Cary, N.C., that center on games and developer tools. The most affected forums are Infinity Blade, UDK, Gears of War archives and those for previous Unreal Tournament games. 
Email addresses, hashed and salted passwords and data entered into forums were leaked."" More Information: http://www.bankinfosecurity.com/epic-games-forums-breached-again-a-9355","Media","","2016","35.791540","-78.781117" "August 22, 2016","Schwan's Home Service, Inc. ","Marshall","Minnesota","HACK","BSO","0","""As a precaution, we want to make you aware that CARDSource, the third-party company that manufactured the cards for the Schwan’sPay™ program, has notified us of a possible compromise of its data. Thankfully, this activity represents a low risk, and there has been no evidence that your Schwan’sPay card information has been misused in any way. As part of CARDSource’s investigation, it was determined that the potentially compromised data included the names of some of our Schwan’sPay customers, along with their mailing addresses, email addresses, phone numbers and Schwan’sPay card numbers. CARDSource did not possess any other data for our Schwan’sPay card users."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63471","California Attorney General","","2016","44.445222","-95.789632" "August 22, 2016","SCAN Health Plan","Long Beach","California","HACK","MED","0","""On June 27, 2016 we learned that contact sheets, which are documents kept in a system used for sales purposes, had been accessed and possibly viewed for unauthorized purposes. We immediately began an investigation and brought in outside experts. We determined the unauthorized access occurred between March and June of 2016. While there is no indication that the information in this system has been used fraudulently, we needed to let you know that your information was in this system. What Information Was Involved? The information on the contact sheets that were exposed included name, address, and phone number. For some people it also included date of birth and limited health notes, such as a doctor name, health condition, or medication name. 
For a small number of individuals it may have also included Social Security number."" More Information: http://www.scandatafacts.com/#substitute","Security Breach Letter","","2016","33.807176","-118.144457" "August 26, 2016","County of Sacramento","Sacramento","California","DISC","GOV","0","""An error was discovered in the online automated application system within the Accela software that may have made your personal data available to Emergency Medical Service license applicants that had an account on the system. The report that allowed unauthorized access was deployed on August 8 2015. The report providing that data was shut off within an hour of discovery on August 1, 2016. While we have no indication that any data was compromised or misused, we are taking the precaution of notifying you so you can, if you deem appropriate, take additional steps to protect yourself and your information."" The information compromised included names, addresses, social security number, driver's licenses, phone numbers, and birth dates. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63584","California Attorney General","","2016","38.581572","-121.494400" "August 26, 2016","Toyota Motor Corporation","Plano","Texas","DISC","BSO","0","""On June 28, 2016, a TFS associate mistakenly emailed a spreadsheet containing customer information to her personal email account. The email was sent using an encrypted transmission method. This incident was discovered on June 28, 2016."" The information compromised included account numbers, first and last names, telephone numbers, payoff amounts and maturity dates. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63586","California Attorney General","","2016","33.019843","-96.698886" "August 19, 2016","Orleans Medical Clinic","Orleans","Massachusetts","HACK","MED","6,890","As reported by Health and Human Services unauthorized hacking/IT incident. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.785114","-69.967659" "August 15, 2016","Phoenix Dental Care","Lebanon","Tennessee","PHYS","MED","500","As reported by Health and Human Services theft/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","36.208110","-86.291102" "August 4, 2016","The Carle Foundation","Urbana","Illinois","DISC","MED","1,185","As reported by Health and Human Services unauthorized access/disclosure/network server. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","40.110588","-88.207270" "August 29, 2016","Langston Hughes Young Explorers Academy","Mount Hope, Bronx","New York","PHYS","EDU","0","""Eyewitness News has learned exclusively that the pile of papers contain extremely personal documents, including private medical information and social security numbers of students, documents that no one outside the school is supposed to see, but that were left fully exposed on the street for anyone to see. The papers were apparently left by workers at the Langston Hughes Young Explorers Academy, also called PS 236. They are from the 2007-2008 school year, but many contain up to date addresses and phone numbers of students and parents, and potentially embarrassing medical information along with social security numbers."" More Information: http://abc7ny.com/education/exclusive-student-records-found-discarded-in...","Media","","2016","40.848886","-73.905119" "August 26, 2016","Infowars/ Prison Planet 
TV","Austin","Texas","HACK","BSO","50,000","""Tens of thousands of subscriber accounts for media company Infowars are being traded in the digital underground. Infowars, created by famed radio host and conspiracy theorist Alex Jones, produces radio, documentaries and written pieces. The dumped data relates to Prison Planet TV, which gives paying subscribers access to a variety of Infowars content. The data includes email addresses, usernames, and poorly hashed passwords. The administrator of breach notification site Databases.Land provided a copy of 100,223 records to Motherboard for verification purposes. Vigilante.PW, another breach notification service, also has the Infowars dump listed on its site, and says the data comes from 2014. However, every record appears to have been included twice in the data, making the actual number of user accounts closer to 50,000."" More Information: http://motherboard.vice.com/read/infowars-accounts-hacked-prison-planet-...","Media","","2016","30.267153","-97.743061" "August 31, 2016","Artarama N.C. Inc. ","Raleigh","North Carolina","HACK","BSO","0","""We value your business and respect the privacy of your information. As a precautionary measure, we are writing to let you know about a potential data security incident that may involve your information. Our online sales platform may have been attacked by an Internet hacker and the security of certain information that was transmitted to us in connection with online sales during a short period of time may have been compromised. You may have read about similar data security breaches in the news recently. Unfortunately, we are the latest victims in this trend. Although we had taken measures that we believe were commercially reasonable under the circumstances, we may have been subject to a sophisticated cyber-attack that appears to have potentially penetrated our defenses. 
Malicious code may have been placed on our system and based upon our investigation, appears to have intercepted customer information that was transmitted during purchase transactions from May 3rd, 2016 until July 10th, 2016. The data that may have been accessed included credit card numbers and corresponding credit card expiration dates, email addresses, delivery and billing addresses. We do not have access to birthdates or Social Security Numbers so these categories of information were not at risk. Information transmitted during in-store sales in our retail store locations are not at risk from this incident."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63613","California Attorney General","","2016","35.865794","-78.588754" "September 1, 2016","M Holdings Securities, Inc. ","Portland","Oregon","PORT","BSF","0","""One of our employees reported that his company computer had been stolen from his parked car. The theft was reported to law enforcement, but, to date, the laptop has not been recovered. We believe that certain information that you provided to M Securities, such as your name, address, Social Security number, driver’s license or identification number, and financial account number may have been stored on this device and could have potentially been affected as a result of the theft. Although the computer was password-protected and it is unlikely that the stored data was accessed, we are notifying you of this incident out of an abundance of caution. Please note, at this time, we are not aware of any fraud or misuse of your information as a result of this incident."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63675","Maryland Attorney General","","2016","45.523062","-122.676482" "February 4, 2016","Northwestern Mutual Life","Milwaukee","Wisconsin","PORT","BSF","0","""We discovered that a theft had occurred in the secured office space and a backup hard drive was stolen. 
The drive was not encrypted and may have contained some client information. We are working with local law enforcement and the Northwestern Mutual Home Office to investigate and address this situation and recover the stolen items if possible. At this time, there is no evidence that your personal information has been misused; however, a breach of confidential information is something we take very seriously. Some of your personally identifiable information may have been included on the hard drive, such as your name, address, policy/account number(s), banking information and/or Social Security numbers. The entities involved include: The Northwestern Mutual Life Insurance Company; Northwestern Mutual Investment Services, LLC; and Northwestern Long Term Care Insurance Company (collectively, ""Northwestern Mutual"")"". More Information: http://www.dfr.vermont.gov/data-security-breach-notices","Vermont Attorney General","","2016","43.039231","-87.902089" "February 8, 2016","BajaBound.com","Baja","California","HACK","BSF","0","""We are writing to inform you of a data security incident that may have resulted in the disclosure of your personal information, including your name and driver’s license number. Your Social Security number is not in our system and was not exposed. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this may cause you. This letter contains information about steps you can take to protect your information, and resources we are making available to help you. What happened and what information was involved: On December 16, 2015, we discovered that an agent’s Baja Bound Insurance Service’s email account may have been compromised through a phishing attack. From our investigation, it appears the phishing email was intended to collect only email addresses. 
As part of our investigation, we also reviewed the documents stored in the email account and discovered an application that contained your personal information, including your name, address, date of birth, and driver’s license number. Our website, www.bajabound.com, was not affected and remains secure. While we have no evidence that any of this information was viewed or compromised, we wanted to let you know about this event out of an abundance of caution."" More Information: http://www.dfr.vermont.gov/sites/default/files/2_8_2016%20Baja%20Bound%2...","Vermont Attorney General","","2016","33.632791","-117.881401" "May 3, 2016","Charles Schwab","San Francisco","California","HACK","BSF","0","""We are contacting you to alert you to unusual login activity on your account(s), which began on or after March 25, 2016. We believe someone may have obtained your username and password from a non-Schwab account or website that you use and tried them successfully on Schwab.com. This type of account access can occur when you use the same username and password on multiple sites."" The information compromised included names, account numbers, positions and transaction history. More Information: http://www.dfr.vermont.gov/sites/default/files/Schwab%20data%20security%... ","Vermont Attorney General","","2016","37.774930","-122.419416" "December 7, 2015","New England Calendar and Novelty Company","Cobleskill ","New York","HACK","BSO","0","""On November 12, 2015, New England Calendar learned that, due to a security breach involving the company's websites (http://www.newenglandcalendar.com and http://www.ancompanycal.com), an unauthorized and unknown party was able to access the information of customers that had purchased products online from New England Calendar. 
Upon discovery of this issue, New England Calendar investigated the matter with its website vendor and determined that certain personal information, such as name, address, email address, site password, and payment card information, was accessed on or around September 24, 2015 and may have been compromised"" More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-263308.pdf ","Maryland Attorney General","","2015","42.681715","-74.478637" "August 30, 2016","Illinois Board of Elections","Springfield","Illinois","HACK","GOV","200,000","""Hackers have breached databases for election systems in Illinois and Arizona, according to state election systems in Illinois and Arizona, according to state election and law enforcement officials. In Illinois, hackers accessed a database for the Illinois Board of Elections, compromising up to 200,000 personal voter records according to Ken Menzel, General Counsel for the board."" The information compromised included names, addresses, sex and birthdays, plus voter's social security number or drivers' license numbers. The database that was compromised had information going back 10 years and most likely included outdated information which was never purged. 
More Information: http://www.cnn.com/2016/08/29/politics/hackers-breach-illinois-arizona-e... https://www.elections.il.gov/NewsDetail.aspx?ID=aw6iJK5tTZs%3d","","","2016","39.774346","-89.670185" "August 30, 2016","Arizona State Board of Elections","Phoenix","Arizona","HACK","GOV","0","""Hackers have breached databases for election systems in Illinois and Arizona, according to state election systems in Illinois and Arizona, according to state election and law enforcement officials. In Illinois, hackers accessed a database for the Illinois Board of Elections, compromising up to 200,000 personal voter records according to Ken Menzel, General Counsel for the board. According to Matthew Roberts, director of communications for the Arizona secretary of state, in late May, Arizona officials took the statewide voting registration system offline after the FBI alerted the Arizona Department of Administration that there was a credible cyber threat to the voter registration system. Although the Washington Post reported that Roberts attributed the database breach directly to a Russian hacker, when pressed by CNN, he said that the Arizona secretary of state's office learned of Russian involvement from internal IT and cyber security staff."" The information compromised included names, addresses, sex and birthdays, plus voter's social security number or drivers' license numbers. The database that was compromised had information going back 10 years and most likely included outdated information which was never purged. 
More Information: http://www.cnn.com/2016/08/29/politics/hackers-breach-illinois-arizona-e...","Media","","2016","33.448116","-112.097030" "September 5, 2016","Hutton Hotel","Nashville","Tennessee","HACK","BSO","0","""The Hutton Hotel has sent an alert to customers about a possible data breach. This is pretty unsettling news for the tens of thousands of people who have stayed at the hotel over this nearly four-year period. The hotel is calling this a ""payment card security incident."" It's basically a breach of payment processing system and they say it could have affected guests who stayed there between Sept. 19, 2012, and April 16, 2015. This also affects anyone who made food and beverage purchases at the hotel from Sept. 19, 2012, to Jan. 15, 2015, and Aug. 12, 2015, to June 10, 2016. The release doesn't say if fraudulent charges have shown up on anyone's credit cards, but with nearly 250 rooms on the property, there are tens of thousands of credit cards that may have had information stolen. The hotel is asking past guests to keep an eye on their statements and report any fraudulent charges to their bank."" More Information: http://www.wsmv.com/story/33014980/hutton-hotel-warning-customers-about-... http://www.huttonhotel.com/notice/","Media","","2016","36.162664","-86.781602" "September 6, 2016","Brazzers.com","","Quebec","HACK","BSO","800,000","""The user data appears to have been taken from the Brazzers forum, however many users used the same login details for the forum as they did for the main site, leaving many people exposed. The data leak is said to have included email addresses, usernames, and unencrypted passwords, which most websites typically encrypt or hash in case of leak scenarios. This means that users on the porn site who have used the same email address and password on other sites may be vulnerable to attacks elsewhere. “Problem with a hack like that is it’s a *forum*. 
Worse than just adult website creds, this is what people were talking / fantasising about,” said security researcher Troy Hunt on Twitter, highlighting the fact that users’ specific sexual fetishes and fantasies could now be leaked into the open. The leak, which actually happened in 2013 but has only just been discovered, was reportedly due to the forum’s vBulletin software. Brazzers confirmed vBulletin to be the cause of the vulnerability and is currently taking “corrective measures” to protect its users and their information from cyber criminals."" ","Media","http://www.breitbart.com/tech/2016/09/06/nearly-800000-users-exposed-brazzers-data-breach/","2016","46.341655","-72.539524" "September 2, 2016","Noble House Hotels and Resorts (Noble House)","Kirkland","Washington","HACK","BSO","0","""Noble House Hotels & Resorts (Noble House) values the relationship it has with its guests and understands the importance of protecting your personal information. Regrettably, we are writing to inform you about an incident that may involve some of your information. What Happened? We began an investigation after we were notified by the Secret Service about possible fraudulent activity on the payment card system at one of our properties. We engaged a computer security firm to examine the payment systems at all of the properties we manage for any signs of an issue. 
Through our investigation, we learned that malware may have been installed on payment processing systems that potentially affected cards swiped at the following hotels, restaurants, and bars during the periods identified: Kona Kai Resort & Spa, San Diego, CA, including the Vessel restaurant and the Tiki Bar, from April 25, 2016 - August 3, 2016; Little Palm Island Resort & Spa, Florida Keys, FL, including the Little Palm Island Dining Room, from April 25, 2016 - June 8, 2016; The Portofino Hotel & Marina, Redondo Beach, CA, including the Baleen Kitchen & Lounge restaurant and the Living Room Bar, from April 26, 2016 - June 8, 2016; The Edgewater, Seattle, WA, including the Six Seven restaurant, from April 26, 2016 - August 3, 2016; River Terrace Inn, Napa, CA, including the Terrace Café & Wine Bar, from April 25, 2016 - June 8, 2016; LaPlaya Beach & Golf Resort, Naples, FL, including the Baleen restaurant and the Tiki Bar, from April 26, 2016 - August 3, 2016; Mountain Lodge at Telluride, Telluride, CO, including The View restaurant, from April 26, 2016 - August 5, 2016; Hotel Deca, Seattle, WA from April 25, 2016 - June 8, 2016; Blue Mermaid restaurant, San Francisco, CA from April 26, 2016 – August 3, 2016; Pescatore restaurant, San Francisco, CA from April 26, 2016 – August 3, 2016. What Information Was Involved? The information potentially compromised involved data found in the magnetic stripe on payment cards, which included your payment card number, payment card expiration date, CVV number, and may have included your name."" More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63728","California Attorney General","","2016","47.681488","-122.208735" "December 1, 2015","Maryland Health Benefit Exchange","Baltimore","Maryland","DISC","GOV","0","""We are writing to inform you of a recent incident involving a breach of your personally identifiable information. 
On November 27, 2015, a consumer reported that she had been given your user name and passcode by a Navigator who was trying to assist the consumer with her application. The consumer, who has the same name as yours, reported she had accessed your account and found the information was incorrect. Upon learning of the mistake, a customer service representative immediately changed your account passcode so that no further access could be gained. Your application contained personally identifiable information such as you and your dependent’s name, address, dates of birth, social security numbers, gender, ethnicity and race as well as your address, phone number, email address, annual income amount and citizenship status. We became aware of the incident on November 27, 2015. We take the protection of the privacy and security of your personally identifiable information very seriously. Upon discovery, an investigation was initiated into the cause of the incident and found that the Navigator failed to perform redundant checks, such as asking the consumer her name, date of birth, and address to ensure the Navigator was opening the correct account."" More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262365.pdf","Maryland Attorney General","","2015","39.291270","-76.614337" "December 22, 2015","Crescent Hotels & Resorts","Fairfax","Virginia","HACK","BSO","0","On November 12, 2015 at the Holiday Inn Fredrick, Fredrick Maryland, notified individuals of a data breach when names, credit card account numbers of guests of the hotel were exposed to theft. 
The hotel does not say specifically how the information was stolen. More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262351.pdf","Maryland Attorney General","","2015","38.861584","-77.303537" "December 18, 2015","Wabash College","Crawfordsville","Indiana","HACK","EDU","49","Wabash College notified individuals of a data breach when an employee found a virus on their work computer. The virus itself copied files from the employee's hard drive and ""accessible network shares to external servers outside of institutional control"". This particular virus also encrypted data on the university's server and held it ransom to obtain the encryption key. 49 individuals in total were affected, 15 individuals' Social Security numbers were compromised, 3 individuals had their credit card numbers compromised and 35 individuals had their bank account information including their routing numbers compromised. More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262315.pdf","Maryland Attorney General","","2015","40.041154","-86.874452" "December 31, 2015","Point Breeze Credit Union","Hunt Valley","Maryland","DISC","BSF","389","Point Breeze Credit Union notified customers of a data breach when an error in processing the December 2015 credit card statement inadvertently disclosed customer information. The information compromised included names, mailing addresses and membership numbers. More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262311%20(1).pdf","Maryland Attorney General","","2015","39.486580","-76.657094" "December 28, 2015","Flewelling & Mitton PC","Louisville","Colorado","PHYS","BSF","0","Flewelling & Mitton PC notified individuals of a data breach when their offices were broken into the morning of December 11, 2015. The individual broke the locks on several file cabinets that contained customer information. The information compromised included names and Social Security numbers. 
They stated that the only thing stolen was petty cash. More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262309.pdf","Maryland Attorney General","","2015","38.252665","-85.758456" "December 24, 2015","HDIS, Inc. ","Olivette","Missouri","HACK","BSO","0","""On behalf of our client, HDIS, Inc. (the ""Company""), a supplier of incontinence related products, we write to advise you of an incident involving the unauthorized introduction of malware onto the shopping cart program used on the Company's website, www.hdis.com. This malware resulted in the possible compromise of personal information of Company customers residing in Maryland. Based upon the Company's investigation, the malware was present from November 27, 2015 to November 30, 2015 and potentially exposed certain personal information of seven residents that was inputted by those customers during the online ""checkout"" process. The personal information that was potentially affected by the incident includes: customer name, address, credit or debit card number, payment card expiration date and the card's CVV security number. The Company does not collect customers' social security or driver's license numbers during the online checkout process and that data was in no way affected by the incident."" More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262307.pdf","Maryland Attorney General","","2015","38.680224","-90.374674" "December 24, 2015","SAS Safety Corporation","Long Beach","California","HACK","BSO","0","""On behalf of our client, SAS Safety Corporation (the ""Company""), we write to advise you of an incident involving the unauthorized introduction of malware onto the Company's website, www.sassafety.com. This malware resulted in the possible compromise of personal information of Company customers residing in Maryland. 
Based upon the Company's investigation, the malware was present from September 23, 2015 to December 8, 2013 and potentially exposed certain personal information of three residents that was inputted by those customers. The personal information that was potentially affected by the incident includes: customer name, address, credit or debit card number, payment card expiration date and the card's CVV security number. Additionally, the customer's logon identification and password for the website may have been affected. The Company does not collect customers' social security or driver's license numbers and that data was in no way affected by the incident.""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262306.pdf","Maryland Attorney General","","2015","33.812857","-118.169608" "December 23, 2015","Farm to Feet","Mount Airy","North Carolina","HACK","BSO","0","""On November 18, 2015, Farm to Feet discovered information collected during the checkout page of its farmtofeet.com e-commerce site may have been subject to unauthorized acquisition.  Upon discovery, Farm to Feet immediately began to investigate this issue.  Third-party computer forensic experts were retained to assist with the investigation and to determine the impact on the security of Farm to Feet's system.  During this investigation, Farm to Feet confirmed this incident compromised the security of certain information used to make a purchase on the farmtofeet.com website between August 3, 2015 and November 18, 2015.  
For customers who made purchases during this time period, Farm to Feet has determined this incident may have compromised the security of the customer's name, address, email address, credit card number, credit card expiration date and CVV2 data.""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262305.pdf","Maryland Attorney General","","2015","36.499301","-80.607286" "September 8, 2016","Fuzzy's Taco Shop","Abilene","Texas","HACK","BSO","2,000","Fuzzy Taco Shop notified customers of a data breach when hackers used a combination of social engineering and computer malware.Detectives working on the case stated that hackers spoofed an email from an employee who worked at the restaurant. The hackers posed as this employee who worked in the IT department, sent an email to the manager of the restaurant instructing the manager to download a program on a specific computer that was linked to the point of sale system the restaurant used. The program was malware.The information compromised included credit card information of customers who ate at the restaurant between July 1 and September 1, 2016.More Information:  http://www.ktxs.com/news/abilene-police-reveal-details-of-restaurant-cre...","Media","","2016","32.448736","-99.733144" "September 12, 2016","University Gastroenterology","Providence","Rhode Island","HACK","MED","0","""On July 11, 2016, we discovered that an unauthorized individual had gained access to an electronic file storage system from a practice we acquired in 2014, Consultants in Gastroenterology, and encrypted several files. We immediately took action to secure our system and conducted  an investigation to determine what information was contained in those files. 
We determined that some files may have contained your name, address, date of birth, Social Security number, and medical billing information.""More Information: http://ago.vermont.gov/assets/files/Consumer/Security_Breach/University%...http://universitygi.com/securityincident.pdf","Vermont Attorney General","","2016","41.823989","-71.412834" "September 9, 2016","Rebecca Minkoff","New York","New York","HACK","BSO","0","""On August 10, 2016, Rebecca Minkoff learned that there may have been unauthorized access to our website.  We hired an outside forensic expert to determine whether the incident resulted in the unauthorized access to any personal information.The information compromised included names, website usernames and password, payment card information.""More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63838","California Attorney General","","2016","40.741048","-73.991429" "September 11, 2016","Pratap S. Kurra, M.D.","Los Banos","California","PHYS","MED","0","""On August 9, 2016, I was informed that papers related to my practice were found in a trash container. I immediately began an investigation into the matter and determined that on August 8, 2016, the day before, billing tickets used by my practice were accidentally thrown away during my move.  Fortunately, all known records were retrieved within 24 hours, and upon further investigation, it was determined to have been a singular incident.""The information compromised included names, procedure type, surgeon, additional physician information, hospital, date and time of procedure, type of anesthesia and case difficulty. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63839","California Attorney General","","2016","37.064074","-120.859310" "September 11, 2016","Wheeler, Egger, CPA's LLP","Sonora","California","HACK","BSF","45","""On August 15, we discovered a data security incident involving our firm and some of our clients whose 2015 tax returns were on Extension.  
After thorough investigation, we have discovered that the perpetrator(s) hacked into our system, and between August 3rd and 9th 2016, fraudulently filed 45 client tax returns.  Although we are unaware of any false tax return having been filed under your name or company, we are notifying you of this incident because your tax information may have been exposed.""The information compromised included names, genders, dates of birth, telephone numbers, addresses, Social Security numbers, all employment (W-2) information, 1099 information, as well as direct deposit bank account information such as account numbers, routing information and any additional supporting documentation necessary for the filing of taxes. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63840","California Attorney General","","2016","37.972710","-120.367302" "August 3, 2016","Yuba Sutter Medical Center","Yuba City","California","HACK","MED","0","""What HappenedOn or about August 3, 2016, the Yuba-Sutter Medical Clinic's computer system came under a ""ransomware attack"" by hackers.  Ransomware attacks are designed to deny access to certain portions of a computer systems until a ransom is paid.In such an attack, the risk is not usually to patient privacy.  Instead it poses an operational risk to health systems in that it can result in patients being turned away due to an inability to provide care as a result of not having immediate access to records.   Fortunately, we were able to regain access and no data was lost.  
Nevertheless, as a result of the attack, we were temporarily denied access to certain portions of our computer system, and we regret any delays or rescheduling of appointments that may have resulted from this incident.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-63841","2016","39.140448","-121.616911" "September 11, 2016","Yuba Sutter Medical Center","Sonora","California","HACK","MED","0","""On or about August 3, 2016, the Yuba-Sutter Medical Clinic's computer system came under a ""ransomware attack"" by hackers.  Ransomware attacks are designed to deny access to certain portions of a computer systems until a ransom is paid.In such an attack, the risk is not usually to patient privacy.  Instead it poses an operational risk to health systems in that it can result in patients being turned away due to an inability to provide care as a result of not having immediate access to records.  Fortunately, we were able to regain access and no data was lost.  Nevertheless, as a result of the attack, we were temporarily denied access to certain portions of our computer system, and we regret any delays or rescheduling of appointments that may have resulted from this incident.""The information involved included clinic information, patient names, addresses, phone numbers, billing and insurance information. More Information: http://oag.ca.gov/ecrime/databreach/reports/sb24-63841","California Attorney General","","2016","37.982950","-120.382172" "December 18, 2015","Catholic Charities of the Archdiocese of Galveston-Houston","Houston","Texas","PORT","BSO","0","""On July 6, Catholic Charities discovered that one of its offices, located at 6671 Southwest Freeway, Houston Texas, had been burglarized and twenty-two (22) laptop computers had been stolen from within the office.  Catholic Charities immediately reported this incident to the Houston Police Department, and continues to work with the department in the active investigation of this matter.  
Catholic Charities also worked with its property manager to immediately increase physical security safeguards for the office location. One of the (22) laptops stolen was used by Catholic Charities to process fingerprint screening information for individuals applying to sponsor an unaccompanied child, on behalf of the Administration for Children and Families (""ACF"") Office of Refugee Resettlement (""ORR"").  Stored on this laptop computer were documents containing personal information relating to individuals.  ACF/OCR decided to provide notice of the theft of that device to (71) individuals whose personally identifiable information was found to be locally stored on the device at the time it was stolen, and such notice was provided on October 2, 2015. ""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262207.pdf","Maryland Attorney General","","2016","29.714590","-95.498955" "December 18, 2015","Minnesota Life Insurance Company","St. Paul","Minnesota","DISC","BSF","0","""On December 8th, a system error caused an e-mail to be inadvertently sent to an incorrect party.  The e-mail was an automatically generated notice regarding changes made to 401(k) contribution rates and included an attachment which listed employee names, Social Security numbers, and details of the changes made.""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262206.pdf","Maryland Attorney General","","2015","44.948950","-93.091347" "December 16, 2015","Wilderness at the Smokies","Sevierville","Tennessee","HACK","BSO","0","""On November 3, 2015, Wilderness at the Smokies discovered that sophisticated malware may have been placed on certain computer systems used at the Wilderness at the Smokies to process credit and debit cards.  Following this discovery, Wilderness at the Smokies launched an in-depth investigation to determine what happened and what information was affected.  
After extensive investigation, forensic investigators determined that credit and debit cards used at the Wilderness at the Smokies onsite food beverage outlets, attractions and retail locations between February 18, 2015 and March 10, 2015 were being collected by the malware.  The cardholder data that may be at risk as a result of this incident includes name, card number, expiration date, and CVV. The systems used to process credit and debit cards to reserve and pay for hotel stays were not affected.""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262197.pdf","Maryland Attorney General","","2015","35.894666","-83.585021" "December 15, 2015","Vesta Property Services","Jacksonville ","Florida","PHYS","BSO","3","""On October 31, 2015, Vesta discovered that one of its servers was stolen while Vesta was relocating its office in Jacksonville, Florida.  The server contained the name, date of birth, address, Social Security number, and certain deposit information for employees and independent contractors of a company Vesta acquired, Amenity Companies.""More Information: https://www.oag.state.md.us/idtheft/Breach%20Notices/2015/itu-262196.pdf","Maryland Attorney General","","2015","30.332184","-81.655651" "September 14, 2016","ClixSense","Hamstead","North Carolina","HACK","BSO","6,600,000","""ClixSense has become the victim of a cyberattack which has led to the data of millions of users being put up for sale.This week, ClixSense, a website which offers users cash in return for completing surveys and watching ads, admitted to a data breach in which an attacker was able to gain access to the firm's database.The unknown attacker was able to use an old server which the company was no longer using -- but was, at the time, still networked -- to gain access to the main database.After gaining entry, the cybercriminal was able to copy ""most, if not all"" of the ClixSense users table, changed account names to ""hacked account"" and deleted a number of 
forum posts -- as well as set user account balances to a zero balance.According to Ars Technica, Have I Been Pwned operator Troy Hunt verified the leak, in which account passwords in plaintext, user dates of birth, IP addresses, email addresses, account balances, and payment histories are all included in the file dump.In total, 2.2 million records have been published, leaving the data of an additional 4.4 million up for grabs to the highest bidder.""More Information: http://www.zdnet.com/article/clixsense-data-breach-exposes-personal-info...","Media","","2016","40.096947","-82.917211" "September 1, 2016","New York State Psychiatric Institute","New York","New York","HACK","GOV","21,880","""The New York State Office of Mental Health (OMH) recently announced that one of its facilities experienced a cybersecurity breach, which potentially exposed the records of research participants. Between April 28 and May 4 of this year, certain parts of New York State Psychiatric Institute’s system was accessed by unauthorized individuals, according to an online statement.The information may have included names, addresses, dates of birth, telephone numbers, and email addresses. 
Social Security numbers, driver’s license or state identification numbers, school, county, and coded health-related information from interviews or questionnaires may have been included in some cases.""","Media","https://healthitsecurity.com/news/ny-psychiatric-institute-cybersecurity-breach-affects-21k","2017","40.712784","-74.005941" "September 13, 2016","New York State Psychiatric Institute","New York","New York","HACK","MED","22,000","""For one week in late April and early May, a hacker (or hackers) got into servers that held information provided by 22,000 people for 11 mental health studies being done at the New York State Psychiatric Institute.These were not patients being treated at the institute, but subjects of its research.They included, among others, school children directly exposed to the events of Sept. 11; Puerto Rican youth; severely emotional disturbed young people in Westchester County and their caretakers; people in the Bronx suffering from post-traumatic stress who have family in the criminal justice system; students at three schools in Queens and four others in Washington Heights, Manhattan, whose mental health needs were being assessed.It was a hack with different fingers, infiltrating two servers operated by the State of New York and plucking out information of varying calibers. 
For about 9,000 people, it captured the kind of data that is sold to identity thieves, like names, addresses and so forth.""More Information: http://www.nytimes.com/2016/09/14/nyregion/a-computer-breach-that-could-...","Media","","2016","40.712784","-74.005941" "September 13, 2016","The World Anti-Doping Agency (WADA)","Montreal","Quebec","HACK","BSO","4","""The World Anti-Doping Agency (WADA) confirmed in a statement posted on Tuesday that its database, which included medical files of athletes competing in the Olympics, was hacked by the Russian group that cybersecurity companies have named “Fancy Bear.”“WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” Olivier Niggli, WADA’s executive director, said in the statement. “WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system.”More Information: https://www.buzzfeed.com/sheerafrenkel/simone-biles-serena-williams-amon... ","Media","https://www.buzzfeed.com/sheerafrenkel/simone-biles-serena-williams-among-olympic-athletes-to-have?utm_term=.qdrYRmgJvy&mkt_tok=eyJpIjoiWTJFME9HTmlZV0V6WXpaaSIsInQiOiJ6ZDg4OVZZQm9Dczd1YllISUlmc3JsZkZhZGlNUWFHRFhDWXk2aWVcL3lvbFhYTXE4OHFjNnRMN2lLeFJQMnJYWU5jeFBMaThcL0NpZjBNdnoyM2xra1gzMXNsT3NybjlCbnhDXC92cmQybW1MND0ifQ%3D%3D#.ftj4yXV5Pe","2016","45.501689","-73.567256" "September 9, 2016","U.S HealthWorks","Sacramento","California","PORT","MED","1,400","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","38.581572","-121.494400" "September 2, 2016","Medical College of Wisconsin","Milwaukee","Wisconsin","HACK","MED","3,179","As reported by Health and Human Services unauthorized hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","43.043851","-88.022186" "September 19, 2016","Cicis Restaurants","Coppel","Texas","HACK","BSO","0","""More than 130 Cicis Pizza locations, including Waco’s at 1609 N. Valley Mills Drive, Bellmead’s at 910 North Loop 340, Suite 4, and Killeen’s at South Fort Hood Street, have suffered a security breach that could compromise information on payment cards used at the stores, the company announced Monday.Cards used between March 1 and July 5 at the three locations in the area were vulnerable.Malware was found on the restaurants’ point-of-sale computer software, according to a statement from the company..""More Information: http://www.wacotrib.com/news/business/credit-card-security-breached-at-l...","Media","","2016","32.955707","-97.025269" "September 9, 2016","Asante","Ashland","Oregon","DISC","MED","2,400","As reported by Health and Human Services unauthorized access/disclosure/electronic medical record. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","37.757679","-77.478967" "September 9, 2016","Martin Army Community Hospital","Fort Benning","Georgia","PHYS","MED","1,000","As reported by Health and Human Services unauthorized theft/paper films. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","32.374819","-84.933569" "September 22, 2016","Yahoo","Sunnyvale","California","HACK","BSO","500,000,000","""Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation. The company was the victim of hacking that has exposed several hundred million user accounts. While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one was selling them online.""More Information: http://www.recode.net/2016/9/22/13012836/yahoo-is-expected-to-confirm-ma...Yahoo statement: https://help.yahoo.com/kb/account/SLN27925.html?impressions=trueUpdate (12/14/2016): ""Yahoo Inc (YHOO.O) warned on Wednesday that it had uncovered yet another massive cyber attack, saying data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.The number of affected accounts was double the number implicated in 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government.""More information: http://www.reuters.com/article/us-yahoo-cyber-idUSKBN1432WZYahoo statement: https://help.yahoo.com/kb/account/SLN27925.html?impressions=true","Media","","2016","37.368830","-122.036350" "September 26, 2016","Yale-New Haven Hospital","New Haven","Connecticut","INSD","MED","20","""Federal investigators say two women orchestrated an identity theft ring that targeted at least 20 people. 
But it's how suspects Jamila Williams-Stevenson and Loretta Coburn are said to have gotten some of their victim's personal information that is most shocking.Authorities said several of the alleged victims had been patients at Yale-New Haven Hospital where Williams-Stevenson was working as a companion or sitter.""""According to a court affidavit, once the two changed their alleged victims addresses, they took control of their mail, then took control of their finances.""More Information: http://www.nbcconnecticut.com/troubleshooters/Hospital-Patients-Caught-i...","Media","","2016","41.304544","-72.935795" "September 16, 2016","Lulu's Fashion Lounge, Inc. ","Chico","California","HACK","BSO","0","""On August 23, 2016, we discovered that our payment card processing system may have been accessed without our authorization. We immediately launched a full investigation, including working with a third-party digital forensic investigator.  We determined that the unauthorized access occurred intermittently between August 11 and August 16, 2016, and only affected customers entering a payment card new to our system.""The information compromised included names, addresses, payment card number which includes the security code and expiration date. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63911","California Attorney General","","2016","39.725493","-121.833284" "September 19, 2016","Active Outdoors","Dallas","Texas","HACK","BSO","0","""After we have made and continue to make significant investments in technology and security, on August 22, we became aware that we were the victim of an unauthorized and unlawful access to our online hunting and fishing licensing applications in Idaho, Oregon and Washington.""The information compromised included names, addresses, dates of birth, driver's license number, Social Security number. 
More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63929","California Attorney General","","2016","32.785480","-96.798300" "September 19, 2016","Ascensus, Inc. ","Dresher","Pennsylvania","DISC","BSF","0","""On August 23, 2016, we discovered a website configuration error that allowed the plan administrator of another Ascensus retirement plan access to your personal information.  Upon discovering this, Ascensus immediately terminated the configuration that allowed this inadvertent access. The configuration error allowed the plan administrator to view a file which contains your name, address, birth date, and Social Security number.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63931","California Attorney General","","2016","40.156292","-75.147791" "September 19, 2016","Ursus Holdings, LLC","Arlington","Texas","HACK","BSO","0","""We first detected suspicious email account activity on April 25, 2016, when an employee's email account began sending ""blast"" or ""spam"" emails.  That employee previously had received a phishing email requesting account credentials to access what appeared to be a secure PDF attachment.  Upon the employee providing the credentials, others within the employee's contact list began receiving similar emails.  Three other employees are believed to have received the same email attachment and provided their credentials.""The information compromised included Social Security numbers, bank account numbers, driver's license numbers, and credit card numbers were included in the four employees' Google Mail and Google Docs accounts. 
More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63932","California Attorney General","","2016","38.879970","-77.106770" "October 12, 2016","Keck Medical Center of USC","Los Angeles","California","HACK","MED","0","""On August 1st 2016, USC Keck and Norris Hospitals detected ransomware on two servers after being notified earlier that day that certain hospital employees could not access their files.  This type of malware attack encrypted files on both servers, which made the files inaccessible to our employees.  However, the attack was quickly contained and isolated to prevent the spreading of malware to other servers.""The information stored on the servers held by the ransomware included departmental files including ""templates, training manuals, human resource materials and other information needed for hospital operations.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63962","California Attorney General","","2016","34.061963","-118.201420" "September 22, 2016","Napa Valley Dentistry","Napa Valley","California","PHYS","MED","0","""Someone broke into our locked storage unit, which was within a gated storage facility, and stole a password-protected server. Upon discovery of the theft, we promptly notified the Napa Police Department and will provide whatever cooperation is necessary to identify the perpetrator(s) and hold them accountable. On September 8, 2016, we confirmed that your personal information may have been on the server. In December 2012, Dr. Justin Newberry, DDS, purchased Napa Valley Dentistry, including this server, from Dr. C. Michael Quinn, DDS. The server may therefore contain personal information of Dr. Quinn's former patients who may not currently have a relationship with Napa Valley Dentistry. 
While there is no indication that your personal information was, in fact, accessed without authorization, we are notifying you out of an abundance of caution and offering you identity protection services.""The information compromised included names, addresses, dates of birth, Social Security numbers and dental insurance information. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64007","California Attorney General","","2016","38.427432","-122.394330" "September 21, 2016","Stallcup & Associates, CPAs","San Francisco","California","HACK","BSF","0","""On July 11th, our firm was subject to a ransomware virus wherein some of our network computer files were encrypted without our permission.  Fortunately, the virus was detected within an hour and immediately stopped.  Although there is no evidence that any files were viewed nor ex-filtrated out of our network, nor that such activities were intended, we are notifying you of this incident because your tax information was located in the same drive as some of the files infected by the virus.""The information compromised included names, gender, dates of birth, telephone numbers, addresses, Social Security numbers, all employment (W-2) information, 1099 information, direct deposit information, bank account and routing information.More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63986","California Attorney General","","2016","37.755626","-122.418512" "September 21, 2016","Zazzle Inc.","Redwood City","California","HACK","BSO","0","""Our Security Team detected some unauthorized login attempts to Zazzle accounts, including on using your Zazzle username (email address) and password.  
Given the nature of the incident, Zazzle believes that the usernames and passwords used in the incident, including yours, were obtained from a data breach of some other website.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-63988 ","California Attorney General","","2016","37.510861","-122.201337" "October 12, 2016","Vera Bradley","Fort Wayne","Indiana","HACK","BSO","0","""Payment cards used at Vera Bradley store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used in stores during this time frame were affected. Cards used on verabradley.com were not affected.  Information on steps customers may take to protect their information can be found at www.verabradley.com/protectingourcustomers.""The information compromised included all information on the magnetic stripe of the card. The information on the stripe includes the card number, name on the card, expiration date and verification code. More Information: http://investors.verabradley.com/releasedetail.cfm?ReleaseID=993213","Security Breach Letter","","2016","41.122209","-85.171407" "September 22, 2016","Premier America Credit Union","Woodland Hills","California","INSD","BSF","0","""We recently learned that a departing employee of Premier America emailed to his non-Premier America account lists that reflected some of your personal information, in violation of our company policies, during late June 2016.  At this point, we assume that the purpose of the acquisition was solely for solicitation purposes (which we consider to be inappropriate) and do not believe that you are at risk for identity theft.""The information compromised included names, addresses Social Security number, employer identification number, account numbers, credit/debit card numbers, driver's license numbers, California identification card numbers, access codes, passwords, security codes and PIN's. 
More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64011","California Attorney General","","2016","34.180027","-118.596946" "September 23, 2016","Dr. Hal Meadows","Susanville","California","HACK","MED","0","""On July 27, 2016, Dr. Meadows found that his patient file had been unlawfully accessed. The patient file contained information used for billing, which included: Names and addresses, birth dates, telephone numbers, insurance numbers, treatment codes, billing information.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64012","California Attorney General","","2016","40.409710","-120.665419" "September 23, 2016","Jive Software/Producteev","Palo Alto","California","HACK","BSO","0","""We want to inform you of an issue involving your Producteev username (i.e. your email address) and password.  We learned on August 24 that your Producteev username and password had been held in a file outside our normal encryption procedures, and we believe that this file was potentially accessed by an unauthorized third party.  We cannot confirm that your username or password was compromised, but we are notifying you so that you may take protective action.""The information compromised included usernames and passwords. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64018","California Attorney General","","2016","37.441883","-122.143020" "September 26, 2016","Novation Settlement Solutions","West Palm Beach","Florida","HACK","BSO","0","""In late August, Novation learned that some of its confidential information may be in the possession of an unidentified third-party.  Novation promptly initiated a fact-gathering process and, subsequently, on September 8, 2016, determined that an unidentified third-party was likely in possession of a set of Novation files including applications and contracts.  
Novation has no evidence that any of your information has been misused.""The information compromised included names, dates of birth, addresses, telephone numbers, Social Security numbers, and financial account numbers. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64028","California Attorney General","","2016","26.697285","-80.075277" "September 29, 2016","City of Vallejo","Vallejo","California","UNKN","GOV","0","The City of Vallejo submitted a notification of a data breach to the California General Attorney's office. No specific information was provided on the AG's post. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64148","California Attorney General","","2016","38.104086","-122.256637" "October 5, 2016","Public Health Institute","Oakland","California","DISC","NGO","0","""The California Environmental Health Tracking Program (CEHTP) of the Public Health Institute (PHI) became aware on August 4, 2016 that an electronic database containing email addresses and corresponding passwords for individual user accounts at one or more of the sites listed below was accessible on the internet without encryption or other security features for approximately 30 days.""The information compromised included email addresses and passwords.More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64216 ","California Attorney General","","2016","37.803685","-122.275340" "October 5, 2016","Qvale Auto Group, Inc. ","San Francisco","California","DISC","BSO","0","""As some of you may know, we have recently learned that certain employees may have viewed, or had the ability to view, certain information of other employees.The incident occurred when, during the course of an upgrade by a third party IT vendor, employee access limitations were removed to certain information of employees for a limited time period in June 2016.  This allowed certain employees to potentially access that information. 
As soon as this error was discovered, it was corrected."" The information compromised included names, bank accounts, Social Security numbers. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64308","California Attorney General","","2016","37.784005","-122.421708" "October 7, 2016","Warren Clinic","Tulsa","Oklahoma","HACK","MED","2,938"," As reported by Health and Human Services unauthorized hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","36.153982","-95.992775" "October 7, 2016","Northwest Community Healthcare","Arlington","Illinois","DISC","MED","540"," As reported by Health and Human Services unauthorized access/disclosures. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","42.067357","-87.993577" "October 5, 2016","Baxter Regional Medical Center- Home Health Facility","Mountain Home","Arkansas","DISC","MED","2,124","As reported by Health and Human Services unauthorized access/disclosures. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","36.342950","-92.394419" "October 4, 2016","Apria Healthcare","San Diego","California","DISC","MED","1,987","As reported by Health and Human Services unauthorized access/disclosures. No specific information as to what information was compromised as provided by health and human services.
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","California Attorney General","","2016","32.900770","-117.108678" "October 4, 2016","Juame Francisco D.O. ","Prescott","Arizona","HACK","MED","14,236"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","34.561147","-112.488832" "September 30, 2016","University of Wisconsin Hospitals and Clinics","Madison","Wisconsin","DISC","MED","6,923"," As reported by Health and Human Services unauthorized access/disclosures. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","43.076393","-89.432172" "October 14, 2016","Integrity Transitional Hospital","Denton ","Texas","HACK","MED","0","""Integrity receives laboratory specimens from companies that work with various healthcare providers, and then submits these specimens to laboratories for testing.  In the course of providing this service and for billing purposes, Integrity maintains certain patient information on specimens submitted by the healthcare providers.  On August 15, 2016, Integrity learned that suspicious activity on its network may have affected the systems related to its laboratory services.  Integrity immediately began investigation, with the assistance of an expert forensics company, to determine the scope of the incident.
Our investigation has determined that an unauthorized individual potentially could have accessed your lab results, lab testing information, health insurance information, and scanned driver's license if you provided one."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64398","California Attorney General","","2016","33.174024","-97.086342" "August 5, 2016","Marin Medical Practice Concepts","Novato","California","HACK","MED","0","""Marin Medical Practice Concepts, a Novato company that provides medical billing and electronic medical records services to many Marin physicians, had its computer system hacked and paid a ransom to regain access to its own data. There is ""no evidence"" that any patient data were compromised, according to a company official. As a result of the security breach, many Marin doctors have been unable to access patients' electronic medical records for more than a week."" More Information: http://www.mercurynews.com/2016/08/05/marin-electronic-medical-record-sy...","Media","","2016","38.125145","-122.569390" "October 14, 2016","CalOptima","Orange","California","PORT","MED","0","""On or about August 17, 2016, a departing CalOptima employee downloaded data, which included protected health information, to an unencrypted USB flash drive. Shortly after, the departing employee returned the USB flash drive to CalOptima.  While we are still investigating the contents of the flash drive, we do not believe the information was shared."" The information included names, demographic information, Social Security number and additional plan related data. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64419","California Attorney General","","2016","33.782593","-117.895590" "October 14, 2016","Evony Gaming Company","Wilmington","Delaware","HACK","BSO","0","""In June 2016, the official website of Evony gaming suffered a massive data breach in which 33,407,472 of its registered user accounts were stolen.
Things couldn't go worse when in August 2016, the gaming site suffered another data breach on its forum in which 938,000 of its registered accounts were stolen. ""The information compromised included usernames, email addresses, passwords and IP addresses.More Information: https://www.hackread.com/evony-gaming-company-website-hacked/","Media","","2016","39.754538","-75.627306" "October 14, 2016","Peabody Retirement Community","Manchester","Indiana","HACK","MED","1,466"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","41.005554","-85.773784" "October 3, 2016","Rainbow Children's Clinic","Arlington","Texas","HACK","MED","33,698"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","32.764746","-97.074918" "October 17, 2016","Broadview Mortgage","La Mesa","California","HACK","BSF","0","""On July 28, 2016, we were advised by our third-party information technology provider that it had identified two unauthorized administrative accounts on a server in one of our branch offices.  
We immediately began an investigation and promptly disabled the unauthorized accounts.Findings from our investigation show that the server may have contained information related to your mortgage application, including your name, address, driver's license number, date of birth, Social Security number, and financial account numbers.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64437  ","California Attorney General","","2016","32.771858","-117.031912" "October 14, 2016","Gibson Insurance Agency, Inc. ","South Bend","Indiana","PORT","MED","7,242"," As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","41.675711","-86.251455" "October 19, 2016","Eastwood Company","Pottstown","Pennsylvania","HACK","BSO","0","""On July 22, 2016, Eastwood learned that malicious software code may have been inserted into its e-commerce website.  We immediately removed the malicious software, began an investigation and hired a third-party cyber-security firm to assist us.  
Findings from the investigation show that if a customer placed an order on our website from May 29, 2016 to July 22, 2016, information associated with the order being placed may have been obtained by an unauthorized third-party."" The information compromised included names, addresses, phone numbers, email addresses, payment card numbers, expiration date and security code. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64455","California Attorney General","","2016","40.255599","-75.669365" "October 20, 2016","Weebly","San Francisco","California","HACK","BSO","43,430,300","""Weebly, a San Francisco-based company that has allowed more than 40 million people create websites with since 2007; will start sending notification letters to all of their customers on Thursday, informing them of a data breach that occurred eight months ago. The breach, affecting 43,430,316 customers, happened February 2016, but the root cause remains unknown. The compromised database is just now coming to the public's attention after an anonymous source sent it to LeakedSource."" The information compromised included email addresses, usernames, IP addresses and passwords. More Information: http://www.csoonline.com/article/3133031/security/weebly-data-breach-aff...","Media","","2016","37.774930","-122.419416" "October 21, 2016","FourSquare","San Francisco","California","HACK","BSO","22,535,000","""The data breach notification LeakedSource has revealed that the web design platform Weebly and FourSquare, a local search-and-discovery service mobile app suffered a data breach.  As a result, 43,430,316 Weebly and 22,534,984 FourSquare users accounts were stolen."" ""The New York-based company FourSquare suffered a security breach in December 2013 in which 22,534,984 user accounts were stolen however FourSquare has denied that it was hacked and claims that email addresses were simply cross-referenced with publicly available data from FourSquare.
The data includes usernames, emails and Twitter and Facebook IDs"" More Information: https://www.hackread.com/weebly-foursquare-hacked-accounts-stolen/ ","Media","","2016","37.774930","-122.419416" "October 21, 2016","Dyn","Manchester","New Hampshire","HACK","BSO","0","""Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers. In a statement, Dyn said that this morning, October 21, Dyn received a global distributed denial of service (DDoS) attack on its DNS infrastructure on the east coast starting at around 7:10 a.m. ET (11:10 UTC). “DNS traffic resolved from east coast name server locations are experiencing a service interruption during this time. Updates will be posted as information becomes available,” the company wrote. DYN encouraged customers with concerns to check the company’s status page for updates and to reach out to its technical support team."" More Information: https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-... Company statement: http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/","Krebs On Security","","2016","42.996002","-71.467137" "October 21, 2016","Great America PAC","Alexandria","Virginia","DISC","BSO","336","""Great America PAC on Thursday night erroneously published the credit card numbers and expiration dates belonging to 49 donors, a Center for Public Integrity review of its latest Federal Election Commission campaign finance disclosure discovered. The screw-up comes one month after the super PAC, which aims to “help grow the burgeoning movement behind Donald Trump and merge the grassroots with the business community,” mistakenly revealed the personal cell phone numbers and/or email addresses of 336 of its donors. Great America PAC treasurer Dan Backer, upon being informed by the Center for Public Integrity of his organization’s mistake, said the likely
culprit is “an isolated software glitch in an otherwise automated process” involving data transfers between the PAC and a contractor that helps manage the group’s finances.""More Information: https://www.publicintegrity.org/2016/10/21/20370/whoops-pro-donald-trump...","Media","","2016","38.804836","-77.046921" "October 21, 2016","Florida Hospital Medical Group","Orlando","Florida","PHYS","MED","6,000","""A hospital representative said some boxes were misplaced while moving boxes of patient files from one storage unit to another.In a release, the hospital said, “While transferring boxes from our storage vendor, Access, to another one of our storage vendors, Iron Mountain, we discovered on or about Aug. 17, 2016, boxes containing patient information were inadvertently misplaced.” Hospital officials said they believe the boxes are “most likely located in either Access or Iron Mountain’s secure facility.”More Information: http://www.wftv.com/news/local/boxes-of-patient-information-missing-from...","Media","","2016","28.538336","-81.379237" "October 8, 2016","Seattle Indian Health Board","Seattle","Washington","HACK","MED","0","""The Seattle Indian Health Board experienced a security attack to an employee email account on August 10, 2016. Access to the account lasted approximately 4 hours before the Seattle Indian Health Board IT department shut down the email system. The information accessed may or may not have included patients’ names, date of birth, patient ID numbers, social security numbers or other protected health information. 
The security of patient data is extremely important to us and we are taking this attack seriously as well as informing our patients directly and notifying the public about this incident.""More Information: http://www.sihb.org/current/?id=135","Media","","2016","47.606210","-122.332071" "October 21, 2016","Baystate Health","Springfield","Massachusetts","HACK","MED","13,000","""About 13,000 patients of Baystate Health may have had some of their personal information compromised, due to a “phishing” e-mail that was received by some staff members.According to a Baystate Health news release sent to 22News, the information may have included names and dates of birth, in addition to medical information, such as diagnoses and the type of treatment the patient received, and even perhaps health insurance identification numbers. Social Security numbers and billing information were definitely not compromised, Baystate says.Baystate Health learned about the phishing e-mail on August 22. The e-mail, which was sent to several employees- five of whom replied to it- was designed to look like a legitimate internal memo. By responding to the e-mail, those five employees potentially had their accounts accessed by hackers.""More Information: http://wwlp.com/2016/10/21/baystate-health-patient-information-possibly-...","Media","","2016","37.208957","-93.292299" "October 21, 2016","City of Middletown","Middleton","New York","HACK","GOV","0","""The city said Friday that computer hackers gained access to personal information of people who had contact with the Middletown Police Department. 
While an investigation has found no evidence of fraudulent misuse of personal information, the city is notifying those potentially affected by the breach and offering them free credit-monitoring and identity-restoration service. The FBI notified the city on June 15 that it discovered that part of the city's computer network might have been compromised. An investigation by the city, the FBI, state police, the state Office of Information Technology Services and forensics experts found one or more unauthorized people gained access to the database and were able to export at least a portion of the information. The potentially accessible data includes names, Social Security numbers, driver's license numbers, dates of birth, fingerprints and addresses.  The investigation found no evidence the information was publicly displayed or distributed, and the city is unaware of any fraudulent misuse of personal data."" More Information: http://www.recordonline.com/news/20161021/hackers-breach-city-of-middlet...  ","Media","","2016","43.097217","-89.504288" "October 20, 2016","Premium Beat","Montreal","Quebec","HACK","BSO","0","""To ensure you continue having the highest level of customer security on PremiumBeat, we're regularly monitoring our site and the Internet for any security matters that would compromise your account information.  Unfortunately, on the afternoon of September 29th, we discovered a security bug in third party software that resulted in unauthorized access to PremiumBeat user information.  We immediately investigated and learned that this unauthorized party may have obtained the names, addresses, phone numbers, email addresses, and encrypted passwords for PremiumBeat users.
We sincerely regret any concerns this incident may cause you.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64473","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-64473","2016","45.501689","-73.567256" "October 21, 2016","Baystate Health, Inc. ","Springfield","Massachusetts","HACK","MED","13,112"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","37.208957","-93.292299" "October 12, 2016","Bedford County Board of Education","Shelbyville","Tennessee","DISC","MED","862"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","39.521437","-85.776924" "October 7, 2016","Genesis Physical Therapy, Inc.","Simi Valley","California","DISC","MED","2,245"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","34.280471","-118.741188" "September 30, 2016","Urgent Care Clinic of Oxford","Oxford","Mississippi","HACK","MED","64,000"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","34.366495","-89.519248" "September 29, 2016","Fred's Stores of Tennessee","Memphis","Tennessee","PORT","MED","9,624"," As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","35.037380","-89.936314" "October 28, 2016","Office of the Comptroller of the Currency","Washington","District Of Columbia","INSD","GOV","10,000","""A U.S. bank regulator on Friday disclosed a data breach involving a former agency employee’s unauthorized removal of more than 10,000 records. The cybersecurity breach at the Office of the Comptroller of the Currency was detected in September while the agency was undertaking a retrospective two-year review of employees downloading information in an effort to help minimize cyberthreats. The breach, flagged to Congress and three other government agencies including the Department of Homeland Security, occurred in November 2015 when a former employee downloaded a large number of files onto two thumb drives before retiring from the agency. The OCC said data on the thumb drives were encrypted and there is no evidence that data taken by the employee were “disclosed” or “misused.”An OCC spokesman said the files included information “related to OCC activities and employees.” He said there is “no indication that there was bank customer information among the files removed.”The agency said that once it discovered the data breach, it immediately referred the case to the Treasury Department’s Inspector General’s office. The OCC review concluded it was a “major incident,” involving more than 10,000 records and potentially exposing personal information. The former employee was identified only as a retiree who downloaded the information shortly before leaving the agency. 
Government agencies are required to report all “major incidents” to Congress; this is the first time the OCC has done so. The OCC said the data breach hasn’t “adversely affected” the agency’s internal operations.""More Information: http://www.wsj.com/articles/u-s-bank-regulator-notifies-congress-of-majo... ","Media","","2016","38.907192","-77.036871" "October 24, 2016","Silver Creek Fitness & Physical Therapy","San Jose","California","DISC","MED","0","""On September 11, 2016, we were notified by our billing and software companies that their Amazon “S3” storage account was vulnerable because it  was accessible to persons outside their organization, and that a security  researcher who works for a software company accessed and downloaded  information from the account.    This storage account contained, among other things, protected health  information of certain Silver Creek Fitness & Physical Therapy, Silver Creek  Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, and Silver  Creek Physical Therapy Los Gatos patients. The billing and software companies immediately took steps to secure the storage account and  launched an investigation to determine whether any sensitive information was accessed or  acquired. They determined that  the  storage account was vulnerable from  May, 2016 to September 11, 2016. However, we have no indication that any fraud has resulted from this incident.    While we have no indication that any fraud has resulted from this incident, we have confirmed that the data affected by this incident possibly included your name, Medicare number, prescription, date of birth, treatment location, treatment date, Social Security number, drivers license number, and progress notes. 
This information may have been downloaded by the security researcher on or around September 10, 2016 and may have been accessible to individuals who were able to access the “S3” account."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64521","California Attorney General","","2016","37.338208","-121.886329" "October 25, 2016","Cisco","San Jose","California","DISC","BSO","0","""Cisco’s investigation found this to be the result of an incorrect security setting following system maintenance. The issue was immediately fixed and passwords to the site have been disabled. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you to this incident. As a precaution, users of Cisco’s Professional Careers Website will need to reset their passwords at their next login by clicking “forgot my password”. WHAT INFORMATION WAS INVOLVED: Exposed data included the following data fields: name, address, email, phone number, username and password, answers to security questions, education and professional profile, cover letter and resume text, and voluntary information (if entered) such as gender, race, veteran status, and disability. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64548","California Attorney General","","2016","37.338208","-121.886329" "October 28, 2016","Beyond Yoga","Culver City","California","HACK","BSO","0","""We recently discovered that your personal information may have been exposed in July and August 2016 as a result of an incident currently under investigation. What Information Was Involved? The incident may have exposed your personal information, including payment card information and user names and passwords. What Are We Doing? We are requiring that all Beyond Yoga customers reset their passwords.
Effective immediately, your password is no longer valid and access to your Beyond Yoga account will be disabled until a new password is set. What Can You Do? We recommend that you review your online accounts for suspicious activity and change passwords for any other accounts that you use the same or similar information as your Beyond Yoga account. We also recommend that you review your payment card accounts for unauthorized transactions. We thank you for being a loyal Beyond Yoga customer and assure you that customer privacy and security is our main priority. For any questions or concerns,  contact privacy@beyondyoga.com.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64630","California Attorney General","","2016","34.006551","-118.392735" "October 30, 2016","Anne M. Cummings, M.D. F.A.C.P","Greenbrae","California","HACK","MED","0","""On August 22, 2016, I received confirmed notice from my electronic medical record provider that their electronic system was subject to a malware attack on July 26, 2016.  They became aware of the incident on July 27, 2016, and I am informed that they promptly took action to secure their systems.I  immediately requested further information to understand what happened and  to determine which, if any, of my patients  were  affected.  On  September 14,  2016,  I was provided further detail of the events, and learned that the company, Marin Medical Practice Concepts, Inc. (MMPC), experienced a ransomware infection.  Ransomware is a type of malware which restricts access to the computer system that it infects, and demands that a ransom be paid to the creator of the malware to remove the restriction.  The third party forensic IT firm hired to investigate this incident found no evidence that patient information was viewed, transferred or accessed.  
However, during the restoration process of their system, MMPC has informed me that one of their backup systems failed causing the loss of consultation notes between July 11, 2016 and July 26, 2016.  Given these events, I wanted to notify you of this matter.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64633","California Attorney General","","2016","37.944689","-122.536252" "October 24, 2016","Dr. Dennis T. Myers, D.D.S, P.A.","St. Joseph","Missouri","HACK","MED","3,364"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","39.798214","-94.818146" "October 20, 2016","The Finley Center","Reno","Nevada","PHYS","MED","3,000"," As reported by Health and Human Services theft. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","39.475834","-119.797161" "October 20, 2016","You and Your Health Family Care, Inc. ","Tavares","Florida","HACK","MED","3,000"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","28.804158","-81.725632" "September 29, 2016","San Juan Oncology Associates","San Juan","New Mexico","HACK","MED","500"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","26.189241","-98.155287" "September 28, 2016","Thomasville Eye Center","Thomasville","Georgia","DISC","MED","10,981"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","30.847221","-83.946862" "September 26, 2016","Prima Medical Foundation","San Rafael","California","HACK","MED","2,933"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","38.004557","-122.537977" "September 27, 2016","Marin Healthcare District","Greenbrae","California","HACK","MED","2,292"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","37.943223","-122.518046" "September 23, 2016","Group Health","Seattle","Washington","DISC","MED","668"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","47.606210","-122.332071" "September 23, 2016","Jennie Stuart Medical Center","Hopkinsville","Kentucky","HACK","MED","1,500"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","36.861113","-87.495548" "September 22, 2016","New Jersey Spine Center","Chatham","New Jersey","HACK","MED","28,000"," As reported by Health and Human Services unauthorized hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","40.739580","-74.373492" "September 21, 2016","McLaren Greater Lansing Cardiovascular Group","Lansing","Michigan","DISC","MED","1,000"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","42.732535","-84.555535" "September 20, 2016","Ventura County Health Care Agency","Ventura","California","DISC","MED","777"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","34.274646","-119.229032" "September 19, 2016","KidsPeace","Schnecksville","Pennsylvania","PHYS","MED","1,456"," As reported by Health and Human Services loss/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","40.659019","-75.598188" "September 15, 2016","Heritage Medical Partners, LLC","Hilton Head","South Carolina","DISC","MED","812"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","32.216316","-80.752608" "September 13, 2016","King of Prussia Dental Associates","King of Prussia","Pennsylvania","HACK","MED","16,228"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","40.096625","-75.392990" "September 12, 2016","Pratap S. Kurra, M.D","Merced","California","PHYS","MED","2,029"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","37.064074","-120.859310" "September 9, 2016","Public Education Employees' Health Insurance Plan","Montgomery","Alabama","DISC","MED","1,349"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","32.374812","-86.298872" "September 8, 2016","Man Alive, Inc.and Lane Treatment Center, LLC","Baltimore","Maryland","HACK","MED","860"," As reported by Health and Human Services hacking/IT incident. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","39.313713","-76.617800" "September 2, 2016","Santa Cruz County Health Services Agency","Santa Cruz","California","DISC","MED","25,000"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","36.974117","-122.030796" "August 31, 2016","Willow Bend Dental","Plano","Texas","PHYS","MED","625"," As reported by Health and Human Services theft/other. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","33.041344","-96.830798" "August 30, 2016","Howard R. Jarvis, D.M.D., L.L.C. dba Southwest Portland Dental","Portland","Oregon","HACK","MED","1,980"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","45.479556","-122.694929" "August 30, 2016","County of Los Angeles","Los Angeles","California","PHYS","MED","743"," As reported by Health and Human Services theft/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","34.052234","-118.243685" "August 26, 2016","Planned Parenthood of Greater Washington and North Idaho","Yakima","Washington","DISC","MED","10,700"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","46.593060","-120.523795" "August 23, 2016","Summit Medical Group, In. dba St. Elizabeth Physicians","Independence","Kentucky","DISC","MED","674"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","38.941921","-84.533241" "August 18, 2016","Village of Oak Park","Oak Park","Illinois","HACK","MED","688"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","41.878973","-87.778851" "August 15, 2016","New York State Office of Mental Health","New York","New York","HACK","MED","21,880"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","40.712784","-74.005941" "July 20, 2016","Memorial Hermann Health System","Houston","Texas","DISC","MED","12,061"," As reported by Health and Human Services unauthorized access/disclosure. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","29.713813","-95.396382" "July 20, 2016","Neurology Physicians LLC","Columbia","Maryland","HACK","MED","4,831"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","34.000710","-81.034814" "June 14, 2016","Texas Health and Human Services Commission","Austin","Texas","PHYS","MED","600"," As reported by Health and Human Services loss/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","30.267153","-97.743061" "June 10, 2016","Edward G. Myers, D.O. Inc.","Warren","Ohio","HACK","MED","6,441"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","41.265110","-80.774978" "November 8, 2016","Pace University","New York","New York","HACK","EDU","1,000","""An Arizona man was arrested last Wednesday after hacking into more than 1,000 student email accounts here at Pace, just in time for cybersecurity awareness month. Jonathan Powell broke into 1,035 student emails and social media accounts between October 2015 and September 2016 in search of lewd and “embarrassing” content, using keywords such as “naked” and “horny,” according to the U.S. 
Attorney for the Southern District of New York and Executive Director of Media Relations, Scott Trent. According to a statement provided by the university: “In response to a potential information security breach, Pace launched an internal investigation and immediately brought in the cybersecurity forensics team it has on-call under an existing agreement. When it was determined the incident had originated outside the University and the perpetrator had also possibly compromised external, non-Pace social media accounts, the University contacted the Federal Bureau of Investigation and US Attorney’s Office. As a result of the efforts of the FBI and the US Attorney’s Office, the individual responsible has been identified and arrested.” More Information: http://pacechronicle.com/news/2016/11/08/man-arrested-for-hacking-more-t...","Media","","2016","40.712784","-74.005941" "November 8, 2016","DealerBuilt","Mason City","Iowa","DISC","BSO","0","""If you bought a car in the last few years, there's a good chance your personal information may have found its way to the open internet. Names, addresses, phone numbers, and social security numbers for both customers and employees for over a hundred car dealerships have leaked online, all thanks to a centralized records system coupled with shoddy security. The system, built and operated by DealerBuilt, an Iowa-based database software company, sells management systems for car dealerships across the US, offering a central system for sales, customer relations, and employee payroll needs."" More Information: http://www.zdnet.com/article/bought-a-car-recently-millions-of-customers...","Media","","2016","43.146771","-93.259245" "November 3, 2016","National Wholesale Incorporated","Lexington","North Carolina","HACK","BSO","0","On October 14, 2016, National Wholesale discovered that it had been the victim of a computer related incident. Unknown individuals targeted our website and inserted harmful code. 
This code allowed unauthorized individuals to monitor the information our customers typed into the website when placing an online order. We believe that the information of 14,281 of our customers may have been compromised; we are notifying you because our records indicate that you placed an order on www.shopnational.com during the relevant time periods. National Wholesale immediately removed the malicious software, began an investigation, and engaged IT security firms to assist in repairing and securing our website. We also reported the incident to the FBI. Findings from the investigation show that if a customer placed an order on our website from September 1, 2016 through October 15, 2016, information associated with the order being placed, including the customer’s name, address, phone number, email address, payment card number, expiration date and credit card security code (CVV) may have been obtained by unauthorized individuals. If you placed an order as an existing National Wholesale customer during this same time period, your username and password to your account may have also been exposed. Please be aware that National Wholesale does not receive or retain your credit card information when you place an order. However, given the nature of this incident, it is possible that your credit card number was intercepted when you typed it into the website. More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64682","California Attorney General","","2016","35.829288","-80.271161" "November 16, 2016","FriendFinder","Sunnyvale","California","HACK","BSO","412,000,000","""A hack against popular adult dating and entertainment company FriendFinder Networks exposed data related to more than 412 million user accounts, according to a report from breach notification site LeakedSource. If the report is correct, that would make the breach one of the largest on record in terms of the number of accounts affected. 
It also would mark the second such incident at the company in two years. FriendFinder Networks did not confirm or deny the breach when reached by The Washington Post. But the company said in a statement that it had “received a number of reports regarding potential security vulnerabilities from a variety of sources” and that it is investigating. ""Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation,"" the statement said. The Adult FriendFinder data stretched back 20 years and included information such as usernames, emails, join dates and the date of a user’s last visit, according to LeakedSource. Passwords were also included in the trove -- the vast majority of them featured unsecured protections or none at all, the report said. LeakedSource said the alleged breach includes nearly 340 million accounts from flagship site Adult FriendFinder, plus data from other sites owned by FriendFinder Network, including Cams.com, as well as records from Penthouse.com, which was sold in February. The cache may also include 15 million email addresses connected to deleted accounts, according to LeakedSource."" More Information: https://www.washingtonpost.com/news/the-switch/wp/2016/11/14/adult-frien...","Media","","2016","37.407315","-122.017311" "November 4, 2016","Welk Resorts","Escondido","California","PHYS","BSO","0","""On October 6, 2016, we learned that, late on October 5, a Welk team member’s home was burglarized, and the team member’s company laptop was stolen. Upon learning of the theft, we immediately launched an investigation to determine what information may have been involved in this incident. While our investigation is ongoing, we have determined that your information may have been stored on the stolen laptop. To date, we have no evidence to suggest that the data stored on the laptop has been accessed. 
Further, we have no evidence to date that there has been any attempted or actual misuse of data stored on the laptop. This incident has been reported to local police and, to our knowledge, there is an ongoing criminal investigation. The information contained on the stolen laptop may include your name, Social Security number, address, certain benefit plan participation information, and date of birth."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64705","California Attorney General","","2016","33.119207","-117.086421" "November 6, 2016","iDressup.com","Mountain View","California","HACK","BSO","0","""On September 27, 2016, we learned that cyber criminals gained unauthorized access to our computer system and to your personal information, including your age, email address and password that you provided to create, and used to access, your www.i-Dressup.com account, as well as any additional personal information that you may have voluntarily provided such as your first name, last name, gender and country (collectively, “Personal Information”). Because it was not required to create or use any www.i-Dressup.com account, no Social Security or other identification numbers, physical addresses, mailing addresses, credit card numbers, banking or other financial information was compromised. Be that as it may, we want to make you aware of the incident, update you on the steps we have taken, and propose further steps you should take to guard yourself against identity theft or fraud."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64721","California Attorney General","","2016","37.386052","-122.083851" "November 9, 2016","UFCW Local 655","Ballwin","Missouri","HACK","BSO","0","""On or around July 21, 2016, UFCW Local 655 Food Employers Joint Pension Plan was the victim of ransomware attack. We immediately began an investigation into the nature and the scope of this incident. We retained a third-party data forensic firm to assist in our investigation. 
After an extensive investigation, we found no evidence demonstrating that an unauthorized individual accessed or acquired your child's information, however we determined that an unauthorized user gained access to our server on July 14, 2016, one week before the ransomware attack. While there is no evidence that your child's information was accessed or acquired, we are unable to definitively rule out this possibility, and are providing notice out of an abundance of caution."" The information compromised included union members' children's name, Social Security number, date of birth, credit card information, health insurance information, state ID and/or driver's license number, and bank account information. More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64824","California Attorney General","","2016","38.597939","-90.491684" "November 9, 2016","Eileen Fisher","Irvington","New York","HACK","BSO","0","""Our records show that you made a purchase on eileenfisher.com between Wednesday, September 7 – Monday, October 24, 2016. In late October, we were informed of a possible data security incident that affected our website during that time. We immediately began investigating the situation and are working diligently with a leading forensics firm to explore the issue. At this time, we believe that malicious code was added to our website which allowed unauthorized individuals to capture certain information during the checkout process. We have removed that malicious code and excluded the unauthorized individuals from our website."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64832","California Attorney General","","2016","40.726325","-74.228644" "November 10, 2016","Baxter Credit Union","Irvine","California","HACK","BSF","0","""We value and respect the privacy of your information, which is why we are writing to advise you of a recent incident that may have involved your personal information. 
We recently learned that the email account of one of our employees was compromised when it was used to spam or send an unsolicited email. Upon learning of the incident, we promptly deleted the email account credentials to prevent any additional impact on our system. In addition, we have also retained a leading forensic security firm to help us analyze the situation, identify potentially affected members and remediate our system. It is important to note that we have no reason to believe that the intent of the compromise was anything other than sending the unsolicited email, and have no evidence to suggest that anyone’s information has been or will be misused. Protecting your data is a top priority for everyone at BCU. We take seriously the trust you have placed in us, and that’s why we are sharing with you what we know about this situation. The enclosed notice contains full details, including what personal information was potentially accessed and the steps we encourage you to take to protect against fraud. I understand you may have questions or concerns and we’re here to help in every way possible. A team of representatives who are experts in dealing with these matters is available to take your call at 844-512-9008 from 8 a.m. - 8 p.m. CST, Monday through Friday."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64838","California Attorney General","","2016","33.702398","-117.852854" "November 17, 2016","Luque Chiropractic, Inc. ","Watsonville","California","DISC","MED","0","""Luque Chiropractic, Inc. on behalf of itself and Watsonville Chiropractic, Inc. (David W. Christie, D.C.) (collectively “Luque”) today announced a data incident affecting the security of certain patient records. 
On September 18, 2016, Luque was notified by its billing software company that its Amazon “S3” storage account was vulnerable because it was accessible to persons outside their organization, and that a security researcher accessed and downloaded information from the storage account. This storage account contained, among other things, protected health information of certain Luque Chiropractic, Inc. and Watsonville Chiropractic, Inc. (David W. Christie, D.C.) patients. The billing software company immediately took steps to secure the storage account and launched an investigation to determine to what extent sensitive information was accessed or acquired. They determined that the storage account was vulnerable from May, 2016 to September 11, 2016 and that information was accessed and downloaded by the security researcher on or around September 10, 2016. However, there are no indications that any fraud has resulted from this incident."" The information compromised included patient names, addresses, diagnoses, dates of birth, treatment locations, treatment dates, and Social Security numbers. More information: https://oag.ca.gov/system/files/Luque%20--%20Press%20Release_1.pdf?","California Attorney General","","2016","36.910231","-121.756895" "November 17, 2016","QVC, Inc.","West Chester","Pennsylvania","DISC","BSO","0","""QVC uses technology to track activities that occur on its website, and the tracking technology sends data to companies that provide services to QVC. We recently learned that as the result of a technical setting, instead of sending anonymous data, the tracking technology unintentionally sent limited information about website visitors to those online marketing partners. While the information was sent securely, neither QVC nor the online marketing partners intended for this data to be sent."" The information compromised included email addresses and passwords used to access QVC accounts. 
More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64962","California Attorney General","","2016","39.960664","-75.605488" "November 14, 2016","Lebanon Cardilogy Associates, PC","Lebanon","Pennsylvania","PORT","MED","537"," As reported by Health and Human Services unauthorized access/disclosure/portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","40.313756","-76.413309" "November 20, 2016","IRS","Washington","District Of Columbia","INSD","GOV","28,200,000","""A recent report from the Treasury Inspector General for Tax Administration (TIGTA) found that IRS employees sent unencrypted emails which contained 8,031 different taxpayers’ personally identifiable information. According to the report, TIGTA found 326 unencrypted emails containing taxpayer data. 275 of the emails were sent internally within IRS, while 51 emails were sent outside of the agency’s network to non-IRS email accounts. Of those emails sent externally, 20 were sent to six IRS employees’ personal email accounts. The significance of where the emails were sent is relevant to the level of the security risk to the taxpayer data. The report noted that unencrypted emails sent within the IRS internal network were of lower risk because they remained behind the agency’s firewalls which greatly lowers the probability they could be accessed by a third party. However, the emails sent outside of the agency were exposed to greater risk, not only because they were not encrypted, but because they no longer had the protection afforded by the firewall. Additionally, for the emails sent to personal accounts, the report noted that per IRS policy, no officer or employee of the IRS may use a personal email account to conduct official business. 
326 emails containing 8,031 different taxpayers’ data may not sound like much, but TIGTA had this to say about their findings"" More information: http://www.fedsmith.com/2016/11/20/ig-irs-employees-sent-unencrypted-ema...","Media","","2016","38.907192","-77.036871" "November 18, 2016","Michigan State University","East Lansing","Michigan","HACK","EDU","400,000","""Michigan State University is confirming that someone breached a database that contains around 400,000 records containing personal information. The breach happened on November 13. According to MSU, that information ""included names, Social Security numbers, MSU identification numbers, and in some cases, date of birth of some current and former students and employees. It did not contain passwords, financial, academic, contact, gift or health information."" MSU says they have confirmed that 449 of the records were accessed, before the records were taken offline within 24 hours of the breach."" More information: http://www.wxyz.com/news/michigan-state-university-confirms-data-breach-...","Media","","2016","42.719835","-84.494251" "November 18, 2016","Eye Institute of Marin","Marin","California","HACK","MED","0","""On or about August 22, 2016, we received confirmed notice from our electronic medical record provider that their electronic system was subject to a malware attack on July 26, 2016. They became aware of the incident on July 27, 2016, and we are informed that they promptly took action to secure their systems. We immediately requested further information to understand what happened and to determine which, if any, of our patients were affected. On September 14, 2016, we were provided further detail of the events, and learned that the company, MMPC, experienced a ransomware infection. 
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands that a ransom be paid to the creator of the malware to remove the restriction. The third party forensic IT firm hired to investigate this incident found no evidence that patient information was viewed, transferred or accessed. However, during the restoration process of their system, MMPC has informed us that one of their backup systems failed causing the loss of consultation notes between July 11, 2016 and July 26, 2016. Given these events, we wanted to notify you of this matter."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64977","California Attorney General","","2016","38.083403","-122.763304" "November 18, 2016","Springfield Armory","Geneseo","Illinois","HACK","BSO","0","""In late September, Springfield Armory received a report from a payment card network that it had noticed a pattern of unauthorized charges occurring on payment cards after they were used to make a purchase on our website. Springfield Armory immediately initiated an investigation and engaged a leading cyber security firm to examine our website network. In early October, the investigation determined that an unauthorized person gained access to the web server and installed code that was designed to copy information entered during the checkout process. What Information Was Involved Information entered during the checkout process included order ID, name, address, email address, phone number, payment card number, expiration date and card security code. 
This information from orders placed between October 3, 2015 and October 9, 2016 may have been affected."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-64988","California Attorney General","","2016","41.447036","-90.161260" "November 21, 2016","Division of Adult Institutions Folsom State Prison","Represa","California","DISC","GOV","0","""On Friday, October 28, 2016, at approximately 11:00 a.m., the Confidential Alpha Roster (MIRS report) that contains all staff names, social security, dates of birth, and other non-confidential data such as classification, tenure, and time base had been saved in a non-secure location, accessible to all FSP Staff. The error was discovered and the file was removed from the non-secure location on the morning of Saturday, October 29, 2016. To protect yourself from the possibility of identity theft, we recommend that you place a fraud alert on your credit files by following the recommended privacy protection steps outlined in the enclosure."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65014 ","California Attorney General","","2016","38.683803","-121.159335" "November 23, 2016","United States Navy Career Waypoints (C-WAY) Database","Washington","District Of Columbia","DISC","GOV","134,386","""The personal data of more than 130,000 sailors in a re-enlistment approval database was stolen from a contractor’s laptop, the Navy disclosed Wednesday. The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was “compromised,” and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release. The Naval Criminal Investigative Service is in the early stages of investigating the breach, but in a release said it hasn’t found any malicious use of the data yet. 
“The Navy takes this incident extremely seriously -- this is a matter of trust for our sailors,"" said Navy personnel boss Vice Adm. Robert Burke in a statement. ""We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach."" A Navy official familiar with the investigation said the personal data came from the Career Waypoints database, known as C-WAY, which sailors use to submit re-enlistment and requests to change Navy Occupational Specialties."" More information: https://www.navytimes.com/articles/data-breach-exposes-more-than-100-000...","Media","","2016","38.907192","-77.036871" "November 22, 2016","The Madison Square Garden Company","New York","New York","HACK","BSO","0","""The Madison Square Garden Company (NYSE: MSG) is notifying customers that it identified and has addressed a payment card issue. This issue may have affected cards used at merchandise and food and beverage locations at Madison Square Garden, The Theater at Madison Square Garden, Radio City Music Hall, Beacon Theatre and The Chicago Theatre. After MSG was notified that payment card issuing banks identified a transaction pattern indicating a potential data security concern, MSG immediately commenced an investigation and engaged leading computer security firms to examine its network. In the last week of October 2016, as soon as the investigation found signs of external unauthorized access, MSG worked with security firms to stop it and to implement enhanced security measures. MSG is also working with law enforcement regarding this matter. Findings from the investigation show external unauthorized access to MSG’s payment processing system for the properties listed above and the installation of a program that looked for payment card data as that data was being routed through the system for authorization. 
Data contained in the magnetic stripe on the back of payment cards swiped in person at the MSG locations listed above between November 9, 2015 and October 24, 2016 may be affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this timeframe were affected, and this incident did not involve cards used at MSG websites, the venues’ Box Offices or on Ticketmaster."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65042","California Attorney General","","2016","40.712784","-74.005941" "November 23, 2016","Atlantis, Paradise Island","","Grand Bahama","HACK","BSO","0","""Atlantis, Paradise Island (the “Resort”) today announced that a recent data security incident may have compromised the security of payment information of some customers who used debit or credit cards at food and beverage and retail locations at the Resort between March 9, 2016 and October 22, 2016. Customers can now safely use their credit and debit cards at the food and beverage and retail locations at the Resort. This incident did not affect credit and debit cards used to make or pay for hotel reservations or purchases made by guests who charged their food and beverage or retail purchases back to their room. What Happened? The Resort began investigating unusual activity after receiving reports from its credit card processor. The Resort immediately began working with third-party forensic experts to investigate these reports and to identify any signs of compromise on its computer systems. On October 21, 2016, the Resort discovered suspicious files on its computer systems that indicated a potential compromise of customers’ credit and debit card data for some credit and debit cards used at food and beverage and retail locations at the resort. Since that time, the Resort has been working with third-party forensic investigators to determine what happened and what information was affected. 
The Resort has confirmed that malware may have captured data from some credit and debit cards used at food and beverage and retail locations at the Resort. The Resort has removed the malware at issue to contain this incident and implemented additional procedures in an effort to prevent any further unauthorized access to customers’ credit and debit card information. This incident did not affect credit and debit cards used to make or pay for hotel reservations or purchases made by guests who charged their food and beverage or retail purchases back to their room.What Information Was Involved? Through the ongoing third-party forensic investigations, the Resort confirmed that malware may have captured credit and debit card data from some credit and debit cards used at food and beverage and retail locations between March 9, 2016 and October 22, 2016. The information at risk as a result of this event for credit or debit cards used at the impacted locations includes the card number, expiration date, CVV and in some instances, cardholder name. This incident did not involve customers’ Social Security numbers as this information is never collected by the Resort. This incident did not involve customers’ PIN numbers, either."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-65066","2016","26.659447","-78.520650" "November 22, 2016","Darlington","Rome ","Georgia","PHYS","MED","600"," As reported by Health and Human Services improper disposal/email. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","34.257038","-85.164673" "November 30, 2016","Google Android","Mountain View","California","HACK","BSO","1,000,000","""Hackers have in a matter of months compromised more than 1 million Google accounts as part of a lucrative fraudulent advertising scheme involving malicious app downloads, according to a new report by Check Point Software Technologies chkp , an Israeli cybersecurity firm.People’s devices became infected after they installed innocent-looking, albeit booby-trapped software from app stores outside Google’s goog authorized Play store. The malware took complete control of their devices at the root, or deepest level, stealing tokens that Google cloud services—such as Gmail, Google Photos, and Google Docs—use to authenticate users.""More information: http://fortune.com/2016/11/30/google-android-fraud/","Media","","2016","37.386052","-122.083851" "November 29, 2016","Hewitt Associates","Lincolnshire","Illinois","HACK","BSO","2,892","""The unauthorized access was to a specific group of Irvine Company employees’ personal information within the Core Benefit Administration (CBA) web portal (known to you as BenefitsNow) set up and maintained by Aon Hewitt, a benefits service provider.  An unauthorized individual potentially accessed your personal information.  We have confirmation that the unauthorized individual accessed 55 records of the 2,892 current or former employees receiving this letter.  Since we cannot verify the identity of those 55 impacted employees, we are notifying you at this time of the unlikely, but potential access of your personal information.  We sincerely apologize for any inconvenience you might experience as a result of this incident.  What Information Was Involved?  
The personal information potentially accessed by the unknown third person or persons was limited to your first and last name, social security number, saved contact information (such as mailing address or phone numbers), date of birth, beneficiary information, employee ID number, employment status, and health care plan status. The accessed data did not include any other personal information."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65100","California Attorney General","","2016","42.190025","-87.908404" "November 29, 2016","Hillary Tentler, CPA","Santa Barbara","California","PORT","BSF","0","""On November 4, 2016, I discovered that my home was broken into earlier in that day.  Upon discovery, I immediately notified the Santa Barbara County Sheriff’s office and a police report was filed.  Unfortunately, along with personal effects, the burglars stole three back up hard drives for my practice. On November 9, 2016, the Sheriff’s office miraculously caught the burglars and one of the stolen hard drives was located and returned to me. What Information Was Involved? I am notifying you of this incident because your information is believed to have been on a stolen hard drive. Though the hard drives require specific proprietary software for the files to be readable, I cannot be certain that the information was not accessed. Accordingly, I am notifying you of the potential information that may have been exposed: your name, date of birth, telephone number(s), address, social security number, all employment (W-2) information, 1099 information (including account number if provided to me), and direct deposit bank account information (including account number and routing information if provided to me). ""","California Attorney General","","2016","34.419289","-119.699383" "November 30, 2016","EmblemHealth","New York","New York","DISC","BSF","0","""We are writing to tell you about a privacy incident involving Group Health, Inc. 
(GHI), an EmblemHealth company, and what we are doing to protect your personal information. What Happened: Earlier this month, GHI mailed you a copy of your Medicare Prescription Drug Plan Evidence of Coverage (a document that describes the health care benefits covered by your plan and how your plan works). On October 13, 2016, we learned of an unintentional disclosure of your Health Insurance Claim Number (HICN) as a result of this mailing. Our investigation found that, while preparing the Evidence of Coverage documents for mailing, HICNs were inadvertently included in the electronic file sent to EmblemHealth’s vendor and were then disclosed on the external mailing label that was affixed to the package. What Information Was Involved: GHI is required to assign each member a “mailing identifier” number, which is randomly selected and contains no member information. This mailing identifier helps us keep track of the mailings we send to you. In this instance, the “mailing identifier” that GHI intended to use was mistakenly replaced with your HICN, which mirrors your Social Security number. As a result, your proper name and address appeared on the external mailing label of the evidence of coverage documents, along with the nine digits of your Social Security number that were listed as the package number (PKG#) located above the barcode. At no time were these nine digits identified as your Social Security number and no health information or financial information about you was disclosed.""","California Attorney General","","2016","40.703192","-74.009368" "November 30, 2016","The LANG Companies, Inc. ","Waukesha","Wisconsin","HACK","BSO","0","""On October 12, 2016, we learned that unauthorized individuals installed malicious software on the computer server used to process credit card transactions at www.LANG.com. 
Based on our investigation, we believe that customers who placed an order on our website from September 1, 2016 to October 19, 2016, may have had information associated with the order transmitted outside of our system. What Information Was InvolvedOur records show that you made a purchase using a payment card during this time. The information that could have been transmitted may include your name, address, payment card number, expiration date and security code (CVV).""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65124","California Attorney General","","2016","43.031364","-88.172510" "December 2, 2016","San Jose Evergreen Community College District","San Jose","California","DISC","EDU","0","""On November 7, 2016, we learned that an SJECCD employee had inadvertently uploaded a file containing the personal information of certain SJECCD students to a publicly accessible folder on the SJECCD website. The file was temporarily stored on the webserver and could be retrieved in search results. Upon learning this, we promptly removed the file from the website and began an investigation into the incident. Our investigation indicates that the incident was an accident, and not the result of any kind of malicious attack.What Information Was Involved?The personal information contained in the file may have included your name, date of birth, and Social Security number. Although we are not aware at this time of any third party misusing your personal information, we take privacy and security very seriously and wanted to inform you about this situation, the steps we are taking to protect your information, and steps you may take to help protect yourself.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65161","California Attorney General","","2016","37.338208","-121.886329" "December 6, 2016","East Valley Community Health Center, Inc. 
","West Covina","California","HACK","MED","0","""We are sending this letter to you as part of East Valley Community Health Center’s (EVCHC) commitment to patient privacy. We take patient privacy very seriously, and it is important to us that you are made fully aware of a potential privacy issue. We learned that your personal information, including name, date of birth, address, medical record number, health diagnosis codes and insurance account number may have been compromised. However, information such as social security number and/or CA identification/driver license number was not included. On October 18th, an unknown individual logged into an EVCHC server without authorization and installed Troldesh/Shade, encrypting (locking) the files that were stored on the server, this is also known as a ransomware attack. One of the files that was encrypted had patient health information on it, which came from claims that were submitted to health plans. However, to date, there is no indication that the information has been accessed or used by the unauthorized individual.""","California Attorney General","","2016","34.067295","-117.924924" "December 5, 2016","CVS Health","Cranston","Rhode Island","PHYS","BSO","626","As reported by Health and Human Services theft/paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2016","41.779823","-71.437280" "November 30, 2016","Sequin Dermatology, Office of Robert J Magnon, MD","Seguin","Texas","HACK","MED","29,969"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","California Attorney General","","2016","29.568841","-97.964727" "November 30, 2016","Louisiana Health Cooperative, Inc. in Rehabilitation","Metairie","Louisiana","HACK","MED","8,000"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","California Attorney General","","2016","30.011859","-90.154200" "December 9, 2016","Anchor Loans","Los Angeles","California","DISC","BSF","0","""On or about November 7, 2016, a security researcher accessed one of our databases that was publicly exposed on the Internet. We reacted swiftly by reconfiguring the database and moving to secure the data. Because the security researcher had access to this database, your personal information may have been exposed. We have no reason to believe our users’ data was accessed for the purpose of identity theft, but we are nevertheless providing this notice to individuals whose personal information was contained in the exposed data. What Information Was Involved To date, we have identified the following categories of personal information stored in the affected data: name, address, e-mail address, SSN, ACH routing number, bank account number, bank statement data, birthdate, and birthplace. The great majority of the data in the affected databases related to real estate transactions, not to individual borrowers or contacts.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65361","California Attorney General","","2016","34.052234","-118.243685" "December 12, 2016","Quest Diagnostics","Madison","New Jersey","HACK","MED","34,000","""Quest Diagnostics regrets to notify you of a breach of your Protected Health Information (PHI) which we became aware of on November 28, 2016.  
Here are the details of the breach: On November 26th an unauthorized third party accessed the MyQuest by Care360® internet application and obtained PHI of approximately 34,000 patients.  The data included name, date of birth, lab results, and, in some instances, telephone numbers. The affected information did not include Social Security numbers, credit card information, insurance or other financial information.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65390","California Attorney General","","2016","40.770313","-74.438844" "December 7, 2016","T-Mobile ","Bellevue","Washington","DISC","BSO","0","""On Wednesday afternoon, T-Mobile unveiled a new program called Digits, which will allow T-Mobile subscribers to use a single mobile phone number across multiple devices and use multiple phone numbers on a single device. Unfortunately, the launch of the exciting new Digits beta was quickly overshadowed by a major error on T-Mobile’s website that was sharing private account information with anyone who visited the sign-up page for the beta program.According to multiple Twitter users, the form on T-Mobile’s website for the Digits beta would occasionally show the name and phone number of another active T-Mobile subscriber. When signing up to sync a single device to multiple numbers, the site offered a series of seemingly random numbers to choose from. 
But after moving on to review the information, the customers who were attempting to sign up for Digits would sometimes see the name, email address and phone number of another T-Mobile subscriber in the registration details.""More information: http://bgr.com/2016/12/07/t-mobile-digits-security-fail-expose-private-d...","Media","","2016","47.576611","-122.167383" "May 12, 2016","Joan Jett's BlackHeart Records","Hollywood","California","DISC","BSO","0","""This week legendary rocker and Rock and Roll Hall of Fame Member Joan Jett had an unfortunate reminder of how important cyber security and data protection is in today’s digital world. On Dec 1st the MacKeeper Security Research Center discovered Joan Jett’s BlackHeart Records leaking hundreds of gigabytes of data online. BlackHeart Records is an Independent label founded by Joan Jett and Kenny Laguna and has a good reputation as an established label with a range of well known artists.The data breach is a massive treasure trove for fans and cyber criminals alike. There are unreleased tracks, never before seen pictures, even rejection letters from 1980 when Joan Jett was trying to get a record deal. 
There are also social security numbers of label employees and band members, internal memos and scanned checks of royalty payments and much more. From the entertaining obsessed fan emails to lawsuits and arrest records of the label manager, this database is a look inside of how the record label is operated and the communication between rock and roll royalty. Although there are no naked pictures or Hollywood style tabloid drama in the hundreds of gigabytes and countless thousands of files, there is a complete view of the many aspects of being a famous rockstar, operating a record label, and the meticulous documentation of every achievement, failure, or internal and external communications. With the social security numbers, banking information, scans of passports, and IDs it is easy to see that cyber criminals could have exploited this data for identity theft, fraud, or extortion. The data is now secured and it is not known how long that IP was publicly available."" More information: https://mackeeper.com/blog/post/307-joan-jetts-blackheart-records-leaks-...","Media","","2016","34.092809","-118.328661" "December 7, 2016","Preventice Services, LLC","Houston","Texas","DISC","MED","6,800"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","29.936628","-95.443427" "December 5, 2016","Dr. Melissa D. Selke","Hillsborough Township","New Jersey","HACK","MED","4,277"," As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","40.500977","-74.637921" "November 28, 2016","Glendale Adventist Medical Center","Glendale","California","HACK","MED","528"," As reported by Health and Human Services improper unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","34.150322","-118.230086" "November 28, 2016","Young Adult Institute, Inc. ","New York","New York","PHYS","MED","913"," As reported by Health and Human Services improper theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","43.299429","-74.217933" "December 14, 2016","Yahoo","Sunnyvale","California","HACK","BSO","3,000,000,000","""Yahoo Inc (YHOO.O) warned on Wednesday that it had uncovered yet another massive cyber attack, saying data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.The number of affected accounts was double the number implicated in 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government.Yahoo required all of its customers to reset their passwords - a stronger measure than it took after the previous breach was discovered, when it only recommended a password reset. Yahoo also said Wednesday that it believes hackers responsible for the previous breach had also accessed the company’s proprietary code to learn how to forge ""cookies"" that would allow hackers to access an account without a password.""Yahoo badly screwed up,"" said Bruce Schneier, a cryptologist and one of the world's most respected security experts. 
""They weren't taking security seriously and that's now very clear. I would have trouble trusting Yahoo going forward.""Yahoo was tentative in its description of new problems, saying the incident was ""likely"" distinct from the one it reported in September and that stolen information ""may have included"" names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.""More information: http://www.reuters.com/article/us-yahoo-cyber-idUSKBN1432WZYahoo statement: https//yahoo.com/security-updateUPDATE (2/15/2017):""Yahoo's newly issued warning to users about malicious hacks is related to a third data breach that the company disclosed in December 2016.A warning sent to some Yahoo users Wednesday read: ""Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.""This breach was previously revealed in a December 2016 statement from Yahoo that also provided information on a separate hack that occurred in August 2013 involving more than 1 billion accounts. In addition, some of the 2015 and 2016 incidents have been tied to a ""state-sponsored actor"" that was involved in a different 2014 breach that affected up to 500 million accounts.""Forged cookies"" are digital keys that allow access to information without re-entering passwords. The leaked data included email addresses, birth dates and answers to security questions. Yahoo declined to say how many people were affected.""More information: http://www.cnbc.com/2017/02/15/yahoo-sends-new-warning-to-customers-abou...UPDATE (3/15/2017): The U.S. Justice Department today unsealed indictments against four men accused of hacking into half-billion Yahoo email accounts.  
Two of the men named in the indictments worked for a unit of the Russian Federal Security Services (FSB) that serves as the FBI's point of contact in Moscow on cybercrime cases.""More Information: http://krebsonsecurity.com/UPDATE (9/7/2017): Link to Yahoo judgement: https://www.documentcloud.org/documents/3986196-Yahoo-judgement-on-data-...UPDATE (10/3/2017): ""Yahoo has tripled down on what was already the largest data breach in history, saying it affected all 3 billion accounts on its service, not the 1 billion it revealed late last year.The company announced Tuesday that it's providing notice to additional user accounts affected by the August 2013 data theft.""More Information: http://hosted.ap.org/dynamic/stories/U/US_YAHOO_DATA_BREACH?SITE=AP&SECT...    ","Media","","2016","37.368830","-122.036350" "December 13, 2016","BraceAbility","Cedar Falls","Iowa","HACK","BSO","0","""On October 28, 2016, BraceAbility, Inc. learned of a possible security incident involving its online ordering website. We immediately engaged independent IT forensic experts to assist with our investigation. While the investigation is still ongoing, it appears that your credit or debit card data may have been compromised if you made an online purchase between September 24, 2016 and November 28, 2016. The information potentially exposed includes your name, address, card number, verification code, and/or the card’s expiration date as well as information related to your online purchase.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65407","California Attorney General","","2016","42.534869","-92.445223" "December 14, 2016","K Partners Hotel Management","San Antonio","Texas","HACK","BSO","0","""On April 2, 2016, we discovered that on that same day, as a result of a sophisticated network intrusion, an unauthorized third party gained access to an email account and a file server. 
Upon learning of the issue, our incident response team promptly launched an investigation and notified local law enforcement. As part of our investigation, we have been working very closely with one of the nation’s leading cybersecurity firms that regularly investigates and analyzes these types of incidents. Their investigation and remediation efforts are now completed, and we have removed the infection from our system. K Partners also immediately changed passwords and took other steps to enhance the security of our network."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65435","California Attorney General","","2016","29.424122","-98.493628" "December 16, 2016","Pentagon","Washington","District Of Columbia","HACK","GOV","0","""An unclassified email system used by the Pentagon was compromised by Russian hackers in 2015, forcing security teams to take the entire network down in order to fix the breach. Martin Dempsey, who was at that time Chairman of the Joint Chiefs, told CBS that he was informed of the breach by the Director of the National Security Agency, Admiral Mike Rogers, revealing that in approximately one hour, hackers seized control of the entire email system. However, Dempsey explains that the email service was used by staff of the Pentagon’s Joint Chiefs staff, which involves some 3,500 military officers and civilians who work for the chairman, and included only unclassified emails that “had no real intelligence value.” According to Dempsey, hackers managed to obtain passwords and electronic signatures that he personally used to access the network, so taking the entire system offline was the only way to deal with the problem. Russia-backed attackers: As for the identity of the hackers, the United States officials believed they were Russians who were trying to fight back at the Pentagon after the US issued economic sanctions against their country for the conflict in Ukraine and the annexation of Crimea. The attack was launched with 
compromised servers from a West Coast university, which were used to send a total of 30,000 emails. Four of them were eventually forwarded to Joint Chiefs of Staff employees and included malicious files that infected computers when executed. At least one of them was opened by an employee and eventually compromised the system before spreading across the entire network."" More information: http://news.softpedia.com/news/russian-hackers-seized-control-of-pentago...","Media","","2016","38.871857","-77.056267" "December 15, 2016","US Election Assistance Commission","Washington","District Of Columbia","HACK","GOV","100","""The US agency responsible for certifying the security of voting machines reportedly fell victim to a hacker believed to be Russian. Security firm Recorded Future said Thursday that it discovered login credentials for computers at the US Election Assistance Commission for sale on the internet black market. The firm said its analysis identified the hacker as Russian. ""The breach appeared to include more than one hundred access credentials, including some with the highest administrative privileges,"" Andrei Barysevich, director of advanced collection at Recorded Future, wrote in a blog post. ""These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site."" More information: https://www.cnet.com/news/us-election-agency-hacked-by-suspected-russian/","Media","","2016","47.751074","-120.740139" "December 16, 2016","Turner Broadcasting Systems (Bleacher Report)","New York","New York","HACK","BSO","0","""On November 12, 2016, we became aware that an unauthorized party gained access to certain files containing limited Bleacher Report user information.  We immediately began investigating the incident, and our investigation revealed that the unauthorized party accessed this user information sometime in or before early November 2016.  
We also reported the incident to law enforcement authorities.We concluded that the unauthorized party may have acquired the first name, last name,  username (email address), and password for Bleacher Report's website and mobile application user accounts.  The Bleacher Report website and mobile application do not collect credit card numbers or other sensitive personal information, such as Social Security numbers.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65476Company information: https://support.bleacherreport.com","California Attorney General","","2016","40.712784","-74.005941" "December 16, 2016","County of Los Angeles","Los Angeles","California","HACK","GOV","108","""On May 13, 2016, the County experienced a phishing email attack that affected approximately 108 out of 120,000 County employee email accounts. A phishing email tries to trick someone into giving up important information (in this case, email account usernames and passwords) by appearing to come from a trustworthy source. Email accounts are used by County employees to communicate about and coordinate County services. As a recipient of County services, information concerning you described below was identified in one or more of these email accounts and may have been compromised. Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation. What Information Was Involved? The information may have included your first and last name, date of birth, Social Security number (SSN), driver’s license or state identification number, payment card information, bank account information, home address, phone number(s), and/or medical information, such as Medi-Cal or insurance carrier identification number, diagnosis, treatment history, or medical record number. 
Each individual may have been impacted differently.""","California Attorney General","","2016","34.052234","-118.243685" "December 20, 2016","Kaiser Foundation Hospital","Oakland","California","DISC","MED","0","""You visited kp.org between November 16 and 28, 2016, and used our online Estimates tool. Due to a system error, there is a small chance that your name, age, address, and some information on how much you’ve spent on health care this year may have been seen by another kp.org user.  An update to the Estimates tool was made on November 16, 2016.  After the update, there was a small chance that a subsequent user of the tool may have viewed a previous user’s information.  We discovered the problem on November 28, and immediately rolled back the update to keep similar errors from happening again.   What information was involved?  We’ve confirmed that no Social Security numbers or banking or claims information was seen by others. However, the following information may have been mistakenly seen by a kp.org visitor who used the tool after you:  First and last name, age (not date of birth), address, copay information for your plan, deductible payments(dollars spent toward your deductible) so far in 2016,  out-of-pocket expenses (dollars spent) so far in 2016""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65536","California Attorney General","","2016","37.804364","-122.271114" "December 20, 2016","Western Union","Englewood","Colorado","HACK","BSF","0","""We recently became aware that your information may have been accessed without authorization in July of this year in a computer intrusion against a vendor-supplied external system formerly used by Western Union for secure data storage.  We promptly informed federal law enforcement and began work to notify individuals whose information may have been compromised. 
What information was involved:  Your personal information that may have been involved includes driver's license, Social Security number, and date of birth.  Please note that, at this time, we are not aware of any instances of fraud, identity theft or other harm to any individual associated with this incident.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65549","California Attorney General","","2016","39.647765","-104.987760" "December 22, 2016","Dover Federal Credit Union","Cheswold","Delaware","INSD","BSF","0","""On September 20, 2016, DFCU learned that an employee had transferred DFCU files to the employee’s personal Dropbox account to access the information from the employee’s home computer for business purposes.  Although DFCU had no indication that any of the transferred information was compromised, DFCU managers immediately began an investigation to determine what information had been transferred.  DFCU hired a computer forensic firm to help investigate the incident.  The investigation determined on November 18, 2016, that it was unlikely that any information was accessed by any unauthorized person, as the employee was the only authorized user of the Dropbox account and did not provide the Dropbox credentials to any other individual.  DFCU determined on November 23, 2016, that the files transferred to the employee’s Dropbox account included personal information of all DFCU members.  What information was involved? The information included your name, address, DFCU account number, and your Social Security number.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65580","California Attorney General","","2016","39.221427","-75.582978" "December 22, 2016","Claremont University Consortium","Claremont","California","PORT","EDU","0","""On November 15, 2016, several items, including a password-protected laptop, were stolen from a Claremont University Consortium employee’s locked vehicle. 
The theft was discovered the same day and the employee promptly notified the College and the Berkeley Police Department. We have been working with law enforcement but, to date, they have been unable to locate the suspects or the stolen items. What information was involved? Our investigation has confirmed that the stolen laptop may have contained information regarding your 1099 tax form, including your name, address, date of birth, and Social Security number.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65602","California Attorney General","","2016","34.096676","-117.719779" "December 31, 2016","KeepKey","Redmond","Washington","HACK","BSO","0","""On the last day of 2016, KeepKey, a vendor of Bitcoin hardware wallets, has notified users of a security breach that inadvertently exposed some of its customers' details.According to Darin Stanchfield, KeepKey founder and CEO, the attack took place on Christmas Day, December 25, when an unknown attacker had activated a new phone number with Stanchfield's Verizon account.This allowed the attacker to request a password reset for his Verizon email account, but receive the password reset details on the newly activated phone number.Attacker hijacked CEO's Verizon account by activating a rogue phone numberA few minutes later, the attacker had taken over Stanchfield's email account and proceeded to request password resets for several services where the KeepKey founder had used that email address to register profiles.In no time, the attacker had taken over several of Stanchfield's accounts on other sites, such as KeepKey's official Twitter account, and several of KeepKey's side services, such as accounts for sales distribution channels and email marketing software.""More information: https://www.bleepingcomputer.com/news/security/attacks-on-phones-of-bitc...","Media","","2016","47.708828","-122.160140" "December 29, 2016","New Hampshire Department of Health and Human Services","Concord","New 
Hampshire","INSD","MED","15,000","""State officials are working to strengthen the security of the state’s computer network, after a data breach last year leaked the confidential information of thousands of New Hampshire Department of Health and Human Services clients.A former patient at New Hampshire’s state psychiatric hospital used a computer in the hospital library to access information of about 15,000 individuals who received department services, according to a DHHS statement.While on the state’s network, the patient accessed confidential information including names, addresses, Social Security numbers and Medicaid ID numbers and posted the information on social media sites.""More information: http://www.concordmonitor.com/NH-state-officials-working-to-make-network... ","","","2016","43.197344","-71.546616" "December 28, 2016","InterContinental Hotels Group (IHG)","Denham","Buckinghamshire","HACK","BSO","0","""InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations.  
We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements.  If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza."" ","Krebs On Security","https://krebsonsecurity.com/2016/12/holiday-inn-parent-ihg-probes-breach-claims/","2016","51.569583","-0.493857" "December 31, 2016","Topps","Brooklyn","New York","HACK","BSO","0","""Topps, the iconic maker of Star Wars, Frozen and various sports-related trading cards, has just notified its customers of security breaches that happened earlier this year. In it, the company has admitted that one or more intruders infiltrated its system and ""may have gained access to [customers'] names, addresses, email addresses, phone numbers, debit or credit card numbers, card expiration days and card verification numbers."" Topps said it didn't find out about the intruders until October 12th, but anyone who bought items through its website from June 30th to that date could be affected. 
Upon discovering the breaches, it worked with a security firm to fix the vulnerability the hackers exploited and to fortify its system.""More information: https://www.engadget.com/2016/12/31/topps-trading-card-maker-security-br...","Media","","2016","40.656411","-74.008272" "November 23, 2016","Hewlett Packard Enterprise Services ","Plano","Texas","HACK","BSO","134,386","""According to a news release, Hewlett Packard Enterprise Services notified the Navy on Oct. 27 that one of the company's laptops operated by an employee who was supporting a Navy contract had been breached. On Tuesday, an analysis by HP Enterprise Services and a Naval Criminal Investigative Service investigation indicated personal information — including names and Social Security numbers — of 134,386 current and former sailors had been accessed by unknown individuals.""More information: http://www.washingtonexaminer.com/navy-130000-current-and-former-sailors...!","Media","","2016","33.074279","-96.815199" "October 14, 2016","Washington Department of Fish and Wildlife","Olympia","Washington","HACK","GOV","1,700,000","""About 1.7 million people who bought Washington hunting and fishing licenses before mid-2006 have been notified that their personal information may have been exposed earlier this year to a hacker who gained unauthorized access to a data base maintained by the state's license vendor. Customers' personal information included their names; addresses; birthdates; driver's license numbers (customers had the option of providing this information)and related details such as height, weight, and eye/hair color; and the last four digits of Social Security numbers (the other five Social Security numbers were encrypted). No credit card or other financial data was exposed. 
The state Office of Cyber Security, federal law enforcement agencies, and the vendor continue to investigate the incident.""More information: http://wdfw.wa.gov/licensing/wild_system/","Government Agency","","2016","47.049469","-122.901976" "August 25, 2016","Kentucky Department of Fish and Wildlife","Frankfort","Kentucky","HACK","GOV","0","""Someone illegally accessed Kentucky Department of Fish and Wildlife Resources customer information, officials announced Thursday.The information included names, addresses, birth dates, last four digits of Social Security numbers and phone numbers and email addresses. No credit card numbers, full Social Security numbers, usernames or passwords were accessed, officials said.Fish and Wildlife officials ""acted immediately to fix the vulnerability"" after learning of it earlier this week, they said.The department is working with the Commonwealth Office of Technology and other states that had similar breaches to ensure the security of their web systems.Anyone with questions about their accounts with the department can call 800-858-1549.""More information: http://www.wcpo.com/news/state/state-kentucky/ky-fish-and-wildlife-data-...","Media","","2016","38.200906","-84.873284" "August 26, 2016","Idaho Department of Fish and Game","Boise","Idaho","HACK","GOV","0","""Idaho Fish and Game today learned that personal information for license buyers who began purchasing hunting and fishing licenses and tags prior to 2008 was potentially accessed by a breach of the online computer license sales system owned and operated by Active Network, a Texas-based company.During a Friday afternoon conference call, Active Network executives told Fish and Game that it cannot confirm whether any personal information was actually taken but that it is possible.The data breach apparently occurred sometime over the summer.  Personal information potentially includes name, age, address, and Social Security Number.  
Idaho Fish and Game is required by state law to obtain this information to issue a license. Credit card information is not kept in the Active Network licensing system and Fish and Game is confident it was not accessed.“This is a serious matter and we encourage all license holders who may potentially be affected to take proactive steps to protect themselves,” Fish and Game Deputy Director Ed Schriever said.  “We apologize to our license buyers and will continue to work with Active Network to get to the bottom of this.”More information: https://idfg.idaho.gov/press/idaho-fish-and-game-customer-information-po...","Government Agency","","2016","43.602032","-116.186316" "August 5, 2016","U.S. Department of Health and Human Services","Washington ","District Of Columbia","PORT","GOV","5,000,000","""The top watchdogs in the House demanded to know Tuesday why a personal laptop taken from a federal building in Washington state was used to conduct child-support audits, especially because it and other stolen hard drives may have contained millions of names and Social Security numbers.The letter by the House government oversight panel's Republican chairman and senior Democrat to Health and Human Services Secretary Sylvia Burwell comes about a week after GOP investigators began looking into the breach in Olympia, Washington, which authorities say affected as many as five million people.""Your staff acknowledged that the use of personal equipment is a clear violation of HHS privacy and security policy,"" Utah Republican Jason Chaffetz and Maryland Democrat Elijah Cummings wrote in the letter obtained by The Associated Press. The break-ins occurred in early February at the federal Office of Child Support Enforcement.Chaffetz's committee has been critical of data breaches under the Obama administration, including when the U.S. 
Office of Personnel Management said last year hackers committed an unprecedented theft of private data for millions of federal workers.""More information: http://www.usnews.com/news/politics/articles/2016-04-05/senate-few-answe...","Media","","2016","47.751074","-120.740139" "January 4, 2016","Salem Five Cents Savings Bank","Salem","Massachusetts","HACK","BSF","315","Electronic breach affecting credit/debit cards as reported by the department of Consumer Affairs and Business Regulation the state of Massachusetts. More information: http://www.mass.gov/ocabr/docs/idtheft/data-breach-web-report-2016.pdf","Government Agency","","2016","42.519540","-70.896716" "January 11, 2016","Motivate International Inc.","Brooklyn","New York","HACK","BSO","43","Electronic breach affecting Social Security numbers as reported by the department of Consumer Affairs and Business Regulation the state of Massachusetts. More information: http://www.mass.gov/ocabr/docs/idtheft/data-breach-web-report-2016.pdf","Government Agency","","2016","40.646505","-74.016238" "January 12, 2016","Clarks Americas, Inc. ","Newton","Massachusetts","HACK","BSO","37","Electronic breach affecting Social Security numbers as reported by the department of Consumer Affairs and Business Regulation the state of Massachusetts. More information: http://www.mass.gov/ocabr/docs/idtheft/data-breach-web-report-2016.pdf","Government Agency","","2016","42.337041","-71.209221" "January 12, 2016","The Cooperative Bank of Cape Cod","Cape Cod","Massachusetts","HACK","BSF","166","Electronic breach affecting credit/debit cards as reported by the department of Consumer Affairs and Business Regulation the state of Massachusetts. 
More information: http://www.mass.gov/ocabr/docs/idtheft/data-breach-web-report-2016.pdf","Government Agency","","2016","41.668790","-70.296241" "January 12, 2016","Eastern Bank","Boston","Massachusetts","HACK","BSF","121","Electronic breach affecting credit/debit cards as reported by the department of Consumer Affairs and Business Regulation the state of Massachusetts. More information: http://www.mass.gov/ocabr/docs/idtheft/data-breach-web-report-2016.pdf","Government Agency","","2016","42.356500","-71.053368" "December 28, 2016","Graphik Dimensions, Ltd. (pictureframes.com)","High Point","North Carolina","HACK","BSO","1,614","""On or around November 9, 2016, Graphik Dimensions was advised that it had been identified as a common point of purchase for credit card fraud. On or around November 29, 2016, Graphik Dimensions’ investigation confirmed that an unidentified third party had injected malicious code into the pictureframes.com e-commerce site. The malicious code enabled the unidentified third party to acquire credit card information while the purchase took place. Graphik Dimensions’ investigation revealed that the exploit existed between July 12, 2016 and November 30, 2016. The specific information that may have been obtained by the unidentified third party included customers’ name, billing address, full credit card number, expiration date, CVV number, and user name and password. Graphik Dimensions removed the malicious code from the affected system, and continues to take steps to ensure the security of its systems. 
It worked with the investigators, along with other subject matter experts, to ensure the security of its customers’ data and to implement a remediation plan to improve security in Graphik Dimensions’ network.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65625","California Attorney General","","2016","35.933451","-79.977343" "December 30, 2016","Sheet Metal Workers' Local Union No.104","Cupertino","California","DISC","BSO","0","""On November 16, 2016, we were made aware of a blog post claiming that the author was able to access sensitive member data on October 3, 2016.  Immediately after being made aware of the report, we launched an internal investigation to ensure the security of our systems.  We also retained third-party forensic experts to assist in the investigation of the incident and determine if our systems were accessed without authorization.  While the investigation is ongoing, we have no reason to believe that any member data has been used to engage in the identity theft or fraud.  We have no evidence the Local 104's systems were subject to unauthorized access; rather, we believe that the blogger may have accessed data on a system maintained by a Local 104 third-party vendor. What Information Was Involved? We determined that the unauthorized individual was able to obtain files containing certain types of your personal information including your name, address, phone number, date of birth, driver's license number and Social Security number. ""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65675","California Attorney General","","2016","37.322619","-122.016006" "January 8, 2017","E-Sports Entertainment Association (ESEA)","Cologne","Berlin","HACK","BSO","1,503,710","""E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities on the planet, was hacked last December. 
As a result, a database containing 1.5 million player profiles was compromised. On Sunday, ESEA posted a message to Twitter, reminding players of the warning issued on December 30, 2016, three days after they were informed of the hack. Sunday’s message said the leak of player information was expected, but they’ve not confirmed if the leaked records came from their systems."" ","Media","http://www.csoonline.com/article/3155397/security/esea-hacked-1-5-million-records-leaked-after-alleged-failed-extortion-attempt.html","2017","50.937531","6.960279" "January 10, 2017","Legal Aid Society of Orange County (LASOC)","Santa Ana","California","DISC","NGO","0","""LASOC developed the I-CAN! web application, which was previously used by individuals, as part of the IRS's Free File Program, to prepare and file tax forms at no cost to the filer.  On October 31, 2016, LASOC became aware that certain completed tax forms from the 2007 and 2008 tax years had become temporarily accessible to the general public through a directed search on certain internet search engines.  However, LASOC is unaware of any attempted or actual misuse of personal data contained within the tax forms that were temporarily accessible on the internet as a result of this incident. What Information Was Involved? As part of the investigation into this incident, LASOC determined a tax form containing the following information about you, as provided by the filer, was temporarily accessible to the general public through a directed search on certain internet search engines: name and Social Security number.""More information: https://oag.ca.gov/system/files/Legal%20Aid%20Orange%20County%20NOTICE_0...? ","California Attorney General","","2017","33.765160","-117.835264" "January 3, 2017","MetroPlus Health Plan","New York","New York","DISC","MED","808","As reported by Health and Human Services unauthorized access/disclosure. 
No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...","Government Agency","","2017","40.706783","-74.005889" "December 29, 2016","PathGroup","Brentwood","Tennessee","DISC","MED","1,443"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","36.032263","-86.809293" "December 29, 2016","PrimeWest Health","Alexandria","Minnesota","HACK","MED","2,441"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","45.853497","-95.392901" "December 27, 2016","Susan M. Hughes Center","Cherry Hill","New Jersey","HACK","MED","11,400"," As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","39.899651","-74.966712" "December 23, 2016","Waiting Room Solutions Limited Liability Limited Partnership","Goshen","New York","DISC","MED","700"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... 
","Government Agency","","2016","41.582272","-85.834438" "December 21, 2016","Henry County Health Department","Napoleon","Ohio","PHYS","MED","574"," As reported by Health and Human Services as theft. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2016","41.408869","-84.123556" "January 9, 2017","Kevin Harrington, CPA","Rancho Cordova","California","HACK","BSF","0","""On November 11, 2016, I detected that someone may have accessed my computer without authorization. I immediately informed my information technology provider and disabled online access to my computer. I immediately began an investigation, and on November 18, 2016, the information technology firm confirmed that someone accessed client files on my computer without authorization. I immediately notified the Internal Revenue e-File Services Department, the Internal Revenue Service/Criminal Investigation, and the California Franchise Tax Board to prevent any fraudulent activity. Although I am not aware of any fraudulent use of information associated with the event, I encourage you to utilize the services referenced below to monitor your personal information.What Information Was Involved? The following information appears to have been accessed: tax return information which included names, addresses, dates of birth, and Social Security numbers.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65751","California Attorney General","","2017","38.596462","-121.268255" "January 12, 2017","SwimOutlet.com","Campbell","California","HACK","BSO","0","""On October 31, 2016, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. 
On November 28, 2016, we received confirmation of a sophisticated cyberattack in which a hack into our system may have compromised some customers’ debit and credit card data used at www.swimoutlet.com between May 2, 2016-November 22, 2016. The information at risk as a result of this event includes the cardholder’s name, address, phone number, email address, card number, expiration date, and CVV.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65809","California Attorney General","","2017","37.288231","-121.935698" "January 13, 2017","Children's Hospital of Los Angeles","Los Angeles","California","PORT","MED","3,600","""On December 21, 2016, we learned that a laptop that was stolen from the locked vehicle of a Children’s Hospital Los Angeles Medical Group physician who practices at Children’s Hospital Los Angeles was unencrypted. What Information Was Involved The laptop may have had files on it with your child’s name, date of birth, address, medical record number and some clinical information. 
We have been working with law enforcement but, to date, they have been unable to find the stolen laptop.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65827 More information: http://www.esecurityplanet.com/network-security/three-medical-data-breac...","California Attorney General","","2017","34.052234","-118.243685" "January 18, 2017","California Department of Justice","Sacramento","California","DISC","GOV","3,424","""Radio (KPCC), an NPR affiliate, sought all information on Firearms Safety Certifications available from the California Department of Justice. The information was released in October, and a clerical error gave the reporter wide access to the personal information of 3,424 firearms instructors -- whose dates of birth, driver’s license numbers and California identification numbers were handed over, according to NRA-ILA, the legislative arm of the National Rifle Association. The error was caught two months later, and the California DOJ sent out a letter to all of the Golden State’s instructors letting them know their personal information had been compromised.""More information: http://www.foxnews.com/us/2017/01/18/california-snafu-releases-personal-...","Media","","2016","38.581572","-121.494400" "January 19, 2017","CoPilot Provider Services Inc.","New Hyde Park","New York","HACK","BSO","220,000","""CoPilot maintains a particular website, www.monovischcp.com, used by physicians to help determine whether insurance coverage is available for ORTHOVISC® and MONOVISC® injections. This website may have been used by your physician’s office to make an inquiry about your insurance coverage for these injections. On December 23, 2015, CoPilot received complaints claiming that personal information submitted to the site, including health information, was accessible for downloading from the website. CoPilot immediately launched an investigation and retained a leading cybersecurity consulting firm to assist in its investigation of what occurred. 
As a result of CoPilot’s investigation, CoPilot believes that it identified the individual who accessed CoPilot’s database through unauthorized means and downloaded certain health information, and that the data was not accessible for downloading by the general public from the website. Subsequently, CoPilot referred the matter to law enforcement. Our understanding is that the law enforcement investigation supports CoPilot’s conclusion about the identity of the responsible individual. What Information Was Involved? The data accessed may have contained information such as your name, gender, date of birth, address, phone number, and medical insurance card information. It is important to note that your Social Security number was not included. No medical records, or specific diagnosis or treatment information was involved in this incident, although the fact that your information was in our database, in connection with other information, could suggest that an inquiry was made regarding whether you had insurance coverage for ORTHOVISC® or MONOVISC® injections.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65922 More information: http://www.beckershospitalreview.com/healthcare-information-technology/c...","California Attorney General","","2017","40.735102","-73.687908" "January 20, 2017","Wonderful Center for Health Innovation","Lost Hills","California","PORT","MED","0","""On December 12, 2016, it was discovered that a laptop containing medical information from the Wonderful Center for Health Innovation was stolen between December 9, 2016 and December 12, 2016.  We promptly reported the incident to law enforcement, and we continue to cooperate with the authorities.  Unfortunately, the laptop has not yet been recovered. The files on the laptop included your full name, home address, date of birth, telephone number, electronic mail (email) address, clinic account number, medical conditions, medical test results, and clinic treatment date(s). 
We have not received an indication that information on the laptop has been accessed or used by an unauthorized individual, but wanted to alert you of this issue.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65961","California Attorney General","","2017","35.616349","-119.694294" "June 14, 2016","Sutter County Courthouse","Yuba City","California","DISC","GOV","43","""Private personal information of potentially thousands of people was unintentionally available on public access computers in the Sutter County Superior Courthouse on Monday. The data breach occurred when a new case management system went live Monday morning. The system was taken down the same afternoon after an Appeal-Democrat reporter alerted Court Executive Officer Stephanie Hansel that sensitive and private information was viewable to the public. For about six hours, anyone who searched for a criminal or traffic case on public access computers could view the defendant's Social Security number, birthday, driver's license number and home address. State court rules clearly say such data should be redacted by court clerks for the protection of privacy.""More information: http://www.govtech.com/dc/articles/California-County-Courthouse-Suffers-...","Media","","2016","39.145990","-121.638862" "January 26, 2016","Centene","St. Louis","Missouri","PORT","BSF","950,000","""Centene, a St. Louis-based payer, is searching for six missing hard drives that contain protected health information of approximately 950,000 individuals. The six hard drives contain information of individuals who received laboratory services from 2009 to 2015, including names, addresses, birth dates, Social Security numbers, member ID number and health information. There is no financial or payment information stored on the hard drives, according to the payer. Centene noticed the hard drives were missing when they were unaccounted for in an inventory of IT assets. 
The hard drives were part of a data project that used laboratory results to improve health outcomes.The payer does not believe the information has been inappropriately used but has launched an ongoing search ""out of abundance of caution and in transparency,"" according to a media notice.""More information: http://www.beckershospitalreview.com/healthcare-information-technology/c...","Media","","2016","38.627003","-90.199404" "January 27, 2016","cPanel","Houston","Texas","HACK","BSO","0","""Website administration firm cPanel told customers that it had been hacked over the weekend, potentially exposing contact information in the process.Customers' names, contact details, and encrypted (and salted) passwords were publicly aired due to a series of unfortunate events.Payment information, kept on a separate system, remains safe.Passwords ought to be safe too, but cPanel is taking the opportunity to get customers with older password encryption to change up anyway.“I am writing to let you know that one of our user databases may have been breached,” the firm warned customers in an email over the weekend (republished online here). “Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible.”“The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach.”“Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. 
In order to safeguard the system, we will force all users with older password encryption to change their passwords,” it added.This is a fairly minor breach and the main outcome – if crooks manage to get their hands on the potentially exposed contact info – is more convincing phishing emails.""More information: http://www.theregister.co.uk/2016/01/27/cpanel_security_breach/","Media","","2016","29.808178","-95.444629" "February 8, 2016","Department Homeland Security","Washington","District Of Columbia","HACK","GOV","9,000","""Computer hackers have accessed and dumped personal information of more than 9,000 Department of Homeland Security employees, and the hackers suggest they have the information of more than 20,000 FBI employees, reports Motherboard. Breached information includes names, job titles, email addresses and phone numbers of employees.The hacker told Motherboard they obtained the data by ""compromising the email account"" of an employee in the Department of Justice, though they did not expand on how the account was accessed. The hacker contacted the Motherboard reporter through the compromised DOJ account, according to the report.The hacker then reportedly tried logging into a DOJ web portal. When the hacker ran into trouble accessing the portal, the hacker told Motherboard he called the department and said he was new and didn't know how to access the portal. 
""They asked if I had a token code, I said no, they said, 'That's fine, just use our one,'"" the hacker told Motherboard.Once gaining entry into the web portal, the hacker had access to documents on the local network, including a database of government workers on a DOJ intranet, according to the report.The hacker said he had access to 1 TB of data, of which he downloaded 200 GB, according to the report.According to The Hill, the hacker appears to be motivated by the United States' support of Palestine.""More information: http://www.beckershospitalreview.com/healthcare-information-technology/h...","Media","","2016","47.751074","-120.740139" "February 26, 2016","University California Berkeley","Berkeley","California","HACK","EDU","80,000","""Campus officials are alerting nearly 80,000 current and former faculty, staff, students and vendors about a criminal cyber security breach on a campus system, making vulnerable thousands of Social Security or bank account numbers.The data breach occurred Dec. 28 to a portion of Berkeley Financial System, or BFS, a software used by the campus for financial management.“We don’t see any evidence that this is the kind of attacker that actually did access the data or did anything to take that data from the system,” said campus Chief Information Security Officer Paul Rivers in a phone press conference Friday.The system that houses BFS is large and complicated, Rivers said, containing numerous machines and various types of software packages. When the campus detected a vulnerability in one of these areas in November, the campus began installing and testing a security fix — known as a patch — which can take weeks, Rivers said during the press call. During this process, attackers were able to discover a security flaw and gained access to the system.BFS contains the information of about 50 percent of current students and 65 percent of active employees. 
Affected individuals largely include students, faculty and staff who received payments from the campus, mainly through electronic fund transfers. Those who received paper payments, however, may have also been affected.A private computer investigation firm was retained by the campus to further determine whether personal information was compromised. The campus will send notice letters in the mail with more information about free credit monitoring and insurance to those who were potentially impacted starting Friday.According to Rivers, this is the third significant breach UC Berkeley has seen in the past five years.Within a day of the unauthorized intrusion Dec. 28, the campus’s security team had detected and began efforts to contain the attack, according to campus spokesperson Janet Gilmore.Once campus IT staff identified the unauthorized access, they forensically preserved copies of the system for investigation purposes and took affected servers offline for about two weeks to prevent further access. When the campus shut down BFS and supporting systems, some students received emails in early January notifying them of possible disruptions to financial aid disbursements.""More information: http://www.dailycal.org/2016/02/26/campus-notifies-nearly-80000-students...","Media","","2015","37.871593","-122.272747" "May 17, 2016","LinkedIn","Mountain View","California","HACK","BSO","117,000,000","""A recent incident involving LinkedIn, the business-oriented social networking service, is showing that data breaches can cause big problems for companies and consumers — even years after the breaches take place. On May 17, 2016, LinkedIn discovered that information stolen in a 2012 incident was being made available online, and notified site users immediately the next day about what happened and what they were doing to fix it. In 2012, an alleged 117 million email and password combinations were stolen by hackers. 
At the time, LinkedIn issued a mandatory password reset for any accounts they thought were compromised; all LinkedIn members were encouraged to change their passwords as well, just in case. Fast forward to present day, and the 2012 breach has come back to haunt LinkedIn. The stolen data popped up online, and in an e-mail to LinkedIn users sent on May 25, 2016, the company said the published information included email addresses, hashed passwords, and LinkedIn member IDs, which are an internal identifier LinkedIn assigns to each member profile. They immediately invalidated passwords of all LinkedIn accounts that were created prior to the 2012 breach and had not undergone a password reset since the breach. LinkedIn’s attempts to protect users, however, are extending beyond resetting passwords this time. They are also using automated tools to try and identify (and block) any suspicious activity on specific LinkedIn accounts. The proper authorities have been contacted and LinkedIn is working with law enforcement. They have demanded that anyone making stolen password data available must stop immediately, or face potential legal action. In their e-mail, the company also shared that they have improved security features since the 2012 breach, which will hopefully prevent another incident like this from happening in the future. As examples, they noted that they use salted hashes to store passwords and offer two-step verification for members who are interested in additional security. LinkedIn also encouraged members to use strong passwords and to change them regularly. 
If you don’t change your password often enough because you have trouble remembering new passwords, consider using a password manager, which can help you keep all of your passwords organized.""More information: https://www.identityforce.com/blog/linkedin-data-breach-continues-cause-...","Media","","2016","37.386052","-122.083851" "May 13, 2016","Tumblr","New York","New York","HACK","BSO","65,469,300","""A third party accessed a set of Tumblr user email addresses with salted and hashed passwords, the Yahoo-owned microblogging site said Thursday. The credentials are from early 2013, prior to Tumblr's acquisition by Yahoo, officials said in a May 12 blog post.   The site's security team investigated the matter as soon as it became aware of the incident. “Our analysis gives us no reason to believe that this information was used to access Tumblr accounts,” the blog said. Officials said in the blog that those affected will be required to set a new password as a precaution. Users are instructed to visit the sites security page for more information on how to keep their accounts secure.""More information: https://www.scmagazine.com/tumblr-announces-email-credentials-compromise...UPDATE (5/31/2016):  ""More than 65 million Tumblr accounts from a 2013 breach were spotted for sale on the dark web. Security researcher and Haveibeenpwned owner Troy Hunt recently found a database containing the stolen account information for sale on a dark web market site and listed the breach on his own site as the third largest ever. A hacker known as Peace was selling the database for $150, according to Vice's Motherboard. Peace told Motherboard the price is so low because the salted passwords are very difficult to crack however, Hunt told the publication roughly half of the passwords will likely be cracked due to weak password protections that were used at the time. 
On May 12, Tumblr notified users of the breach that compromised user email addresses with salted and hashed passwords from early 2013 and told users there is no reason to believe that the information was used to access their Tumblr accounts. Although the breach isn't as bad as other major breaches, it has the potential to be dangerous for users who re-use passwords, Kaspersky Lab Senior Security Researcher Brian Bartholomew told SCMagazine.com via email. “If you were to think about how many users from Tumblr have Apple cloud accounts, Twitter accounts, Gmail or other online mail accounts, etc. the potential risk is high for this breach to bleed over into other stories down the road,” he said.  “These credentials could be used by criminals to access anything from bank accounts, to mail accounts, to other online systems that may house personal data / pictures / etc.” Bartholomew also said the credentials could be used to carry out phishing attacks, targeting and extortion."" More information: https://www.scmagazine.com/tumblr-accounts-from-2013-breach-for-sale-on-...","Media","","2016","40.712784","-74.005941" "January 23, 2017","Pool Supply Unlimited","Ontario","California","HACK","BSO","0","""On January 11, 2017 Pool Supply Unlimited learned that a third party computer server utilized for our website was hacked.  In the last week poolsupplyunlimited.com has been held hostage by a group of hackers in Iran.  Unfortunately, this specific group of hackers have been causing problems for American companies big and small for years. We have been working closely with the FBI since the breach. It was only this morning that we learned the extent of the information stolen during the hack. 
More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65971","California Attorney General","","2016","34.035497","-117.623141" "January 26, 2017","Cuddl Duds (Komar & Sons, Inc)","Jersey City","New Jersey","HACK","BSO","0","""Cuddl Duds is writing regarding a recent data security incident that may impact certain payment card information used by you at our e-commerce website. We wanted to provide you with information about this incident, our response, and steps you can take to prevent fraud, should you feel it necessary to do so. What Happened? On or around December 1, 2016, we received reports of suspicious activity from our third party e-commerce partner. We immediately began to investigate these reports to identify what happened and what information was impacted. Third-party computer forensic investigators were retained to assist with the investigation into what happened and what data was impacted. The investigation initially identified suspicious files on the system. In an abundance of caution, all user passwords were reset as this incident was initially determined to impact only name, address, email address, and encrypted passwords. Further investigation identified a malicious code inserted into the e-commerce website. Upon identifying the malicious code, Cuddl Duds and its partner quickly took steps to remove the code and prevent further unauthorized access. A review of the code determined that it was capable of collecting information provided by customers on the checkout page of Cuddl Duds. What Information Was Involved? Cuddl Duds’s investigation has revealed that the malicious code collected demographic and credit card information entered on our e-commerce site checkout page between March 1, 2015 and December 1, 2016. The information collected included the cardholder’s name, shipping address, billing address, email address, card number, card type, expiration date, and CVV. 
If you were a registered user at our site, your login and password would also have been collected. All user passwords were changed in December after the discovery of the files.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66044","California Attorney General","","2016","40.715226","-74.033716" "January 27, 2017","Synergy Specialists Medical Group","San Diego","California","HACK","MED","0","""On December 9, 2016, we became aware that some patients had received an email from our office earlier that morning that we did not send. Specifically, it appeared to be an email alerting you that our office had a “Docusign” document waiting for you to review. Upon discovery of this fraudulent activity, we immediately sent an email alerting you not to open the email. We also immediately took action to secure our Gmail account and promptly hired forensic IT specialists to determine exactly what happened and whether any of our other systems were affected. Fortunately, the fraudulent activity was determined to be limited to our Gmail account only. What Information Was Involved? Any information you sent to or received from our office on drjsbdpm@gmail.com. This could include completed patient registration forms if you emailed them to us, prescription or lab requests, and the content of voicemail messages you have left for our office as they would be email transcribed to us for quicker response. We do not send patient records electronically unless specifically requested by a patient so the information is limited to your requests. 
Further, our office email recipient list, which potentially included your first and last name, and email address may have been exposed."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66062","California Attorney General","","2016","32.877956","-117.210080" "January 27, 2017","International Code Council","Brea","California","HACK","NGO","0","""We are writing to inform you of an incident at International Code Council (“ICC”) that may have resulted in the disclosure of your name and payment card information. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this incident may cause. This letter contains information about steps you can take to protect yourself. What happened and what information was involved: On December 16, 2016, we discovered an issue potentially impacting the processing of credit and debit card purchases made through our online store. We immediately took action to secure our system and conducted an investigation to determine what information may have been accessed. The independent forensics investigation, which took time, determined that customer payment card information, including name, address, and credit/debit card information may have been compromised between the dates April 25, 2016 – May 24, 2016, and July 11, 2016 - September 14, 2016. The security incident has been contained, and you may continue to use your credit and debit cards securely.""","California Attorney General","","2016","33.909417","-117.855691" "January 27, 2017","eHealth Insurance","Mountain View","California","HACK","BSF","0","""On January 20, 2017, we learned that one of our employees had received a phishing email, which the employee mistakenly believed to be legitimate email from an eHealth executive.  As a result of the phishing email, copies of 2016 employee W-2 forms were provided before we discovered that the request was made from a fraudulent account.  
Since we discovered this incident, we have been working to investigate and mitigate its potential impact. What Information Was Involved? A file containing a copy of your IRS Tax Form W-2, was sent in response to the fraudulent email.  An IRS Tax Form W-2 includes the following types of information (1) the employee's name; (2) the employee's address; (3) the employee's Social Security number; and (4) the employee's wage information. No other types of information, such as bank account information or credit card information, were exposed.""  ","California Attorney General","","2017","37.397129","-122.057617" "January 30, 2017","Palomar College","San Marcos","California","HACK","EDU","0","""What Happened On January 19, 2017, we learned that an unauthorized individual may have accessed part of our network that contained IRS Form W-2s for some of our employees. Upon learning of this, we immediately began an investigation and contacted law enforcement. What Information Was Involved Our ongoing investigation has determined that the unauthorized individual may have accessed your IRS Form W-2. The information that could have been accessed included your name, address, and Social Security number."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66102","California Attorney General","","2017","33.143372","-117.166145" "February 2, 2017","Sunrun","San Francisco","California","HACK","BSO","0","""What Happened On Friday, January 20, a targeted email from a scammer impersonating me was sent to our payroll department requesting employee W-2s. Unfortunately, the phishing email wasn’t recognized for what it was – a scam – and employee W-2s for 2016 were disclosed externally. What Information Was Involved We have determined that the 2016 W-2s for our current and former employees were affected by this incident. 
These W-2 forms include your name, address, Social Security number, salary, and taxes withheld for 2016.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66148","California Attorney General","","2017","37.774930","-122.419416" "February 2, 2017","DBM Global","Phoenix","Arizona","PORT","BSO","0","""On January 7, 2017, our Phoenix office was burglarized and one employee laptop was stolen. We contacted law enforcement and conducted an investigation. What Information Was Involved? The stolen laptop data may have included personal information such as employee, former employees, and their respective dependents from December 2014 to present. Specifically, the information may have included: name, address, social security number, employee identification number, date of birth, and direct deposit bank information. The stolen data may also have included name, address, social security number and date of birth for dependents of the employees and former employees.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66150","California Attorney General","","2017","33.510987","-112.016540" "February 2, 2017","Toys R Us","Wayne","New Jersey","HACK","BSO","0","""The vendor who manages our Rewards“R”Us loyalty program recently advised us of unauthorized attempts to access Rewards“R”Us loyalty member accounts. It appears this was an effort to fraudulently redeem Rewards coupons beginning in November. We expect this activity is related to previously reported online breaches, not affiliated with Toys“R”Us, where thieves stole login names and passwords. This may be because the thieves know that users tend to have the same password across multiple accounts.What Information Was Involved?Account information may include the loyalty members’ name, email addresses, mailing address and phone number(s). 
If you have a Geoffrey’s Birthday Club account and it is linked to your Rewards“R”Us account, then information in this account, such as your child’s name and birth date, may have been accessed as well. Please be assured that the Rewards“R”Us profiles and vendor database do not contain credit card numbers, payment or other sensitive personal information, such as Social Security numbers."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66154","California Attorney General","","2017","40.925373","-74.276544" "February 3, 2017","Renovate America","San Diego","California","HACK","BSO","0","""What Happened? We recently discovered that our company was the targeted victim of an email spoofing attack on January 20, 2017 in which an individual pretended to be our Chief Executive Officer. A request was made from what appeared to be a legitimate Renovate America email address for all 2016 Renovate America employee W-2 information. Unfortunately, copies of all 2016 employee W-2 forms were provided before we discovered that the request was made from a fraudulent account by someone using an email address that appeared to belong to our CEO. We discovered the fraudulent nature of the request within a few hours and have been working tirelessly to investigate and to mitigate the impact of the attack. What Information Was Involved? A file, including a copy of your IRS Tax Form W-2, was sent in response to the fraudulent emails. An IRS Tax Form W-2 includes the following categories of information: (1) the employee’s name; (2) the employee’s address; (3) the employee’s Social Security number; and (4) the employee’s wage information. 
Other than information contained on the IRS Tax Form W-2, no personal financial information was emailed to the external email account."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66165","California Attorney General","","2017","32.991459","-117.080199" "February 3, 2017","Nakawatase & Kaminsky, CPS's, LLP","San Diego","California","HACK","BSF","0","""We are writing to you because of an incident at Nakawatase & Kaminsky. In January 2017, we confirmed through the use of our forensic information technology investigation firm, Navigant, that the Lacerte tax system we utilize for maintaining and filing tax returns was compromised by an intruder on October 31, 2016, November 1, 2016, November 5, 2016, and November 8, 2016. The attacker managed to hack into our computer system despite the use of firewalls and anti-virus software. This resulted in four tax returns being fraudulently filed. While to date we only have knowledge of four instances of reported problems, Navigant determined that there is the possibility that the personal and financial information of other clients and their dependents, including names, addresses, dates of birth, Social Security numbers, Tax Identification Numbers, employer and salary information, as well as bank account numbers, were also compromised. Once we confirmed that a breach had taken place, the San Diego County Sheriff’s Department was immediately notified, which referred the matter to the Federal Bureau of Investigation’s San Diego field office. 
In addition the Internal Revenue Service Treasury Inspector General has been notified of the incident and the Franchise Tax Board’s fraud unit.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66191","California Attorney General","","2017","32.715738","-117.161084" "February 6, 2017","Capital One","Tysons Corner","Virginia","HACK","BSF","0","""WHAT HAPPENED As we have discussed with you recently, someone made or attempted to make unauthorized transactions on your Capital One account(s) by logging in with your username and password, which we believe were stolen from one of these websites. This is a follow-up letter to provide you with notice of what happened and ensure all of your questions have been addressed.WHAT INFORMATION WAS INVOLVED We believe that , the fraudster had access to your Capital One account information, which may include your name, address, full or partial account number and transaction history. While our investigation is ongoing and we may uncover additional facts, we wanted to communicate with you about this issue so you can take steps to protect yourself. Please be assured that you are protected by our fraud policies and you are not responsible for any fraud on your account(s).""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66214","California Attorney General","","2017","38.918722","-77.231093" "February 6, 2017","Verity Health System","Redwood City","California","HACK","MED","0","""On January 6, 2017, Verity Health System learned that some of your personal information may have been accessed by an unauthorized third party. Although we are not aware of any misuse of your information, we are notifying you to advise you of the incident out of an abundance of caution.The information, dated between 2010 and 2014, includes patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers, and the last four digits of credit card numbers. 
Importantly, the information involved in this incident does not include social security numbers or full credit card information.When we detected that an unauthorized third party accessed the Verity Medical Foundation-San Jose Medical Group website that is no longer in use, we promptly initiated an internal investigation. Our investigation determined that the unauthorized third party accessed the website between October 2015 and January 2017. We took immediate steps to secure the website, stop any further unauthorized activity, and prevent similar incidents from happening in the future. We are working with a leading cyber-security firm to assist with the investigation and to further evaluate the integrity of our information systems to ensure protection of our patients’ personal data. We promptly reported the incident to the Department of Health and Human Services, Office of Civil Rights, as required, and to federal law enforcement authorities.""More information: https://oag.ca.gov/ecrime/databreach/list","California Attorney General","","2017","37.521112","-122.254753" "January 31, 2017","Vertiv Co. Health & Welfare Plan","Columbus","Ohio","DISC","MED","955"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2017","40.113386","-82.988829" "February 13, 2017","PIP Printing Company","Peoria","Illinois","DISC","BSO","0","""An online security breach at a national printing chain leaked thousands of sensitive documents — from labor filings involving NFL players to lawsuits against Hollywood studios to personal immigration-related papers — raising the possibility that private information could end up in the wrong hands. 
The leak at PIP printing, which has more than 400 locations in 13 countries, went on for four months before it was repaired Tuesday, cybersecurity experts involved in investigating the breach told NBC News. But there's no evidence that any hackers may have stumbled upon the files to use them for malicious purposes, they add. The documents, which NBC News examined, ranges from emails revealing credit card and social security numbers to legal filings such as depositions, subpoenas and labor lawsuits. Extensive medical records belonging to high-profile athletes were also at risk.PIP owner Michael Bluestein told NBC News that the breach appeared to stem from a third-party IT firm that accidentally misconfigured the backup protocols — essentially leaving a ""back door"" open in the system. ""After discovering the breach, we acted quickly to lock down access to our database,"" Bluestein said. ""We immediately strengthened our security controls. We changed all passwords, took offline all computers that may have been affected and brought in forensic IT experts."" More information: http://www.nbcnews.com/news/us-news/data-breach-pip-printing-company-lea...","Media","","2017","40.789161","-89.632060" "February 9, 2017","Arby's","Atlanta","Georgia","HACK","BSR","335,000","""Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.“Arby’s Restaurant Group, Inc. 
(ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.""More information: https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-b...http://www.esecurityplanet.com/network-security/arbys-hacked.html","Media","","2017","33.748995","-84.387982" "January 18, 2010","Children's Medical Center of Dallas","Dallas","Texas","PORT","MED","3,800","As reported by Health and Human Services loss/portable electronic device. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report","Government Agency","","2010","32.776664","-96.796988" "July 10, 2013","Children's Medical Center of Dallas","Dallas","Texas","PORT","MED","2,462","As reported by Health and Human Services theft/laptop. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_reportUPDATE (2/3/2017): ""Children's Health has paid an almost $3.2 million federal penalty after a multiyear investigation into patient data privacy breaches.Scott Summerall, a spokesman for the health system, said Thursday that the Children's Medical Center of Dallas self-reported the breaches that were part of the federal investigation. He said hospital administrators don't think the stolen data has been used in a way that has negatively affected patients.""We have also enacted many levels of protection across our variety of devices. We train our colleagues on the importance of protecting patient information, and the methods by which they do so,"" he wrote in an emailed response to questions from The Associated Press.The U.S. 
Department of Health and Human Services Office for Civil Rights said Wednesday that the finding against the hospital was the result of ""impermissible disclosure of unsecured"" health information. The hospital self-reported the loss of three devices, two of which contained patient data.""More information:http://www.nbcdfw.com/news/health/Childrens-Health-Pays-3M-Fine-Over-Pat...","Government Agency","","2013","32.776664","-96.796988" "February 3, 2017","InterContinental Hotels Group (IHG)","","Buckinghamshire","HACK","BSO","0","""IHG values the relationship we have with our guests and understands the importance of protecting payment card data. On Dec. 28, 2016, IHG reported it was conducting an investigation after receiving a report of unauthorized charges occurring on some payment cards that were used at a small number of U.S. hotel properties. IHG hired leading cyber security firms to examine the payment card processing systems for the hotels that it manages in the Americas region. Based on the investigation, IHG is providing notification to guests who used their payment card at restaurants and bars of 12 company managed properties during the time periods from August 2016 – December 2016 identified below. An investigation of other properties in the Americas region is ongoing.Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties. Cards used at the front desk of these properties were not affected. 
The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server.""More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66180","California Attorney General","https://oag.ca.gov/ecrime/databreach/list","2017","51.813707","-0.809471" "February 15, 2017","Platt College","Alhambra","California","DISC","EDU","0","What Happened?A technical error caused Student's 1098T Tuition Statements to be addressed with another student's mailing address, and the Statements were inadvertently mailed to another student on January 113, 2017.What Information Was Involved?1098T Tuition Statements contain your first and last name, last four digits of your social security number, total amount billed for qualified tuition and related expenses for 2016 and any scholarships or grant totals for 2016.""","California Attorney General","","2017","34.081478","-118.149994" "February 8, 2017","The Boeing Corporation","Seattle","Washington","DISC","BSO","0","""Boeing recently discovered that a company employee sent an email containing personal information of other employees to his non-Boeing spouse on Nov. 21, 2016. During Boeing's investigation, the employee stated that he sent a spreadsheet with the personal information to his spouse for help with a formatting issue.  He did not realize the spreadsheet included sensitive personal information because that information was contained in hidden columns.  
We have taken steps to ensure that any copies of the spreadsheet have been destroyed, including a forensic examination of both the Boeing employee's computer and the spouse's computer to confirm to us that they have not distributed or used any of the information."" What Information Was Involved The spreadsheet contained each employee's first and last name, place of birth, BEMSID, and accounting department code in visible columns, and social security  number and date of birth in hidden columns."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66255","California Attorney General","","2017","47.606210","-122.332071" "February 9, 2017","California Correctional Health Care Services","Stockton","California","DISC","GOV","0","""What Happened On January 26, 2017, California Correctional Health Care Services (CCHCS) was informed that on January 23, 2017, a CCHCS staff member inadvertently sent an email containing your personal information to a staff member at another California State department. What Information Was Involved The personal information contained in the email included your name, CDCR number, CDCR housing information, mental health related information, and health care provider names. More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66267","California Attorney General","","2017","37.957702","-121.290780" "February 13, 2017","NEO Tech","Chatsworth","California","HACK","BSO","0","""On Friday, January 27, 2017, NEO Tech was the victim of an email “phishing” incident that resulted in the release of employee W-2 wage and tax data to an unauthorized email recipient outside the company. This was an isolated incident that did not involve an intrusion into our computer systems or network. 
What information was involved The following NEO Tech employee information: a copy of your 2016 Form W-2, which includes your name, address, 2016 income information and Social Security Number. More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66307","California Attorney General","","2017","34.240234","-118.601831" "February 14, 2017","The Honest Kitchen","San Diego","California","HACK","BSO","0","""What Happened? We recently discovered that The Honest Kitchen experienced an unauthorized network intrusion. As a result of this intrusion, some customers’ information was exposed. Based on our investigation to date, we believe unauthorized access was gained to our network on November 30, 2016. The protection of our customers’ personal information is incredibly important to us. Upon discovering this attack, we took immediate action to protect customer information. What Information Was Involved? Based on our initial investigation, we know that name, email, address and payment card information (including card number, CID, and expiration date) were exposed."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66352","California Attorney General","","2017","32.706554","-117.151682" "February 15, 2017","Operating Engineers Local Union No. 3","Alameda","California","HACK","BSO","0","""On or about February 9, 2017, OE3 learned that the security of user data stored on our website, www.oe3.org, had been breached.  OE3 is not currently aware of the reason for the breach, but does not have any reason to believe that it was caused by intentional interference or a deliberate effort by any unauthorized person to misappropriate the data.  OE3 immediately tested the website for malware and viruses, and found no traces of any. WHAT ARE WE DOING? After OE3 became aware of the breach, we promptly notified the website host, which shut down the website.  
We also contacted the web developer, who immediately corrected the issue on the website that caused the breach, and secured the data once again.  Although the public portion of OE3's website is back up, we are suspending the members-only portion pending our investigation to determine the cause of the breach.  We are also exploring additional security measures to assist us in preventing any future security breach."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66363 ","California Attorney General","","2017","33.186520","-87.510699" "February 2, 2017","Jeffrey D. Rice","Zanesville","Ohio","PORT","MED","1,586"," As reported by Health and Human Services paper/films. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","California Attorney General","","2017","39.940345","-82.013192" "February 17, 2017","Deboer Income Tax","Big Bear Lake","California","HACK","BSF","7","""We are notifying you that our data system may have been breached.  We have  observed an increased rate of e-file tax returns being rejected by the IRS due to the client's social security number having been already submitted in another tax return.   Normally we may have one or two of our clients experience this identity theft problem during a tax season and this year we have already experienced seven of these rejections.  We take the privacy of our clients very seriously and after observing this we have been working closely with the IRS and partners and have taken the following steps:  *  Our data security team, Computer Reality, has investigated the breach and uncovered a series of attacks trying to gain access to our systems.  The investigation produced a series of IP addresses that had been attacking our system, but the investigation could not ascertain whether they gained successful access and/or what records were exposed.    
*  As a security measure all of our computer systems have been reconfigured from the bottom up with a new IP address and new ID's and Passwords.  *  Shared Investigation findings with IRS partner.  For clients that are affected by an identity theft issue.  We are working with the IRS and will be submitting mail in tax returns with an attached affidavit confirming your identity.   The effect will be that for those affected their refund will be delayed as the IRS is going through extra scrutiny to protect your identity and ensure you get your proper refund."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66415 https://oag.ca.go...","California Attorney General","","2017","34.243896","-116.911422" "February 20, 2017","Intex Recreation Corp.","Long Beach","California","HACK","BSO","0","""Intex Recreation Corp (""Intex"") is writing to inform you of a data security event that may affect the security of your personal information and to provide you with information on how to better protect against the possible misuse of your information. What Happened? On November 16, 2016, Intex learned of the potential compromise of certain personal information of our customers.  We immediately launched an investigation to determine the nature and scope of this event and began working with third-party forensic investigators to assist with these efforts.  Our forensic investigation indicates that unauthorized and malicious code may have been inserted into the company's website and that the incident occurred between approximately April 24, 2016, and December 14, 2016. What Information Was Involved? 
The information involved may have included your name, address, telephone, e-mail address, and credit card information."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66423 ","California Attorney General","","2017","33.832431","-118.213244" "February 22, 2017","JoFit","Warminster","Pennsylvania","HACK","BSO","0","""We’re writing to inform you about a data security incident that may have exposed some of your personal information. For this reason, we are contacting you directly to explain the circumstances of the incident and the outcome of our investigation. What happened? In mid-January, JoFit first learned that its website may have been the target of a cybersecurity attack aimed at acquiring customer credit card information. On the same day that we received this information, JoFit began work to investigate and take any necessary corrective steps. In that process, we confirmed that there was a vulnerability in the website that could have resulted in exposure of personal information. Within days of first learning of the incident, we notified law enforcement of this incident, and we hired an independent computer forensics consultant that specializes in cybersecurity. The consultant is investigating precisely what happened, what information may have been compromised, and what additional steps are needed. What information was involved? The information that may have been compromised included first name, last name, and credit card payment information. What we are doing. JoFit is continuing its investigation of the situation. In the meantime, while our investigation is ongoing, we have engaged Epiq Corporate Services, Inc. (“EPIQ”) to provide identity monitoring at no cost to you for one year. 
