
Unencrypted hospital laptop exposes 2k patient records

May 23, 2012

An employee of the Boston Children's Hospital lost a laptop holding patient information.

How many victims? 2,159

What type of personal information? Names, birth dates, and diagnoses and treatment information (but no financial data or Social Security numbers)

What happened? The employee was in Buenos Aires, Argentina for a conference and lost the laptop, which contained a file with the patient data.

What was the response? Patients and their families were sent emails notifying them of the incident. Daniel Nigrin, the facility's chief information officer, released a statement to the media stating that "additional steps" will be taken to prevent further breaches in the future. Affected individuals were advised to call the hospital at (855) 281-5730.

Details: The exposed data was not saved to the lost computer's hard drive, but was contained in an email attachment. The laptop was password protected, though not encrypted.

Quote: "Boston Children's takes this incident and the protection of protected health and personal information extremely seriously," Nigrin said.

Source: The Boston Globe, bostonglobe.com, "Laptop lost with data for more than 2,000 patients, Boston Children's reports," May 22, 2012.

 

Hacked UMaine server leads to exposed personal data

May 21, 2012

Sensitive data belonging to people who made web-based purchases at the University of Maine's (UMaine) Orono Campus may have been stolen after the school's server suffered a security breach.

How many victims? 3,825

What type of personal information? Social Security and credit card numbers.

What happened? One of UMaine's servers was hacked, exposing the personal information of 2,818 customers who made online purchases using a web-based tool hosted by the school.

What was the response? Local, state and federal authorities are currently investigating the situation and are working with an identity protection firm to notify individuals whose information has been compromised. Those affected will receive free identity protection, including credit monitoring, for one year.

Details: The web-based application used by customers, developed by UMaine's Computer Connection store, was licensed to share with the University of Arkansas, which was believed to have had up to 1,007 transaction records on the server. Officials at the school became aware of the breach after reading an article online posted by a gang of hackers known as Team GhostShell. They notified UMaine on April 27 and the server was promptly shut down.

Quote: “Any time these attacks occur anywhere in the world, it heightens our awareness and vigilance,” said Janet Waldron, vice president for finance and administration at UMaine.

Source: bangordailynews.com, Bangor Daily News, “University of Maine server hacked, data may have been stolen,” May 10, 2012.
 

Data on 700K California home care workers, recipients lost

May 14, 2012

The personal information of home care workers and their elderly and disabled recipients may have been compromised when the storage device on which it was contained was lost in the mail.

How many victims? 700,000

What type of personal information? Full names, Social Security numbers, wages, and state identification numbers.

What happened? A package of microfiche containing the sensitive data was shipped last month by Hewlett-Packard via the U.S. Postal Service to a state In-Home Supportive Services office in Riverside, Calif. The package arrived tampered with and with some contents missing.

What was the response? The state notified authorities, and an internal investigation is underway. Notices have been sent to anyone affected by the breach. Officials are reviewing policies to avert future problems.

Details: The potentially hijacked information, dating from October to December 2011, was mailed April 26 and was received at the Riverside office on May 1. According to information posted on a state website, there was a weeklong delay before the state received word of the breach.

Quote: “It's hard for us to believe that in one of the largest states in the union, we're using such an antiquated system,” said Steve Mehlman, a labor union spokesman.

Source: latimes.com, Los Angeles Times, “Personal data for home care workers, recipients lost in the mail,” May 12, 2012.

 

350,000 SSNs exposed in UNC-Charlotte breach

May 11, 2012

The Social Security numbers and financial account information of students and staff at the University of North Carolina at Charlotte (UNC-Charlotte) was exposed during an online security breach.

How many victims? 350,000

What type of personal information? Full names, Social Security numbers, addresses, and financial account information.

What happened? Incorrect access settings and a system misconfiguration caused a large amount of personal data hosted by the university to leak onto the internet.

What was the response? School officials alerted students and staff, and created a website to provide additional information. UNC-Charlotte has enhanced its internal review procedures to monitor for suspicious activity.

Details: The breach was first discovered by university officials in January, but the college informed students and staff in mid-February. The leak was caused by two exposure issues, one affecting the general university systems over a period of three months, and another that impacted the school's College of Engineering systems for more than a decade.

Quote: “It makes me feel unsafe to think my information could be out there and that somebody could take my credit and do what they want to with my Social Security [number],” said Jennifer Affinito, a student at UNC-Charlotte.

Source: wbtv.com, Channel 3 WBTV, “UNC Charlotte: 350,000 Social Security numbers exposed during Internet breach,” May 9, 2012.

 

Personal data of welfare workers posted online

May 04, 2012

The personal information of employees of the Florida Department of Children and Families (DCF) was breached.

How many victims? 100,000

What type of personal information? Full names, dates of birth, and Social Security numbers.

What happened? An unnamed third-party service provider stored the employees' personal information online, but the data was not password protected.

What was the response? The DCF sent letters to 100,000 child care workers asking them to monitor their accounts and place fraud alerts on their credit reports.

Details: While the sensitive data was vulnerable when it was online, it was not easily accessible through search engines. Letters were sent to victims.

Quote: “During the time the information was unprotected, there were only legitimate uses for that information, only legitimate uses conducted by the vendor,” said Kristi Gray, a spokeswoman for DCF.

Source: wftv.com, Channel 9 WFTV, “DCF warns child care workers of possible computer security breach,” May 2, 2012.

 

14,000 students' information placed on insecure server

May 01, 2012

The personal information of 14,000 students, former students and faculty at Volunteer Community College in Gallatin, Tenn., was placed on a web server that was not secure.

How many victims? 14,000

What type of personal information? Full names and Social Security numbers.

What happened? Files containing the names and Social Security numbers of Volunteer Community College students, former students and faculty were placed on an unsecure server by school employees.

What was the response? A website was created to provide more information on the situation. College officials said they notified all affected students and faculty, adding that one year of credit protection will be given upon request to students whose personal information was on the server.

Details: The files containing the sensitive data were placed on a web server that was not protected. School employees believed it was secure because a login and password were requested for access, college officials said. There is no evidence that the information has been used inappropriately.

Quote: “We have contacted the major credit reporting agencies and informed them that some of our students' and faculty members' personal information may have been accessible,” said Bruce Scism, Volunteer Community College interim president.

Source: tennessean.com, The Tennessean, “Vol State: Personal information found vulnerable for 14,000 students, faculty,” April 30, 2012.

 

Voters' Social Security numbers released by Texas AG

April 27, 2012

The Social Security numbers of millions of Texas voters were mistakenly given to opposing lawyers by the state attorney's office as part of a voter ID case.

How many victims? While there were 13 million records handed over, only half contained the full Social Security number of Texas voters.

What type of personal information? Social Security numbers, though they were encrypted and password protected.

What happened? After lawyers challenged the voter ID law in Texas, the state was ordered to give them a voter database for analysis. State Attorney General Greg Abbott's office inadvertently handed over the personal records of 13 million Texas voters, half of which included full Social Security numbers.

What was the response? The state attorney's office dispatched a state police officer to New York, Washington D.C., and Boston to retrieve the encrypted disks.

Details: The records were given to opposing lawyers on password-protected, encrypted disks. The error was brought to light by an analyst who opened the disks.

Quote: "At no time were these Social Security numbers exposed to the public," First Attorney General Daniel Hodge said.

Source: chron.com, The Houston Chronicle, “Texas AG releases voters' Social Security numbers in mix-up,” April 25, 2012.

 

South Carolina Medicaid employee leaks recipient data

April 24, 2012

South Carolina Medicaid data was leaked after the information was transferred to a personal email account.

How many victims? 228,000.

What type of personal information? Names, addresses, phone numbers, and Social Security numbers, which also double as Medicaid ID numbers.

What happened? A South Carolina Medicaid employee, Christopher Lykes Jr., 36, improperly transferred information on more than 228,000 people to his personal email account. The data was compiled over several months.

What was the response? Lykes was arrested and charged with violating medical confidentiality laws. He also was fired. New security measures are in place, and victims will be notified and offered free identity theft protection services.

Details: After an investigation launched earlier this month by the state Department of Health and Human Services (HHS), officials concluded that the information was transferred to one other person, apparently intentionally, though they are unsure of the motive. There are no reports that the information has so far been misused. The state Law Enforcement Division is investigating.

Quote: “I've woken up every morning for the past week praying somehow I could find a reason or the individual who committed the act would tell us this is just a big mistake,” said Anthony Keck, director of HHS.

Source: myrtlebeachonline.com, The State, "SC agency says information leaked on 228K people," April 19, 2012.

 

Seventeen years worth of Emory patient data missing

April 20, 2012

Emory Healthcare in Atlanta lost the personal information of surgery patients treated at its three hospitals when 10 backup discs went missing.

How many victims? 315,000 patients treated from September 1990 to April 2007.

What type of personal information? Names, Social Security numbers (on 228,000 patients), surgery dates, diagnoses, and other information about the procedures, such as who performed them and what types of devices were used.

What happened? The discs went missing from a storage area at Emory University Hospital. An investigation concluded that the discs were removed at some point between Feb. 7 and 20.

What was the response? Victims are being notified by letter and will receive free identity protection services. In addition, the health care system has launched an investigation that will seek to "reinforce and clarify" current security and privacy policies.

Details: The data contained in the discs, covering patients at Emory University Hospital, Emory University Hospital Midtown and The Emory Clinic Ambulatory Surgery Center, has not been accessed by physicians since 2010. There is no indication that any of the missing information has been misused.

Quote: "We sincerely regret this incident and want to assure our patients that we are committed to safeguarding their personal information," said John Fox, president and CEO of Emory Healthcare.

Source: emory.edu, news release, "Emory Healthcare notifies individuals regarding missing data," April 18, 2012.

 

Hospital workers access patient data with fraud in mind

April 18, 2012

Thousands of patients of Memorial Healthcare System in Hollywood, Fla. may be at risk for identity theft after two former employees improperly accessed their records.

How many victims? 9,500.

What type of personal information? Names, Social Security numbers and birth dates.

What happened? The two workers, who have since been fired, gained access to the records with the intention of possibly using the information to file false tax returns.

What was the response? The system, made up of five hospitals in Broward County, is notifying victims and offering them one year of free credit monitoring. In addition, officials are looking to tighten security in light of the breach.

Source: miamiherald.com, The Miami Herald, "Two Memorial Healthcare System employees fired over information breach," April 12, 2012.

 

Duke Medicine patients' information compromised

April 16, 2012

Statements containing confidential information were filed by Duke University Health System (DUHS) as part of patients' bankruptcy actions.

How many victims? Undisclosed.

What type of personal information? Names, addresses, DUHS internal record numbers, health insurance carrier(s), the last several digits of subscriber number(s) and clinical information describing patient visits.

What happened? Outstanding billing statements from DUHS containing personal information were used to support proofs of claim filed in Chapter 13 bankruptcy actions by patients.

What was the response? DUHS notified the patients by mail and set up a call center to assist them.

Details: The billing statements did not contain Social Security numbers or credit card information. DUHS claimed it does not believe that the compromised information was misused. It has requested that these billing statements be sealed by the Bankruptcy Court and will no longer use them in claim filings. 

Source: DukeHealth.org news release, “Notice to Patients Who Previously Filed Chapter 13 Bankruptcy,” March 23, 2012.

 

Connecticut community college hit with "zero-day" malware

April 13, 2012

A Connecticut community college reported the potential exposure of confidential records following a malware infection.

How many victims? 87,000 records of staff, students and faculty members at Housatonic Community College (HCC) in Bridgeport, Conn.

What type of personal information? Names, Social Security numbers, addresses and dates of birth.

What happened? "Zero-day" malware infected two computers in campus offices and was discovered during a nightly scan of the network. The compromised machines were removed from the offices and sent for forensic analysis in Hartford, where it was confirmed that the potentially exposed files contained confidential information.

What was the response? HCC is sending letters to the individuals whose records were compromised and offering two years of free identity theft protection.

