Hackers may have accessed the personal health data belonging to patients of Denver area-based Metro Community Provider Network, a nonprofit health care provider for low-income individuals and families.

How many victims? Approximately 2,000.

What type of personal information? Names, phone numbers, dates of birth, diagnoses and internal account numbers.

What happened? An employee responded to a phishing email that allowed hackers to steal credentials, giving them access to the corporate network.

What was the response? As the organization investigates, employees are being asked to change their login information.

Quote: "Metro Community Provider Network sincerely apologizes for the inconvenience and concern this incident causes," it said in a statement.

How many customers? 1,219.

What type of personal information? Age, gender, diagnosis and treatment data, from 2005 to 2011.

What happened? On Nov. 24, vandals broke into a car belonging to a pathologist from the University of Miami Miller School of Medicine. A briefcase, which held a USB drive containing the patient data, was taken.

Details: Officials, in a statement, said no financial information or Social Security numbers were stored on the stolen drive. The statement also said that “there is no indication that the information was accessed or misused in any way.” However, the facility is following federal requirements to notify patients involved, and the theft was reported to local law enforcement for investigation, as well as to the U.S. Department of Health and Human Services.

Quote: “The university will continue to review and refine its physical and electronic safeguards to ensure that personal information remains secure.” – UM letter

Source: MiamiHerald.com, Jan. 30, 2012, "UM patient data stolen."

Malware may have allowed attackers to make off with the personal information of thousands of people connected to Indiana University Health Goshen Hospital.

How many victims? 12,374 job applicants and fewer than 500 patients.

What type of personal information? Names, addresses, and Social Security numbers of applicants, and Social Security numbers, insurance data and medical service information belonging to people who registered for  outpatient procedures and for the maternity unit.

What happened? On Dec. 22, a virus was discovered on a server. A security firm determined that hackers indeed did try to access the information, but it is unclear if they were successful.

What was the response? Letters were sent to victims, and the hospital plans to provide one year of free credit monitoring to them.

Source: chicagotribune.com, Associated Press, "N. Ind. hospital: Records may have been breached," Jan. 31, 2012. southbendtribune.com, "IU Health Goshen data hit by virus," Feb. 1, 2012.

How many customers? Lexington Clinic is sending letters to 1,018 patients.

What type of personal information? The computer stored patient names, contact information and diagnoses for some Lexington Clinic patients receiving services within the neurology department.

What happened? A laptop containing personally identifiable information of patients of Lexington Clinic was stolen overnight on Dec. 7, 2011. 

Details: Lexington Clinic, which operates offices in more than 25 locations throughout Central and Eastern Kentucky, said the stolen laptop did not contain the personal financial information of patients, such as Social Security, credit card or bank account numbers. Upon learning of the theft, the facility notified law enforcement authorities, and all door locks to the neurology department were changed. Additionally, the clinic publicly disclosed the breach to local media, and posted information about the breach on its website.

Quote: “There is no evidence thus far that any patient information has been misused..."

Source: Lexington Clinic release, Jan. 30, 2012, Lexington Clinic Notifying Patients of Information Security Breach

Unauthorized individuals gained access to the personal data belonging to customers of New York State Electric & Gas (NYSEG) and Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA. But an outside contractor is to blame.

How many customers? The companies did not disclose how many people were affected, but reports said the two utilities have about 1.8 million customers between them.

What type of personal information? Social Security numbers, birth dates and, in some cases, bank account numbers.

What happened? For unknown reasons, an employee at a third-party software development consulting firm permitted unauthorized access to one of the company's customer information systems.

Details: There is thus no far no reason to believe that any of the information has been misused or that there was malicious intent on behalf of the employee.

Quote: “Public utilities are custodians of a great deal of personal customer information,” New York State Public Service Commission Chairman Garry Brown said. “As a result of this apparent data security breach, I have asked staff of the Department of Public Service to immediately initiate an investigation of the facts and circumstances surrounding this event.”

Source: NYSEG news release, Jan. 23, 2012. thedailynewsonline.com, The Daily News, RG&E, "NYSEG say customer information compromised," Jan. 23, 2012.

How many victims? Perhaps tens of thousands.

What type of personal information? Personal banking information.

What happened? Following the Thanksgiving holiday, the college's data security monitoring service, USDN, detected at least seven viruses activated each day at 10 p.m. that trawled the college's system (including its administrative, instructional and wireless networks), relaying data back to servers in Russia, China and several other countries.

What was the response? Victims, according to state law, must be notified. The college's CTO, David Hotchkiss, shut down the computer lab where the virus was originally detected and notified officials. An investigation is ongoing.

Source: www.sfgate.com, San Francisco Chronicle, "Viruses stole City College of S.F. data for years," Jan. 13, 2012

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.

How many victims? 1,336.

What type of personal information? Birth dates, addresses, medical record numbers, driver's license numbers and, in some cases, Social Security numbers.

What happened? It is unclear how the worker accessed the data or whether it was used for fraud (or intended to be), but the records have since been secured.

What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.

Source: www.pe.com, The Press-Enterprise, "Loma Linda: Security breach affects 1,300-plus patients," Dec. 28, 2011.

How many victims? More than 200,000, according to reports. 

What type of personal information? Names, credit and debit card numbers, expiration dates and verification codes.

What happened? The thieves inserted malware into the company's credit and debit card processing systems, according to a Finextra report. The malware collected card information as it was processed and then sent it to a remote server in Russia.

Details: The breach affected those who shopped at Restaurant Depot wholesale outlets from Sept. 21 to Nov. 18. Some customers have been the victims of credit card fraud as a result of the breach.

What was the response?  The company hired a computer forensic firm to investigate the incident and has taken unspecified steps to better protect card data. Restaurant Depot is offering affected individuals free credit monitoring and said it would reimburse victims for any breach-related costs they “reasonably incur.”

Hackers compromised cash registers at campus dining locations at the University of California, Riverside to hijack credit and debit card numbers.

How many victims? 5,000.

What types of personal information? Cardholder names, card numbers, expiration dates and encrypted versions of debit card PINs.

What happened? It is not clear how the hackers were able to compromise the registers.

What was the response? People who used their credit or debit cards at UC Riverside Dining Services locations from this past summer through Nov. 16 are being advised to monitor their credit card activity and report any fraud. The college has set up an information hot line.

Quote: "We are doing everything we can think of to notify people." Vice Chancellor Gretchen Bolar said.

Source: UCR Newsroom press release, "UC Riverside experiences a credit/debit card security breach," Nov. 29, 2011.

How many victims? 176,567.

What type of personal information? Names or electronic identification, Social Security numbers and, in some cases, dates of birth and home addresses. Affected individuals include current and former VCU and VCU Health System faculty, staff, students and affiliates, such as contractors and visiting professors. VCU Health System patients were not affected.

What happened? During routine monitoring, suspicious files were found Oct. 24 on a server containing sensitive data. The affected server was taken offline, and a forensic examination showed that intruders accessed the system from an IP address within the United States and stayed connected for 16 minutes.

Five days later, university officials found two unauthorized programs on a second server. Investigators determined that the attackers planted malicious programs on the first breached server, which enabled them to perform subsequent attacks and access other systems.

Details: School officials do not believe the attackers accessed the information for the purpose of conducting identity theft, though they did not say what they believe the hackers' motivation was. This is not the first breach VCU has experienced. In 2009, a university computer containing 17,214 Social Security numbers was stolen.

What was the response? The university is planning to hire an outside consultant to examine its information technology systems. Affected individuals are being notified. VCU police and the FBI are investigating the incident. The university is not providing affected individuals with free identity protection services because it deems the risk of identity theft low.

Source: http://www2.timesdispatch.com/, Richmond Times-Dispatch, “Breach exposes data at VCU,” Nov. 12, 2011.

How many victims? More than nine million.

What type of personal information? Identification numbers, full names, addresses, dates of birth, information on family relationships, and other details.

What happened? According to authorities, in 2006, an Israeli government contractor made a copy of the data, which came from the country's "Population Registry," and took it home from work.

Details: The stolen information was then sold or provided for free to several individuals, including a developer who created a software program called “Agron 2006,” which allowed for detailed queries of the data. This searchable database was then uploaded to the internet by an individual with the alias “aRi,” who attempted to conceal his IP address.

Quote: The uploading of the database “will make it easier to carry out forgery and fraud, and provide the necessary information to carry out identity theft," Israel's Justice Ministry said in a statement. "It helps create fraudulent documents that appear authentic, therefore allowing people to bypass security systems. It could also have an effect on the democratic processes in elections, in that it makes it easier for someone to impersonate someone else in the voting booth."

What was the response? The Israeli Law, Information and Technology Authority has been investigating the case since 2009. Six people have been arrested in connection to the data leak, including the government contractor and “aRi.”

Sources: www.jpost.com, The Jerusalem Post, “Contract worker stole all Israelis' personal information,” Oct. 24, 2011.

www.jpost.com, The Jerusalem Post, “Justice Ministry cracks case of massive information theft,” Oct. 25, 2011.

How many victims? 1.6 million

What type of personal information? Names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers, and data on insurance and medical treatments.

What happened? The tapes, which were stored in a locked cabinet following a computer systems conversion completed in 2004, were reported missing on Sept. 8. It is believed they were removed around Aug. 10, during a facility remodeling project.

Details: The breach affects patients and their guarantors, vendors and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida and who provided information between 1994 and 2004. 

Quote: “This is an isolated incident unrelated to patient care and safety,” said David Bailey, president and chief executive officer of Nemours. “The privacy of our patients, their families and our employees and business partners is a high priority to all of us at Nemours.”

What was the response? Affected individuals are being notified and offered one year of free credit monitoring and identity theft protection. In addition, the company is taking steps to strengthen its data security practices, such as encrypting all computer backup tapes.

Source: http://www.nemours.org/, Nemours, “Nemours Reports Old Computer Backup Tapes Missing,” Oct. 7, 2011.

How many victims? 18,931 staff and faculty members.

What type of personal information? Names, Social Security numbers, dates of birth, dates of employment, gender, race, home phone numbers and home addresses.

What happened? The data file, which had been created for legitimate administrative purposes, was placed on a publicly available web server, where it remained from at least 2008 until 2011. School officials have since removed the file.

Quote: “We deeply regret this situation and will take steps to notify and support the affected current and former faculty and staff,” said Timothy Chester, UGA's chief information officer.

What was the response? Affected individuals are being notified by mail. The university is working with an outside firm to find ways to reduce the risk of another breach.

This is not the first time UGA has suffered a breach, however. Back in 2008, the school revealed that the personal information of 4,000 residents of a housing complex had been exposed after hackers accessed a server.

Source: http://athens.patch.com, Athens Patch, “Oops! 'Private' UGA Data Went Public,” Oct. 7, 2011.

How many victims? 40,000.

What type of personal information? Credit and debit card information.

What happened? An unauthorized individual broke into the company's point-of-sale systems used to process credit and debit card transactions at resorts in Tennessee and Wisconsin.

Details: The affected resorts are Wilderness Waterpark Resort in Wisconsin Dells and the Smokies Resort in Sevierville, Tenn.

What was the response?  The company shut down the affected systems after discovering the breach. It is issuing warnings to customers who used a credit or debit card at either arcade between Dec. 12, 2008 and May 25, 2011.

Source: Associated Press via NBC26, “Data Breach-Vacationland Vendors,” Sept. 12, 2011.

How many victims? 5,800.

What type of personal information? PHI for patients dating back to 2004, including names, addresses, diagnosis data, test results and prescribed drugs.

What happened? The breach was initially discovered during a privacy audit. Upon further investigation, it was determined that an unnamed employee inappropriately accessed information.

Details: Hospital officials believe the data was not shared with any other staff members or individuals outside of the hospital.