Please review the enclosed “EPIQ Family Secure” section included with this letter for information on how to activate your complimentary identity monitoring services."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66446","California Attorney General","","2017","40.213150","-75.083485" "February 23, 2017","Catalina Post-Acute and Rehabilitation","Tucson","Arizona","PHYS","MED","2,953","""Catalina Post-Acute and Rehabilitation recently became aware of an incident where paper files containing resident and employee information were left in an unattended area. The patient data files, along with certain employee information, were left temporarily vulnerable to possible unauthorized public access. The healthcare organization reported on its website that it found evidence on December 5, 2016 that documents containing the sensitive information of patients and employees had been left “unattended in an area where there is the potential for public access.” The unattended documents included demographic information. Diagnoses and Social Security numbers were included in some cases as well, Catalina stated. The OCR data breach reporting tool states that 2,953 individuals were potentially affected by this incident. Catalina said it launched an investigation into the incident and reviewed protocols in place relating to PHI storage and employee information to prevent further security issues. The healthcare organization’s internal investigation found that it appears no patient or employee information was accessed or misused by any unauthorized individuals."" More information: http://healthitsecurity.com/news/rehabilitation-facility-reports-patient...","California Attorney General","","2017","32.254796","-110.947577" "February 23, 2017","Dignity Health St. Joseph's Hospital and Medical Center","Phoenix","Arizona","INSD","MED","600","""A recent data breach incident at Dignity Health St. 
Joseph’s Hospital and Medical Center has potentially put over 600 patient medical records at risk, according to a press release issued February 15 of this year. According to a routine review of employee access to the hospital’s electronic health records, St. Joseph’s found that from October 1 through November 22, 2016 a part time hospital employee viewed sections of patient medical records without authorization or appropriate reason. St. Joseph’s has since notified potentially impacted patients of the security breach through advisory letters. Potentially accessed information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information. St. Joseph’s asserts that because Social Security numbers, billing, and credit card information were not accessed during the breach, there is “no reason to believe these patients need to take any action to protect themselves against identity theft.” “Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.” More information: http://healthitsecurity.com/news/rehabilitation-facility-reports-patient...","Media","","2017","33.481882","-112.079310" "February 17, 2017","Group Health Incorporated","New York","New York","DISC","MED","703","As reported by Health and Human Services unauthorized theft/desktop computer. No specific information as to what information was compromised as provided by health and human services. 
More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9","Government Agency","","2017","40.703323","-74.008896" "February 23, 2017","Logic Supply","South Burlington ","Vermont","HACK","BSO","0","""Monday, February 6th, we discovered unauthorized access to our website, which made some customer information vulnerable. Once we discovered the breach, we blocked their access, deployed a security patch and took other security measures. We believe the vulnerability and access was for roughly 30 minutes. There were no breaches of any of our other internal applications, resources or ERP system. What information was involved? In stark contrast to well publicized retail breaches, no credit card or other financial information was involved in the attack. (We do not keep credit card numbers on file on our site.) Additionally, because the breach was limited to our website, the breach did not involve any customer software imaged onto our PCs or other proprietary product information. However the attacker may have accessed, among other things: ● The Username (your email) & internally created Password for your account ● Customer (Company) names ● Order information.""","California Attorney General","","2017","44.439629","-73.149878" "February 24, 2017","Rod's True Western Living","Columbus","Ohio","HACK","BSO","0","""After identifying suspicious activity within our e-commerce site on February 8, 2017, we immediately initiated an internal investigation and engaged external IT consultants to assist us.  By February 10th, we identified the malicious code, permanently removed it from our site, and took additional steps to prevent a similar intrusion. We have learned that certain customer credit and debit card information may have been obtained by an unauthorized party from our payment portal when purchasing through our online store at www.rods.com, from October 11, 2016 through February 10, 2017.  
We do not store card data on our website; this data was taken during the transaction.  Purchases through our physical retail location and call center were not impacted by this incident. What Information Was Involved? Based on our investigation, the information potentially involved in this incident may have included your name, credit or debit card number, card expiration date and CVV2/CVC2/CID/CVD (security code on the front or back of the card).  Debit PIN numbers were not obtained during this incident."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66493","California Attorney General","","2017","40.028068","-82.995225" "February 24, 2017","Abbott Nutrition","Columbus ","Ohio","HACK","BSO","0","""We wanted to notify you of an unauthorized intrusion which resulted in the compromise of some customer information at AbbottStore.com.  The privacy and protection of our customers' information is a matter we take very seriously, and we have worked swiftly to resolve the incident.  We recommend that you closely review the information provided in this letter for some steps that you may take to protect yourself against potential misuse of your information."" What Happened? On February 6, 2017, we were first alerted of a security incident at Aptos, Inc. (Aptos), the company that provided and managed the e-commerce platform for AbbottStore.com.  This incident may affect our customers who purchase products from AbbottStore.com.  
Aptos retained the services of an outside security forensics team to investigate the nature and scope of the incident. What Information Was Involved? Aptos' investigation determined that an unauthorized party entered Aptos' systems and was able to access and possibly obtain the following information for customers who purchased products from AbbottStore.com from approximately June 2013 to December 2016: names, addresses, phone numbers, e-mail addresses, payment card numbers, and expiration dates. Additionally, for customers who placed an order on AbbottStore.com between approximately April 11 and August 8, 2016 and between approximately November 12 and November 28, 2016, the information compromised may also have included card security codes (CVV numbers). Individuals who visited AbbottStore.com but did not make a purchase online or by phone are not affected."" More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66497    ","California Attorney General","","2017","40.039977","-82.906337" "February 27, 2017","Spiral Toys","Los Angeles","California","HACK","BSO","2,000,000","""A company selling internet-connected stuffed toys used by kids and parents to send voice messages to one another leaked 800,000 user account credentials and 2 million message recordings, according to security researcher Troy Hunt. The data was hacked, locked and held for ransom. Researchers and journalists have been trying to reach the company, Spiral Toys, since late last year to confirm and fix the data breach and security problems for the CloudPets brand. No one has heard back from the manufacturers as the data hit the web and was passed around between hackers and researchers. The magnitude of problems and the nature of the victims — small children and families — have set up the CloudPets hack to be a textbook-example security failure for a long time to come. Spiral Toys is a virtually worthless company, according to its stock prices and activity. 
It does not appear to have a functioning phone number, and no one at Spiral Toys has answered an email on this issue for months, including messages sent Monday by CyberScoop. CloudPets’ data is stored in a public-facing MongoDB database without any authentication required. The database was indexed by search engines like Shodan and found independently by multiple individuals. There was no password to protect the database. Users have no password requirements on their own accounts and the site itself offers no security. In mid-January, as hackers attacked and ransomed thousands of critically vulnerable MongoDB databases, researchers saw the CloudPets database suffer the same fate. Unlike other databases, whose owners paid the ransom or at least responded to the demands, Spiral Toys appears to have been silent on the issue as the database was deleted and ransomed numerous times over the next several days. Sensitive data was exposed, Hunt wrote, and no parents were ever notified."" More information: https://www.cyberscoop.com/internet-connected-teddy-bear-company-hacked-...","Media","","2017","34.052234","-118.243685" "February 27, 2017","Boeing","Seattle","Washington","DISC","BSO","36,000","""A Boeing employee inadvertently leaked the personal information of 36,000 of his co-workers late last year when he emailed a company spreadsheet to his non-Boeing spouse. News of the breach surfaced earlier this month after a letter (.PDF) from Boeing’s Deputy Chief Privacy Officer Marie Olson, to the Attorney General for the state of Washington Bob Ferguson, was posted to Ferguson’s website. Forty-seven states, including Washington, have legislation on the books that requires companies or government entities to disclose whenever there’s been a breach of personally identifiable information. Under Washington law, companies are required to notify the Attorney General’s office if the incident affects more than 500 of the state’s residents. 
In this instance Boeing claims the information of 7,288 Washington residents may have been impacted. According to the letter, the breach occurred on Nov. 21, 2016 after a Boeing employee encountered a formatting issue and emailed a spreadsheet to his spouse who didn’t work at the company. The file contained sensitive, personally identifiable information of 36,000 of the aircraft manufacturer’s employees. The file included the names, places of birth, BEMSID, or employee ID numbers, and accounting department codes. The spreadsheet also included Social security numbers and dates of birth, albeit in “hidden columns,” according to Olson. Spreadsheet software, such as Microsoft’s Excel, usually allows authors to make select information hidden, usually to prevent that data from being seen, changed, or deleted. According to Olson’s letter, the breach was discovered earlier this year, on Jan. 9, but the company didn’t begin to inform employees until a month later, Feb. 8. In the letter to Ferguson, Boeing claims it destroyed copies of the spreadsheet and carried out a “forensic examination” of both the Boeing employee’s computer and his spouse’s to ensure it was deleted."" More information: https://threatpost.com/boeing-notifies-36000-employees-following-breach/...","Media","","2017","47.606210","-122.332071" "March 1, 2017","Autoneum North America","Farmington Hills","Michigan","HACK","BSO","2,400","""A Swiss company said Wednesday income tax information was stolen for about 2,400 workers in the United States, putting them at risk of identity theft just as many are awaiting tax refunds. Autoneum North America Inc. said the data included 2016 W-2 salary and tax information as well as the current and former workers' names, addresses and Social Security numbers. Company spokeswoman Anahid Rickmann said it has been working with the FBI and IRS to investigate the breach and has offered its employees identity repair and credit monitoring services. 
She said the information was stolen ""with criminal intent."" The company said affected employees worked at plants that make vehicle components for noise and heat protection in Jeffersonville, Indiana; Oregon, Ohio; Bloomsburg, Pennsylvania; and Aiken, South Carolina; and at its North American headquarters in Farmington Hills, Michigan."" More information: http://citizensvoice.com/news/data-breach-puts-employees-at-bloomsburg-p...","Media","","2017","42.498994","-83.367717" "March 2, 2017","Goldenvoice/Coachella Music Festival","Los Angeles","California","HACK","BSO","950,000","""On Feb. 22, Motherboard reported someone was selling data—including hashed passwords, usernames and email addresses—on 950,000 Coachella.com accounts. Nearly a week later, concert-promoter Goldenvoice sent an email to account holders to let them know.  According to the email, ""usernames, first and last names, shipping addresses, email addresses, phone numbers and dates of birth"" were taken, but it was ""confirmed that no user passwords were stolen,"" and ""no financial information was accessed."" Goldenvoice said Coachella has since implemented strategies to prevent hackers from barging back into the system, but also warned account holders of phishing emails sent from supposed Coachella staff. ""Please remember that Coachella will never solicit personal information or account information from you via email,"" the Goldenvoice email noted. 
""Please exercise caution if you receive any emails or phone calls that ask for such information, or direct you to web sites where you are asked for personal or financial information."" No passwords were stolen, according to the email, but per the usual advice, it might be a good idea to change them anyway."" More information:  http://mashable.com/2017/03/01/coachella-hack-names-emails/#prEXWijuxEqH","Media","","2017","34.042059","-118.262529" "February 24, 2017","Roberts Hawaii, Inc.","Honolulu","Hawaii","HACK","BSO","0","""What Happened Roberts Hawaii received reports from several customers of fraudulent charges appearing on their payment cards shortly after they were used to make a purchase on our website. We immediately initiated an investigation and engaged a leading cyber security firm to examine our website network.    What Information Was Involved The investigation determined that an unauthorized person gained access to the web server for robertshawaii.com and airportwaikikishuttle.com and installed code that was designed to copy information entered during the checkout process, including, name, address, email address, phone number, payment card number, expiration date and card security code. Information from purchases made between July 30, 2015 and December 14, 2016 may have been affected. 
You are being notified because you placed an order through one of these websites (robertshawaii.com, airportwaikikishuttle.com) using the payment card ending in XXXX during this time period."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66502","California Attorney General","","2017","21.316888","-157.870834" "March 2, 2017","Aptos Inc","Atlanta","Georgia","HACK","BSO","0","""Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos. The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we're told. Rather than being alerted to the infiltration by Aptos itself, instead we were warned this week by Aptos' customers – the retailers whose websites were infected by the malware on the backend provider's servers. According to these stores, which have had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016.""","Media","https://www.secureworldexpo.com/industry-news/40-online-stores-affected-in-aptos-data-breach","2017","40.259485","-89.233424" "February 27, 2017","John D Williamson","Laguna Hills","California","PORT","BSF","0","""What Happened?  On the morning of February 10, 2017 I discovered that my car had been stolen sometime between the night of February 9, 2017 and that morning.  I quickly reported this incident to law enforcement and have been cooperating with their investigation.  Inside my trunk were two password protected laptop computers containing tax software for my personal tax clients.  
That software contained personal tax information including the Social Security numbers and birthdates for all of the persons listed on your tax return (spouse and dependents).  If you ever provided me bank accounts used for Direct Deposit, then you should alert your banking institution for that particular account and follow their advice.  One of the laptops possibly included tax years as far back as 2010.  I have no evidence that the laptops were targeted or that the information stored on the laptops at the time they were stolen was accessed or acquired by an unauthorized individual. What Information Was Involved?  The stolen laptops stored certain data related to you, including a combination of name, address, date of birth, Social Security number, and bank account information.  There may also be information related to a spouse or dependents if provided for previous tax filings.  I will be notifying all impacted individuals separately, so if your spouse or dependent is impacted, they will be sent a letter."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66571","California Attorney General","","2017","33.626344","-117.728859" "March 1, 2017","Met West Terra","Wilson","Wyoming","HACK","BSO","0","""What Happened On February 9, 2017, we learned that a targeted ""spear phishing"" email message had been sent to a MetWest Terra Hospitality employee.  The email our employee received was designed to appear as though it had been sent to the employee by a MetWest Terra Hospitality manager from the MetWest Terra Hospitality manager's email account.  
The request was for all 2016 W2 information, and believing the email to be legitimate, the employee provided the requested information. What Information Was Involved The W2 information included your name, address, Social Security number and earnings."" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66620","California Attorney General","","2017","35.721269","-77.915540" "March 1, 2017","Stallcup & Associates CPA's","San Francisco","California","HACK","BSF","0","""On January 10, 2017, we became aware that some clients had received an email from our office that we did not send.  Upon discovery of this fraudulent activity, we sent an email alerting you not to open the email.  We also immediately contacted our local IT consultant, re-secured the email account michelle@stallcupcpas.com, and promptly hired forensic IT specialists to determine exactly what happened and what information and systems were affected.  The forensic investigation is now completed and the unauthorized access has been determined to be limited to the one email account. While there is no evidence of data viewing or exfiltration of information, the fraudulent person(s) did obtain the employee’s email credentials and therefore had access to her email account.  What Information Was Involved?  I am notifying you of this incident because you exchanged email correspondences on the following email account michelle@stallcupcpas.com and therefore, that information could have been accessed by the perpetrator(s).  
Given the nature of our relationship, this information included your name, email address, physical address, social security number, and could include any of the following: • W-2 and/or 1099-MISC information such as employer/payer name and address, and amount of compensation and annual gross income and tax • Brokerage account number and amounts received as investment income, including gross proceeds and cost basis information • Amounts of gross income and tax (Electronic Filing Authorization form) • Form K-1 • IRA information • Federal and state tax return • IRS or state agency notices • Date of birth"" More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66627","California Attorney General","","2017","37.755626","-122.418512" "February 27, 2017","Berkeley Medical Center","Berkeley","California","INSD","MED","7,445","""A Berkeley Medical Center employee has been discovered to have inappropriately accessed the electronic protected health information of more than 7,400 patients over a period of 10 months. WVU Medicine University Healthcare discovered the inappropriate accessing of ePHI by an employee of the Berkeley Medical Center on January 17, 2017 after being alerted to potential data theft by law enforcement. A joint investigation into the employee had been conducted by the FBI and the Berkeley County Sheriff’s Department. As soon as WVU Medicine University Healthcare became aware of the incident, an internal investigation was launched. Two days later, the employee was suspended pending the outcome of the investigation. Information provided to the healthcare provider from law enforcement linked the employee with 113 former patients who had suffered identity theft. The healthcare worker had been employed by WVU Medicine University Healthcare since March 2004 and was required to schedule appointments for patients at both the Berkeley Medical Center in Martinsburg, WV and Jefferson Medical Center in Ranson, WV. 
The investigation revealed that the inappropriate accessing of medical records first occurred on March 1, 2016. Inappropriate access continued until the notification was received by law enforcement. No evidence was uncovered to suggest that the employee copied ePHI onto a portable device, although Teresa McCabe, vice president of marketing and development, said the employee manually copied data from computer screens and removed that information from the premises. A link between 113 patients and the employee was found, although in total, 7,445 breach notification letters were sent to patients informing them of unauthorized ePHI access. After the investigation confirmed that hospital and HIPAA Rules had been violated, WVU Medicine University Healthcare terminated the employee. A criminal investigation is ongoing and the woman is being prosecuted. The female employee was found to be in possession of driver’s licenses with photos and insurance and Social Security cards, suggesting the stolen information had already been used for identity theft. It is unclear whether those identification documents have been used to fraudulently obtain credit or medical services. All individuals impacted by the incident have been offered credit monitoring and identity theft protection services for a period of one year via Kroll. 
Patients have been encouraged to check their accounts, credit histories, and EoB statements and to alert their financial organizations to the possibility of fraudulent use of their information.""More information: http://www.hipaajournal.com/berkeley-medical-center-employee-inappropria...","Media","","2017","37.871899","-122.258540" "March 6, 2017","Universal Care, dba, Brand New Day","Riverside","California","HACK","MED","14,005","""A major breach of electronic protected health information has been discovered by Universal Care, dba, Brand New Day – A Medicare approved health plan. On December 28, 2016, Brand New Day became aware that an unauthorized individual had gained access to ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider six days previously on December 22, 2016. The breach notification submitted to the California attorney general does not indicate whether the ePHI of plan members was stolen, although the data were accessed and a criminal investigation into the breach has been launched by law enforcement. The types of data accessed include plan members’ names, addresses, phone numbers, dates of birth and Medicare ID numbers. Upon discovery of the incident, Brand New Day immediately launched an investigation and contacted its vendor to ensure that access to ePHI was immediately terminated. The vendor was informed that someone had improperly accessed plan members’ data and rapid action was taken to block access. 
Brand New Day says the error that allowed ePHI to be accessed was eliminated ‘within hours’ of its vendor being notified of the breach. While no specific mention of the exact nature of improper access was made, Brand New Day says “We changed our practices regarding access requiring monthly verification of each user.” Brand New Day is also performing a thorough ‘self audit’ to determine whether any other errors have occurred that jeopardize the confidentiality, integrity and availability of ePHI. As a precaution against identity theft, all affected individuals have been offered 12 months’ complimentary identity theft mitigation services via Experian. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 14,005 individuals were impacted by the incident. Brand New Day says it delayed the issuing of breach notification letters so as not to interfere with the criminal investigation of the breach.""More information: http://www.hipaajournal.com/configuration-error-vendor-results-exposure-...","Media","","2017","33.979709","-117.381107" "February 28, 2017","The North Carolina Department of Health and Human Services","Raleigh","North Carolina","DISC","MED","12,731","""The North Carolina Department of Health and Human Services has announced that the names, addresses, and Medicaid numbers of 12,731 patients were exposed as a result of an email error. The data were sent via email to adult care homes last year, but the emails were not encrypted. Potentially, the emails could have been intercepted and the data obtained by individuals unauthorized to view the information. The emails were sent on November 30, 2016 and the Department of Health and Human Services’ Office for Civil Rights has now been notified of the incident. 
No mention has been made of when the incident was discovered. This is the third such incident of this nature to have affected the NC Department of Health and Human Services in the past 38 months. On December 30, 2013, 49,000 Medicaid cards of minors were accidentally mailed to incorrect recipients, exposing Medicaid numbers, names and birth dates. The privacy breach was attributed to human error. Two years later, 1,615 patients were impacted when an unencrypted email containing was sent to the Granville County Health Department. The email contained a spreadsheet containing names, Medicaid ID numbers, provider’s name and ID number, and other Medicaid related information. The two email incidents are not believed to have resulted in any individual’s data being compromised. No indications that the emails were intercepted have been found by the NC Department of Health and Human Services, although the possibility cannot be ruled out. Individuals affected by the latest incident have been advised to monitor their accounts for any signs of fraud as a precaution. In order to prevent similar security breaches from occurring in the future, policies and procedures have now been changed. Rather than emailing Medicaid numbers and names, identification numbers will be used in future. 
Should any email messages be intercepted, it would not be possible for patients to be identified.""More information: http://www.hipaajournal.com/north-carolina-department-health-human-servi...","Media","","2017","35.771609","-78.663789" "February 27, 2017","Vanderbilt University Medical Center","Nashville","Tennessee","INSD","MED","0","""Two employees of Vanderbilt University Medical Center have been discovered to have inappropriately accessed the medical records of more than 3,000 patients. The inappropriate ePHI access was discovered during a routine audit of access logs: A requirement of the Health Insurance Portability and Accountability Act (HIPAA). While the HIPAA Security Rule requires audit logs to be regularly reviewed by HIPAA-covered entities, in this case the inappropriate accessing of ePHI continued for 19 months before it was detected. Vanderbilt University Medical Center first became aware of inappropriate ePHI access on December 27, 2016, prompting a full audit of access logs. That audit revealed that two patient transporters at the medical center had viewed more information than was necessary in order for them to perform their work duties. The employees were required to move patients between treatment rooms and hospital floors. The pair were discovered to have first started viewing patients’ protected health information in May 2015. Medical records of patients continued to be accessed until December 2016. The types of information accessed included patients’ names, medical record IDs, and birth dates. According to a press release from VUMC, one individual was also able to view some patients’ Social Security numbers. While patients’ electronic medical records were accessed, VUMC does not believe that any information has been copied or misused. 
VUMC has not said why patients’ health information was viewed by the employees, although the individuals concerned have been disciplined for their actions. Patients are not believed to be at any elevated risk of suffering identity theft or fraud as a result of the privacy breaches. However, as a precaution, VUMC said “we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.” Any patient whose Social Security number has been viewed is being provided with credit monitoring services via Experian Family Secure “out of an abundance of caution.” In response to the breach, Vanderbilt University Medical Center has changed policies and procedures relating to how patient transporters are provided with patients’ health information. Any PHI needed for patient transporters to conduct their work duties will now be provided on paper. Access to its medical record system will no longer be provided. Patient transporters have also received further training relating to the accessing of patient health information.""More information: http://www.hipaajournal.com/vanderbilt-university-medical-center-employe...","Media","","2017","36.162664","-86.781602" "March 3, 2017","The Center for Election Systems at Kennesaw State University","Kennesaw","Georgia","UNKN","EDU","7,500,000","""The Federal Bureau of Investigation is investigating an alleged data breach in Georgia at the Center for Election Systems at Kennesaw State University, The Atlanta Journal-Constitution has learned. The situation is still developing, although the Secretary of State’s Office said Friday that the investigation is not related to its own network and is not a breach of its database containing the personal information on Georgia’s 6.6 million registered voters. 
The office referred all other questions to both university and federal officials. In a statement released Friday afternoon, the university said it was “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems. Because this involves a pending criminal investigation, Kennesaw State will have no further comment on this matter and any inquiries should be addressed to the U.S. Attorney’s Office,” the statement said.""More Information: http://www.ajc.com/news/state--regional-govt--politics/fbi-investigating...","Media","","2017","34.023434","-84.615490" "March 3, 2017","Sharp Healthcare","San Diego","California","PORT","MED","750","""The personal health information of more than 750 outpatients at Sharp Healthcare might have been compromised because of a computer theft, the San Diego-based medical care provider announced Friday. In a statement, Sharp said a computer and external storage device were discovered missing on Feb. 6 from a locked cabinet in an access-controlled patient care area at the Sharp Memorial Outpatient Pavilion in Kearny Mesa. Subsequent investigations led officials to believe the devices were stolen, and police were notified, according to Sharp. “The devices were used to process and store patient-specific wellness screening information for outpatients undergoing blood pressure and/or cardiac health studies,” the statement said. “Each study record may have included patient name, date of birth, age, current medications, family history and a summary of the studies performed.” Sharp said letters have been sent to the affected patients, and the California Department of Public Health and the U.S. Health and Human Services Agency’s Office for Civil Rights have been notified. 
Patients with any related questions can call (800) 263-0217.""More Information: http://timesofsandiego.com/crime/2017/03/03/data-of-750-patients-breache...","Media","","2017","32.715738","-117.161084" "March 2, 2017","University California Santa Cruz","Santa Cruz","California","PORT","EDU","0","""What Happened? On January 13, 2017, two unencrypted laptops were stolen from the home of a University of California, Santa Cruz (UC Santa Cruz) researcher/instructor. The theft was discovered the same day and a police report was filed, but at this time no items have been recovered. Our investigation confirmed that the stolen laptop contained copies of your UC Santa Cruz narrative evaluations. There is no indication that the student information was the intended target. What Information Was Involved? These UC Santa Cruz narrative evaluations dating from 2000 to 2004 contained personally identifiable information including your name and Social Security Number (SSN) (which was used as the Student ID number prior to 2005). In addition to SSN, student record information including grades, narrative evaluations and email addresses were on the stolen laptops. The data was not encrypted.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66636","California Attorney General","","2017","36.974117","-122.030796" "March 2, 2017","Orange County Global Medical Center","Santa Ana","California","DISC","MED","0","""What Happened? In connection with preparing research regarding labor and delivery services provided to patients in 2016, on February 8, 2017, we discovered that an employee inadvertently emailed an Orange County Global Medical Center statistical report. The error was discovered that same day, and we reached out to the recipient and instructed him to permanently delete the information. What Information Was Involved? 
We have confirmed the report contained the following information relating to you: treatment and diagnosis information, medical record number, date of birth, treatment date, and name. Notably, this report did not contain your Social Security number, driver’s license number, health insurance information, or financial account information.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66646","California Attorney General","","2017","33.754234","-117.832900" "March 3, 2017","Friedman & Perry, CPA's","Fremont","California","HACK","BSF","0","""On February 6, 2017, we learned that some clients had received notification letters from either the IRS or the FTB, regarding an attempted filing of their 2016 tax returns. Knowing that neither they nor we filed the returns, we immediately began an investigation into the matter (specifically, whether the breach was from a third party or our computers). That same day we contacted our IT consultant, we ensured that all system passwords were changed and user information was secure, and we started running scans and reviewing our systems to identify any malicious malware on our computers. None was found. We then hired a specialized forensic IT firm for additional investigation. On February 16, 2017, the specialized forensic IT firm determined that hackers had gained unauthorized access to our system from a foreign IP address. We then notified you of the unauthorized access to your information via email, as a precursor to this letter. 
Through investigation we have discovered that the unauthorized access occurred through Remote Desktop Protocol between June 15, 2016 and January 30, 2017.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66802","California Attorney General","","2017","37.559308","-121.956477" "March 7, 2017","Verifone","San Jose","California","HACK","BSO","0","""Credit and debit card payments giant Verifone [NYSE: PAY] is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions, according to sources. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted. San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations. On Jan. 23, 2017, Verifone sent an “urgent” email to all company staff and contractors, warning they had 24 hours to change all company passwords. “We are currently investigating an IT control matter in the Verifone environment,” reads an email memo penned by Steve Horan, Verifone Inc.’s senior vice president and chief information officer. “As a precaution, we are taking immediate steps to improve our controls.” An internal memo sent Jan. 23, 2017 by Verifone’s chief information officer to all staff and contractors, telling them to change their passwords. 
The memo also states that Verifone employees would no longer be able to install software at will, apparently something everyone at the company could do prior to this notice. The internal Verifone memo — a copy of which was obtained by KrebsOnSecurity and is pictured above — also informed employees they would no longer be allowed to install software of any kind on company computers and laptops. Asked about the breach reports, a Verifone spokesman said the company saw evidence in January 2017 of an intrusion in a “limited portion” of its internal network, but that the breach never impacted its payment services network.""More Information: https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigatin...","Krebs On Security","","2017","37.338208","-121.886329" "March 8, 2017","prAna","Carlsbad","California","HACK","BSO","0","""What Happened: On February 6, 2017, we detected that an unauthorized third party may have obtained access to the servers that operate our e-commerce website, www.prana.com.  We immediately hired a leading cybersecurity firm to assist us in our investigation and remediate the website. What Information Was Involved: Findings from the investigation show that an unauthorized third party captured information as it was being entered on the site during the checkout process for orders placed from December 14, 2016 to February 6, 2017.  Based on our investigation, we believe the unauthorized third party also may have decrypted an internal database containing information from completed orders prior to February 6, 2017.  
The information that may have been affected includes your name, address, phone number, email address, payment card number ending in , expiration date and security code (CVV), and username and account password for our website.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66814","California Attorney General","","2017","33.131999","-117.233742" "March 15, 2017","Dunn and Bradstreet","New York","New York","DISC","BSO","33,500,000"," ""NEW YORK -- Millions of records from a commercial corporate database have been leaked. The database, about 52 gigabytes in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population. Dun & Bradstreet, a business services giant, confirmed that it owns the database, which it acquired as part of a 2015 deal to buy NetProspex for $125 million. The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers. Other information includes more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms. This entire database is used for marketers who want to directly target their own email campaigns and through other communications methods for current and prospective customers. The data can be bought either in bulk, or by type of record by companies, but it's not known exactly how much the going rate is for a full data set of this size. We understand from a 2015 brochure that the cost of accessing a half-million records can cost some firms up to $200,000. Troy Hunt, who runs breach notification site Have I Been Pwned, obtained the database and analyzed the records. 
In a blog post Tuesday, Hunt said the breakdown was entirely US-focused, with California as the most represented demographic with over four million records, then New York with 2.7 million records and Texas with 2.6 million records. Hunt's analysis of the records showed that the leading organization by records is the Dept. of Defense, with 101,013 employee records, followed closely by the US Postal Service with 88,153 employee records. The US Army, Air Force, and Dept. of Veterans Affairs are all listed with a combined 76,379 records. AT&T, Boeing, Dell, FedEx, IBM, and Xerox were among the most named companies in the database, with tens of thousands of employee records each. ""Whilst you could piece together parts of the data from information already in the public domain, having it aggregated and so easily searchable in this fashion is enormously valuable,"" said Hunt in an email on Tuesday. ""It also serves as a reminder that we've lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion and they certainly don't have any control over it."" Hunt ran the exposed database through Have I Been Pwned's database of breached records, which showed 14 percent of email addresses already existed in his database. The data is now searchable in Have I Been Pwned. But it's not known exactly how the data was exposed, or who is to blame for the leak.  A spokesperson for Dun & Bradstreet would not talk on the record beyond an emailed statement, sent prior to publication. ""We've carefully evaluated the information that was shared with us and it is of a type and in a format that we deliver to customers every day. 
Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system,"" the statement read.""More Information: http://www.zdnet.com/article/millions-of-records-leaked-from-huge-corpor...","Media","","2017","40.712784","-74.005941" "March 15, 2017","Twitter Counter","San Francisco","California","HACK","BSO","0","Thousands of high-profile Twitter accounts have been spewing swastikas and spam following the hack of a popular third-party Twitter service. Sites tied to Amnesty International, BBC's North American service, Forbes magazine, the European Parliament and even tennis star Boris Becker were affected. The hacking traces to third-party analytics service Counter, which bills itself as ""the #1 stat site powered by Twitter."" ""We're aware that our service was hacked and have started an investigation into the matter,"" Counter tweeted March 15. ""One thing is important to note - we do not store users' Twitter account credentials (passwords) nor credit card information.""More Information: http://www.databreachtoday.com/twitter-app-hack-spews-swastikas-turkish-...","Media","","2017","37.774930","-122.419416" "March 8, 2017","River City Media","Portland","Oregon","DISC","BSO","1,370,000,000","""One of the world's allegedly most prolific spamming operations inadvertently left backup databases accessible online, exposing upwards of 1.37 billion records and a raft of internal company information. Chris Vickery, a security researcher who works for the anti-virus company MacKeeper, discovered the databases, which belong to a US-based email and SMS marketing company called River City Media. In some cases, the records include the names, IP addresses, zip codes and physical addresses associated with the email addresses. The cause of the data exposure appears to be an oversight. The company used the rsync protocol to backup its MySQL databases. 
But those backup servers were not password-protected, Vickery says in an email to Information Security Media Group. The leak could be one of the largest of all time, but it's likely the databases contain duplicates. The databases, which were exposed for at least three months, have since been taken offline. It's unclear if other fraudsters or hackers may have already stumbled upon it. Some of the records were updated as recently as January. ""If the databases were to be released in the wild, the damage would be astounding,"" Vickery says. ""Abusive ex-boyfriends and stalkers everywhere would have a fresh new source of information on victims. You wouldn't feel the damage all at once, but society would indeed suffer over time."" Based on preliminarily checks, at least some of the exposed data is legitimate, Vickery writes in a blog post. ""Investigating names from the list, through social media and work websites, usually shows that the additional details in the entry are most likely accurate,"" Vickery writes.""More Information: http://www.databreachtoday.com/backup-error-exposes-137-billion-record-s...","Media","","2017","45.520842","-122.680344" "February 28, 2017","Emory Healthcare","Atlanta","Georgia","HACK","MED","80,000","""An attack on a database used by Emory Healthcare for patient appointments is the largest health data breach reported to federal regulators so far in 2017. The incident, which exposed data on almost 80,000 individuals, seems to spotlight a persistent problem facing a growing number of organizations that use misconfigured MongoDB and other similar databases, security experts say (see Database Hijackings: Who's Next?). In a statement posted on its website, Atlanta, Ga.-based Emory Healthcare says that on Jan. 
3, the organization ""learned that there was unauthorized access to [its patient appointment] waits & delays database around the New Year's weekend after someone deleted the database and demanded that EHC pay to have it restored."" In addition to the extortion attack on the database, Emory Healthcare says in its notification statement that it also learned ""that there was another unauthorized access by an independent security research center that searches out vulnerabilities in applications and traditionally notifies the company so that it can be remedied."" The unnamed independent security research firm referenced by Emory in its statement is believed to be MacKeeper Security Research Center. That's because Mackeeper wrote in a Jan. 4 blog that on Dec. 30, its security researchers discovered a misconfigured Mongo database that ""contained hundreds of thousands of what appeared to be patient records and other sensitive information,"" belonging to Emory Healthcare. ""The IP was hosted on Google Cloud and results for domain names hosted on that address (Reverse IP) identified Emory Brain Health Center,"" MacKeeper wrote.""More Information: http://www.databreachtoday.com/emory-healthcare-database-breach-what-hap...","Media","","2017","33.748995","-84.387982" "February 24, 2017","Cloudfare","San Francisco","California","DISC","BSO","4,300,000","""A well-known Google security researcher discovered that Cloudflare was exposing chat messages, encryption keys, cookies, password manager data, hotel bookings and more. The content delivery network quickly confirmed the finding, traced it to a coding error involving just a single wrong character and put related remediations in place. But the leaked data had been cached by major search engines, and the discovery triggered a frantic effort to remove the cached data before the flaw was publicized. 
Much of the exposed data would have normally been protected by SSL/TLS, but the nature of the vulnerability caused it to be exposed to the internet in unencrypted form. It's unknown how much data may have been leaked, which may make it difficult for companies and users to decide what their most prudent reaction to this bug report should be."" Cloudflare specializes in improving the performance and redundancy of websites, as well as offering protection against attacks such as distributed denial-of-service. The discovery shows how a weak link in just a single widely used cloud service can have a vast impact on data security downstream. The sensitive data was exposed for ""months,"" writes Google's Tavis Ormandy, a researcher with the company's Project Zero, who found the bug. He jokingly dubbed it Cloudbleed, a portmanteau that recalls the Heartbleed OpenSSL vulnerability (see Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable). A redacted sample of the leaked data. Source: Tavis Ormandy. Cloudflare has not released a list of affected domains. But Nick Sweeting, the co-founder and CTO of Blitzka Software, has created a list of 4.3 million websites that use Cloudflare, and he aims to eventually narrow the list to only display sites left at risk by the coding error. So far, Ormandy has found data on the web from Uber, 1Password, FitBit and OKCupid. 1Password, a widely used password manager, says the data that was exposed was encrypted in two other ways, thus making the Cloudflare bug of little consequence for its users.More Information: http://www.databreachtoday.com/cloudflare-coding-error-spills-sensitive-...","Media","","2017","37.780223","-122.390587" "March 15, 2017","Wishbone","Santa Monica","California","HACK","BSO","0","""Check your kid’s phone for this app, ASAP: Wishbone. This popular quiz app for kids, tweens and teens has been hacked, according to a report from Motherboard out this morning. 
The hack involved 2.2 million email addresses, as well as 287,000 phone numbers, many of which are from kids under the age of 18. The app is operated by the incubator Science, and is one of the more popular social networking applications in the U.S., currently ranking No. 14 in that category on iTunes. Users have been alerted to the hack by way of an email from the company, which explains that it became aware of the breach on March 14, 2017. Per the email, hackers appear to have accessed a private API to pull information on Wishbone users. This included usernames, personal names, emails and phone numbers. Some users also opted to provide their date of birth to Wishbone, and, if they did, this information was also included. Wishbone says no passwords or financial information was part of the breach, however. Users were also alerted via an in-app notification. The message says that Wishbone is initiating “precautionary measures” as a part of the breach. But Motherboard received confirmation that the vulnerability has now been fixed. Unfortunately, the data is already out there in the wild, and consists mainly of kids’ personal information. The app’s core demographic is very young users — many who don’t even yet have iPhones, but play with the app on their iPod touch. 
Thankfully, this limited the amount of phone numbers included in the data breach.""More Information: https://techcrunch.com/2017/03/15/teen-quiz-app-wishbone-hacked-users-em...","Media","","2017","34.014684","-118.496812" "March 16, 2017","Virginia Commonwealth University (VCU) Health System","Richmond","Virginia","HACK","MED","0","""March 16, 2017 - Virginia Commonwealth University (VCU) Health System recently discovered a data breach potentially impacted over 2,700 patients, according to an announcement in the Richmond Times-Dispatch. On January 10, 2017, VCU Health System became aware of a data breach in which patient EHRs were vulnerable to unauthorized access over a three-year period between January 3, 2014 and January 10, 2017. Following an investigation, VCU Health System concluded employees of community physician groups, and an employee of a contracted vendor, had accessed patient records without proper justification. Officials maintain no information was used inappropriately. The employees involved in the incident have since been terminated. Employees may have viewed information including patient names, addresses, dates of birth, medical record numbers, health care providers, visit dates, health insurance information, and Social Security numbers. VCU Health System said it is providing concerned patients with one year of free credit monitoring to avoid further issues with identity theft and fraud.""More Information: http://healthitsecurity.com/news/va-university-health-system-security-br...","Media","","2017","37.540725","-77.436048" "March 16, 2017","Denton Heart Group","Denton","Texas","PORT","MED","0","""On January 11, 2017, Denton Heart Group, a member of HealthTexas Provider Network, discovered an external computer hard drive containing patient information was stolen from its facility around December 29, 2016. The clinic immediately launched an investigation into the incident and found the information contained on the hard drive may have included patient 
information such as names, addresses, driver’s license numbers, and Social Security numbers. Presently, the clinic has no evidence to suggest any information was misused in any way. “We regret any inconvenience caused by this incident,” the healthcare organization stated in a posted announcement. “Necessary corrective actions have been taken to safeguard against similar incidents in the future, and we are taking steps to re-evaluate the security of computer devices within our clinics to further protect our patient’s information.” The statement did not list the number of patients affected by the incident.""More Information: http://healthitsecurity.com/news/va-university-health-system-security-br...","Media","","2017","33.214841","-97.133068" "March 16, 2017","BJC HealthCare Raising St. Louis","St. Louis","Missouri","DISC","MED","644","""BJC HealthCare Raising St. Louis recently became aware of a data breach potentially impacting 644 current and former Raising St. Louis participants, according to a recent post on the healthcare organization’s website. On January 9, 2017, BJC Raising St. Louis became aware of an incident in which sensitive patient information was left potentially vulnerable in a series of unencrypted email exchanges between participating program partners. Upon discovering the security breach, BJC staff went through its required protocol for emailing data securely to mitigate further issues. After an investigation, BJC confirmed no unauthorized individuals read or accessed the unencrypted emails at any time. 
Additionally, the healthcare organization determined no Social Security numbers or financial information were contained within the emails. In an effort to avoid similar incidents in the future, BJC intends to re-educate staff members on the proper way to send securely encrypted emails and have notified potentially impacted participants of the event.""More Information: http://healthitsecurity.com/news/va-university-health-system-security-br...","","","2017","38.627003","-90.199404" "March 16, 2017","Tarleton Medical","Rancho Mirage","California","HACK","MED","3,929","""On January 6, 2017, Tarleton Medical became aware of a data security incident involving the unauthorized access of a data server containing PHI from patient medical records. Potentially accessed information includes patient names, addresses, dates of birth, Social Security numbers, and healthcare claims information. The California family medicine practice has not listed how many individuals were potentially impacted during the incident. However, the OCR data breach reporting tool states that 3,929 individuals had their information involved. “We have taken steps to enhance the security of TM patient information to prevent similar incidents from occurring in the future,” the healthcare organization explained in its notification letter. Tarleton Medical has since reported the incident to the FBI and is offering concerned patients free access to a credit monitoring service for one year.""More Information: http://healthitsecurity.com/news/va-university-health-system-security-br...","Media","","2017","33.739744","-116.412790" "March 16, 2017","Summit Reinsurances Services","Fort Wayne","Indiana","HACK","MED","0","""On August 8, 2016, Summit Reinsurance Services, Inc. became aware of a ransomware attack on a server containing patient PHI. The organization immediately initiated an investigation into the incident and concluded an unauthorized user accessed the server around March 13, 2016.  
The investigation also found the information on the affected server may have included Social Security numbers, health insurance information, provider names, and claim-focused medical records containing diagnoses and clinical information. Summit did not state how many patients were potentially impacted by the security breach but it asserted there is no evidence any information from the affected server has been misused in any way. To mitigate any further problems, Summit has informed potentially impacted individuals of the incident and provided information to help concerned patients protect themselves against identity theft and fraud in the future. The organization has also provided individuals with one free year of credit monitoring and identity restoration. This incident was the catalyst for numerous reported security issues that were reported throughout 2016 at several healthcare organizations. For example, Black Hawk College reported in 2016 that certain information may have been accessed through an infected server containing PHI. Summit has worked to notify all impacted individuals and healthcare organizations of each incident and provided information for those seeking assistance in finding ways to protect their information moving forward.""More Information: http://healthitsecurity.com/news/va-university-health-system-security-br...","Media","","2017","41.079273","-85.139351" "March 10, 2017","Hutchinson and Bloodgood LLP","San Diego","California","HACK","BSF","0","""We are committed to maintaining the privacy and security of that personal information. Regrettably, I am writing to inform you of an incident involving some of that information. What Happened On December 21, 2016, we learned that a targeted “spear phishing” email was sent to employees of multiple CPA firms, including a Hutchinson and Bloodgood LLP employee. 
Spear phishing emails are attempts by an individual or group to solicit specific information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or individual. Our review of network activity after the email was opened indicated that there may have been unauthorized access to some company data. In an abundance of caution, we have viewed this as an event requiring disclosure. What Information Was Involved Based on our investigation, potentially accessible documents contained information, that may have included your name, address and/or social security number.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66868","California Attorney General","","2017","32.771388","-117.156994" "March 13, 2017","Ondracek & Company","Santa Barbara","California","HACK","BSF","0","""What Happened? On February 6, 2017, we learned that some clients had received notification letters from the IRS telling them that someone had filed or attempted to file a 2016 tax return. Knowing that neither they nor we filed the returns, we immediately began an investigation into the matter (specifically, whether the breach was from a third party or our network). That same day we contacted our IT consultant, immediately changed all system passwords and user information, and started running scans and reviewing our systems to identify any malicious malware on our network. None was found. We further contacted the IRS and FTB, and hired a specialized forensic IT firm for additional investigation. On February 17, 2017, the specialized forensic IT firm determined that hackers had gained unauthorized access to our system from a foreign IP address. Immediately upon discovery, we notified you of the unauthorized access to your information via email, as a precursor to this letter. 
Through investigation we have discovered that the unauthorized access occurred through Remote Desktop Protocol between November 21, 2016 and February 6, 2017. What Information Was Involved? If you are an individual, this information may have included your: name, date of birth, telephone number(s), address, Social Security number, all employment (W-2) information, 1099 information (including account number if provided to me), and direct deposit bank account information (including account number and routing information if provided to me). If you are an entity, this information may have included your: company name, Federal Employer Identification Number, address, telephone number; employee and/or 1099-recipient information (including account number if provided to me); bank or brokerage account information if provided to me; and partner, shareholder/officer or beneficiary names, addresses, and Social Security numbers.""","California Attorney General","","2017","34.420831","-119.698190" "March 14, 2017","Zest Dental Solutions","Carlsbad","California","HACK","BSO","0","What Happened We began an investigation of our systems after reports from some customers receiving unusual emails containing Zest Dental purchase information. We engaged a computer security firm to examine our systems for any signs of an issue.  On February 16, 2017, we learned that an unauthorized entity had compromised our e-commerce system potentially affecting customer payment card information. 
What Information Was Involved The information compromised by the attack may have included your name, billing address, phone number, payment card number, expiration date, and CVV number from payment cards used for online transactions on Zest Dental's website between December 31, 2013 and September 21, 2014, and between November 2, 2016 and February 4, 2017.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66908","California Attorney General","","2017","33.131928","-117.248542" "March 16, 2017","Defense Point Security","Alexandria","Virginia","HACK","BSO","0","""On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net. Alexandria, Va.-based Defense Point Security (recently acquired by management consulting giant Accenture) informed current and former employees this week via email that all of the data from their annual W-2 tax forms — including name, Social Security Number, address, compensation, tax withholding amounts — were snared by a targeted spear phishing email. “I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016,” Defense Point CEO George McKenzie wrote in the email alert to employees. “Unfortunately, your W-2 was among those released outside of DPS.” More Information: http://krebsonsecurity.com/","Krebs On Security","","2017","38.804836","-77.046921" "March 16, 2017","Select Restaurants Inc. 
","Cleveland","Ohio","HACK","BSO","0","""For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant. A little over a month ago, KrebsOnSecurity was contacted by multiple financial institutions whose anti-fraud teams were trying to trace the source of a great deal of fraud on cards that were all used at a handful of high-end restaurants around the country. Two of those fraud teams shared a list of restaurants that all affected cardholders had visited recently. A bit of searching online showed that nearly all of those establishments were run by Select Restaurants Inc., a Cleveland, Ohio company that owns a number of well-known eateries nationwide, including Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati, Ohio; Parkers’ Restaurant & Bar in Downers Grove, Illinois; Winberie’s Restaurant & Bar with locations in Oak Park, Illinois and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, PA.""More Information: https://krebsonsecurity.com/2017/03/google-points-to-another-pos-vendor-...","Krebs On Security","","2017","41.499320","-81.694361" "March 16, 2017","NSC Technologies","Portsmouth","Virginia","HACK","BSO","0","""What Happened? On March 2, 2017 an on-line hacker posing as NSC’s CEO emailed the company’s payroll department and directed that copies of employee W-2 forms be sent to him. Believing the request to come from the CEO, the payroll department forwarded PDF copies of a number of employee IRS W-2 forms to the requestor, who was using a false email address that appeared to belong to NSC’s CEO. 
Although this “spoofing” episode was identified for what it was literally moments after the W-2 forms were sent to the hacker, by that point the forms themselves had already been shared with him or her. At this point we have no indication that any of the information contained on the W-2 forms that the payroll department was tricked into sharing with the hacker has been misused in any way, but the potential for such misuse certainly exists. What Information Was Involved? This incident involved your 2016 IRS W-2 form, which includes your name, address, social security number, and 2016 income and withholding information.""More Information: https://oag.ca.gov/system/files/NSC%20Data%20Breach_CA%20Letter_030717_0...?","California Attorney General","","2017","36.835028","-76.298232" "March 17, 2017","American Tire Distributors","Charlotte","North Carolina","HACK","BSO","0","""We believe that on March 3, 2017 a file containing your 2016 W-2 information was apparently fraudulently obtained by a third party.  We learned of this on March 6, 2017 and an investigation immediately commenced.  We believe the incident has been contained and did not involve an intrusion into the company's networks. What information was involved: The incident involved your 2016 W-2 information, which included your name, Social Security number, 2016 wage information, and mailing address. ""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67004 ","California Attorney General","","2017","35.236388","-80.974919" "March 17, 2017","Hampton Jitney and Ambassador Riders","Calverton","New York","HACK","BSO","0","""What Happened On February 22, 2017, we discovered that an unauthorized user recently accessed customer accounts at Hampton Jitney. 
Upon discovery, we immediately investigated the situation and disabled all internet access to the network server that was the suspected source of the unauthorized access. We hired a reputable computer specialist and law firm with expertise in data breach investigations, to investigate the incident and determine whether personal information of our customers was stolen. We learned that customer information may have been accessed starting on February 20, 2017 until the incident was discovered. We also forced a reset of all passwords of users that may have been affected by the intrusion. What Information Was Involved Information including customer names, addresses, phone numbers, email addresses and unencrypted passwords was accessible for two days. Although we do not store social security numbers, credit card numbers, or other financial account information, some customer data was stolen during the incident. Because the email and password used by you to access our website was stolen, we are providing you with Notice of Data Breach.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67007","California Attorney General","","2017","40.914264","-72.746786" "March 18, 2017","Campbell Taylor & Company Certified Public Accountants & Consultants","Roseville","California","HACK","BSF","0","""What Happened? After noticing some unusual activity on our network including a possible ransomware attempt, on February 13, 2017, we hired a specialized forensic IT firm to investigate. On February 23, 2017, the specialized forensic IT firm determined that there was unauthorized access to our main network drive from a foreign IP address between January 27, 2017 and February 2, 2017, however the firm cannot determine which files were accessed. 
Accordingly, we are notifying everyone whose information was on our system out of an abundance of caution. What Information Was Involved? As an employee participant of a retirement or other benefit plan, the information on our system may have included your: first and last name, date of birth, Social Security number, and salary information.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67009","California Attorney General","","2017","38.746302","-121.230069" "March 21, 2017","Bulletproof","Bellevue","Washington","HACK","BSO","0","""What Happened After noticing unusual activity relating to customer online transactions, we began an immediate investigation of our website and took prompt action to address and stop the unauthorized activity. We also engaged a leading computer security firm to examine our systems for any signs of an issue, and notified law enforcement. On February 23, 2017, our investigation determined that an unknown third party had compromised our e-commerce system, potentially affecting customer payment card information. 
What Information Was Involved The information compromised by the incident may have included your name, payment card number, expiration date, and CVV number from payment cards used for online transactions on Bulletproof's e-commerce website from October 26, 2016 to January 31, 2017.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67028","California Attorney General","","2017","47.625867","-122.190200" "March 22, 2017","The Washington State Liquor and Cannabis Board","Olympia","Washington","DISC","BSO","0","""The recent accidental leak of sensitive information about Washington medical marijuana applicants is raising more concerns about the Washington State Liquor and Cannabis Board’s (WSLCB) ability to adequately protect private patient information. According to Washington cannabis activist John Novak, the WSLCB accidentally released a “massive” amount of personal identifying information about Washington medical marijuana applicants on a public records request. The data includes social security numbers and medical records, among other sensitive information. The WSLCB would not confirm the number of people impacted by the breach but told The Cannabist it is working to inform all affected parties.""More Information: http://extract.suntimes.com/news/10/153/20392/washington-marijuana-appli... 
","Media","","2017","47.043691","-122.858357" "March 27, 2017","America's Job Link Alliance","Topeka","Kansas","HACK","BSO","2,100,000","""Hackers have breached America's Job Link Alliance (AJLA), a job portal offered by the Department of Labor (DOL), and stolen personal details from an undisclosed number of job seekers. AJLA, a multi-state database of US job seekers, acknowledged the security breach through a message on its website. Hackers stole information from job seekers in 10 states According to AJLA officials, hackers registered an account on the job portal and then used a vulnerability in the AJLA source code to extract data from other users. An investigation revealed hackers managed to get access to names, dates of birth, and Social Security Numbers for users in ten of the sixteen states catered by the AJLA portal. Affected states include Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont. Currently, job seekers in Georgia, Indiana, Kentucky, Nevada, New Jersey and Massachusetts don't appear to be affected.""More Information: https://www.bleepingcomputer.com/news/security/hackers-breached-departme... http://www.ajla.net/pressrelease.html","Media","","2017","39.040138","-95.682406" "March 27, 2017","Med Center Health","Louisville","Kentucky","PHYS","MED","160,000","""The FBI continues its look into a breach of personal information from about 160,000 patients serviced at some Med Center Health affiliates between 2011 and 2014. It will take about two weeks for all of the patients to be notified by mail that their personal data – including from The Medical Center at Bowling Green, The Medical Center at Scottsville, The Medical Center at Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS – was taken by a former employee. David Habich, chief counsel for the FBI in Louisville, said in general that FBI investigations take time to thoroughly investigate. A former employee is 
accused of taking the data that included billing information such as name, address, Social Security, insurance information, procedure codes and others. It did not include the release of actual medical records. Emailed responses to Daily News questions from Med Center Health indicated that “other federal agencies” also are investigating. A news release to the public about the data breach came several months after it was spotted by Med Center, something which was asked of it by investigators.""More Information: http://www.bgdailynews.com/news/k-affected-by-med-center-data-breach/art...","Media","","2017","38.252665","-85.758456" "March 23, 2017","Metropolitan Urology Group","Wauwatosa","Wisconsin","HACK","MED","17,634","""Wauwatosa, Wis.-based Metropolitan Urology Group has notified its patients of a breach of unsecured patient health information due to a ransomware attack back in November 2016. According to a statement on the medical group’s website, on January 10th, 2017, Metropolitan Urology Group (MUG) was made aware that a ransomware attack that occurred November 28, 2016 exposed certain patient health information to the hackers who infected two MUG servers with the ransomware virus. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, the breach affected the protected health information (PHI) of 17,634 individuals, and the breach notification was submitted to OCR on March 10th. The incident was categorized as hacking/IT incident on a network server. “MUG has been working with a premier, international information technology firm to remove the ransomware virus and is taking steps to ensure that such attacks never occur again. MUG has blocked all traffic from accessing the affected servers,” the medical group stated. Further, the medical group wrote in the statement, “MUG has installed the best firewall protection and secure email system. 
It is protecting all devices used by MUG employees, and updating its policies and procedures to reflect these technological changes. MUG is also conducting a risk analysis of its information technology system to detect any other vulnerabilities that may exist so it can quickly correct them. Both MUG and its information technology vendor, Digicorp, will be undergoing training on information security.” The information exposed relates to services provided to patients by MUG between 2003 and 2010 and includes patient first and last name, procedure codes, dates of service, patient account number or patient control number and provider identification number. Less than five patients also had the social security numbers exposed.""More Information: https://www.healthcare-informatics.com/news-item/cybersecurity/wisconsin...","Media","","2017","43.049457","-88.007588" "March 21, 2017","Praetorian Digital/ PoliceOne Forum","San Francisco","California","HACK","BSO","0","""What Happened. On Friday, February 3, 2017, we were notified that the content of our PoliceOne Forum was the subject of unauthorized access and acquisition. The incident occurred in our forums, which are run on third party software and are entirely separate from our main PoliceOne member database and other systems, which have not been compromised. We have become aware of a security incident in our PoliceOne Forums that allegedly occurred in 2015. We are aggressively addressing the matter and want to make you clear on the scope of the issue and its potential impact to you. Security is incredibly important to us and we've worked hard to protect your information over the past 17 years. What Information Was Involved. The information accessed was limited, and included email addresses, user names and hashed and salted passwords (a protected version of the password you use). 
It did not include forums posts or other content.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67050","California Attorney General","","2017","37.800482","-122.402922" "March 21, 2017","Rent the Runway","New York","New York","HACK","BSO","0","""What Happened It was discovered that your Rent the Runway account was accessed by an unknown party between December 25, 2016 and February 23, 2017. What Information Was Involved The information that may have been accessed includes: email address, first name, last name, birthday and mailing address. We do not store credit cards, so your credit card information was not exposed.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67055","California Attorney General","","2017","40.727752","-74.007695" "March 21, 2017","Schurman Retail Group","Fairfiel ","California","HACK","BSO","0","""What Happened? On March 8, 2017, we discovered that our company was the victim of an email spoofing attack on January 18, 2017, by an individual pretending to be our Chief Financial Officer. A request was made from what appeared to be legitimate Schurman Retail Group (""SRG"") email address for all 2016 SRG employee Form W-2 information.  Unfortunately, copies of all 2016 employee W-2 forms were provided before we discovered that the request was fraudulent.  We have been working tirelessly to investigate and to mitigate the impact of the attack since we discovered the fraudulent nature of the request. What Information Was Involved? A file, including a copy of your IRS Tax Form W-2, was sent in response to the fraudulent email.  An IRS Tax Form W-2 includes the following categories of information: (1) the employee's name; (2) the employee's address; (3) the employee's Social Security number; and (4) the employee's wage information. 
Other than the information contained on the IRS Tax Form W-2, no personal financial information was emailed to the external email account.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67056","California Attorney General","","2017","41.140836","-73.261262" "March 21, 2017","LYFE Kitchen Notice of Data Breach","Memphis","Tennessee","HACK","BSO","0","""What Happened? LYFE Kitchen was notified by its third-party point of sale (“POS”) vendor that the vendor’s computer network potentially had been compromised by a malware data breach. The malware was programmed to access data from the magnetic stripe of payment cards at the time they were swiped. The magnetic stripe contains only the card number, expiration date and verification code. No other customer information was involved. Based on our third-party IT security expert’s investigation, the malware could have affected the POS equipment at two (2) LYFE Kitchen corporate restaurants in California, two (2) corporate restaurants in Tennessee, and one (1) corporate restaurant in Nevada (listed below). The malware has been removed and eradicated. We have no evidence that the malware exported any payment card information to the malware host, and we have received no reports of unauthorized charges from customers or the banks that issued payment cards. II. What Information Was Involved? LYFE Kitchen does not have customers’ social security numbers, driver’s license numbers, or other personal information. Additionally, we do not store customers’ payment card information. But this incident may have resulted in the unauthorized acquisition of payment card information of some LYFE Kitchen customers who dined on the dates and at the locations listed below: • November 3, 2016 to January 5, 2017: LYFE Kitchen, 12746 Jefferson Blvd., Suite 2200, Los Angeles, CA 90094. • November 3, 2016 to January 6, 2017: LYFE Kitchen, Valencia Town Center, 24201 Valencia Blvd., Ste. 3260, Valencia, CA 91355. 
• November 2, 2016 to January 3, 2017: LYFE Kitchen, 272 S. Main St., Memphis, TN 38103. • November 3, 2016 to January 5, 2017: LYFE Kitchen, 6201 Poplar Ave., Memphis, TN 38119. • November 3, 2016 to January 5, 2017: LYFE Kitchen, 140 S. Green Valley Pkwy., Henderson, NV 89102.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67060","California Attorney General","","2017","35.149534","-90.048980" "March 22, 2017","Urology Austin","Austin","Texas","HACK","MED","0","""What happened? On January 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on our servers. Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation. We also began to take steps to restore the impacted data and our operations. What information was involved? Our investigation indicates that your personal information may have been impacted by the ransomware, including your name, address, date of birth, Social Security number, and medical information.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67070https://oag.ca.go...","California Attorney General","","2017","30.267153","-97.743061" "March 24, 2017","For the Inspiration and Recognition of Science and Technology","Manchester","New Hampshire","HACK","BSO","0","""What happened?  On March 6, 2017, we received a report of suspicious activity for our two externally hosted websites – the FIRST Forum (forums.usfirst.org) and FIRST Tech Challenge Forum (ftcforum.usfirst.org).  We immediately launched an internal investigation into this report to figure out what happened and what information may be impacted.  While the investigation is ongoing, we have determined that the two websites were accessed between January 21, 2017, and March 7, 2017.  These websites are forums where members of the FIRST robotics community can ask questions that are answered by the FIRST community and forum moderators. 
No other FIRST websites, including the FIRST registration sites, were affected. What information is involved?  While our investigation into this incident is ongoing, participant information may have included your username (defined by you, which may or may not include your first or last name), email address, date of birth, and encrypted password. No other personally identifiable, financial, or credit card information is stored on these websites.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67116","California Attorney General","","2017","42.989674","-71.467930" "March 27, 2017","easybreathe.com","Los Angeles","California","HACK","BSO","0","""On February 10, 2017, we learned that an unknown individual may have accessed your credit or debit card information used to make purchases at our online store.  We immediately took action to secure our system and commenced an investigation to determine what information may have been accessed.  We determined that the unknown individual may have accessed customer payment card information, including name, address, telephone number, and credit/debit card information.  None of your health information (for example, social security number, insurance member ID number, etc.) was present or at risk.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67162","California Attorney General","","2017","34.047384","-118.464011" "March 27, 2017","Mollie Stone's Markets","Mill Valley","California","HACK","BSO","0","""What Happened On March 17, 2017, we learned that one of our employees received a phishing email designed to appear as if it came from one of our Senior Executives.  As a result of this phishing incident, we learned that an unauthorized individual may have obtained IRS Form W-2s for the 2016 employment year for some of our employees.  When we learned of this, we immediately secured the email account and enabled restrictions to prevent further unauthorized access.   
What Information Was Involved  We conducted a thorough review of the email account and confirmed that the sent email contained some personal information and may have included your name, address, Social Security number and wage information.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67171 ","California Attorney General","","2017","37.881013","-122.518639" "March 29, 2017","Oilandgasjobsearch.com","","Cheshire","HACK","BSO","0","""At Oilandgasjobsearch.com, our candidates and our employers are our top priority.  We are writing to you today to inform you of an incident in which we experienced unauthorized access to data within our systems.  Oilandgasjobsearch.com, an independent UK subsidiary of CareerBuilder, investigated the incident with a leading IT security firm and law enforcement to understand all of the facts.  Based on our investigation, we believe that your candidate account credentials (user name and password) and your CV (or resume) may have been accessed by an unauthorized third party.  Our investigation has revealed that the unauthorized third party accessed Oilandgasjobsearch.com systems beginning in September of 2016. We have implemented additional security measures for Oilandgasjobsearch.com systems.  We are resetting all candidate account passwords to secure access to each account.  In order to obtain access to your account you will need to create a new password by going to Oilandgasjobsearch.com and clicking “Forgotten your password?” in the Login tab.  You will then be prompted to enter your email address and click “Recover Your Password” and you will receive an email from Oilandgasjobsearch.com that will contain a time-sensitive link.  Please click on the link within 24 hours after receiving it and follow the prompts that instruct you to reset your account password.  We encourage you to use a “strong” password that is different from your previous Oilandgasjobsearch.com password.  
Strong passwords tend to be long and include a mix of letters, numbers and characters.  We also recommend that you change your password for any other online accounts that use a similar user name or email address and password combination.""More Information:    https://oag.ca.gov/ecrime/databreach/reports/sb24-67192","California Attorney General","","2017","53.438197","-2.165726" "March 29, 2017","Quench","King Prussia","Pennsylvania","HACK","BSO","0","""Quench USA, Inc. (“Quench”) is writing to inform you of a recent event that may affect certain information related to your company. While we are unaware of any actual or attempted misuse of the information involved, out of an abundance of caution, we are providing you with information about the incident, steps we are taking in response, and steps you can take to protect against fraud should you feel it is appropriate. What Happened? On February 13, 2017, we discovered our Coffee Service server had been infected with a virus that prohibited our access to our files. We restored the server and launched an investigation to determine the capabilities of the virus and how it was introduced to the server. On February 22, 2017, as part of our ongoing investigation, we determined this virus was introduced by an unknown third party that had access to a server on our information system and confirmed this server contains information relating to Quench Coffee Service customers. What Information Was Involved? While our investigation is ongoing, we have no evidence the unknown third party accessed or acquired your company’s information stored on the server. Nevertheless, we have confirmed this server housed information relating to your company, which may include your company’s credit card number, expiration date, zip code and address. 
Out of an abundance of caution, we are providing notice of this incident to you given we cannot rule out unauthorized access to this information occurred.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67200","California Attorney General","","2017","40.103129","-75.406772" "March 29, 2017","ShowTix4U","Las Vegas","Nevada","HACK","BSO","0","""ShowTix4U recently became aware of a potential security incident possibly affecting the personal information of certain individuals who made a payment card purchase on the ShowTix4U.com website. We are providing this notice as a precaution to inform potentially affected individuals about the incident and to call your attention to some steps you can take to help protect yourself. We sincerely regret any concern this may cause you.  What Happened We were recently alerted by our payment card processor to a potential security incident involving our website. Based upon an ongoing forensic investigation, it appears that an unauthorized actor was able to gain access to our third-party vendor’s server and install malicious software on our website.  The malicious software appears designed to capture payment card information as the information was inputted.  What Information Was Involved  We believe that the incident could have affected certain information (including name, address, email address, telephone number, payment card account number, expiration date, and card verification code) of individuals who made a purchase on the website between December 11, 2016, and February 2, 2017. According to our records, you made a payment card transaction on the website during that timeframe and your information may be affected. 
Please note that because we do not collect sensitive personal information like Social Security numbers, this type of sensitive information was not affected by this incident.""More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-67213","California Attorney General","","2017","36.114707","-115.172850" "March 23, 2017","WellSpan Health","York","Pennsylvania","DISC","MED","732"," As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services. More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF... ","Government Agency","","2017","39.923303","-76.716879" "April 7, 2017","IRS Data Retrieval Tool","Washington","District Of Columbia","HACK","GOV","100,000","""A financial aid tool for college students helped hackers steal up to $30 million from the US government. Nearly 100,000 people are at risk for identity theft after hackers breached the IRS's Data Retrieval Tool, which parents use to transfer financial information for their kids using the Free Application for Federal Student Aid. In 2015, 17 million students used FAFSA to file for financial aid. Fraudulent tax returns have become a growing issue for the IRS, as hackers find more sophisticated measures to steal financial documents online. The agency lost $5.8 billion in 2013 alone from sending tax refunds to thieves filing in other people's names. These schemes have targeted schools, hospitals and restaurants, and college students are the latest victims. IRS Commissioner John Koskinen testified to the Senate Finance Committee on Thursday, revealing thousands of people could be hit by identity theft from the breach. The agency delayed refunds from going out to 52,000 taxpayers until they can verify they're real requests. ""It was clear that some of that activity was legitimate students, some of it was criminals,"" Koskinen said. 
""So we shut the system down.""""More Information: https://www.cnet.com/news/hackers-used-college-student-loans-tool-to-ste...","Media","","2017","47.751074","-120.740139" "April 4, 2017","Auto Pride Car Wash","Redwood City","California","HACK","BSO","0","""Auto Pride Car Wash was informed on March 27, 2017 that our point-of-sale system experienced an intrusion last month.  Our point-of-sale system is operated by a third-party platform provider and this provider experienced the intrusion.  To date, the investigation indicates that the intruder placed malware on the point-of-sale system, and by doing so gained access to our customers’ payment card data, including the cardholder’s first and last name, payment card number, and security code.   If you used a payment card at any of our locations between the dates of 02/11/17 – 02/27/17, your payment card information may be at risk.  Because we are unable to determine contact information for each customer whose information may be at risk, we are notifying our customers of this risk in this Substitute Notice.  What information was involved?  For those customers who used a payment card at our location(s) between the dates of 02/11/17 – 02/27/17, the information the intruder had access to includes the cardholder’s first and last name, card number and security code."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67321","2017","37.485215","-122.236355" "April 6, 2017","Edgar & Associates LLP","Sacramento","California","HACK","BSF","0","""What Happened? After experiencing unusual activity during this filing season with an escalated number of rejected returns and a few clients receiving letters from the IRS telling them that someone had filed or attempted to file a 2016 tax return that we had not prepared, we immediately hired IT consultants to investigate. 
On March 13, 2017, a specialized forensic IT firm determined that hackers had gained unauthorized access to our system from a foreign IP address. After a thorough investigation we have discovered that the unauthorized access occurred on April 1-2, 2016, and occurred through Remote Desktop Protocol between September 28, 2016 and November 3, 2016. What Information Was Involved? If you are an individual, this information may have included your: name, date of birth, telephone number(s), address, Social Security number, all employment (W-2) information, 1099 information (including account number if provided to us), direct deposit bank account information (including account number and routing information if provided to us). If you are an entity, this information may have included your: company name, Federal Employer Identification Number, address, telephone number; employee and/or 1099-recipient information (including account number if provided to us); bank or brokerage account information if provided to us; and partner, shareholder/officer or beneficiary names, addresses, and Social Security numbers.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67343","2017","38.492536","-121.522269" "April 10, 2017","WildWater Express Carwash","San Pedro","California","HACK","BSO","0","""WildWater Express Carwash was informed on March 27, 2017 that our point-of-sale system is operated by a third party platform provider and this provider experienced the intrusion. To date, the investigation indicates that the intruder placed malware on the point-of-sale system, and by doing so gained access to our customers' payment card data, including the cardholder's first and last name, payment card number, and security code. If you used a payment card at any of our locations between the dates of 02/10/2017 through 02/28/2017, your payment card information may be at risk.  
Because we are unable to determine contact information for each customer whose information may be at risk, we are notifying our customers of this risk in this Substitute Notice. What information was involved? For those customers who used a payment card at our location(s) between the dates of 02/10/2017 through 02/28/2017, the information the intruder had access to includes the cardholder's first and last name, card number and security code.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67428","2017","33.737600","-118.289892" "April 10, 2017","Acme Car Wash and Clearwater Express","Salina","California","HACK","BSO","0","""Acme Car Wash and Clearwater Express Car Wash were informed on March 27, 2017 that our point-of-sale system experienced an intrusion last month. Our point-of-sale system is operated by a third-party platform provider and this provider experienced the intrusion. To date, the investigation indicates that the intruder placed malware on the point-of-sale system, and by doing so gained access to our customers' payment card data, including the cardholder's first and last name, payment card number, and security code. If you used a payment card at any of our locations between the dates of February 6, 2017 and February 23, 2017, your payment card information may be at risk. 
Because we are unable to determine contact information for each customer whose information may be at risk, we are notifying our customers of this risk in this Substitute Notice. What information was involved? For those customers who used a payment card at our location(s) between the dates of February 6, 2017 and February 23, 2017, the information the intruder had access to includes the cardholder's first and last name, card number and security code.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67429","2017","38.840281","-97.611424" "April 13, 2017","Fingerhut","Saint Cloud ","Minnesota","HACK","BSO","0","""What Happened We believe that your personal information was accessed by cyber-attackers executing an attempt to obtain unauthorized access to your Fingerhut account between March 24, 2017 and April 7, 2017.  What Information Was Involved The account data accessed may have included personal information such as your name and address, email address, phone number, and credit account number.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67606","2017","45.566318","-94.245355" "April 13, 2017","Alamo Capital","Walnut Creek","California","HACK","BSF","0","""What Happened? On March 14, 2017, a data security incident occurred which may have affected your personal information. When we discovered the incident on the same day, we immediately launched an investigation, and reported it to the FBI, the SEC and the Financial Industry Regulatory Authority (FINRA). Our information technology personnel also took measures to secure all client information. What Information Was Involved? 
The incident may have involved names, dates of birth, and Social Security numbers.""","","https://oag.ca.gov/ecrime/databreach/reports/sb24-67621","2017","37.910046","-122.059782" "April 14, 2017","Delta Career Education Corporation","Virginia Beach","Virginia","HACK","BSO","0","""What Happened On March 30, 2017, Delta Career completed an investigation regarding suspicious activity in its computer network.  The suspicious activity was detected on February 13th in one of its email accounts. Delta Career immediately began an internal investigation and engaged a leading computer security firm to determine the nature and extent of the incident.  The investigation recently determined that unauthorized persons may have accessed information relating to some of our current and former employees.  What Information Was Involved The information potentially affected includes your name, address, and Social Security number.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67632","2017","36.840605","-76.132195" "April 14, 2017","Westlake Touchless Car Wash","Daly City","California","HACK","BSO","0","""Westlake Touchless Car Wash was informed on March 27, 2017 that our point-of-sale system experienced an intrusion last month.  Our point-of-sale system is operated by a third-party platform provider and this provider experienced the intrusion.  To date, the investigation indicates that the intruder placed malware on the point-of-sale system, and by doing so gained access to our customers’ payment card data, including the cardholder’s first and last name, payment card number, and security code.   If you used a payment card at our locations between the dates of 02-06-2017 thru   02-23-2017, your payment card information may be at risk.  Because we are unable to determine contact information for each customer whose information may be at risk, we are notifying our customers of this risk in this Substitute Notice.  What information was involved?  
For those customers who used a payment card at our location between the dates of 02-06-2017 thru 02-23-2017, the information the intruder had access to includes the cardholder’s first and last name, card number and security code. ""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67633","2017","37.687924","-122.470208" "April 14, 2017","Six Continents Hotels, Inc. dba InterContinental Hotels Group","Alpharetta","Georgia","HACK","BSO","0","""What Happened Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations. To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region. What Information Was Involved The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at the front desk at certain IHG-branded franchise hotel locations in the Americas* between September 29, 2016 and December 29, 2016. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected. You are being notified because you used payment card(s) ending in during this time period onsite at the front desk of an affected hotel. 
A list of affected IHG franchise locations and respective time frames, which may vary by location, is available at www.ihg.com/protectingourguests."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67635","2017","34.075376","-84.294090" "April 14, 2017","Neiman Marcus Group","Dallas","Texas","HACK","BSO","0","""On or about January 17, 2017, unauthorized individuals began attempting to access our InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites (collectively the ""NMB websites"") by trying various companies (not associated with NMG websites), in which user login names and passwords were stolen.  The intruders were able to access customers' names, basic contact information, email addresses, purchase history, but only the last four digits of payment card numbers.  For InCircle online accounts, the accessible information also included customers' gift card numbers and ""Circle Level."" At present, all indications are that the InCircle and Neiman Marcus Group database of customer email addresses and passwords remains safe, and that our cyber defenses repelled the majority of the attacks. A similar automated login/password attack occurred on or about December 26, 2015 in which unauthorized individuals began attempting to access NMG websites' online accounts.  At the time, the outside forensic experts we engaged to investigate this matter determined that the online intruders were able to view customers' names, basic contact information, email addresses, purchase history, and only the last four digits of the payment cards associated with the online accounts.  
Unfortunately, it has become clear that the intruders also had access to full payment card numbers and card expiration dates."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67636","2017","32.780732","-96.797295" "April 14, 2017","Jack Anthony Industries, Inc.","Vallejo","California","HACK","BSO","0","""Vallejo/Fairfield/Vacaville/Sacramento, CA – Jack Anthony Industries, Inc. was informed on March 27, 2017 that our point-of-sale system, operated by a third-party platform provider experienced an intrusion last month.  To date, the investigation indicates that the intruder placed malware on the point-of-sale system, and by doing so gained access to our customers’ payment card data, including the cardholder’s first and last name, payment card number, and security code.   If you used a payment card at any of our locations between the dates of February 6, 2017 and February 23, 2017, your payment card information may be at risk.  Because we are unable to determine contact information for each customer whose information may be at risk, we are notifying our customers of this risk in this Substitute Notice.  What information was involved? For those customers who used a payment card at our location(s) between the dates of February 6, 2017 and February 23, 2017, the information the intruder had access to included the cardholder’s first and last name, card number and security code."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67641","2017","38.104086","-122.256637" "April 20, 2017","Fashion Fantasy Game","Manhattan","New York","HACK","BSO","15,000","""It never seems to end. 
We've seen every service from LinkedIn to Tumblr being successfully targeted by attackers who then tried to sell millions of user accounts online, hotel chains admit to malware infections which lead to customer card details being swiped, and social media networks are fighting a constant battle to keep valuable user data out of the wrong hands. In yet another example of a data breach, eyes have recently turned to a fashion gaming website which appears to have either ignored or is completely unaware of compromise. Fashion Fantasy Game is an online game and social network for fashion lovers. The platform, developed by fashion designer Nancy Ganz, allows users to design and sell virtual fashion items in their own online fashion businesses, manage currency and market them to other virtual retailers. Over 15,000 people follow the game on Facebook, but the community does not appear to be very active. However, despite this, the information of both past and present users has been exposed in a data breach.""","Media","http://www.zdnet.com/article/amid-data-breach-responsibility-thrown-to-the-wind/","2017","40.783060","-73.971249" "April 12, 2017","Schoolzilla","Oakland","California","HACK","BSO","1,300,000","""More than a million American students had their information exposed this month in a data breach at a California-based company that offers data services to kindergarten through 12th-grade schools. A student data warehouse platform, Schoolzilla first acknowledged the breach on April 12 in a message on its website, informing customers: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.” The researcher, Chris Vickery of the Kromtech Security Research Team, told the Daily Dot this week that he discovered the Schoolzilla breach in early April while scanning the web for an “all too common” misconfiguration in Amazon cloud storage devices (Amazon S3 buckets). The storage device discovered by Vickery 
included a database that contains the personal information of approximately 1.3 million students in the United States, including some Social Security numbers. The researcher was unable to provide the Dot with evidence of the breach because he deleted the database from his own computer shortly after realizing the leaked data pertained to minors. “The sheer volume of private student data, including [test] scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion,” Vickery said. The Daily Dot was unable to immediately confirm which U.S. schools may have been affected. However, Vickery confirmed (and praised) the swift action of Schoolzilla, which he said corrected the issue and secured the students’ information within 24 hours. “As soon as we learned of it, we immediately fixed the error and confirmed no one accessed any information, other than the researcher,” the company said. Unfortunately, that’s an atypical response. It is a common issue that many companies respond with suspicion when reached by outside security researchers reporting vulnerabilities that expose their customers’ data. In contrast, Schoolzilla responded to his notification appropriately, Vickery said, and took immediate action to secure its data.  “This was the first situation of its kind for them and they reacted professionally,” Vickery said. “It must have been grueling for the CEO to phone each client and relay the unpleasant news, but they did it within only a few days of my report.”","Media","https://www.dailydot.com/layer8/1-3-million-american-students-exposed-data-breach-now-secured/","2017","37.810299","-122.265998" "April 17, 2017","DLD Accountancy","Los Angeles","California","HACK","BSF","0","""We are contacting you regarding a data security incident that occurred on or about March 3, 2017 at DLD Accountancy, LLP .  This incident may have involved some of your personal information.  
Unfortunately, this has become more common over the last few years and has happened to hundreds of CPA firms.  We have been advised that this year particularly the IRS has seen a huge increase in fraudulent attempts than years prior. The IRS has been on high alert to review and address all fraudulent attempts.  Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all of the information that you have entrusted to us.  Please review the information provided in this letter for some steps that you may take to protect yourself against any potential misuse of your information. On or about March 20, 2017, DLD Accountancy, LLP became aware that it was the victim of a cyberattack by which an unknown third party was able to access DLD Accountancy, LLP's computer network and some of its clients’ personal information. The unknown third party accessed our Lacerte 2015 tax software, a product owned by Intuit QuickBooks, and as a result some of your personal information may have been exposed to others, including your first and last name, home address, social security number, and 2015 compensation data.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67648","2017","34.061473","-118.320684" "April 17, 2017","Combat Brands","Lenexa","Kansas","HACK","BSO","0","""We recently learned that we were the victims of a sophisticated cyber-attack that may affect the security of your payment information. We are providing you with information about the incident, steps we are taking in response, and steps you can take to protect against fraud should you feel it is appropriate. What Happened? On January 25, 2017, we began investigating some unusual activity reported by our credit card processor.  We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems.  
On February 23, 2017, we discovered that we were the victim of a sophisticated cyber-attack that resulted in the potential compromise of some customers’ debit and credit card data used at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com between July 1, 2015 and February 23, 2017. Since that time, we have been working with third-party forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards.  We removed the malware at issue to prevent any further unauthorized access to customer debit or credit card information.  We are also working with the Federal Bureau of Investigations to investigate this incident.  You can safely use your payment card at our websites. What Information Was Involved? Through the ongoing third-party forensic investigations, we confirmed on February 23, 2017 that malware may have stolen credit or debit card data from some credit and debit cards used at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com between July 1, 2015 and February 23, 2017. The information at risk as a result of this event includes the cardholder’s name, address, card number, expiration date and CVV.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67664","2017","38.933861","-94.769604" "April 19, 2017","Northrop Grumman Systems Corporation","San Diego","California","HACK","BSO","0","""We are writing to follow up on an email we recently sent you about an issue that may have affected your personal information.  What Happened? Equifax Workforce Solutions (aka TALX), our W-2 online portal provider, recently confirmed that an unauthorized third party(ies) gained access to its portal during various time periods from April 18, 2016 through March 29, 2017, and may have accessed your personal information and downloaded a copy of your 2016 W-2 form.  
What Information Was Involved? The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67691","2017","32.715738","-117.161084" "April 20, 2017","Campbell Union High School District","Campbell","California","HACK","EDU","0","""What Happened: Sometime between 3/30/2017 and 4/6/2017 district computers were tampered with allowing unauthorized access to district file servers. What Information Was Involved: This matter was immediately and thoroughly investigated by Campbell Union High School District technology staff and results of that investigation have been shared with law enforcement. Campbell Union High School District is committed to safeguarding your personal information and is taking immediate steps to enhance security measures.  Accordingly, Campbell Union High School District is reviewing and improving its processes for handling data, and we have reiterated to our staff the importance of carefully handling confidential information to protect your privacy.""  ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67731","2017","37.287165","-121.949957" "April 24, 2017","Los Angeles City Employees Retirement System","Los Angeles","California","DISC","GOV","0","""What happened? We recently learned that an email attachment containing personally identifiable information was accessed by one individual who received it inadvertently from a LACERS’ staff member. The error was discovered the same day it occurred and the person who received the file was immediately instructed to delete the email containing the attachment. 
This person has confirmed that the attachment was deleted in response to these instructions.  What information was involved? The information contained in the email attachment included member social security numbers, names, addresses, and date of death information, if applicable.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67761","2017","34.051933","-118.245720" "April 26, 2017","Chipotle Mexican Grill","Denver","Colorado","HACK","BSO","0","""Popular Mexican food chain Chipotle is warning customers about a data breach. The company says it recently found unauthorized activity on a network used for payment processing in its restaurants. Chipotle immediately launched an investigation, and believes it has stopped the unauthorized activity. Additional security measures have also been put in place. Investigators are focusing on payment card transactions made in restaurants between March 24 and April 18 of this year. Chipotle says the investigation is still ongoing, but it does plan to notify affected customers. As a reminder, Chipotle says you should always monitor your payment card statements and contact your bank if you see any suspicious charges.""","Media","http://wfla.com/2017/04/26/chipotle-investigating-security-breach/","2017","39.739236","-104.990251" "April 29, 2017","Larson Studios","Los Angeles","California","HACK","BSO","0","""An anonymous hacker has carried through on a threat to release “Orange Is the New Black” season five episodes online — after Netflix allegedly failed to respond to the cybercriminal’s shakedown demands. Variety was unable to verify the authenticity of the “OITNB” episodes the hacker claimed to have shared on popular file-sharing site the Pirate Bay. The first 10 episodes of season 5 were apparently shared shortly before 6 a.m. ET Saturday, with the 10 files comprising a total of 11.46 gigabytes. 
The hacker, who uses the handle “thedarkoverlord,” published the premiere episode from the upcoming season of “Orange Is the New Black” on Friday to the Pirate Bay. Netflix has set June 9 for the release of season five of “Orange Is the New Black.” It’s possible that the streamer will move up the “OITNB” premiere date now that the bulk of the episodes have leaked. Reps for Netflix did not respond to a request for comment about the latest development. According to “thedarkoverlord,” the hacker or hackers also have obtained unreleased shows from ABC, Fox, National Geographic and IFC. The content appears to have been stolen in an attack on post-production studio Larson Studios in late 2016, according to piracy-news site TorrentFreak. “Thedarkoverlord” explained in an online post that they obtained only the first 10 of the 13 episodes of “OITNB” season 5 because the cyberattack was carried out before the final three installments were available. In a statement Friday, Netflix said: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” It’s not clear what impact the theft and piracy of one of Netflix’s top shows will have. The hacker (or hacker collective) behind the heist has claimed to have made an extortion demand to the company, asking for an unspecified sum of money. However, the motive for purloining and leaking “OITNB” could be more about bragging rights in the cybercrime underworld.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","34.099357","-118.331384" "April 24, 2017","I Love Kick Boxing (ILKB LLC)","Uniondale ","New York","HACK","BSO","0","""WHAT HAPPENED: As a customer of ILKB, we want to inform you of a security concern that has recently arisen. 
On or about March 24, 2017, our third-party cybersecurity team reasonably determined that ILKB was the target of a sophisticated cyber-attack.  As a result of our investigation, it appears that your private information may have been accessed by unauthorized persons intermittently between October 2016 and early January 2017.  We believe an external source obtained unauthorized access to our server and managed to access personal customer information stored on the server. WHAT INFORMATION WAS INVOLVED: We reasonably believe that these unauthorized persons gained access to your private information, including first and last name, street address, email address, credit/debit card number, security code, and expiration date.  We value you as a customer and we have worked diligently with our cybersecurity team to give you confidence in your kickboxing fitness journey with us."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67759","2017","40.720249","-73.583470" "April 28, 2017","Extreme Reach","Needham","Massachusetts","HACK","BSO","0","""What Happened? On February 8, 2017, a small number of employees were targeted by a phishing email, which resulted in those employees' email credentials being compromised.  We immediately launched an investigation, with the assistance of third-party forensic investigators, to determine what happened and what information, if any, may have been accessed or accessible by an unauthorized individual.  As part of this investigation, which is ongoing, we determined on February 15, 2017 that certain employee email accounts were accessed without authorization for a brief period of time. What Information Was Involved? 
As part of our ongoing investigation, we determined on April 10, 2017, that the following information about you was contained in an email account (or associated cloud drive) at the time of the unauthorized access: Social Security number, driver's license number, financial account number, credit card number, passport number, and name.  Again, there is no indication that your information was actually accessed or viewed by the unauthorized individual during the brief period of time the email account was subject to unauthorized access.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67890","2017","42.303954","-71.218480" "May 2, 2017","Sabre Corporation","Southlake","Texas","HACK","BSO","0","""Breaches involving major players in the hospitality industry continue to pile up. Today, travel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments. In a quarterly filing with the U.S. 
Securities and Exchange Commission (SEC) today, Southlake, Texas-based Sabre said it was “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system, described as an inventory management Software-as-a-Service (SaaS) application that “enables hoteliers to support a multitude of rate, inventory and distribution strategies to achieve their business goals.” Sabre said it has engaged security forensics firm Mandiant to support its investigation, and that it has notified law enforcement. “The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.” Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.""","Krebs On Security","https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/","2017","32.941236","-97.134178" "May 2, 2017","American Optometric Association","St. Louis","Missouri","HACK","BSO","0","""Another wave of malicious credit-line openings related to an ongoing suspected data breach are impacting students and doctors of optometry within the past week. These affected parties-like the initial group-report receiving unsolicited, fraudulent applications for Chase Amazon.com Visa cards submitted in their name. 
In some cases, these cards are approved. At the direction of the AOA's Board of Trustees, the AOA apprised federal authorities of the breach, including the U.S. Attorney General's Office (member login required) and Department of Justice. Additionally, the AOA called for a united front among affiliates and others, asking optometric testing organizations and state boards of optometry to immediately discontinue use of SSNs as personal identifiers. This petition resulted in the National Board of Examiners in Optometry (NBEO) eliminating the use of SSNs in favor of ""OE Tracker numbers.""     As of Jan. 26, the NBEO announced that its own months-long investigation into its systems found no evidence of compromised personal information.    To date, the source of the breach is still unknown. The AOA continues to closely follow this situation and will provide updates when possible.""  ","Media","https://www.aoa.org/news/practice-management/credit-breach-continues-grip-on-doctors?sso=y","2017","38.658589","-90.405360" "May 4, 2017","Harrisburg Endoscopy and Surgery Center","Harrisburg","Pennsylvania","HACK","MED","0","""A doctor's office in Dauphin County is notifying patients of a potential records breach. Harrisburg Endoscopy and Surgery Center on Union Deposit Road says it's just precautionary and a cyber forensics team didn't find evidence that information was stolen. The data that could be affected includes names, addresses, birth date and health information.""","Media","http://local21news.com/news/local/dauphin-county-doctors-office-informs-patients-of-possible-records-breach","2017","40.273191","-76.886701" "May 4, 2017","Gannett Co","Tysons Corner","Virginia","HACK","BSO","18,000","""US newspaper and media giant Gannett Co has been targeted by a phishing attack that may have compromised the accounts of as many as 18,000 current and former employees. The group has already stressed that there is currently no indication that any sensitive personal data has been accessed as 
part of the phishing attack, although it will be offering credit monitoring to those affected. According to USA Today, which is owned by Gannett Co, the breach was discovered on March 30th when the perpetrator(s) attempted to use one of the compromised accounts for a fraudulent corporate wire transfer request. This was then identified as suspicious by the company’s finance team. Officials claim the data breach stemmed from a malicious email sent to the company’s human resources department. Gannett Co, which also owns another 109 media titles across the United States, is only the latest high-profile victim of a phishing scam, with the incident occurring in the same week as a similar attack on Gmail users.""","Media","https://www.welivesecurity.com/2017/05/04/gannett-co-data-breach-18000-employees-reportedly-affected/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A%20eset/blog%20%28ESET%20Blog%3A%20We%20Live%20Security%29","2017","38.918722","-77.231093" "May 4, 2017","Google Docs","Mountain View","California","HACK","BSO","0","""Recently, many people received a phishing email from a mailinator.com address that was attached to a malicious Google doc. It seemed to be targeting journalists, as well as yours truly. Once the link is clicked, a user is directed to the Google login page, asking for a username and password. Except, the page is not as it seems. The page IS hosted (or was hosted) in Google’s infrastructure of servers, and utilized SSL, making it appear that the user was logging into an actual Google associated web page. 
However, the credentials were handed over to a different server, coded in PHP.""","Media","https://www.welivesecurity.com/2017/05/04/teach-person-phishing/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A%20eset/blog%20%28ESET%20Blog%3A%20We%20Live%20Security%29","2017","37.386052","-122.083851" "May 9, 2017","DRB Systems LLC","Akron","Ohio","HACK","BSO","5,000","""A local car wash isn't the only one around the country telling customers their credit card information may be at risk. Yankee Car Wash & Detailing says it was told on March 27 its point of sale system — operated by third party platform provider DRB Systems LLC — saw an intrusion that likely compromised credit card information of customers between Feb. 8 and March 3. It pointed to a breach that occurred at an Akron-based company that handles point-of-sale equipment and services for car washes around the country. ""To date, the investigation indicated that the intruder placed malware on DRB Systems LLC, and in doing so, most likely gained access to our customers payment card data, including the card holder's name, card number and security code,"" the business said in a statement.","Media","http://www.bizjournals.com/dayton/news/2017/05/09/data-breach-hitting-local-car-wash-follows-string.html","2017","41.081445","-81.519005" "May 2, 2017","McDavid Inc","Woodridge","Illinois","HACK","BSO","0","""McDavid, Inc. (""McDavid"") values and respects your privacy, which is why we are writing to advise you about a recent incident that may affect your personal information, steps that McDavid has undertaken since discovering the incident, and information what you can do to better protect yourself, should you feel it is appropriate to do so.  
On April 6, 2017, McDavid discovered that your personal information may have been affected when an external actor or actors placed hidden code on the McDavid webservers (the ""Incident""). The code may have targeted certain personal information of customers who made credit card purchases via the McDavid webservers between September 5, 2016 and November 11, 2016. The information potentially targeted includes customers' first and last names, billing or mailing addresses, e-mail addresses and credit card information (card holder names, credit card account numbers, expiration months and years and card security codes)."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-67942","2017","41.746975","-88.050341" "October 21, 2009","Brooke Army Medical Center","","Texas","PHYS","MED","1,000","A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR's investigation, the CE notified the local media about the breach. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "October 28, 2009","Mid America Kidney Stone Association, LLC","","Missouri","PHYS","MED","1,000","Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. 
The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR's investigation the CE updated its computer password policy. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "October 30, 2009","Alaska Department of Health and Social Services","","Alaska","PHYS","MED","501","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 17, 2009","Health Services for Children with Special Needs, Inc.","","District Of Columbia","PHYS","MED","3,800","A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated its risk assessment. In addition, all employees received additional security training. 
\ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 20, 2009","Mark D. Lurie, MD","","California","PHYS","MED","5,166","A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 20, 2009","L. Douglas Carlson, M.D.","","California","PHYS","MED","5,257","A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. 
The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 20, 2009","David I. Cohen, MD","","California","PHYS","MED","857","A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. 
Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 20, 2009","Michele Del Vicario, MD","","California","PHYS","MED","6,145","A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. 
Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 20, 2009","Joseph F. Lopez, MD","","California","PHYS","MED","952","A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. 
\ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 23, 2009","City of Hope National Medical Center","","California","PHYS","MED","5,900","A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on laptops. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","36.778261","-119.417932" "November 24, 2009","The Children's Hospital of Philadelphia","","Pennsylvania","PHYS","MED","943","A laptop computer was stolen from a hospital employee’s vehicle. The computer contained the protected health information (PHI) of 943 individuals and included names, contact information, dates of birth, social security numbers, medical record numbers, and health insurance information including diagnosis codes and billing code descriptions. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE accelerated and completed implementation of a pre-existing plan to encrypt all hospital laptops. Additionally, the CE revised its information security policies and retrained its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "November 25, 2009","Cogent Healthcare, Inc.","","Tennessee","PHYS","MED","6,400","A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "December 8, 2009","Democracy Data & Communications, LLC (","","Virginia","UNKN","MED","83,000","In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. 
In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "December 10, 2009","Kern Medical Center","","California","PHYS","MED","596","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "December 11, 2009","Rick Lawson, Professional Computer Services","","North Carolina","PHYS","MED","2,000","The covered entity (CE) changed the business associate (BA) it used as its information technology vendor. During the transition, a workforce member of the outgoing BA entered the CE's computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. The BA also removed the CE's backup program and deactivated all of its antivirus software. The breach affected approximately 2,000 individuals. 
The protected health information (PHI) involved in the breach included patients' names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CE's master system and enabled direct controls for the CE. A new server was installed with no ties to the previous BA. The new BA corrected the CE's passwords and settings, mitigating the issues caused by the previous vendor. The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule. As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees. \ \ \ Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "December 15, 2009","Detroit Department of Health and Wellness Promotion","","Michigan","PHYS","MED","10,000","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "December 15, 2009","University of California, San Francisco","","California","UNKN","MED","610","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2009","40.760537","-73.978890" "January 7, 2010","Daniel J. 
Sigman MD PC","","Massachusetts","PHYS","MED","1,860","Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. \ Location of breached information: Electronic Medical Record, Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 8, 2010","Service Benefits Plan Administrative Services Corp","","District Of Columbia","PHYS","MED","3,400","The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. 
The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. \ \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 8, 2010","Massachusetts Eye and Ear Infirmary","","Massachusetts","PHYS","MED","1,076","Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals. The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card. OCR reviewed the CE's breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 11, 2010","Merkle Direct Marketing","","Maryland","PHYS","MED","15,000","The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 12, 2010","Kaiser Permanente Medical Care Program","","California","PHYS","MED","15,500","An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entity's (CE) employee. The ePHI involved in the breach included names, medical record numbers, and treatment information. A subset of records may also have included dates of birth, age, gender, and phone numbers. Following the breach, the responsible employee was terminated for violating the CE's policies. OCR obtained assurances of the CE's policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS. In addition, the CE deployed encryption software for removable media. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 14, 2010","United Micro Data","","Idaho","PHYS","MED","2,562","The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. \ Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 15, 2010","Goodwill Industries of Greater Grand Rapids, Inc.","","Michigan","PHYS","MED","10,000","On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. 
The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance. \ Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 18, 2010","Children's Medical Center of Dallas","","Texas","PHYS","MED","3,800","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 19, 2010","Ashley and Gray DDS","","Missouri","PHYS","MED","9,309","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 19, 2010","Concentra","","Texas","PHYS","MED","900","An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entity's (CE) facilities. The ePHI included demographic and clinical data. Following the breach, the CE filed a police report and notified affected patients, HHS and the media. Following OCR's investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases. The CE also implemented physical and technical safeguards for all testing devices that contain ePHI and replaced outdated machines that could not be encrypted. Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted. OCR obtained assurances that the CE implemented the corrective action listed above. 
\ \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 22, 2010","Advocate Health Care","","Illinois","PHYS","MED","812","On November 24, 2009, an Advocate nurse's laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCR's investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 25, 2010","The Methodist Hospital","","Texas","PHYS","MED","689","An unencrypted laptop computer was stolen from the covered entity's unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 27, 2010","University of California, San Francisco","","California","PHYS","MED","7,300","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 28, 2010","Carle Clinic Association","","Illinois","PHYS","MED","1,300","\N Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 5, 2010","Health Behavior Innovations (HBI)","","Utah","PHYS","MED","5,700","A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entity's (CE) locked medical office. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers. Following OCR's investigation, the CE improved its physical safeguards and retrained employees. 
Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 10, 2010","Center for Neurosciences","","Arizona","PHYS","MED","1,100","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 16, 2010","Blue Cross Blue Shield of RI","","Rhode Island","UNKN","MED","528","On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud. \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 17, 2010","MSO of Puerto Rico","","Puerto Rico","PHYS","MED","605","The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. 
As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. \ \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 17, 2010","MSO of Puerto Rico, Inc. ","","Puerto Rico","PHYS","MED","1,907","The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. \ \ \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 18, 2010","Cardiology Consultants/Baptist Health Care Corporation","","Florida","PHYS","MED","8,000","A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. 
The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities. \ \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 19, 2010","State of TN, Bureau of TennCare","","Tennessee","PHYS","MED","3,900","The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 21, 2010","Lucille Packard Children's Hospital","","California","UNKN","MED","532","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 23, 2010","University of New Mexico Health Sciences Center","","New Mexico","UNKN","MED","1,900","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 23, 2010","Advanced NeuroSpinal Care","","California","PHYS","MED","3,500","A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "February 25, 2010","Central Brooklyn Medical Group, PC","","New York","PHYS","MED","500","OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 1, 2010","Shands at UF","","Florida","PHYS","MED","12,580","A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. 
As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 3, 2010","Thrivent Financial for Lutherans","","Wisconsin","PHYS","MED","9,500","On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 3, 2010","North Carolina Baptist Hospital","","North Carolina","PHYS","MED","554","An employee’s car was broken into and a tote bag, which had a paper spreadsheet containing protected health information (PHI), was stolen. 
The spreadsheet contained PHI pertaining to 554 patients and included patients’ names, ages, weight, race, social security numbers, and blood and tissue typing. The covered entity (CE), North Carolina Baptist Hospital, provided breach notification to HHS, affected individuals, and the media, and offered affected individuals a year of credit monitoring services along with a toll-free number to contact. Following the breach, the CE reviewed the applicable policies and procedures with the clinic responsible, revised the spreadsheet to no longer include patients’ social security numbers, and counseled and warned the involved employee about the requirements for properly safeguarding PHI. Additionally, the Chief Executive Officer of the Medical Center emailed all employees to re-educate them about the importance of properly safeguarding PHI and the expectations for compliance and commitment to adhering to federal and state privacy and security laws. As a result of OCR’s investigation, the CE provided an alternate, secure way to electronically access the clinic spreadsheet, installed video cameras in the parking dock, and externally inspected employee vehicles to assure no PHI was visible. The CE established a Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 9, 2010","Montefiore Medical Center","","New York","PHYS","MED","625","An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. 
Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 10, 2010","Ernest T. Bice, Jr. DDS, P.A.","","Texas","PHYS","MED","21,000","Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. 
\ Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 17, 2010","Lee Memorial Health System","","Florida","UNKN","MED","3,800","The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures. \ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 18, 2010","Laboratory Corporation of America/Dynacare Northwest, Inc.","","Washington","PHYS","MED","5,080","A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 23, 2010","Mount Sinai Medical Center","","Florida","PHYS","MED","2,600","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 26, 2010","Griffin Hospital","","Connecticut","HACK","MED","957","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "March 27, 2010","Hypertension, Nephrology, Dialysis and Transplantation, PC","","Alabama","PHYS","MED","2,465","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 1, 2010","Laboratory Corporation of America / US LABS / Dianon Systems, Inc","","Arizona","PHYS","MED","2,773","An external hard drive containing ePHI of 2,773 individuals was stolen. The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers. CE advises OCR that notice to the individuals went out April 13 and 14, 2010. The media (St. Petersburg Times) was notified. CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 2, 2010","University of Pittsburgh Student Health Center","","Pennsylvania","PHYS","MED","8,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 5, 2010","VHS Genesis Lab Inc. ","","Illinois","PHYS","MED","6,800","The covered entity (CE), VHS Genesis Lab, Inc., misplaced a month’s worth of client invoices which were never located. The invoices contained the protected health information (PHI) of over 500 individuals and included names, dates of birth, and medical testing information. The CE provided breach notification to HHS, affected individuals and the media, and placed notice on its website. Following the breach, the CE arranged for a business associate to handle the mailing of invoices. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 5, 2010","Providence Hospital","","Michigan","UNKN","MED","83,945","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 9, 2010","Pediatric Sports and Spine Associates","","Texas","PHYS","MED","955","An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the protected health information of approximately 955 individuals. 
The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 9, 2010","McKesson Information Solutions, LLC","","Georgia","UNKN","MED","660","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 14, 2010","Affinity Health Plan, Inc.","","New York","PHYS","MED","344,579","Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. 
Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR's investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent, said OCR Director Leon Rodriguez. 'HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information.' In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI. 
\ Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 16, 2010","Tomah Memorial Hospital","","Wisconsin","UNKN","MED","600","A nurse impermissibly used the protected health information (PHI) of approximately 600 patients to obtain narcotics from the covered entity (CE), Tomah Memorial Hospital, for her own use. The PHI involved in the breach included patients’ names and account numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by creating a monthly audit of Schedule II narcotics, matched to the dispense log, medical order, and bill. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee’s employment. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 19, 2010","Praxair Healthcare Services, Inc. (Home Care Supply in NY)","","Connecticut","PHYS","MED","54,165","A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. 
Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 20, 2010","Massachusetts Eye and Ear Infirmary","","Massachusetts","PHYS","MED","3,594","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 21, 2010","Blue Cross & Blue Shield of Rhode Island","","Rhode Island","PHYS","MED","12,000","A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. 
\ \ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","41.580095","-71.477429" "April 22, 2010","South Carolina Department of Health and Environmental Control","","South Carolina","PHYS","MED","2,850","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","33.836081","-81.163725" "April 23, 2010","St. Joseph Heritage Healthcare","","California","PHYS","MED","22,012","22 computers were stolen from Clinical Management Service office. Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and computers enterprise-wide. OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. \ Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","36.778261","-119.417932" "April 24, 2010","John Muir Physician Network","","California","PHYS","MED","5,450","Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. 
The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed encryption software and increased physical security. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","36.778261","-119.417932" "April 26, 2010","Medical Center At Bowling Green","","Kentucky","PHYS","MED","5,148","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.839333","-84.270018" "April 27, 2010","UnitedHealth Group health plan single affiliated covered entity","","Minnesota","PHYS","MED","735","On March 2, 2010, the covered entity (CE), UnitedHealth Group, discovered that remittance forms containing member information which accompany paper checks were stolen. The invoices contained the protected health information (PHI) of over 735 individuals. The types of PHI included demographic and claims information. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with credit monitoring services. Following the breach, the CE reviewed its payment and remittance information controls and notified its provider call centers to remain on a high level alert to monitor all remittance payments. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","46.729553","-94.685900" "April 27, 2010","TOWERS WATSON","","Virginia","PHYS","MED","1,874","A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI) while transporting the disks between two BA offices. The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals. The BA notified all affected individuals and provided two years of enhanced credit services. The CE notified HHS and the media and posted substitute notice on its website. The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files. After OCR's investigation, the CE updated its privacy and breach notification policies and procedures. 
\ \ Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 28, 2010","South Texas Veterans Health Care System","","Texas","PHYS","MED","1,430","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 29, 2010","Rockbridge Area Community Services","","Virginia","PHYS","MED","500","\N Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "April 29, 2010","Millennium Medical Management Resources, Inc.","","Illinois","PHYS","MED","180,111","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 5, 2010","Miami VA Healthcare System","","Florida","PHYS","MED","568","A covered entity's (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered. The PHI affected by the breach included names and partial social security numbers. Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books. Following OCR's investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI. Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards. 
Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals' accounting log. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 5, 2010","VA Eastern Colorado Health Care System","","Colorado","PHYS","MED","649","A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 11, 2010","Heriberto Rodriguez-Ayala, M.D.","","Texas","PHYS","MED","4,200","An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle. The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers. The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media. 
As a result of OCR's investigation, the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 13, 2010","Georgetown University Hospital","","District Of Columbia","PHYS","MED","2,416","An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. \ Location of breached information: Email, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 13, 2010","Silicon Valley Eyecare Optometry and Contact Lenses","","California","PHYS","MED","40,000","A computer network server and a television were stolen from the covered entity (CE), Silicon Valley Eyecare. The CE’s network server contained the electronic protected health information (ePHI) of approximately 40,000 individuals and included demographic information, social security numbers, diagnoses, and insurance information. 
The CE investigated the incident and provided breach notification to HHS, affected individuals, and media. As a result of OCR’s investigation, the CE provided its most recent risk analysis, risk management plan, security training program, and policies and procedures regarding administrative, physical and technical safeguards. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 14, 2010","Heritage Health Solutions","","Texas","PHYS","MED","656","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 20, 2010","Oconee Physician Practices","","South Carolina","PHYS","MED","653","On May 9, 2010, the covered entity (CE), Oconee Physician Practices, discovered that a password-protected, unencrypted laptop computer used for EKG testing was missing from its facility. The loss potentially exposed the demographic and clinical information of 653 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved safeguards by changing access codes and physical locks to the building and retrained its workforce on the importance of password protection and laptop security. The CE developed a plan to create a stronger policy for asset tracking, accountability, and activity monitoring and upgrade its procedures for password strength, automatic log-off capabilities, and limiting the number of sign-on attempts. The CE also developed a plan to encrypt laptops and other portable media containing electronic protected health information (ePHI). OCR reviewed the CE’s policies and procedures and supporting documents. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 20, 2010","University of Rochester Medical Center and Affiliates","","New York","UNKN","MED","2,628","The covered entity (CE), University of Rochester Medical Center and Affiliates, reported that on April 19, 2010, 2,628 patient billing statements for Strong Memorial Hospital were sent to the wrong patients. The statements contained patients’ names, addresses, guarantors’ names, guarantors’ addresses, dollar amounts owed, health insurance plans, subscriber numbers, social security numbers, general descriptions of services rendered (such as inpatient room charge, outpatient visit charge, physical therapy, laboratory, pharmacy, radiology, etc.) and dates of service. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE established a numerical counter to ensure that the numbers of statements that run through the folding machine are matching the numbers of statements that are printing. In addition, a report was added to the statement bundles distributed by the printing center that identifies the number of pages printed for each statement run. Further, a quality control process was put into place where a second staff member manually inspects stuffed envelopes on a random basis to ensure that the correct number of pages are inserted as well as verifying that the contents are all for the same patient. As a result of OCR investigation, OCR reviewed a copy of the CE’s risk assessment and policies and procedures relating to uses and disclosures of protected health information (PHI) and safeguarding PHI. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.712784","-74.005941" "May 21, 2010","Omaha Construction Industry , Privacy Manager Breach","","Nebraska","PHYS","MED","800","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","41.492537","-99.901813" "May 24, 2010","City of Charlotte, NC (Health Plan)","","North Carolina","PHYS","MED","5,220","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","35.759573","-79.019300" "May 25, 2010","VA North Texas Health Care System","","Texas","PHYS","MED","4,083","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 26, 2010","Rainbow Hospice and Palliative Care","","Illinois","PHYS","MED","1,000","An employee's laptop was stolen out of her bag while she was making an admission visit in a patient's home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. 
Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.633125","-89.398528" "June 1, 2010","Occupational Health Partners","","Kansas","PHYS","MED","1,105","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","39.011902","-98.484247" "June 1, 2010","University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program","","Kentucky","HACK","MED","708","An outside computer’s unique numerical code (Internet Protocol address) accessed the covered entity’s (CE) website which contained a database containing the protected health information of 708 patients. The types of PHI involved in the breach included names, social security numbers, and treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE disabled the website containing the breached PHI. As a result of OCR’s investigation, the CE removed social security numbers from its site, added a time out feature, retrained staff, and completed a risk assessment. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 1, 2010","Cincinnati Childrens Hospital Medical Center ","","Ohio","PHYS","MED","60,998","An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce member's car. The ePHI stored on the laptop included names, medical record numbers, and services received. The covered entity (CE) provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees. OCR obtained assurances that the CE implemented the corrective action listed above. \ \ \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 3, 2010","AvMed, Inc.","","Florida","PHYS","MED","1,220,000","Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 4, 2010","Nihal Saran, MD ","","Michigan","PHYS","MED","2,300","A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 4, 2010","Siemens Medical Solutions, USA, Inc","","Pennsylvania","PHYS","MED","130,495","The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CD's, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. 
Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 4, 2010","UnitedHealth Group health plan single affiliated covered entity","","Minnesota","UNKN","MED","16,291","Paper correspondence to certain members in UnitedHealth's prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. \ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 8, 2010","St. 
Jude Children's Research Hospital","","Tennessee","PHYS","MED","1,745","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 9, 2010","DentaQuest","","Massachusetts","PHYS","MED","10,515","A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
\ \ Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 14, 2010","Comprehensive Care Management Corporation","","New York","PHYS","MED","1,020","OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI. Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 14, 2010","The Children's Medical Center of Dayton","","Ohio","UNKN","MED","1,001","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "May 12, 2017","Brooks Brothers","New York","New York","HACK","BSO","0","""U.S. 
clothing company Brooks Brothers said on Friday payment card information of certain customers were compromised at some of its retail locations in the United States and Puerto Rico over 11 months until March. The company said that an unauthorized individual was able to gain access to and install malicious software designed to capture card information on some of its payment processing systems at the locations. Some customers who shopped at certain Brooks Brothers and Brooks Brothers Outlet retail locations between April 4, 2016 and March 1, 2017 were affected, the company said. Brooks Brothers said the malicious software could have affected payment card data – including names, payment card account numbers, card expiration dates and card verification codes. However, the company said no sensitive personal information, such as Social Security numbers or customer addresses, was impacted. Brooks Brothers, which operates over 400 stores worldwide, said it had engaged independent forensic experts and alerted law enforcement after being informed of the breach.""","Media","http://www.reuters.com/article/us-brooks-brothers-cyber-idUSKBN1882QU","2017","40.712784","-74.005941" "May 10, 2017","Bronx Lebanon Hospital Center","New York","New York","DISC","MED","7,000","""Medical records of at least 7,000 people compromised in a data breach involving Bronx Lebanon Hospital Center in New York disclosed patients' mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports, according to records reviewed by NBC News. Other information in the compromised records, which online security experts said spanned 2014 to 2017, included names, home addresses, addiction histories and religious affiliations. Bob Diachenko, a security researcher with MacKeeper Security Research Center, told NBC News on Tuesday the leak was caused by a misconfigured Rsync backup server hosted by iHealth, a Louisville, Kentucky-based company that offers records management 
technology. It's unclear how long the records were exposed, but ""if you visited BLHC during that period of time, your patient history was probably there,"" Diachenko said.""","Media","http://www.nbcnews.com/news/us-news/thousands-patient-records-leaked-hospital-data-breach-n756981","2017","40.712784","-74.005941" "May 15, 2017","DocuSign","San Francisco","California","HACK","BSO","0","""DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign. San Francisco-based DocuSign warned on May 9 that it was tracking a malicious email campaign where the subject line reads, “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature.” The missives contained a link to a downloadable Microsoft Word document that harbored malware. The company said at the time that the messages were not associated with DocuSign, and that they were sent from a malicious third-party using DocuSign branding in the headers and body of the email. But in an update late Monday, DocuSign confirmed that this malicious third party was able to send the messages to customers and users because it had broken in and stolen DocuSign’s list of customers and users. “As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email,” DocuSign wrote in an alert posted to its site. 
“A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.” The company is asking people to forward any suspicious emails related to DocuSign to spam@docusign.com, and then to delete the missives. “They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net,” reads the advisory. If you have reason to expect a DocuSign document via email, don’t respond to an email that looks like it’s from DocuSign by clicking a link in the message. When in doubt, access your documents directly by visiting docusign.com, and entering the unique security code included at the bottom of every legitimate DocuSign email. DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file in an email. DocuSign was already a perennial target for phishers and malware writers, but this incident is likely to intensify attacks against its users and customers. 
DocuSign says it has more than 100 million users, and it seems all but certain that the criminals who stole the company’s customer email list are going to be putting it to nefarious use for some time to come.""","Krebs On Security","https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/","2017","37.774930","-122.419416" "May 12, 2017","Massood & Company, P.A.","Totowa","New Jersey","HACK","BSF","0","""What Happened? On March 28, 2017, Massood & Company, PA (“Massood”) received reports of issues with certain client’s 2016 tax filings. Massood immediately launched an investigation and determined, through this investigation, that it was the target of a data security incident that affected the security of some personal information for certain clients. Massood has been working diligently, with the assistance of third party forensic investigators, to determine the full nature and scope of this incident. Through the investigation, Massood has determined that an unauthorized actor or actors had gained unauthorized access to Massood’s network and, consequently, to some personal information of certain Massood clients. The investigation has determined that the unauthorized actor(s) may have had access to Massood’s system from February 17, 2017 to March 28, 2017. What Information Was Involved? The information relating to you that was present on the affected systems may include the following categories of information: (1) name; (2) address; (3) Social Security number; (4) wage/salary information; and (5) date of birth.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Massood%20&%20Company,%20PA%20SBN%20to%20Consumers.pdf","2017","40.895398","-74.225763" "May 11, 2017","Snake River Farms","Boise ","Idaho","HACK","BSO","0","""Agri Beef Co. 
(“Agri Beef”) is writing to inform you of a data security incident that may have exposed some of your personally identifiable information (“PII”) submitted to our website snakeriverfarms.com (“Snake River Farms”). What Happened? Gorilla Group, a third-party partner that hosts Snake River Farms servers, advised us that a data security incident occurred during the window of November 22, 2016 to April 4, 2017, and Gorilla Group notified Agri Beef of the incident on April 5, 2017. During the window, a third party may have gained access to snakeriverfarms.com with the intent to obtain certain PII. The PII compromised includes: customer names, email addresses, billing addresses, telephone numbers, credit card/debit card numbers, credit card/debit card security codes and expiration dates, the credit card type, and the date of the transaction. After learning of the data breach on April 5, 2017, we have been working, with the aid of outside resources, to help you avoid and/or minimize as much as possible, any negative consequences. Our notification has not been delayed as a result of any law enforcement investigation. What Information Was Involved? The potentially compromised information relates to your transactions on the Snake River Farms website. As explained above, PII that may have been compromised includes: customer names, email addresses, billing addresses, telephone numbers, credit card/debit card numbers, credit card/debit card security codes and expiration dates, the credit card type, and the date of the transaction. 
Compromised information could be used to attempt to fraudulently charge your credit or debit card.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Dorsey%20&%20Whitney%20LLP%20SNB%20to%20Consumers.pdf","2017","43.615804","-116.220692" "May 11, 2017","Intuit","San Diego","California","HACK","BSF","0","""We are writing to notify you that, during a security review on [insert date], we determined that your TurboTax account may have been accessed by an unauthorized party.  Promptly after discovering the issue, we conducted an investigation and took steps to secure your accounts. Based on our investigation, it appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source.  The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Intuit-Turbo%20Tax%20SBN%20to%20Consumers.pdf","2017","32.715738","-117.161084" "May 5, 2017","Horizon Media, Inc.","New York","New York","HACK","BSO","0","""We are writing to inform you of a recent incident affecting certain of your personal information.  Regrettably, on or about March 30, 2017, an employee of Horizon Media, Inc. (""Horizon"") was the target and victim of a sophisticated phishing attack by an unknown, unauthorized third party.  That event led to the targeting of several additional Horizon employees through similar phishing emails on April 10, 2017.  
These emails resulted in the compromise of the personal information of certain Horizon employees and those employees' dependents and beneficiaries.  While the April 10 emails were discovered shortly after they were sent and Horizon took preventative measures, Horizon did not learn that any personal information had been compromised until April 12, 2017.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Horizon%20Media_%20Inc%20SBN%20to%20Consumers.pdf","2017","40.723415","-74.006843" "May 4, 2017","Diamond Institute For Infertility & Menopause","Millburn","New Jersey","HACK","MED","0","""On February 27, 2017 we discovered that an unknown individual had gained access to the third-party server containing our electronic health records database.  Although the database and your electronic health records were encrypted and remain secure, certain support documents may have been accessible.  We immediately conducted an investigation and it was determined that the support documents may have contained your name, address, date of birth, Social Security number, lab results, and sonograms.  Law enforcement has been notified and we are cooperating with their investigation.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Diamond%20Institute%20for%20Infertility%20and%20Menopause%20SBN%20to%20Consumers.pdf","2017","40.722776","-74.286795" "May 2, 2017","Pratt Industries, Inc. ","Conyers","Georgia","HACK","BSO","0","""This follows on the information you were recently provided wherein you were advised that Pratt Industries, Inc. (""Pratt Industries"") recently discovered that we were the target of a criminal cyber-attack that impacted certain of your personal information.  
We value and respect your privacy, which is why we are writing to advise you of the steps that Pratt Industries has undertaken since discovering the incident and to provide you with information on what you can do to better protect yourself, should you feel it is appropriate to do so. On April 19, 2017 a phishing attack directed at Pratt Industries resulted in the disclosure of your first and last name, Social Security number and compensation information. Upon discovering the incident on April 19, 2017, Pratt Industries promptly notified local law enforcement, the Federal Bureau of Investigation and the Criminal Investigation Division of the Internal Revenue Service, and we are continuing to cooperate in their respective investigations into this incident."" ","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Pratt%20Industries%20SBN%20to%20Consumers.pdf","2017","33.667610","-84.017690" "May 2, 2017","Hill Country Memorial Hospital ","Federicksburg","Texas","HACK","MED","0","""Hill Country has recently learned that, on February 21, 2017, the email account of an employee in our emergency room department was accessed by an unauthorized individual not affiliated with Hill Country.  Our investigation to date suggests that the individual used his access to the email account only for the purpose of submitting fraudulent invoices to our accounts payable department for payment.  However, we cannot confirm which, if any, emails in the account the individual accessed and whether there was any resulting acquisition, access, use, or disclosure of your personal information, but it is possible.  Therefore, out of an abundance of caution, we are notifying all potentially affected individuals about this issue. 
In that regard, it is possible that the individual may have had access to email(s) containing your following information.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Hill%20Country%20Memorial%20Hospital%20SBN%20to%20Consumers.pdf","2017","38.303184","-77.460540" "June 18, 2010","University of Kentucky","","Kentucky","PHYS","MED","2,027","A laptop computer containing the protected health information (PHI) of approximately 2,027 individuals was stolen from the covered entity (CE), University of Kentucky, Department of Pediatrics. The information was part of the New Born Screening Program sent to that department by the state screening program. The types of PHI involved in the breach included demographic information, specifically, names, addresses, dates of birth, social security numbers, and other identifiers, and clinical information. As a result of OCR’s investigation the CE provided OCR with an updated status report of its encryption project that it had previously reported as one of its corrective measures. It also trained workforce members on encryption of computing devices and provided reminders to workforce members about its facility locking procedures. Additionally, the CE provided a report of its information security assessment with details of security gaps as evidence of its risk analysis, along with recommendations for remediation of the gaps identified in the assessment. The CE also improved physical safeguards. The CE provided documentation of compliance with the applicable notification provisions of the Breach Notification Rule. It also updated its accounting of disclosures policy, and drafted a new policy relating to accounting of disclosures regarding breach incidents. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 21, 2010","alma aguado md pa","","Texas","PHYS","MED","600","OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office. The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 21, 2010","Augusta Data Storage, Inc","","Georgia","PHYS","MED","14,000","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 22, 2010","University Health System","","Nevada","PHYS","MED","7,526","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 24, 2010","Aramark Healthcare Support Services, LLC","","Pennsylvania","UNKN","MED","937","A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. 
In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. \ Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 28, 2010","Mary M. Desch,MD/PathHealer, LTD","","Arizona","PHYS","MED","5,893","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "June 29, 2010","Children's Hospital & Research Center at Oakland","","California","UNKN","MED","1,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 2, 2010","Centerstone","","Tennessee","PHYS","MED","1,537","A major flooding event damaged a building where the CE operated its school-based program offices. The flooding was so significant that the area was deemed a federal disaster area. An estimated 1,537 individuals were affected by the loss of data due to flood damage. The types of PHI involved were names, addresses, dates of birth, and social security numbers. After the flood, the CE attempted to collect as much PHI as it could from the site but access was limited by authorities because the building was deemed toxic and salvage cleanup commenced prior to the CE's ability to access the building. PHI in paper format was either washed away or disposed of during salvage procedures. 
Computers and equipment in the building were destroyed by water damage. Because the CE relied primarily on their electronic health records stored on an offsite server, medical data was still intact for continuity of care purposes. The CE provided breach notification to individuals, HHS, and the media, and posted substitute notice on its website. The CE has since moved its school-based operations to a CE owned facility. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 6, 2010","Care 1st Health Plan","","California","PHYS","MED","29,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 7, 2010","NYU Hospitals Center","","New York","PHYS","MED","2,563","The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians' names, anesthesiologists' names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE stopped using USB drives and local desktop computers for data storage. 
In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 7, 2010","Long Island Consultation Center","","New York","PHYS","MED","800","The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 8, 2010","SunBridge Healthcare Corporation","","New Mexico","PHYS","MED","3,830","A laptop computer containing the electronic protected health information (EPHI) of 3,830 individuals was stolen out of a workforce member’s vehicle. 
The types of ePHI included names, birthdates, social security numbers, claims information, financial information, diagnoses/conditions, medications, lab results, and other treatment information. The covered entity (CE), SunBridge Healthcare Corporation, provided breach notification to HHS, affected individuals, and the media, and provided individuals with identity theft protection services. As a result of OCR’s investigation the CE updated its risk analysis, re-educated its workforce members on proper laptop security protocols, and installed encryption software to protect ePHI. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 8, 2010","University of Florida","","Florida","UNKN","MED","2,047","The covered entity (CE), University of Florida Department of Epidemiology and Health Policy Research, mailed approximately 2,047 letters that contained an identifier on the address label that was an adaptation of either a child’s social security number or Medicaid identification number. The types of protected health information (PHI) involved in the breach included names, social security numbers, or Florida Medicaid numbers of the patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE recalled the faulty files from the printing company and the medical survey company and updated its procedures and forms to ensure that data is handled in accordance with the Privacy Rule. The CE provided OCR with its 2011 Training Schedule for Research Coordinators at the Institute of Child Health Policy (ICHP). Included in this year-long training is a section dedicated to Regulatory Compliance, including the importance of HIPAA and data security. The CE also sanctioned the employees involved in the breach. 
OCR’s investigation resulted in the CE improving its physical safeguards and retraining employees. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 9, 2010","Governor's Office of Information Technology","","Colorado","PHYS","MED","105,470","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 15, 2010","Prince William County Community Services (CS)","","Virginia","PHYS","MED","669","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 17, 2010","UnitedHealthcare Insurance Company ","","Minnesota","UNKN","MED","1,097","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 19, 2010","Iron Mountain Data Products, Inc. (now known as ","","Pennsylvania","PHYS","MED","800,000","\N Location of breached information: Electronic Medical Record, Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 23, 2010","Montefiore Medical Center","","New York","PHYS","MED","16,820","Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). 
The ePHI included medical record numbers, dates of birth, admission/discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provided substitute notification by posting on its website. As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.712784","-74.005941" "July 23, 2010","Medina OB/GYN Associates, Inc","","Ohio","PHYS","MED","1,200","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 23, 2010","The University of Texas at Arlington","","Texas","HACK","MED","27,000","A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. 
Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. \ Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 23, 2010","DC Chartered Health Plan, Inc","","District Of Columbia","PHYS","MED","540","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 28, 2010","Charles Mitchell MD","","Texas","PHYS","MED","6,873","A burglary occurred at the covered entity's (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 30, 2010","Baylor College of Medicine","","Texas","PHYS","MED","1,646","An unencrypted laptop computer was stolen from an administrative office. The laptop contained the protected health information (PHI) of approximately 1,618 patients (originally reported as 1,646). The types of PHI involved in the breach included the demographic and clinical information of pediatric cardiology patients, including names, medical record numbers, dates of service, diagnoses, and dates of birth. 
Following the breach, the covered entity (CE), Texas Children’s Hospital, and Baylor College of Medicine (which filed a separate breach report) jointly notified the affected individuals and the local media after a delay due to a law enforcement request. As a result of OCR’s investigation, the CE revised several information technology policies and modified physical safeguards. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 30, 2010","Mercer","","","PHYS","MED","1,073","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.090240","-95.712891" "July 30, 2010","Matrix Imaging","","New York","PHYS","MED","2,631","The covered entity's (CE) business associate (BA) sent coverage determination letters to incorrect addresses, affecting 2,631 individuals. The protected health information (PHI) included names, addresses, unique CE identification numbers, and prescription drug information. Following the breach, the CE reprinted all erroneous coverage determination letters with an apology notice and provided breach notification to all affected individuals and HHS. The CE implemented additional policies and procedures to ensure mailing list accuracy. Specifically, the CE implemented a multiple-step quality assurance process and established verification with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. As a result of OCR's investigation, the CE placed a record into its accounting of disclosure records for each individual impacted. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 30, 2010","Carolina Center for Development and Rehabilitation","","North Carolina","PHYS","MED","1,590","The covered entity's (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients' full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver's license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney general's investigation and suspended the responsible staff members. Following OCR's investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 30, 2010","WellPoint, Inc.","","Indiana","HACK","MED","31,700","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "July 30, 2010","Texas Children's Hospital","","Texas","PHYS","MED","694","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 3, 2010","Wright State Physicians","","Ohio","UNKN","MED","1,309","On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.417287","-82.907123" "August 3, 2010","Penn Treaty Network America Insurance Company ","","Pennsylvania","UNKN","MED","560","Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all the mail was correctly delivered. 
It also counseled the responsible employee and updated its policies and procedures. \ Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","41.203322","-77.194525" "August 5, 2010","Jewish Hospital","","Kentucky","PHYS","MED","2,089","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.839333","-84.270018" "August 5, 2010","McKesson Pharmacy Systems LLC","","Georgia","UNKN","MED","11,440","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 5, 2010","Beauty Dental, Inc.","","Illinois","PHYS","MED","657","Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. 
\ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 5, 2010","Fort Worth Allergy and Asthma Associates","","Texas","PHYS","MED","25,000","Several computers, including a server, were stolen during a burglary at the covered entity's (CE) premises. The breach affected approximately 25,000 individuals and included names, addresses, dates of birth, social security numbers, driver license numbers, diagnoses, and conditions. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS. It also improved physical security and began using a new model for its management practices with an off-site encrypted database. After the initiation of OCR's investigation, the CE amended its business associate agreement. \ \ \ Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 5, 2010","Aultman Hospital","","Ohio","PHYS","MED","13,867","A password-protected laptop, which was maintained by the covered entity (CE), Aultman Hospital, was stolen from an employee’s car, which contained the electronic protected health information (ePHI) of approximately 13,867 individuals, including patients’ names, dates of birth, telephone numbers, social security numbers, insurance identification, and health information related to home health services. The CE provided breach notification to HHS, affected individuals, and the media, posted notification of the breach on its website, and reported the theft to the local police department. The CE also offered one year of free credit monitoring services to affected individuals. 
Following the breach, the CE revised its HIPAA policies and procedures, enhanced encryption and updated software on its laptops, sanctioned employee(s) involved in the breach incident, and retrained its workforce on the revised policies and procedures. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 9, 2010","UNCG Speech and Hearing Center","","North Carolina","HACK","MED","2,300","Computer malware was detected on the covered entity’s (CE) unencrypted billing software program, “Therapist Helper.” The CE did not know when the malware entered its system. Approximately 2,300 individuals were potentially affected by this malware virus. The types of protected health information (PHI) involved included demographic, financial (claims information), and clinical information (diagnoses/conditions, medications, lab results, and other treatment information). Following the breach, the CE applied security and privacy safeguards, mitigated harm, and implemented sanctions. The CE also reported working and cooperating with the local law enforcement. As a result of OCR’s investigation, the CE implemented processes and deployed software to detect, prevent, and mitigate malware on its computers, installed new computers and systems to segregate electronic PHI, and implemented additional procedures to increase awareness of and ensure compliance with technical and physical safeguards. The CE also placed an accounting of disclosures in the medical records of the affected individuals, and complied with the applicable notification provisions of the Breach Notification Rule. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 9, 2010","St. John's Mercy Medical Group","","Missouri","PHYS","MED","1,907","Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. \ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 9, 2010","Thomas Jefferson University Hospitals, Inc.","","Pennsylvania","PHYS","MED","21,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 10, 2010","Mercer Health & Benefits","","Idaho","PHYS","MED","5,500","Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. 
The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. \ Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 11, 2010","Ward A. Morris, DDS","","Washington","PHYS","MED","2,698","The covered entity’s (CE), computer server containing the electronic protected health information (ePHI) of 2,698 patients was stolen during an office burglary. The server was password-protected but not encrypted. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, and medical information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice. Following the breach, the CE encrypted all ePHI on computer workstations and servers. As a result of OCR’s investigation, the CE improved its physical safeguards and retrained employees. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 11, 2010","Loma Linda University School of Dentistry","","California","PHYS","MED","10,100","Three password protected desktop computers and an auxiliary hard drive containing electronic protected health information (ePHI) were stolen from the covered entity (CE), Redlands Periodontal Group, Loma Linda University School of Dentistry. The ePHI involved in the breach included the demographic information of 10,100 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE conducted an on-site audit of the periodontal clinic and conducted a risk assessment of the 16 clinics under the purview of the School of Dentistry. The CE improved safeguards by replacing the clinic’s computers with computers that do not contain local hard drive storage, issuing remote access credentials, relocating paper patient charts, and deactivating access to network resources from the periodontal facility. It also decommissioned associated equipment and networks, and disposed of computing equipment used in conjunction with daily operations at the periodontal facility. In addition, the CE retrained staff regarding its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 16, 2010","Chattanooga Family Practice Associates, P.C.","","Tennessee","PHYS","MED","1,711","A physician of the CE lost a flash drive which he routinely used for data backup and remote access to patient data. 
The flash drive contained names, dates of birth and treatment notes for approximately 1,711 patients. Following the breach, the CE notified affected individuals. The CE retrained the physician who lost the flash drive and implemented an organization-wide decision to prohibit storage of protected health information on any removable electronic devices. As a result of OCR’s investigation, the CE notified the media and posted substitute notification on its website. Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","35.517491","-86.580447" "August 18, 2010","Yale University","","Connecticut","PHYS","MED","1,000","An unsecured laptop computer containing sensitive protected health information (PHI) involving the Ryan White Part A program, involving approximately 1,000 individuals, was stolen from an office building on Yale’s premises. The types of PHI contained on the laptop consisted of names, dates of birth, diagnoses/conditions, medications, lab results, and other treatment information. The covered entity (CE) provided breach notification to HHS, the media and affected individuals. Following the breach, the CE installed access card readers for entry to the office suite, inspected the facility’s alarm system, replaced custodial staff, and limited cleaning to office hours. The CE also accelerated the implementation of safeguards created prior to the theft, implemented mandatory encryption for all mobile devices, and created a new system to ensure all employees complete mandatory Privacy and Security Awareness training. The CE also revised several policies and procedures on ePHI security. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","41.603221","-73.087749" "August 20, 2010","Eastmoreland Surgical Clinic, William Graham, DO","","Oregon","PHYS","MED","4,328","Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. \ Location of breached information: Desktop Computer, Laptop, Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","43.804133","-120.554201" "August 20, 2010","Cook County Health & Hospitals System","","Illinois","PHYS","MED","7,081","An employee's laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. 
Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 25, 2010","Pioneer Valley Pathology","","Massachusetts","PHYS","MED","24,750","A Boston Globe employee discovered the unsecured paper medical records of Pioneer Valley Pathology, a group practice with offices inside Holyoke Medical Center (HMC), at a trash transfer station. The breach affected approximately 24,750 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, and medical information. HMC is not the covered entity (CE) responsible for this breach and it filed the breach report in error. OCR provided HMC with technical assistance related to breach notification. OCR opened a compliance review against the CE responsible for this breach. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 25, 2010","SunBridge Healthcare Corporation","","New Mexico","PHYS","MED","1,000","A BlackBerry personal digital assistant device, which stored the protected health information (PHI) of 1,000 patients, was stolen from a workforce member. The types of PHI involved in the breach included names, birthdates, diagnoses/conditions, and other treatment information. 
The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft protection services to the individuals. Following the breach, the CE encrypted and password protected all its Blackberry devices. As a result of OCR’s investigation, the CE changed its Blackberry encryption policy. Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 26, 2010","KPMG LLP","","New York","PHYS","MED","956","OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CE's BA conducted a search of the area. The CE provided breach notification to HHS, the Media and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software to its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "August 27, 2010","NYU School of Medicine--Aging and Dementia Clinical Research Center ","","New York","PHYS","MED","1,200","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 7, 2010","Aon Consulting","","Pennsylvania","UNKN","MED","22,642","The business associate prepared a document as part of a request for proposal for the covered entity's vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. 
\ Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 7, 2010","University of Rochester Medical Center and Affiliates","","New York","PHYS","MED","857","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 8, 2010","Mayo Clinic","","Minnesota","PHYS","MED","1,740","An employee of the covered entity (CE) impermissibly accessed medical records containing the protected health information (PHI) of 1,740 patients for a period of 4 �� years. The PHI affected by the breach included the demographic information of 691 individuals, and both demographic and clinical information of 1,049 individuals. Following the breach, the CE conducted an investigation, terminated the involved employee, re-trained its employees regarding patient privacy and access to PHI, and enhanced its supervision and monitoring of employees' PHI access activities. It also provided breach notification to the affected individuals, HHS, and the media, as well as substitute notice on its website. OCR obtained assurances that the CE completed the voluntary compliance action described above. \ \ Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 8, 2010","Curtis R. 
Bryan, M.D.","","Virginia","PHYS","MED","2,739","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 10, 2010","The Kent Center ","","Rhode Island","PHYS","MED","1,361","A briefcase containing paper documents including the protected health information (PHI) of approximately 1,361 individuals was stolen from an employee’s car. The types of PHI involved in the breach included clients’ names, dates of birth, and for a small number of clients, limited clinical information. The covered entity (CE), The Kent Center, provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE sanctioned the employee involved, revised its confidentiality policy related to safeguarding client lists, and re-trained its employees. Additionally, as a result of OCR’s investigation the CE revised and updated its breach notification policies and reinforced the requirements of the Privacy and Breach Rules to its employees. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 10, 2010","LabCorp Patient Service Center","","Nevada","PHYS","MED","507","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 11, 2010","Pediatric and Adult Allergy, PC","","Iowa","PHYS","MED","19,222","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 15, 2010","Ault Chiropractic Center","","Indiana","PHYS","MED","2,000","Two unencrypted desktop computers and one unencrypted laptop computer storing electronic protected health information (ePHI) of approximately 2,000 individuals were stolen from the covered entity’s (CE) premises during a break-in on September 15, 2010. The ePHI involved in the breach included patients’ names, thermal imaging scans, patients’ contact information, insurance information, and Social Security numbers. The CE investigated the incident and reported the theft to the local police department. It also provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE moved to a new facility with a security system. As a result of OCR’s investigation, the CE developed and implemented a policy and procedure related to compliance with the Breach Notification Rule. 
Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 17, 2010","County of Los Angeles","","California","PHYS","MED","33,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 19, 2010","Matthew H. Conrad, M.D., P.A.","","Kansas","PHYS","MED","1,200","\N Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 20, 2010","CareCore National","","South Carolina","UNKN","MED","1,270","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 21, 2010","Counseling and Psychotherapy of Throggs Neck","","New York","PHYS","MED","9,000","OCR opened an investigation of the covered entity (CE), Counseling and Psychotherapy of Throggs Neck, after it reported that a password protected, unencrypted desktop computer was stolen which contained the protected health information (PHI) of 9,000 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnosis, patient notes and demographics. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE encrypted all of its patient databases and word processing programs on all computers. The CE improved physical safeguards by changing locks and fixing one of the entrance doors to the building to ensure that it automatically closes. 
The CE also placed security guards at all five entrances to the building and installed a video surveillance system. The CE also implemented internal safeguards and a policy to ensure that the last person in the office ensures rooms are vacant and the suite doors are locked upon leaving. As a result of OCR’s investigation the CE agreed to include effective dates and revision dates on its policies and to include documentation on the front page of its manual regarding annual reviews of the policies. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 22, 2010","Alaskan AIDS Assistance Association","","Alaska","PHYS","MED","2,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 23, 2010","St. Vincent Hospital and Health Care Center, Inc.","","Indiana","PHYS","MED","1,199","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.267194","-86.134902" "September 23, 2010","Oroville Hospital","","California","PHYS","MED","1,474","The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. 
Following OCR's investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. \ \ Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 23, 2010","Eden Medical Center","","California","PHYS","MED","1,474","The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients' names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients' ePHI, and encrypted portable electronic computer devices. Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 24, 2010","NewYork-Presbyterian Hospital and Columbia University Medical Center","","New York","PHYS","MED","6,800","Data breach results in $4.8 million HIPAA settlements \Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. \The U.S. 
Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. \NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. \The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet. \In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. 
Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. \'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.' \NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. \ Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 24, 2010","St. 
James Hospital and Health Centers","","Illinois","PHYS","MED","967","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 27, 2010","University of Oklahoma - Tulsa, Neurology Clinic","","Oklahoma","HACK","MED","19,200","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "September 29, 2010","LORENZO BROWN, MD INC.","","California","PHYS","MED","928","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 1, 2010","Joseph A. Gagnon d/b/a Goldthwait Associates","","Massachusetts","PHYS","MED","11,000","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 5, 2010","Debra C. Duffy, DDS","","Texas","PHYS","MED","4,700","An unencrypted laptop and network server were stolen during a burglary of the office. The breach affected approximately 4700 individuals. The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. 
\ Location of breached information: Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 5, 2010","Cumberland Gastroenterology, P.S.C.","","Kentucky","PHYS","MED","2,200","The covered entity's (CE) medical records storage facility was burglarized, resulting in the theft of protected health information (PHI) of 2,207 individuals. The PHI included names, birth dates, social security numbers, addresses, phone numbers, primary care providers, diagnosis codes, presenting complaints, exam findings, insurance information, dates of visits, services performed, and referring providers. The CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE also conducted an inventory of stolen items and created an accounting of affected individuals. Following the breach, the CE increased physical security, limited the amount of stored PHI, and expedited the adoption of electronic medical records. As a result of OCR's investigation the CE executed BA agreements with the storage facility and with a document shredding company. Additionally, it re-trained workforce members on its revised HIPAA policies and procedures with respect to safeguards for PHI, and placed an accounting of disclosures of PHI in each of the affected individuals' medical records. OCR obtained assurances that the CE implemented the corrective action listed above. 
\ \ \ Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 5, 2010","WESTMED Medical Group","","New York","PHYS","MED","578","An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR's investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. \ \ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 6, 2010","Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan","","Maryland","UNKN","MED","692","Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. 
Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. \ Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 8, 2010","LoneStar Audiology Group","","Texas","PHYS","MED","585","A laptop was stolen from a workforce member's home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR's investigation, the encryption of the laptops was completed. 
\ Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 13, 2010","Utah Department of Workforce Services","","Utah","UNKN","MED","1,298","\N Location of breached information: Desktop Computer, Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 15, 2010","SW Seattle Orthopaedic and Sports Medicine","","Washington","HACK","MED","9,493","A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. 
\ Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 18, 2010","University of Arkansas for Medical Sciences","","Arkansas","PHYS","MED","1,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "October 26, 2010","Aspen Dental Care P.C.","","Colorado","PHYS","MED","2,500","A computer hard drive containing encrypted patient records was stolen from the covered entity's (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. \ \ Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 1, 2010","BlueCross BlueShield of Tennessee, Inc.","","Tennessee","PHYS","MED","1,023,210","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 2, 2010","Northridge Hospital Medical Center","","California","PHYS","MED","716","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 4, 2010","Puerto Rico Department of Health - Triple S Management Corp.","","","DISC","MED","475,000","On November 5, 2010, the Puerto Rico Department of 
Health (DOH), a hybrid entity, reported on behalf of the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, that it discovered that two former staff members of the business associates (BAs) Triple-S Salud (TSS) and Triple-C, improperly accessed restricted areas of TSS’ proprietary internet IPA database managed by Triple-C, Inc. The staff members, who were employed by a competitor, were able to gain access to the database because their access rights were not terminated upon leaving the employment of TSS. As a result, the electronic protected health information in the database, including 400,000 of the CE’s members’ names, contract numbers, home addresses, diagnostic codes, and treatment codes, was accessed. DOH provided breach notification to HHS, and TSS provided breach notification to affected individuals, and the media. Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified period. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.090240","-95.712891" "November 7, 2010","Aetna, Inc.","","Connecticut","DISC","MED","2,345","Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna's emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. 
Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. \ Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 8, 2010","Sta-home Health & Hospice","","Mississippi","PHYS","MED","1,104","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 9, 2010","Medical Card System/MCS-HMO/MCS Advantage/MCS Life","","Puerto Rico","DISC","MED","115,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 11, 2010","VNA of Southeastern Ct.","","Connecticut","PHYS","MED","12,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 12, 2010","Prime Home Care, LLC","","Nebraska","PHYS","MED","1,550","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 12, 2010","Manor Care Indy (South), LLC.","","Indiana","DISC","MED","845","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 12, 2010","Visiting Nurse Service Association of Schenectady County","","New York","PHYS","MED","535","An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCR's investigation, the CE disabled the involved staff member's account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 15, 2010","Henry Ford Hospital","","Michigan","PHYS","MED","3,700","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 15, 2010","Robert Wheatley, DDS, PC","","Missouri","PHYS","MED","1,400","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 16, 2010","Holy Cross Hospital","","Florida","PHYS","MED","1,500","A covered entity's (CE) employee impermissibly obtained copies of patient data sheets containing protected health information (PHI) and sold the PHI to a third party. 
The PHI included names, addresses, dates of birth, social security numbers, insurance information, and diagnoses affecting 38 individuals; however, the initial investigation addressed a report of approximately 1,500 affected individuals. The CE provided breach notification to 44,000 individuals (including those who were potentially affected), HHS and the media. In addition, free credit monitoring was offered. Following the breach, the CE cooperated with federal authorities, law enforcement, and the state health administration agency, and provided a report to a national accreditation organization. As a result of this incident, the CE convened a high level work group to oversee privacy and security issues and hired an expert forensic investigator to perform a risk assessment. The CE updated its privacy and security policies and procedures, developed a plan to adopt electronic health records and initiated a continuous review process including random HIPAA compliance audits. The CE also expanded its HIPAA training program for employees. OCR obtained written assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 18, 2010","Triple-S Salud, Inc.","","","PHYS","MED","398,000","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). 
TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. 
The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.090240","-95.712891" "November 24, 2010","Professional Transcription Company, Inc.","","New York","PHYS","MED","1,744","The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. 
Upon discovery of the breach, the BA shut down the applicable server. The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 25, 2010","Memorial Hospital of Gardena","","California","DISC","MED","771","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 29, 2010","Oklahoma City VA Medical Center","","Oklahoma","PHYS","MED","1,950","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 30, 2010","Kings County Hospital Center","","New York","PHYS","MED","542","An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. 
The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 30, 2010","Albert Einstein Healthcare Network","","Pennsylvania","PHYS","MED","613","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "November 30, 2010","University of Tennessee Medical Center","","Tennessee","PHYS","MED","8,200","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 3, 2010","H.E.L.P. Financial Corporation","","Michigan","DISC","MED","9,475","A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. 
Additionally, the BA notified the affected individuals and the CE notified the local media. \ Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 7, 2010","zarzamora family dental care","","Texas","PHYS","MED","800","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 13, 2010","Gary C. Spinks, DMD, PC","","Maryland","HACK","MED","1,000","\N Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 13, 2010","Hospital Auxilio Mutuo","","","PHYS","MED","1,000","The covered entity (CE), Hospital Auxilio Mutuo de Puerto Rico, Inc., reported that on November 9, 2010, an employee resigned his position and removed two computer hard drives and a laptop computer that contained electronic protected health information (ePHI), potentially affecting over 30,000 individuals. The CE initially reported that the breached ePHI included names, addresses, zip codes, dates of birth, social security numbers, diagnostic conditions and other treatment information. During the investigation, the CE retrieved the hard drives and laptop and determined that the hard drives contained confidential financial information and business making decisions by the CE, and did not include the types of identifiers (e.g. patient names, Social Security numbers, home addresses, etc.) that could be used to re-identify an individual. Thus, the CE determined that the theft did not constitute a breach of ePHI. 
Further, the CE determined that the laptop was an information technology department laptop that only contained financial data and upper management e-mails. As a result of OCR’s investigation, OCR has required the CE to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff. Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","37.090240","-95.712891" "December 15, 2010","Gair Medical Transcription Services, Inc.","","Pennsylvania","DISC","MED","1,085","Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future. 
\ Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 17, 2010","Cook County Health & Hospitals System","","Illinois","PHYS","MED","556","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 20, 2010","Dean Health Systems, Inc.; St. Mary's Hospital; St. Marys Dean Ventures, Incorporated","","Wisconsin","PHYS","MED","3,288","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 21, 2010","Riverside Mercy Hospital and Ohio/Mercy Diagnostics","","Ohio","PHYS","MED","1,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 22, 2010","California Therapy Solutions","","California","PHYS","MED","1,250","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 27, 2010","The Southwestern Indiana Regional Council on Aging","","Indiana","PHYS","MED","757","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 27, 2010","Hils Transcription","","Indiana","DISC","MED","585","\N Location of breached information: Other Business associate 
present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 28, 2010","Geisinger Wyoming Valley Medical Center","","Pennsylvania","PHYS","MED","2,928","The covered entity's (CE) staff physician emailed the protected health information (PHI) of approximately 2,900 individuals to his home email account while working on an analysis. The PHI included names, addresses, dates of birth, social security numbers, and medication information. Following the breach, the CE sanctioned the physician and implemented a plan to auto-encrypt all PHI sent through email. As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees. \ \ Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 28, 2010","Mankato Clinic","","Minnesota","PHYS","MED","3,159","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 29, 2010","Zenith Administrators, Inc.","","Maryland","PHYS","MED","800","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 29, 2010","Our Lady of Peace Hospital","","Kentucky","PHYS","MED","24,600","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 30, 2010","Keystone/AmeriHealth Mercy Health Plans","","Pennsylvania","PHYS","MED","808","\N Location of 
breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "December 30, 2010","Southern Perioperative Services, P.C.","","Alabama","PHYS","MED","2,000","A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. \ \ \ Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2010","40.760537","-73.978890" "January 3, 2011","Ankle + Foot Center of Tampa Bay, Inc.","","Florida","PHYS","MED","156,000","The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. 
To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 4, 2011","OhioHealth Corporation dba Grant Medical Center","","Ohio","PHYS","MED","501","\N Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 10, 2011","Seacoast Radiology, PA","","New Hampshire","HACK","MED","231,400","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 11, 2011","Friendship Center Dental Office","","Florida","PHYS","MED","2,200","On December 19, 2010, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic information of approximately 2,200 individuals, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. 
The CE increased physical security by installing a security system with motion detectors as well as motion sensor lighting outside the building. The CE also updated its HIPAA policies and procedures to reflect Security Rule requirements, including password protection requirements and the encryption of ePHI in transit. OCR obtained assurances that the corrective actions listed above were taken. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 12, 2011","St.Vincent Hospital - Indianapolis","","Indiana","HACK","MED","1,848","\N Location of breached information: Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 12, 2011","Centra","","Virginia","PHYS","MED","11,982","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 13, 2011","Franciscan Medical Group","","Washington","PHYS","MED","1,250","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 14, 2011","State of South Carolina Budget and Control Board Employee Insurance Program (EIP)","","South Carolina","PHYS","MED","5,596","A workstation in the covered entity's (CE) finance department was infected with malware that recorded keystrokes and captured screenshots. The CE reported 5,596 individuals as being potentially affected by the malware. 
The types of PHI involved in the breach included names, addresses, dates of birth, benefits identification numbers, social security numbers, and in some cases, banking information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE disconnected the workstation from the network and provided the affected employee with new login credentials, a new hard drive, and additional training. The CE updated its Privacy and Security Rule policies and procedures and initiated mandatory annual supplemental training for all of its employees. The CE improved safeguards by implementing additional network security monitoring programs to actively protect workstation environments and limit the proliferation of malware infections on its network. OCR obtained assurances that the appropriate notifications were made and that the corrective actions listed above were completed. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","33.836081","-81.163725" "January 18, 2011","Lake Woods Nursing & Rehabilitation Center","","Michigan","PHYS","MED","656","\N Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 18, 2011","Travis Software Corp.","","Texas","PHYS","MED","16,200","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 18, 2011","J. A. 
Still Corporation","","Missouri","PHYS","MED","4,800","Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 21, 2011","Grays Harbor Pediatrics, PLLC","","Washington","PHYS","MED","12,009","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 24, 2011","Hanger Prosthetics & Orthotics, Inc.","","Texas","PHYS","MED","4,486","An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. 
Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 25, 2011","Baylor Heart and Vascular Center","","Texas","PHYS","MED","8,241","A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "January 28, 2011","CHC MEMPHIS CMHC, LLC","","Tennessee","PHYS","MED","500","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 7, 2011","Integranetics","","Kentucky","HACK","MED","18,871","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 7, 2011","Jefferson Center for Mental Health","","Colorado","PHYS","MED","546","A list containing the protected health information (PHI) of 546 patients was stolen from the vehicle of the covered entity's (CE) employee. The breached PHI included names, dates of birth, social security numbers, and Medicaid information. Following the breach, the CE changed its practices and procedures to safeguard PHI and trained staff on its new policies. As a result of OCR's investigation, the CE improved its process for reporting breaches and mitigating harm. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 8, 2011","Ortho Montana, PSC","","Montana","PHYS","MED","37,000","A laptop containing the electronic protected health information (ePHI) of approximately 37,000 patients was lost or stolen when the laptop was taken to an event by a workforce member. Following the breach, the covered entity (CE) sanctioned the workforce member who was responsible for handling the laptop. 
As a result of OCR's investigation, the CE conducted a risk analysis and developed a risk management plan. The CE also removed ePHI from laptops and encrypted laptops, tablets, and cellular smart phones. Additionally, the CE developed new procedures and revised existing procedures in order to safeguard ePHI. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 9, 2011","Cancer Care Northwest P.S.","","Washington","PHYS","MED","3,100","The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 10, 2011","Saint Louis University","","Missouri","HACK","MED","800","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 11, 2011","GRM Information Management Services","","New Jersey","PHYS","MED","1,700,000","Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA). The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Electronic Medical Record, Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 11, 2011","Long Beach Memorial Medical Center","","California","DISC","MED","2,250","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 13, 2011","Texas Health Harris Methodist Hospital Azle","","Texas","PHYS","MED","9,922","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 15, 2011","Business Express","","Florida","PHYS","MED","2,700","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 16, 2011","Xforia Web Services","","West Virginia","DISC","MED","3,655","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 21, 2011","Mountain Vista Medical Center","","Arizona","PHYS","MED","2,291","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "February 22, 2011","Departamento de Salud de Puerto Rico","","","PHYS","MED","2,621","\N Location of breached information: Desktop Computer Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","37.090240","-95.712891" "February 23, 2011","Henry Ford Hospital","","Michigan","PHYS","MED","2,777","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 1, 2011","TriWest Healthcare Alliance Corp.","","Arizona","DISC","MED","4,500","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 3, 2011","Blue Cross and Blue Shield of Florida ","","Florida","UNKN","MED","7,366","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 7, 2011","University Health Services, University of Massachusetts, Amherst","","Massachusetts","DISC","MED","942","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 10, 2011","Omnicare, Inc","","Kentucky","PHYS","MED","8,845","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 16, 2011","JEFFREY J. SMITH, MD","","Oklahoma","PHYS","MED","600","The covered entity (CE) shipped a skin analysis machine containing the electronic protected health information (ePHI) of approximately 600 individuals to the manufacturer for repairs via UPS. 
The machine was damaged and discarded by UPS. The ePHI included names, dates of birth and facial photographs. The CE posted breach notification on its website. As a result of OCR's investigation, the CE revised its policy regarding the security of hardware containing PHI so that all work on hardware will be performed on-site. The policy also requires that all ePHI is to be backed up and erased from the hardware prior to any unavoidable off-site maintenance. Location of breached information: Desktop Computer, Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 18, 2011","Coventry Health Care, Inc.","","Maryland","DISC","MED","765","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 23, 2011","Texas Health Arlington Memorial Hospital","","Texas","UNKN","MED","654","The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 28, 2011","Rape & Brooks Orthodontics, P.C.","","Alabama","PHYS","MED","20,744","On February 4, 2011, the covered entity’s (CE) facility was broken into and a computer server, three desktop computers, and an external hard drive were stolen, affecting the demographic, clinical and financial information of approximately 20,744 individuals. The CE, Rape & Brooks Orthodontics, P.C., provided breach notification to HHS, affected individuals, and the media. As a result of this incident, the CE increased physical security by upgrading its alarm system, changing and installing additional locks, and storing its server in a locked data closet. The CE also improved technical safeguards by implementing double-layered password protection on its computers and encrypting data on external hard drives. OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures. Location of breached information: Desktop Computer, Network Server, Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 28, 2011","NYU School of Medicine Faculty Group Practice","","New York","PHYS","MED","670","An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. 