Details: The school plans to change how confidential information is accessed on its systems and will add new software to prevent viruses. Officials at the college said there is no indication that any personal data was actually stolen.

This is the second college in Connecticut this year to succumb to a major malware infestation.

Quote: “We take the protection of personal information very seriously and are taking steps to prevent future occurrences through a combination of new technical and operational controls,” said HCC President Anita Gliniecki.

Source: ctpost.com, Connecticut Post, “HCC records potentially exposed in security breach,” April 13, 2012. connecticut.cbslocal.com, CBS Connecticut, “Data Breach At Community College,” April 12, 2012.

 

Hackers target Medicaid claim forms in Utah

April 05, 2012

Hackers, believed to be operating out of Eastern Europe, breached a server at the Utah Department of Health (UDOH) to access thousands of Medicaid records.

How many victims? 24,000 claims were compromised. The state has 260,000 Medicaid patients.

What type of personal information? That remains under investigation. But typically claims include names, Social Security numbers, addresses, birth dates, doctor names and tax ID numbers.

What happened? The Utah Department of Technology Services (DTS) recently migrated the claims to a new server, which was supposed to be protected with multiple layers of security. Either the server was not properly secured, or the hackers were able to evade the defenses that were in place.

The attackers compromised the server on Friday and began downloading information Sunday night. The breach was discovered the following day, and the server has since been taken offline.

Details: The intruders, whose activity was traced back to Eastern Europe (though investigators are unsure if that's exactly where they were located), apparently used passwords to gain access to the server.

What was the response? UDOH is still investigating exactly how many people were affected, and it will notify them via mail. Individuals whose claims included Social Security numbers will receive one year of free credit monitoring.

As it performs this work, the agency is advising all Medicaid recipients in the state to check their credit and bank statements for possible indicators of fraud.

Meanwhile, DTS is analyzing all state servers to ensure they are protected, as well as reviewing statewide IT policies and procedures.

Source: Utah Department of Health, news release, "State Agencies Investigating Data Breach," April 4, 2012. The Salt Lake Tribune, sltrib.com, "Worker error exposes Utah Medicaid patients to hackers," April 4, 2012.

UPDATED: State officials said the number of victims was actually much higher than initially believed because the stolen records were actually files, not individual claim forms.

 

Devices lost containing data on 800K users of child support services

March 30, 2012

A number of unencrypted storage devices belonging to the California Department of Child Support Services went missing.

How many victims? 800,000, including adults and children who use the state's child support services.

What type of personal information? Names, Social Security numbers, addresses, driver's license numbers, health insurance identification numbers, and names of health insurance providers and employers.

What happened? The devices, which reportedly were being transported by Iron Mountain as part of a disaster recovery exercise, were lost March 12 while in transit from an IBM facility in Colorado to one in California.

What was the response? The state has begun notifying victims by mail and is encouraging them to protect their identities, through methods such as placing fraud alerts on their credit cards and requesting copies of their credit reports.

Details: There have been no reports of the information being misused, and the backup data, though unencrypted, was stored on cartridges that are not easy to read without using customized software and hardware.

Quote: "Because the devices are in a specialized format, we have no reason to believe, at this time, that the data have been accessed or utilized in any way," said Kathleen Hrepich, interim director of the department.

Source: MercuryNews.com, San Jose Mercury News, "Sensitive personal information missing on 800,000 California residents," March 29, 2012.

 

Laptop with patient data stolen from Howard University Hospital contractor

March 29, 2012

Letters have gone out to patients of Howard University Hospital in Washington, D.C., after their personal information was exposed when a laptop was stolen from the car of a contractor.

How many victims? 34,503 patients who received treatment at the hospital, primarily between December 2010 and October 2011, but some data extended back to 2007.

What type of personal information? Names, addresses, Social Security numbers, identification numbers, medical record numbers, birth dates, admission dates, diagnosis-related information and discharge dates.

What happened? A former contractor's personal laptop containing patient information was stolen from a car in late January. The hospital said in a Tuesday press release that the laptop was password protected, and no evidence exists that the data has been misused.

What was the response? Victims will receive one year of free credit monitoring, and the hospital is encouraging them to contact their banks to inform them about the possible exposure of their Social Security numbers.

From a security perspective, the hospital plans to toughen its contractor policies regarding laptop usage. As well, all laptops distributed to personnel of Howard University Health Sciences will be encrypted.

Quote: “We regret this incident, and we have already put in new procedures to prevent similar violations in the future.” – Larry Warren, CEO, Howard University Hospital

Source: Howard University Hospital, "Howard University Hospital Notifies Patients of Possible Patient Information Disclosure," March 27, 2012.

 

Michigan union employees' data exposed

March 22, 2012

The personal information of more than 1,000 public employees of Wayne County, Mich., was exposed when a spreadsheet containing their data was inadvertently attached to an email blast.

How many victims? Approximately 1,300.

What type of personal information? Names, employee ID numbers, Social Security numbers, birth dates, addresses and other information.

What happened? An email blast regarding health insurance from the county's department of personnel/human resources was sent out on Friday with a spreadsheet inadvertently attached. The blast was sent to union members of the American Federation of State, County and Municipal Employees (AFSCME) Locals 25, 101, 409 and 1659.

What was the response? Livia Calderoni, director/HR benefits administration division, sent out a letter (on the letterhead of Wayne County Executive Robert Ficano) on March 19 to the affected union members explaining that the spreadsheet containing the personal information was intended only to be used internally to gather email addresses and not meant to be included in the blast.

She explained in the letter that the office then took four steps: it recalled the email message through Outlook; the office's technology staff then confirmed that most of the external emails were blocked from being sent out; a follow-up email was sent to the original intended recipients notifying them of the error and advising them to delete the email; and identity-theft insurance and monitoring services for all affected employees were put in place, retroactive to the date the information was released in error.

In her letter, she stated that the office is reviewing its privacy policies and procedures to make certain that this type of data compromise does not recur. Further, she advised those affected to contact the credit bureaus – TransUnion, Equifax and Experian – to place a fraud alert on their credit reports.

Details: Brooke Blackwell, press secretary to Wayne County Executive Robert Ficano, released a statement to local TV station 7 Action News, explaining that a union employee in the county's personnel department inadvertently sent an email to union employees that contained personal information. The message was intended to inform some 1,230 AFSCME members of an open enrollment period for health benefits. In addition to the steps noted above, the state of Michigan attorney general's office was notified under HIPAA guidelines.

Quote: "If you know of anyone who forwarded or printed out the personal data contained in the file, we ask that you please report this to our office immediately," Livia Calderoni, director/HR benefits administration, Wayne County, Mich., wrote to county employees.

Authorities said the person responsible for the incident would not be disciplined as it was an honest mistake.

Source: 7 Action News, "Wayne Co. sends out email blast containing names and Social Security numbers," last updated March 21, 2012.
 

University of Tampa sustains breach of Social Security numbers

March 21, 2012

Thousands of University of Tampa (UT) students, faculty and staff have become candidates for identity theft after students and IT personnel discovered publicly available files on the internet containing personal information.

How many victims? Roughly 30,000.

What type of personal information? Names, Social Security numbers, college identification numbers and birth dates.

What happened? As part of a class project, a group of students stumbled upon a file containing the sensitive information of about 6,818 fall 2011-enrolled students, after conducting an advanced Google search. The file was live from approximately July 2011 to March 13 of this year.

Upon reporting their discovery to the IT department, investigators turned up two other files containing the confidential data of another 22,722 faculty, staff and students. These files were also publicly reachable, but were not indexed by any search engine.

The university blames a "server management error" for the breaches.

What was the response? Google removed its cached copy of the first file. The other two files were accessed by one student, but it was determined the student did not save any of the information to his or her computer. The university has notified victims and plans to offer them free identity-protection services.

Details: The files were "created to help resolve a problem with UT identification cards that occurred when a new server was made operational in July 2011. Unfortunately, the file consisting of current student data was later inadvertently indexed by Google," according to the university.

There have been no reports that any of the data has been misused. In addition, the university said the information in the files was presented in such a way that it would not be obvious to a casual observer what the files contained.

But considering that names combined with Social Security numbers were involved, ID theft is a real possibility if a criminally minded person viewed the data.

Quote: "I'm not sure I can find words to express how worried they should be," said Cpl. Bruce Crumpler of the Hillsborough County Sheriff's Office. "I think they should be very concerned."

Source: Tampa Bay Online, TBO.com, "Data breach hits University of Tampa students," March 16, 2012.

University of Tampa, ut.edu news release "Data Breach," last updated March 19, 2012.

 

Patient data available on Google, Yahoo due to security mishap

February 23, 2012

The health records of more than 30,000 patients at five California hospitals may have been publicly accessible via search engines due to improper server configurations.

How many victims? 31,800 people treated from February to August 2011 at St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital and Petaluma Valley Hospital.

What type of personal information? Names, blood pressures, lab results, medication allergies and demographic data, as well as other medical details, such as body-mass index, and smoking and advance directive status.

What happened? Incorrect security settings enabled the information to be available on search engines Google and Yahoo. However, to come across the information, one would have had to conduct a detailed search using a string of terms. The data was available from early 2011 through February.

Details: The hospitals were notified about the breach from the lawyer of a patient, who somehow found the data online. Hospital officials contacted the search engine providers to ensure the information was expunged. There is no reason to believe any of the data was misused.

What was the response? Patients were notified by mail.

Quote: "I think that the most important thing is our response was rapid," said Clyde Wesp, chief medical information officer for the St. Joseph Health System.

Source: ocregister.com, The Orange County Register, "Up to 21,300 patients' records put at risk, St. Joseph says," Feb. 16, 2012.

 

Connecticut college computer infected with malware, 18K affected

February 17, 2012

The Zbot, or Zeus, trojan infected a computer at Central Connecticut State University (CCSU) in New Britain, exposing the Social Security numbers of thousands of people connected to the college.

How many victims? 18,275 current and former faculty, staff and student workers.

What type of personal information? Social Security numbers.

What happened? A computer in the CCSU business office was infected with the trojan in December, and sat on the system for eight days before it was detected and removed. A forensic analysis could not conclude whether the information was stolen or used in a wrongful way.

What was the response? The university is in the process of matching names to the Social Security numbers in order to notify victims. The university will provide them with two years of free identity protection services.

Quote: "I deeply regret any inconvenience or anxiety this incident may cause you and your family," school President Jack Miller said. "All of us involved in responding to this incident understand how important one's personal information is and how critical it is to safeguard it."

Source: www.ccsu.edu, "CCSU warns of potential personal information breach," Feb. 16, 2012.

 

Phishing email leads to Denver area health care breach

February 07, 2012

Hackers may have accessed the personal health data belonging to patients of the Denver-area Metro Community Provider Network, a nonprofit health care provider for low-income individuals and families.

How many victims? Approximately 2,000.

What type of personal information? Names, phone numbers, dates of birth, diagnoses and internal account numbers.

What happened? An employee responded to a phishing email that allowed hackers to steal credentials, giving them access to the corporate network.

What was the response? As the organization investigates, employees are being asked to change their login information.

Quote: "Metro Community Provider Network sincerely apologizes for the inconvenience and concern this incident causes," it said in a statement.

Source: ModernHealthcare.com, "Colo. provider reports possible breach," Feb. 2, 2012.

 

Patient data at U of M hospital breached

February 06, 2012

A thief broke into a doctor's car and stole a briefcase containing a flash drive that held personal data on patients of the University of Miami (UM) Miller School of Medicine.

How many victims? 1,219.

What type of personal information? Age, gender, diagnosis and treatment data, from 2005 to 2011.

What happened? On Nov. 24, vandals broke into a car belonging to a pathologist from the University of Miami Miller School of Medicine. A briefcase, which held a USB drive containing the patient data, was taken.

Details: Officials, in a statement, said no financial information or Social Security numbers were stored on the stolen drive. The statement also said that “there is no indication that the information was accessed or misused in any way.” However, the facility is following federal requirements to notify patients involved, and the theft was reported to local law enforcement for investigation, as well as to the U.S. Department of Health and Human Services.