What was the response? Affected individuals were notified by letter. In light of the incident, the hospital has taken measures to improve protections for PHI and to provide additional education to employees regarding data security and privacy.

Additionally, the hospital implemented more rigorous audits to detect attempts of unauthorized access to health care data. The Ontario College of Nurses and Information and Privacy Commission of Ontario have been informed of the breach.

Source: North Bay Regional Health Centre in Ontario, news release, “Breach of Privacy Occurs at North Bay Regional Health Centre Affecting 5,800 Patients,” Sept. 6, 2011.

How many victims? 20,000

What type of personal information? Names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, (Did not include Social Security numbers, birth dates or credit card accounts).

What happened?  A spreadsheet containing data for patients seen at Stanford Hospital's emergency room during a six-month period in 2009 was posted to a website, called “Student of Fortune,” which assists students with their school assignments. The hospital said that in September 2010, one of its vendors, a billing contractor Multi-Specialty Collection Services, posted an attachment containing the database in response to a question about converting the patient data into a bar graph.

Details: Following disclosure of the breach, the hospital canceled its contract with the provider and received a signed promise that files would be destroyed or returned.

What was the response? The hospital has made free identity protection services available to affected patients.

Source: New York Times, Sept. 8, 2011

How many victims? 91,763.

What type of personal information? Names and Social Security numbers.

What happened? The issue involved a sensitive database maintained by affiliates The Lincoln National Life Insurance Co. and Lincoln Life & Annuity Co. of New York.  

Due to a programming weakness affecting the database search function, administrators were able to view information about individuals not part their plan. Consequently, if an administrator searched a participant's first or last name, the results would have included all plan participants with the same name, and displayed their Social Security numbers. The company was notified of the flaw July 18 by a plan administrator.

Details: The programming error existed in the database search function since 2009. There is no evidence to believe that information in the database was misused.

What was the response? Upon learning of the error, the company disabled the database search function. Once the issue was investigated, participants' Social Security numbers were truncated. The search feature has not yet been restored, as the company is still working on an appropriate solution. Affected individuals are being notified and offered free credit monitoring services.

Meanwhile, this is not the first data breach Lincoln has experienced in recent months. In July, the company said an email error exposed the names and Social Security numbers of 705 people.

Source: Letter to New Hampshire Attorney General Michael Delaney, August 15, 2011.

A Google search could have yielded the personal information of tens of thousands of people connected to Yale University in New Haven, Conn.

How many victims? 43,000 students, faculty, staff and alumni affiliated with the university in 1999.

What type of personal information? Names and Social Security numbers.

What happened? A file contained on a server was publicly searchable via Google for 10 months.

Details: The data was stored on a file-transfer protocol (FTP) server, which became searchable last September when Google began indexing FTP servers. Most of the information belonged to people who worked at Yale in 1999. It is unclear how many times the file was accessed, but school officials said it contained an "inconspicuous" name.

What was the response? The university created a center to handle questions from affected individuals, and is offering them two years of free credit monitoring and identity theft services.

Quote: "We immediately blocked that server from the internet, removed the file and did a complete scan of the server to make sure there were no additional at-risk files," IT Services Director Len Peters said.

Source: yaledailynews.com, Yale Daily News, "Yale affiliates' SSNs were searchable on Google," Aug. 17, 2011.

A computer server containing the personal information of thousands of former Purdue University students was accessed by hackers.

How many victims? 7,093.

What type of personal information? Social Security numbers.

What happened? Hackers on April 5, 2010 broke into a university server containing course records from 2000 through the summer session of 2005. 

Details: School officials said there is no evidence that the sensitive information was accessed. Instead, they believe the hackers aimed to use the infected computer system to attack other servers.

Quote: “Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system, but felt informing people who may have been affected was a necessary precaution," Laszlo Lempert, head of the Department of Mathematics, said in a statement. "We regret the breach occurred, and we've taken extensive measures to prevent this from happening again."

What was the response?  The school on Monday mailed notification letters to affected individuals. Though the breach occurred over a year ago, it took school officials until June to sort through the information on the server and identify the extent of the breach. The Indiana Attorney General's office has been notified.

Source: jconline.com, Journal and Courier, “Purdue warns ex-students of data breach,” Aug. 17, 2011.

How many victims? 75,000.

What type of personal information? Names and Social Security numbers.

What happened? The school's technology staff on May 25 discovered malware on a server that housed a software system used by several departments to manage sensitive data. The affected system included a database of confidential information that would have been accessible to attackers.

Details: School officials, however, do not believe the attackers got away with any sensitive data. In addition, no financial information was affected.

Quote: “We are a research institution with a significant number of projects under way,” said Tom Luljak, UWM's vice chancellor for university relations. “It is theorized that this may have been an attempt to look at work being done."

What was the response? After discovering the malware, the university promptly shut down the affected server and cleaned the infection before restarting it. Local and federal authorities were notified. The college alerted victims, and set up a website and helpline to provide information. In addition, the university has updated security on its systems to better protect against attacks.

Sources: 4.uwm.edu, University of Wisconsin- Milwaukee, “Information on Computer Security Incident at UW-Milwaukee,” Aug. 10, 2011.

JsOnline.com, Milwaukee Journal Sentinel, “UWM computers hacked; data on 75,000 exposed,” Aug. 10, 2011.

How many victims? 20,000.

What type of personal information? Social Security numbers.

What happened? A hospital employee working at home in April made accidental changes to his home network that  could have allowed others to access information on his computer through an internet search. The sensitive data was exposed for nine weeks before being discovered by an unknown person.

Hospital policy prohibits employees from keeping personal information on home computers.

Details: Affected individuals worked for the hospital in 1994, 1995, 2002, 2003, 2004 and 2006. Some are still employed there.

There is no evidence that the exposed data has been used to perpetrate any fraud.

What was the response?  The hospital is providing victims with a free subscription for identity protection services. In addition, it is working to improve its security and user awareness training.

Source: seattletimes.nwsource.com, The Seattle Times, “20,000 Swedish employees personal data breached,” July 20, 2011.

How many potential victims? Nearly 12,000.

What type of personal information? Names, birth dates, genders, health card numbers, and colon cancer screening information and results.

What happened? Cancer Care Ontario, the provincial agency charged with improving cancer services, cannot confirm whether 15 reports containing the personal health information of 6,490 Ontarians were successfully delivered to their intended recipients. The agency is also looking into the delivery status of an additional 11 reports containing 5,440 records.

The reports, which contain information from Ontario residents ages 50 to 75 in the ColonCancerCheck program, an initiative to screen people for colon cancer, were mailed to family doctors in February and March.

The agency used Canada Post's Xpresspost courier service to mail the reports. Canada Post mail carriers are supposed to hand over the packages only after receiving a doctor's signature and return them to the agency if a signature is not obtained.

Some of the reports were, however, delivered without a signature confirmation.

Details: Ontario's privacy commissioner, Ann Cavoukian, launched an investigation in late June and instructed the agency to visit doctors' offices to look for the reports.

Quote: “Medical test results rank among the most sensitive personal information about an individual,” Cavoukian said. “I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that this type of breach doesn't happen again.”

What was the response? An investigation was launched to determine the scope of the incident. The agency is notifying the appropriate primary care physicians, patients and the public over the next several weeks.

Source: http://www.cbc.ca/, CBC News, “Ontario cancer tests may be lost in mail,” July 26, 2011.

In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System.

How many victims? 400,000.

What type of personal information? Social Security numbers, names, addresses, dates of birth and medical billing codes.

What happened? A desktop computer containing the sensitive data was stolen from an employee's car on March 28. The employee was authorized to have the computer.

Details: The health care system posted a notification about the breach on its website in late May, though it did not reveal how many patients were affected. The U.S. Department of Health and Human Services last week revealed the number of impacted individuals.

There is no evidence that the information has been misused.

What was the response? Spartanburg reported the theft to authorities. An investigation was launched. The company also took unspecified steps to enhance its security procedures. Affected individuals have been notified and offered a free subscription for identity theft consultation and credit monitoring services.

Sources: SpartanburgRegional.com, Letter to Patients, May 2011.

HHS.gov, U.S. Department of Health and Human Services, Breaches Affecting 500 or More Individuals.

How many victims? 34,000.

What type of personal information? Names, addresses, account and tax identification numbers, as well as the income earned on investments in 2010, and some clients' Social Security numbers.

What happened? Two CD-ROMs containing the sensitive information went missing after being mailed to the New York State Department of Taxation and Finance. It appears that the package made it to the department intact, but by the time it reached its intended recipient the discs were missing. The state notified Morgan Stanley Smith Barney about the breach on June 8.

Details: The discs were were password-protected, but not encrypted.

Quote: "There's no evidence that there was any criminal intent here, or actual misuse of this information," Jim Wiggins, according to a spokesman for Morgan Stanley Smith Barney.

What was the response?  The investment firm conducted a search of its facilities and did not locate the discs. Notification letters were sent to affected individuals on June 24. The company has offered to provide a one-year, free subscription for monitoring services to those whose Social Security or tax identification numbers were lost.  

Morgan Stanley Smith Barney said it will work with the state to improve the security of data transmissions.

Source: ABCNews.com, ABC News, “Data of 34,000 Morgan Stanley Clients Lost or Stolen,” July 6, 2011.

How many victims? 3,590.

What type of personal information? Names, addresses and state identification numbers.

What happened? The disk was lost while on its way between two state agencies. It was discovered missing on May 6.

Details: The missing data did not include birth dates or Social Security numbers.

A similar incident occurred last summer, when the agency lost a computer hard disk containing the personal information of 100,000 residents.

What was the response? The agency is working to notify affected individuals.

Source: denverpost.com, The Denver Post, “Colorado agency loses records,” July 1, 2011.

The personal information of thousands of current and former California state employees was improperly copied to a hard drive and removed from state offices.

How many victims? 9,000

What type of personal information? Names, addresses, some Social Security numbers, ethnicities, birth dates, information on next of kin and workers' compensation documents.

What happened? IT staff at the California Department of Public Health (CDPH)  detected unusual network activity on April 5. It initiated an investigation and discovered that an employee had removed the information without authorization. The employee was placed on administrative leave until the investigation is complete.

Details: The breach affects most current CDPH and California Department of Health Care Services (DHCS) employees, as well as nearly 3,000 employees of the former Department of Health Services (DHS).

There is currently no indication that the information has been misused or further disclosed.

Quote: "We regret that the personal information of our employees was compromised," CDPH Director Ron Chapman said in a statement. "We take the breach of any secure documents very seriously and are committed to taking steps to minimize any impact of this action and further strengthen our security policy."

What was the response? The department has begun implementing unspecified internal safeguards to protect employee information. In addition, the agency is conducting a review of its information security policies and has promised to put in place any additional safeguards necessary to ensure a similar incident does not recur.

Affected individuals are being offered credit monitoring services.

Source: California Department of Public Health, “Current and former state employees advised of breach of personal information,” June 26, 2011.

How many victims? 300,000,

What type of personal information? Names and Social Security numbers.

What happened? The electronic files, which belonged to Southern California Medical-Legal Consultants (SCMLC), a company that helps medical providers recover workers' compensation insurance funds, were discovered by a data security firm through automated Google searching. The information was stored on a computer that was intended for internal purposes.

What was the response? The company took “immediate steps to remediate the situation” and is taking other unspecified measures to ensure a similar incident does not recur. Affected individuals are being notified.

Quote: "We take data security and privacy very seriously," Joel Hecht, president of SCMLC, said in a statement. "Unfortunately, our internal security policies and procedures were not followed.”

How many victims? 15,727.

What type of personal information? Names, addresses, birth dates, medical record numbers, health plan ID numbers, and treating physician names, as well as information about diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations.

What happened? Thieves broke into Health Care Partners' Pasadena and Long Beach, Calif. offices and stole 19 computers containing the data. They also stole a safe containing checks and credit card receipts. The theft was discovered on April 18.