As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 30, 2011","EISENHOWER MEDICAL CENTER","","California","PHYS","MED","514,330","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 30, 2011","Clarksburg - Louis A. Johnson VA Medical Center","","West Virginia","DISC","MED","1,470","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 30, 2011","County of Los Angeles","","California","PHYS","MED","667","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 31, 2011","Trisha Elaine Cordova","","Alaska","PHYS","MED","1,700","A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers. 
At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "March 31, 2011","Park Avenue Obstetrics & Gynecology, PC","","Arizona","PHYS","MED","635","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 4, 2011","Brian J Daniels D.D.S.,Paul R Daniels D.D.S.","","Arizona","PHYS","MED","10,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 5, 2011","Hartford Hospital","","Connecticut","PHYS","MED","93,500","A workforce member of the covered entity's (CE) business associate (BA) saved the electronic protected health information (ePHI) of approximately 93,500 patients on an unsecured computer drive in order to do work from home, and subsequently lost the hard drive. The PHI included names, addresses, dates of birth, marital status, social security numbers and medical record numbers. Following the breach, the workforce member involved was sanctioned for violating the CE's policies. The CE provided breach notification to the media, HHS, and all affected individuals. 
It also offered all affected individuals 2 years of free identity protection services. In addition, the CE disabled the ability for all of its computing devices to download ePHI via USB connection ports. Further, it began implementing malicious software prevention utilities as well as data encryption controls to supplement its portable computing devices. OCR obtained assurances that the CE implemented the corrective action listed above. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. \ \ \ \ Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 6, 2011","Patient Care Services at Saint Francis, Inc.","","Oklahoma","PHYS","MED","84,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 8, 2011","Union Security Insurance Company","","Missouri","DISC","MED","935","On February 18, 2011, a Union Security Insurance Co. policy holder notified the covered entity (CE) that while accessing their online account, they were also able to access the accounts of other policy holders. Approximately 1,500 individuals were affected by this breach. These accounts included names, dates of birth, social security numbers, and other identifiers. In addition, on May 17, 2013, an employee of the CE impermissibly emailed a spreadsheet which included identifiable data belonging to a customer group of the CE. Approximately 1,127 group members were affected by this breach. The email included names and social security numbers. 
The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE disabled its website, reversed the problematic coding, and increased the number of vulnerability scans of the CE’s website. The CE also retrained employees, to include distribution of its revised policy and procedure for safeguarding social security numbers. Following OCR’s investigation, the CE prohibited social security numbers on any document being sent to any customer. The CE provided OCR documentation that substantiates all its actions taken in response to the two breach incidents. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 11, 2011","Oklaholma State Dept. of Health","","Oklahoma","PHYS","MED","132,940","\N Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 12, 2011","Aiken Community Based Outpatient Clinic","","South Carolina","PHYS","MED","2,717","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 14, 2011","Fairview Health Services","","Minnesota","PHYS","MED","1,215","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 14, 2011","IBM","","New York","UNKN","MED","1,900,000","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 14, 2011","SW General Inc","","Arizona","PHYS","MED","566","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 19, 2011","Healthcare Solutions Team, LLC","","Illinois","DISC","MED","675","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 20, 2011","Community Action partnership of Natrona County","","Wyoming","PHYS","MED","15,000","The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR's compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","43.075968","-107.290284" "April 21, 2011","Keith & Fisher, DDS, PA","","North Carolina","HACK","MED","6,000","The covered entity (CE), Keith & Fisher DDS PA, discovered on March 7, 2011, that its server had been hacked, potentially exposing the clinical and demographic data for 6,000 individuals. 
The CE provided breach notification to HHS, to affected individuals, and published notice on its website and to the media. In response to the breach, the CE increased its information systems security, improved its password policy, implemented logging procedures to track access failures and changed access to its servers so it is only accessible through an existing firewall and a virtual private network tunnel. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","35.759573","-79.019300" "April 25, 2011","Genesis Clinical Laboratory","","Illinois","HACK","MED","1,070","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.633125","-89.398528" "April 25, 2011","MacNeal Hospital","","Illinois","HACK","MED","845","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.633125","-89.398528" "April 25, 2011","West Lake Hospital ","","Illinois","HACK","MED","686","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 25, 2011","Phoenix Health Plan","","Arizona","HACK","MED","9,393","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 25, 2011","MacNeal Physician Group","","Illinois","HACK","MED","532","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "April 28, 2011","Knox Community Hospital","","Ohio","PHYS","MED","500","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 2, 2011","Speare Memorial Hospital","","New Hampshire","PHYS","MED","5,960","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 5, 2011","Methodist Charlton Medical Center","","Texas","PHYS","MED","1,500","An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 6, 2011","Reid Hospital & Health Care Services","","Indiana","PHYS","MED","22,001","An unencrypted, password protected laptop computer was stolen from an employee’s home on April 2, 2011. 
The covered entity (CE), Reid Hospital & Health Care Services, reported that this breach affected 22,001 individuals and that the laptop contained names, social security numbers, Medicare numbers, and some reports entitled “psychiatric services.” The CE investigated the breach and provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE completed encryption of its laptop and desktop computers, implemented safeguards for its email system and smartphones, and updated its mobile media policy. It also completed a new risk analysis and implemented action steps in its risk management plan. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 6, 2011","Drs Edalji and Komer","","Massachusetts","PHYS","MED","563","An unsecured laptop containing the electronic protected health information (ePHI) of approximately 563 individuals was stolen from the car of a business associate's (BA) subcontractor. The PHI included names, addresses, dates of birth, and social security numbers. Following the breach, the covered entity (CE) notified affected individuals, HHS, and the media, and offered all affected individuals one year of free credit monitoring services. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 9, 2011","PMC Medicare Choice","","Puerto Rico","PHYS","MED","24,361","Thieves broke into the PMC Medicare Choice facility located in Humacao, Puerto Rico and stole four unencrypted desktop computers containing 24,361 health plan members’ electronic protected health information (ePHI). The ePHI included names, addresses, phone numbers, Medicare HIC numbers, diagnosis and treatment information, health plan names, health plan member identification numbers, health plan enrollment information, health care claim information, and social security numbers. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired a damaged wall and improved security at the facility and the surrounding premises. OCR obtained assurances that the CE implemented the corrective actions noted above. As a result of OCR’s investigation, the CE encrypted all computers located at its regional offices. OCR stated its expectation that the CE will perform a thorough and accurate risk analysis and establish a risk management plan. In addition, OCR stated an expectation that the CE will implement contingency operations procedures, implement its facility security plan’s policies and procedures, and regularly patch and update its IT infrastructure. OCR also stated an expectation that the CE will encrypt and decrypt ePHI where appropriate and document the technical safeguards implemented to prohibit the unauthorized copying and removal of PHI and ePHI. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 9, 2011","Union Security Insurance Company","","Missouri","DISC","MED","850","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 9, 2011","Indiana Regional Medical Center","","Pennsylvania","PHYS","MED","1,388","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","41.203322","-77.194525" "May 9, 2011","MMM Healthcare, Inc.","","Puerto Rico","PHYS","MED","32,390","Thieves broke into the MMM Healthcare, Inc. facility located in Humacao, Puerto Rico and stole four unencrypted desktop computers containing 32,390 health plan members’ electronic protected health information (ePHI). The ePHI stored in the stolen computers included names, addresses, phone numbers, Medicare numbers, diagnosis and treatment information, health plan names, health plan member identification numbers, health plan enrollment information, health care claim information, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired a damaged wall and improved physical security for the facility and the surrounding premises. As a result of OCR’s investigation, the CE encrypted all computers located at its regional offices. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, OCR stated its expectation that the CE will perform a thorough and accurate risk analysis and establish a risk management plan. 
In addition, OCR stated its expectation that the CE will implement contingency operations procedures, implement its security policies and procedures, and regularly patch and update its IT infrastructure. OCR stated an expectation for the CE to encrypt ePHI where appropriate, and document the technical safeguards implemented to prohibit the unauthorized copying and removal of PHI and ePHI from the premises. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 11, 2011","CENTER FOR ARTHRITIS & RHEUMATIC DISEASES","","Florida","PHYS","MED","8,000","\N Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","27.664827","-81.515754" "May 11, 2011","CVS CAREMARK","","Arizona","PHYS","MED","654","An employee of the covered entity (CE), CVS Caremark, with access to patients’ protected health information (PHI) impermissibly accessed and printed patient drug transfer reports as part of a scheme to fill fraudulent prescriptions. The prescription drug reports were then disclosed to a third party, the employee’s boyfriend, who was a former employee of another CVS store. Law enforcement notified the CE about the breach on March 16, 2011 following a raid of the perpetrators’ home, in which law enforcement confiscated paper documents belonging to the CE. The PHI involved in the breach included the names, addresses, birthdates, prescription numbers, telephone numbers, and prescription names of approximately 654 individuals. The CE provided breach notification to HHS and affected individuals and also offered free credit monitoring. In response to this incident, the CE immediately terminated the employee and retrained pharmacy staff on its HIPAA policies. 
The CE also provided evidence that both individuals have since had their pharmacy licenses suspended by the state licensing board. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 17, 2011","Robert B. Miller, MD","","California","PHYS","MED","620","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 19, 2011","St. Mary's Hospital for Children","","New York","PHYS","MED","550","A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 19, 2011","Imaging Center of Garland","","Texas","PHYS","MED","1,031","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 25, 2011","Cahaba Government Benefit Administrators, LLC","","Alabama","DISC","MED","13,412","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 26, 2011","Agent Benefits Corporation","","Michigan","HACK","MED","11,387","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 26, 2011","VA Caribbean Healthcare System","","Puerto Rico","PHYS","MED","6,006","An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "May 27, 2011","Spartanburg Regional Healthcare System","","South Carolina","PHYS","MED","400,000","Three unencrypted desktop computers and one unencrypted laptop computer in need of repair were stolen from an IT employee’s vehicle when he stopped at his home when transporting the equipment from an offsite location to the main hospital. The home stop was against the CE’s internal policies and procedures and exposed the protected health information (PHI) of 402,647 patients, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered affected individuals one year of free credit monitoring. In response to the breach, the CE revised its new employee and upper management orientation materials to reflect updated HIPAA revisions. The CE encrypted all of the hard drives on its computers. It also updated policies and procedures regarding electronic data and use of company vehicles. Additionally, the CE began distributing an information security newsletter to employees. The CE sanctioned the involved employee for violating the CE’s handling of computer equipment policy. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 2, 2011","Saint Joseph - Berea","","Kentucky","PHYS","MED","1,986","The covered entity (CE), St. Joseph-Berea discovered that an external back-up hard drive attached to a workstation was missing. 
The external hard drive included the protected health information of 1,986 individuals, including patients’ names, dates of birth and information related to bone density scans. The CE provided breach notification to HHS, affected individuals, and the media and performed substitute notice by posting on its website. Following the breach, the CE updated its procedures to limit the use of external hard drives, encrypted all laptops, desktops, servers, and portable media devices, and improved safeguards by monitoring physical workstation access and maintaining observation cameras. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 8, 2011","Navos","","Washington","UNKN","MED","2,700","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 8, 2011","Lower Umpqua Hospital","","Oregon","PHYS","MED","17,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","43.804133","-120.554201" "June 9, 2011","Metropolitan Community Health Services, Inc.","","North Carolina","UNKN","MED","1,263","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","35.759573","-79.019300" "June 9, 2011","TUBA CITY REGIONAL HEALTH CARE CORPORATION","","Arizona","PHYS","MED","2,000","\N Location of breached information: Paper/Films 
Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 9, 2011","FOOTHILLS NEPHROLOGY, PC","","South Carolina","PHYS","MED","1,280","A company-issued laptop computer containing the protected health information (PHI) of approximately 1,280 individuals was stolen from the vehicle of a covered entity's (CE) employee. The PHI included demographic and clinical information. The CE provided breach notification to the affected individuals, HHS, and the media and created a toll-free number for information regarding the incident. As a result of this incident, the CE contacted law enforcement, retrained staff on the use of portable media, and initiated a risk analysis. Following the OCR investigation, the CE reviewed and updated its policies and procedures to ensure adequate safeguards, instituted a new electronic medical records system which encrypts medical information, updated password requirements for computers, and retrained employees. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 10, 2011","Fidelity National Technology Imaging (FNTI)","","California","PHYS","MED","1,192","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 16, 2011","HealthCare Partners","","California","PHYS","MED","15,677","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 16, 2011","New River Health Association","","West Virginia","DISC","MED","950","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 17, 2011","Gene S. J. Liaw, MD. PS","","Washington","PHYS","MED","1,105","An unencrypted portable computer drive (a USB) containing the electronic protected health information (ePHI) of 1,105 patients was misplaced and could not be found in the entity's office. The ePHI included names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and social security numbers. The entity provided breach notification to affected individuals and HHS. Following the breach, the entity replaced the missing drive with encryption-capable USB drives, provided secure, locked storage facilities for its mobile devices, and implemented policies preventing removal of such devices from the office. OCR's investigation found that the entity in fact is not a covered entity under the Privacy and Security Rules. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 17, 2011","Blue Cross and Blue Shield of Florida ","","Florida","DISC","MED","3,463","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 22, 2011","Advanced Diagnostic Imaging, P.C.","","Tennessee","PHYS","MED","705","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 22, 2011","NOL, LLC d/b/a Premier Radiology","","Tennessee","PHYS","MED","810","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 23, 2011","University of Missouri Health Care","","Missouri","UNKN","MED","1,288","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 27, 2011","Area Agency on Aging, Ohio District 5","","Ohio","PHYS","MED","78,042","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.417287","-82.907123" "June 28, 2011","Gail Gillespie and Associates, LLC","","Louisiana","PHYS","MED","2,000","An unencrypted laptop computer and an unencrypted desktop computer, jointly containing the electronic protected health information (ePHI) of 2,334 individuals, were 
stolen during a burglary. The computers contained patient names, parent names of minor patients, dates of service, addresses, phone numbers, dates of birth, social security numbers, diagnoses, prognoses, reports/evaluations/interventions, observations, recommendations, goals, medications, and confidential information relayed by parents and/or children and verbal information received from schools/doctors/agencies involved with the patient. The CE provided breach notification to HHS and affected individuals. It improved physical safeguards by purchasing a monitored alarm system. As a result of OCR’s investigation, the CE conducted a risk analysis, deployed encryption on workstations, retrained employees, and notified the media of the breach. Location of breached information: Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 29, 2011","Health Plan of San Mateo","","California","DISC","MED","694","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "June 29, 2011","Department of Personnel and Administration","","Colorado","PHYS","MED","3,589","The covered entity's (CE) business associate (BA) mailed a compact disk (CD) containing electronic protected health information (ePHI) through the inter-office mail system for delivery in another city. The CD, containing ePHI of 3,589 individuals, was lost en route. The PHI included state Medicaid and children's health plan data. Immediately following the breach, the CE completed a risk analysis to identify additional concerns and developed a risk management plan. 
The CE provided breach notification to the affected individuals, HHS, and the media and provided substitute notification on its website. To prevent a similar breach from happening in the future, the CE required all future ePHI to be encrypted prior to shipment. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 4, 2011","Yanez Dental Corporation","","California","PHYS","MED","10,190","\N Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 8, 2011","Jackson Health System","","Florida","DISC","MED","1,562","The CE’s employee removed protected health information of 1,562 patients from the CE’s premises over a period of 18 months in order to commit identity theft. The types of PHI involved in the breach included names, addresses, dates of birth, and social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of credit monitoring to those affected. Following the breach, the CE terminated the employee and initiated an auditing program to automatically detect excessive accesses to PHI on its electronic health record system. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. 
Location of breached information: Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 8, 2011","Troy Regional Medical Center","","Alabama","DISC","MED","880","On March 22, 2011, during a house raid, the Secret Service discovered the protected health information (PHI) of approximately 880 patients of the covered entity (CE), Troy Regional Medical Center, in the form of admission “face sheets.” The PHI involved in the breach included demographic information, such as patients’ names, dates of birth, social security numbers, and medical record numbers. The CE could not accurately identify the person responsible for breaching its electronic medical record (EMR) system due to a software error which erroneously recorded multiple occasions of systems access when workforce members were accessing the system for legitimate business purposes. Due to this software error, the CE could not effectively assist in the criminal investigation being conducted by local law enforcement and the Secret Service. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. It also provided a toll-free information number and offered credit monitoring for one year. In response to the incident, the CE worked with its IT vendor to increase data security monitoring and implement automatic log-out for its EMR system. The CE also updated and added to its policies and procedures, improved system review documentation, implemented verification of user access rights, and developed sample audit logs. The CE also retrained employees on its HIPAA security policies. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 8, 2011","The Mount Sinai Hospital","","New York","PHYS","MED","712","Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 11, 2011","Lansing Community College","","Michigan","HACK","MED","5,000","An unknown assailant associated with a foreign IP address attempted to bypass the security mechanisms of a computer server of a former third party administrator and business associate (BA), AssureCare Risk Management, of the covered entity (CE), Lansing Community College Dental Care Plan. Approximately 5,000 individuals were affected by the breach. The server contained protected health information (PHI) regarding some of the CE’s participants such as names, addresses, social security numbers and clinical information, including information regarding healthcare providers and types of service. 
The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA shut down the unsecured server and hired Kroll Background America, a forensic computer security service, to investigate the nature and extent of the unauthorized access. Kroll’s findings indicated that it was unlikely that any of the CE’s member data was taken. The BA also reviewed and reevaluated its security policies and related BA agreements. OCR obtained written documentation that the BA implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 13, 2011","Dr Axel Velez","","Puerto Rico","PHYS","MED","2,800","Four computers containing the electronic protected health information (ePHI) of 2,143 patients were stolen from the covered entity (CE), Dr. Axel Velez. The PHI involved in the breach included patients’ names, addresses, contact numbers, partial social security numbers, dates of birth, diagnostic information, dates of visits, patient numbers, referring physicians, physicians’ telephone numbers, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved physical security by repairing the backdoor entrance to the office, installing an alarm system and video surveillance equipment, attaching cable locks to the workstation computers, servers and portable media devices, and moving inventoried equipment off-site. OCR provided technical assistance to the CE regarding risk analysis, risk management planning, and policies and procedures required under the Security Rule. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 15, 2011","DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale","","Georgia","PHYS","MED","7,500","An employee working for the covered entity (CE) took protected health information (PHI) off premises for purposes of identity theft. Over a period of three months, the employee impermissibly accessed the PHI of 7,500 patients. The types of PHI involved in the breach included names, dates of birth, medical record and account numbers, admission or visit dates, primary diagnoses, treating physicians and in some cases social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of enhanced credit services to those affected. Upon full investigation of the breach, the CE terminated the employee. As a result of this incident, the CE initiated a corrective action plan that included revising or creating policies and procedures to prevent such incidents in the future as well as retraining of staff on its HIPAA policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 15, 2011","Memorial Health Systems","","Colorado","DISC","MED","0","On July 12, 2011, the covered entity (CE), Memorial Health System (now doing business as Memorial Hospital – University of Colorado Health) submitted a breach report explaining that a former Colorado Springs Occupational Health Clinic (CSOHC) nurse impermissibly accessed over 2,330 individuals’ medical records between 2003 and May 2011. 
To carry out these impermissible accesses, the nurse utilized a web-based electronic health record (EHR) application that was owned and operated by the CE and utilized by several Colorado Springs area providers, including the CSOHC. The CE provided breach notification to HHS, the media, and affected individuals. Based on the breach and OCR’s investigation, the CE terminated the former CSOHC nurse’s access to the EHR and ultimately replaced the EHR. The CE developed and implemented several new Privacy and Security Rule policies and procedures, conducted institution-wide HIPAA training, implemented stricter audit controls, and implemented an information system activity review mechanism. Additionally, the involved nurse resigned from CSOHC. OCR has consolidated the unresolved issues from this breach into another review of this CE. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 19, 2011","Beth Israel Deaconess Medical Center","","Massachusetts","HACK","MED","2,021","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 21, 2011","Assurecare Risk Management, Inc.","","Illinois","DISC","MED","25,330","The covered entity (CE), Gypsum Management & Supply, Inc. Medical and Dental Plan, is a management company for a network of drywall supply yards that offers group health plans for its employees. On May 9, 2011, the computer server of the CE’s former business associate (BA), Assurecare Risk Management, Inc., was hacked, exposing the demographic, clinical, and health insurance information for 25,330 of the CE’s employees, many of whom no longer worked with the CE at the time of the breach. 
The CE provided breach notification to HHS, to affected individuals, and to the media. Because the breach incident involved a BA and occurred prior to the September 23, 2013, compliance date, OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. The CE’s internal investigation revealed little activity on the server as a result of the hack. In addition, no reports of misuse of information have been reported. OCR obtained assurances that the CE took the corrective actions listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 22, 2011","Windsor Health Plan","","Tennessee","DISC","MED","1,378","A third-line sub-contractor of Windsor Health Plan’s business associate (BA), CVS Caremark, changed the printing format on letters mailed to the covered entity’s (CE) members, potentially causing protected health information (PHI) to be visible through the envelope window. The letters included the names, addresses, and some clinical information of 1,378 individuals. RxAmerica, an operating subsidiary of CVS Caremark, subcontracted its mailing services to Accendo, who in turn subcontracted printing services to Progressive Direct Mail (PDM). The CE provided breach notification to HHS and affected individuals; media notification did not occur because the impacted members did not exceed 500 in any single state or geographic area. However, CVS issued a media release regarding the incident. In response to the incident, Accendo conducted a full review of the incident, notified PDM of the formatting error, and ensured it was corrected. Accendo also conducted an onsite visit at the PDM facility and implemented new quality assurance protocols and internal validation steps. 
OCR obtained written assurances the CE provided the breach notification as indicated above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 22, 2011","RxAmerica, a subsidiary of CVS Caremark","","Texas","DISC","MED","4,573","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 22, 2011","Andersen Air Force Base, Guam","","Virginia","PHYS","MED","700","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 28, 2011","Austin Center for Therapy and Assessment, LLC","","Texas","PHYS","MED","1,870","An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 28, 2011","Health Care Service Corporation","","Illinois","PHYS","MED","501","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 28, 2011","University of Kentucky - UK HealthCare","","Kentucky","PHYS","MED","3,604","An unencrypted company laptop computer was stolen from the car of an employee of the covered entity (CE). The laptop contained the protected health information (PHI) of 3,604 individuals and included names, dates of birth, social security numbers, medical record numbers, and diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE also provided employee training regarding mobile device encryption and refresher training on HIPAA. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 29, 2011","Treatment Services Northwest","","Oregon","PHYS","MED","1,200","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "July 29, 2011","Mills-Peninsula Health Services","","California","DISC","MED","1,500","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","36.778261","-119.417932" "August 3, 2011","Brigham and Women's Hospital and Faulkner Hospital ","","Massachusetts","PHYS","MED","638","A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","42.407211","-71.382437" "August 8, 2011","Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan","","Indiana","HACK","MED","506","A computer server belonging to a former business associate (BA) and third party administrator, AssureCare Risk Management, Inc., was hacked. The server contained social security numbers, birth dates, names, addresses, gender, and physician and hospital/facility names linked with benefit payment information which could include type of service (i.e. office visit, inpatient stay, lab and x-ray, physical therapy, etc.). The breach affected 506 individuals. The relationship between the BA and the covered entity, Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan, ended in 2006, but the BA continued to retain possession of protected health information (PHI) relating to the Plan’s participants because it was required to do so by law. The CE provided breach notification to HHS, affected individuals, and the media. OCR reviewed the BA agreement between the BA and CE which contained provisions regarding the use, disclosure, and safeguarding of PHI that ended in 2006, but also contained language requiring the BA to extend the protections of the agreement to the CE’s PHI after the agreement terminated. The CE obtained assurances that the BA shut down the server in question following the breach and does not maintain unsecured PHI on any other server. OCR obtained written assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 8, 2011","Med Assets","","New Jersey","PHYS","MED","8,795","An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 9, 2011","Washington State Department of Social and Health Services","","Washington","DISC","MED","3,950","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 15, 2011","The Neurological Institute of Savannah & Center for Spine","","Georgia","PHYS","MED","63,425","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 15, 2011","Accuprint ","","Puerto Rico","PHYS","MED","5,848","The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 17, 2011","Texas Health Partners","","Texas","PHYS","MED","10,345","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 18, 2011","Capron Rescue Squad District","","Illinois","DISC","MED","815","A trustee of the covered entity (CE), Capron Rescue Squad District, removed a laptop computer containing the unencrypted electronic protected health information (ePHI) of 815 individuals from its facility under the mistaken belief that the laptop was no longer used by the CE in its provision of health care services and gave the laptop to his adult grandson. The ePHI on the laptop included individuals’ full names, social security numbers, dates of birth, home addresses, and medical histories. The CE recovered the laptop which was the subject of the breach and obtained written assurances from the individuals involved in the breach that they did not use, disclose, or retain any ePHI stored on the laptop. The CE provided breach notification to HHS, the media, and affected individuals. The CE improved safeguards by encrypting ePHI stored on its computers, including laptops. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 18, 2011","MedAssets","","New Jersey","PHYS","MED","32,008","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 25, 2011","Lexington VAMC","","Kentucky","PHYS","MED","1,432","The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member's residence. The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review. 
Location of breached information: Laptop, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 28, 2011","SpaMed Solutions, LLC, Edward McMenamin President,","","New Jersey","PHYS","MED","3,000","\N Location of breached information: Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device, Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 29, 2011","HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER","","Illinois","PHYS","MED","2,000","\N Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "August 29, 2011","Multi-Speciality Collection Services, LLC","","California","DISC","MED","19,651","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 7, 2011","NEA Baptist Clinic","","Arkansas","HACK","MED","3,116","An unknown individual hacked into a database that contained electronic protected health information (ePHI) of individuals who had registered online with the covered entity (CE) in the last eight years. The PHI involved in the breach, which affected approximately 3,116 patients, included names, addresses and dates of birth. The CE provided breach notification to HHS and affected individuals. 
Following this breach, the CE shut down its “old” website and replaced it with a “new” website with improved safeguards such as blocking of specific IP addresses, strong authentication for areas that are not available to the general public, and secure web browsers. As a result of OCR’s investigation, the CE created new procedures to protect ePHI, including procedures for inventory and asset management, as well as tracking encrypted devices. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 7, 2011","Muir Orthopaedic Specialists, A Medical Group Inc.","","California","PHYS","MED","1,800","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 8, 2011","Jonathan Noel MD","","Indiana","PHYS","MED","2,059","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 9, 2011","Texas Health and Human Services Commission","","Texas","PHYS","MED","1,696","An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 13, 2011","Living Healthy Community Clinic","","Wisconsin","HACK","MED","3,000","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 13, 2011","Centro de Ortodoncia Inc.","","Puerto Rico","PHYS","MED","2,000","OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 14, 2011","John T. Melvin, M.D.& Associates","","Texas","PHYS","MED","2,541","Medical records were stolen from an off-site storage facility of the covered entity (CE), John T. Melvin & Associates. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, claim information, diagnoses/conditions, medications, lab results, and other treatment information for approximately 2,541 individuals. 
The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation the CE changed its policies, so that all records are now kept on-site and all records are immediately shredded once the required retention time has elapsed, according to applicable state law. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 15, 2011","Diversified Resources, Inc.","","Georgia","PHYS","MED","863","On August 11, 2011, a password protected, but unencrypted laptop computer was stolen from a nurse’s car. The laptop contained the electronic protected health information (ePHI) of 863 individuals. The ePHI on the laptop included names, addresses, phone numbers, primary care physicians, caregiver contacts, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, CE reviewed its policies and procedures, applied employee sanctions, retrained its workforce, and implemented file-level encryption. Pursuant to technical assistance provided by OCR, CE implemented additional administrative safeguards, including a new policy prohibiting employees from leaving laptops unattended in a vehicle. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 20, 2011","Freda J Bowman MD PA","","Texas","HACK","MED","1,300","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 20, 2011","VA Gulf Coast Veterans Health Care System","","Mississippi","PHYS","MED","1,797","The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","32.354668","-89.398528" "September 21, 2011","Bonney Lake Medical Center and Mythili R. 
Ramachandran, MD","","Washington","PHYS","MED","2,367","\N Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","47.751074","-120.740139" "September 22, 2011","Benefits Administration Services, Inc.","","Virginia","PHYS","MED","4,000","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 23, 2011","AllOne Health Management Solutions, Inc.","","Pennsylvania","PHYS","MED","507","\N Location of breached information: Laptop, Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 23, 2011","VA Illiana Health Care System","","Illinois","PHYS","MED","518","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 23, 2011","Health Texas Provider Network","","Texas","PHYS","MED","1,259","An unencrypted laptop possibly containing the electronic protected health information (ePHI) of 1,259 patients was stolen from an employee’s personal vehicle. The ePHI that was potentially involved in the breach included patients’ names, contact information, social security numbers, dates of birth, diagnoses, account numbers, physician names, types of procedures and services, dates of service, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE terminated the employee. 
As a result of OCR’s investigation, the CE updated its encryption policies and procedures to require and verify the encryption of computers before use, and conducted mandatory annual computer safety training. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 26, 2011","NYU Hospital for Joint Diseases Inventory Management Department","","New York","PHYS","MED","2,600","A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not properly secured. The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 27, 2011","Fairview Health Services","","Minnesota","PHYS","MED","14,623","An unencrypted laptop computer storing the electronic protected health information (ePHI) of approximately 14,623 individuals was stolen from the locked vehicle of a workforce member of Accretive Health, a business associate (BA) of the covered entity (CE), Fairview Health Services. The ePHI included individuals’ names, addresses, dates of birth, social security numbers, financial information, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also provided complimentary credit monitoring services to affected individuals. Following the breach, the CE investigated the root cause of the breach, developed a new policy which addresses the risks associated with sharing sensitive data with third parties, and obtained assurances from the BA that it would undertake appropriate corrective actions. OCR obtained a copy of the BA agreement between the CE and the BA at the time of the breach. OCR also obtained evidence and assurances that the CE implemented the corrective actions listed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 27, 2011","North Memorial Health Care","","Minnesota","PHYS","MED","9,497","North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. 
Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial. The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 28, 2011","Summit Medical Group, PLLC","","Tennessee","PHYS","MED","731","On September 4, 2011, a Summit Medical Group (SMG) employee’s car was burglarized, resulting in the theft of paper reports containing the protected health information (PHI) of approximately 731 of the covered entity’s (CE) patients. The PHI involved in the breach included account numbers, patients’ names, physicians’ names, names of hospitals, dates of discharge, dates of birth, names of insurance providers, and discharge diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. It also offered credit monitoring services and created a customer service center to handle questions. 
Following the breach, the CE initiated an internal investigation, filed a police report, notified the affected physician sites of the breach, conducted a risk assessment, and adopted additional identification verification measures for affected individuals. As a result of OCR’s investigation, the CE updated its HIPAA policies and procedures and improved safeguards by encrypting laptop computers. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 28, 2011","FIRST PRIORITY LIFE INSURANCE COMPANY","","Pennsylvania","PHYS","MED","579","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "September 29, 2011","MAPFRE Life","","","PHYS","MED","2,209","HIPAA settlement demonstrates importance of implementing safeguards for ePHI The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan. With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans. 
On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached. OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake. “Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.” The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem... 
Location of breached information: Desktop Computer, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","37.090240","-95.712891" "October 3, 2011","Henry Ford Health System","","Michigan","PHYS","MED","520","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","44.314844","-85.602364" "October 3, 2011","Futurity First Insurance Group","","Connecticut","PHYS","MED","1,631","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","41.603221","-73.087749" "October 4, 2011","Indiana University","","Indiana","PHYS","MED","3,266","An unencrypted and password protected laptop computer was stolen from the car of an employee (medical resident) of the covered entity (CE). The laptop contained the electronic protected health information (ePHI) of approximately 3,266 individuals. The types of ePHI in the breach included names, medical record numbers, birth dates, diagnosis codes, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE audited the employee’s department and equipment, retrained the involved employee and other staff, updated its HIPAA policies and procedures, and encrypted its laptop computers. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.267194","-86.134902" "October 7, 2011","Thomas J O'Laughlin, MD","","California","PHYS","MED","700","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","36.778261","-119.417932" "October 7, 2011","Adult & Pediatric Dermatology, PC","","Massachusetts","PHYS","MED","2,200","Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. 
Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. 'As we say in health care, an ounce of prevention is worth a pound of cure,' said OCR Director Leon Rodriguez. 'That is what a good risk management process is all about -- identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.' In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR. Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 7, 2011","The Nemours Foundation","","Florida","PHYS","MED","1,055,490","A locked cabinet was removed from an IT service desk area at the Wilmington, Delaware facility of the covered entity (CE), The Nemours Foundation during an August 2011 remodeling project. The cabinet housed three unencrypted backup tapes containing the electronic protected health information (ePHI) of 1,055,489 individuals. The ePHI involved in the breach included patients’ names, addresses, social security numbers, diagnoses and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring to affected individuals. Following the incident, the CE hired a private investigator to assist in locating the missing backup tapes; however, they were not recovered. 
Additionally, the CE retained Navigant Consulting to assess the recoverability of the information and to conduct a validation review of CE’s internal analyses. In response to the incident, the CE improved safeguards by encrypting all backup tapes, storage devices, and electronic media that may contain e-PHI, moving backup tapes to a secure off-site facility, installing non-movable storage cabinets in its data centers, and implementing two-factor authentication for access to ePHI. It also hired a system administrator to manage and audit backup procedures, retrained staff, and updated and created HIPAA policies and procedures, including role-based access to cabinets containing backup data. OCR obtained assurances that the corrective actions listed above were carried out. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 11, 2011","InStep Foot Clinic, P.A.","","Minnesota","PHYS","MED","2,600","\N Location of breached information: Electronic Medical Record, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 11, 2011","Futurity First Insurance Group","","Connecticut","PHYS","MED","3,994","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 11, 2011","Lahey Clinic","","Massachusetts","PHYS","MED","599","Lahey Hospital and Medical Center (Lahey) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). 
Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts. Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, 2011. The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals. Evidence obtained through OCR’s subsequent investigation indicated widespread non-compliance with the HIPAA rules, including: •Failure to conduct a thorough risk analysis of all of its ePHI; •Failure to physically safeguard a workstation that accessed ePHI; •Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment; •Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident; •Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and •Impermissible disclosure of 599 individuals’ PHI. “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” said OCR Director Jocelyn Samuels. 
“Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.” In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance. The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 13, 2011","Florida Hospital","","Florida","DISC","MED","12,784","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 14, 2011","Thomas Jefferson University Hospitals, Inc.","","Pennsylvania","PHYS","MED","3,150","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 17, 2011","Lankenau Medical Center","","Pennsylvania","PHYS","MED","500","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 20, 2011","Spectrum Health Ssytems, Inc. 
","","Massachusetts","PHYS","MED","14,750","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 21, 2011","Conway Regional Medical Center","","Arkansas","PHYS","MED","1,472","A business associate (BA) of the covered entity (CE), Conway Regional Medical Center, sent the CE two compact disks containing scanned medical records which were mislaid following receipt. The protected health information (PHI) involved in the breach included the demographic and financial information of 1,472 individuals. The CE provided breach notification to HHS, the media, and affected individuals. Following this breach, the CE instructed its BA to encrypt any removable media that contains PHI and hand deliver the removable media to the CE’s Medical Records Department. Further, the CE improved administrative safeguards by updating its policy and procedures, which now requires a signature of an employee in the receiving department when packages are delivered. Also, all workforce members in the department involved in the breach attended additional HIPAA training. As a result of OCR’s investigation, the CE no longer routinely sends PHI off site for scanning. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","35.201050","-91.831833" "October 22, 2011","HITS Scanning Solutions, Inc.","","Missouri","PHYS","MED","7,059","The covered entity's (CE) business associate (BA) shipped microfilm records containing protected health information (PHI) of 7,059 workforce members. The microfilm was lost in transit and not recovered. The PHI included clinical information, diagnoses, names, addresses, zip codes, date of births, social security numbers, driver's license numbers, and other identifiers. 
Following the breach, the CE changed its procedures, requiring PHI to be shipped via a new mail carrier that requires a confirmation signature upon receipt and allows for the tracking of packages. As a result of OCR's investigation the CE retrained its employees on its HIPAA policies and procedures. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","37.964253","-91.831833" "October 24, 2011","Stone Oak Urgent Care & Family Practice","","Texas","PHYS","MED","6,672","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","31.968599","-99.901813" "October 25, 2011","Indiana University School of Optometry","","Indiana","PHYS","MED","757","A doctor's letters and reports were exposed on the Internet for one month after the security configuration of the covered entity's (CE) computer server was changed. The electronic protected health information (ePHI) of 757 individuals appearing on the Internet included patient names, birth dates, medical histories, diagnoses, and treatment plans. Following the breach, the CE identified and blocked the internet protocol (IP) address that was allowing access to ePHI over the Internet, removed the web portal that was facilitating access, and restored the affected server to its previous security configuration. As a result of OCR's investigation, the CE implemented monitoring and reporting of electronic information systems that transmit ePHI. OCR obtained assurances that breach notification was provided to affected individuals, the media, and HHS. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.267194","-86.134902" "October 25, 2011","Brevard Emergency Services, P.A.","","Florida","PHYS","MED","2,200","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 27, 2011","Morris Heights Health Center","","New York","PHYS","MED","927","An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 28, 2011","Pitney Bowes Management Services, Inc.","","Connecticut","PHYS","MED","1,089","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 28, 2011","Thresholds Inc.","","Michigan","PHYS","MED","1,100","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 28, 2011","Premier Imaging","","North Carolina","UNKN","MED","551","A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 31, 2011","Julie A. Kennedy, D.M.D., P.A.","","Florida","PHYS","MED","2,900","Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. 
The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed encryption software and increased physical security. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "October 31, 2011","KCI USA, Inc.","","Texas","PHYS","MED","567","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 2, 2011","Lebanon Internal Medicine Associates","","Pennsylvania","PHYS","MED","55,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 3, 2011","St. 
Joseph Medical Center","","Maryland","PHYS","MED","5,000","\N Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 4, 2011","UCLA Health System","","California","PHYS","MED","2,761","\N Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 4, 2011","Science Applications International Corporation (SA","","Virginia","PHYS","MED","4,900,000","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","37.431573","-78.656894" "November 8, 2011","Logan County Emergeny Ambulance Service Authority","","West Virginia","PHYS","MED","12,563","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","38.597626","-80.454903" "November 13, 2011","Amerigroup Community Care of New Mexico, Inc","","New Mexico","PHYS","MED","1,537","A workforce member of the covered entity (CE), Amerigroup Community Care of New Mexico, accessed the company data system to compile a list of members’ names, dates of birth, and social security numbers. The protected health information (PHI) of approximately 1,526 individuals was involved in the breach. The workforce member did not have a job specific purpose for accessing and downloading the information. Following this breach, the CE terminated the workforce member involved. Further, the CE conducted an internal review of its procedures to determine whether additional security controls are needed. 
As a result of OCR’s investigation, the CE provided additional training, through email reminders, about workforce members’ responsibilities to protect member information and to report incidents when observed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","34.519940","-105.870090" "November 14, 2011","Mid Continent Credit Services, Inc.","","Kansas","PHYS","MED","8,275","The covered entity's (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CE's website that potentially allowed the impermissible disclosure of 8,275 individuals' electronic protected health information (ePHI). The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers. Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy. CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. It offered credit monitoring service to affected individuals. As a result of OCR's investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification policies. 
Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","39.011902","-98.484247" "November 17, 2011","Sutter Medical Foundation","","Alabama","PHYS","MED","943,434","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 17, 2011","Medcenter One","","North Dakota","PHYS","MED","650","On or about October 21, 2011, the covered entity (CE), MedCenter One, Inc., which merged with Sanford Health on July 3, 2012, failed to safeguard the electronic protected health information (ePHI) of approximately 650 patients when an unencrypted, password-protected laptop computer and a bag containing 11 patient charge tickets were stolen from an employee’s vehicle. The type of ePHI involved in the breach included demographic information. The CE provided breach notification to HHS, affected individuals, and the media. The CE encrypted all of its laptop computers, implemented new information technology security policies and procedures, retrained staff on its new policies, and sanctioned the responsible employee. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 17, 2011","Dallas County Hospital District dba Parkland Health & Hospital System","","Texas","DISC","MED","2,464","OCR opened an investigation of the covered entity (CE), Dallas County Hospital District dba Parkland Health & Hospital System, after it reported that a former workforce member, while still employed, downloaded the names and certain personal information of its patients. 
The electronic protected health information (ePHI) involved in the breach included names, social security numbers, dates of birth, and other demographic information of approximately 2,464 individuals. The downloaded information was used to solicit potential clients in the workforce member’s personal business, a home health agency. The CE provided breach notification to HHS and affected individuals and offered free credit monitoring services for a year. Further, the CE terminated the workforce member who was involved in the incident and pursued criminal charges against him. As a result of OCR’s investigation, the CE developed a program to track anomalies to detect inappropriate use or access. Further, the CE revised its code of conduct and ethics to increase focus on conflicts of interest and confidentiality of PHI. Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 23, 2011","University of Kentucky UK HealthCare","","Kentucky","PHYS","MED","878","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "November 28, 2011","State of Tennessee Sponsored Group Health Plan","","Tennessee","DISC","MED","1,770","An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. 
As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE reviewed its policies and procedures to ensure adequate safeguards are in place. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 1, 2011","Cleveland Clinic Florida","","Florida","PHYS","MED","772","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 5, 2011","Jay C. 
Platt, DDS","","Indiana","PHYS","MED","10,705","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 7, 2011","Rite Aid Corporation ","","Pennsylvania","UNKN","MED","2,900","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 9, 2011","Blue Vantage Group","","New York","DISC","MED","7,226","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 9, 2011","Nation Wise Machine Buyers","","Illinois","PHYS","MED","2,000","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 9, 2011","University of Nebraska Medical Center","","Nebraska","PHYS","MED","611","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 13, 2011","Roberts S. Smith M.D. Inc.","","Georgia","PHYS","MED","17,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 15, 2011","Paul C. 
Brown, MD, PS","","Washington","PHYS","MED","4,693","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 17, 2011","Molina Healthcare of California","","California","UNKN","MED","11,081","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 21, 2011","Aegis Sciences Corporation","","Tennessee","PHYS","MED","2,185","OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies. 
Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","40.760537","-73.978890" "December 23, 2011","Soundpath Health, Inc","","Washington","PHYS","MED","7,581","A laptop containing the protected health information (PHI) of approximately 7,581 clients was stolen out of a workforce member's vehicle and subsequently used to access the covered entity's (CE) company server. The laptop contained clients' demographic information. After the incident, the CE performed a risk analysis of the specific breach occurrence. The CE provided OCR with a copy of its risk analysis, as well as its privacy, breach notification, and security policies and procedures. Following OCR's investigation, the CE performed a broader security risk assessment and encrypted all mobile media. The CE also developed and provided computer security training to its staff members. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","47.751074","-120.740139" "December 28, 2011","Concentra Health","","Texas","PHYS","MED","870","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","31.968599","-99.901813" "December 28, 2011","Sleep HealthCenters LLC","","Massachusetts","PHYS","MED","2,988","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2011","42.407211","-71.382437" "January 6, 2012","Smile Designs","","Florida","PHYS","MED","1,670","\N Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","27.664827","-81.515754" "January 10, 2012","Alamance Caswell Local Management Entity","","North Carolina","DISC","MED","50,000","\N Location of breached information: Email, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 10, 2012","CardioNet, Inc","","Pennsylvania","PHYS","MED","1,300","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 11, 2012","RightNow Technologies","","Montana","DISC","MED","2,700","RightNow Technologies, the software vendor and business associate (BA) for the covered entity (CE), MDwise, failed to disable a software switch, which allowed Google to index files on the CE’s hosted website 
containing the electronic protected health information (ePHI) of approximately 2,700 individuals. The ePHI included individuals’ names, addresses, zip codes, Medicaid numbers, and primary care physicians’ names and addresses. Following the breach, the CE took down the files in issue, disallowed the indexing and searching of the CE’s files by Internet search engines, and added restrictions. The CE also requested that Google remove the indexing on the affected files and obtained confirmation that Google cooperated within 24 hours. The CE provided breach notification to HHS, affected individuals, and the media. Finally, the CE improved technical safeguards pursuant to the HIPAA Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 13, 2012","WageWorks, Inc.","","California","UNKN","MED","1,700","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 16, 2012","Foundation Medical Partners","","New Hampshire","PHYS","MED","771","Without permission from the covered entity (CE), an employee provided a list of patients' names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating. The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes. 
Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management. The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 19, 2012","Kansas Department on Aging","","Kansas","PHYS","MED","7,757","On January 13, 2012, a laptop computer was stolen from an employee’s vehicle. The laptop contained the electronic protected health information (ePHI) of approximately 7,757 Kansas Department on Aging customers. The ePHI included customers’ names, addresses, dates of birth, types of services, case managers and their telephone numbers, dates of quality reviews, and names of quality review staff. KDOA filed a police report, provided breach notification to HHS, affected individuals, and the media, and issued substitute notice. Following the breach, KDOA retrained its workforce and encrypted all its laptops and thumb/flash drives. OCR obtained assurances that KDOA implemented the corrective action listed above, and upon investigation, OCR determined that KDOA does not meet the definition of a covered entity. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 19, 2012","Delta Dental of California","","California","UNKN","MED","11,646","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 20, 2012","Muskogee Regional Medical Center","","Oklahoma","PHYS","MED","844","A binder containing flu test results went missing from the lab of the covered entity (CE), Muskogee Regional Medical Center, on or about December 5, 2011. The binder contained the protected health information (PHI) of approximately 844 individuals, including patients’ names, account numbers, genders, medical record numbers, dates of birth, ages, test dates, and flu test results. Although the CE’s investigation could not confirm that the information had been impermissibly disclosed, it provided breach notification to the potentially affected individuals, HHS and the media. Following discovery of the incident, the CE retrained laboratory workforce members regarding proper handling and disposal procedures for PHI. It also determined to eliminate such paper records and to store future similar records electronically. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 23, 2012","ACS, Affiliated Computer Services, Inc., A Xerox Company","","Virginia","DISC","MED","1,444","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 24, 2012","Oldendorf Medical Services, PLLC","","New York","PHYS","MED","549","OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.712784","-74.005941" "January 26, 2012","St.Vincent Physician Network","","Indiana","PHYS","MED","1,423","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.267194","-86.134902" "January 27, 2012","Flex Physical Therapy","","Washington","PHYS","MED","3,100","On 12/30/2011, three password protected desktop computers were stolen as a result of a break-in. 
The electronic protected health information (ePHI) involved in the breach may have contained the names, social security numbers, addresses, dates of birth, claims information, diagnosis and treatment information of 3,100 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Following the breach, the CE upgraded its software and addressed facility access controls. OCR provided technical assistance regarding encryption standards and breach notification requirements. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 27, 2012","Metro Community Provider Network","","Colorado","HACK","MED","3,200","The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. With this settlement amount, OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. 
On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule. “Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.” The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem... Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","39.550051","-105.782067" "January 30, 2012","University of Miami ","","Florida","PHYS","MED","1,219","An unencrypted USB drive was stolen from the vehicle of a University of Miami pathologist. The drive contained the electronic protected health information (ePHI) of 1,219 patients, including names, ages, diagnoses, and treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. 
It also established a website related to the breach and offered credit monitoring to affected individuals. Following the breach, the CE implemented sanctions by ceasing relations with the pathologist (an independent contractor) and retrained personnel on safeguards, notably encryption, data protection and security awareness. OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","27.664827","-81.515754" "February 1, 2012","UnitedHealth Group health plan single affiliated covered entity","","Minnesota","UNKN","MED","6,678","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 1, 2012","Triumph, LLC","","North Carolina","PHYS","MED","2,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 6, 2012","Accretive Health","","Illinois","PHYS","MED","14,000","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 8, 2012","Loma Linda University Medical Center (LLUMC)","","California","UNKN","MED","1,366","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 8, 2012","Affiliated Computer Services, Inc. (ACS, Inc.) 
A Xerox Company","","New Jersey","UNKN","MED","1,700","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 13, 2012","Medco Health Solutions, Inc.","","New Jersey","PHYS","MED","1,287","The covered entity (CE), Medco Health Solutions, Inc., reported that it mailed letters that contained the protected health information (PHI) of 4,341 individuals to incorrect addresses due to a corruption of data in the mailing software programming code. After conducting a risk assessment, the CE determined that the actual number of affected individuals was 1,287. The PHI included names, medication names, and prescription numbers. The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. As a result of OCR's investigation, the CE corrected the update to its mailing software system and established a manual quality check process. The CE also implemented the use of a daily automated surveillance system for its mailing software. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 14, 2012","Lakeview Medical Center","","Wisconsin","PHYS","MED","698","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 14, 2012","Goshen Health System, Inc.","","Indiana","HACK","MED","660","Computer servers of Goshen Health System’s business associate (BA), Silver Tech, may have been injected with a virus on December 22, 2011. 
The BA operates a consumer website on behalf of the covered entity (CE) for employment and pre-registration for screenings and diagnostic testing. The BA’s servers contained the electronic protected health information (ePHI) of approximately 660 individuals, including patients’ names, social security numbers, addresses, insurance carriers, testing information, and financial information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified the Indiana Attorney General’s office and the FBI and offered one year of free credit monitoring services to affected individuals. Following the breach, the CE terminated its relationship with the BA, engaged an outside forensic security firm to conduct an internal investigation, and updated its website. The CE revised its HIPAA policies and procedures and updated its practices to ensure the proper execution of Business Associate Agreements with all vendors and other parties who may have access to PHI. The CE trained its employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 15, 2012","St. Joseph Health System","","California","DISC","MED","0","St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. 
Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. SJH’s range of services includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico. On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information. OCR’s investigation indicated the following potential violations of the HIPAA Rules: • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals; • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI; • Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule. 
In addition to the $2,140,500 settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem.... Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 15, 2012","Georgetown University Hospital","","District Of Columbia","DISC","MED","1,549","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 15, 2012","Motion Picture Industry Health Plans (MPI)","","California","PHYS","MED","703","The covered entity (CE), Motion Picture Industry Health Plans (MPIHP), mistakenly sent mailings containing protected health information (PHI) to the prior address of approximately 700 individuals due to a computer error. The PHI involved in the breach included names, claim numbers, dates of service, and provider names. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. Following the breach, the CE instituted additional safeguards including automatic suppression of documents when conflicting addresses are contained in multiple computer systems. As a result of OCR's investigation, the CE updated its policies, conducted a new risk analysis, and developed a new risk management plan. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "February 20, 2012","Ochsner Health System","","Louisiana","PHYS","MED","2,088","An external hard drive was stolen from the radiology department of the covered entity (CE), Ochsner Health System. The electronic protected health information (ePHI) on the hard drive included the names, addresses, dates of birth, and medical record numbers of approximately 2,088 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE improved technical safeguards and updated its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","30.984298","-91.962333" "February 20, 2012","Dr. Trandinh","","Oregon","PHYS","MED","2,300","The CE reported that a physician’s personally-owned, unencrypted laptop was stolen from her residence. The laptop contained the medical records of 2,306 patients who had been seen by the physician in her solo private practice, not the CE. The medical records contained demographic information, including home addresses, social security numbers, and clinical information, including diagnoses, treatment information, and medical history. Prior to the theft, the physician had closed her private practice and provided an electronic copy of her patient records to the CE. The CE, as custodian of the records, provided breach notification to HHS, affected individuals and the media. Following additional technical assistance provided by OCR, the CE developed a written breach policy and procedure. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","43.804133","-120.554201" "February 27, 2012","CardioNet, Inc.","","Pennsylvania","PHYS","MED","728","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","41.203322","-77.194525" "February 28, 2012","Beth Barrett Consulting, LLC","","New Mexico","PHYS","MED","7,000","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","34.519940","-105.870090" "February 28, 2012","Catalyst Health Solutions, Inc.","","Maryland","DISC","MED","632","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 28, 2012","T&P CONSULTING, INC. D/B/A QUANTUM","","Puerto Rico","PHYS","MED","7,706","An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. 
In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "February 29, 2012","Lee Miller Rehabilitation Associates","","Maryland","PHYS","MED","10,480","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 2, 2012","Jeremaih J. Twomey, F.A.C.P., P.A.","","Texas","PHYS","MED","2,559","Jeremaih J. Twomey, F.A.C.P., P.A. filed a breach notification report on March 2, 2012, as a business associate (BA), stating its office building and suite were ransacked and vandalized during the weekend of December 31, 2011. An external hard drive was stolen containing patient names, addresses, medical condition(s), diagnoses and, in some instances, social security numbers and dates of birth. The number of patients affected was 2,559. The BA provided breach notification to HHS, affected individuals, and the media. OCR initiated an investigation and, subsequently, learned that Jeremaih J. Twomey, F.A.C.P., P.A. is no longer a business associate (or covered entity). Dr. Twomey retired and closed his practice. 
Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 3, 2012","Anchorage Community Mental Health Services Inc.","","Alaska","DISC","MED","2,743","Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska. OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” ACMHS cooperated with OCR throughout its investigation and has been responsive to technical assistance provided to date. 
In addition to the $150,000 settlement amount, the agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a two-year period. The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 6, 2012","Robley Rex VA Medical Center ","","Kentucky","UNKN","MED","1,182","A workforce member of the covered entity (CE), Robley Rex VA Medical Center, lost or had stolen a binder of coding reports, which contained the protected health information (PHI) of 1,182 individuals. The binder was left unattended outside the entrance of the facility and returned soon thereafter to a workforce member by an inpatient at the facility who discovered the log book. The PHI involved in the breach included PHI of approximately 1,182 individuals, including names, social security numbers, and discharge dates. The CE provided breach notification to HHS, affected individuals, and the media, and offered free credit protection to all affected individuals. Following the breach, the CE suspended the employee, sent a bulletin to all employees indicating that they were not permitted to maintain log books or transport PHI outside the facility without authorization. As a result of OCR’s investigation, the CE reviewed its policies and procedures to ensure the adequacy of safeguards. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 9, 2012","Indiana Internal Medicine Consultants","","Indiana","PHYS","MED","20,000","A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without proprietary software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 12, 2012","T & P Consulting, Inc. d/b/a Quantum Health Consulting","","Puerto Rico","PHYS","MED","10,000","The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA). 
The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 12, 2012","Quantum Health Consulting","","Puerto Rico","PHYS","MED","4,645","OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 12, 2012","T&P Consulting, INC. d/b/a Quantum Health Consulting","","Puerto Rico","PHYS","MED","27,098","OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE’s business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. Lastly, the CE also provided media notification and notification to all individuals affected by the breach. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 12, 2012","Kern Medical Center ","","California","PHYS","MED","1,431","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 13, 2012","William F. 
DeLuca Jr., M.D.","","New York","PHYS","MED","577","OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 13, 2012","Quantum Health Consulting","","Puerto Rico","PHYS","MED","7,923","An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 14, 2012","Advanced Clinical Research Institute","","California","PHYS","MED","875","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 15, 2012","T&P Consulting, INC DBA Quantum HC","","Puerto Rico","PHYS","MED","7,606","An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls. 
Location of breached information: Laptop, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 15, 2012","Georgia Health Sciences University","","Georgia","PHYS","MED","513","On January 19, 2012, the covered entity’s (CE) employee discovered that her laptop computer was stolen from the front porch of her home. The laptop contained the electronic protected health information (ePHI) of 513 patients, including names, dates of birth, and health data. The laptop lacked virtual private network connectivity and the data was password protected but not encrypted. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE encrypted all employee laptops, implemented a mobile device and remote access policy and updated its electronic data backup policy. The CE also trained staff on its HIPAA Privacy and Security policies. Additionally, the CE counseled the employee for failure to maintain physical security of the CE’s property. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 16, 2012","Baylor Heart and Vascular Center, LLP","","Texas","PHYS","MED","1,972","An unsecured tablet computer was stolen from an employee’s vehicle on January 6, 2012. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, treating physicians’ names and health screening results for 1,972 individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. 
As a result of OCR’s investigation, OCR reviewed the CE’s HIPAA policies, documentation of workforce training related to safeguarding mobile devices, and its risk analysis related to mobile devices. Following the incident, the CE implemented additional technical safeguards, including encryption solutions, as part of its mobile device management program. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 23, 2012","Chicago Muscoskeletal Institute","","Illinois","DISC","MED","750","On December 31, 2011, the names, dates of birth, medical record numbers, and clinic notes for 750 of the covered entity’s (CE) patients were available on its network server and website. The CE disabled the website and removed the 750 patients’ demographic and clinical information from its network server. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE provided fraud and credit monitoring to affected individuals and retrained its staff on technical safeguards. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 23, 2012","Caremark PCS Health, L.L.C. 
(formerly known as Caremark PCS Health, L.P.)","","Illinois","UNKN","MED","3,482","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 23, 2012","Duke University Health System","","North Carolina","DISC","MED","1,370","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "March 29, 2012","St. Joseph's Medical Center","","California","PHYS","MED","712","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 3, 2012","CenterLight Healthcare","","New York","DISC","MED","642","A workforce member emailed to his personal email address files containing the protected health information (PHI) of 642 individuals, including their names, Medicare numbers, Medicaid numbers, enrollment status, and some health plan names. The workforce member was a temporary worker who had intended to show his work product to potential employers to demonstrate his experience with such work. The covered entity (CE), CenterLight Healthcare, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE ensured that the temporary worker deleted the email at issue from his personal email account and personal mobile device. The CE also attempted to secure the temporary worker’s written acknowledgment that confirmed that he either (i) did not save the files to his home desktop computer or (ii) deleted the files from his home desktop computer. The CE also sanctioned the worker. 
Additionally, the CE stopped using temporary workers, implemented an email encryption solution, and revised its HIPAA training. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 4, 2012","Lake Granbury Medicl Ceter","","Texas","PHYS","MED","502","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 6, 2012","County of Wayne Department of Personnel/Human Resources Benefits Administration Division","","Michigan","DISC","MED","1,229","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 6, 2012","St. Elizabeth's Medical Center","","Massachusetts","PHYS","MED","6,831","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 9, 2012","The Neighborhood Christian Clinic","","Arizona","PHYS","MED","9,565","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 10, 2012","AccentCare Home Health of California, Inc. 
Medicare # 057564 CA state License # 080000226","","California","DISC","MED","1,000","A former workforce member of the covered entity (CE), AccentCare Home Health Care of CA, downloaded and forwarded the electronic protected health information (ePHI) of approximately 1,000 individuals via a personal email account to other ex-workforce members. The ePHI included names, addresses, zip codes, social security numbers, diagnoses and conditions. This was discovered nearly a year after the incident during a deposition. The intended recipients denied requesting or receiving the ePHI. The CE provided breach notification to HHS, affected individuals, and the media. Following discovery of the breach, the CE hired a third party to conduct a risk assessment, followed through with recommended risk management processes and began working toward obtaining a HITRUST Certification. As a result of OCR’s investigation, the CE improved its understanding of the risk analysis and risk management process. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 10, 2012","HealthLOGIX","","Michigan","DISC","MED","555","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 10, 2012","David Charles Rish","","California","PHYS","MED","2,000","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 11, 2012","Utah Department of Technology Services","","Utah","HACK","MED","780,000","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 12, 2012","IU Medical Group","","Indiana","PHYS","MED","1,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 12, 2012","Rhinebeck Health Center/Center for Progressive Medicine","","New York","PHYS","MED","6,745","The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system. 
Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 13, 2012","Memorial Healthcare System","","Florida","UNKN","MED","9,497","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 13, 2012","Roy E. Gondo, M.D.","","Washington","PHYS","MED","2,100","\N Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 16, 2012","DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central","","Texas","PHYS","MED","1,000","After an extensive investigation, OCR determined that DRD Knoxville was not a HIPAA covered entity at the time that the incident occurred. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 18, 2012","Emory Healthcare","","Georgia","UNKN","MED","315,000","On February 20, 2012, the covered entity (CE), Emory Healthcare, discovered that ten unencrypted back-up compact disks (CDs) containing electronic protected health information (ePHI) were missing. The types of ePHI involved in the breach included clinical and demographic data for 315,000 surgical patients treated at three locations between September 1990 and April 2007. The information on the CDs could only easily be read using decommissioned software. The CE provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE required every department to inventory and properly store or destroy PHI. It also distributed educational material to all staff. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 20, 2012","Desert AIDS Project","","California","PHYS","MED","4,400","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 20, 2012","University of Arkansas for Medical Sciences","","Arkansas","DISC","MED","7,121","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 23, 2012","TLC Dental Dania, LLC","","Florida","PHYS","MED","750","A laptop computer and 750 paper medical records were stolen from the covered entity (CE), TLC Dental Dania, LLC, during a break-in. The CE reported the theft to the law enforcement. The CE provided timely breach notification to affected individuals and HHS, and posted notice on its website. OCR provided technical assistance to CE about the requirements for media notice. In response to the breach, the CE adopted and implemented new HIPAA policies that addressed the Security, Privacy and Breach Notification Rules. OCR obtained assurances from the CE that its staff would be trained on these new policies. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 24, 2012","South Carolina Department of Health and Human Services","","South Carolina","DISC","MED","228,435","The covered entity (CE), South Carolina Department of Health and Human Services, discovered that an employee sent Medicaid reports to her personal email from January 31, 2012, through April 4, 2012. The breach affected 228,435 individuals and the types of protected health information (PHI) involved in the breach included names, addresses, phone numbers, social security numbers and for 22,648 individuals, their Medicaid identification numbers. The CE provided timely breach notification to HHS, affected individuals, and the media. CE also posted notification about the breach on its website. In response to the breach, CE suspended access to most of its ad hoc electronic reporting, initiated a comprehensive review of its privacy and security safeguards, contacted local and federal law enforcement, and sanctioned the responsible employee. The CE also revised its security policies to restrict employee access to PHI to only that necessary for the individual’s job function and implemented an automated monitoring system to track user activity in its computer system. CE also implemented annual privacy and security training. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 26, 2012","Oregon Health Authority","","Oregon","PHYS","MED","550","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "April 26, 2012","SHIELDS For Families ","","California","PHYS","MED","961","On February 27, 2012, a computer server was stolen from the covered entity (CE), Shields for Families. The server contained the electronic protected health information (ePHI) of 961 individuals and included names, addresses, zip codes, birth dates and referral information. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical safeguards by relocating the new server to a locked office and securing it within the room. The CE initiated major improvements to its IT infrastructure, revised its security program, and retrained workforce members on its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 1, 2012","Safe Ride Services, Inc","","Arizona","HACK","MED","42,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 3, 2012","IntraCare North Hospital","","Texas","PHYS","MED","750","A former employee of the covered entity (CE), Intracare North Hospital, stole computers, monitors, and the CE’s billing software. The protected health information (PHI) involved in the breach included names, addresses, phone numbers, dates of birth, insurance information, and social security numbers. The District Attorney’s Office has not provided the CE with the PHI nor have they provided the CE with the number of patients that were affected. The CE provided breach notification to HHS, the media, and affected individuals. Individual notification included a toll-free number and the Harris County District Attorney’s contact number. Following OCR’s investigation, the CE improved safeguards by upgrading its system to allow for more specific monitoring of the activity of users and creating user codes to track copier use. The CE also improved administrative safeguards by revising workforce clearance procedures for certain jobs, and improved physical safeguards by installing surveillance cameras. In addition, staff was re-trained on the HIPAA Rules. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 3, 2012","Oakland Vision Services, PC","","Michigan","HACK","MED","3,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 4, 2012","Stephen Haggard, DPM Podiatry ","","Washington","PHYS","MED","1,597","Computer equipment and a safe containing the unencrypted electronic protected health information (ePHI) of 1,597 individuals were stolen from the covered entity’s (CE) office on March 4, 2012. The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, claims information, diagnoses, and medication information. Following the breach, the covered entity purchased a new door and locks, a new alarm system, and alarm monitoring. As a result of OCR’s investigation, the CE conducted a risk analysis and developed breach notification policies and procedures. The CE also encrypted its computer server. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 4, 2012","Baptist Health System","","Alabama","PHYS","MED","1,655","On March 8, 2012, a trash bag containing discarded appointment schedules was inadvertently removed from a “shred bin” at Baptist Health System’s Talladega clinic by the office cleaning service and disposed of in a dumpster without being shredded. The protected health information (PHI) involved in the breach included patients’ names, dates of birth, dates of service, account numbers, and chart numbers for approximately 2,000 individuals. 
The CE provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE initiated an internal investigation, conducted a risk assessment, and updated its policies and procedures regarding access to shred bins. As a result of OCR’s investigation, the CE reviewed its policies and procedures with staff to ensure the adequacy of safeguards. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 8, 2012","University of Houston for UH College of Optometry","","Texas","HACK","MED","7,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 10, 2012","Rite Aid Store 1343","","West Virginia","PHYS","MED","2,905","On March 29, 2012, the covered entity (CE), Rite Aid Store 1343, discovered that hard copy prescriptions from 2004 were stolen from a storage building in Oceana, West Virginia. The prescriptions contained the protected health information (PHI), of approximately 2,905 individuals, and included names and prescription information. After the breach was discovered, the CE removed two remaining boxes of prescriptions from the storage unit and secured them. The CE also improved physical safeguards by placing a new lock on the outside of the storage facility. The CE reported the incident to the authorities. As several staff members violated company policy by not ensuring that the storage area was properly secured, the CE issued final written warnings to all responsible staff members. The CE provided breach notification to HHS, affected individuals, and the media, and also offered each affected individual free identity theft protection services for one year. 
OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 11, 2012","Iowa Department of Human Services","","Iowa","PHYS","MED","3,000","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 11, 2012","Hogan Services Inc. Health Care Premium Plan","","Missouri","DISC","MED","1,134","On March 30, 2012, Hogan Services Inc. (HSI), the sponsor of a fully insured employee health plan, erroneously distributed an email to 287 employees containing the electronic protected health information (ePHI) of approximately 1,134 individuals. The ePHI included names, social security numbers, dates of birth, gender, group health plan identification numbers, member identifications, enrollment dates, and types of coverage for employees and names, dates of birth, and relationship information for employees’ spouses and dependents enrolled in the group health insurance plan. Upon discovering the breach, HSI directed its email vendor to shut down its email server, and constructed an incident response team that went to each workstation and deleted the ePHI from employees’ computers, and shredded any copies of the email that had been printed. HSI provided breach notification to HHS and affected individuals. As a result of OCR’s investigation, HSI made a decision not to accept, store, or transmit ePHI, and it retrained its workforce regarding the HIPAA Rules. HSI also added encryption software to employees’ accounts that have access to ePHI. OCR obtained assurances that HSI implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 14, 2012","Family Health Services Minnesota PA","","Minnesota","PHYS","MED","4,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 14, 2012","St. Mary Medical Center","","California","PHYS","MED","3,900","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 18, 2012","Our Lady of the Lake Regional Medical Center","","Louisiana","PHYS","MED","17,000","A physician’s personally owned laptop computer, which was used to conduct business on behalf of the covered entity (CE), Our Lady of the Lake Regional Medical Center, was either misplaced or stolen. The laptop contained the electronic protected health information (ePHI) of 17,339 individuals and included patients’ names, ages, dates and times of admission/discharge, race, health coverage, medical history, and results of ICU treatments. The CE provided breach notification to HHS, affected individuals, established a call center, and employed a service to provide identity protection services. As a result of OCR’s investigation, the CE established and finalized controls and policies on personally owned devices used on behalf of the CE. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 18, 2012","UnitedHealth Group health plan single affiliated covered entity","","Minnesota","DISC","MED","19,100","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 18, 2012","West Dermatology","","California","PHYS","MED","1,900","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 18, 2012","Duke University Health System","","North Carolina","DISC","MED","591","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 19, 2012","Luz Colon, DPM Podiatry ","","Florida","PHYS","MED","1,137","On March 20, 2012, an unencrypted laptop computer containing patient information was lost or stolen. The laptop contained the demographic, clinical and financial information of 1,137 individuals. The covered entity (CE), Absolute Foot and Ankle Specialists Inc., provided breach notification to HHS, affected individuals, and English and Spanish media. In response to the breach, the CE disallowed removal of equipment from the premises and began using cloud-based electronic medical record software. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 21, 2012","Ameritas Life Insurance Corp. ","","Nebraska","PHYS","MED","3,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 22, 2012","Children's Hospital Boston","","Massachusetts","PHYS","MED","2,159","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 22, 2012","Data Image, Inc.","","Ohio","DISC","MED","15,000","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 23, 2012","Physician's Automated Laboratory","","California","PHYS","MED","745","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 24, 2012","Phoebe Putney Memorial Hospital, Inc. 
","","Georgia","PHYS","MED","12,937","\N Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 25, 2012","Independence Physical Therapy","","Connecticut","PHYS","MED","925","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 26, 2012","Titus Regional Medical Center","","Texas","PHYS","MED","500","Titus Regional Medical Center, the covered entity (CE), reported the theft of the protected health information (PHI) of an undetermined number of individuals from an offsite storage location. The PHI involved in the breach included first and last names, medical record numbers, account numbers, and in some cases, doctor’s reports. The CE filed a police report and provided breach notification to HHS, affected individuals, and the media. The CE also provided additional training to the involved employees. As a result of OCR’s investigation, the CE conducted a risk assessment and implemented additional safeguards for records contained in the storage location. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 29, 2012","Lutheran Community Services Northwest","","Washington","PHYS","MED","756","Two desktop computers and a USB drive were stolen during a break-in at the CE’s premises. The devices contained the electronic protected health information (ePHI) of approximately 757 individuals. 
The ePHI involved in the breach included phone numbers, email addresses, state identification card information, demographic, financial, clinical, diagnostic, and treatment information. The CE installed new locks, added HIPAA policies and procedures, and encrypted all mobile devices. As a result of OCR’s technical assistance, the CE revised policies and procedures, moved the back-up server offsite to a secure storage facility, and stopped saving ePHI to local computer drives. Location of breached information: Desktop Computer, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "May 31, 2012","Volunteer State Health Plan, Inc. ","","Tennessee","PHYS","MED","1,102","The covered entity (CE), Volunteer State Health Plan, mailed three envelopes containing the protected health information (PHI) that arrived at the contracted provider’s address damaged, with the contents missing. The envelopes were damaged at the U.S. postal facility where they were processed and contained member claim information of 1,102 individuals, including members’ names, identification numbers, claim numbers, dates of service, procedure codes, charges, and provider information. In response to this incident, an investigator for the CE visited the mail facility where the damage occurred in an attempt to determine that the documentation was appropriately shredded under USPS policy for damaged mail. Additionally, the CE’s mailroom began using tear resistant envelopes for oversized mailings, and the CE trained its mailroom employees on the new envelope policy. Finally, the CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","35.517491","-86.580447" "June 4, 2012","Charlie Norwood VA Medical Center","","Georgia","PHYS","MED","824","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","32.165622","-82.900075" "June 4, 2012","PrevMED","","Maryland","PHYS","MED","1,444","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","39.045755","-76.641271" "June 4, 2012","Metcare of Florida, Inc.","","Florida","PHYS","MED","2,557","The covered entity (CE), Metcare of Florida, discovered on May 2, 2012, that its facility had been broken into and a tablet computer was stolen. The tablet was password protected but not encrypted and contained the following types of protected health information (PHI): patients’ name, dates of birth, patient identification numbers, and clinical information. The theft affected 2,557 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE encrypted its portable devices, implemented written policies requiring the physical safeguard of portable devices, and provided specialized training to its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","27.664827","-81.515754" "June 6, 2012","Robert Witham, MD, FACP","","Oregon","PHYS","MED","11,136","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 8, 2012","Memorial Sloan-Kettering Cancer Center","","New York","PHYS","MED","568","The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above. 
Location of breached information: Email, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 14, 2012","Gessler Clinic, P.A.","","Florida","PHYS","MED","1,409","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 19, 2012","University of Kentucky HealthCare","","Kentucky","PHYS","MED","4,490","On May 1, 2012, an unencrypted laptop of a University of Kentucky Health Care employee with the protected health information (PHI) of approximately 4,488 individuals was stolen from a workforce member’s son, who borrowed the laptop without permission and knew the computer’s password. The PHI involved in the breach included medical record numbers, dates of visits, and chief complaints. The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, set up a toll-free number for questions, and posted substitute notice on its website. The responsible workforce member was suspended pending an investigation and ultimately resigned. The CE created and revised its HIPAA policies and procedures, including its mobile device policy, and implemented additional security measures to address high and moderate risks identified in its risk analysis. Finally, the CE provided evidence of employee training and security reminders. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 22, 2012","Wolf & Yun","","Kentucky","PHYS","MED","824","On April 24, 2012, a password protected laptop computer containing patient demographic information and auditory diagnostic testing data was stolen during office hours from a back laboratory testing room of the covered entity (CE), Wolf and Yun. The breach affected approximately 824 individuals. The electronic protected health information (ePHI) on the laptop included patients’ names, addresses, dates of birth, and raw auditory testing data. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE filed a police report, reviewed its policies and procedures and improved physical safeguards. As a result of OCR’s investigation, the CE performed a risk analysis, installed a secure router, increased transmission security, revised its HIPAA policies, updated its computer operating system, created formal incident response and reporting procedures, and retrained its workforce. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 22, 2012","Karen Kietzman","","Montana","PHYS","MED","708","A laptop, iPad, and portable memory drive were stolen from the office of Dr. Karen Kietzman, the covered entity (CE), affecting approximately 708 individuals. The electronic protected health information (ePHI) contained on the devices included patients’ demographic and mental health information. The CE provided breach notification to HHS, affected individuals, and media. 
As a result of the breach, and to prevent a recurrence, the CE improved physical safeguards, encrypted her laptop, and stopped storing ePHI on any other electronic media. As a result of OCR’s investigation and technical assistance, the CE developed a risk analysis and risk management plan and developed policies and procedures to implement the Privacy, Security, and Breach Notification Rules. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "June 25, 2012","Bruce G. Peller, DMD, PA","","North Carolina","DISC","MED","9,953","The covered entity (CE), Dr. Bruce Peller DMD, PA, discovered on April 27, 2012, that an unauthorized individual gained access to patients' protected health information (PHI) and compiled a list of such information. The CE determined that 9,953 individuals may have been affected and the following information may have been accessed: patients' names, legal guardians (if applicable), dates of birth, addresses, phone numbers, email addresses, treatment dates, internal identification numbers and account balances. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE obtained an injunction that required the destruction or return of PHI, implemented a stronger training program for its workforce, and improved its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 3, 2012","Sharon L. 
Rogers, Ph.D., ABPP","","Texas","PHYS","MED","585","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 5, 2012","Health Texas Provider Network - Cardiovascular Consultants of North Texas","","Texas","DISC","MED","2,462","A former employee of the covered entity (CE), Baylor Health Care System and Health Texas Provider Network – Cardiovascular Consultants of North Texas, continued to access its appointment reminder system for nearly two months after employment ended. The former employee accessed the protected health information (PHI) of 2,462 individuals, including patients’ names, phone numbers, appointment times and dates, reason for appointments, physicians’ names and facility names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE terminated the former employee’s system access, modified its access termination protocol, and sanctioned and retrained involved staff. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 12, 2012","SwedishAmerican Health System","","Illinois","PHYS","MED","1,500","An individual misrepresented himself as an employee of a vendor contracted with the covered entity (CE) to dispose of x-ray films, obtained access to a storage area that contained films to be destroyed, and stole approximately 1,500 x-ray films from the CE. The CE strongly believes that the films were stolen due to silver content rather than patient information. 
The protected health information (PHI) involved in the breach included names, addresses, dates of birth, medical record numbers, account numbers and x-ray types. The CE provided breach notification to HHS and the media and posted substitute notice online. Following the breach, the CE examined its policies and procedures, established a committee to oversee PHI destruction processes, reviewed physical security on campuses, and issued email notices to all workforce members regarding vendor security. OCR reviewed the CE’s policies and procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 13, 2012","Patterson Dental, Inc.","","Minnesota","DISC","MED","2,533","\N Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","46.729553","-94.685900" "July 16, 2012","Visiting Nurse Services of Iowa","","Iowa","PHYS","MED","1,298","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","41.878003","-93.097702" "July 16, 2012","Hamner Square Dental, Privacy Manager Breach","Norco","California","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","33.931126","-117.548661" "July 16, 2012","Molalla Family Dental","","Oregon","HACK","MED","4,354","The CE did not control access to the electronic protected health information (ePHI) of 4,354 individuals which was contained in the CE’s network-attached storage. 
Specifically, the CE’s firewall was set to allow access to a port that permitted anyone outside of CE’s firewall to access patient information. The ePHI involved in the breach included names, addresses, email addresses, dates of birth, patient intake sheets, invoices, dental charts, photos, x-rays, insurance information, credit card numbers, dates of birth, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE closed access to the unsecured port, encrypted ePHI, upgraded operating system software on all workstations, implemented new firewall rules, installed a new server, set up automatic software patching and spyware removal, and deployed new virus and spam filters. The CE also retrained employees and implemented extensive policies and procedures, including new backup procedures for ePHI. OCR obtained assurances that the corrective actions were taken. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","43.804133","-120.554201" "July 17, 2012","Pamlico Medical Equipment LLC","","North Carolina","PHYS","MED","2,917","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 20, 2012","Beth Israel Deaconess Medical Center","","Massachusetts","PHYS","MED","3,900","A physician’s unencrypted personal laptop computer, which he used for business purposes, was stolen from his office on the campus of the covered entity (CE), Beth Israel Deaconess Medical Center. The laptop contained the PHI of approximately 3,900 individuals, including short summaries of medical information and the names and social security numbers of two individuals. 
After discovering the breach, the CE notified the police and hired an independent forensic firm. The CE provided breach notification to HHS, affected individuals, and the media. The CE also offered affected individuals one year of free credit monitoring and access to a dedicated call center to contact with questions regarding the incident. As a result of this incident, the CE retrained staff, enhanced its data security policy, and initiated an awareness campaign to educate and alert its workforce of security and privacy issues. The CE improved technical safeguards by encrypting or disabling all of its laptops. The CE counseled the physician whose laptop was stolen and assured that his replacement laptop was secured to the desk and encrypted. OCR’s investigation occurred simultaneously with the Massachusetts Attorney General’s Office (AGO) investigation into the same incident. Pursuant to an information sharing agreement, OCR and the AGO worked in collaboration to ensure the corrective action and future compliance of this CE. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 23, 2012","NYU School of Medicine Faculty Group Practice","","New York","PHYS","MED","8,488","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 25, 2012","The Surgeons of Lake County, LLC","","Illinois","UNKN","MED","7,067","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 25, 2012","Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg","","Indiana","PHYS","MED","1,504","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 27, 2012","Jeffrey Paul Edelstein M.D.","","Arizona","PHYS","MED","4,800","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 27, 2012","Northwestern Memorial Hospital","","Illinois","PHYS","MED","4,211","\N Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 30, 2012","Walgreen Co.","","Illinois","PHYS","MED","1,240","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 30, 2012","EMC","","Connecticut","PHYS","MED","7,461","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "July 31, 2012","Oregon Health & Science University","","Oregon","PHYS","MED","702","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","43.804133","-120.554201" "August 3, 2012","Stanford Hospital & Clinics and School of Medicine, Privacy Manager Breach","","California","PHYS","MED","2,300","The covered entity (CE), Stanford Health Care (SHC)(formerly Stanford Hospital and Clinics), and Stanford School of Medicine (SOM), reported that on July 15 or 16, 2012, a password-protected computer was stolen from a locked SOM workforce member's office. The electronic protected health information (ePHI) of approximately 2,641 individuals may have been affected by this incident. The ePHI involved in the breach included clinical and demographic information related to SHC patient care and SOM research. The CE reported that there was no evidence to indicate that ePHI had been inappropriately accessed. The CE contacted law enforcement, notified the affected individuals, offered identity protection services at no cost to the affected individuals, established a toll-free call center to assist affected individuals with questions or concerns, and notified the media and HHS. As a result of the breach and OCR’s corresponding investigation, the CE implemented additional physical safeguards, audited SHC desktops and laptops to ensure encryption, issued security awareness reminders to workforce, and initiated plans to implement an improved risk management process. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "August 3, 2012","Harris County Hospital District","","Texas","PHYS","MED","2,875","\N Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","31.968599","-99.901813" "August 10, 2012","Siemens Medical Solutions, USA","","Pennsylvania","PHYS","MED","66,601","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","41.203322","-77.194525" "August 15, 2012","TEMPLE COMMUNITY HOSPITAL","","California","PHYS","MED","603","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 15, 2012","Heartland Pathology Associates, P.A.","","Florida","PHYS","MED","1,175","Heartland Pathology Associates, P.A., the covered entity (CE), discovered that its past business associate (BA), Medical Business Service, Inc., suffered a breach when an employee downloaded protected health information (PHI) to a portable computer drive and provided the drive to a third party. The breach affected 1,175 individuals and included patients' names, addresses, telephone numbers, social security numbers, dates of birth, insurance carriers, insurance policy numbers, physicians' name, diagnosis information, medical record numbers, account numbers, admission and discharge dates, and gender. The CE delayed providing breach notification due to a law enforcement investigation. 
Once given approval, the CE timely sent breach notification to HHS, affected individuals, and the media and posted substitute notification online. The CE contracted with Florida Hospital Heartland Medical Center (“Hospital”) for annual HIPAA training and for use of a computer maintained and monitored by the Hospital’s information technology department. The CE received assurances that PHI maintained by its BA was destroyed. OCR obtained assurances that the CE has implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 15, 2012","Apria Healthcare, Inc., Privacy Manager Breach","","California","PHYS","MED","0","On August 13, 2012, the covered entity (CE), Apria Healthcare, Inc., reported that an unencrypted laptop computer was stolen from a workforce member’s locked vehicle. The laptop contained the electronic protected health information (ePHI) of 65,700 individuals. The PHI involved in the breach included names, addresses, birth dates, social security numbers, and isolated instances of driver’s licenses, financial and medical information. The CE provided breach notification to HHS, the affected individuals and the media. The CE sanctioned the workforce member, encrypted all laptop and desktop computers, and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 16, 2012","Memorial Healthcare System","","Florida","PHYS","MED","105,646","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 17, 2012","Liberty Resources, Inc.","","Pennsylvania","PHYS","MED","3,183","An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 17, 2012","The University of Texas MD Anderson Cancer Center","","Texas","PHYS","MED","2,264","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 21, 2012","Central States Southeast and Southwest Areas Health & Welfare Fund","","Illinois","DISC","MED","754","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 28, 2012","LANA MEDICAL CARE","","Florida","PHYS","MED","500","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 28, 2012","Cancer Care Group, P.C.","","Indiana","PHYS","MED","55,000","$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana. 
On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients. OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility. “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.” Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. 
The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "August 31, 2012","Tricounty Behavioral Health Clinic","","Georgia","PHYS","MED","4,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 5, 2012","Sierra Plastic Surgery","","Nevada","HACK","MED","800","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","38.802610","-116.419389" "September 7, 2012","Charlotte Clark-Neitzel, MD","","Washington","PHYS","MED","942","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 7, 2012","University of Miami","","Florida","DISC","MED","64,846","Two employees of the covered entity (CE), University of Miami Hospital, printed patients’ face sheets in excess of their job duties and sold them over a period of 19 months before the activity was discovered by police 
while on an unrelated house raid. Following notification by the police, the CE conducted an internal investigation and determined that the breach potentially involved the protected health information (PHI) of 64,846 individuals. The PHI involved in the breach included demographic and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also applied sanctions to the involved employees. Following the breach, the CE disseminated educational material to the workforce and reviewed its HIPAA policies and procedures. It also deployed a program which monitors its electronic systems to safeguard against inappropriate use. OCR obtained assurance that the CE took the corrective actions listed above. The CE also confirmed its plan to continue to perform frequent access reviews, periodic audit trail reviews, and to create and retain audit logs for routine analysis. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 12, 2012","University of New Mexico Health Sciences Center","","New Mexico","HACK","MED","2,365","Anomalous activity occurred on a single computer server utilized to support clinical trial programs at the covered entity (CE), the University of New Mexico Cancer Center. The University of New Mexico is a component of the University of New Mexico Health Sciences Center. The electronic protected health information (ePHI) included the names, addresses, dates of birth, phone numbers, patient identification numbers, and/or social security numbers of approximately 2,365 individuals. Upon discovering the breach, the CE followed its investigative procedures. The CE provided breach notifications to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. 
OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 13, 2012","Valley Plastic Surgery, P.C.","","Virginia","PHYS","MED","4,873","The covered entity’s (CE) backup hard drive was stolen from the physician’s car, along with a camera and prescription pads. All the items were thrown aside except for the hard drive. The PHI involved in the breach consisted mainly of names and clinic notes of 4,873 individuals, while dates of birth were involved in some instances. Some photos of patients’ hands were also involved. Following the breach, the CE filed a police report. As a result of OCR’s investigation, the CE updated HIPAA policies, re-trained staff at all levels, and contracted with a third party to provide record storage service and encryption. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 14, 2012","Ecco Health, LLC","","Nevada","PHYS","MED","5,713","\N Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 14, 2012","BHcare, Inc","","Connecticut","PHYS","MED","5,827","OCR opened an investigation of the covered entity (CE), BHcare, Inc. after it reported that a laptop computer and unencrypted back-up tape containing the electronic protected health information (ePHI) of 5,827 individuals were stolen from a workforce member's vehicle. 
The ePHI included names, dates of birth, social security numbers, health insurance numbers, and some patients' assessments and diagnosis information. Upon discovering the breach, the CE filed a police report with the Connecticut State Police. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notice on its website. The CE offered one year of free credit monitoring services to affected individuals. As a result of OCR's investigation, the CE completed a risk analysis and risk management plan, retrained employees, and implemented new security policies and procedures to ensure adequate safeguards of ePHI. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 14, 2012","The Feinstein Institute for Medical Research","","New York","PHYS","MED","13,000","Feinstein Institute for Medical Research (Feinstein) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Feinstein will pay $3.9 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program; an effort it has already begun. “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. 
“For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.” Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices. After receiving a breach notification from Feinstein involving unsecured electronic protected health information (ePHI), OCR initiated an investigation to ascertain the entity’s compliance with HIPAA Rules. OCR’s investigation indicated that the following occurred: • Feinstein impermissibly disclosed the ePHI of 13,000 individuals when a Feinstein-owned laptop computer containing ePHI was left unsecured in the back seat of an employee’s car; • Feinstein failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by Feinstein, including the ePHI on the aforementioned laptop computer; • Feinstein failed to implement policies and procedures for granting access to ePHI by its workforce members; • Feinstein failed to implement physical safeguards for a laptop that contained ePHI to restrict access to unauthorized users; • Feinstein failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and, • Feinstein failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI. 
The settlement requires Feinstein to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of ePHI that includes: • A risk analysis and a risk management plan; • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 17, 2012","St. Therese Medical Group, Inc","","California","PHYS","MED","3,031","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "September 19, 2012","Cabinet for Health and Family Services, Department for Community Based Services","","Kentucky","DISC","MED","2,500","An employee’s email account generated spam email which may have caused an unintentional release of protected health information (PHI) held by the Kentucky Cabinet for Health and Family Services (CHFS), Department for Community Based Services, the covered entity (CE). The CE provided breach notification to HHS, affected individuals, and the media, and posted a copy of its press release on the CHFS website with a toll-free number. As a result of OCR’s investigation, the CE required workforce members to sign an agreement to ensure that they understand their role in safeguarding PHI, including safeguarding from phishing attacks. 
The CE created a security video that all new hires are required to view and that is used for re-training of current staff. In addition, OCR obtained the CE’s HIPAA policies and procedures which complied with the requirements of the Privacy and Security Rules as well as the Breach Notification Rule. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 8, 2012","PST Services, Inc","","Georgia","PHYS","MED","13,074","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 10, 2012","Apria Healthcare, Inc.","","California","PHYS","MED","65,700","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "October 12, 2012","Alexander J. Tikhtman, M.D.","","Kentucky","PHYS","MED","2,376","The covered entity (CE), offices of Alexander J. Tikhtman, M.D., lost an unencrypted flash drive containing the electronic protected health information (ePHI) of 2,376 individuals. The flash drive was not recovered. The ePHI included patients' names, treatment and diagnostic information, and in some instances, dates of birth and social security numbers. The CE provided breach notification to the affected individuals, HHS, and the media. It also established a dedicated call center for questions related to the breach and offered free credit monitoring and identity theft services to individuals whose social security numbers were breached. The CE updated its privacy and security policies and procedures relating to the use, storage, and transmission of PHI. 
OCR obtained assurances that the CE completed the corrective action listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","37.839333","-84.270018" "October 15, 2012","Gulf Coast Health Care Services Inc","","Florida","HACK","MED","13,000","Two former employees of the covered entity (CE) took a list of patient information to a competitor’s office. The list contained the names, dates of birth, addresses and phone numbers of 13,000 patients—every active and inactive patient treated by the CE. The CE ceased operations on October 31, 2013, and eventually filed for voluntary dissolution with the Florida Secretary of State effective July 27, 2015. OCR obtained assurances that the CE is no longer in business. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","27.664827","-81.515754" "October 17, 2012","Blount Memorial Hospital, Inc","","Tennessee","PHYS","MED","27,799","The covered entity (CE), Blount Memorial Hospital, reported that a laptop computer containing the electronic protected health information (ePHI) of 27,799 individuals was stolen from a workforce member's home. The ePHI involved in the breach included demographic and other financial information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE reviewed its privacy and security policies and procedures, encrypted all of its laptops, and improved its HIPAA training. As a result of OCR's investigation, OCR provided technical assistance regarding the CE's security incident procedures and risk management plan. OCR also reviewed the CE's HIPAA policies and procedures that were created or revised in response to the breach. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 18, 2012","Alere Home Monitoring, Inc","","California","PHYS","MED","116,506","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 18, 2012","Coastal home Respiratory, LLP","","Georgia","PHYS","MED","3,440","Computers containing the electronic protected health information (ePHI) of 3,440 patients were stolen from the covered entity (CE), Coastal Home Respiratory, during a burglary. The ePHI included names, addresses, phone numbers, insurance identification numbers, social security numbers, and diagnoses. The computers were password protected and the data was encoded. The CE promptly notified law enforcement and provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE cancelled access passwords for patient data, and changed patient data software to a server based system that is password protected and encrypted. The CE's billing software vendor changed the CE's account numbers to prevent unauthorized access to the ePHI. The CE improved physical safeguards by installing a new alarm system. Following OCR's investigation, the CE also improved safeguards for PHI by implementing new procedures for activity reports, audit logs, and security reports. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 22, 2012","Philip P Corneliuson, DDS, INC.","","California","PHYS","MED","980","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 22, 2012","L.A. Care Health Plan","","California","UNKN","MED","18,000","The covered entity (CE), L.A. Care Health Plan, reported that an accidental mailing error caused member identification (ID) cards to be mailed to the wrong addresses during its annual member mailing process. The mailing error potentially affected 18,000 individuals and included names, dates of birth, addresses, and zip codes. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE edited the case numbering and address verification process for print and mail jobs with its vendor. The CE revised its policies and procedures to exclude ID cards from the annual member mailing. As a result of its investigation, OCR provided technical assistance regarding a covered entity’s obligation to conduct an accurate and thorough risk analysis and implement security measures sufficient to reduce those risks and vulnerabilities identified in the analysis. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 23, 2012","First Step Counseling, Inc.","","New Jersey","PHYS","MED","638","From May 1, 2011, to August 5, 2011, two employees of the covered entity (CE), First Step Counseling, Inc., made photocopies of documents containing 638 patients' protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnosis information, dates of birth, telephone numbers and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained CE's patients' PHI. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE transferred to an electronic billing system which is password protected. In addition, the CE improved safeguards so that all patient files are locked and unlocked by the office manager, the front desk is protected by a window, and patients are not allowed to stand beside the receptionist desk. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 23, 2012","Logan Community Resources, Inc.","","Indiana","HACK","MED","2,900","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 26, 2012","Health Care Service Corporation","","Illinois","PHYS","MED","0","On July 28, 2011, the covered entity (CE) reported paper documents containing protected health information (PHI) were stolen from an employee's locked car that was parked in front of the employee’s home. The documents included the names, member identification numbers, birthdates, group numbers, group names, and diagnostic information for about 511 individuals, 498 of them residing in Texas, and 13 in New Mexico. Following the breach, the CE counseled the employee who was responsible for the breach, revised its policies and procedures on safeguards, and sent out an email to all staff, reminding them of the importance of safeguarding PHI in their possession at all times. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 26, 2012","SwedishAmerican Health System","","Illinois","PHYS","MED","1,500","No web description - case is a duplicate. The duplicate is posted on the webpage with a summary. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 26, 2012","CVS Caremark","","Rhode Island","PHYS","MED","955","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 29, 2012","Memorial Hospital","","Ohio","PHYS","MED","500","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "October 31, 2012","Waipahu Aloha Clubhouse, Privacy Manager Breach","Waipahu","Hawaii","DISC","MED","0","The covered entity (CE) reported unauthorized remote access into one of its desktop computers containing the protected health information (PHI) of 674 people. The CE later determined that the computer stored the PHI of 170 individuals. The PHI involved included names, addresses, dates of birth, and social security numbers. Following the breach, the CE updated its security policies and procedures, encrypted computers, updated its passwords, and retrained its employees. OCR provided technical assistance. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","21.386667","-158.009167" "November 1, 2012","QUANTERION SOLUTIONS INC","","New York","PHYS","MED","1,017","An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity's (CE) business associate (BA), Quanterion Solutions, Inc. 
The ePHI included names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR's investigation, the CE executed a BA agreement. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.712784","-74.005941" "November 2, 2012","University of Illinois, College of Nursing","","Illinois","PHYS","MED","508","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.633125","-89.398528" "November 5, 2012","Henry Ford Health System","","Michigan","PHYS","MED","2,777","Location of breached information: Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 5, 2012","Union County Board of Developmental Disabilities","","Ohio","PHYS","MED","0","On October 23, 2010, an unencrypted laptop computer containing the protected health information (PHI) of 1,420 individuals with disabilities served by the covered entity (CE), Union County Board of Developmental Disabilities, was stolen from a service consultant’s car. 
The laptop contained names, dates of birth, social security numbers, Medicare/Medicaid numbers, addresses, behavior plans, diagnoses, guardianship information, phone numbers, email addresses, parents’ names, dates of eligibility, case notes, third party insurance information, and current living arrangements. The CE provided breach notification to HHS, affected individuals, and the media. The CE also reported the theft to the proper authorities, who later recovered the laptop. Following the breach, the CE encrypted its laptops and retrained staff. As a result of OCR’s investigation, the CE implemented written HIPAA policies and procedures, including uses and disclosures, safeguarding PHI and electronic PHI, and breach notification policies and procedures. The CE provided documentation substantiating all actions taken. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 5, 2012","Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center","","Florida","PHYS","MED","2,560","This case has been consolidated with another review of the same covered entity. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 5, 2012","WYATT DENTAL GROUP, LLC","","Louisiana","PHYS","MED","10,271","The Louisiana State Police and the FBI notified the covered entity (CE) that a former employee was involved in identity theft affecting the protected health information (PHI) of the CE’s patients. Approximately 10,271 patients’ PHI was involved in the breach; however, the CE’s investigation concluded that after the Dept. of Public Safety and Corrections investigation, only 10 patients were affected. 
The PHI involved in the breach included names, addresses, and social security numbers. The CE provided breach notification to HHS, the media, and all patients whose names were included in their business associate’s (BA) information system. To prevent a similar breach from happening in the future, the BA reviewed its system and assured the CE and OCR that its system was designed to comply with the regulations under HIPAA. As a result of OCR’s investigation, the CE provided OCR with a copy of its HIPAA policies and procedures. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 5, 2012","Women and Infant's Hospital ","","Rhode Island","PHYS","MED","14,004","Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan. CNE provides centralized corporate support for its subsidiary affiliated covered entities, which include a number of hospitals and health care providers in Massachusetts and Rhode Island. These functions include, but are not limited to, finance, human resources, information services and technical support, insurance, compliance and administrative functions. On November 5, 2012, the U.S. 
Department of Health and Human Services Office for Civil Rights (OCR) received notification from Woman & Infants Hospital of Rhode Island (WIH), a covered entity member of CNE, of the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, date of birth, date of exam, physician names, and, in some instances Social Security Numbers. As WIH’s business associate, CNE provides centralized corporate support including technical support and information security for WIH’s information systems. WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule. OCR’s investigation found the following: • From September 23, 2014 until August 28, 2015, WIH disclosed protected health information (PHI) and allowed its business associate, CNE, to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA. WIH failed to renew or modify its existing written business associate agreement with CNE to include the applicable implementation specifications required by the HIPAA Privacy and Security Rules. • From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. “This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels. 
“The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.” With respect to the underlying breach, on July 17, 2014, WIH entered into a consent judgment with the Massachusetts Attorney General’s Office (AGO), and reached a settlement of $150,000. OCR found the consent judgment to sufficiently cover most of the conduct in this breach, including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals. While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem... 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 7, 2012","Memorial Health System","","Colorado","PHYS","MED","6,262","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 8, 2012","Maryville Academy","","Illinois","PHYS","MED","3,897","Three secondary back-up portable hard drives, which were maintained by the covered entity (CE), Maryville Academy, were removed from a locked room used as a secure area to maintain a secondary back-up copy of some electronic records for the CE’s services programs. The drives contained the electronic protected health information (ePHI) of approximately 3,897 individuals, including patients’ names, dates of birth, telephone numbers, social security numbers, addresses, diagnosis/conditions, financial claims information, medications, lab results, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and posted notification of the breach on its website. The CE also offered one year of free credit monitoring services to affected individuals. Following the breach, the CE revised its HIPAA policies and procedures and encrypted its back-up portable hard drives and other portable electronic devices. It also updated its practices regarding the physical storage of its back-up portable hard drives to include the use of a third party, off-site vendor and contracted with a third party vendor for long term offsite archive storage, and trained its workforce on any revised or newly implemented policies and procedures. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 16, 2012","CHRISTUS St. John Hospital","","Texas","PHYS","MED","5,748","On September 25, 2012, an employee lost an unsecured flash drive which contained the electronic protected health information (ePHI) of 5,748 individuals. The types of ePHI involved in the breach included financial, demographic, and clinical information. The hospital provided breach notification to HHS, affected individuals, and the media. Following the discovery of the incident, the hospital revised its HIPAA policy, implemented an encryption solution for media storage devices, and retrained the involved employee. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 17, 2012","L.A. 
Care Health Plan","","California","UNKN","MED","18,000","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 20, 2012","Hawaii State Department of Health, Adult Mental Health Division","","Hawaii","HACK","MED","674","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","19.896766","-155.582782" "November 21, 2012","Original Medicine Acupuncture & Wellness, LLC","","New Mexico","PHYS","MED","540","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","34.519940","-105.870090" "November 21, 2012","Soundental Associates, PC","","Connecticut","PHYS","MED","14,511","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 21, 2012","Digital Archive Management","","Texas","PHYS","MED","501","On or about July 26, 2012, the covered entity (CE), El Centro Regional Medical Center, learned that its business associate (BA), Digital Archive Management, abandoned the CE’s hard copy “jackets” for radiology films (x-rays) and radiology reports at a locked El Centro facility, instead of digitizing and destroying the records in accordance with the Business Associate Agreement. The CE recovered the jackets and radiology reports. On March 22, 2013, the CE learned from the FBI that the missing radiology films and hard copy paper documents were discovered in an abandoned commercial facility in Nevada. 
The breach involved the protected health information (PHI) of approximately 501 individuals and included demographic Information, including names and dates of birth and clinical information, including diagnoses and conditions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned certain employees, reviewed and updated its HIPAA policies and procedures, and implemented security measures to reduce risks and vulnerabilities to PHI and ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance deadline. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. OCR also reviewed the CE’s policies and procedures, risk analysis, risk management plan, and incident report. Location of breached information: Network Server, Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 26, 2012","Brigham and Women's Hospital","","Massachusetts","PHYS","MED","615","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 26, 2012","Advantage Health Solutions, Inc.","","Indiana","UNKN","MED","2,575","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 27, 2012","James M. McGee, D.M.D., P.C.","","Georgia","PHYS","MED","1,306","The covered entity’s (CE) locked storage unit was broken into and hard copies of 1,306 patients’ medical records were stolen. 
The types of protected health information (PHI) in records included patients’ full names, social security numbers, home addresses, telephone numbers, dental charts, insurance information, and payment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired the door to the storage unit, added a professional lock, and destroyed outdated patient records. The CE retrained staff, deployed new practice management software for storage of electronic patient records, and transferred storage of paper records on-site. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 28, 2012","Robbins Eye Center PC","","Connecticut","PHYS","MED","1,749","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 29, 2012","Advanced Data Processing, Inc.","","Florida","PHYS","MED","10,000","On or around June 15, 2012, an employee of the covered entity (CE), Advanced Data Processing, Inc. (ADP), dba Intermedix, who had access to patients’ protected health information (PHI) as part of her job, inappropriately accessed the PHI of approximately 10,000 individuals and sold the information to third parties. An addendum to the initial breach report, submitted on April 3, 2015, expanded the breach to an additional 2,360 individuals. The PHI involved in the breach included patient names, social security numbers, addresses, dates of birth, claims, and other financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice. 
Following the breach, the CE engaged a third party to review its network environment and make recommendations for security enhancements. It implemented data loss prevention technology to identify electronic PHI and block transmittal of sensitive information and a log management and analysis solution to automate collection, analysis, archival and recovery of log data. The CE implemented policies and procedures for disposal and reuse of mobile devices, as well as for the secure transport of sensitive information to, from, and between data centers. The CE also created an information security team and appointed a committee to address compliance. Additionally, the CE improved its employee training program and launched a vendor management program to ensure the safeguarding of ePHI by its business associates. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also initiated upgrades to its data center security and workstation antivirus technology. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 29, 2012","Cuyahoga County Board of Developmental Disabilities","","Ohio","PHYS","MED","613","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 29, 2012","Blue Cross Blue Shield","","Illinois","DISC","MED","500","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 29, 2012","Vidant Pungo Hospital","","North Carolina","PHYS","MED","1,100","\N Location of breached information: Paper/Films Business associate present: No ","US 
Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 29, 2012","County of San Bernardino Department of Public Health","","California","DISC","MED","1,370","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "November 29, 2012","City of Berkeley, Privacy Manager Breach","Berkeley","California","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","37.871593","-122.272747" "November 29, 2012","ADPI-West","","California","PHYS","MED","1,500","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "November 30, 2012","Landmark Medical Center","","Rhode Island","PHYS","MED","683","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "November 30, 2012","University of Virginia Medical Center","","Virginia","PHYS","MED","1,846","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 7, 2012","Carolinas Medical Center - Randolph","","North Carolina","HACK","MED","5,600","The covered entity (CE), Carolina’s Medical Center, discovered that a physician had responded to a phishing email and provided her password to a third party, causing all of the physician’s emails to be forwarded 
to a third party. The forwarded emails included protected health information (PHI) regarding 5,600 individuals. The PHI in the emails included names, dates of birth, medications, treatment information, social security numbers (for 5 patients), dates of service, addresses, names of providers, admission/discharge dispositions and dates, and internal medical record and account numbers. Following the breach, CE improved administrative and technical safeguards by terminating auto-forwarding capabilities and implementing an alert for remote system accesses that originate from a foreign country. The CE also trained employees on identifying social engineering schemes. OCR obtained assurances that the corrective actions were taken. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 7, 2012","Coastal Behavioral Healthcare, Inc.","","Florida","PHYS","MED","4,907","OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop. The CE indicated the four pages were likely part of a larger report and may have contained the PHI of 4,907 individuals. The PHI involved in the breach included names, social security numbers, dates of birth, and other identifiers. The CE provided breach notification to the affected individuals, HHS, and the media. Following the breach, the CE hired a cybersecurity firm to perform a network audit and to conduct a security risk assessment. 
The CE also improved safeguards by restricting physical access to its information technology department, implementing a new electronic health record system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the breach. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 10, 2012","CCS Medical, Inc.","","Texas","DISC","MED","6,601","\N Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 14, 2012","Columbia University Medical Center and NewYork-Presbyterian Hospital","","New York","PHYS","MED","4,929","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 20, 2012","Health Advantage","","Arkansas","UNKN","MED","2,863","The covered entity (CE), Health Advantage, mailed Personal Health Statements to approximately 2,863 plan members’ previous addresses due to an internal programming error. This incident affected additional patients (addressed in separate breach reports) in that the covered entity had contracted with other covered entities, BCBS of Arkansas, the State of Arkansas Department of Finance and Administration Employee Benefits Division health plan and Baptist Health System’s health plan. 
The protected health information (PHI) involved in the breach included patients’ demographic information, health insurance identification numbers, descriptions of treatment or services received, and names of treating facilities or providers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE corrected the programming error, purged outdated information from its system, and implemented new quality control procedures for mailings. As a result of OCR’s investigation, Health Advantage also revised or entered into multiple business associate agreements. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 20, 2012","Westerville Dental Center","","Ohio","PHYS","MED","850","\N Location of breached information: Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.417287","-82.907123" "December 21, 2012","OHP PHSP, Inc.","","New York","DISC","MED","28,187","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.712784","-74.005941" "December 21, 2012","Center for Orthopedic Research and Education, Inc.","","Arizona","PHYS","MED","35,488","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 23, 2012","Calif. Dept. 
of Health Care Services (DHCS)","","California","DISC","MED","2,643","The covered entity (CE), California Department of Health Care Services reported that 2,705 member identification cards were mailed to the wrong households. Due to a computer programming error in the electronic file for multiple beneficiaries living in the same household, some cards for these beneficiaries were sent to the wrong households. The types of protected health information (PHI) on the cards included names, dates of birth, genders, dates of issue, and Medi-Cal-assigned numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE put an immediate hold on additional mailings and conducted a quality assurance check. The CE deactivated the cards that were mailed to the wrong addresses, requested the return of the deactivated cards, and issued replacements. The CE implemented a new internal data transfer policy and updated related procedures. It also instituted new processes for mailings. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","36.778261","-119.417932" "December 23, 2012","Richard Switzer MD PC","","Michigan","UNKN","MED","4,100","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 26, 2012","Gibson General Hospital","","Indiana","PHYS","MED","28,893","A laptop computer containing the electronic protected health information (ePHI) of 28,893 individuals was stolen from the home of one of the covered entity’s (CE) employees during a burglary. 
The ePHI included names, addresses, telephone numbers, social security numbers, medical record numbers, plan beneficiary numbers, and clinical information. The CE, Gibson General Hospital, provided breach notification to HHS, affected individuals, and the media, as well as substitute notice. Following the breach, the CE offered one year of free credit monitoring services to affected individuals. The CE also improved safeguards by encrypting all its laptop computers. As a result of OCR’s investigation, the CE implemented new security policies and procedures related to safeguarding ePHI. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 27, 2012","Sovereign Medical Group, LLC","","New Jersey","HACK","MED","27,800","OCR opened an investigation of the covered entity (CE), Sovereign Medical Group, LLC, after it reported that its data files were corrupted and were inaccessible on its network server. The CE received a ransom note from a hacker advising that if it paid the specified amount the CE could regain access to its files. The breach affected 27,800 individuals and the types of electronic protected health information (ePHI) included demographic information, social security numbers, driver’s license numbers, insurance information, dates of services, claims information, diagnoses, and procedure codes. Upon discovering the breach, the CE filed reports with the police department, the county prosecutor’s office, and the Federal Bureau of Investigations. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring services to the affected individuals. 
As a result of the breach, the CE closed inbound communication ports to the contaminated server, deployed a web-filtering mechanism to scan and monitor all outbound traffic, and disabled all wireless networks. OCR provided the CE with technical assistance regarding the HIPAA Security Rule. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 28, 2012","HP Enterprise Services","","Kentucky","PHYS","MED","1,090","An employee of a subcontractor for the covered entity's (CE) Business Associate (BA), responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor. In violation of the subcontractor BA's policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions. The CE, through its BA, provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. The BA also offered a year of credit monitoring to those affected. In response to the incident, the subcontractor improved safeguards by initiating laptop audits to ensure PHI is not stored on them, re-trained employees, and applied employee sanctions by terminating the employee who failed to follow its policy. OCR obtained assurances that the corrective action listed above was completed. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 28, 2012","Clearpoint Design, Inc.","","Massachusetts","HACK","MED","4,343","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 31, 2012","Omnicell, Inc.","","California","PHYS","MED","56,820","An electronic medication dispensing device was stolen from the locked car of an Omnicell employee. Omnicell is a business associate (BA) of the covered entity (CE), Sentara. The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CE's patients. Breach notification was provided to HHS, the media and affected individuals. The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards. The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members. As a result of OCR's investigation, OCR obtained an executive summary of the BA's risk analysis and a copy of the CE's most recent risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "December 31, 2012","St. 
Mark's Medical Center","","Texas","HACK","MED","2,988","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2012","40.760537","-73.978890" "January 2, 2013","Group Health Incorporated","","New York","PHYS","MED","1,771","OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers. As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one year subscription for credit monitoring. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 4, 2013","Calvin Schuster,MD","","California","PHYS","MED","532","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 7, 2013","Clearpoint Design, Inc.","","Massachusetts","HACK","MED","4,125","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 8, 2013","University of Nevada School of Medicine","","Nevada","PHYS","MED","1,483","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","38.802610","-116.419389" "January 8, 2013","WorkflowOne","","Ohio","DISC","MED","635","Due to a malfunction in processing benefit confirmation statements, employee information was comingled and statements were mailed to the wrong employees and dependents. The breach included the protected health information (PHI) of 635 individuals. The PHI involved in the breach included names and social security numbers. The covered entity (CE), Dimensions Healthcare System, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its correspondence handling procedures. As a result of OCR’s investigation, the CE reviewed its business associate (BA) relationships to ensure that appropriate BA agreements were in place. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.417287","-82.907123" "January 8, 2013","SilverScript Insurance Company","","Arizona","DISC","MED","852","Letters for 852 prospective new members of the covered entity (CE), SilverScript Insurance Company Part D plan, were misdirected to incorrect addresses. SilverScript is a wholly-owned subsidiary of CVS Health, formerly CVS Caremark. The CE reported that the root cause of the incident was that the eligibility data file received from Northgate Arinso, a third party vendor of Energy Future Holdings, was inaccurate. The data file contained multiple, incorrect addresses, resulting in protected health information (PHI) being disclosed to other members. The letters contained members’ names, addresses, identification numbers, and group numbers and informed the members that such information could be taken to a pharmacy and used to process pharmacy claims. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, CVS Health implemented additional quality control measures to verify information received from third parties. OCR obtained and reviewed documentation regarding the implementation of those additional quality control measures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","34.048928","-111.093731" "January 10, 2013","Clearpoint Design, Inc.","","Massachusetts","HACK","MED","4,100","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","42.407211","-71.382437" "January 10, 2013","Pousson Family Dentistry","","Louisiana","PHYS","MED","1,400","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","30.984298","-91.962333" "January 11, 2013","Lee D. Pollan, DMD, PC","","New York","PHYS","MED","19,178","OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 11, 2013","Washington University School of Medicine","","Missouri","PHYS","MED","1,105","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 17, 2013","Riderwood Village","","Maryland","PHYS","MED","3,230","OCR opened an investigation of the covered entity (CE), Riderwood Senior Living Community, after it reported that five laptop computers (four of which were unencrypted) containing the electronic protected health information (ePHI) of 8,507 individuals were stolen from the facility's physical therapy department. The ePHI included names, dates of birth, addresses, Health plan ID numbers, and discussions of therapy treatments. Upon discovering the breach, the CE filed a police report, mailed individual notice of the breach to all current and former Riderwood residents and affected health plan members, issued a press release to seven media outlets, posted substitute notice on its website for 90 days, and reported the breach to HHS. Following this breach, the CE encrypted laptops, revised security procedures, and retrained employees. OCR obtained written assurance that the CE implemented the corrective action listed above as well as new security policies and procedures to ensure adequate safeguards of ePHI. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 18, 2013","WAYNE MEMORIAL HOSPITAL","","Pennsylvania","PHYS","MED","1,184","The covered entity (CE), Wayne Memorial Hospital, lost an unencrypted compact disk (CD) containing the electronic protected health information (ePHI) of approximately 1182 individuals in the U.S. mail. The types of ePHI involved in the breach included patients’ names, account balances and Medicare numbers (which contain social security numbers). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE attempted to locate the CD. The CE also encrypted a CD that contains similar data, to be used for the same purpose. As a result of OCR’s investigation, the CE retrained employees and evaluated ePHI maintained on computers in its most recent risk analysis. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 22, 2013","Baptist Health System","","Texas","DISC","MED","678","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 22, 2013","BlueCross BlueShield of Western New York","","New York","PHYS","MED","725","The covered entity’s (CE) business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers. Upon discovery of the breach, the BA contacted the U.S. 
Post Office regarding the undelivered mailing. The CE provided breach notification to HHS and the BA notified affected individuals. The BA revised its invoice procedures to assure the removal of social security numbers and member identification numbers, and send invoices via secure email. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 23, 2013","Stanford School of Medicine & LP Children Hosp, Privacy Manager Breach","","California","PHYS","MED","0","The covered entity (CE), Stanford School of Medicine (SOM) and Stanford Children's Hospital (SCH)(formerly Lucile Packard Children's Hospital), reported that on January 9, 2013, a SOM workforce member's password-protected laptop was stolen from the workforce member’s vehicle. The CE reported that the electronic protected health information (ePHI) stored on the laptop was unencrypted. The ePHI of approximately 56,500 individuals may have been affected by this incident. The ePHI included demographic and clinical information related to SCH patient care and SOM research. Following this incident, the CE contacted law enforcement, notified the affected individuals, offered identity protection services to the affected individuals, established a call center to assist affected individuals with questions or concerns, and submitted notification to the media and HHS. The CE reported that there was no evidence of unauthorized access to the ePHI stored on the laptop. 
As a result of the breach and OCR’s corresponding investigation, the CE sanctioned the workforce member for violating HIPAA policies, and retrained workforce members on data security policies. SCH implemented enhanced administrative and technical safeguards to ensure secure email communications. The CE also initiated plans to implement an improved risk management process. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 24, 2013","The University of Texas MD Anderson Cancer Center","","Texas","PHYS","MED","29,021","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 25, 2013","Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics","","Wisconsin","PHYS","MED","2,400","The covered entity (CE), Western Wisconsin Medical Associates, discovered that, during the summer of 2012, an employee of a cleaning service used by River Falls Medical Clinic (“Clinic”) stole paper-based protected health information (PHI) of approximately 2,400 individuals, which was stored in unsecured bins for pick-up by a shredding company. The PHI involved in the breach included patients’ names and at least one of the following for each affected patient: date of birth, insurance account number, address, phone numbers, social security number, or medical number. The CE provided breach notification to HHS, the media, and affected individuals. The CE arranged for the provision of secure bins in which Clinic staff may dispose of paper PHI, developed new policies and procedures related to the disposal of PHI, and retrained relevant workforce members on the newly implemented policy and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 30, 2013","RR Donnelley (a sub-BA for UnitedHealth Group)","","Illinois","PHYS","MED","8,911","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 31, 2013","Kmart Pharmacy #7623","","Louisiana","PHYS","MED","16,988","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","30.984298","-91.962333" "February 2, 2013","Community Services NW","","Alabama","PHYS","MED","2,400","A computer was stolen from the covered entity’s (CE) locked medical office. The computer contained the protected health information (PHI) of approximately 2,400 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and clinician information. Following the breach, the CE encrypted all PHI in transit as well as at rest, upgraded their facility access controls, and updated their device inventory system. Additionally, OCR’s investigation resulted in the CE creating an acceptable risk analysis and risk management plan. The entity also contracted with a third party to overhaul their privacy and security policies and procedures. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","32.318231","-86.902298" "February 4, 2013","LifeGas","","Georgia","PHYS","MED","1,103","On October 11, 2012, an employee of LifeGas, a business associate (BA) of the covered entity (CE), American Home Patient Inc., lost or misplaced an unencrypted laptop computer containing the electronic protected health information (ePHI) of 1,103 of the CE’s clients across 13 states. The ePHI stored in the laptop included patients’ names, addresses, and an indicator showing that the patient received oxygen supplies. The CE determined that a thumb drive that was misplaced in the same incident did not contain PHI. The CE conducted an internal investigation, and provided breach notification to HHS and affected individuals. In addition, the CE negotiated a new agreement with the BA, including stringent provisions regarding the timeframes allowed for future breach notifications. OCR obtained assurances the CE completed the corrective actions listed. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 6, 2013","Yadkinville Chiropractic DCPA","","North Carolina","PHYS","MED","1,000","On February 1, 2013, the back door to the covered entity’s (CE) facility was pried open and its unencrypted desktop computer was stolen. Due to the theft, the protected health information (PHI) of 1,000 individuals was potentially exposed, including names, dates of birth, and social security numbers. The CE provided timely breach notification to HHS, affected individuals, and the media, and posted substitute notice in the lobby of its facility. 
In response to the breach, the CE replaced the back door, upgraded its security system, and installed cameras. The CE updated its billing software and on October 30, 2014, the CE was sold and effectively ceased operations. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 7, 2013","Intervention Services, Inc.","","Florida","PHYS","MED","1,200","A laptop from the covered entity (CE), Intervention Services, was stolen from a workforce member’s vehicle. The electronic protected health information (ePHI) on the laptop included patient names, dates of birth, Medicaid numbers, and the names of the patients’ funding source for approximately 1,200 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 11, 2013","West Georgia Ambulance","","Georgia","PHYS","MED","500","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 12, 2013","Center for Pain Management, LLC","","Maryland","PHYS","MED","5,822","Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management. 
The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals. The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches. Identity Force mailed notification letters to all affected individuals and provided identity theft insurance and credit monitoring services for one year. The CE also posted the breach notification on its website and notified the media. The CE engaged the services of an information technology firm to update its devices and computer network. OCR obtained assurances that the corrective action listed above was completed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 12, 2013","Coast Healthcare Management, LLC","","California","PHYS","MED","1,368","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 12, 2013","Froedtert Health","","Wisconsin","DISC","MED","43,549","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 13, 2013","Jackson Health System","","Florida","UNKN","MED","566","Federal law enforcement notified the covered entity (CE), Jackson Health System, on March 21, 2012, that a volunteer at Jackson North Medical Center photographed paper documents containing the protected health information (PHI) of 566 patients, allegedly for use in an identity theft scheme. The type of PHI involved in the breach included patients’ names, social security numbers, addresses, and birthdates. 
The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. It also offered one year of free credit monitoring. In response to the incident, the CE revised its HIPAA policies and procedures. The CE updated its volunteer program to prohibit the use of smartphones in patient care areas, require volunteers to agree in writing to conform to its privacy policies and procedures, and provide nursing staff with a list of volunteers’ permitted job duties. The CE also changed the leadership of the volunteer program and increased the supervision of the volunteers. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 14, 2013","Kindred Transitional Care and Rehabilitation - Marl","","Massachusetts","PHYS","MED","716","Backup tapes containing the protected health information (PHI) of 716 individuals were stolen from the covered entity (CE), Kindred Transitional Care and Rehabilitation – Marlborough, during the theft of the safe where the tapes were stored. The types of PHI involved in the breach included patients’ names, diagnoses, social security numbers, medications and Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its process for encrypting backup tapes. Additionally, as a result of OCR’s investigation the CE stopped using tapes to backup information at individual sites. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 14, 2013","HomeCare of Mid-Missouri, Inc.","","Missouri","PHYS","MED","4,027","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 15, 2013","Heyman HospiceCare at Floyd","","Georgia","PHYS","MED","1,819","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","32.165622","-82.900075" "February 17, 2013","ABQ HealthPartners","","New Mexico","PHYS","MED","778","A laptop computer was stolen from the covered entity (CE), ABQ Health Partners. The laptop contained the electronic protected health information (ePHI) of approximately 778 patients, although the CE was unable to conclusively determine which patients’ names were still on the laptop. The ePHI involved in the breach included names, dates of birth, age, sex, referring physicians’ names, and raw numeric test data of less than 778 individuals. Following the breach, the CE encrypted ePHI stored on laptops and tablet computers. As a result of OCR’s investigation, the CE obtained more information about the outdated system which held the ePHI. In addition, the CE provided OCR with a copy of their IT Security Policy in which the CE focused on compliance with the HIPAA Security Rule and HITECH Act requirements. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 18, 2013","Terrell County Health Department","","Georgia","DISC","MED","18,000","On December 6, 2012, the Dawson Police Department notified the covered entity (CE), Terrell County Health Department, that an employee was suspected of the identity theft of at least two of the CE’s patients. All patients that the employee had access to records for during her employment were potentially affected, totaling 18,000 individuals. The protected health information (PHI) involved in the breach included demographic, clinical, financial, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media. The CE terminated the offending employee and re-educated the workforce on its HIPAA policies. The CE also improved its HIPAA training materials, risk analysis procedure, operation software, and auditing methods. OCR obtained assurances that the corrective actions were taken. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","32.165622","-82.900075" "February 19, 2013","Florida Healthy Kids Corporation","","Florida","DISC","MED","3,667","A vendor, OneTouchPoint CCI, incorrectly printed and mailed 3,667 identification cards for the business associate (BA), DentaQuest of Florida. The types of protected health information (PHI) involved in the breach included names, identification numbers, and dates of coverage. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE re-programmed the software to compare names and addresses, and conducted quality assurance tests to ensure accuracy. 
The BA re-issued identification cards and provided self-addressed, stamped envelopes and requested that the members return the previously sent cards. OCR reviewed copies of the CE’s policies and procedures related to the incident. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","27.664827","-81.515754" "February 20, 2013","Catoctin Dental/Richard B. Love, D.D.S., P.A.","Thurmont","Maryland","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","39.623709","-77.410820" "February 21, 2013","Stronghold Counseling Services, Inc.","","South Dakota","PHYS","MED","8,500","OCR opened an investigation of the covered entity (CE), Stronghold Counseling Services, after it reported that a desktop computer was missing from its facility. The computer contained protected health information (PHI) on appointments, client insurance, payments, and demographics, including social security numbers, as well as some client letters and reports. The breach affected 8,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its procedures for encryption and implemented a risk analysis/risk management process. OCR provided technical assistance to the CE regarding the risk analysis and risk management requirements of the Security Rule and the requirements of the Breach Notification Rule. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 21, 2013","Arizona Oncology","","Arizona","PHYS","MED","501","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 22, 2013","Crescent Health Inc. - a Walgreens Company","","California","PHYS","MED","109,000","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 25, 2013","County of San Bernardino, Department of Behavioral Health","","California","PHYS","MED","686","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "February 27, 2013","WOMENS HEALTH ENTERPRISE, INC.","","Georgia","PHYS","MED","3,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 1, 2013","Standard Register","","Ohio","PHYS","MED","2,261","OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 1, 2013","Health Plus Amerigroup","","New York","PHYS","MED","28,187","The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues. Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 1, 2013","Plexus Group","","Illinois","DISC","MED","500","Prime Therapeutics, a business associate (BA) and pharmacy benefit manager for the covered entity (CE), Ultra Stores, Inc.’s health plan, electronically submitted a file containing the eligibility information for plan members to the Illinois Department of Healthcare and Family Services (IDHFS), as required by law for Medicaid subrogation. Due to a system error during the file generation process, the electronic protected health information (ePHI) of at least 500 plan members who do not reside in Illinois were also included in the file. The ePHI in the mailing included full names, social security numbers, dates of birth, and home addresses. During the investigation, OCR learned that Signet Jewelers had acquired Ultra and, consequently, Ultra’s health plan no longer exists. 
Additionally, Sterling Jewelers (Sterling), a business unit of Signet, informed OCR that it believes that Ultra had erroneously reported the September 13, 2012 incident to OCR, as Prime had conducted a risk assessment and had determined that the incident was not a breach, as the file in issue was not accessed or viewed by anyone at IDHFS. OCR obtained and reviewed documentation indicating that, in response to the incident, the BA obtained confirmation from IDHFS that it destroyed the file and that it did not further disclose the file. The BA also corrected the system error and implemented changes to the file generation process to prevent the same error from recurring. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 2, 2013","South Miami Hospital","","Florida","DISC","MED","834","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 4, 2013","Lancaster General Medical Group","","Pennsylvania","PHYS","MED","527","A spreadsheet containing the protected health information (PHI) of 527 individuals was stolen from one of the covered entity's (CE) locations. The PHI involved in the breach included names and dates of birth. Following the breach, the CE notified the local police, provided breach notification to HHS, the media, and the affected individuals, and offered identity protection services to the individuals. The CE attempted to retrieve the PHI. As a result of OCR's investigation, the CE reviewed its policies to prevent a similar incident from occurring in the future. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 4, 2013","Maine Medical Center","","Maine","UNKN","MED","1,920","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","45.253783","-69.445469" "March 4, 2013","North Los Angeles County Regional Center ","","California","PHYS","MED","18,162","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","36.778261","-119.417932" "March 6, 2013","Goold Health System (Goold)","","Massachusetts","PHYS","MED","6,332","An employee of the covered entity’s business associate (BA) lost a portable thumb drive containing the electronic protected health information (ePHI) of over 6,000 individuals. The ePHI included demographic information, Medicaid identification numbers, and prescription information. The covered entity (CE), Utah Department of Health, provided breach notification to HHS, affected individuals, and the media. The CE took corrective action to mitigate the situation and implemented a new agreement with its BA to include additional security measures. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. OCR opened a separate investigation of the BA. 
Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 6, 2013","Sports Rehabilitation Consultants","","Ohio","PHYS","MED","1,200","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.417287","-82.907123" "March 8, 2013","University of Connecticut Health Center","","Connecticut","DISC","MED","1,382","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 9, 2013","United HomeCare Services, Inc.","","Florida","PHYS","MED","12,299","On January 8, 2013, an employee’s unencrypted laptop (owned by the covered entity (CE), United HomeCare Services, Inc.,) was stolen from her locked vehicle. The laptop contained demographic data, including names, dates of birth, addresses, and social security numbers, as well as clinical and health insurance information affecting 12,299 patients of the CE and 1,318 clients of its subsidiary, United Home Care Services of Southwest Florida, LLC. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE encrypted its portable devices and provided specialized training to its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. The employee at fault was suspended without pay for 5 days and resigned shortly thereafter. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 12, 2013","Patterson Dental Supply/Patterson Companies","","Minnesota","HACK","MED","6,400","An unknown individual hacked into the covered entity’s (CE) server which contained the electronic protected health information (ePHI) of approximately 6,400 individuals. The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, payment information, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by installing a new firewall and filtering technology. Additionally, OCR’s investigation resulted in the CE retraining its employees. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 14, 2013","Connextions c/o Anthem BCBS","","Indiana","PHYS","MED","1,678","From November 11, 2011 through October 1, 2012, an employee of the covered entity’s (CE) business associate (BA), Connextions, improperly accessed the protected health information (PHI) of the CE's Medicare members, and the employee may have disclosed their social security numbers to a third party. This breach affected approximately 528 Indiana members. The PHI involved in the breach included demographic information and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the BA completed a security risk assessment, phased out the call center where the at-fault employee worked, and engaged in an independent, external audit. 
OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE and BA implemented corrective actions in this matter. In addition, the involved individual’s employment was terminated. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 15, 2013","Mount Sinai Medical Center","","Florida","PHYS","MED","628","\N Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 15, 2013","Thomas L. Davis, Jr. DDS","","Oregon","PHYS","MED","3,269","\N Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 20, 2013","HealthCare for Women, Inc.","","Massachusetts","HACK","MED","8,727","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 21, 2013","University of Mississippi Medical Center","","Mississippi","PHYS","MED","500","The University of Mississippi Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. 
During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a resolution amount of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” said OCR Director Jocelyn Samuels. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC's investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. 
Further, OCR’s investigation revealed that UMMC failed to: • implement its policies and procedures to prevent, detect, contain, and correct security violations; • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users; • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach. University of Mississippi is the state’s sole public academic health science center with education and research functions. In addition it provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 22, 2013","Granger Medical Clinic","","Utah","PHYS","MED","2,600","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "March 22, 2013","Texas Tech University Health Sciences Center","","Texas","DISC","MED","697","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","31.968599","-99.901813" "March 26, 2013","Oregon Health & Science University","Portland","Oregon","PHYS","MED","0","Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. 
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.” OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","45.523062","-122.676482" "March 29, 2013","Rite Aid #10217","","Rhode Island","UNKN","MED","2,082","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","41.580095","-71.477429" "March 29, 2013","Sunil Kakar, Psy.D.","","Washington","PHYS","MED","629","On February 4, 2013, a personal laptop computer used to store medical reports and information about the covered entity’s (CE) clients was lost by, or stolen from, a provider formerly contracted by the CE. The computer's hard drive was wiped before it could be determined what information it contained, but the CE treated it as a breach affecting 629 individuals. The protected health information (PHI) involved in the breach may have included names, dates of birth, social security numbers, and clinical information, such as diagnoses or conditions. 
Following the breach, the CE updated contract language with business associates and contractors to include data security requirements and additional physical controls, as well as a self-assessment tool and monitoring plan. The CE added provisions to require contracted providers to provide proof of annual completion of a self-assessment tool and verification of encryption software use. OCR provided technical assistance on the Security Rule requirements and obtained assurances that breach notification was provided in accordance with the Breach Notification Rule requirements. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","47.751074","-120.740139" "March 29, 2013","QuickRunner, Inc. (dba, RoadRunner Mailing Services)","","California","DISC","MED","2,400","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 2, 2013","Shands Jacksonville Medical Center, Inc.","","Florida","PHYS","MED","1,025","A clinical intern at the covered entity (CE), University of Florida Health Jacksonville (UFHJ) (formerly Shands Jacksonville Medical Center), took photographs of protected health information (PHI) and emailed the PHI to an unauthorized third person for the purpose of filing fraudulent tax returns. The PHI included the names, addresses, social security numbers, dates of birth, and treatment information of 1,025 individuals. Law enforcement agencies that learned of the breach informed the CE and requested delays of breach notification. The CE later provided breach notification to affected individuals, HHS, and the media, and offered affected individuals one year of free identity theft protection. 
Following the breach, the CE sanctioned two workforce members who had allowed the intern, who was no longer at the CE, to use their credentials to access the electronic medical records in violation of its policies. The CE also retrained workforce members on its privacy policies; increased access restrictions to social security numbers; and ended its clinic-based internships. OCR provided technical assistance and obtained assurances of the CE's plan to update its breach notification policies and procedures. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 3, 2013","University of Florida","","Florida","DISC","MED","14,519","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 3, 2013","Kmart Corporation","","Illinois","PHYS","MED","12,542","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 4, 2013","PORTAL HEALTHCARE SOLUTIONS LLC","","Virginia","PHYS","MED","2,360","The covered entity's (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors' notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. 
As a result of OCR's investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE's ePHI. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 4, 2013","Hospice and Palliative Care Center of Alamance Caswell","","North Carolina","PHYS","MED","5,370","\N Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 5, 2013","Texas Health Care, P.L.L.C.","","Texas","PHYS","MED","554","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 5, 2013","TMG Health ","","Pennsylvania","DISC","MED","3,794","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 10, 2013","Wm. Jennings Bryan Dorn VAMC","","South Carolina","PHYS","MED","7,405","On February 11, 2013, a laptop was stolen from the William Jennings Bryan Dorn VAMC’s Pulmonary Testing Unit. The laptop contained the protected health information (PHI) of approximately 7,405 individuals, including names, dates of birth, and clinical information. The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, and issued substitute notice by placing a notice on its website. It also offered credit monitoring, including identity theft protection for one year. 
The CE opened a report with the VA police and VA Office of Inspector General (OIG). To prevent future occurrences, the CE improved physical safeguards for all laptops attached to medical testing devices. Additionally, procedures were implemented for secure storage and removal of all personally identifiable information from such medical devices. OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 11, 2013","John J. Pershing VA Medical Center","","Missouri","PHYS","MED","589","OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. Substitute notification was provided through a posting on the CE's main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 11, 2013","Oregon Health & Science University","","Oregon","PHYS","MED","1,076","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 12, 2013","Schneck Medical Center","","Indiana","DISC","MED","3,131","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 17, 2013","The Guidance Center of Westchester","","New York","PHYS","MED","1,416","On February 22, 2013, a CPU that contained the protected health information (PHI) of 1,416 individuals was stolen from the covered entity (CE), Guidance Center of Westchester. The types of PHI involved in the breach included the individuals’ names, dates of birth, dates of admittance, insurance carriers’ names, home addresses, diagnoses, outpatient treatment authorization requests, social security numbers, treating physicians’ names, case numbers and other identifiable information. Upon discovering the breach, the CE filed a police report and notified the New York State Attorney General’s Office, New York State Office of Cyber Security, New York State Department of State Division of Consumer Protection and the Connecticut Attorney General’s Office. The CE provided breach notification to HHS, affected individuals, and the media and offered one year of free credit monitoring services to affected individuals. As a result of the breach, the CE encrypted all of its desktop and laptop computers and disabled the use of portable devices with a Universal Serial Bus (USB) connection. 
The CE initiated plans to relocate two of its offices to buildings with security cameras and to install security cameras at another location. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 25, 2013","Hope Hospice","","Texas","UNKN","MED","818","An email containing electronic protected health information (ePHI) was sent from a work email address to a home email address by a workforce member of the covered entity (CE), Hope Hospice. The ePHI in the email contained the names, referral sources, admission dates, and health insurers of approximately 818 individuals. Upon discovering the breach, the CE implemented sanctions against the involved workforce member. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 26, 2013","IHC Health Services, Inc. dba Intermountain Life Flight","","Utah","DISC","MED","857","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 26, 2013","Valley Mental Health","","Utah","PHYS","MED","700","On February 27, 2013, Valley Mental Health, the covered entity (CE), discovered that a computer hard drive had been stolen from one of its facilities. The computer was located in a common area and available for use by members. 
The hard drive contained protected health information (PHI)—members' names, diagnostic and treatment information, financial records, media release forms, members' photographs, activity sign-up sheets, and resumes—for approximately 700 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach and during OCR’s investigation, the CE posted signs reminding members that information stored on shared computers is not confidential, encrypted hard drives, and stored PHI in locked offices and locked file cabinets. OCR obtained assurances that the CE implemented the corrective actions listed above, and OCR provided the CE with technical assistance regarding its Security Rule obligations. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 29, 2013","ZDI","","California","PHYS","MED","14,829","This case, along with two companion cases, involved data lost due to damage and/or opening of priority mail during processing and transit through the United States Post Office. In this case, potentially 15,000 individuals may have been affected. The types of protected health information (PHI) involved in the breach included names, social security numbers, group names, and group numbers. The data was not recovered. The covered entity (CE), Delta Dental, provided breach notification to HHS, affected individuals, and the media. It also took immediate and appropriate steps to mitigate potential damages to individuals and to reduce the likelihood of recurrence. From December 2013 to case closure in September 2015, no further incidents occurred, and OCR determined that the CE’s corrective actions were effective. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "April 30, 2013","Raleigh Orthopaedic Clinic","","North Carolina","DISC","MED","17,300","Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure. Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI). “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). 
“It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 1, 2013","Laboratory Corporation of America","","North Carolina","PHYS","MED","1,580","A desktop computer tagged for destruction was stolen after hours from a facility of the covered entity (CE), Laboratory Corporation of America (LabCorp). The computer contained the electronic protected health information (ePHI) of approximately 1,580 individuals, including clinical and demographic information, such as diagnoses, names, social security numbers, and dates of birth. The CE provided breach notification to HHS and affected individuals. The CE also notified law enforcement and initiated an internal investigation. In coordination with OCR’s investigation, the CE retrained its employees, changed the storage location of mobile devices and computers, and updated the encryption for its desktop computers. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 1, 2013","Arizona Counseling & Treatment Services, LLC","","Arizona","PHYS","MED","3,800","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 3, 2013","Wood County Hospital","","Ohio","PHYS","MED","2,500","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 6, 2013","University of Rochester Medical Center & Affiliates","","New York","PHYS","MED","537","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 7, 2013","AssuranceMD f/k/a Harbor Group","","Pennsylvania","PHYS","MED","22,000","An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brooker's business associate, AssuranceMD, and a subcontracted electronic medical records storage company. The ePHI involved in the breach included patients' names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers. Dr. Brooker provided breach notification to HHS and affected individuals. Following the breach he updated his HIPAA policies and procedures. OCR obtained assurances that the corrective action steps listed above were completed. 
Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice. Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 7, 2013","Digital Archive Management","","Texas","PHYS","MED","189,489","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 7, 2013","Seattle - King County Department of Public Health","","Washington","PHYS","MED","750","The covered entity (CE), Public Health, Seattle & King County, discovered that the protected health information (PHI) of 450 to 750 clients was inadvertently disposed of improperly by being put in the regular recycling. The PHI involved in the breach included treatment or medical condition information, and may have included the social security numbers of five individuals. The CE provided breach notification to HHS, the media, and 2,300 individuals who had an appointment at the subject clinic during the four weeks prior to the incident. It also provided substitute notification. The CE improved safeguards by updating its PHI disposal policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made, that corrective actions steps were taken, and required that the CE retrain all staff on its revised disposal policy. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 7, 2013","Regional Medical Center","","Tennessee","DISC","MED","1,180","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 8, 2013","E-dreamz, Inc.","","North Carolina","HACK","MED","9,988","The credit card information of 9,988 patients of the covered entity (CE), Presbyterian Anesthesia Associates, P.A. (now known as Providence Anesthesia Associates, P.A.), was compromised when an unauthorized person gained access to the servers of E-dreamz, the CE’s website hosting business associate (BA). The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information. The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. The CE also notified the FBI, North Carolina’s Attorney General, and all major credit card companies. In response to the breach, the CE hired an outside forensic computer specialist to investigate. Additionally, the CE terminated its service agreement with the BA and entered into a satisfactory BA agreement with a new website hosting vendor. The BA agreement prohibits storage of any PHI on the vendor’s servers. The CE also reviewed and updated its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 8, 2013","North Atlantic Telecom, Inc.","","Tennessee","UNKN","MED","539","\N Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 10, 2013","E-dreamz, Inc.","","North Carolina","HACK","MED","1,924","On April 19, 2013, the credit card information of 1,924 patients of the covered entity (CE), Piedmont HealthCare, P.A., was compromised via a breach of a website hosted by one of the CE’s vendors, E-dreamz. An unauthorized person gained access to E-dreamz’s servers and obtained payment information of the CE’s patients. The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information. The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. Following the breach, the CE terminated its agreement with E-dreamz and entered into a business associate (BA) agreement with a new website hosting vendor. The CE also initiated legal proceedings against E-dreamz regarding its breach of contract for storing credit card information on its server and other issues related to this incident. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 13, 2013","Indiana University Health Arnett","","Indiana","PHYS","MED","10,350","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 14, 2013","Dent Neurologic Institute","","New York","DISC","MED","10,000","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 20, 2013","City of Norwood","","Ohio","PHYS","MED","9,577","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 20, 2013","Lutheran Social Services of South Central Pennsylvania","","Pennsylvania","HACK","MED","7,803","This case involved a hacking incident on the covered entity’s (CE) network server. A Trojan virus was discovered running under an administrative account on a remote access server. No data loss was actually discovered, but potentially 7,300 records may have been vulnerable. The types of protected health information (PHI) potentially breached included demographic, financial, and clinical information. The CE engaged a forensic consulting team to verify the scope and impact of the malware and to clean the system. The CE installed more effective virus detection software, trained and educated users regarding data security, and made adjustments to data storage policies. OCR confirmed that the CE took all appropriate corrective action. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 20, 2013","Just the Connection Inc","","Indiana","PHYS","MED","5,388","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 21, 2013","Erskine Family Dentistry","","Indiana","HACK","MED","2,723","An email was opened on an Erskine Family Dentistry computer that contained a virus; it affected the computers which stored the protected health information (PHI) of 2,723 individuals. The types of PHI involved in the breach included patients’ names, addresses, dates of birth, social security numbers, credit card numbers, claims information, and treatment information. The covered entity (CE) investigated and ensured that the virus did not penetrate any of its programming containing PHI. The CE also ensured that it was only storing PHI in its encrypted programs, installed a new antivirus tool, and assured that every potentially affected computer was examined and wiped of the virus. The CE provided breach notification to HHS, the media, and affected individuals. The CE also retrained staff. OCR obtained written documentation that the CE implemented the corrective actions listed. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 23, 2013","Health Resources of Arkansas","","Arkansas","PHYS","MED","1,900","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 24, 2013","SynerMed / Inland Valleys IPA","","California","PHYS","MED","3,164","On April 14, 2013, a SynerMed employee’s laptop computer was stolen out of her vehicle while parked in front of her home. The laptop contained the protected health information (PHI) of 3,164 individuals, and included patients’ names, member identification, dates of service, reasons for visits, and procedure codes. The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to this incident, the CE improved physical security, encrypted all computers, counseled the employee involved, and trained staff. It also reviewed its policies and implemented an encryption policy. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 24, 2013","Independence Care System","","New York","PHYS","MED","2,434","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 24, 2013","Sonoma Valley Hospital","","California","UNKN","MED","1,386","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 29, 2013","Bon Secours Mary Immaculate Hospital","","Virginia","PHYS","MED","5,764","The covered entity (CE), Bon Secours Health System, discovered that two Certified Nursing Assistants (CNAs) impermissibly electronically accessed the medical records of approximately 5,764 patients during the prior 12 months. The protected health information (PHI) contained in the breach included patients' names, social security numbers, dates of birth, addresses, clinical information, and other identifiers. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE conducted a full investigation, sanctioned the two CNAs, revoked their access to the electronic medical record system and subsequently terminated both employees for their actions. Following the CE's reports to law enforcement and the state department of health professions, the two former employees plead guilty to Federal misdemeanor charges and had their professional certifications revoked. OCR reviewed the CE's most recent risk assessment and confirmed that all identified risks are to be addressed by December 2014 according to the CE's Risk Management Plan. 
As a result of OCR's investigation, the CE pursued prosecution of the CNAs and provided credit monitoring services to the affected individuals. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "May 30, 2013","University of Florida","","Florida","PHYS","MED","5,875","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 3, 2013","Community Support Services, Inc.","","Ohio","PHYS","MED","1,167","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 5, 2013","UMASSAmherst","","Massachusetts","HACK","MED","1,670","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 11, 2013","Palm Beach County Health Department","","Florida","DISC","MED","877","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 13, 2013","Lucile Packard Childrens Hospital, Privacy Manager Breach","","California","PHYS","MED","12,900","The covered entity (CE), Stanford School of Medicine (SOM) and Stanford Children's Hospital (SCH)(formerly Lucile Packard Children's Hospital), reported that on May 8, 2013, a workforce member’s laptop was stolen from a badge-access controlled area of the hospital. 
SCH employed the workforce member; however, SOM owned and managed the laptop. The laptop was password-protected, but not encrypted. The electronic protected health information (ePHI) of approximately 12,900 individuals may have been affected by this breach. The type of ePHI involved included clinical and demographic information. The CE reported the theft to law enforcement, notified the affected individuals, offered identity protection services at no cost to the affected individuals, established a toll-free call center to assist affected individuals with questions or concerns, and submitted notification to the media and HHS. Following the breach and OCR’s corresponding investigation, the CE sanctioned the workforce member for violating its HIPAA policies, ensured that SOM’s devices were encrypted and compliant with data security policies, and restricted SCH users’ ability to download attachments to unencrypted devices. The CE also initiated plans to implement an improved risk management process. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 14, 2013","Fayetteville VAMC","","North Carolina","PHYS","MED","1,093","The covered entity (CE), Fayetteville VA Medical Clinic Optical Shop, impermissibly disclosed the protected health information (PHI) of approximately 1,094 individuals by placing consultation reports in the recycling bin rather than the shred bin from January to April 2013. The PHI involved in the breach included patients’ names, social security numbers, birthdates, addresses, and phone numbers. The CE provided breach notification to HHS, the media, and all potentially affected patients and also offered credit monitoring. The CE investigated the incident, removed and shredded all identified documents from the recycle bin, and provided a document shredder on-site. 
Additionally, the CE retrained employees regarding security and disposal methods for documents containing PHI. Moreover, the responsible staff member was sanctioned according to the CE’s policy. OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 14, 2013","Lincoln County Health and Human Services/Lincoln Community Health Center","","Oregon","DISC","MED","959","The covered entity’s (CE) locked building was burglarized and a locked medical chart room containing protected health information (PHI) in paper form was broken into and accessed by an unknown person(s). No PHI was removed and forensics determined there were no attempts to access electronic PHI on the CE’s computers. The medical charts potentially accessed included names, dates of birth, addresses, social security numbers, financial information, medications, treatment information, and lab results for 956 individuals. The CE improved physical safeguards by repairing or replacing the broken locks and adding a security camera. OCR’s investigation confirmed that the appropriate breach notifications were made and that corrective actions steps were taken. OCR also required the CE to update its breach notification policies and procedures, and retrain its staff on its revised policies. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 17, 2013","Union Security Insurance Company","","Missouri","PHYS","MED","1,127","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 17, 2013","Gulf Breeze Family Eyecare, Inc","","Florida","PHYS","MED","9,626","\N Location of breached information: Desktop Computer, Electronic Medical Record, Email, Network Server, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 24, 2013","Jacksonville Spine Center","","Florida","PHYS","MED","5,200","The covered entity (CE), Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error. The mailing resulted in some individuals receiving correspondence with another patient's name on the envelope. The only PHI involved in the breach was patients' names. The CE provided breach notification to HHS, the media and affected individuals. The notice to individuals requested that patients either return the envelope to the CE or destroy the envelope. As a result of this incident, the CE issued a written warning to the responsible workforce member pursuant to the CE's sanction policy. Moreover, the CE implemented additional safeguards including the checking of data file integrity prior to sending mailings. OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 26, 2013","Iowa Department of Human Services","","Iowa","PHYS","MED","7,335","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 26, 2013","James A. Fosnaugh","","Nebraska","PHYS","MED","2,125","OCR opened an investigation of the covered entity (CE), Dr. James A. Fosnaugh, after he reported that the computer chip in his thumb drive had fallen out of its casing at some point in May 2013. The thumb-drive contained the names, dates of birth, addresses, phone numbers, and in some cases, names of family members listed on family medical histories. The incident affected approximately 2,125 of the CE’s patients. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE established a team responsible for identifying security issues as they arise. The CE also retrained employees on its policies and procedures regarding the Privacy and Security Rules. As a result of OCR’s investigation, the CE completed a risk analysis to ensure adequate safeguards of electronic protected health information. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 28, 2013","Lone Star Circle of Care","","Texas","PHYS","MED","1,955","On June 28, 2013, the covered entity (CE), Lone Star Circle of Care, reported a breach when a work force member’s car was broken into and an unencrypted, password-protected laptop computer was stolen. 
The protected health information (PHI) involved in the breach included the financial and clinical information of 1,955 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE encrypted all of its laptops and revised its policies for storing PHI on hard drives and other mobile devices. Additionally, the CE retrained staff on its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "June 28, 2013","Alberto Gerardo Vazquez Rivera","","Puerto Rico","PHYS","MED","679","An encrypted laptop computer was stolen from an AFLAC associate's vehicle in Puerto Rico. The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses. The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media. The responsible workforce member was sanctioned. OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 1, 2013","RCR Technology Corporation","","Indiana","UNKN","MED","187,533","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 2, 2013","CVS Caremark","","Arizona","PHYS","MED","4,305","Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media. Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 2, 2013","Health Net, Inc.","","California","UNKN","MED","8,331","The covered entity, Health Net, Inc. (HN), erroneously mailed identification cards for 8,331 members to their former addresses due to a system error by its contractor, Cognizant Technology Services. HN also acts as a business associate for some other covered entities. The types of protected health information (PHI) included demographic information, such as members’ names. HN provided breach notification to HHS, affected individuals, and the media. 
Following the breach, HN uncovered and corrected the programming error and developed and implemented a new program to help ensure that the syncing of beneficiary addresses between specific enrollment files and HN’s master address file is accurate. OCR provided technical assistance regarding security risk analysis and determined that HN must conduct an enterprise-wide security risk analysis. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 3, 2013","South Florida Neurology Associates, P.A.","","Florida","PHYS","MED","900","A laptop computer was stolen after hours from a lab of the covered entity (CE), South Florida Neurology Associates. The laptop contained the protected health information (PHI) of approximately 900 patients and contained demographic and clinical information, including patients’ names, dates of birth, and diagnoses. The CE notified law enforcement which initiated an investigation. Additionally, the CE provided breach notification to HHS, the affected individuals, and the media, and posted substitute notice on its website. The CE improved physical safeguards and improved administrative safeguards by imposing more restrictive access policies for the lab. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 3, 2013","Samaritan Regional Health System","","Ohio","PHYS","MED","2,203","The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. 
The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 5, 2013","MED-EL Corporation","","North Carolina","UNKN","MED","609","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 5, 2013","Sutter Health East Bay Region","","California","DISC","MED","4,479","The Alameda County Sheriff’s office found a list of protected health information (PHI) belonging to 4,491 individuals during an unrelated investigation and provided it to the covered entity (CE), Sutter Health East Bay Region. The list contained demographic information such as names, addresses, dates of birth, social security numbers, and other identifiers. The CE determined that the PHI was stolen by a workforce member of its business associate (BA). The PHI belonged to patients of the following CE hospitals: Alta Bates Summit Medical Center, Sutter Delta Medical Center, and Eden Medical Center. The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring. Following the breach, the CE conducted an internal forensics investigation, hired an external forensics firm, and fully implemented data loss prevention technology. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Additionally, the workforce member responsible for the breach is no longer employed by the BA. Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 8, 2013","Family Health Network","","Illinois","UNKN","MED","3,133","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 10, 2013","Children's Medical Center of Dallas","","Texas","PHYS","MED","2,462","Lack of timely action risks security and costs money. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty against Children’s Medical Center of Dallas (Children’s) based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instruction for how Children’s could file a request for a hearing. Children’s did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children's paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric health care provider in the nation. On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. 
On July 5, 2013, Children's filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children's reported the device contained the ePHI of 2,462 individuals. Although Children's implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce not authorized to access ePHI. OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013. Despite Children's knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013. “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.” The Notice of Proposed Determination and Notice of Final Determination may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem... 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 10, 2013","Medtronic, Inc.","","Minnesota","PHYS","MED","2,764","The covered entity (CE), Medtronic, misplaced a box of paper records containing the protected health information (PHI) of approximately 2,764 individuals. The box contained patient pump training records, including a checklist of training received, patients' names, device serial numbers, phone numbers, and, in some cases, email addresses. Some of the records may also have included social security numbers, medical necessity forms, physician orders, and copies of documents from one patient's medical record. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved safeguards by redesigning its records tracking procedures and installing software with additional box tracking capabilities. OCR obtained assurances that the CE implemented the corrective action listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 11, 2013","Shred-it International Inc.","","Texas","PHYS","MED","277,014","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 11, 2013","Long Beach Memorial Medical Center","","California","DISC","MED","2,864","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 15, 2013","Hansen and Associates","","Wyoming","DISC","MED","2,700","Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 15, 2013","Sheet Metal Local 36 Welfare Fund","","Missouri","DISC","MED","4,560","The covered entity (CE), Sheet Metal Local 36 Welfare Fund, reported that an employee of its business associate (BA), People Resources Corporation, inadvertently uploaded Excel spreadsheets containing the CE’s Member Assistance Program (MAP) eligibility data onto an unsecure website maintained by the BA. An unknown individual or entity believed to be in China uploaded the data to two additional websites. In addition, two other websites contained links to the BA’s unsecure website. The spreadsheets contained the names, addresses, dates of birth, and social security numbers of 4,560 members (but not dependents). The BA was purchased by E4 Health, Inc. in September 2013. The CE provided breach notification to HHS, affected individuals, and the media. 
The BA immediately removed the protected health information (PHI) from the unsecure website, confirmed that the PHI was no longer available on its websites or through internet search engines, and confirmed that only one spreadsheet was accessed by unauthorized parties and the other spreadsheets had not been viewed or compromised. The BA adopted additional protections to prevent future unauthorized disclosures (including management level review of any documents posted to its websites). Additionally, the CE met with each of its vendors to review the vendors’ security procedures and protocols and instituted a review program, as well as reviewed its own internal procedures. OCR obtained assurances that the CE and BA implemented the corrective actions listed. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 16, 2013","Harris County","","Texas","DISC","MED","21,000","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 18, 2013","Jesle Kuizon","","California","HACK","MED","800","Between October and November of 2011, employees of San Jose Medical Supply, Inc. (SJMS) impermissibly disclosed information regarding 800 SJMS patients. The information contained on Excel spreadsheets and prescriptions contained full names, addresses, zip codes, medical conditions, diagnoses, license numbers, physicians’ contact information, and dates prescriptions were obtained. 
SJMS initiated a forensics security investigation, identified the perpetrators of the breach, determined the recipients of the information, trained employees on HIPAA regulations and patient information security procedures, and filed a lawsuit against Front Medical Supply and the individual perpetrators. SJMS provided breach notification to the California Attorney General, the Secretary of HHS, the affected individuals, and the media. SJMS enhanced computer security protection and protocols to ensure that patient information is protected from unauthorized access, sanctioned responsible workforce members, and updated policies and procedures. OCR determined that SJMS is not a covered entity. Location of breached information: Desktop Computer, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 19, 2013","GEO Care, LLC","","Florida","PHYS","MED","710","The FBI notified the covered entity (CE), GEO Care, that a GEO Care employee inappropriately accessed the patient admission reports of approximately 710 patients at South Florida State Hospital and provided them to a third party, the employee's cousin, without authorization. The employee's cousin then attempted to sell the reports for an illegal purpose. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, admission dates, discharge dates, and patients' unit names. The CE provided breach notification to HHS, the media, and posted substitute notice on its website. It also offered identity theft protection to the affected individuals. The responsible staff member was terminated according to the CE's policy and has also been criminally indicted. 