Quote: “The university will continue to review and refine its physical and electronic safeguards to ensure that personal information remains secure.” – UM letter

Source: MiamiHerald.com, Jan. 30, 2012, "UM patient data stolen."

 

Indiana University hospital hacked to steal data

February 01, 2012

Malware may have allowed attackers to make off with the personal information of thousands of people connected to Indiana University Health Goshen Hospital.

How many victims? 12,374 job applicants and fewer than 500 patients.

What type of personal information? Names, addresses, and Social Security numbers of applicants, and Social Security numbers, insurance data and medical service information belonging to people who registered for outpatient procedures and for the maternity unit.

What happened? On Dec. 22, a virus was discovered on a server. A security firm determined that hackers did indeed try to access the information, but it is unclear whether they were successful.

What was the response? Letters were sent to victims, and the hospital plans to provide one year of free credit monitoring to them.

Source: chicagotribune.com, Associated Press, "N. Ind. hospital: Records may have been breached," Jan. 31, 2012. southbendtribune.com, "IU Health Goshen data hit by virus," Feb. 1, 2012.

 

Central Kentucky's largest group practice hit with patient data breach

January 31, 2012

A laptop storing patient data was stolen from the neurology department of Lexington Clinic on the night of Dec. 7, 2011.

How many customers? Lexington Clinic is sending letters to 1,018 patients.

What type of personal information? The computer stored patient names, contact information and diagnoses for some Lexington Clinic patients receiving services within the neurology department.

What happened? A laptop containing personally identifiable information of patients of Lexington Clinic was stolen overnight on Dec. 7, 2011. 

Details: Lexington Clinic, which operates offices in more than 25 locations throughout Central and Eastern Kentucky, said the stolen laptop did not contain the personal financial information of patients, such as Social Security, credit card or bank account numbers. Upon learning of the theft, the facility notified law enforcement authorities, and all door locks to the neurology department were changed. Additionally, the clinic publicly disclosed the breach to local media, and posted information about the breach on its website.

Quote: “There is no evidence thus far that any patient information has been misused..."

Source: Lexington Clinic release, Jan. 30, 2012, "Lexington Clinic Notifying Patients of Information Security Breach."

 

Some 2M possibly affected by NYSEG, RG&E data compromise

January 25, 2012

Unauthorized individuals gained access to the personal data belonging to customers of New York State Electric & Gas (NYSEG) and Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA. But an outside contractor is to blame.

How many customers? The companies did not disclose how many people were affected, but reports said the two utilities have about 1.8 million customers between them.

What type of personal information? Social Security numbers, birth dates and, in some cases, bank account numbers.

What happened? For unknown reasons, an employee at a third-party software development consulting firm permitted unauthorized access to one of the company's customer information systems.

Details: There is thus far no reason to believe that any of the information has been misused or that there was malicious intent on the part of the employee.

Quote: “Public utilities are custodians of a great deal of personal customer information,” New York State Public Service Commission Chairman Garry Brown said. “As a result of this apparent data security breach, I have asked staff of the Department of Public Service to immediately initiate an investigation of the facts and circumstances surrounding this event.”

Source: NYSEG news release, Jan. 23, 2012. thedailynewsonline.com, The Daily News, "RG&E, NYSEG say customer information compromised," Jan. 23, 2012.

 

Hackers harvested City College of S.F. data since 1999

January 13, 2012

Fingers are being pointed at criminal networks based in Russia and China as the culprits behind the more-than-decade-long siphoning of personal banking information from students, faculty and staff of the City College of San Francisco.

How many victims? Perhaps tens of thousands.

What type of personal information? Personal banking information.

What happened? Following the Thanksgiving holiday, the college's data security monitoring service, USDN, detected at least seven viruses activated each day at 10 p.m. that trawled the college's system (including its administrative, instructional and wireless networks), relaying data back to servers in Russia, China and several other countries.

What was the response? Victims, according to state law, must be notified. The college's CTO, David Hotchkiss, shut down the computer lab where the virus was originally detected and notified officials. An investigation is ongoing.

Source: www.sfgate.com, San Francisco Chronicle, "Viruses stole City College of S.F. data for years," Jan. 13, 2012.

 

Loma Linda hospital worker fired for taking home private records

January 04, 2012

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.

How many victims? 1,336.

What type of personal information? Birth dates, addresses, medical record numbers, driver's license numbers and, in some cases, Social Security numbers.

What happened? It is unclear how the worker accessed the data or whether it was used for fraud (or intended to be), but the records have since been secured.

What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.

Source: www.pe.com, The Press-Enterprise, "Loma Linda: Security breach affects 1,300-plus patients," Dec. 28, 2011.

 

Hackers steal 200,000 card numbers from wholesaler

December 19, 2011

Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.

How many victims? More than 200,000, according to reports. 

What type of personal information? Names, credit and debit card numbers, expiration dates and verification codes.

What happened? The thieves inserted malware into the company's credit and debit card processing systems, according to a Finextra report. The malware collected card information as it was processed and then sent it to a remote server in Russia.

Details: The breach affected those who shopped at Restaurant Depot wholesale outlets from Sept. 21 to Nov. 18. Some customers have been the victims of credit card fraud as a result of the breach.

What was the response? The company hired a computer forensic firm to investigate the incident and has taken unspecified steps to better protect card data. Restaurant Depot is offering affected individuals free credit monitoring and said it would reimburse victims for any breach-related costs they “reasonably incur.”

Source: Restaurant Depot letter to customers, Nov. 25, 2011.
 

Hackers steal credit card numbers from cash registers at UC Riverside

November 29, 2011

Hackers compromised cash registers at campus dining locations at the University of California, Riverside to hijack credit and debit card numbers.

How many victims? 5,000.

What types of personal information? Cardholder names, card numbers, expiration dates and encrypted versions of debit card PINs.

What happened? It is not clear how the hackers were able to compromise the registers.

What was the response? People who used their credit or debit cards at UC Riverside Dining Services locations from this past summer through Nov. 16 are being advised to monitor their credit card activity and report any fraud. The college has set up an information hot line.

Quote: "We are doing everything we can think of to notify people," Vice Chancellor Gretchen Bolar said.

Source: UCR Newsroom press release, "UC Riverside experiences a credit/debit card security breach," Nov. 29, 2011.

 

VCU server hacked to compromise personal data of 175K

November 14, 2011

Hackers accessed a sensitive computer server containing the personal information of faculty and students at Virginia Commonwealth University (VCU) in Richmond.

How many victims? 176,567.

What type of personal information? Names or electronic identification, Social Security numbers and, in some cases, dates of birth and home addresses. Affected individuals include current and former VCU and VCU Health System faculty, staff, students and affiliates, such as contractors and visiting professors. VCU Health System patients were not affected.

What happened? During routine monitoring, suspicious files were found Oct. 24 on a server containing sensitive data. The affected server was taken offline, and a forensic examination showed that intruders accessed the system from an IP address within the United States and stayed connected for 16 minutes.

Five days later, university officials found two unauthorized programs on a second server. Investigators determined that the attackers planted malicious programs on the first breached server, which enabled them to perform subsequent attacks and access other systems.

Details: School officials do not believe the attackers accessed the information for the purpose of conducting identity theft, though they did not say what they believe the hackers' motivation was. This is not the first breach VCU has experienced. In 2009, a university computer containing 17,214 Social Security numbers was stolen.

What was the response? The university is planning to hire an outside consultant to examine its information technology systems. Affected individuals are being notified. VCU police and the FBI are investigating the incident. The university is not providing affected individuals with free identity protection services because it deems the risk of identity theft low.

Source: http://www2.timesdispatch.com/, Richmond Times-Dispatch, “Breach exposes data at VCU,” Nov. 12, 2011.

 

Personal data of nine million Israelis posted online

October 26, 2011

Details emerged this week of an Israeli government contract worker believed to be behind a massive information theft case, in which the personal data of millions of Israeli citizens was stolen and subsequently posted online in a searchable database.

How many victims? More than nine million.

What type of personal information? Identification numbers, full names, addresses, dates of birth, information on family relationships, and other details.

What happened? According to authorities, in 2006, an Israeli government contractor made a copy of the data, which came from the country's "Population Registry," and took it home from work.

Details: The stolen information was then sold or provided for free to several individuals, including a developer who created a software program called “Agron 2006,” which allowed for detailed queries of the data. This searchable database was then uploaded to the internet by an individual with the alias “aRi,” who attempted to conceal his IP address.

Quote: The uploading of the database “will make it easier to carry out forgery and fraud, and provide the necessary information to carry out identity theft," Israel's Justice Ministry said in a statement. "It helps create fraudulent documents that appear authentic, therefore allowing people to bypass security systems. It could also have an effect on the democratic processes in elections, in that it makes it easier for someone to impersonate someone else in the voting booth."

What was the response? The Israeli Law, Information and Technology Authority has been investigating the case since 2009. Six people have been arrested in connection to the data leak, including the government contractor and “aRi.”

Sources: www.jpost.com, The Jerusalem Post, “Contract worker stole all Israelis' personal information,” Oct. 24, 2011.

www.jpost.com, The Jerusalem Post, “Justice Ministry cracks case of massive information theft,” Oct. 25, 2011.

 

Delaware pediatric health facility loses data on 1.6 million

October 11, 2011

Three unencrypted backup tapes containing the personal information of more than a million and a half individuals have gone missing from Nemours, a children's health system based in Wilmington, Del.

How many victims? 1.6 million

What type of personal information? Names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers, and data on insurance and medical treatments.

What happened? The tapes, which were stored in a locked cabinet following a computer systems conversion completed in 2004, were reported missing on Sept. 8. It is believed they were removed around Aug. 10, during a facility remodeling project.

Details: The breach affects patients and their guarantors, vendors and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida who provided information between 1994 and 2004.

Quote: “This is an isolated incident unrelated to patient care and safety,” said David Bailey, president and chief executive officer of Nemours. “The privacy of our patients, their families and our employees and business partners is a high priority to all of us at Nemours.”

What was the response? Affected individuals are being notified and offered one year of free credit monitoring and identity theft protection. In addition, the company is taking steps to strengthen its data security practices, such as encrypting all computer backup tapes.

Source: http://www.nemours.org/, Nemours, “Nemours Reports Old Computer Backup Tapes Missing,” Oct. 7, 2011.

 

Sensitive University of Georgia employee data posted online

October 10, 2011

The personal information of thousands of individuals who worked at the University of Georgia (UGA) in 2002 was accessible online for several years.  

How many victims? 18,931 staff and faculty members.

What type of personal information? Names, Social Security numbers, dates of birth, dates of employment, gender, race, home phone numbers and home addresses.

What happened? The data file, which had been created for legitimate administrative purposes, was placed on a publicly available web server, where it remained from at least 2008 until 2011. School officials have since removed the file.

Quote: “We deeply regret this situation and will take steps to notify and support the affected current and former faculty and staff,” said Timothy Chester, UGA's chief information officer.

What was the response? Affected individuals are being notified by mail. The university is working with an outside firm to find ways to reduce the risk of another breach.

This is not the first time UGA has suffered a breach, however. Back in 2008, the school revealed that the personal information of 4,000 residents of a housing complex had been exposed after hackers accessed a server.

Source: http://athens.patch.com, Athens Patch, “Oops! 'Private' UGA Data Went Public,” Oct. 7, 2011.

 

Hackers compromise Wisconsin arcade supplier's credit card systems

September 13, 2011

The personal information of tens of thousands of individuals is at risk after hackers broke into the credit card processing systems of Vacationland Vendors, a Wisconsin-based company that supplies arcade equipment and vending machines to businesses.

How many victims? 40,000.

What type of personal information? Credit and debit card information.

What happened? An unauthorized individual broke into the company's point-of-sale systems used to process credit and debit card transactions at resorts in Tennessee and Wisconsin.