Details: HealthCare Partners said it believes that the risk of harm is low because an investigation indicated the equipment was stolen for its monetary value, not the information it contained.

What was the response? Upon discovering the theft, HealthCare Partners notified local law enforcement and initiated an investigation into the incident. Affected individuals have been alerted and offered a free subscription of identity protection services. In addition, the company has promised to work with patients whose personal information was compromised to help minimize the impact of the incident.

Quote: "HealthCare Partners understands the importance of safeguarding our patients' personal information and takes that responsibility very seriously," Robert Margolis, chairman and CEO, said in a statement. "We regret that this incident has occurred, and we are committed to preventing such occurrences in the future.”

Source: http://www.healthcarepartners.com, “HealthCare Partners Notifies Patients of Breach of Unsecured Personal Information,” June 3, 2011.

The personal data belonging to Honda and Acura customers in Canada was stolen after attackers accessed the information off the companies' e-commerce sites.

How many victims? 283,000.

What type of personal information? Names, addresses and vehicle identification numbers. Data such as birth dates, telephone numbers, email addresses, credit card numbers, bank account information and lists of transactions was not taken.

What happened? Hackers infiltrated the myHonda and myAcura e-commerce sites to steal the account information stored in a database. The records in that database should have been destroyed but were not.

What was the response? Honda is notifying affected customers by mail. It informed customers about the incident but said they are not at risk for identity theft.

Details: The information was collected two years ago from customers who registered at the websites. Experts worry the stolen data may be used in phishing scams that seek more valuable personal information. Honda, which owns Acura, has since been sued over the breach, with the plaintiffs seeking $200 million in damages.

Source: The Toronto Star, thestar.com, "Honda hacked: 283,000 car owners lose personal data," May, 26, 2011.

How many victims? 4,000.

What type of personal information? Social Security numbers and payroll information.

What happened? The email was sent May 4 by an employee at the U.S. Department of the Interior's National Business Center, a service center in charge of payroll, human resources and financial reporting for dozens of federal agencies, including the SEC. The contractor forgot to encrypt the message, and software in place to detect such an error failed.

Details: The personal data was exposed for about one minute, while in transit. There is no indication that the data was intercepted.

The National Business Center recently has had several other breaches of employee information. In February 2010, a similar software malfunction nearly exposed personnel data, but an employee caught the mistake. Then in May, the center reported that a CD, containing sensitive information on about 7,500 federal employees from several government agencies, was lost.

What was the response? An investigation was launched after the most recent breach was discovered. An assessment of the software and security protocols at the National Business Center is ongoing.

Affected employees are being offered 60 days of free credit monitoring.

How many victims? 17,000 ticket holders.

What type of personal information? Names, addresses, phone numbers and email addresses of "non-premium" season ticket holders. The spreadsheet also contained Yankee account numbers and seat assignments. No financial data or Social Security numbers were compromised.

What happened? An employee working in the club's ticketing department meant to send an attachment with newsletter information to Yankees season ticket licensees. Instead, the individual mistakenly attached the internal spreadsheet.

Details: Premium account holders, some of which are celebrities, were not affected. Less than half of all season ticket holders were impacted.

Quote: "A mistake was made and we're being as transparent as we possibly can be," a team spokesman said. "We've already taken steps to be sure it cannot and will not happen again."

What was the response? The team has notified affected individuals by letter.

A USB stick containing the personal information of thousands of employees of Alberta's Edmonton Public School Board has gone missing.

How many victims? 7,000.

What type of personal information? Resumes, employment records and possibly banking data.

What happened? A school board computer technician working in the human resources department lost the flash drive on March 22.

Details: School board staff violated policy by retaining too much data for too long and failing to keep a record of the information downloaded to the USB drive, said Frank Work, Alberta's privacy commissioner.

Quote: "According to school board policy, you're not supposed to use an unencrypted stick," Work said. "They did.”

What was the response? The school board has sent notification letters to affected individuals. The board has spent thousands of dollars to respond to the incident.

Source: CBC News, “School board loses memory stick with employee data,” April 13, 2011.

MidState Medical Center, located in Meriden, Conn., has reported missing a hard drive containing the personal information of tens of thousands of hospital patients.

How many victims? 93,500.  

What type of personal information? Names, addresses, dates of birth, Social Security numbers and medical record numbers.

What happened? An employee of MidState's sister facility, Hartford Hospital, violated company policy by transferring patients' sensitive data to a personal hard drive to work from home.

Details: The drive was discovered missing on Feb. 15 and the employee has since been dismissed. The hospital does not believe that any information on patient diagnosis or treatment was compromised.There is currently no evidence that the information has been misused.

What was the response? After discovering the breach, the hospital launched an investigation and reported the incident to law enforcement. Affected individuals are being notified and offered two years of identity protection services. In addition, MidState Medical Center and other affiliated facilities are reviewing their policies and taking unspecified steps to prevent a recurrence.

Sources: MidState Medical Center, “Important Notice to Patients Regarding Misplaced Personal Information,” April 5, 2011.

The Hartford Courant, “Hospital Records Breach Involves 93,500 Patients,” April 5, 2011.

How many victims? About 3,900.

What type of personal information? Birth dates, relatives' names, Social Security numbers, medical treatment data and other unspecified information.

What happened? The files were in a locked storage room in Maryville's Des Plaines facility when they went missing. It is not known whether the files were stolen or misplaced.

Details: The files contained information about children who lived at agency facilities since 1992. They did not include information about children cared for at the agency's crisis nursery, children's health care center, psychiatric hospital or girl's shelter.

Quote: "We are reaching out to the members of our Maryville family who may be affected by these missing files to offer our assistance," Sister Catherine Ryan, Maryville's executive director, said in the statement.

What was the response? The agency is investigating.

Source: Chicago Breaking News, chicagobreakingnews.com, “Computer files lost at Maryville,” March 25, 2011.

A BP employee lost a laptop containing the personal information of thousands of Louisiana residents who filed compensation claims after last year's devastating oil spill in the Gulf of Mexico.

How many victims? 13,000.  

What type of personal information? Names, Social Security numbers, phone numbers and addresses.

What happened? The laptop went missing on March 1 while the BP worker was traveling for work. Though the laptop was password protected, the information was not encrypted.

Details: The data included a spreadsheet of information about individuals who filed claims with BP before the Gulf Coast Claims Facility took over the processing of claims last August. There is no indication that the data has been misused.

What was the response? BP has mailed letters to affected individuals and offered them free credit monitoring services. The company has reported the missing laptop to law enforcement.

Source: The Denver Post, denverpost.com, “Lost BP laptop holds personal data of 13,000 oil-spill claimants,” March 30, 2011.

Tens of thousands of Indiana Statewide Testing for Educational Progress-Plus (ISTEP) tests may have to be discarded after an exam question was posted on Facebook.

What happened? The Indiana Department of Education (DoE) believes a test coordinator copied an essay question from the eighth-grade language arts exam and shared it with others. It briefly was posted on a Facebook page connected with a state teacher's group.

The test was administered to 80,000 eighth-graders in the state.

Details: The question asked students' opinion on school vouchers that use taxpayer money to help parents send their children to private schools.

Pending state legislation supported by Republicans would give parents “special scholarships” using public funds for their children to attend private school. Some have said the exposure was meant to sway public opinion and promote the voucher plan. The state DoE and superintendent have denied such claims.

The DoE is considering whether to suppress the question or invalidate the affected portion of the test. The investigation and response could cost the state several hundred thousand dollars.

Quote: "It has the potential to cost taxpayers a great deal of money," said Lt. Gov. Becky Skillman.

What was the response? The Indiana DoE has launched a statewide investigation. Any teachers involved could lose their licenses.

Officials at Missouri State University in Springfield are notifying thousands of students whose personal information inadvertently was exposed online.

How many victims? 6,030.

What type of personal information? Names and Social Security numbers.

What happened? In preparation for an accreditation, the Missouri State University's College of Education late last year prepared electronic lists of students, by semester. They were to be made available on secure servers accessible by university personnel working on the accreditation.

Instead, the lists were posted in October to November to an unsecured server and were searchable on Google. The university discovered the breach on Feb. 22. 

Details: The lists contained information about students who attended the College of Education between 2005 and 2009.

Quote: “It is very unfortunate that this breach occurred,” said Jeff Morrissey, chief information officer at Missouri State. “We are taking this breach very seriously, and we hope these steps will prevent inappropriate use of the personal information that was compromised.”

What was the response? Since learning of the breach, the university has worked with Google to remove all the lists and is notifying affected individuals, who will be offered identity theft protection insurance. In addition, the university notified the state's attorney general and will discipline the employee who posted the information. Finally, the university has secured all College of Education accreditation lists and is working with all other college deans to prevent future inadvertent data exposures.

Source: Missouri State University, “College of Education students notified of security breach,” March 3, 2011.

The New York City Health and Hospitals Corp. (HHC), the city's municipal hospital system, has begun notifying 1.7 million individuals about the theft of electronic record files that contained their personal information.

What type of personal information? Full names, addresses, Social Security numbers, medical record numbers, health insurance information, diagnosis and treatment data, telephone numbers, mothers' maiden names and birth, admission and discharge dates.

What happened? The computer backup tapes were stolen on Dec. 23 from the truck of HHC's record management services vendor, GRM Information Management Services, while being transported to a secure location. At the time of the crime, the truck was parked on the street in Manhattan while the driver was making a pickup from another GRM customer.

The stolen backup tapes contain 20 years of information about patients, staff, contractors, vendors and anyone else who was treated by or provided services at HHC's North Bronx Healthcare Network hospitals and clinics. This consists of Jacobi Medical Center, North Central Bronx Hospital, along with two other community health care centers: the Health Center at Tremont and the Health Center at Gun Hill

Details: Only those with specialized knowledge and access to the right software and hardware would be able to view the information on the stolen tapes. There is currently no evidence that any of the stolen data was accessed.

Quote: “We apologize for the concern this incident may cause you and assure you steps are being taken to ensure that a similar incident does not recur, including the encryption of all future backup tapes,” William Nash, network senior vice president at North Bronx Healthcare Network, said in the notification letter.

What was the response? Upon discovery of the theft, the New York City Police Department was notified and launched an investigation. The stolen tapes have not been found, and police have no suspects.

HHC has fired GRM and has filed a lawsuit to cover the costs of the breach, according to reports.  

Affected individuals have been notified and offered one year of free credit monitoring and fraud resolution services. HHS also set up a phone hotline at (877) 412-7148 to answer any questions about the incident.

Source: New York City Health and Hospitals Corp., “Data Theft Notification to Jacobi Medical Center and North Central Bronx Hospital Patients, Staff, Contractors, Vendors, and Others," Feb. 9, 2011.

The University of Connecticut (UConn) is warning thousands of customers who bought merchandise at HuskyDirect.com that their credit card numbers and other sensitive information may have been stolen.  

How many victims? 18,000.

What type of personal information? Names, addresses, emails, telephone numbers and credit card information, including expiration dates and security codes.

What happened? A hacker gained access to a database containing billing information for HuskyDirect.com.

Details: The website, used by customers to buy team merchandise from the UConn co-op, is operated by an unnamed vendor who notified the university about the breach. The vendor has secured the database, the co-op said, but as of Jan. 20 the website remained inactive.

Customers who shopped at the co-op store in person are not affected.

Quote: "We are investigating how many accounts were actually accessed," the co-op said.

What was the response? Notification letters have been sent to affected individuals who will be offered credit protection.

Source: The Hartford Courant, courant.com, “Hacker Breaks Into UConn Husky Store Website,” Jan. 12, 2011.

The personal information of thousands of South Carolina state employees may have been stolen by hackers.

How many victims? 5,600.

What type of personal information? Names, addresses, Social Security numbers and birth dates.