Following the breach, the CE improved safeguards by limiting the use of full social security numbers, restricting access to documents, and performing weekly audits of those workforce members who access documents with full social security numbers. Additionally, the CE updated its privacy and security policies and procedures and developed new policies and procedures. It also revised its policies for employee access to electronic PHI based on job title and function, and provided retraining to employees regarding access and disclosure of PHI. OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 20, 2013","The Brookdale Hospital and Medical Center","","New York","PHYS","MED","2,700","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 22, 2013","Louisiana State University Health Care Services Division","","Louisiana","DISC","MED","6,994","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 28, 2013","Oregon Health & Science University","","Oregon","DISC","MED","1,361","Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. 
Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. 
Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.” OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "July 31, 2013","Rocky Mountain Spine Clinic","","Colorado","DISC","MED","532","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 2, 2013","Vitreo-Retinal Medical Group, Inc. ","","California","PHYS","MED","1,837","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 5, 2013","Health Resources of Arkansas","","Arkansas","PHYS","MED","1,911","A break-in and burglary took place at the Office of Health Resources (HRA), a business associate (BA) of the covered entity (CE), the Arkansas Department of Humans Services (DHS). Two laptop computers which contained client files and the protected health information (PHI) of approximately 1,911 individuals were stolen. 
Following the breach, the CE improved physical safeguards, retrained workforce members, revised its HIPAA training for all employees on incident reporting procedures, and revised the Arkansas Business Associate Agreement (BAA) provisions on reporting breach incidents. Additionally, OCR’s investigation resulted in the CE’s development of a plan to survey its BAAs to assess HIPAA compliance and conduct on-site inspections. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 5, 2013","Baylor All Saints Medical Center at Fort Worth","","Texas","DISC","MED","940","A former employee of the covered entity (CE), Baylor All Saints Medical Center at Fort Worth, breached protected health information (PHI) via text messages forwarded from a pager of the CE. The PHI involved in the breach included the names, demographic information, patients’ bed locations in the emergency department, and ER admission notifications of approximately 940 individuals. Breach notification was provided to HHS, affected individuals, and the media. Following the breach, the CE disabled the copy forward feature on all pagers receiving messages from the pager vendor, and revised pager procedures. As a result of OCR’s investigation, the vendor’s software and paging server configuration was changed, and the CE revised its pager requisition form to reflect prohibited device settings. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 8, 2013","M2ComSys Inc.","","Nevada","DISC","MED","32,151","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 12, 2013","Young Family Medicine Inc.","","Ohio","PHYS","MED","2,045","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 12, 2013","Hancock OB/GYN","","Indiana","DISC","MED","1,396","An employee of the covered entity (CE), Hancock OB/GYN impermissibly accessed the electronic protected health information (ePHI) of 1,396 individuals without a necessary business reason to do so. The ePHI included names, dates of service, medical record numbers, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE terminated the responsible individuals’ employment. As a result of OCR’s investigation, the CE revised its policies and procedures related to safeguarding ePHI and implemented routine audits of employee access to ePHI. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 13, 2013","Anthem BCBS of GA","","Indiana","PHYS","MED","5,497","The covered entity's (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CE's business associate (BA). This breach affected approximately 5,497 individuals and included demographic information. Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals. The CE also sent a memorandum and its corrective action/sanction policy to the account manager's staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 13, 2013","InfoCrossing, Inc.","","Missouri","DISC","MED","1,357","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 15, 2013","Foundations Recovery Network","","Tennessee","DISC","MED","5,690","A password-protected, unencrypted laptop was stolen from the covered entity’s (CE) employee’s car in her neighborhood. 
The laptop contained the protected health information (PHI) of 5,690 individuals and included patient names, dates of birth, addresses, telephone numbers, social security numbers, diagnoses, level of care, dates of service, and health insurance identifiers. The CE conducted an investigation and filed a police report. The CE provided breach notifications to HHS and affected individuals. Following the breach, the CE disabled the laptop’s access to its internal systems and changed the passwords. The employee was formally reprimanded and retrained. The CE hired experts to perform a risk assessment and gap analysis of its existing privacy and security practices, policies, and procedures and instituted a policy prohibiting workforce members from removing unencrypted company laptops from the premises. The CE retrained employees at all levels on its HIPAA policies and procedures and provided company-wide email reminders to all workforce members regarding privacy and security protections. The CE established roles to address compliance, including a compliance committee and a compliance director. OCR obtained assurances that the corrective actions listed above were taken. Two of the three individuals involved in the theft of the laptop were arrested. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 16, 2013","California Correctional Health Care Services","","California","UNKN","MED","1,033","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 19, 2013","North Texas Comprehensive Spine & Pain Center","","Texas","PHYS","MED","3,200","On August 19, 2013, the covered entity (CE), North Texas Comprehensive Spine & Pain Center, reported a breach when an employee’s car was broken into and an external hard drive was stolen. The hard drive contained the demographic and clinical information of 3,200 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The employee was authorized to take protected health information (PHI) home as part of her job duties. Following the breach, the CE sanctioned the involved employee, encrypted its hard drives, and changed its policies to prohibit employees from remotely accessing PHI. OCR verified the corrective action taken by the CE. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 21, 2013","Elbowoods Memorial Health Center","","North Dakota","PHYS","MED","10,000","\N Location of breached information: Desktop Computer, Other, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 22, 2013","Jackson Health System","","Florida","PHYS","MED","1,471","\N Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 23, 2013","Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group","","Illinois","PHYS","MED","4,029,530","Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. 
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (""AMG""). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: •conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; •implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; •obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and •reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children's hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 27, 2013","Summit Community Care Clinic, Inc.","","Colorado","HACK","MED","921","An employee impermissibly disclosed approximately 921 patients’ protected health information (PHI) when the employee sent an email message to patients and failed to place the patients’ email addresses in the blind carbon copy area of the email. The only type of PHI involved in the breach was email addresses. The CE provided breach notification to HHS, affected individuals, and the media. The covered entity (CE), Summit Community Care Clinic, Inc. had a policy and procedure in place addressing security issues regarding email. In response to the incident the CE re-trained its staff on its policy and procedure, and individually counseled the responsible employee. OCR provided technical assistance regarding the CE’s obligations under the Security and Breach Notification Rules and obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 28, 2013","UT Physicians","","Texas","PHYS","MED","596","An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 596 individuals was stolen from the covered entity's (CE), UT Physicians, facility. The laptop was stored in a locked closet, in an area secured by a key card. The laptop had been attached to an electromyography (EMG) nerve device and had been inventoried as a medical device. The ePHI included patients' names, dates of birth, and medical record numbers along with the values from the EMG machine. 
The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE replaced the stolen laptop with an encrypted laptop and improved physical safeguards for the new laptop. Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE’s policies, including encryption requirements. OCR obtained a copy of the CE's current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 30, 2013","Cogent Healthcare, Inc.","","Tennessee","PHYS","MED","32,000","Cogent Healthcare, Inc., a business associate (BA) providing management services for 24 providers of hospitalist services, submitted a breach report to HHS on behalf of these covered entities. The BA's privacy officer found that protected health information (PHI) for which the BA was responsible was accessible on a File Transfer Protocol (FTP) Internet site. The PHI involved in the breach affected approximately 32,151 individuals and included patients' names, physicians' names, dates of birth, diagnoses, treatment summaries, medical histories, medical record numbers and related information. OCR determined that the reporting entity is a BA and the incident occurred prior to the September 23, 2013, enforcement date. OCR provided the BA with technical assistance regarding current HIPAA Privacy and Security Rule BA requirements. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 30, 2013","Atlanta Center for Reproductive Medicine","","Georgia","DISC","MED","654","The Atlanta Center for Reproductive Medicine, the covered entity (CE), discovered that, on July 12, 2013, an employee unintentionally attached the wrong file to an email sent to one patient. The file contained protected health information (PHI) including the names, dates of birth, addresses, medical record numbers, social security numbers, conditions, and treatment and diagnostic information for 654 individuals. The CE obtained assurances that the file containing PHI was destroyed and not used or disclosed to any other parties. The CE provided timely breach notification to HHS, to affected individuals, and the media. In response to the breach, the CE revised its policies and procedures concerning the transmission of PHI via email, and provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "August 30, 2013","St. Anthony's Physician Organization","","Missouri","PHYS","MED","2,600","\N Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 3, 2013","Valparaiso Fire Department","","Indiana","PHYS","MED","0","This case has been consolidated with another review for this covered entity. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 3, 2013","Janna Benkelman LPC LLC","","Colorado","PHYS","MED","1,500","On August 1, 2013, the covered entity (CE), Dr. Benkelman, discovered that her unencrypted office laptop computer had been stolen from her unlocked office. The resulting breach affected approximately 1,500 patients, and the electronic protected health information (ePHI) included demographic and mental health information (diagnoses/conditions). The CE reported the theft to the police, and provided breach notification to HHS, the media, and affected individuals. The CE also offered credit monitoring to affected individuals. The CE closed the practice in the fall of 2013 due to the breach. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 3, 2013","Olson & White Orthodontics","","Missouri","PHYS","MED","10,000","On July 22, 2013, two desktop computers that contained protected health information (PHI) were stolen from the covered entity (CE), Olson & White Orthodontics, during a break-in. The names, addresses, dates of birth, social security numbers, claims information, diagnoses, and treatment information affecting 10,000 were reportedly disclosed. The CE utilized a system for encryption to protect its PHI; however, a software oversight may have resulted in some PHI being stored in an unencrypted manner on the stolen computers. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. Following the breach, the CE reported the theft to the proper authorities, added offsite data backup storage, and improved physical safeguards. 
Additionally, it retrained staff and eliminated office procedures that resulted in the storage of unencrypted PHI. As a result of OCR’s investigation, the CE updated its uses and disclosures policy and provided training on the updated policy. The CE also provided OCR documentation of its corrective actions. Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 3, 2013","Kaiser Foundation Health Plan of the Northwest","","Oregon","DISC","MED","647","Over a period of about three and a half years, an employee of Kaiser Foundation Health Plan of the Northwest, the covered entity (CE), accessed patient records either without a business need to know or beyond the minimum necessary for her job. The impermissible access by the employee totaled 647 individuals. The type of protected health information involved in the breach included names and treatment information. The CE provided breach notification to HHS and affected individuals. Following the discovery of the breach the CE retrained employees. After an intensive investigation, it terminated the employee and disciplined four others for related misconduct. OCR obtained written assurances that the corrective actions were taken. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 6, 2013","Hankyu Chung, M.D.","","California","PHYS","MED","2,182","On June 17, 2013, two unencrypted laptop computers were stolen from the covered entity's facility in San Jose, California. One of the laptops reportedly contained the electronic protected health information (ePHI) of approximately 2,182 individuals. 
In particular, the ePHI included full names, home addresses, telephone numbers, date of birth information, and medical records. The CE provided breach notification to HHS, affected individuals, and the media and established a website to assist potentially affected individuals. The CE implemented measures to improve physical security and safeguard the ePHI it maintains. OCR provided substantive technical assistance and identified corrective actions that the CE must complete to comply with the Security Rule, which includes the following: conduct and monitor a comprehensive, enterprise-wide risk analysis as well as administer measures that support the results of that analysis, such as articulating policies and procedures and maintaining current business associate agreements. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 6, 2013","ICS Collection Service, Inc.","","Illinois","HACK","MED","1,290","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 11, 2013","PHMHS","","Puerto Rico","PHYS","MED","5,000","Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. 
As a result of OCR's investigation, the CE had its BA conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR provided technical assistance to help the CE understand its obligations under the Privacy and Security Rules regarding BA agreements. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 12, 2013","Dermatology Associates of Tallahassee","","Florida","PHYS","MED","915","The Secret Service discovered patient information pages printed from the covered entity's (CE) electronic medical record system at a vacant home in South Georgia. The breach affected 915 individuals whose names, dates of birth, insurance information, scheduling information, referring physicians, phone numbers and Social Security numbers were included on the printed pages. The CE delayed sending notification based on a law enforcement request. Once authorized to move forward, the CE timely sent breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach on its website. In response to the breach, the CE implemented changes to its policies and procedures and increased its monitoring of user activity on its computer system. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 13, 2013","NHC HealthCare, Oak Ridge","","Tennessee","PHYS","MED","4,268","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 13, 2013","NHC HealthCare, Mauldin","","South Carolina","PHYS","MED","4,204","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 13, 2013","Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group","","Illinois","HACK","MED","2,029","Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. 
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (""AMG""). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: •conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; •implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; •obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and •reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children's hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 13, 2013","Dreyer Medical Clinic","","Illinois","HACK","MED","998","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.633125","-89.398528" "September 16, 2013","South Shore Physicians, PC","","New York","PHYS","MED","8,000","The protected health information (PHI) of approximately 8000 individuals was purposely taken by an employee for identity theft purposes. The employee took copies of patients’ names, dates of birth, mailing addresses, social security numbers, bank account numbers, credit card numbers and medical information. The covered entity (CE) had to wait in order to report the breach to OCR due to the criminal investigation by the New York City police and district attorney’s office. The CE hired a consultant to conduct an investigation, risk analysis, and risk management plan. Additionally, the CE’s consultant reviewed its Privacy and Security Rule policies and procedures and retrained staff. Lastly, the CE notified the patients regarding this incident as required by the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 16, 2013","Dermatology Associates of Tallahassee","","Florida","UNKN","MED","915","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 20, 2013","Sierra View District Hospital","","California","DISC","MED","1,009","A workforce member of the covered entity (CE), Sierra View Medical Center, impermissibly accessed an internal hospital roster covering different departments over a period of several days between July and August 2013, which potentially affected the electronic protected health information (ePHI) of approximately one thousand nine (1,009) individuals. The ePHI included patients' names, room numbers, treating physicians' information, diagnoses, and medical record data, including treatment notes. The CE provided breach notification to HHS, affected individuals, and the media. The CE investigated and determined that the employee had not used the information, despite impermissibly accessing it. The CE sanctioned the employee and implemented compliance actions to meet workforce security standards, including log-in monitoring. The CE also revised policies and procedures and conducted training on the security awareness standard. OCR provided substantive technical assistance and identified corrective actions that the CE must complete to comply with the Security Rule, which includes the following: conduct and monitor a comprehensive, enterprise-wide risk analysis, update and monitor its risk management plan, and monitor its information access management to ensure adequate safeguards of ePHI. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 20, 2013","InfoCrossing, Inc.","","Missouri","DISC","MED","25,461","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 24, 2013","Holy Cross Hospital, Inc.","","Florida","PHYS","MED","9,900","An employee accessed and used protected health information (PHI) outside of her job duties to file fraudulent tax returns. The PHI involved in the breach included the names, addresses and social security numbers of 9,900 individuals. The covered entity (CE), Holy Cross Hospital, provided breach notification to HHS, affected individuals, and the media. The CE retrained staff, disseminated educational material, and implemented an extensive risk management plan to bolster procedures for auditing and monitoring PHI use and access. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employment of the involved employee. Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 26, 2013","Region Ten Community Services Board","","Virginia","PHYS","MED","10,228","The covered entity (CE), Region Ten Community Services Board, reported that multiple employees had responded to an email, appearing to come from an internal sender, informing them that their mailboxes had exceeded limits and instructing them to follow a link to enter username and password. 
A forensic investigation was conducted which did not show that any sensitive client information was compromised. However, in an effort to mitigate any potential harm the CE sent notification to over 10,000 individuals, sent a press release to a local news station and also posted information about the occurrence on its website. The CE engaged the services of a technology consulting firm and has provided OCR written assurance that it has implemented updates to its computer network including an additional firewall. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 27, 2013","Comprehensive Podiatry LLC","","Ohio","PHYS","MED","1,360","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 27, 2013","Santa Clara Valley Medical Center","","California","PHYS","MED","579","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 28, 2013","Sarah Benjamin, DPM - Littleton Podiatry","","Colorado","PHYS","MED","3,512","On August 27, 2013, an unencrypted laptop computer containing the protected health information (PHI) of 3,512 individuals was stolen from a locked supply closet at the covered entity’s (CE) facility. The types of PHI involved in the breach likely included patients’ names, genders, addresses, telephone numbers, dates of birth, health insurance information, and medical records, including, appointment notes, diagnosis, treatments, surgery notes, lab test results, prescriptions, instructions, and other information relating to podiatric care. 
The CE provided breach notification to HHS, affected individuals, and the media, and also contacted the police. Following the breach, the CE conducted an enterprise-wide risk analysis, implemented a risk management plan, encrypted its workstations and devices, and improved physical safeguards. The CE also implemented several other administrative and technical safeguards to ensure its compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 30, 2013","Carol L Patrick Ph. D.","","Ohio","PHYS","MED","517","On August 9, 2013, the covered entity (CE), Dr. Carol L. Patrick, discovered that her office was broken into and all the operational computers, network servers, and work stations were stolen. The stolen equipment contained the electronic protected health information (ePHI) of approximately 517 individuals and included clinical information, specifically psychological assessments, evaluations, letters, reports, and evaluations written on behalf of clients. The CE provided breach notification to HHS, affected individuals, and the media, and filed a police report. Following the breach, the CE improved physical safeguards by installing a security system with motion and fire protection and internal alarms. The CE also installed encryption software and updated its privacy policy. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "September 30, 2013","HOPE Family Health","","Tennessee","PHYS","MED","6,932","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 1, 2013","Paul G. Klein, DPM","","New Jersey","PHYS","MED","2,500","OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported that an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnoses, lab test results, medications, medical notes, and treatment plans. Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR’s investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop. OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the HIPAA Rules and provided technical assistance to the CE regarding the requirements of the Breach Notification Rule. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 2, 2013","UnityPoint Health Affiliated","","Iowa","DISC","MED","1,825","The covered entity (CE), UnityPoint Health, discovered that an office manager (from an independent private practice) was using physicians’ passwords to access patients’ protected health information (PHI). 
The types of PHI involved in the breach included names, social security numbers, addresses, driver’s license numbers, dates of birth, diagnoses, lab results, and medications affecting approximately 1,825 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and contacted the proper authorities to investigate any possible criminal infractions. The CE investigated the breach, which resulted in the office manager’s resignation from her job. The CE also retrained the physicians who shared their passwords with the office manager and obtained written assurances they would no longer share passwords. OCR obtained and reviewed the CE’s HIPAA compliance documentation. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","41.878003","-93.097702" "October 2, 2013","TSYS Employee Health Plan","","Georgia","PHYS","MED","5,232","TSYS Employee Health Plan, the covered entity (CE), discovered that an employee of the CE’s business associate (BA), Paragon Benefits, Inc., misappropriated a digital file that contained protected health information (PHI) for 5,232 beneficiaries. The CE sent timely breach notification to HHS, to affected individuals, to the media and posted substitute notification on its website. In response to the breach, the CE provided affected individuals with identity theft protection, credit monitoring, tax forms, contact information for the Federal Trade Commission, and instructions on how to put a credit freeze on a credit account. OCR determined that the CE and BA had an effective BA agreement in place at the time of the breach. The CE terminated its contract with the BA as of December 31, 2012, but the BA continues to provide services for outstanding claims that it submitted on the CE’s behalf. 
The CE obtained assurances from the BA that additional security measures have been implemented. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","32.165622","-82.900075" "October 3, 2013","University of California, San Francisco","","California","PHYS","MED","3,553","On September 9, 2013, both an unencrypted personal laptop computer containing electronic protected health information (ePHI) and paper documents that contained PHI were stolen out of a workforce member’s locked car. The laptop contained unencrypted ePHI pertaining to 3,541 individuals, and the paper documents contained PHI for 31 patients. The types of PHI involved in the breach included patients’ names, addresses, dates of birth, medical record numbers, social security numbers, diagnoses, conditions, dates of service, lab results, medications, and other treatment-related PHI. The covered entity (CE), the University of California San Francisco, provided breach notification to HHS, affected individuals, and the media. Following the breach the CE retrained the workforce members on encryption, use of email on personal devices, and best practices for sharing PHI documents via email. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","36.778261","-119.417932" "October 3, 2013","Reconstructive Orthopaedic Associates II, P.C. 
d/b/a Rothman Institute","","Pennsylvania","PHYS","MED","2,350","An employee removed paper copies of daily patient schedules and two medical reports from the covered entity's (CE) transcription processing department without authorization upon her termination from employment. Approximately 2,300 individuals were affected by the breach. The protected health information (PHI) involved in the breach included patient names, telephone numbers, appointment dates and times, dates of birth, reasons for visits, visit sites, assigned staff/physician, chart numbers, insurance company codes and copays, encounter numbers, and treatment information. The CE provided breach notification to HHS, the media and affected individuals and provided one year of free credit monitoring to those who requested it. Following the breach, the CE cooperated with local authorities in their arrest and prosecution of the involved employee. The CE updated its privacy policies and procedures, organized the policies into a HIPAA manual, and retrained 687 employees on its privacy policies and procedures. In response to OCR's investigation, the CE decided to replace its electronic medical records and practice management systems to improve safeguards for electronic PHI. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 3, 2013","Group Health Cooperative","","Washington","UNKN","MED","1,015","The CE sent an erroneous mailing to 1,105 individuals which displayed protected health information (PHI) in the address window of the envelope. The PHI involved in the breach included patients’ names, medical record numbers, diagnoses, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE reviewed, updated and implemented applicable procedures to correct the causes of this incident. 
In response to OCR’s investigation, the CE provided documentation of the corrective actions taken. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 4, 2013","Schuylkill Health System","","Pennsylvania","PHYS","MED","2,810","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 4, 2013","CaroMont Medical Group","","North Carolina","HACK","MED","1,310","On August 8, 2013, the covered entity (CE), CaroMont Medical Group, performed an internal audit that found an unencrypted email was sent by an employee on August 5, 2013. The employee emailed a spreadsheet to her personal email containing the following protected health information (PHI) for 1,310 individuals: patients’ names, dates of birth, medical record numbers, insurance providers, insurance numbers, diagnoses, and two Medicaid/Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, updated its secure email policy, and required employees to attest to reviewing the new policy. The CE trained staff on data privacy and information security, and it implemented security controls for the encryption of all external emails containing an attachment. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 4, 2013","Mount Sinai Medical Center","","New York","PHYS","MED","1,586","OCR opened an investigation of the covered entity (CE), Mt. 
Sinai Medical Center, after it reported that a trash vendor placed two garbage bags in an open box containing the protected health information (PHI) of 1,586 patients outside the Mt. Sinai’s Department of Preventive Medicine’s facility with the regular trash. The PHI involved in the breach included names, dates of service, payer information, patients’ clinical information, mental health information and social security numbers. As a result of the breach, the CE retrieved the two trash bags and the box that contained PHI, provided training to its staff regarding appropriate disposal of PHI including paper files, and sanctioned the supervisor for failing to follow its policy regarding confidential waste. OCR provided TA to the CE regarding accounting of disclosures. CE assured OCR that the disclosures would be documented. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 4, 2013","Healthcare Management System ","","Tennessee","DISC","MED","4,330","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 7, 2013","Saint Louis University","","Missouri","DISC","MED","3,100","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 9, 2013","BlackHawk","","Illinois","HACK","MED","7,120","The covered entity (CE), MUSC Physicians & MUHA, learned on August 22, 2013, that the payment portal of its business associate (BA), Blackhawk Statement Group, had been hacked on June 30, 2013. 
The breach exposed the names, addresses, email addresses, and credit card information for 7,120 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE changed its payment procedures to circumvent the BA and process credit card transactions directly with the processor. The BA patched the vulnerability in the software that was targeted by the hack and improved its network security. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 11, 2013","Ferris State University - MI College of Optometry","","Michigan","HACK","MED","3,947","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 14, 2013","Access Counseling, LLC","","Indiana","PHYS","MED","566","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 14, 2013","Rose Medical Center","","Colorado","PHYS","MED","606","A newly hired janitorial service mistakenly disposed of information face sheets awaiting removal from the covered entity’s (CE) Breach Center to shredding bins before the face sheets could be shredded. 
The face sheets belonged to the CE, Rose Medical Center, a Hospital Corporation of America facility, and contained protected health information (PHI), including demographic information, social security numbers, insurance information, physician information and next of kin contact information for approximately 606 individuals. The CE provided timely written notice to affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE instituted a new procedure whereby all documents containing PHI must be disposed of directly into secured shredding bins, rather than recycling bins. The CE also launched a company-wide initiative to implement improved procedures to safeguard social security numbers, such as removing the numbers from documents where possible, and minimizing the printing of documents containing such PHI. The CE also retrained staff on the HIPAA Privacy Rule. Finally, the CE’s Breast Center ceased printing duplicate face sheets and full social security numbers on face sheets. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","39.550051","-105.782067" "October 14, 2013","BriovaRx","","Illinois","DISC","MED","1,067","An employee of the covered entity (CE) who later resigned effective July 17, 2013, emailed confidential documents from his company-issued laptop computer to his personal email account without authorization. The emailed data contained the protected health information (PHI) of approximately 1,067 individuals. The protected health information involved in the breach included first and last names, diagnoses, and medication names. The CE provided breach notification to HHS, affected individuals, and the media. 
Upon discovery of the breach, the CE’s outside legal counsel the CE contacted the employee and the employee’s new employer for assurances and affidavits prohibiting the involved employee or the employee’s new employer from transferring and/or disclosing sensitive confidential information and PHI, and later obtained a preliminary injunction motion. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.633125","-89.398528" "October 15, 2013","North Country Hospital and Health Center, Inc","","Vermont","PHYS","MED","550","A former employee of the covered entity (CE), North Country Hospital and Health Center, retained possession of a retired unencrypted laptop computer that contained protected health information (PHI) following his termination on July 15, 2013. The types of PHI involved in the breach included electronically signed physician orders with dates and ordering providers’ names, as well as patient names, demographic information and clinical information, including diagnoses. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE installed removable disk encryption on all of its laptops as well as desktop computers that store PHI. It also revised the computer system and risk management policy. The CE also implemented a termination checklist and a termination procedure. OCR provided technical assistance to the CE regarding risk analysis. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","44.558803","-72.577842" "October 16, 2013","Hope Community Resources, Inc.","","Alaska","DISC","MED","1,556","A client contact list was inadvertently attached to a group email to parents and guardians of clients by an employee of the covered entity (CE), Hope Community Resources, affecting 1,556 individuals. The protected health information (PHI) involved in the breach included client names, contact information for client support persons, dates of birth, and internal identification numbers issued by the CE. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the responsible employee and improved safeguards by instituting a new quality measure for large mailings. Following OCR’s investigation, the CE updated its risk analysis through an outside vendor. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 17, 2013","Broward Health Medical Center","","Florida","DISC","MED","960","Broward Health Medical Center, the covered entity (CE), discovered that an employee had taken paper patient facesheets off the premises, which were then stolen from the employee’s home by a visitor. The names, dates of birth, addresses, telephone numbers, social security numbers, primary insurance providers, insurance guarantors, reasons for visits, employers, and emergency contact information pertaining to 960 potentially affected individuals were exposed due to the breach. The CE provided breach notification to HHS, to affected individuals and to the media. 
At the time of the breach the CE had policies in place prohibiting the removal of PHI from the facility and the employee at fault for this incident is no longer employed by the CE. In response to the breach, the CE re-trained its workforce to reinforce its existing policies. OCR provided technical assistance regarding procedures for responding to and reporting privacy incidents as well as the CE’s obligations under the Breach Notification Rule in the event of a law enforcement delay. OCR obtained assurances that the CE has implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 21, 2013","Mount Sinai Medical Center","","New York","PHYS","MED","610","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 22, 2013","Texas Health Presbyterian Dallas Hospital","","Texas","PHYS","MED","949","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 23, 2013","Ferris State University MI College of Optometry","","Michigan","HACK","MED","3,947","An unauthorized person evaded the network security of Ferris State University Michigan College of Optometry on December 1, 2011, and placed a malware program on the computer Ferris uses to operate its website, which had the technical ability to access its electronic files on certain network servers. 
The breach of electronic protected health information (ePHI) affected approximately 3,947 individuals and included patients' names, dates of birth, Social Security numbers, addresses, diagnoses/conditions, financial claims information, clinical information, and other treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and posted substitute notification of the breach incident on its website. The CE created a dedicated call center regarding the breach and also offered one year of free credit monitoring to individuals whose social security number was involved in the breach. Following the breach, the CE engaged an outside forensic security firm to conduct an internal investigation, installed the latest operating systems and patches to its network asset and web server, and applied the latest version of antivirus and malware on its servers. The CE verified the removal of ePHI from the application and archive files, worked with its customers to remove sensitive data, and blocked specific internet addresses from its networks. The CE also revised its policies and procedures addressing how it administratively, technically, and physically safeguards patients’ PHI. Additionally, the CE trained employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 23, 2013","none, Seton Healthcare Family","","Texas","PHYS","MED","5,500","OCR opened an investigation of the covered entity (CE), Seton Healthcare Family after it reported that on October 4, 2013, an unencrypted laptop computer that contained the electronic protected health information (ePHI) of 5,500 patients was stolen from a clinic. The ePHI included patients' names, medical record numbers, account numbers, social security numbers, dates of birth, diagnoses, immunizations, and insurance information. The CE notified HHS, affected individuals, and the media in accordance with the Breach Notification Rule and provided free credit monitoring services for one year. The CE took a number of corrective actions to prevent future breaches. It implemented a full disk encryption policy to be applied prior to deployment of new computers, updated internal processes, and retrained staff on its updated processes. The CE also sanctioned and re-trained the workforce member involved in the breach, and confirmed the same was applied to the Dell IT technician involved with system upgrades, including encryption. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 25, 2013","Bronx Lebanon Hospital Center","","New York","DISC","MED","10,930","A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses for patients of the covered entity (CE), Bronx Lebanon Hospital Center. The CE that had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the protected health information (PHI) from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 25, 2013","Martin Luther King Jr. 
Health Center, Inc.","","New York","DISC","MED","37,000","A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses. Martin Luther King Jr. Health Center, the covered entity (CE) who had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the PHI from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by the most commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 25, 2013","Good Samaritan Hospital","","California","PHYS","MED","3,833","The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. 
Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 25, 2013","SSM Health Care of Wisconsin DBA: St. Mary’s Janesville Hospital","","Wisconsin","PHYS","MED","631","A laptop computer containing protected health information (PHI) was stolen from the vehicle of a covered entity's (CE) workforce member. Approximately 633 individuals were affected by the breach. The PHI included patients' names, dates of birth, medical records, and account numbers. The CE immediately reported the laptop theft to the police. In response to the breach, the CE provided notice to HHS, the affected individuals, and the media. In addition, the CE encrypted all company laptops, re-trained each provider and employee in possession of a company laptop, and applied disciplinary policies to the employees involved in the incident. OCR obtained assurances that the covered entity implemented the corrective action listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 25, 2013","AHMC Healthcare Inc. and affiliated Hospitals","","California","PHYS","MED","729,000","Two unencrypted laptop computers containing the protected health information (PHI) of 729,000 individuals were stolen from a secure office on October 23, 2013. The types of PHI involved in the breach included financial information, diagnoses, conditions, treatment information, and demographic information. 
The covered entity (CE), AHMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented and maintained an encryption plan. It also developed policies and procedures regarding access to and receipt and removal of electronic PHI (ePHI). It also improved safeguards to reduce risks and vulnerabilities to ePHI. As a result of this investigation, OCR provided technical assistance to the CE regarding its obligations to implement and maintain policies and procedures that comply with the Privacy and Security Rules, conduct an accurate and thorough risk analysis, and implement a risk management plan. OCR also provided technical assistance regarding encryption. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 28, 2013","Greater Dallas Orthopaedics, PLLC","","Texas","PHYS","MED","5,840","Two computers containing files with dictated letters were stolen from the covered entity (CE), Greater Dallas Orthopaedics, PLLC. The protected health information (PHI) on the audio files included the names and medical information of approximately 5,840 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 29, 2013","Spirit Home Health Care, Corp","","Florida","PHYS","MED","603","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 29, 2013","Rotech Healthcare Inc.","","Florida","DISC","MED","10,680","A former employee of the covered entity (CE), Rotech, removed and retained electronic files from a company computer, some of which contained the protected health information (PHI) of employees in relation to the CE’s group health plan. The demographic, clinical and financial information of 10,680 individuals was affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE updated its policies and procedures regarding downloading of information from company-issued computers to external devices, retrieval of company-issued removable media from departing employees, and destruction of PHI and ePHI. The CE improved safeguards by disabling USB ports on most computers and encrypting all company laptops. Additionally, the CE conducted a HIPAA gap analysis, implemented a process for periodic analysis, and updated and secured the methods used to back up data. Finally, the CE obtained outside experts to assist in reviewing and enhancing HIPAA training and retrained employees. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "October 31, 2013","Reimbursement Technologies, Inc.","","Pennsylvania","DISC","MED","2,300","An employee of the covered entity (CE), Reimbursement Technologies, Inc., impermissibly accessed the check images of approximately 2,300 patients. The protected health information (PHI) involved in the breach included personal check information, including bank routing numbers, names and addresses. Following the breach, the CE terminated the employee and reported the breach to the FBI for further investigation. The CE reviewed all the check images accessed and notified the guarantors and offered credit monitoring. The CE monitored employee check viewing, further identified vulnerabilities, and updated its HIPAA policies and procedures, including requiring the check imaging vendor to truncate bank routing numbers. The CE also improved safeguards by installing a new firewall. OCR obtained assurance that the covered actions listed above were completed. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 1, 2013","Advocate Health and Hospitals Corporation","","Illinois","PHYS","MED","2,237","Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. 
This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (""AMG""). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: •conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; •implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; •obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and •reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. 
Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children's hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 1, 2013","Comprehensive Psychological Services LLC","","South Carolina","PHYS","MED","3,500","On October 28, 2013, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic and clinical information of approximately 3,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE increased its facility’s physical security. The CE also upgraded its technology and improved safeguards by encrypting equipment and communication containing ePHI, implementing a networked file server and domain, and backing up client data to an encrypted cloud-based storage service. Pursuant to OCR’s recommendations, the CE modified its policies and training procedures. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 1, 2013","Superior HealthPlan, Inc.","","Texas","UNKN","MED","6,284","The covered entity (CE), Superior HealthPlan, Inc., mistakenly sent mail containing protected health information (PHI) to unrelated members. Approximately 6,284 individuals were affected. The PHI involved in the breach included names, addresses, and identification numbers. 
The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. It also offered credit and identity theft protection to the affected parties. As a result of OCR’s investigation, the CE implemented procedures to improve accuracy of mailings. In addition, the CE improved safeguards by implementing a periodic audit to assure that IDs are matched to mailing addresses. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 1, 2013","Genesis Rehabilitation Services","","Pennsylvania","PHYS","MED","1,167","Two unencrypted flash drives containing the electronic protected health information (ePHI) of 1,167 individuals were stolen from a staff member’s office. The ePHI involved in the breach included names, dates of birth, treatment and diagnosis information, medical insurance identification numbers, and, in some instances, social security numbers. The covered entity (CE), Genesis Rehabilitation Services, provided breach notification to HHS, affected individuals, the media, and provided free credit monitoring. The CE retrained all staff members on its policies regarding encryption of flash drives. Additionally, OCR’s investigation resulted in the CE revising its HIPAA policies. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 2, 2013","Colorado Health & Wellness, Inc.","","Colorado","PHYS","MED","651","Colorado Health and Wellness reported an alleged impermissible use of protected health information by an employee, affecting up to 651 individuals. OCR determined that a breach had not occurred and provided technical assistance to the covered entity. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 4, 2013","Allina Health","","Minnesota","DISC","MED","3,807","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 5, 2013","Barnabas Health Medical Group, P.C.","","New Jersey","PHYS","MED","1,100","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 5, 2013","DaVita","","California","PHYS","MED","11,500","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 7, 2013","Blue Cross and Blue Shield of North Carolina","","North Carolina","DISC","MED","687","On October 14, 2013, the covered entity (CE), Blue Cross Blue Shield of North Carolina, impermissibly disclosed the protected health information (PHI) of 687 individuals when an employee inadvertently mailed notices regarding policy changes to incorrect addresses. The PHI involved in the breach included names. The CE provided breach notification to HHS and affected individuals. Following the breach the CE sanctioned the responsible workforce member. As a result of OCR’s investigation, the CE provided media notice and established a toll-free number for affected individuals. Additionally, the CE improved safeguards by retraining employees and initiating a regular review of mailing procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 8, 2013","North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities ","","North Carolina","DISC","MED","1,315","The covered entity (CE), North Carolina Department of Health and Human Services Division of State Operated Health Care Facilities, impermissibly disclosed the protected health information (PHI) of 1,315 individuals by exposing their PHI on its website, NC Open Book, without authorizations. The PHI involved in the breach included patient payment information, names, addresses, and facility names, which were erroneously posted as vendor payments on the website. The CE removed the information from the website immediately upon discovery. The CE also provided breach notification to HHS, affected individuals, and the media, and placed substitute notice on its website. In addition, the CE provided a toll-free phone number for affected individuals to obtain additional information. Following the breach the CE implemented procedures limiting the types of personally identifiable information that are disclosed in the accounting system. Additionally, the CE improved safeguards for all HIPAA-related documents and email correspondence containing PHI. Finally, the CE implemented a procedure that requires prior review of any data being released to the public and redaction of confidential information. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 8, 2013","Triple S Salud Inc.","","Puerto Rico","DISC","MED","13,336","On November 8, 2013, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico reported to HHS that on September 23, 2013, they became aware that a vendor doing business with its business associate (BA), Triple-S Salud, disclosed protected health information (PHI) on the outside of a pamphlet mailed to beneficiaries on September 20, 2013. The PHI disclosed in the breach included the names, mailing addresses, and the health insurance claim numbers of 13,336 of the CE’s members. The CE and BA each provided breach notification to affected individuals and the CE provided breach notification to the media. As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified time. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 8, 2013","Associated Urologists of North Carolina","","North Carolina","DISC","MED","7,300","On September 11, 2013, a patient of the covered entity (CE), Associated Urologists of North Carolina (AUNC), notified the CE that when he did an internet search for his name he was able to see a list identifying him as an AUNC patient. The CE investigated and discovered that protected health information (PHI) was accessible on the internet from September 17, 2012, to September 11, 2013, and that the breach was due to the way medical notes had been transcribed. 
An employee uploaded audio files and lists of patients’ names through a file transfer protocol (FTP) site to assist with transcription. The files included the names, dates of birth, phone numbers, referring physicians, chart numbers, and reasons for visits for 7,297 patients. In response to the incident, the CE immediately discontinued use of the FTP site, removed all of its files from the unsecure website, and contacted Google to have all cached copies of the files removed. The CE also provided breach notification to HHS, affected individuals, and the media and offered free credit monitoring and a toll free number to answer questions. The CE also reviewed its policies and retrained all staff on its data privacy and information security policies. Additionally, the CE partnered with a security contractor to develop and implement new policies and procedures to safeguard electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 12, 2013","Kemmet Dental Design","","North Dakota","PHYS","MED","2,000","The covered entity (CE), Kemmet Dental Design, learned on November 11, 2013, that its office had been broken into over the preceding weekend. At the time of the break-in, the CE stored between 1,500 – 2,000 paper patient charts containing protected health information (PHI) in its office, and the paper patient charts were not further secured inside the office. The CE provided breach notification to HHS and affected individuals. Though the CE indicated that nothing appeared to be missing, it moved its dental office to a different location in July 2014 and implemented safeguards it had lacked prior to the break-in. 
For example, the CE converted all of its patient charts to a secure electronic medical record system, properly shredded its old x-rays, and properly disposed of its old paper charts. It also improved physical security. OCR provided technical assistance regarding the need to implement safeguards policies and procedures and regarding the CE's breach notification reporting obligations. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 12, 2013","Hospice of the Chesapeake","","Maryland","PHYS","MED","7,606","Contrary to the covered entity's (CE) established policy, an employee emailed spreadsheets containing the electronic protected health information (ePHI) of 7,035 patients to a personal email account, and a third party may have viewed the spreadsheets. The PHI included names, addresses, conditions, and diagnoses. Following the breach, the CE hired an independent computer forensics firm which conducted an independent investigation. The investigation uncovered another spreadsheet containing the PHI of 571 additional patients in the employee's personal email account. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. The CE applied sanctions for violating its policy and terminated the responsible employee. As a result of OCR's investigation, OCR obtained assurances that the CE has periodically conducted risk assessments to assess vulnerabilities to ePHI in its computer systems. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 13, 2013","All Source Medical Management","","Arizona","PHYS","MED","1,456","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 13, 2013","Memorial Sloan-Kettering Cancer Center","","New York","PHYS","MED","2,279","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 14, 2013","Health Fitness Corporation","","Illinois","PHYS","MED","4,837","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 15, 2013","UHS-Pruitt Corporation","","Georgia","PHYS","MED","1,300","A manager's unencrypted laptop computer was stolen from a hotel parking lot which also included the employee's login and system password and the covered entity's (CE) long term care software application. The laptop contained 1,300 individuals' protected health information (PHI) and included names, social security numbers, addresses, dates of birth, bank account numbers, Medicare numbers, possible diagnoses, and patient locations. Following the breach, the CE changed the employee's password and performed an analysis to ensure no attempts had been made to access the system and long term care application using the prior account and password. The CE improved safeguards by encrypting electronic devices and employing devices that do not allow local storage. 
The CE has also re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 18, 2013","United Dynacare, LLC dba Dynacare Laboratories","","Wisconsin","PHYS","MED","9,328","On October 22, 2013, the covered entity (CE) learned that one of its employees’ cars was stolen with a mobile data drive (“flash drive”) that stored a database with protected health information (PHI). The unencrypted flash drive contained the electronic PHI of approximately 9,328 individuals. The types of ePHI involved in the breach included patients’ names, addresses, birth dates, social security numbers, and gender. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned employees, improved safeguards related to encryption and mobile devices, updated and implemented policies and procedures, and retrained its workforce. The flash drive was recovered after the breach notifications were mailed. The forensic analysis of the recovered flash drive indicated that there was no evidence of unauthorized access of information. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 19, 2013","Redwood Memorial Hospital","","California","PHYS","MED","1,039","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 22, 2013","University of California, San Francisco","","California","PHYS","MED","8,294","On September 25, 2013, a personal laptop computer containing electronic protected health information (ePHI), and paper documents containing PHI, were stolen out of a physician’s locked car, affecting 8,294 individuals. The stolen laptop contained unencrypted ePHI, including patients’ names, addresses, social security numbers, dates of birth, diagnoses, conditions, lab results, medications, and other treatment related-ePHI. The covered entity (CE), University of California San Francisco, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE updated its policy on safeguarding ePHI to specifically address personally owned electronic devices, including the requirement that they be encrypted, and that ePHI transported offsite must stay within the direct possession of the workforce member. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 22, 2013","New Jersey Department of Human Services","","New Jersey","PHYS","MED","9,825","An employee of the covered entity's (CE) business associate (BA), Island Peer Review Organization, lost an unencrypted and not password-protected portable computer drive (a ""USB"" drive) that contained 9,825 patients’ names, addresses, dates of birth, social security numbers, clinical information, diagnoses, conditions, and identification numbers (including member identification, Medicaid identification, subscriber identification, patient account number and patient control number). The CE, New Jersey Department of Human Services, provided breach notification to HHS, and the BA notified affected individuals and the media. Following the breach, the BA recovered all of the USB drives used by employees and retrained these employees on the BA’s security policies and the appropriate use of encryption on portable electronic media. As a result of OCR’s investigation and technical assistance, the BA retrained certain staff and implemented a policy requiring staff to use only portable media purchased by the BA's Information Systems Department. The BA installed technical safeguards on all computers so only approved portable devices are allowed access while any other types can be rendered as “read only” or unusable. Further, the CE indicated that the BA's device access will be monitored and logged to guard against employees who attempt to copy data to unauthorized devices. OCR advised the CE of the requirements to perform a thorough and accurate risk analysis and establish a risk management plan. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 22, 2013","Kaiser Foundation Hospital- Orange County","","California","PHYS","MED","49,000","The covered entity (CE), Kaiser Foundation Hospital - Orange County, misplaced a portable computer drive containing the protected health information (PHI) of 49,000 individuals. The types of PHI involved in the breach included names, dates of birth, and medications. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE began phasing out the use of flash drives or similar devices and initiated a plan to replace computers, and store PHI on secured servers behind the CE’s firewall. OCR provided technical assistance on conducting a security risk analysis, and as a result of its investigation OCR informed the CE that it is required to conduct an enterprise-wide security risk analysis. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 26, 2013","Jones Chiropractic and Maximum Health","","Indiana","PHYS","MED","1,500","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 26, 2013","Ronald Schubert MD PLLC","","Washington","PHYS","MED","950","A covered entity (CE) physician’s car was broken into while parked in a public non-work location and an unencrypted laptop computer under the seat was stolen. 
The electronic protected health information (ePHI) involved in the breach included addresses, birth dates, social security numbers and clinical information in password-protected electronic medical record software and affected 950 individuals. The CE filed a police report and notified practice partners. Breach notification was provided to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by encrypting all devices and media that store, access or transmit ePHI. As a result of OCR’s investigation, OCR provided technical assistance and the CE implemented a policy to formalize the procedures for safeguarding mobile devices. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 27, 2013","UPMC","","Pennsylvania","DISC","MED","1,279","An employee impermissibly accessed the protected health information (PHI) of 1,279 individuals. The types of PHI accessed included names, dates of birth, social security numbers, and addresses, as well as clinical information. The covered entity (CE), UPMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the employee and notified law enforcement. OCR reviewed the CE's risk analysis to ensure compliance with the Security Rule. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 27, 2013","UW Medicine, Privacy Manager - Breach","","Washington","HACK","MED","76,183","The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. 
The malware compromised the organization’s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers. OCR’s investigation indicated UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. 
“An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "November 29, 2013","City of Chicago","","Illinois","DISC","MED","2,080","The covered entity (CE) mistakenly permitted protected health information (PHI) to be viewable on the Internet when users uploaded files without changing the default permission settings for the folders containing the files. As a result, Google was able to detect and cache the PHI in the uploaded folders. Approximately 2,080 individuals were affected by this breach. The types of PHI involved in the breach included students’ names, birthdates, genders, identification numbers, vision exam dates, diagnoses, and schools. The CE provided breach notification to HHS, the parents and guardians of affected individuals, and the media. It also posted notice on its website. The CE took action to remove the files containing PHI from its network and compiled a list of files along with the associated unique record locator numbers (URLs) and cached URLs. The CE contacted Google to request removal of the data from the cache and the archives, and Google confirmed that the data was removed. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 4, 2013","American Anesthesiology, Inc.","","Florida","DISC","MED","1,000","The covered entity’s (CE) business associate (BA), Financial Imaging, LLC, erroneously mailed 1,000 patient invoices to the wrong patients. The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, and procedures performed. The BA sent breach notification letters to affected individuals and reimbursed the CE for all costs associated with breach notification it provided to the media. Following the breach, the BA revised its quality assurance process to ensure the accuracy of future print jobs and counseled and retrained the staff involved in the breach. The CE had a BA agreement in place and policies that were in compliance with the HIPAA Rules. OCR obtained assurances that CE and BA implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","Medical Mutual of Ohio","","Ohio","DISC","MED","643","The covered entity (CE) mistakenly included protected health information in two postcard mailings affecting 2,063 individuals. The first mailing included the CE’s patients and second mailing included the patients of other CEs for which the CE acted as the business associate (BA). The PHI involved in the breaches included names, home addresses, and an eleven-digit number (social security number plus two digits). The CE provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE revised mailing procedures, retrained applicable staff, and sanctioned the involved employee. OCR obtained documented assurances that the CE/BA implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","Quality Health Claims Consultants, LLC","","Illinois","PHYS","MED","1,573","The Covered Entity's (CE) Business Associate (BA) mailed letters to their clients to request certain documents containing identifying information. An erroneous fax number listing caused some clients to fax their information to the wrong number. Approximately 1,573 individuals were affected by the breach. The protected health information (PHI) involved included names, addresses, dates of birth, and social security numbers. Following the breach, the BA confirmed that any faxes sent to the incorrect fax number were destroyed. The BA also standardized all company literature to require manual data entry of client-specific contact information to assure quality control. OCR provided information to assist the CE to revise its BA agreement. 
Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","SIU HealthCare","","Illinois","PHYS","MED","1,891","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","The Good Samaritan Health Center","","Georgia","HACK","MED","5,000","One of the covered entity's (CE) computers was infected with malware and as a result, data on the infected computer was encrypted and made inaccessible. The CE subsequently restored the infected data. The type of protected health information (PHI) involved in the breach was clinical information and included diagnoses/conditions, lab results, medications, and other treatment information for approximately 5,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff, implemented additional safeguards for secure file backup, and upgraded its antivirus software. In response to OCR’s investigation, the CE provided substitute notice of the breach. OCR provided the CE with technical assistance regarding the Security Rule including risk analysis and risk management. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","PruittHealth Corporation","","Georgia","PHYS","MED","4,500","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","Walgreen Co.","","Illinois","UNKN","MED","17,350","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 6, 2013","Methodist Dallas Medical Center","","Texas","DISC","MED","44,000","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 9, 2013","Florida Digestive Health Specialists","","Florida","DISC","MED","4,400","A patient scheduler at one of the covered entity’s (CE) small subsidiary offices impermissibly accessed the electronic health record (EHR) system via a virtual private network (VPN) and took photographic images of patient data, which she tried to download for printing at Wal-Mart. She accessed the records of about 4,400 patients and photographed those of 430. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, social security numbers, and telephone numbers. The suspect behavior at Wal-Mart was investigated by the County Sheriff, who informed the CE of the breach. The CE provided partial breach notification to affected individuals, HHS, the media, and provided substitute notice on its website. 
Following the breach, the CE discharged the workforce member and terminated her access to the EHR. The CE updated its privacy and security plan and employee handbook. In addition, the CE improved safeguards by limiting access to its VPN to providers and administrators, and instituted routine weekly audits of EHR system use. After OCR began its review, the covered entity retrained the office manager and the provider who had been at the office where the breach occurred. As a result of OCR’s investigation the CE received technical assistance on the complete requirements for breach notifications. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 10, 2013","Northside Hospital, Inc.","","Georgia","PHYS","MED","4,879","A password-protected, unencrypted laptop was lost or stolen when a Northside Hospital (NSH) workforce member inadvertently left it on the hood of her car while parked. The laptop contained the electronic protected health information (ePHI) of 4,879 individuals. The ePHI involved in the breach included patients’ names, account numbers, billing dates, diagnoses and/or diagnosis codes, and lab results. The covered entity (CE), NSH, provided breach notification to HHS, affected individuals, and the media and provided substitute notification. Following the breach, the CE encrypted all its ePHI. As a result of OCR’s investigation, the CE also revised its HIPAA policies regarding mobile devices and breach notification, and implemented other safeguards. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 10, 2013","Health Help, Inc.","","Kentucky","PHYS","MED","535","An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce member's unlocked personal vehicle parked at home. The ePHI involved in the breach included names and birthdates. Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media. Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices. The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 10, 2013","L.A. Gay & Lesbian Center","","California","HACK","MED","59,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 11, 2013","Mosaic","","Nebraska","DISC","MED","3,857","The covered entity (CE), Mosaic, discovered multiple employee email accounts that had fallen victim to a phishing attack. 
The affected e-mail accounts contained the following types of protected health information (PHI): clients’ names, dates of birth, addresses, telephone numbers, government-issued identification numbers, medical record numbers, insurance identification numbers, payment information, Medicaid and Medicare numbers, and in some instances social security numbers. This breach affected approximately 3,857 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE responded to the breach by blocking the IP address which was the source of the phishing scam, contacting the proper authorities to investigate possible criminal infractions, providing phishing scam awareness training, and changing its email practices. As a result of OCR’s investigation, the CE updated its HIPAA policies, created additional training material, and changed its training practices. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 16, 2013","Molina Healthcare In","","California","DISC","MED","1,499","A business associate (BA), Molina Healthcare of Virginia, for the covered entity (CE), Fairfax County, Virginia, used a subcontractor, Health Business Systems, Inc. (HBS), a subsidiary of Catamaran/HBS. An employee of HBS placed a pharmacy claims report containing the protected health information (PHI) of 1,499 individuals in a non-secured file transfer protocol (FTP) site when troubleshooting issues during a systems conversion. Upon discovering the breach, Catamaran/HBS notified the BA, conducted a thorough investigation and removed the file from the non-secure server. A copy of the file was encrypted and password protected. The CE provided breach notification to HHS. Affected individuals were offered free identity theft protection. 
Following this breach, Catamaran/HBS retrained employees, updated its security software and enabled an alert feature when files containing potential PHI are saved on an FTP server. OCR obtained written assurance that the CE implemented the corrective action listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 17, 2013","Shiloh Medical Clinic","","Montana","DISC","MED","1,900","The covered entity (CE) reported an alleged impermissible use of protected health information (PHI), affecting approximately 1,900 individuals, by an employee. The PHI involved included patients’ demographic information. OCR determined that a breach had not occurred and provided technical assistance to the CE on the minimum necessary standard and reasonable safeguards. Location of breached information: Desktop Computer, Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 18, 2013","DeLoach & Williamson","","South Carolina","PHYS","MED","3,432","DeLoach & Williamson's (a business associate (BA) for South Carolina Health Insurance Pool) employee's car was broken into and her password-protected company laptop computer was stolen which contained the electronic protected health information (ePHI) of 3,432 individuals. The ePHI involved in the breach included social security numbers, names, dates of service, and provider identification numbers. The BA provided breach notification to the covered entity, affected individuals, and HHS. The covered entity provided breach notification to the media. Following the breach, the BA immediately launched an internal investigation and retrained the subject employee on the company's policies on privacy and security of electronic information. 
Prior to the incident, the BA had decided to dissolve the company and it ceased operations by December 2013. The BA intends to legally file for dissolution in December 2014. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 19, 2013","Wyoming Department of Health","","Wyoming","HACK","MED","11,935","The covered entity (CE), Wyoming Department of Health, transferred a copy of the Women Infants and Children benefit program backup database via the internet to a business associate using an unsecured method. Approximately 11,935 individuals were affected by the breach, potentially disclosing demographic information, dates of birth, gender, and identification numbers. The CE notified affected individuals, the media, and the Secretary. Following OCR’s investigation, the CE conducted an enterprise-wide risk analysis, developed a risk management plan, and revised its organizational structure in order to hybridize into covered and non-covered functions. OCR obtained assurances that the CE implemented these corrective action steps. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 19, 2013","Colby DeHart","","Tennessee","PHYS","MED","2,777","On October 21, 2013, an unencrypted laptop computer belonging to a Tennova Cardiology business associate (BA) was stolen from a vehicle. The laptop contained the protected health information (PHI) of 2,777 individuals, and included patient names, dates of birth, dates of service, names of referring physicians, and health information about treatment and diagnostic procedures. The CE provided breach notification to HHS, affected individuals, and the media. 
In response to this breach, the covered entity (CE) conducted an encryption assessment of laptop computers with user system access to PHI and then encrypted all laptop computers. The CE reviewed its policies, retrained staff, and implemented an encryption policy. The CE also terminated the BA agreement and moved the work in-house. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 21, 2013","Molina Healthcare of Texas, Inc.","","Texas","UNKN","MED","2,826","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 23, 2013","Rob Meaglia, DDS","","California","PHYS","MED","1,400","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 23, 2013","Jeff Spiegel","","Massachusetts","DISC","MED","832","Dr. Jeffrey Spiegel’s practice, the covered entity (CE), mistakenly sent a promotional email to approximately 500 patients with an attachment that included the email addresses of 832 patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE instituted a new procedure that requires two employees to proof promotional emails prior to sending. OCR obtained assurances that corrective actions listed above were completed. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 23, 2013","Tranquility Counseling Services","","North Carolina","UNKN","MED","1,683","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 23, 2013","Florida Department of Health","","Florida","DISC","MED","2,354","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "December 31, 2013","Barry University","","Florida","HACK","MED","9,017","Barry University, the covered entity (CE), discovered on May 13, 2013, that a laptop was infected with malware. The protected health information (PHI) for 8,741 individuals was potentially exposed, including names, dates of birth, social security numbers, driver’s license numbers, banking/credit card information, medical record numbers, health insurance information, diagnoses, and treatment information. Due to a lengthy investigation, the CE performed its breach notification obligations outside of the 60 day timeframe required by the Breach Notification Rule. OCR provided technical assistance to the CE on this topic. Although late, the CE provided breach notification to HHS, affected individuals, and the media, as well as on its website. In response to the breach, the CE retained a compliance consultant, performed a risk assessment, revised its policies and procedures, improved its training program and implemented additional technical safeguards. OCR obtained assurances that it has implemented the corrective actions listed above. 
Location of breached information: Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","27.664827","-81.515754" "December 31, 2013","New Mexico Oncology Hematology Consultants, LTD","","New Mexico","PHYS","MED","12,354","The covered entity (CE), New Mexico Oncology Hematology Consultants, reported the November 13, 2013, theft of a laptop computer from its Albuquerque office. The unencrypted laptop contained the protected health information (PHI) of 12,354 individuals including patients' names, medical record numbers, dates of birth, addresses, telephone numbers, clinical testing results, diagnoses, treatment information, and insurance information. Following discovery of the breach, the CE strengthened its security program by conducting a new risk analysis, implementing additional physical safeguards, and encrypting mobile devices. It also revised administrative policies and retrained staff. The CE provided breach notification to HHS, the media, and affected individuals. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2013","40.760537","-73.978890" "January 2, 2014","Houston Methodist Hospital","Houston","Texas","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","29.760427","-95.369803" "January 2, 2014","Colorado Community Health Alliance (CCHA)/Physicians Health Partners","","Colorado","DISC","MED","1,918","On January 2, 2014, the covered entity (CE), Colorado Department of Health Care Policy and Financing, reported a breach by its business associate (BA), Colorado Community Health Alliance. 
On November 21, 2013, a temporary employee working for the BA’s subcontractor, Aerotek, sent a list via unencrypted email containing the electronic protected health information (ePHI) of 1,918 individuals to her personal email account. The ePHI included patients’ names, addresses, dates of birth, Medicaid identification numbers, and health conditions. The BA detected the email through its auditing program. The CE provided breach notification to HHS and the BA provided breach notification to affected individuals and the media and posted substitute notice. After the incident, the BA developed and implemented a policy requiring that emails containing ePHI be encrypted to prevent a similar incident from occurring in the future, and trained its workforce members accordingly. OCR provided substantial technical assistance to the BA, which implemented additional procedures and technical safeguards and provided written assurance that it will complete an enterprise-wide risk analysis. Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.550051","-105.782067" "January 3, 2014","Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates","","New Jersey","PHYS","MED","839,711","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.058324","-74.405661" "January 3, 2014","Phoebe Putney Memorial Hospital","","Georgia","PHYS","MED","6,989","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 3, 2014","Coulee Medical Center","","Washington","PHYS","MED","2,500","The covered entity 
(CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization. The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals. The CE provided breach notification to HHS and affected individuals. Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training. As a result of OCR's investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI. OCR provided the CE with technical assistance regarding what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule. Location of breached information: Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 6, 2014","RevSpring, Inc.","","Michigan","UNKN","MED","3,000","Due to a printing error at the covered entity’s (CE) business associate (BA), RevSpring, Inc., patients received billing statements containing other patients’ protected health information (PHI). The breach affected approximately 3,000 individuals. The types of PHI involved in the breach included names, account numbers, balances owed, procedure codes, procedure descriptions, providers’ names, and dates of services. Following the breach, the CE obtained assurances from the BA that additional safeguards would be implemented to prevent future disclosures. OCR reviewed the CE’s policies and procedures to ensure compliance with the Privacy and Security Rules. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 6, 2014","North Carolina Department of Health and Human Services ","","North Carolina","DISC","MED","48,752","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 8, 2014","101 Family Medical Group, Privacy Manager Breach","","California","PHYS","MED","2,500","A laptop computer owned by Phreesia, Inc., a business associate (BA) of the covered entity (CE), Family Medical Group, was stolen from the parked car of a Phreesia workforce member. In violation of the BA’s policies and procedures, both the hard drive of the laptop, and the workforce member’s Dropbox account, which was accessible through the laptop, contained the electronic protected health information (ePHI) of approximately 2,500 patients. The types of PHI involved in the breach included patients’ names, addresses, identification numbers, phone numbers, email addresses, dates of birth, social security numbers, and insurance identification numbers. Following the breach, the BA sanctioned the responsible workforce member and retrained workforce members on its privacy and security policies and procedures. The CE provided breach notification to HHS, affected individuals, and the media. In response to OCR's investigation, the BA updated its policies and procedures on device and media controls and employee sanctions. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 10, 2014","Tri Lakes Medical Center","","Mississippi","HACK","MED","1,489","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 10, 2014","Virginia Premier Health Plan (VPHP)","","Virginia","PHYS","MED","25,513","Virginia Premier Health Plan, a business associate (BA) of the covered entity (CE), Virginia Department of Medical Assistance Services (VA-DMAS), mailed incorrect postcards to Virginia Medicaid members. The breach included 13,357 postcards that were mailed to the wrong address and 12,156 postcards that contained incorrect services information. The information did not include social security numbers or financial information. The BA provided breach notification to HHS, the media, and to affected individuals in English and Spanish. Following this breach, the BA improved safeguards by retraining employees on safeguards for protected health information, updating procedures for mailings, and implementing additional quality control checks. OCR obtained assurances that the BA implemented the corrective action listed above. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 11, 2014","Cook County Health & Hospitals System","","Illinois","UNKN","MED","22,511","The covered entity (CE), Cook County Health and Hospital Systems, reported that on November 12, 2013, as part of a public health project between the CE and another academic medical center, a physician at the CE sent an unencrypted email with an excel attachment to a collaborator outside the CE’s firewall. The attachment contained the protected health information (PHI) of 22,511 individuals. The attachment was not encrypted as required by organizational policy. The types of PHI involved in the breach included demographic information and lab results. The CE provided breach notification to HHS, affected individuals, and the media. The CE disciplined the employee with a 14 day suspension, implemented a new email security program, and retrained its employees and staff on the program. OCR obtained documentation from the CE that it implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 13, 2014","Riverside Medical Group","Riverside","California","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.244007","-80.176468" "January 13, 2014","Temple Physicians Inc.","Philadelphia","Pennsylvania","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.952584","-75.165222" "January 13, 2014","Southwest General Health Center","","Ohio","UNKN","MED","953","The covered entity (CE) misplaced a binder containing the protected health information (PHI) of approximately 953 individuals from its Maternity Unit. The PHI involved in the breach included names, dates of birth, medical record numbers and limited clinical information. The CE provided breach notification to affected individuals, HHS, and the media. To prevent a similar breach from occurring in the future, the covered entity strengthened its physical safeguards and retrained employees on safeguarding PHI. OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.417287","-82.907123" "January 13, 2014","RGH Enterprises, Inc.","","Ohio","PHYS","MED","4,230","Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website. 
The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.417287","-82.907123" "January 15, 2014","Network Pharmacy Knoxville","","Tennessee","PHYS","MED","9,602","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 16, 2014","Saint Francis Hospital and Medical Center","","Connecticut","PHYS","MED","858","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 16, 2014","Sentara Healthcare","","Virginia","PHYS","MED","3,861","Two former employees of the covered entity (CE), Sentara Healthcare, accessed protected health information (PHI) outside of their normal job duties and used this information to process fraudulent tax returns. The US Attorney’s office investigated the matter and both individuals received prison sentences. The breach report indicated that the PHI of approximately 3,645 individuals was involved in the breach; however, the CE verified that the final count of affected individuals was 3,891. The CE provided breach notification to HHS, affected individuals, and the media. The CE also offered complimentary credit monitoring and identity theft protection services to all eligible individuals. 
Following this incident, the CE increased safeguards by installing a new software system to help monitor and detect inappropriate access to its electronic medical records system, updated its security policies and procedures, re-trained employees, and initiated steps to address and mitigate the issues identified in its 2014 risk analysis. OCR obtained assurances that the corrective actions listed above were completed and/or initiated as described. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 16, 2014","Health Dimensions","","Michigan","PHYS","MED","5,370","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 21, 2014","COMPLETE MEDICAL HOMECARE","","Kansas","DISC","MED","1,700","On December 12, 2013, the covered entity’s (CE) business partner, All American Medical Supplies (AAMS) received a portable computer drive containing protected health information (PHI), including electronic copies of medical records from the CE, that was delivered in error. The incident affected approximately 1,700 individuals and the types of PHI included patients’ names, addresses, medical diagnoses, and in some cases social security numbers. Although AAMS accessed the portable drive, it subsequently deleted the data and returned the drive to the CE. The CE provided breach notification to HHS and affected individuals. As a result of OCR’s investigation, the CE began developing policies and procedures related to breach notification, training, removal of hardware and electronic media, and encryption and decryption of PHI, and indicated that it would train its workforce on the new policies and procedures once they were implemented. 
On December 5, 2016, the CE’s former parent company provided written documentation that the CE legally dissolved on December 23, 2015, and has ceased carrying on business. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 21, 2014","Hospital for Special Surgery","","New York","PHYS","MED","937","\N Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 22, 2014","The Brooklyn Hospital Center","","New York","PHYS","MED","2,172","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 23, 2014","Geisinger Bloomsburg Hospital","","Pennsylvania","PHYS","MED","3,101","Archived protected health information (PHI) for 3,101 individuals could not be located by the CE, Geisinger Bloomsburg Hospital, after it was acquired by Geisinger, although copies of the PHI were available. There was no evidence that the PHI had been impermissibly disclosed or stolen. OCR provided the CE with information on what constitutes a breach under the Breach Notification Rule. The CE posted notice on its website and notified the media and patients although there was no indication that PHI had been accessed, used, or disclosed. The CE also re-trained staff on safeguards and proper disposal of PHI and stated that additional corrective steps would be taken to reinforce privacy practices in its new facility. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 24, 2014","Robert B. Neves, M.D.","","California","PHYS","MED","611","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "January 24, 2014","Triple-S Salud, Inc. - Breach Case#2","","","PHYS","MED","398,000","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. 
After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. 
“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.090240","-95.712891" "January 24, 2014","Triple-C, Inc.","","Puerto Rico","PHYS","MED","8,000","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","18.220833","-66.590149" "January 24, 2014","Birmingham Printing and Publishing, Inc dba Paper Airplane","","Alabama","UNKN","MED","1,085","On September 6, 2013, the covered entity (CE), discovered that its business associate (BA) had mislabeled invitations for an event for cancer survivor patients. While the address was correct, the name on the envelope was incorrect for 1,085 individuals. The BA re-sent the invitations to the correct names and addresses with a letter explaining the mistake to the affected individuals. In response to the breach, the CE terminated its business relationship with the BA and changed to processing bulk mailings in-house. Although the CE had a policy in place before the breach that clearly outlined breach notification requirements, the CE did not perform media notification after this breach. OCR provided technical assistance on this topic. In addition, OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 27, 2014","Medical Mutual of Ohio","","Ohio","DISC","MED","1,420","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 30, 2014","University of Wisconsin-Madison School of Pharmacy","","Wisconsin","PHYS","MED","41,437","\N Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 31, 2014","The University of Texas MD Anderson Cancer Center","","Texas","PHYS","MED","3,598","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 31, 2014","Presence Health ","","Illinois","PHYS","MED","836","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 31, 2014","Beebe Medical Center","","Delaware","UNKN","MED","1,883","The covered entity (CE), Beebe Physician Network, learned that a temporary contractor handling the electronic protected health information (ePHI) of 1,883 individuals had previously been arrested for identity theft. The ePHI included social security numbers, driver’s license numbers, and other demographic information. 
Although no inappropriate access was identified, the CE learned that the contractor had been convicted of 5 counts of identity theft in the state of Pennsylvania in 2009, while working in a physician practice. The CE provided substitute notice and provided breach notification to HHS and the media. The CE offered one year of free identity theft monitoring and insurance to affected individuals. Following this breach, the CE reviewed its policies and procedures, worked with electronic medical record vendors to enhance its reports mechanisms, and re-assessed its requirements for staffing agencies. As a result of OCR’s investigation, the CE revised its procedures regarding background checks for newly employed staff. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 5, 2014","St Joseph Health System","","Texas","HACK","MED","405,000","A computer server containing the records of 405,124 patients of the covered entity (CE), St. Joseph Health System, was hacked during a power surge. The electronic protected health information (ePHI) on the server included names, dates of birth, social security numbers, medical information, bank account information, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved administrative and technical security and developed and revised policies and procedures addressing the breach. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 5, 2014","Min Yi, M.D.","","California","PHYS","MED","4,676","A desktop computer hard drive and a backup external hard drive containing the electronic protected health information (ePHI) of 4,676 individuals were stolen from the office of the covered entity (CE), Dr. K. Min Yi. The ePHI on the external hard drive included names, addresses, phone numbers, insurance identification numbers, social security numbers, checking account information, medical and surgical information, diagnosis and procedure codes, and dates of birth. The CE provided breach notification to HHS, the media, and affected individuals, and provided credit monitoring to patients who contacted her with privacy concerns. In response to the breach the CE improved physical safeguards, implemented revised administrative policies and encrypted ePHI. OCR’s investigation resulted in the CE improving its HIPAA practices. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 7, 2014","Easter Seal Society of Superior California, Privacy Manager Breach","","California","PHYS","MED","3,026","A work-issued laptop computer containing 3,026 clients’ protected health information (ePHI) was stolen out of an employee’s locked car. The types of ePHI involved in the breach included financial, demographic, and clinical information. The covered entity’s (CE) investigation revealed that, although the computer was powered off, password protected and not connected to the internet at the time of the theft, e-mails containing the respective e-PHI could still be accessed. 
The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. It also provided affected individuals with one free year of credit monitoring and restoration, tips on protecting against ID theft, and a confidential privacy line to call with questions or concerns. Upon learning of the theft, the CE launched an internal investigation, hired specialized data security counsel to assist in responding to the incident, and retained external forensic experts to assist in determining the scope of the breach. The CE improved safeguards by reviewing its privacy and security policies and procedures, implementing a risk mitigation plan that reflects the current work environment, encrypting its laptop computers, and updating its policies and procedures on portable/mobile devices. It also retrained workforce members. OCR provided technical assistance regarding the HIPAA Security Rule requirements and obtained written documentation that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 7, 2014","PruittHealth Pharmacy Services","","Georgia","PHYS","MED","841","A manager's unencrypted laptop computer was stolen from the back seat of an employee's car. The laptop contained the protected health information (PHI) of 841 individuals and included names, possible diagnoses, prescription names, dates of service, and service locations. The covered entity (CE) has improved safeguards by encrypting devices and employing devices that do not allow local storage. The CE has also revised its privacy and security policies and re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 10, 2014","Kmart Corporation","","Illinois","PHYS","MED","16,446","\N Location of breached information: Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.633125","-89.398528" "February 11, 2014","WA State Department of Social & Health Services","","Washington","DISC","MED","3,104","The covered entity (CE) erroneously sent mail to 3,104 clients at incorrect addresses due to a coding error in an internal database. The protected health information (PHI) contained in the mailing may have included clients’ names, addresses, and client identification numbers, and some letters also included dates of birth, social security numbers, diagnoses, and financial information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE hired a firm to conduct an independent evaluation of the data breach to identify and correct the root causes of this incident. The CE formed a Quality Improvement Team to increase oversight of production and ensure that quality assurance processes are strictly followed. As a result of OCR’s investigation, OCR provided technical assistance on the timeliness of notifications and incident reporting and obtained assurances that the corrective actions listed above were completed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","47.751074","-120.740139" "February 12, 2014","Lewis J. 
Sims, DPM, PC dba Sims and Associates Podiatry ","","New York","PHYS","MED","6,475","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.712784","-74.005941" "February 12, 2014","University of Miami","","Florida","PHYS","MED","13,074","The covered entity (CE), University of Miami Health System, reported that on or around June 27, 2013, it learned from Iron Mountain, its business associate (BA), that 15 boxes containing patients’ protected health information (PHI) were lost during the transfer between its new and old storage/shredding vendors. The boxes contained a mix of billing and research records of 13,074 patients that included financial and clinical information. Following the breach, the CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE offered credit monitoring and identity theft protection to all affected individuals. The CE and BA reviewed the BA’s processes for the transfer, pick up, and storage of records and worked together to revise procedures for safeguarding archived PHI. The CE required the BA to re-train all of its personnel who handle the CE’s data and re-trained its workforce on its HIPAA Privacy and Security policies and procedures. Additionally, the CE hired a new HIPAA Privacy Officer, revised procedures for retaining records in order to avoid sending records containing billing information to off-site storage, and developed a new sanctions policy specific to privacy violations. The CE also improved technical safeguards by implementing the Fair Warning System, a cloud-based security solution. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 13, 2014","Supportive Concepts for Families, Inc.","","Pennsylvania","DISC","MED","593","The CE inadvertently made an internal database containing the electronic protected health information (ePHI) of 593 individuals accessible on the Internet. The ePHI involved in the breach included names, dates of birth, social security numbers, addresses, dates of services, and customer service notes. The CE immediately removed the database from the Internet and secured it against further unauthorized disclosures. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice online. Following the breach, the CE provided further HIPAA training to its staff and sanctioned the responsible employees. The CE also took measures to reduce the vulnerabilities identified in its most recent risk analysis. As a result of OCR’s Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 14, 2014","Health Care Solutions at Home Inc.","","Ohio","PHYS","MED","1,139","The covered entity (CE) mistakenly mailed protected health information (PHI) to the wrong addresses of approximately 1,139 individuals following a computer error at the business associate (BA). The PHI involved in the breach included names, addresses, dates of birth, dates of service, claims information, and diagnoses. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. To prevent a similar breach from happening in the future, the CE and BA improved safeguards by updating policies to require multiple reviews of PHI in mailings. 
Following OCR's investigation, the CE updated its policies and procedures relating to the minimum necessary standard. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 14, 2014","UC Davis Medical Center, Privacy Manager Breach","","California","HACK","MED","2,269","The covered entity (CE), University of California, Davis Medical Center, reported that on December 13, 2013, a fraudulent phishing email was sent to employees. The email instructed employees to go to a fraudulent website and input authentication credentials. Three employee email accounts were impacted by the phishing scam. The email accounts contained the electronic protected health information (ePHI) of approximately 2,269 individuals. The types of ePHI potentially affected by the incident included patient names, medical record numbers, and limited health information. The CE determined that there was a low probability that specific email content was accessed during this event. The CE provided breach notification to HHS, affected individuals, and the media. Immediately following its discovery of the breach incident, the CE took steps to mitigate harm including blocking further access to the initiating IP address, deleting all similar phishing emails from employee accounts, and immediately notifying staff of the pending threat. In response to this incident, the CE implemented a new procedure to help guard against, detect, and report malicious software. OCR obtained assurances that the CE implemented the corrective action described above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 18, 2014","St. 
Vincent Hospital and Healthcare Inc","","Indiana","PHYS","MED","1,142","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 21, 2014","StayWell Health Management, LLC","","Minnesota","DISC","MED","4,786","StayWell Health Management, a business associate (BA) for multiple covered entities (CE), reported that, from March 29, 2012, until January 21, 2014, spreadsheets containing the protected health information (PHI) of 19,474 individuals who participated in wellness programs were unintentionally available online when an internal administrative tool generated reports and placed those reports in a public facing folder. The types of PHI on the spreadsheets included the participants’ names, email addresses, unique BA identification numbers, and information about participation in the program. The BA provided breach notification to HHS, affected individuals, and the media on behalf of the CEs affected by the breach: Regents of the University of Minnesota, Missouri Consolidated Health Care Plan, Clorox Company Group Insurance Plan, Nissan North America, Inc., and QBE Holdings, Inc. Upon discovery of the breach, the BA upgraded its platform and revised and implemented its policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. Steps were also taken to restrict access to and to remove the data entirely from Google, Bing, Yahoo, and other search engines. Separate breach cases have been opened for each of the affected CEs. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 21, 2014","Inspira Health Network Inc.","","New Jersey","PHYS","MED","1,411","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 25, 2014","StayWell Health Management, LLC","","Minnesota","DISC","MED","1,511","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 26, 2014","Care Advantage, Inc.","","Virginia","PHYS","MED","3,458","The covered entity (CE), Care Advantage, Inc., experienced a break-in at a satellite office and the theft of 4 laptops. The laptops, which were password protected, contained the electronic protected health information (ePHI) relating to information used in a web based scheduling program. The breach report indicated that 3458 individuals were affected. Upon discovering the breach, the CE’s investigation revealed that the actual number of affected individuals was 420. The CE provided breach notification to HHS, and affected individuals and also posted notice of the incident on its website. Following the breach, the CE assessed and updated its HIPAA security policy, and conducted employee training. As a result of OCR’s investigation, OCR obtained written assurance that the CE has implemented the corrective action steps listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 26, 2014","Pair Networks Inc.","","Pennsylvania","DISC","MED","8,845","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "February 26, 2014","The Kroger Co., for itself and its affiliates and subsidiaries","","Ohio","UNKN","MED","504","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.417287","-82.907123" "February 26, 2014","Cornerstone Health Care, PA","","North Carolina","PHYS","MED","548","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","35.759573","-79.019300" "February 27, 2014","Joseph Michael Benson M.D","","Texas","PHYS","MED","7,500","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "February 28, 2014","Data Media","","Georgia","UNKN","MED","600","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 4, 2014","Eureka Internal Medicine","","California","PHYS","MED","3,534","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 5, 2014","St. Joseph Health System","","Texas","HACK","MED","3,300","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 5, 2014","Banner Health","","Arizona","UNKN","MED","55,207","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 7, 2014","PracMan, Inc.","","Alabama","HACK","MED","1,145","On January 10, 2014, a business associate (BA), PracMan, Inc., of two covered entities (CE), Monarch Women’s Health (Monarch) and Punuru J.M. Reddy, M.D., Inc. (Dr. Reddy), impermissibly disclosed the protected health information (PHI) of the CEs’ patients when the BA’s technology subcontractor, MASHNet, copied and stored computer files in error on an unsecured server. The PHI included demographic, clinical, and financial information, including names, account numbers, insurance providers, procedures, diagnoses, social security numbers (SSN), and account balances affecting approximately 1,179 of Dr. Reddy’s patients and approximately 1,145 of Monarch’s patients. The BA provided breach notification to HHS, affected individuals, and the media. It also established a toll-free number and website dedicated to providing information regarding the breach, and offered one year of free credit monitoring to individuals whose SSN was potentially exposed online. In response to the breach, the BA engaged a third party to perform a risk analysis of its operations and updated its privacy and security policies. The BA ensured that the data was removed from the unsecured server and all cached copies of links to the PHI were removed. 
OCR obtained assurances that the BA implemented the corrective actions listed above. Additionally, the BA terminated its relationship with the subcontractor and restructured its corporate network. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 10, 2014","PracMan, Inc.","","Alabama","HACK","MED","1,179","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 10, 2014","Iowa Dept. of Human Services","","Iowa","UNKN","MED","2,042","Employees of the covered entity (CE), Iowa Department of Human Services, used personal email accounts, personal online storage accounts and personal electronic devices for work purposes. From February 5, 2010 to January 17, 2014, the protected health information (PHI) of 2,042 individuals was transferred outside of the CE’s secure network in this manner. The types of information included names, mailing addresses, social security numbers, state ID numbers, dates of birth, PHI obtained during case assessment, and incident information. The CE stated that it notified affected individuals and media and also offered free credit monitoring to the affected individuals. OCR has consolidated this breach with another breach involving this CE. 
Location of breached information: Email, Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 12, 2014","Mission City Community Network","","California","PHYS","MED","7,800","In violation of the employer’s policies, a workforce member of the covered entity (CE), Mission City Community Network, Inc., sent an unsecured email to a business associate (BA) containing the protected health information (PHI) of 7,800 individuals. The PHI included names, addresses, dates of birth, and insurance information. During the investigation, OCR determined that the disclosure to the BA for payment purposes was permissible, as the email reached the intended BA, and there was no evidence that PHI was impermissibly disclosed to any other party. OCR provided technical assistance to the CE. As a result of OCR’s investigation, the CE initiated a review and improvements to its HIPAA practices. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 12, 2014","University of California San Francisco , Privacy Manager Breach","","California","PHYS","MED","9,861","On or about January 11, 2014, unencrypted desktop computers and unencrypted portable computer drives were stolen from the covered entity (CE), University of California San Francisco Family Medicine Center. The types of protected health information (PHI) involved in the breach included names, dates of birth, mailing addresses, medical record numbers, social security numbers, and health insurance identification numbers, affecting 9,861 individuals. The CE provided breach notification to HHS, affected individuals, and the media. 
In response to the breach, the CE improved physical safeguards, changed or disabled usernames and passwords for accounts that were potentially at risk of compromise, and encrypted the remaining computers at the affected location as well as the replacement computers. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 13, 2014","Detroit Medical Center - Harper University Hospital","","Michigan","PHYS","MED","1,087","Patients’ medical information was found in the possession of an employee who had worked for the covered entity, Detroit Medical Center Harper University. The protected health information (PHI) included the names, dates of birth, age, gender and reasons for visits for approximately 1,087 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection and monitoring service at no cost to all affected patients. OCR obtained documentation which showed that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","44.314844","-85.602364" "March 13, 2014","Todd M. 
Burton, M.D.","","Texas","PHYS","MED","5,000","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "March 14, 2014","Partners In Nephrology & Endocrinology, P.C.","Butler","Pennsylvania","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.861176","-79.895333" "March 14, 2014","Valley View Hospital Association","","Colorado","HACK","MED","5,415","\N Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.550051","-105.782067" "March 16, 2014","Hospitalists of Arizona","","Arizona","PHYS","MED","1,706","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","34.048928","-111.093731" "March 17, 2014","TMA Practice Management Group","","Texas","PHYS","MED","2,260","The covered entity (CE), McBroom Clinic, PA, signed a business associate (BA) agreement with TMA Practice Management Group to provide an operational assessment/audit. As part of the assessment the BA requested, and the CE provided, certain health information about patients. The protected health information (PHI) included clinical and insurance/payment information about patients. The CE copied some of the PHI to an unencrypted portable USB flash drive and sent it to the BA with other information in a package on January 7, 2014. Upon receipt of the empty package, the BA subsequently discarded it in the recycling receptacle. 
On or around February 21, 2014, the Clinic contracted with AllClear ID to assist with the patient notification and mitigation efforts. As a result of the breach, the CE instituted new procedures for extracting and sending PHI via portable media, including encryption. Due to OCR’s investigation, the CE was made aware of the following areas of improvement: risk analysis and staff training on policies and procedures. Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "March 18, 2014","StayWell Health Management, LLC","","Minnesota","DISC","MED","1,746","The covered entity (CE), QBE Holdings, Inc. reported that its business associate (BA), StayWell Health Management LLC, disclosed 1,746 individuals’ protected health information on the internet. The PHI included names, email addresses, unique StayWell identification numbers, and information about participation in a wellness program. The BA provided breach notification to HHS and affected individuals. The BA also filed a separate breach report which was investigated by OCR. As a result of the breach, the BA implemented procedures to address the data compromise issue which included the performance of an initial analysis and risk assessment. Further, the BA implemented policies and procedures to safeguard PHI and trained its employees. OCR obtained assurances that the BA implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 20, 2014","Berea College","","Kentucky","UNKN","MED","1,000","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 21, 2014","HealthPartners Inc","","Minnesota","DISC","MED","27,839","\N Location of breached information: Desktop Computer, Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 21, 2014","HealthPartners Administrators, Inc.","","Minnesota","DISC","MED","715","\N Location of breached information: Desktop Computer, Laptop, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 21, 2014","Sutherland Healthcare Solutions","","California","PHYS","MED","55,900","On March 21, 2014, the covered entity (CE), San Francisco General Hospital & Trauma Center reported that eight desktop computers were stolen from Southerland Healthcare Solutions, Inc., the CE’s business associate (BA). The computers contained the electronic protected health information (ePHI) of 27,676 individuals. The ePHI involved in the breach included names, addresses, birth dates, social security numbers, admission and discharge information, treatment location, diagnosis and billing information. The CE provided breach notification to HHS, affected individuals and the media. 
The CE trained its workforce members on the policies and procedures for responding and reporting security incidents. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 24, 2014","Talyst","","Washington","PHYS","MED","1,079","\N Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 24, 2014","Yellowstone Boys and Girls Ranch","","Montana","PHYS","MED","543","Sometime between July 11, 2013, and January 27, 2014, the covered entity (CE), Yellowstone Boys and Girls Ranch, lost a resource notebook for on-call staff in its Lewiston office. The notebook included documents containing the protected health information (PHI) of 543 individuals including clients’ names, addresses, dates of birth, schools, treatment providers, and community-based program information. The CE provided breach notification to HHS, affected individuals, and the media. The CE immediately stopped storing PHI in the on-call resource book and sanctioned the responsible personnel. As a result of OCR’s investigation, and with substantial technical assistance from OCR, the CE began developing and revising necessary policies and procedures governing the storage, transportation, and handling of PHI. Additionally, the CE provided OCR with written assurance that it will train its staff on the new policies and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 24, 2014","Orlando Health, Inc.","","Florida","PHYS","MED","586","An unencrypted portable data drive was lost by a pharmacy resident of the Arnold Palmer Hospital, a part of the covered entity (CE). The drive contained the protected health information (PHI) of 586 individuals, including names, birth weights, gestational age, admission and discharge dates, medical record numbers, and some transfer dates. The missing drive also stored personal items, a research study proposal, and two spreadsheets containing limited information on 586 babies who were part of a study. The CE provided breach notification to HHS, the media, and to the parents of the affected individuals because they were all minors. Substitute notice was posted on the CE’s website. The CE updated its policies and procedures for its data loss prevention system and added controls. The CE retrained the resident involved in the loss of data and provided additional information to all employees and medical staff members regarding the use of portable data devices through education and published articles. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 25, 2014","Stoetzel's Planet Chiropractic","","Illinois","PHYS","MED","1,000","An unauthorized individual broke into the covered entity's (CE) facility and stole a laptop computer containing the electronic protected health information (ePHI) of approximately 1,000 individuals, including names, credit card numbers, bank account numbers, treatment information, and x-ray images. The CE provided breach notification to HHS, affected individuals, and prominent media outlets in Illinois. Following the breach, the CE reported the theft to the local police department, relocated to a new facility, and implemented facility security measures, including a security alarm system. It also enhanced its policies and procedures implementing the Privacy and Security Rules. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 27, 2014","NOVA Chiropractic & Rehab Center","","Virginia","PHYS","MED","5,534","The covered entity (CE), NOVA Chiropractic and Rehabilitation Center, misplaced a mobile device within its office. The device contained the electronic protected health information (ePHI) of approximately 5,534 patients, including names, dates of birth, and addresses. The CE found no evidence that the ePHI was inappropriately used outside of the CE’s office. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. 
As a result of OCR’s investigation, the CE cleared and encrypted its thumb drives that contained ePHI. The CE improved physical safeguards by installing a new security alarm system, and updated its policy for removal of PHI from the office. OCR obtained assurances that the CE has executed business associate agreements for its email and cloud system providers. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 27, 2014","Susquehanna Health","","Pennsylvania","DISC","MED","657","In response to an insurer’s routine claims request, an employee provided more protected health information (PHI) than was necessary to complete the intended purpose. Approximately 657 patients were affected. The impermissible disclosure included patients’ names, addresses, social security numbers, dates of birth, health insurance information, payment information, encounter identification, physicians’ names, diagnosis codes, and patients’ employers. The covered entity (CE), Susquehanna Health, provided breach notification to HHS and affected individuals. The CE also offered one year of free identity theft protection and credit monitoring to affected individuals. Following the breach, the CE immediately ensured that all recipients of the PHI deleted the data from their computers and shredded all hard copies. OCR obtained and reviewed copies of the CE’s policies and procedures related to the issues raised in this complaint, as well as a copy of its current risk assessment. As a result of OCR’s investigation, the CE sanctioned the staff member, retrained the entire department, and revised its email policies. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","41.203322","-77.194525" "March 28, 2014","Jewish Hospital","","Kentucky","UNKN","MED","2,992","A small number of employees of the covered entity (CE), Jewish Hospital, responded to “phishing” emails that appeared legitimate and disclosed the demographic and clinical protected health information (PHI) of approximately 2,992 individuals. The PHI involved in the breach included names, addresses, birthdates, diagnoses, treatments received, health insurance information and the social security numbers of a few individuals. In response to the incident, the CE secured the affected email accounts and arranged for a forensic investigation. While the CE has no evidence that the electronic PHI in the employees’ mailboxes was accessed or otherwise infiltrated by the phishing scheme, it nonetheless sent breach notification letters and offered one year of free credit monitoring and identity theft protection services to all potentially affected individuals. It also provided breach notification to HHS and the media and provided substitute notice. Following the breach, the CE deployed anti-phishing software, accelerated its employee phishing education campaign, established a quick reaction team for proactively blocking phishing or other web-based threats, and enhanced its auditing and logging controls. OCR obtained assurances that the corrective actions listed above were completed. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.839333","-84.270018" "March 28, 2014","Franciscan Medical Group","","Washington","UNKN","MED","8,300","Numerous employees of the CE responded to an email phishing attack which requested the employee’s email username and password to authenticate their accounts. As a result, a number of employee direct deposit paychecks were diverted without notification and any electronic protected health information (ePHI) stored on the affected email accounts was made accessible. The affected email accounts contained the combined ePHI of 8,311 individuals. The ePHI involved in the breach included patients’ demographic, clinical and health insurance information and in some cases, social security numbers. In response to the incident, the affected users changed their passwords and the CE adjusted web filters. The CE improved technical safeguards to prevent future phishing attacks of this nature and accelerated the timetable for its existing phishing education campaign for all employees. The CE provided a year of free credit monitoring and identity theft protection services to affected individuals. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 28, 2014","Palomar Health, Privacy Manager Breach","","California","PHYS","MED","5,499","A workforce member’s car was broken into resulting in the theft and loss of two unencrypted flash drives containing the protected health information (PHI) of 5,499 individuals. 
Types of PHI involved in the breach included names, dates of birth, diagnoses/treatment information, and insurance information, including some Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media, and provided credit monitoring and identity theft protection for the affected individuals. In response to the breach, the CE sanctioned and retrained the workforce member involved with the breach who was not following the CE's policies and procedures and retrained other workforce members on its HIPAA security procedures. The CE also implemented a USB encryption lockdown project which enhanced the CE's technical safeguards. OCR’s investigation resulted in improved HIPAA practices at the covered entity. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 29, 2014","Myriad Genetic Laboratories, Inc.","","Utah","DISC","MED","643","An employee of the covered entity (CE), Myriad Genetic Laboratories, Inc., emailed unsecured protected health information (PHI) to his personal email account as a means of storing the information he used to carry out his job functions. The PHI of the affected 643 individuals included patients’ names, dates of birth, addresses, physicians’ names, genetic test results, test identification numbers, family and personal medical histories, and family pedigree information. The CE provided breach notification to HHS and affected individuals and also posted substitute notice of the breach. It also provided one year of free identity theft protection services to affected individuals. Following the breach, the CE revised its procedures for encrypting emails containing PHI and retrained the employee who had caused the breach. 
OCR provided technical assistance regarding the risk analysis and risk management requirements of the Security Rule. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 31, 2014","Medical Center of Plano","","Texas","DISC","MED","1,000","The covered entity (CE), Medical Center of Plano, reported that the business associate (BA), Relay-Health, inadvertently sent an incorrect mailing affecting 1,000 individuals. The CE learned that the actual number of individuals affected by the breach was one patient and filed an addendum to reflect the correct number of patients affected by the breach. The protected health information (PHI) involved in the breach included the individual’s name, address, account number, admission and discharge dates, and payment information. Following the breach, the BA reviewed the standard operating procedure with the entire project management team and modified its mailing process. It also contacted the affected individual and provided contact information if needed to address concerns and questions in reference to the incident. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 31, 2014","Policy Studies, Inc. 
/ Postal Center International, Inc.","","Florida","DISC","MED","580","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "March 31, 2014","Midwest Orthopaedics at Rush, LLC","","Illinois","HACK","MED","1,256","On February 10, 2014, an unknown party gained unauthorized access to the personal email account of a physician at Midwest Orthopaedics at Rush, the covered entity (CE), disclosing protected health information (PHI) that affected approximately 1,256 individuals. The emails contained electronic PHI including names, physicians' surgical schedules, surgical descriptions, codes, dates and instructions. The CE provided breach notification to HHS, affected individuals, and the media. The CE also conducted an investigation and determined the root cause of the breach. Additionally, the CE disabled the physician’s Gmail account to which the PHI was sent, and trained the physician and his staff on the use of the secure email. The CE revised email procedures by eliminating all external email addresses from the CE's distribution list of physicians and support staff and discontinued the use of outside email addresses for sending or receiving of PHI. OCR obtained documented assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 1, 2014","Indian Health Service","","Maryland","DISC","MED","214,000","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 2, 2014","KP Northern CA Department of Research","","California","HACK","MED","5,178","The covered entity (CE), Kaiser Permanente Northern California Division of Research, reported a breach of 5,178 individuals’ electronic protected health information (e-PHI), as a result of a malware software infection on its computer server. The types of ePHI involved in the breach included names, dates of birth, genders, addresses, race/ethnicity information, medical record numbers, lab results, and responses patients provided to research-related questions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE conducted an updated security analysis, revised its policies and procedures, and provided training to its workforce members. OCR obtained written assurances that the CE implemented the corrective actions noted above and provided technical assistance regarding the HIPAA Security Rule. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 2, 2014","Triple-S Salud ","","Puerto Rico","PHYS","MED","5,795","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. 
, formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. 
OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. 
“We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 3, 2014","American Health Inc. ","","Puerto Rico","PHYS","MED","17,776","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. 
After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. 
“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 3, 2014","State Long Term Care Ombudsmans Office, Michigan Department of Community Health","","Michigan","PHYS","MED","2,595","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 4, 2014","Presence St. Joseph's Medical Center","","Illinois","UNKN","MED","836","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 9, 2014","Clinical Reference Laboratory, Inc.","","Kansas","PHYS","MED","979","The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Services (USPS). The protected health information (PHI) involved in the breach included the names, dates of birth, partial social security numbers, and lab test types of approximately 979 individuals residing in multiple states. The CE provided breach notification to HHS and affected individuals. 
Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 9, 2014","Cigna","","Connecticut","PHYS","MED","527","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 10, 2014","Amerigroup Texas, Inc. ","","Virginia","PHYS","MED","75,026","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 11, 2014","BLUE CROSS AND BLUE SHIELD OF KANSAS CITY","","Missouri","DISC","MED","2,546","In February 2014, two members of the covered entity (CE), Blue Cross Blue Shield of Kansas City Plan, reported unauthorized charges on credit cards they used to make payments by phone to the CE. The CE determined that an employee violated its policies and procedures and may have put the financial information of 2,546 individuals at risk. The breach affected members that spoke with this employee regarding payment of premiums. The CE provided breach notification to HHS, affected individuals, and the media, and reported the matter to the FBI and local law enforcement. The CE reported that its background check contractor, Verifications Inc. (VI) provided an inaccurate criminal background check, which resulted in the hiring of the involved employee although the employee had been convicted of felony identity theft in April 2012. 
To prevent similar breaches from happening in the future, the CE terminated its contract with VI and established a relationship with a new background check vendor. The CE provided training to its workforce on its policies and procedures regarding HIPAA Security. OCR obtained documented evidence demonstrating that the CE implemented the corrective action listed above. The CE also ended the involved employee’s employment. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 14, 2014","Healthy Connections, Inc","","California","PHYS","MED","793","In April 2014, the covered entity (CE), Healthy Connections Inc., reported that an unencrypted mobile computer drive containing patients' electronic protected health information (ePHI) was lost in transit between the CE and another CE. The breach was noticed when the other CE received the envelope minus the flash drive in the mail. The breach affected the demographic and clinical information of 793 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE conducted a comprehensive system-wide risk analysis, implemented a risk management plan, and enhanced its entire electronic and technical security system. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 15, 2014","Administracion de Seguros de Salud - Triple S Salud Inc (BA)","","","PHYS","MED","46,473","On March 27, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, reported that on January 14, 2014, it became aware that sometime before October 9, 2013, a former employee of Triple-S Salud’s business associate (BA), Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unspecified period of time and which he subsequently downloaded onto a computer at his new employer. The ePHI included beneficiary enrollment information, including names, dates of birth, contract numbers, health insurance claim numbers, home addresses, and social security numbers of 54,384 of the CE’s beneficiaries. The CE provided breach notification to HHS, affected individuals, and the media. Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff within a specified period. Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.090240","-95.712891" "April 16, 2014","Greenwood Leflore Hospital","","Mississippi","PHYS","MED","3,750","The covered entity (CE), Greenwood Leflore Hospital, discovered that an ex-employee of a business associate (BA) the CE used to recycle and destroy old x-ray films, stole x-ray films which contained the names, dates of birth and x-ray images of 3,750 patients. 
This individual’s employment had been terminated by the BA prior to the breach, and therefore he was not authorized to take possession of these x-ray films. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. In response to the breach, the CE filed a police report, attempted to recover the x-ray films, and sanctioned and re-trained the employees involved. The CE also filed a civil lawsuit against the individual who took the films. The individual was later arrested and found guilty of petit larceny and was ordered to pay restitution to the CE. The CE provided additional training to its entire workforce regarding its BA access and breach policies, and terminated its business relationship with the BA. OCR obtained the CE’s policies and procedures related to the cited Privacy Rule provisions, as well as documentation related to employee training on the Privacy and Security Rules. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 17, 2014","Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc.","","Georgia","PHYS","MED","2,523","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 18, 2014","Shaker Clinic","","Ohio","PHYS","MED","617","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 18, 2014","VGM Homelink","","Iowa","DISC","MED","1,400","A business associate (BA), Tri State Adjustments, of the covered entity (CE), VGM Homelink, committed a programming error which resulted in 
individuals receiving the wrong billing statements. This breach affected approximately 1,400 individuals and included patients’ names, addresses, insurance information, and the medical equipment provided to them. The CE provided breach notification to HHS, affected individuals, and the media, and placed a notification about the breach on its website. The CE required its BA to implement new safeguards to prevent a similar breach from occurring. As a result of OCR’s investigation, the CE had its BA update its policy and procedures for Breach Rule notification. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 18, 2014","Larsen Dental Care LLC","","Idaho","PHYS","MED","6,900","An unencrypted external hard drive containing the electronic protected health information (ePHI) of 6,900 individuals was stolen from a workforce member’s vehicle. The ePHI involved in the breach included names, addresses, dates of birth, email addresses, telephone numbers, dental records, medical history, health insurance numbers, and social security numbers. The covered entity (CE), Larson Dental Care LLC, provided breach notification to HHS, affected individuals and the media, and also posted notice online. Following the breach, the CE terminated the employment of the responsible workforce member. It also conducted a new risk assessment, implemented new security and privacy policies, including device and media control policies, and retrained staff. The CE improved safeguards by encrypting all computers and mobile devices containing ePHI and installing comprehensive security upgrades to its computer network. OCR obtained assurances that the CE implemented these corrective actions. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 22, 2014","Centura Health","","Colorado","HACK","MED","12,286","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 23, 2014","Ladies First Choice, Inc.","","Florida","PHYS","MED","2,365","In January, 2014, the covered entity (CE), Ladies First Choice Inc., learned that a former employee took and misappropriated a confidential computer program that contained customers’ demographic and healthcare information. The computer program contained the electronic protected health information (ePHI) of 2,365 individuals and included names, dates of birth, social security numbers, addresses, and identifying codes. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE identified the vulnerabilities that contributed to the theft, re-trained its staff, reviewed all of its safeguards policies and internal procedures, including its incident reporting policies, and performed a new risk analysis. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also created new security features for its computer systems, including encryption and secure back up of PHI stored on hard drives. Additionally, the CE filed a civil action against the former employee to enjoin her from using the PHI she obtained. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 24, 2014","Tufts Associated Health Maintenance Organization, Inc. 
and Tufts Insurance Company ","","Massachusetts","PHYS","MED","8,830","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 24, 2014","Inclusion Research Institute","","District Of Columbia","DISC","MED","2,200","The covered entity’s (CE) subcontractor, on behalf of the CE’s business associate (BA), Inclusion Research Institute, sent postcards to 2,200 individuals indicating they were receiving services at the CE, Developmental Disabilities Administration, Maryland Department of Health and Mental Hygiene. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE directed the subcontractor to cease and desist sending the postcards. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Baylor Medical Center at McKinney","","Texas","HACK","MED","1,253","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Baylor Medical Center at Irving","","Texas","HACK","MED","2,308","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Baylor Regional Medical Center at Plano","","Texas","HACK","MED","1,981","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","HealthTexas Provider Network","","Texas","HACK","MED","2,742","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Ferguson Advertising, Inc.","","Indiana","HACK","MED","1,361","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Iowa Medicaid Enterprise","","Iowa","DISC","MED","862","The covered entity (CE), Iowa Medicaid Enterprise, erroneously mailed a patient listing of 862 individuals to a provider on February 26, 2014. The protected health information (PHI) involved in the breach included names and addresses. The CE stated that it discovered this breach was due to an error in its mailing process. The CE stated that it notified the affected individuals and the media. The CE also stated that it shall no longer mail patient listings to providers. OCR has consolidated this breach with another breach involving the Iowa Department of Human Services. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 25, 2014","Flowers Hospital","","Alabama","PHYS","MED","629","The covered entity (CE), Flowers Hospital was informed by law enforcement on February 27, 2014, that while one of its employees was being arrested, the CE’s paper facesheets were found in his possession. 
An internal investigation revealed that the employee may have accessed or allowed another individual access to the clinical and demographic information of 1,208 individuals. The CE provided breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE implemented procedures to further restrict access to paper records and improved its maintenance and storage procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 29, 2014","Reading Health System","","Pennsylvania","PHYS","MED","1,845","A medical practice moved and a vendor/patient stored three boxes of paper medical billing records in the vendor’s crawl space from March 2012 until March 2014. The boxes contained the protected health information (PHI) of approximately 1,845 individuals. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, medical practice billing codes, and diagnoses. Following the breach, the covered entity (CE), Reading Health System, interviewed the vendor/patient and determined no disclosures had occurred. The CE provided breach notification to HHS and affected individuals and offered all living patients a year of free credit monitoring. 
The CE established a professionally staffed call Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "April 29, 2014","MDF Transcription Services","","Massachusetts","UNKN","MED","15,265","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 6, 2014","Porter, MD, Steven","","Utah","PHYS","MED","0","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 6, 2014","KEYSTONE INSURERS GROUP","","Indiana","UNKN","MED","1,008","The covered entity (CE), City of Henderson, discovered that on several occasions between January 23, 2013, and March 3, 2013, its business associate (BA) broker, Keystone Insurers Group, disclosed more than the minimum necessary information to several health care providers who were being considered as a possible partner with the City in development of a City-run healthcare clinic. The BA had been hired to assist in the evaluation process of determining whether a City-operated health clinic would reduce health care costs. The types of protected health information (PHI) involved in the breach included demographic information such as names, insurance numbers, addresses, birthdates, and clinical information, such as diagnoses, treatment, prescriptions, and expenses. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to the incident, the CE obtained certificates of deletion and destruction from the recipients of the PHI and it terminated its agreement with the BA. 
The CE also revised its request for proposals process to include information about potential brokers’ HIPAA training and any prior HIPAA breaches. In response to OCR’s investigation, the CE created and implemented privacy policies and procedures, and trained staff on its HIPAA policies. Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 9, 2014","Options Counseling Center","","New Jersey","PHYS","MED","2,828","OCR opened an investigation of the covered entity (CE), Options Counseling Center, after the CE reported that, between May 1, 2011 and July 29, 2011, an employee made photocopies of documents and printed documents from the computer system containing 2,828 patients’ protected health information (PHI) and disclosed the documents to his attorney. The types of PHI involved in the breach included, variously for different individuals, patients’ names, counseling session attendance verifications, internal CE account codes, charges, payments, addresses, telephone numbers, dates of birth, health insurance account information, and account balances, as well as 46 social security numbers. Upon discovery of the breach, the CE ensured the destruction of the PHI possessed by the (then former) employee and/or his attorney, and retrained staff. The CE also implemented new safeguards, including restricting the number of personnel who hold keys to the rooms and file cabinets that contain PHI, and converting its paper billing system to an electronic billing system, which establishes password-protected role-based access rights to varying levels of information. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 10, 2014","Molina Healthcare of New Mexico, Inc.","","New Mexico","DISC","MED","4,744","On behalf of the covered entity (CE), Molina Healthcare of California Partner Plan, Inc., a business associate (BA) subcontractor, printed and mailed postcards to the CE’s former members addressed generically to “Resident” and containing a tracking number, that in some cases, was the member’s social security number. Approximately 4,744 individuals were affected by this breach. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. It also offered affected individuals one year of free identity theft protection services. As a result of the incident, the CE revised and developed HIPAA policies and procedures to better safeguard protected health information (PHI) during mailing projects. It also counseled the workforce members involved in the incident pursuant to its policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 10, 2014","Howard L. Weinstein D.P.M.","","Texas","PHYS","MED","1,000","Four encrypted laptop computers and the back-up system containing the electronic protected health information (ePHI) of approximately 1,000 individuals were stolen as a result of a break-in at the office of the covered entity (CE), Howard L. Weinstein, D.P.M. The CE immediately reported the incident to police and an investigation ensued. The ePHI involved in the theft was encrypted and the CE determined that a breach of ePHI was unlikely. 
However, the CE responded to the incident as though a breach had occurred and personnel notified the potential affected parties through mailing, media notification, and website notification. They also followed the procedure to file a Breach Notification Report with HHS. The CE implemented additional physical, technical, and administrative safeguards to ensure the security of ePHI. In addition, the CE immediately acted on the recovery plan, and has moved data to a cloud encrypted storage system. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 18, 2014","American Health Inc. ","","Puerto Rico","DISC","MED","11,531","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. 
The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 19, 2014","Central City Concern","","Oregon","DISC","MED","17,914","Law enforcement investigated a former employee of the covered entity (CE), Central City Concern, for identity theft and notified the CE that the former employee admitted to misusing approximately 15 Employment Access Center (EAC) clients’ information. 
The personal information involved in the breach included names, social security numbers, addresses, dates of birth and other identifiers, but no data from the CE’s health care component. The CE provided breach notification to HHS, the media, and all 17,914 clients whose information was accessible by the former employee, as well as posting substitute notice on its website. It also provided a year of free credit monitoring for affected individuals. As a result of the incident, the CE improved safeguards for the EAC database. The CE also contracted with a third party to complete a security risk assessment of all its locations and updated its privacy and security policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 19, 2014","Blue Cross Blue Shield of Michigan Blue Care Network","","Michigan","DISC","MED","502","\N Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 21, 2014","Elliot Health System","","New Hampshire","PHYS","MED","1,208","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 22, 2014","Sutherland Healthcare Solutions, Inc.","","New Jersey","PHYS","MED","342,197","\\ Location of breached information: Email, Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 23, 2014","Humana Inc [case 
#15381]","","Kentucky","PHYS","MED","2,962","On April 2, 2014, an unencrypted portable media device containing electronic protected health information (ePHI) was stolen from an employee’s locked vehicle. The portable media device contained the demographic data (including some social security numbers), clinical, and health insurance information of 2,962 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The offending employee was terminated as a direct result of violating the CE’s policy prohibiting the use of unencrypted devices to store and transport PHI. In addition, the CE re-educated employees about this policy and instructed management teams to ensure that proper procedures were being followed. OCR obtained assurances that the corrective actions were taken. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 23, 2014","Jamaica Hospital Medical Center","","New York","DISC","MED","26,162","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 28, 2014","Bay Park Hospital","","Ohio","DISC","MED","594","An employee of the covered entity (CE), Bay Park Hospital, accessed the electronic protected health information (ePHI) of 594 individuals without a necessary business reason to do so. The ePHI included names, dates of birth, diagnoses and other clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE questioned the responsible workforce member, who immediately resigned, and retrained its workforce members on its HIPAA policies and procedures. 
OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 29, 2014","Triple-S Salud ","","Puerto Rico","DISC","MED","56,853","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. 
OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. 
“We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "May 30, 2014","NFP Maschino, Hudelson & Associates","","Oklahoma","PHYS","MED","3,814","An unencrypted laptop was stolen from the vehicle of an employee of Maschino, Hudelson & Associates, a broker and business associate (BA) of the covered entity (CE), Aetna. The laptop contained the protected health information (PHI) of 3,814 of the CE's customers. The types of PHI involved in the breach included names, dates of birth, addresses, social security numbers and account information. The BA provided breach notification to affected individuals and the media. OCR provided technical assistance to the CE regarding the requirements for notification to HHS. OCR verified that the CE had a proper BA agreement in place at the time of this breach. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 5, 2014","Salina Health Education dba Salina Healthcare Center","","Kansas","DISC","MED","9,640","An employee of the covered entity (CE), Salina Family Healthcare Center, sent an email containing electronic protected health information (ePHI) to a third party as part of a research case study. The types of PHI involved in the breach included names, dates of birth, addresses, chart numbers, and procedure codes affecting approximately 9,640 individuals. The CE provided breach notification to HHS, affected individuals, and the media. 
The CE responded to the breach by obtaining assurances that the email was destroyed by the third party, and sanctioning the responsible employee. As a result of OCR’s investigation, the CE updated and trained staff on its policies relating to the e-mailing of PHI and uses and disclosures of PHI. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 5, 2014","Open Cities Health Center ","","Minnesota","UNKN","MED","1,304","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 6, 2014","Mark A. Gillispie","","California","PHYS","MED","5,845","On June 5, 2014, the covered entity (CE), reported that a trusted physician who had worked in the office for four years left, and prior to leaving, copied patients’ demographic information including names, social security numbers, addresses, dates of birth, phone numbers, emails, insurance information and recall dates. The protected health information (PHI) of 5,845 individuals was affected by the breach. Following the breach, the CE improved technical safeguards by installing a firewall, securing browser sessions, implementing strong authentication, antivirus software, and logical access control, and encrypting wireless connections. It also improved physical security and reported that it revised its HIPAA Privacy and Security policies and procedures. During the course of the investigation, OCR learned that the CE is no longer a CE. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 6, 2014","Penn State Milton S. 
Hershey Medical Center","","Pennsylvania","DISC","MED","1,801","An employee of the covered entity (CE), Penn State Milton S. Hershey Medical Center, downloaded protected health information (PHI) onto an unsecured flash drive and used the device in his personal computer to complete work which he then emailed to the CE using his personal email account. The types of PHI involved in the breach included the demographic and clinical information for 1,801 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE performed a risk assessment and updated encryption measures. The CE also reminded all clinical laboratory staff and faculty of expected practices pertaining to safeguarding PHI, and provided staff a listing of the relevant policies concerning encryption and electronic messaging and links to the corresponding policies. As a result of OCR's investigation, the CE submitted to OCR copies of its policies regarding use of personal devices and emails, storing PHI on third party owned or managed media and use of approved electronic connections, systems and/or services. OCR verified that appropriate policy was in place at the time of the incident and the employee did not follow the policy. OCR obtained assurances that the CE has implemented the corrective actions listed above. Location of breached information: Email, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 6, 2014","Walgreen Co.","","Illinois","PHYS","MED","540","\N Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 9, 2014","St. 
Francis Hospital","","Georgia","DISC","MED","1,175","On May 30, 2014, a staff member sent an email to approximately 1,175 patients that erroneously permitted them to see the email addresses of all recipients. The covered entity (CE), St. Francis Hospital, investigated the incident, replaced its information technology department leadership and its security officer, and counseled the employee involved. Additionally, the CE updated its HIPAA policies and trained the entire workforce on its updated policies. The CE also began upgrading its equipment to better prevent security incidents. The CE provided breach notification to the affected individuals via e-mail message, sent notification to the media, and placed a conspicuous notice on its website. In response to OCR’s provision of technical assistance, the CE provided written notification to the affected individuals. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 11, 2014","Doctors First Choice Billings, Inc","","Florida","PHYS","MED","9,255","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 12, 2014","Doctors First Choice Billings, Inc.","","Florida","HACK","MED","1,831","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 13, 2014","Santa Rosa Memorial Hospital, Privacy Manager Breach","","California","PHYS","MED","33,702","A thumb drive containing data pertaining to X-rays provided between February 2, 2009 and May 13, 2014, was believed to have been stolen from a staff member's locker during a burglary that occurred on June 2, 
2014, at the Santa Rosa Memorial Imaging Center. The thumb drive contained information pertaining to X-rays provided by the Redwood Regional Medical Group and Santa Rosa Memorial Hospital. The types of electronic protected health information (ePHI) included in the breach included names, medical record numbers, dates of birth, genders, dates and times of service, body part(s) examined, names of technologists, and data related to the amount of radiation to produce the X-ray. The breach affected approximately 33,702 individuals. This breach was resolved as part of the Resolution Agreement and Corrective Action Plan for St. Joseph Health which may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreem.... Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 13, 2014","Baylor Medical Center at Carrollton","","Texas","DISC","MED","2,874","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 16, 2014","Group Health Plan of Hurley Medical Center","","Michigan","DISC","MED","2,289","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 19, 2014","IHS","","Maryland","DISC","MED","620","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 19, 2014","David DiGiallorenzo, D.M.D.","","Pennsylvania","HACK","MED","11,000","An individual hacked into the 
Dentrix software of the covered entity (CE), Lanap & Implant Center of Pennsylvania (David DiGiallorenzo), and posted patients’ protected health information (PHI) on a “BitTorrent” website (which distributes files over the Internet), piratebay.com. The breach involved the PHI of 11,000 individuals and included names, as well as dates of birth and social security numbers for some of the individuals. The CE provided breach notification to HHS, affected individuals whose PHI was compromised, and the media, as well as substitute notification. Following the breach, the CE received security updates from Dentrix. As a result of OCR’s investigation, the CE increased safeguards by implementing security measures on its electronic systems. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 20, 2014","NRAD Medical Associates, P.C.","","New York","HACK","MED","97,000","\N Location of breached information: Desktop Computer, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 20, 2014","NYU Hospitals Center","","New York","PHYS","MED","872","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 20, 2014","Abrham Tekola, M.D.,INC","","California","PHYS","MED","5,471","Two unencrypted desktop computers and one unencrypted laptop computer were stolen during a burglary. The breach affected 5,471 individuals and the types of protected health information (PHI) involved included patients’ names, social security numbers, addresses, dates of births, and medical information. 
Upon learning of the theft, the covered entity (CE) hired a legal firm to assist with responding and notifying all individuals affected. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE hired specialized data security personnel, conducted a Security Rule risk analysis, and implemented a risk mitigation plan that reflects the current work environment. Additionally, the CE improved safeguards by updating its policies and procedures on portable/mobile devices and encrypting its electronic equipment. The CE completed security awareness training of its workforce members. OCR obtained documentation that the CE implemented the corrective actions noted above and provided technical assistance regarding the HIPAA Security Rule. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 23, 2014","Colorado Neurodiagnostics, PLLC","","Colorado","PHYS","MED","750","An unencrypted laptop computer containing protected health information (PHI) was stolen from Colorado Neurodiagnostics’ locked offices on April 25, 2014, affecting approximately 750 individuals. The PHI on the laptop included patients’ names, dates of birth, diagnoses, conditions, laboratory results, medications, and treatment information. The covered entity (CE) provided breach notification to affected individuals, the media, and HHS. It also immediately filed a police report and implemented additional physical safeguards. As a result of OCR’s investigation and technical assistance, the CE conducted a risk analysis, developed a risk management plan, encrypted its electronic devices containing PHI, and implemented additional technical safeguards. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 24, 2014","Sloane Stecker Physical Therapy, PC","","New York","PHYS","MED","2,000","A workforce member, a physical therapist, accessed the electronic health record system and obtained 2,000 patients’ names, addresses and telephone numbers for the purpose of contacting or soliciting these patients to join a new physical therapy practice. The covered entity (CE), Sloane Stecker Physical Therapy, PC, provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. The CE also provided free credit monitoring for the affected individuals. Following the breach, the CE retrieved the patient information and retrained staff. As a result of OCR’s investigation and technical assistance, the CE is expected to perform an enterprise-wide risk analysis and establish a risk management plan. It is also expected to implement mechanisms to record and examine activity in information systems that contain or use electronic PHI. Additionally, the CE is expected to implement a security incident policy and procedure, implement procedures for identity verification for access to electronic PHI, and provide training to all staff on the newly implemented policies and procedures. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 24, 2014","Riverside County Regional Medical Center","","California","PHYS","MED","563","The covered entity (CE), Riverside County Regional Medical Center, reported that on or around June 18, 2014, a laptop computer used with an electromyography (EMG) machine was lost or stolen. 
The laptop contained 563 patients’ electronic protected health information (ePHI) and included patients’ names, medical record numbers, dates of birth, ages, genders, patients’ heights and weights, physicians’ names, clinical data, and study reports. The CE provided breach notification to HHS, affected individuals and the media, and also reported the incident to local law enforcement. Following the breach, the CE encrypted the laptop, locked the department during non-business hours, and changed EMG data transfer processes. Additionally, the CE took steps to address gaps in its security management program to further safeguard ePHI, especially after two additional lost or stolen laptops (breach incidents) occurred within a six month period, which OCR investigated jointly with this breach. OCR obtained assurances that the CE implemented the corrective actions noted above and provided technical assistance on the requirements of the HIPAA Security Rule. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 24, 2014","Rady Children's Hospital - San Diego","","California","DISC","MED","14,121","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 25, 2014","Rady Children's Hospital - San Diego","","California","DISC","MED","6,307","\N Location of breached information: Email, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 26, 2014","Alabama Department of Public Health","","Alabama","PHYS","MED","1,200","An employee of the covered entity (CE), Alabama Department of Public Health, disclosed the protected health information (PHI) 
of approximately 1,200 individuals to a third party, potentially for tax fraud purposes. Federal law enforcement informed the CE of the breach on March 21, 2014. The U.S. District Court, Middle District of Alabama indicted the workforce member responsible for the breach for her criminal activities related to the breach, and she is no longer employed by the CE. Following the breach, the CE implemented additional safeguards. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "June 27, 2014","The Union Labor Life Insurance Company","","Maryland","PHYS","MED","42,713","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 4, 2014","VA Long Beach Healthcare System","","California","DISC","MED","592","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 7, 2014","D&J Optical Inc. ","","Alabama","HACK","MED","1,100","In June 2014, the covered entity (CE), D&J Optical, suspected that a former independently contracted optometrist had created credentials for herself and accessed electronic protected health information (ePHI) without authorization. This inappropriate access would have exposed the demographic and clinical information of 1,100 individuals. The CE filed a breach report with HHS and met the requirements of the Breach Notification Rule. In response to this suspected incident, the CE increased security for access to its server and software, eliminated wireless internet capabilities in its office, and strengthened procedures for password access. 
OCR reviewed evidence of the subsequent investigation by a computer forensic expert which revealed that no inappropriate access had occurred and no ePHI was disclosed. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 7, 2014","Montana Department of Public Health & Human Services","","Montana","HACK","MED","1,062,510","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 8, 2014","Highmark Inc.","","Pennsylvania","PHYS","MED","2,589","Health profile and care summaries and corresponding cover letters were incorrectly mailed to senior members of the covered entity (CE), Highmark Health, and their physicians. The protected health information involved in the breach included the names, addresses, telephone numbers, dates of birth, unique medical identifiers (UMI), gender, medications, and health information of 2,589 individuals. The CE provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE issued a new UMI to each member impacted by the incident. The CE determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee. As a result of OCR's investigation, the CE instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures. OCR obtained details of the CE's revised policies on its health profiles to assure they include only the minimum necessary information. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 8, 2014","Haley Chiropractic Clinic","","Washington","PHYS","MED","6,000","One laptop and two desktop computers containing the electronic protected health information (ePHI) of about 6,000 patients were stolen during a break-in at the covered entity (CE), Haley Chiropractic Clinic. The machines and the clinic’s electronic health record (EHR) application were password-protected, but the devices were not encrypted. One of the desktop computers provided access to the web-based EHR system that included names, treatment notes, addresses, phone numbers, dates of birth, insurance information, and social security numbers. The stolen laptop contained patients’ names, social security numbers, height and weight, and range of motion data. The CE filed a police report, provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE improved safeguards by installing a new physical security alarm and video surveillance system, changing all computer passwords, and encrypting computers. OCR’s review found that the media notice did not comply with the content requirements of the Breach Notification Rule. Based on OCR’s technical assistance, the CE provided a compliant notice to regional media. Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 9, 2014","St. 
Vincent Hospital and Health Care Center, Inc.","","Indiana","DISC","MED","63,325","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 11, 2014","InSync Computer Solutions, Inc.","","Alabama","UNKN","MED","50,918","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 12, 2014","Western Regional Center for Brain and Spine Surgery","","Nevada","PHYS","MED","12,000","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 15, 2014","Indian Health Service -Rosebud","","Maryland","PHYS","MED","620","The covered entity (CE), Indian Health Service (IHS), Rosebud Service Unit, reported that on May 30, 2014, its employee left a folder of records containing protected health information (PHI) in a public restroom at the IHS’ Rapid City Hospital when she was at the hospital for a meeting. The folder contained the records of 620 individuals and included patient names and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered credit monitoring and identity theft insurance to affected individuals. Following the breach, the CE sanctioned the employee. OCR obtained written assurances from the CE that it will implement policies and procedures regarding breach notification and mitigation in accordance with the technical assistance provided by OCR pursuant to this investigation. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 16, 2014","University of Pennsylvania Health System","","Pennsylvania","PHYS","MED","661","A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective action steps were taken. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","41.203322","-77.194525" "July 16, 2014","Bay Area Pain Medical Associates ","","California","PHYS","MED","2,780","The offices of the covered entity (CE), Bay Area Pain Management Associates, were broken into and three desktop computers were stolen. One unencrypted document on a stolen computer contained the names and dates of service of 2,780 individuals. In response to the breach the CE improved physical safeguards by adding a security alarm system, and increasing security features on doors. The CE improved technical safeguards by implementing an encryption file management program. As a result of OCR’s investigation the CE improved its HIPAA practices. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "July 17, 2014","Minneapolis VA Health Care System","","Minnesota","DISC","MED","500","The covered entity (CE) sent a batch of 500 generic letters to its members informing them of a new community based outpatient clinic opening that erroneously caused another member’s full name and address to appear on the back side of the document. The CE provided breach notification to HHS, affected individuals, and the media, and it also posted a notice on its website. To prevent a similar breach from happening in the future, the CE implemented a quality assurance check for batch mail. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","46.729553","-94.685900" "July 18, 2014","Administracion de Seguros de Salud - Triple S Salud Inc (BA)","","","DISC","MED","7,911","On April 15, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico reported to HHS that on January 14, 2014, they became aware that sometime before October 9, 2013, a former employee of American Health Medicare’s (AHM) business associate (BA), Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unknown period of time and which he subsequently downloaded onto a computer at his new employer. The ePHI included the enrollment information of 7,911 of the CE’s beneficiaries, including names, dates of births, contract numbers, health insurance claim numbers, home addresses, and social security numbers. 
AHM, which was acting as both a CE and a BA, provided breach notification to affected individuals and the media. As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train staff within a specified period. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.090240","-95.712891" "July 23, 2014","Midwest Orthopaedic Center SC","","Illinois","DISC","MED","680","A former affiliate of the covered entity’s (CE) former business associate (BA), McKesson Corporation, that provided specialized billing services, unintentionally made records containing patient information potentially accessible on the Internet. The protected health information (PHI) of approximately 680 individuals was accessible using very specific Google search terms between December 1, 2013 and April 17, 2014. The former BA immediately safeguarded the information and made it inaccessible on the Internet. The former BA confirmed that the web server was properly removed from public Internet access, confirmed from its former affiliate that the data at issue was destroyed, contacted Google to ensure all cached pages were destroyed, and confirmed the information could not be accessed through any web search. The former BA also confirmed with its former affiliate that no other information was available via the computer server at issue or any other server. The CE confirmed that the former BA’s policies related to data security were in compliance with the CE’s data security requirements. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring to the affected individuals. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.633125","-89.398528" "July 23, 2014","Xand Corporation","","New York","UNKN","MED","3,334","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.712784","-74.005941" "July 25, 2014","Self Regional Healthcare ","","South Carolina","PHYS","MED","38,906","On May 25, 2014, a password-protected, unencrypted laptop computer containing the protected health information (PHI) of 38,906 patients was stolen from the covered entity’s (CE) administrative offices during a break-in. The PHI involved in the breach included patients’ names, social security numbers, driver license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly addresses. The CE provided breach notification to HHS, the media, and affected individuals, and offered credit monitoring. The CE also contacted the local police department and conducted an internal investigation. Following the breach the CE revised its HIPAA policies and procedures and retrained its entire workforce on its policies and procedures. The CE also improved facility access safeguards and encrypted computers. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 25, 2014","Urological Associates of Southern Arizona, P.C.","","Arizona","PHYS","MED","3,529","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 28, 2014","Dr. Veronica Joann Barber","","California","DISC","MED","4,000","Another provider, Veronica Joann Barber, O.D., (VB) copied the covered entity’s (CE) entire data base and used the electronic protected health information (ePHI) to solicit patients for her own practice. VB worked at the CE’s office under a space-sharing agreement until the CE terminated the agreement. The CE requested that VB cease and desist using the PHI, but she did not agree. The theft occurred on December 15, 2013, and affected 4,000 individuals. The ePHI involved in the breach included individuals’ names, social security numbers, addresses, driver’s licenses, dates of births, other identifiers, credit card and bank account numbers, claims information, other financial information, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach the CE installed computer firewalls. Based on OCR’s provision of technical assistance, the CE notified the media and completed a risk assessment. It also improved safeguards by denying access by unlicensed persons to its computer systems and updating its policies and procedures regarding computer user names and passwords. The CE improved physical safeguards by moving the computer with the ePHI behind a 5-foot tall counter. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 29, 2014","PRN Medical Services, LLC dba Symbius Medical, LLC","","Arizona","DISC","MED","13,877","\N Location of breached information: Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 30, 2014","Midwest Urological Group","","Illinois","PHYS","MED","982","On May 30, 2014, an unencrypted laptop computer was stolen from a company closet. The laptop contained the protected health information (PHI) of approximately 982 individuals, including names and data from medical tests. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and also notified police. Following the breach, the CE sanctioned and retrained the employee responsible for securing the computer and implemented new policies and procedures to improve safeguards to PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 30, 2014","Rite Aid Store 5256","","Washington","PHYS","MED","522","A box containing paper prescription records was removed from the backroom at the covered entity’s (CE) Milton, WA location. The box contained the protected health information (PHI) of approximately 522 individuals and included names, addresses, and dates of birth. The CE provided breach notification to affected individuals, HHS, and the media. The CE offered one year of free identity theft protection to affected individuals. 
Following the breach, the CE improved physical safeguards by moving all remaining hard copy prescription records to a more secure area. The CE contacted all other stores in the region to ensure that prescription records were being appropriately secured. As a result of OCR’s investigation, the CE clarified its PHI storage policies to store managers in Washington State, and implemented new security procedures at the affected location. OCR provided the CE with technical assistance regarding adequate safeguards to PHI, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 31, 2014","StayWell Health Management, LLC","","Minnesota","HACK","MED","4,487","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "July 31, 2014","Cancer Specialists of Tidewater","","Virginia","PHYS","MED","2,318","The covered entity (CE), Cancer Specialists of Tidewater, was notified by the Chesapeake Virginia Police Department that an employee was arrested and charged with taking credit card information from patients’ belongings during office visits. The breach report indicated that over 500 individuals were affected and the types of protected health information (PHI) involved in the breach included demographic and financial information. Following the CE’s investigation and electronic audit, it provided breach notification to a total of 2,318 patients, HHS, and the media, and posted substitute notice on its website. Following the breach, the CE conducted a risk assessment, upgraded breach detection software, and increased its auditing capabilities. 
It also conducted employee training. OCR obtained written assurance that the CE implemented the corrective actions listed above. Additionally, the CE terminated the employment of the involved employee. Location of breached information: Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 6, 2014","MobilexUSA","","Ohio","PHYS","MED","605","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 7, 2014","Jersey City Medical Center - Barnabas Health","","New Jersey","PHYS","MED","36,400","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 7, 2014","Diamond Computing Company","","Georgia","DISC","MED","7,016","OCR notified the covered entity, Diatherix, that electronic protected health information (ePHI) of its patients was potentially accessible online. The CE conducted an internal investigation and determined that its business associate (BA), Diamond Computing Company, Inc., was maintaining an insecure file transfer protocol (FTP) site containing the ePHI of approximately 7,016 individuals. The ePHI involved in the breach included names, social security numbers, dates of birth, addresses, diagnoses, and billing information, as well as other data. In response to this incident, the CE engaged a data forensic firm to determine the scope and cause of the breach. The CE provided breach notification to HHS, the media, and affected individuals, and offered one year of identity theft protection. 
In addition, the CE performed a risk assessment, took steps to remove cached copies of ePHI from the Internet, and revised its existing policies to ensure its vendors enforce appropriate security measures to protect ePHI. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","32.165622","-82.900075" "August 7, 2014","Central Utah Clinic","","Utah","HACK","MED","31,677","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.320980","-111.093731" "August 8, 2014","PST Services Inc, a McKesson Co.","","Georgia","HACK","MED","10,104","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","32.165622","-82.900075" "August 8, 2014","Onsite Health Diagnostics (OHD)","","Texas","HACK","MED","60,582","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "August 12, 2014","Apple Valley Care Center","","California","HACK","MED","1,251","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "August 12, 2014","Kaiser Foundation Health Plan of Colorado","","Colorado","DISC","MED","11,551","The covered entity (CE), Kaiser Foundation Health Plan of Colorado, reported that on July 24, 2014, it erroneously mailed letters 
containing protected health information (PHI) to incorrect recipients, affecting 11,551 individuals. Each letter contained the name of another program member in a chronic condition management program. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE sanctioned and retrained the responsible employee. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.550051","-105.782067" "August 12, 2014","CareAll Management, LLC","","Tennessee","PHYS","MED","28,300","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 13, 2014","Iron Mountain Records Management","","California","PHYS","MED","1,674","\N Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 14, 2014","24 ON Physicians, PC/In Compass Health,Inc.","","Georgia","HACK","MED","520","On December 1, 2013, a subcontractor of 20 ON Physicians PC/ In Compass Health Inc., Williamson Medical Center’s former business associate (BA), unintentionally made a computer server containing protected health information (PHI) potentially available for access on the internet. The PHI that was potentially available on the internet included the names, dates of service, charge amounts, and billing codes of 520 patients. The CE investigated and verified that its BA and its subcontractor had taken all necessary corrective steps to mitigate the breach. Specifically, the subject server was removed from public internet access, all data provided to the subcontractor was destroyed, and all cached pages were removed. 
Additionally, the CE worked with the BA to provide breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. Additionally, the CE reviewed and confirmed that all of its BA agreements contain provisions addressing subcontractors and data security and conducted an in-depth review of its risk analysis. A separate breach investigation was opened for the BA, 20 ON Physicians PC/In Compass Health Inc. OCR reviewed the BA agreement and Breach Notification Rule policy and determined that they were sufficient. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 15, 2014","Iron Mountain Incorporated","","Massachusetts","PHYS","MED","10,000","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 15, 2014","Iron Mountain","","California","PHYS","MED","49,714","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 15, 2014","Children's Mercy Hospital","","Missouri","HACK","MED","4,067","The covered entity (CE), Children's Mercy Hospital, reported that the protected health information (PHI) of 4,067 individuals stored in an online registration system by the subcontractor, Onsite Health Diagnostics, of its business associate (BA), StayWell Health Management, was hacked. The hacked information included names, encrypted passwords, email addresses, physical addresses, phone numbers, genders, and dates of birth. Because the subcontractor-generated passwords were encrypted/hashed, they were rendered unusable. 
The CE provided breach notification to HHS, affected individuals, and the media. The CE reported that the subcontractor moved all data from the affected scheduling application, moved all of its clients to a new scheduling platform, and completely decommissioned the vulnerable platform. The subcontractor also conducted a comprehensive security audit and found no other improper uses of protected health information or vulnerabilities. As a result of OCR's investigation, the CE provided documentation substantiating all actions taken. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.964253","-91.831833" "August 15, 2014","University Health","","Louisiana","HACK","MED","6,073","On August 15, 2014, the covered entity (CE), University Health, reported a breach when a professor from City College of San Francisco notified them by email of security issues. Protected health information (PHI) from the E.A. Conway Medical Center was contained on an unsecured server that was accessible online. The types of PHI involved in the breach included financial and medical information and affected 6,075 individuals. The CE immediately took the server off-line, which discontinued any unauthorized access. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE hired a third-party company to conduct and assess a thorough external penetration test. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 18, 2014","Tri-City Medical Center","","California","PHYS","MED","500","On August 7, 2014, an employee who was being terminated for cause took emergency department (ED) logs for 500 patients of the covered entity (CE), Tri-City Medical Center, and gave them to the California Department of Public Health (DPH) and the North County Newspaper. Upon learning of the theft, the CE contacted DPH which advised that it had the logs and would give them to the local police department once the CE filed a report for theft. The CE contacted the local police department and created a report of the 500 patients’ electronic protected health information (ePHI). The CE provided breach notification to HHS, affected individuals, and the media and created an 800-number to provide information for affected patients. The CE improved safeguards by reformatting the ED logs required for Emergency Medical Treatment and Labor Act (EMTALA) to be handled only electronically, placing all ED paper logs in a locked/secured cabinet, converted locks, and relocated all its printers and faxes to secure areas. The CE also retrieved the ED logs from the police department, retrained its entire workforce, and developed a facility policy for tracking the check-in and check-out of facility logs. OCR obtained written assurances that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 19, 2014","Dennis Flynn MD","","Illinois","PHYS","MED","13,646","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 20, 2014","Community Health Systems Professional Services Corporation","","Tennessee","PHYS","MED","4,500,000","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 21, 2014","Community Health Systems Professional Services Corporations","Franklin","Tennessee","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","35.925064","-86.868890" "August 22, 2014","Oklahoma City Indian Clinic","","Oklahoma","DISC","MED","6,000","A staff member of the covered entity (CE), Oklahoma City Indian Clinic, sent an email to 412 recipients that erroneously included an attachment that contained the electronic protected health information (ePHI) of 6,044 individuals. Following an attempted recall of the message, a corrected email without the attachment was sent, asking the recipients to delete the erroneous email and the attachment. The ePHI involved in the breach included patients’ names, chart numbers, and email addresses. The CE provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. Following the breach, the CE re-trained staff on its encryption policy. 
In addition, the CE improved safeguards by developing a policy regarding electronic transmission of patient information. The policy limits identifying patient information contained in electronic communications within the CE’s network, and requires password protection for electronic files including ePHI. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","35.007752","-97.092877" "August 22, 2014","Steven A. Goldman, MD Inc.","","Ohio","PHYS","MED","6,141","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.417287","-82.907123" "August 25, 2014","Specialty Clinics Of Georgia - Orthopaedics","","Georgia","PHYS","MED","2,350","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","32.165622","-82.900075" "August 26, 2014","St. 
Elizabeth's Medical Center","","Massachusetts","PHYS","MED","595","\N Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","42.407211","-71.382437" "August 26, 2014","Aventura Hospital and Medical Center","","Florida","PHYS","MED","948","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","27.664827","-81.515754" "August 27, 2014","Group Health Incorporated","","New York","DISC","MED","802","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 28, 2014","The Longstreet Clinic, P. C.","","Georgia","PHYS","MED","720","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 29, 2014","Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department","","Tennessee","UNKN","MED","1,717","The covered entity (CE), Metropolitan Government of Nashville and Davidson County Public Health Department, reported that on July 18, 2014, during the relocation of the Children's Special Services Clinic, two small metal filing units, holding standard sized paper index cards on patients seen in the CSS clinic, were inadvertently tipped over and the index cards fell out of the filing units. The index cards contained full names, addresses, dates of birth, social security numbers, and diagnosis codes of 1,717 patients. 
The CE provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and offered credit monitoring and identity theft protection to all affected individuals. In response to the incident, the CE investigated, interviewed all relevant staff and the contractor’s employees, and reviewed surveillance recordings. As a result of its investigation, the CE eliminated the index card system, re-evaluated its process on retention and use of paper records, created and implemented additional HIPAA policies and procedures, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 29, 2014","Duke University Health System","","North Carolina","PHYS","MED","10,993","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 29, 2014","Memorial Hermann Health System","","Texas","DISC","MED","10,604","On July 7, 2014, Memorial Hermann Health System's audit program identified that a workforce member had inappropriately accessed the protected health information (PHI) of approximately 10,600 individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. It also promptly terminated the involved workforce member. OCR reviewed copies of the CE's policies and procedures related to the incident and information related to its HIPAA training program and audit protocols in place at the time of the incident. Following the incident, the CE took corrective actions including expanding its IT audit program and hiring additional audit staff. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "August 29, 2014","AltaMed Health Services Corporation","","California","PHYS","MED","3,206","\N Location of breached information: Desktop Computer, Network Server, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 4, 2014","Bulloch Pediatric Group, LLC","","Georgia","DISC","MED","10,000","The covered entity (CE), Bullock Pediatric Group, LLC, rented two locked storage units from a facility that was burglarized for its metal shelves. Boxes containing the protected health information (PHI) of approximately 10,000 individuals were strewn about on the floor along with the documents in the boxes. The documents contained demographic, financial, and clinical information, including Explanation of Benefits (EOB) forms from insurance companies, cleared checks, credit card information, balance sheets, end of day reports, some social security numbers, and possibly names and addresses. The CE provided breach notification to HHS, affected individuals, and the media, and posted notification on its website. It also offered one year of free credit monitoring. Following the breach, the CE moved its documents to another storage facility with improved safeguards. In addition, the CE destroyed documents pursuant to the state medical record retention laws. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 4, 2014","Emdeon","","Tennessee","PHYS","MED","566","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 5, 2014","Temple University Physicians","","Pennsylvania","PHYS","MED","3,780","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 8, 2014","The WellPoint Affiliated Covered Entities ","","Indiana","DISC","MED","1,464","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 9, 2014","Thomas Cristello, Chiropractor PC","","New York","PHYS","MED","914","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.712784","-74.005941" "September 9, 2014","ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) ","","Texas","PHYS","MED","789","As the result of a burglary, a computer, two laptops, and a camera were stolen from the covered entity (CE), ENT Partners of Texas. These systems contained the electronic protected health information (ePHI) of 659 individuals. The PHI involved in the breach, included variously, names, audiology tests, dates of birth, CT scans, and clinical photographs of skin. The laptops and computer were password protected. 
The CE notified law enforcement as soon as the break-in was discovered. Breach notification was provided to HHS, affected individuals, and the media, and substitute notice was posted on the CE’s website and at the CE’s office. Following the breach, the CE changed the access passwords for ePHI, and the CE’s information technology (IT) provider initiated monitoring to detect whether the stolen laptops are connected to the Internet, so that the IT provider may attempt to remotely erase the breached ePHI. Since the break-in, the CE improved physical security. The CE improved technical safeguards by installing remote wiping software on all laptops and phones and moving patient data software to a password protected and encrypted server. In addition, the CE updated its policies and procedures to prohibit public access on the CE’s wireless network and empty the contents of cameras daily. Following OCR’s investigation, the CE implemented a process for tracking security incidents and updating electronic systems. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "September 9, 2014","Bon Secours Kentucky","","Kentucky","DISC","MED","697","The covered entity (CE), Bon Secours Kentucky, discovered suspicious activity on its billing software from the user account of a former employee. The CE found it had not properly deactivated access, putting at risk the demographic and clinical information of 697 individuals. The CE provided breach notification to HHS, affected individuals, and posted substitute notice on its website. Media notice was not performed because the number of affected individuals in each state was less than 500. In response to the breach, the CE revised its access monitoring policy and centralized its access allowance procedures. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 9, 2014","Valesco Ventures","","Florida","PHYS","MED","82,601","\N Location of breached information: Electronic Medical Record Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","27.664827","-81.515754" "September 10, 2014","Wm. Jennings Bryan Dorn VA Medical Center","","South Carolina","DISC","MED","3,637","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 10, 2014","Kmart Corporation","","Illinois","DISC","MED","1,866","Printed pharmacy reports containing protected health information (PHI) about patients’ prescriptions were disclosed to an acquaintance of a former pharmacy employee in Sebring, Florida. The PHI involved in the breach included the names, addresses, prescribers, and medications for approximately 1,866 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE also contacted law enforcement and reinforced with the pharmacy staff the CE’s HIPAA policies and procedures pertaining to the appropriate use, disclosure, and the safeguarding of PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.633125","-89.398528" "September 10, 2014","Xerox State Healthcare, LLC","","Texas","DISC","MED","2,000,000","\N Location of breached information: Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "September 10, 2014","Cedars-Sinai Health System","","California","PHYS","MED","33,136","The covered entity (CE), Cedars-Sinai Health System, reported that an employee’s unencrypted laptop computer was stolen during a residential burglary. Although the computer was used primarily for troubleshooting pathology software, some electronic protected health information (ePHI) of approximately 33,136 individuals was potentially stored in temporary files on the laptop’s hard drive. The CE terminated the laptop’s remote access capabilities and conducted an internal investigation. Although the CE’s laptops are encrypted as per its policy, the encryption for this laptop was disabled by a helpdesk service provider when providing assistance. The CE provided breach notification to HHS, affected individuals, and the media, and posted notice of the incident on its website. The CE has not learned of any identity theft or other misuse of the potentially affected information resulting from this incident. Following OCR’s investigation, the CE updated its policies and procedures related to the storage, transmission and encryption of ePHI, as well as the enforcement of its employees’ adherence to these policies and procedures. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "September 12, 2014","Tampa General Hospital","","Florida","DISC","MED","675","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 12, 2014","Santa Fe Medical Group","","New Mexico","PHYS","MED","843","On March 2, 2016, Santa Fe Medical Group/Atrinea Health filed for a Chapter 7 bankruptcy petition and provided OCR documentation of such petition. Under these circumstances Santa Fe Medical Group/Atrinea Health is no longer a covered entity and is not subject to the requirements of HIPAA. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 12, 2014","Emdeon","","Tennessee","PHYS","MED","800","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 17, 2014","South Suburban HIV/AIDS Regional Clinics","","Illinois","UNKN","MED","767","\N Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 18, 2014","New Mexico VA Health Care System","","New Mexico","DISC","MED","2,657","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 22, 2014","Research Integrity, LLC","","Kentucky","DISC","MED","4,077","\N Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 26, 2014","Madison Street Provider Network","","Colorado","PHYS","MED","523","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 26, 2014","Compassionate Care Hospice of Central Louisiana, LLC","","Louisiana","PHYS","MED","707","Ten encrypted laptop computers and one external hard drive containing the electronic protected health information (ePHI) of approximately 707 individuals were stolen from the covered entity (CE), Compassionate Care Hospice of Central Louisiana. The laptops contained two reports. The first report listed the names, ages, admitting and discharge dates, location, medication class and other items related to 120 patients. The second report contained the names of 97 patients. The hard drive contained one file, a bereavement report listing the names, addresses, phone numbers and date of death of deceased patients. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE remotely wiped the stolen laptops. Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE’s policies, including encryption requirements. OCR obtained a copy of the CE's current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft. 
Location of breached information: Laptop, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "September 30, 2014","American Family Care, Inc.","","Alabama","PHYS","MED","2,588","On July 17, 2014, two password-protected, unencrypted laptop computers belonging to the covered entity (CE), American Family Care, were stolen from an employee’s vehicle while he was on business travel. The laptops contained the electronic protected health information (ePHI) of 2,500 individuals, and included different types of data for different individuals, such as patients’ names, dates of visits, patient identification numbers, social security numbers, dates of birth, and specific health information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE contacted the local police department and conducted an internal investigation. The CE also revised its HIPAA policies and procedures, retrained its workforce, and encrypted all of its laptops. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 1, 2014","U.S. Health Holdings, Ltd. 
o/b/o Macomb County, Michigan","","Michigan","DISC","MED","6,302","\N Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 3, 2014","Mount Sinai Beth Israel","","New York","PHYS","MED","10,793","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 3, 2014","Touchstone Medical Imaging, LLC","","Tennessee","DISC","MED","307,528","\N Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 6, 2014","Albertina Kerr Centers","","Oregon","PHYS","MED","1,320","Thieves took two notebook computers belonging to the covered entity (CE), Albertina Kerr Centers, which contained the electronic protected health information (ePHI) of 1,320 patients. The CE reported the burglary to the local law enforcement, but neither computer was recovered. The computers were encrypted, but certain cache files for email were unencrypted. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, phone numbers, medications, and treatments. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. To prevent a similar breach from happening in the future, the CE enhanced mobile device security and encryption, improved the physical security of its facility, revised its policies and procedures, and retrained its workforce members. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 6, 2014","Vcarve LLC d/b/a MD Manage","","New Jersey","DISC","MED","585","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 7, 2014","VARO Healthcare","","Pennsylvania","DISC","MED","1,667","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","41.203322","-77.194525" "October 8, 2014","vonica chau DDS PA","","Texas","PHYS","MED","810","\N Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "October 8, 2014","UC Davis Medical Center, Privacy Manager Breach","","California","HACK","MED","1,326","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "October 9, 2014","South Texas Veterans Health Care System","","Texas","DISC","MED","4,000","The covered entity (CE), South Texas Veterans Health Care System, incorrectly mailed 2,000 letters with another veteran’s protected health information (PHI) printed on the other side. The types of PHI involved in the breach included patients’ names, addresses, and medication information. The CE provided breach notification to HHS, affected individuals, and the media. 
As a result of OCR’s investigation, the CE updated its procedures for fulfilling mailing requests and issued a memorandum to the print shop staff with the revised procedures and forms. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","31.968599","-99.901813" "October 9, 2014","Cone Health Medical Group","","North Carolina","DISC","MED","1,872","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 9, 2014","Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities","","Georgia","PHYS","MED","3,397","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 10, 2014","NYU Urology Associates","","New York","DISC","MED","835","\N Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 10, 2014","Colorado Department of Health Care Policy & Financing","","Colorado","DISC","MED","15,380","On July 30 and September 3, 2014, a business associate (BA) mistakenly sent postcards to the covered entity’s (CE) clients that contained viewable protected health information (PHI). The breached PHI included names, addresses, and referred to each client’s status as a public assistance client receiving behavioral health care services. The resulting breach affected approximately 15,380 individuals. The CE provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE and its BA ceased using postcards to conduct client satisfaction operations and implemented new policies and procedures to address the circumstances that led to the breach. The CE and BA also counseled and trained the employee responsible for approving the postcard and provided additional privacy training to all workforce members of the departments responsible for approving such mailings. OCR obtained assurances that the CE and BA implemented the corrective actions noted above. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 10, 2014","M&M Computer Services","","Texas","HACK","MED","4,500","An unknown third party intruder hacked into a server of a business associate (BA) which maintained electronic health records for the covered entity (CE), Penn Highlands Brookville. The breach potentially affected the protected health information (PHI) of 4,500 individuals and included names, dates of birth, social security numbers, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media, and offered affected individuals one year of credit monitoring. Following the breach, the CE terminated its relationship with the BA. OCR initiated a compliance review of the BA in July of 2015, but learned that it was no longer doing business or acting as a BA. As a result of OCR’s investigation, the CE developed a checklist to use to ensure that electronic health record systems used by medical practices acquired by the CE comply with the HIPAA Privacy and Security Rules and to ensure that proper BA agreements are in place. 
Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 10, 2014","New York City Health & Hospitals Corporation","","New York","DISC","MED","10,058","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 10, 2014","Southwest Virginia Physicians for Women","","Virginia","PHYS","MED","568","An employee’s husband, who was also a contractor of the covered entity (CE), Southwest Virginia Physicians for Women, stole protected health information (PHI) from its office, obtaining access to paper charts and other records. The PHI involved in the breach included clinical information affecting approximately 568 individuals. The CE, with the help of the Virginia State Police, retrieved the PHI the day after it was stolen. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website. Following the breach, the CE transitioned from paper to electronic charts and updated its login, logoff, and password policies and procedures for authorized users of its online record management system. The CE also updated its policies regarding required business associate agreements. 
As a result of OCR’s investigation, the CE completed a risk analysis, implemented new physical security procedures, and retrained its staff regarding the changes. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 15, 2014","City of Dallas Fire-Rescue Department","","Texas","PHYS","MED","1,000","Multiple laptop computers containing EKG strips were lost, stolen, or unaccounted for from the covered entity (CE), City of Dallas Fire-Rescue Department. The electronic protected health information (ePHI) on the laptops included EKG strips in addition to the names, addresses, medical history, diagnoses, dates of birth, and the social security numbers of approximately 1,000 individuals. Upon discovering the breach, the CE formed a breach assessment team to review and address investigation findings. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security to address deficiencies within its system. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 15, 2014","Graybill Medical Group","","California","PHYS","MED","1,863","A group of x-rays of poor quality were placed in the covered entity’s (CE) trash container for destruction. The cleaning personnel mistook the x-rays for regular trash and disposed of them in the usual manner. The CE, Graybill Medical Center, initiated an immediate search but the x-rays had already been taken to the landfill. The breach occurred on September 9, 2014, and affected 1,863 patients. 
The protected health information (PHI) contained patients’ names, addresses, dates of birth, physician/medical provider information, and, possibly, images of some areas of patients’ bodies. The CE provided breach notification to HHS, affected individuals and the media, and offered credit monitoring. Following the breach, the CE improved safeguards by ordering locked bins for x-rays that are to be destroyed, ordering covers for the PHI being transported, and implementing procedures requiring x-rays to be recycled weekly so as to more easily distinguish them from regular trash. The CE also retrained its workforce on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 22, 2014","Heard County EMA","Franklin","Georgia","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","33.277618","-85.097997" "October 22, 2014","MD Manage (Vcarve LLC)","","New Jersey","DISC","MED","35,357","\N Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.058324","-74.405661" "October 22, 2014","Seven Counties Services, Inc.","","Kentucky","DISC","MED","727","A former employee mistakenly took home a basket of items, including documents containing the protected health information (PHI) of 727 patients, which were flagged for shredding. The documents were taken to an elementary school with other materials that had been stored at the employee's home for the summer. 
The PHI included social security numbers, diagnosis codes, guardians’ names and phone numbers, supervisor recommendations concerning treatment, and insurance identification codes. The covered entity (CE), Seven Counties Services, provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and set up a toll free information number. The CE investigated the breach and interviewed all involved individuals. As a result of OCR’s investigation, the CE developed new HIPAA awareness training focused on protecting paper records, revised its HIPAA policies and procedures regarding the disposal of documents containing PHI, and retrained staff on the new policies and procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.839333","-84.270018" "October 22, 2014","Quraishi, Nisar A ","","New York","PHYS","MED","20,000","The covered entity (CE), Tribeca Medical Center, reported that on October 21, 2014, patients’ medical records stored in the CE’s storage shed were stolen. The breach affected potentially 20,000 patients and the protected health information (PHI) included names, addresses, zip codes, telephone numbers, dates of birth, social security numbers, health plan information, diagnoses, medical and clinical histories. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE has ceased storing PHI in the storage unit. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.712784","-74.005941" "October 28, 2014","Multilingual Psychotherapy Centers, Inc","","Florida","PHYS","MED","3,500","An encrypted server was stolen from the covered entity (CE), Multilingual Psychotherapy Centers, Inc., on October 20, 2014, as a result of a break-in. The server contained the protected health information (PHI) of 3,500 individuals and included patients’ names, dates of birth, social security numbers, addresses, and Medicaid ID numbers. The CE provided notice to HHS and individuals whose information was contained in the stolen server. Following this incident, the CE increased its physical safeguards, modified its policies, and developed a plan to train its workforce specifically regarding data security breaches. OCR determined the CE had adequate policies and procedures in place for securing electronic information via encryption. Under OCR’s guidance, the CE provided media notice and altered its procedures to ensure such notification is performed in the event of a breach affecting more than 500 individuals. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 28, 2014","Burlington Northern Santa Fe Group Benefits Plan","","Texas","PHYS","MED","507","On October 27, 2014, the covered entity (CE), Burlington Northern Santa Fe Group Benefits Plan, reported a breach when a workforce member that was on a business trip lost an unsecured flash drive that contained employees’ protected health information (PHI). The flash drive contained the demographic and clinical information of 507 individuals. The CE provided breach notification to HHS, affected individuals, and the media. 