Details: The affected resorts are Wilderness Waterpark Resort in Wisconsin Dells and the Smokies Resort in Sevierville, Tenn.

What was the response? The company shut down the affected systems after discovering the breach. It is issuing warnings to customers who used a credit or debit card at either arcade between Dec. 12, 2008 and May 25, 2011.

Source: Associated Press via NBC26, “Data Breach-Vacationland Vendors,” Sept. 12, 2011.

 

Ontario hospital employee accesses PHI

September 09, 2011

An employee of North Bay Regional Health Centre in Ontario, Canada accessed without permission the personal health information (PHI) of thousands of patients.

How many victims? 5,800.

What type of personal information? PHI for patients dating back to 2004, including names, addresses, diagnosis data, test results and prescribed drugs.

What happened? The breach was initially discovered during a privacy audit. Upon further investigation, it was determined that an unnamed employee inappropriately accessed information.

Details: Hospital officials believe the data was not shared with any other staff members or individuals outside of the hospital.

What was the response? Affected individuals were notified by letter. In light of the incident, the hospital has taken measures to improve protections for PHI and to provide additional education to employees regarding data security and privacy.

Additionally, the hospital implemented more rigorous audits to detect attempts of unauthorized access to health care data. The Ontario College of Nurses and Information and Privacy Commission of Ontario have been informed of the breach.

Source: North Bay Regional Health Centre in Ontario, news release, “Breach of Privacy Occurs at North Bay Regional Health Centre Affecting 5,800 Patients,” Sept. 6, 2011.

 

Data of 20k patients of Stanford University hospital exposed

September 08, 2011

A database with data on thousands of patients at Stanford University's hospital in Palo Alto, Calif. was made available on a website.

How many victims? 20,000

What type of personal information? Names, diagnosis codes, account numbers, admission and discharge dates, and billing charges (Social Security numbers, birth dates and credit card accounts were not included).

What happened? A spreadsheet containing data for patients seen at Stanford Hospital's emergency room during a six-month period in 2009 was posted to a website called “Student of Fortune,” which assists students with their school assignments. The hospital said that in September 2010, one of its vendors, billing contractor Multi-Specialty Collection Services, posted an attachment containing the database in response to a question about converting the patient data into a bar graph.

Details: Following disclosure of the breach, the hospital canceled its contract with the provider and received a signed promise that files would be destroyed or returned.

What was the response? The hospital has made free identity protection services available to affected patients.

Source: New York Times, Sept. 8, 2011.

 

Programming vulnerability exposes retiree data

August 30, 2011

A database programming error exposed the personal information of tens of thousands of retirement plan enrollees at investment planning firm Lincoln Financial Group.

How many victims? 91,763.

What type of personal information? Names and Social Security numbers.

What happened? The issue involved a sensitive database maintained by affiliates The Lincoln National Life Insurance Co. and Lincoln Life & Annuity Co. of New York.  

Due to a programming weakness affecting the database search function, administrators were able to view information about individuals not part of their plan. Consequently, if an administrator searched a participant's first or last name, the results would have included all plan participants with the same name, and displayed their Social Security numbers. The company was notified of the flaw July 18 by a plan administrator.

Details: The programming error had existed in the database search function since 2009. There is no reason to believe that information in the database was misused.

What was the response? Upon learning of the error, the company disabled the database search function. Once the issue was investigated, participants' Social Security numbers were truncated. The search feature has not yet been restored, as the company is still working on an appropriate solution. Affected individuals are being notified and offered free credit monitoring services.

Meanwhile, this is not the first data breach Lincoln has experienced in recent months. In July, the company said an email error exposed the names and Social Security numbers of 705 people.

Source: Letter to New Hampshire Attorney General Michael Delaney, August 15, 2011.

 

Google search could have revealed Yale personal data

August 23, 2011

A Google search could have yielded the personal information of tens of thousands of people connected to Yale University in New Haven, Conn.

How many victims? 43,000 students, faculty, staff and alumni affiliated with the university in 1999.

What type of personal information? Names and Social Security numbers.

What happened? A file contained on a server was publicly searchable via Google for 10 months.

Details: The data was stored on a file-transfer protocol (FTP) server, which became searchable last September when Google began indexing FTP servers. Most of the information belonged to people who worked at Yale in 1999. It is unclear how many times the file was accessed, but school officials said it contained an "inconspicuous" name.

What was the response? The university created a center to handle questions from affected individuals, and is offering them two years of free credit monitoring and identity theft services.

Quote: "We immediately blocked that server from the internet, removed the file and did a complete scan of the server to make sure there were no additional at-risk files," IT Services Director Len Peters said.

Source: yaledailynews.com, Yale Daily News, "Yale affiliates' SSNs were searchable on Google," Aug. 17, 2011.

 

Hackers break into sensitive Purdue University server

August 19, 2011

A computer server containing the personal information of thousands of former Purdue University students was accessed by hackers.

How many victims? 7,093.

What type of personal information? Social Security numbers.

What happened? Hackers on April 5, 2010 broke into a university server containing course records from 2000 through the summer session of 2005. 

Details: School officials said there is no evidence that the sensitive information was accessed. Instead, they believe the hackers aimed to use the infected computer system to attack other servers.

Quote: “Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system, but felt informing people who may have been affected was a necessary precaution," Laszlo Lempert, head of the Department of Mathematics, said in a statement. "We regret the breach occurred, and we've taken extensive measures to prevent this from happening again."

What was the response? The school on Monday mailed notification letters to affected individuals. Though the breach occurred over a year ago, it took school officials until June to sort through the information on the server and identify the extent of the breach. The Indiana Attorney General's office has been notified.

Source: jconline.com, Journal and Courier, “Purdue warns ex-students of data breach,” Aug. 17, 2011.

 

College server infected, possibly to steal research data

August 12, 2011

The personal information of tens of thousands of University of Wisconsin-Milwaukee (UWM) students and employees is at risk after a server was discovered to be infected with malware.

How many victims? 75,000.

What type of personal information? Names and Social Security numbers.

What happened? The school's technology staff on May 25 discovered malware on a server that housed a software system used by several departments to manage sensitive data. The affected system included a database of confidential information that would have been accessible to attackers.

Details: School officials, however, do not believe the attackers got away with any sensitive data. In addition, no financial information was affected.

Quote: “We are a research institution with a significant number of projects under way,” said Tom Luljak, UWM's vice chancellor for university relations. “It is theorized that this may have been an attempt to look at work being done."

What was the response? After discovering the malware, the university promptly shut down the affected server and cleaned the infection before restarting it. Local and federal authorities were notified. The college alerted victims, and set up a website and helpline to provide information. In addition, the university has updated security on its systems to better protect against attacks.

Sources: 4.uwm.edu, University of Wisconsin-Milwaukee, “Information on Computer Security Incident at UW-Milwaukee,” Aug. 10, 2011.

JsOnline.com, Milwaukee Journal Sentinel, “UWM computers hacked; data on 75,000 exposed,” Aug. 10, 2011.

 

Seattle hospital data exposed online

July 29, 2011

Swedish Medical Center, the largest nonprofit health care provider in the greater Seattle area, is alerting current and former employees that their personal information was inadvertently accessible online for several weeks. 

How many victims? 20,000.

What type of personal information? Social Security numbers.

What happened? A hospital employee working at home in April made accidental changes to his home network that could have allowed others to access information on his computer through an internet search. The sensitive data was exposed for nine weeks before being discovered by an unknown person.

Hospital policy prohibits employees from keeping personal information on home computers.

Details: Affected individuals worked for the hospital in 1994, 1995, 2002, 2003, 2004 and 2006. Some are still employed there.

There is no evidence that the exposed data has been used to perpetrate any fraud.

What was the response? The hospital is providing victims with a free subscription for identity protection services. In addition, it is working to improve its security and user awareness training.

Source: seattletimes.nwsource.com, The Seattle Times, “20,000 Swedish employees personal data breached,” July 20, 2011.

 

Thousands of Ontario cancer test results may be lost in the mail

July 26, 2011

Records containing the personal health information of thousands of Ontario citizens who participated in the province's colon cancer screening program may have gone missing.

How many potential victims? Nearly 12,000.

What type of personal information? Names, birth dates, genders, health card numbers, and colon cancer screening information and results.

What happened? Cancer Care Ontario, the provincial agency charged with improving cancer services, cannot confirm whether 15 reports containing the personal health information of 6,490 Ontarians were successfully delivered to their intended recipients. The agency is also looking into the delivery status of an additional 11 reports containing 5,440 records.

The reports, which contain information from Ontario residents ages 50 to 75 in the ColonCancerCheck program, an initiative to screen people for colon cancer, were mailed to family doctors in February and March.

The agency used Canada Post's Xpresspost courier service to mail the reports. Canada Post mail carriers are supposed to hand over the packages only after receiving a doctor's signature and return them to the agency if a signature is not obtained.

Some of the reports were, however, delivered without a signature confirmation.

Details: Ontario's privacy commissioner, Ann Cavoukian, launched an investigation in late June and instructed the agency to visit doctors' offices to look for the reports.

Quote: “Medical test results rank among the most sensitive personal information about an individual,” Cavoukian said. “I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that this type of breach doesn't happen again.”

What was the response? An investigation was launched to determine the scope of the incident. The agency is notifying the appropriate primary care physicians, patients and the public over the next several weeks.

Source: http://www.cbc.ca/, CBC News, “Ontario cancer tests may be lost in mail,” July 26, 2011.

 

Computer theft impacts 400K S. Carolina patients

July 19, 2011

In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System.

How many victims? 400,000.

What type of personal information? Social Security numbers, names, addresses, dates of birth and medical billing codes.

What happened? A desktop computer containing the sensitive data was stolen from an employee's car on March 28. The employee was authorized to have the computer.

Details: The health care system posted a notification about the breach on its website in late May, though it did not reveal how many patients were affected. The U.S. Department of Health and Human Services last week revealed the number of impacted individuals.

There is no evidence that the information has been misused.

What was the response? Spartanburg reported the theft to authorities. An investigation was launched. The company also took unspecified steps to enhance its security procedures. Affected individuals have been notified and offered a free subscription for identity theft consultation and credit monitoring services.

Sources: SpartanburgRegional.com, Letter to Patients, May 2011.

HHS.gov, U.S. Department of Health and Human Services, Breaches Affecting 500 or More Individuals.

 

Morgan Stanley client data goes missing

July 08, 2011

The personal information of tens of thousands of Morgan Stanley Smith Barney investment clients has gone missing.

How many victims? 34,000.

What type of personal information? Names, addresses, account and tax identification numbers, as well as the income earned on investments in 2010, and some clients' Social Security numbers.

What happened? Two CD-ROMs containing the sensitive information went missing after being mailed to the New York State Department of Taxation and Finance. It appears that the package made it to the department intact, but by the time it reached its intended recipient the discs were missing. The state notified Morgan Stanley Smith Barney about the breach on June 8.

Details: The discs were password-protected, but not encrypted.

Quote: "There's no evidence that there was any criminal intent here, or actual misuse of this information," said Jim Wiggins, a spokesman for Morgan Stanley Smith Barney.

What was the response? The investment firm conducted a search of its facilities and did not locate the discs. Notification letters were sent to affected individuals on June 24. The company has offered to provide a one-year, free subscription for monitoring services to those whose Social Security or tax identification numbers were lost.

Morgan Stanley Smith Barney said it will work with the state to improve the security of data transmissions.

Source: ABCNews.com, ABC News, “Data of 34,000 Morgan Stanley Clients Lost or Stolen,” July 6, 2011.

 

Colorado agency loses medical aid applicants' data

July 07, 2011

A computer disk containing the personal information of thousands of medical aid applicants has gone missing from the Colorado Department of Health Care Policy and Financing.

How many victims? 3,590.

What type of personal information? Names, addresses and state identification numbers.

What happened? The disk was lost while on its way between two state agencies. It was discovered missing on May 6.

Details: The missing data did not include birth dates or Social Security numbers.