What happened? A computer containing the sensitive data of thousands of state employees, retirees, dependents and survivors who were covered by the state's Employee Insurance Program was infected by a virus that may have permitted hacker access. The breach was discovered Nov. 18, about 10 days after it began.

Details: The affected computer contained the records of about 800 people who are dead. 

Quote: "Obviously, this is a terrible situation, and we feel for all those whose privacy may have been compromised," said Rob Godfrey, a spokesman for the state Budget and Control Board.

What was the response? The board has mailed notification letters to affected individuals. In addition, officials hireda new director who is "committed to making sure that changes are implemented, quickly, so something like this never happens again," Godfrey said.

The South Carolina Law Enforcement Division has been notified about the intrusion.

Source: Associated Press via aikenstandard.com, “Agency: Records of employees may have been breached,” Jan. 17, 2011.

The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.

How many victims? Approximately 110,000.

What type of personal information? Names, home addresses, email addresses, credit card numbers, expiration dates and CVV2 numbers.

What happened? Thieves exploited a SQL vulnerability to access a database on the company's web server. The hackers launched the SQL script on Sept. 26 and gained access to the database until Oct. 19. Six days later, a web programmer discovered the exploit.

What was the response? CitySights NY notified affected customers and provided them with one year of free credit monitoring and identity theft protection services. In addition, victims received a coupon good for 50 percent off select tours. They were told to purchase online, using the code of "012345."

The company has taken steps to improve its security posture, including tightening password use, closing database vulnerabilities, deploying an application firewall and conducting penetration tests.

Quote: "The company continues to monitor its systems and has reconfigured its systems so that transactions will be processed without storing credit card data on the company's servers," wrote attorney Theodore Augustinos in a letter to the New Hampshire attorney general's office.

Source: Letter to New Hampshire attorney general's office, Dec. 9, 2010.

How many victims? 760,000.

What type of personal information? Names, Social Security numbers, dates of birth and addresses. No OSU Medical Center patient records or student health records were involved.

What happened? The intrusion was confirmed last month, but the university did not disclose how the hackers were able to access the server because the incident is still under investigation. University police do not currently know who hacked the system.

An investigation revealed that the unauthorized access was used for launching cyberattacks on other businesses, the university said. There is no evidence that the data was stolen.

Details: Current and former faculty, students and applications as well as other individuals affiliated with the university could be affected.

Quote: "We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected," said OSU Provost Joseph Alutto.

What was the response? The university has notified affected individuals, who have been offered one year of free credit protection services. The university has hired two computer security consulting firms to forensically investigate the incident and help improve security. As a result of the breach, OSU is seeking to strengthen its IT systems.

OSU has suffered several other smaller beaches over the past few years.

In 2007, two separate incidents left the personal information of 17,500 students, faculty members and staff compromised. In 2008, the university notified 18,000 current and former students after it was discovered that their personal information was inadvertently posted online. And last year, 350 OSU Dining Services student employees had their Social Security numbers leaked in an e-mail.

The latest breach is expected to cost the university $4 million in expenses related to investigative consulting, beach notification and credit card security.

Sources: http://www.thelantern.com, The Lantern, “Hacked: Data breach costly for Ohio State, victims of compromised info,” Dec. 15, 2010.

http://www.osu.edu/creditsafety/, Ohio State University Credit Safety.

Hackers infiltrated the University of Wisconsin (UW)-Madison computer systems and accessed the personal information of tens of thousands of individuals affiliated with the college.

How many victims? 60,000.

What type of personal information? Names, photos and Social Security numbers.

What happened? UW-Madison officials became aware of the intrusion on Oct. 26. The breach affected mostly former students, faculty and staff members.

Details: One of the files in system contained old university photo IDs containing Social Security numbers and corresponding cardholder names. An investigation by the UW-Madison division of information technology and office of computer security found nothing to suggest that the data had been downloaded or used maliciously. The identities of the hackers remain unknown.

Quote: "Before privacy was taken as seriously as it is today, a student's Social Security number was embedded inside that ID card number," said UW-Madison spokesman John Lucas.

What was the response? Letters have been sent to affected individuals.

Source: http://host.madison.com/wsj/, Wisconsin State Journal, “UW-Madison warns 60,000 of card data theft,” Dec. 10, 2010.

More than 20 years worth of personal and investigative Sheriff's Department records from Mesa County, Colo. were inadvertently posted online, where they remained for several months.

How many victims? As many as 200,000.

What type of personal information? Secure law enforcement files that included the names of confidential informants, emails about crime victims and homicide investigations. In addition, the files included the names, Social Security numbers and addresses of current and former sheriff's office employees, along with the names of employees' spouses, children and schools the children attend.

What happened? An employee in the county's information technology department in April loaded the files onto what he believed was an encrypted county server while working on a project to integrate law enforcement computer databases.

The information was instead posted to a county URL that was not password protected. Authorities have determined that the data was accessed by someone outside the country in late October. The data was also accessed multiple times from local, national and international computers.

The site was taken down on Nov. 24, after an individual found their name mentioned in the files while searching the internet and notified authorities.

Quote: “My flush reaction is it's obviously a cyber disaster,” said former Sheriff Riecke Claussen. “I think that obviously with the type of information that the sheriff's office deals with, that security of information is of top concern.”

Details: The employee responsible for the breach, whose name hasn't been released, is no longer working for the county. Authorities are still determining the extent of the breach and do not know how many people obtained the information or how much of it remains online on other sites.

What was the response? County administrators are working to notify affected individuals.

Source: GJSentinel.com, Grand Junction Daily Sentinel, “Breach could put people at risk,” Dec. 3, 2010.

A laptop containing sensitive patient information was recently stolen from Henry Ford Health Systems in Detroit.

How many victims? Undisclosed.

What type of personal information? Patient names, medical record numbers, dates of birth, mailing and e-mail addresses, telephone numbers, treatment and doctor visits. No Social Security numbers or health insurance information were breached.

What happened? The device was stolen on Sept. 24 from an unlocked medical urology office. It was password protected but there is still a possibility that personal patient information could be at risk.

Details: The laptop contained patient information related to prostate services received between 1997 and 2008.

Quote: "The security of our patients' health information is very important to us, and we sincerely apologize for what happened," said Meredith Phillips, chief privacy officer at Henry Ford Health Systems. "This laptop did not have the proper security protections that we require for laptop computers storing patient information."

What was the response? The hospital has begun sending notification letters to affected patients, who are being offered one-year free credit monitoring. In addition, the hospital is providing employees with additional training on how to protect patient information stored on computers.

Source: clickondetroit.com, WDIV Detroit, “Detroit Hospital Security Breach,” Nov. 15, 2010.

An unauthorized individual recently gained access to a Louisiana state licensing database that contained the  personal information of tens of thousands of emergency medical technicians (EMTs).

How many victims? 56,000.

What type of personal information? Names and Social Security numbers.

What happened? It is believed that on Sept. 17 hackers gained access to a state Department of Health and Hospitals (DHH) database that contained information about individuals who have applied for classes or who are certified as first responders or EMTs in Louisiana. The list includes high school seniors who are in EMS-related programs through the Education Department.

The breach was discovered by personnel with the state's Bureau of Emergency Medical Services. A computer screen displayed the message: “You have been hacked.”

Details: The portal is internet accessible because instructors and other authorized individuals throughout the state use the database.

Quote: “Although we have no indication that information was actually released, we know that it was accessed,” said Tony Keck, deputy secretary at the DHH.

What was the response? The DHH has sent letters to affected individuals. In addition, the agency has taken steps to prevent a future breach, such as strengthening password requirements. Local law enforcement and the Louisiana attorney general's office are investigating.

Source: 2theadvocate.com, The Adovcate, “Hacker may have accessed DHH database,” Oct. 28, 2010.

The sensitive information of tens of thousands of former University of Hawaii students was inadvertently posted online, where it remained for nearly a year before being removed.

How many victims? 40,000.

What type of personal information? Names, Social Security numbers, addresses, birth dates and educational data.

What happened? Last December, a faculty member inadvertently uploaded the sensitive files to an unencrypted web server. The faculty member, who recently retired from UH's West Oahu campus, was conducting a study about students.

Details: Those affected are students who attended UH's Manoa campus from 1990 to 1998 and during 2001. In addition, students who attended UH's West Oahu campus during fall of 1994 or graduated from 1988 to 1993 may be impacted.

The incident follows a separate UH breach disclosed in July that involved the personal information of 53,000 individuals.  

What was the response? The university removed the files and disconnected the affected server from the network, after Liberty Coalition, a nonprofit group based in Washington D.C., notified university officials about the exposure on Oct. 18. Affected individuals are being notified.

The FBI and Honolulu Police Department have been notified. The university currently has no evidence that anyone's personal information was accessed for malicious intent. Meanwhile, the UH West Oahu campus is also working to adopt more proactive security measures to ensure a similar incident does not occur in the future.

Source: http://manoa.hawaii.edu/, University of Hawaii – Manoa, “Inadvertent exposure by UH West O'ahu affects Mānoa students,” Oct. 28, 2010.

How many victims? 280,000.

What type of personal information? Names, addresses and other health data.

What happened? AmeriHealth Mercy and Keystone Mercy Health Plan, both of which are Medicaid managed plan providers, said the drive was discovered missing from the companies' corporate offices on Sept. 20. The same drive was also used at community health fairs.

The companies have not disclosed whether the computer drive was encrypted.

Details: The last four digits of 801 members' Social Security numbers were also contained on the drive, along with full Social Security numbers of seven members.

There have not been any reports of misuse of the information stored on the drive.

Keystone Mercy Health Plan provides insurance to 300,000 Medicaid members in Pennsylvania, and AmeriHealth serves 100,000 in the state. The breach, which involves nearly two-thirds of the insurers' subscribers, represents one of the largest incidents involving health data loss in recent memory.

Quote: "We deeply regret this unfortunate incident," said Jay Feldstein, president of the managed care plans for both insurers.

What was the response? The breach was reported to the state Department of Public Welfare. In addition, the companies have been working to notify affected individuals and evaluate and improve their security measure so that a similar incident does not again occur.

Source: www.philly.com/inquirer/, Philadelphia Inquirer, “Medical-data breach said to be major,” Oct. 21, 2010.

The personal information of thousands of Mississippi National Guard personnel was inadvertently posted online for several weeks, beginning in early September.

How many victims? Nearly 3,000.

What type of personal information? Names, Social Security numbers, dates of birth, security clearance data, ranks and pay grades and home and cell phone numbers.

What happened? The breached administrative records belonged to members of the 155th Brigade Combat Team and were compiled at various times between 2006 and 2008, including while the brigade was deployed in Iraq. The files were posted on Sept. 10, to the brigade's Microsoft SharePoint website, which did not require a password to access. The guard is investigating how the breach occurred, but officials believe that it inadvertently happened when someone uploaded the files to a new computer system.

Details: The National Guard was notified about the breach by Aaron Titus, information privacy director of Liberty Coalition, a Washington-based policy institute. The group operates the website, NationalIDWatch.org, where users can find out if their personal information has been compromised.

During the time the files were posted, they could have been potentially viewed by anyone online.

The website can no longer be accessed.

Quote: "Information management is working feverishly to get to the bottom of it," Tim Powell, a spokesman for the National Guard, said. "We take this very seriously and are incorporating numerous layers of internet security on our website."

Source: Associated Press via the Army Times, “Miss. Guard personnel information compromised,” Oct. 8, 2010.

A University of North Florida (UNF) computer file containing the sensitive information of students may have been accessed by a foreign hacker.

How many victims? 106,884.

What type of personal information? Names, Social Security numbers and dates of birth

What happened? An unauthorized individual outside of the United States gained access to a school computer server some time between Sept. 24 and 29. A sensitive file on the server contained the personal information of UNF students and others who have expressed interest in the college. The information was collected during the recruitment and application process.