Following the incident, the CE sanctioned the workforce member, revised its policy limiting the ability of employees to transfer PHI to portable devices, installed encryption software, and retrained staff on its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 29, 2014","Portland VA Medical Center","","Oregon","PHYS","MED","1,740","An employee of the covered entity (CE), Veterans Health Administration Portland VA Medical Center, took home paper lists of patients’ protected health information (PHI) to work on over the weekend and forgot to return the information. The employee’s husband subsequently found the lists in their garage six months later. The lists included names, social security numbers, provider names, eligibility codes, and diagnostic, clinical and demographic information for about 1,740 individuals. The employee’s husband who found the lists returned the PHI and signed a statement that he made no copies of the documents and that he knew of no others that had viewed the lists. The CE retrained the employee who took the lists home. The CE provided breach notification to HHS, the media, and affected individuals, and offered free credit monitoring for a year. OCR’s investigation confirmed that the CE took the corrective action steps listed and provided substitute notification. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 30, 2014","Memorial Healthcare System","","Florida","DISC","MED","1,782","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 31, 2014","Coordinated Health ","","Pennsylvania","PHYS","MED","13,907","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 3, 2014","Jessie Trice Community Health Center, Inc.","","Florida","PHYS","MED","7,888","\N Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 7, 2014","Central Dermatology Center, P.A.","","North Carolina","PHYS","MED","76,258","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 7, 2014","Weill Cornell Medical College","","New York","PHYS","MED","3,936","Location of breached information: Electronic Medical Record, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 10, 2014","Visionworks Inc.","","Texas","PHYS","MED","74,944","The covered entity (CE), Visionworks Inc., mislaid a partially encrypted, decommissioned computer server from its in-store lab in Annapolis, Maryland which 
was not recovered. The server’s hard drive contained the unencrypted protected health information (PHI) of approximately 74,000 individuals. The PHI on the server contained demographic, financial, and clinical information. Following the breach, the CE fully encrypted all servers at all of their locations and replaced servers. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring. The CE also sent letters to each State Attorney General and posted information on the CE’s website regarding the server incident. In addition, the CE re-trained workforce members, instituted new training requirements on privacy and security awareness, and provided refresher training on incident management. Following OCR’s investigation, the CE secured servers with cable locks and tested and installed a maximum security system that encrypts all hard drives on each server. Additionally, the CE completed a company-wide server inventory and hard drive destruction and performed a physical audit of all servers’ boxes. In addition, the CE created a comprehensive system disposal plan. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 13, 2014","Indian Health Service, Aberdeen Area Office","Aberdeen","South Dakota","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","45.464699","-98.486483" "November 14, 2014","Loi Luu","","California","PHYS","MED","13,177","OCR investigated the covered entity (CE), Loi Luu, M.D., after the CE reported a breach of 13,177 individuals’ protected health information (PHI) and electronic PHI due to lost or stolen computer equipment and compromised lab results on, or around September 17, 2014. The breach affected patients’ names, addresses, phone numbers, dates of birth, social security numbers, medical insurance information and/or blood test results. The CE reported the incident to local law enforcement. In response to OCR’s contact in this matter, the CE ensured the proper breach notifications were provided, took steps to prevent the risk of future physical theft incidents at its office (such as by adding locks, cameras, and alarms), increased its technical controls of ePHI (such as utilizing encrypted software and conducting risk assessments), adopted HIPAA policies and procedures, and engaged in HIPAA training. The CE provided documentation of these corrective steps to OCR. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "November 14, 2014","Iron Mountain","","California","PHYS","MED","2,691","\N Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "November 14, 2014","Colorado River Indian Tribes","","Arizona","UNKN","MED","1,296","An employee of the covered entity’s (CE) health care component, Department of Health and Human Services, emailed a file containing electronic protected health information (ePHI) to his personal web-based email account in October 2013 to complete his work off-site. The breach affected the ePHI of 1,296 individuals, including demographic, financial, clinical, and other information. The CE provided breach notifications to individuals, the media, and HHS. Following the breach, the CE sanctioned the involved employee and retrained employees. It also strengthened its administrative, technical and physical safeguards for ePHI, analyzed risks to its ePHI, and took steps to manage risks regarding ePHI. It also revised its written security policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","34.048928","-111.093731" "November 15, 2014","REEVE-WOODS EYE CENTER","","California","PHYS","MED","30,000","OCR investigated the covered entity (CE), Reeve-Woods Eye Center, after the CE reported a breach of 43,000 individuals’ electronic protected health information (ePHI) regarding malware that infiltrated its electronic network on, or around, August 1 through September 17, 2014. The malware caused, among other things, the system to disclose screenshots and keystrokes outside the CE’s network. The types of ePHI involved in the breach included patients' names, social security numbers, dates of birth, addresses, telephone numbers, dates of service, insurance information, diagnosis codes, treatment information, and medical histories. The CE informed and cooperated with the FBI regarding the incident. In response to OCR’s contact in this matter, the CE ensured the proper breach notifications were provided, cleared the system of the malware, and took steps to increase its safeguards and technical security measures. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","36.778261","-119.417932" "November 17, 2014","Brigham and Women's Hospital","","Massachusetts","PHYS","MED","999","An employee of the covered entity (CE), Brigham & Women’s Hospital, had an encrypted laptop and cell phone stolen during an armed robbery and was forced to disclose password and encryption keys during the robbery. The devices contained the protected health information (PHI) of 999 individuals. The types of PHI involved in the breach included names, medical records numbers, age, and diagnostic information. 
In response to OCR’s investigation, the CE initiated a new enterprise wide risk analysis. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 19, 2014","Kirkbride Center","","Pennsylvania","PHYS","MED","860","In August 2014, an Assistant U.S. Attorney contacted the CE, Kirkbride Center, to advise that an individual was arrested in Florida and would be tried for identity theft. This individual had hard copies of the CE’s daily census reports containing patients’ names, dates of birth, and some social security numbers, affecting approximately 869 individuals. The arrestee was not known to have direct ties to the CE’s facility and was convicted of identity theft. The CE’s internal investigation determined that a rogue employee stole the reports and the CE continued the investigation in hopes of determining which employee was responsible for the theft. The CE provided breach notification to HHS, the media, and affected individuals, and posted notice on its website. The CE also offered affected individuals one year of free identity theft protection. Due to OCR’s investigation, the CE began using a new billing software system, which allows it to revise the daily census report to exclude patients’ dates of birth and social security numbers. Furthermore, the CE revised the report distribution process to limit the distribution of the report to specific unit personnel. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 20, 2014","MetroPlus Health Plan, Inc.","","New York","UNKN","MED","31,980","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 20, 2014","Baptist Primary Care, Inc.","","Florida","DISC","MED","1,449","\N Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 21, 2014","Visionworks Inc.","","Texas","PHYS","MED","47,683","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 21, 2014","True Vision Eyecare","","Ohio","PHYS","MED","542","A burglar stole two laptop computers from the covered entity’s (CE) office. One of the stolen laptops contained the protected health information (PHI) of 542 individuals that included first and last names and eyeglass prescriptions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE purchased new laptops that are password protected with automatic shut-off features, and also retrained staff on security. OCR obtained documentation that the CE implemented the corrective actions it took in this matter. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 25, 2014","AdminisTEP","","Texas","DISC","MED","4,469","The covered entity’s (CE) print and mail sorting vendor, Administep, improperly stuffed and mailed letters which contained other enrollees’ names, addresses, subscriber identifications, claims amounts, and service descriptions. The breach affected approximately 4,469 of the CE’s enrollees. The CE provided breach notification to HHS, the media, and affected individuals, and offered individuals free one-year identity theft protection services. In response to the incident, the CE provided evidence that it placed the business associate (BA) responsible for the breach on a corrective action plan which required the BA to complete a documented quality assurance check for each new implementation or modification of a mailing project. This includes administrative sign-offs and ongoing, random audits on a sample of envelopes for each project. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 25, 2014","Northfield Hospital & Clinics","","Minnesota","PHYS","MED","1,778","\N Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 26, 2014","Computer Programs and Systems, Inc. 
","","Alabama","PHYS","MED","25,764","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 1, 2014","North Big Horn Hospital","","Wyoming","PHYS","MED","1,607","The covered entity (CE), North Big Horn Hospital, reported that on October 2, 2014, it discovered that an Emergency Department (ED) logbook containing protected health information (PHI) was lost, affecting 1,607 individuals. The logbook contained the demographic and clinical information of patients seen in the ED from May 2012 through October 2013. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained and reviewed the CE's relevant HIPAA policies and procedures and provided technical assistance. On August 25, 2015, the CE reported that during a recent re-organization it found the reported logbook in a locked office on a shelf behind several binders. Accordingly, OCR has closed the investigation. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 5, 2014","The Hearing Zone","","Utah","PHYS","MED","623","\N Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 8, 2014","Florida Department of Health","","Florida","UNKN","MED","2,477","An employee of the covered entity (CE), Florida Department of Health, sent an unencrypted email with an attachment containing the electronic protected health information (ePHI) of 2,477 patients to four physicians who were the intended recipients of the email. 
The ePHI in the attachment included patients’ dates of birth, social security numbers, screening test results, and diagnoses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE contacted the recipients of the emails and verified that the emails were deleted and that the ePHI was not further used or disclosed. The responsible workforce member submitted her resignation before CE’s investigation was completed. The CE also reviewed its privacy and security policies and procedures and retrained staff. OCR obtained and reviewed copies of the CE’s policies and procedures and documentation of staff training. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 9, 2014","ReachOut Home Care [Case #16687]","","Kentucky","PHYS","MED","4,500","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 11, 2014","Highlands Cashier Hospital","","North Carolina","DISC","MED","0","A business associate (BA), Computer Programs and Systems, Inc., adjusted the covered entity's (CE) firewall in a manner that potentially exposed the protected health information (PHI) of 26,115 individuals on the internet. The types of PHI included patients' names, addresses, dates of birth, treatment information, and social security numbers (for 21,072 individuals). The CE sent timely breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach on its website. In response to the breach, the CE implemented additional firewall safeguard procedures, began monitoring traffic to and from its website, and began conducting external vulnerability scans. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 12, 2014","Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan)","","California","HACK","MED","30,000","OCR determined that no breach occurred in this case. Location of breached information: Desktop Computer, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 12, 2014","District Medical Group, Privacy Manager Breach","","Arizona","DISC","MED","616","On December 12, 2014, the covered entity (CE), District Medical Group, reported that when a workforce member used a thumb drive while working from home the contents of the thumb drive became accessible on the Internet. The media device contained the electronic protected health information (ePHI) of approximately 616 individuals. The PHI involved in the breach included names, addresses, social security numbers, transaction amounts and clinical information. The CE provided breach notification to HHS, the affected individuals and the media. The CE revised its policies and procedures and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 12, 2014","Clay County Hospital","","Maryland","HACK","MED","7","name, address, ssn, dob Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.633125","-89.398528" "December 12, 2014","St. Mary Mercy Hospital","","Michigan","DISC","MED","1,488","\N Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","44.314844","-85.602364" "December 15, 2014","Walgreen Co.","","Illinois","UNKN","MED","160,000","The covered entity (CE), Walgreens, mailed patient notification letters to incorrect third parties. The letters included first and last names, addresses, dates of birth, phone numbers, provider names, and details of the vaccines administered and affected approximately 160,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and placed notice on its website. Following the breach, the CE resolved issues in its use of the electronic health record (EHR) that were factors in the breach, updated data in the prescriber database and trained its staff on the new requirements. As a result of OCR’s investigation, Walgreens improved safeguards by resolving two issues in its use of the EHR. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.633125","-89.398528" "December 19, 2014","Pediatric Gastroenterology Consultants","","Colorado","PHYS","MED","5,000","On October 16, 2014, an employee of the covered entity (CE), Pediatric Gastroenterology Consultants, P.C., discovered that a laptop owned by the CE had been stolen from his vehicle. The laptop was password-protected but unencrypted, and it contained the electronic protected health information (ePHI) of approximately 5,000 individuals. Specifically, it contained patients’ first and last names, dates of birth, dates of service, and medical information, including medical histories, lab test results, diagnoses, and medical treatment recommendations. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented corrective actions, such as encryption and employee security training, to prevent similar breaches from occurring in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.550051","-105.782067" "December 19, 2014","The Corvallis Clinic, P.C.","","Oregon","PHYS","MED","41,000","A personal laptop computer belonging to an employee of the covered entity (CE), The Corvallis Clinic, P.C., was stolen from the employee’s locked automobile. The stolen laptop contained the electronic protected health information (ePHI) of 41,000 individuals and included patients’ names, addresses, dates of birth, phone numbers, appointment dates, and the names of treating providers. The CE provided the required notifications under the Breach Notification Rule. 
Following the breach the CE sanctioned the involved employee and implemented network access control software that restricts employees from gaining access to internal network resources using personally owned equipment. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","43.804133","-120.554201" "December 22, 2014","Mercy Medical Center Redding - Oncology Clinic, Privacy Manager Breach","Redding","California","HACK","MED","0","On December 13, 2014, the covered entity (CE), Mercy Medical Center’s Redding Oncology Clinic, reported that electronic protected health information (ePHI) was accessible on the Internet when its business associate (BA), Write-Type, Inc., left the ePHI on its website. The website contained the ePHI of approximately 616 individuals and included names, addresses, medical record numbers, physicians’ names, and clinical information such as diagnoses, medications, lab reports, and other treatment information. The CE provided breach notification to HHS, affected individuals and the media. The CE revised its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.586540","-122.391675" "December 23, 2014","Northwestern Memorial HealthCare","Chicago","Illinois","HACK","MED","0","Location of breached information: Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","41.878114","-87.629798" "December 26, 2014","Independence Blue Cross and AmeriHealth New Jersey ","","Pennsylvania","PHYS","MED","12,450","Members of the covered entity’s (CE) maintenance team improperly disposed of four boxes of paper records containing the protected health information (PHI) of approximately 12,450 individuals in error during the course of an office move within the building. The trash was collected by the CE’s trash removal vendor the next day and transported to a recycling plant. The PHI involved in the breach included names, addresses, identification numbers (including social security numbers), home phone numbers, physician information, health care plans, and group numbers. The CE was not able to determine whether or not someone at the recycling center may have acquired or viewed the PHI. The CE, Independence Blue Cross, provided breach notification to HHS, the media, and affected individuals. The CE offered all members who had their member identification number compromised one year of free credit monitoring. As a result of OCR’s investigation, the CE revised its policies and procedures for trash disposal, as well as maintenance and disposal of provider reports. The CE also sent a reminder to all associates regarding its policies and procedures for proper handling of paper documents and proper disposal of trash and documents containing PHI. Furthermore, the CE sanctioned the employees responsible for the incident. 
The CE initiated plans to provide additional staff training on its HIPAA policies and procedures for trash disposal. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","41.203322","-77.194525" "December 30, 2014","Murali Menon, Privacy Manager Breach","","California","PHYS","MED","0","The covered entity (CE), Murali Menon and Physicians Skin and Weight Centers , reported that on November 4, 2014, an employee’s password protected laptop computer and external hard drive containing the protected health information (PHI) of 2,855 individuals were stolen from a locked vehicle. The theft was discovered within an hour and police were immediately notified. The types of PHI involved in the breach included demographic, financial and clinical information, including names, addresses, dates of birth, social security numbers, credit card/bank account numbers, claims information, and other treatment information. The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring. As a result of OCR’s investigation, the CE discontinued all use of external hard drives and encrypted all its laptops within 30 days. Additionally the CE revised its policies regarding the removal of electronic devices from the work site, re-trained staff, and provided OCR with its policies and procedures regarding the administrative, physical, and technical safeguarding of electronic PHI. 
Location of breached information: Laptop, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "January 5, 2015","mdINR LLC","","Florida","DISC","MED","1,859","The covered entity (CE), MDINR, LLC, discovered that on November 3, 2014, an information technology employee sent an unsecured email to a manufacturer representative. The email had an attached spreadsheet that included 1,859 patients’ protected health information (PHI). The PHI in the attached excel spreadsheet included patients’ names, billing account numbers, patients’ reporting dates, internal site codes, and the address of the CE-affiliated facility that delivered the equipment. Following the breach, the CE sanctioned the employee who caused the breach with a written warning. The CE confirmed its practice of providing HIPAA Training to all new employees within 30 days of hiring and safeguarding data by providing system access to employees based on an employee’s job title or role. The CE provided breach notification to HHS, and notice to the 1,859 affected individuals. Media notice was not provided due to fewer than 500 affected individuals being in any one state. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 7, 2015","VA Corporate Data Center Operations/Austin Information Technology Center ","","Texas","HACK","MED","7,029","The covered entity (CE), Veterans Health Administration, discovered that its public facing telehealth website administered by one of its business associates (BA), AuthentiDate Holding Corporation, potentially impermissibly disclosed the protected health information (PHI) of 7,054 individuals. The types of PHI potentially involved in the breach included names, addresses, birthdates, phone numbers, and VA patient identification numbers of veterans who used the telehealth system. The CE provided breach notification to individuals, HHS, and the media, and also provided credit monitoring to the affected individuals. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. Upon discovery of the breach, the CE took steps to enforce the requirements of its BA agreement and determined not to renew the agreement with the identified BA. The CE reported that they are no longer doing business with the identified BA. OCR opened a separate case to review the BA’s compliance with the HIPAA Security Rule. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 7, 2015","Saint Louis County Department of Health","","Missouri","DISC","MED","4,000","On November 18, 2014, an employee of the covered entity (CE), Saint Louis County Department of Health, resigned her position and then impermissibly emailed her personal email account a spreadsheet that was used to reconcile bills for medical services provided to the CE's patients. The types of protected health information (PHI) contained in the spreadsheet included the names, social security numbers, and dates of service of approximately 4,000 patients, along with the names of the medical providers. The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report. The CE terminated the former employee’s access to its patient database and retrained employees on its HIPAA policies and procedures regarding HIPAA. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 7, 2015","Aspire Indiana, Inc.","","Indiana","PHYS","MED","43,890","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 12, 2015","Children's Eyewear Sight","","California","PHYS","MED","1,030","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 13, 2015","Tennessee Rural Health Improvement Association","","Tennessee","DISC","MED","79,000","A business associate (BA), BlueCross BlueShield, created a mailing list of its members for the purpose of selling Medicare Advantage marketing products, an activity that was outside of that permitted by the BA agreement. This breach affected 79,000 individuals and included their demographic information. The covered entity (CE), Tennessee Rural Health Improvement Association, provided breach notification to its members that were enrolled in the Medicare supplement insurance plans and non-Medicare insurance plans, as well as to HHS and the media. Following the breach, the CE revised its policies, implemented new technical safeguards, and improved physical security. In addition, it retrained its workforce on the appropriate usage of protected health information (PHI), and minimum necessary determinations for the use and disclosure of PHI. OCR reviewed the BA agreement in place between the CE and BA and determined that it met the requirements of the HIPAA Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 15, 2015","University Hospitals","","Ohio","DISC","MED","833","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 15, 2015","National Pain Institute","","Florida","PHYS","MED","500","From July 13, 2013, to August 13, 2013, the covered entity (CE), National Pain Institute, distributed outdated computers to its employees for their personal use without first deleting all electronic protected health information (ePHI) from the computers. The computers contained the PHI of approximately 500 individuals, including names, addresses, dates of birth, diagnoses, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the incident, the CE tracked the computers, repossessed those computers that it was able to locate, and obtained written acknowledgement from the former employees that the PHI from the computers was not used or disclosed to others. In addition, the CE improved safeguards by encrypting all computers, upgrading the malware and software of desktop computers, improving network and email security, improving identity management, and automating and standardizing security for devices containing ePHI. The CE also updated its HIPAA policies and procedures, including a policy for responding to security incidents. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 16, 2015","Rainier Surgical, Incorporated","","Texas","PHYS","MED","4,920","OCR opened an investigation of the covered entity (CE), Rainier Surgical, Inc., after it reported that a file drawer with explanations of benefits containing the protected health information (PHI) of 4,290 individuals was stolen from a warehouse. The PHI included names, addresses, dates of birth, health insurance information, explanations of benefits, and in some cases, credit card numbers and social security numbers. Upon discovering the breach, the CE filed a police report. The CE provided substitute notice and media notification in the localities with greater than 500 individuals affected. The CE offered one year of free credit monitoring services to individuals whose social security numbers may have been compromised. Following this breach, the CE retrained employees, reviewed its policies and procedures, and began storing some PHI with an on-site third party secure storage vendor. OCR confirmed that the CE took the actions described above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "January 23, 2015","St. Peter's Health Partners","","New York","PHYS","MED","5,117","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 23, 2015","Ronald D. 
Garrett-Roe, MD","","Texas","HACK","MED","1,600","Alleged hackers gained unauthorized access to one or two hard drives on the desktop computers of the covered entity (CE), Dr. Ronald D. Garrett-Roe, affecting approximately 1,600 patients’ protected health information. The CE reported that the hard drive had been removed, all of the files copied, and the hard drive formatted, which caused all of the computer programs, the operating system, and many patient records to be erased. Dr. Garrett-Roe is no longer a covered entity. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "January 23, 2015","California Pacific Medical Center ","","California","DISC","MED","845","On or about October 15, 2014, during a routine review of workforce members’ use of electronic protected health information (ePHI), the covered entity (CE), California Pacific Medical Center, discovered that a workforce member in the pharmacy department had impermissibly accessed the medical records of 13 coworkers. A subsequent audit showed that from October 2013 to October 2014, the workforce member had impermissibly used the medical records of a total of 845 individuals. The ePHI accessed included patient demographics, last four digits of social security numbers, clinical information about diagnoses, clinical notes, physician order information, laboratory and radiological data, and prescription information. OCR verified that the CE applied employee sanctions pursuant to its policy and procedure, provided breach notification to HHS, affected individuals, and the media, and retrained employees on relevant HIPAA policies and procedures. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "January 28, 2015","Diana S. Guth DBA Home Respiratory Care","","California","DISC","MED","1,285","The covered entity (CE), Home Respiratory Care, reported a breach of 1,285 individuals’ electronic protected health information (ePHI), as a result of a workforce member emailing holiday cards and newsletters to its patients in a group email without masking the recipients' addresses. This action, or lack thereof, left every recipient's email address exposed, which may have included names, as well as an implicit indication that the individual had received respiratory treatment. The CE provided OCR with evidence that it responded to the security incident and undertook steps to prevent the risk of future security incidents by implementing new mail merge safeguards; implementing new, technical safeguards; sanctioning the workforce members involved; and re-training the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "January 29, 2015","David E. Hansen DDS PS ","","Washington","PHYS","MED","2,000","On January 29, 2015, the covered entity (CE), David E. Hansen DDS PS, reported that a password protected computer back-up disk, 20 encrypted flash drives and 32 paper dental patients' records were stolen during a break-in at the CE’s facility. The media devices contained the electronic protected health information (ePHI) of approximately 2000 individuals. The PHI involved in the breach included patients’ names, diagnoses, medications, and other clinical information. 
The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","47.751074","-120.740139" "January 29, 2015","Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc.","","Maryland","DISC","MED","630","Due to a printing error, patients received appointment reminders containing other patients’ protected health information (PHI). The PHI involved in the breach included the names, medical record numbers, the types of appointments to be scheduled, and provider information for approximately 630 individuals. Following the breach, additional safeguards were implemented to prevent future disclosures. OCR reviewed the covered entity’s policies and procedures to ensure compliance with the Privacy and Security Rules. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","39.045755","-76.641271" "January 29, 2015","Riverside County Regional Medical Center","","California","PHYS","MED","7,925","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "January 29, 2015","North Dallas Urogynecology, PLLC.","","Texas","PHYS","MED","678","The covered entity (CE), North Dallas Urogynecology, reported the theft of several items and four unencrypted laptops as a result of a break-in. The incident was immediately reported to the police and an investigation ensued. 
Approximately 678 patients’ protected health information (PHI) was affected by the breach, which included patients’ names, social security numbers, dates of birth, and lab results. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE increased security within the office and implemented additional physical, technical, and administrative safeguards to ensure the security of electronic PHI. All laptops have encryption technology. In addition, all workforce members were trained or retrained concerning the requirements for compliance with the Privacy, Security, and Breach Notification Rules. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 30, 2015","UMass Memorial Medical Group, Inc.","","Massachusetts","PHYS","MED","14,100","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 2, 2015","Boston Baskin Cancer Foundation","","Tennessee","PHYS","MED","56,694","On December 2, 2014, a Boston Baskin Cancer Foundation employee’s laptop computer and external hard drive were stolen. The external hard drive contained the electronic protected health information (ePHI) of 56,000 individuals and included patients' names, dates of birth, social security numbers, addresses, phone numbers, clinic medical record numbers, and the first and last dates seen by the clinic. The investigation concluded that the ePHI was copied and stored on an unencrypted external hard drive. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and offered affected individuals complimentary credit monitoring. 
In response to the breach, the CE deployed software to prevent the downloading of unencrypted documents from computers to portable media. The CE implemented a policy requiring employees to create a passcode for their mobile devices. The CE also revised its risk management policy and established procedures for the removal of hardware and electronic media containing ePHI. After the breach the CE retrained staff and physicians on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 4, 2015","South Sunflower County Hospital","","Mississippi","PHYS","MED","19,000","A local merchant sent a package with shredded documents containing protected health information (PHI) from the covered entity (CE), South Sunflower County Hospital, used as packing material. The PHI included the dates of service, providers’ names, diagnoses, patients’ names, social security numbers, and dates of birth of 19,345 individuals. The CE retrieved the remaining shredded documents and stored them in a locked room with limited access. The CE provided breach notification to HHS, affected individuals, and the media. The CE investigated and modified its policies and procedures. It contracted with a document shredding company to destroy all hospital paper waste containing PHI and initiated a process to convert health records to an electronic format. As a result of the investigation, OCR reviewed the CE’s HIPAA policies and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 5, 2015","Planned Parenthood Southwest Ohio","","Ohio","PHYS","MED","5,000","On October 1, 2014, the Covered Entity (CE) mistakenly disposed of binders containing protected health information (PHI). The CE’s archived prescription dispensing logs and waived lab test logs were left in an unlocked closet after business hours and a custodian mistakenly put them in a trash dumpster. The following morning, the dumpster was emptied by the trash collector who took it to be buried with other garbage at a landfill that same day. The PHI involved in the incident included the names, dates of birth, lab results, and medications of approximately 5,000 individuals. After the CE filed the breach report, it determined that the incident was a non-reportable breach based on a four-part breach assessment and a low probability that the PHI in the binders had been compromised. The CE stated that its breach filing to OCR was not untimely, but was made in error. The CE conducted an investigation, re-trained all staff regarding its HIPAA policies and procedures, completed on-site HIPAA compliance audits, and implemented a new policy to address bulk trash removal from the health centers. OCR obtained written assurances that the voluntary actions of the CE listed above were taken. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 6, 2015","Senior Health Partners, a Healthfirst company","","New York","PHYS","MED","2,772","Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 9, 2015","Tomas, Arturo","","Illinois","PHYS","MED","680","On February 2, 2014, Arturo D. Tomas, MD LTD's office, the covered entity (CE), discovered that a package containing the protected health information (PHI) of approximately 680 individuals had been lost in the process of shipment to its billing company through the U.S. Postal Service (USPS). The PHI included individuals’ names, addresses, phone numbers, dates of birth, referring physician names, medical record numbers, diagnoses, and clinical information. The CE provided notification of the breach to the affected individuals, HHS, and the media. The CE also filed a claim with the USPS regarding the missing package. Following the breach, the CE implemented a new procedure for sending PHI to the billing company that requires PHI to be transmitted either electronically through a secure and encrypted portal or through a third-party mail service with tracking capabilities. Additionally, the CE developed policies and procedures regarding compliance with the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 9, 2015","Haywood County NC","","North Carolina","PHYS","MED","955","On or around October 31, 2014, a paper accounts receivable report went missing from the covered entity’s (CE) billing office. The report contained the protected health information (PHI) of 955 individuals and included patients’ internal identification numbers, names, clinics visited, and amounts owed. The CE provided breach notification to HHS, affected individuals, and the media, and set up a toll free number answer line and e-mail contact. In response to the incident, the CE conducted an internal investigation and also contacted law enforcement and asked them to investigate. As a result of its investigation, the CE enhanced the physical security for the billing office, provided locked file cabinets, and restricted access to that office. In addition, the CE retrained staff, updated the roles and responsibilities for its HIPAA officer, and reviewed all HIPAA policies and procedures. As part of this investigation, OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures and documentation of staff training. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 11, 2015","Courier Corporation of Hawaii","","Hawaii","PHYS","MED","2,809","Documents containing the protected health information (PHI) of 3,959 Kaiser Permanente patients spilled onto the highway when the business associate (BA), Courier Corporation of Hawaii, transported the covered entity’s (CE) documents to storage. Many but not all of the documents were retrieved from the road. 
The types of PHI involved in the breach included names, addresses, dates of birth, driver’s license information, social security numbers, and other identifiers. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with free credit monitoring. To prevent a similar breach from happening in the future, the CE and BA retrained staff on HIPAA requirements, revised policies and procedures, and sanctioned workforce members (including termination). The CE and BA also took steps to mitigate harm. As a result of OCR’s investigation, OCR obtained assurances that the notifications and corrective actions listed above were completed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 12, 2015","Pathway to Hope","","Florida","DISC","MED","600","The covered entity (CE), Pathway to Hope, discovered in January 2015, that a former employee emailed the protected health information (PHI) of 600 individuals to her personal email account, before her last day of employment with the CE for the purpose of building her own practice. The types of PHI in the email included the full names, referral sources, insurance information, and general diagnoses/conditions (i.e. mental health/substance abuse). The CE provided breach notification to HHS and to affected individuals. Media notice was not required. OCR provided technical assistance to the CE regarding the Privacy, Security and Breach Notification Rules. In response to the breach, the CE counseled workforce members, improved its training program, substantially revised its policies and procedures, hired a compliance officer, and began requiring that employees sign non-compete, non-solicitation confidentiality agreements. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 13, 2015","Anthem (Working file)","","Indiana","HACK","MED","0","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 18, 2015","Hunt Regional Medical Partners","","Texas","DISC","MED","3,000","Vandals broke into a building storing paper protected health information (PHI) for the covered entity (CE), Hunt Regional Medical Partners. The types of PHI involved in the breach included patients' names, addresses, dates of birth, social security numbers, claims information, and patients' chart information. Approximately 3,000 individuals were affected. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical safeguards and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "February 20, 2015","Marketing Clique","","Texas","DISC","MED","8,700","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "February 24, 2015","Children's National Medical Center","","District Of Columbia","HACK","MED","18,000","Employees of the covered entity (CE), Children’s National Medical Center (CNMS), responded to phishing emails they believed were legitimate emails. 
Over 20,000 individuals were affected by the breach which involved demographic, clinical and health insurance information, including a limited number of social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and offered 12 months of free identity monitoring for those whose social security number was compromised. Following the breach, the CE identified source attacks, remediated accounts, removed exfiltration software, and implemented safeguards to increase firewall protections and inspection of e-mails (monitoring, scanning, and rewriting of embedded Internet addresses). In addition, the CE updated its security policy and retrained employees. OCR obtained assurances that the CE has implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","38.907192","-77.036871" "February 26, 2015","Raymond Mark Turner, M.D.","","Nevada","PHYS","MED","2,153","One unencrypted laptop computer was stolen during business hours while the office of Dr. Robert Mark Turner was in the process of updating and encrypting its computers. A file on the stolen laptop contained the electronic protected health information (ePHI) of 2,153 individuals which included names, addresses, dates of birth, social security numbers, driver’s license numbers, health insurance information, and records of medical treatment. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and provided credit monitoring and identity theft protection to affected individuals. In response to the breach, the CE improved physical safeguards and enhanced technical safeguards by implementing an encryption management program for all computer systems. 
OCR reviewed the CE's HIPAA risk assessment and provided technical assistance on the required elements of a risk analysis and risk management plan. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 27, 2015","St.Vincent Hospital and Health Care Center, Inc.","","Indiana","DISC","MED","63,325","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 27, 2015","Cathrine Steinborn, DDS","","California","PHYS","MED","3,224","The covered entity (CE) reported a breach of 3,224 individuals’ electronic protected health information (ePHI), as a result of an office burglary on January 5, 2015. The stolen server contained names, addresses, dates of birth, telephone numbers, social security numbers, insurance information, medical information, and billing information. The CE provided OCR with evidence that it responded to the security incident and undertook steps to prevent the risk of future security incidents by implementing physical and technical security safeguards; updating security analysis, and training the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "February 27, 2015","Aventura Hospital and Medical Center","","Florida","DISC","MED","686","Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 1, 2015","Amedisys","","Louisiana","DISC","MED","6,909","Location of breached information: Desktop Computer, Electronic Medical Record, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 2, 2015","Advance Rehabilitation & Consulting LTD","","Georgia","HACK","MED","570","On December 30, 2014, the covered entity (CE), Advance Rehabilitation & Consulting LTD, discovered that a port on one of its servers was publically accessible to the Internet and allowed an automated botnet attack to the server. Internal investigation revealed that one spreadsheet from 2009 was accessed, but there was no way of knowing if the spreadsheet was viewed. The spreadsheet contained patients' names, diagnoses, dates of visits, account types, and therapists'/physicians' names for 570 patients. In response to the breach, the CE conducted a security risk analysis and improved deficient areas with a detailed risk management plan. The CE provided breach notification to HHS and affected individuals. OCR provided technical assistance regarding media notification and such notification was made. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 2, 2015","Georgia Department of Community Health ","","Georgia","HACK","MED","355,127","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 3, 2015","Clinical Reference Laboratory, Inc.","","Kansas","PHYS","MED","4,668","The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Services (USPS). The protected health information (PHI) involved in the breach included the names, dates of service, partial social security numbers, and lab test types of approximately 4,668 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 5, 2015","St. Mary's Health","","Indiana","HACK","MED","3,952","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 5, 2015","Mosaic Medical","","Oregon","DISC","MED","2,207","An intruder entered the administrative office of the covered entity (CE) through a window. Nothing was stolen; however, the protected health information (PHI) of 2,202 individuals was stored in the office. 
The PHI involved in the breach included names, medical information, medical insurance information, addresses, phone numbers, and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE moved its administrative office to another location with improved physical safeguards. In addition, the CE instructed staff on its procedures for securely storing PHI. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 5, 2015","Sharon J. Jones M.D.","","California","PHYS","MED","1,342","OCR opened an investigation of the covered entity (CE), Sharon J. Jones, after it reported a breach of 1,342 patients’ protected health information (PHI) when its office was burglarized on January 8, 2015. The CE immediately reported the incident to local law enforcement. The compromised PHI included a combination of first and last names, dates of birth, addresses, telephone numbers, social security numbers, medical insurance information, medical records, and the last four digits of credit card numbers. The CE provided breach notification to HHS, affected individuals, and the media and provided affected individuals with complimentary identity theft protection for one year. Following the breach the CE improved safeguards for paper PHI, especially after having a second burglary on March 20, 2015, which resulted in another breach that OCR investigated separately. The CE secured a new office lease and moved its operations to a more secure building and location. It drafted a facility security plan and implemented physical security enhancements, such as utilizing interior locks, installing alarms and cameras, and shredding unnecessary paper documents. 
The CE also updated its policies and procedures and provided additional training to its workforce members. OCR obtained assurances that the CE implemented the corrective action listed above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "March 6, 2015","Valley Community Healthcare","","California","PHYS","MED","1,233","On February 24, 2015, the covered entity (CE), Valley Community Healthcare, discovered that a laptop computer connected to the EKG/ECG machine was missing, and it was never recovered. The password protected, unencrypted laptop contained the demographic information of 1,233 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE evaluated the threats and vulnerabilities to its electronic protected health information. In addition, the CE implemented encryption pursuant to the Security Rule and increased the frequency of emails reminding employees to change their passwords. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "March 6, 2015","Indiana State Medical Association","","Indiana","PHYS","MED","38,351","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.267194","-86.134902" "March 6, 2015","San Franciso General Hospital and Trauma Center","","California","PHYS","MED","2,500","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "March 11, 2015","Dr. Anthony T. R. Green DDS","","New York","DISC","MED","7,448","A self-storage facility in Hollis, New York auctioned off the contents of a unit rented by the covered entity (CE) that contained medical records of 8,636 individuals. Ultimately, many of the records were left unattended in a Home Depot parking lot in Jamaica, New York. The protected health information (PHI) involved in the breach included names, dates of birth, addresses, social security numbers, diagnoses, conditions, lab results, and other treatment information. Following the breach, the CE provided breach notification to HHS, affected individuals, and the media, and provided credit and identity theft services to individuals at no cost. The CE also ended its practice of storing patient files outside of the office and implemented policies and procedures that prohibit business associates from having access to PHI before a business associate agreement is in place. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Additionally, the New York Attorney General and the CE agreed to enter into an Assurance of Discontinuance that requires the CE to take additional corrective actions. Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.712784","-74.005941" "March 12, 2015","Virginia Department of Medical Assistance Services (VA-DMAS)","","Virginia","HACK","MED","697,586","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","37.431573","-78.656894" "March 13, 2015","Anthem, Inc. Affiliated Covered Entity","","Indiana","HACK","MED","78,800,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 13, 2015","EyeCare of Bartlesville","","Oklahoma","HACK","MED","4,000","The covered entity’s (CE) database was hacked and held by an outside malware virus. The computer server’s hard drive contained the unencrypted, password protected health information (PHI) of approximately 4,000 individuals. The electronic PHI (ePHI) contained names, addresses, telephone numbers, dates of birth, insurance identification numbers, and diagnosis codes. Since the malware virus was discovered, the CE confirmed that nothing had been copied or removed from the computer, just locked. The CE destroyed the hard drive so that no further access to the hard drive was possible. The CE provided breach notification to HHS, affected individuals, and posted notice on its website. In addition, the CE retrained workforce members, and instituted a requirement of quarterly employee privacy and security awareness training. The CE improved safeguards by changing all passwords. 
Following OCR’s investigation, the CE further improved safeguards by changing anti-virus software, encrypting all information saved to its hard drive, and moving ePHI to a cloud based system. It revised procedures to require weekly computer virus scans and monthly audit reports. It also changed vendors to those that require HIPAA training. Finally, OCR reviewed the CE’s comprehensive risk analysis plan. Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 16, 2015","Sacred Heart Health System, Inc.","","Florida","HACK","MED","14,177","Sacred Heart Health System, Inc.’s business associate (BA), St. Vincent Health, Inc., a third party billing vendor, was subject to an email phishing attack resulting in the exposure of protected health information for 14,177 individuals. This case has been consolidated with an investigation of the BA. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 17, 2015","Premera Blue Cross","","Washington","HACK","MED","11,000,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 17, 2015","Blue Cross Blue Shield of Michigan ","","Michigan","PHYS","MED","3,903","OCR opened an investigation of the covered entity (CE), Blue Cross Blue Shield of Michigan, after it reported that the protected health information (PHI) of 3,903 of its patients had been stolen for the purposes of identity fraud. 
The types of PHI disclosed included names, ages, genders, dates of birth, contract numbers, group names and numbers, and social security numbers. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, the CE improved safeguards by masking social security numbers, removing members’ dates of birth, limiting search results to 25 records, and installing new printing devices that require employees to scan their coded badges when printing. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 18, 2015","Advantage Consolidated LLC","","Oregon","HACK","MED","151,626","In February 2015, the covered entity (CE), Advantage Consolidated, LLC, reported that the access credentials of one of its users were wrongfully acquired through the use of malicious software that had been installed on the user's computer. The intrusion was detected by the CE's intrusion detection system. The breach affected the e-PHI (names, addresses, DOBs, and SSNs) of 151,626 individuals. The CE provided breach notification to HHS, the affected individuals, and to the media. Following the breach, the CE updated its risk analysis and risk management plan and enhanced its electronic and technical security. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 19, 2015","Career Education Corporation","","Illinois","HACK","MED","2,743","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 19, 2015","Kane Hall Barry Neurology","","Texas","PHYS","MED","600","The covered entity (CE), Kane Hall Barry Neurology, reported that on January 20, 2015, an unencrypted laptop computer that contained the protected health information (PHI) of 600 patients was stolen out of a workforce member’s car. The PHI included patients' names, addresses, dates of birth, diagnoses, conditions, and medications. As a result of this breach, the CE improved technical safeguards for its laptop computers and other software devices containing PHI to ensure they are encrypted and password protected. In addition, the CE implemented new policies and trained workforce members on the requirements of HIPAA. The CE provided breach notification to HHS, affected individuals, and the media. It also offered one year of free identity theft protection to affected individuals and established a toll free breach helpline. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 20, 2015","Community Health Network","","Indiana","PHYS","MED","650","On February 2, 2015, the covered entity (CE) learned that one of its facilities was unable to locate a binder containing point-of-care test results. The missing binder was never found. 
The binder contained the protected health information of approximately 650 individuals. The types of protected health information involved in the breach included names, dates of service, test types, test results, and possibly dates of birth. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained its staff, implemented a new quality control log, and instructed medical practices to store information in its electronic medical record. OCR obtained assurances the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 20, 2015","Florida Hospital","","Florida","DISC","MED","8,700","Law enforcement discovered paper records belonging to the covered entity (CE), Florida Hospital, during the course of an investigation. An internal investigation revealed that two employees had been accessing and printing records in excess of their job duties. The protected health information (PHI) involved in the breach included demographic data (including social security numbers), clinical information, and health insurance information affecting 8,816 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and posted notice on its website. In response to the breach, the CE retrained its staff and began the process of masking social security numbers and eliminating the need to print facesheets. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employees involved in the breach. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 20, 2015","Mount Sinai Medical Center","","Florida","DISC","MED","1,406","The covered entity (CE), Mt. Sinai, discovered that an employee was printing paper face sheets in excess of her job duties for an illicit purpose. The face sheets contained the demographic and clinical information of 1,406 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE altered its policies to limit the users allowed to print face sheets. In addition, the CE retrained its workforce and disseminated educational material. OCR obtained assurances that the CE implemented the corrective actions listed. The CE also terminated the employment of the involved employee. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","27.664827","-81.515754" "March 20, 2015","Life Care Center of Attleboro","","Massachusetts","PHYS","MED","2,473","A business associate (BA), Iron Mountain, discovered that five boxes of archived paper records it was storing for the covered entity (CE), Life Care Center of Attleboro, were unaccounted for or lost. During the course of the investigation, the BA located two of the missing boxes, thus the loss affected the protected health information (PHI) of approximately 927 individuals. The records included demographic, financial, and clinical information. OCR obtained evidence of timely notification of the breach to individuals, the media and HHS and reviewed the BA agreement with Iron Mountain. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 23, 2015","AT&T Group Health Plan","","Texas","HACK","MED","50,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "March 24, 2015","Freelancers Insurance Company","","New York","HACK","MED","43,068","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.712784","-74.005941" "March 24, 2015","Pediatric Associates","","Florida","PHYS","MED","627","The covered entity (CE), Pediatric Associates, discovered that a binder containing paper logs of patient record releases was missing on January 24, 2015. After a search and investigation, the CE determined that most likely the binder was unintentionally discarded. The types of protected health information (PHI) contained in the logs included patients' names, internal chart numbers, recipients of releases, and explanations for the record release (i.e. “parent requested”). The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE changed its procedures to require that record releases be logged electronically. The CE archived or shredded all paper record release logs. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","27.664827","-81.515754" "March 24, 2015","McDermott Will & Emery LLP is the plan sponsor for the McDermott medical plan","","Illinois","HACK","MED","880","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "March 25, 2015","7-Eleven, Inc. Comprehensive Welfare Benefits Plan No. 525","","Texas","HACK","MED","1,688","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 27, 2015","New","","Florida","HACK","MED","500","Entity is not covered by HIPAA. Location of breached information: Desktop Computer, Electronic Medical Record, Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 27, 2015","Project Vida Health Center","","Texas","PHYS","MED","7,700","Encrypted servers containing the electronic protected health information (ePHI) of approximately 7,700 individuals were stolen from the covered entity's (CE), Project Vida Health Center facility. The thieves by-passed the locks and the sensors to the facility's security system by entering through a window that was secured with steel bars. The ePHI included patients' names, dates of birth, social security numbers, addresses, and zip codes. The CE provided breach notification to HHS, affected individuals and the media. Notices to the public were provided in English and Spanish. 
Following the breach incident, the CE transitioned from a server-based system to a cloud-hosted system. The CE demonstrated that it immediately acted to recover data for the purpose of business continuity. The CE provided documentation of the new security measures implemented to sufficiently reduce the risks and vulnerabilities to ePHI. In addition, the CE encrypted data and implemented access controls on its information systems. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "March 31, 2015","Triple S Advantage, Inc","","Puerto Rico","DISC","MED","1,458","Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. 
The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","VA Eastern Colorado Health Care System(ECHCS)","","Colorado","DISC","MED","508","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","Cigna-HealthSpring","","Tennessee","DISC","MED","862","The covered entity (CE), Cigna-HealthSpring, discovered that on January 30, 2015, an employee accidentally mislabeled envelopes containing health risk assessment surveys which were mailed to 862 patients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE created new procedures for mailings and provided training to staff members. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","Schaeffler Group USA","","South Carolina","HACK","MED","550","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","PIH Health Hospital - Whittier","","California","PHYS","MED","826","Documents containing the protected health information (PHI) of 826 PIH Health Hospital patients were stolen from a resident doctor’s private vehicle. The PHI involved in the breach included names, dates of birth, diagnoses, primary providers, hospital units, and assigned nurses' names. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the doctor responsible for the breach, trained all residents, developed a new policy prohibiting residents from taking PHI off-campus, and developed signage reminding residents of the new policy. OCR obtained written assurances of breach notifications provided and corrective actions taken. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","CDC/NIOSH World Trade Center Health Program (WTCHP)","","Georgia","DISC","MED","958","On February 5, 2015, a remittance advice report containing the health services and financial information of approximately 958 individuals was ripped open while at the U.S. 
postal office, improperly disclosing the individuals’ protected health information (PHI), including patients’ names, member numbers, services rendered, dates of service, and provider information. The postal office rewrapped the remaining pages from the package, and delivered them to a business associate (BA) of the covered entity (CE), World Trade Center Health Program, to which they were addressed. The CE provided breach notification to HHS and affected individuals, but no media notice was required due to the geographic locations of the affected individuals. In response to the breach, the CE revised its HIPAA training program. Additionally, National Government Services, the BA that sent the mailing on behalf of the CE, revised its mailing processes and procedures by using only non-tear envelopes or boxes for future mailings. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","City of Philadelphia Fire Department Emergency Medical Services Unit","","Pennsylvania","DISC","MED","81,463","In 2012 a rogue employee of the covered entity’s (CE) business associate (BA), Intermedix (dba Advanced Data Processing, Inc.), improperly accessed and disclosed the account information of individuals served by 27 ambulance agencies in 17 states. The CE was initially notified that none of its data was involved; however, on February 3, 2015, the CE was notified by law enforcement in Opa-Locka, Florida that a sheet of paper containing account information regarding the CE’s services was found on a person arrested on that date. Following the 2015 notification, the BA’s investigation confirmed 34 known disclosures, 746 likely disclosures and 80,684 individuals’ protected health information (PHI) that was at risk of disclosure. 
The types of PHI involved in the breach included demographic information, social security numbers, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. The BA offered 36 months of free credit monitoring and fraud resolution services. Following the breach, the BA created an information security team within its Compliance Department, integrated new security measures into its billing system, and developed a new user interface placing further restrictions on employees based on specific job roles. The CE revised the BA agreement. OCR also obtained assurances that the BA implemented the corrective measures listed above. Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 2, 2015","Western Montana Clinic","","Montana","HACK","MED","7,038","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","46.879682","-110.362566" "April 2, 2015","Tulare County Health & Human Services Agency","","California","DISC","MED","845","The covered entity (CE) reported a breach of 845 individuals’ electronic protected health information (e-PHI), as a result of a workforce member e-mailing information regarding logging into CE’s health care portal, without blind copying the patients or encrypting the e-mails. This action, or lack thereof, left every patient’s e-mail address exposed. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by changing and strengthening password requirements, disabling all patients’ health portal accounts, and implementing new technical safeguards. 
In addition, the CE required all affected patients to re-register with its online portal, and revised and implemented new policies and procedures. The CE sanctioned the workforce members involved and re-trained the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule and obtained documented assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 3, 2015","Children's Heart Center","","Nevada","DISC","MED","8,791","An employee was arrested on-site for suspicion of identity theft after using electronic protected health information (ePHI) obtained while employed by the covered entity (CE) to open a credit card account in another individual’s name. The employee had a criminal history which was not identified during the CE’s hiring process. The CE provided breach notification to HHS, affected individuals, and the media. It also cooperated with the subsequent law enforcement investigation. Following the breach, the CE sanctioned the employee and terminated and replaced its vendor for background checks of potential employees. The CE also improved its physical security, enhanced technical safeguards for ePHI, formed a committee to formalize written policies for safeguarding ePHI, and enhanced staff training. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 3, 2015","Health Plan sponsored by Covenant Ministries of Benevolance","","Illinois","HACK","MED","782","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 3, 2015","SUPERVALU Group Health Plan","","Minnesota","HACK","MED","10,946","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 3, 2015","Elizabeth Kerner, M.D.","","Texas","DISC","MED","873","The covered entity's (CE) staff member sent an email that contained a list of names and email addresses for 873 patients to an unintended recipient. The recipient informed the CE that he had received the information. The types of protected health information (PHI) involved in the breach included patients’ names and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the intended recipient, a web designer, changed his email address. The CE implemented an encryption policy and re-trained workforce members. The CE provided OCR with a copy of its encryption policy and OCR determined that it complied with the Security Rule. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 6, 2015","Allina Health","","Minnesota","DISC","MED","838","The covered entity (CE), Allina Health, erroneously mailed a number of letters to patients about preventative screenings which resulted in individuals receiving a letter and a screening sample collection kit at their address, but labeled with another individual’s name. Two business associate (BA) vendors were also involved in processing the mailing. The breach affected approximately 838 individuals and the protected health information (PHI) involved in the breach included individuals’ names. Following the breach, the CE immediately ceased mailing preventative screening kits until it was able to complete an investigation to determine the root cause of the breach, which included reviewing its business associate’s practices regarding the mailing of the screening kits to ensure it had quality control processes in place and were appropriately followed. The CE also initiated and implemented its incident system to timely and effectively manage the investigation, patient notification, and risk mitigation. The CE provided breach notification to HHS, affected individuals, media outlets, and a Minnesota state senator. The CE engaged an outside vendor to mail the individual notifications and establish a call center to accommodate any patient inquiries. The CE also implemented a new workflow in its mailing processes to reduce the number of manual steps and incorporated an additional quality check so as to reduce the potential for error and to ensure the accuracy of mailing lists. The CE also retrained its employees on safeguarding PHI when mailing correspondence, and verified that its employees received the training. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 7, 2015","ADT LLC Group Health & Welfare Plan","","Florida","HACK","MED","3,074","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 9, 2015","International Union of Operating Engineers Local Unions 181, 320 & TVA Health and Welfare Trust Fund","","Kentucky","HACK","MED","5,440","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 9, 2015","Denton County Health Department","","Texas","DISC","MED","874","On April 9, 2015, OCR received a breach report from the covered entity (CE), Denton County Health Department, stating that on February 15, 2015, an employee used an unencrypted portable computer, to save and print a personal document at FedEx/Kinko’s. The mobile drive contained the protected health information (PHI) of approximately 874 individuals from the tuberculosis clinic. The PHI included lab test results, demographic information, and clinical data. Based on the information gathered during the investigation, OCR has opened a compliance review regarding the CE's potential non-compliance with multiple HIPAA standards and is consolidating this investigation with that review. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 10, 2015","St.Vincent Medical Group, Inc.","","Indiana","HACK","MED","756","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 10, 2015","New York State Office of Mental Health","","New York","PHYS","MED","563","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 13, 2015","Suburban Lung Associates","","Illinois","DISC","MED","2,984","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 16, 2015","Concordia Plan Services on behalf of the Concordia Health Plan","","Missouri","HACK","MED","12,500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 16, 2015","American Sleep Medicine","","California","PHYS","MED","1,787","The covered entity (CE), American Sleep Medicine of San Diego, California reported a breach of 1,787 individuals’ electronic protected health information (ePHI), as a result of a stolen backup computer hard drive. The hard drive contained names, birthdates, medical histories, physicians' names, and study results. The CE provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE improved physical safeguards, conducted a new security analysis, revised policies and procedures, and trained its workforce. As a result of OCR’s investigation, OCR provided technical assistance regarding the HIPAA Security Rule. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 17, 2015","Jersey City Medical Center","","New Jersey","DISC","MED","1,447","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 22, 2015","Puerto Rico Department of Health - Medicaid Program","","","PHYS","MED","500","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","37.090240","-95.712891" "April 23, 2015","CompuNet Clinical Laboratories","","Ohio","PHYS","MED","2,584","On March 17, 2015, the covered entity (CE) learned that a box containing health insurance claim forms was damaged by a Federal Express (FedEx) hub in Memphis, Tennessee. The protected health information (PHI) involved in the breach included the names, addresses, dates of birth, genders, diagnosis codes, procedure codes, insurance identification numbers, and some social security numbers of 2,584 individuals. Through retained legal counsel the CE investigated the incident to determine what and how many forms were missing, and to retrieve as many missing forms as possible. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection to affected individuals. 
Additionally, the CE decreased the size of batch mailings to limit the potential size of a data breach associated with a lost or damaged box. OCR obtained assurances that the corrective actions were taken. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 24, 2015","Saint Agnes Health Care, Inc.","","Maryland","HACK","MED","24,967","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 24, 2015","Seton Family of Hospitals","","Texas","HACK","MED","39,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 24, 2015","Wellmont Health System","","Tennessee","PHYS","MED","1,726","On March 1, 2015, the covered entity (CE), Wellmont Health System, discovered that one of its employees had disposed of hand-written notes containing protected information (PHI) for 1,726 individuals at a local recycling center. The types of PHI involved in the breach included demographic and clinical information. The employee voluntarily resigned from her position. The CE provided breach notification to HHS, to affected individuals, to the media, and on its website. In response to the breach, the CE retrained its workforce to emphasize the importance of safeguarding and properly disposing of PHI. In addition, the CE reported that employees now utilize laptops and other mobile devices to create notes in patient records, making paper notes virtually nonexistent. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 27, 2015","Community Mercy Health Partners","","Ohio","DISC","MED","2,000","An individual was accidentally sent the invoices of numerous patients of the covered entity (CE) due to human error after guarantor information on an institutional account was inadvertently changed to an individual patient. The protected health information (PHI) involved in the breach included the demographic, financial, and clinical information of 1,999 individuals. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a future similar occurrence, the covered entity re-educated its patient access/registration staff and began revising processes for institutional payers. OCR reviewed the CE’s relevant HIPAA policies and procedures and obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.417287","-82.907123" "April 27, 2015","CEMEX, Inc.","","Texas","HACK","MED","880","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "April 28, 2015","Clinical Reference Laboratory, Inc.","","Kansas","PHYS","MED","864","The covered entity (CE), Clinical Reference Laboratory, Inc. sent a parcel to Massachusetts Mutual Life that was opened and damaged during the mailing process by the United States Postal Services (USPS). 
The damaged parcel contained the protected health information (PHI) of approximately 864 individuals, including names, partial and full social security numbers, dates of birth, and clinical test codes. OCR received two other breach reports from the CE which involved the same or similar fact patterns as the breach report for this case. OCR consolidated these investigations into one breach compliance review. The CE investigated the breaches and concluded that the likelihood of misuse or further disclosure of the PHI was remote since the USPS confirmed that all unmatched pages were segregated and shredded. The CE provided breach notification to HHS, affected individuals, and notified appropriate authorities required by each jurisdiction that included an affected individual. The CE also offered affected individuals a free two-year subscription to credit monitoring services and credit report controls. Following the breach, the CE appointed a new privacy officer, who was required to complete HIPAA training, and verified that its workforce received HIPAA-related training. The CE also implemented a new breach reporting procedure and initiated the implementation of a secure online portal for clients to obtain PHI electronically. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","39.011902","-98.484247" "April 28, 2015","University of Illinois at Chicago","","Illinois","PHYS","MED","3,000","A physician’s assigned laptop computer containing the electronic protected health information (ePHI) of approximately 3,000 individuals was stolen. The type of ePHI involved in the breach included diagnoses and conditions of the individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE updated relevant HIPAA policies, including encryption, to ensure the safeguarding of ePHI and sanctioned the physician involved. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also notified the deans and directors of all the CE’s healthcare components of the corrective actions taken in response to this incident. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "April 28, 2015","Consolidated Tribal Health Project, Inc. ","","California","DISC","MED","4,885","Location of breached information: Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 28, 2015","Bellevue Hospital Center","","New York","DISC","MED","3,334","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 28, 2015","Jacobi Medical Center","","New York","DISC","MED","90,060","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "April 29, 2015","County of Los Angeles ","","California","PHYS","MED","880","The covered entity (CE), County of Los Angeles, reported that on April 3, 2015, during the execution of a search warrant at the home of an individual who was employed at the County Department of Health Services (DHS) LAC+USC Medical Center, Hawkins Mental Health Center (Hawkins), in a matter unrelated to County business, law enforcement 
discovered and seized items that contained confidential patient information for approximately 880 Hawkins patients, treated between 2011 and 2015. The types of protected health information (PHI) involved in the breach included financial, demographic, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the involved employee and terminated the employee’s electronic and information technology access, as well as physical access to DHS’ systems. DHS provided in-service HIPAA training to Hawkins’ staff. OCR obtained assurances that the CE implemented the corrective actions listed. The employee resigned following the breach incident. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 1, 2015","Partners HealthCare System, Inc.","","Massachusetts","HACK","MED","3,321","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 1, 2015","Walgreen Co.","","Illinois","PHYS","MED","1,138","On March 4, 2015, the covered entity (CE), Walgreens Pharmacy, reported that it discovered its pharmacy paper log in Stafford, Texas was missing. The approximate number of individuals affected by the breach was 1,138. The protected health information (PHI) involved in the breach included patients’ prescription numbers, first and last names, dates of birth, addresses, photo identification types, and the number of individuals who picked up prescriptions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE re-trained its pharmacy staff and communicated to them the importance of safeguarding patient information. 
OCR obtained documentation which showed that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 6, 2015","Ventura County Health Care Agency","","California","PHYS","MED","1,339","The covered entity (CE), Ventura County Health Care Agency, discovered that a backpack containing documents for 1,399 patients was left at an elementary school after it was stolen from an employee’s car. All of the files were intact, and the types of protected health information (PHI) involved in the breach included names, balances owed, and internal account numbers. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE sanctioned the workforce member in question and retrained staff. The CE also provided OCR with additional documentation, specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. Additionally, the CE provided OCR with written assurance that it provided refresher reminders to all staff members about its HIPAA Privacy policies and procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 11, 2015","Unity Recovery Group, Inc.,Starting Point Detox LLC, Lakeside Treatment Center LLC, Changing Tides Transitional Living LLC, Unity Recovery Center, Inc","","Florida","DISC","MED","1,000","Unity Recovery Group, Inc. (Unity) shared patient information with other covered entities for continuation of substance abuse treatment. It erroneously believed this practice to be an impermissible disclosure and filed a breach report with HHS. 
After OCR determined that no breach had occurred, OCR provided technical assistance to Unity regarding permissible disclosures for treatment purposes, the difference between “consent” and “authorization” under HIPAA, the definition of a breach of protected health information, when notification must be provided, and when notification is not required. Further, Unity and its affiliates permanently closed on December 31, 2015 with no intention to resume future operations in the same legal entity name. Location of breached information: Email, Network Server, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 15, 2015","UPMC","","Pennsylvania","PHYS","MED","2,259","A business associate (BA) employee disclosed the protected health information (PHI) of approximately 2,259 of the covered entity’s (CE) patients to outside parties. The PHI involved in the breach included names, dates of birth, and social security numbers. Following the breach, the CE terminated its relationship with the BA. OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 15, 2015","Medical Management, LLC (MML)","","North Carolina","PHYS","MED","20,512","Medical Management LLC provides billing services as a business associate (BA) for more than 30 medical facilities in various states, with BA agreements in place for each covered entity (CE). On March 16, 2015, the IRS notified the BA that one of its employees was involved in an identity theft ring. The employee confessed to the activity and was terminated. 
The BA determined that, during her employment, the employee had access to 30,556 patients’ records containing protected health information (PHI), including demographic information (names, dates of birth and social security numbers). The BA notified each CE of the breach, established a call center, sent letters to the potentially affected individuals on behalf of its CEs, offered credit monitoring and ID theft protection, sent media notice to 12 newspapers, and notified HHS. In response to the breach, the BA upgraded to an improved billing system with more security controls, masked social security numbers where appropriate, and retrained its staff. In addition, the BA implemented software for tracking and monitoring access and user activity, which is monitored by IT staff, in order to identify any abnormal access. OCR obtained assurances that the BA implemented the corrective actions listed above. Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 15, 2015","Duke LifePoint Conemaugh Memorial Medical Center","","Pennsylvania","PHYS","MED","1,551","An employee of the covered entity’s (CE) business associate (BA), Medical Management, LLC (“MML”), disclosed the demographic information of 1,551 of the CE’s patients to outside parties. The protected health information (PHI) involved in the breach included names, dates of birth, and social security numbers. Following the breach, the CE assisted the BA in responding to the breach and notifying affected individuals. 
Additionally, OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 15, 2015","The MetroHealth System","","Ohio","HACK","MED","981","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.417287","-82.907123" "May 15, 2015","Aflac","","Georgia","DISC","MED","6,166","Some of the covered entity’s (CE) policyholders erroneously received welcome packets in the mail that contained the protected health information (PHI) of other individuals on a summary page. The breach affected 6,166 individuals and the types of PHI involved in the incident included policyholders’ names, coverage applied for, premium amounts, whether the applicant was a new employee, codes or names representing employees’ departments, and denial or acceptance of insurance coverage. In response to the breach, the CE updated its privacy and security procedures, which included updating its mailing process. The CE installed new printer software on all IT quality assurance (QA) desktops and on additional machines located in the IT QA lab. The CE also purchased and installed new local printers that will allow IT testers and coders to confirm packet accuracy. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","32.165622","-82.900075" "May 18, 2015","Associated Dentists","","Minnesota","PHYS","MED","4,725","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","46.729553","-94.685900" "May 19, 2015","Alexian Brothers Medical Center","","Illinois","DISC","MED","632","On April 13, 2015, several files containing electronic protected health information (ePHI) were discovered on computers accessible to the public in the medical library at the covered entity (CE), Alexian Brothers Medical Center. The files included the first and last names, medical record numbers, and medication information related to 618 patients, and other clinical information for 14 patients. Approximately 632 individuals were affected by this breach. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE posted signs noting that the computers were “public computers” and not to save files on the device, secured computers so that no data could be saved onto the virtual desktop or the hard drive, and essentially rendered folders as “read only”. The CE also implemented a process to track user access on all but one of the public computers. The CE retrained workforce groups involved in the breach. OCR obtained documented assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "May 19, 2015","Sharon J. 
Jones, M.D.","","California","PHYS","MED","1,342","A burglar broke into the office of the covered entity (CE) and stole 17 paper patient charts, an unencrypted desktop computer, two unencrypted laptop computers, and one encrypted computer server. The breach affected approximately 1,342 individuals’ protected health information (PHI) and included demographic, financial, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also established a dedicated call center to answer questions related to the incident and offered free credit monitoring to the affected individuals. Following the breach, the CE moved to a more secure locale and completed risk analyses in July 2015 and February 2016. The CE implemented a risk mitigation plan to reflect the current work environment, updated its policies and procedures on mobile devices, enhanced physical security, and trained workforce members on security awareness. OCR provided technical assistance regarding the HIPAA Security Rule and obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer, Laptop, Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 20, 2015","Success 4 Kids & Families, Inc.","","Florida","PHYS","MED","506","On April 5, 2015, a Success 4 Kids & Family employee’s laptop computer was stolen out of his vehicle while parked during non-work hours. The laptop contained the protected health information (PHI) of 506 individuals, and included clients’ names, addresses, dates of birth, social security numbers, and limited treatment-related information. The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. 
In response to this incident, the CE contracted with an IT vendor to upgrade servers and provide cloud backup service, encrypted all computers, reviewed its policies and procedures, implemented an encryption policy, and trained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 20, 2015","CareFirst BlueCross BlueShield","","Maryland","HACK","MED","1,100,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 21, 2015","Thomas H. Boyd Memorial Hospital","","Illinois","DISC","MED","8,300","A facility where the covered entity (CE) had stored its medical records since 1994 was sold to a third party and possession of this property was given to the new owner for five days, unbeknownst to the CE. The protected health information (PHI) involved in the breach included the clinical, demographic and financial information of 8,300 individuals. Upon discovery of the breach, the CE immediately retrieved all records at the facility. There was no evidence that the records were otherwise compromised. The CE provided breach notification to HHS, affected individuals, and the media. The CE retrained employees on its revised policies and procedures, including the proper storage of PHI and distribution of its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 22, 2015","Beacon Health System","","Indiana","HACK","MED","306,789","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.267194","-86.134902" "May 22, 2015","University of Rochester Medical Center & Affiliates","","New York","DISC","MED","3,403","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "May 28, 2015","BUFFALO HEART GROUP","","New York","DISC","MED","567","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 1, 2015","Metropolitan Hospital Center","","New York","DISC","MED","3,957","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 1, 2015","Oregon's Health CO-OP","","Oregon","PHYS","MED","14,000","A personal laptop belonging to an Oregon Health CO-OP's employee was stolen from his unattended, locked car. The laptop was unencrypted and contained the electronic protected health information (ePHI) of approximately 14,000 individuals. The e-PHI involved in the breach was demographic information and included names, addresses, social security numbers, dates of birth, health plan identification numbers, and health plan numbers. 
Following the breach, the covered entity (CE) sanctioned the employee, implemented additional technical safeguards to prevent the downloading of e-PHI onto a personal electronic device, and trained its employees on these technical safeguards. OCR provided the CE with technical assistance regarding risk analysis and risk management implementation. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 3, 2015","Rite Aid Corporation","","Pennsylvania","PHYS","MED","2,345","On April 27, 2015, rioters in Baltimore, MD broke into, vandalized, and looted eight locations of the covered entity (CE), Rite Aid, taking 2,345 filled prescriptions. The “will-call” prescriptions involved in the breach contained patients’ names, addresses, and medication names. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. All of the vandalized locations, except the one that was burned, have been re-opened with full security restored. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 3, 2015","Gallant Risk & Insurance Services, Inc.","","California","PHYS","MED","995","On April 4, 2015, laptop computers belonging to the business associate (BA), Gallant Risk & Insurance Services, Inc., were stolen due to an office break-in. The breach affected 995 individuals’ protected health information (PHI), including a combination of individuals’ names, addresses, dates of birth, social security numbers, group policy numbers, and insurance identification numbers. 
The BA reported the incident to local law enforcement and to the affected covered entities. In response to OCR’s investigation, the BA ensured the proper breach notifications were provided, increased physical security, increased technical safeguards for electronic PHI (such as utilizing additional encryption), and adopted HIPAA policies and procedures. OCR obtained documented assurances that the BA implemented these corrective steps. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "June 4, 2015","Lancaster County EMS","","South Carolina","PHYS","MED","50,000","A safe containing two unencrypted computer flash drives and two unencrypted hard drives went missing from the administration building of covered entity (CE), Lancaster County EMS. The protected health information (PHI) stored on the missing hard drives and flash drives included patients' names, addresses, dates of birth, social security numbers, medications, medical histories, medical treatment, and healthcare insurance information for 55,000 individuals. The CE provided breach notification to HHS, the 55,000 affected individuals, and the media. In response to the breach, the CE implemented universal controls to ensure that only the CE's devices can connect to its network. The CE also implemented security controls and physical safeguards to further restrict access to its server room. In addition, the CE implemented video security system monitoring of its server room. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","33.836081","-81.163725" "June 4, 2015","Stanislaus Surgical Hospital","","California","PHYS","MED","1,170","On April 4, 2015, two paper binders containing the protected health information (PHI) of up to 1,166 individuals were stolen from one of the covered entity’s (CE) facilities along with several other items that did not contain PHI. The type of PHI involved in the breach was financial information. The CE filed a formal police report and police identified two potential suspects. The CE provided breach notification to HHS, affected individuals, and the media and offered credit monitoring to all individuals affected. Following the breach, the CE improved physical security for the facility and the locked file cabinets that contain PHI and updated security procedures for employees’ access to the premises. It also converted its payment system to a paperless, all electronic system and implemented an encryption requirement for all information that is stored on a shared drive. The CE also trained all employees on the changes to its security policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Desktop Computer, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 5, 2015","Fred Finch Youth Center","","California","PHYS","MED","6,871","Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 9, 2015","Truman Medical Center, Incorporated","","Missouri","DISC","MED","503","An employee of the covered entity (CE), Truman Medical Center, found a list of patients on the internet. The list contained names, addresses, and internal identification numbers for 503 of the CE's patients. The CE determined that the list was posted to a file transfer protocol (FTP) site by the public relations department and was a mailing list used to notify patients that a clinic was moving to a new location. The list was available on the internet from September 2012 until March 2015. The CE provided breach notification to HHS, affected individuals and the media, and provided substitute notice on its website. Following the breach, the CE immediately removed and deleted the patient list from the FTP site and reviewed the other information posted on the site. The CE improved safeguards by enabling the public relations employees to send encrypted emails and providing instructions on how to use secure email. The CE also required additional training for workforce members in the public relations department. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 9, 2015","Keystone Pharmacy, Inc.","","Maryland","DISC","MED","500","On April 27, 2015, rioting broke out in Baltimore, MD and the covered entity (CE), Keystone Pharmacy, was broken into, vandalized and looted. Multiple prescriptions and stock bottles of narcotics were taken. About 150 prescription bags containing patient names and the medications were stolen. The types of protected health information (PHI) contained on the prescriptions included names, addresses, and prescription information. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring. The location was immediately secured. The CE installed a new front door and upgraded the security system. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 9, 2015","California Physicians' Service d/b/a Blue Shield of California","","California","DISC","MED","843","On May 18, 2015, the covered entity (CE), Blue Shield of California, discovered that several authorized users who logged into their accounts were able to access the protected health information (PHI) of individuals who were not affiliated with their line of business due to a faulty update to the restricted web portal. The PHI of 843 individuals was affected and included names, addresses, birthdates, social security numbers, and other identifiers. The CE provided breach notification to HHS, affected individuals, and the media. 
In response to the breach, the CE disabled the portal, deployed a patch code to correct the problem, and improved the code testing process. The CE also sanctioned the developer who failed to follow the code merge process. OCR reviewed the CE’s HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation, and obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 10, 2015","United Seating and Mobility, LLC d/b/a Numotion","","Connecticut","PHYS","MED","2,722","On March 26, 2015, a break-in occurred at the Tacoma, Washington branch office of Numotion, the covered entity (CE). The items stolen included five laptop computers that accessed service work orders, quotes, labor guides and delivery checklists. The breach affected 2,722 individuals' protected health information (PHI) and included names, addresses, phone numbers, and the serial numbers of customer equipment. Some documents may have also contained dates of birth, insurance policy numbers, or diagnosis codes. The stolen laptops required a password to obtain access to information. The CE provided breach notification to HHS, affected individuals, and the media. It also offered affected customers one year of free credit monitoring. The CE was able to successfully wipe the data from two of the computers via remote access. As a result of this investigation, the CE updated its password policy and completed full disk encryption of computer hard drives in all its locations. OCR provided technical assistance to the CE on conducting a compliant Security Rule risk analysis. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 10, 2015","Implants, Dentures & Dental","","Nevada","PHYS","MED","12,000","Implants, Dentures and Dental, Inc., the covered entity (CE), reported that on June 8, 2015, its computer server was removed from its facility without its consent. The CE reported that it worked with law enforcement to investigate the incident. The server contained the electronic protected health information (ePHI) of approximately 12,000 individuals. The types of ePHI involved in this incident included digital x-rays, demographic, financial, and clinical information. Following the removal of the server, the CE's employees were unable to access practice management software. In response to the incident, the CE reported that it adopted encryption technologies, changed passwords, and strengthened password requirements. Additionally, the CE revised its business associate (BA) contracts, as the removal of the server was related to a complicated BA arrangement. The CE also reported that it implemented new technical safeguards, improved physical security, performed risk assessments, and provided workforce members and business associates with additional HIPAA training. Following OCR’s investigation of the incident, the CE reported that it had closed its business. OCR independently confirmed that the CE is no longer open for business. 
Location of breached information: Electronic Medical Record, Laptop, Network Server, Other, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 11, 2015","The Department of Aging and Disability Services","","Texas","DISC","MED","6,600","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 12, 2015","National Seating & Mobility, Inc.","","Tennessee","PHYS","MED","9,627","On April 14, 2015, two unencrypted tablet computers, a smartphone, and a backpack containing paper files were stolen from two company vehicles of the covered entity (CE), National Seating & Mobility, Inc. The breach involved the protected health information (PHI) of 9,627 individuals and included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE revised its policies and procedures, encrypted its desktop, laptop and tablet computers and employed remote wiping and tracking technology. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email, Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 12, 2015","Global Care Delivery, Inc.","","Texas","PHYS","MED","18,213","Five password-protected, but unencrypted laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System in September 2014. 
The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained social security numbers), and diagnoses and/or treatment codes related to claims. The BA notified police at the time of the incident, but did not notify the CE until May 11, 2015. The BA retained Knoll, Inc. to assist with individual notification and provide call center services to answer questions from individuals impacted by the breach. Breach notification was provided to HHS and affected individuals, and the BA offered complimentary one-year identity theft protection services. The business relationship between the CE and BA ended effective May 11, 2015. The BA has closed its business. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 15, 2015","St. Martin Parish School Based Health Centers","","Louisiana","PHYS","MED","3,000","On June 15, 2015, St. Martin Parish School Based Health Centers reported a breach at one of its clinics, Cecilia School Based Health Center (CSBHS). The covered entity (CE) experienced a breach of protected health information (PHI) affecting 3,000 individuals when four desktop computers, one laptop, a wireless router, and several printers were stolen during an office break-in on April 30, 2016. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media. As a result of this incident, the CE conducted a post-incident risk analysis and directed staff to change and update all passwords. The CE also remotely disabled the login capability for each computer. The CE improved physical security at the CSBHS facility. 
In addition, the CE stated that no data is stored locally on its computers. OCR obtained assurances from the CE that it implemented the corrective actions listed above. Location of breached information: Desktop Computer, Electronic Medical Record, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 17, 2015","University of California Irvine Medical Center","","California","DISC","MED","4,859","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 19, 2015","Central Brooklyn Medical Group, PC","","New York","DISC","MED","4,223","Between January 1, 2015 and April 18, 2015, a physician employed by the covered entity (CE), Central Brooklyn Medical Group, PC, impermissibly disclosed the protected health information (PHI) of approximately 500 patients to his former medical assistants via facsimile on multiple occasions. On one occasion, the physician accidentally transposed digits in the intended facsimile number and disclosed the PHI of 88 patients to an unrelated third party. The types of PHI involved in the breach included patients’ names, ages, sex, appointment dates, times and reasons for visits, treating physician’s names, and medical conditions. The CE sent breach notification letters to 4,135 patients who had been scheduled to see the physician in the year prior to the breach because the CE could not identify which specific patients were affected; however, they were most likely within this group. The CE also provided breach notification to HHS and the media. Upon discovery of the breach, the CE confirmed the destruction of any PHI possessed by the unrelated third party and the medical assistant and sanctioned the physician. 
The CE also retrained its workforce members regarding HIPAA compliance, including the CE’s policy regarding communications via facsimile. OCR obtained assurances that the CE implemented the corrective actions listed above. In addition, the CE reported the physician to the State Office for Professional Medical Conduct. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 24, 2015","Heartland Dental, LLC","","Illinois","HACK","MED","2,860","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 25, 2015","Episcopal Health Services Inc. d/b/a St. John's Episcopal Hospital","","New York","PHYS","MED","509","OCR opened an investigation of the covered entity (CE), Episcopal Health Services Inc., d/b/a St. John’s Episcopal Hospital, after it reported that its business associate's (BA) employee sold 509 patients' data to unknown persons. The protected health information (PHI) included patients’ names, addresses, dates of birth, gender, email addresses, social security numbers, account numbers, dates of service, medications, insurance information, diagnoses, billing codes, and reasons for treatment. The BA, Zotec Partners, LLC, d/b/a Medical Management LLC, also filed a separate breach report. As a result of the breach, the BA transitioned to an improved billing system that offers more security controls, implemented software for tracking and monitoring access and user activity, and masked social security numbers from employees whose job duties do not require full access. In addition, the BA conducted updated training on the Privacy and Security Rule standards for all employees. 
OCR obtained assurances for this case that the BA implemented the corrective actions noted above and also opened a separate investigation of the BA. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 26, 2015","CVS Health","","Rhode Island","PHYS","MED","12,914","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "June 26, 2015","Meritus Medical Center, Inc.","","Maryland","DISC","MED","1,029","The covered entity (CE), Meritus Medical Center, reported that an audit revealed that a vendor’s employee (from Walgreens pharmacy) accessed the protected health information (PHI) of approximately 1,029 patients without a business need to do so. The types of PHI potentially accessed included demographic information such as names, dates of birth, medical record numbers and, in some instances, health insurance information or Medicare identification numbers, as well as clinical information. The CE confirmed that it terminated the employee’s access to the electronic health record (EHR) and escorted the employee from the Meritus campus. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. The CE implemented a new system for implementing technical measures so that the vendor’s employees’ access is limited to a separate system that interfaces with the EHR and pulls only limited patient information specifically related to those patients receiving Walgreens’ services. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 2, 2015","UPMC Health Plan","","Pennsylvania","DISC","MED","722","An employee of the covered entity (CE), UPMC Health Plan, inadvertently sent an unsecure email with protected health information (PHI) to an incorrect, third-party email address. The breach included the electronic PHI of 722 individuals and included names, dates of birth, member identification numbers, phone numbers, types of insurance, and members' primary care providers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff members. OCR reviewed UPMC Health Plan’s risk analysis to ensure compliance with the Security Rule and obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 2, 2015","Orlando Health","","Florida","DISC","MED","3,421","The covered entity (CE), Orlando Health, discovered during audit on May 27, 2015, that an employee was accessing protected health information (PHI) outside the scope of her employment. The PHI contained the names, dates of birth and clinical records of 3,421 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice. In response to the breach, the CE retraining employees. In addition, the CE offered credit monitoring to the affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the employee involved in the incident was terminated. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 3, 2015","University of Oklahoma, Department of Obstetrics and Gynecology","","Oklahoma","PHYS","MED","7,693","An unencrypted, password-protected laptop computer was stolen from a resident physician’s car. The laptop contained the electronic protected health information (ePHI) of approximately 7,693 individuals and included patients’ names, dates of birth, medical procedure dates, medications, lab results, admission and discharge dates, treating physicians’ names, and treatment plans. The covered entity (CE), University of Oklahoma, provided breach notification to HHS, affected individuals, and the media. It also offered identity protection services to affected individuals and posted substitute notice on its website. Following the breach, the CE retrained the resident physicians on its encryption policies and procedures and counseled and sanctioned the involved resident. As a result of OCR’s investigation, the CE developed a policy on encryption of laptops for all first-year residents. It also instituted a requirement for all first-year residents to disclose all laptops, tablets, and smartphones to be used for the CE’s business and to ensure they are encrypted by the CE’s representatives. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 3, 2015","FireKeepers Casino Hotel","","Michigan","HACK","MED","7,666","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","44.314844","-85.602364" "July 8, 2015","Georgia Department of Human Services","","Georgia","DISC","MED","2,983","Georgia Department of Human Services, the covered entity (CE), discovered that on June 8, 2015, an employee emailed a password protected spreadsheet containing protected health information (PHI) to three recipients at a contractor of the CE for research purposes. The contractor was not considered a business associate of the CE. The CE investigated and determined that the spreadsheet contained PHI for 2,983 individuals, including full names, general geographic areas of residence, internal identification numbers, dates of most recent medical assessments, and the diagnoses associated with those assessments. The CE obtained assurances from the recipients that all versions of the spreadsheet and corresponding email chains were deleted and not accessed by anyone else. The CE provided timely breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained its workforce, revised its policies and procedures, improved its training program, and implemented additional clearance and approval requirements for the sharing of data. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","32.165622","-82.900075" "July 8, 2015","Massachusetts General Hospital","","Massachusetts","DISC","MED","648","An employee of the covered entity (CE), Massachusetts General Hospital, sent an unencrypted e-mail to the incorrect e-mail address. The e-mail contained the protected health information (PHI) of 648 individuals. The types of PHI involved in the breach included names, dates of birth, medical record numbers and social security numbers. Following the breach, the CE sanctioned the employee in question and changed its policy to use a secure storage application instead of e-mail to send PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","42.407211","-71.382437" "July 10, 2015","Integral Health Plan, Inc.","","Florida","DISC","MED","7,549","The covered entity (CE), Integral Health Plan, Inc., discovered on May 15, 2015, that its business associate (BA), Independent Living Solutions LLC, sent Explanation of Benefits (EOBs) information to incorrect network providers. The EOBs contained patients' names, dates of birth, Medicaid identification numbers (if applicable), and diagnosis and procedure codes, affecting 7,549 individuals. The CE had a BA agreement in place with the BA since July 2013. The CE provided breach notification to HHS, affected individuals, and the media, and also posted notice on its website. In response to the breach, the CE provided additional training material to its BA. In addition, the CE and BA revised payment processes to implement a two-step verification process before material is mailed. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","27.664827","-81.515754" "July 10, 2015","Howard University","","District Of Columbia","DISC","MED","1,445","On May 6, 2015, business associates (BAs) sent out 1,445 misdirected collection letters on behalf of the covered entity (CE), Howard University Faculty Practice Plan. The types of protected health information (PHI) involved in the breach included names, account numbers, and dates of service. The BAs involved in the CE's collections efforts included California Healthcare Medical Billing, Inc. (“CHMB”) and JP Recovery Services, Inc. (“JPRS”). The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website. Following the breach, CHMB developed policies and procedures to enhance its quality assurance process for reports containing PHI. The JPRS IT staff worked closely with the CE to ensure that all future placement data files are verified as correct prior to downloading them into the collection system. The CE provided OCR with copies of the BA agreements between the CE and the two BAs. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","38.907192","-77.036871" "July 10, 2015","Amsterdam Nursing Home Corporation (1992)","","New York","PHYS","MED","621","OCR opened an investigation of the covered entity (CE), Amsterdam Nursing Home Corporation (1992), after it reported that on January 31, 2015, some of its protected health information (PHI) stored at its business associate (BA), Citistorage, LLC, may have been impermissibly disclosed during efforts to extinguish a fire. The incident affected 621 individuals. The types of PHI involved in the breach included residents’ names, addresses, dates of birth, health insurance information, social security numbers, and information about health status and treatment. The CE provided breach notification to HHS, affected individuals, and the media and posted a substitute notification on its website. As a result of OCR’s investigation, the CE recorded the impermissible disclosure of the affected individuals’ PHI for accounting of disclosure purposes, reminded the BA of its notification obligations as set forth in the BA agreement, and obtained written assurances from the BA that the BA is in compliance with all relevant building and safety codes. The CE also re-issued HIPAA-compliant breach notification letters to the affected individuals residing in Massachusetts. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.712784","-74.005941" "July 13, 2015","Mayo Clinic Health System- Red Wing","","Minnesota","DISC","MED","601","On May 18, 2015, an access audit revealed that the covered entity's (CE) employee accessed patients’ electronic medical records beyond the scope of authorized access and assigned job responsibilities. 
The CE discovered that the unauthorized access dated back to 2009. The breach affected approximately 601 individuals and the types of protected health information (PHI) involved in the breach included patients' diagnoses and medical conditions. The CE provided breach notification to HHS, affected individuals, and the media. During OCR’s investigation, the CE retrained the revenue department in its Red Wing SE Minnesota Region on its privacy rules. OCR obtained written assurances that the CE implemented the corrective action steps listed above. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","46.729553","-94.685900" "July 14, 2015","Maricopa Special Health Care District - Maricopa Integrated Health System","","Arizona","PHYS","MED","633","A medical resident lost an unencrypted thumb drive that contained the names, dates of birth, and clinical information or diagnoses of 633 patients selected for a chart review. The covered entity (CE), Maricopa Integrated Health System, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE comprehensively reviewed its privacy and security practices and updated its HIPAA policies and procedures. It sanctioned and retrained the medical resident and retrained other workforce members on its HIPAA security procedures. OCR’s investigation resulted in the covered entity improving its HIPAA practices. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","34.048928","-111.093731" "July 14, 2015","Arkansas Blue Cross and Blue Shield","","Arkansas","PHYS","MED","560","On June 16, 2015, two unencrypted desktop computers containing the protected health information (PHI) of approximately 560 individuals were stolen from the business associate (BA), Treat Insurance Agency, at its North Little Rock offices. The BA is an insurance broker that solicits and submits applications for health insurance coverage to the covered entity (CE), Arkansas Blue Cross and Blue Shield. The types of PHI involved in the breach included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media. OCR reviewed the BA agreement in place between the CE and the BA and determined that the BA agreement was compliant with 45 C.F.R. §§ 164.314 and 164.504. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 17, 2015","University of California, Los Angeles Health","","California","HACK","MED","4,500,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 20, 2015","Special Agents Mutual Benefit Association","","Maryland","HACK","MED","1,475","OCR closed this investigation and consolidated this review into a compliance review that involves the same hacking incident involving CareFirst BlueCross BlueShield. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 22, 2015","Montefiore Medical Center ","","New York","PHYS","MED","12,517","Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 23, 2015","Medical Informatics Engineering","","Indiana","HACK","MED","3,900,000","Location of breached information: Electronic Medical Record, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 24, 2015","Urology Associates, Professional Corporation","","Montana","DISC","MED","6,500","The covered entity (CE), Urology Associates, reported that 6,500 individuals were affected by a breach that occurred when unknown individuals broke into a locked storage unit at a secure storage facility where it stored medical records. The boxes containing the medical records had clearly been rifled through, but there was no indication that records were removed. The CE provided breach notification to HHS, affected individuals, and the media. It also provided one year of free credit monitoring to affected individuals. Following the breach, the CE removed the medical records from the storage facility and shredded them after scanning them into a secure encrypted computer database. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 24, 2015","Healthfirst Affiliates that include Healthfirst PHSP, Inc., Managed Health, Inc., HF Management Services, LLC, and Senior Health Partners ","","New York","HACK","MED","5,338","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 24, 2015","Advanced Radiology Consultants, LLC","","Connecticut","DISC","MED","855","A patient scheduler of the covered entity (CE), Advanced Radiology Consultants, emailed 754 patients’ protected health information (PHI) from her work email account to a personal email account in order to keep a separate record for any performance issues. An additional 100 patients were affected by the breach because the scheduler had access to PHI about them in emails and a USB device (854 total individuals affected). The PHI involved in the breach included patients’ names, dates of birth, phone numbers, account balances, insurance information, treatment and examination information, appointment dates and times, appointment notes, and referring physicians’ information. Following discovery of the breach, the CE sanctioned the workforce member and requested that she delete the PHI she sent to her personal email account. The CE also provided breach notification to HHS, affected individuals, and the media, and provided individuals with credit monitoring services at no cost. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 24, 2015","OhioHealth","","Ohio","PHYS","MED","1,006","On May 29, 2015, the covered entity (CE), OhioHealth, discovered that an unencrypted portable computer drive (“thumb drive”) was missing. This breach affected approximately 1,006 individuals. The types of protected health information (PHI) involved in the breach included patients’ names, medical record numbers, names of insurance companies, addresses, dates of birth, physicians’ names, referral and treatment dates, type of procedures, and in certain limited instances, clinical information and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned and retrained the employee who lost the thumb drive, suspended use of thumb drives in the involved department, and retrained employees. The CE also revised its policies on mobile storage device security and usage and on disposition of thumb drives. Additionally, the CE encrypted mobile storage devices and revised and launched annual compliance education for its employees. OCR obtained documentation that the CE implemented the corrective action steps noted above. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 28, 2015","The McLean Hospital Corporation","","Massachusetts","PHYS","MED","12,673","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "July 29, 2015","East Bay Perinatal Medical Associates","","California","DISC","MED","1,494","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "July 29, 2015","Prima CARE, PC","","Massachusetts","DISC","MED","1,651","Two binders belonging to a former employee were discovered at Dave’s Beach in Fall River, MA on May 25, 2015. The binders contained the protected health information (PHI) of 1,651 patients of the covered entity (CE), Prima Care, P.C. The PHI predominantly consisted of names, dates of birth, diagnoses, admission and treatment dates, medical record numbers, and hospital account number. For three individuals, the PHI also included partial or complete social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. It also provided a dedicated telephone number for questions and free credit monitoring services to those with breached social security numbers. As a result of the breach and OCR’s investigation, the CE revised its policies and procedures related to uses and disclosures of PHI, safeguards, and the minimum necessary standard. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","42.407211","-71.382437" "July 30, 2015","Sioux Falls VA Health Care System","","South Dakota","PHYS","MED","1,111","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","43.969515","-99.901813" "July 31, 2015","Siouxland Anesthesiology, Ltd.","","South Dakota","HACK","MED","13,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","43.969515","-99.901813" "July 31, 2015","North East Medical Services (NEMS)","","California","PHYS","MED","69,246","The covered entity (CE), North East Medical Services, reported that on July 11, 2015, an unencrypted laptop computer used to store electronic protected health information (ePHI) was stolen from the trunk of a workforce member’s car. At the time of the breach, the laptop stored ePHI associated with 69,246 individuals. The ePHI included patients’ names, dates of birth, genders, contact information, payers/insurers, diagnoses, medications, treatment information, test results, appointment information, and, in some cases, social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE implemented encryption technology. It also updated relevant policies and procedures, including its policy on the use of encryption technology and strengthened password requirements for access to ePHI. 
Additionally, the CE sanctioned the workforce member responsible for the breach and provided additional training to all workforce members on its policies and procedures on uses and disclosures of PHI and encryption technology. In response to OCR’s investigation, the CE performed an updated Risk Analysis. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "August 3, 2015","Orlantino Dyoco, M.D.","","California","PHYS","MED","9,000","The covered entity (CE) reported to OCR that its office was burglarized, and a laptop and desktop computer, as well as its backup data were stolen. The computers contained the protected health information (PHI) of approximately 9,000 individuals. The PHI involved in the breach included names, addresses, dates of birth, some social security numbers, and claims information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE strengthened its physical safeguards, encrypted its computers, and began storing its backup data at an off-site encrypted server. OCR’s investigation resulted in the CE undertaking a new risk analysis and risk management plan and enhancing its practices for safeguarding PHI and ePHI. Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "August 4, 2015","VA Black Hills Health Care System","","South Dakota","DISC","MED","1,168","The covered entity (CE), Veterans Affairs, reported that between May 15 and 17, 2015, paper records containing protected health information (PHI) were left in an outside trash dumpster on its Hot Springs campus. 
The breach affected 1,168 individuals and involved names, partial and full social security numbers, addresses, and dates of birth. Following the breach, the CE destroyed the records. Although the CE complied with its breach notification requirements, as a result of OCR’s substantial technical assistance, it initiated a revision of its breach notification procedure. The CE also offered credit monitoring to the 980 veterans whose full social security numbers were potentially breached. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 5, 2015","Lawrence General Hospital","","Massachusetts","PHYS","MED","2,071","The covered entity (CE), Lawrence General Hospital, discovered that a portable computer drive (a ""thumb"" drive), which was not encrypted or password-protected, was missing following a theft in the laboratory. The protected health information involved included names, laboratory testing codes, and slide identification numbers, affecting 2,071 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE eliminated the need to use a thumb drive in the pathology laboratory and accelerated the completion of reconfiguring all compatible computer ports (""USB"" ports) to disable the use of unencrypted thumb drives. The CE also implemented new procedures to monitor the receipt of media and devices. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","42.407211","-71.382437" "August 7, 2015","T.J. 
Samson Community Hospital","","Kentucky","DISC","MED","2,060","The covered entity (CE), TJ Samson Community Hospital, discovered that on June 8, 2015, it had sent an advertisement email to 2,060 patients that inadvertently exposed the names and email addresses of the recipients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE drafted a new policy which details the internal use of its patient portal to communicate with patients. It also counseled its marketing staff on disseminating information. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 7, 2015","Max M Bayard MD, PC","","Vermont","PHYS","MED","2,000","Two unencrypted laptops and one portable storage device (thumb drive) were stolen during a burglary on August 5, 2015. They collectively contained the electronic protected health information (ePHI) of 2,154 individuals. The ePHI involved in the breach included names, dates of birth, insurance information, social security numbers, dates of treatment, types of treatment, and diagnoses. Following the breach, the office of Dr. Bayard, the covered entity (CE), notified HHS, the individuals affected by the breach, and the media. The CE provided individuals with identity protection services and credit monitoring services at no cost. As a result of OCR’s investigation, the CE implemented facility access control policies and procedures and installed an office alarm system and four surveillance cameras. The CE also encrypted computer workstations and initiated a requirement for the use of privacy screens and a locked storage room when the equipment is not in use. 
Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 7, 2015","Baylor College of Medicine","","Texas","PHYS","MED","1,004","A physician’s backpack containing five unencrypted portable data drives and a handwritten notebook with the protected health information (PHI) of approximately 1,004 pediatric patients was stolen from an automobile. The types of PHI involved in the breach included names, dates of birth, hospital medical record numbers, types of surgery performed, and treating physicians’ names. One of the drives contained surgical images of twenty patients. The breach affected approximately 876 patients of Texas Children's Hospital (TCH) and 128 patients of Memorial-Hermann. The physician, a surgical fellow for the covered entity (CE), Baylor College of Medicine, reported the theft to the police and notified TCH. TCH initiated an investigation and notified the CE of the breach on July 15, 2015. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE distributed an acknowledgment and attestation document to each medical resident and fellow addressing the CE’s patient privacy and security policies, including incident reporting procedures. Due to OCR’s involvement, all residents, fellows and learners are required to complete the acknowledgment and attestation at the beginning of each academic year. The CE also initiated a policy to require the acknowledgment and attestation to be included in each graduate medical education program participant’s contract at the beginning of each academic year. 
Location of breached information: Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 7, 2015","Walgreen Co.","","Illinois","DISC","MED","8,345","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 14, 2015","Endocrinology Associates, Inc.","","Ohio","DISC","MED","1,400","OCR opened an investigation of Endocrinology Associates, the covered entity (CE), after it reported that on June 15, 2015, and June 19, 2015, it discovered that an unauthorized individual had broken and removed the lock securing a portable on demand (POD) storage container that held the protected health information (PHI) of approximately 1,400 individuals. The PHI included individuals’ names, addresses, dates of birth, social security numbers, lab results, diagnoses, and clinical information. The CE provided notification of the breach to the individuals affected by the breach, HHS, and the media. Following the breach, the CE reported the incidents to the local police department, enhanced the physical safeguards applied to the POD storage container, and retrained workforce members on its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 17, 2015","Cancer Care Northwest","","Washington","PHYS","MED","1,426","A workforce member of the covered entity (CE), Cancer Care Northwest, lost a paper binder containing protected health information (PHI). 
The binder was likely thrown away with the garbage when it was not properly safeguarded in an otherwise secure office. Approximately 1,426 individuals were affected by this breach. The PHI included names, dates of birth, diagnoses/conditions and other treatment information. To prevent a similar breach from happening in the future, the CE instructed the workforce member to only take notes electronically and retrained the workforce member on its HIPAA policies. The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft and fraud protection services to affected individuals. OCR obtained assurances that the CE implemented these corrective actions. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 18, 2015","Colorado Department of Health Care Policy and Financing","","Colorado","DISC","MED","1,622","Between May 25, 2015 and July 5, 2015, the Governors’ Office of Technology, a business associate (BA), sent letters containing protected health information (PHI) on behalf of the covered entity (CE), the Colorado Department of Health Care Policy and Financing, to the wrong Medical Assistance Program clients due to a technical error in the BA’s computer system. The breach affected up to 3,537 individuals, and the types of PHI involved (which varied from household to household) included names, addresses, state identification numbers, Medicaid case numbers, employers’ names, amount of income, amount of approved Advanced Premium Tax Credit, approvals/denials for the Medical Assistance Program, and dates of birth. The CE provided breach notification to HHS, affected individuals, and the media. 
To prevent a recurrence of this type of incident, the BA’s subcontractor, Deloitte, fixed the software that is used for the Colorado Benefits Management System to ensure that the CE’s letters are addressed to the appropriate recipients, and implemented additional procedures for quality control of mailings. OCR obtained written assurances that the CE, BA and its subcontractor implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 20, 2015","Empi Inc and DJO, LLC","","Minnesota","PHYS","MED","160,000","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 21, 2015","Pediatric Group LLC","","Illinois","HACK","MED","10,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 21, 2015","PT Northwest, LLC","","Oregon","DISC","MED","1,500","The covered entity (CE), PT Northwest, LLC inadvertently emailed a questionnaire to patients that was copied to 1,500 patients. The e-mail should have been distributed to recipients as a blind carbon copy. Some of the e-mail addresses contained patients' names. Following the breach, the CE sanctioned the employee who was responsible for the impermissible disclosure. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE conducted companywide annual HIPAA training, and started the process of conducting in person follow-up HIPAA trainings to be completed by December 2015. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 24, 2015","Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A.","","Florida","PHYS","MED","13,000","On June 25, 2015, the Tampa Police Department notified the covered entity (CE), Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A., that paper printouts from their facility were found during a criminal investigation. An employee of the CE removed appointment sheets containing the names, social security numbers, dates of birth, and account numbers of 13,000 patients from the premises without authorization. The CE provided breach notification to HHS and affected individuals and set up a toll free number to answer questions. Following the breach the CE reviewed its policies and retrained staff on its HIPAA privacy and security policies. The CE also implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic PHI. The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. OCR obtained assurances that the CE implemented the corrective actions noted. The CE also terminated the involved employee's employment. The employee was criminally investigated for actions related to this breach. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 24, 2015","Lancaster Cardiology Medical Group, and Sunder Heart Institute and Vascular Medical Clinic","","California","PHYS","MED","1,200","The covered entity (CE), Lancaster Cardiology Medical Group and Sunder Heart Institute & Vascular Medical Clinic, reported that sometime between June 20, 2015, and June 21, 2015, laptop computers, desktop computers, servers, and other portable electronic devices were stolen from its facility during a burglary. Approximately 2,071 individuals were affected by this breach. The types of electronic protected health information (ePHI) involved in the breach included clinical and demographic information. Following the breach, the CE promptly reported the incident to law enforcement. It provided breach notification to HHS, affected individuals, and the media. As a result of this incident, as well as OCR’s corresponding investigation, the CE implemented a plan to encrypt all ePHI stored on its devices. The CE also implemented additional physical safeguards, which included the installation of new locks and improved video surveillance. The CE updated its policies and procedures addressing administrative, technical, and physical safeguards. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Desktop Computer, Laptop, Network Server, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 26, 2015","Children's Hospital Medical Center of Akron","","Ohio","PHYS","MED","7,664","The covered entity (CE) reported that a hard drive was missing that contained approximately 1,800 hours of voice recordings that were communications between dispatchers and medical staff prior to or during medical transport between September 18, 2014, and June 3, 2015. The hard drive was not searchable without a separate application and many of the recordings did not contain protected health information. The hard drive was missing from the CE's locked, secure area. The breach affected 7,664 individuals and included clinical and demographic information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovery of the breach, the CE installed a security camera in the area the hard drive was located, ceased storing back-up transport voice recordings on a mobile device, encrypted all mobile devices, and retrained staff. OCR obtained documentation that the CE implemented the compliance actions listed. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 26, 2015","ROBERT SOPER, M.D.","","California","PHYS","MED","2,000","On June 27, 2015, the covered entity (CE), Robert Soper, M.D., discovered that electronic protected health information (ePHI) he was maintaining had been breached when a desktop computer was stolen from the trunk of his car. Approximately 2,000 individuals’ ePHI was affected by the breach. 
The breach affected the following types of ePHI: patients' names, dates of birth, phone numbers, clinical notes, and e-mails. The CE provided breach notification to HHS, affected individuals, and the media. OCR provided the CE with guidance materials and other technical assistance regarding HIPAA Security Rule compliance. In response to OCR’s technical assistance, the CE implemented a security awareness training program and encryption technology within its medical practice. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "August 26, 2015","Merit Health Northwest Mississippi","","Mississippi","PHYS","MED","846","An employee of Merit Health Northwest Mississippi, the covered entity (CE), impermissibly obtained protected health information (PHI) for identity theft and fraud purposes by photographing documents with a personal mobile device, writing patient information in a notebook, and removing paper medical records from the facility. After working with law enforcement and conducting an internal investigation, the CE determined that the stolen patient information included the names, dates of birth, addresses, social security numbers, medical record numbers, health insurance and clinical information of 847 individuals. The CE provided timely breach notification to HHS, to affected individuals and to the media. In addition, the CE offered free credit monitoring to the affected individuals and provided substitute notice on its website. In response to the breach, the CE re-trained its employees and revised its policy on the printing of social security numbers. The employee at fault for this incident is no longer employed by the CE. OCR obtained assurances that the CE has implemented the corrective actions listed above. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","32.354668","-89.398528" "August 27, 2015","Metropolitan Atlanta Rapid Transit Authority","","Georgia","DISC","MED","800","The Metropolitan Atlanta Rapid Transit Authority (MARTA), acting on behalf of its self-insured health plan, mailed 785 Voluntary Critical Illness Insurance forms to the incorrect employees. The correspondence contained protected health information (PHI) including names, addresses, social security numbers, and dates of birth. MARTA conducted a breach assessment and provided breach notification to HHS, affected individuals, and the media. In response to the incident, MARTA developed standard operating procedure for the Benefits Office for handling employees’ PHI and trained employees. Under the new procedures, the staff will not prepopulate employee forms, applications, worksheets, and confirmation statements with individually identifiable information nor will they send documents containing individually identifiable data to the internal print shop. OCR obtained assurances that MARTA implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","32.165622","-82.900075" "August 31, 2015","Minneapolis Clinic of Neurology, Ltd.","","Minnesota","PHYS","MED","1,450","On July 8, 2015, the covered entity (CE), Minneapolis Clinic of Neurology, Ltd., discovered that a laptop computer was missing from one of its clinics. The breach affected approximately 1,450 individuals and the types of protected health information (PHI) involved in the breach included patients' names and addresses. The CE provided breach notification to HHS, affected individuals and the media. 
Following the breach, the CE sanctioned the involved employee with a written warning, distributed its computer network and internet access policy to all employees, and retrained all employees ahead of its annual training. The CE also implemented policies and procedures contained in a new HIPAA Privacy and Security Handbook, increased technical and security safeguards on its mobile electronic devices, and updated the security on its virtual private network software. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","46.729553","-94.685900" "September 1, 2015","University of California, Los Angeles Health","","California","PHYS","MED","1,242","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "September 7, 2015","Lee Memorial Health System","","Florida","DISC","MED","1,508","The covered entity (CE), Lee Memorial Health System, erroneously sent a letter to about 1,600 patients with the incorrect patients’ names due to an administrative error. The CE determined that the protected health information (PHI) of 1,508 individuals was involved in the breach, including names, physicians’ names and specialties. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE reviewed the incident, determined where the breakdown occurred, and identified opportunities for improvement. Additionally, the CE improved administrative safeguards by implementing new procedures for data requests. The CE also retrained the responsible workforce members. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 9, 2015","Oakland Family Services","","Michigan","HACK","MED","16,107","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 9, 2015","Excellus Health Plan, Inc.","","New York","HACK","MED","10,000,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 11, 2015","Blue Cross Blue Shield of North Carolina","","North Carolina","DISC","MED","1,530","The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 14, 2015, that its business associate (BA), EDM Americas, had accidentally sent invoices to members that contained information for other members, affecting 1,530 individuals. The types of protected health information (PHI) in the invoice included member names, addresses, internal account numbers, group numbers, coverage dates, and premium amounts due. The CE provided breach notification to HHS, on its website and to the media. The BA sent individual notification on behalf of the CE. In response to the breach, the BA retrained its staff and revised its internal validation and quality control procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 11, 2015","Sutter Medical Foundation","","California","DISC","MED","2,302","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 14, 2015","Affinity Health Plan, Inc.","","New York","DISC","MED","721","The covered entity (CE), Affinity Health Plan, Inc., mistakenly sent renewal letters to members that contained a different member’s name and address and their children’s names and identification numbers and coverage information. The breach affected 497 heads of household and 224 children. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE placed a hold on outgoing bulk mailings. As a result of OCR’s investigation, the CE reviewed and revised the organization’s mailing procedures to ensure that they comply with minimum necessary standards, and quality standards. The CE also retrained all staff on its updated policies and procedures and on HIPAA safeguards for members’ PHI. OCR obtained assurance that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 15, 2015","Louisiana State University Health Sciences Center-New Orleans","","Louisiana","PHYS","MED","14,500","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 16, 2015","Daniel A. 
Sheldon, M.D., P.A.","","Florida","HACK","MED","2,075","On May 18, 2013, OCR received an anonymous complaint alleging that the protected health information (PHI) of the patients of the covered entity (CE), Dr. Daniel Sheldon, M.D., P.A., was accessible on the internet via Google. OCR confirmed the allegations when it identified web search results containing private medical records from a website associated with the practice. Following an investigation by OCR, the practice submitted a breach notification to HHS on September 16, 2015, in which it reported that the PHI of approximately 2,075 patients was potentially viewable online, including addresses, dates of birth, names, and clinical information. In response to the incident, the CE contacted its electronic medical record (“EMR”) hosting company, IOS Health Systems (“IOS”), which immediately secured the information and conducted an internal investigation. IOS changed the file locations of the practice’s EMR records, renamed the file structures, obfuscated file directories, conducted standard security inspections, and began an audit trail review to determine any unauthorized access to the CE's records. Additionally, the CE ensured that users did not share any documents or links via non-secure methods, changed all passwords for all users, confirmed username and password confidentiality policies with all employees, ensured proper antivirus and spyware applications were installed, and verified that its firewall was properly configured with the latest version of security upgrades. In response to OCR’s investigation, the practice provided evidence that it provided breach notification to HHS, affected individuals and the media, and offered identity theft protection services. It also terminated its relationship with its EMR system hosting company, IOS, and entered into a revised business associate agreement with a new EMR hosting company. Finally, the CE created new policies regarding its breach notification procedures. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 17, 2015","Health Care Service Corporation","","Illinois","PHYS","MED","501","This case has been consolidated with another review of the same covered entity. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 18, 2015","Molina Healthcare","","California","PHYS","MED","54,203","A former employee of the covered entity’s (CE) business associate (BA), CVS Health, impermissibly exfiltrated the CE’s member information from its systems and saved the protected health information (PHI) onto his personal computer. The PHI involved in the breach included full names, member identification numbers, health card numbers, plan codes and states, and start and end dates. The breach affected approximately 54,203 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notification. The CE also offered individuals one year of free identity theft protection membership. As a result of this incident, the CE required the BA to improve safeguards by enhancing security for the BA’s fraud management tool and databases containing PHI, and updating its security procedures. OCR reviewed the CE’s policies, procedures, and/or documentation related to impermissible disclosures, safeguards, business associates, and breach notification and obtained assurances that the BA implemented the corrective actions listed above. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 21, 2015","Heartland Health Clinic","","Virginia","HACK","MED","3,650","Heartland Clinic is not a covered entity as defined by the Privacy Rule. All patients are self pay. Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","37.431573","-78.656894" "September 21, 2015","Skin and Cancer Center of Arizona","","Arizona","DISC","MED","3,311","OCR investigated the covered entity (CE), Skin and Cancer Center of Arizona, after the CE reported a breach of 3,311 individuals’ protected health information (PHI) that it learned about on July 29, 2015. A former employee possessed PHI from the CE's office, which was further disclosed to the former employee’s new employer after her employment ended on March 18, 2015. The breach affected patients' names, dates of birth, telephone numbers, insurance company names, and reasons for appointment(s). The CE provided breach notification to HHS, affected individuals, and the media. In response to OCR’s contact in this matter, the CE retrieved all the breached PHI, ensured the former employee and the former employee’s new employer no longer had copies of the PHI, and that they ceased from further use or disclosure of the PHI. The CE also took steps to retrain workforce members, implemented regular workforce HIPAA reminders, and increased the physical security of its employee workspace. OCR obtained documentation that the CE implemented these corrective actions. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","34.048928","-111.093731" "September 24, 2015","Barrington Orthopedic Specialists, Ltd","","Illinois","PHYS","MED","1,009","On August 18, 2015, an employee of the covered entity (CE), Barrington Orthopedic Specialists, Ltd., discovered that a laptop and an electromyography (EMG) machine were stolen from her vehicle. The laptop and the EMG machine contained the names, dates of birth, and clinical and demographic information of approximately 1,009 individuals. The CE provided breach notification to HHS, affected individuals, and the media. It also filed a police report. To prevent similar breaches from happening in the future, the CE added additional units to its inventory, and stopped transporting EMG machines. The CE also retrained and counseled the employee involved in this matter on its HIPAA policies and procedures. OCR obtained and reviewed documentation that substantiates all the CE's actions taken in response to the breach incident. 
Location of breached information: Laptop, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "September 24, 2015","Sunquest Information Systems","","Arizona","PHYS","MED","2,100","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","34.048928","-111.093731" "September 25, 2015","Silverberg Surgical and Medical Group","","California","DISC","MED","857","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 25, 2015","Kindred Nursing Centers West, L.L.C.","","California","PHYS","MED","1,125","On August 31, 2015, the covered entity (CE), Kindred Nursing Centers West, LLC, discovered that a password-protected office computer had been stolen from a locked office within its facility. The types of protected health information (PHI) contained in the computer included the names of 1,125 patients and one or more of the following: admission and discharge dates, facility names, patient ID numbers, and certain accounting-related information. The CE provided breach notification to HHS, the affected individuals, and the media. OCR obtained assurances that the CE improved its physical safeguards, revised its encryption policy, strengthened its password requirements, and retrained workforce members. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "September 30, 2015","Humana Inc [Case 18652]","","Kentucky","PHYS","MED","2,815","Humana, Inc., the covered entity (CE), discovered that on August 20, 2015, a market staff employee’s briefcase containing an encrypted laptop computer and unsecured paper documents was stolen from her locked vehicle. The CE investigated and determined that the stolen documents contained the protected health information (PHI) of 2,815 individuals, including full names, dates of birth, clinic names, and health insurance information. The CE issued new health insurance member identification numbers to affected individuals, and provided timely breach notification to HHS, to affected individuals, on its website and to the media. In response to the breach, the CE retrained its workforce, disseminated guidance material specifically addressing the proper handling and safeguarding of PHI, and revised procedures to eliminate transportation of PHI in paper format. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 1, 2015","Baptist Health and Arkansas Health Group","","Arkansas","DISC","MED","6,500","On October 1, 2015, Baptist Health and Arkansas Health Group (CE) reported a breach when a workforce member accessed and downloaded the electronic protected health information of 6,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The workforce member left the CE to conduct health care services with another CE. 
OCR determined in its investigation that the incident was not a breach, but is considered a continuation or coordination of care. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 2, 2015","Sentara Healthcare ","","Virginia","PHYS","MED","1,040","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 6, 2015","CarePlus Health Plans [case 18772]","","Kentucky","DISC","MED","2,873","On September 18, 2015, the covered entity (CE), CarePlus Health Plans, discovered that “Late Enrollment Penalty Premium Statements” mailed to members on September 11, 2015, had been mailed to incorrect members. The printing apparatus was accidentally programmed to insert two statements per envelope instead of one. The types of protected health information (PHI) involved in the mailing included the names, addresses, and identification number of 2,873 members. In response to the breach, the CE mailed correct statements, sanctioned the responsible employee, and retrained employees in the printing and correspondence department. The CE provided breach notification to HHS, to affected individuals, on its website and to the media. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 8, 2015","Insurance Data Services","","Michigan","PHYS","MED","2,918","On September 15, 2015, a zippered bag was stolen from a delivery service vehicle with month-end reports for Insurance Data Services, a business associate (BA) of the covered entity (CE), Claystone Clinical Associates. The BA reported that this breach affected 2,918 individuals. The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, balances, insurance providers, diagnostic and procedure codes, addresses, and phone numbers. The BA investigated the breach and assured that the theft was reported to the police. The BA provided breach notification to HHS, affected individuals, and the media. The BA also updated its procedures to utilize a secure client portal to transmit PHI with clients. As a result of OCR’s investigation the BA created policies and procedures relating to safeguarding PHI, using and disclosing PHI, and Breach Rule Notification and trained its staff on its policies. OCR obtained written assurances that the CE completed the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 8, 2015","Anne Arundel Health System","","Maryland","DISC","MED","2,208","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 9, 2015","Aspire Home Care and Hospice","","Oklahoma","HACK","MED","4,278","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 9, 2015","The Johns Hopkins Hospital","","Maryland","PHYS","MED","571","On October 10, 2015, the covered entity (CE), Johns Hopkins Hospital, reported that a physician’s unencrypted laptop computer storing the electronic protected health information (ePHI) of 571 individuals was stolen at an international airport with all of her belongings. The types of ePHI contained in the laptop included physicians' names, patients' names, medical record numbers, and clinical information. The CE provided breach notification to HHS, the media, affected individuals, and offered credit monitoring. The CE sanctioned the physician involved in accordance with the CE's HIPAA sanctions policy. The CE also circulated a broadcast reminder to its workforce members of their existing policy requiring all devices that contain or may contain PHI to be encrypted and password protected. OCR obtained assurances that any of the CE's portable devices that stores ePHI is required to use the CE's encryption program. Additionally, the CE submitted a copy of its most recent risk analysis and risk management program to OCR. 
They also provided OCR with information related to their new encryption program that would inform a user when he or she is out of compliance and send them to a website that would refer them to local IT administration. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","39.045755","-76.641271" "October 9, 2015","SSM Health Cancer Care","","Missouri","DISC","MED","643","The covered entity (CE), SSM Health Cancer Care, erroneously mailed letters to the addresses of other patients due to using an inaccurate electronic file. The breach affected 670 individuals and included individuals’ names and their inferred treatment relationship. The CE provided breach notification to HHS, affected individuals, and the media. The CE performed a root cause analysis to identify risk areas and opportunities to strengthen controls and also retrained the individual who had erroneously sent out the mailings. The CE also created a new policy and procedures for patient mailings. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","37.964253","-91.831833" "October 10, 2015","University of Oklahoma Department of Urology","","Oklahoma","PHYS","MED","9,300","On October 10, 2015, the covered entity (CE), University of Oklahoma Health Sciences Center, reported a breach affecting approximately 9,300 individuals. An unencrypted laptop computer used by a former physician in the Pediatric Urology program was stolen from his vehicle. 
The laptop contained protected health information (PHI) including patients’ first and last names, medical record numbers, and dates of birth, and in some cases, patients’ age, physicians’ names, and diagnosis, treatment, and/or billing codes. The CE provided the required breach notifications to HHS, affected individuals, and the media. Following discovery of the incident, the CE implemented additional technical safeguards for devices containing electronic PHI and retrained workforce members regarding safeguarding PHI. The CE also revised its physician exit interview to require physicians to attest that all PHI had been removed from personally owned devices at the time of departure. OCR obtained assurances the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 15, 2015","Centene Management Corporation","","Missouri","PHYS","MED","8,208","An employee of a business associate (BA), Centene Management Company, impermissibly downloaded several data files containing the protected health information (PHI) of 8,208 individuals to an unauthorized removable storage device and then resigned from the organization. The former employee returned his company issued laptop on March 23, 2015. However, in violation of standard procedures, the laptop was not connected to the network for processing/reimaging at the time it was returned which allowed the impermissible downloads to go undetected. On October 8, 2015, a data loss prevention tool discovered the impermissible downloads when the former employee’s laptop was connected to the network for processing. The PHI involved in the breach included names, addresses, dates of birth, medical identification numbers, and in some cases social security numbers. 
The PHI downloaded belonged to members of the covered entities, Bridgeway Health Solutions and Superior Health Plan. The BA provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. In response to the breach, the BA implemented and communicated a policy to help ensure the timely processing of returned information technology equipment. It also implemented a policy and software solution prohibiting the downloading of data to unauthorized, external storage. OCR provided technical assistance regarding the risk analysis and risk management provisions of the Security Rule. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","37.964253","-91.831833" "October 16, 2015","Nephropathology Associates, PLC","","Arkansas","DISC","MED","1,260","On July 30, 2015, a physician e-mailed a spreadsheet containing 1,260 patients’ names and clinical information to a vendor that the covered entity (CE), Nephropathology Associates, PLC, was considering for a potential project. The CE notified the hospitals that had referred its patients to the CE and provided breach notification to HHS and affected individuals. The CE did not contact the media because the impermissible disclosures affected less than 500 patients in any one state. Following the breach, the CE obtained assurances from the vendor that it destroyed all files and e-mails that it received from the CE or created using the protected health information (PHI) and that the electronic PHI (ePHI) was not copied or transferred to any other entity. As a result of this incident, the CE issued a written warning to the responsible workforce member and also retrained the employee regarding safeguarding PHI. The CE reminded workforce members to safeguard PHI, including ePHI. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","35.201050","-91.831833" "October 16, 2015","Emergence Health Network","","Texas","HACK","MED","11,100","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 19, 2015"," Woodhull Medical and Mental Health Center ","","New York","PHYS","MED","1,581","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 19, 2015","BeHealthy Florida, Inc.","","Florida","DISC","MED","835","On September 23, 2015, the covered entity’s (CE) business associate (BA), RR Donnelly, inadvertently placed individuals' health insurance claim number (HICN) on the outside of envelopes containing benefit information packets that were mailed to the CE's members. The HICN is a Medicare beneficiary's identification number and it typically contains the beneficiary's social security number. The breach affected 835 individuals. The CE, BeHealthy, Florida, provided breach notification to HHS, affected individuals, and the media. The CE discussed with the BA the development of a standard procedure for any ad hoc manual member mailings, to be used in the event automated processes are unavailable. It also made processing and procedural changes to prevent similar breaches in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 19, 2015","North Carolina Department of Health and Human Services","","North Carolina","HACK","MED","1,615","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 20, 2015","OsteoMed LP","","Texas","PHYS","MED","1,134","Upon review of information provided from the reporting entity, OCR determined that the material identified in the breach report did not meet the definition of protected health information as it was employment records (i.e., human resource data). Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 20, 2015","Huntington Medical Research Institutes","","California","DISC","MED","4,300","A workforce member took 4,300 patients’ protected health information (PHI) with her on several external computer hard drives when her employment with the covered entity (CE), Huntington Medical Research Institutes was terminated. The types of PHI involved in the breach included, variously, financial, demographic and financial information. The CE provided substitute notice, notice to the media, and notice to OCR pursuant to the requirements of the Breach Notification Rule. Following the breach, the CE worked with the workforce member’s counsel to recover the PHI in a secure manner and engaged a forensic expert to confirm that all PHI was recovered. The CE also reassigned privacy and security responsibilities and began considering the need to augment its privacy and security staff. 
The CE improved safeguards by encrypting all computer workstations, as well as phones that access PHI. In response to OCR’s investigation, the CE developed a comprehensive enterprise-wide risk analysis report and corresponding risk management plan. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 22, 2015","Indian Territory Home Health and Hospice","","Oklahoma","HACK","MED","4,500","This review has been consolidated with a review of Aspire Home Care and Hospice. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 23, 2015","EnvisionRx","","Ohio","DISC","MED","540","Due to a processing error, the business associate (BA), EnvisionRx, mailed letters to the covered entity’s (CE) members that contained other members' protected health information (PHI). The names, medications, and dates of service of 540 individuals were involved in the breach. The BA provided breach notification to HHS, affected individuals, and the media. The BA responded to the breach by implementing additional quality control procedures, updating its Breach Rule Notification policy, and training the appropriate staff. As a result of OCR’s investigation the BA updated its BA agreement with the CE, Orange-Ulster School District Health Plan. The BA also provided OCR with documentation of its corrective actions. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 23, 2015","Florida Department of Health, Children's Medical Services","","Florida","DISC","MED","500","The covered entity (CE), Florida Department of Health, Children’s Medical Services, discovered that an employee faxed an e-mail roster with all patients that needed medical supplies to each of their medical vendors. The policy is that the medical supply vendor only receives the names of patients to whom it will directly supply orthopedic supplies. The protected health information (PHI) on the e-mail roster included patients' names, dates of birth, and the insurance information of 523 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. The CE also set up a toll free telephone number to answer questions. In response to the breach, the CE ceased the practice of sending daily rosters containing patient information to vendors. The CE sanctioned and re-trained the employee involved in this breach and retrained all employees on its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 26, 2015","Bon Secours Saint Francis ","","South Carolina","DISC","MED","1,997","On July 27, 2015, the covered entity, Bon Secours St. Francis Health Systems, Inc., received a complaint that an employee was committing insurance fraud involving billing co-workers’ insurance for an experimental topical cream. 
The CE audited the electronic system containing protected health information (PHI) and concluded on October 15, 2015, that the employee accessed the PHI of 1,997 patients without a discernible professional need. The types of PHI involved in the breach included patients' names, dates of birth, addresses, diagnoses, treatment plans, and scanned insurance cards and driver’s licenses. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, re-trained staff, and assessed whether behavior-based auditing software programs would be an appropriate addition to current security measures. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee's employment. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 28, 2015","Children's Medical Clinics of East Texas","","Texas","DISC","MED","16,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "October 28, 2015","LTC Dental, P.C.","","Alabama","PHYS","MED","1,680","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","32.318231","-86.902298" "November 6, 2015","Rush University Medical Center","","Illinois","DISC","MED","1,529","On September 9, 2015, a business associate (BA), Standard Register, erroneously mailed announcements concerning a retirement for the covered entity (CE), Rush University Medical Center, which resulted in misdirected letters being sent to the wrong patients associated with the 
clinic. The breach affected 1,529 individuals and included patients’ names. The CE provided breach notification to HHS, the media, and affected individuals, and provided substitute notice on its website. The CE also entered into a BA agreement with Standard Register and created policies and procedures to establish quality measures for mass mailings. OCR obtained documentation confirming that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "November 11, 2015","Dean Health Plan","","Wisconsin","PHYS","MED","960","A mailing that contained estimate of payment (EOP) documents was damaged in transit from the covered entity’s (CE) business associate (BA), Emdeon, to a bank via United Parcel Services (UPS). On September 25, 2015, the United States Postal Service returned 31 pages of the 148 page mailing to the CE. The breach incident involved the protected health information (PHI) of approximately 960 individuals and included dates of service, member names, health plan member identification numbers, and procedure codes. The CE investigated the breach but was unable to determine who was at fault. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE worked with the BA to develop and implement procedures to reduce the number of paper documents transmitted. As a result of OCR’s investigation, OCR reviewed copies of the correspondence with the BA and UPS regarding this matter, the BA agreement, and the CE’s HIPAA policies and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 12, 2015","Good Care Pediatric, LLP","","New York","HACK","MED","2,300","OCR opened an investigation of the covered entity (CE), Good Care Pediatric, LLP, after it reported that a Trojan Horse virus affected one computer device and caused patient billing files to be accessible by unauthorized individuals online from January 1 through April 3 of 2014. The incident affected 2,300 individuals. The types of electronic protected health information (ePHI) involved included patients’ names, addresses, telephone numbers, dates of birth, and diagnosis codes. As a result of the breach, the CE shut down the external access to the unsecured computer device, conducted a full virus and malware scan of all of its computer devices, and changed passwords for its router, firewall administration, and workforce members. The CE also encrypted all patients’ billing files, retrained its workforce members with respect to its HIPAA policies and procedures, and updated its risk analysis and risk management plan. OCR provided the CE with technical assistance regarding the execution of risk analyses and the implementation of procedures for guarding against, detecting, and reporting malicious software. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 13, 2015","North Carolina Department of Health and Human Services","","North Carolina","DISC","MED","524","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 13, 2015","OH Muhlenberg, LLC ","","Kentucky","HACK","MED","84,681","Location of breached information: Desktop Computer, Email, Laptop, Network Server, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 13, 2015","HealthPoint","","Washington","PHYS","MED","1,300","The covered entity (CE) reported a breach concerning the theft of a laptop computer from its medical office. The laptop was used for eye scans and contained the names, dates of birth, and medical record numbers of 1,300 patients. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, and to prevent a similar breach from happening in the future, the CE undertook a comprehensive risk analysis, encrypted its mobile devices, and ensured that physical safeguards were in place. It also retrained employees and revised its security policies and procedures. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 13, 2015","Midlands Orthopaedics, P.A. 
","","South Carolina","HACK","MED","3,902","On September 15, 2015, the covered entity (CE), Arcis Healthcare, LLC d/b/a Midlands Orthopaedics, discovered that an unknown party identified as “Slyhacker” accessed a patient database. The database contained the names, addresses, and phone numbers of 3,902 individuals. The database was housed on a third party internet site by the CE’s business associate, PlanetHosting.com, The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE removed the database from the internet-based computer server, hired a digital forensics firm to investigate, and implemented a plan for securing this and other databases containing protected health information. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 14, 2015","UC Health, LLC","","Ohio","DISC","MED","1,064","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 19, 2015","Alaska Orthopedic Specialists, Inc.","","Alaska","PHYS","MED","553","A workforce member of the covered entity (CE), Alaska Orthopedic Specialists, impermissibly sent copies of electronic protected health information (ePHI) to a personal email account between December 18, 2014 and April 14, 2015, which potentially affected approximately 553 individuals. The ePHI included demographic, financial and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. The CE established a website, a related call center, and offered identity-theft protection at no charge. 
After discovering the breach, the CE hired a digital services consultant to investigate the matter and audit the company’s computer server and email to identify the scope and content of the breach. The CE issued a “cease and desist” letter to the former employee, demanding that the former employee take steps to secure the information and return it. The CE securely stored its remaining paper records and the computer server containing ePHI. OCR verified that business operations for the sole practitioner were officially dissolved on December 31, 2016. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 23, 2015","Cigna Home Delivery Pharmacy","","Connecticut","DISC","MED","592","A printing error affected 592 individuals, living in 13 states: The covered entity (CE) printed two customer letters on one sheet of paper (front and back) during a mailing to customers. The protected health information involved in the breach included names, mailing addresses, and medication information. The CE provided breach notification to HHS and affected individuals and provided free credit monitoring services. To prevent a printing error from occurring in the future, the CE implemented a new letter creation procedure. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 24, 2015","Pathways Professional Counseling","","Alabama","PHYS","MED","986","On September 25, 2015, an employee's unencrypted, password-protected laptop computer was stolen from his vehicle. 
The computer contained the protected health information (PHI) of 985 patients, including addresses, names, dates of birth, clinical diagnoses, financial information, social security numbers, email addresses, physician information, health insurance information, treatment information, and medication information. The CE, Pathways Professional Counseling, provided breach notification to HHS, affected individuals, and the media. In response to this breach, the CE engaged a third party to encrypt its computers and retrain employees who may use, disclose, or access PHI. It also revised its HIPAA Compliance Plan, implemented a policy requiring encryption for mobile devices before access is granted, and implemented a policy requiring reasonable security measures when employees use their own electronic devices. The CE also sanctioned the employee involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "November 25, 2015","New Dimension Group, LLC","","North Carolina","PHYS","MED","1,275","The covered entity (“CE”), New Dimensions Group, LLC, discovered that on September 29, 2015, three unencrypted flash drives were reported missing. The breach affected 1,200 individuals, and the protected health information (PHI) that was potentially exposed included names, dates of birth, social security numbers, driver’s license numbers, and clinical information. The CE provided timely breach notification to HHS, to affected individuals, and on its website. Media notification was issued to the Duplin Times and the Star News. The CE provided free credit monitoring for the affected individuals for 12 months. 
In response to the breach, the CE banned the use of flash drives, developed policies and procedures for media and device controls, and updated its policies and procedures to protect patient PHI. The CE purchased new software to encrypt emails containing PHI and trained employees on its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","35.759573","-79.019300" "November 30, 2015","Carolyn B Lyde, MD, PA","","Texas","PHYS","MED","1,500","An unencrypted, password protected laptop computer containing the protected health information (PHI) of approximately 1,500 individuals, was stolen from the covered entity (CE), Dermatology Center of Lewisville. The laptop was used as a storage device and individuals' names and images of individuals' skin conditions. As a result of OCR’s investigation, the CE adopted encryption technologies, updated its Risk Analysis, implemented its corresponding Risk Management Plan, improved physical security, and retrained its workforce members on its revised policies and procedures. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "November 30, 2015","PeaceHealth","","Washington","DISC","MED","1,407","A former PeaceHealth employee continued to access the electronic protected health information (ePHI) of the covered entity's (CE) patients through websites used for third-party prior authorization and insurance verification. Approximately 1,407 individuals were affected by the breach. 
The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses/conditions, medications, medical record numbers, and payor identification numbers. In response to the breach, the CE implemented database tracking for employees who have third party portal access, so that the database will alert management when an employee leaves employment and the portal companies will be immediately contacted to terminate access. The CE provided breach notification to HHS, affected individuals, and the media. The CE also provided one year of free credit monitoring for those individuals whose social security numbers were included in the breach. OCR provided the CE with technical assistance regarding the risk analysis and risk management provisions of the Security Rule. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","47.751074","-120.740139" "December 1, 2015","Centegra Health System ","","Illinois","DISC","MED","2,929","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.633125","-89.398528" "December 1, 2015","Cottage Health","","California","DISC","MED","11,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","36.778261","-119.417932" "December 2, 2015","University of Colorado Health","","Colorado","DISC","MED","827","On October 9, 2015, University of Colorado Health, the covered entity (CE) discovered that a nurse working in one of the CE’s network hospitals impermissibly accessed 827 individuals’ medical records between October 2014 and September 2015. 
The CE discovered the nurse’s impermissible accesses after an anonymous individual telephoned the CE’s privacy hotline regarding the nurse’s suspected conduct. To carry out these impermissible accesses, the nurse utilized the CE’s electronic health record (EHR) application. The CE provided breach notification to HHS, the media, and affected individuals. Based on the breach and OCR’s investigation, the CE sanctioned the nurse and terminated her access to the EHR. The CE also retrained nursing staff regarding use of the EHR in accordance with HIPAA. The CE has reported similar breaches to OCR, and OCR has consolidated the unresolved issues from this breach into a review along with related compliance concerns arising from the CE’s other breaches. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 3, 2015","Camelback Women's Health","","Arizona","DISC","MED","810","In early September 2015, the covered entity (CE), Camel Back Women’s Health, discovered that a former employee retained copies of 1,564 patients’ documents to solicit the CE’s patients for her own practice. The types of protected health information (PHI) in the documents included names, addresses, social security numbers, dates of birth, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE asked the former nurse practitioner to return and/or destroy all of its patients’ PHI in her possession and hired a lawyer to ensure that the former employee signed an affidavit and returned all of the documents. Additionally, the CE revised policies and procedures and retrained workforce members. 
The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 4, 2015","Middlesex Hospital","","Connecticut","HACK","MED","946","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 8, 2015","Maine General Health","","Maine","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 11, 2015","Mary Ruth Buchness, MD, Dermatologist, P.C.","","New York","DISC","MED","14,910","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 11, 2015","Northwest Primary Care Group","","Oregon","PHYS","MED","5,327","On October 13, 2015, the covered entity (CE), Northwest Primary Care Group, discovered that a former employee, prior to being terminated, had impermissibly accessed and downloaded information from a desktop computer within the facility. Local law enforcement notified the CE that the former employee had accessed and printed a fifty-two (52) page document that contained the protected health information of 5,327 individuals. 
The types of PHI contained in the document included the names of 5,327 patients, and one or more of the following: social security numbers, dates of birth, credit card and/or bank account information. The CE notified HHS, affected individuals, and the media pursuant to the Breach Notification Rule. It also offered one year of free credit monitoring to all affected individuals. Following the breach, the CE implemented technical safeguards, revised its HIPAA policies and procedures, and retrained workforce members. OCR obtained satisfactory assurances that the CE implemented the corrective actions noted above. Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 15, 2015","New Mexico Department of Health","","New Mexico","PHYS","MED","561","The covered entity (CE), New Mexico Department of Health, experienced a breach of protected health information (PHI) affecting 561 individuals when a workforce member’s laptop computer was stolen out of her locked vehicle on October 4, 2015. The laptop contained patients’ names, dates of birth, diagnoses, and medications. The CE provided breach notification to HHS and affected individuals. As a result of this incident, the CE investigated the incident, modified procedures to ensure all information technology (IT) equipment is delivered directly to the IT department and all laptops are automatically encrypted. The CE also initiated a process to identify all laptops across the enterprise that did not have full disk encryption installed and revised its security awareness training to include protection/loss prevention of mobile devices. Additionally, the CE procured a mobile device management system and a security event and incident management solution and developed an implementation schedule for these tools. 
OCR obtained assurances from the CE that it implemented the actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 15, 2015","Fidelis Care ","","New York","DISC","MED","738","The covered entity (CE), Fidelis Care, mailed Explanation of Benefits (EOB) letters to the wrong members. The EOBs contained the names, addresses, identification numbers and recent claim activities of 738 individuals. The CE provided breach notification to HHS and affected individuals and offered credit monitoring. Upon discovering the breach, the CE performed a risk assessment. As a result of OCR’s investigation, the CE revised its safeguards policy regarding the printing of documents containing protected health information (PHI) and implemented a quality review process to assist with the inspection of outgoing mail that contains PHI. Additionally, the CE sanctioned and retrained the employees involved in the breach. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 18, 2015","Physicians Health Plan of Northern Indiana, Inc.","","Indiana","DISC","MED","1,708","The covered entity (CE) mistakenly mailed protected health information (PHI) to unauthorized individuals following a folder/inserter machine error. Approximately 1,708 individuals that include all dependents of the CE's subscribers were affected by this breach. The erroneous billing statement mailing included names, addresses, PHP member identification numbers, and premium amounts. The CE provided breach notification to HHS, affected individuals, and the media. 
To prevent a similar breach from happening in the future, the CE implemented a formal audit checklist that requires independent verification by mailroom personnel. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 18, 2015","Belgrade Regional Health Center","","Maine","DISC","MED","854","A business associate (BA), The Snowman Group, working on behalf of the covered entity (CE), Belgrade Health Center, erroneously mailed letters to patients containing the name of another individual due to a printing mistake, affecting 854 individuals. The protected health information involved included names and an indication of a treatment relationship with the CE. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE changed its template for letters to prevent this printing mistake from occurring again. OCR reviewed the BA agreement between the CE and the BA and obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","45.253783","-69.445469" "December 22, 2015","Oceans Acquisition, Inc.","","Texas","PHYS","MED","659","A laptop computer from the covered entity (CE), Oceans Acquisition, Inc., was stolen from a workforce member’s vehicle. The electronic protected health information (ePHI) on the laptop included patients' first and last names, diagnoses, dates of treatment, dates of birth, insurance providers, and medical record numbers for approximately 659 individuals. Upon discovering the theft, the CE filed a report with the county sheriff's office. 
Additionally, the CE provided breach notification to HHS, affected individuals, and the media. The CE also improved safeguards, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "December 23, 2015","WhiteGlove Health","","Texas","DISC","MED","975","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","31.968599","-99.901813" "December 23, 2015","Allina Health","","Minnesota","PHYS","MED","6,195","On October 27, 2015, the covered entity (CE), Allina Health, discovered that its janitorial vendor erroneously placed its patients’ protected health information (PHI) in the trash dumpster. The breach affected 6,195 individuals and the types of PHI involved included financial, demographic, and clinical information. The CE provided notification of the breach to HHS, affected individuals, and the media and also posted substitute notice on its website. Following the breach, the CE investigated the breach, updated its physical safeguards policy, and educated its workforce on its updated policy. OCR obtained a copy of the CE’s business associate agreement with Iron Mountain for PHI disposal services. OCR obtained documented assurances that the CE implemented the corrective actions taken in response to this breach incident. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 23, 2015","ST Psychotherapy, LLC","","Wisconsin","PHYS","MED","509","The covered entity (CE), ST Psychotherapy, LLC, was burglarized sometime between October 21, 2015 and October 23, 2015, and a laptop computer containing the electronic protected health information (ePHI) of approximately 509 individuals was stolen. The laptop computer contained patients’ names, driver’s license numbers, dates of birth, social security numbers, clinical, and demographic information. The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report. To prevent similar breaches from happening in the future, the CE changed the locks on its office. The CE also encrypted the laptop that replaced the stolen one and completed training on safeguarding PHI and the uses and disclosures of PHI. OCR obtained written assurances that the CE implemented the corrective actions noted above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 24, 2015","HealthSouth Rehabilitation Hospital of Round Rock","","Texas","PHYS","MED","1,359","The CE reported that an employee’s unencrypted laptop computer was stolen from a vehicle. The CE determined that the laptop, which was password-protected, potentially included local copies of e-mails containing individuals’ names, addresses, dates of birth, social security numbers, phone numbers, insurance numbers, diagnoses, referral identification numbers or medical record numbers. The CE provided breach notification to HHS, affected individuals, and the media. 
At the time of the incident, the CE was in the process of acquiring another facility and encrypting laptops owned by the facility. In response to the breach, the CE took additional steps to locate and secure any other remaining laptops owned by the facility it was acquiring. Further, the CE implemented additional technical safeguards to prevent similar breaches and sanctioned the involved workforce member. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 28, 2015","Michael Benjamin, M.D., Inc.","","California","PHYS","MED","1,300","The covered entity (CE), Michael Benjamin, M.D., Inc., reported that the office and file cabinets were broken into and patient charts containing protected health information (PHI) were taken. The types of PHI involved in the breach included demographic information, recorded vital signs, insurance eligibility information, and some copies of insurance cards and driver’s licenses or identification. Although 1,300 patient charts were in the cabinet, only 100 were actually taken, and 30 of the 100 were recovered from law enforcement. The CE provided breach notification to affected individuals, HHS, and the media. Following the break-in, the CE implemented more robust HIPAA policies and procedures. The CE improved safeguards by reinforcing the physical security of its office. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 30, 2015","Hillsides","","California","DISC","MED","502","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 30, 2015","St. Luke's Cornwall Hospital","","New York","PHYS","MED","29,156","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "December 31, 2015","Pittman Family Dental","","Ohio","HACK","MED","8,830","An unauthorized third-party accessed protected health information (PHI), according to the forensic firm that the covered entity (CE), Pittman Family Dental, retained to investigate abnormal activity on its computer server. Approximately 8,830 individuals were affected by the breach. The server included full names, social security numbers (of 5,007 individuals), driver’s license numbers, dates of birth, home addresses, treatment notes, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a similar breach from happening in the future, the CE scrubbed and reinstalled its server, installed an anti-virus/malware solution, and contracted with a company to provide an updated risk analysis and additional training. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2015","40.760537","-73.978890" "January 4, 2016","Elite Imaging","","Florida","PHYS","MED","1,457","A log book (sign-in book) containing information about the covered entity’s (CE) patients was stolen from its offices and returned anonymously with a letter. The log-book contained the patients’ full names and the name of the procedure conducted for each patient. The breach affected 1,457 patients. The CE provided breach notification to HHS, affected individuals, and the media. The CE conducted a full review of the incident and filed a police report. It also reviewed and modified its safeguards policies and internal procedures, implemented a new log in procedure, updated its software, and re-trained all staff on its new policies. The CE’s shredding vendor securely disposed of the log books. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 6, 2016","AHRC Nassau ","","New York","DISC","MED","1,200","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 11, 2016","Brigham and Women's Hospital","","Massachusetts","HACK","MED","1,009","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 14, 2016","G&S Medical Associates, LLC","","New Jersey","HACK","MED","3,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.058324","-74.405661" "January 14, 2016","Felicia Lewis, MD Lakewood Hills Internal Medicine","","Texas","HACK","MED","1,500","OCR closed the investigation after it determined that the covered entity (CE) had closed its medical practice and was no longer a CE. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "January 14, 2016","Blue Shield of California","","California","DISC","MED","20,764","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "January 15, 2016","CDC/NIOSH/ World Trade Center Health Program (WTCHP)","","Georgia","DISC","MED","597","The covered entity (CE), CDC/NIOSH/World Trade Center Health Program, discovered that mail sent via the U.S. Postal Service (USPS) containing protected health information (PHI) was damaged en route to the recipient and some of the pages were missing upon receipt. The missing documents contained the names, provider names and numbers, medical codes, dates of service, and the treatment information for 597 individuals. The CE provided breach notification to HHS, affected individuals, and substitute notice on its website. The CE also set up a toll free telephone number to answer questions. Notification to a prominent media outlet was not required as the breach did not affect 500 or more individuals residing in the same region. In response to the breach, the CE requested that the USPS conduct a Mail Recovery Search to locate the lost and/or unidentifiable pages, but the missing documents were not found. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","32.165622","-82.900075" "January 15, 2016","Hawai‘i Medical Service Association","","Hawaii","DISC","MED","10,179","Between April and November 2015, the covered entity (CE), Hawai'i Medical Service Association, mistakenly sent care management letters to incorrect addresses, affecting approximately 10,179 patients’ protected health information (PHI). The types of PHI involved in the breach included names and the implied suggestion that individuals may have certain medical conditions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE updated its risk analysis and risk management plan and enhanced physical security. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 15, 2016","New West Health Services d/b/a New West Medicare ","","Montana","PHYS","MED","28,209","OCR opened an investigation of the covered entity (CE), New West Health Services, dba New West Medicare, after it reported that an employee’s unencrypted laptop computer was stolen from a hotel meeting room. The types of electronic protected health information (ePHI) involved in the breach included demographic information, social security numbers, Medicare claim numbers, financial information, diagnoses, medical histories, and prescription information, and affected 28,209 individuals. The CE provided breach notification to HHS, affected individuals, and the media and provided individuals with free credit monitoring and identity theft protection services. 
Following the breach, the CE improved safeguards by recalling all of its laptops to ensure they were encrypted, installing geo-location capabilities on all of its laptops, and installing remote wiping software on all of its company-issued BlackBerry devices. The CE also sanctioned the employee whose laptop was stolen, retrained its staff on HIPAA privacy and security requirements, and created a new data incident response plan. OCR obtained assurances that the CE implemented the corrective actions noted above. Due to financial considerations, the CE announced that it will cease all operations in 2017 after it fulfills its 2016 insurance plan requirements. Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 21, 2016","The University of Texas System Administration","","Texas","DISC","MED","794","The CE sent an email reminder to approximately 794 COBRA participants regarding their premium due date that, inadvertently, displayed the email addresses of all individuals who received the reminder. The email contained names and identified individuals as a plan participant. Upon discovering the breach, the CE implemented additional technical safeguards to prevent similar incidents from occurring. The CE sanctioned the workforce member responsible for the error and re-trained workforce members on its policy regarding the emailing of electronic PHI. The CE provided breach notification to HHS, affected individuals, and the media. The CE also amended its Breach Notification policies and procedures to better clarify the notice requirements specified under the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 25, 2016","Livongo Health, Inc.","","Illinois","DISC","MED","1,950","The covered entity (CE) learned that its business associate (BA) mislabeled certain packages containing lancet devices so that the devices were sent and delivered to the correct address, but the shipping label stated the wrong name for the CE's members. The label included the wrong member’s name and information from which it could be incorrectly inferred that the individual was to receive a lancet device from the CE and had diabetes. This breach affected 1,950 individuals. The CE provided breach notice to HHS and affected individuals. Following the breach, the CE terminated its relationship with this BA, added a quality assurance process, and communicated the new process to its staff. OCR obtained documented assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 25, 2016","Community Mercy Health Partners","","Ohio","PHYS","MED","113,528","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 29, 2016","Crown Point Health Center","","Indiana","PHYS","MED","1,854","Patients’ empty paper file folders with protected health information (PHI) appearing on the front cover were improperly disposed of when an employee put them in the regular trash. The PHI on the cover included patients' dates of birth, medical record numbers, and guarantors' names. 
Approximately 1,854 individuals were affected by this breach. The covered entity (CE) provided breach notification to HHS, affected individuals and the media. The notification letter informed the individuals that a hotline had been established to address their questions and provided the hotline phone number. To prevent a similar breach from happening in the future, the CE sanctioned the involved employee and counseled the remaining staff regarding this matter. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 2, 2016","Louisiana Healthcare Connections","","Louisiana","PHYS","MED","13,086","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 2, 2016","Grx Holdings, LLC dba Medicap Pharmacy","","Iowa","PHYS","MED","2,300","An external hard drive containing the clinical and demographic information of approximately 2,300 individuals inadvertently fell into a garbage can around November 5, 2015. The covered entity (CE), Grx Holdings, LLC dba Medicap Pharmacy, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE adhered the external hard drives to the wall and initiated a change to eliminate the use of external hard drives as a data backup. It also sanctioned and retrained the involved employees. OCR obtained documentation that the CE implemented these corrective action steps. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 3, 2016","Rite Aid Store 01617","","New York","DISC","MED","976","From November 19, 2014, through November 18, 2015, an employee of the covered entity (CE), Rite Aid Pharmacy Store 01617, obtained customers’ credit card information along with other personal identifiers, which he used to commit credit card fraud. The incident affected 976 individuals. The electronic protected health information (ePHI) involved included patients’ names, addresses, dates of birth, and credit card information. As a result of the breach, the CE conducted an internal investigation, sanctioned the employee responsible for the incident, and revised its policy regarding handling of payment cards. The CE provided breach notification to HHS, affected individuals, and the media and provided one year free of credit monitoring services. OCR provided the CE with technical assistance regarding the requirements of the HIPAA Security Rule with respect to risk analyses, development of risk management plans, and implementation of procedures to review records of information system activity, grant access to ePHI, and deploy audit controls. In this case, employee sanctions included termination of employment. Location of breached information: Desktop Computer, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 5, 2016","Borgess Medical Center d/b/a Borgess Rheumatology","","Michigan","DISC","MED","700","On April 13, 2015, the covered entity (CE), Borgess Medical Center-Borgess Rheumatology, impermissibly disclosed protected health information (PHI) due to an erroneous use of “mail merge,” which mixed up 700 patients’ names and addresses. 
The PHI involved in the breach included patients’ names, medications, and their association with Borgess Rheumatology as patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented a new process that included verification of the data files used for mail merges, including a Privacy Officer review. It also trained workforce members and added an informal quality check of spreadsheets involving patient information. OCR obtained documented assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 8, 2016","SEIM JOHNSON, LLP","","Nebraska","PHYS","MED","30,972","A business associate (BA), Seim Johnson, LLP, reported on behalf of 10 health care provider clients that its health care auditor took his firm-issued laptop computer on a non-business weekend trip. When the employee arrived home from this trip, he discovered the backpack containing the laptop was missing. The laptop contained the protected health information (PHI) of 30,972 individuals and included demographic, clinical, and financial information. The BA provided breach notification to HHS, affected individuals, and the media. After investigating this incident, the BA determined that the laptop may not have been effectively encrypted. Following the breach, the BA sanctioned the involved employee and its security officer, retrained employees on security risks involving portable devices, and implemented new policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 9, 2016","Washington State Health Care Authority (HCA)","","Washington","DISC","MED","91,187","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 12, 2016","BlueCross BlueShield of South Carolina ","","South Carolina","DISC","MED","998","A business associate (BA), BlueCross\BlueShield, of the covered entity (CE), South Carolina Public Employee Benefit Authority, incorrectly mailed pre-authorization dental letters to the CE’s members due to a computer error. During the mailing sorting process, the names of the envelopes were not matched to the correct addresses. The breach affected 998 individuals and included financial, demographic, and clinical information. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA revised its procedures for ensuring data integrity and accuracy and enhanced procedures to include a quality control validation step. The BA trained systems support staff and confirmed that it requires all of its employees, contractors and consultants employed or retained for longer than 45 days to receive HIPAA training. OCR obtained assurances that the BA implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 12, 2016","DataStat, Inc.","","Michigan","DISC","MED","552","An employee of a business associate (BA), DataStat, erroneously misdirected surveys to 487 individuals after failing to follow the BA’s re-print protocol after a printer paper jam. The types of protected health information (PHI) involved in the breach included demographic information, including names and addresses. The CE provided breach notification to HHS and affected individuals. The BA also improved technical safeguards to assist with quality assessment checks and sanctioned the involved employee with a written warning. OCR obtained documentation that the BA implemented the corrective action steps listed above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 12, 2016","Radiology Regional Center, PA","","Florida","PHYS","MED","483,063","On December 19, 2015, 12 boxes containing 483,063 patients’ records fell off of the business associate’s (BA) truck and onto the street while being transported to the incinerator. The types of PHI in the records included patients’ names, addresses, dates of birth, social security numbers, claims information, credit card/bank information, diagnosis codes, lab results, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. It also activated a call center on January 12th, 2016, which provided information about the breach for 90 days, and provided identity protection for one year to the affected individuals. 
In response to the incident, the CE opened an internal investigation and interviewed all relevant staff and its business associate. The CE ended its business relationship with the BA, Lee County Solid Waste Division, and improved safeguards by changing the process for records’ destruction. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 15, 2016","Alliance Health Networks, LLC","","Utah","HACK","MED","42,372","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","39.320980","-111.093731" "February 19, 2016","Public Health Trust of Miami-Dade County, Florida","","Florida","DISC","MED","24,188","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","27.664827","-81.515754" "February 19, 2016","Roark's Pharmacy","","Tennessee","PHYS","MED","3,000","The covered entity (CE), Roark’s Pharmacy, discovered on January 13, 2016, that its facility had been broken into and computer hard drives containing the protected health information (PHI) of 3,000 individuals were stolen. The types of PHI on the hard drives included patients' names, dates of birth, addresses, diagnoses, conditions, medications, health insurance information, and social security numbers (when used as ID numbers for certain insurance carriers). The CE provided breach notification to HHS and to affected individuals. OCR provided technical assistance to the CE regarding the Breach Notification Rule and impermissible disclosures. 
In addition, OCR provided resource materials regarding small businesses and the Privacy and Security Rules. In response to the breach, the CE increased its physical security by installing a metal gate over its front door, improving its security alarm system, and physically hiding and securing sensitive equipment. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.517491","-86.580447" "February 24, 2016","ELLIOT J MARTIN CHIROPRACTIC PC","","New York","HACK","MED","1,200","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712784","-74.005941" "February 26, 2016","BJC HealthCare ACO, LLC","","Missouri","DISC","MED","2,393","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.964253","-91.831833" "February 26, 2016","Locust Fork Pharmacy","","Alabama","DISC","MED","5,000","On February 15, 2016, the covered entity (CE), Locust Fork Pharmacy, discovered the lock on one of their storage units was broken. The storage unit contained boxes of records for approximately 5,000 individuals. Protected health Information (PHI) in the records included names, addresses, and birth dates. The CE determined that all the boxes were stacked in sequence, none was missing, and all remained sealed. The CE worked with local police in the investigation of the incident, and updated its policies and procedures related to breach response, breach mitigation, and physical security of the storage unit. 
The CE provided breach notification to HHS and posted media notice in its geographic area for two weeks in March 2016. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","32.318231","-86.902298" "February 26, 2016","Vancouver Radiologists, PC","","Washington","DISC","MED","603","The covered entity (CE), Vancouver Radiologists, PC, on January 4, 2016, received telephone calls from a few patients that they received a postcard mammogram reminder, but with another patient’s name. The CE mailed 603 postcards which contained names, addresses, and generic reminders to schedule a mammogram. The CE submitted a breach notification report to HHS, affected individuals, and the media. In response to the breach, the CE stopped mailing the postcard reminder and revised its mailing procedures. The CE provided OCR with additional documentation specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also provided refresher reminders to all staff members about its HIPAA privacy policies and procedures. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","47.751074","-120.740139" "February 26, 2016","Valley Hope Association ","","Kansas","PHYS","MED","52,076","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","39.011902","-98.484247" "February 26, 2016","Nintendo of America Inc.","","Washington","HACK","MED","6,248","The covered entity (CE), Nintendo of America, Inc., reported that on May 5, 2014, attackers impermissibly accessed and acquired data in possession of its business associate (BA), Premera. This data included the protected health information (PHI) of former and current participants in health plans of certain members of the Blue Cross Blue Shield Association dating back to 2002. The BA is a member of the Blue Cross Blue Shield Association and is the third-party administrator for the health plan. As a result, some former and current plan participants have been impacted. The CE reported that 6,248 individuals were affected and the PHI involved in the breach included demographic, clinical, and financial information. The BA provided breach notification to HHS, affected individuals, and the media. The CE had a BA agreement in place with Premera. OCR determined that Nintendo is in compliance with the Privacy, Security, and Breach Notification Rules. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 26, 2016","Ecolab Health and Welfare Benefits Plan","","Minnesota","HACK","MED","1,550","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 26, 2016","Freeport Memorial Hospital","","Illinois","PHYS","MED","1,349","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 26, 2016","Eye Institute of Corpus Christi","","Texas","PHYS","MED","43,961","After review of the response from the entity, OCR determined that a breach of protected health information did not occur. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 27, 2016","Mind Springs Health","","Colorado","DISC","MED","2,147","On January 8, 2016 a foreign transcription services subcontractor to Mind Springs Health’s former business associate (BA), Stratton Consulting Services, Inc., mistakenly published electronic protected health information (ePHI) on the internet during a software update. The types of ePHI involved in the breach included names, dates of birth, medications, and physicians’ notes, affecting 2,147 individuals who received treatment from the covered entity (CE) between January 2009 and March 2010. Following the breach, the subcontractor removed the information from the internet. The CE provided breach notification to HHS, affected individuals, and the media. 
Subsequent to the breach, the CE established BA agreements with its contractors. OCR provided technical assistance regarding relevant issues pursuant to the Privacy and Security Rules. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "February 29, 2016","Group Life Hospital and Medical Program","","Connecticut","HACK","MED","3,000","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 1, 2016","Walmart Stores, Inc.","","Arkansas","DISC","MED","4,800","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 3, 2016","Centers Plan for Healthy Living ","","New York","PHYS","MED","6,893","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 4, 2016","City of Hope","","California","HACK","MED","1,024","The covered entity (CE), City of Hope, received a phishing email on January 18, 2016, causing unauthorized access to several employee email accounts. The protected health information (PHI) involved in the breach included patients' names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers, clinical information, test results, and dates of service and for one patient, the social security number and financial information. Approximately 1,024 individuals were affected by the breach. 