A similar incident occurred last summer, when the agency lost a computer hard disk containing the personal information of 100,000 residents.

What was the response? The agency is working to notify affected individuals.

Source: denverpost.com, The Denver Post, “Colorado agency loses records,” July 1, 2011.

 

California state workers' data taken from state offices

July 01, 2011

The personal information of thousands of current and former California state employees was improperly copied to a hard drive and removed from state offices.

How many victims? 9,000

What type of personal information? Names, addresses, some Social Security numbers, ethnicities, birth dates, information on next of kin and workers' compensation documents.

What happened? IT staff at the California Department of Public Health (CDPH) detected unusual network activity on April 5. The department initiated an investigation and discovered that an employee had removed the information without authorization. The employee was placed on administrative leave until the investigation is complete.

Details: The breach affects most current CDPH and California Department of Health Care Services (DHCS) employees, as well as nearly 3,000 employees of the former Department of Health Services (DHS).

There is currently no indication that the information has been misused or further disclosed.

Quote: "We regret that the personal information of our employees was compromised," CDPH Director Ron Chapman said in a statement. "We take the breach of any secure documents very seriously and are committed to taking steps to minimize any impact of this action and further strengthen our security policy."

What was the response? The department has begun implementing unspecified internal safeguards to protect employee information. In addition, the agency is conducting a review of its information security policies and has promised to put in place any additional safeguards necessary to ensure a similar incident does not recur.

Affected individuals are being offered credit monitoring services.

Source: California Department of Public Health, “Current and former state employees advised of breach of personal information,” June 26, 2011.

 

California workers' compensation data exposed online

June 21, 2011

Electronic files containing the personal information of hundreds of thousands of individuals who have applied for California workers' compensation benefits were mistakenly exposed online.

How many victims? 300,000.

What type of personal information? Names and Social Security numbers.

What happened? The electronic files, which belonged to Southern California Medical-Legal Consultants (SCMLC), a company that helps medical providers recover workers' compensation insurance funds, were discovered by a data security firm through automated Google searching. The information was stored on a computer that was intended for internal purposes.

What was the response? The company took “immediate steps to remediate the situation” and is taking other unspecified measures to ensure a similar incident does not recur. Affected individuals are being notified.

Quote: "We take data security and privacy very seriously," Joel Hecht, president of SCMLC, said in a statement. "Unfortunately, our internal security policies and procedures were not followed.”

Source: Marketwire news release, “Possible Data Breach Discovered and Contained,” June 12, 2011.
 

Patient data stolen from California medical group

June 09, 2011

The medical information of thousands of individuals was compromised after thieves raided the offices of California medical group HealthCare Partners.

How many victims? 15,727.

What type of personal information? Names, addresses, birth dates, medical record numbers, health plan ID numbers, and treating physician names, as well as information about diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations.

What happened? Thieves broke into HealthCare Partners' Pasadena and Long Beach, Calif. offices and stole 19 computers containing the data. They also stole a safe containing checks and credit card receipts. The theft was discovered on April 18.

Details: HealthCare Partners said it believes that the risk of harm is low because an investigation indicated the equipment was stolen for its monetary value, not the information it contained.

What was the response? Upon discovering the theft, HealthCare Partners notified local law enforcement and initiated an investigation into the incident. Affected individuals have been alerted and offered a free subscription of identity protection services. In addition, the company has promised to work with patients whose personal information was compromised to help minimize the impact of the incident.

Quote: "HealthCare Partners understands the importance of safeguarding our patients' personal information and takes that responsibility very seriously," Robert Margolis, chairman and CEO, said in a statement. "We regret that this incident has occurred, and we are committed to preventing such occurrences in the future.”

Source: http://www.healthcarepartners.com, “HealthCare Partners Notifies Patients of Breach of Unsecured Personal Information,” June 3, 2011.

 

Data belonging to Honda customers in Canada stolen

June 01, 2011

The personal data belonging to Honda and Acura customers in Canada was stolen after attackers accessed the information off the companies' e-commerce sites.

How many victims? 283,000.

What type of personal information? Names, addresses and vehicle identification numbers. Data such as birth dates, telephone numbers, email addresses, credit card numbers, bank account information and lists of transactions was not taken.

What happened? Hackers infiltrated the myHonda and myAcura e-commerce sites to steal the account information stored in a database. The records in that database should have been destroyed but were not.

What was the response? Honda is notifying affected customers by mail. It informed customers about the incident but said they are not at risk for identity theft.

Details: The information was collected two years ago from customers who registered at the websites. Experts worry the stolen data may be used in phishing scams that seek more valuable personal information. Honda, which owns Acura, has since been sued over the breach, with the plaintiffs seeking $200 million in damages.

Source: The Toronto Star, thestar.com, "Honda hacked: 283,000 car owners lose personal data," May 26, 2011.

 

Personal data of 4,000 SEC employees exposed

May 20, 2011

The personal information of thousands of U.S. Securities and Exchange Commission (SEC) employees was accidentally exposed in an unencrypted email.

How many victims? 4,000.

What type of personal information? Social Security numbers and payroll information.

What happened? The email was sent May 4 by an employee at the U.S. Department of the Interior's National Business Center, a service center in charge of payroll, human resources and financial reporting for dozens of federal agencies, including the SEC. The contractor forgot to encrypt the message, and software in place to detect such an error failed.

Details: The personal data was exposed for about one minute, while in transit. There is no indication that the data was intercepted.

The National Business Center recently has had several other breaches of employee information. In February 2010, a similar software malfunction nearly exposed personnel data, but an employee caught the mistake. Then in May, the center reported that a CD, containing sensitive information on about 7,500 federal employees from several government agencies, was lost.

What was the response? An investigation was launched after the most recent breach was discovered. An assessment of the software and security protocols at the National Business Center is ongoing.

Affected employees are being offered 60 days of free credit monitoring.

Source: Los Angeles Times, http://www.latimes.com/, “Email exposed 4,000 Securities and Exchange Commission employees,” May 18, 2011.
 

New York Yankees expose season ticket holders' data

April 28, 2011

A spreadsheet containing the personal information of New York Yankees' season ticket holders was inadvertently emailed on Monday evening to more than 1,000 people.

How many victims? 17,000 ticket holders.

What type of personal information? Names, addresses, phone numbers and email addresses of "non-premium" season ticket holders. The spreadsheet also contained Yankee account numbers and seat assignments. No financial data or Social Security numbers were compromised.

What happened? An employee working in the club's ticketing department meant to send an attachment with newsletter information to Yankees season ticket licensees. Instead, the individual mistakenly attached the internal spreadsheet.

Details: Premium account holders, some of whom are celebrities, were not affected. Fewer than half of all season ticket holders were impacted.

Quote: "A mistake was made and we're being as transparent as we possibly can be," a team spokesman said. "We've already taken steps to be sure it cannot and will not happen again."

What was the response? The team has notified affected individuals by letter.

Source: NYDailyNews.com, “Yankees mistakenly email personal information, account numbers of ticket holders to over 1,000,” April 28, 2011.
 

Alberta school board loses sensitive flash drive

April 20, 2011

A USB stick containing the personal information of thousands of employees of Alberta's Edmonton Public School Board has gone missing.

How many victims? 7,000.

What type of personal information? Resumes, employment records and possibly banking data.

What happened? A school board computer technician working in the human resources department lost the flash drive on March 22.

Details: School board staff violated policy by retaining too much data for too long and failing to keep a record of the information downloaded to the USB drive, said Frank Work, Alberta's privacy commissioner.

Quote: "According to school board policy, you're not supposed to use an unencrypted stick," Work said. "They did.”

What was the response? The school board has sent notification letters to affected individuals. The board has spent thousands of dollars to respond to the incident.

Source: CBC News, “School board loses memory stick with employee data,” April 13, 2011.

 

Connecticut hospital loses more than 90,000 patient records

April 07, 2011

MidState Medical Center, located in Meriden, Conn., has reported missing a hard drive containing the personal information of tens of thousands of hospital patients.

How many victims? 93,500.

What type of personal information? Names, addresses, dates of birth, Social Security numbers and medical record numbers.

What happened? An employee of MidState's sister facility, Hartford Hospital, violated company policy by transferring patients' sensitive data to a personal hard drive to work from home.

Details: The drive was discovered missing on Feb. 15 and the employee has since been dismissed. The hospital does not believe that any information on patient diagnosis or treatment was compromised. There is currently no evidence that the information has been misused.

What was the response? After discovering the breach, the hospital launched an investigation and reported the incident to law enforcement. Affected individuals are being notified and offered two years of identity protection services. In addition, MidState Medical Center and other affiliated facilities are reviewing their policies and taking unspecified steps to prevent a recurrence.

Sources: MidState Medical Center, “Important Notice to Patients Regarding Misplaced Personal Information,” April 5, 2011.

The Hartford Courant, “Hospital Records Breach Involves 93,500 Patients,” April 5, 2011.

 

Sensitive data goes missing from Illinois childcare agency

March 31, 2011

Maryville Academy, a Des Plaines, Ill.-based social service agency that serves abused children, revealed late last week that three computer files containing personal and medical information of thousands of children have gone missing.

How many victims? About 3,900.

What type of personal information? Birth dates, relatives' names, Social Security numbers, medical treatment data and other unspecified information.

What happened? The files were in a locked storage room in Maryville's Des Plaines facility when they went missing. It is not known whether the files were stolen or misplaced.

Details: The files contained information about children who lived at agency facilities since 1992. They did not include information about children cared for at the agency's crisis nursery, children's health care center, psychiatric hospital or girls' shelter.

Quote: "We are reaching out to the members of our Maryville family who may be affected by these missing files to offer our assistance," Sister Catherine Ryan, Maryville's executive director, said in the statement.

What was the response? The agency is investigating.

Source: Chicago Breaking News, chicagobreakingnews.com, “Computer files lost at Maryville,” March 25, 2011.

 

BP "leaks" data of 13,000 Gulf oil spill victims

March 30, 2011

A BP employee lost a laptop containing the personal information of thousands of Louisiana residents who filed compensation claims after last year's devastating oil spill in the Gulf of Mexico.

How many victims? 13,000.

What type of personal information? Names, Social Security numbers, phone numbers and addresses.

What happened? The laptop went missing on March 1 while the BP worker was traveling for work. Though the laptop was password protected, the information was not encrypted.

Details: The data included a spreadsheet of information about individuals who filed claims with BP before the Gulf Coast Claims Facility took over the processing of claims last August. There is no indication that the data has been misused.

What was the response? BP has mailed letters to affected individuals and offered them free credit monitoring services. The company has reported the missing laptop to law enforcement.

Source: The Denver Post, denverpost.com, “Lost BP laptop holds personal data of 13,000 oil-spill claimants,” March 30, 2011.

 

Indiana standardized test question leaked on Facebook

March 09, 2011

Tens of thousands of Indiana Statewide Testing for Educational Progress-Plus (ISTEP) tests may have to be discarded after an exam question was posted on Facebook.

What happened? The Indiana Department of Education (DoE) believes a test coordinator copied an essay question from the eighth-grade language arts exam and shared it with others. It was briefly posted on a Facebook page connected with a state teachers' group.

The test was administered to 80,000 eighth-graders in the state.

Details: The question asked students' opinion on school vouchers that use taxpayer money to help parents send their children to private schools.

Pending state legislation supported by Republicans would give parents “special scholarships” using public funds for their children to attend private school. Some have said the exposure was meant to sway public opinion and promote the voucher plan. The state DoE and superintendent have denied such claims.

The DoE is considering whether to suppress the question or invalidate the affected portion of the test. The investigation and response could cost the state several hundred thousand dollars.

Quote: "It has the potential to cost taxpayers a great deal of money," said Lt. Gov. Becky Skillman.

What was the response? The Indiana DoE has launched a statewide investigation. Any teachers involved could lose their licenses.

Source: 6News, TheIndyChannel.com, “Security Breach Compromises ISTEP Exam,” March 7, 2011.
 