It is possible the intruder was seeking to disrupt normal business or use the computer's processing power to launch similar attacks on other computers, UNF said. There is currently no proof that any confidential information was stolen.

Details: Of those affected, 52,853 had their names and Social Security numbers compromised and 54,031 had their names and dates of birth compromised. In some cases, the intruder may have had access to ACT and/or SAT test scores, which are collected as part of the application process. UNF academic grades, financial aid information and course histories are not at risk.

What was the response? Immediate steps were taken to contain the breach and to prevent further unauthorized access. In addition, the university has notified affected individuals by letter. The university Police Department is working with the FBI to investigate the breach.

UNF has set up a phone number, (904) 620-2114, and an email account, databreach@unf.edu, for questions concerning the data breach. Affected individuals are being advised to place a fraud alert on their credit files.

Source: http://www.unf.edu/info/databreach/, “UNF Alert," undated.

How many victims? 19,264.

What type of personal information? Patient names, telephone numbers, addresses, birth dates, Social Security numbers, medical records, insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports and service dates. In some records, guarantor information was also included.

What happened? The virus was detected on or about July 28.

Details: It is not possible to determine if any sensitive documents were accessed. Further, neither the university nor the clinic has any indication that the information has been used for illegal or wrongful purposes.

What was the response? An investigation into the incident was initiated after the compromise was discovered. The clinic has implemented steps to ensure the safety and privacy of data, such as increasing the frequency of software and security updates. Letters have been sent to affected patients. Those with questions about the breach are being advised to contact the clinic at (918) 619-4542 or (866) 836-3150.

Sources: News release, “OU Tulsa Neurology Clinic Computer Compromised,” Sept. 24, 2010.
U.S. Department of Health and Human Services, "Breaches Affecting 500 or More Individuals."

What type of personal information? Names, card account numbers, PINs.

What happened? The altered payment terminals were placed between June 1 and Aug. 31 at stores in  Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina and Virginia.

Details: An Aldi spokeswoman declined to say how many stores, payment card terminals or customers were affected by the breach. However, more than 200 people who had shopped at an Aldi store in Wheeling, Ill. told law enforcement that they discovered unauthorized withdrawals of $100 to $900 from their bank accounts, according to reports. And, police in St. Charles, Ill. have said they received 32 reports of debit card fraud from people who had shopped at Aldi.

The company said it does not believe that any employees were involved in the breach.

Quote: “We take our obligation to safeguard our customers' personal information very seriously and we sincerely regret that this incident may affect our customers,” Terry Pfortmiller, vice president of finance and administration at ALDI, said in a statement.

Aldi has recommended customers review and monitor their payment card statements and credit reports. Those who believe they were affected by the breach should immediately contact their bank or payment card company and local law enforcement. Customers with questions are advised to call Aldi at (877) 412-7152 or visit www.aldi.us.

A device containing the personal information of thousands of faculty and staff members at Rice University in Houston was recently stolen.

How many victims? 7,250.

What type of personal information? Names, addresses, birth dates, employee identification numbers, salaries and emergency contacts.

What happened? To protect victims, the Rice University Police Department is not releasing specific details about how the theft occurred.

Details: The device contained at least two sensitive files, one of which included Social Security numbers, mostly for Rice employees. The other document contained the personal information, excluding Social Security numbers, of Rice employees and students on the university payroll as of January.

To date, there is no evidence that an unauthorized person has discovered or used the data.

What was the response? Letters are being sent to affected individuals, who will be offered resources to help protect them from identity theft. Houston police are investigating the incident.

Source: http://abclocal.go.com/ktrk/index, KTRK-TV Houston, “Personal info stolen from 7,250 associated with Rice U.,” Sept. 13, 2010.

How many victims? 7,000.

What type of personal information? Names and Social Security numbers.

What happened? The computer, which was password protected but contained a database full of sensitive information about City College of New York (CCNY) students, was stolen a few weeks ago and has not yet been found.

What was the response? Letters are being sent to affected individuals. A spokesperson for the school said there is no evidence that anyone's personal information has been compromised. CCNY said it is making efforts to ensure that computers containing sensitive information are better protected in the future.

Source: 7online.com, WABC-TV, “Computer stolen with students' information,” Sept. 7, 2010

How many victims? 22,000.

What type of personal information? Social Security numbers, genders and dates of birth.

What happened? The RFP, which contained sensitive state retirees' information, was prepared by Aon, a consulting company that provides services to the state of Delaware for health and benefit programs. Aon prepared the document for the state to solicit bids from insurance companies interested in providing vision benefits to state employees and retirees. The RFP was posted to the procurement section of the state website to allow interested bidders access to the proposal document.

State staff discovered and removed the document five days after it was posted.

Details: The document did not include retiree names or current state employee information.

What was the response? Letters are being sent to affected individuals who will be offered one year of free credit monitoring.

Source: http://www.newarkpostonline.com/, Newark (Del.) Post, “State employee retirees' Social Security numbers posted on website by vendor,” Aug. 30, 2010.

How many victims? 10,174.

What type of personal information? Names and Social Security numbers.

What happened? The laptop, which was being kept in a storage cabinet at the UConn West Hartford campus' information technology department, was discovered missing on Aug. 3.

Details: The computer had undergraduate admissions files that contained contact information and Social Security numbers of the applicants. The information spans the period from 2004 through July 30, 2010.

There is no indication the laptop was stolen for the purpose of identify theft.

What was the response? Steps have been taken to prevent unauthorized access to the university through the computer. UConn police are looking into whether school security policies were followed.

Affected individuals are being notified about the breach and offered free credit monitoring coverage for two years.

Source: www.westhartfordnews.com, West Hartford News, “Laptop with Social Security numbers stolen from UConn West Hartford,” Aug. 19, 2010.

How many victims? 4,000 Portland, Ore. psychology patients and 2,900 unemployed state residents.

What happened? An unsecured laptop containing patient names, Social Security numbers and diagnoses was stolen from Oregon psychologist David Gostnell's vehicle during the weekend of Aug. 6. Separately, a data storage device containing the names and Social Security numbers of unemployed residents of Multnomah County in Oregon was stolen from the car of a Portland Community College (PCC) employee on Aug. 5.

Details: Gostnell runs a private practice in northeast Portland and works at Oregon Health & Science University. Records from patients Gostnell treated at OHSU were not on the stolen laptop.

The laptop was password-protected, but a disc left in the CD drive contained a partial backup of the hard drive, including sensitive patient information. His briefcase, which also contained patient evaluation records, also was stolen. All of those records were recovered in a nearby trash bin shortly after the theft. Gostnell does not believe the items were stolen to obtain patient information.

Meanwhile, the PCC-related burglary involved the theft of a flash drive containing the personal information of participants in the Oregon Food Stamp Employment Transition Program, which is operated at PCC and provides support and job-hunting skills for unemployed Oregon residents. A PCC employee who worked at multiple sites was transferring the data from one site to another when the theft occurred. The flash drive was in a bag that was stolen from the car.

Quote: "There is no evidence that any name or Social Security number has been used so far," said Dana Haynes, spokesman for PCC.

What was the response? Individuals who have been evaluated by Gostnell can call (877) 461-7657, if they have questions about the matter.

PCC has sent letters to affected individuals and offered them a one-year subscription for credit-protection services. The college also has posted credit protection information online.

Source: http://www.oregonlive.com/, The Oregonian, “Car thieves get personal data on Portland psychology patients, unemployed Oregonians,” Aug. 12, 2010.

The confidential information of students and employees at six Florida community colleges was publicly available on the internet for five days due to a state library service center software glitch.

How many victims? 126,000.

What type of personal information? Unspecified data that is protected under Florida state law. This means it may have included names, Social Security numbers and driver's license or Florida information card numbers. Compromised information did not include financial or library records.

What happened? The College Center for Library Automation (CCLA), which provides services and resources to Florida's public colleges, determined the breach happened as a result of a software upgrade.

The information was available online from May 29 to June 2. Six state community college colleges were affected because their borrower records were contained in temporary work files that were being processed at the time the breach occurred. The library agency learned of the incident on June 23, after a student reported finding personal information through a Google search.

Officials from the library agency said they believe the information was viewed by unauthorized individuals, but there is no evidence the data has been misused.

Details: Employees and students were affected at Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College and Tallahassee Community College.

Quote: "We pride ourselves on protecting private information and deeply regret this inadvertent exposure," said Richard Madaus, CEO of CCLA. "I apologize to those involved for any worry or inconvenience this may cause them. We will continue to enhance our technology to safeguard all of the information entrusted to us."

What was the response? Affected individuals are being notified by letter. Additionally, the agency began an investigation after discovering the breach, and the case has also been turned over to the county sheriff's office.

Source: Sun-Sentinel.com, South Florida Sun-Sentinel, “Broward College student data exposed,” Aug. 10, 2010.

How many victims? 21,000.

What type of personal information? Names, birth dates, insurance information and Social Security numbers.

What happened? The laptop was stolen from an office in the hospital on June 14.

A hospital employee violated policy by copying data from the hospital's computer system to a laptop. The employee will be subject to unspecified disciplinary action.

Details: The laptop was password-protected, but the data was not encrypted.

Quote: “As upsetting as it is for me, I know it is even more upsetting for the people who have gone through it and I am really sorry that they have to deal with this,” said Thomas Lewis, Jefferson's president and chief executive.

What was the response? Jefferson has notified affected individuals and offered to provide them with identity theft protection services. Risk consultancy firm Kroll was brought in to conduct an investigation into the incident. Also, an internal review of hospital policies and procedures was carried out to ensure a similar incident does not occur in the future.

Source: Philly.com, “Huge loss of patient data at Jefferson,” July 29, 2010.

How many victims? Unspecified.

What type of personal information? Social Security numbers, addresses and phone numbers.

Details: The thumb drive went missing on July 8. No employee or patient information is believed to have been compromised.

What was the response? Affected individuals have been notified. Additionally, the hospital reported the incident to state and local police, who are investigating the incident. The hospital also is conducting an investigation and has initiated a plan to protect any personnel who could be affected by the breach. 

Quote: "Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive," the hospital said in a statement.

Source: 6abc.com, 6 ABC Action News, “Potential security breach at Cooper Univ. Hospital,” July 28, 2010.

How many victims? 3,000.

What type of personal information? Social Security numbers and other unspecified personal information.

What happened? The information was posted by an employee of the Maryland DHR, a state agency that provides benefits, such as food stamps and other aid, to clients. The employee has since been placed on administrative leave and could face disciplinary action.

The breach was discovered by staff of the Liberty Coalition, a nonprofit that promotes individual freedoms. The group's privacy director, Aaron Titus, said the information was posted from April 27 to July 14.

Staff members at Liberty Coalition tried to notify DHR officials about the breach on July 9 but were unsuccessful until July 12. The data was taken down on July 14.

Details: There currently is no evidence that the information was used for identity theft.

Quote: "We take the privacy of the data that's entrusted to us very seriously," said DHR spokeswoman Nancy Lineman.

What was the response? An investigation into the incident was initiated. Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.baltimoresun.com, The Baltimore Sun, “State employee posts nearly 3,000 SSNs online,” July 19, 2010.

How many victims? 93,000.

What type of personal information? Social Security numbers, addresses and driver's license information.

What happened? An investigation conducted by auditing and advisory firm KPMG revealed "some irregularities" in Buena Vista University's network. It was confirmed that unauthorized access to the database occurred in June.

Details: Personal information of students and staff dating back to 1987 could be vulnerable.

University President Frederick Moore has apologized for the incident and said that the university is trying to mitigate potential harm.

Quote: “We do not believe any of the information was misused or provided to a third party,” a university spokesperson said.

What was the response? The case has been handed over to the U.S. attorney's office, which is conducting an  investigation into the matter.