The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. Following the breach, the CE blocked access to a form in the embedded link contained in the phishing email, blocked the sender of the phishing email from sending additional emails, updated its spam filter, removed the email from the inboxes of users who received it, and sent an email to all staff to advise them of the issue. Additionally, the CE began updating its anti-phishing defenses and has upgraded its firewall. OCR provided the CE with technical assistance regarding the Security Rule including risk analysis and risk management. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "March 4, 2016","Cardiology Associates of Jonesboro, Inc.","","Arkansas","DISC","MED","1,669","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.201050","-91.831833" "March 4, 2016","Premier Healthcare, LLC","","Indiana","PHYS","MED","205,748","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 4, 2016","Walgreen Co.","","Illinois","PHYS","MED","880","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.633125","-89.398528" "March 7, 2016","Complete Family Foot Care","","Nebraska","HACK","MED","5,883","Bizmatics, Inc., a business associate (BA) that the covered entity (CE), Complete Family Foot Care, employs for the online storage and management of its patient health records, 
discovered an unauthorized access to the computer servers on which the CE's patient files were stored. The breach affected 5,883 individuals and included clinical information. Upon request of the CE, the BA provided breach notification to affected individuals and complimentary identity recovery services for individuals victimized by identity theft. The CE also provided breach notification to HHS and the media and posted substitute notice on its website. Following the breach the BA comprehensively scanned for malware and any external vulnerabilities, upgraded all anti-virus and anti-malware programs as well as system hardware and operating systems, updated server and account passwords, and revised its firewall configurations. The BA also implemented stricter password policies and initiated the installation of an active traffic-monitoring solution for its network. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above. Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.492537","-99.901813" "March 8, 2016","Illinois Valley Podiatry Group","","Illinois","HACK","MED","26,588","Bizmatics, Inc., a business associate (BA) that provided online storage and management of patient health records for the covered entity (CE), Illinois Valley Podiatry Group, discovered an unauthorized access to the servers on which the CE's patient files were stored. The breach affected 26,588 individuals' electronic protected health information (ePHI). The types of ePHI involved in the breach included diagnoses and conditions, medications, and other treatment information. The CE provided breach notification to HHS and the media and posted substitute notice on its website. The BA provided breach notification to affected individuals at the direction of the CE. 
As a result of OCR’s investigation, the CE executed a new BA agreement with Bizmatics with provisions regarding the use, disclosure, and safeguarding of protected health information (PHI). OCR obtained documented assurances that the BA and CE implemented the corrective actions noted above. Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.633125","-89.398528" "March 10, 2016","Cromwell Fire District","","Connecticut","DISC","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.603221","-73.087749" "March 10, 2016","Vidant Health","","North Carolina","DISC","MED","897","Vidant Health, the covered entity (CE), discovered that it filed numerous bankruptcy documents, from December 1, 2007, through March 9, 2016, that listed protected health information (PHI) that was not necessary for the filing. The breach affected 897 individuals and included patients' billing account numbers, social security numbers, medical record numbers, dates of birth, telephone numbers, sex, marital status, names, service dates, and account balances. The CE sent timely breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. The CE provided identity theft protection for affected individuals for one year. In response to the breach, the CE revised and redacted its bankruptcy filings, filed blanked protective orders, and sealed proofs of claims in the public record. It also retrained applicable staff. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 10, 2016","UHHS Geauga Medical Center","","Ohio","DISC","MED","677","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 10, 2016","Karmanos Cancer Center","","Michigan","PHYS","MED","2,808","The covered entity (CE), Karmanos Cancer Center, lost an unencrypted flash drive that contained the protected health information (PHI) of approximately 2,808 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and it offered 12 months of credit monitoring to affected individuals. Following the breach, the CE retrained staff, published an article in its newsletter about encryption, and audited its business associate agreements. OCR obtained documented assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 11, 2016","Virtua Medical Group","","New Jersey","DISC","MED","1,654","Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 11, 2016","Vibrant Body Wellness","","California","PHYS","MED","726","On March 5, 2016, a password protected laptop computer and a backup computer drive were stolen from the covered entity (CE), Vibrant Body Wellness, as a result of a break-in. 
The laptop computer contained the protected health information (PHI) of 726 individuals, including patients’ addresses, dates of birth, names, clinical diagnoses/conditions, and financial claims information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified law enforcement. The PHI which was on the stolen external hard drive was encrypted. Following the breach, the CE trained staff regarding its policies and procedures for safeguarding electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 14, 2016","JASACare","","New York","HACK","MED","1,154","Unauthorized individuals hacked a workforce member’s email account and accessed the electronic protected health information (ePHI) of 1,154 patients. The types of ePHI involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers, insurance identification numbers, insurance information, and account balance information. The covered entity (CE), JASACare, provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. The CE also provided one year free credit monitoring services for the affected individuals. Following the breach, the CE shut down the workforce member’s email account and reset all login information. As a result of OCR’s investigation and technical assistance, the CE developed new policies regarding emailing ePHI and distributed them to its workforce members. The CE is expected to perform a thorough and accurate risk analysis and establish a risk management plan. 
It is also expected to implement mechanisms to record and examine activity in information systems that contain or use ePHI. Additionally, the CE is expected to implement technical security measures to guard against unauthorized access to ePHI, implement procedures for identity verification for access to ePHI, and provide training to all staff on the newly implemented policies and procedures. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 15, 2016","Laborers Funds Administrative Office of Northern California, Inc.","","California","DISC","MED","2,373","On February 17, 2016, the covered entity (CE), Laborers Funds Administrative Office of Northern California, Inc, discovered that a tax sent to its clients and beneficiaries inadvertently contained protected health information (PHI) about unrelated individuals. The breach affected approximately 800 individuals and included names, social security numbers, and eligibility information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE implemented new technical safeguards for creating and transmitting this type of data, conducted a new/updated security analysis, revised its HIPAA policies and procedures, and trained its workforce. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 17, 2016","W. 
Christopher Bryant DDS PC","","Michigan","PHYS","MED","2,200","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 17, 2016","Hospital for Special Surgery","","New York","DISC","MED","647","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 18, 2016","Lindsay House Surgery Center, LLC","","New York","PHYS","MED","773","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 18, 2016","Val Verde Regional Medical Center","","Texas","HACK","MED","2,000","On or about December 18, 2015, the covered entity (CE), Val Verde Regional Medical Center, determined that a member of its medical staff had impermissibly used protected health information (PHI) and sent unsecured emails containing PHI to two unapproved, personal email addresses. The emailed PHI included patients' names, genders, medical record numbers, dates of birth, modalities, study dates, ages, telephone numbers and/or account numbers, affecting 2,412 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised policies and procedures and retrained staff. The CE conducted a new risk analysis and took actions to mitigate identified risks. During the investigation, OCR provided technical assistance regarding multiple standards of the HIPAA Rules. 
Location of breached information: Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 21, 2016","Bozeman Health Deaconess Hospital","","Montana","DISC","MED","1,124","Due to a misaligned spreadsheet, on or about February 19, 2016, Executive Services, a business associate (BA) of the covered entity (CE), Bozeman Health Deaconess Hospital, erroneously sent letters to 1,124 patients containing another patient’s name. The type of protected health information (PHI) involved in the breach included names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented a new process for sending mass mailings, required the responsible employee, as well as managers and supervisors, to attend HIPAA refresher training, and required the responsible employee to take a class on specific spreadsheet software. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 21, 2016","National Counseling Group","","Virginia","HACK","MED","23,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 22, 2016","Metropolitan Jewish Health System, Inc. 
d/b/a MJHS","","New York","HACK","MED","2,483","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 23, 2016","Excel Plus Home Health, Incorporated","","Texas","PHYS","MED","524","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 24, 2016","Morton Medical Center, PLLC","","Washington","HACK","MED","3,000","In March 2016, the covered entity (CE), Morton Medical Center, reported that a virus encrypted many of its merge documents and held them for ransom, preventing the CE from printing any documents that required merging data. An internal investigation revealed that the ransomware had been introduced into its systems through an “add-on” through the Internet. After paying the ransom, the hacker(s) released the CE's entire electronic protected health information (ePHI). The breach affected the ePHI of approximately 3,000 individuals; however, there were no indications that ePHI was actually uploaded or accessed. If the hackers accessed the ePHI, it would have contained names, addresses, demographic information and, possibly, some diagnostic information. Following the breach, the CE conducted an enterprise-wide analysis of the various risks to its ePHI and developed a risk management plan. The CE then overhauled its entire information technology system, focusing on strengthening its physical, administrative, and technical safeguards. The CE also re-trained its workforce members and implemented a new policy that prohibits Internet access for other than business reasons. OCR provided technical assistance regarding the requirements of the Breach Notification Rule. 
Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "March 25, 2016","Mercy Iowa City","","Iowa","HACK","MED","15,625","Location of breached information: Desktop Computer, Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 1, 2016","Aurora Health Care, Inc.","","Wisconsin","DISC","MED","869","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 1, 2016","Pointe Medical Services, Inc.","","Florida","PHYS","MED","2,000","The covered entity (CE), Pointe Medical Services, Inc., discovered on February 11, 2016, that a former nurse practitioner was soliciting patients to her new practice from information she had downloaded from the CE between October 23, 2015 and until she was terminated on December 15, 2015. Information on the reports included: patients' names, dates of birth, phone numbers, reasons for appointments, appointment status (i.e. no show, cancelled, etc.), service sites, diagnoses, conditions, and health insurance information including insurance providers and plan types. The breach affected 2,055 patients. The CE provided breach notification to HHS, to affected individuals, on its website and to various media outlets across Georgia and Florida. In response to the breach, the CE retrained its workforce, disabled the ability to download information to removable electronic storage devices, and increased the frequency of its electronic health record activity audits. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Desktop Computer, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 1, 2016","Einstein Healthcare Network ","","Pennsylvania","DISC","MED","2,939","The covered entity (CE), Einstein Healthcare Network, reported that between April 11, 2013 and March 21, 2017, its website, Einstein.edu, contained a webpage form where a visitor could “Request an Appointment” that allowed protected health information (PHI) to be left accessible via the internet, including demographic and clinical information. The CE staff used this data to schedule the requested appointment(s) for patients. The CE learned that it was possible to cause the website to display PHI by submitting an unexpected string of characters in the universal resource locator (URL). Google accessed these specially crafted URL’s in order to attempt to add these web pages to the list of pages that can be searched by Google. The CE reviewed the information provided on the forms and determined that it demonstrated a low probability of compromise for most patients. The CE provided breach notification to the remaining 2,034 patients, HHS, and the media. Following the breach, the CE worked with Google to have the information removed from indexing. Subsequently, the CE conducted a system wide risk assessment and penetration test to specifically assess for security vulnerabilities on the website, changed the vendor used for website creation and hosting and built and tested a new ""Einstein.edu"" website. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 5, 2016","Sisters of Charity of Leavenworth Health System Health Benefits Plan","","Colorado","DISC","MED","540","A sub-subcontractor for the business associate (BA), Kaiser Permanente Insurance Company, incorrectly changed a setting on a printer press during maintenance, resulting in errors on printed, explanation of benefit (EOB), letters. The error impacted the letters of 540 individuals. The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximums, dollars spent “year-to-date” towards the deductible, and out-of-pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the subcontractor BA responsible for printing the EOB’s updated its procedures to include additional oversight by its workforce members and additional print testing during printer updates or maintenance. OCR reviewed the applicable BA agreements, and its investigation resulted in the BA improving safeguards for the printing of PHI for the CE's health plan. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 5, 2016","Target Corporation Health Plan","","Minnesota","DISC","MED","719","During the maintenance of a printer press, a technician incorrectly changed a printer setting resulting in errors on printed explanation of benefit (EOB) letters sent by a subcontractor on behalf of a business associate (BA), Kaiser Permanente Insurance Company. The error impacted the letters of 719 individuals. 
The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximum, dollars spent “year to date” towards the deductible, and out of pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the subcontractor BA updated its procedures to include additional oversight and additional print testing during printer updates or maintenance. OCR’s investigation resulted in the subcontractor BA improving safeguards in the printing of PHI for the covered entity's health plan. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 5, 2016","Pacific Gas and Electric Company","","California","DISC","MED","2,426","A vendor incorrectly changed a printer press setting during maintenance resulting in errors on printed, explanation of benefit (EOB), letters for the covered entity (CE), Pacific Gas and Electric Company Health Benefits Plan. The CE's self-funded health plan is administered by a business associate (BA), Kaiser Permanente Insurance Company. The error impacted the letters of 2,426 individuals. The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximum, dollars spent “year to date” towards the deductible, and out of pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, a subcontractor BA responsible for printing the EOB’s updated its procedures to include additional oversight by its workforce members and additional print testing during printer updates or maintenance. OCR’s investigation resulted in the subcontractor BA improving safeguards in the printing of PHI. 
Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 7, 2016","RMA Medical Centers of Florida","","Florida","PHYS","MED","3,906","RMA Medical Centers of Florida, the covered entity (CE), discovered that on February 6, 2016, a password protected company laptop computer was stolen from an employee’s hotel room. The laptop was not encrypted. It contained 3,906 individuals’ protected health information (PHI) and included patients’ names, dates of birth, health plan identification numbers, diagnoses, and primary care physicians’ names. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. It also offered complimentary one-year identity theft protection to affected individuals. Following the breach, the CE encrypted all laptops containing PHI and revised certain HIPAA policies to improve safeguards. The CE educated and retrained its employees on its policies. Finally, the CE sanctioned the employee responsible for the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 7, 2016","Indian Health Service Northern Navajo Medical Center","","New Mexico","PHYS","MED","7,421","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 8, 2016","BioReference Laboratories, Inc","","New Jersey","DISC","MED","3,563","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 11, 2016","Pain Treatment Centers of America ","","Arkansas","HACK","MED","19,397","PIMS TN: 16-235969 Covered Entity: Pain Treatment Centers of America OCR opened an investigation of the covered entity (CE), Pain Treatment Centers of America, after it reported a hacking attack on its business associate’s (BA), Bizmatics, data servers. This breach resulted in unauthorized access to the BA’s customer records including those of the CE. The breach encompassed 17,339 individuals’ information, which included individuals’ names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, diagnoses/conditions, lab results, medications and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media and also provided an identity theft and credit monitoring service to affected individuals. As a result of OCR’s investigation, the CE updated its BA agreement with the BA to reflect all requirements of 45 C.F.R. §§ 164.314 (a) and 164.504(a). 
Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 12, 2016","Mark Anthony Quintero, M.D., L.L.C.","","Florida","HACK","MED","650","In January, 2015, a business associate (BA), Bizmatics, discovered that one of its computer servers was compromised by an unknown individual or individuals (hackers). The breach affected approximately 650 of the covered entity's (CE) patients. The CE cooperated with OCR and accepted the technical assistance provided until it closed for business in February 2017. Based on the foregoing, OCR decided not to further investigate. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 12, 2016","Sacred Heart Health System, Inc","","Florida","DISC","MED","532","On February 16, 2016, the American College of Cardiology Foundation, a business associate (BA), notified the covered entity (CE), Sacred Heart Health System, Inc., that some of its protected health information (PHI) had been inadvertently transferred to a testing environment made accessible to four vendors who were working with a software developer of the BA. The CE conducted an internal investigation and determined that the names, dates of birth, social security numbers, and internal patient identification numbers for 532 individuals had been exposed as a result of the incident. The CE immediately terminated access to the database containing the PHI, and obtained assurances from the vendors and software developer that the PHI had not been retained, or made accessible to any other unauthorized individuals. In response to the breach, the CE reviewed its policies and procedures, retrained its staff. 
The BA revised its policies and procedures for transferring data and added additional safeguard controls to ensure the security of PHI. Additionally, the CE provided breach notification to HHS, to the affected individuals, to the media, and posted a notice on its website. OCR obtained assurances that the CE and BA implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 12, 2016","OptumRx, Inc.","","California","PHYS","MED","6,229","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 12, 2016","United Community & Family Services","","Connecticut","DISC","MED","1,000","United Community Family Services, the covered entity (CE), mistakenly sent an email blast that advertised dental services, to current and former patients, with email addresses visible to all of the other recipients of the email. The emails were encrypted so that only the recipients could have accessed them. Approximately 1,095 individuals were affected by this breach. The types of protected health information (PHI) involved in the breach included some names as part of the email addresses and the implied suggestion that these individuals had received dental services from this CE. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE implemented plans to review and revise its policies to ensure adequate safeguards of electronic PHI. Additionally, the covered entity re-trained staff on its HIPAA policies and issued periodic HIPAA reminders to staff. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.603221","-73.087749" "April 13, 2016","American Fidelity Assurance Company","","Oklahoma","DISC","MED","2,664","The covered entity (CE), American Fidelity Assurance Company, erroneously mailed letters to customers containing pages that belonged to another customer due to a mailroom equipment malfunction and manual sorting by an employee. The types of protected health information (PHI) involved in the breach included providers’ names, treatment dates, customers’ names, customers’ employers’ names, and customers’ employer identification numbers. Approximately 2,664 individuals were affected by this incident. The CE provided breach notification to HHS, all potentially affected individuals, and the media. The CE also offered credit monitoring services. The CE retrained staff on safeguarding PHI and verbally reprimanded the employee involved in the incident. As a result of this incident, the CE decided to outsource its mailing and sorting process with a business associate using a fully automated sorting process which provides positive assurance and audit capability. In addition, the CE added quality control measures to their mailing process. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.007752","-97.092877" "April 13, 2016","Florida Department of Health","","Florida","DISC","MED","1,076","The covered entity (CE), Florida Department of Health, discovered on February 17, 2016, that an additional 1,076 individuals were affected by a breach previously reported in 2013 as affecting 877 individuals. 
The breach occurred when an employee with legitimate access to PHI stole demographic information for illegal purposes. The CE provided breach notification to HHS, the additionally identified individuals, and the media, as well as posting substitute notice on its website. Following the 2013 breach, the CE reviewed and revised its policies relating to access to PHI and began masking social security numbers. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","27.664827","-81.515754" "April 15, 2016","Oneida Tribe of Indians of Wisconsin","","Wisconsin","PHYS","MED","2,734","The covered entity (CE), Oneida Tribe of Indians of Wisconsin, reported an employee’s personal flash drive containing the electronic protected health information (ePHI) of approximately 2,734 individuals was stolen from its dental offices. The ePHI involved in the breach included names, patient identification numbers, dental insurance plan numbers and dates of service. Following the breach, the CE sanctioned and retrained the employees involved in the breach. Also, the CE notified employees that it banned the use of all external electronic data storage devices, unless they are encrypted and approved by the CE. As a result of OCR’s investigation, the CE updated its policy related to Breach Rule Notification and distributed the updated policy to its workforce. OCR obtained documented assurances that it implemented the corrective actions listed above. 
Location of breached information: Desktop Computer, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","43.784440","-88.787868" "April 15, 2016","Atique Orthodontics","","Oregon","HACK","MED","1,506","On February 29, 2016, the covered entity (CE), Atique Orthodontics, reported that files on its web server were compromised by a potential unauthorized access through one of its computers. The files on the server contained the names, dates of birth, addresses, phone numbers, credit card numbers, insurance information, and social security numbers of approximately 1,506 individuals. The CE provided breach notification to HHS and affected individuals and offered identity theft protection services. Following the breach, the CE disconnected the computer from the network server, reconfigured it, and disabled the remote desktop connection. The CE also implemented access controls, upgraded its firewall and anti-virus and other anti-malware protection software, and encrypted its electronic protected health information (ePHI). Additionally, the CE developed a plan to perform periodic system audits, adopted policies and procedures to ensure that ePHI is not stored on laptops, desktops, or other mobile device, and updated its log-off policy for unattended computers. The CE also inventoried hardware and software which is stored off site and updated workforce members' training with the new policies and procedures. OCR obtained assurances from the CE that it implemented the corrective actions listed above. 
Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 18, 2016","Florida Hospital Medical Group","","Florida","DISC","MED","1,906","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 19, 2016","Quarles & Brady, LLP","","Wisconsin","PHYS","MED","1,032","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 20, 2016","Lake Pulmonary Critical Care PA","","Florida","PHYS","MED","648","The covered entity (CE), Lake Pulmonary Critical Care, PA, discovered that a former employee removed patient medical records from the office and took them home. The theft of this protected health information (PHI) affected 648 individuals. The medical information included patients’ names, addresses, phone numbers, dates of birth, social security numbers, health insurance information, medical diagnoses, lab results, medications, and other treatment information. The CE provided timely breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE improved safeguards by installing employee lockers for all personal items and installing privacy walls at the nurses’ stations. In addition, the CE arranged for HIPAA training for its employees and doctors. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 20, 2016","Lake Pulmonary Critical PA","","Florida","PHYS","MED","648","This case was consolidated into another review of this covered entity. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 20, 2016","Wyoming Medical Center","","Wyoming","HACK","MED","3,184","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 22, 2016","Kaiser Foundation Health Plan, Inc.","","California","PHYS","MED","2,451","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 22, 2016","Edwin Shaw Rehabilitation","","Ohio","PHYS","MED","975","On February 19, 2016, an employee of the covered entity (CE), Edwin Shaw Rehabilitation, mistakenly left behind a day planner that contained an unencrypted mobile computer drive (a universal serial bus, or “USB” drive), at a business-related function. The drive contained a spreadsheet file that included the names, medical record numbers, insurance providers’ names, and limited clinical information of 975 individuals. The CE provided breach notification to HHS, affected individuals, and the media. 
Following the breach, the CE sanctioned the involved employee, conducted mandatory privacy and security training for all members of its leadership team, and implemented a month-long security awareness campaign for all employees that included HIPAA education and collection of unencrypted USB drives. The CE also deployed new forms for employees to request an encrypted mobile computer drive. OCR obtained written assurances that the CE implemented the corrective actions noted above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 22, 2016","Ohio Department of Mental Health and Addiction Services","","Ohio","DISC","MED","59,000","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 23, 2016","Mayfield Clinic Inc","","Ohio","HACK","MED","23,341","An unauthorized person sent a fraudulent email with an attachment that triggered a download of a ransomware virus to 23,341 email addresses held by the covered entity’s (CE’s) business associate (BA) on its behalf. The protected health information (PHI) involved in the breach included email addresses. The CE sent an email notification to affected individuals on the day of the incident and sent another email notification two days later. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its web site. Following the breach, the CE assessed system controls, provided anti-scanning updates to its employees’ email, deleted the email addresses it maintained on its BA’s systems, and put a hold on the future electronic distribution of newsletters. OCR obtained written assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.417287","-82.907123" "April 25, 2016","Children's National Medical Center","","District Of Columbia","DISC","MED","4,107","A former business associate (BA) of the covered entity (CE), Children’s Medical Center, Ascend Health System, misconfigured a File Transfer Protocol site (FTP), which may have allowed access from the internet to transcription documents from a number of healthcare entities, including the CE. The breach was discovered in December 2015; however, the CE had ceased doing business with the BA on June 23, 2014. The transcriptions may have contained protected health information including children's names, dates of birth, medications, and attending physicians' names. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained copies of the notification letters and BA agreement, as well as assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","38.907192","-77.036871" "April 25, 2016","Comanche County Hospital Authority","","Oklahoma","HACK","MED","2,199","A business associate (BA), Avatar Solutions, e-mailed satisfaction surveys for patients who visited Memorial Medical Group, a provider affiliate of the covered entity (CE), Comanche County Hospital Authority, to incorrect e-mail addresses. The surveys contained patients’ and providers’ names and affected 2,199 individuals. In response to the incident, the BA updated its Security Management Plan, implemented new technical safeguards, applied policy changes to mitigate harm, and implemented training to prevent further incidents. 
In response to OCR’s investigation, the CE provided evidence it provided breach notification to the media and affected individuals and offered affected individuals a year of free credit monitoring and identity theft protection. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.007752","-97.092877" "April 27, 2016","Family & Children's Services of Mid Michigan, Inc.","","Michigan","HACK","MED","981","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","44.314844","-85.602364" "April 28, 2016","Northstar Healthcare Acquisitions LLC","","Texas","PHYS","MED","19,898","A laptop computer containing the electronic protected health information (ePHI) of 19,898 individuals was stolen from the vehicle of an employee of Equalize Revenue Cycle Management (ERCM). ERCM is a business associate (BA) of Northstar Healthcare Acquisitions, LLC, the covered entity (CE). The ePHI included insurance and treatment information and other demographic information. Upon discovering the breach, the BA informed law enforcement. The BA notified the affected individuals, provided substitute notice via its website, and media notification. The BA offered one year of free credit monitoring services to affected individuals. Following the breach, the BA adopted encryption technologies, revised policies and procedures, and conducted an updated risk analysis. The BA also sanctioned the workforce members involved and retrained employees. OCR obtained assurances that the BA implemented the corrective action listed above. OCR also verified that the CE had a proper BA agreement in place, which restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "April 29, 2016","PruittHealth Home Health -- Low Country","","South Carolina","DISC","MED","1,500","On March 2, 2016, a break-in occurred at the office of the covered entity (CE), PruittHealth. The perpetrators broke the glass of the front door and broke into the file cabinets, but it did not appear that any medical records were taken. The perpetrators had the opportunity to access the paper medical records of 1,500 individuals. The types of protected health information (PHI) contained in the records included patients’ names, addresses, social security numbers, dates of birth, dates of service, location of service, and other clinical information. The CE provided breach notification to HHS, affected individuals and media and also provided substitute notice on its website. The CE also set up a toll free telephone number to answer questions about the breach. Following the breach, the CE reviewed its policies and retrained staff. Additionally, the CE initiated a criminal investigation with local law enforcement, repaired the door used to gain access to the building, purchased file cabinets with more secure locks, and initiated a search for a more secure office location. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 1, 2016","Managed Health Services","","Indiana","DISC","MED","610","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 4, 2016","Florida Medical Clinic, PA","","Florida","DISC","MED","1,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 4, 2016","UnitedHealth Group Single Affiliated Covered Entity (SACE)","","Minnesota","DISC","MED","5,330","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 5, 2016","Southeast Eye Institute, P.A. dba eye Associates of Pinellas","","Florida","HACK","MED","87,314","Southeast Eye Institute, P.A., the covered entity (CE), discovered that its business associate (BA), Bizmatics Inc., suffered a breach after a hacker accessed its servers. The breach affected 87,000 individuals and included patients' names, addresses, social security numbers, and health visit information. The CE timely sent breach notification to HHS, to affected individuals, to the media, and posted notification on the main page of its website. The CE did not have a BA agreement with Bizmatics at the time of the breach, but following the breach, the CE decided to terminate its relationship with the BA. 
After terminating its relationship with the BA, the CE received a certificate of records destruction from the, which confirmed that all of the CE’s patient records stored by the BA were destroyed. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 9, 2016","Lafayette Pain Care PC","","Indiana","HACK","MED","7,500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 11, 2016","UnityPoint Health Affiliated Covered Entity","","Iowa","DISC","MED","1,620","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 11, 2016","HeartCare Consultants","","Florida","HACK","MED","16,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 11, 2016","Family Medicine of Weston","","Florida","HACK","MED","500","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 11, 2016","Northwest Oncology & Hematology, S.C. 
","","Illinois","DISC","MED","1,625","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.633125","-89.398528" "May 11, 2016","Medical Colleagues of Texas, LLP ","","Texas","HACK","MED","68,631","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "May 12, 2016","Pulaski County Special School District-Employee Benefits Division","","Arkansas","DISC","MED","2,602","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 13, 2016","Imperial Valley Family Care Medical Group, APC","","California","PHYS","MED","649","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 15, 2016","California Correctional Health Care Services","","California","PHYS","MED","400,000","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 16, 2016","Associates In EyeCare, P.S.C.","","Kentucky","PHYS","MED","971","An office of the covered entity (CE), Associates in EyeCare, P.S.C., was broken into and two laptop computers and an external hard drive were stolen. The breach affected 971 individuals and the types of protected health information (PHI) involved in the breach included patients’ names, internal account numbers, optical images, technical information about the images, and dates of birth. 
The CE provided timely breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach to its website. In response to the breach, the CE changed the exterior locks on the clinic doors, revised its policies for moving laptops between offices, began saving all patient information to the cloud, and equipped its new laptop with encryption and physical security. Further, CE revised its security policies. OCR obtained assurances that the CE will train its employees on its updated policies. Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 16, 2016","Surgical Care Affiliates","","Alabama","PHYS","MED","9,009","Surgical Care Affiliates, the covered entity (“CE”), discovered that on March 17, 2016, a laptop computer had been stolen from an employee’s house. The laptop was password protected; however the employee’s username and password were with the laptop at the time of the theft. There was no patient information stored on the laptop, but Outlook emails were potentially cached on the hard drive. The CE opened an internal investigation and determined that 9,009 individuals may have had their names, addresses, dates of birth, social security numbers, treatment information, and health insurance information exposed as a result of this incident. The CE provided timely breach notification to HHS, to affected individuals, on its website, and to the media. In response to the breach, the CE retrained the employee involved to reinforce its existing HIPAA policies pertaining to the safeguarding of electronic devices and password management, and provided free credit monitoring to the affected individuals whose social security numbers may have been exposed. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 17, 2016","San Juan County New Mexico","","New Mexico","HACK","MED","12,500","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 17, 2016","Complete Chiropractic & Bodywork Therapies","","Michigan","HACK","MED","4,082","On March 7, 2016, the covered entity (CE) discovered a malfunction on certain of its computer workstations. The CE hired a forensic expert who concluded that the CE's server was left vulnerable to access by unauthorized users from November 19, 2015 to March 10, 2016. The types of protected health information (PHI) on the server included patients’ full names, social security numbers, dates of birth, home addresses, and treatment notes. Approximately 4,082 individuals were affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media and offered free identity protection for 1 year to the affected individuals. To prevent a similar breach from happening in the future, the CE installed a new firewall to monitor all incoming and outgoing traffic to and from the server. It also hired a new IT vendor and Security Rule experts to enhance safeguards. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 19, 2016","Emergency Room Associates doing business as Emergency Medicine Associates","","Arizona","PHYS","MED","1,067","Five months’ worth of hospital labels containing protected health information (PHI) were stolen from the car of a workforce member physician that was parked offsite from the covered entity (CE). The PHI was located in a locked briefcase within the car. The types of PHI involved in the breach included patients’ names, birthdates, ages, sex, and treatment facilities. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE filed a report with local law enforcement and retrained the workforce member involved. As a result of OCR’s investigation, the CE provided assurances that it conducted a full risk assessment and reviewed and updated its policies and procedures. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 20, 2016","Tallahassee Memorial HealthCare, Inc.","","Florida","HACK","MED","505","Tallahassee Memorial HealthCare, Inc., the covered entity (CE), discovered that an employee attempted to upload protected health information (PHI) containing patients' names, insurance numbers, payor financial information numbers, and account numbers to an unauthorized website. The breach affected 505 individuals. The CE sent timely breach notification to HHS and to affected individuals and provided free credit monitoring to affected individuals. 
In response to the breach, the CE sanctioned the responsible employee, flagged patient accounts in its internal billing system, revised its website filter to block additional web sites, and updated its employee training. OCR obtained assurances from the CE that it implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 20, 2016","Coordinated Health Mutual, Inc.","","Ohio","DISC","MED","591","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 20, 2016","Aflac","","Georgia","DISC","MED","930","Due to a vendor error, the covered entity (CE), Aflac, erroneously sent correspondence containing protected health information (PHI) to the wrong customers, affecting 930 policyholders. The types of PHI included names, policy numbers, types of coverage, employee numbers, and premium amounts, depending on the type of correspondence mailed. In addition, six policyholders’ social security numbers were potentially compromised. In response to the breach, the CE retrained employees and revised its impermissible disclosures and safeguard policies. Additionally, the CE sanctioned the manager who led the address standardization project and terminated its contract with all third party vendors and contractors involved in the breach. The CE provided breach notification to HHS, and affected individuals. Media notice was not required because the incident did not involve more than 500 residents in any particular state. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 24, 2016","Berkeley Endocrine Clinic","","California","DISC","MED","1,370","The covered entity (CE) reported to OCR that it disclosed electronic protected health information (ePHI) when it inadvertently sent a notification to 1,370 individuals without blind copying the recipients. The ePHI involved in the breach included patients' first and last names and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised administrative procedures for email communications, enhanced technical measures (including encryption for desktop computers), and retrained staff. OCR’s investigation resulted in the CE enhancing its practices for safeguarding ePHI. Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 24, 2016","Keystone Rural Health Consortia, Inc.","","Pennsylvania","PHYS","MED","800","A former employee stole a printout of a patient listing created in January 2015 that was hanging in the locked medical records room and used the information to send letters to several patients. The breach included the protected health information (PHI) of approximately 800 individuals and included demographic information, dates of birth, insurance information, and providers' names. The covered entity (CE), Keystone Rural Health Consortia, Inc., provided breach notification to HHS, affected individuals, and the media. OCR reviewed the CE’s most recent risk analysis to ensure compliance with the Privacy and Security Rules and obtained assurances that the CE strengthened physical safeguards to prevent similar occurrences in the future. 
Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 25, 2016","Integrated Health Solutions PC","","Pennsylvania","HACK","MED","19,776","The covered entity (CE), Integrated Health Solutions (IHS), notified HHS of a potential breach of unsecured electronic protected health information (ePHI) through its business associate (BA), Bizmatics. Specifically, the BA experienced a hacking or information technology incident which may have exposed up to 19,776 of the CE's patient records. OCR obtained a copy of the signed BA agreement between the CE and BA. OCR obtained assurances from the CE that all Security Rule policies and procedures are in place. This review has been consolidated into another review of this BA. Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 25, 2016","California Health & Longevity Institute","","California","DISC","MED","4,386","This case has been consolidated into an existing review. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 25, 2016","Stamford Podiatry Group .P.C","","Connecticut","HACK","MED","40,491","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 26, 2016","Orchid MPS Holdings, LLC Welfare Benefit Plan","","Michigan","DISC","MED","771","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 31, 2016","Washington DC VA Medical Center","","District Of Columbia","PHYS","MED","1,062","On March 31, 2016, the covered entity's (CE) Lead Narcotic Inspector discovered that the monthly narcotic reports were missing. On April 6, 2016, CE's police notified the facility Privacy Officer of the incident and reported the incident to the VA Network and Security Operations Center. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. The CE's Police Security Service reviewed the available closed circuit television footage and could not determine who removed the documents from the location. The CE transferred the duties of the Lead Narcotic Inspector to another employee. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "May 31, 2016","ENT and Allergy Center","","Arkansas","HACK","MED","16,200","One or more hackers attacked the data servers of Bizmatics, a business associate (BA) for the covered entity (CE), ENT & Allergy Center, which resulted in unauthorized access to Bizmatics’ customer records including those of the CE. Approximately 16,200 patients’ electronic medical records were compromised. The types of protected health information involved in the breach included demographic and clinical information. OCR opened an investigation of the CE to determine if the CE complied with the HIPAA Privacy and Security Rules with respect to business associate contracts. OCR reviewed the business associate agreement between the CE and BA and determined that it appears to be consistent with the requirements of the Privacy and Security Rules. OCR initiated a separate investigation of Bizmatics. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 1, 2016","My Pediatrician, PA","","Florida","HACK","MED","2,500","A hacker gained access to the protected health information (PHI) for 2,385 of the covered entity’s (CE) patients. The CE’s business associate (BA), Bizmatics, Inc., informed the CE, My Pediatrician, PA, about this incident. The CE provided breach notification to HHS, affected individuals, and the media. The CE also created a website with information about the breach and posted substitute notification about the breach. 
To mitigate harm, the CE sent notice of the breach to Equifax, Transunion, and Experian and provided affected individuals with instructions for registering a fraud alert with a credit reporting agency and instructions on how to obtain a free annual credit report. The CE also trained its staff on HIPAA awareness and retained outside counsel to provide further training and to review its policies. The CE did not have a BA agreement with the BA at the time of the breach, but entered into an agreement with the BA on July 12, 2016. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 3, 2016","The University of New Mexico","","New Mexico","DISC","MED","2,827","The covered entity (CE), The University of New Mexico, inadvertently mailed invoices intended for third party payers to random patients’ addresses due to an error in the CE’s billing system. The protected health information (PHI) included patients' names, patient care service categories, clinic names, pharmacies, and dates of service for 2,898 individuals. Upon discovering the breach, the CE manually reviewed its billing programs and put a hold on the billing program that created the error. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE improved technical and administrative safeguards and retrained appropriate staff on its updated procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","34.519940","-105.870090" "June 3, 2016","The Vein Doctor","","Missouri","HACK","MED","3,000","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.964253","-91.831833" "June 7, 2016","Vincent Vein Center","","Colorado","HACK","MED","2,250","The covered entity (CE), Vincent Vein Center, reported that its business associate (BA), Bizmatics, had owned data servers containing the CE's patient information that were accessed by unauthorized persons. Approximately 2,250 of the CE's patients were affected by the breach. The electronic protected health information (ePHI) involved in the breach included patients' names, addresses, social security numbers, and health visit information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE began evaluating the use of alternate electronic medical record and practice management software. As a result of OCR’s investigation and technical assistance, the CE provided written assurances that it will revise and/or implement its relevant breach notification and BA contract policies and procedures in compliance with HIPAA. OCR opened a separate investigation of the BA. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","39.550051","-105.782067" "June 7, 2016","Grace Primary Care, PC","","Tennessee","HACK","MED","6,853","Grace Primary Care, PC, the covered entity (CE), discovered that its business associate (BA), Bizmatics, suffered a malicious cyber-attack to its computer servers, potentially exposing the names, dates of birth, addresses, phone numbers, email addresses, social security numbers, health insurance numbers, diagnoses, and treatment information for 6,853 individuals. In addition, while the CE was completing breach notification requirements, some of the notification letters to the affected individuals were inadvertently mailed to invalid addresses due to a spreadsheet error. The CE recovered all but 135 letters, unopened, and conducted a breach risk assessment. The CE determined that the 135 letters had a low probability of impermissible disclosure, and OCR provided technical assistance to the CE concerning the elements which constitute PHI. The CE provided timely breach notification to the affected individuals, to HHS, and to the media. OCR determined that a BA agreement was in place at the time of the breach and the subsequent investigation. In response to the breach, the CE offered free identity protection services to the affected individuals, and initiated a process of terminating its business relationship with the BA, which is its electronic health records provider. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 7, 2016","Midland County Hospital District d/b/a Midland Memorial Hospital","","Texas","DISC","MED","1,468","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "June 8, 2016","Wal-Mart Stores, Inc.","","Arkansas","DISC","MED","27,393","OCR opened an investigation of the covered entity (CE), Wal-Mart Stores, after it discovered an erroneous mailing of refund checks by its business associate (BA), Harte-Hanks Direct Marketing/Kansas City, LLC. This breach resulted in unauthorized disclosure of 27,379 individuals’ protected health information, which included names, store locations, refund amounts, prescription or order numbers, and order dates. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.201050","-91.831833" "June 9, 2016","North Ottawa Medical Group","","Michigan","DISC","MED","22,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 9, 2016","PruittHealth Hospice Beaufort","","South Carolina","DISC","MED","1,437","On April 11, 2016, the covered entity (CE), PruittHealth Hospice, experienced a break-in at its Beaufort offices. 
The perpetrators entered the offices by breaking a side window and then broke into the file cabinets, although it did not appear that any medical records were disturbed or taken. The perpetrators had the opportunity to access the paper medical records for 1,437 individuals. The types of protected health information (PHI) contained in the paper medical records included patients' names, addresses, social security numbers, dates of birth, dates of service, service locations, and other clinical information. Following the breach, the CE reviewed its policies and trained staff on data privacy and information security. Additionally, the CE initiated a criminal investigation with local law enforcement. It improved physical safeguards by replacing the broken window, purchasing file cabinets with more secure locks, and purchasing a monitored security system. The CE provided breach notification to HHS, all patients it ever served, and the media. It also provided substitute notice on its website and set up a toll free information line for affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 10, 2016","Saints Mary and Elizabeth Hospital","","Kentucky","DISC","MED","1,682","An employee of the covered entity (CE), Saints Mary and Elizabeth Hospital, sent an email reminder to potential participants of the hospital’s bariatric patient support group and inadvertently attached a spreadsheet of patients’ names associated with bariatric-related surgery. The spreadsheet contained the names, surgery dates, addresses, emails, and phone numbers of 1,682 individuals. The CE unsuccessfully tried to recall the message. 
The CE’s internal investigation determined that the involved employee failed to utilize the auto-encryption feature for email containing protected health information (PHI). The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notices on its website. Following the breach, the CE retrained its employees on email policies and procedures and best practices for securing PHI sent through email. The CE sanctioned the involved employee and ceased using email to send reminders about support group activities. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 10, 2016","EDWARD G. MYERS D.O. INC","","Ohio","HACK","MED","6,441","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 10, 2016","Riverside Health System","","Virginia","DISC","MED","578","An employee authorized to work from home failed to return paper records to the physician practice. Her ex-husband discovered the records and returned them to the physician practice. The breach included the protected health information (PHI) of 578 individuals. The PHI involved in the breach included demographic information, dates of birth, social security numbers, medical records numbers, and clinical information. Following the breach, the covered entity re-educated all employees. OCR reviewed the CE's risk analysis to ensure compliance with the HIPAA Privacy and Security Rules. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 14, 2016","Laser & Dermatologic Surgery Center ","","Missouri","HACK","MED","31,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 14, 2016","Kern County Mental Health","","California","PHYS","MED","1,212","The covered entity (CE), Kern County Mental Health, discovered a 290-page paper printout of accounts receivables for the month of September 2006 in an open file container that was left in a vacated area of their facility on April 15, 2016. The protected health information (PHI) involved in the breach included patients' names, medical record numbers, dates of service, numerical service codes, and amounts billed. Approximately 1,212 individuals were affected by this breach. The CE initially provided substitute and media breach notifications and notification to HHS. After receiving technical assistance from OCR, the CE provided individual breach notification. Following the breach, the CE revised its policies and procedures for moving and vacating office space to ensure that a thorough walk-through of the area is completed prior to vacating an area. The CE also retrained staff on these revised policies and procedures to ensure they are implemented. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 14, 2016","Texas Health and Human Services Commission","","Texas","PHYS","MED","600","Between April 19, 2016 and May 10, 2016, Iron Mountain, a business associate (BA) of the covered entity (CE), Texas Health and Human Services Commission, was unable to locate sixteen cartons of records containing protected health information (PHI). The types of PHI involved in the breach included the names, addresses, social security numbers, social security claim numbers, dates of birth, medical record numbers, Medicaid/individual numbers, case numbers, and bank account numbers for over 500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE ensured that the BA retrained its workforce members on privacy and appropriate storage and tracking procedures. Additionally, the CE initiated a change to its procedure for reconciling file inventories and verifying file box destruction. OCR obtained assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 17, 2016","Allergy, Asthma & Immunology of the Rockies, PC ","","Colorado","HACK","MED","6,851","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 17, 2016","Midland Women's Clinic","","Texas","DISC","MED","717","On April 26, 2016, the covered entity (CE), Midland Women’s Clinic, learned that patient documents had been discovered, unsecured, at an unauthorized offsite location. The documents contained the protected health information (PHI) of approximately 717 individuals and included names, dates of birth, social security numbers, addresses and zip codes, diagnoses/conditions, lab results, medications, and other treatment information. Following the breach, the CE secured the patient records, updated its policies and procedures, and provided additional HIPAA training to its employees. OCR reviewed the CE’s breach notifications to the affected individuals and the media and provided technical assistance regarding the breach notification requirements. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "June 21, 2016","Uncommon Care, P.A.","","North Carolina","HACK","MED","13,674","Uncommon Care, P.A., the covered entity (CE), discovered that its business associate (BA), Bizmatics, Inc., was the victim of a computer hacking incident. The incident resulted in potential unauthorized access to the CE’s electronic medical records stored on Bizmatics’ servers. 
The breach affected 13,674 individuals and included patients' addresses, dates of birth, names, social security numbers, diagnoses, test results, medications, and other treatment information. The CE sent timely breach notification to HHS, to affected individuals, and to the media. The CE also posted notification about the breach on its website. In response to the breach, the CE offered one year of free credit monitoring to the affected individuals. Prior to OCR's investigation, the CE determined that its BA agreement with the BA was not fully executed and entered into an effective BA agreement on June 7, 2016. The CE decided to continue its services contract with the BA and obtained assurances from the BA that improvements have been and will be made to its computer network, servers, and network monitoring activities. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.759573","-79.019300" "June 27, 2016","Ceaton C Falgiano","","New York","DISC","MED","650","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712784","-74.005941" "June 27, 2016","Linda J White, DDS, PC","","Virginia","PHYS","MED","2,000","On June 27, 2016, the covered entity (CE), Dr. Linda White, reported that an external hard drive device containing a backup of the dental practice's computer server was not returned for proper destruction by an employee. Approximately 2,000 individuals were affected by the breach and the types of protected health information (PHI) stolen included patients’ names, dates of birth, social security numbers, and limited medical information. 
The CE provided breach notification to HHS, affected individuals, and the media. The CE determined after a formal risk assessment that the level of risk was very low because the stolen hard drive required specific software to be utilized for the employee to gain access to the patients’ PHI. OCR obtained assurances that the CE implemented the corrective actions listed. County officials initiated prosecution of the employee who possessed the hard drive device. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.431573","-78.656894" "June 29, 2016","Massachusetts General Hospital ","","Massachusetts","HACK","MED","4,293","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","42.407211","-71.382437" "June 29, 2016","Mercy Medical Center Redding","","California","DISC","MED","520","An employee of a business associate (BA), naviHealth, provided services to the covered entity’s (CE) patients using an assumed name and nursing license from June 1, 2015, to May 13, 2016, and accessed protected health information (PHI) in the course of employment. The breach affected 520 individuals who were patients of the CE's Redding facility and a total of 1,253 Dignity Health patients in California and Nevada. The types of PHI involved in the breach included full names, addresses, dates of birth, social security numbers, claims information, diagnoses/conditions, lab results, and medications. The CE provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE implemented the corrective actions listed above. 
In response to the breach, the BA sanctioned the responsible employee, terminated the employee’s access to all PHI, and contacted law enforcement to report the incident. The BA also reviewed recorded calls made by the employee and PHI accessed by the employee to ensure that PHI was accessed to provide patients with services according to the job function. In addition, the BA improved administrative safeguards by revising its workforce clearance policies and procedures. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 1, 2016","Planned Parenthood of the Heartland","","Iowa","DISC","MED","2,506","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.878003","-93.097702" "July 7, 2016","The Ambulatory Surgery Center at St. Mary","","Pennsylvania","HACK","MED","13,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.203322","-77.194525" "July 7, 2016","Heart Center of Southern Maryland, L.L.P.","","Maryland","HACK","MED","1,350","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 11, 2016","Dr. Q Pain and Spine d/b/a Arkansas Spine and Pain","","Arkansas","HACK","MED","17,100","A virus or malware was potentially installed on the information systems of Bizmatics, Inc., a business associate (BA) of the covered entity, Arkansas Spine and Pain (CE). 
Approximately 17,100 individuals' electronic medical records were compromised, but the BA and CE were unable to determine whose records or what information, if any, was accessed. OCR obtained a copy of the BA agreement in place between the CE and this BA. This review has been addressed by a separate review of the BA. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 11, 2016","Health Incent, LLC","","Tennessee","HACK","MED","1,100","Health Incent, the covered entity (CE), discovered on June 8, 2016 that a patient database containing electronic protected health information (ePHI) was available on the internet through web searches. The breach affected 1,100 individuals and the types of ePHI involved in the breach included patient names, dates of birth, email addresses, and mailing addresses. The CE provided timely breach notification to HHS, affected individuals, and the media. The CE successfully contacted all affected individuals who did not receive the initial notification. In response to the breach, the CE sanctioned those responsible for the breach and created a new process for uploading files to its website. OCR obtained assurances from the CE that it implemented the corrective actions noted above. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 11, 2016","Lasair Aesthetic Health, P.C.","","Colorado","DISC","MED","1,835","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 12, 2016","Kaiser Permanente Northern California","","California","PHYS","MED","1,136","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 14, 2016","Cefalu Eye-Tech of Green, Inc.","","Ohio","DISC","MED","850","An employee of Cefalu Eye-Tech of Green, Inc. (Cefalu) photographed computer screens containing the protected health information (PHI) of approximately 850 individuals, including names, addresses, email addresses, and codes for diagnosis and conditions. Following the breach, Cefalu investigated the breach and provided breach notification to HHS and the affected individuals. OCR determined that the reporting entity is no longer a covered entity. OCR obtained documentation supporting its finding that Cefalu is no longer a covered entity. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 14, 2016","SUNSHINE STATE HEALTH PLAN, INC.","","Florida","DISC","MED","1,479","The covered entity (CE), Sunshine State Health Plan, Inc., discovered that a case manager emailed a daily inpatient census report to an incorrect email address. 
The email contained the protected health information (PHI) of 1,479 individuals including member names, addresses, dates of birth, plan and eligibility information, hospitalization dates, Medicaid and Medicare ID numbers, diagnoses, and procedures. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE offered free credit monitoring and identity theft restoration services. In response to the breach, the CE revised its encryption and decryption policy and procedures to require all employees to encrypt emails containing PHI and sensitive data. The CE also revised its confidentiality and release of PHI policy and its mitigation policies and procedures. The CE sanctioned the involved employee for violating its policies. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 14, 2016","Blaine Chiropractic Center","","Minnesota","HACK","MED","1,945","On or around May 10, 2016, the covered entity’s (CE) office manager noticed that its computer server was crashing and programs were running slowly. The CE found that its new patient record management system created and hid an administrative account that was using a very weak and predictable user ID and password. This administrative account was used to hack the CE’s server. The protected health information (PHI) on the server included patients’ full names, addresses, telephone numbers, appointment activity, clinical care notes, insurance information and for 51 of these affected individuals, their social security numbers. Approximately 1,945 individuals were affected by this breach. 
The CE provided breach notification to HHS, affected individuals, and the media and offered credit monitoring free of charge for one year. Following the breach, the CE removed the unauthorized account and application. The CE retained a forensic expert and provided OCR with a copy of the forensic report. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 15, 2016","Lee Rice D.O., Medical Corp DBA Lifewellness Institute","","California","HACK","MED","2,473","Malware was installed by cyber-intruders into PrognoCIS, the medical records system of the business associate (BA), Bizmatics, Inc. The breach affected approximately 2,473 individuals who were patients of the covered entity (CE), Lee Rice D.O. Medical Corporation d/b/a Lifewellness Institute. The types of protected health information (PHI) involved included full names, addresses, dates of birth, phone numbers, sex, marital status, social security numbers, claims information, diagnoses/conditions, lab results, and medications. The CE provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. In response to the breach, the BA notified and cooperated with the FBI in its investigation. In addition, the BA consulted with an independent cyber-security firm to assess the extent of the breach and to implement additional protective measures to prevent a similar breach from occurring in the future. OCR obtained assurances that the CE and BA implemented the corrective actions noted above. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 15, 2016","Providence Medical Group- Gateway Clinics","","Oregon","DISC","MED","5,978","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 19, 2016","Access Health Care Physicians, LLC","","Florida","PHYS","MED","2,500","Access Health Care Physicians, LLC, the covered entity (CE), discovered that on May 26, 2016, an intruder broke into one of the physician’s locked offices and pried open locked file cabinets where patients’ financial records were stored, affecting the demographic and clinical information of approximately 2,500 individuals. The file cabinets contained records which included patients’ names, dates of birth, phone numbers, home addresses, diagnoses code, social security numbers, and insurance information. The CE provided timely breach notification to HHS, affected individuals, and the media. In response to the breach, the CE immediately secured the physician’s office where the breach occurred, changed the locks, and installed an alarm system. It moved the records of former patients to a secure offsite storage facility. The CE conducted a survey of all of its affiliated physician offices to ensure every office installed an alarm system. OCR obtained assurances that the CE has implemented the corrective actions listed above. 
Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 20, 2016","Neurology Physicians LLC","","Maryland","HACK","MED","4,831","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","39.045755","-76.641271" "July 20, 2016","Premier Family Care I, Inc.","","Texas","DISC","MED","1,326","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "July 20, 2016","Memorial Hermann Health System, reporting on behalf of Memorial Hermann Health System Employee Group Health Plan","","Texas","DISC","MED","12,061","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 21, 2016","Sunbury Plaza Dental","","Ohio","PHYS","MED","7,784","OCR opened an investigation of the covered entity (CE), Sunbury Plaza Dental, after it reported that a secured storage unit containing paper protected health information (PHI) was burglarized. The storage unit contained PHI for 7,981 individuals. The medical records contained at this location included names, addresses, dates of birth, social security numbers, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. The CE offered one year of identity monitoring to all affected individuals. Following the breach, the CE revised its records retention policies to minimize the number of paper records in storage. 
OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 22, 2016","Ambucor Health Solutions, an unincorporated division of The ScottCare Corporation","","Delaware","DISC","MED","1,679","Location of breached information: Email, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 22, 2016","Caring for Women, PA","","Texas","DISC","MED","697","An employee of FTGU Medical Consulting, LLC (FTGU) sent the electronic protected health information (ePHI) of approximately 700 individuals to an unknown third party. FTGU is a business associate (BA) of Caring for Women, PA, the covered entity (CE). The ePHI included clinical (diagnostic and treatment) information, as well as financial information related to billing. The BA discovered the breach when the recipient of the ePHI notified the BA that he was not the intended recipient. The BA requested that the recipient delete the ePHI file from his email and his computer and received assurances from the recipient that he would comply with this request. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE provided the BA with additional training. In addition, the BA took steps to increase or implement technological safeguards, implement periodic evaluations, and retrain employees. OCR also verified that the CE had a proper BA agreement in place, which restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 25, 2016","American Family Care, Inc.","","Alabama","DISC","MED","7,200","Location of breached information: Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 25, 2016","StarCare Speciality Health System","","Texas","PHYS","MED","2,844","Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 26, 2016","Midwest Orthopedic Pain and Spine","","Missouri","HACK","MED","29,153","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 28, 2016","Athletes' Performance Los Angeles, LLC","","Arizona","PHYS","MED","854","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 29, 2016","Athens Orthopedic Clinic, P.A.","","Georgia","DISC","MED","201,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "July 29, 2016","Jefferson Medical Associates, P.A.","","Mississippi","HACK","MED","10,401","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 4, 2016","The Carle Foundation","","Illinois","DISC","MED","1,185","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.633125","-89.398528" "August 5, 2016","Center for Minimmally Invasive Bariatric and General Surgery","","Pennsylvania","DISC","MED","992","An employee erroneously emailed a group of 992 patients about a support group and copied other patients so that they were able to see the email addresses of all the other individuals to whom the email was sent. The types of protected health information (PHI) involved in this incident included email addresses and information which may have suggested that the individual was a patient of the covered entity (CE). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its policies and procedures, attempted to recall the email, and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above and provided technical assistance on reasonable safeguards. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.203322","-77.194525" "August 7, 2016","Prosthetic & Orthotic Care, Inc.","","Missouri","HACK","MED","23,015","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.964253","-91.831833" "August 9, 2016","Professional Dermatology Care, P.C.","","Virginia","HACK","MED","13,237","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.431573","-78.656894" "August 9, 2016","Newkirk Products, Inc.","","New York","HACK","MED","3,466,120","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712784","-74.005941" "August 10, 2016","Autism Home Support Services","","Illinois","DISC","MED","533","The covered entity’s (CE) employee disclosed protected health information (PHI) to a university practicum student who contacted individuals by email to ask if they would like to participate in a survey related to autism. The PHI involved in the breach included the demographic information of approximately 533 individuals. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE sanctioned and re-trained the involved employee and confirmed that the practicum student destroyed the PHI received. OCR obtained documentation that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 10, 2016","Cardiology Associates","","Maryland","DISC","MED","907","A Cardiology Associates’ employee mailed patients’ protected health information (PHI) to her personal email address without a legitimate business purpose. The breach included the PHI of 907 individuals and included names, dates of birth, and social security numbers. Following the breach, the covered entity (CE) sanctioned the employee, which included termination in this case, and notified the Federal Bureau of Investigation. OCR reviewed the CE's risk assessment to ensure compliance with the Security Rule. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 11, 2016","Rotech Healthcare Inc.","","Florida","DISC","MED","957","Rotech Healthcare, Inc., the covered entity (“CE”), discovered that medical records from its electronic medical records system were printed, removed from the office, and recovered by the Secret Service. The breach affected 957 patients in 27 states. There were less than 500 individuals affected in any given state. The records involved in the breach contained patients' names, social security numbers, patients' numbers, dates of birth, dates of death, addresses, phone numbers, and the names of the Rotech subsidiary companies from which the individual received healthcare services. The CE sent timely breach notification to HHS and to affected individuals, and posted notification to its website. The CE also offered two years of free identity protection to affected individuals. 
In response to the breach, the CE revised its data monitoring policies and procedures, revised physical safeguards in office locations with the highest risk factors for a future breach, and sanctioned the employees alleged to have been involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 12, 2016","Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants","","Arizona","HACK","MED","882,590","The covered entity (CE), Valley Anesthesiology Consultants, Inc., d/b/a Valley Anesthesiology and Pain Consultants, was acquired by Sheridan Healthcorp, Inc., and became its subsidiary. A third party may have gained unauthorized access to the CE’s computer systems on March 30, 2016, affecting 88,590 individuals. The types of electronic protected health information (ePHI) that were potentially accessed included demographic and clinical information. In response to the breach, the CE immediately disabled the account through which unauthorized access was potentially gained. A forensics firm investigated the breach and reported that approximately nine additional foreign internet protocol (IP) addresses attempted to use remote desktop protocols to access various parts of the CE’s computer systems using accounts with administrator privileges. The CE “blacklisted” these IP addresses as the investigation continued in order to allow the firewall to block any attempts to access the electronic health record program through the remote desktop protocol. The forensics firm also identified fifteen suspicious local accounts and three administration accounts that were potentially compromised. 
The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice in accordance with the Breach Notification Rule. OCR provided technical assistance regarding the CE’s obligations to conduct a comprehensive and current security risk analysis and implement a corresponding risk management/mitigation plan to address any findings. OCR also provided TA regarding the CE’s obligations to document evidence of its implemented security awareness training program, to include training material (not just email reminders), and a record of completion by workforce and management. Additionally, OCR stated the expectation that the CE clarify why non-ePHI applications are not governed by the same user access review procedures. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 12, 2016","Bon Secours Health System Incorporated","","Maryland","DISC","MED","651,971","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 14, 2016","John E. 
Gonzalez DDS","","California","PHYS","MED","1,025","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 15, 2016","Phoenix Dental Care","","Tennessee","PHYS","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 15, 2016","New York State Office of Mental Health","","New York","HACK","MED","21,880","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 18, 2016","Village of Oak Park, Illinois","","Illinois","DISC","MED","688","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 19, 2016","Orleans Medical Clinic","","Indiana","HACK","MED","6,890","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 19, 2016","The Outer Banks Hospital","","North Carolina","PHYS","MED","1,000","The covered entity (CE), Outer Banks Hospital, lost two unencrypted portable computer drives (""flash"" drives) containing the protected health information (PHI) of approximately 1,000 individuals during a move. The types of PHI on the lost flash drives included names, addresses, birthdates, social security numbers, diagnoses/conditions, and other treatment information. 
The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained its workforce with respect to appropriate portable devices and media storage. Additionally, the CE initiated the deployment of new technology on all computer workstations to detect and prevent PHI from being downloaded to portable storage media devices. The CE also began using auto-encryption technology rather than relying on user actions to encrypt data and implemented related procedures. Further, the CE drafted a new procedure for physical practice acquisitions which includes a more thorough risk assessment of privacy and security components. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "August 22, 2016","SCAN Health Plan","","California","DISC","MED","87,069","Person(s) with electronic account access impermissibly used a sales database containing the protected health information of the covered entity's (CE) prospective and enrolled members. Approximately 87,069 individuals were affected. The electronic PHI (ePHI) involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers (of 498 individuals), and sales call notes related to diagnoses/health conditions, medications, and physicians' names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented procedures to increase the monitoring of the database and enhanced its technical security procedures regarding authentication for database access. OCR’s investigation resulted in the CE enhancing its practices for safeguarding ePHI. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "August 22, 2016","CalOptima","","California","DISC","MED","1,000","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "August 23, 2016","Summit Medical Group, Inc. dba St. Elizabeth Physicians ","","Kentucky","DISC","MED","674","The covered entity (CE), Summit Medical Group, Inc. dba St. Elizabeth Physicians, discovered that an employee at its Weight Management Center (WMC) sent an email on July 12, 2016, notifying recipients of an upcoming vitamin presentation, but inadvertently failed to blind copy the recipients. Recipients were able to see all other recipients’ email addresses. The email was sent to 811 addresses, but because some were undeliverable and some belonged to the CE’s employees, the CE calculated the number of individuals affected as 674. On August 23, 2016, the CE provided breach notification to HHS, affected individuals, and the media. In response to the breach and as a result of OCR’s investigation, the CE reviewed and adjusted its emailing procedures, sanctioned the WMC employee, and provided training to its leadership and the WMC workforce. Additionally, the employee who sent the email started a multi-session individual training program. OCR obtained assurances that the CE implemented the corrective actions listed above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.839333","-84.270018" "August 26, 2016","Planned Parenthood of Greater Washington and North Idaho","","Washington","DISC","MED","10,700","In August 2016, the covered entity (CE), Planned Parenthood of Greater Washington and North Idaho (PPGWNI), reported that its business associate (BA), athenahealth, inc., inadvertently sent some e-mails, inviting individuals to the CE's online portal, to the wrong addresses. The e-mails included the first and last names of 10,700 individuals. Upon discovery of the breach, the CE and BA shut down the portal to determine the root cause of the breach and to implement additional safeguards. The CE provided breach notification to HHS, affected individuals, and the media. The BA and CE reestablished the online portal after re-confirming permissions and processes related to the business associate contract/relationship. OCR obtained documented assurances that the CE and BA implemented the corrective actions noted above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","47.751074","-120.740139" "August 30, 2016","County of Los Angeles","","California","PHYS","MED","743","Paper documents were stolen from an employee car, while off-site. The paper documents contained the protected health information (PHI) of approximately 743 individuals. The types of PHI involved in the breach included first and last names, dates of birth, medical record numbers, telephone numbers, gender information, names of treatment clinics, appointment types, date and time of appointment(s), and reasons for the examination and/or diagnosis. Following the breach, the covered entity (CE) notified local law enforcement and re-trained staff. 
The CE provided breach notification to HHS, affected individuals and the media. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "August 31, 2016","Center for Neurosurgical & Spine Disorders, LLC","","Louisiana","HACK","MED","824","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","30.984298","-91.962333" "August 31, 2016","Willow Bend Dental","","Texas","PHYS","MED","625","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "September 1, 2016","CHI Franciscan Healthcare Highline Medical Center","","Washington","DISC","MED","18,399","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 2, 2016","Santa Cruz County Health Services Agency","","California","DISC","MED","25,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 2, 2016","Burrell Behavioral Health","","Missouri","DISC","MED","7,748","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 2, 2016","Medical College of 
Wisconsin","","Wisconsin","HACK","MED","3,179","An unauthorized third-party compromised the protected health information (PHI) found in an employee’s email account for a period of three days. The compromised email account contained the PHI of 3,225 individuals. The types of PHI involved in the breach included full names, home addresses, dates of birth, medical record numbers, diagnoses, and/or treatment information, and the social security numbers of two patients. The covered entity (CE), Medical College of Wisconsin, provided breach notification to HHS, affected individuals, and the media and also posted a substitute notice. Following the breach, the CE retained a forensic firm, retrained the employee with the compromised email account, and implemented new safeguards. OCR obtained written assurances that the CE implemented the actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 7, 2016","Geisinger Health Plan","","Pennsylvania","DISC","MED","2,814","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 7, 2016","Decatur Health Systems ","","Kansas","PHYS","MED","707","A CAT scan log binder containing protected health information (PHI) went missing from the covered entity (CE), Decatur Health Systems, sometime between July 22, 2016, and July 25, 2016. The breach affected 707 individuals and the types of PHI contained in the binder included patients’ names, dates of birth, exam dates, diagnoses, ordering providers, and x-ray exposure levels. The CE provided breach notification to HHS, affected individuals, and the media. It also reported the incident to the proper law enforcement authorities. 
In response to the breach the CE enhanced physical safeguards in every department. Additionally, the CE implemented new privacy and security practices and retrained staff on its HIPAA policies and procedures. The CE also revised its policy to clarify how patients and third parties can access PHI, including associated fees, and educated staff on the policy. OCR obtained documentation that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 8, 2016","University Gastroenterology, Inc.","","Rhode Island","HACK","MED","15,478","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 8, 2016","Man Alive, Inc. and Lane Treatment Center, LLC","","Maryland","HACK","MED","860","The covered entity (CE), Man Alive, Inc. and Lane Treatment Center, reported that on September 8, 2016, through remote access, a cyber-attacker hacked the CE’s computer system and installed ransomware on an employee’s computer to gain unauthorized access into the electronic patient record system. The CE determined that the hacker accessed and downloaded summary patient profiles and lists consisting of 860 patients’ names, birthdates, social security numbers, drug dosage information, insurance identification numbers, street addresses, phone numbers, employment status and some demographic data. The CE immediately removed the infected computer from the network and any data that was subjected to malicious encryption was restored. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. It also notified the FBI and vendor partners. 
Following the breach, the CE disabled all user remote access with the exception of a few vendors and implemented a security appliance that performs virus scanning at the gateway level, blocks unwanted protocols by policy, and provides firewalls. The CE also strengthened the complexity requirements for all user passwords. OCR obtained sufficient assurances that the CE implemented the corrective actions listed above. Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 9, 2016","Public Education Employees' Health Insurance Plan","","Alabama","DISC","MED","1,349","The covered entity (CE), Public Education Employees’ Health Insurance Plan, discovered that as a result of an information technology (IT) upgrade some documents that included protected health information (PHI) related to multiple members inadvertently became viewable to other members through its Member Online System (MOS). The PHI involved in the breach included members’ and dependents’ names, program identification numbers, birth dates, and retirement dates pertaining to 1,349 individuals. Some of the documents also contained social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. The CE provided credit monitoring services to all affected individuals for 12 months at no cost to them. In response to the breach, the CE investigated and worked in conjunction with Deloitte (the company hired to provide software and professional services for the new IT system) to revise the newly implemented software coding to terminate access to the documents involved in this incident. The CE and Deloitte were able to apply an emergency fix on the same day that the incident was discovered. Additionally, the CE revised its internal protocols for uploading documents. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 9, 2016","Martin Army Community Hospital","","Georgia","PHYS","MED","1,000","In December 2013 the IRS notified the covered entity (CE), Martin Army Community Hospital, that one of its employees was involved in identity theft activities. This review was consolidated with another review of this CE. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 9, 2016","Asante","","Oregon","DISC","MED","2,400","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 9, 2016","U.S. HealthWorks","","California","PHYS","MED","1,400","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 12, 2016","Codman Square Health Center ","","Massachusetts","DISC","MED","3,840","A workforce member provided an unauthorized individual with the workforce member’s credentials so as to allow the individual access to the New England Health Exchange Network (NEHEN) via computer. The unauthorized individual was thus able to access the protected health information (PHI) of 102 patients of the covered entity (CE), Codman Square Health Center. 
The types of PHI involved in the breach included patients’ names, addresses, birthdates, medical insurance information, and for patients receiving Medicaid, social security numbers. The CE provided breach notification to the affected individuals, the media and HHS. The CE also provided individuals fraud resolution and credit monitoring services at no cost. Following discovery of the breach, the CE sanctioned the involved employees and re-trained all employees. As a result of OCR’s investigation, the CE revised its Breach Notification policy and implemented related procedures. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","42.407211","-71.382437" "September 12, 2016","Pratap S. Kurra, M.D.","","California","PHYS","MED","2,029","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 13, 2016","King of Prussia Dental Associates","","Pennsylvania","HACK","MED","16,228","King of Prussia Dental Associates’ network server was hacked. The breach affected the electronic protected health information (ePHI) of 16,768 individuals and included names, dates of birth, social security numbers, and addresses, as well as clinical information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE strengthened its technical safeguards, including its firewalls and anti-virus protection. OCR reviewed the CE's risk analysis to ensure compliance with the Security Rule. The CE provided OCR with assurances it would continue to strengthen its technical safeguards. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.203322","-77.194525" "September 15, 2016","Heritage Medical Partners, LLC","","South Carolina","DISC","MED","812","The covered entity (CE), Heritage Medical Partners, while moving to a new facility, left medical records unsecured in the former facility from November 17, 2014 to January 22, 2015, affecting 1,019 individuals. The types of protected health information (PHI) on the documents included patients' names, dates of birth, addresses, phone numbers, social security numbers, genders, ages, ethnicity, height and weight, facility names, treating physicians, dates of tests, and clinical information. OCR provided technical assistance so that the CE provided breach notification to HHS, affected individuals, and the media, and on a website set up by the CE. The CE was in the process of dissolving and stopped treating patients in December 2015. The CE reported that medical records are stored in secure areas of the individual providers’ current facilities with access limited to authorized employees. OCR provided technical assistance regarding proper retention and destruction of PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 16, 2016","CHI Franciscan Health St. Clare Hospital and St. 
Joseph Medical Center","","Washington","DISC","MED","2,818","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 19, 2016","KidsPeace","","Pennsylvania","PHYS","MED","1,456","The covered entity (CE), Kids Peace, discovered that a box of documents from the medical records department was missing. It is believed that a custodian threw the box, which was left next to a wastepaper basket, in the trash. The breach included the protected health information (PHI) of 1,456 individuals and included names, dates of birth, medical record and patient account numbers, and service dates. Following the breach, the CE retrained staff and restricted custodians’ access to the medical records department. Additionally, OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 20, 2016","Ventura County Health Care Agency","","California","DISC","MED","777","An employee took home paperwork containing the protected health information (PHI) of 777 individuals that was later recovered by an acquaintance of the employee and returned to the covered entity (CE), Ventura County Health Care Agency. The CE provided breach notification to HHS, affected individuals, and the media. The CE also notified the California Department of Public Health. Following the breach, the CE assigned all necessary employees for retraining, sanctioned the responsible employee, and sent a memo to all necessary staff prohibiting the removal of PHI from the facility. 
OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 21, 2016","McLaren Greater Lansing Cardiovascular Group","","Michigan","DISC","MED","1,000","Location of breached information: Desktop Computer, Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 21, 2016","USC Keck and Norris Hospitals","","California","HACK","MED","16,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 22, 2016","New Jersey Spine Center","","New Jersey","HACK","MED","28,000","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 23, 2016","Jennie Stuart Medical Center","","Kentucky","HACK","MED","1,500","Hackers placed ransomware on the covered entity's (CE) computer server. The servers stored protected health information (PHI)—addresses, dates of birth, driver’s license data, names, social security numbers, claims information, credit card and bank account information, medical diagnoses, lab results, medications, and other treatment information—for approximately 1,500 individuals. The data on the servers was encrypted and the hackers placed encryption on top of the CE’s encryption, preventing access by the CE. The hackers demanded a ransom, which the CE paid. 
After payment of the ransom, the CE re-gained access to the data on the server. The CE hired a third party to perform a forensic investigation, and the CE provided a complete copy of the investigative report to OCR. The CE also provided OCR with a detailed analysis of its risk assessment and its determination that the probability that data was compromised was very low. Out of an abundance of caution, the CE expanded its data security monitoring, updated its security management policies, and provided additional training to staff. OCR obtained assurances that the CE implemented the actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 23, 2016","Hal Meadows, M.D.","","California","HACK","MED","6,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 23, 2016","Central Ohio Urology Group, Inc.","","Ohio","HACK","MED","300,000","Electronic protected health information (ePHI) contained on the covered entity’s (CE) computer server was compromised by an unauthorized third-party from July 18 to August 2, 2016. The PHI involved in the compromised server included full names, Social Security numbers, dates of birth, home addresses, drivers’ licenses, claims information, credit/bank account numbers, and treatment notes pertaining to 300,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. Following the breach, the CE retained a forensic firm, conducted a new risk assessment, installed an enhanced firewall system, updated its anti-virus software, and implemented safeguards related to access. 
OCR obtained written assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 23, 2016","Group Health","","Washington","DISC","MED","668","The covered entity (CE), through its business associate (BA), erroneously mailed coverage termination letters to the wrong members/patients. The paper documents contained the protected health information (PHI) of approximately 668 individuals and included names, addresses, insurance group names, and medical record numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE worked with the BA to take additional quality control steps. OCR obtained assurances that the CE/BA implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 26, 2016","Prima Medical Foundation ","","California","HACK","MED","2,933","Medical Practice Concepts, Inc., a business associate (BA) that provides the covered entity (CE), Prima Medical Foundation, with business and health care system services, experienced a ransomware infection. A third party forensic firm hired to investigate this incident found no evidence that protected health information was accessed, viewed, or transferred. However, the BA informed the CE that during the data restoration process one of their backup systems failed, causing the loss of certain information documented by the CE's physicians during the period from July 11, 2016 through July 26, 2016. OCR has consolidated the review of this case into a review of the BA. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "September 27, 2016","Marin Healthcare District","","California","HACK","MED","2,292","Ransomware infected systems operated by the covered entity’s (CE) business associate (BA), Marin Medical Practice Concepts, Inc. A third party forensic firm hired to investigate the incident found no evidence that patients’ personal, financial, or health information was accessed, viewed, or transferred. However, during the restoration process, one of the BA’s backup systems failed, causing the loss of protected health information (PHI) documented by the CE’s physicians during the period from July 11, 2016 through July 26, 2016. The PHI included vital signs, limited clinical histories, documentation of physical examinations, and records of the communications between patients and their physicians during their visits. OCR consolidated this review with an existing review of the BA involved in this case. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "September 28, 2016","Thomasville Eye Center","","Georgia","DISC","MED","10,891","The covered entity (CE), Thomasville Eye Center, discovered that one of its employees opened a credit account for a patient without authorization. The employee was able to access patient names, addresses, dates of birth, Social Security numbers, and billing information. Although the CE only knows of one patient being impacted, the employee accessed records of 11,137 individuals during her employment, all of whom may have been affected. The CE provided breach notification to HHS, the individuals who may have been affected, the media, and on its website. 
Following the breach, the CE retrained employees and revised policies and procedures to limit employee access to protected information. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employee involved, notified local law enforcement, and the FBI. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "September 29, 2016","San Juan Oncology Associates","","New Mexico","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","34.519940","-105.870090" "September 29, 2016","Fred's Stores of Tennessee, Incorporated","","Tennessee","PHYS","MED","9,624","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","35.517491","-86.580447" "September 30, 2016","Urgent Care Clinic of Oxford","","Mississippi","HACK","MED","64,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","32.354668","-89.398528" "September 30, 2016","University of Wisconsin Hospitals and Clinics Authority","","Wisconsin","DISC","MED","6,923","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","43.784440","-88.787868" "October 3, 2016","Rainbow Children's Clinic","","Texas","HACK","MED","33,698","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 4, 2016","Francisco Jaume, D.O.","","Arizona","HACK","MED","14,236","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 4, 2016","Apria Healthcare","","California","DISC","MED","1,987","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 5, 2016","Baxter Regional Medical Center - Home Health Facility","","Arkansas","DISC","MED","2,124","On August 5, 2016, intruders broke into the covered entity (CE), Baxter Regional Medical Center, potentially breaching the protected health information (PHI) of approximately 2,124 individuals. The intruders broke into locked offices which contained PHI in paper-based patient files although nothing appeared to be missing. Following the breach, the CE improved physical security. Additionally, it moved all non-current patient records to a secure, off-site storage facility and trained employees on its HIPAA practices. The CE provided breach notification to HHS, affected individuals, and the media. During OCR’s investigation, OCR reviewed the notification to HHS and provided technical assistance regarding the Breach Notification Rule. 
Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 5, 2016","Napa Valley Dentistry","","California","PHYS","MED","4,262","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 6, 2016","The Seattle Indian Health Board","","Washington","HACK","MED","793","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 7, 2016","Genesis Physical Therapy, Inc.","","California","DISC","MED","2,245","Rehab Billing Solutions (RBS) is a business associate (BA), which handled the billing and medical records, for the covered entity (CE), Genesis Physical Therapy, Inc. A third party impermissibly accessed protected health information (PHI) by exploiting a vulnerability in the BA’s application that stores scanned documents. The demographic and/or financial information of 2,245 individuals was potentially involved in the breach. The CE ended the BA agreement with this BA on August 31, 2016, and did not have access to the application at the time of the breach. The CE provided breach notification to HHS, affected individuals and the media pursuant to the Breach Notification Rule. In response to OCR’s investigation, the CE provided OCR with a copy of its BA agreement with RBS, which contained satisfactory assurances regarding safeguarding PHI pursuant to the requirements of the Privacy and Security Rules. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 7, 2016","Northwest Community Healthcare","","Illinois","DISC","MED","540","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 7, 2016","Warren Clinic","","Oklahoma","HACK","MED","2,938","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 10, 2016","Baxter Healthcare","","Illinois","DISC","MED","992","On September 15, 2016, an employee transmitted an email to patients inviting them to participate in a product-specific Patient Advisory Council. The email contained patients’ complete email addresses in the “To” field of the email message, so that recipients could see other recipients’ email addresses, which may have also included names. Approximately 992 individuals were affected by the breach. The covered entity (CE), Baxter Healthcare, provided breach notification to HHS, affected individuals, and the media, and also filed a police report. To prevent similar breaches from happening in the future, the CE reeducated and counseled the employee involved in this matter on its HIPAA policies and procedures and sanctioned the employee in accordance with its sanctions policy. The CE also provided training to its workforce on its policies and procedures regarding HIPAA, which highlighted the risks involved with emailing protected health information. OCR obtained written assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 13, 2016","Mercy Hospital and Medical Center","","Illinois","PHYS","MED","547","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 14, 2016","Peabody Retirement Community","","Indiana","HACK","MED","1,466","Location of breached information: Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.267194","-86.134902" "October 14, 2016","Integrity Transitional Hospital","","Texas","HACK","MED","29,514","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "October 14, 2016","Gibson Insurance Agency, Inc.","","Indiana","PHYS","MED","7,242","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.267194","-86.134902" "October 18, 2016","Four Star Drug of Bethany, Inc.","","Nebraska","PHYS","MED","647","On August 30, 2016, the covered entity (CE), Four Star Drug of Bethany, Inc., discovered that it left boxes containing protected health information (PHI) outdoors in an unprotected area where a garbage truck eventually retrieved the boxes and transported them to a recycling plant. The breach affected the PHI of approximately 647 individuals and included patients’ names, dates of birth, social security numbers, clinical and demographic information, claims information, and medications. 
The CE provided breach notification to HHS, affected individuals, and the media. The CE further advised HHS that on May 24, 2016, its pharmacy department was sold, and consequently it was closed at the time of the breach incident that occurred on August 30, 2016. Following the breach, the CE updated its HIPAA policies and procedures to ensure that its remaining records that contain PHI are safeguarded and disposed of properly. The CE no longer generates records containing PHI because it is closed. OCR obtained documented assurances that the CE implemented the corrective actions listed above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.492537","-99.901813" "October 19, 2016","MGA Home Healthcare Colorado, Inc.","","Arizona","PHYS","MED","3,119","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 20, 2016","You and Your Health Family Care, Inc.","","Florida","HACK","MED","3,000","The covered entity (CE), You and Your Health Family Care, Inc., discovered a ransomware virus accessed its server through an open firewall port on September 11, 2016. The ransomware accessed data that included patient names, addresses, dates of birth, Social Security numbers, and clinical information for 1,456 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE initiated a comprehensive review of its privacy and security safeguards, secured all open ports in its firewall, reviewed and secured all user accounts and strengthened passwords, and installed additional security software. 
It developed a plan to implement an audit system and encryption mechanisms, and retrain all staff after it finishes the in-depth review and update of its privacy and security policies. Additionally, it will conduct a risk analysis on an annual basis moving forward. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","27.664827","-81.515754" "October 20, 2016","Harrisonburg OB GYN Associates, P.C.","","Virginia","PHYS","MED","800","Harrisonburg Obstetrics and Gynecology Associates, P.C., the covered entity (CE), reported that on August 11, 20, 2016, a physician and former president of the CE, printed out the protected health information (PHI) of approximately 800 patients prior to his resignation. The CE determined that the reports showed patients' names, account numbers, phone numbers, addresses, dates of service and reasons for the visits. At the time of OCR's review, the CE was in litigation for the return of the reports. The CE disabled all access to such reports except by a few employees with a business need. The CE provided breach notification to HHS, the media, and affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed. Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 20, 2016","The Finley Center","","Nevada","PHYS","MED","3,000","On September 17, 2015, a desktop computer containing scheduling software was stolen from the covered entity (CE), The Finley Center. The computer contained the demographic and financial information of approximately 3,000 individuals. 
The CE provided breach notification to HHS and affected individuals. In response to the breach, as well as OCR’s investigation of the breach incident, the CE implemented new technical, administrative, and physical safeguards, and revised its HIPAA policies and procedures. Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 21, 2016","Baystate Health, Inc.","","Massachusetts","HACK","MED","13,112","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 21, 2016","Florida Hospital Medical Group","","Florida","PHYS","MED","6,786","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 21, 2016","Singh and Arora Oncology Hematology, P.C.","","Michigan","HACK","MED","16,000","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 24, 2016","Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, Silver Creek Physical Therapy ","","California","DISC","MED","8,009","An electronic data storage account belonging to a business associate (BA), Rehab Billing Solutions, was accessible to persons outside its organization from May, 2016 to September 11, 2016. A third party security researcher from a software company accessed and downloaded protected health information (PHI) about the covered entity’s (CE) patients from this account. 
The types of PHI potentially involved in the breach included names, Medicare numbers, dates of birth, social security numbers, driver’s license numbers, prescriptions, treatment locations, treatment dates, and progress notes. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA took steps to secure the storage account and launched an investigation. The CE worked with the BA to confirm that the security researcher deleted all of the downloaded information. The CE offered one year of free credit monitoring and identity restoration services to all affected individuals. OCR reviewed the BA agreement between the CE and the BA and obtained assurances that the CE and BA implemented the corrective actions noted above. Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 24, 2016","Dr. Dennis T. Myers, D.D.S., P.A.","","Missouri","HACK","MED","3,364","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "October 26, 2016","Anthem, Inc.","","Indiana","DISC","MED","3,525","The covered entity’s (CE) employee emailed protected health information (PHI) to himself, claiming it was for commission reconciliation purposes. The CE ensured that all the PHI was deleted from the employee’s home computer and smart phones. The employee resigned from the company, and attested that all PHI was deleted from his devices. The CE provided breach notification to HHS, affected individuals, and the media and substitute notice was posted on the CE's websites on October 29, 2016, and will remain posted through January 27, 2017. 
To prevent a similar breach from happening in the future, the CE retrained its Medicare sales workforce, took steps to ensure that the former employee can no longer work or sell the CE's products, and changed its commission statement to reflect only the minimum necessary PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 4, 2016","Kinetorehab Physical Therapy, PLLC","","New York","PHYS","MED","665","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 4, 2016","Wal-Mart Stores, Inc","","Arkansas","DISC","MED","771","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 6, 2016","Kaiser Foundation Health Plan of the Northwest","","Oregon","DISC","MED","544","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 6, 2016","Kaiser Foundation Healthplan, Inc. 
of Southern California","","California","DISC","MED","3,044","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 7, 2016","Kaiser Permanente Health Plan, Inc of Northern California","","California","DISC","MED","4,432","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 7, 2016","HP Enterprise Services, LLC","","Texas","PHYS","MED","1,235","HP Enterprise Services, LLC, a business associate (BA) of the Indiana Family Social Services Administration, reported the theft of a laptop bag from an employee’s vehicle. The bag contained an encrypted laptop computer and an unsecured printed report which contained the protected health information (PHI) of 1,235 individuals. The PHI included demographic information. The BA provided breach notification to HHS, affected individuals, and the media and offered the affected individuals free credit monitoring services. Following the breach, the BA sanctioned the employee responsible for the breach in accordance with its sanction policy. As a result of OCR’s investigation, the BA updated its policies and procedures to prevent similar incidents. As a result of OCR's investigation, OCR provided technical assistance regarding breach notification requirements and the BA revised its breach notification template. 
Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 7, 2016","Austin Pulmonary Consultants","","Texas","PHYS","MED","889","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 8, 2016","VA Eastern Colorado Health Care System","","Colorado","DISC","MED","2,130","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 8, 2016","Consultants in Neurological Surgery, LLP","","Florida","DISC","MED","800","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 9, 2016","Lister Healthcare","","Alabama","PHYS","MED","1,349","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 9, 2016","Briar Hill Management","","Mississippi","PHYS","MED","2,000","The covered entity (CE), Briar Hill Management, discovered that an employee lost a laptop computer containing protected health information (PHI) in violation of the CE’s policy. The laptop contained the names, addresses, social security numbers, dates of birth, dates of service, prescription information, and services provided pertaining to 1,994 individuals. The CE provided breach notification to HHS, affected individuals, the media, and on its website. It also notified local police. 
In response to the breach, the CE sanctioned the involved employee. As a result of OCR’s investigation, the CE reviewed its security risks and implemented several new security measures, including providing additional training to employees, installing software that allows the CE to track and remove data from devices remotely, and encrypting all mobile devices. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","32.354668","-89.398528" "November 10, 2016","Best Health Physical Therapy, LLC ","","Connecticut","DISC","MED","1,100","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 10, 2016","Vascular Surgical Associates","","Georgia","HACK","MED","36,496","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 14, 2016","Lebanon Cardiology Associates, PC","","Pennsylvania","DISC","MED","537","A business associate (BA), Ambucor Health Solutions, for the covered entity (CE), Lebanon Cardiology Associates, reported a breach by a rogue employee. The CE and BA both reported the breach to HHS. The BA's employee, who is now incarcerated on unrelated matters, downloaded protected health information (PHI) onto two portable computer drives (i.e., ""thumb"" drives) which have been recovered. 
The types of PHI that were involved varied by patient, but may have included the first and last names, phone numbers, diagnoses, medications, dates of birth, race, home addresses, testing data, patient identification numbers, and medical device information of 537 of the CE’s patients. In addition, the thumb drives contained the social security numbers of about 650 patients of several covered entities with PHI that was also affected by the same breach incident. OCR reviewed a copy of the signed BA agreement between the BA and the CE. OCR confirmed that breach notification letters were mailed to affected individuals on June 27, 2016. This investigation has been consolidated into an existing review filed by the BA to ensure that all the requirements under the Breach Notification Rule have been met. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 16, 2016","Vision Care Florida, LLC","","Florida","DISC","MED","7,500","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 16, 2016","The Biomechanics LLC","","Arizona","HACK","MED","1,049","A security researcher accessed the covered entity's electronic protected health information (ePHI) due to a vulnerability in a business associate's (BA) data storage system. The researcher reportedly did not intend to use or disclose the information. The breach affected 1,049 individuals, and the information involved in the breach included names, addresses, birthdates, driver's license numbers, social security numbers, and clinical information such as diagnoses, lab results, and medications. 
The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA returned the ePHI to the covered entity. The BA was closing its business at the time of the breach and is now out of business. OCR obtained a copy of the CE's BA agreement with this BA. As a result of OCR’s investigation the CE increased its awareness of its responsibilities with respect to its BAs. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 17, 2016","Watsonville Chiropractic, Inc.","","California","DISC","MED","829","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 17, 2016","Luque Chiropractic, Inc. ","","California","DISC","MED","1,341","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 18, 2016","Peachtree Orthopaedic Clinic","","Georgia","HACK","MED","531,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 18, 2016","Washington National Insurance Company","","Indiana","PHYS","MED","1,458","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 18, 2016","Pinellas County Board of County Commissioners","","Florida","DISC","MED","2,800","Location of breached information: Email Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 18, 2016","OptumHealth New Mexico","","Minnesota","PHYS","MED","2,006","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","46.729553","-94.685900" "November 21, 2016","North Texas Heart Center, P.A.","","Texas","PHYS","MED","4,210","OCR opened an investigation of the covered entity (CE), North Texas Heart Center, after it reported, on behalf of its business associate (BA), Ambucor, that law enforcement discovered mobile computer drives containing the electronic protected health information (ePHI) of 4,210 individuals in connection with the activities of a former employee. The ePHI included patients’ names, dates of birth, addresses, social security numbers, laboratory results, and other treatment information. Upon discovering the breach, the BA worked with federal law enforcement to recover the mobile devices. OCR obtained a draft copy of the BA's breach notification to individuals and the media. The BA offered one year of free credit monitoring services to affected individuals. OCR initiated a separate investigation of the BA. 
Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "November 21, 2016","Camas Center Clinic, Kalispel Tribe of Indians ","","Washington","DISC","MED","504","Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","47.751074","-120.740139" "November 22, 2016","Stony Brook Internists, University Faculty Practice Corporation (UFPC)","","New York","PHYS","MED","1,878","On May 19, 2016 the business associate (BA), Ambucor Health Solutions, notified the covered entity (CE), Stony Brook Internists, University Faculty Practice Corporation (a member of the Stony Brook Organized Health Care Arrangement), of an investigation into possible breach activities by a former employee affecting the protected health information (PHI) of 55 of the CE’s patients, including demographic and clinical information. On November 18, 2016 the BA notified the CE that an additional 1,823 patients were affected by the breach. The CE and BA both provided breach notification to HHS. The investigation of this breach has been consolidated into an existing review of the BA. As of this submission, the BA has not reported misuse of the breached PHI. OCR obtained and reviewed a copy of the BA agreement between this CE and BA. 
Location of breached information: Email, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712784","-74.005941" "November 22, 2016","UnitedHealth Group Single Affiliated Covered Entity","","Minnesota","DISC","MED","1,408","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","46.729553","-94.685900" "November 22, 2016","Emblem Health - GHI","","New York","DISC","MED","81,122","Location of breached information: Network Server, Other, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712775","-74.005973" "November 22, 2016","LCS Westminster Partnership IV, LLP d/b/a Sagewood","","Arizona","HACK","MED","863","Location of breached information: Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 23, 2016","Berkshire Medical Center","","Massachusetts","DISC","MED","1,745","A former employee of a business associate (BA), Ambucor Health Solutions, stole the protected health information (PHI) of the covered entity's (CE) patients that was contained in a mobile computer drive. The types of PHI involved in the breach included clinical and demographic information such as patients' names, dates of birth, diagnoses, and treatment, and affected 1,745 individuals. OCR reviewed the CE's BA agreement and determined that it is in compliance with the Privacy Rule. OCR obtained assurances that individuals affected by this breach were notified in accordance with the Breach Notification Rule. 
Location of breached information: Email, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 23, 2016","Akron General Medical Center","","Ohio","DISC","MED","730","The business associate (BA), Ambucor Health Solutions, filed a separate breach report for an incident also reported by this covered entity, (CE), Akron General Medical Center. OCR obtained a copy of the BA agreement between this CE and BA and a copy of the breach notification letter sent to the affected individuals. This case has been consolidated into the other review of the BA. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 23, 2016","New Mexico Heart Institute","","New Mexico","DISC","MED","4,185","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 28, 2016","Aetna Inc.","","Connecticut","PHYS","MED","18,854","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.603221","-73.087749" "November 28, 2016","Young Adult Institute, Inc.","","New York","PHYS","MED","913","The covered entity's (CE) former Chief Information Officer instructed a former Assistant IT Director to copy files containing the protected health information (PHI) of 913 clients onto a portable computer drive. Subsequently, the former CIO took the drive with him to his new employer after he was terminated. 
The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, Medicaid numbers and diagnoses. The CE provided breach notification to HHS, the affected individuals, and the media. As a result of OCR’s investigation, the CE revised its procedures with respect to assigning an approval process for access to removable media. In addition, the CE conducted a risk analysis and established a risk management plan to manage and reduce the risks identified in the risk analysis, including, but not limited to, access to removable drives. As a result of OCR's investigation it is expected to implement technical security measures to guard against unauthorized access to ePHI, and review and revise its policies and procedures and training materials regarding the Security Rule. Additionally, the CE is expected to execute HIPAA-compliant business associate agreements with all existing business associates by September 1, 2017. Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 28, 2016","CHI Franciscan Health Hospice-Tacoma ","","Washington","PHYS","MED","12,413","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 28, 2016","Glendale Adventist Medical Center","","California","DISC","MED","528","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 29, 2016","Managed Health Services","","Indiana","PHYS","MED","5,500","Location of breached information: Email, Laptop Business associate present: No ","US 
Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "November 30, 2016","Louisiana Health Cooperative, Inc. in Rehabilitation","","Louisiana","HACK","MED","8,000","OCR opened an investigation of the covered entity (CE), Louisiana Health Cooperative, Inc., after it reported a breach involving its business associate (BA), Summit Reinsurance Services, Inc. The BA discovered ransomware on a server containing the unencrypted electronic protected health information (ePHI) of approximately 8,000 members of the CE. The ePHI included social security numbers, insurance and treatment information, and other demographic information. Upon discovery of the breach, the BA initiated an investigation to determine the nature and extent of the attack as well as to assess the system vulnerabilities. The CE provided breach notification to HHS and posted substitute notice on its website. The BA provided breach notification to the affected individuals and the media. OCR verified that CE had a proper BA agreement in place, which restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","30.984298","-91.962333" "November 30, 2016","Seguin Dermatology, Office of Robert J. 
Magnon, MD","","Texas","HACK","MED","29,969","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","31.968599","-99.901813" "December 1, 2016","Advanced Fertility Center of Chicago","","Illinois","HACK","MED","19,000","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.633125","-89.398528" "December 2, 2016","Washington Health System","","Pennsylvania","PHYS","MED","544","Washington Health System Greene Home care reported that on September 27, 2016, an employee emailed a patient census list to her personal home email account and provided that information to another home health agency, Harmony Home Care (HHC). The list contained the names and addresses of approximately 544 homecare patients. Following the breach, the CE immediately sent Attestations of Destruction and Return of Patient Information letters to HHC and the former employee. The CEO of HHC signed the attestation and returned the patient list indicating that 182 letters were returned as undeliverable. The former employee indicated that she had no copies of the patient list and did not send the list to anyone else. The CE closed operations on October 30, 2016. The CE provided breach notification to 530 affected individuals and to HHS. The CE also filed reports with both the Pennsylvania State Police and the Department of Health. OCR obtained assurances that the CE implemented the corrective actions listed. 
Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.203322","-77.194525" "December 5, 2016","CVS Health","","Rhode Island","PHYS","MED","626","An individual broke into a CVS Pharmacy in Whiteville, NC during Hurricane Matthew. The thief stole 626 individuals' completed prescriptions. The types of PHI on the prescriptions included names, partial birthdates, addresses, medication names and doses, providers' names, and prescription numbers. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE assessed the damage and secured the store to prevent any other unauthorized access. OCR reviewed the CE's policies and procedures on uses and disclosure of PHI and safeguarding PHI, and determined that they were in compliance with the Privacy Rule. OCR obtained assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","41.580095","-71.477429" "December 5, 2016","Meigs County EMS","","Ohio","HACK","MED","817","Location of breached information: Desktop Computer, Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 5, 2016","Dr. Melissa D. 
Selke","","New Jersey","HACK","MED","4,277","Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 7, 2016","Preventice Services, LLC","","Texas","DISC","MED","6,800","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 8, 2016","Black Hawk College","","Illinois","HACK","MED","1,000","A computer server for the covered entity’s (CE) reinsurer was infected with ransomware from March 12 to August 8, 2016, making protected health information (PHI) accessible. The PHI included the names, addresses, dates of birth, Social Security numbers, and clinical data pertaining to approximately 1,000 individuals. The CE submitted a breach report to HHS out of caution even though the reinsurer was not a business associate (BA). The CE provided evidence that a BA was not necessary and the disclosures were permitted under HIPAA for health care operations purposes. The reinsurer provided breach notification to the affected individuals and the CE sent notice to the media and posted a substitute notice on its website. The CE also retrained staff and reviewed its BA agreements and its HIPAA policies and procedures. OCR obtained documentation that the CE implemented the actions listed above. 
Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 10, 2016","Appalachian Gastroenterology, P.A.","","North Carolina","HACK","MED","11,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 11, 2016","Charles Stamitoles","","Florida","PHYS","MED","5,600","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 12, 2016","Quest Diagnostics","","New Jersey","HACK","MED","34,055","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 14, 2016","Oak Cliff Orthopaedic Associates","","Texas","PHYS","MED","1,057","On October 17, 2016, the covered entity (CE), Oak Cliff Orthopaedic Associates, received a call from the local police stating that two boxes with protected health information (PHI) pertaining to its patients were recovered from a hotel located in Texas. The boxes contained patients’ demographic, financial, and clinical information. The CE filed a police report and retrieved the boxes from the police department the next day. On Dec. 9, 2016, the CE contracted with a third-party vendor to mail breach notification to the affected individuals. The CE completed media notification and offered the affected individuals one (1) year of free identity theft protection services. In addition, it set up a call center to assist individuals with questions. The CE also improved physical security. 
OCR provided technical assistance regarding business associates and obtained documented assurances that the CE implemented the corrective actions noted above. Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 15, 2016","East Valley Community Health Center, Inc.","","California","HACK","MED","65,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 16, 2016","Fairbanks Hospital","","Indiana","DISC","MED","12,994","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 16, 2016","Southcentral Foundation","","Alaska","HACK","MED","14,719","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 16, 2016","County of Los Angeles Departments of Health and Mental Health","","California","HACK","MED","749,017","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 19, 2016","Humana Inc. 
[case #HU16004F3]","","Kentucky","DISC","MED","3,674","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 19, 2016","Brodhead Dental Center","","Pennsylvania","HACK","MED","5,872","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 20, 2016","Alliant Health Plans, Inc.","","Georgia","HACK","MED","1,042","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 20, 2016","Desert Care Family and Sports Medicine","","Arizona","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 21, 2016","Henry County Health Department","","Ohio","PHYS","MED","574","Location of breached information: Electronic Medical Record, Email, Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 21, 2016","Community Health Plan of Washington","","Washington","HACK","MED","381,504","Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 22, 2016","ADVANTAGE Health Solutions","","Indiana","HACK","MED","2,387","Location of breached information: Network Server Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 22, 2016","Stephen J. Helvie, M.D.","","California","PHYS","MED","2,013","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","36.778261","-119.417932" "December 23, 2016","Waiting Room Solutions Limited Liability Limited Partnership","","New York","DISC","MED","700","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.712784","-74.005941" "December 23, 2016","Brandywine Pediatrics, P.A.","","Delaware","HACK","MED","26,873","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 27, 2016","Susan M Hughes Center","","New Jersey","HACK","MED","11,400","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 28, 2016","Maryland Medical Center/Dr. 
Morrill","","Maryland","HACK","MED","10,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 29, 2016","PrimeWest Health","","Minnesota","HACK","MED","2,441","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 29, 2016","PathGroup","","Tennessee","DISC","MED","1,443","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 30, 2016","Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates","","New Jersey","DISC","MED","55,700","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 30, 2016","State of New Hampshire, Department of Health and Human Services","","New Hampshire","HACK","MED","15,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "December 30, 2016","Bryan Myers, MD PC, Ashley DeWitt, DO PC, Michael Nobles, MD PC","","Tennessee","HACK","MED","13,150","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","40.760537","-73.978890" "January 3, 2017","MetroPlus Health Plan","","New York","DISC","MED","808","Location of 
breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.712775","-74.005973" "January 3, 2017","Community Health Plan of Washington","","Washington","HACK","MED","1,375","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "January 5, 2017","American Urgent Care Center, PSC","","Kentucky","PHYS","MED","822","The covered entity (CE), American Urgent Care Center, PSC, discovered that, upon her resignation, a former employee took an x-ray logbook on October 28, 2016. The log book contained the names and treatment dates of 822 individuals. Following the breach, the CE revised its policies and re-trained staff, including providers and management. The CE also revised its procedures to eliminate the use of the paper x-ray log book. As a result of technical assistance from OCR, the CE provided breach notification to HHS, to affected individuals, and in the local newspaper. OCR obtained assurances that the CE implemented the corrective actions listed above. Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "January 6, 2017","Complete Wellness","","Maryland","PHYS","MED","600","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.045755","-76.641271" "January 9, 2017","Office of Dr. 
David Elbaum","","California","PHYS","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "January 10, 2017","SSM Dean Medical Group","","Wisconsin","DISC","MED","4,800","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.784440","-88.787868" "January 11, 2017","Verity Medical Foundation","","California","HACK","MED","10,164","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "January 12, 2017","Escambia County Alabama Community Hospitals, Inc. D/B/A Atmore Community Hospital","","Alabama","DISC","MED","1,090","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.318231","-86.902298" "January 13, 2017","University of Maryland Orthopaedic Associates, P.A.","","Maryland","HACK","MED","1,320","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "January 16, 2017","St. 
Luke's Hospital","","North Dakota","HACK","MED","600","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","47.551493","-101.002012" "January 16, 2017","Sentara Healthcare","","Virginia","HACK","MED","5,454","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.431573","-78.656894" "January 19, 2017","TriHealth, Inc.","","Ohio","DISC","MED","1,126","Due to a technical error during a data conversion process, the covered entity (CE) sent correspondence to 1,126 patients’ incorrect addresses. The types of protected health information (PHI) involved in the breach varied based on the correspondence and may have included the full names, former addresses, birthdates, claims information, diagnoses/conditions, lab results, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff, corrected addresses, and developed a plan to implement additional safeguards for data conversions. OCR obtained documented assurances that the CE implemented the corrective actions noted above. 
Location of breached information: Network Server, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "January 20, 2017","Associated Catholic Charities Incorporated","","Maryland","DISC","MED","1,145","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.045755","-76.641271" "January 20, 2017","Covenant Medical Center, Inc.","","Michigan","DISC","MED","6,197","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.314844","-85.602364" "January 20, 2017","Multnomah County","","Oregon","DISC","MED","1,700","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.804133","-120.554201" "January 23, 2017","Stephenville Medical & Surgical Clinic","","Texas","DISC","MED","75,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "January 24, 2017","Roper St. 
Francis Healthcare","","South Carolina","PHYS","MED","576","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","33.836081","-81.163725" "January 26, 2017","MultiCare Health System ","","Washington","HACK","MED","1,249","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","47.751074","-120.740139" "January 26, 2017","THE R.O.A.D.S. Foundation Inc. DBA R.O.A.D.S. Community Care Clinic","","California","PHYS","MED","670","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "January 27, 2017","Princeton Pain Management","","New Jersey","HACK","MED","4,668","Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.058324","-74.405661" "January 27, 2017","Synergy Specialists Medical Group, Inc / Jay S. 
Berenter, DPM","","California","HACK","MED","569","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "January 27, 2017","Shiel Sexton","","Indiana","DISC","MED","710","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "January 27, 2017","WellCare Health Plans, Inc.","","Florida","HACK","MED","24,809","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "January 31, 2017","Vertiv Co. Health & Welfare Plan","","Ohio","DISC","MED","955","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "January 31, 2017","The Affiliated Sante Group","","Maryland","DISC","MED","550","Location of breached information: Electronic Medical Record Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.045755","-76.641271" "February 2, 2017","Catalina Post-Acute Care and Rehabilitation","","Arizona","PHYS","MED","2,953","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "February 3, 2017","Family Medicine East, Chartered","","Kansas","PHYS","MED","6,800","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "February 3, 2017","Walgreen Co.","","Illinois","DISC","MED","4,500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.633125","-89.398528" "February 9, 2017","Medical Information Management Systems, LLC","","Florida","HACK","MED","11,707","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "February 9, 2017","Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service","","Arizona","DISC","MED","500","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "February 10, 2017","Benesch, Friedlander, Coplan & Aronoff LLP ","","Ohio","PHYS","MED","1,134","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "February 13, 2017","St. 
Joseph's Hospital and Medical Center","","Arizona","DISC","MED","623","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "February 13, 2017","2020 On-Site Optometry","","Massachusetts","HACK","MED","15,400","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","42.407211","-71.382437" "February 16, 2017","Hillsborough County Aging Services Department","","Florida","PHYS","MED","650","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "February 17, 2017","Robert E Torti, MD, PA dba Retina Specialists","","Texas","PHYS","MED","887","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "February 17, 2017","Family Service Rochester","","Minnesota","HACK","MED","17,037","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","46.729553","-94.685900" "February 17, 2017","Emblem Health - GHI","","New York","DISC","MED","703","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.712775","-74.005973" "February 19, 2017","Chadron Community Hospital & Health Services","","Nebraska","DISC","MED","702","Location of breached information: Electronic Medical Record Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.492537","-99.901813" "February 23, 2017","Syed Ahmed, MD PA","","Texas","PHYS","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "February 23, 2017","Allina Health System","","Minnesota","PHYS","MED","776","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","46.729553","-94.685900" "February 23, 2017","North Carolina Department of Health and Human Services","","North Carolina","DISC","MED","12,731","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.759573","-79.019300" "February 24, 2017","West Virginia University Hospitals-East, Inc. DBA University Healthcare","","West Virginia","PHYS","MED","7,445","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","38.597626","-80.454903" "February 28, 2017","Leo Edwards, Jr., M.D. 
","","Texas","HACK","MED","19,564","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "February 28, 2017","Sharp Memorial Hospital","","California","PHYS","MED","754","Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "March 1, 2017","VA St. Louis Health Care System","","Missouri","DISC","MED","724","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "March 1, 2017","Memphis VA Medical Center","","Tennessee","DISC","MED","687","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "March 1, 2017","Commonwealth Health Corporation","","Kentucky","PHYS","MED","697,800","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "March 2, 2017","VisionQuest Eyecare","","Indiana","HACK","MED","85,995","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.267194","-86.134902" "March 3, 2017","Saliba's Extended Care Pharmacy","","Arizona","DISC","MED","6,599","Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "March 6, 2017","American Home Patient","","Tennessee","PHYS","MED","13,861","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "March 8, 2017","CVS Health","","Rhode Island","PHYS","MED","724","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.580095","-71.477429" "March 9, 2017","Primary Care Specialists, Inc.","","Tennessee","HACK","MED","65,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "March 9, 2017","St. Louis Children's Hospital","","Missouri","DISC","MED","643","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "March 13, 2017","Local 693 Plumbers & Pipefitters Health & Welfare Fund","","Vermont","PHYS","MED","1,291","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.558803","-72.577842" "March 16, 2017","Estill County Chiropractic, PLLC","","Kentucky","HACK","MED","5,335","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "March 16, 2017","St. 
Charles Health System","","Oregon","DISC","MED","2,459","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.804133","-120.554201" "March 17, 2017","Houston Methodist Hospital","","Texas","DISC","MED","1,417","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "March 17, 2017","Rocky Mountain Health Maintenance Organization, Inc.","","Colorado","DISC","MED","1,320","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.550051","-105.782067" "March 20, 2017","Highland Rivers Community Service Board","","Georgia","DISC","MED","967","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "March 20, 2017","UNC Health Care","","North Carolina","DISC","MED","1,298","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.759573","-79.019300" "March 22, 2017","Urology Austin, PLLC","","Texas","HACK","MED","279,663","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "March 23, 2017","Hospice of North Central Ohio","","Ohio","DISC","MED","1,051","Location of breached information: Other Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "March 23, 2017","Specialty Dental Partners of Philadelphia, PLLC.- DBA Rich Orthodontics","","Pennsylvania","PHYS","MED","960","Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.203322","-77.194525" "March 23, 2017","WellSpan Health","","Pennsylvania","DISC","MED","732","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.203322","-77.194525" "March 25, 2017","Washington University School of Medicine","","Missouri","HACK","MED","80,270","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "March 25, 2017","Lane Community College Health Clinic","","Oregon","HACK","MED","1,911","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.804133","-120.554201" "March 26, 2017","ABCD Pediatrics, P.A.","San Antonio","Texas","HACK","MED","55,447","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","29.424122","-98.493628" "March 31, 2017","Women's Care of Somerset","","Kentucky","DISC","MED","1,806","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "March 31, 2017","Skin Cancer Specialists, 
P.C.","","Georgia","HACK","MED","3,365","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.165622","-82.900075" "March 31, 2017","Apex EDI, Inc.","","Utah","HACK","MED","1,132","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.320980","-111.093731" "April 3, 2017","Memorial Healthcare","","Michigan","DISC","MED","685","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.314844","-85.602364" "April 4, 2017","Ashland Women's Health","","Kentucky","HACK","MED","19,727","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "April 4, 2017","University of Oklahoma, OU Physicians","","Oklahoma","DISC","MED","1,637","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "April 4, 2017","Carson Valley Medical Center","","Nevada","DISC","MED","11,368","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","38.802610","-116.419389" "April 7, 2017","Cardiology Center of Acadiana","","Louisiana","HACK","MED","9,681","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","30.984298","-91.962333" "April 11, 2017","Amedisys West Virginia, LLC","","West Virginia","PHYS","MED","611","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","38.597626","-80.454903" "April 12, 2017","Eyecare Services Partners Management, LLC","","Texas","DISC","MED","9,129","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "April 13, 2017","Area Agency of Aging 1-B","","Michigan","DISC","MED","1,741","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.314844","-85.602364" "April 14, 2017","MVP Health Care, Inc.","","New York","DISC","MED","951","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "April 14, 2017","Western Health Screening","","Montana","PHYS","MED","15,326","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","46.879682","-110.362566" "April 18, 2017","Humana Inc [case # HU17001CC]","","Kentucky","HACK","MED","3,831","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.839333","-84.270018" "April 19, 2017","Valley Women's Health, S.C.","","Illinois","HACK","MED","5,155","Location of breached 
information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.633125","-89.398528" "April 21, 2017","Behavioral Health Center","","Maine","HACK","MED","4,229","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","45.253783","-69.445469" "April 21, 2017","Lifespan Corporation","","Rhode Island","PHYS","MED","20,431","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.580095","-71.477429" "April 21, 2017","Iowa Veterans Home","","Iowa","DISC","MED","2,969","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.878003","-93.097702" "April 21, 2017","Atlantic Digestive Specialists ","","New Hampshire","HACK","MED","2,081","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.193852","-71.572395" "April 26, 2017","Memorial Hospital Clinic South","","Texas","HACK","MED","842","Memorial Hospital Clinic South reported a breach when computer malware (i.e., ransomware) was found on its network server. This breach affected the protected health information (PHI) of 842 individuals, and included clinical and demographic information. The specific types of PHI involved in the breach included addresses, birthdates, driver's license numbers, names, social security numbers, diagnoses/conditions, lab results, medications, and other treatment information. 
This review has been consolidated with another review of this covered entity. Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","31.968599","-99.901813" "April 28, 2017","Spine Specialist","","New Jersey","PHYS","MED","600","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.058324","-74.405661" "April 28, 2017","Harrisburg Gastroenterology Ltd","","Pennsylvania","HACK","MED","93,323","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.203322","-77.194525" "April 28, 2017","Diamond Institute for Fertility and Menopause, LLC","","New Jersey","HACK","MED","14,633","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.058324","-74.405661" "April 28, 2017","Michagan Facial Aesthetic Surgeons d/b/a University Physician Group","","Michigan","PHYS","MED","3,467","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "May 2, 2017","Nova Southeastern University","","Florida","PHYS","MED","1,086","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "May 2, 2017","Capital Nephrology","","Maryland","HACK","MED","4,000","Location of breached 
information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.045755","-76.641271" "May 4, 2017","LSU Healthcare Network","","Louisiana","PHYS","MED","2,200","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","30.984298","-91.962333" "May 4, 2017","AeroCare Holdings","","Florida","DISC","MED","860","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "May 4, 2017","Mecklenburg County, North Carolina","","North Carolina","DISC","MED","2,000","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.759573","-79.019300" "May 5, 2017","Clinton County Board of Developmental Disabilities","","Ohio","HACK","MED","1,243","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "May 5, 2017","Jones Family Practice, P.A.","","North Carolina","DISC","MED","742","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.759573","-79.019300" "May 9, 2017","New York City Health and Hospitals Corporation - Coney Island Hospital","","New York","DISC","MED","3,494","Location of breached information: Other, Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.712784","-74.005941" "May 12, 2017","Walnut Place","","Texas","HACK","MED","5,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "May 19, 2017","Vine","Stamford","Connecticut","DISC","BSO","0","""Twitter is alerting Vine users of a bug that exposed their email addresses and, in some cases, phone numbers to third parties. It’s also advising affected users to be cautious about any emails from unknown senders as a result. The company says the bug was only active for 24 hours before being patched, and doesn’t believe that the data was misused in any way, at this time. To be clear, Twitter was not hacked nor is this considered a data breach – instead, the email address or phone number the company had on file for some Vine users was only available under certain circumstances, the company says. The company declined to officially comment on the specifics of how the bug was discovered or how it may have been seen by third parties, but we understand that this data was not published on the Vine archive website where anyone on the public internet could have seen it. 
Instead, if anyone was to have seen the data at the time of exposure, they would have had to do so through a more technical means – such as using an API to pull the information. Twitter is only alerting users out of a desire to be transparent in disclosing the vulnerability, not because they believe that anyone actually captured the user data or misused it in any way.""","Media","https://techcrunch.com/2017/05/19/twitter-says-vine-users-emails-and-phone-numbers-were-exposed-for-a-day-but-werent-misused/","2017","41.042321","-73.562486" "May 23, 2017","Florida Department of Agriculture","Jacksonville","Florida","HACK","GOV","16,659","""The names of thousands of concealed carry permit holders in Florida may have been leaked as the result of a recent data breach, state officials said. An online payment system utilized by the Florida Department of Agriculture and Consumer Services (FDACS) was compromised about two weeks ago, the office acknowledged Monday, in turn exposing the Social Security numbers of 469 customers as well as the names of 16,190 concealed weapon licensees. The breach appears to have originated overseas and is currently the subject of an investigation undertaken by the Florida Department of Law Enforcement, FDACS said in a statement. No financial information was obtained in the breach, and any additional records possibly compromised were already publicly available and pose “no risk of identity theft,” the announcement said. “The social security numbers that may have been obtained had been entered in an online field where either a social security number or Federal Employer Identification Number could be entered,” the statement said. “In 2009, the department began only to request a FEIN in this field and stopped the prior practice of requesting either a Social Security number or FEIN. “Only concealed weapon licensees who renewed online may have had their names accessed,” the announcement continued. 
“The department’s Office of Inspector General determined that there is no risk of identity theft to these licensees.”","Media","http://www.washingtontimes.com/news/2017/may/23/concealed-weapons-permit-holders-exposed-data-brea/","2017","30.332184","-81.655651" "January 11, 2016","Blucora (TaxAct)","Cedar Rapids","Iowa","HACK","BSF","0","""Fighting tax-related identity theft is a high priority for TaxAct. We have been working diligently with the IRS, state regulators and other tax software providers to identify new security measures we can use to deter such fraudulent activity. As part of that ongoing process, we recently discovered suspicious activity related to your TaxAct account. We have concluded that an unauthorized third party accessed your TaxAct account between November 10 and December 4, 2015. We have no evidence that any TaxAct system has been compromised and believe the third party used username and password combinations obtained from sources outside of our own system.   In order to stop this unauthorized access, we have temporarily disabled your account. What information was involved? In addition to your username and password, we have reviewed our website logs for account activity after this attempted access, and found that the tax return(s) stored in your account may have been opened or printed. These documents may contain your name and Social Security number, and may also contain your address, driver’s license number, and bank account information.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Blucora%20(Tax%20Act)%20Notice%20to%20Consumers.pdf","2016","42.037549","-91.657429" "January 13, 2016","JB Autosports.com","Des Moines","Iowa","HACK","BSO","0","""You are a valued customer of JB Autosports, Inc., which is why you are receiving this notice about a security breach at http://subispeed.com and http://ft86speedfactory.com (“the websites”) that may have affected your personal information.   
From approximately August 1, 2015 through November 9, 2015, the websites’ checkout page where customers input their payment information to purchase products from JB Autosports was the target of a cyberattack originating from a Russian IP address. The breach affected customers who used Visa, MasterCard, Discover, and American Express branded cards to pay for their purchases from the websites. The breach allowed cyberattackers to intercept customer names, addresses, credit card numbers, credit card expiration dates, CID numbers, CAV2 numbers, CVC2 numbers, and CVV2 numbers (“Customer Information”). The Customer Information was intercepted after it was entered on the checkout page as it was being transmitted to PayPal for processing. JB Autosports’ policy is to not store customer credit card information.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/JB%20Autosports%20Notice%20to%20Consumers.pdf","2016","41.609761","-93.617782" "January 13, 2016","HSBC SBN","Depew","New York","DISC","BSF","0","""We recently became aware of an incident in which HSBC's mortgage servicing provider sent encrypted and password protected disks, which inadvertently included some of your personal information, to an unauthorized commercial third party (a firm that performs financial analytics). The information was sent between December 7, 2015 and December 8, 2015.  Upon review of some of the data, the third party realized the disks included more information than requested and returned all the disks to the mortgage servicing provider.  While the third party has attested that HSBC customer data was not loaded, accessed, or viewed by their personnel, HSBC is notifying you out of an abundance of caution.  The security of your information is very important to us and HSBC takes this matter very seriously.  
HSBC has received assurance from our mortgage servicing provider that they have made changes to their processes to avoid future incidents. The information on the disks included your name, mailing and property address, Social Security Number, mortgage account number, deposit account numbers, payment history details, demographic data and other information required to service your mortgage.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/HSBC%20SBN%20to%20Consumers.pdf","2016","42.909337","-78.727082" "May 17, 2017","Sabre Corporation","Southlake","Texas","HACK","BSO","0","""Breaches involving major players in the hospitality industry continue to pile up. Today, travel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments. In a quarterly filing with the U.S. Securities and Exchange Commission (SEC) today, Southlake, Texas-based Sabre said it was “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system, described as an inventory management Software-as-a-Service (SaaS) application that “enables hoteliers to support a multitude of rate, inventory and distribution strategies to achieve their business goals.”","Krebs On Security","https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/","2017","32.982529","-97.160795" "May 26, 2017","The Arizona Department of Health Services","Phoenix","Arizona","PHYS","MED","2,500","""State health officials have warned 2,500 individuals and families with newborns that a box containing sensitive health, financial and personal information has been lost in the 
mail. The Arizona Department of Health Services said its newborn-screening program gathered the information for billing purposes. The misplaced records may include health information for children tested in the program and their mothers, as well as their addresses, birth dates, health-insurance records, names, phone numbers and Social Security numbers. ADHS said families whose records are affected will be mailed notices of the possible data breach. The state said those families should monitor for fraud alerts that signal improper use of their personal information. State officials added that there's no evidence that unauthorized people have accessed the records — they just don't know where the records currently are located. On April 20, two parcels holding billing records that contained ""protected health information"" were mailed to the state's billing contractor, Midwest Medical Practice Management of Carbondale, Illinois. The records were mailed to allow the out-of-state vendor to bill for newborn-screening services performed by ADHS. Both parcels were sent via the U.S. Postal Service, but only one arrived. According to a statement released by ADHS, a tracking website showed the parcel reached a Postal Service facility in Phoenix on the night of April 20. Two days later, the tracking website indicated that the parcel was ""(i)n (t)ransit to (d)estination"" — a status that hasn't changed since April 22."" ","Media","http://www.azcentral.com/story/news/local/arizona/2017/05/27/department-health-data-breach-newborn-screening/350682001/","2017","33.449974","-112.099034" "May 17, 2017","MolinaHealthcare.com","Long Beach","California","DISC","MED","0","""Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group that let anyone who was logged in to the site view all other patient records. 
In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication. In April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims. More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address (e.g., claimID=123456789). In other words, having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims. The source showed me screenshots of his medical records at Molina, and how when he changed a single number in the URL it happily displayed another patient’s records. The records did not appear to include Social Security numbers, but they do include patient names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications. I contacted Molina about the issue, and the company released a brief statement saying it had fixed the problem. Molina also said it was trying to figure out how such a mistake was made, and if there was any evidence to suggest the Web site bug had been widely abused. “The previously identified security issue has been remediated,” the company said. 
“Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security. Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”","Krebs On Security","https://krebsonsecurity.com/2017/05/molinahealthcare-com-exposed-patient-records/","2017","33.770050","-118.193740" "May 23, 2017","Cameron County","Brownsville","Texas","DISC","GOV","0","""The personal information of tens of thousands of Rio Grande Valley residents were put at risk, as estimated in a CHANNEL 5 NEWS investigation of a computer server found at a local flea market. Tens of thousands of names, addresses and Social Security numbers were contained on files accessed without the need of a password. The server once belonged to Cameron County. CHANNEL 5 NEWS obtained the server from an anonymous source, who described himself as a hacker. He said he found the treasure of information at the 77 Flea Market in Brownsville. “I knew exactly what it was… I knew exactly what I had from the moment I saw it,” he said. “I saw this and I thought, you know, ‘This is a major security flaw.’” The man said he knew the server was still accessible, because all six of its hard drives were still installed. However, he didn’t know at that point what was in it or how easy it would be to break into it. CHANNEL 5 NEWS Chief Engineer Michael Leal evaluated how to get into the 15-year-old server. He loaded a small version of Windows allowing him to see the file system without inputting a password. “Right now, I can see everything on this computer. It’s as though I logged on with Windows and everything’s available to me,” he said. After accessing the file system, Leal said he discovered a law enforcement database easily accessible.  
The database contained hundreds, if not thousands, of case files.""","Media","http://www.krgv.com/story/35502088/investigation-your-life-for-sale","2017","25.901747","-97.497484" "May 27, 2017","Augusta University and Augusta University Medical Center","Augusta","Georgia","HACK","MED","0","""Augusta University says a phishing attack hit faculty email accounts containing the health information of patients. A spokesperson for A-U confirms less than one percent of patients are impacted by the security breach.  Officials say an unauthorized third party broke into the medical faculty email accounts. The breach happened between September 7th and September 9th of last year. In addition to patients’ full names, the e-mail accounts may have contained any of the following patient information: home address, date of birth, Social Security number, financial account information, medical record number, insurance information. Forensics investigators cannot say for sure if any patient information was shared or downloaded. Augusta University says it sent letters to all patients whose information is at risk. FOX54s calls for additional information have not been returned yet.""","Media","http://www.wfxg.com/story/35533360/investigation-into-phishing-attack-at-augusta-university","2017","33.473498","-82.010515" "May 29, 2017","Mallard Creek High School","Charlotte ","North Carolina","PHYS","EDU","0","""A Channel 9 viewer said she warned Charlotte-Mecklenburg Schools’ officials after finding documents with students’ names, addresses and other personal information blowing in the wind. But when Channel 9 arrived to the area near Johnston-Oehler Road in north Charlotte, the documents were still there. 
The unshredded documents are from Mallard Creek High School and contained disciplinary actions and names of students. One woman, who didn't want to be identified, found the papers Friday morning and was shocked. ""My biggest concern was someone stealing a child's information and someone targeting that child,"" she said. ""I was reading parents' information, notes from kids who were bringing doctor's notes to school.""","Media","http://www.wsoctv.com/news/local/documents-with-cms-students-senstive-information-found-blowing-in-wind/526986136","2017","35.227087","-80.843127" "June 1, 2017","OneLogin","San Francisco","California","HACK","BSO","0","""Password manager and single sign-on provider OneLogin has been hacked, the company has confirmed. In a brief blog post, the company's chief security officer Alvaro Hoyos said that it had ""detected unauthorized access to OneLogin data in our The blog post had no further information or technical details about the incident -- though, the post omitted that hackers had stolen sensitive customer data, which was only cursorily mentioned in an email to customers, seen by ZDNet. ""OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised,"" the email read. Hackers have ""the ability to decrypt encrypted data,"" says a support page, accessible only to OneLogin customers (a copy of the post was published online). The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens -- used for logging into accounts -- as well as to create new security certificates. 
The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted. But questions remain over how the hackers had access to data that could be decrypted in the first place.""","Media","http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/","2017","37.774930","-122.419416" "June 5, 2017","Dr. Zain Kadri","Beverly Hills","California","INSD","MED","15,000","""The theft of confidential files from a prominent Beverly Hills surgeon could affect the privacy and financial security of as many as 15,000 patients, according to a spokesman for the doctor and law enforcement officials. A statement issued by Dr. Zain Kadri’s office said a former staff member “stole credit card information, debit card information, IDs, copies of checks, usernames, passwords” and photographed patients before and during surgery. A spokesman for Kadri’s office, who declined to be identified, said the theft might affect patients in at least 17 states and seven countries outside the United States. “Despite having only recently being discovered, the breach, which affects thousands of patients, started shortly after the ... staffer was hired in September of 2016,” the statement read. A Palmdale residence belonging to Kadri was also burglarized May 5, according to a statement issued Thursday by the Los Angeles County Sheriff’s Department. Patient files, medical supplies and electronic devices were stolen, authorities said. Kadri’s spokesman described the residence as an “administrative office” the surgeon uses when performing procedures in a Palmdale office. “Nobody knows it’s there except for us. It’s our registered address for all business documents,” the spokesman said. Though Kadri said in the statement that he believes the break-in was carried out by the same employee, the Sheriff’s Department said there were no witnesses. 
Investigators want to question the ex-employee, who has not yet been detained, according to the department statement. Calls to the Palmdale Sheriff’s Station on Friday seeking additional comment were not immediately returned. Kadri’s office also learned recently that an Instagram account was created to host what are believed to be illegal recordings of patients during surgery. The account, which contains videos of procedures and pictures of patients, published its earliest post in January. “These patients did not approve this,” the spokesman said. “We did not approve this.” The employee was hired as a driver for Kadri in September 2016, and over time she began to take on additional duties. She quit in March of this year after Kadri and his staff accused her of embezzling from the company, the spokesman said.""","Media","http://enewspaper.latimes.com/infinity/article_popover_share.aspx?guid=0511a587-c9aa-4ea2-a331-64f54856baeb","2017","34.073620","-118.400356" "May 18, 2017","Kennewick General Hospital dba Trios Health","","Washington","DISC","MED","569","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","47.751074","-120.740139" "May 18, 2017","Neeley-Nemeth, LLP d/b/a Barton Oaks Dental Group","","Texas","HACK","MED","17,090","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "May 19, 2017","Children's Mercy Hospital","","Missouri","DISC","MED","5,511","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "May 24, 2017","D. 
Andrew Loomis MD, Paula Schulze MD,Tammara Stefanelli MD, Christen Vu DO, Anja Crider MD","","Washington","HACK","MED","9,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","47.751074","-120.740139" "May 26, 2017","Mississippi Division of Medicaid","","Mississippi","DISC","MED","5,220","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.354668","-89.398528" "May 30, 2017","N. Fred Eaglstein, D.O. d/b/a Dermatology and Laser Center","","Florida","DISC","MED","2,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "June 2, 2017","Game Stop","Grapevine","Texas","HACK","BSO","0","""GameStop recently identified and addressed a security incident that may have involved your payment card information.  We are providing this notice to inform you of the incident and to call your attention to some steps you can take to protect yourself.  At GameStop, we value our customers and understand the importance of protecting customer personal information.  We sincerely apologize for any inconvenience or concern this incident may cause. What Happened After receiving a report that data from payment cards used on www.GameStop.com may have been obtained by unauthorized individuals, we immediately began an investigation and hired a leading cybersecurity firm to assist us.  
Although the investigation did not identify evidence of unauthorized access to payment card data, we determined on April 18, 2017 that the potential for that to have occurred existed for certain transactions."" ","Security Breach Letter","","2017","32.902598","-97.087469" "June 19, 2017","Deep Root Analytics","Arlington","Virginia","DISC","BSO","198,000,000","""A Republican data analysis company called DeepRootAnalytics left exposed an online database containing the personal information of almost all of America's 200 million registered voters, the cyber security firm UpGuard has found. The data contained in the breach includes an unsettling amount of personal information, including voters' first and last names, birth dates, home and mailing addresses, phone numbers, registered party, self-reported racial demographic and voter registration status. A Deep Root spokesman confirmed the breach in an email to HuffPost, saying ""We take full responsibility for this situation."" The company added it is undertaking a full review of the lapse, which is believed to have begun June 1 and lasted through June 14. UpGuard Cyber Risk Analyst Chris Vickery, who found the files, notified federal authorities of the exposure. Deep Root said it believes only Vickery accessed the database during that time. Vickery was able to download 1.1 terabytes of “entirely unsecured” data, which uses 9.5 billion data points to describe 198 million potential U.S. voters’ likely political preferences across 48 different categories. 
Those categories span nearly every major political debate, including a voter’s likely stance on abortion, gun control, stem cell research and environmental issues. The exposure of such personal data for so many voters is the largest breach of its sort.""","Media","http://www.huffingtonpost.com/entry/deep-root-analytics-gop-data-breach-voters_us_59402d52e4b09ad4fbe396c5","2017","38.879970","-77.106770" "June 20, 2017","The Buckle Inc.","Kearney","Nebraska","HACK","BSR","0","""The Buckle Inc., an apparel retailer that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer. The Buckle released a statement saying that point-of-sale malware was found installed on cash registers at the company’s retail stores, and that it believes the malware was stealing customer credit card data between Oct. 28, 2016 and April 14, 2017. The Buckle said purchases made on its online store were not affected.""","Media","http://www.mytotalretail.com/article/buckle-suffers-credit-card-breach/#.WUu_fLGIpLg.email","2017","40.700693","-99.113008" "June 14, 2017","Oklahoma University","Norman","Oklahoma","DISC","EDU","29,000","""The University of Oklahoma unintentionally exposed thousands of students’ educational records — including social security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law. The university scrambled to safeguard the files late Tuesday after learning The OU Daily had discovered the breach last week. 
The Daily spoke to vice president for admissions and records Matt Hamilton Tuesday afternoon, when he said OU IT was aware of the breach and was working to secure the files. OU press secretary Matt Epting provided the following statement late Tuesday night: “The IT Security team has found no evidence to confirm that there has been a breach by an outside party, and is investigating the scenario that enabled an individual to access the files the individual has claimed to download.” At no point did The Daily suggest there had been an outside breach, but rather that lax security measures allowed email users more access to educational records than should have been allowed. In just 30 of the hundreds of documents made publicly discoverable on Microsoft Office Delve, there were more than 29,000 instances in which students’ private information was made public to users within OU’s email system. Each instance could constitute a violation of the Family Educational Rights and Privacy Act, which gives students control over who can access their educational records.""","Media","http://oklahomawatch.org/2017/06/14/security-breach-at-ou-exposes-thousands-of-students-data/","2017","35.208504","-97.445681" "June 21, 2017","Miami Dade County School District","Miami","Florida","DISC","EDU","2","""Two former Miami-Dade students are suing the School Board after they found their Social Security numbers and test scores online along with the personal information of hundreds of other students. The plaintiffs did a basic online search of their names and discovered that the information was posted on the Miami-Dade school district’s website, according to the lawsuit. “The carelessness with how the district manages students’ private information needs to be addressed,” lawyer Stephanie Langer said in a statement. The students are asking for both monetary damages and an “overhaul” of school district policies on the protection of student information. 
""Read more here: http://www.miamiherald.com/news/local/education/article157361084.html#st...","Media","http://www.miamiherald.com/news/local/education/article157361084.html","2017","25.761680","-80.191790" "May 18, 2017","Kennewick General Hospital dba Trios Health","","Washington","DISC","MED","569","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","47.751074","-120.740139" "May 18, 2017","Neeley-Nemeth, LLP d/b/a Barton Oaks Dental Group","","Texas","HACK","MED","17,090","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "May 19, 2017","Children's Mercy Hospital","","Missouri","DISC","MED","5,511","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "May 24, 2017","D. 
Andrew Loomis MD, Paula Schulze MD,Tammara Stefanelli MD, Christen Vu DO, Anja Crider MD","","Washington","HACK","MED","9,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "May 25, 2017","UW Health","","Wisconsin","HACK","MED","2,036","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.784440","-88.787868" "May 26, 2017","Mississippi Division of Medicaid","","Mississippi","DISC","MED","5,220","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.354668","-89.398528" "May 26, 2017","AU Medical Center, Inc.","","Georgia","HACK","MED","5,600","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.165622","-82.900075" "May 26, 2017","Beacon Health System","","Indiana","DISC","MED","1,239","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.267194","-86.134902" "May 26, 2017","Sound Community Services, Inc.","","Connecticut","HACK","MED","1,278","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.603221","-73.087749" "May 26, 2017","Arizona Department of Health Services","","Arizona","PHYS","MED","2,500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "May 30, 2017","N. Fred Eaglstein, D.O. d/b/a Dermatology and Laser Center","","Florida","DISC","MED","2,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "June 1, 2017","CCHI Insurance Services","","California","PHYS","MED","1,000","Location of breached information: Desktop Computer, Electronic Medical Record, Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "June 1, 2017","LKM ENTERPRISES, INC.","","Oklahoma","PHYS","MED","3,400","Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.007752","-97.092877" "June 1, 2017","North Dakota Department of Human Services","","North Dakota","PHYS","MED","2,452","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "June 5, 2017","Toth Enterprises II d/b/a Victory Medical","","Texas","DISC","MED","2,000","Location of breached information: Email, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "June 7, 2017","Southwest Community Health Center","","Connecticut","PHYS","MED","6,000","Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.603221","-73.087749" "June 8, 2017","Tennessee Rural Health Improvement Association","","Tennessee","PHYS","MED","588","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "June 9, 2017","SSM DePaul Medical Group (Dr. Syed Khader)","","Missouri","PHYS","MED","836","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "June 15, 2017","Texas Health and Human Services","","Texas","PHYS","MED","1,842","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "June 16, 2017","Airway Oxygen, Inc.","","Michigan","HACK","MED","500,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.314844","-85.602364" "June 12, 2017","Yeo & Yeo CPAs & Business Consultants","Lansing","Michigan","HACK","BSF","0","""Yeo & Yeo values the relationship we have with our clients and understands the importance of protecting both our clients’ and their family members’ personal information.  Regrettably, we are writing to notify you of an incident involving some of that information. This letter provides additional information to our clients, who we previously notified on April 25, 2017.    On May 12, 2017, we concluded our investigation of suspicious activity in our computer systems.  
Our investigation, which included the assistance of a leading computer forensics company, determined that there was unauthorized access to certain 2015 tax returns.  No 2016 tax or other financial information was involved. Our investigation determined that your 2015 tax information was accessed by unauthorized individual(s).  The information contained in the tax returns included your name, address, and Social Security number.""","Vermont Attorney General","http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Yeo%20&%20Yeo%20SBN%20to%20Consumers.pdf","2017","42.725070","-84.646677" "June 19, 2017","Torrance Memorial Medical Center","Torrance","California","HACK","MED","0","""What Happened? On April 20, 2017, Torrance Memorial Medical Center (""Torrance Memorial"") discovered that it had experienced an email security incident that allowed access to two staff members' email accounts which contained work-related reports.  Torrance Memorial immediately launched an investigation, which included working with third-party forensic investigators, to determine the full nature and scope of this incident.  The investigation determined that personal information for certain individuals was present in some impacted emails.  Based upon available forensic evidence, it appears these cyber attacks took place on April 18 and 19, 2017. What Information Was Involved? While Torrance Memorial's investigation is ongoing to date, Torrance Memorial has no evidence of any actual or attempted misuse of information as a result of this incident.  
Based on the investigation, we have determined that the information affected may include your name, Social Security number, address, health insurance information, date of birth, and treatment/diagnostic information.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-97527","2017","33.835849","-118.340629" "June 3, 2017","Signature Hardware","Erlanger","Kentucky","HACK","BSO","0","""What Happened? On or around April 24, 2017, an unauthorized person gained access to the third-party platform we utilize to host our checkout process.  Through this access, the unauthorized person loaded code onto our site that enabled them to access information provided by customers during checkout as it was entered.  The unauthorized person is believed to have only obtained information on a limited number of days, namely April 28-May, and for a few hours on each of the following days: May 10, 22, 25, 27 and 30. What Information Was Involved? The information that may have been accessed includes any information entered during the Signature Hardware checkout process, including credit card number, expiration date, and CVV number (the three or four digits on the back of your card). Other information that is optional to provide at checkout, such as name and address, may also have been accessed, if you provided such information during the check-out process.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-72355","2017","39.016728","-84.600777" "June 27, 2017","Texas Association of School Boards","Corpus Christi","","DISC","GOV","6,100","""Some Corpus Christi Independent School District employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online, a district news release states. The Texas Association of School Boards notified the Corpus Christi ISD of the incident, which was discovered May 22. 
""All employee information has been taken down,"" a district news release states. The school board association, which administers a group unemployment compensation program for Texas school districts, reports there is no evidence that the personal information was accessed or used in any way, the release states. District officials notified employees via email and online communications, the release states. In CCISD, 6,100 people will receive notification of the incident. The incident potentially affected employees throughout Texas and other entities that participate in the unemployment insurance program administered by the association. CCISD is required to send a quarterly report to the association, listing all CCISD employees who received any payment from CCISD for work performed, the release states. The report does not include employee financial information.""","Media","http://www.caller.com/story/news/education/2017/06/21/ccisd-employee-information-inadvertently-made-visible-online/416663001/","2017","27.800583","-97.396381" "June 16, 2017","GOLFTEC","Englewood","Colorado","HACK","BSO","0","""What Happened & What Information Was Involved You are receiving this letter because GOLFTEC was victim of a recent security breach at your specific GOLFTEC Center and your credit card information was potentially compromised. These were in-center transactions and no online transactions were affected. We experienced malicious point-of-sale terminal intrusions at select GOLFTEC centers from March 2–June 15, 2017. A relatively small number of transactions within that time period were affected, however, this may have put your personal information at risk. Remedies–What We’re Doing To Support You Our sincerest apologies for any inconvenience this might cause. We have conducted a full investigation and have confirmed the incident has been contained. 
Upon discovery of the breach, we immediately took the necessary steps to fully remediate the situation, including notifying the proper authorities.""","California Attorney General","https://oag.ca.gov/system/files/GOLFTEC-Security%20Breach%20Letter%20%286.14.17%29-California%20Version_0.pdf?","2017","39.581175","-104.855831" "July 5, 2017","DXC Technology","Indianapolis","Indiana","DISC","BSO","0","""Medicaid members may receive a letter about a possible data breach involving personal information. DXC Technology, the fiscal agent for the Indiana Health Coverage Program (IHCP), says an internet hyperlink containing patient information was accessible between February and May of this year, according to The Indy Channel. The information included patients’ names, Medicaid ID numbers, names and addresses of healthcare providers, patient numbers, procedure codes, dates of service, and payment amounts. No financial information, social security numbers or patient addresses were released. The Family and Social Services Administration and DXC do not believe any patient information was stolen, but letters are being sent out as a precaution. If you were affected, you will be receiving a letter from the company responsible for maintaining the state’s Medicaid software, along with a year of free credit monitoring, according to 44 News.""","Media","https://www.wowo.com/possible-data-breach-medicaid-patients/","2017","39.768403","-86.158068" "June 19, 2017","Torrance Memorial Medical Center","","California","HACK","MED","46,632","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "June 19, 2017","Family Tree Health Clinic","","Texas","HACK","MED","13,402","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "June 20, 2017","Cleveland Medical Associates, PLLC","","Tennessee","HACK","MED","22,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "June 20, 2017","Tampa Bay Surgery Center","","Florida","HACK","MED","25,848","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "June 20, 2017","Aetna Inc.","","Connecticut","DISC","MED","5,002","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.603221","-73.087749" "June 22, 2017","Saint Thomas Rutherford Hospital","","Tennessee","PHYS","MED","2,837","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "June 27, 2017","Enterprise Services LLC","","Indiana","DISC","MED","56,075","Location of breached information: Network Server, Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.267194","-86.134902" "December 1, 2014","Godiva Chocolatier, Inc.","","Maryland","PHYS","MED","0","name, address, medical diagnosis, ssn Location of breached information: stolen laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 14, 2014","Cyberswim, Inc.","","Maryland","HACK","MED","833","Name, 
payment card info, website username and pw, address Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 14, 2014","International Dairy Queen, Inc.","","Maryland","HACK","MED","0","name, payment card info Location of breached information: Payment card system Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 14, 2014","Pulte Mortgage LLC","","Maryland","PHYS","MED","5","name, address, phone or email, ssn, financial account numbers Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 26, 2014","Allianz Life Insurance Company of North America","","Maryland","DISC","MED","5","name, address, contract number, ssn Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 23, 2014","Transamerica Premier Life Insurance Company","","Maryland","DISC","MED","1","name, ssn, bank account info Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 26, 2014","Six Red Marbles","","Maryland","DISC","MED","41","name, dob, address, ssn Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 18, 2014","Novo Nordisk 
Inc.","","Maryland","DISC","MED","3","name, email address, ssn Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 24, 2014","Cultivian Ventures, LLC","","Maryland","HACK","MED","1","name, address, ssn, financial info Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 24, 2014","fairway independent mortgage corporation","","Maryland","HACK","MED","0","name, ssn, financial information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 4, 2014","Conference USA, Inc.","","Maryland","HACK","MED","0","name, address, dob, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 12, 2014","Sony Pictures Entertainment","","Maryland","HACK","MED","45","name, address, ssn, dln, credit card info, username/pw, compensation Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.045755","-76.641271" "December 19, 2014","Quest Diagnostics","","Maryland","DISC","MED","571","name, address, ssn, dob Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 11, 2014","Mosaic Sales SOlutions US Operating Co. 
LLC","","Maryland","PHYS","MED","3,477","name, dob, ssn, email address, employee id number, phone number, address Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 15, 2014","Point Loma Nazarene University","","Maryland","HACK","MED","2","names,SSN, credit card numbers and CVV code or expiration date, usernames and passwords, dln Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 15, 2014","Apple Leisure Group and AMResorts","","Maryland","HACK","MED","27","name, payment card info, dob, address, phone number, email address Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 17, 2014","Ascena Retail Group, Inc.","","Maryland","DISC","MED","0","email address, ssn Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 18, 2014","ID Parts, LLC","","Maryland","HACK","MED","375","name, payment card info Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 18, 2014","Dutch Bros. 
Coffee","","Maryland","HACK","MED","18","name, address, credit card info Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 19, 2014","Staples, Inc.","","Maryland","HACK","MED","0","name, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 20, 2014","BolderImage Company","","Maryland","HACK","MED","4","name, address, phone number, credit card info, email address Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 22, 2014","Azusa Pacific University","","Maryland","PHYS","MED","2","name, ssn Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 24, 2014","Corday Productions, Inc.","","Maryland","HACK","MED","2","Name; address; social security number or federal identification number; salary or wage information; telephone number; and if the employee had his/her wages directly deposited, information regarding the employee’s bank name and bank account number Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 24, 2014","Lokai Holdings LLC","","Maryland","HACK","MED","1,847","name, address, payment card info, username and password Location of breached information: Network Server Business associate present: No ","US 
Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 31, 2014","Park 'N Fly","","Maryland","HACK","MED","0","(No Maryland residents affected at this point) name, payment card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 31, 2014","La Jolla Group, Inc.","","Maryland","HACK","MED","28","name, address, phone number, email address, credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 21, 2014","AlliedBarton Security Services LLC","","Maryland","INSD","MED","25","name, dln, Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 20, 2014","Prince George's County Public Schools","","Maryland","DISC","MED","10,400","name, ssn, dob employee identification number Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 21, 2014","APi Group, Inc.","","Maryland","DISC","MED","32","name, ssn, dob Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "November 24, 2014","Simms Fishing Products","","Maryland","HACK","MED","29","name, address, payment card info Location of breached information: Payment card system Business associate 
present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "November 25, 2014","American Residuals and Talent, Inc.","","Maryland","HACK","MED","47","name, address, ssn, dob, bank account info, email address, phone number Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "November 25, 2014","Oregon Educators Benefit Board","","Maryland","DISC","MED","49","name, benefit number, address, dob, ssn, benefit plan selections, names of dependents, Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","39.045755","-76.641271" "November 26, 2014","Calypso St. Barth, Inc.","","Maryland","HACK","MED","33","name and credit card info Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "December 1, 2014","Holiday Motel","","Maryland","HACK","MED","17","names, address, phone number, email address, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 1, 2014","Blue Mountain Community Foundation","","Maryland","DISC","MED","2","name, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 5, 2014","Sands Casino Resort Bethlehem","","Maryland","HACK","MED","12","name, ssn, dln, passport number, 
email address, job titles Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "December 5, 2014","Bebe Stores, Inc.","","Maryland","HACK","MED","1,339","name, payment card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 12, 2014","Visionworks","","Maryland","PHYS","MED","71,701","name, address, phone number, health insurance info, dates of visit, health information Location of breached information: Servers Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","40.760537","-73.978890" "October 8, 2014","City of Alexandria Fire Department","Alexandria","Virginia","INSD","MED","0","name, dob, ssn, record identifier Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","38.804836","-77.046921" "October 23, 2014","Reeves Inernational, Inc.","","Maryland","HACK","MED","379","name, address, website username, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 23, 2014","CareFirst BlueCross BlueShield","","Maryland","DISC","MED","1","name, ssn Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 15, 2014","Gold's 
Gym","","Maryland","INSD","MED","1","name, credit card info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 28, 2014","Arizona State Retirement System","","Maryland","DISC","MED","18","name, ssn Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 27, 2014","Duluth Pack","","Maryland","HACK","MED","1","name, address, payment account numbers, email address Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 3, 2014","Camp Bow Wow Franchising, Inc.","","Maryland","HACK","MED","2","name, address, ssn, financial account info, routing numbers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 3, 2014","Wyndham Vacation Resorts, Inc.","","Maryland","INSD","MED","1","name, address, ssn, financial account info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 27, 2014","Direct Learning Systems, Inc., d/b/a 123ce.com","","Maryland","HACK","MED","34","names, financial information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" 
"October 31, 2014","Nationstar Mortgage LLC d/b/a Champion Mortgage","","Maryland","DISC","MED","74","name, address, account number Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 27, 2014","Modern Gun School","","Maryland","HACK","MED","8","names, financial information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 14, 2014","EZ Prints, Inc.","","Maryland","HACK","MED","53","name, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 16, 2014","Primerica","","Maryland","PHYS","MED","4","name, dob, address, ssn, dln Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 20, 2014","Experian","","Maryland","HACK","MED","2","name, dob, address, ssn, account numbers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 21, 2014","Experian","","Maryland","HACK","MED","9","name, address, ssn, dob, account numbers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 9, 2014","International Dairy Queen","","Ontario","HACK","MED","0","name, 
credit/debit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","38.300403","-76.507454" "November 3, 2014","Experian","","Maryland","DISC","MED","4","name, ssn, dob, account number Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "November 13, 2014","Citibank, N.A.","","Maryland","DISC","MED","6","name, banking information Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 9, 2014","Penn Highlands Brookville","","Maryland","HACK","MED","2","name, dob, ssn insurance info, medical info, gender Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 14, 2014","Asset Marketing Services, LLC d/b/a GovMint.com","","Maryland","HACK","MED","0","name, address, email address, and credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 10, 2014","National Domestic Workers","","Maryland","HACK","MED","18","name, ssn, deposit account numbers, insurance enrollment info Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 20, 2014","Sourcebooks, 
Inc.","","Maryland","HACK","MED","286","name address, payment card information Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 20, 2014","Columbia Southern University","","Maryland","DISC","MED","59","name, address, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 22, 2014","Townsend Enterprises, Inc. d/b/a The Sinclair Institute","","Maryland","HACK","MED","6","name, credit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 17, 2014","Backcountry Gear","","Maryland","HACK","MED","2","customer names, email addresses, billing and mailing addresses, purchase information, credit card or debit card numbers, the card expiration date and security code on the back of the cards Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 23, 2014","Alliance Workplace Solutions, LLC","","Maryland","PHYS","MED","93","name, dob, ssn, Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 24, 2014","Benefit Express Services","","Maryland","DISC","MED","3","name, address, dob, SSN Location of breached information: Email Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "October 24, 2014","c3controls","","Maryland","HACK","MED","0","name, billing address, credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "November 18, 2014","MemberClicks, Inc. d/b/a Moolah Payments","","Maryland","PHYS","MED","11","name, address, dob, ssn Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 28, 2014","One Love Organics, Inc.","Saint Simons Island","Georgia","HACK","MED","0","customer account info, name, email address, billing and shipping address, phone number and credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","31.161514","-81.389776" "October 28, 2014","US Investigations Services, LLC (USIS)","Washington","District Of Columbia","HACK","MED","0","name, dob, ssn, username/passwords Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.641762","-77.719993" "October 29, 2014","American Athletic Conference","","Maryland","HACK","MED","6","name, ssn, address, email address, phone number, dob, Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 30, 2014","Delaware River & Bay Authority","New 
Castle","Delaware","HACK","MED","0","credit/debit card data, name Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.539298","-75.667356" "November 7, 2014","Weill Cornell Medical College","New York","New York","INSD","MED","0","clinical data pertaining to the condition, treatment, and tests for some patients. Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.764354","-73.955163" "November 2, 2014","M&T Bank (Identity Theft)","","Maryland","PHYS","MED","41","as name, address, telephone number, social security number, and account numbers Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "November 6, 2014","Nova Southeastern University","","Maryland","HACK","MED","13","name, dob, address, email address, phone number, NSU identification number, SSN Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "November 7, 2014","Aarow Equipment & Services Inc.","Mechanicsville","Maryland","PHYS","MED","16","name, SSN, DOB, DLN Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","38.442165","-76.743977" "October 9, 2014","Evolution Nature Corp., d/b/a The Evolution Store","","Maryland","HACK","MED","23","name, email address, phone number, billing address, shipping address, order info, user name, credit/debit 
card data, Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 24, 2014","Valeritas","","Maryland","DISC","MED","1","names, address, dob, ssn Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 22, 2014","North American Title Company","","Maryland","DISC","MED","1","information associated with loan documents Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 23, 2014","Six Continents Hotels, Inc.","","Maryland","INSD","MED","1","name, payment card info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 23, 2014","Rentrak Corporation","","Maryland","PHYS","MED","1","name, address, social security number, and title and salary information Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 24, 2014","Jimmy John's Franchises LLC","","Maryland","HACK","MED","0","name, payment card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 24, 2014","Pacific Biosciences of California, 
Inc.","","Maryland","PHYS","MED","16","name, dob, contact information, ssn, banking info, compensation info, insurance info Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 18, 2014","CareCentrix, Inc.","","Maryland","INSD","MED","1","name, address, dob, ssn, health plan numbers Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 18, 2014","Booking.com","","Maryland","HACK","MED","1","name, address, and payment card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 18, 2014","Viator","","Maryland","HACK","MED","8,421","payment card info, email address, Viator account info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "September 17, 2014","Mercy Health Services","","Maryland","DISC","MED","1","PHI (Protected health information) Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "September 13, 2014","Legacy Consulting LLC","","Maryland","DISC","MED","2","name, address, ssn Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 29, 
2014","USAA Federal Savings Bank","San Antonio","Texas","HACK","MED","0","USAA debit or atm card information Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","29.416740","-98.452291" "September 29, 2014","UIL Holdings Corporation","","Maryland","PHYS","MED","5","names, Social Security Numbers, addresses, earnings data, and/or dates of birth. Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 1, 2014","Flinn Scientific, Inc.","","Maryland","HACK","MED","127","payment card number, card verification code, expiration date, name, address, and email address Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "October 3, 2014","The County of Hertford County, North Carolina","","Maryland","DISC","MED","19","name, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "September 9, 2014","Ameriprise Financial Services, Inc.","Minneapolis","Minnesota","PHYS","MED","2","name, dob, ssn, account number, address Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","44.853231","-93.374696" "September 9, 2014","Home Depot, Inc.","","Maryland","HACK","MED","0","name, credit card number, expiration date, Location of breached information: Payment card system Business associate present: No 
","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 11, 2014","TREMEC","","Maryland","PHYS","MED","5","sensitive information Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 9, 2014","California State University, East Bay","","Maryland","HACK","MED","10","name, ssn, address Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 9, 2014","Yandy.com","Phoenix","Arizona","HACK","MED","941","name, address, credit/debit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","33.517059","-112.082453" "September 15, 2014","Bartell Hotels","","Maryland","HACK","MED","81","name, address, credit/debit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 8, 2014","Holy Cross Hospital","","Maryland","HACK","MED","3","name, address, credit card number and expiration date Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 17, 2014","Tim McCoy & Associates DBA NEAT Management Group","Austin","Texas","PHYS","MED","151","name, ssn, dob, phone number, address, EIN, and email address Location of breached information: 
Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","30.358608","-97.703321" "September 24, 2014","Metropolitan Life Insurance Company","","Maryland","DISC","MED","10","name, address, Social Security number, and contract data, contract number, issue date, value and balances Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 26, 2014","Experian","","Maryland","HACK","MED","19","name, dob, ssn, address Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "September 26, 2014","Fidelity Investments","","Maryland","DISC","MED","1","name, ssn, brokerage account number Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "August 12, 2014","Freedom Management Group, LLC","","Maryland","HACK","MED","155","name, address, credit card number, cvv, expiration date, and in some cases email address and account password (if the customer elected to create an account) Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "August 14, 2014","SUPERVALU Inc.","Eden Prairie","Minnesota","HACK","MED","0","account numbers, and in some cases also the expiration date, other numerical information and/or the cardholder's name, from payment cards Location of breached information: Payment card system Business associate present: No ","Maryland 
Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","44.813498","-93.376290" "August 14, 2014","AB Acquisition LLC","Boise","Idaho","HACK","MED","0","credit and debit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.185008","-77.310596" "August 20, 2014","M&T Bank","","Maryland","DISC","MED","1","name, address, phone number, dob, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 22, 2014","Liberty Tax","","Maryland","HACK","MED","0","tax information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 21, 2014","Geekface LLC","","Maryland","HACK","MED","0","name, address, username, password, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 5, 2014","Republic Bank & Trust Company","","Maryland","PHYS","MED","2","name, address, telephone number, ssn, dln Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 6, 2014","Polish Falcons of America","Pittsburgh","Pennsylvania","PHYS","MED","1","name, ssn, credit card info Location of breached information: Laptop Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.421935","-80.046211" "August 1, 2014","Signal Outdoor Advertising, LLC","","Maryland","DISC","MED","33","credit card payment info Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 27, 2014","Imhoff and Associates, P.C.","","Maryland","PHYS","MED","0","name, ssn, dln, contact info Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 2, 2014","Goodwill Industries International","","Maryland","HACK","MED","0","name, payment card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "September 2, 2014","LPL Financial LLC","Boston","Massachusetts","DISC","MED","11","name, account number, account balance Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","42.360083","-71.058880" "September 2, 2014","ClamCase, LLC","Los Angeles","California","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","33.711829","-117.792406" "September 2, 2014","Nationstar Mortgage LLC","","Maryland","DISC","MED","1","name, address, mortgage loan numbers Location of breached information: email Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "August 4, 2014","Test Effects, LLC (Wireless Emporium)","Concord","New Hampshire","HACK","MED","0","Location of breached information: Website Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2014","37.944006","-121.952315" "August 8, 2014","Diatherix Laboratories","","Maryland","HACK","MED","1","Name, ssn, dob, insurance, test information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "August 12, 2014","Harry Barker","","Maryland","HACK","MED","43","name, address, phone number, email address, credit card number Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 12, 2014","Kleiner Perkins Caufield & Byers","","Maryland","PHYS","MED","0","name, contact info, ssn, banking info Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 14, 2014","Tokyo Electric Power Company, Inc.","","Maryland","DISC","MED","7","name, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 7, 2014","Anderson & Murison, Inc.","","Maryland","HACK","MED","14","name, dob, dln,address Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 7, 2014","Crothall Services Group","","Maryland","DISC","MED","27","name, dob, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "August 8, 2014","St. Francis College","","Maryland","PHYS","MED","15","name, address, phone number, email address, ssn Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 29, 2014","The Northern Trust Company","","Maryland","DISC","MED","10,172","name, address, ssn, benefits plan, payment information, banking info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 30, 2014","Reading Partners","","Maryland","PHYS","MED","11","SSN, compensation info, and other employment info Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 30, 2014","Lasko Group, Inc.","","Maryland","HACK","MED","210","name, email address, phone number, credit card info Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 30, 2014","Dreslyn","","Maryland","HACK","MED","11","credit/debit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "July 31, 2014","USAA","San Antonio","Texas","DISC","MED","16","name, address, ssn, checking and savings account number, loan balance, insurance policy info Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","29.416740","-98.452291" "July 31, 2014","Chicago Yacht Club","Chicago","Illinois","HACK","MED","0","name, address, potentially bank/credit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","41.819738","-87.606006" "August 1, 2014","P. F. Chang's China Bistro","Scottsdale","Arizona","HACK","MED","0","name, credit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.421439","-76.655395" "August 5, 2014","Vibram USA, Inc.","","Maryland","HACK","MED","109","name, credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 29, 2014","SourceMedia, Inc.","","Maryland","HACK","MED","0","name, encrypted password, email address, phone number, credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 28, 2014","Backcountry Gear","","Maryland","HACK","MED","92","name, address, credit/debit info Location of breached information: Payment card 
system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 28, 2014","Seattle University","","Maryland","DISC","MED","26","name, bank routing and checking account info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 25, 2014","NorthShore University Healthsystem","","Maryland","HACK","MED","1","name, address, email address, dob, marital status, benefits info, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 24, 2014","OppenheimerFunds Services","","Maryland","DISC","MED","1","name, account number, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 9, 2014","TotalBank","","Maryland","HACK","MED","63","name, address, account number, account balance, personal identification number (SSN, DLN, passport number, alien registration number) Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 17, 2014","Bank of America","","Maryland","DISC","MED","26","name, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 1, 2014","Maryland Department Of Health And Mental 
Hygiene","","Maryland","DISC","MED","0","name, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 23, 2014","Washington National Insurance Company","","Maryland","HACK","MED","1","name, address, dob, age, phone number, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 21, 2014","Experian","","Maryland","HACK","MED","23","unauthorized access Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 10, 2014","AECOM Technology Corporation","","Maryland","HACK","MED","1,892","name, address, ssn, personal bank account info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 10, 2014","Park Hill School District","","Maryland","INSD","MED","1","name, ssn, state identification number, and health plan insurance number Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 15, 2014","Freshology, Inc.","","Maryland","HACK","MED","0","name, address, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 16, 2014","United Air Temp Conditioning & Heating, 
Inc.","","Maryland","INSD","MED","0","Name, payment card info Location of breached information: Credit Card Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 8, 2014","ABM Parking Services, Inc.","","Maryland","INSD","MED","3","Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 8, 2014","Citi","","Maryland","DISC","MED","17","Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 1, 2014","P.F. Chang's","","Maryland","HACK","MED","0","name, debit/credit card info Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 9, 2014","Intuit, Inc.","","Maryland","HACK","MED","1","address, name, ssn FEINs,and bank account number Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 5, 2014","AT&T","","Maryland","INSD","MED","3","name, ssn, dob Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 5, 2014","National Credit Adjusters, LLC","","Maryland","HACK","MED","57","name, address, debt balance, dob, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 10, 2014","Herbaria","St. Louis","Missouri","HACK","MED","0","name, credit/debit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","38.624514","-90.150647" "June 12, 2014","Ullico Inc.","","Maryland","PHYS","MED","396","name, ssn, dob, address Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 16, 2014","Polyone Designed Structures and Solutions","","Maryland","HACK","MED","0","name, contact info, tax info, ssn, bank info Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 20, 2014","Primerica","","Maryland","PHYS","MED","27","name, dob, address, ssn, dln Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 2, 2014","Rowan Companies, Inc.","","Maryland","HACK","MED","2","Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 2, 2014","Gordon Feinblatt LLC","","Maryland","HACK","MED","197","name, ssn, bank account tin Location of breached information: email Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 27, 2014","Seterus","","Maryland","DISC","MED","1","loan number, borrower name, property address, loan details Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 27, 2014","Baltimore School of Massage Therapy","","Maryland","DISC","MED","683","name, ssn, phone number, address, student ID number Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 27, 2014","Benjamin F. Edwards and Co.","","Maryland","HACK","MED","1,139","malware Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 30, 2014","Sterne Agee","Birmingham","Alabama","HACK","MED","0","stolen laptop Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","33.520952","-86.720718" "June 23, 2014","Giant Eagle, Inc.","","Maryland","INSD","MED","469","error in internal HR portal Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 27, 2014","Invest Financial Corporation","","Maryland","DISC","MED","1","physical file may have been copied Location of breached information: Paper Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 2, 2014","Kimpton","","Maryland","HACK","MED","1","malware Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 12, 2014","Fidelity National Financial, Inc.","","Maryland","HACK","MED","40","targeted phishing attack Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 12, 2014","SafetyFirst","","Maryland","DISC","MED","97","unauthorized access to server Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 16, 2014","David Stanley Dodge","","Maryland","HACK","MED","1","vulnerability on computer network Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 17, 2014","Specialized Eye Care","","Maryland","HACK","MED","28","employee improperly accessed info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 17, 2014","Papa John's USA, Inc.","","Maryland","HACK","MED","371","password protected desktop computer stolen during armed robbery Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 18, 2014","Bell Nursery USA, LLC","","Maryland","INSD","MED","25","stolen laptop Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 18, 2014","Record Assist, LLC","","Maryland","HACK","MED","331","hackers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "June 19, 2014","Metropolitan Companies, Inc.","","Maryland","PHYS","MED","17","unauthorized third party accessed computer systems and potentially removed documents Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 23, 2014","Montana Department of Public Health and Human Service","","Maryland","DISC","MED","5","Hackers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 25, 2014","Butler University","","Maryland","DISC","MED","1,626","unauthorized hacking between Nov. 2013 and May 2014 Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 27, 2014","Atlantic Automotive Corp. 