Missouri State University student data posted online

March 04, 2011

Officials at Missouri State University in Springfield are notifying thousands of students whose personal information was inadvertently exposed online.

How many victims? 6,030.

What type of personal information? Names and Social Security numbers.

What happened? In preparation for an accreditation, the Missouri State University's College of Education late last year prepared electronic lists of students, by semester. They were to be made available on secure servers accessible by university personnel working on the accreditation.

Instead, the lists were posted between October and November to an unsecured server and were searchable on Google. The university discovered the breach on Feb. 22.

Details: The lists contained information about students who attended the College of Education between 2005 and 2009.

Quote: “It is very unfortunate that this breach occurred,” said Jeff Morrissey, chief information officer at Missouri State. “We are taking this breach very seriously, and we hope these steps will prevent inappropriate use of the personal information that was compromised.”

What was the response? Since learning of the breach, the university has worked with Google to remove all the lists and is notifying affected individuals, who will be offered identity theft protection insurance. In addition, the university notified the state's attorney general and will discipline the employee who posted the information. Finally, the university has secured all College of Education accreditation lists and is working with all other college deans to prevent future inadvertent data exposures.

Source: Missouri State University, “College of Education students notified of security breach,” March 3, 2011.

 

NYC hospital system breach affects 1.7 million

February 24, 2011

The New York City Health and Hospitals Corp. (HHC), the city's municipal hospital system, has begun notifying 1.7 million individuals about the theft of electronic record files that contained their personal information.

What type of personal information? Full names, addresses, Social Security numbers, medical record numbers, health insurance information, diagnosis and treatment data, telephone numbers, mothers' maiden names and birth, admission and discharge dates.

What happened? The computer backup tapes were stolen on Dec. 23 from the truck of HHC's record management services vendor, GRM Information Management Services, while being transported to a secure location. At the time of the crime, the truck was parked on the street in Manhattan while the driver was making a pickup from another GRM customer.

The stolen backup tapes contain 20 years of information about patients, staff, contractors, vendors and anyone else who was treated by or provided services at HHC's North Bronx Healthcare Network hospitals and clinics. This consists of Jacobi Medical Center and North Central Bronx Hospital, along with two other community health care centers: the Health Center at Tremont and the Health Center at Gun Hill.

Details: Only those with specialized knowledge and access to the right software and hardware would be able to view the information on the stolen tapes. There is currently no evidence that any of the stolen data was accessed.

Quote: “We apologize for the concern this incident may cause you and assure you steps are being taken to ensure that a similar incident does not recur, including the encryption of all future backup tapes,” William Nash, network senior vice president at North Bronx Healthcare Network, said in the notification letter.

What was the response? Upon discovery of the theft, the New York City Police Department was notified and launched an investigation. The stolen tapes have not been found, and police have no suspects.

HHC has fired GRM and has filed a lawsuit to cover the costs of the breach, according to reports.

Affected individuals have been notified and offered one year of free credit monitoring and fraud resolution services. HHC also set up a phone hotline at (877) 412-7148 to answer any questions about the incident.

Source: New York City Health and Hospitals Corp., “Data Theft Notification to Jacobi Medical Center and North Central Bronx Hospital Patients, Staff, Contractors, Vendors, and Others," Feb. 9, 2011.

 

Hacker accesses UConn customer database

January 20, 2011

The University of Connecticut (UConn) is warning thousands of customers who bought merchandise at HuskyDirect.com that their credit card numbers and other sensitive information may have been stolen.

How many victims? 18,000.

What type of personal information? Names, addresses, emails, telephone numbers and credit card information, including expiration dates and security codes.

What happened? A hacker gained access to a database containing billing information for HuskyDirect.com.

Details: The website, used by customers to buy team merchandise from the UConn co-op, is operated by an unnamed vendor who notified the university about the breach. The vendor has secured the database, the co-op said, but as of Jan. 20 the website remained inactive.

Customers who shopped at the co-op store in person are not affected.

Quote: "We are investigating how many accounts were actually accessed," the co-op said.

What was the response? Notification letters have been sent to affected individuals who will be offered credit protection.

Source: The Hartford Courant, courant.com, “Hacker Breaks Into UConn Husky Store Website,” Jan. 12, 2011.

 

Hackers may have stolen South Carolina employees' data

January 18, 2011

The personal information of thousands of South Carolina state employees may have been stolen by hackers.

How many victims? 5,600.

What type of personal information? Names, addresses, Social Security numbers and birth dates.

What happened? A computer containing the sensitive data of thousands of state employees, retirees, dependents and survivors who were covered by the state's Employee Insurance Program was infected by a virus that may have permitted hacker access. The breach was discovered Nov. 18, about 10 days after it began.

Details: The affected computer contained the records of about 800 people who are dead.

Quote: "Obviously, this is a terrible situation, and we feel for all those whose privacy may have been compromised," said Rob Godfrey, a spokesman for the state Budget and Control Board.

What was the response? The board has mailed notification letters to affected individuals. In addition, officials hired a new director who is "committed to making sure that changes are implemented, quickly, so something like this never happens again," Godfrey said.

The South Carolina Law Enforcement Division has been notified about the intrusion.

Source: Associated Press via aikenstandard.com, “Agency: Records of employees may have been breached,” Jan. 17, 2011.

 

NYC bus tour company's database hacked of credit card info

December 21, 2010

The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.

How many victims? Approximately 110,000.

What type of personal information? Names, home addresses, email addresses, credit card numbers, expiration dates and CVV2 numbers.

What happened? Thieves exploited a SQL vulnerability to access a database on the company's web server. The hackers launched the SQL script on Sept. 26 and gained access to the database until Oct. 19. Six days later, a web programmer discovered the exploit.

What was the response? CitySights NY notified affected customers and provided them with one year of free credit monitoring and identity theft protection services. In addition, victims received a coupon good for 50 percent off select tours. They were told to purchase online, using the code of "012345."

The company has taken steps to improve its security posture, including tightening password use, closing database vulnerabilities, deploying an application firewall and conducting penetration tests.

Quote: "The company continues to monitor its systems and has reconfigured its systems so that transactions will be processed without storing credit card data on the company's servers," wrote attorney Theodore Augustinos in a letter to the New Hampshire attorney general's office.

Source: Letter to New Hampshire attorney general's office, Dec. 9, 2010.

 

Hundreds of thousands affected in latest Ohio State breach

December 16, 2010

The Ohio State University (OSU) has notified hundreds of thousands of students and faculty members that their personal information was compromised by hackers who broke into a campus server. There is no evidence the data was stolen, however.

How many victims? 760,000.

What type of personal information? Names, Social Security numbers, dates of birth and addresses. No OSU Medical Center patient records or student health records were involved.

What happened? The intrusion was confirmed last month, but the university did not disclose how the hackers were able to access the server because the incident is still under investigation. University police do not currently know who hacked the system.

An investigation revealed that the unauthorized access was used for launching cyberattacks on other businesses, the university said. There is no evidence that the data was stolen.

Details: Current and former faculty, students and applicants, as well as other individuals affiliated with the university, could be affected.

Quote: "We regret that this has occurred and are exercising an abundance of caution in choosing to notify those affected," said OSU Provost Joseph Alutto.

What was the response? The university has notified affected individuals, who have been offered one year of free credit protection services. The university has hired two computer security consulting firms to forensically investigate the incident and help improve security. As a result of the breach, OSU is seeking to strengthen its IT systems.

OSU has suffered several other smaller breaches over the past few years.

In 2007, two separate incidents left the personal information of 17,500 students, faculty members and staff compromised. In 2008, the university notified 18,000 current and former students after it was discovered that their personal information was inadvertently posted online. And last year, 350 OSU Dining Services student employees had their Social Security numbers leaked in an e-mail.

The latest breach is expected to cost the university $4 million in expenses related to investigative consulting, breach notification and credit card security.

Sources: http://www.thelantern.com, The Lantern, “Hacked: Data breach costly for Ohio State, victims of compromised info,” Dec. 15, 2010.

http://www.osu.edu/creditsafety/, Ohio State University Credit Safety.

 

Hackers access UW-Madison computer systems

December 10, 2010

Hackers infiltrated the University of Wisconsin (UW)-Madison computer systems and accessed the personal information of tens of thousands of individuals affiliated with the college.

How many victims? 60,000.

What type of personal information? Names, photos and Social Security numbers.

What happened? UW-Madison officials became aware of the intrusion on Oct. 26. The breach affected mostly former students, faculty and staff members.

Details: One of the files in the system contained old university photo IDs containing Social Security numbers and corresponding cardholder names. An investigation by the UW-Madison division of information technology and office of computer security found nothing to suggest that the data had been downloaded or used maliciously. The identities of the hackers remain unknown.

Quote: "Before privacy was taken as seriously as it is today, a student's Social Security number was embedded inside that ID card number," said UW-Madison spokesman John Lucas.

What was the response? Letters have been sent to affected individuals.

Source: http://host.madison.com/wsj/, Wisconsin State Journal, “UW-Madison warns 60,000 of card data theft,” Dec. 10, 2010.

 

Colorado county files mistakenly posted online

December 07, 2010

More than 20 years worth of personal and investigative Sheriff's Department records from Mesa County, Colo. were inadvertently posted online, where they remained for several months.

How many victims? As many as 200,000.

What type of personal information? Secure law enforcement files that included the names of confidential informants, emails about crime victims and homicide investigations. In addition, the files included the names, Social Security numbers and addresses of current and former sheriff's office employees, along with the names of employees' spouses, children and schools the children attend.

What happened? An employee in the county's information technology department in April loaded the files onto what he believed was an encrypted county server while working on a project to integrate law enforcement computer databases.

The information was instead posted to a county URL that was not password protected. Authorities have determined that the data was accessed by someone outside the country in late October. The data was also accessed multiple times from local, national and international computers.

The site was taken down on Nov. 24, after an individual found their name mentioned in the files while searching the internet and notified authorities.

Quote: “My flush reaction is it's obviously a cyber disaster,” said former Sheriff Riecke Claussen. “I think that obviously with the type of information that the sheriff's office deals with, that security of information is of top concern.”

Details: The employee responsible for the breach, whose name hasn't been released, is no longer working for the county. Authorities are still determining the extent of the breach and do not know how many people obtained the information or how much of it remains online on other sites.

What was the response? County administrators are working to notify affected individuals.

Source: GJSentinel.com, Grand Junction Daily Sentinel, “Breach could put people at risk,” Dec. 3, 2010.

 

Sensitive laptop stolen from Detroit hospital

November 22, 2010

A laptop containing sensitive patient information was recently stolen from Henry Ford Health Systems in Detroit.

How many victims? Undisclosed.

What type of personal information? Patient names, medical record numbers, dates of birth, mailing and e-mail addresses, telephone numbers, treatment and doctor visits. No Social Security numbers or health insurance information were breached.

What happened? The device was stolen on Sept. 24 from an unlocked medical urology office. It was password protected but there is still a possibility that personal patient information could be at risk.

Details: The laptop contained patient information related to prostate services received between 1997 and 2008.

Quote: "The security of our patients' health information is very important to us, and we sincerely apologize for what happened," said Meredith Phillips, chief privacy officer at Henry Ford Health Systems. "This laptop did not have the proper security protections that we require for laptop computers storing patient information."

What was the response? The hospital has begun sending notification letters to affected patients, who are being offered one-year free credit monitoring. In addition, the hospital is providing employees with additional training on how to protect patient information stored on computers.

Source: clickondetroit.com, WDIV Detroit, “Detroit Hospital Security Breach,” Nov. 15, 2010.

 

Hacker accesses Louisiana EMT licensing database

November 09, 2010

An unauthorized individual recently gained access to a Louisiana state licensing database that contained the personal information of tens of thousands of emergency medical technicians (EMTs).

How many victims? 56,000.

What type of personal information? Names and Social Security numbers.