Affected individuals are being notified and offered a one year subscription for credit monitoring services.

Source: www.SCMagazineUK.com, SC Magazine UK, “Personal details of 93,000 staff and students at US university could be exposed after database compromise,” July 19, 2010.

How many victims? 79,000.

What type of personal information? Names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information. Additionally, some health insurance information may have also been included — mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

Details: The stolen hard drive contained images of microfilm files that contained the sensitive information. Some of the employee files also contained information on beneficiaries and dependents. The data spans a period from 1960 to 1995.

What was the response? Affected individuals have been notified and offered one year of free credit monitoring services. Additionally, the airline has increased security at its headquarters, including testing its computers for vulnerabilities. An investigation into the incident is currently ongoing.

Source: cbs11tv.com, “American Air Parent Claims Worker Data Compromised,” July 2, 2010.

A cybercriminal recently gained access to a University of Hawaii at Manoa (UH-Manoa) parking office computer server that contained the personal information of tens of thousands of individuals.

How many victims? 53,000.

What type of personal information? Names, Social Security numbers, addresses, driver's license numbers, vehicle information and credit card information

Details: A server used by the UH-Manoa parking office was accessed on May 30, though school officials are unsure how the cybercriminal gained entry. The hacker left behind a virus on the server. The breach was discovered during a routine audit on June 15.

There were 40,870 Social Security numbers and 200 credit card numbers on the server. Those affected include UH-Manoa faculty and staff members employed in 1998, along with anyone who did business with the parking office between Jan. 1, 1998, and June 30, 2009.

Students who paid for parking passes using a credit card were not affected.

Quote: "There is no indication that any information was misused, downloaded or viewed by the hacker,” said Gregg Takayama, a university spokesman.

What was the response? Social Security numbers, which are no longer used for parking transactions, are being removed from all parking databases. The university is strengthening its internal automated network monitoring practices and performing evaluations of systems to identify other potential security risks.

Affected individuals have been notified by mail and email. The matter was turned over to Honolulu police, the FBI and UH-Manoa's forensic investigator.

Source: Staradvertiser.com, Honolulu Star Advertiser, “UH breach affects 53,000,” July 7, 2010.

The Massachusetts secretary of state's office earlier this year accidentally released the confidential personal information of state-registered investment advisers to a business publication.

How many victims? 139,000.

What type of personal information? Names, Social Security numbers, birth dates and locations, in addition to  height, weight, and hair and eye color.

Details: The information was on a CD-ROM sent to IA Week, an investment industry publication, in response to a request for public information. The publication originally asked the office's Securities Division, overseen by Secretary of State William Galvin, for a list of registered investment companies but was instead sent a list of individual investment professionals.

A new employee working in the division caused the error by failing to delete the Social Security numbers and other information, which is normally withheld. IA Week returned the CD-ROM in June with a letter stating it had not made any copies of the data.

Quote: “It's an unfortunate mistake,” said Brian McNiff, a spokesman for Galvin. “It obviously was not done according to [standard] practice.”

What was the response? The Securities Division currently is trying to determine whether it needs to notify affected individuals, since all data was recovered, and there is no reason to believe it was ever misused.

Source: boston.com, The Boston Globe, “State's error unveiled Social Security numbers,” July 6, 2010.

Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system.

How many victims? Unknown.

What type of personal information? Credit card numbers.

What happened? According to the hotel, remote attackers installed a malicious program into the card processing system.

Details: Only those hotels where credit cards are physically swiped appear to be affected. The malware has been removed, and the locations again are normally processing transactions.

What was the response? The Englewood, Colo.-based hotel chain is notifying guests who stayed at the affected properties and encouraging them to contact their credit card companies to ensure no fraud was perpetrated.

Quote: “We are concerned for our guests and we sincerely regret any inconvenience this may cause them,” said Charlie Peck, the hotel's president and chief operating officer.  “We know we are not the first hotel company to be victimized by this kind of attack, but our greatest concern is for our guests who may be affected as well.”

Source: Destination Hotels & Resorts news release. "Destination Hotels reacts swiftly to credit card interception," June 24, 2010.

How many victims? 4,585.

What type of personal information? Names, Social Security numbers and clinical information.

Details: Every student who sought counseling services from the school's counseling center between Aug. 8, 2002 and June 21 of this year are affected, school officials said. Currently, it is unclear whether the data was viewed or downloaded.

The university's investigation began on June 16, after counseling center staff reported having trouble obtaining files on the server. The investigation revealed that one of the servers was compromised as early as March 4. After gaining access to the initial machine, the hackers infiltrated a second server.

The Maine Legislature also announced this week that one of its websites was hacked and infected with malware, IT officials said. The site, which details the status of bills, currently remains offline.

Both incidents likely are related.

Quote: "This sort of crime is in every way, shape and form an insidious affront to the rightful privacy expectations of our students," said University of Maine's Dean of Students Robert Dana.

What was the response? University of Maine police are leading an investigation into the hacking incident, along with federal prosecutors and computer crimes experts from the U.S. Secret Service. Affected individuals will receive a one-year subscription for credit monitoring services. In addition, the school is taking additional but unspecified steps to prevent future breaches.

Source: http://www.mpbn.net, The Maine Public Broadcasting Network, “Hackers Compromise UMaine Servers, Legislative Web site,” June 29, 2010.

How many victims? 19,000 students and 88 faculty members.

What type of personal information? GPAs, test scores and Social Security numbers.

What happened? The unsecured database was used in connection with the College of Education students' E-Folio software application, used to capture students' mastery of state of Florida and national teacher education standards through the tracking of grades, test scores, completed assignments and other data elements. The database has since been secured.

Details: There is no indication that any unauthorized individuals retrieved information from the database.

What was the response? The university is notifying all affected individuals.

Source: news.FIU.edu, News at FIU – Florida International University, " University to notify students and faculty regarding unsecure database,” June 22, 2010.

UPDATE: Indianapolis-based health insurance company WellPoint, which runs Blue Cross plans in 14 states, recently revealed that it has notified a total of 470,000 individuals potentially affected by this breach, including the 230,000 customers of its Anthem Blue Cross subsidiary in California.

The personal information of hundreds of thousands of Blue Cross customers was recently exposed following a website glitch made by a third party.

How many victims? 230,000.

What type of personal information? Medical records and Social Security numbers.

What happened? The appropriate security measures were not put in place following an October 2009 upgrade of the company's website made by a third-party vendor, said Anthem spokeswoman Cynthia Sanders. As a result, a site user was able to manipulate web addresses to access confidential information.

A class-action lawsuit was filed on behalf of individuals whose information was in jeopardy.

It's unknown how many people worldwide may have accessed the site illegally. According to Anthem's investigation, the vast majority of unauthorized access was from the plaintiff of the lawsuit and her attorneys, Sanders said.

The attorneys downloaded some information from the site, but have since returned it to the court system.

Meanwhile, this is not the first time WellPoint has experienced a breach. In 2008, it was discovered that the personal information of about 128,000 WellPoint customers from several states was publicly available on the internet. And in 2006, backup computer tapes containing the personal information of 200,000 members were stolen.  

Quote: “We were told by a third-party vendor that all security measures were in place,” Sanders said. “As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately.”

Details: Applicants under age 65 who were applying for individual policies were affected by the breach.

What was the response? The company is offering affected individuals a one year free subscription for identity protection services.

Source: Associated Press, “Anthem Blue Cross glitch exposed personal data,” June 23, 2010.

Update Source: Associated Press, “Security glitch exposes WellPoint data again,” June 29, 2010.

A computer containing thousands of Social Security numbers was found to be under the control of a botnet.

How many victims? 15,800.

What type of personal information? Social Security numbers.

What happened? The university discovered that a machine in the campus' Outreach Market Research and Data office was communicating with a botnet's command-and-control center. As it turned out, the computer contained a cached copy of Social Security numbers, which formerly were housed in a database that was removed from the computer in 2005 when the university stopped using the numbers as identifiers.

Details: There is no evidence the information has been exposed to criminals.

What was the response? The university plans to send out notification letters to victims.

Source: http://www.centredaily.com, Centre Daily Times, PSU notifying 15,800 on Social Security breach, June, 3, 2010.

How many victims? 5,220.

What type of personal information? Social Security numbers for all those affected and prescription-drug information for five individuals.

What happened? Two DVDs containing the sensitive information failed to arrive at the offices of Towers Watson & Co., the city's benefits consulting firm, based in Atlanta. The city of Charlotte was notified of the lapse on Feb. 23 and has blamed a mail-service provider working with Towers Watson.

Details: The files on the DVDs were not encrypted and thus were in violation of Towers Watson's policies.

What was the response? The city has notified all affected individuals, the North Carolina attorney general's office and the secretary of health and human services.

Towers Watson has offered affected individuals two years of free identity-theft monitoring services.

Source: http://charlotte.bizjournals.com, Charlotte Business Journal, “Charlotte loses data on 5,220 city workers,” May 26, 2010.

UPDATE: The stolen laptop also contained the personal information of more than 10,000 Tennessee residents enrolled in TennCare, Tennessee's Medicaid managed care program, and CoverKids, a program that provides free health coverage for uninsured Tennessee children. Of the affected Tennessee residents, 12 were CoverKids members and the rest were TennCare members. DentaQuest plans to send notification letters to affected Tennessee residents next week. Those affected will be offered one year of free ID theft prevention services.

An unencrypted laptop containing the personal information of thousands of New Mexico citizens enrolled in the state's Medicaid Salud plan was stolen in late March.

How many victims? 9,500

What type of personal information? Names, health plan identification numbers and provider identification numbers. In some cases, health plan identification numbers were the same an individual's Social Security number.

What happened? The laptop was in the trunk of a vehicle that was stolen on March 20 in Chicago. The vehicle belonged to an employee of a subcontractor to DentaQuest, the company that processes claims and provides dental benefits for the New Mexico's Medicaid program.

Details: The computer was password protected but did not have any other safeguards to prevent unauthorized access to the information.

Quote: “At this time, the stolen car and laptop have not been recovered, and it is not known whether the information on the laptop has been accessed,” the New Mexico Human Services Department said in a statement

What was the response? The state agency has informed the U.S. Department of Health and Human Services and is working to notify affected individuals. In addition, the agency launched an investigation into the breach. 

Source: http://newmexicoindependent.com, The New Mexico Independent, “Stolen laptop puts thousands of New Mexicans at risk for ID theft,” May 11, 2010.

Update Source: www.wsmv.com, WSMV 4 News, “Stolen Computer Contains Private TennCare Info,” June 11, 2010.

A flash drive containing personal patient information recently went missing from Our Lady of Peace, a 278-bed psychiatric hospital in Louisville, Ky.

How many victims? 24,600.

What type of personal information? The flash drive may have included patient names, room numbers, date of assessment, date of birth, insurance company names, along with admission and discharge dates. It did not include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses.

What happened? The drive went missing on either March 31 or April 1 and has not yet been found. The hospital's compliance and privacy officers were notified of the loss on April 1. Hospital staff subsequently conducted an investigation that involved reviewing security tapes, interviewing employees and analyzing the computer's usage history.

Hospital officials have not revealed how the breach happened.

Details: Hospital staff has taken “appropriate disciplinary action” following the incident but would not provide any additional details.

Quote: “We have taken this breach very seriously,” the hospital said in a statement. “Patient confidentiality is sacred to us and our patients.”

What was the response? Letters have been sent to affected individuals. In addition, hospital officials said they are taking steps internally to prevent similar breaches from occurring in the future. These steps include re-educating employees about how to handle patient and protect electronic information and using encryption devices on software and computers.

Source: courier-journal.com, The (Louisville, Ky.) Courier-Journal, “Data on 24,600 hospital patients missing,” April 29, 2010.