DBA MileOne, Inc.","","Maryland","HACK","MED","350","hackers Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "June 27, 2014","Legal Sea Foods, LLC","Boston","Massachusetts","HACK","MED","0","unauthorized person gained access to server Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","42.311651","-71.055323" "June 30, 2014","Dennis East International, LLC","","Maryland","HACK","MED","3","hackers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "July 1, 2014","Thomson Reuters","","Maryland","HACK","MED","36","online contractor used customer credit cards to make unauthorized online purchases Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "July 2, 2014","Waynesburg University","","Maryland","HACK","MED","5","info saved to drive that was capable of being accessed through the internet Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "May 22, 2014","Ebay","San Jose","California","DISC","MED","0","PDF attachment accidentally included in email Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","38.354738","-76.410332" "May 22, 
2014","Experian","","Maryland","HACK","MED","3","info accessed without proper authorization Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 27, 2014","Power Equipment Direct, Inc.","","Maryland","HACK","MED","12","malicious computer code Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 27, 2014","Service Alternatives, Inc.","","Maryland","DISC","MED","2","unauthorized access to payroll systems Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 22, 2014","CenturyLink","","Maryland","HACK","MED","1","unauthorized access to server Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 27, 2014","Walgreen Co.","","Maryland","INSD","MED","0","information stolen by employee Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 27, 2014","Placemark Investments, Inc.","","Maryland","HACK","MED","11","malware Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 23, 2014","The Home Depot, Inc.","","Maryland","INSD","MED","3","improper access by employee Location of breached 
information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 22, 2014","Hilbert College","","Maryland","DISC","MED","1","paperwork distributed at financial aid workshop inadvertently contained personal info Location of breached information: Paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 21, 2014","Hanover Foods Corporation","Hanover","Pennsylvania","HACK","MED","677","Hackers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.195504","-76.722823" "May 20, 2014","Paytime Harrisburg, Inc. DBA Paytime, Inc.","Mechanicsburg","Pennsylvania","HACK","MED","8,261","hackers Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.213877","-76.999437" "May 16, 2014","Affinity Gaming","Las Vegas","Nevada","HACK","MED","0","unauthorized intrusion Location of breached information: Payment card system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","36.143358","-115.134952" "May 14, 2014","AutoNation, Inc.","Fort Lauderdale","Florida","HACK","MED","29","hacking Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","26.205941","-80.145935" "May 14, 2014","Precision Planting LLC","","Maryland","HACK","MED","14","unauthorized access to systems by an 
outside party Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "May 13, 2014","Hubbard-Bert, Inc.","Erie","Pennsylvania","DISC","MED","22","spreadsheets containing Lake Erie College of Osteopathic Medicine inadvertently exposed to internet Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.376215","-77.154704" "May 12, 2014","Santander Bank, N. A.","Boston","Massachusetts","INSD","MED","1","employee improperly accessed and retained info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.360083","-71.058880" "May 8, 2014","PREIT","","Maryland","HACK","MED","91","unauthorized user obtained access Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "May 7, 2014","Entercom Portland, LLC","Portland","Oregon","PHYS","MED","5","backup of data server stolen from car Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","45.523062","-122.676482" "May 7, 2014","Mercer HR Services, LLC","","Maryland","DISC","MED","4","improper disclosure by employee Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 7, 
2014","American Dental Association","Chicago","Illinois","DISC","MED","2","error during website upgrade Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","41.819738","-87.606006" "April 22, 2014","Larsen Dental Care","","Maryland","PHYS","MED","3","stolen hard drive Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 7, 2014","FujiFilm","Valhalla","New York","HACK","MED","1","email system accessed without authorization Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.501681","-76.979392" "April 14, 2014","CareFirst BlueCross BlueShield","","Maryland","DISC","MED","2","info inadvertently mailed Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 1, 2014","Susquehanna Health","Williamsport","Pennsylvania","DISC","MED","2","info included on unencrypted email Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.600652","-77.820551" "April 30, 2014","Boomerang Tags","","Maryland","HACK","MED","593","malicious software Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 29, 
2014","Seterus","Beaverton","Oregon","DISC","MED","2","foreclosure correspondence sent to incorrect address Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.358331","-77.418602" "April 25, 2014","NCO Financial Systems, Inc.","","Maryland","DISC","MED","46","PDF attachment accidentally included in email Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 25, 2014","Federal Home Loan Mortgage Corporation (Freddie Mac)","Richmond","Virginia","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","37.917561","-76.710563" "April 22, 2014","Seattle University","Seattle","Washington","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","47.593013","-122.383731" "April 22, 2014","Snelling Staffing, LLC","","Maryland","DISC","MED","19","personal information inadvertently made available on the internet due to errors made during the installation of a cloud based server Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "May 5, 2014","Gingerbread Shed Corporation","","Maryland","HACK","MED","78","unauthorized third party gained access to personal information Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "May 5, 2014","Maschino, Hudelson & Associates","Oklahoma City","Oklahoma","PHYS","MED","0","laptop stolen from trunk of car Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","35.428550","-97.413608" "April 21, 2014","L Brands, Inc.","Columbus","Ohio","HACK","MED","0","concealed skimming device Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.961176","-82.998794" "April 22, 2014","Johns Hopkins University (Identity Theft)","","Maryland","DISC","MED","725","files inadvertently made accessible on the internet Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "April 24, 2014","JCM Partners, LLC","","Maryland","HACK","MED","18","name, ssn, DLN, email and mailing address Location of breached information: unauthorized access to database Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "April 25, 2014","Central City Concern","","Maryland","INSD","MED","10","name, dob, ssn, health info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "April 2, 2014","Citibank, N.A.","","Maryland","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 15, 2014","USAA","","Maryland","DISC","MED","1","name, address, ssn, member account number, and financial info Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 17, 2014","Michaels Stores, Inc.","","Maryland","HACK","MED","0","payment card information, such as credit card number and expiration date Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 3, 2014","Logos Management Software, LLC","","Maryland","HACK","MED","15","credit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 11, 2014","LaCie USA","","Maryland","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 11, 2014","Society for Science & the Public","","Maryland","HACK","MED","0","Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 11, 2014","Blue Cross and Blue Shield of Kansas City, Inc.","","Maryland","INSD","MED","0","name, credit card info, bank account info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 11, 2014","Veterans of Foreign Wars of the U.S. (VFW)","","Maryland","HACK","MED","1,074","name, address, SSN Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 14, 2014","Mid Atlantic Professionals, Inc. DBA SSI","","Maryland","DISC","MED","0","Social Security Numbers, Date of Birth, Mailing Addresses Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 15, 2014","Mimeo.com","","Maryland","INSD","MED","2","name, DOB, SSN, address Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "April 18, 2014","Willis North America Inc. 
Medical Expense Benefit Plan","","Maryland","DISC","MED","129","name, dob, ssn, employee ID number Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "April 7, 2014","Deltek GovWin IQ","Herndon","Virginia","HACK","MED","0","name, billing address, phone number, email address, credit card info, and username Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","38.953502","-77.398586" "April 2, 2014","American Health Information Management Association (AHIMA)","","Maryland","INSD","MED","4","credit card info Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "April 2, 2014","City of Crossville, Tennessee","","Maryland","DISC","MED","7","name, bank numbers, Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "February 24, 2014","DST Systems, Inc.","","Maryland","DISC","MED","0","home address, ssn Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "February 18, 2014","John Hancock Life & Health Insurance Company","","Maryland","DISC","MED","0","name, address, ssn, member id number, dob, policy number, Location of breached information: Website Business associate present: No ","Maryland Attorney 
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "February 24, 2014","Merrill Lynch Wealth management","","Maryland","DISC","MED","1","name, address, ssn, account number Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "February 25, 2014","eScreen, Inc.","","Maryland","INSD","MED","5","name, ssn Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","39.045755","-76.641271" "February 28, 2014","Digia USA, Inc.","","Maryland","PHYS","MED","0","name, address, dob ssn, health insurance, beneficiary data, DLN, banking data Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "February 27, 2014","J.M. 
Smucker Company","","Maryland","HACK","MED","0","name, address, email address, phone, credit/debit card info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2014","40.760537","-73.978890" "February 27, 2014","ProAssurance Mid-Continent Underwriters, Inc.","Houston","Texas","HACK","MED","1","name, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","29.746762","-95.399365" "February 26, 2014","McKenna Long & Aldridge","Washington","District Of Columbia","HACK","MED","0","name, address, wages, tax and ssn information, DOB, age, gender, ethnicity, visa and passport info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.641762","-77.719993" "February 20, 2014","Aflac","Columbus","Georgia","INSD","MED","12","personal information Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.977260","-82.945992" "February 11, 2014","Fresenius Medical Care","Waltham","Maryland","PHYS","MED","8","ssn, insurance account number, phone number, address, insurance payment info, info on patient's ability to pay Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.429035","-76.609748" "February 11, 2014","Embassy suites","Memphis","Tennessee","HACK","MED","12","payment card info Location of breached information: Payment card 
system Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","35.122760","-90.053632" "February 11, 2014","TD Bank","Greenville","South Carolina","DISC","MED","8","names and bank accounts Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","35.599329","-77.338203" "February 6, 2014","Bank of the West","San Francisco","California","HACK","MED","10","name, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","37.751174","-122.382747" "February 7, 2014","Farmers and Merchants Trust Company of Chambersburg","Chambersburg","Pennsylvania","INSD","MED","6","name, address, phone number, account number, account value, dob, and investment products Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.641763","-77.719993" "February 3, 2014","Greenleaf Book Group, LLC","Austin","Texas","PHYS","MED","6","name, credit card info, email address, mailing address Location of breached information: Laptop Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","30.358608","-97.703321" "January 30, 2014","Nielsen","New York","New York","DISC","MED","0","name, ssn Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.568979","-74.850713" "January 23, 
2014","DaVita Healthcare Partners","Denver","Colorado","DISC","MED","1","name, ssn, clinical diagnoses, health insurance info, dialysis info Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.274830","-76.627783" "January 21, 2014","Complete Medical Homecare","Lenexa","Kansas","INSD","MED","16","patient names, addresses, ssn, dob, and certain medical diagnoses Location of breached information: email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","38.953617","-94.733571" "February 28, 2014","Sands","Las Vegas","Nevada","HACK","MED","0","name, email address, ssn, job titles Location of breached information: hackers Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","36.134026","-115.136870" "February 27, 2014","Oak Associates Funds","Cleveland","Ohio","PHYS","MED","12","names, address, email address, phone number, ssn, certain financial info Location of breached information: Portable device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","41.439645","-81.629658" "February 26, 2014","Variable Annuity Life Insurance Company","Houston","Texas","INSD","MED","25,855","name, ssn Location of breached information: Desktop Computer Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","29.746762","-95.399365" "February 24, 2014","Alaska Communications Systems Holdings, Inc.","Anchorage","Alaska","HACK","MED","4","name, address, dob, ssn Location of breached information: computer 
virus Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","38.795672","-76.138278" "February 21, 2014","Assisted Living Concepts, LLC","San Diego","California","HACK","MED","0","names, address, DOB, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","32.759671","-117.150961" "February 14, 2014","Rubin Lublin, LLC","Peachtree Corners","Georgia","DISC","MED","0","tax info, name, ssn Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","33.904084","-84.261345" "February 13, 2014","Carmike Cinemas, Inc.","Columbus","Ohio","PHYS","MED","1","name, address, ssn Location of breached information: paper Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","39.977260","-82.945992" "February 7, 2014","Catamaran","Schaumburg","Illinois","DISC","MED","37","SSN, name, address Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.006669","-88.055512" "February 6, 2014","White Lodging Services Corporation","Merrillville","Indiana","HACK","MED","0","names, credit and debit card information Location of breached information: hackers Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","41.450477","-87.329304" "January 30, 2014","Tribeca Film Institute","New York","New York","HACK","MED","1","payroll 
info Location of breached information: unauthorized access to payroll info Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.568979","-74.850713" "July 22, 2017","Washington State University","Olympia","Washington","PHYS","EDU","1,000,000","""When thieves broke into an Olympia storage locker in April and hauled away an 85-pound locked safe, they set in motion a series of events that forced Washington State University to send letters to 1 million people advising them their data might have been compromised. The safe contained a computer hard drive — a backup containing personal information, including Social Security numbers, that was stored off-site by WSU’s Social & Economic Sciences Research Center. The center, a research arm of the university, contracts with state agencies to evaluate the quality of the data those agencies are collecting, said Phil Weiler, vice president for marketing and communication at WSU. WSU doesn’t have any idea if the thieves were able to break into the safe, if they know what to do with the hard drive, or if they’re able to interpret the data, which is stored in a relational database that requires some expertise to unravel, Weiler said. In addition, some of the files were encrypted, and some were password protected, he said. But there’s certainly a chance they’ll figure it out, which is why WSU hired a computer-forensics firm to determine what data had been backed up onto the hard drive. This month, WSU sent letters to 1 million people warning them of the breach. The university is offering those affected a year subscription to free credit-monitoring and identity-theft protection. The data includes names and a mix of personal information, including Social Security numbers for some of those affected.
Some of it comes from school districts who track their students after graduation to find out if they’re going on to college, or getting jobs, Weiler said. The research center also has contracted with state job-training programs that track their clients to see if they were able to find employment. Weiler said the hard drive contained data from 1998 to 2013. Some of the research center’s work includes long-term studies that track participants over many years.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","47.037874","-122.900695" "July 5, 2017","Erie County Office of Children and Youth","Erie","Pennsylvania","DISC","GOV","30","""Officials with the Erie County Office of Children and Youth said that fewer than 30 Erie County children had their identities compromised as part of a recent data security breach involving a third-party vendor that affected approximately 1,800 child welfare cases statewide. The data breach was discovered in May and involved what is known as Child Accounting and Profile System databases maintained by Avanco International, a Fairfax, Virginia-based company that specializes in software integration, contracting and consulting for federal, state and local governments. The information has since been removed from the Internet. WJAC-TV in Johnstown reported the data breach was discovered after a Pennsylvania-based child welfare worker found a link on the internet to a client file, which should not have been viewable online. Erie County and several other counties statewide use that system, county OCY Director Lana Rees said. ""It's a system we input our (case) files into,"" Rees said, adding that names, dates of birth and Social Security numbers would be included in the database.
""The problem has been corrected."" Rees said she did not know how long the information was viewable online. Letters were sent to affected individuals or their families on June 30, she said, and the County Commissioners Association of Pennsylvania worked with county government solicitors across the state on a probe into what caused the data breach. CCAP is a statewide association that represents county commissioners, chief clerks, administrators and solicitors. It also represents county council members and executives in home-rule charter counties such as Erie County. The organization, according to Erie County officials, also consulted with lawyers expert in cyber law and a digital forensics company regarding the data breach, and put protective measures in place. There is no indication that the information was inappropriately used, officials said.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.129224","-80.085059" "July 12, 2017","Verizon","Basking Ridge","New Jersey","DISC","BSO","6,000,000","""The security issue, uncovered by research from cybersecurity firm UpGuard, was caused by a misconfigured security setting on a cloud server due to ""human error."" The error made customer phone numbers, names, and some PIN codes publicly available online. PIN codes are used to confirm the identity of people who call for customer service. No loss or theft of customer information occurred, Verizon told CNN Tech. UpGuard -- the same company that discovered leaked voter data in June -- initially said the error could impact up to 14 million accounts. Chris Vickery, a researcher at UpGuard, discovered the Verizon data was exposed by NICE Systems, an Israel-based company Verizon was working with to facilitate customer service calls. The data was collected over the last six months. Vickery alerted Verizon to the leak on June 13.
The security hole was closed on June 22. The incident stemmed from NICE security measures that were not set up properly. The company made a security setting public, instead of private, on an Amazon S3 storage server -- a common technology used by businesses to keep data in the cloud. This means Verizon data stored in the cloud was temporarily visible to anyone who had the public link.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.725154","-74.533949" "July 12, 2017","YMCA of San Diego","San Diego","California","DISC","NGO","0","""What Happened? On or about June 14, 2017, the YMCA became aware that an Excel spreadsheet containing personal information of certain YMCA employees was inadvertently sent over email to certain YMCA employees. Upon learning of the event, the YMCA immediately launched an investigation to determine its nature and scope, including remediating the incident with the assistance of the YMCA IT department. What Information Was Involved? While our investigation is ongoing, we determined the employee information contained in the Excel spreadsheet included: first and last name; Social Security number; address; date of birth; phone number; salary; former/maiden name; and disability code.
This employee information was located in the second tab of a larger spreadsheet.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","32.715738","-117.161084" "May 4, 2017","Sabre Corporation","Southlake","Texas","HACK","BSO","32,000","""Sabre Corporation disclosed a breach of its hospitality solutions SynXis central-reservations system that may have exposed consumers' payment card data and personally identifiable information. According to an SEC filing made by the company on Tuesday, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records are potentially affected. Sabre does not believe any other system was affected. ""The unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected,"" the company reported in its quarterly filing and a related press statement. Sabre contacted law enforcement, began notifying affected customers and hired the cybersecurity investigatory firm Mandiant to investigate. According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system. Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted, reports Krebs on Security.
A card involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","32.941236","-97.134178" "June 28, 2017","Pediatric Healthcare Solutions, a Division of ProHEALTH","","New York","HACK","MED","6,932","Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.760537","-73.978890" "June 29, 2017","FastHealth Corporation","","Alabama","HACK","MED","9,289","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "June 30, 2017","California Pacific Orthopaedics and Sports Medicine","","California","PHYS","MED","2,263","Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "June 30, 2017","Community Link Inc","","Wisconsin","HACK","MED","5,524","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "June 30, 2017","Baptist Medical Center South","","Florida","PHYS","MED","531","Location of breached information: Other Portable Electronic Device Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.760537","-73.978890" "June 30, 2017","Enterprise 
Services LLC","","Colorado","DISC","MED","822","Location of breached information: Network Server, Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.550051","-105.782067" "July 3, 2017","PVHS-ICM Employee Health and Wellness, LLC as covered entity and business associate","","Colorado","HACK","MED","10,143","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "July 9, 2017","Ledet Family Chiropractic Cener","","Pennsylvania","HACK","MED","530","Location of breached information: Network Server Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.760537","-73.978890" "July 9, 2017","Rosalind Franklin University of Medicine ","","Illinois","HACK","MED","859","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "May 15, 2017","Talx Corporation","St. Louis","Missouri","HACK","BSO","0","""Talx Corporation (“TALX”), a wholly owned subsidiary of Equifax Inc., is writing to inform you about a data security incident that may have resulted in the unauthorized access to an electronic copy of your Allegis Group, Inc., or Allegis Group, Inc. subsidiary (“Allegis”), W-2 tax form. We take the protection of such information very seriously. 
Accordingly, out of an abundance of caution, we are notifying a broad group of individuals who may have been affected. What Happened? TALX provides payroll-related services for Allegis, your current or former employer, that you are able to access through TALX’s online portal available at www.mytaxform.com or https://PaperlessPay.TALX.com/allegis (“online portal”). We recently discovered that an unauthorized third-party(ies) accessed the accounts of certain employees during various time periods from January 4, 2016 through March 29, 2017. Upon learning of the unauthorized access, TALX and Allegis worked together promptly to understand what happened, and determined that, in some instances, the unauthorized third-party(ies) successfully answered personal questions about the affected employees in order to reset the employees’ PINs (i.e., the password to access the online portal). We have no indication that either TALX or Allegis was the source of any of the information used to reset the PINs and access the accounts. While we are continuing to investigate the incident, out of an abundance of caution, we are notifying a broad group of individuals who may have been affected. What Information Was Involved? An unauthorized third-party(ies) may have accessed an electronic copy of your W-2 tax form, which includes your name, address, Social Security number, and earnings information. The unauthorized third-party(ies) may have also accessed other information maintained in your online portal account, including your name, address, phone number, date of birth, Social Security number, wage and direct deposit information, employee identification number, email address, gender, and marital status.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","38.627003","-90.199404" "May 15, 2017","KURU Footwear","Salt Lake City","Utah","HACK","BSR","0","""What Happened?
On February 2, 2017, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. On February 23, 2017, we discovered that we were the victim of a sophisticated cyber-attack that resulted in the potential compromise of some customers’ debit and credit card data used at www.kurufootwear.com between December 20, 2016 and March 3, 2017. Since that time, we have been working with third-party forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We removed the malware at issue to prevent any further unauthorized access to customer debit or credit card information. We are also working with the Federal Bureau of Investigations to investigate this incident. Through this process, we can now confirm you can safely use your payment card at our website. What Information Was Involved? Through the ongoing third-party forensic investigations, we confirmed on February 23, 2017 that malware may have stolen credit or debit card data from some credit and debit cards used at www.kurufootwear.com between December 20, 2016 and March 3, 2017. The information at risk as a result of this event includes the cardholder’s name, address, card number, expiration date and CVV.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.760779","-111.891047" "May 17, 2017","UNM Foundation","Albuquerque","New Mexico","HACK","NGO","0","""What Happened? In mid-April, 2017, we discovered that an unauthorized individual had gained access to our network through an account with our security services provider. This unauthorized individual may have had access to certain systems that contained personal information of our donors.
While our investigation is ongoing, we are providing this notice out of an abundance of caution to alert you to the incident because information about you was available through the affected system. What Information Was Involved? Information that may have been available includes names, contact information, donation amount and the checking and routing information displayed on your donation checks. While this information should not typically be sufficient to grant access to your accounts with your financial institutions, we place a high priority on the confidentiality of our donor information, and wanted to alert you to this incident so that you may be vigilant against phishing attempts or other fraudulent requests, and monitor your accounts for any suspicious activity.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","35.085334","-106.605553" "May 17, 2017","ITA Group","Cambridge","Massachusetts","DISC","BSO","0","""What Happened? It was discovered on April 7, 2017 that a system error associated with the website was temporarily allowing for potential unauthorized access to certain program participants’ account information. We worked to investigate the issue and confirm its full nature and scope. The possibility of unauthorized access has been corrected. We have received no reports of misuse of the information, but the possibility of unauthorized access did exist. What Information Was Involved?
The sensitive information in your account that was accessible included the bank account information associated with the referral program.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.373616","-71.109734" "May 17, 2017","Rite Aid","Camp Hill","Pennsylvania","HACK","BSR","0","""What Happened? We recently learned that unauthorized third parties accessed Rite Aid Online Store's e-commerce platform and acquired certain personal information of customers who manually entered their payment card details at the online store between January 30, 2017 and April 11, 2017. What Information Was Involved? The personal information that may have been affected includes your name, address, email address, and payment card data, including credit card number, expiration date, and card verification number.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","40.239812","-76.919974" "July 13, 2017","Walk in the Word Ministries","Elgin","Illinois","HACK","NGO","0","""What happened and what information was involved: On May 30, 2017, we were notified by our third-party e-commerce provider that an unknown individual may have accessed your credit card, debit card, or checking account information used to donate to WITW on our website. Because we take the security of your personal information very seriously, we are bringing this information to your attention as quickly as prudently possible, so you can take action along with us to hopefully eliminate any potential harm. When WITW became aware of the incident, we immediately took action to ensure the third-party vendor’s system was fixed and secure. At the same time we commenced an investigation to determine what information may have been accessed. We also have notified law enforcement and are cooperating with their investigation.
We determined that the unknown individual may have accessed payment information, including name, address, telephone number, credit/debit card, or checking account information depending on the form of payment you used on our website. What we are doing and what can you do: Out of an abundance of caution, please consider reviewing your past and current card statements for unusual or suspicious activity and, if any is found, report it to your bank or credit card Company. Additional tips for protecting your information can be found on the reverse side of this letter. We want to assure you that we have taken steps to prevent a similar event from occurring in the future and to protect the privacy and security of your information. We have worked with the third-party vendor to address the vulnerabilities in its payment processing system, moved our website to a separate server with increased security, and now have an additional layer of continuous security monitoring. All of the steps we have taken are to further enhance security in order to prevent a similar event from occurring in the future, thereby protecting the privacy and security of your information going forward.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","42.035408","-88.282567" "July 12, 2017","La Quinta Center for Cosmetic Surgery","La Quinta","California","HACK","MED","0","""What Happened The FBI contacted us on June 15, 2017 to inform us of a security breach by a criminal cyber group. Upon learning this, we immediately contacted our IT specialists to review and locate the source of entry. Our IT specialist determined that this unauthorized breach happened around August 26, 2016. This time frame coincides around the time when one of our vendors had authorized access to our computer. On an as-needed-basis, we obtain technical support for our software and equipment.
Technical support teams gain access remotely to our computers to resolve software, x-ray and CT scan related technical issues. What Information Was Involved It was determined the information that may have been affected includes your name, billing address, email address, phone numbers, some patients' social security numbers, and some patients' very limited health history. Patients of record after August 2016 may not be affected at all.""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","33.663357","-116.310010" "July 10, 2017","Movement Mortgage, LLC","Indian Land","South Carolina","HACK","BSF","0","""What Happened? On September 8, 2016, Movement became aware of suspicious logins to certain company email accounts by an unknown source as the result of sophisticated phishing attacks on its email system. In response, Movement began an investigation and brought in an outside computer forensics expert to determine which employee email accounts were subject to unauthorized logins and what types of information inside those email accounts might be affected. It was confirmed that between approximately early August of 2016 and early October 2016, a company email account containing your personal information was subject to unauthorized log-ins by an unknown source. What Information Was Involved?
Movement’s investigation determined that data relating to your personal information was stored within an affected company email account at the time unauthorized log-in’s to that account occurred, including your (name, Social Security number, driver’s license or state identification card number, bank account number, and payment card information, including card number, expiration date, and card security code).""","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2014","34.999114","-80.871201" "July 21, 2017","Kansas Department of Commerce","Kansas City","Kansas","HACK","GOV","5,500,000","""Hackers who breached a Kansas Department of Commerce data system used by multiple states gained access to more than 5.5 million Social Security Numbers and put the agency on the hook to pay for credit monitoring services for all victims. The number of SSNs exposed across the 10 states whose data was accessed has not been previously reported. The Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio, obtained the information through an open records request. More than half a million of the SSNs were from Kansas, according to the Department of Commerce. The data is from websites that help connect people to jobs, such as Kansasworks.com, where members of the public seeking employment can post their resumes and search job openings.
Kansas was managing data for 16 states at the time of the hack, but not all were affected. In addition to the 5.5 million personal user accounts that included SSNs, about 805,000 more accounts that did not contain SSNs were also exposed.""","Media","http://kcur.org/post/hackers-kansas-system-accessed-social-security-numbers-millions-10-states#stream/0","2017","39.099727","-94.578567" "July 18, 2017","Keller Williams Realty","Austin","Texas","HACK","BSO","0"," "" What Happened We recently learned that an unauthorized third party was able to gain access to portions of the Keller Williams network and, while on the network, may have been able to access certain associate files stored in our systems. What Information Was Involved We believe that certain associate and information, including first and last name, addresses, Social Security number, and in some cases Keller Williams usernames and passwords, were contained in these files and could be affected as a result of this incident. Please note that at this time, we are not aware of any fraud or misuse of your information as a result of this incident.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-100388","2017","30.263443","-97.785737" "July 18, 2017","Sports Memorabilia.com","Sunrise ","Florida","HACK","BSO","0","""What Happened: On May 29, 2017 we received a report regarding payment card activity that caused us to investigate and subsequently identify unauthorized computer code that was added to the code that operates the checkout page of www.sportsmemorabilia.com. We immediately removed the code and hired a leading cybersecurity firm.
Findings from the investigation indicate that the code may have been present and capable of capturing information entered during the checkout process from October 12, 2016 to May 31, 2017. What Information Was Involved: Although we did not find actual evidence that the code captured information from any transactions, in an abundance of caution we are notifying you of the possibility because your name and payment card ending in was or may have been entered on the checkout page during this time frame. The information on the checkout page that the code could have potentially accessed includes name, address, phone number, email address, payment card number, expiration date, and card security code (CVV).""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-100394","2017","26.166971","-80.256595" "July 19, 2017","Hathaway-Sycamores Child and Family Services","Pasadena","California","HACK","BSO","0","""What happened? We have recently received reports from several employees who have discovered fraudulent tax filings have been made in their names. We are investigating those reports and we have contacted our cyber security advisers and insurers. So far, we have not discovered a compromise of our computer systems or networks. What information was involved? The fact that several employees have reported tax fraud indicates that the information contained on IRS W-2 Forms, which includes names, addresses, Social Security Numbers, and wage information, may be involved.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-100424","2017","34.142037","-118.151694" "July 20, 2017","J. Palmer & Company","Visalia","California","HACK","BSF","0","""What happened? We discovered a cyberattack on our system on June 6th, 2017. Our forensic team was hired right away to conduct an investigation.
This led us to believe cybercriminals attacked the remote-access system, used by our outside IT personnel, to access our tax filing software around that time. This allowed the cybercriminals to access our system and files, including the use of what appears to be one staff’s credentials. We then discovered that the cybercriminals used the information they obtained to attempt to file fictitious Federal tax returns to fraudulently receive refunds. Fortunately, we were able to inform and work with the Internal Revenue Service. Currently, only Federal tax returns were filed. Unfortunately, as we discussed, such fictitious tax returns were filed for you. What information was involved? We are notifying you of this incident because your personal identifying information was accessed or obtained by these cybercriminals. Given the nature of our relationship, this information may have included E-file authorization forms, copies of your tax returns, brokerage statements and real estate settlement statements. Documents could include your: full name, telephone number(s), address, Social Security Number, all employment W-2 information if applicable, 1099 information if applicable (which may include account number if provided), direct deposit bank account information (including account number and routing number if provided), email addresses (if provided to us), and supporting records.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-100465","2017","36.296691","-119.289810" "July 21, 2017","Value Eyecare Network, Inc (39dollarglasses.com)","White Plains","New York","HACK","BSO","0","""We represent Value Eyecare Network, Inc. d/b/a 39dollarglasses.com (“39DollarGlasses”), located in Hauppauge, New York, with respect to a potential data security incident described in more detail below.
39DollarGlasses takes the security and privacy of the information in its control very seriously, and has taken steps to prevent a similar incident from occurring in the future. 1. Nature of security incident. On June 8, 2017, 39DollarGlasses learned that an unknown individual may have captured customer payment card information used to make purchases at its online store. 39DollarGlasses immediately took action and commenced an investigation to determine what information may have been accessed. 39DollarGlasses determined that the unknown individual may have accessed some of its customer names, addresses, telephone numbers, and credit/debit card information. 2. Number of California residents affected. Approximately fourteen thousand, six hundred and forty-seven (14,647) California residents may have been potentially affected by this incident. Notification letters to these individuals were mailed on July 21, 2017, by first class mail. A sample copy of the notification letter is included with this letter.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-100477","2017","41.010684","-73.726734" "July 31, 2017","Wells Fargo","San Francisco","California","DISC","BSF","50,000","""When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case. But what landed in Mr.
Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.By Mr. Sinderbrand’s estimate, he has financial information for at least 50,000 individual customers. In all, Mr. Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all laid out in vivid detail for him as part of the discovery process in his lawsuit.The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s. While the documents were not filed in court, it would be perfectly legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.The documents were sent by Angela A. Turiano, a lawyer with Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., hired by Wells Fargo, which is not a party to the suit. Mr. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Ms. 
Turiano on Thursday morning about the sensitive documents now in their hands."" ","Media","https://www.nytimes.com/2017/07/21/business/dealbook/wells-fargo-confidential-data-release.html","2017","37.793377","-122.402620" "July 28, 2017","Steel Technology LLC dba Hydro Flask","Bend","Oregon","HACK","BSO","0","""WHAT HAPPENEDOn or about May 2, 2017, Hydro Flask learned that the security of personal information Hydro Flask received about you during your visit to our e-commerce website (http://www.hydroflask.com/) may have been compromised.WHAT ARE WE DOING Upon becoming aware of the system disruption, Hydro Flask immediately took actions to secure its security systems by engaging recognized security consultants to investigate the nature of the disruption, conducting system scans, resetting access credentials, and building a new server. We have also secured the services of Kroll to provide you one year of identity monitoring at no cost to you. Your identity monitoring services include Credit Monitoring, Fraud Consultation, and Identity Theft Restoration.Visit my.idmonitoringservice.com to activate and take advantage of your identity monitoring services. You have until October 26, 2017 to activate your identity monitoring services. Membership Number: To receive credit services by mail instead of online, please call 1-855-366-0139. 
Additional information describing your services is included with this letter.WHAT INFORMATION WAS INVOLVED Although Hydro Flask is still investigating the scope of the disruption, Hydro Flask believes that an intruder may have had unauthorized access to customer order pages on our website that may have contained your name, billing and shipping address, email address, and credit card information.""","California Attorney General","https://oag.ca.gov/system/files/HydroFlask%20-%20Sample%20Customer%20Notice_0.pdf","2017","44.056021","-121.357710" "July 27, 2017","Hamilton Zanze Real Estate Investments","San Francisco","California","PHYS","BSF","0","""What Happened?On June 29, 2017, an HZ employee became the victim of a crime when his locked vehicle, together with the car next to it, was broken into while parked in a Whole Foods parking garage.  The employee’s work bag, including an HZ password protected laptop, was stolen.  The smash and grab burglary was discovered within approximately fifteen minutes of its occurrence and the employee immediately reported the incident to the police and to HZ.  The employee’s network and all other IT credentials were immediately disabled, and the laptop was instructed to automatically wipe its contents upon connecting to the internet.We are notifying you of this incident because some of your client information is believed to have been on the password protected laptop.  It bears repeating that there is no evidence that any of the multi-layers of security on the laptop were penetrated, and that there is no evidence that any information has been accessed, viewed, or used inappropriately by an unauthorized person.What Information Was Involved?The information may have included your: full name, date of birth, telephone number(s), address, and/or Social Security number.  
Each individual may have been impacted differently.""","California Attorney General","https://oag.ca.gov/system/files/HZ%20Notice_0.pdf","2017","37.800730","-122.456371" "July 31, 2017","Anthem","Indianapolis","Indiana","INSD","BSF","18,500","""A data breach may have exposed personal health information of more than 18,000 Anthem Medicare enrollees, after one of the insurer's health care consulting firms discovered that one of its employees had been involved in identity theft. Anthem says it was contacted about the breach by the consulting firm LaunchPoint Ventures on June 14. LaunchPoint discovered two months earlier that one of its employees had been involved in a case of identity theft, and further investigation discovered that the worker had ""emailed a file with information about Anthem companies' members to his personal email address,"" a year ago. In all, more than 18,500 Anthem Medicare members' Social Security and Medicare identification data may have been exposed. The health insurer reported the breach to the Department of Health and Human Services on July 24, the same day LaunchPoint began notifying members, according to an Anthem spokeswoman."" Anthem post: https://www.anthem.com/blog/member-news/launchpoint-privacy-concern-impacts-medicare-members/","Media","https://www.cnbc.com/2017/07/31/new-anthem-data-breach-by-contractor-affects-more-than-18000-enrollees.html","2017","39.769063","-86.158684" "July 27, 2017","Hilderbrand and Clark Certified Public Accountant","San Ramon","California","HACK","BSF","0","""What Happened? After experiencing unusual activity when filing two tax returns on extension, we immediately notified the IRS and had our local IT firm review our system.  Further, we hired a specialized forensic IT firm to investigate. On Monday, July 10, 2017, the specialized forensic IT firm determined that there was unauthorized access to our system from a foreign IP address on June 14, 2017. 
Unfortunately, the forensic IT firm cannot determine which files were accessed so we are notifying everyone whose information was accessible out of an abundance of caution.What Information Was Involved?If Hilderbrand & Clark prepared tax returns for you, the information may have included all information provided to the taxing authorities including your: full name, date of birth, telephone number(s), address, Social Security number, all employment (W-2) information, all 1099 information (including account number if provided to us), driver’s license information (if provided to us), and direct deposit bank account information (including account number and routing information if provided to us). If Hilderbrand & Clark did not prepare your tax return, you are receiving this letter because you are either a partner, employee, or beneficiary of a partnership, company, or trust we performed work for. The information may have included your: full name, address, Social Security number, and line item totals of income and expense you received from the partnership, company, or trust.""","California Attorney General","https://oag.ca.gov/system/files/Hilderbrand%20Notice_0.pdf","2017","37.775043","-121.971721" "July 26, 2017","Virgin America","Burlingame","California","HACK","BSO","0","""What Happened?On March 13, 2017, during security monitoring activities, our data security team identified potential unauthorized access to certain Virgin America computer systems. We immediately took steps to respond to the incident, including initiating our incident response protocol and taking measures to mitigate the impact to affected individuals. We retained cybersecurity forensic experts to investigate the incident and reported the matter to law enforcement. 
Nevertheless, it appears that a third party may have accessed information about certain Virgin America employees and contractors without authorization. What Information Was Involved The unauthorized third party gained access to your login information and password that you use to access Virgin America’s corporate network.""","California Attorney General","https://oag.ca.gov/system/files/Notification%20Letter%20-%20California_0.pdf","2017","37.588928","-122.339137" "July 26, 2017","Avanti Markets Inc.","Tukwila","Washington","HACK","BSO","0","""What Happened? On July 4, 2017, we were alerted to an intrusion of sophisticated malware attack which affected kiosks at some Avanti Markets.  At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected. What Information Was Involved? At this point, it appears the malware was designed to gather certain payment card information including the cardholder's first and last name, credit/debit card number and expiration date. Customers who used their Market Card to make payment may have had their names and email addresses compromised.  Many kiosks encrypt credit card information and payment card data on those kiosks would not be subject to this incident.""","California Attorney General","https://oag.ca.gov/system/files/Notice%20and%20FAQs_0.pdf","2017","47.479518","-122.283972" "July 31, 2017","HBO","New York","New York","HACK","BSO","0","""In an email sent to employees on Monday and shared with CNN Tech, chairman and CEO Richard Plepler said a cyber intrusion resulted in ""some stolen proprietary information, including some of our programming."" ""Any intrusion of this nature is obviously disruptive, unsettling, and disturbing for all of us,"" Plepler said. It's unclear what information hackers stole and potentially leaked. 
According to Entertainment Weekly, which first reported the intrusion, hackers published one episode each of ""Ballers"" and ""Room 104,"" as well as the alleged script to next week's ""Game of Thrones.""","Media","http://money.cnn.com/2017/07/31/technology/business/hbo-hack-investigation-leak/index.html","2017","40.755057","-73.983687" "July 20, 2017","Kevin J. Palmer and Company, An Accounting Corporation","Visalia","California","HACK","BSF","0","""What happened?We discovered a cyberattack on our system on June 6th, 2017. Our forensic team was hired right away to conduct an investigation. This led us to believe cybercriminals attacked the remote-access system, used by our outside IT personnel, to    access our tax filing software around that time. This allowed the cybercriminals to access our system and files, including the use of what appears to be one staff’s credentials.  We then discovered that the cybercriminals used the information they obtained to attempt to file fictitious Federal tax returns to fraudulently receive refunds. Fortunately, we were able to inform and work with the Internal Revenue Service. Currently, only Federal tax returns were filed. Unfortunately, as we discussed, such fictitious tax returns were filed for you. What information was involved?We are notifying you of this incident because your personal identifying information was accessed or obtained by these cybercriminals. Given the nature of our relationship, this information may have included E-file authorization forms, copies of your tax returns, brokerage statements and real estate settlement statements. 
Documents could include your: full name, telephone number(s), address, Social Security Number, all employment W-2 information if applicable, 1099 information if applicable (which may include account number if provided), direct deposit bank account information (including account number and routing number if provided), email addresses (if provided to us), and supporting records.""","California Attorney General","https://oag.ca.gov/system/files/California%20Notice%20Templates_1.pdf","2017","36.296691","-119.289810" "July 6, 2017","Real Estate Business Services, Inc.","Los Angeles","California","HACK","BSO","0","""WHAT HAPPENED? We recently learned that malicious code (“malware”) uploaded by an unauthorized third party was present in payment processing software used for store.car.org. This malware may have copied and transmitted to an unknown third party personal information that briefly went through our servers during the store.car.org payment processing step of purchases of REBS (Real Estate Business Services) products and services between March 13, 2017 and May 15, 2017. The malware was removed from our systems, and we now use an entirely different payment system through PayPal. WHAT INFORMATION WAS INVOLVED? The data accessed included personal information entered in connection with a purchase of products from our online storefront. The data may have included the user’s name, address, credit card number, credit card expiration date and, in some instances, credit card verification code (CVC code). We do not request or use a user’s social security number or driver’s license number, and they are not stored or held on our systems in connection with payment transactions. Therefore, we believe that information was not among the data accessed.""","California Attorney General","https://oag.ca.gov/system/files/REBS%20Notice%20of%20Breach%207.3.17_0.pdf","2017","34.052234","-118.243685" "July 6, 2017","Spark Pay","Melville","New York","HACK","BSO","0","""WHAT HAPPENED.  
We discovered malicious code on [merchant website]. The code was designed to allow fraudsters to obtain customer payment information. We immediately began investigating the issue, analyzed [merchant website], removed the malicious code and performed security testing.   WHAT INFORMATION WAS INVOLVED.  Based on our investigation, we believe the fraudster may have accessed your name, address, phone number, email address, payment card number, expiration date, and CVV for any transactions you made on [merchant website] between [variable dates between April 10, 2017 and June 7, 2017].""   ","California Attorney General","https://oag.ca.gov/system/files/SPOS%20-%20Consumer_Letter_0.pdf","2017","40.784191","-73.415576" "June 30, 2017","White Blossom Care Center","San Jose","California","INSD","MED","0","""What happened. On May 25, 2017, we received information that a former White Blossom employee may have improperly accessed resident data while employed at the facility. We immediately engaged an independent technical security expert to investigate this incident. We also contacted state and federal law enforcement and continue to work closely with them on their investigations. What information was involved. Based on the available information, we believe data relating to approximately 800 residents may have been inappropriately acquired. We do not know when this took place. We currently believe that a limited number of the inappropriately acquired files contained some combination of resident names with social security numbers, dates of birth, health insurance carrier and account numbers, and/or limited medical information, such as admission dates, diagnoses, medications, and/or procedures. 
Based on available information, we do not believe bank account numbers or any other financial information is impacted.""","California Attorney General","https://oag.ca.gov/system/files/S027_v05.pdf_Resident%20Notice%20FINAL_1.pdf","2017","37.338208","-121.886329" "June 30, 2017","Meepos & Company CPA's","Marina Del Rey","California","HACK","BSF","0","""What Happened? On May 19, 2017, Meepos & Company (“Meepos”) received reports of issues with certain clients’ 2016 tax filings.  Meepos immediately launched an investigation and has been working diligently, with the assistance of third party forensic investigators, to determine what caused the issues and whether other clients may be affected.  Through the investigation, Meepos determined that an unauthorized actor or actors gained access to certain parts of Meepos’s network due to a misconfiguration of our two-factor password authentication and, as a result, may have had access to personal information for certain Meepos clients in our tax filing system, including documents that may be associated with our business client tax filings.  After discovering the unauthorized access, we immediately worked with our IT professionals to identify the access point, quarantined the affected system and completed enterprise wide password changes to better prevent further unauthorized access to our systems.  We also immediately contacted the IRS to alert them of the situation in order to stop the issuance of any fraudulent refunds.  The investigation has determined that the unauthorized actor(s) may have had access to Meepos’s system beginning on February 24, 2017, although the first known access to tax information and fraudulent filings did not occur until May 2017.What Information Was Involved? 
The information relating to you that was present on the affected systems would be located in documents attached to your business’ tax filings and may include the following categories of information: (1) name; (2) address; and (3) Social Security number or employer identification number.""","California Attorney General","https://oag.ca.gov/system/files/Meepos%20-%20notice%20only_0.pdf","2017","33.980289","-118.451745" "July 28, 2017","Braun Dermatology & Skin Cancer Center","","District Of Columbia","DISC","MED","1,200","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","38.907192","-77.036871" "July 21, 2017","The University of Vermont Medical Center","","Vermont","HACK","MED","2,300","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.558803","-72.577842" "July 21, 2017","Performance Physical Therapy and Wellness","","Connecticut","HACK","MED","571","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.603221","-73.087749" "July 21, 2017","Massachusetts Department of Public Health - Tewksbury Hospital","","Massachusetts","DISC","MED","1,176","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","42.407211","-71.382437" "July 19, 2017","SAGE DENTAL MANAGEMENT, LLC","","Florida","PHYS","MED","5,000","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "July 15, 
2017","Women's Health Care Group of PA, LLC","","Pennsylvania","HACK","MED","300,000","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.203322","-77.194525" "July 14, 2017","Braun Internal Medicine, P.C.","","Georgia","DISC","MED","680","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.165622","-82.900075" "July 13, 2017","Detroit Medical Center","","Michigan","PHYS","MED","1,529","Location of breached information: Desktop Computer, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","44.314844","-85.602364" "July 13, 2017","Professional Counseling & Medical Associates","","Tennessee","HACK","MED","2,500","Location of breached information: Electronic Medical Record Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.517491","-86.580447" "July 11, 2017","LC&Z General and Cosmetic Dentistry","","Florida","DISC","MED","4,391","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "July 10, 2017","White Coats Wellness","","Florida","HACK","MED","10,000","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "July 10, 2017","Andrea Yaley, DDS","","California","HACK","MED","1,200","Location of breached information: Desktop Computer, Electronic Medical Record, Email, Network Server 
Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "July 7, 2017","University of Mississippi Medical Center","","Mississippi","HACK","MED","7,492","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.354668","-89.398528" "July 7, 2017","Unconditional Love, Incorporated","","Florida","DISC","MED","643","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "July 7, 2017","Peachtree Neurological Clinic, P.C.","","Georgia","HACK","MED","176,295","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.165622","-82.900075" "July 6, 2017","University of California Davis Health","","California","HACK","MED","14,900","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "July 5, 2017","Walnut Place","","Texas","HACK","MED","5,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "July 5, 2017","The Dermatology Center of Raleigh PA","","North Carolina","DISC","MED","3,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.759573","-79.019300" "July 
3, 2017","Kennebunk Center for Dentistry ","","Maine","DISC","MED","1,900","Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","45.253783","-69.445469" "June 30, 2017","White Blossom Care Center","","California","DISC","MED","800","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "June 29, 2017","Paul C. Gering, Jr., M.D.","","Oregon","PHYS","MED","2,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.804133","-120.554201" "August 2, 2017","Shelby County Tennessee","Shelby County","Tennessee","DISC","GOV","650,000","""A polling machine sold on eBay and purchased for use at the DEF CON hacker conference in Las Vegas has been found to contain the personal information of over 650,000 voters.Organizers purchased what they believed to be a decommissioned machine, an ExpressPoll-5000, for use at the DEF CON Voting Village, where hackers tested the security of voting machines (with frightening results). 
Rather than a blank machine, with all sensitive information wiped from its memory, hackers discovered the personal data of hundreds of thousands of voters from Shelby County in Tennessee.According to Gizmodo, whose reporter views some of the records, the information included name, address, birth date as well as political party and method of voting - in absentee or after providing identification.""","Media","https://www.dailydot.com/layer8/hackers-650000-voter-records-voting-machine-ebay/","2017","35.126855","-89.925323" "August 5, 2017","Parkbytext","","Dublin","HACK","BSO","0","""Motorists who use the parkbytext service have been told of a potential breach to customer data by ""malicious software"" during a service outage.The mobile parking operator said it does not believe that any customer data was compromised but ""we cannot say this with 100% certainty at this stage"", until further investigation is completed.The company said credit and debit card information along with customer passwords are encrypted and have not been compromised.However, the customer data that may have been compromised includes phone numbers, email addresses, home addresses and vehicle registrations.""","Media","https://www.rte.ie/news/ireland/2017/0805/895442-parkbytext-breach/","2017","53.349805","-6.260310" "August 4, 2017","Bloomberg","New York","New York","DISC","BSF","325,000","""Nearly one thousand Bloomberg terminal users participating in an anonymous chat room had their identities unmasked this week when a London investment company sent out a list of the participants — including names and employers — to people in the chat room, The Post has learned.The data breach, one of the largest ever for former Mayor Mike Bloomberg’s financial information company, led moderators to shut down the metal and mining chat, as well as two others — one that focused on macroeconomic data and another on energy, according to participants.But the effect of the ""unmasking,"" as users have come to call 
it, is likely to be even greater than that as news of the breach is rippling throughout the company's 325,000 subscribers.""","Media","http://nypost.com/2017/08/04/data-breach-unmasks-bloomberg-terminal-chat-room-users/","2017","40.712784","-74.005941" "August 4, 2017","Linn County Auditor","Cedar Rapids","Iowa","DISC","GOV","0","""Linn County Auditor Joel Miller tells CBS2/FOX28 that a clerical error exposed sensitive voter data. It happened while a worker was fulfilling a legal request for voter data. The sent information accidentally included the last four digits of hundreds of thousands of Social Security numbers. Miller says the confidential data went out to four email addresses. The Auditor's office was able to contact three of the emails and ensure the data was safely deleted. But the other is not responding and his office is not sure whether the email is still active or not. 
Right now they are working with the email provider to try and ensure the information was not taken by someone for sinister reasons.""","Media","http://cbs2iowa.com/news/local/breaking-linn-county-auditor-reports-accidental-data-breach","2017","41.977880","-91.665623" "August 5, 2017","UCLA","Los Angeles","California","HACK","EDU","30,000","""More than 30,000 current and former UCLA students are being warned Saturday about a potential security breach.The university said someone hacked into a server containing some students' personal data.Officials don't believe the hacker obtained any sensitive information, though UCLA is offering one year of free identity-protection services to anyone affected.""","Media","http://abc7.com/technology/30k-ucla-students-warned-about-potential-security-breach/2279390/","2017","34.052234","-118.243685" "August 14, 2017","Performant Financial Corporation","Cincinnati","Ohio","HACK","BSF","0","""What Happened?By letter dated April 7, 2017, C&T informed Performant that after noticing unusual activity on its network, C&T had hired a specialist forensic information technology firm to investigate. As a result of that investigation it was determined that an unauthorized individual had accessed a C&T network drive between January 27, 2017, and February 2, 2017. C&T, however, could not determine whether any specific files were accessed.  The network drive, unfortunately, contained the Company’s 401K audit files for certain years.Upon receiving C&T’s notification of a potential data breach, Performant undertook its own investigation to determine what specific information may have been compromised.  Performant attempted multiple times to obtain specific answers and definitive records from C&T to accurately determine whose information may have been compromised. 
Performant also attempted to gain details regarding C&Ts incident notification procedure, including information about C&T’s notification to employees of its client’s employees, such as Performant’s employees participating in the Company’s 401K plan.  On June 27, 2017, C&T, for the first time, provided Performant with access to the Company’s specific files stored on the C&T network drive that was compromised.  After receiving the files, Performant engaged in a detailed review to determine what, if any, personal information of its current or former employees was potentially compromised. The review revealed that your information may have been compromised by the incident at C&T.   What Information Was Involved? Although C&T cannot determine whether or not Performant’s files were accessed by the unauthorized individual, the security incident may have involved your first name, last name, date of birth, and Social Security number, as a result of your participation in the Company’s 401K plan in the years of 2010, 2011, and/or 2015.   Please note that the data files related to this incident did not include other information about the 401K plan or information about your personal 401K, such as account access information or account balances.""  ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101052","2017","39.103118","-84.512020" "June 29, 2017","Paul Stuart","New York","New York","HACK","BSO","0","""What happened and what information was involved:  On May 15, 2017, we learned that an unknown individual may have accessed your credit or debit card information used to make purchases at our online store.  We immediately took action to secure our system and commenced an investigation to determine what information may have been accessed.  We determined that the unknown individual may have accessed customer payment card information, including name, address, telephone number, and credit/debit card information.  
What we are doing and what can you do:  We recommend that you check your current and past credit or debit card statements for unusual or suspicious activity, and if any is found, report it to your bank or credit card company.  Additional tips for protecting your information can be found on the reverse side of this letter."" ","California Attorney General","https://oag.ca.gov/system/files/Paul%20Stuart%20notice%20only_0.pdf","2017","40.754866","-73.978754" "June 22, 2017","Caliber Home Loans","Oklahoma City","Oklahoma","HACK","BSF","0","""What HappenedBased upon an extensive investigation conducted by a leading forensic firm, it appears that beginning on approximately January 18, 2017, unauthorized individuals gained the ability to access a limited number of electronically-stored loan files, and may have had access to other documents containing personally-identifying information.  In addition, the unauthorized individuals may have had access to sufficient information in order to gain access to certain customers' online Caliber accounts, if the customer had not previously set up such an account.What Information Was Involved?The files and documents that were subject to unauthorized access may have contained certain customers' sensitive or identifying information, such as social security number, driver's license number, military or other government ID number, or date of birth, financial account names, numbers, and statements digital signatures, and/or information that an individual may be able to use to access a customer's online Caliber account or data storage sites containing borrower submissions.  
A limited number of customers' files may also have contained information related to health insurance, including member ID numbers.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-99077","2017","35.467560","-97.516428" "August 17, 2017","South Washington County School District","Cottage Grove","Minnesota","DISC","EDU","9,600","""Personal information about thousands of students and their families was sent out in a mass back-to-school officials are calling ""an inadvertent employee error""In a statement issued Thursday, the district said the e-mails sent Wednesday by its transportation department were intended to provided bus information for the coming school year.  But also included was a document that revealed students' names, grades, student identification numbers, e-mail and mailing addresses, phone numbers, bus routes, pickup and drop-off times and locations, and schools of attendance."" ","Media","http://www.sowashco.org/","2017","44.829798","-92.956356" "August 16, 2017","Mercy Family Medicine","","Colorado","PHYS","MED","2,069","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.550051","-105.782067" "August 10, 2017","Pacific Alliance Medical Center","","California","HACK","MED","266,123","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "August 10, 2017","MDeverywhere, Inc.","","Texas","DISC","MED","1,396","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "August 5, 2017","Surgical Dermatology 
Group","","Alabama","HACK","MED","14,000","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","32.318231","-86.902298" "August 3, 2017","City of Hope","","California","HACK","MED","3,400","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "July 31, 2017","Northwest Rheumatology","","Arizona","HACK","MED","7,468","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "August 16, 2017","Native Canada Footwear","","British Columbia","HACK","BSO","0","""What Happened?Native Shoes became aware of a potential vulnerability in the security of our website in late June 2017 immediately launched an investigation.  That investigation has confirmed that malware may have infected the Native Shoes website as early as April 2015.  As a result, we are informing you that it is possible that your payment information was compromised if you bought shoes from nativeshoes.com using Visa or MasterCard between April 28, 2015, and June 23, 2017.  If that payment information was indeed stolen, your information may be affected.What Information Was Involved?Based on the facts known to the company at this time, the personal information at-issue may have included:Credit or debit card information used to buy from nativeshoes.comYour name, address, email address, and telephone number. 
""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101141","2017","56.130366","-106.346771" "June 19, 2017","Occidental College","Los Angeles","California","HACK","EDU","0","""What Happened?The college has reason to believe that on or around June 1, 2017, an unauthorized person may have gained access to a computer file containing a limited amount of personality identifiable information.  The college has conducted a thorough investigation into what happened.What Information Was InvolvedThe file in question included names, Oxy ID numbers and associated encoded data that enables Oxy ID cards to function as on-campus debit cards.  The file did NOT include Social Security numbers, driver's license or other state-issued ID numbers, financial information (Such as credit card or banking information), or other sensitive personal data."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-97508","2017","34.127323","-118.210296" "June 19, 2017","Bed Bath & Beyond","Union","New Jersey","HACK","BSO","0","""Dear First Name,We detected recent irregular activity on our website that suggests that your Bed Bath & Beyond online account may have been compromised.No unauthorized use of any credit card information you may have stored in your account could have resulted from this activity.We have no reason to believe that any unauthorized activity or purchases occurred on your Bed Bath & Beyond online account.As a result of this incident, and for your protection out of an abundance of caution, we have locked your account and are requiring you to reset your password by doing the following: Visit https://www.bedbathandbeyond.com/store/account/Login or go to our website and click on the Login linkClick ""Reset Password?"" and follow the instructions""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-97500","2017","40.697541","-74.304805" "August 23, 2017","The City Of 
Oceanside","Oceanside","California","HACK","GOV","0","""The city of Oceanside has shut down its online bill-paying system for utility customers while it investigates a possible data breach of customers’ account and credit card information.Twenty-five residents who recently paid their water, sewer or trash bills through the city’s online portal contacted the city on Aug. 13 to report unauthorized charges on the credit cards they used to set up their city accounts. To prevent any further problems, the city shut down the service immediately, said Jane McPherson, Oceanside’s financial services director.Utility customers who used the online service have been contacted and asked to check their credit cards and accounts if they used a card to pay one of their utility bills between July 1 and Aug. 13."" ","Media","http://www.sandiegouniontribune.com/communities/north-county/sd-no-oceanside-fraud-20170823-story.html","2017","33.195870","-117.379483" "August 24, 2017","Aetna","Hartford","Connecticut","DISC","BSF","12,000","""Two legal organizations say health insurer Aetna revealed the HIV status of patients in several states by mailing envelopes with a large, clear window that showed information on purchasing HIV prescriptions.The Legal Action Center and the AIDS Law Project of Pennsylvania say some patients' relatives and neighbors learned of their HIV status as a result.""","Media","http://www.nj.com/news/index.ssf/2017/08/aetna_revealed_hiv_status_of_patients_with_mailing.html","2017","41.763711","-72.685093" "August 24, 2017","The City of Beaumont","Beaumont","California","HACK","GOV","0","""The City of Beaumont has suspended its online water bill payment system due to a potential data breach, chief technology officer Bart Bartkowiak said.Bartkowiak said the City of Beaumont received several notifications of unauthorized iTunes charges on bill-payers' accounts. Bartkowiak suggested any residents who have paid their water bills online between Aug. 1 and Aug. 
24 to check their accounts for suspicious activity. He said that anyone who finds suspicious activity on their account should report it to their credit card issuer and their bank, to ask that their card be deactivated, to request that a fraud alert be placed on their account, and to request copies of all credit reports.""","Media","http://www.beaumontenterprise.com/news/article/Beaumont-suspends-online-water-payment-system-11956425.php","2017","33.929461","-116.977248" "March 29, 2017","CFG Community Bank","Baltimore","Maryland","HACK","BSF","155","Names, addresses, SSN's, and W2 tax information compromised in a phishing attack according to Maryland AG's office. ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","39.379950","-76.658552" "March 21, 2017","National Safety Council","Itasca","Illinois","HACK","BSO","2","Names, addresses, SSN, W2 tax information compromised.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","41.965392","-88.029776" "March 17, 2017","TIC Gums Inc.","White Marsh","Maryland","HACK","BSO","0","Name, addresses, ssn, w2 tax information compromised in phishing attack.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","39.378830","-76.438385" "March 15, 2017","Looking Glass Cyber Solutions Inc.","Reston","Virginia","HACK","BSO","69","Names, addresses, ssn's, w2 tax information compromised in a phishing attack.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","38.945927","-77.314191" "March 16, 2017","Aflac","Columbus","Georgia","HACK","BSF","0","Names, ssn, banking information compromised.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","39.961176","-82.998794" "March 15, 2017","Rand 
McNally","Skokie","Illinois","HACK","BSO","0","Names, payment card information compromised through malware.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","42.032403","-87.741625" "March 15, 2017","Vertex Wireless","Chicago","Illinois","HACK","BSO","48","Names, addresses, payment card information compromised in malware attack. ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","41.876410","-88.228538" "March 13, 2017","Tyler Technologies Inc.","Plano","Texas","DISC","BSO","2","Names, addresses, ssn, income information compromised when information was inadvertently disclosed in an email. ","","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","33.019843","-96.698886" "March 13, 2017","Faller Kincheloe & Co., PLC","Des Moines","Iowa","HACK","BSF","0","Names, tax return info, address, dob, ssn, bank account information compromised via a hacking.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","41.600545","-93.609106" "March 13, 2017","Biomedical Systems Corp","St. Louis","Missouri","HACK","BSO","0","Names, addresses, ssn, w2 tax information was compromised in a phishing attack. 
","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","38.627003","-90.199404" "February 28, 2017","Atwood Distributing L.P.","Tyler","Texas","HACK","BSO","17","Names, addresses, payment card information was compromised due to malware.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","32.351260","-95.301062" "March 9, 2017","Matthews Carter and Boyce CPA Advisors","Fairfax ","Virginia","DISC","BSF","0","Names, 1099 tax form information was inadvertently disclosed.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","38.861044","-77.381294" "March 8, 2017","Friedman & Perry, CPA's","Fremont","California","HACK","BSF","9","Names, dates of birth, telephone number(s), addresses, social security numbers, employment (W-2) information, and 1099 information was compromised via a hacking incident. ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","37.559308","-121.956476" "February 24, 2017","Mrs. Prindables","Niles","Illinois","HACK","BSO","0","Names, addresses, payment card information was compromised via unauthorized access. ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","42.016099","-87.784471" "February 27, 2017","Affy Tapple, LLC dba Affy Tapple","Niles","Illinois","HACK","BSO","0","Names, addresses, payment card information was compromised via unauthorized access.","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","42.016099","-87.784471" "March 8, 2017","Taconic Biosciences Inc.","Hudson","New York","HACK","BSO","0","Name, addresses, ssn's, w2 tax information was compromised due to a phishing attack. 
","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx","2017","42.247883","-73.780476" "August 25, 2017","Zymo Research","Irvine","California","HACK","BSO","0","""What Happened?Unfortunately, on or about August 2, 2017, Zymo Research Corporation (“Zymo”) discovered that its external cloud e-commerce network may have been accessed by an unknown actor. The unauthorized access appears to have occurred on or about March 15, 2017. In particular, the unauthorized access occurred when an unknown actor placed code on Zymo’s system allowing for access to a database containing personal information about its customers.What Information Was Involved?The personal information about Zymo’s customers maintained in the database affected by the unauthorized access included first and last names; physical addresses; email addresses as well as hashed passwords; and credit card information, including credit card number, card verification code, and expiration date.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101370","2017","33.686111","-117.830478" "August 24, 2017","St. Marks Surgery Center","Ft. Myers","Florida","HACK","MED","34,000","""St. Mark’s Surgery Center was hit by a ransomware attack that may have impacted the personal health information of 33,877 patients.The Florida provider discovered a ransomware attack on May 8, although the attack occurred from April 13 until April 17. 
The installed virus prevented patient data from being accessed during that time.The impacted servers contained patient names, dates of birth, Social Security numbers and medical information.""","","http://www.healthcareitnews.com/news/surgery-center-says-34000-patient-records-potentially-breached","2017","26.640628","-81.872308" "July 31, 2017","Plastic Surgery Associates of South Dakota","Sioux Falls","South Dakota","HACK","MED","10,000","""A ransomware attack on Plastic Surgery Associates of South Dakota may have breached the data of 10,200 patients.The provider discovered on Feb. 12  that some of its systems were infected with ransomware. Officials said Plastic Surgery Associates immediately began to attempt removing the virus and decrypting the data. It also hired third-party experts.While the investigation found the hackers were unable to access the majority of Plastic Surgery Associates’ medical data, officials lost access to evidence during the cleanup efforts on April 24. As a result, officials can’t rule out whether the attackers were able to access some patient data.""Social Security numbers, driver licenses, state identification numbers, credit/debit cards, medical conditions, dates of birth, lab results, diagnostic results and health insurance information may have been compromised. ","Media","http://www.healthcareitnews.com/news/ransomware-attack-south-dakota-provider-breaches-data-10000-patients","2017","43.505656","-96.732421" "July 26, 2017","Women's Health Care Group of Pennsylvania","Phoenixville","Pennsylvania","HACK","MED","300,000","""The Women’s Health Care Group of Pennsylvania, with 45 offices throughout the state, has notified 300,000 of its patients that a ransomware attack has put their personal health information at risk.The health system discovered a server and workstation at one of its practices was infected by ransomware on May 16. 
Officials said the infected server and workstation were removed from the network, before officials launched an investigation by a computer forensics team.The investigation revealed the cybercriminals began hacking the system as early as January 2017, by leveraging a security vulnerability. Officials said the security flaw allowed limited access to patient information before it encrypted certain files.The health system couldn’t determine if patient information acquired or viewed. The data stolen by hackers included names, Social Security numbers, birth dates, pregnancy histories, blood type information, lab results, medical record numbers, insurance information and medical diagnoses. Officials said the encrypted files were restored from backups and didn’t disrupt patient care.""","Media","http://www.healthcareitnews.com/news/300000-records-breached-ransomware-attack-pennsylvania-health-system","2017","40.130382","-75.514913" "July 17, 2017","UC Davis Health","Davis","California","HACK","MED","15,000","""A phishing attack on the University of California Davis Health may have compromised the personal health information of 15,000 patients.Officials discovered the breach on May 15, when an employee responded to a phishing email with his or her email account login credentials. The hacker proceeded to access that account.Once inside, the hacker was able to access the employee’s email messages and both view and or obtain patient PHI. 
However, officials said the investigation did not find evidence the hacker viewed the information, but it could not rule out the possibility.""","Media","http://www.healthcareitnews.com/news/phishing-attack-uc-davis-health-breaches-data-15000-patients","2017","38.544907","-121.740517" "August 30, 2017","Silver Cross Hospital","New Lenox","Illinois","HACK","MED","9,000","""A northeastern Illinois hospital has experienced a data breach that exposed patient information of up to 9,000 people.Officials of Silver Cross Hospital in New Lenox said there's no evidence showing any unauthorized people gained access to the data.""Silver Cross Hospital recently learned that a vendor that manages parts of its website experienced a data incident that affected the information of certain Silver Cross patients and others,"" hospital officials said on its website.""Names, Social Security numbers, health insurance information, addresses, birth dates were compromised","Media","https://www.usnews.com/news/best-states/illinois/articles/2017-08-30/new-lennox-hospital-breach-exposes-9-000-patients-data","2017","41.511976","-87.965610" "August 30, 2017","Kaiser","Riverside","California","DISC","MED","600","""Kaiser Permanente is notifying some 600 members from Riverside and ""surrounding areas"" by mail about a patient data breach of names, medical record numbers and procedures, but no other identifying information, according to a news release. The breach was detected Aug. 9 when a list of information was ""inadvertently sent to an unintended email address,"" the statement noted.  
The information did not include Social Security numbers, financial information or other member information.""","Media","http://www.pe.com/2017/08/30/kaiser-permanente-says-600-riverside-area-members-affected-by-data-breach/","2017","33.953349","-117.396156" "August 30, 2017","Instagram","Menlo Park","California","HACK","BSO","0","""Instagram said at least one hacker was able to steal personal information from high-profile user accounts, blaming the breach on a bug in its system that has now been fixed. ""We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact  information - specifically email address and phone number - by exploiting a bug in an Instagram API,"" a rep said in a statement.""","Media","http://variety.com/2017/digital/news/instagram-hackers-obtained-users-email-addresses-phone-numbers-1202543339/","2017","37.452960","-122.181725" "August 31, 2017","Kaleida Health","New York","New York","HACK","MED","2,800","""Kaleida Health, New York’s largest provider, is once again notifying patients of a phishing incident. This one involves 744 patients.The organization discovered the incident on June 26, when it found an unauthorized third-party gained access to an employee’s email account. Officials said that after an investigation, the hacker was able to access a “small number of Kaleida Health email accounts.”Included in those accounts were patient names, medical record number, diagnoses, treatment information and other clinical data. For some patients, it also included Social Security numbers. 
Officials said the financial information wasn’t included.""","Media","http://www.healthcareitnews.com/news/hackers-breach-new-yorks-largest-provider-phishing-attacks","2017","40.712775","-74.005973" "August 31, 2017","McLaren Medical Group (MMG)","","Michigan","HACK","MED","106,008","In March of 2017, Michigan-based McLaren Medical Group (MMG) learned its computer system had been accessed by an unauthorized party, leading to a health data breach, according to an MMG statement issued to HealthITSecurity.com.The accessed system stored scanned documents including information related to authorizations, orders, appointment scheduling, and similar data. The breach occurred at MMG’s Mid-Michigan Physicians P.C. practice.Scanned documents may have included patient information such as patient names, dates of birth, addresses, phone numbers, medical record numbers, diagnoses, and Social Security numbers.","Media","https://healthitsecurity.com/news/mi-computer-system-health-data-breach-may-involve-data-of-106k","2017","44.314844","-85.602364" "September 5, 2017","BroadSoft","Gaithersburg","Maryland","DISC","BSO","4,000,000","""Time Warner Cable, now known as Spectrum, became the latest company to realize exactly how vulnerable its data is when a third-party vendor entrusted with its safety made an error exposing millions of records.Kromtech Security Center researchers discovered late last week that about four million Time Warner customer records were exposed when it found two cloud-based AWS S3 buckets, connected to software and service provider BroadSoft, open to the public. 
The information compromised spanned the period from November 10, 2010 to July 7, 2017, and included transaction numbers, MAC numbers, user names, account numbers types of service purchased along with internal development information like SQL database dumps and code with login credentials, Kromtech said.""","Media","https://www.scmagazine.com/data-breach-exposes-about-4-million-time-warner-customer-records/article/686592/","2017","39.143441","-77.201371" "August 29, 2017","CoreLogic/Credco","San Diego","California","HACK","BSF","0","""What Happened? Credco learned that between July 21, 2017 and August 7, 2017 an individual obtained access to Credco’s system to obtain your consumer information without proper authorization. Upon notification of this incident, on August 7, 2017, Credco immediately disabled the individual’s access the same day and conducted a review of our internal controls and safeguards to prevent a recurrence. What Information Was Involved? The consumer information accessed consists of information typically found on a consumer credit report. Such informationincludes your name and address and one or more of the following:Social Security Number, date of birth and account numbers. While we have no specific evidence that your information has been used for identity theft, we recommend that you monitor your credit for the next several months.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101467","2017","32.908169","-117.108808" "August 29, 2017","Massachusetts Mutual Life Insurance Company","Springfield","Massachusetts","HACK","BSF","0","""What happened: On August 20, 2017, Mass Mutual’s fraud prevention team identified potential fraudulent telephone activity directed toward MassMutual call centers. 
Upon conducting an investigation into that the activity identified, it was determined that beginning on August 17, 2017 an unknown perpetrator contacted MassMutual call centers purporting to be two separate MassMutual insurance agents.The perpetrator requested assistance in resetting those two agents’ system access credentials (e.g., user name, password, multi-factor authentication). The perpetrator had readily available nonpublic personal information associated with these two agents and, through social engineering tactics, was able to provide such information to the call center personnel to successfully authenticate as the respective agents resulting in the access credentials being reset. Mass Mutual identified that this individual then used the credentials to access MassMutual business systems that included nonpublic personally identifiable information associated with each agents’ clients.What information was involved: Your personal information that may have been involved includes your name, Social Security number, MassMutual policy/account number, [address],[date of birth], [and telephone number].""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101464","2017","42.101483","-72.589811" "September 6, 2017","Alaska Department of Health and Social Services","Anchorage","Alaska","HACK","GOV","0","""Two computers of the Alaska Department of Health and Social Services were hit by malware attacks, which potentially breached the records  of some of its patients.A Trojan horse virus was found on the two computers on July 5 and July 8. 
Trojan malware is masked as legitimate software and are used by hackers as leverage into a network.""Data compromised included Children's Services information, medical information and observation, family case files, and other personal information.","Media","http://www.healthcareitnews.com/news/alaska-dhss-facing-potential-breach-after-two-trojan-malware-attacks","2017","61.218056","-149.900278" "September 7, 2017","Equifax Corporation","Atlanta","Georgia","HACK","BSF","145,500,000","""Equifax, which supplies credit information and other information services, said Thursday that a data breach could have potentially affected 143 million consumers in the United States.Equifax said it discovered the breach on July 29. ""Criminals exploited a U.S. website application vulnerability to gain access to certain files,"" the company said.""Equifax said exposed data includes names, birth dates, Social Security numbers, addresses and some driver's license numbers, all of which the company aims to protect for its customers.The company added that 209,000 U.S. credit card numbers were obtained, in addition to ""certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.""Link to Equifax breach notification: https://www.equifaxsecurity2017.com/ UPDATE: (10/02/2017): ""Equifax said hackers may have stolen the personal information of 2.5 million more U.S. consumers than it initially estimated, bringing the total to 145.5 million.The company said the additional customers  were not victims of a new attack but rather victims who the company had not counted before. Equifax hired the forensic security firm Mandiant to investigate the breach, and it finished its report on Sunday.""https://www.usatoday.com/story/tech/2017/10/02/equifax-breach-hit-2-5-mi... UPDATE: (02/10/2017): ""On Friday, Senator Elizabeth Warren (D-Mass.) sent a letter to Paulino do Rego Barros Jr. 
, interim CEO of Equifax, citing 'what appears to be misleading, incomplete, or contradictory information' provided to Congress and the public about the breach of data on 145 million Americans. She demanded answers within a week.Equifax stated last year that hackers primarily accessed 'names, Social Security numbers, birth dates, and, in some instances, driver’s license numbers…credit numbers…and certain dispute documents with personal identifying information,' Warren said.But The Wall Street Journal reported on Friday that hackers accessed 'such data as tax identification numbers, email addresses, and drivers' license information beyond the license numbers [Equifax] originally disclosed,'  Warren added.""https://www.mediapost.com/publications/article/314389/","Media","https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html","2017","33.748995","-84.387982" "September 14, 2017","Equals3","Minneapolis","Minnesota","DISC","BSO","593,328","""A cache of voter records on over a half-million Americans has been found online.The records, totaling 593,328 individual sets of records, appear to contain every registered voter in the state of Alaska, according to security researchers at the Kromtech Security Research Center, who found the database.The records were stored in a misconfigured CouchDB database, which was accessible to anyone with a web browser -- no password needed -- until Monday when the data was secured and subsequently pulled offline.""","Media","http://www.zdnet.com/google-amp/article/yet-another-trove-of-sensitive-of-us-voter-records-has-leaked/","2017","44.977753","-93.265011" "September 16, 2017","Arkansas Department of Medicaid ","Searcy","Arkansas","INSD","GOV","26,000","""The confidentiality of more than 26,000 Medicaid recipients' medical information was broken earlier this year, state officials said Friday as they prepared to notify those individuals about the 
breach.The information -- including names, medical procedure codes, birth dates, diagnoses and Medicaid identification numbers -- was sent to a fired Department of Human Services employee's personal email account, a department spokesman said Friday.The department discovered the information in an email on Aug. 7 while conducting research for its defense of a federal lawsuit filed by Yolanda Farrar over her dismissal from her job as a payment integrity coding analyst, spokesman Amy Webb said.The email was sent to Farrar's personal account on March 23 ""within minutes"" of a discussion over issues that led to Farrar's firing the next day, Webb said.""","Media","http://www.arkansasonline.com/news/2017/sep/16/medicaid-data-breach-hits-state-2017091/","2017","35.246820","-91.733685" "September 11, 2017","ABB Inc.","","","HACK","BSO","0","""What happened?ABB, Inc. (“ABB”), received notice on August 25, 2017, that an employee’s email account had suspicious login activity as the result of a hacker sending a phishing scheme email to ABB employees on or around August 25, 2017. ABB conducted a full assessment to determine the scope of the data loss and identify any potentially affected individuals.What information was involved?The compromised email account(s) may have stored your personal information, including your name, address social security number and medical record(s) used in ABB Employee Benefits, FMLA, and in some instances direct deposit information for a few number of hourly staff located in one selected location. If your spouse and/or children’s information was potentially affected, they will receive a separate notification letter.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101735","2017","40.760537","-73.978890" "September 8, 2017","Cohn Handles Sturm","Los Angeles","California","PORT","BSF","0","""What Happened? On July 29, 2017, a partner’s pin protected cell phone was stolen from his person. 
Upon the robbery, the partner’s work account log-in information was changed and his email account was instructed to remotely delete from his phone immediately when connecting to the internet.   While there is currently no evidence of data viewing or exfiltration of client information, we wanted to notify you of the incident because the email account was accessible from the phone.    What Information Was Involved? Potentially any emails and attachments exchanged with asturm@cohnhandler.com. This information may have included your Social Security number.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101725","2017","34.052234","-118.243685" "September 16, 2017","The MS Center of Saint Louis and Mercy Clinic Neurology - Town and Country ","","Missouri","DISC","MED","1,081","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.964253","-91.831833" "September 15, 2017","Medical Mutual of Ohio","","Ohio","DISC","MED","6,119","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.417287","-82.907123" "September 11, 2017","ABB, Inc.","Cary","North Carolina","HACK","MED","28,012","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.791540","-78.781117" "September 8, 2017","Children's Hospital Colorado","","Colorado","HACK","MED","3,370","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","39.550051","-105.782067" "September 8, 2017","Network Health","","Wisconsin","HACK","MED","51,232","Location of breached 
information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 8, 2017","Ridgeview Medical Center","","Minnesota","DISC","MED","1,074","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","46.729553","-94.685900" "September 7, 2017","University of Wisconsin - Madison","","Wisconsin","DISC","EDU","1,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","43.784440","-88.787868" "September 7, 2017","Florida Healthy Kids Corporation","Tallahassee","Florida","HACK","MED","2,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","30.438256","-84.280733" "September 5, 2017","Community Memorial Health System","","California","HACK","MED","959","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","36.778261","-119.417932" "September 5, 2017","CBS Consolidated, Inc.","","Nebraska","HACK","MED","21,856","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.492537","-99.901813" "September 2, 2017","Med-Cert, Inc.","Tampa","Florida","HACK","MED","7,253","Location of breached information: Network Server, Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.950575","-82.457178" 
"September 1, 2017","State of Alaska Department of Health and Social Services","","Alaska","HACK","MED","501","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 1, 2017","Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists","Simi Valley","California","HACK","MED","12,806","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.269447","-118.781482" "September 1, 2017","Adult Internal Medicine of North Scottsdale","","Arizona","HACK","MED","11,798","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","34.048928","-111.093731" "September 1, 2017","Consultants Choice, P.A.","","Florida","HACK","MED","1,458","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","27.664827","-81.515754" "September 1, 2017","MetroPlus Health Plan, Inc. 
","","New York","DISC","MED","15,212","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.712775","-74.005973" "September 1, 2017","The Neurology Foundation, Inc.","","Rhode Island","DISC","MED","12,861","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","41.580095","-71.477429" "August 30, 2017","Mercy Hospital Logan County ","","Oklahoma","PHYS","MED","629","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","35.007752","-97.092877" "August 29, 2017","Aetna Inc.","","Connecticut","DISC","MED","11,887","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "August 29, 2017","Medical Oncology Hematology Consultants,PA","","Delaware","HACK","MED","19,203","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "August 28, 2017","Waco Otolaryngology Associates d/b/a Waco Ear, Nose, & Throat","","Texas","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","31.968599","-99.901813" "August 25, 2017","Kaleida Health","","New York","HACK","MED","744","Location of breached information: 
Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.712775","-74.005973" "August 24, 2017","McLaren Medical Group, Mid-Michigan Physicians Imaging Center","","Michigan","HACK","MED","106,008","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "August 22, 2017","Oncology Consultants, P.A.","","Texas","HACK","MED","19,114","Location of breached information: Desktop Computer, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "August 18, 2017","Northeast OB/GYN Associates","San Antonio","Texas","HACK","MED","10,198","Location of breached information: Desktop Computer, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","29.424122","-98.493628" "August 18, 2017","Institute for Women's Health","","Texas","HACK","MED","15,761","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "August 18, 2017","South Bend Orthopaedic Associates Inc","","Indiana","PHYS","MED","1,272","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 20, 2017","SEC","Washington","District Of Columbia","HACK","GOV","0","""Companies that took advantage of the chance to practice filing sensitive information with the U.S. 
Securities and Exchange Commission might wish they hadn’t. While the SEC is providing few details, the regulator did say the hack of its online database of corporate filings targeted what the agency calls its test Edgar system. It lets startups unfamiliar with filling out SEC forms get comfortable with the process without publicly blasting out market-moving announcements. Now an initiative that was grounded in good intentions is causing the SEC headaches. The agency disclosed Wednesday that not only had cybercriminals breached Edgar, but they may have stolen corporate secrets that they profited from. The SEC blamed the 2016 intrusion -- which it was slow to reveal -- on a software vulnerability in its test system. Edgar houses millions of filings on disclosures ranging from corporate earnings to statements on mergers and acquisitions. Infiltrating it to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money. SEC Chairman Jay Clayton said the agency’s review of the breach is ongoing and that it’s “coordinating with the appropriate authorities.”","Media","https://www.bloomberg.com/news/articles/2017-09-21/sec-says-hack-of-edgar-may-have-led-to-illicit-trading-profits","2017","38.907192","-77.036871" "September 8, 2017","Home Point Financial","San Diego","California","HACK","BSF","0","""What Happened: On March 30, 2017, we learned that an unauthorized individual utilized a phishing scheme and may have gained access to employees' email accounts beginning in November 2016.
When we learned of this, we immediately secured the email accounts, reset passwords, and began an investigation. What Information Was Involved: We conducted a thorough review of the employees' email accounts and determined that they contained information that you may have included with your loan application such as your name, address, Social Security number, date of birth, driver's license/passport/state identification number, payment card number, and financial account numbers.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-101718","2017","32.715738","-117.161084" "September 21, 2017","SVR Tracking","San Diego","California","DISC","BSO","540,000","""The Kromtech Security Center recently found over half a million records belonging to SVR Tracking, a company that specializes in “vehicle recovery,” publicly accessible online. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen. To achieve “continuous” and “live” updates of a vehicle’s location, a tracking device is attached in a discreet location, somewhere an unauthorized driver isn’t likely to notice it. According to SVR’s website, the tracking unit provides “continuous vehicle tracking, every two minutes when moving” and a “four hour heartbeat when stopped.” Basically, everywhere the car has been in the past 120 days should be accessible, so long as you have the right login credentials for SVR’s app, which is downloadable for desktops, laptops, and almost any mobile device."" Email, addresses and passwords, license plates and vehicle identifications numbers were compromised.","Media","https://gizmodo.com/passwords-to-access-over-a-half-million-car-tracking-de-1818624272","2017","32.715738","-117.161084" "March 29, 2017","CFG Community Bank","Baltimore","Maryland","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.290385","-76.612189" "March 21, 2017","National Safety Council","Itasca","Illinois","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","41.975029","-88.007291" "March 17, 2017","TIC Gums, Inc","Belcamp","Maryland","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.473720","-76.241345" "March 16, 2017","Defense Point Security LLC","Alexandria","Virginia","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.804836","-77.046921" "March 15, 2017","LookingGlass Cyber Solutions Inc.","Reston","Virginia","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.958631","-77.357003" "March 9, 2017","Matthews Carter and Boyce CPA Advisors","Fairfax","Virginia","HACK","MED","0","name, 1099 tax form Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.908547","-77.240515" "March 8, 2017","Tarleton Medical","Stephenville","Texas","HACK","MED","0","names, addresses, dates of birth, Social Security numbers, and data 
related to health care claims Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.980668","-76.314400" "March 8, 2017","Friedman & Perry, CPAs","Fremont","California","HACK","MED","0","name, date of birth, telephone number(s), address, social security number, employment (W-2) information, and 1099 information Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.287716","-76.628573" "February 7, 2017","Astadia, Inc.","Jacksonville","Florida","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","30.332184","-81.655651" "March 8, 2017","Taconic Biosciences, Inc.","Albany","New York","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","42.740052","-73.862059" "March 7, 2017","RealTruck, Inc.","Fargo","North Dakota","HACK","MED","0","name, social security number, driver’s license number, date of birth, and bank account number Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.322703","-76.545682" "March 6, 2017","Barclays Bank Delaware","Wilmington","Delaware","HACK","MED","0","name, address, payment card number Location of breached information: Website Business associate present: No ","Maryland Attorney
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.725754","-75.589046" "March 6, 2017","American Homepatient","San Diego","California","PHYS","MED","0","names, addresses, American HomePatient account numbers, Social Security Numbers, diagnosis codes, date of birth, financial information, and treatment information Location of breached information: Hard drive Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.814497","-76.857096" "March 6, 2017","Toscano Clements Taylor","New York","New York","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","40.712775","-74.005973" "March 3, 2017","Weekends Only, Inc.","St. Louis","Missouri","HACK","MED","0","name, payment card info, address Location of breached information: Website Business associate present: No ","California Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.713107","-90.429840" "March 30, 2017","Huckstep Holdings Corp. 
d/b/a TechWise","Colorado Springs","Colorado","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","38.833882","-104.821363" "March 2, 2017","Bostwick Laboratories","Glen Allen","Virginia","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","37.665978","-77.506374" "March 1, 2017","Merchants Metals, Inc.","Atlanta","Georgia","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","33.748995","-84.387982" "February 28, 2017","Rederal Direct Tax Services","Indianapolis","Indiana","HACK","MED","0","name, dob, ssn Location of breached information: Website Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","39.765557","-86.160393" "February 23, 2017","PCA Skin","Scottsdale","Arizona","HACK","MED","0","name, address, ssn, w2 tax info Location of breached information: Email Business associate present: No ","Maryland Attorney General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","33.494170","-111.926052" "February 23, 2017","Abbott Nutrition","Abbott Park","Illinois","HACK","MED","0","name, address, payment card info Location of breached information: Website Business associate present: No ","Maryland Attorney
General","http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx?subfolder=2015","2017","42.304505","-87.896071" "September 25, 2017","Deloitte","","London","HACK","BSF","0","""One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.""","Media","https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails","2017","51.507351","-0.127758" "September 20, 2017","Viacom","Los Angeles","California","DISC","BSO","0","""A mishandling of Viacom's master AWS key has left the credentials of hundreds of digital properties, including Comedy Central, Paramount, MTV and other entertainment companies, exposed. On Aug. 30, 2017 UpGuard Director of Cyber Risk Research Chris Vickery spotted a publicly downloadable Amazon Web Services S3 cloud storage bucket containing what appeared to be nothing less than either the primary or backup configuration of Viacom's IT infrastructure. The servers contained the passwords and manifests for Viacom's servers as well as data needed to maintain and expand the IT infrastructure in addition to the access key and secret key for the corporation's AWS account, according to a Sept.
19 blog post.""","Media","https://www.scmagazine.com/viacom-exposes-paramount-pictures-comedy-central-mtv-and-hundreds-more-in-aws-leak/article/690117/","2017","34.052234","-118.243685" "September 15, 2017","Vevo","Playa del Rey","California","HACK","BSO","0","""The OurMine hacking collective broke into the servers of music video hosting service Vevo and on late Thursday posted approximately 3.12 terabytes of stolen documents and data on its website, in an unusually aggressive attack by the group. Normally, OurMine is known for accessing celebrities' or companies' social media accounts and defacing their corresponding pages. In such circumstances, the group typically claims to be testing victims' security and offers to help improve their defenses. But the data dump constitutes a more serious infraction, as it involves the posting of private documents.""","Media","https://www.scmagazine.com/sour-notes-ourmine-hackers-briefly-post-private-files-from-vevo-music-video-service/article/689184/","2017","33.956419","-118.442232" "September 26, 2017","Sonic Drive-In","Oklahoma City","Oklahoma","HACK","BSO","0","""Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems.
The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned. The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.""","Krebs On Security","https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-impacted-millions-of-credit-debit-cards/","2017","35.467560","-97.516428" "September 29, 2017","Whole Foods","Austin","Texas","HACK","BSR","0","""Whole Foods, which was recently acquired by Amazon, suffered a data breach of credit card information used in taprooms and full table-service restaurants in some of the grocery chain's stores, the company said Thursday. Whole Foods noted these venues use a different point-of-sale system than the main checkout systems.
Credit cards used at those systems were not affected, the company said.""","Media","https://www.cnbc.com/2017/09/28/whole-foods-suffers-data-breach-in-some-stores.html","2017","30.267153","-97.743061" "September 25, 2017","Adobe","San Jose","California","DISC","BSO","0","""Adobe has earned mockery after accidentally posting its private PGP key on the firm's official security blog. Last week, Adobe's product security incident response team (PSIRT) accidentally published the private PGP key on the PSIRT blog on Friday, a lesson in what you should never reveal unless you want others to impersonate you.""","Media","http://www.zdnet.com/article/adobe-accidentally-releases-private-pgp-key/","2017","37.338208","-121.886329" "October 2, 2017","Arkansas Oral Facial Surgery","Fayetteville","Arkansas","HACK","MED","128,000","""A ransomware attack on Fayetteville-based Arkansas Oral Facial Surgery Center has potentially breached the data of 128,000 of its patients. An investigation found the cyberattack occurred between July 25 and 26, and while quickly detected, the virus encrypted x-ray images, files and documents. Fortunately, the patient database was not encrypted. However, hackers managed to infect the data of a small number of patients who visited the provider within three weeks prior to the incident.""","Media","http://www.healthcareitnews.com/news/ransomware-attack-breaches-128000-patient-records-arkansas-provider","2017","36.082156","-94.171854" "September 5, 2017","MongoDB","New York","New York","HACK","BSO","26,000","Three hacking groups are once again targeting MongoDB databases, hijacking 26,000 open servers and asking for a ransom to release the data, according to security researcher Victor Gevers, chairman of the GDI Foundation. ""One of the hacking groups hijacked 22,000. And all groups are demanding about $650 to restore the data. The initial attacks were first discovered by hackers in late 2016 and continued into early 2017.
These attacks were simple for hackers to launch: They simply scanned the internet for MongoDB databases left open to external content, wiped the content and replaced data with a ransom demand.""","Media","http://www.healthcareitnews.com/news/hackers-are-ransoming-26000-unsecured-mongodb-databases-security-researchers-find","2017","40.712775","-74.005973" "August 31, 2017","Kaleida Health","Buffalo","New York","HACK","MED","744","""Kaleida Health, New York’s largest provider, is once again notifying patients of a phishing incident. This one involves 744 patients. The organization discovered the incident on June 26, when it found an unauthorized third-party gained access to an employee’s email account. Officials said that after an investigation, the hacker was able to access a “small number of Kaleida Health email accounts.” Included in those accounts were patient names, medical record number, diagnoses, treatment information and other clinical data. For some patients, it also included Social Security numbers. Officials said the financial information wasn’t included.""","Media","http://www.healthcareitnews.com/news/hackers-breach-new-yorks-largest-provider-phishing-attacks","2017","42.886447","-78.878369" "August 24, 2017","St. Mark's Surgery Center","Fort Meyers","Florida","HACK","MED","33,877","""St. Mark’s Surgery Center was hit by a ransomware attack that may have impacted the personal health information of 33,877 patients. The Florida provider discovered a ransomware attack on May 8, although the attack occurred from April 13 until April 17.
The installed virus prevented patient data from being accessed during that time."" The impacted servers contained patient names, dates of birth, Social Security numbers and medical information.","Media","http://www.healthcareitnews.com/news/surgery-center-says-34000-patient-records-potentially-breached","2017","26.640628","-81.872308" "July 31, 2017","Anthem Blue Cross Blue Shield","Indianapolis","Indiana","INSD","MED","18,000","""Anthem BlueCross BlueShield began notifying customers last week of a breach affecting about 18,000 Medicare members. The breach stemmed from Anthem’s Medicare insurance coordination services vendor LaunchPoint Ventures, based in Indiana. LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016. The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment.
Officials said limited last names and dates of birth were included.""","Media","http://www.healthcareitnews.com/news/anthem-insider-theft-exposes-data-18000-medicare-members","2017","39.768403","-86.158068" "November 3, 2017","Valley Family Medicine","","Virginia","DISC","MED","8,450","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 31, 2017","East Central Kansas Area Agency on Aging","","Kansas","HACK","MED","8,750","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 27, 2017","Texas Children's Health Plan","","Texas","DISC","MED","932","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 27, 2017","Florida Blue ","","Florida","DISC","MED","939","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 27, 2017","Catholic Charities of the Diocese of Albany","","New York","HACK","MED","4,624","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 27, 2017","Cook County Health & Hospitals System","","Illinois","DISC","MED","727","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 26, 2017","Arch City Dental, LLC - Drs. Baloy and Donatelli","","Ohio","DISC","MED","1,716","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 25, 2017","MGA Home Healthcare Colorado, Inc.","","Arizona","HACK","MED","2,898","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 24, 2017","TJ Samson Community Hospital","","Kentucky","DISC","MED","683","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 24, 2017","Brevard Physician Associates","","Florida","PHYS","MED","7,976","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 23, 2017","Aetna, Inc.","","Connecticut","DISC","MED","1,506","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 21, 2017","Recovery Institute of the South East P.A.","","Florida","HACK","MED","689","Location of breached information: Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 20, 2017","Kaiser Foundation Health Plan","","California","DISC","MED","720","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 20, 2017","EMERGENCY COVERAGE CORPORATION ","","Tennessee","PHYS","MED","719","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 20, 2017","Iowa Department of Human Services","","Iowa","HACK","MED","820","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 19, 2017","The Union Labor Life Insurance Company","","Maryland","DISC","MED","664","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 19, 2017","Mann-Grandstaff VA Medical Center","","Washington","PHYS","MED","1,915","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 17, 2017","Insulet Corporation","","Massachusetts","DISC","MED","1,469","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 16, 2017","Carolina Oncology Specialists","","North 
Carolina","DISC","MED","1,551","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 13, 2017","MHC Coalition for Health and Wellness","","Virginia","PHYS","MED","5,806","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 13, 2017","CVS Pharmacy","","Rhode Island","PHYS","MED","836","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 12, 2017","Bridget P Early MD LLC d/b/a Namaste Health Care","","Missouri","HACK","MED","1,617","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 12, 2017","Orthopedics NY, LLP","","New York","DISC","MED","2,493","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 9, 2017","RiverMend Health, LLC","","Georgia","HACK","MED","1,300","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 9, 2017","Lifestyle Therapy & Coaching","","Alabama","DISC","MED","550","Location of breached information: Other Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 6, 2017","John Hancock Life Insurance Company (U.S.A.)","","Massachusetts","DISC","MED","1,715","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 3, 2017","Chase Brexton Health Care","","Maryland","HACK","MED","16,562","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 2, 2017","LSU Health Care Services Division","","Louisiana","DISC","MED","1,200","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 29, 2017","Amida Care","","New York","DISC","MED","6,231","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 29, 2017","Briggs & Stratton Corporation","","Wisconsin","HACK","MED","12,789","Location of breached information: Desktop Computer, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 28, 2017","Riaz Baber, M.D., S.C.","","Illinois","DISC","MED","10,500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 27, 2017","Advanced Spine & Pain 
Center","","Texas","HACK","MED","8,352","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 26, 2017","Kraig R. Pepper, D.O., P.A.","","Texas","DISC","MED","653","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 26, 2017","Patients Choice","","Texas","HACK","MED","1,069","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 25, 2017","Houston Methodist Hospital","","Texas","DISC","MED","1,359","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 22, 2017","Our Lady of the Angels Hospital","","Louisiana","DISC","MED","1,140","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 20, 2017","Spokane VA Medical Center","","Washington","PHYS","MED","3,275","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 20, 2017","Mercy Health Love County Hospital and Clinic ","","Oklahoma","PHYS","MED","13,004","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 19, 2017","PeaceHealth","","Washington","DISC","MED","1,969","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 18, 2017","MN Urology","","Minnesota","DISC","MED","939","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 18, 2017","W. W. Grainger, Inc.","","Illinois","PHYS","MED","1,594","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "September 18, 2017","Urological Associates of Central Jersey P.A.","","New Jersey","HACK","MED","1,800","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "October 16, 2017","We Heart It","San Francisco","California","HACK","BSO","8,000,000","""We Heart It, an image-sharing site used by 40 million teens as of a couple of years ago, is informing users their personal data may have been compromised. The company was alerted to a possible security breach last week that involved over 8 million accounts, it said on Friday. 
The breach took place a few years ago and includes email addresses, usernames and encrypted passwords for We Heart It accounts created between 2008 and November 2013. Although the passwords were encrypted, they are not secure, the company notes.""","Media","https://techcrunch.com/2017/10/16/we-heart-it-says-a-data-breach-affected-over-8-million-accounts-included-emails-and-passwords/","2017","37.774930","-122.419416" "November 8, 2017","Aetna Inc.","","Connecticut","DISC","MED","0","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","40.760537","-73.978890" "November 11, 2017","Lovense","Hong Kong","","PHYS","BSO","0","""A user of the Lovense smart sex toy discovered that the app companion to the device had a six-minute recording of a private moment with a significant other. The app evidently made the recording while using the remote-controlled app paired with the smart vibrator, and was saved in the mobile phone's media storage. Ideally, as per the company website, the app is merely meant to turn the user's smartphone into a remote control for the sex toys. This may even be done in long distances as long as the partner also has the app and added as the user's friend.
However, it was not meant to make a recording of the private moments, much less without the knowledge of the user.""","Media","http://www.techtimes.com/articles/215586/20171111/bug-causes-smart-sex-toy-to-secretly-record-customers-privacy-breach-in-smart-devices.htm","2017","22.396428","114.109497" "November 17, 2017","UPMC Susquehanna","Williamsport","Pennsylvania","HACK","MED","1,200","""UPMC Susquehanna has notified 1,200 patients treated at various UPMC Susquehanna locations that their personal information — including names, dates of birth, contact information and Social Security numbers — may have been inappropriately accessed. In a release sent out Friday morning, UPMC Susquehanna privacy officer David Samar said the health care system apologized for the breach. “We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected. UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but out of an abundance of caution we deemed it appropriate to inform those possibly affected by this breach.” The breach was discovered on Sept. 21, when an employee reported suspicious activity to the information technology staff. As a result of UPMC Susquehanna’s internal investigation, it is believed that through a phishing attack the information may have been accessed.""","Media","http://www.dailyitem.com/news/upmc-susquehanna-notifies-patients-of-data-breach/article_ee1b32c6-cbb6-11e7-97e6-bf68278e1b03.html","2017","41.241190","-77.001079" "November 17, 2017","Forever 21","Los Angeles","California","HACK","BSR","0","""Over the past several years we have seen a multitude of security problems plague major retail stores around the world. 
Breaches have come in many forms and have frequently targeted credit card information, though in some cases personal data has been part of the haul.Now we find ourselves looking at yet another incident. Retail chain Forever 21, which is wildly popular among young people in the United States -- you can barely find a mall that doesn't have one -- has officially announced that its systems were compromised.The extent of the damage is not fully known as of yet. The company posted a brief statement on its website to warn its customers. It seems to downplay the breach to a certain extent, claiming it boosted security back in 2015, but that some stores hadn't yet been brought up to speed. This resulted in point-of-sale attacks at certain locations. The investigation is focusing on transactions between March and October of this year.""","Media","https://betanews.com/2017/11/17/forever-21-becomes-the-latest-retail-chain-to-suffer-a-security-breach/","2017","34.052234","-118.243685" "November 18, 2017","Medical College of Wisconsin","Wauwatosa","Wisconsin","HACK","MED","9,500","""The Medical College of Wisconsin has notified thousands of patients their confidential information may have been compromised.The information includes addresses, bank accounts and Social Security numbers.The Medical College has disclosed 9,500 of its patients are now victims of a targeted attack that happened sometime in late July.An unauthorized third party accessed employee email accounts, which contained private patient information such as their date of birth, home address, medical record numbers and diagnosis.""","Media","http://www.wqow.com/story/36879172/2017/11/Saturday/medical-college-of-wisconsin-hit-by-data-security-breach","2017","43.049457","-88.007588" "November 13, 2017","Main Department of Health and Human Services","Augusta","Maine","DISC","GOV","2,100","""The Maine state government is notifying 2,100 Mainers who have received foster care benefits that their personal information was 
temporarily compromised.The Maine Office of Information Technology said Monday that names, addresses and Social Security numbers of people involved with the Department of Health and Human Services' foster care system, including children and their legal guardians, were posted on a third-party website and taken down when state officials noticed.""","Media","https://bangordailynews.com/2017/11/13/news/state/data-breach-briefly-exposes-2100-maine-foster-families/","2017","33.473498","-82.010515" "November 17, 2017","Pizza Hut","Plano","Texas","HACK","BSO","60,000","""If you kicked October off with a Pizza Hut pizza, you might want to keep a close eye on your credit report – and credit card statement.The chain has emailed some patrons alerting them their personal information might have been compromised after hackers gained access to its website and app.Roughly 60,000 customers are thought to have been impacted by the “third party security intrusion.” Emails to customers said the hack occurred over a 28-hour period from the morning of Oct. 1 to midday Oct. 
2.Among the data that might have been compromised are customer names, billing ZIP codes, delivery addresses, email addresses, and payment card information, such as account numbers, expiration dates and Card Verification Value numbers.""","Media","http://fortune.com/2017/10/17/pizza-hut-data-breach/","2017","33.074711","-96.835125" "November 16, 2017","Hyatt Hotels","Chicago","Illinois","HACK","BSO","0","""Multinational hotel corporation Hyatt recently alerted its customer of a credit card breach at some of its hotels – the second major incident of its kind in two years.The corporation said that its cyber security team discovered evidence of unauthorized access to payment card information from cards manually entered or swiped at the front desk of 41 of its hotels in locations such as Hawaii (three locations breached), Guam (1), Puerto Rico (1), and China (18, the highest number of breaches reported), between March 18 and July 02, 2017.""","Media","http://www.insurancebusinessmag.com/us/news/cyber/hyatt-hotels-suffers-major-credit-card-breach-again-82025.aspx","2017","41.878114","-87.629798" "October 12, 2017","T-Mobile","Houston","Texas","HACK","BSO","69,600,000","""A bug on T-Mobile‘s website may have allowed hackers to view your personal information. The bug, which has since been patched, allowed hackers to view your email address, account number, and even your phone’s IMSI number (a unique number that identifies subscribers). According to the researcher that found the bug, there was no way to prevent someone writing a script and finding out the information for all 69.6 million potential victims.""","Media","https://www.androidauthority.com/t-mobile-exploit-reveals-customer-information-806750/","2017","29.760427","-95.369803" "October 16, 2017","Catholic United Financial","St. 
Paul","Minnesota","HACK","BSF","127,310","""A data breach at an Arden Hills-based financial services company serving Catholic Church members in the upper Midwest has affected nearly 130,000 current and former members.The unidentified hacker accessed the first and last names, mailing addresses, dates of birth, email addresses, insurance policy information, and Social Security numbers of members. Beneficiary information, log-in credentials and other information were not accessed.""","Media","http://www.twincities.com/2017/10/16/catholic-united-financial-data-breach-may-have-affected-nearly-130k-accounts/","2017","44.953703","-93.089958" "May 19, 2017","Rite Aid","Camp Hill","Pennsylvania","HACK","BSR","0","""Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details.An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked.During the time that unauthorized individuals had access to its e-commerce platform they obtained customers names, addresses and payment card information including card numbers expiry dates and CVV numbers.  
The incident impacts all customers who used the online store between the above dates and manually entered their payment card details.""","Media","https://www.hipaajournal.com/rite-aid-announces-breach-online-store-8814/","2017","40.239812","-76.919974" "October 24, 2017","Tarte Cosmetics","New York","New York","DISC","BSO","2,000,000","""Tarte Cosmetics, a cruelty-free cosmetics brand carried by major retailers like Sephora and Ulta, exposed the personal information of nearly two million customers in two unsecured online databases.The databases were publicly accessible and included customer names, email addresses, mailing addresses, and the last four digits of credit card numbers, according to the Kromtech Security Center, the firm that discovered the exposed data.""","Media","https://gizmodo.com/cosmetics-brand-tarte-exposed-personal-information-abou-1819723431","2017","40.712775","-74.005973" "November 21, 2017","Uber","San Francisco","California","HACK","BSO","57,000,000","""Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.The security officer, Joe Sullivan, has been fired. Mr. 
Kalanick was forced out in June, although he remains on Uber’s board.The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.""","Media","https://www.nytimes.com/2017/11/21/technology/uber-hack.html","2017","37.774930","-122.419416" "November 27, 2017","Imgur","San Francisco","California","HACK","BSO","1,700,000","""Image-hosting website Imgur discovered at the end of last week that hackers broke into its systems in 2014, and stole the account details of some 1.7 million registered users.Imgur found out about the historic hack when HaveIBeenPwned‘s Troy Hunt contacted the company on Thursday 23 November, which was a national Thanksgiving holiday in the United States.On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.""","Media","https://www.welivesecurity.com/2017/11/27/imgur-hackers-stole-email-addresses-passwords/","2014","37.774930","-122.419416" "November 27, 2017","Bulletproof","Bellevue","Washington","HACK","BSO","0","""What Happened: In mid-October 2017, Bulletproof identified unauthorized computer code that had been added to the software that operates the checkout page at www.bulletproof.com. When we discovered the unauthorized code, we immediately removed it and began an investigation. We have been working with leading computer security firms to examine our systems. We have also been working with law enforcement. 
Based on our investigation, we determined that the unauthorized code may have been capable of capturing information entered during the checkout process during the period from May 20, 2017 through October 13, 2017 and October 15-19, 2017. You are receiving this notice because your payment card may have been entered on the checkout page during this time period.What Information Was Involved: The information on the checkout page that the code may have accessed includes customers’ names, addresses, email addresses, payment card numbers, expiration dates, and card security codes (CVV).""","California Attorney General","https://oag.ca.gov/privacy/databreach/list","2017","47.610150","-122.201516" "November 21, 2017","ArmorGames","Irvine","California","HACK","BSO","0","""What Happened? On Oct 24, 2014, we discovered that a third party obtained access to our users’ emails and “hashed’ passwords. That means that the passwords were encrypted in such a way that it is nearly impossible for anyone, even us, to read it. However, on Oct 24, 2017, a security researcher informed us of a file containing emails and plaintext passwords which claims the data had come from us (Armor Games) and another company (Coupon Mom). We are investigating whether we are the true source of the breach, since the number of leaked emails/passwords is far less than the number of emails breached on either our system or Coupon Mom’s system in 2013. Our users’ passwords were hashed (this makes it unlikely that they could extract plaintext passwords from our data), and some users are reporting that their passwords were included in this breach though they have never used either site. As we investigate the source of the data in this file, we are taking the precautionary measure of treating this as a data breach of our own users.What Information Was Involved? The information in the file contains 11 million emails and plain text passwords. 
No financial information, names, addresses, or game data was contained in this document.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-112355","2014","33.696361","-117.838988" "November 27, 2017","USA Hoist Company, Inc./Mid-American Elevator/Mid-American Equipment","Chicago","Illinois","HACK","BSO","0","""What Happened: A server used by USA Hoist Company, Inc., Mid-American Elevator Company, Inc., and Mid-American Elevator Equipment Company, Inc. to store employee and vendor information was subject to a ransomware attack by the hacker group called ""the Dark Overlord."" We discovered the attack on the morning of Tuesday, October 17, 2017, when we could not access certain of our data systems as a result of the breach. On Thursday, October 19, 2017, the FBI visited our offices to inform us that we may become the subject of such an attack, but by that time the attack had already occurred. What Information was Involved: The information breached contained employee names, mailing addresses, cancelled checks for employee direct deposits, direct payment account numbers for employees and vendors, non-union member employee health insurance applications, and/or employee Social Security numbers. To our knowledge, other information (bank account PIN, security codes, etc.) was not breached.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-112319","2017","41.878114","-87.629798" "November 17, 2017","Brinderson","Costa Mesa","California","HACK","BSO","0","""What Happened On October 24, 2017, we discovered that an unauthorized individual may have gained access to one of our computer systems. Upon learning of this, we blocked the intruder’s access to our systems, shut down the affected systems, and immediately began an investigation to determine the scope of the incident. 
We also engaged a forensic security firm to assist in our investigation.What Information Was Involved Our investigation has determined that some of your information was stored on systems potentially accessed by the unauthorized individual. That information includes your name, address, Social Security number, date of birth, and other employment related information.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-110862","2017","33.641216","-117.918822" "November 17, 2017","Academy of Art University","San Francisco","California","DISC","EDU","0","""What Happened?The Academy of Art University is committed to safeguarding the personal information of our employees. On November 8, 2017, an Academy employee mistakenly sent an internal e-mail with an attachment (subject of email: Reminder! 2017 Difference Card Reimbursement Claims), and one of the spreadsheet tabs included in the attachment contained your personal information. The file containing your personal information was originally on a working document that was stored in a secured drive. The employee needed the information contained on the working spreadsheet document to prepare the email distribution list. The employee failed to remove the spreadsheet attachment before the email was sent. The department has policies, procedures and training in place to prevent inadvertent disclosures, but the mistake still occurred as a result of human error. The Academy’s technical security measures, however, prevented this email from being forwarded from the Academy email system to external addresses. We are not aware of the email being sent to anyone other than Academy employees. The Academy has no reason to believe that any information about you has been misused, but nonetheless wants to make sure you are aware of the issue. 
Those that are not impacted are not receiving this notification. What Information Was Involved? The attachment to the e-mail contained several spreadsheet tabs, one of which listed your first name, last name, and Social Security number.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-110849","2017","37.774930","-122.419416" "November 16, 2017","Club Sport San Ramon/Oakwood Athletic Club","San Ramon","California","HACK","BSO","0","""What Happened and What Information was involved? On July 31, 2017, we discovered that an employee was the subject of a phishing attack when they received an email that appeared to be from an executive, requesting copies of employees W-2 wage and tax statements. In response to that email, individual employee W-2 information was sent to an unauthorized email address. From our investigation, it appears that this contained your personal information, including your name, address, Social Security number, and wage and tax information from 2016. This DID NOT include personal banking or financial account information. Local law enforcement and the IRS have been notified of this incident and we are cooperating with their investigations.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-110719","2017","37.772317","-121.944562" "November 15, 2017","Cheddar's Scratch Kitchen","Irving","Texas","PHYS","BSO","0","""What Happened Early on July 21, 2017, there was a break-in at a locked corporate facility for Cheddar's Scratch Kitchen in Texas that resulted in the theft of several laptops and a hard drive containing some team members' personal information and very limited guest information. 
The incident was promptly reported to the police and their investigation is ongoing.What Information Was InvolvedWhile the investigation continues, our current understanding is that the personal information that may have been involved in the incident likely includes your Social Security number; contact information, such as your name, address, email address, and telephone number; other employment-related information and limited guest information, if applicable. In some cases, a photocopy of your ID may have been included. We regret that your personal information may be affected.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-110643","2017","32.814018","-96.948895" "November 15, 2017","Far Niente Winery","Napa Valley","California","HACK","BSO","0","""What Happened?On August 21, 2017, files on Far Niente’s computers were encrypted by an individual who gained unauthorized access to Far Niente’s computer network. The individual demanded a ransom in exchange for restoring access to the encrypted files. We immediately began an investigation and retained a leading computer forensic firm to help us. The forensic firm determined on August 21, 2017, that the unauthorized person may have had access to our computer network for several hours before encrypting our computer files. We terminated the unauthorized access and restored the encrypted files with unaffected back-up files. We did not pay the ransom demanded by the individual.What Information Was Involved?We have no evidence that the unauthorized person viewed or obtained any information that was stored on our computer network. 
However, your name, address, and Social Security number were included in a document on the network.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-108214","2017","38.502469","-122.265389" "November 15, 2017","CafeMom","New York","New York","HACK","BSO","0","""We were recently alerted to a possible security breach involving account information that had occurred several years ago. We immediately investigated the situation and are reaching out to share what we've learned and how we are protecting your data. Our investigation showed that email addresses and passwords for CafeMom accounts created before July 2011 were compromised at some point in the past. At this time, we have found no evidence of unauthorized access or wrongdoing and the systems that powered cafemom.com in 2011 are no longer the systems that run the site today.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-108202","2017","40.712775","-74.005973" "November 14, 2017","ABM Industries","New York","New York","HACK","BSO","0","""What Happened? On or about August 1, 2017, we discovered that ABM had become the target of a phishing email campaign. For background, phishing is a type of electronic attack where outside individuals impersonate a trusted person or company to obtain information or install dangerous software. Several ABM employees had clicked on the phishing emails and entered their credentials. As is our protocol, we immediately took steps to secure these employees’ email accounts and launched an in-depth investigation to determine whether any sensitive information was accessed or acquired. We subsequently determined, with the help of outside computer forensic investigators, that an unknown actor had gained access to certain ABM email accounts. 
ABM determined, after a programmatic and manual review of the contents of the affected email accounts, the types of protected information contained in the affected email accounts and to which individuals the information relates.What Information Was Involved? While we currently have no evidence that the unauthorized individual or individuals actually accessed or acquired your information, we have confirmed that your name accessible within the affected email accounts."" ","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104263","2017","40.712775","-74.005973" "November 14, 2017","Bakersfield City School District","Bakersfield","California","DISC","EDU","0","""What happened?On November 9, 2017, at or about 4:24 p.m., the Board Docs Agenda was posted to the District’s website. In this agenda packet under the Certificated Human Resources Report, a report of certificated extra-time was inadvertently attached. It was confirmed that the personal information contained in this attachment included that of approximately 1,250 certificated employees and/or substitutes who worked extra-time. The error was identified at approximately 7:45 p.m. and immediately removed. The total time this information remained online was approximately three hours and twenty-one minutes.What information was involved?The individuals affected include certificated employees and certificated substitutes. The personal information potentially compromised includes their names and Social Security numbers.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104262","2017","35.373292","-119.018713" "November 13, 2017","Los Angeles County Department of Mental Health","Los Angeles","California","DISC","GOV","0","""What Happened?On October 24, 2017, a LACDMH employee sent an email to candidates who responded to a job posting for a position within LACDMH. 
Inadvertently attached to that email was a spreadsheet that contained the PII of candidates, including you. What Information Was Involved? The information that may have been compromised included your name, promulgation date, email address, and Social Security Number.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104241","2017","34.052234","-118.243685" "November 13, 2017","GNAC","Chesterfield","Missouri","HACK","BSO","0","""What Happened? On September 21, 2017, our system monitoring tools identified unusual activity relating to a database within our network that is tied to a web application used by customers. We disabled the web application and immediately launched an investigation to determine the nature and scope of this activity. A leading third-party forensic investigation firm was retained to assist with our own internal investigation. Although the investigation is ongoing, we determined on October 6, 2017 that there was evidence a small amount of data left our system between June 18, 2017 and September 19, 2017. As we cannot determine the contents of this data, we cannot rule out that this data included personal information relating to [Data Owner] members stored in the database. What Information Was Involved? While our investigation is ongoing, we have determined the names and Social Security numbers of [insert number] individuals affiliated with your organization were contained in the database during the period that traffic was identified.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104236","2017","38.603599","-90.701027" "November 13, 2017","Gary W. Janke","Northridge","California","PHYS","BSF","0","""What happened and what information was involved: On the night of September 26, 2017, a thief broke into the back of the office building in Northridge, California. The building security alarms went off and the Los Angeles Police Department was dispatched. 
There is video of the thief in the offices and prints were recovered. However, before the first officers arrived, the thief stole a number of items from various offices in the building. Unfortunately, he stole two old computers from my offices. The computers contained tax information from 2012 and prior year tax returns that I had prepared. The data on the computers contained your personal information, including your name(s), address, Social Security number(s) and date of birth. It also included dependent information including name, social security number and date of birth. (For business clients, the data would have included federal identification numbers.) Your tax return information regarding income amounts and sources was also contained on the computers. If you were having your refunds directly deposited into your bank account, the bank account information would have been on one computer. Otherwise, your financial account numbers would not be part of the information stored. Copies of your W-2s and other financial documents were not scanned onto the computers. Please keep in mind that the information stolen was from 2012 and prior income tax returns.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104191","2017","34.249919","-118.503187" "November 9, 2017","Corovan/Corodata/Klinger Moving ","San Diego","California","DISC","BSO","0","""What Happened? On October 17, 2017, we became aware that certain Company files containing sensitive information that were stored on a Company server had become browsable for a brief period of time through a directed search on the Google search engine. 
What Information Was Involved? As part of the investigation into this incident, we determined a file containing the following information related to you was temporarily accessible through a directed search on Google: name, address, .To date, we have no evidence of any attempted or actual misuse of personal data contained within the files that were accessible as a result of this incident.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-104174","2017","32.715738","-117.161084" "November 9, 2017","Chapman University","Orange","California","PHYS","EDU","0","""WHAT HAPPENED Last week an external hard drive went missing from Chapman University’s Harry and Diane Rinker Health Science Campus. The employee who was assigned the external drive had access to several University network drives. Chapman University cannot determine the actual contents of the missing external disk drive but it is treating the entire content of all drives that the assigned employee had access to as potential content on the missing external drive. WHAT INFORMATION WAS INVOLVED I regret to inform you that a copy of your W9 form was among the content found on the network drives that could have been accessed and downloaded to the external drive. While the content stored on the network drives themselves are secure, the unauthorized back up of these files onto an external disk drive may have put the files at risk of disclosure to an unauthorized person when the external drive was taken.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103336","2017","33.792820","-117.853717" "November 9, 2017","Tween Brands, Inc.","Austin","Texas","HACK","BSO","0","""What Happened? On September 7, 2017, we discovered signs indicating attempts had been made to gain access to one of our web servers. We immediately removed the server from our network and began an investigation with the assistance of a leading computer forensics firm. 
The investigation determined that an unauthorized individual may have gained access to the server and may have used that access to connect to a database server. What Information Was Involved? The database included information including the username and password combination that you use to access the vendor portal, vendors.tweenbrands.com.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103242","2017","30.267153","-97.743061" "November 3, 2017","HumanGood","Pleasanton","California","HACK","BSO","4,844","""Dear Sir or Madam: I represent HumanGood, located in Pleasanton, California. This letter is being sent pursuant to California Civil Code §1798.82 because HumanGood learned on September 27, 2017 that the personal information of 4,844 HumanGood employees who reside in California may have been involved in a data security incident. The information that may have been involved included names, addresses, email addresses, dates of birth, wage information and health information that is maintained by a HumanGood third-party service provider. The incident occurred on September 27, 2017. Immediately upon discovering the incident, HumanGood notified the service provider and conducted an investigation of the incident. HumanGood also notified the Federal Bureau of Investigation and the Pleasanton Police Department to prevent fraudulent activity. HumanGood has notified the affected California residents with the attached letter. As referenced in the letter, HumanGood will provide 12 months of credit monitoring and identity protection services through AllClear ID. 
Please contact me should you have any questions.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103240","2017","37.662431","-121.874679" "November 2, 2017","Kimberly-Clark","Neenah","Wisconsin","HACK","BSO","0","""What happened? We have extensive measures in place to protect the information that you provide to us; however, around October 20, 2017, we identified an organized effort to access registered accounts on our website/app from other compromised sites not related to Kimberly-Clark nor any of its brand like Huggies or Kleenex, etc. We took immediate action to block this attempt. Unfortunately, a very small number of accounts, including yours, had account profile information potentially exposed. What information was involved? The account profile information that was potentially exposed includes information such as name, date of birth, e-mail address, and child name and date of birth (if provided). It's important to note that your account profile does not include any financial information or social security numbers.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103174","2017","44.202681","-88.518434" "October 30, 2017","Home Box Office (HBO)","New York","New York","HACK","BSO","0","""What Happened In late July 2017, HBO became aware of an incident in which an unauthorized third party claimed to have accessed HBO’s information technology network. We began investigating the incident as soon as we became aware of the potential breach. Our investigation has revealed that an unauthorized third party illegally accessed HBO’s network, including some personally identifiable information about you. 
What Information Was Involved Though the investigation is still underway, we have determined that the information involved in this incident included the following types of your personally identifiable information: [Personal Information Categories].""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103102","2017","40.712775","-74.005973" "October 27, 2017","Chiorini, Hunt & Jacobs, Certified Public Accountants","Santa Cruz","California","HACK","BSF","0","""What Happened? On September 27, 2017, we became aware that some clients received an e-mail that appeared to be from David Jacobs, but it was not. All firm email credentials were immediately changed and we began an investigation into the matter, including hiring a third-party IT firm. After a thorough investigation, the IT firm has determined that the david@chj.com email account credentials were compromised and used on July 1, 2017 and September 27, 2017, to access our externally hosted email server. The attacker had access to email boxes for david@chj.com, elaina@chj.com and vanessa@chj.com. Because of this breach, we are notifying you out of an abundance of caution. However please note there was no access to our internal network, servers, or the data within those systems. What Information Was Involved? Any information received from or sent to david@chj.com, elaina@chj.com and vanessa@chj.com may have been compromised. 
In some cases this could have included a copy of a tax return which involves your full name, birthdate, telephone number(s), address, Social Security number, or W-2s, 1099s and various other tax related documents, and direct deposit bank account information including routing numbers and account numbers if provided to us. Despite the use of encrypted password protected email attachments since 2011, your data still could have been compromised.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103063","2017","36.974963","-122.029292" "October 17, 2017","Union Labor Life Insurance Company","Washington","District Of Columbia","HACK","BSF","0","""What Happened: An unauthorized external user was able to briefly access the Outlook email account of an employee of The Union Labor Life Insurance Company (the “Company”) on June 22, 2017. The unauthorized user sent a spam email from the employee's email account to the employee's various personal and business contacts via email which appeared to be a legitimate email from the employee. The body of each email included either a Dropbox or two PDF documents that have links to malicious websites. A forensic review of the PDF documents performed by the Company’s Information Technology team determined that the PDF itself was not malicious, but it did contain links to sites known to be. The Company’s Information Technology department was notified of the issue within an hour and immediately disabled the account and reset the password, which stopped the flow of spam emails. Within 24-hours of the unauthorized access, the Company implemented its Data Incident Response Plan that includes company officers, legal and compliance personnel, IT staff and an external data forensics firm. What Information Was Involved: A forensic review of the emails in the email account's inbox and archived folders identified emails and attachments that may have contained non-public personal information of individuals. 
A closer review of those emails and attachments revealed that your personal information, specifically your name, SSN and personal health information, including claim numbers, dates of service, diagnosis codes and claim payments were accessible in an attachment, and may have been viewed by the unauthorized user. Your information was not included in the spam e-mail sent from the e-mail account. We have no information indicating that your personal information was in fact accessed by the unauthorized user during the limited time the e-mail account was accessible or that you are likely to encounter future identity security problems.""","California Attorney General","https://oag.ca.gov/ecrime/databreach/reports/sb24-103061","2017","47.751074","-120.740139" "December 4, 2017","Stanford University","Palo Alto","California","DISC","EDU","10,000","""A student staff member of the Stanford Daily discovered a data breach and reported it to campus privacy authorities on November 9. The student was able to access unidentified sexual assault reports which were being collected under the Clery Act from 2005 to 2012. The data was stored on the Andrew Filed Sharing platform and was accessible to any AFS user, including those outside of Stanford, according to Stanford News. “We greatly appreciate the Stanford Daily’s responsible handling of the confidential information and for their prompt reporting to the university,” says Wendi Wright, Stanford’s chief privacy officer. “We were able to secure confidential AFS files within two hours of learning of the exposure and promptly launched an intensive investigation. 
In addition, we have urgently reached out to all managers of shared file servers to review access permissions and to delete old files.” While the University Privacy Office and the Graduate School of Business IT teams investigated the November 9 exposure, they discovered a file on November 21 which contained names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from an August 2008 snapshot. Confidential financial aid information for MBA students was accessible as well.""","Media","https://www.campussafetymagazine.com/university/stanford-rutgers-data-breach/","2017","37.441883","-122.143020" "December 4, 2017","Rutgers University","New Brunswick","New Jersey","DISC","EDU","1,700","""At Rutgers University, academic information for 1,700 students was exposed during a “data security” incident on November 8 and November 9, reports Tap into Plainfield. University spokesman Neal Buccino says the affected students were in the Department of Computer Science and shared information included ID numbers, cumulative GPAs and class schedules. No Social Security numbers, addresses or financial information were leaked, according to Buccino. The leak, blamed on an “administrative error”, was discovered when 18 students were able to access the data. 
The school notified the students who were able to view the information that the data was confidential.""","Media","https://www.campussafetymagazine.com/university/stanford-rutgers-data-breach/","2017","40.486216","-74.451819" "November 28, 2017","Alere Toxicology","","Massachusetts","DISC","MED","2,146","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 21, 2017","Humana Inc ","","Kentucky","DISC","MED","5,764","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 17, 2017","Clinical Pathology Laboratories Southeast","","Florida","PHYS","MED","500","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 17, 2017","The Medical College of Wisconsin, Inc.","","Wisconsin","HACK","EDU","9,500","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 16, 2017","Rocky Mountain Health Care Services","","Colorado","PHYS","MED","909","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 15, 2017","UPMC Susquehanna","","Pennsylvania","HACK","MED","1,208","Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 14, 2017","Sports Medicine & Rehabilitation Therapy, Inc.","","Massachusetts","HACK","MED","7,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 13, 2017","Family & Cosmetic Dentistry of the Rockies","","Colorado","PHYS","MED","1,850","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 10, 2017","The Lowell General Hospital","","Massachusetts","DISC","MED","769","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 10, 2017","Otolaryngology Associates of Central New Jersey, P.C.","","New Jersey","PHYS","MED","1,551","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 4, 2017","TIO Networks ","Vancouver","British Columbia","HACK","BSO","1,600,000","""PayPal's recently-acquired payment processor TIO Networks has revealed that up to 1.6 million customers have had their information stolen in a recent data breach. Last week, the Vancouver, Canada-based TIO Networks said that following the suspension of operations, evidence has been uncovered of a data breach due to ""unauthorized access."" In a statement, the company said that unknown attackers were able to gain access to ""locations that stored personal information of some of TIO's customers and customers of TIO 
billers."" In total, up to 1.6 million customers may have had their information leaked, which could include personally identifiable information (PII) or potentially financial data.""","Media","http://www.zdnet.com/article/paypals-tio-networks-reveals-data-breach-impacted-1-6-million-users/","2017","49.282729","-123.120738" "December 8, 2017","Mount Carmel Health System","","Ohio","DISC","MED","836","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 5, 2017","Bronson Healthcare Group","","Michigan","HACK","MED","8,256","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 5, 2017","Oklahoma Department of Human Services","","Oklahoma","HACK","MED","47,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 1, 2017","Sinai Health System ","","Illinois","HACK","MED","11,347","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 1, 2017","Washington Health System Greene","","Pennsylvania","PHYS","MED","4,145","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 1, 2017","CCRM Minneapolis, P.C.","","Minnesota","HACK","MED","3,280","Location of breached information: Network Server Business associate present: No ","US 
Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 6, 2017","Austin Manual Therapy Associates","","Texas","HACK","MED","1,750","Location of breached information: Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" 
"November 28, 2017","Hackensack Sleep and Pulmonary Center","","New Jersey","HACK","MED","16,474","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 27, 2017","University of Alabama at Birmingham","","Alabama","PHYS","EDU","652","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 27, 2017","Pulmonary Specialists of Louisville, PSC","","Kentucky","HACK","MED","32,000","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 22, 2017","Sutter Valley Medical Foundation d/b/a Sutter Medical Foundation","","California","PHYS","MED","1,303","Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 21, 2017","Baptist Health Louisville","","Kentucky","HACK","MED","880","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 21, 2017","Molina Healthcare","","Florida","DISC","MED","1,380","Location of breached information: Other Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 19, 2017","MidMichigan Medical Center-Alpena","","Michigan","PHYS","MED","1,900","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 15, 2017","Emory Healthcare ","","Georgia","DISC","MED","24,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 15, 2017","Chilton Medical Center","","New Jersey","PHYS","MED","4,600","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 15, 2017","NYU School of Medicine - Pediatric Surgery Associates","","New York","PHYS","MED","2,158","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 14, 2017","Compassion Care Hospice Las Vegas, LLC","","Nevada","HACK","MED","1,128","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 14, 2017","Memphis Pathology Laboratory d/b/a American Esoteric Laboratory ","","Tennessee","PHYS","MED","500","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 12, 2017","Midland County Hospital District d/b/a Midland Memorial Hospital ","","Texas","HACK","MED","1,160","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 12, 2017","Pharmacy Innovations","","New York","HACK","MED","1,205","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 11, 2017","University of South Florida, USF Health Care","","Florida","DISC","EDU","1,279","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 9, 2017","Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC)","","Illinois","PHYS","MED","22,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 28, 2017","SSM Health","","Missouri","DISC","MED","29,579","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 27, 2017","Longs Peak Family Practice, P.C.","","Colorado","HACK","MED","16,238","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 22, 2017","Kaiser Foundation Health Plan, Inc.","","California","DISC","MED","638","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 20, 2017","Absolute Dental Hygiene, LLC","","Oregon","HACK","MED","871","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 19, 2017","Dignity Health Medical Foundation","","California","DISC","MED","2,189","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 19, 2017","Sheldon M. 
Golden O.D., Optometric Corporation","","California","HACK","MED","7,583","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 14, 2017","Kaiser Foundation Health Plan, Inc.","","California","HACK","MED","4,389","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 8, 2017","Central Iowa Hospital Corporation d/b/a Blank Children's Hospital","","Iowa","DISC","MED","557","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 8, 2017","UNC Health Care System","","North Carolina","PHYS","MED","27,113","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 23, 2017","Ancestry's RootsWeb.com","Lehi","Utah","DISC","BSR","300,000","Ancestry's RootsWeb.com server, which hosts a free genealogical community site, exposed a file containing emails, login information, and passwords of 300,000 users. While the 300,000 accounts were affiliated with RootsWeb.com's surname list service that it retired earlier this year, 55,000 of the user names belonged to both the free RootsWeb.com site and also to Ancestry.com, which charges for some of its genealogical services.  
The company noted that 7,000 of the emails and log-in credentials belonged to active Ancestry.com users. RootsWeb does not host sensitive information like credit card and social security numbers, the company stated, further noting it has ""no reason to believe that any Ancestry systems were compromised."" https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update/","Media","https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update/","2017","40.391617","-111.850766" "January 8, 2018","Penn Medicine","King of Prussia","Pennsylvania","PORT","MED","1,000","About 1,000 patients at Penn Medicine are receiving letters saying a computer with some of their personal information on it was stolen. A laptop containing patient files was reported stolen from a car at the King of Prussia Mall parking lot on Nov. 30, according to a spokesperson at the University of Pennsylvania Health System. So far, there is no indication the computer has been turned on or the patient information accessed, they stated. Patient names, birth dates, medical records, account numbers, and some other demographic and medical information were on the computer.  There were no Social Security numbers, credit card or bank account information, patient addresses or telephone numbers stolen, according to Penn Medicine. Patients with questions can contact the Penn Medicine Incident Response Line at 1-833-214-8740.","Media","http://www.philly.com/philly/health/penn-medicine-patient-information-stolen-identity-theft-hipaa-20180102.html","2017","40.101286","-75.383553" "January 5, 2018","Flagship","Menlo Park","California","PHYS","BSF","0"," On or about December 5, 2017, Flagship determined that a company-owned HP Elite Laptop (“Laptop”) was missing from 190 Jefferson, Menlo Park, California 94025. The Laptop was kept in a secure facility and was password protected although the password was shared internally by up to ten employees. 
The Laptop was approximately four years old and was being used internally to operate B5000 software to process I-9 forms and to record information about individuals who were applying for employment with Flagship in the United States. The Laptop contained .pdf images of U.S. Passports presented with I-9 Forms. What Can You Do? Flagship is offering you one year of identity protection at no cost to you through Experian, one of the three nationwide credit bureaus. The identity protection product, called IdentityWorks Credit Plus, provides identity restoration services, fraud detection tools, and other benefits which includes monitoring your credit file. Starting today, if you suspect that your personal information has been used fraudulently, you can call Experian’s identity restoration agents to assist you to investigate and resolve any incidents of fraud. You may take advantage of this benefit, at any time, until 04/30/2018, by calling the following toll-free number: 1-877-890-9332. No enrollment or activation is necessary. The terms and conditions for identity restoration are located at: www.ExperianIDWorks.com/restoration. While identity restoration is immediately available to you, we also encourage you to activate the fraud detection tools available through Experian IdentityWorks™ as a complimentary one-year membership. This product provides you with superior identity detection and resolution of identity theft. To start monitoring your identity, please follow the steps below: • Ensure that you enroll by 04/30/2018. 
Your code will not work after this date. • Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/3bplus • Provide your activation code: W4DGYMRVP • The deadline for enrollment is 04/30/2018","California Attorney General","https://oag.ca.gov/system/files/FlagShip%20Data%20Breach%20Notification%20Letter%20January%202018_0.pdf","2017","37.452960","-122.181725" "January 5, 2018","BeautyBlender","Bethlehem","Pennsylvania","HACK","BSR","3,982","Beautyblender was recently contacted by two customers reporting fraud on credit cards used to make purchases on our site. Beautyblender discovered what it believed was a form of malicious code on its site on October 26, 2017 which it then removed. The specific information that may have been obtained by the unidentified third party included the customers’ name, billing address, full credit card number, expiration date, and CVV number, affecting 3,673 California residents. A third party forensic investigator was also retained to assist with beautyblender’s investigation. On November 27, 2017, the forensic investigator confirmed that the malware inserted into the website collected certain payment card information used at checkout. On January 5, 2018, beautyblender will begin providing written notice of this incident to all potentially affected customers, which includes three thousand, six hundred and seventy-three (3,673) California residents. On January 5, 2018, beautyblender will begin providing written notice of this incident to all potentially affected customers, which includes three hundred and nine (309) Oregon residents. 
","California Attorney General","https://oag.ca.gov/system/files/Rea.deeming%20Beauty%20-%20Notice%20of%20Data%20Event%20-%20CA%20-%20Exhibit%201_0.pdf","2017","40.625932","-75.370458" "January 5, 2018","LiveGlam, Inc.","Los Angeles","California","HACK","BSR","0","On December 11, 2017, we confirmed that an unauthorized individual may have gained access to a section of our online store at www.liveglam.com that processes customer orders. Our investigation has determined user information was stored on systems potentially accessed by the unauthorized individual. That information includes credit card numbers, and associated CVV codes. ","California Attorney General","https://oag.ca.gov/system/files/US%20-%20General%20Letters_0.pdf","2017","34.052234","-118.243685" "December 28, 2017","Forever21","Los Angeles","California","HACK","BSR","0","After receiving reports of access to payment cards used at certain Forever21 stores, an internal investigation determined that the encryption technology on some point-of-sale (POS) devices at some stores was not always on and also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.","California Attorney General","https://oag.ca.gov/system/files/Forever%2021%20CA%20Substitute%20Notice%2012.28.17_0.pdf","2017","34.052234","-118.243685" "December 18, 2017","Kaiser Foundation Health Plan, Inc.","","","DISC","MED","0","On or about October 9, 2017, a letter containing protected health information was inadvertently mailed to another Kaiser Permanente member. 
The data elements disclosed included the individual's name and prescription medication.","California Attorney General","https://oag.ca.gov/system/files/West%20LA%20breach-%20Adult%20PDF_0.pdf","2017","37.090240","-95.712891" "December 28, 2017","NextGen Global Resources","Chicago","Illinois","HACK","BSO","0","On November 12, 2017, we discovered that an employee had inadvertently responded to a phishing attack email, allowing an unauthorized person to create an email rule in that employee’s email account automatically forwarding incoming email to an unknown third party,  to date we have learned that the unauthorized access appears to date back to July 2017. Typically only the name of the worker was provided, or in some instances the name and the last four digits of the worker’s social security number with two exceptions: (i) for some workers accepted by the customer, the customer requested and received a follow up email with the first five digits of the worker’s social security number and date of birth, to complete the customer’s records; and (ii) for other workers, a customer confirmed the workers under consideration in a spreadsheet which included the worker’s name and social security number. ","","","2017","41.878114","-87.629798" "December 28, 2017","SAY San Diego","San Diego","California","DISC","NGO","0"," On October 27, 2017, SAY San Diego was notified by the County of San Diego Health & Human Services Agency (“HHSA”) that a citizen had returned some paper files to their office that were found in a filing cabinet purchased from a salvage store. The files were reviewed and assessed by our team on October 30, 2017 at which time we confirmed the documents in the files related to participants in SAY San Diego’s Dual Diagnosis youth program from January through June 2013. However, the files from March and April of 2013 were not returned, and have not been recovered to date. 
While we currently have no evidence that the information was subject to misuse, we have confirmed that the files contained the name, case number, dates and length of service, location of service, and provider name. The files did not contain any Social Security numbers, dates of birth, or Driver’s License numbers or financial account information.","California Attorney General","https://oag.ca.gov/system/files/SAY%20San%20Diego%20Ad%20r4fin_0.pdf","2017","32.715738","-117.161084" "January 11, 2018","Multnomah Athletic Club","Portland","Oregon","PHYS","BSR","250","Multiple shredding bins on the premises were stolen on Dec. 2, 2017. It is possible that one or more of the bins contained name, addresses, social security numbers, passports, driver's license numbers and/or bank account information. To date they are not aware of any reports of identity fraud or improper use of PII as a direct result of the incident. ","","https://justice.oregon.gov/consumer/DataBreach/Home/GetBreach/1161073650","2017","45.523062","-122.676482" "January 15, 2018","Jason's Deli - Deli Management, Inc. ","","","CARD","BSR","2,000,000","On December 22, 2017, Jason’s Deli was notified by payment processors that credit card security personnel had informed it that a large quantity of payment card information had appeared for sale on the “dark web,” and that an analysis of the data indicated that at least a portion of the data may have come from various Jason’s Deli locations. From our initial investigation findings, criminals deployed RAM-scraping malware on a number of our point-of-sales (POS) terminals at various corporate-owned Jason’s Deli restaurants. Based on the facts known to Jason’s Deli at this time, the Company believes that the criminals used the malware to obtain payment card information off of the POS terminals beginning on June 8, 2017. 
Our investigation has determined that approximately 2 million unique payment card numbers may have been impacted in total.","Government Agency","https://justice.oregon.gov/consumer/DataBreach/Home/GetBreach/593620175","2017","37.090240","-95.712891" "January 3, 2018","WEI Mortgage","","","HACK","BSF","263","On or around September 20, 2017, WEI Mortgage received reports of unusual activity in an employee’s email account. WEI Mortgage immediately launched an investigation to confirm the security of its network and determine the nature and scope of the incident, which included working with third-party forensic investigators. Through the investigation, WEI Mortgage learned it was the victim of an email phishing attack, resulting in unauthorized access to certain employee email accounts. The investigation determined personal information for certain individuals was present in impacted email accounts. Based upon available forensic evidence, it appears the impacted email accounts may have been subject to unauthorized access between September 13 and September 28, 2017. The investigation determined that the following information for certain Oregon residents was present in the impacted email accounts: name, address, and Social Security number. 
To date, the investigation has found no evidence of actual or attempted misuse of personal information present in the impacted email accounts. Notice to Oregon Residents: Beginning on or around December 8, 2017, WEI Mortgage began mailing written notice of this incident to potentially affected individuals, which includes approximately two hundred sixty-three (263) Oregon residents","Government Agency","https://justice.oregon.gov/consumer/DataBreach/Home/GetBreach/715950427","2017","37.090240","-95.712891" "January 15, 2018","High Plains Surgical Associates","","Wyoming","DISC","MED","607","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 8, 2018","Charles River Medical Associates, pc","","Massachusetts","PHYS","MED","9,387","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 5, 2018","Agency for Health Care Administration","","Florida","HACK","MED","30,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 5, 2018","Oklahoma State University Center for Health Sciences","","Oklahoma","HACK","EDU","279,865","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 2, 2018","Penn Medicine","","Pennsylvania","PHYS","MED","1,050","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 10, 2018","Alton Lane ","Concord","New Hampshire","HACK","BSR","1,208","In late Nov. 2017, Alton Lane received notice that in or about November of 2017, malicious code was injected into its IT systems, allowing unauthorized access to certain data, including personal and financial information, that was stored on or managed by the systems. The time period of this code appears to have impacted users is approximately November of 2016 through November of 2017, unauthorized users may have had access to consumer information collected by Alton Lane via its website, affecting five (5) New Hampshire residents. ","Government Agency","https://www.doj.nh.gov/consumer/security-breaches/documents/alton-lane-20180110.pdf","2016","43.208137","-71.537572" "January 22, 2018","Questar Assessment ","Jefferson County","Mississippi","HACK","EDU","663"," Mississippi education officials said Monday that a recently disclosed data breach by a testing vendor has exposed information from 663 students in Tupelo and Jefferson County. State Superintendent Carey Wright said that Questar Assessment believes an unauthorized user gained access to records from 2016 tests for 490 students at Tupelo Middle School, 72 at Tupelo High School and 101 at Jefferson County Junior High on Dec. 31 or Jan. 1. Among the items exposed were student names, state identification numbers, grade levels, teacher names and test results. 
Mississippi officials say they don't share addresses or Social Security numbers with Questar.","Media","https://www.usnews.com/news/best-states/new-york/articles/2018-01-22/breach-at-testing-vendor-exposes-mississippi-students-data","2016","39.580030","-105.266293" "January 21, 2018","Kansas - Crosscheck Program","","Kansas","DISC","GOV","945","Kansas Secretary of State Kris Kobach’s quest to discover voter fraud exposed sensitive data for nearly 1,000 Kansans when an official tried to compare partial Social Security numbers sent via an unsecured email to election staff in Florida. The revelation led the Florida Department of State to offer a year of free fraud detection and protection services in a news release issued Friday. In 2013, a Kansas official sent a list of 945 potential double registrants — Kansas and Florida voters who shared a first and last name and date of birth. The spreadsheet, sent over an unsecured email, included Kansans’ partial Social Security numbers, and the official requested that Florida officials check the list with their voters’ Social Security numbers to verify the identities truly matched. The Florida Department of State then released that list in September in response to an open records request filed by Anita Parsa, a Mission Hills resident interested in Kansas’ role leading Crosscheck.","Media","http://www.gctelegram.com/news/20180121/crosscheck-compromises-945-voters-data","2013","37.090240","-95.712891" "January 19, 2018","Questar Assessment ","Apple Valley","Minnesota","HACK","EDU","52","A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday. Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. 
The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores.","Media","http://newyork.cbslocal.com/2018/01/19/questar-data-breach/","2017","34.500831","-117.185876" "January 19, 2018","OnePlus","Shenzhen","Guangdong","HACK","BSR","40,000","OnePlus has confirmed that up to 40,000 customers have been affected by a credit card breach, in the latest embarrassing misstep for the Chinese handset maker. The news comes several days after OnePlus shut down credit card processing following complaints from customers about fraudulent charges landing on their cards after they bought products through OnePlus’s online store. OnePlus offered an explanation of what had happened on its website. “One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.” The affected users entered their card information on OnePlus’s store between mid-November and January. Customers who made purchases with a saved card “should not” be affected, OnePlus said. The same goes for ones who paid with PayPal or credit card via PayPal. 
Affected users will be offered a year of credit monitoring.","Media","https://forums.oneplus.net/threads/jan-19-update-an-update-on-credit-card-security.752415/","2017","22.543096","114.057865" "January 25, 2018","Rocky Mountain Women's Health Center, Inc.","","Utah","PHYS","MED","1,123","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 23, 2018","Central States Southeast and Southwest Areas Health and Welfare Fund","","Illinois","DISC","MED","634","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 22, 2018","RGH Enterprises, Inc.","","Ohio","DISC","MED","4,586","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 19, 2018","Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.","","Maryland","HACK","MED","5,228","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 18, 2018","The Pediatric Endocrinology and Diabetes Specialists","","Nevada","HACK","MED","1,021","Location of breached information: Desktop Computer, Electronic Medical Record, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 12, 2018","Western Washington Medical Group Inc.","","Washington","PHYS","MED","842","Location of breached information: Paper/Films 
Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 12, 2018","Pedes Orange County, Inc.","","California","DISC","MED","917","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 12, 2018","Onco360 and CareMed Specialty Pharmacy ","","Kentucky","HACK","MED","53,173","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 9, 2018","Alicia Ann Oswald","","California","DISC","MED","800","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 8, 2018","Palomar Health (Palomar Medical Center (Escondido)","","California","DISC","MED","1,309","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 1, 2018","Department of Homeland Security ","","District Of Columbia","HACK","GOV","246,167","A data breach at the Department of Homeland Security has exposed the personal information of more than 240,000 current and former DHS employees, such as their social security numbers, dates of birth, positions, grades, and duty stations, the agency said. On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System.  
The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized transfer of data. What we know: The department said the breach was not carried out as part of a ""cyber-attack by external actors."" Instead, the data was discovered in the possession of a former employee of the agency's Office of Inspector General during an ongoing criminal investigation last May. ","Government Agency","https://www.dhs.gov/news/2018/01/18/privacy-incident-involving-dhs-oig-case-management-system-update","2017","37.090240","-95.712891" "January 24, 2018","Gourmesso","","Maine","CARD","BSR","1","Discover Card account information of 1 Maine citizen breached. ","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","37.090240","-95.712891" "January 19, 2018","Rosewood Hotel Group","","Maine","UNKN","BSR","8","Guest name and payment card information (cardholder name, payment card number, exp date and security code) for 8 records breached.","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","37.090240","-95.712891" "January 19, 2018","Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.(Rockville, MD)","Rockville","Maryland","UNKN","BSR","12","Name, address, birthdate, SSN, financial account information & protected health information for 12 Maine citizens breached.","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","39.083997","-77.152758" "January 12, 2018","PharMerica Corporation","","Maine","UNKN","MED","135","Demographic info, medication and clinical info, health insurance info and SSN of 135 Maine Citizens breached. 
Some may have had their financial account info impacted as well","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","37.090240","-95.712891" "January 18, 2018","Employer Leasing Company","Poway","California","UNKN","BSO","912","Name or other personal identifier in combination with SSN and Driver's license number or non-driver ID number for one Maine citizen breached.","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","32.962823","-117.035865" "January 12, 2018","Monticello Central School District","Monticello","New York","UNKN","EDU","2,598","Name or other personal identifier in combination with SSN for 2 Maine citizens breached.","Security Breach Letter","http://www.maine.gov/ag/consumer/identity_theft/","2017","38.008604","-78.453199" "January 5, 2018","Northeast Arc","Danvers","Massachusetts","UNKN","BSO","1,837","Name or other personal identifier in combination with SSN, and financial account number or credit or debit card number, in combination with the security code, access code, password, or PIN for the account for 1837 records, and 3 Maine citizens breached.","Security Breach Letter","http://www.maine.gov/ag/consumer/identity_theft/","2014","42.575001","-70.932122" "December 29, 2017","Mid-Atlantic Carpenters' Training Center","Marlboro","Maryland","UNKN","BSO","9","Name or other personal identifier in combination with SSN, Driver's license number or non-driver ID number for 9 Maine citizens breached.","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2017","40.338095","-74.268729" "January 1, 2018","Tio Networks","Livonia","Michigan","UNKN","BSO","336","Name, contact information and subscriber/billing account numbers (also payment card info, bank acct info, SSN and other government ID numbers and account usernames and passwords for an estimated 336 Maine citizens breached.","Government Agency","http://www.maine.gov/ag/consumer/identity_theft/","2014","42.368370","-83.352710" 
"January 29, 2018","Nevro","Dublin","Ohio","PHYS","MED","1","What Happened? Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored.We have no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about your treatment relationship with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise you of these equipment thefts.  What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider.Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. 
None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device","Security Breach Letter","https://oag.ca.gov/system/files/Notification%20Letter%20-%20%20Nevro_0.pdf","2017","40.099229","-83.114077" "January 26, 2018","Jeffrey Born, CPA, Inc.","Portland","Oregon","PHYS","BSF","250","Office was physically broken into and that two password protected laptops were stolen. The Sacramento County Sheriff’s Department was immediately called and promptly arrived at the office, investigating the matter. What Information Was Involved? This may have included : full name, birthdate, telephone number, address, Social Security number, all employment (W-2) and self-employment information, 1099 information (including account number if provided to my office), entity identification and income earned/amounts received from participation in S-Corp/partnership/LLC/trust, Affordable Care Act insurance data (your medical insurance policy number if you provided us with a Form 1095-A), and direct deposit bank account information (including account number and routing information if provided to my office).","Security Breach Letter","https://oag.ca.gov/system/files/Born%20Notification_0.pdf","2017","45.523062","-122.676482" "February 1, 2018","Steven Yang, D.D.S., Inc.","Reseda","California","PHYS","MED","1","What Happened On the morning of January 6, 2018,  dental office was burglarized and two laptops were stolen. Once discovered, the matter was immediately reported to the Los Angeles Police Department and an internal investigation was started to determine what, if any, health information may have been stored on those devices. What Information Was Involved An investigation has determined that files contained on those devices may have included names, addresses, social security numbers, health insurance numbers and other information regarding California citizens' dental care. 