What happened? It is believed that on Sept. 17 hackers gained access to a state Department of Health and Hospitals (DHH) database that contained information about individuals who have applied for classes or who are certified as first responders or EMTs in Louisiana. The list includes high school seniors who are in EMS-related programs through the Education Department.

The breach was discovered by personnel with the state's Bureau of Emergency Medical Services. A computer screen displayed the message: “You have been hacked.”

Details: The portal is internet accessible because instructors and other authorized individuals throughout the state use the database.

Quote: “Although we have no indication that information was actually released, we know that it was accessed,” said Tony Keck, deputy secretary at the DHH.

What was the response? The DHH has sent letters to affected individuals. In addition, the agency has taken steps to prevent a future breach, such as strengthening password requirements. Local law enforcement and the Louisiana attorney general's office are investigating.

Source: 2theadvocate.com, The Advocate, “Hacker may have accessed DHH database,” Oct. 28, 2010.

 

University of Hawaii suffers second breach this year

October 29, 2010

The sensitive information of tens of thousands of former University of Hawaii students was inadvertently posted online, where it remained for nearly a year before being removed.

How many victims? 40,000.

What type of personal information? Names, Social Security numbers, addresses, birth dates and educational data.

What happened? Last December, a faculty member inadvertently uploaded the sensitive files to an unencrypted web server. The faculty member, who recently retired from UH's West Oahu campus, was conducting a study about students.

Details: Those affected are students who attended UH's Manoa campus from 1990 to 1998 and during 2001. In addition, students who attended UH's West Oahu campus during fall of 1994 or graduated from 1988 to 1993 may be impacted.

The incident follows a separate UH breach disclosed in July that involved the personal information of 53,000 individuals.  

What was the response? The university removed the files and disconnected the affected server from the network, after Liberty Coalition, a nonprofit group based in Washington D.C., notified university officials about the exposure on Oct. 18. Affected individuals are being notified.

The FBI and Honolulu Police Department have been notified. The university currently has no evidence that anyone's personal information was accessed for malicious intent. Meanwhile, the UH West Oahu campus is also working to adopt more proactive security measures to ensure a similar incident does not occur in the future.

Source: http://manoa.hawaii.edu/, University of Hawaii – Manoa, “Inadvertent exposure by UH West O'ahu affects Mānoa students,” Oct. 28, 2010.

 

Penn. Medicaid recipients' information on missing flash drive

October 22, 2010

Two health insurers said a flash drive containing the personal health information of hundreds of thousands of Pennsylvania Medicaid recipients has gone missing.

How many victims? 280,000.

What type of personal information? Names, addresses and other health data.

What happened? AmeriHealth Mercy and Keystone Mercy Health Plan, both of which are Medicaid managed plan providers, said the drive was discovered missing from the companies' corporate offices on Sept. 20. The same drive was also used at community health fairs.

The companies have not disclosed whether the computer drive was encrypted.

Details: The last four digits of 801 members' Social Security numbers were also contained on the drive, along with full Social Security numbers of seven members.

There have not been any reports of misuse of the information stored on the drive.

Keystone Mercy Health Plan provides insurance to 300,000 Medicaid members in Pennsylvania, and AmeriHealth serves 100,000 in the state. The breach, which involves nearly two-thirds of the insurers' subscribers, represents one of the largest incidents involving health data loss in recent memory.

Quote: "We deeply regret this unfortunate incident," said Jay Feldstein, president of the managed care plans for both insurers.

What was the response? The breach was reported to the state Department of Public Welfare. In addition, the companies have been working to notify affected individuals and to evaluate and improve their security measures so that a similar incident does not occur again.

Source: www.philly.com/inquirer/, Philadelphia Inquirer, “Medical-data breach said to be major,” Oct. 21, 2010.

 

National Guard member information posted online

October 18, 2010

The personal information of thousands of Mississippi National Guard personnel was inadvertently posted online for several weeks, beginning in early September.

How many victims? Nearly 3,000.

What type of personal information? Names, Social Security numbers, dates of birth, security clearance data, ranks and pay grades and home and cell phone numbers.

What happened? The breached administrative records belonged to members of the 155th Brigade Combat Team and were compiled at various times between 2006 and 2008, including while the brigade was deployed in Iraq. The files were posted on Sept. 10 to the brigade's Microsoft SharePoint website, which did not require a password to access. The guard is investigating how the breach occurred, but officials believe that it happened inadvertently when someone uploaded the files to a new computer system.

Details: The National Guard was notified about the breach by Aaron Titus, information privacy director of Liberty Coalition, a Washington-based policy institute. The group operates the website, NationalIDWatch.org, where users can find out if their personal information has been compromised.

During the time the files were posted, they could have been potentially viewed by anyone online.

The website can no longer be accessed.

Quote: "Information management is working feverishly to get to the bottom of it," Tim Powell, a spokesman for the National Guard, said. "We take this very seriously and are incorporating numerous layers of internet security on our website."

Source: Associated Press via the Army Times, “Miss. Guard personnel information compromised,” Oct. 8, 2010.

 

Hacker accesses University of North Florida computer server

October 15, 2010

A University of North Florida (UNF) computer file containing the sensitive information of students may have been accessed by a foreign hacker.

How many victims? 106,884.

What type of personal information? Names, Social Security numbers and dates of birth.

What happened? An unauthorized individual outside of the United States gained access to a school computer server some time between Sept. 24 and 29. A sensitive file on the server contained the personal information of UNF students and others who have expressed interest in the college. The information was collected during the recruitment and application process.

It is possible the intruder was seeking to disrupt normal business or use the computer's processing power to launch similar attacks on other computers, UNF said. There is currently no proof that any confidential information was stolen.

Details: Of those affected, 52,853 had their names and Social Security numbers compromised and 54,031 had their names and dates of birth compromised. In some cases, the intruder may have had access to ACT and/or SAT test scores, which are collected as part of the application process. UNF academic grades, financial aid information and course histories are not at risk.

What was the response? Immediate steps were taken to contain the breach and to prevent further unauthorized access. In addition, the university has notified affected individuals by letter. The university Police Department is working with the FBI to investigate the breach.

UNF has set up a phone number, (904) 620-2114, and an email account, databreach@unf.edu, for questions concerning the data breach. Affected individuals are being advised to place a fraud alert on their credit files.

Source: http://www.unf.edu/info/databreach/, “UNF Alert,” undated.

 

Virus strikes University of Oklahoma computer

October 12, 2010

A virus recently compromised a clinic computer at the University of Oklahoma-Tulsa neurology practice to possibly retrieve sensitive documents on the machine.

How many victims? 19,264.

What type of personal information? Patient names, telephone numbers, addresses, birth dates, Social Security numbers, medical records, insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports and service dates. In some records, guarantor information was also included.

What happened? The virus was detected on or about July 28.

Details: It is not possible to determine if any sensitive documents were accessed. Further, neither the university nor the clinic has any indication that the information has been used for illegal or wrongful purposes.

What was the response? An investigation into the incident was initiated after the compromise was discovered. The clinic has implemented steps to ensure the safety and privacy of data, such as increasing the frequency of software and security updates. Letters have been sent to affected patients. Those with questions about the breach are being advised to contact the clinic at (918) 619-4542 or (866) 836-3150.

Sources: News release, “OU Tulsa Neurology Clinic Computer Compromised,” Sept. 24, 2010.
U.S. Department of Health and Human Services, "Breaches Affecting 500 or More Individuals."

 

Grocer Aldi discloses breach of payment terminals

October 12, 2010

Grocery chain Aldi is warning customers that their payment card information may have been stolen after fraudsters placed altered point-of-sale terminals at a number of Aldi stores in 11 states.

How many victims? Undisclosed.

What type of personal information? Names, card account numbers, PINs.

What happened? The altered payment terminals were placed between June 1 and Aug. 31 at stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina and Virginia.

Details: An Aldi spokeswoman declined to say how many stores, payment card terminals or customers were affected by the breach. However, more than 200 people who had shopped at an Aldi store in Wheeling, Ill. told law enforcement that they discovered unauthorized withdrawals of $100 to $900 from their bank accounts, according to reports. And, police in St. Charles, Ill. have said they received 32 reports of debit card fraud from people who had shopped at Aldi.

The company said it does not believe that any employees were involved in the breach.

Quote: “We take our obligation to safeguard our customers' personal information very seriously and we sincerely regret that this incident may affect our customers,” Terry Pfortmiller, vice president of finance and administration at ALDI, said in a statement.

What was the response? The breach has been reported to federal authorities. The company said it is investigating and believes it has removed all affected machines from its stores. Additionally, new security measures have been implemented to prevent a similar incident from reoccurring.

Aldi has recommended customers review and monitor their payment card statements and credit reports. Those who believe they were affected by the breach should immediately contact their bank or payment card company and local law enforcement. Customers with questions are advised to call Aldi at (877) 412-7152 or visit www.aldi.us.

Sources: Associated Press, “Grocer Aldi says vandals compromised payments,” Oct. 1, 2010.
Aldi news release, “Aldi Notifies Customers of Tampered Payment Card Terminals,” Oct. 1, 2010.
 

Device with sensitive data stolen from Rice University

September 15, 2010

A device containing the personal information of thousands of faculty and staff members at Rice University in Houston was recently stolen.

How many victims? 7,250.

What type of personal information? Names, addresses, birth dates, employee identification numbers, salaries and emergency contacts.

What happened? To protect victims, the Rice University Police Department is not releasing specific details about how the theft occurred.

Details: The device contained at least two sensitive files, one of which included Social Security numbers, mostly for Rice employees. The other document contained the personal information, excluding Social Security numbers, of Rice employees and students on the university payroll as of January.

To date, there is no evidence that an unauthorized person has discovered or used the data.

What was the response? Letters are being sent to affected individuals, who will be offered resources to help protect them from identity theft. Houston police are investigating the incident.

Source: http://abclocal.go.com/ktrk/index, KTRK-TV Houston, “Personal info stolen from 7,250 associated with Rice U.,” Sept. 13, 2010.

 

Data on thousands of NYC college students on stolen laptop

September 07, 2010

The personal information of thousands of New York college students was stored on a computer that was stolen.

How many victims? 7,000.

What type of personal information? Names and Social Security numbers.

What happened? The computer, which was password protected but contained a database full of sensitive information about City College of New York (CCNY) students, was stolen a few weeks ago and has not yet been found.

What was the response? Letters are being sent to affected individuals. A spokesperson for the school said there is no evidence that anyone's personal information has been compromised. CCNY said it is making efforts to ensure that computers containing sensitive information are better protected in the future.

Source: 7online.com, WABC-TV, “Computer stolen with students' information,” Sept. 7, 2010

 

Delaware retirees' personal information posted on state website

August 31, 2010

The personal information of Delaware state retirees was included in a request for proposal (RFP) that made its way onto the state's website for five days before it was discovered and removed.

How many victims? 22,000.

What type of personal information? Social Security numbers, genders and dates of birth.

What happened? The RFP, which contained sensitive state retirees' information, was prepared by Aon, a consulting company that provides services to the state of Delaware for health and benefit programs. Aon prepared the document for the state to solicit bids from insurance companies interested in providing vision benefits to state employees and retirees. The RFP was posted to the procurement section of the state website to allow interested bidders access to the proposal document.

State staff discovered and removed the document five days after it was posted.

Details: The document did not include retiree names or current state employee information.

What was the response? Letters are being sent to affected individuals who will be offered one year of free credit monitoring.

Source: http://www.newarkpostonline.com/, Newark (Del.) Post, “State employee retirees' Social Security numbers posted on website by vendor,” Aug. 30, 2010.

 

Stolen UConn laptop contained applicants' personal information

August 20, 2010

A laptop containing sensitive data from University of Connecticut applications recently was stolen.

How many victims? 10,174.

What type of personal information? Names and Social Security numbers.

What happened? The laptop, which was being kept in a storage cabinet at the UConn West Hartford campus' information technology department, was discovered missing on Aug. 3.

Details: The computer had undergraduate admissions files that contained contact information and Social Security numbers of the applicants. The information spans the period from 2004 through July 30, 2010.