Five stolen laptops containing tens of thousands of medical records were recently stolen from Fullerton, Calif.-based St. Jude Heritage Medical Group.

How many victims? More than 20,000.

What type of personal information? Social Security numbers, dates of birth and, in some cases, health-related information.

What happened? Thieves stole the computers from the St. Jude Heritage Healthcare Clinical Management Services building.

Details: There have been no reports of stolen personal information being used illegally.

Quote: "The data that was stolen originated from private practice physicians," St. Jude Heritage Healthcare spokesman Kevin Andrus said in a statement. “St. Jude Heritage Healthcare is an administrative foundation that contracts with physicians, so that's why the data was there.”

What was the response? Letters have been sent to affected individuals, who have been offered a one-year subscription for credit monitoring and restoration services.

Source: http://abclocal.go.com/kabc/index, KABC-TV Los Angeles, “O.C. St. Jude warns patients of stolen data,” April 20, 2010.

How many victims? 3,526.

What type of personal information? Compromised information may have included: names, addresses, telephone numbers, email addresses, birth dates, ages, sex, medical record numbers and dates of service. In addition, the compromised information may have included medical information, such as diagnoses, symptoms, test results and prescriptions, along with patient pharmacy information. Information on four individuals also included their pharmacy insurance account numbers.

What happened? The laptop, which belonged to a neurologist who focuses on ringing in the ears, was stolen on February 19 while the physician was lecturing in South Korea.

Details: The laptop contained information about patients who were treated by the physician between Feb. 3, 1988 and Feb. 16, 2010, and of a small number of individuals who participated in tinnitus research.

The computer was password protected and contained a tracking device that on April 9 was used to permanently disable the hard drive and render any information, including information about affected patients, permanently unreadable.

There is no indication that the information on the stolen computer was accessed or used inappropriately .

Quote: "Mass. Eye and Ear apologizes to those affected for any concern, inconvenience, or risk that this incident may cause," John Fernandez, Mass. Eye and Ear president and CEO said in a statement. "We regret that this incident occurred and are taking appropriate steps to protect individuals associated with Mass. Eye and Ear who may have been affected by this breach and to limit or prevent where possible such breaches in the future."

What was the response?  Letters are being sent to affected individuals at their last known address. In addition, the hospital has posted a notice about the breach on its website.

Affected individuals are being offered a free year-long subscription for credit monitoring, identity theft insurance and restoration services.

To prevent future breaches, Mass. Eye and Ear is updating its information security program by deploying encryption to laptop computers that connect to the organization's computer network. In addition, employees are being provided education about the importance of limiting data stored on laptops.

Source: http://www.masseyeandear.org, Massachusetts Eye and Ear Infirmary, “Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach,” April 20, 2010.

How many victims? 5,450.

What type of personal information? Unspecified.

What happened? The laptops, which contained patient information dating back more than three years, were stolen in February from a locked and guarded building at the John Muir Physician Network Perinatal office in Walnut Creek, Calif.

Details: The laptops were password protected and contained data in a format that would not have been readily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.

Quote: “We apologize for any inconvenience or anxiety this incident may cause our patients,” said Hala Helm, John Muir's vice president and chief compliance and privacy officer. “We take this issue very seriously and are committed to protecting the personal and health information of our patients.”

What was the response? After discovering the theft, local police and the U.S. Department of Health and Human Services were notified. An investigation into the incident was carried out by law enforcement, external vendors and internal experts to determine what information was stored on the laptops and whether it could be accessed.

Affected individuals have been notified and offered a one-year free subscription for credit monitoring services.

John Muir has implemented additional security measures, including data encryption software on laptops, to protect patient information.

Source: http://sanfrancisco.bizjournals.com/sanfrancisco/, San Francisco Business Times, “John Muir Health to notify 5,450 patients of data breach,” April 5, 2010.

How many victims? 7,174.

What type of personal information? Names and Social Security numbers.

What happened? The theft occurred during the weekend of Feb. 6 at the Nashville, Tenn. university.

Details: The desktop belonged to a professor who kept a database of his grade book, including Social Security numbers for some students. Among the victims, the breach affects 1,173 current undergraduate students and 174 current graduate students.

What was the response? Letters have been sent to affected individuals, who have been offered a fee year of identity protection and credit monitoring services, along with a $1 million identity theft insurance policy.

In addition, a letter was sent to all academic deans advising them to eliminate personal student information from their files and to not collect it in the future.

Source: InsideVandy.com, InsideVandy, “Student information part of security breach,” Mar. 16, 2010.

UPDATE: The external hard drive was discovered at the home of a guard member's family member in Virginia while the solider was on temporary duty there. The drive was recovered and destroyed on May 15, 2010.

An external hard drive containing the personal information about tens of thousands of Arkansas National Guard soldiers recently went missing.

How many victims? 35,000.

What type of personal information? Names, Social Security numbers and other unspecified personal information.

What happened? An Arkansas National Guard soldier reported the loss after conducting an unsuccessful search to find the drive when it was first realized as missing on Feb. 15. The unencrypted drive was a backup storage device used by the soldier to archive work related information over the past six years.

The device was last used in November.

Details: A team of guardsmen searching data known to be on the missing drive have discovered that one of the files was a personnel database containing information on all soldiers who have served in the Arkansas Army National Guard since 1991.

There is no evidence that the device was stolen.

What was the response? The guard is working to identify those affected and alert them of the breach. The incident is under investigation to help ensure steps are taken to help prevent a similar breach from occurring in the future.

Source: KTLO.com, KTLO News, “Arkansas National Guard alerting soldiers of data loss," March 5.

How many victims? Unspecified.

What type of personal information? Names, credit or debit card numbers and card expiration dates

What happened? At some point between April and December 2009, the point-of-sale system for the hotel's four restaurants and valet parking service may have been illegally accessed by outside hackers. The intruders may have used this entry to obtain sensitive information

Details: The hackers did not obtain any information from the computer system used to store hotel guest information. In addition, the compromise did not affect any charges made to guests' rooms.

Quote: “We value our customers' privacy and deeply regret that this incident may have occurred,” the hotel wrote in a notification letter on its website.

What was the response?  The hotel is working with law enforcement and forensic investigators. In addition, it has conducted a review of its computer systems to ensure a similar incident does not recur. The hotel is offering free credit-monitoring services for one year to affected individuals.  

Source: Westin Bonaventure Hotel & Suite, “Data Security Notification,” Feb. 20, 2010.

How many victims? Unknown, but the breach affects a “small percentage of our WHR customers,” the company said in an open letter to customers.

What type of personal information? Cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe.

Birth dates, Social Security numbers, addresses or other personally identifying information were not kept by the hotels and are not part of the compromise.

What happened? In late January, WHR discovered that a sophisticated hacker broke into the computer systems of one of its data centers. By going through the centralized network connections, the hacker was able to access and download sensitive customer information from several, but not all, of the WHR hotels.

Details: Last year, WHR suffered a separate data breach after a hacker accessed its computer systems and downloaded information from several WHR properties.

Quote: “We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem,” WHR's open letter to customers states.

What was the response?  The company ensured the hack was immediately caught and stopped, and the chain retained an investigator to assess the problem and help the company improve security. In addition, each impacted property is being investigated by a firm specializing in the Payment Card Industry Data Security Standard (PCI DSS) to assess and improve compliance.

WHR is working to notify affected individuals and plans to offer them free credit monitoring services. WHR has also notified the U.S. Secret Service, as well as several states' attorneys general offices with information about the breach.

Source: Wyndham Hotels and Resorts, “Open letter to our customers,” February 2010.

How many victims? 170,000.

What type of personal information? Grades and Social Security numbers.

What happened? Joe Newton, director of information technology at the university, said the breach was first detected on Dec. 11. It was determined that unauthorized access dated back to Nov. 11.

Details: An investigation has not yet determined if any personal data was stolen.

Quote: “An initial investigation has found no evidence that any personal data was accessed or transferred,” Newton said. “We regret the incident and are reviewing and revising our procedures and practices to minimize the risk of a recurrence.”

What was the response? The affected server was removed from the network and secured. The university is notifying affected individuals.

In addition, the university's police and division of information technology are conducting an investigation with the assistance of the Georgia Bureau of Investigation.

Source: http://www.valdosta.edu/notify/, Valdosta State University, “Breach Notification for December 11, 2009 Security Incident.”

How many victims? 200,000.

What type of personal information? Names, addresses, phone numbers, Social Security numbers and protected health information.

What happened? The laptops were stolen from a locked conference room at AvMed's corporate offices in Gainesville, Fla. The theft was discovered Dec. 11.

A company security employee said the only people with keys to the conference room were security staff and cleaning crew.

Quote: "We don't want to jump to any conclusions," said AvMed spokeswoman Cochita Ruiz-Topinka when asked if the laptops were stolen by a company insider.

What was the response? Attempts to locate the laptops have been unsuccessful, and an investigation remains open. Breach victims will receive identity protection services.

How many victims? 27,000.

What type of personal information? Names, Social Security numbers, and, in some cases, birth dates and bank accounts.

What happened? A hacker attacked Ceridian's internet payroll system on Dec. 22 and 23.

Details: The breach affects less than one-tenth of one percent of the employees for whom Ceridian provides payroll services.

This is the second security breach at Ceridian in three years. In 2007, a former employee stole financial information.

Quote: "We took immediate preventive steps to ensure no further incident of this type would occur," said Keith Peterson, spokesman for Ceridian. "While the total number of employees affected is small, in our minds one is too many, and we are handling this incident according to our established protocol."

What was the response? The breach was reported to the FBI and local authorities. In addition, affected individuals have been notified.

Hackers, believed to be from China, gained access to an Iowa government database, which contained the personal information of current and former employees of Iowa's casino and racing industries.

How many victims? 80,000.

What type of personal information? Names, Social Security numbers, home addresses and birth dates.  

What happened? Hackers gained entry to the state's computer system on Jan. 26 while the Iowa Communications Network, the state agency that administers Iowa's telecommunications network, was performing routine maintenance on a firewall.

Once inside, the intruders accessed a database of the Iowa Racing and Gaming Commission. It is unclear whether any personal information was downloaded.

The hackers were able to get into the database because a firewall on the commission's computer system had not been properly patched by a private contractor.

Ambient Consulting of Minneapolis maintains the commission's computer system and has said that a computer log indicated before the breach occurred that all appropriate software patches had been installed. In reality, they were not. The problem has since been fixed.

A forensic investigation revealed that China was the source of the hacking incident. State officials, however, are not certain of this because some hackers try to disguise their true country of origin by masking IP addresses.

Details: Most of the people in the database are Iowa residents but it also includes individuals from Illinois, Minnesota, Nebraska, South Dakota and Wisconsin, among other states.

The list includes workers such as card dealers, slot machine technicians, jockeys, trainers and owners of horses and greyhounds.

Quote: "There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," said Robert Keller, chief technology officer, Ambient Consulting of Minneapolis.

What was the response? Ambient is working with Iowa officials to improve security. In addition, letters are being sent to affected individuals.

How many victims? 4,400.

What type of personal information? Names, medical record numbers, ages and clinical information.

The stolen laptop did not contain any Social Security numbers or financial data.

What happened? The laptop was stolen on Nov. 30. UCSF's police department began an investigation Dec. 1, and the laptop was recovered in Southern California on Jan. 8.

Details: The UCSF Enterprise Information Security department determined that a file on the laptop contained “limited” information for some patients about their treatment at the medical center in 2008 and 2009.

In addition, the laptop also contained files from the employee's prior employer, Beth Israel Deaconess Medical Center in Boston. Those files contained data about Beth Israel patients.

Quote: “There is no indication that unauthorized access to the files or the laptop actually took place,” UCSF said in a statement.

What was the response? The university is alerting affected individuals. In addition, a toll-free number (1-877-809-1270 ext. 74005) was established to provide more information about the breach.