To date, they have been unable to locate the stolen devices. ","Security Breach Letter","https://oag.ca.gov/system/files/T875_v02%20-%20Notice_0.pdf","2018","34.201114","-118.536052" "January 24, 2018","Gourmesso","","Maine","UNKN","BSR","1","Discover Card account information of 1 Maine citizen breached.","","","2017","37.090240","-95.712891" "February 5, 2018","City of Detroit","","Michigan","PHYS","MED","544","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 2, 2018","Eastern Maine Medical Center","","Maine","PHYS","MED","660","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 1, 2018","Forrest General Hospital","","Mississippi","HACK","MED","1,670","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 26, 2018","Steven Yang, D.D.S., INC.","","California","PHYS","MED","3,202","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 26, 2018","Decatur County General Hospital","","Tennessee","HACK","MED","24,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 22, 2018","Robert Smith DMD, PC","","Tennessee","HACK","MED","1,500","Location of breached information: Network Server Business 
associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 10, 2018","Alton Lane","","New Hampshire","HACK","BSR","5","In late November 2017, Alton Lane received notice that in or about November 2016, malicious code was injected into its information technology systems. Unauthorized users may have had access to consumer information collected by Alton Lane via its website. ","Security Breach Letter","https://www.doj.nh.gov/consumer/security-breaches/documents/alton-lane-20180110.pdf","2017","37.090240","-95.712891" "February 2, 2018","Ron's Pharmacy Services","San Diego","California","HACK","MED","500","On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. Ron’s Pharmacy immediately changed the employee’s credentials and commenced an investigation, with the assistance of third-party forensic investigators, to determine what happened. As part of this investigation, determined that the employee’s email account was subject to unauthorized access and certain emails were viewed as a result of the unauthorized individual(s) using software to crack the employee’s email account password. On December 21, 2017, as part of Ron’s Pharmacy’s ongoing investigation, it was determined that the following information relating was accessed:  names,  internal account numbers at Ron’s Pharmacy, prescription medication information, and payment adjustment information, which relates to credits made to accounts. Importantly, no Social Security, health insurance, or financial account information was accessed.","","","2017","32.715738","-117.161084" "February 2, 2018","Advanced-Online","","California","HACK","BSR","500","Advanced-Online learned on January 3, 2018 that certain personal information housed on the company’s online platform may have been subject to unauthorized access. 
The date range for the incident appears to be April 29, 2017 until January 12, 2018. Upon becoming aware of the potential unauthorized access, Advanced-Online promptly engaged a nationally recognized cybersecurity and forensics firm to assess and address the situation. WHAT INFORMATION WAS INVOLVED? Advanced-Online and our cybersecurity and forensics firm believe that the following categories of information may have been compromised: name, address, username/email address, password, and payment card information (account number, expiration date, CVV number).","","","2017","37.090240","-95.712891" "February 7, 2018","Nevro","","California","HACK","MED","500","Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored. Nevro has no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about individual customer treatment relationships with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise customers of these equipment thefts. What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. 
The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider. Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device.","Security Breach Letter","https://oag.ca.gov/system/files/Notification%20Letter%20-%20%20Nevro_0.pdf","2017","37.090240","-95.712891" "February 2, 2018","The Sacramento Bee","Sacramento","California","DISC","BSR","19,501,300","The Sacramento Bee said in a statement that a firewall protecting its database was not restored during routine maintenance last month, leaving the 19,501,258 voter files publicly accessible. Additionally, the names, home addresses, email addresses, and phone numbers of 52,873 Sacramento Bee subscribers were compromised. “We take this incident seriously and have begun efforts to notify each of the individuals on the contact list and to provide them resources to help guard against potential misuse of their personal contact information,” the paper said in a statement. “We are also working with the Secretary of State’s office to share with them the details of this intrusion.”","Media","https://gizmodo.com/sacramento-bee-leaked-19-5-million-california-voter-rec-1822835127","2018","38.581572","-121.494400" "January 18, 2018","University of Idaho","Moscow","Idaho","HACK","EDU","257","The university detected that one of their accounts was being used to send phishing email. An investigation determined that the employee's email messages contained personal information for 257 individuals. 
Information included names, addresses and social security numbers. ","Security Breach Letter","","2017","0.000000","0.000000" "February 8, 2018","Riverside Unified School District","Riverside","California","DISC","EDU","1","On December 5, 2017, a San Diego County office of Education employee inadvertently sent an employee retirement contribution spreadsheet to San Diego County Office of Education's retirement contribution contacts at forty-four (44) school districts throughout Southern California. The impact likely affected 1 Idaho resident.","Security Breach Letter","","2017","0.000000","0.000000" "January 19, 2018","Idaho Transportation Department","","Idaho","HACK","GOV","8","On Jan. 2, 2018, the Idaho Transportation Department's Cyber Security Unit discovered an internal email account was compromised through a phishing attack. The Division of Motor Vehicles employee account was accessible from Nov. 11, 2017 through Dec. 7, 2017. The email account contained personal identifiable and payment card information for eight individuals. ","Security Breach Letter","","2017","37.090240","-95.712891" "January 8, 2018","CyrusOne, Inc.","Dallas","Texas","DISC","BSR","402","CyrusOne, Inc. learned of a breach on 10/18/2017 affecting 402 Indiana residents. Breach resulted in social security numbers being exposed.","Security Breach Letter","","2017","32.776664","-96.796988" "January 8, 2018","Cetera Advisors, LLC","Denver","Colorado","HACK","BSF","1,280","Cetera Advisors, LLC suffered a hack on 11/8/2017, affecting 1,260 records, exposing social security numbers.","Security Breach Letter","","2017","39.739236","-104.990251" "January 5, 2018","Rea.deeming Beauty, Inc. /d/b/a/ beautyblender","Bethlehem","Pennsylvania","HACK","BSO","18,133","On 4/23/2015 Rea.deeming Beauty, Inc. suffered a data breach affecting 18,133 records, including credit card or financial account information. The breach was discovered on 11/27/2017 and consumers were notified on 1/5/2018.  
","Security Breach Letter","","2017","40.625932","-75.370458" "January 9, 2018","talentReef, Inc.","Denver","Colorado","HACK","BSO","11,603","On Nov. 29, 2017, talentReef, Inc. discovered that an unauthorized individual may have gained access to an employees email account. The breach affected 11,603 records, including Social security numbers, name, driver's license number, credit card or financial information and debit card numbers. ","Security Breach Letter","","2017","39.739236","-104.990251" "January 11, 2018","Fidelity Investments","Boston","Massachusetts","DISC","BSF","348","Fidelity Investments suffered an inadvertent disclosure on 11/24/17 that affected 348 records, including social security numbers. ","Security Breach Letter","","2017","42.360083","-71.058880" "January 10, 2018","Broward College","Fort Lauderdale","Florida","HACK","EDU","44,000","On or about August 3, 2017, Broward College employees received a spam phishing email to their email accounts. The school learned that certain employees had clicked on the link and provided their credentials. Between July 18, 2017 and September 8 2017, Broward college determined that records were exposed including name, date of birth, address, social security number, financial account numbers, credit/debit card numbers, and/or driver's license or state identification card number. The breach affected 44,000 records.","Security Breach Letter","","2017","26.122439","-80.137317" "January 10, 2018","St. Vincent Warrick","Boonville","Indiana","DISC","MED","1","St. Vincent learned of an inadvertent disclosure of 1 record on 12/15 2017, including name and social security number, and notified the consumer on 1/10/2018. ","","","2017","38.973639","-92.743242" "January 12, 2018","Guaranteed Rate, Inc.","Chicago","Illinois","HACK","BSF","187,788","Guaranteed Rate, Inc. 
suffered a breach on 6/9/2017 until 10/2/2017 affecting 187,788 records, including Social Security numbers, names, driver's license numbers, credit and debit card information and account information, and state ID numbers. ","Security Breach Letter","","2017","41.878114","-87.629798" "January 12, 2018","Onco360 and CareMed Speciality Pharmacy","Louisville","Kentucky","HACK","MED","53,173","Breach affecting 53,173 records was reported on 1/12/2018, including social security numbers, names, and credit card or financial account information. ","Security Breach Letter","","2017","38.252665","-85.758456" "January 12, 2018","Hallmark Home Mortgage","Columbus","Ohio","INSD","BSF","2,816","Hallmark suffered a breach on 11/17/2017 that affected 2816 records, including SS numbers, Names, Drivers License Numbers, and Credit Card or Financial Account Information.","Security Breach Letter","","2017","39.961176","-82.998794" "February 13, 2018","Pension Fund of the Christian Church","Indianapolis","Indiana","PHYS","NGO","20,966","On Dec. 16, 2017, Pension Fund learned that a password protected employee laptop had been stolen that contained personal information for 10981 records, including SS numbers, as well as credit card or financial account information. ","Security Breach Letter","","2017","39.768403","-86.158068" "January 17, 2018","Ameriprise Financial, Inc.","Minneapolis","Minnesota","DISC","BSF","56","Ameriprise Financial suffered an inadvertent disclosure of 56 records, including SS numbers and names. 
","Security Breach Letter","","2017","44.977753","-93.265011" "January 22, 2018","Tx: Team Rehab, Inc.","Indianapolis","Indiana","HACK","MED","56","Tx:Team suffered a hack on 10/30/2017 that affected 6 records, including SS numbers as well as names and credit card or financial account information.","Security Breach Letter","","2017","39.768403","-86.158068" "January 19, 2018","Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.","Rockville","Maryland","HACK","NGO","9,769","On 16/21/2017 Westminster Ingleside suffered a hack that affected 9769 records, including SS numbers, names, and credit card or financial account information. ","Security Breach Letter","","2017","39.083997","-77.152758" "January 17, 2018","Franciscan Health Indianapolis","Indianapolis","Indiana","DISC","MED","2","On 1/6/2018 Franciscan Health Indianpolis suffered a hack that affected 2 records, including names as well as driver's license numbers.","Security Breach Letter","","2018","39.768403","-86.158068" "February 13, 2018","Community Hospital of Bremen","Bremen","Indiana","DISC","MED","115","On 1/17/2018, suffered a breach affecting 115 records. Acquired information includes SS numbers and names.","Security Breach Letter","","2018","33.721218","-85.145504" "January 22, 2018","The Coca-Cola Company","Atlanta","Georgia","HACK","BSR","2,181","In July, 2017, The Coca-Cola company suffered a phishing attack that resulted in the exposure of 2181 records, which included social security numbers. ","Security Breach Letter","","2017","33.748995","-84.387982" "February 13, 2018","Mindlance, Inc.","Union","New Jersey","HACK","BSO","3,085","On 12/28/2017, Mindlance, Inc. suffered a system breach (hack) that affected 3085 records, including SS numbers and names. 
","Security Breach Letter","","2017","40.697590","-74.263164" "January 17, 2018","Valley of the Sun YMCA","Phoenix","Arizona","HACK","NGO","2,649","On 9/21/2017 Valley of the Sun YMCA suffered a system breach (hack) that affected 2649 records, which included names as well as credit card or financial account information.","Security Breach Letter","","2017","33.448377","-112.074037" "January 12, 2018","Deconess Hospital","Evansville","Indiana","INSD","MED","4","On 12/08/2017, as a result of insider wrong-doing, Deaconess Hospital suffered a breach that resulted in the exposure of 4 records including Social Security numbers.","Security Breach Letter","","2017","37.971559","-87.571090" "January 25, 2018","The National Registry of Emergency Medical Technicians","Columbus","Ohio","HACK","MED","843","On 11/17/2017 The National Registry of Emergency Medical Technicians suffered a hack affecting 843 records, including first and last names, address information ,and Social Security numbers. ","Security Breach Letter","","2017","39.961176","-82.998794" "January 26, 2018","Goldleaf Partners Services, Inc.","Bloomington","Minnesota","HACK","BSF","6,020","On 10/31/2017 Goldleaf Partners Services, Inc. suffered a hack that affected 6020 records, including Social Security numbers as well as names and credit card or financial account information.","Security Breach Letter","","2017","39.165325","-86.526386" "January 26, 2018","Member First Mortgage, LLC","Grand Rapids","Michigan","HACK","BSF","36,840","On 11/25/2017 Member First Mortgage, LLC, experienced an unauthorized access to their internal systems exposing 36840 records, including Social Security numbers as well as names and credit card or financial account information. 
","Security Breach Letter","","2017","42.963360","-85.668086" "January 23, 2018","Union Hospital","Terre Haute","Indiana","DISC","MED","1","Union Hospital suffered an inadvertent disclosure on approximately 1/18/16 that resulted in 1 record being exposed, which included social security numbers. ","Security Breach Letter","","2016","39.466703","-87.413909" "January 26, 2018","Pentair Aquatic Eco Systems, Inc.","Apopka","Florida","HACK","BSO","239","Pentair Aquatic Eco Systems, Inc., suffered a hack on 12/19/2017 that resulted in the exposure of 239 records, which included names, credit card or financial account information and debit card numbers.","Security Breach Letter","","2017","28.693408","-81.532215" "January 23, 2018","Carite Inc.","Madison Heights","Michigan","HACK","BSO","346","On 1/17 2018 Carite Inc. suffered a breach affecting 346 records, including social security numbers and names. ","Security Breach Letter","","2018","42.485869","-83.105203" "January 5, 2018","RBC Royal Bank","Toronto","Ontario","HACK","BSF","66,000","On 10/3/2017 the RBC Royal Bank suffered a hack that affected approximately 66,000 records, which included credit card or financial account information. ","Security Breach Letter","","2017","43.653226","-79.383184" "January 2, 2018","Multnomah Athletic Club","Olympia","Washington","HACK","BSO","661","Multnomah Athletic Club suffered a security breach that resulted in the exposure of six hundred sixty one (661) Washington residents, when multiple shredding bins located on the premises were stolen by multiple unknown individuals on December 2, 2017. 
","Security Breach Letter","http://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Another/Supporting_Law_Enforcement/MultnomahAthleticClub.2018-01-10.pdf","2017","47.037874","-122.900695" "February 5, 2018","Partners HealthCare System, Inc.","","Massachusetts","HACK","MED","2,450","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 5, 2018","CarePlus Health Plan [case #HU1800066]","","Kentucky","DISC","MED","11,248","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 2, 2018","Ron's Pharmacy Services ","","California","HACK","MED","6,781","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 2, 2018","Triple-S Advantage, Inc. 
","","","DISC","MED","36,305","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 1, 2018","Coastal Cape Fear Eye Associates, P.A.","","North Carolina","HACK","MED","925","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 29, 2018","QuadMed","","Wisconsin","DISC","MED","4,549","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 25, 2018","Zachary E. Adkins, DDS","","New Mexico","PHYS","MED","3,677","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 18, 2018","Gillette Medical Imaging","","Wyoming","DISC","MED","4,476","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 19, 2018","FedEx","","Tennessee","DISC","BSR","119,000","Personal information of thousands of FedEx customers worldwide was exposed on the web due to an Amazon Web Services (AWS) cloud storage server which was not secured with a password. 
Security researchers from Kromtech Security found the open AWS bucket which contained 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes.  ","Media","https://www.cbronline.com/news/fedex-aws-silo-leak","2017","37.090240","-95.712891" "February 26, 2018","Massachusetts Department of Revenue","","Massachusetts","UNKN","GOV","39,000","Officials with Massachusetts' tax collection agency suffered a data breach affecting 39,000 business taxpayers. The breach lasted from early August through Jan. 23, 2017, and allowed companies to view other business's names, tax identification numbers, amount and date of tax payments, number of employees and banking information about their payroll processor. Only one social security number was exposed.","Media","http://www.thestate.com/news/business/national-business/article201539559.html","2017","37.090240","-95.712891" "February 22, 2018","University of Alaska","Fairbanks","Alaska","HACK","EDU","50","A data breach at the University of Alaska has impacted dozens of current and former employees and students, officials said. . . . The university said the accounts of 50 people were impacted.","Media","https://www.seattletimes.com/nation-world/data-breach-at-university-of-alaska-impacts-staff-students/","2018","0.000000","0.000000" "February 21, 2018","Missouri Dept. of Mental Health","","Missouri","DISC","MED","1,000","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 10, 2018","PetSmart, Inc.","Phoenix","Arizona","HACK","BSR","1,434","PetSmart suffered a breach affecting 1,434 records from 12/19/2017-12/26/2017. 
The breach was discovered on 12/22/2017 and notified the public on 1/10/2018","Security Breach Letter","","2017","33.448377","-112.074037" "February 26, 2018","Southern National Bancorp of Virginia, Inc. d/b/a/ Sonabank","Glen Allen","Virginia","HACK","BSF","24,999","Southern National Bancorp of Virginia suffered a breach affecting 24,999 records, including social security numbers, driver's license number or non-driver identification card numbers, as well as financial account numbers or credit card numbers, in combination with the security code, access code, password or PIN for the account. ","Security Breach Letter","","2017","37.665978","-77.506374" "February 27, 2018","University of Virginia Health System","Charlottesville","Virginia","HACK","EDU","1,882","""A laptop computer and other computing devices of a physician affiliated with the University of Virginia Health System allowed an unauthorized individual to see medical information that the physician was viewing on his devices. The unauthorized access continued for about 18 months, and now, 1,882 patients are being notified and encouraged to review healthcare statements and call their insurer if there are charges for services they did not receive. . . . On December 23, 2017, the health system determined that the unauthorized third-party may have been able to view patient information from May 3, 2015 to December 27, 2016. Compromised protected health information included patient names, diagnoses, treatments, addresses and dates of birth. Social Security numbers and financial information were not accessed."" ","Media","https://www.information-management.com/news/social-security-numbers-and-financial-information-were-not-accessed","2017","0.000000","0.000000" "February 20, 2018","Riverside Logistics Services","Henrico","Virginia","DISC","BSR","142","On February 5, 2018, personal information for certain employees and former employees may have been accessed without authorization. 
As soon as Riverside discovered the incident, it reported the matter to the FBI’s Internet Crime Complaint Center and notified the Internal Revenue Service/Criminal Investigation to prevent fraudulent activity.","Security Breach Letter","","2018","37.505933","-77.332443" "February 20, 2018","OneMain Financial","Baltimore","Maryland","PHYS","BSF","1","The branch received customer files from a branch that closed. A review of the files revealed that one customer file was missing.","Security Breach Letter","","2018","39.290385","-76.612189" "March 2, 2018","Trimont Real Estate Advisors","Atlanta","Georgia","HACK","BSF","6","From approximately January 30, 2018, through February 6, 2018, an unknown person, without authorization, had access to the business email account of a Trimont employee. Trimont first learned that the account was potentially compromised on February 6, 2018, and immediately terminated the intruder's access to the email account and launched an investigation. The investigation has determined that the compromise began with a phishing email sent by the unknown person to the employee on January 30, 2018.","Security Breach Letter","","2018","33.748995","-84.387982" "February 19, 2018","Cascade Health Services, LLC","Seattle","Washington","INSD","MED","700","On January 26, 2018, Cascade Training Center learned that a company employee gained unauthorized access to the company's payroll and payment platform. Records taken include Account numbers, Drivers license numbers and SSN","Security Breach Letter","","2018","47.606210","-122.332071" "February 19, 2018","American Neighborhood Mortgage Acceptance Company LLC d/b/a AnnieMac Home Mortgage","Mount Laurel","New Jersey","HACK","BSF","109","""Unauthorized parties accessed certain AnnieMac Home Mortgage employee email accounts through an email phishing scheme. 
After learning of this incident, AnnieMac Home Mortgage conducted a thorough investigation and determined that the unauthorized parties gained access to the personal information of some of our customers. The personal information that was the subject of the incident was in electronic form."" Records exposed include Account Number and SSN","Security Breach Letter","","2018","39.934002","-74.890999" "February 16, 2018","Wesley Enhanced Living","Media","Pennsylvania","DISC","MED","300","Wesley Enhanced Living suffered a breach affecting SSN records of 300 record holders. ","Security Breach Letter","","2018","39.916778","-75.387693" "February 16, 2018","Jemison Internal Medicine, PC","Jemison","Alabama","HACK","MED","6,550","Recently, Jemison's computer system was infected by a ransomware virus that encrypted its electronic medical records system containing its patient's medical records. The ransomware demanded monetary payment from JIM in order to decrypt the files and allow the practice to regain access to them. JIM did not pay the ransom to the cyber criminals, but was instead able to restore its files and the functionality of its system through backup records. Subsequent scans of JIM's system show no further sign of the ransomware, and its investigation does not show any indication that the ransomware exfiltrated any data off its system. However, through its investigation of the incident, JIM discovered that its computer system previously had been accessed without its knowledge by unauthorized individuals not affiliated with JIM between September and December 2017. 
JIM is not able to confirm which, if any, files or patient information were accessed by these unauthorized individuals, but it is possible that they could have accessed JIM's electronic medical records system containing patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver's license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information. Although JIM is unable to confirm that any personally identifying information or patient health information was accessed by unauthorized individuals, out of an abundance of caution and because of its commitment to data security and privacy, JIM is notifying all of its patients about the incident in compliance with the Health Insurance Portability and Accountability Act (HIPAA).","Security Breach Letter","","2017","32.959845","-86.746652" "February 16, 2018","Navistar, Inc.","Lisle","Illinois","DISC","BSR","253","A third-party vendor failed to follow instructed mailing folding protocols. As a result, personal information may have been visible through the envelope window of 1099 mailings, when only a name and address were meant to be seen. Records breached include SSN.","Security Breach Letter","","2018","41.801141","-88.074788" "February 16, 2018","Marriott International Inc.","Bethesda","Maryland","HACK","BSR","27","Specifically, on February 5, 2018, Marriott discovered that between January 23, 2018 and February 5, 2018, a third party obtained unauthorized access to employee information. A third party successfully posed as a Marriott employee by providing valid employee credentials in order to obtain access to Marriott employee Human Resources accounts. Through investigation, have determined that third party had access to the employees' direct deposit information, pay statement and W2 information. 
Marriott has taken steps to block access to compromised employee accounts and are actively monitoring for fraudulent activity. Breached records include SSN and Account #.","Security Breach Letter","","2018","38.984652","-77.094709" "February 16, 2018","Country Mutual Insurance Company","Bloomington","Illinois","PHYS","BSF","1,418","""A large mailing was mailed out by our third party vendor. Three COUNTRY Financial packages containing documents with individual personally identifiable information (PII) failed to be delivered by the United States Postal Service to the servicing COUNTRY Representative. They have also been unable to track the current location of these three packages. One additional package containing the same documents was damaged while in transit with the United States Postal Service. In their attempt to resolve the issue they removed the documents and repackaged them. All documents were received by the COUNTRY Representative."" Records breached include Account Numbers and SSN.","Security Breach Letter","","2018","39.165325","-86.526386" "March 2, 2018","Novozymes US, Inc.","Davis","California","HACK","BSR","158","On or about December 25, 2017, an unauthorized individual executed an email-based attack and gained access to certain emails from a Novozymes employee's email account. Some of the email potentially accessed included the personal information of North Carolina residents. Novozymes discovered the breach on January 11, 2018 and took immediate action to prevent further unauthorized access. Novozymes also promptly investigated the issue, engaged outside counsel, and is notifying affected individuals and offering them consumer protection services. 
Novozymes is reviewing its policies and procedures and evaluating additional safeguards to help prevent this type of incident in the future.Breached records include Account #, Driver's License, Passport, SSN.","Security Breach Letter","","2018","38.544907","-121.740517" "February 15, 2018","Balasa Dinverno Foltz LLC","Chicago","Illinois","HACK","BSF","76","On 01/ 24, Aperio, an investment manager that manages certain BDF client assets through its portfolio management platform, informed us that some of our client data was unintentionally compromised.On 01/11, Aperio discovered two Aperio employee email accounts were compromised by a phishing scam that placed an unauthorized auto-forward rule on such accounts. All emails (including emails with sensitive information) sent to such accounts from 08/21/2017 to 01/11/2018 were blind cc'd to two external email addresses.","Security Breach Letter","","2018","41.878114","-87.629798" "February 15, 2018","The Saint Louis Trust Company","St. 
Louis","Missouri","HACK","BSF","90","The Saint Louis Trust Company suffered a breach affecting 90 records, which included Account #.","Security Breach Letter","","2018","38.627003","-90.199404" "February 15, 2018","Dollar General Corporation","Goodlettsville","Tennessee","DISC","BSR","43","On January 15, 2018, one of our service providers, Ernst & Young LLP (EY), became aware that on three separate occasions during the week of January 8, 2018, one of their tax professionals had mistyped a fax number while transmitting a total of forty-four (44) Tax Credit and Incentive Forms which contained personal information pertaining to 43 current employees and prospective hires of Dollar General. These faxes were transmitted in connection with the Work Opportunity Tax Credit (WOTC) services EY provides to Dollar General. Due to the EY tax professional transposing digits in the fax number, the Forms were sent to an unintended recipient's fax machine (instead of the fax machine located at another EY office).","Security Breach Letter","","2018","36.323107","-86.713330" "February 15, 2018","LendKey Technologies, Inc.","New York","New York","DISC","MED","6,403","LendKey Technologies, Inc. suffered a breach affecting 6403 records, including Account Numbers, Driver's Licenses, and SSN.","Security Breach Letter","","2018","43.299429","-74.217933" "February 15, 2018","UNC Health Care","Chapel Hill","North Carolina","DISC","MED","1","Patient's personal information was accidentally faxed to another patient's daughter. The error was immediately identified and the recipient was quickly contacted. The recipient agreed to delete the electronic fax.","Security Breach Letter","","2018","35.913200","-79.055845" "February 15, 2018","Hobe & Lucas Certified Public Accountants, Inc.","Independence","Ohio","HACK","BSR","91","On November 17, 2017, Hobe & Lucas discovered that an unknown individual gained access to an employee's email account. 
Hobe & Lucas quickly responded by taking action to prevent any further access, and immediately conducted an investigation to determine what information was potentially accessible during the intrusion. It is possible that potentially accessible email correspondence contained clients' personal information, including their name, address and Social Security number.","Security Breach Letter","","2017","39.091116","-94.415507" "February 15, 2018","Massachusetts Mutual Life Insurance Company","Springfield","Massachusetts","HACK","BSF","27","Massachusetts Mutual Life Insurance Company suffered a breach affecting 27 records, including Account # and SSN.","Security Breach Letter","","2018","42.101483","-72.589811" "February 9, 2018","OneMain Financial","Baltimore","Maryland","HACK","BSF","1,253","""An unauthorized individual apparently compromised the personal or work email accts of OneMain customers, & used the email accts to access certain customers OneMain online accts. Based on the review, it does not appear that OneMain was the source of or responsible for the apparent compromise of accts. The personal info involved may have included 1st & last name, phone #, OneMain loan acct #, OneMain rewards acct, & type of ins. purchased.""","Security Breach Letter","","2018","39.290385","-76.612189" "February 14, 2018","Engle Martin & Associates","Atlanta","Georgia","HACK","BSF","2,508","Engle Martin & Associates suffered a breach affecting 2508 records, including account # and SSN.","Security Breach Letter","","2018","33.748995","-84.387982" "February 14, 2018","Palo Alto Unified School District","Palo Alto","California","PHYS","EDU","353","On January 18, 2018, Palo Alto Unified School District learned that an employee was storing confidential parent information on his laptop. This same employee had a prior laptop stolen and based on this information, the District conducted an investigation to determine whether personal information was affected by the prior incident. 
The District's investigation determined that although the stolen laptop was password protected, confidential information may have been stored on the device, including the name, address, and Social Security number for seven (7) North Carolina residents. The District will begin notifying North Carolina residents by U.S. Mail in accordance with North Carolina law in substantially the same form as the document enclosed herewith. The District is also offering the affected individuals a complimentary one year membership in credit monitoring and identity theft protection services through Experian and has provided a dedicated phone number to answer any questions that individuals may have regarding the incident.","Security Breach Letter","","2018","37.441883","-122.143020" "February 14, 2018","Flexible Benefit Service Corporation","Chicago","Illinois","HACK","BSF","19,438","Flexible Benefit Service Corporation suffered a breach which affected 19438 records, including Medical Information and SSN.","Security Breach Letter","","2017","41.878114","-87.629798" "February 14, 2018","Advanced Technology International, Inc.","Summerville","South Carolina","DISC","BSR","67","On January 25, 2018, ATI began the process of mailing out Form 1099s to individuals and companies for the 2017 tax year. However, during the mailing process, an error occurred whereby approximately sixty-seven (67) recipients received their Form 1099 and the Form 1099 belonging to an unrelated individual or entity. On or around January 30, 2018, ATI discovered the error. ATI immediately commenced an investigation and confirmed the incident was the result of human error. ATI took steps to address the error to reduce the likelihood of a similar incident occurring in the future.","Security Breach Letter","","2017","33.018504","-80.175648" "February 14, 2018","Hamilton Acquisition Corp. 
t/a Stallings Group","Chesapeake","Virginia","DISC","BSR","7","The Social Security number of each employee was visible through the window of the envelope used to mail W2s to employees.","Security Breach Letter","","2018","36.768209","-76.287493" "February 14, 2018","Management Services, LLC","Chesapeake","Virginia","DISC","BSR","53","The Social Security number of each employee was visible through the window of the envelope used to mail W2s to employees.","Security Breach Letter","","2018","36.768209","-76.287493" "February 14, 2018","AHM, Inc. on behalf of the Staybridge Suites Lexington & Holiday Inn Express New Buffalo","Cheboygan","Michigan","HACK","BSR","244","AHM, Inc. on behalf of the Staybridge Suites Lexington & Holiday Inn Express New Buffalo suffered a breach that affected 344 records, which included Account # and CC/DC account information.","Security Breach Letter","","2017","45.646956","-84.474480" "February 14, 2018","Thomas Edison State University","Trenton","New Jersey","HACK","EDU","557","Thomas Edison State University discovered that an unauthorized user accessed a Thomas Edison employee's email account. Based upon its investigation to date, Thomas Edison reasonably believes that the Unauthorized User improperly acquired the personal information of 557 individuals, including 13 residents of the North Carolina. The personal information acquired includes names and Social Security numbers. 
This incident was isolated to a single email account and the Unauthorized User did not gain access to Thomas Edison's network.","Security Breach Letter","","2018","40.217053","-74.742938" "February 13, 2018","Medical Science & Computing, LLC","Rockville","Maryland","DISC","BSR","137","Medical Science & Computing, LLC suffered a breach affecting 139 (paper) records, which included account numbers.","Security Breach Letter","","2018","39.083997","-77.152758" "February 13, 2018","Bed Bath & Beyond, Inc.","Union","New Jersey","INSD","BSR","139","A call center employee processing orders over the phone illegally compromised three customers' credit card information. BB&B recently determined that this same employee processed an order for one North Carolina resident over the phone between November 21, 2017 and December 8, 2017, although they do not know if that customer's credit card number was compromised.","Security Breach Letter","","2018","40.697590","-74.263164" "February 13, 2018","Central Islip Union Free School District","Central Islip","New York","DISC","EDU","1,362","On February 1, 2018, Central Islip Union Free School District  learned of a potential data incident which may have resulted in unauthorized access to certain personal information. Specifically, a window envelope was utilized to mail certain forms to current and former employees of the District. It appears if the contents were placed in a certain way within the envelope and the envelope was tapped in various ways it may have permitted some information to be viewable through the envelope's window. 
The data elements involved may have included name, address, and Social Security number.","Security Breach Letter","","2018","40.790654","-73.201781" "February 13, 2018","Kingston Residence of Hickory, LLC","Hickory","North Carolina","DISC","MED","10","A clerical mistake led to including 2 separate 1099's in one envelope resulting in the unauthorized disclosure of 1099 information to other vendors.","Security Breach Letter","","2018","35.734454","-81.344457" "February 13, 2018","Perry & Associates CPA's A.C.","Marietta","Ohio","HACK","BSR","2,450","Perry & Associates recently learned that malware may have been deployed upon Perry & Associates' computer network. Upon learning of the incident, Perry & Associates commenced a prompt and thorough investigation and has been working closely with the IRS. Perry & Associates has devoted considerable time and effort to determine whether client data was at risk as a result of the malware. The extensive forensic investigation concluded that a limited number of computer files may have been compromised on November 18, 2017. Since completing the investigation, Perry & Associates concluded that because some computer files may have been compromised, an unknown individual may have had access, via those compromised computer documents, to personal information belonging to clients. Perry & Associates discovered on January 16, 2018 that the information available in the potentially compromised files included client full name and Social Security number, and may have also included driver's license number and bank account information, to the extent that information was provided to Perry & Associates.","Security Breach Letter","","2018","33.952602","-84.549933" "February 13, 2018","Principal Life Insurance Company","Des Moines","Iowa","DISC","BSF","1","Principal received a Pension Death Benefit Claim form in the mail room via Federal Express from the customer. 
When the package arrived at the recipient's desk, it was empty.","Security Breach Letter","","2018","41.600545","-93.609106" "February 13, 2018","Eastern Shore Rural Health, Inc.","Onancock","Virginia","HACK","MED","287","On February 2, 2018, Eastern Shore began to receive reports from several employees that unauthorized individuals attempted to file fraudulent tax returns in their name. At this point, there is no indication that employee data was accessed without authorization on Eastern Shore's systems. However, due to the timing of the reports of fraudulent tax returns being filed, Eastern Shore is notifying its employees of the potential incident so they can take steps to protect themselves. Eastern Shore will continue to investigate the incident and remediate any issues discovered.","Security Breach Letter","","2018","37.711797","-75.749097" "February 12, 2018","Goldman Sachs & Co. LLC","New York","New York","HACK","BSF","32","On January 11, 2018, Aperio Group, LLC, a third party investment manager used by Goldman Sachs, discovered that the email accounts of two of its employees were compromised by a sophisticated phishing attack which resulted in an unauthorized auto-forward rule being applied to those two employees' accounts. This caused all emails sent to those accounts between August 21, 2017, and January 11, 2018, to be blind copied to two external email addresses. The personal information involved in the incident consisted of the account name and account number for a Goldman Sachs account owned by two residents of North Carolina.","Security Breach Letter","","2018","43.299429","-74.217933" "February 9, 2018","Inspire Homes Loans, Inc.","Irvine","California","HACK","BSF","5,403","On December 14, 2017, our client, Inspire Home Loans Inc, learned that a small number of customers had received fraudulent emails that appeared to come from email addresses associated with Inspire and their affiliated entities. 
Inspire immediately commenced an investigation, reset all email account passwords, and engaged a professional forensic security firm to determine whether employee email accounts had been accessed without authorization. Inspire has determined that messages in the employee's email account may have contained personal information for North Carolina residents, including their name, address, and Social Security number. Even though its investigation is still on-going, Inspire will begin notifying seventeen (17) North Carolina residents by U.S. Mail in accordance with North Carolina law in substantially the same form as the document enclosed herewith. Inspire is also offering the affected individuals a complimentary one year membership in credit monitoring and identity theft protection services through Experian and has provided a dedicated phone number to answer any questions that individuals may have regarding the incident.","Security Breach Letter","","2017","33.684567","-117.826505" "February 9, 2018","Driscoll's, Inc.","Watsonville","California","HACK","BSF","1,530","Driscoll's Inc., suffered a data breach that affected 1530 records, including SSN data. ","Security Breach Letter","","2017","36.910231","-121.756895" "February 9, 2018","Connecticut Airport Authority","Windsor Locks","Connecticut","HACK","GOV","144","Connecticut Airport Authority suffered a data breach of 144 records which included Driver's Licenses.","Security Breach Letter","","2017","41.924292","-72.645447" "February 9, 2018","Intuit Inc.","Mountain View","California","HACK","BSF","31","Intuit, Inc. suffered a data breach that affected 31 records, which included both Driver's License and SSN data.","Security Breach Letter","","2018","37.386052","-122.083851" "February 9, 2018","City of Thomasville","Thomasville","North Carolina","DISC","GOV","269","A public records request for employee payroll information was received. The documents were prepared by the Human Resources Department. 
One of the documents that was released had un-formatted SSN. They were not identified as SSN. Once the document was released to the person who requested they posted the information on a Closed Facebook page. The SSN were not identified. I was notified about the post and contacted our City Attorney. Person posting info and Facebook was notified and the information was taken down approximately 3 hours after we learned it was posted.","Security Breach Letter","","2018","30.836582","-83.978781" "February 9, 2018","Kinetics Systems, Inc.","Livermore","California","HACK","BSR","875","On February 1, 2018, Kinetics received notice that an inadvertent data exposure occurred on January 25, 2018. Kinetics experienced a ""phishing"" attack - via fraudulent email a scammer posed as an Officer of Kinetics, and obtained personal information of current and past employees who worked at Kinetics during 2017.","Security Breach Letter","","2018","37.681875","-121.768009" "February 8, 2018","Fontainebleau Miami Beach","Miami Beach","Florida","INSD","BSR","158","Fontainebleau Miami Beach suffered a data breach affecting 158 records which included both Credit card and debit card information.","Security Breach Letter","","2018","25.790654","-80.130046" "February 8, 2018","Corporate Employment Resources, Inc.","Southfield","Michigan","DISC","BSR","4,086","On January 26, 2018, a Company employee sent an e-mail  to other current and former Company employees who were authorized to receive the e-mail but inadvertently attached a document not intended for the recipients. The erroneous attachment contained the intended recipients' personal information as well as the personal information of other current and former employees, including first and last names and Social Security numbers. The Company employee realized her error almost immediately in sending the January 26 e-mail and promptly notified the Company on that day. 
The Company has asked all recipients of the January 26 e-mail to delete it (along with the erroneous attachment) and to confirm the deletion. The Company is in the process of collecting confirmations of the deletion.","Security Breach Letter","","2018","42.473369","-83.221873" "February 8, 2018","TrueNet Communications","Jacksonville","Florida","HACK","BSR","161","TrueNet Communications discovered on December 19, 2017 that an unauthorized third party gained access to a TrueNet employee's email credentials and redirected certain emails, which allowed the authorized third party to access the emails. They determined on January 15, 2018 that certain of these emails contained employee and contractor information.","Security Breach Letter","","2017","30.332184","-81.655651" "February 8, 2018","Daintree Advisors LLC","Boston","Massachusetts","HACK","BSF","74","Daintree Advisors LLC partners with Aperio Group to invest funds on behalf of its clients. Aperio discovered that two Aperio employee email accounts were compromised in a phishing scam. This resulted in unauthorized access to emails sent to and from those accounts between August 21, 2017, and January 11, 2018. Based on Aperio's review of the emails in question, Aperio discovered that some account names, account numbers, balances, and in some cases, personal email addresses were compromised.","Security Breach Letter","","2018","42.360083","-71.058880" "February 8, 2018","Moore Business Solutions","Greenville","North Carolina","HACK","BSF","600","In December had ransomware on a computer and server. They did not suspect anything was compromised until tax filing season began. The IRS is investigating but does not know at this time if they were breached or not but suggests Moore Business Solutions, Inc. 
err on the side of caution.","Security Breach Letter","","2018","34.852618","-82.394010" "February 7, 2018","XOS Technologies d/b/a XOS Digital, Inc.","Wilmington","Massachusetts","HACK","BSR","10","In 2017 XOS Technologies d/b/a XOS Digital, Inc. suffered a data breach affecting 10 records incl. account user names and passwords","Security Breach Letter","","2017","39.739072","-75.539788" "January 23, 2018","Revolution Partners, LLC","Memphis","Tennessee","HACK","BSF","228","On December 14, 2017, our client, Revolution Partners, discovered that an unauthorized individual may have gained access to an employee's email account. When Revolution Partners learned of this, they immediately reset all email account passwords and began an investigation to determine the scope of the incident. Revolution Partners also hired an outside forensic investigation firm to assist in their investigation. Revolution Partners submits this notice after learning that some of the potentially accessed email messages contained the name, address, and Social Security number for two (2) North Carolina residents. Revolution Partners began notifying individuals by U.S. Mail on January 22, 2018 in accordance with North Carolina law in substantially the same form as the document enclosed herewith. Revolution Partners is also offering affected individuals one year of identity theft protection services through Experian has provided a dedicated phone number to answer any questions that individuals may have regarding the incident.","Security Breach Letter","","2017","35.149534","-90.048980" "January 22, 2018","National Stores, Inc.","Street Gardena","California","HACK","BSR","609,064","On December 22, 2017, National Stores received an alert that its point-of-sale systems were affected by malware, and that customer payment card information may have been accessed without authorization. 
National Stores immediately launched an investigation and engaged digital cybersecurity firms to assist with the investigation. National Stores also contacted the Federal Bureau of Investigation and payment card brands to prevent fraudulent activity on payment cards that may have been affected. The affected payment card holders have not yet been identified, although National Stores is diligently attempting to do so. Additional Information on this security breach is provided by the Office of the Indiana Attorney General.","Security Breach Letter","","2017","33.914358","-118.303665" "January 22, 2018","EASTCONN","Hampton","Connecticut","INSD","EDU","194","In Dec. 2017 EASTCONN suffered a data breach affecting 194 records, incl. Driver's license and SSN.","Security Breach Letter","","2017","40.924616","-72.354792" "January 22, 2018","Housing Authority of the City of Charlotte","Charlotte","North Carolina","HACK","GOV","341","An email was sent purportedly from the CEO requesting W-2s for 2016 and 2017. The staff member thought it was the CEO and sent the information.","Security Breach Letter","","2018","35.227087","-80.843127" "January 22, 2018","Netcracker Technology Corporation","Waltham","Massachusetts","HACK","BSR","9","Between approximately January 4, 2018 and January 12, 2018, Netcracker learned that a few of its employees were the target of an e-mail phishing incident. Those employees received an email that appeared to be from Netcracker's payroll provider, Automatic Data Processing (“ADP”). Employees who clicked on a link in the e-mail and entered their ADP login information on the landing page enabled access by the scammer to their ADP account and to view personal information in that account. The account contains employees' personal information, including financial account number, e-mail address and ADP username with password or security question and answer, and Social Security number. 
The employee's ADP account does not contain driver's license number or state identification card number, any credit or debit card number, or medical or health insurance information.","Security Breach Letter","","2018","42.376485","-71.235611" "January 19, 2018","Securadyne Systems LLC","Dallas","Texas","HACK","BSR","112","On or about September 12, 2017, Securadyne discovered that it had become the target of a phishing email campaign and that several employees had clicked on the phishing email and entered their credentials. Securadyne immediately took steps to secure the employees' email accounts and launched an in-depth investigation to determine whether any sensitive information was accessed or acquired. Securadyne subsequently determined, with the help of outside computer forensic investigators, that an unknown actor had gained access to the Securadyne employees' email accounts. On November 7, 2017, Securadyne determined, after a lengthy programmatic and manual review of the contents of the email accounts, the types of protected information contained in the email accounts and to which individuals the information relates, and immediately launched a review of its files to ascertain address information for the impacted individuals.","Security Breach Letter","","2017","32.776664","-96.796988" "February 21, 2018","University of Virginia Medical Center","","Virginia","HACK","EDU","1,882","Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 16, 2018","Jemison Internal Medicine, PC","","Alabama","HACK","MED","6,550","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 16, 2018","Tufts Associated Health Maintenance 
Organization, Inc.","","Massachusetts","DISC","MED","70,320","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 6, 2018","Fresno State","Fresno","California","PHYS","EDU","15,000","Fresno State says that the personal information data of about 15,000 people may have been exposed after a hard drive was stolen. In a news release, the university says that the external drive contained information on former student-athletes, sports-camp attendees, and Athletic Corporation employees. The data files may have contained names, addresses, phone numbers, dates of birth, full or last four digits of Social Security numbers, credit card numbers, driver's license numbers, passport numbers, usernames and passwords, health-insurance numbers and personal health information. The vast majority of data files were from 2003 to 2014. About 300 of the affected people are still currently affiliated with the University. ","Media","http://abc30.com/fresno-state-data-breach-exposes-personal-information-of-15000-people/3182146/","2014","36.746842","-119.772587" "March 8, 2018","Kansas Department for Aging and Disability Services (KDADS)","","Kansas","HACK","GOV","11,000","The Kansas Department for Aging and Disability Services (KDADS) has begun to notify individual consumers about a recent incident in which personal or protected health information was disseminated to a specific group of KDADS business associates. On February 23, 2018, KDADS became aware of a potential breach of personal or protected health information after an employee sent an unauthorized email containing personal or protected health information to a group of current KDADS business associates. . . 
The email contained an attachment which included consumer names, addresses, dates of birth, Social Security numbers, gender, in-home services program participation information and Medicaid identification numbers. No banking, credit card or driver license information was included. All involved consumers identified by KDADS will be sent an individual letter explaining the situation. Please check the KDADS website at http://www.kdads.ks.gov for any additional information, which will be posted as it becomes available. Consumers and other interested persons may contact KDADS by telephone without incurring charges at 1-800-432-3535. Please leave a message for Kahlea Porter requesting a return call.","Government Agency","https://www.kdads.ks.gov/media-center/news-releases/2018/03/01/kdads-notifies-consumers-about-potential-breach-of-protected-health-information","2018","37.090240","-95.712891" "March 15, 2018","BJC Healthcare","St. Louis","Missouri","DISC","MED","33,000","BJC HealthCare said a data storage error potentially compromised 33,420 patient records when the information was accidentally made publicly available for nine months. BJC, based in St. Louis, said in a statement that a misconfigured server was left without a security protocol in place making it possible for someone to view scanned documents containing patient's driver's licenses, insurance cards and treatment-related documents from 2003 to 2009. Other patient data that was possibly left visible included name, address, telephone number, date of birth, Social Security number, driver's license number, insurance information and treatment-related inform. 
The server itself was left unsecure from May 9, 2017 through January 23, 2018.","Media","https://www.scmagazine.com/bjc-healthcare-data-breach-33000-affected/article/751419/","2017","38.627003","-90.199404" "March 20, 2018","Orbitz","Chicago","Illinois","HACK","BSR","880,000","Travel booking website Orbitz has announced that it discovered a potential data breach that exposed information for thousands of customers, as reported by Engadget. The incident, discovered by the company on March 1st, may have exposed information tied to about 880,000 credit cards. The consumer data in question is from an older booking platform, where information may have been accessed between October and December 2017. Orbitz partner platform data, such as travel booked via Amex Travel, submitted between January 1st, 2016 and December 22nd, 2017 may have also been compromised. The Expedia-owned company says that names, payment card information, dates of birth, email addresses, physical billing addresses, gender, and phone numbers may have been accessed, but it doesn’t yet have “direct evidence” that any information was taken from the website.","Media","https://www.theverge.com/2018/3/20/17144482/orbitz-data-breach-credit-cards","2016","41.878114","-87.629798" "March 16, 2018","Primary Health Care, Inc.","","Iowa","HACK","MED","10,313","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 15, 2018","North Texas Medical Center ","","Texas","DISC","MED","3,350","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 15, 2018","UnitedHealth Group Single Affiliated Covered Entity ","","Minnesota","DISC","MED","1,755","Location of breached information: Paper/Films Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 14, 2018","Saint Francis Hospital","","Georgia","PHYS","MED","1,412","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 14, 2018","Serene Sedation, LLC","","Maryland","HACK","MED","5,207","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 13, 2018","Special Agents Mutual Benefit Association","","Maryland","DISC","MED","13,942","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 12, 2018","ATI Holdings, LLC and its subsidiaries ","","Illinois","HACK","MED","35,136","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 12, 2018","Barnes-Jewish St. 
Peters Hospital","","Missouri","DISC","MED","15,046","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 12, 2018","Barnes-Jewish Hospital","","Missouri","DISC","MED","18,436","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 9, 2018","The Arc of Erie County","","New York","DISC","MED","3,751","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 9, 2018","inSite Digestive Health Care","","California","PHYS","MED","1,424","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 7, 2018","Front Range Dermatology Associates, P.C.","","Colorado","DISC","MED","1,070","Location of breached information: Electronic Medical Record, Email, Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 7, 2018","John J. 
Pershing VA Medical Center","","Missouri","DISC","MED","1,843","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 28, 2018","Memorial Hospital at Gulfport","","Mississippi","DISC","MED","1,512","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 28, 2018","St. Peter's Ambulatory Surgery Center LLC - d/b/a St. Peter's Surgery & Endoscopy Center","","New York","HACK","MED","134,512","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 28, 2018","Union Lake Supermarket, LLC","","New Jersey","PHYS","MED","9,956","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 27, 2018","FastHealth Corporation","","Alabama","HACK","MED","1,345","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 27, 2018","Rhode Island Executive Office of Health and Human Services ","","Rhode Island","DISC","MED","5,600","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 27, 2018","Rhode Island Executive Office of Health and Human Services","","Rhode 
Island","DISC","MED","1,100","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 26, 2018","California College of Arts","","California","PHYS","EDU","623","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 26, 2018","Quad/Med, LLC","","Wisconsin","DISC","MED","2,834","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 26, 2018","Center for Sports Medicine and Orthopedics ","","Tennessee","DISC","MED","800","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 22, 2018","Walmart, Inc.","","Arkansas","DISC","MED","735","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 21, 2018","ConnectiCare","","Connecticut","DISC","MED","1,834","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 16, 2018","Flexible Benefit Service Corporation","","Illinois","HACK","MED","5,123","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 30, 2018","Under Armour","","California","HACK","BSR","150,000,000","Under Armour says roughly 150 million MyFitnessPal users are affected by a breach of their wildly popular fitness app ""MyFitnessPal"", which it discovered earlier this week. It said on Thursday that an ""unauthorized party"" acquired data about these users late last month.""Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities,"" the company said in a statement. ""The investigation indicates that the affected information included usernames, email addresses, and hashed passwords — the majority with the hashing function called bcrypt used to secure passwords.""Under Armour said the hacker would not have been able to obtain users' payment details or information like Social Security numbers or driver's license numbers. The company has begun notifying users via messages in the app and emails.","Media","http://www.businessinsider.com/under-armour-data-breach-myfitnesspal-2018-3","2018","37.090240","-95.712891" "April 1, 2018","Lord & Taylor's, Saks","","New Jersey","HACK","BSR","5,000,000","Hackers have stolen the personal and financial information of customers who shop at Lord and Taylor and Saks Fifth Avenue in the latest of a string of data breaches in recent years.Records for more than five million credit and debit cards used at all the chains’ North American locations were compromised, according to Gemini Advisory, a cybersecurity firm. 
Most were obtained from stores in New York and New Jersey, Gemini said.","Media","https://www.usatoday.com/story/money/2018/04/01/data-breach-hits-lord-taylors-saks/476838002/","2018","37.090240","-95.712891" "April 3, 2018","Panera Bread","","","DISC","BSR","37,000,000","KrebsOnSecurity has discovered that Panera Bread left millions of customer sign-up records (possibly 37 million) in plain text on its website, including email addresses, home addresses, phone numbers and loyalty account numbers.There was no payment info, thankfully, but it would have been patently easy for evildoers to harvest that information and use it as part of identity fraud or spam campaigns.Crucially, Panera Bread didn't appear to be responsive to the problem. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was ""working on a resolution,"" but it didn't take down the info until KrebsOnSecurity got involved -- twice. In a statement, Panera Bread said it was still investigating the vulnerability but indicated that there was ""no evidence"" of either payment info or anyone accessing a ""large number"" of the accounts.","Media","https://www.engadget.com/2018/04/02/panera-bread-left-millions-of-customer-records-exposed/","2018","37.090240","-95.712891" "April 6, 2018","Delta Air Lines, Inc.","","California","HACK","BSR","200,000","Delta now says that payment-card information for about “several hundred thousand” airline customers may have been exposed by a malware breach last fall that also hit Sears and other companies.The airline says that the malware attack may have exposed customers’ names, addresses, credit card numbers, card security codes and expiration dates.Delta Air Lines Inc. 
offered the additional details about the attack on Thursday, a day after saying that only a “small subset” of customers was affected. The Atlanta-based airline said that it wasn’t sure whether customers’ information was actually compromised by malware that it believes was in software used by [24]7.ai, which provided the airline with online chat services for customers, for about two weeks. The software company said it discovered and fixed the breach in October.","Media","http://sacramento.cbslocal.com/2018/04/05/delta-data-breach/","2018","37.090240","-95.712891" "April 6, 2018","Sears","","Illinois","HACK","BSR","90,000","Department store chain Sears Holding Corp (SHLD.O) and Delta Air Lines Inc (DAL.N) said on Wednesday some of their customer payment information may have been exposed in a cyber security breach at software service provider [24]7.ai. Sears said it was notified of the incident in mid-March and the incident led to unauthorized access to the credit card information of under 100,000 of its customers. Technology firm [24]7.ai, which provides online support services for Delta, Sears and Kmart among other companies, found that a cyber security incident affected online customer payment information of its clients, it said. The incident happened on or after Sept. 26, 2017 last year and was found and resolved on Oct.
12, the company said.","Media","https://www.reuters.com/article/us-delta-air-cyber-24-7-ai/sears-holding-delta-air-hit-by-customer-data-breach-at-tech-firm-idUSKCN1HC089?utm_campaign=trueAnthem%3A%20Trending%20Content&utm_content=5ac5ab0004d3015b09b97dbd&utm_medium=trueAnthem&utm_source=twitter","2017","37.090240","-95.712891" "April 6, 2018","[24]7.ai.","San Jose","California","HACK","BSR","150,000","A payment card breach suffered by [24]7.ai between September 26 and October 12, 2017, is impacting major firms, including Best Buy, Delta Air Lines and Sears Holdings. The intrusion occurred between September 26 and October 12, 2017. “We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.” reads the advisory published by Delta Airline. “No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”","Media","https://securityaffairs.co/wordpress/71109/data-breach/247-ai-security-breach.html","2017","37.338208","-121.886329" "April 6, 2018","Best Buy","","","HACK","BSR","1","After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai. Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services.
The retailer says it will contact impacted customers and provide free credit monitoring if needed.Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”","Media","https://www.securityweek.com/best-buy-hit-247ai-payment-card-breach","2017","37.090240","-95.712891" "April 2, 2018","Fondren Orthopedic Group L.L.P.","","Texas","DISC","MED","11,552","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 2, 2018","West Kendall Baptist Hospital","","Florida","DISC","MED","1,480","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 30, 2018","Milligan Chiropractic Group, Inc. 
d/b/a Del Mar Chiropractic Sports Group","","California","PHYS","MED","2,640","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 29, 2018","Middletown Medical P.C.","","New York","DISC","MED","63,551","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 29, 2018","NYC Health + Hospitals/Harlem","","New York","PHYS","MED","595","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 28, 2018","Cambridge Health Alliance","","Massachusetts","HACK","MED","2,280","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 26, 2018","Walmart Inc.","","Arkansas","DISC","MED","741","Location of breached information: Email, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 26, 2018","Mississippi State Department of Health","","Mississippi","DISC","MED","30,799","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 26, 2018","VA Palo Alto Health Care System","","California","DISC","MED","1,600","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 18, 2018","Localblox","Bellevue","Washington","DISC","BSO","47,000,000","Quoting the article that exposed this breach on ZDNet, ""Localblox, a Bellevue, Wash.-based firm, says it 'automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks.' Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.The bucket, labeled 'lbdumps,' contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.""","Media","https://www.zdnet.com/article/data-firm-leaks-48-million-user-profiles-it-scraped-from-facebook-linkedin-others/","2018","47.610150","-122.201516" "April 20, 2018","SunTrust Banks, Inc.","Atlanta","Georgia","HACK","BSF","1,500,000","""SunTrust Banks Inc. 
said an employee may have stolen the information of about 1.5 million customers and provided it to a “criminal third party,” the latest example of a potential breach that underscores the vulnerability of consumers’ private data. The Atlanta-based bank on Friday said the employee, who no longer works at SunTrust, attempted to access client information, although it has “not identified significant fraudulent activity” around the accounts involved.""","Media","https://www.wsj.com/articles/suntrust-employee-may-have-stolen-information-about-1-5-million-clients-1524231553","2018","33.748995","-84.387982" "April 20, 2018","UnityPoint Health","West Des Moines","Iowa","HACK","MED","16,000","UnityPoint Health confirmed that it's dealing with an information breach that impacted patients. ""After a detailed forensic investigation and document review, UnityPoint Health determined that protected health information was contained in impacted email accounts, including patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information."" They said they are not aware of any fraud issues at this point, but they still want the people impacted to be aware of the problem. They are advising people to follow these steps: Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care. Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize.
If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date. Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.The hospital has apologized to patients for this problem. If you want to learn if your information was compromised or you have questions, call 855-331-3612.","Media","http://www.wkow.com/story/38002617/2018/04/20/unitypoint-health-affected-by-data-breach","2018","41.577212","-93.711332" "April 19, 2018","Blue Shield of California","","California","DISC","MED","0"," Blue Shield of California admitted to a PHI data breach involving an insurance broker who was not authorized to receive patient information, according to a breach notification submitted to the California Attorney General’s Office. The Blue Shield of California Privacy Office received confirmation on March 23, 2018 that a breach had occurred in November 2017 during the 2018 Medicare Annual Enrolment Period when a Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.”The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.The health insurer said that individuals affected by the disclosure are eligible for free identity repair and credit monitoring services.","Security Breach Letter","https://oag.ca.gov/system/files/Notice%20Letter%20Template%20Final_0.pdf","2017","37.090240","-95.712891" "April 15, 2018","Texas Health 
Resources","Arlington","Texas","DISC","MED","4,000","Texas Health Resources says emails containing private patient information may have gotten into the hands of an unauthorized third party.Officials with the Arlington-based healthcare corporation have mailed letters to the patients — fewer than 4,000 — who may have been affected and have established a call center to answer any questions patients might have, a spokesperson said.Law enforcement personnel told Texas Health about the possible data breach in January but asked the company to not notify their patients or the public while they pursued their investigation, company officials said.Texas Health was recently given the OK to speak openly about the investigation, which they said is part of a much larger investigation that's nationwide in scope. The Texas Health breach affected patients who received care primarily in October.","Media","http://www.star-telegram.com/news/local/community/fort-worth/article208928464.html","2018","38.881621","-77.090981" "April 30, 2018","Access Group Education Lending","West Chester","Pennsylvania","DISC","EDU","16,500","A student loan services company recently notified 16,500 borrowers that files containing personal data were released to a business that wasn't authorized to receive them.Access Group Education Lending said in a letter to those affected that the data breach happened on March 23 when one of its vendors sent out files - including borrowers' names, driver's license numbers and Social Security numbers - to another business. The business was not identified, but has been described as a student loan lender.Access Group said in the letter that it learned of the release on March 28 and it was assured that the vendor who received the files deleted them and didn't retain copies. 
The company did not begin notifying borrowers until three weeks later.According to information on its website, Access Group stopped making loans in 2010, due to legislation that eliminated the federally guaranteed student loan program.Access Group Education Lending is the servicing, loan portfolio management and default division of AccessLex Institute. AccessLex Institute is a nonprofit company, based in West Chester, Pennsylvania, that focuses on serving law students. The company works to make legal education accessible to people from all backgrounds and has programs to help law students manage their personal finances, its website says.","Media","http://6abc.com/student-loan-data-breach-affects-16500-borrowers/3402556/","2010","39.960664","-75.605488" "March 30, 2018","Bezop","","California","DISC","BSF","25,000","On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver's licenses, and other IDs for over 25,000 investors of the newly created Bezop.  The information was found within a MongoDB database without any security.John Mcafee, an adviser on the board for Bezop, described Bezop as “a distributed version of Amazon.com” in a recent Twitter post.  It is that, but it's also a cryptocurrency.  
Bezop is adding, and has in fact already added, its own cryptocurrency, which they call “Bezop tokens”, into the stream of transactions.","Media","https://mackeepersecurity.com/post/cryptocurrency-leaks-personal-information-for-thousands-of-investors","2018","37.090240","-95.712891" "May 1, 2018","American Esoteric Laboratories","","Alabama","HACK","MED","0","A data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations. American Esoteric Laboratories announced Friday that it had become aware of a ""data security incident"" that could impact patients' data security. An AEL employee's company-issued laptop was stolen on Oct. 15, the company said in a press release. The laptop may have contained sensitive information about ""some AEI patients and their payment guarantors,"" according to the company. ""Upon learning of the incident, AEL disabled the affected employee's email account, disabled the stolen laptop's access to its computer network, and reported the laptop theft to the local police,"" the press release stated. An internal AEL investigation found that a wide range of personal information about patients may have been stored on the laptop, including ""names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information."" The company has also set up a hotline people can call with any questions or concerns about the breach. The phone number is 888-285-9795. AEL, which is based in Tennessee, has three locations in Alabama, one each in Birmingham, Montgomery and Prattville.","Media","http://www.al.com/news/birmingham/index.ssf/2018/04/data_breach_could_impact_some.html","2018","37.090240","-95.712891" "February 1, 2018","Ventiv Technology, Inc.","Atlanta","Georgia","HACK","BSO","239","Ventiv Technology, Inc. experienced a phishing attack and exposed the records of 239 individuals.
The breach occurred from 10/14/17 until 12/5/17, was discovered on 1/5/18 and Ventiv began notifying consumers on 2/1/2018. Information that was exposed included Social Security numbers.","Security Breach Letter","","2017","33.877891","-84.458103" "January 26, 2018","Scoppechio","Louisville","Kentucky","HACK","BSO","204","Scoppechio, an advertising agency, experienced a phishing incident that resulted in the exposure of 204 records.","Security Breach Letter","","2018","38.254687","-85.757612" "May 4, 2018","PAR Electrical Contractors, Inc.","Kansas City","Missouri","PHYS","BSO","25,000","According to a breach notification form and letter sent to the Indiana Office of Attorney General, PAR Electrical Contractors, Inc. experienced a data breach that resulted in the exposure of ""~25,000"" persons. According to the accompanying notification letter, ""On or about December 22, 2017, a thief stole a container holding daily backup tapes that, as part of PAR's regular practices, had been taken off-site. . . The backup tapes included data from PAR's employment records for present and former employees. We believe the data included your name, contact information, Social Security number, date of birth, and payroll data (including bank account number if used for direct deposit). In addition, the tapes may have included your driver's license or passport number (if submitted as part of the new hire process).""","Security Breach Letter","","2017","39.179218","-94.591707" "February 5, 2018","1st Mariner Bank","Baltimore","Maryland","HACK","BSF","1,500","1st Mariner Bank experienced a phishing attack that resulted in the exposure of the records of 1500 persons. Information exposed included Social Security Numbers, as well as names in combination with credit card or financial account information.
","Security Breach Letter","","2017","39.276127","-76.568781" "February 2, 2018","Doral Corporation","Milwaukee","Wisconsin","HACK","BSF","335","The Doral Corporation experienced a phishing attack that resulted in the exposure of 335 records. Exposed records included social security numbers in combination with first and last names.","Security Breach Letter","","2018","43.006678","-87.900685" "February 1, 2018","Remote DBA Experts, LLC","Warrendale","Pennsylvania","DISC","NGO","281","Remote DBA Experts, LLC experienced a phishing attack that resulted in the exposure of 281 records.  According  to the breach notification letter they provided to the Indiana Office of Attorney General, ""On January 17, 2018, an unauthorized individual impersonating an RDX executive emailed an RDXemployee  to request 2017 W-2 infonnation for our employees. Before we determined that the request wasfraudulent, the employee provided the data to the unauthorized third party. The data included your first name,last name, mailing address, Social Security number, and 2017 compensation and deduction information.""","Security Breach Letter","","2018","40.658820","-80.100940" "February 5, 2018","Charles Komar & Sons, Inc.","Jersey City","New Jersey","UNKN","BSO","99","","Security Breach Letter","","2017","40.715202","-74.033868" "February 2, 2018","Make-up Designory","Valencia","California","DISC","EDU","670","According to the data breach notification form sent to the Indiana Office of Attorney General, ""Each January our client is required to send a tax document (1098-T Statement) to students and graduates. The information for this form i s gathered by Its accounting office and securely transferred to a certified public accounting firm. The accounting firm works with a financial communications service provider that specializes in creating and mailing these and similar type tax forms to be sent by US mall. 
This year was no different, except an error occurred in the preparation of the mailing that caused three individual tax documents to be placed in one envelope. As a result, some students received their own 1098-T Statements and Statements for two other students. We are contacting all students affected by this incident to notify them of the unintentional disclosure and requesting the return of all 1098-T Statements that were mailed in error. We will follow-up with such students to confirm that the Statements are returned to the school and/or destroyed.""","Security Breach Letter","","2018","34.434752","-118.579205" "February 2, 2018","Advanced Graphic Products, Inc. /dba/ ""Advanced-Online""","Coppell","Texas","HACK","BSO","22,182","""Advanced-Online"", or Advanced Graphic Products, Inc., experienced a data breach exposing 22,182 records. According to the breach notification form sent to the Indiana Office of Attorney General, ""Advanced-Online learned on January 3, 2018 that certain personal information housed on the company's online platform may have been subject to unauthorized access.
The date range for the incident appears to be April 29, 2017 until January 12, 2018.""","Security Breach Letter","","2017","32.946178","-97.016748" "April 30, 2018","Worldwide Insurance Services, LLC","","Pennsylvania","HACK","MED","1,692","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","Billings Clinic","","Montana","HACK","MED","949","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 23, 2018","Capital Digestive Care, Inc.","","Maryland","DISC","MED","17,639","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 20, 2018","Riverside Medical Center","","Illinois","PHYS","MED","501","Location of breached information: Desktop Computer, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 20, 2018","Capital District Physicians’ Health Plan","","New York","DISC","MED","839","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 20, 2018","Michael Gruber DMD PA","","New Jersey","HACK","MED","4,624","Location of breached information: Desktop Computer, Email, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 18, 2018","Center for Orthopaedic 
Specialists - Providence Medical Institute (PMI)","","California","HACK","MED","81,550","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 17, 2018","Kansas Department for Aging and Disability Services","","Kansas","DISC","MED","11,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 17, 2018","Inogen, Inc.","","California","HACK","MED","29,528","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 17, 2018","MAXIMUS, Inc. / Business Ink, Co.","","Virginia","DISC","MED","3,029","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 16, 2018","Iowa Health System d/b/a UnityPoint Health","","Iowa","HACK","MED","16,429","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 16, 2018","Athens Heart Center, P.C.","","Georgia","HACK","MED","12,158","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 16, 2018","Cornerstone Foot & Ankle","","New Jersey","DISC","MED","533","Location of breached information: Email Business associate present: No ","US Department of Health 
and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 13, 2018","Texas Health Physicians Group","","Texas","HACK","MED","3,808","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 13, 2018","California Physicians Service d/b/a Blue Shield of California","","California","DISC","MED","1,717","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 13, 2018","ATI Holdings, LLC and its subsidiaries","","Illinois","HACK","MED","1,776","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 13, 2018","MorshedEye, PLLC","","Kentucky","DISC","MED","1,100","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 12, 2018","Polk County Health Services, Inc","","Iowa","DISC","MED","1,071","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 9, 2018","Integrated Rehab Consultants","","Illinois","DISC","MED","4,292","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 6, 2018","CA Department of Developmental 
Services","","California","PHYS","MED","582,174","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 6, 2018","Walgreen Co.","","Illinois","PHYS","MED","910","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 6, 2018","Chesapeake Regional Medical Center","","Virginia","PHYS","MED","2,100","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 5, 2018","Diagnostic Radiology & Imaging, LLC","","North Carolina","HACK","MED","800","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 3, 2018","Wisconsin Department of Health Services","","Wisconsin","PHYS","MED","779","Location of breached information: Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 2, 2018","QUALITY-CARE PHARMACY","","California","PHYS","MED","2,000","Location of breached information: Desktop Computer, Other, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 30, 2018","Sonoma County Indian Health Project, Inc","","California","DISC","MED","662","Location of breached information: Desktop Computer, Email Business associate present: No 
","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 30, 2018","Guardian Pharmacy of Jacksonville","","Florida","HACK","MED","11,521","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 30, 2018","Children’s National Medical Center ","","District Of Columbia","PHYS","MED","722","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 22, 2018","City of Houston Medical Plan","","Texas","PHYS","MED","34,637","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 21, 2018","National Mentor Healthcare, LLC.","","Massachusetts","PHYS","MED","1,015","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 21, 2018","Mentor ABI, LLC","","Massachusetts","PHYS","MED","994","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 21, 2018","Center for Comprehensive Services, Inc.","","Massachusetts","PHYS","MED","1,176","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 21, 2018","CareMeridian, LLC","","Massachusetts","PHYS","MED","1,922","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 20, 2018","Prestera Center for Mental Health Services, Inc.","","West Virginia","HACK","MED","670","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 1, 2018","Florida Agency Persons for Disabilities","","Florida","HACK","MED","63,627","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 20, 2018","Orbitz","","","HACK","BSO","0","Between Oct. 1, 201 and Dec. 22, 2017, Orbitz determined that an unauthorized third party may have accessed personal information stored on a third party business partner platform. Information affected included name, payment card number and expiration date, phone number, email address and physical and/or billing address. Certain hotel reservations made through Southwest.com, which was powered by Orbitz, may have been affected. ","Security Breach Letter","https://oag.ca.gov/system/files/Orbitz-%20SW-%20CA%20Letter_1.pdf","2017","37.090240","-95.712891" "April 20, 2018","W. W. Grainger, Inc.","","California","HACK","BSO","0","On April 10, 2018, Grainger was notified by [24]7.ai that [24]7.ai was involved in a cyber incident, during which time, credit card information of those conducting business with certain [24]7.ai clients, including Grainger, may have been accessed. 
Customers who used guest check out and manually entered credit card information on Grainger.com or its app were potentially affected. Information includes credit card numbers, security codes, card expiration dates, names and addresses.","Security Breach Letter","https://oag.ca.gov/system/files/Grainger_Template%20Notification%20Letter_0.pdf","2017","37.090240","-95.712891" "April 20, 2018","AccessLex Institute d/b/a Access Group","","California","DISC","BSF","0","On March 28, 2018 AccessLex learned that on March 23, 2018, a vendor they use to help provide student loan processing services inadvertently sent a copy of certain loan files to another business that was not authorized to receive them. Shortly after they learned of the inadvertent file transfer, we contacted managers of the second business that received the files. The second business confirmed it had deleted the transferred files and agreed that the appropriate manager would sign a sworn statement confirming it had deleted the files and retained no copies. The information involved included names, driver’s license numbers, and Social Security numbers.","Security Breach Letter","https://oag.ca.gov/system/files/CA%20notification%20letter_0.pdf","2018","37.090240","-95.712891" "April 13, 2018","Pierre Fabre","","California","HACK","MED","0","On March 12, 2018, we discovered that information entered on some of our websites (aveneusa.com, renefurtererusa.com, kloraneusa.com, and glytone-usa.com (the “Websites”)) had been captured and potentially sent to unauthorized third parties. Any information entered on any of the Websites between February 20, 2018 and March 15, 2018 may have been exposed. Information affected included: name, credit or debit card information or other payment account information, phone number, email address, shipping address, billing address and/or Website account password. 
","Security Breach Letter","https://oag.ca.gov/system/files/CA%20-%20Notification%20of%20Breach_0.pdf","2018","37.090240","-95.712891" "April 12, 2018","Mise En Place Restaurant Services, Inc. ","","California","HACK","BSR","0","Mise en Place Restaurant Services, Inc. experienced a ransomware attack on March 15, 2018. Information exposed may include names, addresses and social security numbers of Mise en Place clients, employees or investors of Mise En Place clients.","Security Breach Letter","https://oag.ca.gov/system/files/MEP%20Notification_0.pdf","2018","37.090240","-95.712891" "April 12, 2018","Walker Advertising, LLC ","","California","HACK","BSO","0","Two senior Walker employees' corporate email accounts were hacked between Jan 29, 2018 and Feb 22, 2018. At least one account was used to send phishing emails to solicit individuals to respond with access credentials to Walker's electronic information system. An investigation determined that personal information was exposed as a result of the attacks. Information included names, social security numbers, driver's license numbers, medical information and health insurance information.","Security Breach Letter","https://oag.ca.gov/system/files/Indivdiual%20Notification%20California-%20Experian%20%28Client%20Approved%29%20%28153764016_2%29_0.pdf","2018","37.090240","-95.712891" "May 9, 2018","Dollar Shave Club, Inc.","","California","HACK","BSR","0","On March 21, 2018, Dollar Shave Club Inc.'s tech team identified attempts by a third party system using email and password combinations obtained elsewhere (not from Dollar Shave Club) to log in to certain Dollar Shave Club customers’ e-commerce accounts. 
This incident involved the email address and password combinations (obtained through some other source, not Dollar Shave Club) that were then used to access a Dollar Shave Club online account, which allows someone to view the information in an account, including name, address, and the last four digits of the payment card on file (if you’ve provided that information). Based on its investigation, Dollar Shave Club has no reason to believe that any Dollar Shave Club additional systems, accounts, personal information or financial information were affected.","Security Breach Letter","https://oag.ca.gov/system/files/California%20-%20Data%20Incident%20Consumer%20Notification_0.pdf","2018","37.090240","-95.712891" "April 11, 2018","City of Thousand Oaks","","California","HACK","GOV","0","On Feb 28, 2018, City of Thousand Oaks Financial Department learned that an unauthorized individual may have gained access to the computer used by the City's vendor to process credit card transactions. During the incident, information entered into the City of Thousand Oaks' online payment system (Click2Gov) between Jan 4 and Jan 10 may have been accessed. This information may have included name, payment card number and expiration date.","Security Breach Letter","https://oag.ca.gov/system/files/CA%20Letter_City%20of%20Thousand%20Oaks_0.pdf","2018","37.090240","-95.712891" "March 30, 2018","Santa Cruz Biotechnology, Inc. ","","California","PHYS","MED","2,657","On Monday, December 18, 2017, Santa Cruz Biotechnology, Inc. discovered a burglary had occurred in the Santa Cruz office on or around December 17, 2017. 
As a result of an investigation, they determined that two computers were stolen, both of which were used for HR functions, one of which contained information on consumers, including their full name, postal address, date of birth, social security number, and medical and health insurance information.","Security Breach Letter","https://oag.ca.gov/system/files/TEMPLATE_Santa_Cruz_Biotechnology_Consumer_Notification__Mar__30__2018__0.pdf","2017","37.090240","-95.712891" "May 25, 2018","The Trustees of Purdue University","","Indiana","HACK","EDU","1,711","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 21, 2018","Echo Canyon Healthcare, Incorporated dba Heritage Court Post Acute of Scottsdale","","Arizona","PHYS","MED","1,765","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 18, 2018","Holland Eye Surgery and Laser Center","","Michigan","HACK","MED","42,200","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 18, 2018","Associates in Psychiatry and Psychology","","Minnesota","HACK","MED","6,546","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 17, 2018","Hancock County Board of Developmental Disabilities","","Ohio","DISC","MED","607","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 15, 2018","LifeBridge Health, Inc","","Maryland","HACK","MED","538,127","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 14, 2018","OrthoWest, Ltd.","","Ohio","DISC","MED","2,300","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 11, 2018","New York City Human Resources Administration/Department of Social Services","","New York","DISC","MED","2,078","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 11, 2018","Capitol Administrators, Inc","","California","HACK","MED","1,733","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 10, 2018","Dignity Health St. Rose Dominican Hospitals - San Martin","","Nevada","DISC","MED","1,764","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 10, 2018","Dignity Health St. Rose Dominican Hospitals - Siena","","Nevada","DISC","MED","2,098","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 10, 2018","Dignity Health St. 
Rose Dominican Hospitals-DeLIma","","Nevada","DISC","MED","2,174","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 9, 2018","Cambridge Dental Consulting Group","","Nevada","DISC","MED","3,758","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 8, 2018","USACS Management Group, Ltd.","","Ohio","HACK","MED","15,552","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 8, 2018","The Oregon Clinic, P.C. (“The Oregon Clinic”)","","Oregon","HACK","MED","64,487","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 8, 2018","Cerebral Palsy Research Foundation of Kansas, Inc.","","Kansas","DISC","MED","8,300","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 7, 2018","Baptist Health","","Arkansas","DISC","MED","3,453","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 4, 2018","baystate family dental inc","","Massachusetts","PHYS","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 3, 2018","Florida Hospital ","","Florida","HACK","MED","12,724","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 30, 2018","Complete Family Medicine, LLC","","Nebraska","PHYS","MED","1,331","Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 30, 2018","Medical Center Ophthalmology Associates","","Texas","DISC","MED","3,017","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","Walgreen Co.","","Illinois","PHYS","MED","703","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","Knoxville Heart Group, Inc.","","Tennessee","HACK","MED","15,995","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","MedWatch LLC","","Florida","DISC","MED","40,621","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","Eye Care Surgery Center, Inc. 
","","Louisiana","PHYS","MED","2,553","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 27, 2018","Tiger Vision, LLC","","Louisiana","PHYS","MED","2,553","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 26, 2018","Carolina Digestive Health Associates, PA","","North Carolina","DISC","MED","10,988","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 26, 2018","CareFirst BlueCross BlueShield","","Maryland","HACK","MED","6,200","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 26, 2018","Illinois Department of Healthcare and Family Services","","Illinois","DISC","MED","8,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 24, 2018","Scenic Bluffs Health Center Inc","","Wisconsin","HACK","MED","2,889","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 11, 2018","Atchison Hospital Association","","Kansas","HACK","MED","667","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 10, 2018","Henry Ford Health System","","Michigan","PHYS","MED","1,658","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "April 10, 2018","ViaTech Publishing Solutions, Inc.","","Minnesota","DISC","MED","2,431","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 23, 2018","California Department of Public Health","","California","PHYS","GOV","500","A CDPH Contractor who performs health facilities inspections on behalf of the department's vehicle was broken into and some documents and a laptop were stolen. Information included on the laptop included first and last name, date of birth, social security number, address, diagnoses and other health information, health insurance information and demographic information. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. 
","Security Breach Letter","https://oag.ca.gov/system/files/Sample%20CDPH%20Breach%20Notification%20Letter_5_23_18_0.pdf","2018","37.090240","-95.712891" "May 22, 2018","Golden 1 Credit Union","","California","HACK","BSF","500","** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Security Breach Letter","https://oag.ca.gov/system/files/Sample%20Notice%20of%20Data%20Breach_0.pdf","2018","37.090240","-95.712891" "May 22, 2018","Muir Medical Group, IPA. Inc.","","California","PHYS","MED","500","What happened? On March 7, 2018, Muir discovered that a former employee of Muir IPA took with her certain information in the possession of Muir IPA before her employment ended with Muir IPA in December 2017. What information was involved? 
The information taken by Muir IPA’s former employee may have included your personal information, including demographic information (such as your name, address, email address, telephone number, date of birth, and Social Security number to the extent your Medicare number is derived from your Social Security number), insurance information (such as your health insurance plan name and health insurance identification number), and clinical information (such as your diagnoses, test results, medication information, and other treatment information in Muir IPA’s possession) ** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Security Breach Letter","https://oag.ca.gov/system/files/Patient%20Notice%20Template%20%28002%29_0.PDF","2017","37.090240","-95.712891" "June 1, 2018","Worldwide Services Insurance Agency, LLC","","","HACK","MED","500","Worldwide Services Insurance Agency, LLC determined that an unauthorized party obtained credentials to two employees’ email accounts through a phishing email scheme. Their investigation determined that unauthorized access to those email accounts could have occurred between the dates of October 11, 2017 and October 13, 2017. 
As a result, the unauthorized party may have viewed or accessed emails in one employee’s email account that contained information provided to them in connection with your international health insurance plan. ** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Security Breach Letter","https://oag.ca.gov/system/files/GeoBlue%20Adult%20CM_0.pdf","2018","37.090240","-95.712891" "May 18, 2018","Bombas, LLC","","California","HACK","BSO","41,000","Bombas sells socks online using an outside vendor to develop and manage their website and a third party e-commerce platform for purchases. Malware in the code of the e-commerce platform was identified and initially removed from their website on January 15, 2015, and then finally removed on February 9, 2015. 
They cannot determine which transactions were impacted, and are sending notice to all of the approximately 41,000 customers who made a credit card purchase on the website during the period the malware may have existed, essentially from the date of launch of the website, September 1, 2013, until the day the identified malware was finally removed. What Information was Involved? The data accessed may have included personal information such as name, address, and credit card information.","Security Breach Letter","https://oag.ca.gov/system/files/Bombas%20Ad%20r4prf%20%28002%29_0.pdf","2018","37.090240","-95.712891" "May 17, 2018","Black Phoenix, Inc","","California","HACK","BSO","500","See security breach letter for more information. ** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Security Breach Letter","https://oag.ca.gov/system/files/NOTICE%20OF%20DATA%20BREACH%20-%20BP_0.pdf","2018","37.090240","-95.712891" "May 16, 2018","Providence Saint John's Health Center","","California","HACK","MED","500","For more information, see the security breach letter sent to the California Attorney General's Office. ** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General. Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Security Breach Letter","https://oag.ca.gov/system/files/Nuance%20PSJH%20Notification%20Letter_0.pdf","2017","37.090240","-95.712891" "June 1, 2018","Farmgirl Flowers, Inc.","","California","HACK","BSR","1,870","For more information, see the security breach letter submitted to the California Attorney General. ","Security Breach Letter","https://oag.ca.gov/system/files/Farmgirl%20Breach%20Notice%20Sample_3.pdf","2018","37.090240","-95.712891" "May 24, 2018","T-Mobile","","","DISC","BSR","74,000,000","ZDNet's Zach Whittaker reports: ""A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number. The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address. . . . The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. 
The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended. The data also included references to account PINs used by customers as a security question when contacting phone support."" T-Mobile had 74 million customers. Though it is unknown how many records were stolen or inappropriately accessed, reportedly all 74 million customers records were inappropriately exposed.","Media","https://www.zdnet.com/article/tmobile-bug-let-anyone-see-any-customers-account-details/","2018","37.090240","-95.712891" "June 1, 2018","PumpUp, inc.","","Ontario","DISC","BSR","6,000,000","ZDNet's Zach Whittaker reports: ""A popular fitness app that claims over six million users was leaking private and sensitive data, including health information and private messages sent between users. PumpUp, an Ontario-based company, bills itself as a fitness community, allowing subscribers to discover new workouts and record their results, and get advice from fitness coaches and other users. But the company left a core backend server, hosted on Amazon's cloud, exposed without a password, allowing anyone to see who was signing on and who was sending messages -- and their contents -- in real-time. . . . Each time a user sent a message to another user, the app exposed user profile data -- and the private contents of that message. The exposed data included email addresses, dates of birth, gender, and the city or town of the user's location and timezone. 
The data also included the user's app bio, workout and activity goals, and users' full resolution profile photos, who a user has blocked, and if the user has rated the app. The app also exposed user-submitted health information -- such as height, weight, and other data points, like caffeine and alcohol consumption, smoking frequency, health concerns, medications, and injuries. Also included in the exposed data was device data, such as iOS and Android advertiser identifiers, users' IP addresses, and session tokens for the app which could be used to gain access to a user's account without needing their password. Users who signed in using Facebook also had their access tokens exposed, putting their Facebook account at risk. In some cases, we also found unencrypted credit card data -- including card numbers, expiry dates, and card verification values ","Media","https://www.zdnet.com/article/fitness-app-pumpup-leaked-health-data-private-messages/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem%3A%20Trending%20Content&utm_content=5b1197bf04d3013c47cffb9f&utm_medium=trueAnthem&utm_source=twitter","2018","36.778261","-119.417932" "June 7, 2018","RISE Wisconsin, Inc.","","Wisconsin","HACK","MED","3,731","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 2, 2018","University of Utah Health","","Utah","PHYS","EDU","607","Location of breached information: Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 1, 2018","Capitol Anesthesiology Association","","Texas","HACK","MED","2,231","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 31, 2018","Dignity Health","","California","DISC","MED","55,947","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 30, 2018","Dino-Peds","","Colorado","DISC","MED","1,357","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 29, 2018","Aflac","","Georgia","HACK","MED","10,396","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 25, 2018","Care Partners Hospice and Palliative Care","","Oregon","HACK","MED","600","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 25, 2018","Aultman Hospital","","Ohio","HACK","MED","42,625","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 25, 2018","BioIQ Inc.","","California","DISC","MED","4,059","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 12, 2018","Ticketfly","San Francisco","California","HACK","BSR","27,000,000","Ticketfly was the target of a malicious cyber attack, and user information names, addresses, email addresses and phone numbers 
connected to approximately 27 million Ticketfly accounts was accessed. Third-party forensic cybersecurity experts can now confirm that credit and debit card information was not accessed","Media","https://support.ticketfly.com/customer/en/portal/articles/2941983-ticketfly-cyber-incident-update","2018","37.774930","-122.419416" "June 4, 2018","MyHeritage","","","DISC","BSO","92,283,900","According to MyHeritage's statement, published on June 4, 2018:[On] June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach.. . .We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. 
We have no reason to believe those systems have been compromised.","Media","https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/","2018","0.000000","0.000000" "June 12, 2018","PageUp","","","HACK","BSO","2,000,000","TechRadar reports:PageUp, an Australia-based software company, has revealed that its IT systems were breached in late May of this year, potentially compromising the personal data of over two million customers worldwide.The company is responsible for producing cloud-based HR software for recruitment companies across 190 countries, including the US, UK, Australia and Singapore, which is used to manage employment within many major companies.While the full extent of the breach is yet to be revealed, data such as bank details, personal information and Australian tax file numbers was stored on the IT system that experienced the malware. PageUp is an Australian company but multiple colleges and universities in the United States use PageUp for their recruitment and onboarding software. This includes Swarthmore College, University of Wisconsin Oshkosh, Mississippi State University, University of Massachusetts, Kansas State, Bucknell University, Colorado School of Mines, and Rollins college - according to PageUp's Testimonials page. 
","Media","https://www.techradar.com/news/over-2-million-jobseekers-potentially-exposed-in-global-pageup-data-breach","2018","0.000000","0.000000" "June 12, 2018","Terros Health","Phoenix","Arizona","DISC","MED","1,600","ABC15 Arizona reports:Officials with Terros Health say a data breach has possibly compromised personal information of more than one thousand of its patients.In a news release Friday, June 8, the company says it mailed letters to 1,600 people whose information may have been accessed by an unauthorized third party.Patients' name, date of birth, physical and email address, diagnosis, medical records number and ""other protected health information"" may have been exposed.Nearly all of those potentially impacted by the breach received treatment at the clinic near 23rd and Dunlap avenues in Phoenix. Additionally, the company said 1,241 of the 1,600 patients may have only had their name and birthday disclosed.","Media","https://www.abc15.com/news/region-phoenix-metro/central-phoenix/terros-health-data-breach-1600-patients-potentially-impacted","2018","33.448377","-112.074037" "June 12, 2018","Nuance Communications","","California","INSD","BSO","45,000","Bank Info Security reports:Nuance Communications, which specializes in speech recognition software, says an unauthorized third party accessed one of its medical transcription platforms, exposing 45,000 individuals' records.See Also: Matching Application Security to Business NeedsSo far, it appears only one of its customers, the San Francisco Department of Health, has reached out to affected patients.. . . .Breach victims include patients who visited Zuckerberg San Francisco General Hospital and Laguna Honda Hospital. 
The health department says in a news release that it delayed notifying patients at the request of the FBI and Justice Department, which have been investigating the breach. Their investigation ""determined that a former Nuance employee breached Nuance's servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health,"" the department says. ","Media","https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002","2018","37.090240","-95.712891" "June 12, 2018","Facebook, inc.","San Francisco","California","DISC","BSR","3,000,000","New Scientist reports: Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found. Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy. The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously, however such poor precautions were taken that deanonymising would not be hard. . . . Facebook suspended myPersonality from its platform on 7 April saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared. More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. 
The terms allow the myPersonality team to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user”. To get access to the full data set people had to register as a collaborator to the project. More than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo. . . . For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people. . . . Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymising the data can be done very easily. 
“You could re-identify someone online from a status update, gender and date,” says Dixon.","Media","https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/","2018","37.774930","-122.419416" "May 17, 2018","211 LA County","Los Angeles","California","DISC","NGO","3,500,000","Los Angeles Times reports:The nonprofit organization that operates Los Angeles County's social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse.. . . .It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county's 211 hotline.. . . . .Chris Vickery, director of UpGuard's cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server.The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016.In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. 
The firm provided The Times with screen shots of redacted records to document its discovery.","Media","http://www.latimes.com/local/lanow/la-me-ln-211-data-20180515-story.html","2018","34.052234","-118.243685" "June 12, 2018","University at Buffalo","Buffalo","New York","HACK","EDU","2,500","WIVB4 is reporting: University at Buffalo leaders, along with their security team, are investigating a data breach of external third-party accounts. They say it's affected more than 25-hundred accounts campus wide. About 18-hundred of those are student accounts. . . . Affected accounts: 28 faculty and staff accounts; 862 alumni accounts; 1,800 student accounts","Media","http://www.wivb.com/news/local-news/thousands-of-ub-logins-stolen-in-third-party-data-breach/1188486364","2018","0.000000","0.000000" "May 20, 2018","TeenSafe","Los Angeles","California","DISC","BSR","10,200","ZDNet's Zack Whittaker reports: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a ""secure"" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn't require parents to obtain the consent of their children. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password. . . . The database stores the parent's email address associated with TeenSafe, as well as their corresponding child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. 
Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data. None of the records contained content data, such as photos or messages, or the locations of either parents or children. The data also contained error messages associated with a failed account action, such as if a parent looking up a child's real-time location didn't complete. Shortly before the server went offline, there were at least 10,200 records from the past three months containing customers data -- but some are duplicates. TeenSafe claims to have over a million parents using the service.","Media","https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/","2018","34.052234","-118.243685" "June 15, 2018","Dean Health Plan","","Wisconsin","DISC","MED","1,311","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 12, 2018","HealthEquity, Inc.","","Utah","HACK","MED","16,000","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 8, 2018","New England Baptist Health","","Massachusetts","DISC","MED","7,582","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 8, 2018","Massac County Surgery Center dba Orthopaedic Institute Surgery Center","","Illinois","HACK","MED","2,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 7, 2018","Benefit Outsourcing Solutions","","Michigan","DISC","MED","1,144","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 1, 2018","Florida Agency for Persons with Disabilities","","Florida","DISC","MED","1,951","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 1, 2018","SimplyWell","","Texas","DISC","MED","597","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 27, 2018","Children's Mercy Hospital","","Missouri","DISC","MED","1,463","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 25, 2018","University of Michigan/Michigan Medicine","Ann Arbor","Michigan","PHYS","EDU","871","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "June 25, 2018","Progressions Behavioral Health Services, Inc.","","Pennsylvania","HACK","MED","1,303","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 22, 2018","InfuSystem, Inc.","","Michigan","HACK","MED","3,882","Location of breached information: Email Business associate 
present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 22, 2018","VA Long Beach Healthcare System","","California","DISC","MED","1,030","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 19, 2018","Peter J Parker, M.D., Inc.","","California","DISC","MED","628","Location of breached information: Electronic Medical Record Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 16, 2018","David S. Ng, O.D.","","California","PHYS","MED","758","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 15, 2018","New Jersey Department of Human Services","","New Jersey","DISC","MED","1,263","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 15, 2018","CHRISTUS Spohn Hospital Corpus Christi-Shoreline","","Texas","PHYS","MED","1,805","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 14, 2018","Gwenn S Robinson MD","","New Mexico","HACK","MED","2,500","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 14, 
2018","Med Associates, Inc.","","New York","HACK","MED","276,057","Location of breached information: Desktop Computer Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 13, 2018","Black River Medical Center","","Missouri","HACK","MED","13,443","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 13, 2018","WellCare Health Plans, Inc.","","Florida","DISC","MED","1,101","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 13, 2018","Kelley Imaging Systems","","Washington","HACK","MED","627","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 11, 2018","Denise M. Bowden, LAc","","California","PHYS","MED","538","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 10, 2018","Healthland Inc.","","Minnesota","DISC","MED","614","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 28, 2018","Adidas","","California","HACK","BSR","2,000,000","The athletic-wear company alerted customers on Thursday about a possible data breach on its U.S. website. 
A preliminary investigation found the leaked data includes contact information, usernames and encrypted passwords, the company said in a statement. Adidas said it does not believe any credit card or health and fitness information was compromised.“We are alerting certain consumers who purchased on adidas.com/US about a potential data security incident. At this time this is a few million consumers,” a spokeswoman said in an email. ","Media","https://www.digitalcommerce360.com/2018/07/02/adidas-suffers-data-breach-with-millions-of-customers-potentially-at-risk/","2018","37.090240","-95.712891" "July 3, 2018","Exactis","Palm Coast","Florida","DISC","BSO","340,000,000","According to Wired, ""Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.""It seems like this is a database with pretty much every US citizen in it,"" says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. 
""I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,"" he says.""Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. WIRED independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate."" ","Media","https://www.wired.com/story/exactis-database-leak-340-million-records/","2018","29.584452","-81.207870" "June 22, 2018","PDQ Restuarants ","Tampa","Florida","HACK","BSR","0","According to PDQ, ""We have been the target of a cyber-attack.  An unauthorized person (hacker) exploited part of our computer related system and accessed and or acquired personal information from some of our customers. We believe the attacker gained entry through an outside technology vendor’s remote connection tool. Based on an investigation, the unauthorized access and or acquisition occurred from May 19, 2017 – April 20, 2018 (breach time period). We learned on June 8, 2018 that credit card information and or some names may have been hacked.All PDQ locations in operation during some or all of the breach time period, May 19, 2017 – April 20, 2018, were affected. However, the following locations were not affected: Tampa International Airport location at 4100 George J Bean Pkwy, Tampa, FL 33607, Amalie Arena location at 401 Channelside Drive, Tampa, FL 33602, and PNC Arena location at 1400 Edwards Mill Road, Raleigh, NC 27607The information accessed and or acquired included some or all of the following: names, credit card numbers, expiration dates, and cardholder verification value. 
However, it should be noted that the cardholder verification value that may have been accessed or acquired is not the same as the security code printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or printed on the front of other payment cards (e.g., American Express). Based on the nature of the breach, it was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during the breach time period.","Media","https://www.eatpdq.com/promos/news/2018/06/22/guestinfo","2018","27.950575","-82.457178" "July 3, 2018","Advanced Law Enforcement Rapid Response Training, Texas State University","San Marcos","Texas","DISC","EDU","50,000","According to ZDNet, ""A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned.The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.. . . 
.The database contained thousands of personal data records, including law enforcement officer's work contact information, with many of the records listing personal email addresses, work addresses, and cell numbers.Officials from the FBI, Customs and Border Protection (CBP), and the US Border Patrol were listed in the database.In another table, some 65,000 officers who had taken an ALERRT course and provided feedback had their full name and zip code exposed.Another table listed detailed histories on instructors, including their skills and training, while another contained the names of more than 17,000 instructors.Another table contained 51,345 sets of geolocation coordinates of schools, courts, police departments, and government buildings, like city halls and administrative offices. The data also included places of interest, such as where people gather -- like universities and malls. The list also contained, in some cases, police officers' home addresses. We confirmed this using Google's Street View, which in several cases revealed marked police vehicles outside the residence.Many of the emails contained or asked for sensitive data. Password reset emails would often ask users for their date of birth or the last four digits of their Social Security number for their profile. 
It's not clear why this data was needed, or if it was stored in another database.Other emails informed law enforcement staff of successful enrollment in classes, which contained names, email addresses, phone numbers, the course they were taking, and where and when the course was offered.That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.""** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available.If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. ","Media","https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/","2018","0.000000","0.000000" "June 27, 2018","NameTests","","California","DISC","BSR","120,000,000","According to a post on Medium by the security researcher that discovered the flaw, Inti De Ceukelaire, ""Nametests.com, the website behind the quizzes, recently fixed a flaw that publicly exposed information of their more than 120 million monthly users — even after they deleted the app. . . .Who was affected?According to Facebook, NameTests has more than 120 million active monthly users. I have no insights in how many users have given their data to the app since their launch early 2015. 
It is important to note that if this flaw was ever abused, only the users that actually visited the attacker’s website would have their data leaked to the attacker.What Data could have been leaked?Depending on what quizzes you took, the javascript could leak your facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.What data could have been leaked after the app was deleted?If you ever took a quiz and removed the app afterwards, external websites would still be able to read your facebook id, first name, last name, language, gender, date of birth. You could have only prevented this from happening if you manually deleted your cookies, as the website does not offer a logout functionality."" ","Media","https://medium.com/@intideceukelaire/this-popular-facebook-app-publicly-exposed-your-data-for-years-12483418eff8","2017","37.090240","-95.712891" "July 6, 2018","VCU Health System ","","Virginia","DISC","MED","4,686","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 3, 2018","Home for Little Wanderers","","Massachusetts","DISC","MED","861","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 3, 2018","Physician Associates, LLC","","Florida","DISC","MED","710","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 2, 2018","Advanced Orthopedic Center","","Florida","HACK","MED","1,647","Location of breached 
information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 29, 2018","Planned Parenthood of the Heartland","","Iowa","DISC","MED","515","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 29, 2018","Arkansas Children's Hospital","","Arkansas","DISC","MED","4,521","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 28, 2018","Associated Dermatology & Skin Cancer Clinic of Helena, PC","","Montana","PHYS","MED","1,254","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 25, 2018","San Francisco Department of Public Health","","California","DISC","MED","900","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 19, 2018","Family Healthcare of Lake Norman","","North Carolina","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 5, 2018","Terros Incorporated","","Arizona","HACK","MED","1,618","Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 31, 2018","The University of Texas MD Anderson Cancer Center","","Texas","DISC","EDU","1,266","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 22, 2018","MSK Group","","Tennessee","HACK","MED","566,236","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 22, 2018","Muir Medical Group, IPA, Inc.","","California","DISC","MED","5,485","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 21, 2018","Elmcroft Senior Living, Inc.","","Texas","HACK","MED","10,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 18, 2018","UT Physicians","","Texas","DISC","MED","2,793","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 9, 2018","Boys Town National Research Hospital","","Nebraska","HACK","MED","2,182","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "May 4, 2018","Baystate Family Dental, Inc.","","Massachusetts","PHYS","MED","500","Location of breached information: Paper/Films Business 
associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "March 1, 2018","Esther V. Rettig, M.D., P.A.","","Kansas","HACK","MED","13,500","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "February 27, 2018","Artesia General Hospital","","New Mexico","HACK","MED","864","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "January 31, 2018","Children's Mercy Hospital","","Missouri","HACK","MED","63,049","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 28, 2017","Miracle-Ear, Inc. 
and Amplifon (USA), Inc.","","Minnesota","HACK","MED","554","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 27, 2017","Colorado Department of Human Services","","Colorado","HACK","MED","639","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 26, 2017","Blue Cross Blue Shield of Massachusetts","","Massachusetts","DISC","MED","1,843","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 22, 2017","SAY San Diego","","California","PHYS","MED","1,272","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 20, 2017","BEE Reno Dental, LLC","","Nevada","HACK","MED","3,898","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 7, 2017","Columbus Surgery Center, LLC ","","Nebraska","HACK","MED","7,221","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 7, 2017","Eye Physicians, P.C.","","Nebraska","HACK","MED","2,620","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 4, 2017","Golden Rule Insurance Company","","Indiana","DISC","MED","9,305","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "December 1, 2017","Henry Ford Health System","","Michigan","PHYS","MED","43,563","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 17, 2017","Metrocare Services","","Texas","HACK","MED","500","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 16, 2017","Washington State Department of Social and Health Services","","Washington","DISC","MED","515","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 8, 2017","The Center For Health Care Services ","","Texas","PHYS","MED","501","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 8, 2017","Aetna Inc.","","Connecticut","DISC","MED","1,600","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 3, 2017","Indiana University Health","","Indiana","PHYS","EDU","1,399","Location of breached information: 
Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "November 3, 2017","Shop-Rite Supermarkets, Incorporated","","New York","PHYS","MED","12,172","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "October 13, 2017","Martinsville Henry County Coalition for Health and Wellness","","Virginia","PHYS","MED","5,806","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "October 9, 2017","Lifestyle Therapy & Coaching","","Alabama","DISC","MED","550","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "October 6, 2017","John Hancock Life Insurance Company (U.S.A.)","","Massachusetts","HACK","MED","1,715","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 29, 2017","Amida Care","","New York","DISC","MED","6,231","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 29, 2017","Briggs & Stratton Corporation","","Wisconsin","HACK","MED","12,789","Location of breached information: Desktop Computer, Laptop, Network Server Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 28, 2017","Riaz Baber, M.D., S.C.","","Illinois","DISC","MED","10,500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 27, 2017","Advanced Spine & Pain Center","","Texas","HACK","MED","8,352","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 26, 2017","Patients Choice","","Texas","HACK","MED","1,069","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 25, 2017","Houston Methodist Hospital","","Texas","DISC","MED","1,359","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 24, 2017","Arkansas Oral & Facial Surgery Center ","","Arkansas","HACK","MED","128,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 20, 2017","Mercy Health Love County Hospital and Clinic ","","Oklahoma","PHYS","MED","13,004","Location of breached information: Laptop, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 19, 
2017","PeaceHealth","","Washington","DISC","MED","1,969","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 18, 2017","MN Urology","","Minnesota","DISC","MED","939","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 18, 2017","W. W. Grainger, Inc.","","Illinois","PHYS","MED","1,594","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 18, 2017","Urological Associates of Central Jersey P.A.","","New Jersey","HACK","MED","1,800","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 15, 2017","AU Medical Center, Inc.","","Georgia","HACK","MED","6,109","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 15, 2017","Arkansas Department of Human Services","","Arkansas","DISC","MED","26,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 12, 2017","Indiana Health Centers, Inc.","","Indiana","PHYS","MED","1,697","Location of breached information: Desktop Computer, Laptop Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "September 7, 2017","Department of Human Services, Commonwealth of Pennsylvania","","Pennsylvania","DISC","MED","517","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 21, 2017","Feinstein and Roe Mds Inc.","","California","HACK","MED","6,642","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 16, 2017","Salina Family Healthcare Center","","Kansas","HACK","MED","77,337","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 14, 2017","TRUEbenefits LLC","","Washington","HACK","MED","17,309","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 11, 2017","MJHS Home Care","","New York","HACK","MED","6,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 11, 2017","Silver Cross Hospital","","Illinois","DISC","MED","8,862","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 8, 2017","National DCP Health Plan 
","","Georgia","HACK","MED","1,190","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 5, 2017","Elderplan, Inc. ","","New York","HACK","MED","22,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 3, 2017","Spectrum Health System","","Michigan","PHYS","MED","902","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 2, 2017","Bluetail Medical Group","","Missouri","HACK","MED","11,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 1, 2017","Daniel Drake Center for Post-Acute Care","","Ohio","DISC","MED","4,721","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 27, 2017","Plastic Surgery Associates of South Dakota","","South Dakota","HACK","MED","10,229","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 24, 2017","Anthem, Inc.","","Indiana","DISC","MED","18,580","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 21, 2017","BlueCross BlueShield of TN, Inc.","","Tennessee","DISC","MED","2,117","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 21, 2017","Kaleida Health","","New York","HACK","MED","2,789","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 20, 2017","Vision Care Specialists, Inc.","","Colorado","PHYS","MED","703","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "July 19, 2017","Metropolitan Life Insurance Company","","New York","DISC","MED","4,220","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 27, 2017","GI Care for Kids Endoscopy Center","","Georgia","HACK","MED","1,700","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 26, 2017","Henry Ford Health System","","Michigan","PHYS","MED","596","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 23, 2017","Southern Illinois Hospital Services","","Illinois","DISC","MED","613","Location of breached information: Network Server 
Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 23, 2017","Pharma Medica Research Inc.","","Missouri","DISC","MED","2,718","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 21, 2017","Adams Industries, Inc.","","Nebraska","HACK","MED","647","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "June 12, 2017","Cove Family and Sports Medicine, LLC","","Alabama","HACK","MED","4,300","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "May 5, 2017","Blue Cross and Blue Shield of Kansas City","","Missouri","DISC","MED","725","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "April 14, 2017","BioReference Laboratories, Inc.","","New Jersey","PHYS","MED","1,772","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "March 10, 2017","Metropolitan Urology Group","","Wisconsin","HACK","MED","17,634","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "February 24, 2017","Vanderbilt 
University Medical Center","","Tennessee","DISC","EDU","3,247","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "February 21, 2017","Emory Healthcare ","","Georgia","HACK","MED","79,930","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "January 16, 2017","St. Luke's Medical Center","","North Dakota","HACK","MED","600","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","37.090240","-95.712891" "August 3, 2016","Banner Health","","Arizona","HACK","MED","3,620,000","Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2016","37.090240","-95.712891" "July 17, 2018","Ruben U. 
Carvajal, MD","","New York","HACK","MED","3,775","Location of breached information: Desktop Computer, Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 13, 2018","Rocky Mountain Health Care Services","","Colorado","PHYS","MED","1,087","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 13, 2018","Central New York Cardiology","","New York","PHYS","MED","824","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 13, 2018","Billings Clinic","","Montana","HACK","MED","8,435","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 13, 2018","New England Dermatology, P.C.","","Massachusetts","PHYS","MED","16,154","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 10, 2018","MedEvolve","","Arkansas","DISC","MED","205,434","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 9, 2018","GOLDEN HEART ADMINISTRATIVE PROFESSIONALS","","Alaska","HACK","MED","44,600","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 6, 2018","The Terteling Co., Inc., Group Benefit Plan ","","Idaho","HACK","MED","4,824","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 6, 2018","Overlake arthritis and Osteoporosis Center","","Washington","HACK","MED","627","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "July 5, 2018","Health Alliance Plan","","Michigan","HACK","MED","2,814","Location of breached information: Desktop Computer, Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 29, 2018","Hunt Memorial Hospital District","","Texas","DISC","MED","1,887","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 26, 2018","Community Cancer Center","","Illinois","HACK","MED","500","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "June 15, 2018","Central christian college of kansas","McPherson","Kansas","UNKN","EDU","631","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "June 7, 2018","Erpiron ore llc","","","UNKN","UNKN","700","Information on this security 
breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2015","0.000000","0.000000" "July 17, 2018","Physicians home care","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 2018","Indiana bureauof motor vehicles","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 2018","Pinnacle trailer sales inc","","","UNKN","UNKN","1,215","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 2018","Platinum partners credit opportunities master fund l p","","","UNKN","UNKN","77","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 2018","The cityof bozeman montana","","","UNKN","UNKN","2,962","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 13, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 13, 2018","Purdue university","West Lafayette","Indiana","UNKN","EDU","26,598","Information on this security breach is provided by the Office of the Indiana 
Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 13, 2018","Sanford heisler sharp","","","UNKN","UNKN","413","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 11, 2018","The fruitful yield inc","","","UNKN","UNKN","632","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 11, 2018","Tommie copper inc","","","UNKN","UNKN","28,437","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 9, 2018","Fidelity national financialonbehalfof chicago title company llc","","","UNKN","BSF","","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 9, 2018","Jewish federationof cincinnati","","","UNKN","UNKN","812","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 9, 2018","Life span inc","","","UNKN","UNKN","91","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 9, 2018","S j gorowitz accountingand tax services p c","","","UNKN","UNKN","513","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 6, 2018","Career technology centersof licking county","","","UNKN","UNKN","9,578","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 6, 2018","Coty inc","","","UNKN","UNKN","4,753","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 6, 2018","Lipscomb pitts insurance llc","","","UNKN","UNKN","457","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 6, 2018","The international mission board","","","UNKN","UNKN","187,749","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 5, 2018","The information and referral federation of los angeles county, inc. 
dba 211 l a county","","","UNKN","UNKN","26,678","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 3, 2018","Macys inc","","","UNKN","UNKN","162,507","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 3, 2018","Naviaux dubow harris llc","","","UNKN","UNKN","325","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 2, 2018","Franciscan health indianapolis","","","UNKN","UNKN","4","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2013","0.000000","0.000000" "August 7, 2018","InterAct of Michigan, Inc.","","Michigan","HACK","MED","1,290","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 3, 2018","Don White, RN, DC, PC dba Canyon Rd Chiropractic and Massage","","Oregon","HACK","MED","2,900","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 3, 2018","Kaiser Foundation Health Plan of Colorado","","Colorado","DISC","MED","900","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 1, 2018","Southwestern Eye 
Center","","Arizona","DISC","MED","667","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 30, 2018","SSM Health St. Mary's Hospital - Jefferson City","","Missouri","PHYS","MED","301,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 27, 2018","Confluence Health","","Washington","HACK","MED","33,821","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 27, 2018","Ambercare Corporation, Inc.","","New Mexico","PHYS","MED","2,284","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 27, 2018","Longwood Orthopedic Associates, Inc.","","Massachusetts","DISC","MED","10,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","Institute on Aging","","California","HACK","MED","3,907","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","Boys Town National Research Hospital","","Nebraska","HACK","MED","105,309","Location of breached information: Email Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","NorthStar Anesthesia","","Texas","HACK","MED","19,807","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","MedSpring of Texas, PA","","Texas","HACK","MED","13,034","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","StatCare Group LLC","","Maryland","HACK","MED","679","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 20, 2018","Orlando Orthopaedic Center","","Florida","DISC","MED","19,101","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 19, 2018","Fairbanks North Star Borough","","Alaska","HACK","BSF","6,346","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 19, 2018","Family Physicians of Old Town Fairfax PC ","","Virginia","HACK","MED","500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 16, 2018","Sunspire Health ","","New Jersey","HACK","MED","6,737","Location of breached information: Email Business associate present: No ","US Department of Health 
and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 16, 2018","PA Dept. of Human Services","","Pennsylvania","DISC","MED","2,130","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 13, 2018","Alive Hospice","","Tennessee","HACK","MED","1,868","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 13, 2018","Charles Cole Memorial Hospital","","Pennsylvania","HACK","MED","790","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 12, 2018","Midwestern Regional Medical Center, Inc.","","Illinois","DISC","MED","2,675","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 10, 2018","Blue Springs Family Care, P.C.","","Missouri","HACK","MED","44,979","Location of breached information: Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 1, 2018","Reliable Respiratory","","Massachusetts","HACK","MED","21,311","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 31, 2018","Carpenters Benefit Funds of Philadelphia","","Pennsylvania","HACK","MED","20,015","Location of breached 
information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 31, 2018","Hopebridge","","Indiana","HACK","MED","1,411","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 31, 2018","United Methodist Homes","","New York","DISC","MED","843","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 30, 2018","Greigh I. Hirata M.D. Inc, dba. Fetal Diagnostic Institute of the Pacific","","Hawaii","HACK","MED","40,800","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 30, 2018","South Alamo Medical Group P.A","","Texas","DISC","MED","2,180","Location of breached information: Electronic Medical Record, Email, Laptop, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 27, 2018","First coast podiatric surgery and wound","","Florida","DISC","MED","500","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 22, 2018","Family Medical Group Northeast PC","","Oregon","DISC","MED","2,077","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 20, 2018","Legacy Health","","Oregon","HACK","MED","38,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 17, 2018","Acadiana Computer Systems, Inc.","","Louisiana","HACK","MED","31,151","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 17, 2018","Chapman & Chapman, Inc.","","Ohio","HACK","MED","2,032","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 17, 2018","Monroe Operations, LLC d/b/a Newport Academy and Center for Families","","Tennessee","HACK","MED","1,165","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 17, 2018","Authentic Recovery Center, LLC","","California","HACK","MED","1,790","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 16, 2018","Wardell Orthopaedics, P.C.","","Virginia","DISC","MED","552","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 16, 2018","University Medical Center Physicians","","Texas","HACK","MED","18,500","Location of breached information: Email Business 
associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 16, 2018","AU Medical Center, INC","","Georgia","HACK","MED","417,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 10, 2018","Gordon Schanzlin New Vision Institute","","California","PHYS","MED","1,130","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 10, 2018","Wells Pharmacy Network","","Florida","DISC","MED","10,000","Location of breached information: Email, Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 9, 2018","Anne Arundel Dermatology, P.A.","","Maryland","PHYS","MED","1,310","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 5, 2018","Elkhart county prosecutor attorney office i v d child support","","","UNKN","UNKN","2","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "September 4, 2018","Franciscan health indianapolis","","","UNKN","UNKN","19","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "September 4, 2018","Indiana bureauof motor 
vehicles","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "September 1, 2018","Zurich american insurance company","","","UNKN","UNKN","789","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2013","0.000000","0.000000" "August 31, 2018","Academy mortgage corporation","","","UNKN","UNKN","357","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 31, 2018","North american risk services inc","","","UNKN","UNKN","2,693","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 28, 2018","Humana inc","","","UNKN","UNKN","287","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 28, 2018","Joint commission resources inc","","","UNKN","UNKN","191","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 28, 2018","Orrstown bank","","","UNKN","BSF","54,000","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "August 28, 2018","Sierra nevada brewing co","","","UNKN","UNKN","630","Information on this security breach is provided by the Office of 
the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 27, 2018","Affiliated service providersof indiana inc","","","UNKN","UNKN","25","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 26, 2018","TKC Holdings inc","","","UNKN","BSF","2,128","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 23, 2018","Tipmont REMC","","","UNKN","UNKN","8","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 22, 2018","Chipotle mexican grill inc","","","UNKN","UNKN","33","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 22, 2018","Health management concepts inc","","","UNKN","UNKN","2,583","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 22, 2018","Hoosier hills credit union","","","UNKN","UNKN","150","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 22, 2018","Redhorse corporation","","","UNKN","UNKN","73","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 21, 2018","Exam one","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 21, 2018","The conlan company","","","UNKN","UNKN","597","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 20, 2018","Munroand company inc","","","UNKN","UNKN","728","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 20, 2018","Whitmerand company c p as llp","","","UNKN","UNKN","653","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "August 17, 2018","Aetna inc","","","UNKN","UNKN","178","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 17, 2018","BMW Bank of North America","","","UNKN","BSF","54","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 17, 2018","Maestro health inc","","","UNKN","UNKN","57","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 17, 2018","Wiese USA 
Inc.","","","UNKN","UNKN","24","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 16, 2018","Chapmanand chapman inc","","","UNKN","UNKN","2,545","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 16, 2018","Mondelez global llc","","","UNKN","UNKN","105","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 15, 2018","Baptist health medical group","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 15, 2018","C n g financial corporation inc","","","UNKN","BSF","104,649","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 15, 2018","Cortland partners","","","UNKN","UNKN","588","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 15, 2018","Delicato vineyards","","","UNKN","UNKN","1,087","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 15, 2018","United services automobile association","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the 
Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 13, 2018","Departmentof child services","","","UNKN","UNKN","3","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 13, 2018","Franciscan ACO Inc.","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 13, 2018","Nekoosa coated products llc","","","UNKN","UNKN","720","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 10, 2018","CCRM San Francisco","","","UNKN","UNKN","366","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 9, 2018","Trinity college of nursing and health sciences","Rock Island","Illinois","UNKN","EDU","137","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 7, 2018","American institute of aeronautics and astronautics","","","UNKN","EDU","671","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 7, 2018","Hasbro inc","","","UNKN","UNKN","2,039","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "August 7, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","32","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 6, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 6, 2018","Feld entertainment inc","","","UNKN","UNKN","867","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 3, 2018","Austin foam plastics inc","","","UNKN","UNKN","66","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "August 3, 2018","Our honeymoon wishes inc","","","UNKN","UNKN","220","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 3, 2018","TCM Bank ","","","UNKN","BSF","9,549","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "August 3, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 2, 2018","Community rehabilitation hospital south","","","UNKN","UNKN","9","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 2, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","7","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 2, 2018","JE Sandifer financial consultants inc","","","UNKN","BSF","357","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "August 1, 2018","Doyleand associates p c","","","UNKN","UNKN","489","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 30, 2018","Bankof hope","","","UNKN","BSF","11,362","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 30, 2018","Healthand hospital corporationof marion county","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","Chosen healthcare","","","UNKN","UNKN","310","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","CVS health","","","UNKN","UNKN","12","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","Delta steel inc","","","UNKN","UNKN","443","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","Exam one","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","Paradigm equities inc","","","UNKN","UNKN","1,131","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 27, 2018","Sunspire health","","","UNKN","UNKN","6,737","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 26, 2018","Optoma technology inc","","","UNKN","UNKN","685","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 26, 2018","SVAM international inc","","","UNKN","UNKN","193","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 25, 2018","Welk resort group inc","","","UNKN","UNKN","1,464","Information on this 
security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 24, 2018","Indianapolis neighborhood housing partnership","","","UNKN","UNKN","5","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 24, 2018","Trade motion","","","UNKN","UNKN","81,782","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 23, 2018","Cityof midwest city oklahoma","","","UNKN","UNKN","4,559","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 23, 2018","Indiana bureauof motor vehicles","","","UNKN","UNKN","3","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 23, 2018","Moore stephens tiller llc","","","UNKN","UNKN","1,032","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 20, 2018","Boys town national research hospital","","","UNKN","UNKN","105,626","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 20, 2018","Guardian consumer service incdba pavaso inc","","","UNKN","UNKN","99","Information on this security breach is provided by the Office of the Indiana Attorney 
General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 20, 2018","Helly hansen AS","","","UNKN","UNKN","3,817","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 19, 2018","CBIZ MHM llc","","","UNKN","UNKN","1,246","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 19, 2018","Fairbanks north star borough","","","UNKN","BSF","6,346","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 19, 2018","L a fashion enterprise l t d","","","UNKN","UNKN","34,097","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 17, 2018","Automated pet care products inc","","","UNKN","UNKN","2,693","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 17, 2018","One main financial","","","UNKN","BSF","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 2018","Blue springs family care p c","","","UNKN","UNKN","44,977","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 16, 
2018","EBSCO sign group inc","","","UNKN","UNKN","871","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "July 13, 2018","Concannon miller and co p c","","","UNKN","UNKN","292","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 13, 2018","Plant therapy","","","UNKN","UNKN","13,927","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 13, 2018","Salin bank and trust company","","","UNKN","BSF","8","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 12, 2018","Heacock insurance group llc and heacock payroll llc","","","UNKN","UNKN","4,348","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "July 11, 2018","Schlage lock company llc","","","UNKN","UNKN","18","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "September 19, 2018","SaverSpy","","California","DISC","BSR","11,000,000","According to reporting by Catalin Cimpanu for ZDNet, ""On Monday, a security researcher specialized in finding exposed databases has identified an unsecured MongoDB server that was leaking the personal details of nearly 11 million users. 
The server appears to belong to an email marketing firm based in California. The data, contained in a 43.5GB dataset, included full names, email addresses, gender information, and physical addresses such as state, city, and ZIP code for 10,999,535 users. All email addresses contained in this database were Yahoo-based, suggesting this was only a small part of a larger dataset, most likely stored on multiple servers. . . . While initially it was not clear who was the owner of this database, one small suffix in several records --such as ""Content-SaverSpy-09092018""-- suggested this data may belong to a company named SaverSpy. Combining a simple Google search along with the nature of the user records found in the exposed database led both this reporter and Diachenko to believe the data belonged to SaverSpy.com, a daily deals website. The SaverSpy.com website claims to operate under the Coupons.com brand, but a Quotient spokesperson told ZDNet today that SaverSpy is only part of an affiliate program.""","Media","https://www.zdnet.com/article/mongodb-server-leaks-11-million-user-records-from-e-marketing-service/","2018","0.000000","0.000000" "September 20, 2018","Personal Assistance Services of Colorado, LLC","","Colorado","HACK","MED","1,839","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 19, 2018","Pulse Systems, Inc.","","Kansas","DISC","MED","722","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 18, 2018","Southwest Oregon IPA","","Oregon","DISC","MED","1,449","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 17, 2018","Independence Blue Cross, LLC","","Pennsylvania","DISC","MED","16,762","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 14, 2018","Guardant Health, Inc.","","California","HACK","MED","1,112","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 13, 2018","Blue Cross & Blue Shield of Rhode Island","","Rhode Island","DISC","MED","1,567","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 13, 2018","Leominster Dermatology LLP","","Massachusetts","DISC","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 10, 2018","Simonian Sports Medicine Clinic, A Medical Corporation","","California","DISC","MED","1,541","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 7, 2018","Ohio Living","","Ohio","HACK","MED","6,510","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 7, 2018","TMC HealthCare","","Arizona","DISC","MED","1,776","Location of breached 
information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 7, 2018","Rockdale Blackhawk, LLC d/b/a Little River Healthcare","","Texas","DISC","MED","1,494","Location of breached information: Electronic Medical Record, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 7, 2018","Boston Health Care for the Homeless Program","","Massachusetts","DISC","MED","861","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 7, 2018","Catholic Charities Neighborhood Services, Inc.","","New York","HACK","MED","565","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 28, 2018","Facebook, Inc.","","California","HACK","BSO","50,000,000","According to the New York Times, Facebook suffered an ""attack"" on their system that led to the exposure of information of 50,000,000 users. ""The company discovered the breach earlier this week, finding that attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. Facebook fixed the vulnerability and notified law enforcement officials. More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning, a common safety measure for compromised accounts. Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. 
The company is in the beginning stages of its investigation.""  ","Media","https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html","2018","0.000000","0.000000" "October 8, 2018","Alphabet, Inc. - Google+","","California","DISC","BSR","500,000","According to a press release, Alphabet Inc. is shutting down the social network Google+ following discovery of a bug affecting the profiles of nearly 500,000 users. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs: Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public. This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content. We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change. We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. 
Our analysis showed that up to 438 applications may have used this API. We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.","Media","https://www.blog.google/technology/safety-security/project-strobe/","2018","0.000000","0.000000" "October 1, 2018","Chegg","Santa Clara","California","HACK","EDU","40,000,000","According to a filing the company left with the SEC, Chegg, a technology giant specializing in textbook rental, has confirmed a data breach affecting some 40 million customers. Data exposed included usernames, email addresses, shipping addresses and hashed passwords. The company does not believe that financial data was taken.","Government Agency","https://www.sec.gov/Archives/edgar/data/1364954/000136495418000187/cyrus.htm","2018","0.000000","0.000000" "October 11, 2018","MindBody - FitMetrix","Atlanta","Georgia","DISC","BSR","113,500,000","As reported by TechCrunch: FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. . . . Last week, a security researcher found three FitMetrix unprotected servers leaking customer data. It isn’t known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September. Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records — though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. 
Many of the records were not fully complete.","Media","https://techcrunch.com/2018/10/11/fitmetrix-mindbody-data-exposed-password/","2018","0.000000","0.000000" "October 11, 2018","BioMarin Pharmaceutical Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/BioMarin%20-%20California%20Notification%20Letter%20-%20sample_0.pdf","2018","0.000000","0.000000" "October 10, 2018","Envision healthcare corporation","","","UNKN","UNKN","21,757","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 10, 2018","Shein","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Shein%20PressReleaseUS92118v1_0.pdf","2018","0.000000","0.000000" "October 9, 2018","Roadrunner Transportation Systems, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/RRTS%20-%20July%202018%20-%20Supplemental%20Notice%20of%20Data%20Event%20-%20CA%20-%20Exhibit%201_0.pdf","2018","0.000000","0.000000" "October 5, 2018","North American Risk Services, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/NARS%20-%20CA%20Exhibit%201_0.pdf","2018","0.000000","0.000000" "October 5, 2018","Gold Coast Health Plan","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/GCHP%20PHI%20Breach%20Notification%20Letter%2010.05.2018_0.pdf","2018","0.000000","0.000000" "October 5, 2018","California state university east bay","","","UNKN","UNKN","9,941","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 4, 2018","Kennedy High School","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/LTR%20to%20Parents%20re%20Data%20Security%20Breach%20100318%20ANW_0.pdf","2018","0.000000","0.000000" "October 2, 2018","Another Planet Entertainment","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/APE%20-%20Notice%20Letter%20CA%20AG_0.pdf","2018","0.000000","0.000000" "October 1, 2018","Rite Aid Corporation","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Rite%20Aid-Individual%20Notification%2010-18_0.pdf","2018","0.000000","0.000000" "September 25, 2018","Travis Credit Union","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Notice%20of%20breach%20-%20CA%20AG_0.pdf","2018","0.000000","0.000000" "September 22, 2018","Mark’s International Wines","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/ID%20Experts%20Breach%20Notification%20Letter%20FINAL_0.pdf","2018","0.000000","0.000000" "September 21, 2018","YRC Worldwide Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/California_4%20%28revised%29_1.pdf","2018","0.000000","0.000000" "September 20, 2018","Blood Systems, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. 
Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Blood%20Systems%2C%20Inc.%20Data%20Breach%20Donor%20Notice%20Letter_%20Mailed_0.pdf","2018","0.000000","0.000000" "September 19, 2018","Tech Rabbit LLC","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Tech%20Rabbit%20LLC%20Sample%20Notice%20of%20Security%20Incident_1.pdf","2017","0.000000","0.000000" "September 19, 2018","The Affiliated Group","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/TAG%20-%20Notice%20of%20Data%20Event%20-%20Exhibit%201%20-%20CA_0.pdf","2017","0.000000","0.000000" "September 18, 2018","ELS Language Services, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/ELS%20Language%20Services%2C%20Inc._0.PDF","2018","0.000000","0.000000" "September 11, 2018","Peaceful Valley Farm & Garden Supply","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Notification%20Letter_2.pdf","2018","0.000000","0.000000" "September 10, 2018","Surgerical Specialties of Arroyo Grande, LLC, dba Oak Park Surgery Center","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Notice%20of%20Data%20Breach%20-%20Oak%20Park%20Surgery%20Center_0.pdf","2018","0.000000","0.000000" "September 7, 2018","Mt. 
Diablo Unified School District","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/WAES%20breach%20notification%20letter_2018-08-29_07-57-07_0.pdf","2018","0.000000","0.000000" "September 4, 2018","Reddit, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Reddit%20breach%20notice%20%28email%29_0.pdf","2018","0.000000","0.000000" "August 29, 2018","Richard Owen Nursery, Inc. d/b/a Dutch Gardens USA","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Richard%20Owen%20Sample-%20All%20States_0.pdf","2017","0.000000","0.000000" "August 29, 2018","LÍLLÉbaby","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. 
Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Lillebaby%20--%20Notification%20--%20CA%20AG_0.pdf","2016","0.000000","0.000000" "August 22, 2018","Quality-Care Pharmacy","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Quality-Care%20-%20Sample_Redacted_0.pdf","2018","0.000000","0.000000" "August 20, 2018","Bank of the West","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/LS%200818-088%20GLBA%20Incident_0.pdf","2018","0.000000","0.000000" "August 17, 2018","Authentic Recovery Center, LLC","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Adult%20Notification%20Letters%20submitted%20with%20CA%20Online%20Data%20Security%20Breach_0.pdf","2018","0.000000","0.000000" "August 16, 2018","Gordon Schanzlin New Vision Institute","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/CA-%20Notice%20of%20Data%20Event%20Packet_2.pdf","2017","0.000000","0.000000" "August 16, 2018","Animoto Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/CA-%20Notice%20of%20Data%20Event_0.pdf","2018","0.000000","0.000000" "August 10, 2018","JPMorgan Chase Bank, N.A.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/2018_8_10_CCB_customer_notice_CA_0.pdf","2018","0.000000","0.000000" "August 9, 2018","Capital One","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. 
Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/CA%20AG%20Notice%20Remediation%20Letter%2041952117_0.pdf","2017","0.000000","0.000000" "August 6, 2018","TCM Bank, N.A. (“TCM Bank”)","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/TCM-%20CA%20Letter%20Template_0.pdf","2017","0.000000","0.000000" "August 2, 2018","American Express Travel Related Services Company, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Customer%20Notification%20C1807014816_1.pdf","2018","0.000000","0.000000" "October 10, 2018","Cigna","","Connecticut","HACK","MED","3,500","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 9, 2018","Minnesota Department of Human Services","","Minnesota","HACK","MED","20,800","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 8, 2018","Oklahoma Department of Human Services","","Oklahoma","HACK","MED","813","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 7, 2018","Dr. Robert Carpenter","","Texas","HACK","MED","3,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 7, 2018","Dr. 
Amy Woodruff","","Texas","HACK","MED","10,862","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 5, 2018","Northwest Surgical Specialists, P.C. ","","Washington","HACK","MED","2,050","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 5, 2018","Gold Coast Health Plan","","California","HACK","MED","37,005","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 5, 2018","National Ambulatory Hernia Institute","","California","HACK","MED","15,974","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 5, 2018","University Of Missouri Health","","Missouri","DISC","MED","706","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 3, 2018","Tillamook Chiropractic, PC","","Oregon","HACK","MED","4,058","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 2, 2018","New Mexico Retiree Health Care Authority","","New Mexico","DISC","MED","586","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 22, 2018","The Centers for Medicare and Medicaid Services - ","Baltimore","Maryland","HACK","GOV","75,000","According to the press release on their website, ""Earlier this week, CMS staff detected anomalous activity in the Federally Facilitated Exchanges, or FFE’s Direct Enrollment pathway for agents and brokers. The Direct Enrollment pathway, first launched in 2013, allows agents and brokers to assist consumers with applications for coverage in the FFE. At this time, we believe that approximately 75,000 individuals’ files were accessed. While this is a small fraction of consumer records present on the FFE, any breach of our system is unacceptable."" ","Media","https://www.cms.gov/newsroom/press-releases/cms-responding-suspicious-activity-agent-and-broker-exchanges-portal","2018","0.000000","0.000000" "October 23, 2018","The Children's Hospital of Philadelphia","","Pennsylvania","HACK","MED","5,368","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 22, 2018","Day Kimball Healthcare","","Connecticut","DISC","MED","698","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 17, 2018","Smith Dental Care","","Texas","HACK","MED","5,000","Location of breached information: Desktop Computer, Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 17, 2018","Yale University","","Connecticut","DISC","MED","1,102","Location of breached information: Paper/Films Business associate present: No ","US Department of 
Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 15, 2018","HealthFitness","","Illinois","DISC","MED","1,332","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 15, 2018","Employees Retirement System of Texas","","Texas","DISC","MED","1,248,260","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 12, 2018","FirstCare Health Plans","","Texas","DISC","MED","8,056","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 12, 2018","Catawba Valley Medical Center","","North Carolina","HACK","MED","20,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 11, 2018","West Sound Treatment Center","","Washington","PHYS","MED","2,300","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 11, 2018","Indiana University School of Medicine","","Indiana","PHYS","MED","1,431","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 11, 2018","The May Eye Care Center","","Pennsylvania","HACK","MED","30,000","Location of breached information: Desktop 
Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 10, 2018","Hormone Logics","","Florida","PHYS","MED","3,000","Location of breached information: Desktop Computer, Email, Laptop, Network Server, Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 5, 2018","Health First, Inc","","Florida","HACK","MED","42,000","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 30, 2018","Northbay healthcare corporation","","","UNKN","UNKN","1,567","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 26, 2018","Raley's/Bel Air Mart/Nob Hill General Store, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/HIPAA%20Breach%20Notification%20Letter_0.pdf","2018","0.000000","0.000000" "October 26, 2018","TengoInternet, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/CA-%20Notice%20of%20Data%20Event_1.pdf","2018","0.000000","0.000000" "October 25, 2018","Bankers Life (BL) - BL is the marketing brand of Bankers Life and Casualty Co., Medicare Supplement insurance policies sold by Colonial Penn Life Insurance Co. and select policies sold in NY by Bankers Conseco Life Insurance Company, a NY licensed ins. co","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/CNO%20CA1%20Notice%20%282%29%20%282%29_0.pdf","2018","0.000000","0.000000" "October 25, 2018","GS1 US, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Consumer%20Notification%20Letter_0.pdf","2017","0.000000","0.000000" "October 25, 2018","Girl Scouts of Orange County","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Troop%20Travel%20Breech%2010222018_0.pdf","2018","0.000000","0.000000" "October 25, 2018","STL International, Inc. d/b/a Teeter","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Sample%20Consumer%20Notification%20Letter_1.pdf","2018","0.000000","0.000000" "October 25, 2018","Net32, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Net32%20Sample%20Notice%20Letter_0.PDF","2018","0.000000","0.000000" "October 25, 2018","TravisMathew, LLC","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. 
Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/Travis%20Mathew.CreditCard.Notification.Letter.CA__0.pdf","2018","0.000000","0.000000" "October 24, 2018","ShopStyle Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/ShopStyle%20-%20CA%20Exhibits%20Packet%20FINAL_0.pdf","2018","0.000000","0.000000" "October 18, 2018","Renaissance Philanthropic Solutions Group (“RenPSG”)","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. 
Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/RenPSG-%20Notice%20of%20Data%20Event-CA%20Exhibit%201_0.pdf","2018","0.000000","0.000000" "October 12, 2018","California State University East Bay","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/California%20State%20University%20East%20Bay%20CA%20Notification%20Letter_0_1.pdf","2017","0.000000","0.000000" "October 12, 2018","City of Indio/Indio Water Authority","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. 
** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/City%20of%20Indio_CA%20Notification%20Letter_1.pdf","2017","0.000000","0.000000" "September 26, 2018","Chegg, Inc.","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 
If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/California%20-%20Notice%20Letter%20to%20Consumers_0.PDF","2018","0.000000","0.000000" "September 22, 2018","Mark’s International Wines","","","UNKN","UNKN","500","Information on this security breach is provided by the Office of the California Attorney General. ** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available, surrounding this breach. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation of notification to the Attorney General under California statute. Under Cal. Civ. Code 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. If you believe this number is inaccurate, please contact us at chronology@privacyrights.org ","California Attorney General","https://oag.ca.gov/system/files/ID%20Experts%20Breach%20Notification%20Letter%20FINAL_0.pdf","2018","0.000000","0.000000" "November 9, 2018","American Medical Response, Inc.","","Texas","HACK","MED","912","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 9, 2018","SUNY Upstate Medical University","","New York","DISC","MED","1,216","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 9, 2018","James R. 
Etzkorn, MD","","Missouri","HACK","MED","6,845","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 6, 2018","Veterans Health Administration","","District Of Columbia","DISC","MED","19,254","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 3, 2018","FHN Family Counseling Center","","Illinois","PHYS","MED","4,458","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 2, 2018","Rollins Brook Community Hospital","","Texas","PHYS","MED","5,019","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 2, 2018","Summit Medical Group","","New Jersey","PHYS","MED","525","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 2, 2018","Oprex Surgery (Baytown), L.P. 
d/b/a Altus Baytown Hospital","","Texas","HACK","MED","40,000","Location of breached information: Desktop Computer, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 2, 2018","Inova Health System","","Virginia","PHYS","MED","12,331","Location of breached information: Electronic Medical Record, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 1, 2018","Dallas County Mental Health Mental Retardation Center dba Metrocare Services","","Texas","HACK","MED","1,804","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 28, 2018","HealthFitness","","Illinois","DISC","MED","614","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 26, 2018","Raley's/Bel Air Mart/Nob Hill General Store, Inc.","","California","PHYS","MED","10,124","Location of breached information: Laptop Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 25, 2018","CNO Financial Group, Inc.","","Indiana","DISC","MED","566,217","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 22, 2018","CJ Elmwood Partners, L.P.","","Iowa","HACK","MED","22,416","Location of breached information: Network Server Business associate present: No ","US Department 
of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "October 22, 2018","Jones Eye Center, P.C.","","Iowa","HACK","MED","39,605","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 30, 2018","Marriott International ","","Maryland","HACK","BSR","327,000,000","Marriott International disclosed a massive security breach of the reservations system for its Starwood Hotels and Resorts brand, a hack it said Friday may have compromised private info on up to 500 million guests. According to Marriott, for around 327 million Starwood guests, the database included such personal information as name, mailing address, phone number, email address, passport number, date of birth, and gender. For some Starwood customers, the hacked database also stored payment card numbers and expiration dates, although Marriott said that information was encrypted.","Media","https://answers.kroll.com/","2018","0.000000","0.000000" "November 27, 2018","Health equity inc","","","UNKN","UNKN","189,957","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 23, 2018","Independence community college","","","UNKN","UNKN","4,839","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 21, 2018","Lundberg family farms","","","UNKN","UNKN","201","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 20, 2018","R r bowker 
llc","","","UNKN","UNKN","18,578","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 19, 2018","Francescas services corporation","","","UNKN","UNKN","84,275","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "November 17, 2018","LPL Financial llc","","","UNKN","UNKN","270,000","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 16, 2018","Jo ann jody hendryx","","","UNKN","UNKN","67","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 16, 2018","Pentegra services inc","","","UNKN","UNKN","301","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "November 16, 2018","Smithand nephew","","","UNKN","UNKN","22","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 15, 2018","Newegg inc","","","UNKN","UNKN","202,231","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 14, 2018","Hatscom","","","UNKN","UNKN","1,268","Information on this security breach is provided by the Office of the Indiana Attorney General 
","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 14, 2018","Jones lang la salle","","","UNKN","UNKN","106","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 14, 2018","S a b i c innovative plastics","","","UNKN","UNKN","106","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 13, 2018","1800 contacts inc","","","UNKN","UNKN","150","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 13, 2018","Pharmacy times officeof continuing professional education llc","","","UNKN","UNKN","128,211","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 13, 2018","Stein mart inc","","","UNKN","UNKN","108,322","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "November 12, 2018","Entrust energy","","","UNKN","UNKN","4,782","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 12, 2018","Jennifer miller l t d","","","UNKN","UNKN","1,050","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 12, 2018","Rainforest alliance holding inc","","","UNKN","UNKN","24","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 12, 2018","The cityof bakersfield","","","UNKN","UNKN","2,180","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 9, 2018","Franciscan physician network","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 9, 2018","Franciscan physician networkdba coolspring health center","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 9, 2018","H s b c bank u s a n a","","","UNKN","UNKN","6,733","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 9, 2018","Our pieceofthe pie","","","UNKN","UNKN","1,836","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 8, 2018","Health authorityforthe cityof huntsville","","","UNKN","UNKN","18,156","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 8, 2018","Indiana bureauof motor vehicles","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 7, 2018","Julep beauty inc","","","UNKN","UNKN","1,150","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 7, 2018","Unified trust company n a","","","UNKN","UNKN","43,000","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "November 5, 2018","Nordstrom inc","","","UNKN","UNKN","107,106","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 5, 2018","Principal life insurance company- security breach","","","UNKN","UNKN","1,077","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 5, 2018","Sirchie acquisition company","","","UNKN","UNKN","95","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","El paso los angeles limousine express inc","","","UNKN","UNKN","68,647","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2016","0.000000","0.000000" "November 2, 2018","Five guys holdings inc","","","UNKN","UNKN","19,191","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","Franciscan physician netowrkdba lowell health center","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","Hall structured finance","","","UNKN","UNKN","122","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","Hemenwayand barnes","","","UNKN","UNKN","2,116","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","Impact assets inc","","","UNKN","UNKN","1,216","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 2, 2018","Transamerica retirement solutions llc","","","UNKN","UNKN","10,636","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 1, 2018","Community hospital south","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 1, 2018","Mutualof omaha bank","","","UNKN","UNKN","47","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "November 1, 2018","O x o","","","UNKN","UNKN","3,242","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 31, 2018","Whole foods market group inc","","","UNKN","UNKN","644","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 30, 2018","Reid health","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 30, 2018","Residential care x i i i llcdba aster place","","","UNKN","UNKN","73","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 26, 2018","International societyof explosives engineers","","","UNKN","UNKN","133","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 26, 2018","Lyric operaof chicago","","","UNKN","UNKN","302","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 26, 
2018","Star title partnersof palm harbor llc","","","UNKN","UNKN","2,059","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 25, 2018","Bankers life","","","UNKN","UNKN","799,563","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","Cendera funding inc","","","UNKN","UNKN","5,328","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","Ceres partners llc","","","UNKN","UNKN","8","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","Forethought life insurance company","","","UNKN","UNKN","16","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","G s1 u s inc","","","UNKN","UNKN","78,907","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","0.000000","0.000000" "October 25, 2018","Heartland hotel corporation","","","UNKN","UNKN","2,011","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","Net32 inc","","","UNKN","UNKN","10,000","Information on this security breach is 
provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 25, 2018","Travis mathew, llc","","","UNKN","UNKN","5,754","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 24, 2018","Exam one","","","UNKN","UNKN","2","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 24, 2018","Indiana university","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 24, 2018","Uber technologies inc","","","UNKN","UNKN","197","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 23, 2018","Trans union llc","","","UNKN","UNKN","7,492","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","37.090240","-95.712891" "October 22, 2018","Byram healthcare","","","UNKN","UNKN","52","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2016","37.090240","-95.712891" "October 22, 2018","Challenger sports inc","","","UNKN","UNKN","11,123","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 22, 2018","S t l international incdba teeter","","","UNKN","UNKN","12,561","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 19, 2018","Scrapbook.com llc","","","UNKN","UNKN","728","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 18, 2018","Adelman travel systems inc","","","UNKN","UNKN","48","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 18, 2018","L j cooper capital management llcdba l j cooper wealth advisors","","","UNKN","UNKN","1,202","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 18, 2018","Quad assoc llc","","","UNKN","UNKN","3,855","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 18, 2018","Renaissance philanthropic solutions group","","","UNKN","UNKN","33,663","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 17, 2018","Tallahassee memorial healthcare inc","","","UNKN","UNKN","5,988","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 16, 2018","Chicago property managementand investments","","","UNKN","UNKN","79","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","37.090240","-95.712891" "October 15, 2018","C r i s f","","","UNKN","UNKN","118","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","0.000000","0.000000" "October 12, 2018","Buehlers fresh foods llc","","","UNKN","UNKN","2,040","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2016","37.090240","-95.712891" "October 12, 2018","Illinois auto electric co","","","UNKN","UNKN","177","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 12, 2018","Indianapolis neighborhood housing partnership","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 12, 2018","Liquidity services","","","UNKN","UNKN","3,000","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 11, 2018","Prudential insurance companyof america","","","UNKN","UNKN","1,637","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 10, 2018","The northwestern mutual life insurance company","","","UNKN","UNKN","2,604","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 9, 2018","Givaudan flavors corporationand givaudan fragrances corporation","","","UNKN","UNKN","4,200","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 9, 2018","Goody tickets","","","UNKN","UNKN","259","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 9, 2018","Indiana university","","","UNKN","UNKN","22","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 8, 2018","Land o lakes inc","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 8, 2018","Massachusetts mutual life insurance company","","","UNKN","UNKN","2","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 8, 2018","Trans union llc","","","UNKN","UNKN","242","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2017","37.090240","-95.712891" "October 5, 2018","Five below inc","","","UNKN","UNKN","3,234","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 5, 2018","Florida farm bureau casualty insurance company","","","UNKN","UNKN","4,000","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 5, 2018","Logansport memorial hospital","","","UNKN","UNKN","1","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 5, 2018","Northwest surgical specialists p cdba rebound orthopedics neurosurgery","","","UNKN","UNKN","2,245","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 4, 2018","Leaf filter north llc","","","UNKN","UNKN","2,310","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 4, 2018","Professional publications inc","","","UNKN","UNKN","1,162","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2017","37.090240","-95.712891" "October 3, 2018","Shoe station inc","","","UNKN","UNKN","216","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney 
General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 2, 2018","New penn financial llcdba shellpoint mortgage servicing","","","UNKN","UNKN","157","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 1, 2018","Data intensity","","","UNKN","UNKN","266","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 1, 2018","FSSA on behalf of Phoenix Data Corporation","","","UNKN","UNKN","2","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 1, 2018","Snider fleet solutions","","","UNKN","UNKN","2,566","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "October 1, 2018","Toyota industries north america inc","","","UNKN","UNKN","19,320","Information on this security breach is provided by the Office of the Indiana Attorney General ","Indiana Attorney General","https://www.in.gov/attorneygeneral/2874.htm","2018","37.090240","-95.712891" "November 30, 2018","CHI Health Care, Inc.","","Maryland","DISC","MED","722","Location of breached information: Other Portable Electronic Device, Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","39.045755","-76.641271" "November 30, 2018","Mind and Motion, LLC","","Georgia","HACK","MED","16,000","Location of breached information: Network Server Business associate present: No ","US 
Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","32.165622","-82.900075" "November 30, 2018","CCRM Dallas-Fort Worth","","Texas","HACK","MED","1,117","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","31.968599","-99.901813" "November 30, 2018","Thielen Student Health Center","","Iowa","DISC","MED","599","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","41.878003","-93.097702" "November 30, 2018","Prairie Fields Family Medicine, PC","","Nebraska","DISC","MED","6,450","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","41.492537","-99.901813" "November 28, 2018","OrthoTexas Physicians and Surgeons, PLLC","","Texas","DISC","MED","2,172","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","31.968599","-99.901813" "November 28, 2018","Steward Medical Group","","Massachusetts","HACK","MED","16,276","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","42.407211","-71.382437" "November 27, 2018"," AccuDoc Solutions, Inc.","","North Carolina","HACK","MED","2,652,540","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","35.759573","-79.019300" "November 26, 2018","Cancer Treatment Centers of America (CTCA) at 
Western Regional Medical Center","","Arizona","HACK","MED","41,948","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","34.048928","-111.093731" "November 26, 2018","Baylor Scott & White Medical Center - Frisco","","Texas","HACK","MED","47,984","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","31.968599","-99.901813" "November 26, 2018","Mercy Medical Center- North Iowa","","Iowa","DISC","MED","1,971","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","41.878003","-93.097702" "November 21, 2018","Tandigm Health","","Pennsylvania","HACK","MED","7,376","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","41.203322","-77.194525" "November 20, 2018","East End Disability Associates, Inc.","","New York","HACK","MED","896","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","40.712775","-74.005973" "November 19, 2018","Inova Health System","","Virginia","HACK","MED","857","Location of breached information: Electronic Medical Record Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.431573","-78.656894" "November 19, 2018","James R. 
Etzkorn, MD","","Missouri","DISC","MED","6,845","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.964253","-91.831833" "November 17, 2018","HealthEquity, Inc.","","Utah","HACK","MED","165,800","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","39.320980","-111.093731" "November 16, 2018","Texas VSI, LLC","","Texas","HACK","MED","500","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","31.968599","-99.901813" "November 16, 2018","New York Oncology Hematology, P.C.","","New York","HACK","MED","128,400","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","40.712775","-74.005973" "November 16, 2018","Center for Vitreo-Retinal Diseases","","Illinois","DISC","MED","20,371","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","40.633125","-89.398528" "November 16, 2018","Georgia Spine & Orthopaedics of Atlanta, LLC","","Georgia","HACK","MED","7,012","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","32.165622","-82.900075" "November 13, 2018","San Mateo Medical Center","","California","DISC","MED","5,000","Location of breached information: Other Business associate present: No ","US Department of Health and Human 
Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","36.778261","-119.417932" "November 9, 2018","Arthritis & Osteoporosis Consultants of the Carolinas","","North Carolina","PHYS","MED","3,930","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","35.759573","-79.019300" "November 7, 2018","Utah Healing Center","","Utah","DISC","MED","543","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","39.320980","-111.093731" "November 6, 2018","Southwest Washington Regional Surgery Center, LLC","","Washington","HACK","MED","2,393","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","47.751074","-120.740139" "October 24, 2018","Missouri Department of Mental Health","","Missouri","DISC","MED","9,000","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.964253","-91.831833" "October 11, 2018","Blue Cross and Blue Shield of North Carolina (Blue Cross NC)","","North Carolina","DISC","MED","631","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","35.759573","-79.019300" "December 21, 2018","San Diego Unified School District","San Diego","California","HACK","EDU","500,000","As reported at the Los Angeles Times, ""The personal information of San Diego Unified students, former students and employees may have been compromised in a data breach that officials believe happened in January, the school 
district said Friday. The breach could affect as many as 500,000 students who attended San Diego Unified schools as far back as the 2008-09 school year, officials said. The breach may have included information about students and staff such as addresses and dates of birth, discipline, health, scheduling and grade information, according to an email sent to school families on Friday. Social Security numbers were also affected. About 50 staff members’ accounts are known to have been compromised and have been reset, according to the district. “The San Diego Unified School District has taken the steps necessary to eliminate the threat to your personal data and implement improvements to prevent such unauthorized access from happening again,” the district said in the email.""","Media","https://www.latimes.com/local/lanow/la-me-ln-san-diego-unified-data-breach-20181221-story.html","2018","32.715738","-117.161084" "December 31, 2018","Humana Inc ","","Kentucky","PHYS","MED","684","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 29, 2018","Choice Rehabilitation","","Missouri","HACK","MED","4,309","Location of breached information: Email, Laptop Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 27, 2018","WEA Insurance Corporation","","Wisconsin","HACK","MED","850","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 21, 2018","SEIU Local 32BJ, District 36 Building Operators Welfare Trust Fund","","Pennsylvania","DISC","MED","911","Location of breached information: Email Business associate present: Yes ","US Department of 
Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 21, 2018","Kent County Community Mental Health Authority","","Michigan","HACK","MED","2,284","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 21, 2018","DePaul University","","Illinois","DISC","MED","656","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 20, 2018","JAND Inc. d/b/a Warby Parker ","","New York","HACK","MED","177,890","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 20, 2018","The Podiatric Offices of Bobby Yee","","California","HACK","MED","24,000","Location of breached information: Desktop Computer, Laptop, Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 20, 2018","Dermatologists of Southwest Ohio","","Ohio","PHYS","MED","733","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 19, 2018","Virtual Radiologic Professionals, LLC","","Minnesota","HACK","MED","2,568","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 18, 2018","Tift 
Regional Medical Center","","Georgia","HACK","MED","1,045","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 18, 2018","Barnes-Jewish Hospital","","Missouri","HACK","MED","1,643","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 17, 2018","University of Vermont Health Network - Elizabethtown Community Hospital","","New York","HACK","MED","32,470","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 17, 2018","Fort Defiance Indian Hospital","","Arizona","HACK","MED","1,000","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","37.090240","-95.712891" "December 28, 2018","Wolverine Solutions Group","","Michigan","HACK","MED","48,471","Location of breached information: Desktop Computer, Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 16, 2018","Ben-Ora, Hansen & Vanesian Imaging, Ltd d/b/a Solis Mammography","","Arizona","PHYS","MED","500","Location of breached information: Desktop Computer Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 14, 2018","Massachusetts General Hospital","","Massachusetts","DISC","MED","588","Location of breached information: Paper/Films 
Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 13, 2018","Contra Costa Health Plan","","California","DISC","MED","862","Location of breached information: Electronic Medical Record, Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 13, 2018","Smile Designs by Sandwick ","","Minnesota","HACK","MED","900","Location of breached information: Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 11, 2018","Adams County","","Wisconsin","DISC","MED","258,120","Location of breached information: Network Server, Other Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 11, 2018","Ramsey County","","Minnesota","HACK","MED","599","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 8, 2018","Leon A Cohen MM.,PA","","Florida","PHYS","MED","2,122","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "December 4, 2018","Butler County Board of County Commissioners","","Ohio","DISC","MED","1,912","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 30, 2018","Georgia Department of Human 
Services","","Georgia","DISC","MED","435,339","Location of breached information: Network Server, Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "November 19, 2018","Episcopal Health Services","","New York","HACK","MED","218,055","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 28, 2018","Reichert Prosthetics & Orthotics, LLC","","Wisconsin","PHYS","MED","3,380","Location of breached information: Other Portable Electronic Device Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 28, 2018","Toyota Industries North America, Inc. as plan sponsor to the Toyota Industries North America, Inc. 
Welfare Benefit Plan","","Indiana","HACK","MED","19,320","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 28, 2018","University of Michigan/Michigan Medicine","","Michigan","DISC","MED","3,624","Location of breached information: Paper/Films Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 25, 2018","J&J MEDICAL SERVICE NETWORK INC","","Texas","HACK","MED","2,500","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 25, 2018","Ransom Memorial Hospital ","","Kansas","HACK","MED","14,329","Location of breached information: Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 18, 2018","The University of Texas Health Science Center at Houston","","Texas","PHYS","MED","500","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 12, 2018","Total Diagnostix II, LLC","","Texas","DISC","MED","855","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 5, 2018","J.A. 
Stokes Ltd.","","Nevada","HACK","MED","3,200","Location of breached information: Desktop Computer, Electronic Medical Record, Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "September 4, 2018","Nebraska Department of Health and Human Services","","Nebraska","DISC","MED","516","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 31, 2018","David G. Simon, DMD, PA, d/b/a Simon Orthodontics","","Florida","HACK","MED","15,129","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 30, 2018","Family Tree Relief Nursery","","Oregon","HACK","MED","2,000","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 28, 2018","Crossroads Behavioral Health","","Iowa","PHYS","MED","5,000","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 22, 2018","Health Management Concepts, Inc.","","Florida","HACK","MED","502,416","Location of breached information: Network Server Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 6, 2018","CoreLink Administrative Solutions, LLC","","North Dakota","HACK","MED","1,813","Location of breached information: Email Business associate present: Yes 
","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 3, 2018","Central Colorado Dermatology, PC","","Colorado","HACK","MED","4,065","Location of breached information: Network Server Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 3, 2018","CoreSource, Inc.","","Illinois","DISC","MED","769","Location of breached information: Other Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 1, 2018","Lane County Health & Human Services","","Oregon","PHYS","MED","715","Location of breached information: Paper/Films Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "July 30, 2018","Iowa Health System d/b/a UnityPoint Health ","","Iowa","HACK","MED","1,421,110","Location of breached information: Email Business associate present: Yes ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "June 28, 2018","State of Alaska Department of Health and Social Services","","Alaska","HACK","MED","501","Location of breached information: Desktop Computer, Email Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "February 26, 2018","QuadMed, LLC (Hillenbrand)","","Wisconsin","DISC","MED","2,471","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "February 26, 2018","QuadMed, LLC (Stoughton 
Trailers)","","Wisconsin","DISC","MED","2,834","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "January 29, 2018","QuadMed, LLC (Whirlpool)","","Wisconsin","DISC","MED","4,549","Location of breached information: Electronic Medical Record Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2018","0.000000","0.000000" "August 16, 2017","Centura Health, Mercy Family Medicine","","Colorado","PHYS","MED","2,069","Location of breached information: Other Portable Electronic Device Business associate present: No ","US Department of Health and Human Services","https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf","2017","0.000000","0.000000"