Source: http://sanfrancisco.bizjournals.com/sanfrancisco/, San Francisco Business Times, “UCSF says laptop with 4,400 patient records stolen, then recovered,” Jan. 27, 2010.

This entry was updated Tuesday, April 13, 2010 at 12:43 p.m. EST to reflect an increase in reported victims.

Stolen computer hard drives belonging to BlueCross BlueShield of Tennessee contained sensitive member information.

How many victims? One million.

What type of personal information? Some of the stolen hard drives contain member's Social Security numbers, birth dates, addresses and medical information.

What happened? On Oct. 2, a thief stole 57 hard drives from the closet of a BlueCross call center in Chattanooga, Tenn.

Data on the stolen hard drives was encoded but not encrypted.

Details: Currently, there is no evidence that any of the stolen data has been used. Investigators are looking for the hard drives. BlueCross has backup files of all the stolen data.

What was the response? Employees and temporary staff have been reviewing video surveillance footage to determine the extent of the breach.

Notification letters are being sent to affected members who will be offered a one-year subscription for identity protection monitoring services.

Source: Associated Press, “More than 220,000 customers affected by stolen BlueCross BlueShield of Tennessee data,” Dec. 25, 2009.

Timesfreepress.com, Chattanooga Times Free Press, “BlueCross theft alert widens,” April 13, 2010.

How many victims? 1.2 million.

What type of personal information? Information contained on the affected system includes customer names, addresses, Social Security numbers, account numbers, account registration information, transaction details, account balances, and, in some cases, birth dates and email addresses.

What happened? The affected portfolio information system is used by LNC subsidiaries, Lincoln Financial Securities (LFS) Corp., based in Concord, N.H. and Lincoln Financial Advisors (LFA) Corp., based in Hartford, Conn. The system is used for analyzing and reporting customer financial accounts.

On Aug. 17, the Financial Industry Regulatory Authority (FINRA), an independent securities regulator, notified LFS that it received a username and password from an unidentified source that provided access to the portfolio information system.  

The username and password were shared by certain employees of LRS, a violation of LNC security policy. In addition, it was discovered that LFA employees also shared usernames and passwords to access the portfolio information system.

Details: An investigation revealed that between LFS and LFA, there were six shared passwords for the system, created as early as 2002.

There is no evidence that anyone outside of the company had access to the shared passwords, that former employees accessed the system after leaving the company or that any current employees used the credentials for anything other than work purposes. But there is no way to be sure that unauthorized access did not occur.

What was the response? Computer forensic organization Kroll Ontrack was brought on to conduct an investigation to determine the scope of the breach. All shared usernames and passwords have been discontinued. Affected individuals will be notified and offered free credit monitoring services.

An external drive containing the sensitive data of thousands of patients was stolen from an employee of health insurance provider Kaiser Permanente.

How many victims? 15,500 patients throughout Northern California.

What type of personal information? Names, medical-record numbers and some dates of birth, gender data, phone numbers and other information related to patients' care and treatment.

The device did not contain any Social Security numbers or financial information.  

What happened? The external drive was stolen on Dec. 1 from an employee's car at her home in Sacramento. The employee notified Kaiser of the theft on Dec. 8.

Details: Kaiser officials determined through an internal investigation that the employee was storing the information for work and not for inappropriate purposes.

But the employee, who was not identified, was subsequently fired for violating Kaiser policy by storing the files on a personal device without encryption, and without getting permission to do so.

What was the response? Kaiser notified state and federal regulatory agencies and the Sacramento Police Department. Patients were notified by mail.

In addition, staff members are undergoing security awareness training.  

How many victims? 8,378.

What type of personal information? Online banking login credentials.

What happened? The breach was discovered through a recent internal security review. It was determined that the unauthorized access occurred during a six-day-period between November 18 and 23, 2009.

Details: To date, there has been no evidence of unauthorized access to customer online banking accounts, SCNB said in a news release. The bank has not received any reports from customers of unusual activity or financial loss.

Quote: "The security of customers' information is of utmost importance to SCNB," J. Gordon Huszagh, president and CEO of Suffolk Bankcorp, said in a news release. "While we know that our diligence in this regard allowed us to uncover this incident, and to take action rapidly to protect our customers, we also recognize that the provision of financial services over the internet requires our dedication to continuous monitoring and security."

Affected customers will receive a free two-year subscription for credit monitoring services.

Source: News release, Suffolk Bankcorp, “Suffolk Bancorp Thwarts Data Intrusion at Banking Subsidiary,” Jan. 11, 2010.

How many victims? 130,000.

What type of personal information? Social Security numbers and birth dates.

What happened? IT staff recently discovered the breach during an assessment of the university's network. It was determined that the hacker installed software to store and share video files on the system.

Details: The student information involved in the breach dates back to 1987.

Quote: "EWU regrets that anyone's personal information may have been subject to unauthorized disclosure," President Rodolfo Arevalo said in a statement, obtained by The Seattle Times. "The university is taking this matter seriously and is committed to maintaining everyone's privacy. Eastern is continually putting new measures in place to protect personal information and will do everything it can to protect against further intrusions."

What was the response? Letters are being sent to affected individuals. A website and hot line have been set up to provide information about the breach.

How many victims? 30,000.

What type of personal information? Social Security numbers.

What happened? The breach was caused by malware.

Details: The breach involves 7,758 records from the Eberly College of Science, 6,827 records from the College of Health and Human Development and approximately 15,000 records from one of Penn State's campuses outside of University Park.

What was the response? School officials notified campus officials and began sending letters to affected individuals on Dec. 23. There is no evidence that anyone's information was accessed.

Quote: "Even when theft is only a remote possibility, we alert anyone who may have been affected and arm them with information and steps to take to mitigate their risk," Sarah Morrow, chief privacy officer for Penn State, said.

Sensitive data belonging to the library users at a number of North Carolina state-run community colleges may have been compromised when a server was hacked.

How many victims? 51,000.

What type of personal information? Social Security and driver's license numbers.

What happened? A hacker, earlier this year, was able to access a central server used by libraries at 25 community college campuses. The server stored the personal information, which was used to identify library users.

What was the response? The affected colleges are notifying victims, and officials plan to remove any personal data stored on the server.

Quote: "Our colleges and our system office are making every effort to ensure that personal information is permanently removed from our records," said Saundra Williams, a senior vice president with the state Community College System.

Source: The News & Observer, newsobserver.com ,"Hacker hit community college system," Dec. 17, 2009.

How many victims? 9,000.

What type of personal information? Unspecified data from student files and applications.

What happened? A machine was infected with the Virut computer virus, which spread to two other computers and the university's Office of Admissions server. The server became infected with a number of viruses, some of which gave attackers the ability to access it.

The breach was discovered Nov. 16 during a routine security check.

Those who did not submit their admission applications electronically are not affected by this breach.

Quote: “A machine was compromised by a virus so we don't believe it was a targeted attack against the university data system,” Adam Dodge, assistant director of information security for Eastern Information Technology Services told the Journal Gazette/Times-Courier.

“The Virut computer virus caused this,” Dodge said. “It has been around for a while, but new variants pop up often. We have updated the computers. It was spread by bad practice by a computer user.”

What was the response? The breach is currently under investigation and victims will be offered one year free credit monitoring. The university has created a web page with information about the breach.

How many victims? 6,400.

What type of personal information? Names, Social Security numbers, dates of birth, diagnosis codes and medical record numbers. Medical records were not contained on the stolen laptop.

Quote: "There is absolutely no danger that Aurora medical records of these patients would be, or could be, in jeopardy through this theft," Aurora Health care spokesman Adam Beeson told WISN.com.

What was the response? Letters have been sent to affected individuals. Cogent Healthcare is offering free credit protection to those who were impacted by the breach.

How many victims? 1.5 million.

What type of personal information? Social Security numbers, medical records and health information.

What happened? The missing portable, external hard drive contained sensitive information dating as far back as 2002 for past and present customers in Arizona, Connecticut, New Jersey and New York. The hard drive went missing from the insurer's Northeast headquarters in Shelton, Conn. about six months ago.

Details: The sensitive data was compressed and saved as image files that require a special computer program to be read. The data was not encrypted.

Health Net officials notified the Conn. attorney general and the state's Department of Insurance about the breach this week. The insurer said it waited six months to reveal the breach due to an investigation into the incident, which included a forensic review by computer experts. 

Quote: "Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information," Conn. Attorney General Richard Blumenthal, said in a statement, according to the Hartford Courant.

What was the response? Affected individuals will be notified by letter and offered a free, two year subscription for credit monitoring services.

How many victims? 60,000.

What type of personal information? Names and Social Security numbers.

Quote: “Right now the focus is on investigating [the incident], alerting people who may be affected and taking measures to make sure it doesn't happen again,” Maj. Mark Young, a Corps of Engineers spokesman told the ArmyTimes.

What was the response? Affected individuals are being notified by email.

The personal information about employees of Springfield, Massachusetts-based insurance provider, Mass Mutual might be at risk after a company database was accessed by an individual without authorization.

How many victims? Unknown.

What type of personal information? Unspecified benefits information.

What happened? A database that was maintained by an outside vendor and contained a limited amount of personal employee information, may have been subject to unauthorized access, Mass Mutual spokesman Jim Lacey said in a statement.

Details: The database did not include Social Security numbers, bank account information, or any client or field representative information.

What was the response? The vendor hired a forensics team to investigate the breach and it was determined that no misuse of the information or fraudulent activity involving the data occurred. Mass Mutual is working with its vendor to ensure a similar incident does not happen again. In addition, affected individuals have been offered a free subscription for credit monitoring services.

School officials at Chaminade University in Honolulu recently disclosed that a report containing the confidential information of thousands of students was inadvertently posed to the school's website, where it remained for eight months.

How many victims? 4,500.

What type of personal information? Personal information including Social Security numbers.

What happened? The report was posted to publicly accessible web pages due to human error, an investigation has determined. The report was discovered Wednesday and taken offline the same day.

Details: Those affected include undergraduate students who attended the university from 1997 to 2006.

Affected individuals will be notified.

A USB drive containing the personal information of thousands of Roane State Community College (RSCC) students and employees was recently stolen.

How many victims? 15,977.

What type of personal information? Names and Social Security numbers.

What happened? A school employee copied the information to a 4GB USB drive and brought it home for the weekend on Oct. 9 to do work after hours. The drive was stolen from the employee's unlocked car and school officials were notified the following Monday, Oct. 12.

The employee acted against RSCC policy by copying school data and taking it off property but has not been reprimanded.

Details: The names and Social Security numbers of 9,747 current and former students and 1,194 current and former employees were contained on the stolen USB drive. In addition, there were 5,036 additional Social Security numbers alone, with no names, on the device.

There were no academic records on the device.

Quote: "We deeply regret the inconvenience this has caused our students and our employees," Danny Gibbs, vice president for business and finance at RSCC said in a statement. "When something like this happens, you step back and take a look at everything you're doing and see if there's any way you can improve and strengthen."

What was the response? Affected individuals have been notified and offered one year free credit monitoring. Also, the school has established a phone line and website to provide information about the breach.

In addition, the breach is being investigated by the local sheriff's office and an internal review of school policies and procedures will take place.

How many victims? 10,000.

What type of personal information? Social Security numbers.

What happened? An employee of Anthem Blue Cross and Blue Shield transferred a file that may have contained the Social Security numbers of N.H. doctors, dentists and other health care service providers to a personal laptop that was later stolen. Transferring the file to a personal computer was against the insurer's security policies.

Details: The file did not contain any information about N.H. Anthem Blue Cross and Blue Shield members or their medical conditions.  

Early last month it was revealed that the loss of a separate laptop belonging to Blue Cross put the sensitive information of 39,000 physicians at risk.

What was the response? Affected individuals will be offered free credit monitoring for one year.