There is no indication the laptop was stolen for the purpose of identity theft.

What was the response? Steps have been taken to prevent unauthorized access to the university through the computer. UConn police are looking into whether school security policies were followed.

Affected individuals are being notified about the breach and offered free credit monitoring coverage for two years.

Source: www.westhartfordnews.com, West Hartford News, “Laptop with Social Security numbers stolen from UConn West Hartford,” Aug. 19, 2010.

 

Personal data of unemployed Oregon residents, psychology patients stolen

August 16, 2010

Two Oregon car burglaries in the past week have resulted in the loss of the personal information of thousands of Portland, Ore. psychology patients and unemployed state residents.

How many victims? 4,000 Portland, Ore. psychology patients and 2,900 unemployed state residents.

What happened? An unsecured laptop containing patient names, Social Security numbers and diagnoses was stolen from Oregon psychologist David Gostnell's vehicle during the weekend of Aug. 6. Separately, a data storage device containing the names and Social Security numbers of unemployed residents of Multnomah County in Oregon was stolen from the car of a Portland Community College (PCC) employee on Aug. 5.

Details: Gostnell runs a private practice in northeast Portland and works at Oregon Health & Science University. Records from patients Gostnell treated at OHSU were not on the stolen laptop.

The laptop was password-protected, but a disc left in the CD drive contained a partial backup of the hard drive, including sensitive patient information. His briefcase, which contained patient evaluation records, was also stolen. All of those records were recovered in a nearby trash bin shortly after the theft. Gostnell does not believe the items were stolen to obtain patient information.

Meanwhile, the PCC-related burglary involved the theft of a flash drive containing the personal information of participants in the Oregon Food Stamp Employment Transition Program, which is operated at PCC and provides support and job-hunting skills for unemployed Oregon residents. A PCC employee who worked at multiple sites was transferring the data from one site to another when the theft occurred. The flash drive was in a bag that was stolen from the car.

Quote: "There is no evidence that any name or Social Security number has been used so far," said Dana Haynes, spokesman for PCC.

What was the response? Individuals who have been evaluated by Gostnell can call (877) 461-7657, if they have questions about the matter.

PCC has sent letters to affected individuals and offered them a one-year subscription for credit-protection services. The college also has posted credit protection information online.

Source: http://www.oregonlive.com/, The Oregonian, “Car thieves get personal data on Portland psychology patients, unemployed Oregonians,” Aug. 12, 2010.

 

Information of students and employees at six Florida colleges exposed

August 11, 2010

The confidential information of students and employees at six Florida community colleges was publicly available on the internet for five days due to a state library service center software glitch.

How many victims? 126,000.

What type of personal information? Unspecified data that is protected under Florida state law. This means it may have included names, Social Security numbers and driver's license or Florida information card numbers. Compromised information did not include financial or library records.

What happened? The College Center for Library Automation (CCLA), which provides services and resources to Florida's public colleges, determined the breach happened as a result of a software upgrade.

The information was available online from May 29 to June 2. Six state community colleges were affected because their borrower records were contained in temporary work files that were being processed at the time the breach occurred. The library agency learned of the incident on June 23, after a student reported finding personal information through a Google search.

Officials from the library agency said they believe the information was viewed by unauthorized individuals, but there is no evidence the data has been misused.

Details: Employees and students were affected at Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College and Tallahassee Community College.

Quote: "We pride ourselves on protecting private information and deeply regret this inadvertent exposure," said Richard Madaus, CEO of CCLA. "I apologize to those involved for any worry or inconvenience this may cause them. We will continue to enhance our technology to safeguard all of the information entrusted to us."

What was the response? Affected individuals are being notified by letter. Additionally, the agency began an investigation after discovering the breach, and the case has also been turned over to the county sheriff's office.

Source: Sun-Sentinel.com, South Florida Sun-Sentinel, “Broward College student data exposed,” Aug. 10, 2010.

 

Laptop containing patient data stolen from Philadelphia hospital

August 04, 2010

A laptop containing the personal information of patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia.

How many victims? 21,000.

What type of personal information? Names, birth dates, insurance information and Social Security numbers.

What happened? The laptop was stolen from an office in the hospital on June 14.

A hospital employee violated policy by copying data from the hospital's computer system to a laptop. The employee will be subject to unspecified disciplinary action.

Details: The laptop was password-protected, but the data was not encrypted.

Quote: “As upsetting as it is for me, I know it is even more upsetting for the people who have gone through it and I am really sorry that they have to deal with this,” said Thomas Lewis, Jefferson's president and chief executive.

What was the response? Jefferson has notified affected individuals and offered to provide them with identity theft protection services. Risk consultancy firm Kroll was brought in to conduct an investigation into the incident. Also, an internal review of hospital policies and procedures was carried out to ensure a similar incident does not occur in the future.

Source: Philly.com, “Huge loss of patient data at Jefferson,” July 29, 2010.

 

Sensitive thumb drive missing from New Jersey hospital

August 02, 2010

A thumb drive containing the personal data of current and former graduate medical education residents and fellows at Cooper University Hospital in Camden, N.J. has gone missing.

How many victims? Unspecified.

What type of personal information? Social Security numbers, addresses and phone numbers.

Details: The thumb drive went missing on July 8. No employee or patient information is believed to have been compromised.

What was the response? Affected individuals have been notified. Additionally, the hospital reported the incident to state and local police, who are investigating the incident. The hospital also is conducting an investigation and has initiated a plan to protect any personnel who could be affected by the breach.

Quote: "Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive," the hospital said in a statement.

Source: 6abc.com, 6 ABC Action News, “Potential security breach at Cooper Univ. Hospital,” July 28, 2010.

 

Employee at Maryland state agency posts client information online

July 21, 2010

The personal information of clients of the Maryland Department of Human Resources (DHR) recently was posted on a third-party website, where it remained for nearly three months.

How many victims? 3,000.

What type of personal information? Social Security numbers and other unspecified personal information.

What happened? The information was posted by an employee of the Maryland DHR, a state agency that provides benefits, such as food stamps and other aid, to clients. The employee has since been placed on administrative leave and could face disciplinary action.

The breach was discovered by staff of the Liberty Coalition, a nonprofit that promotes individual freedoms. The group's privacy director, Aaron Titus, said the information was posted from April 27 to July 14.

Staff members at Liberty Coalition tried to notify DHR officials about the breach on July 9 but were unsuccessful until July 12. The data was taken down on July 14.

Details: There currently is no evidence that the information was used for identity theft.

Quote: "We take the privacy of the data that's entrusted to us very seriously," said DHR spokeswoman Nancy Lineman.

What was the response? An investigation into the incident was initiated. Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.baltimoresun.com, The Baltimore Sun, “State employee posts nearly 3,000 SSNs online,” July 19, 2010.

 

Sensitive database compromised at Buena Vista University

July 21, 2010

A sensitive database belonging to Buena Vista University in Iowa was compromised, exposing the information of students and staff.

How many victims? 93,000.

What type of personal information? Social Security numbers, addresses and driver's license information.

What happened? An investigation conducted by auditing and advisory firm KPMG revealed "some irregularities" in Buena Vista University's network. It was confirmed that unauthorized access to the database occurred in June.

Details: Personal information of students and staff dating back to 1987 could be vulnerable.

University President Frederick Moore has apologized for the incident and said that the university is trying to mitigate potential harm.

Quote: “We do not believe any of the information was misused or provided to a third party,” a university spokesperson said.

What was the response? The case has been handed over to the U.S. attorney's office, which is conducting an investigation into the matter.

Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.SCMagazineUK.com, SC Magazine UK, “Personal details of 93,000 staff and students at US university could be exposed after database compromise,” July 19, 2010.

 

American Airlines hard drive stolen

July 09, 2010

A hard drive containing the personal information of tens of thousands of current and former employees of American Airlines recently was stolen from the company's Fort Worth, Texas headquarters.

How many victims? 79,000.

What type of personal information? Names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information. Additionally, some health insurance information may have also been included — mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

Details: The stolen hard drive contained images of microfilm files that contained the sensitive information. Some of the employee files also contained information on beneficiaries and dependents. The data spans a period from 1960 to 1995.

What was the response? Affected individuals have been notified and offered one year of free credit monitoring services. Additionally, the airline has increased security at its headquarters, including testing its computers for vulnerabilities. An investigation into the incident is currently ongoing.

Source: cbs11tv.com, “American Air Parent Claims Worker Data Compromised,” July 2, 2010.

 

Hacker accesses sensitive University of Hawaii server

July 07, 2010

A cybercriminal recently gained access to a University of Hawaii at Manoa (UH-Manoa) parking office computer server that contained the personal information of tens of thousands of individuals.

How many victims? 53,000.

What type of personal information? Names, Social Security numbers, addresses, driver's license numbers, vehicle information and credit card information.

Details: A server used by the UH-Manoa parking office was accessed on May 30, though school officials are unsure how the cybercriminal gained entry. The hacker left behind a virus on the server. The breach was discovered during a routine audit on June 15.

There were 40,870 Social Security numbers and 200 credit card numbers on the server. Those affected include UH-Manoa faculty and staff members employed in 1998, along with anyone who did business with the parking office between Jan. 1, 1998, and June 30, 2009.

Students who paid for parking passes using a credit card were not affected.

Quote: "There is no indication that any information was misused, downloaded or viewed by the hacker,” said Gregg Takayama, a university spokesman.

What was the response? Social Security numbers, which are no longer used for parking transactions, are being removed from all parking databases. The university is strengthening its internal automated network monitoring practices and performing evaluations of systems to identify other potential security risks.

Affected individuals have been notified by mail and email. The matter was turned over to Honolulu police, the FBI and UH-Manoa's forensic investigator.

Source: Staradvertiser.com, Honolulu Star Advertiser, “UH breach affects 53,000,” July 7, 2010.

 

Mass. secretary of state's office accidentally releases sensitive data

July 07, 2010

The Massachusetts secretary of state's office earlier this year accidentally released the confidential personal information of state-registered investment advisers to a business publication.

How many victims? 139,000.

What type of personal information? Names, Social Security numbers, birth dates and locations, in addition to height, weight, and hair and eye color.

Details: The information was on a CD-ROM sent to IA Week, an investment industry publication, in response to a request for public information. The publication originally asked the office's Securities Division, overseen by Secretary of State William Galvin, for a list of registered investment companies but was instead sent a list of individual investment professionals.

A new employee working in the division caused the error by failing to delete the Social Security numbers and other information, which is normally withheld. IA Week returned the CD-ROM in June with a letter stating it had not made any copies of the data.

Quote: “It's an unfortunate mistake,” said Brian McNiff, a spokesman for Galvin. “It obviously was not done according to [standard] practice.”

What was the response? The Securities Division currently is trying to determine whether it needs to notify affected individuals, since all data was recovered, and there is no reason to believe it was ever misused.

Source: boston.com, The Boston Globe, “State's error unveiled Social Security numbers,” July 6, 2010.

 

Hackers compromise Destination Hotels' credit card system

June 30, 2010

Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system.

How many victims? Unknown.

What type of personal information? Credit card numbers.

What happened? According to the hotel, remote attackers installed a malicious program into the card processing system.

Details: Only those hotels where credit cards are physically swiped appear to be affected. The malware has been removed, and the locations again are normally processing transactions.

What was the response? The Englewood, Colo.-based hotel chain is notifying guests who stayed at the affected properties and encouraging them to contact their credit card companies to ensure no fraud was perpetrated.

Quote: “We are concerned for our guests and we sincerely regret any inconvenience this may cause them,” said Charlie Peck, the hotel's president and chief operating officer. “We know we are not the first hotel company to be victimized by this kind of attack, but our greatest concern is for our guests who may be affected as well.”

Source: Destination Hotels & Resorts news release, "Destination Hotels reacts swiftly to credit card interception," June 24, 2010.


University of Maine student information exposed

June 30, 2010

Hackers recently gained access to a pair of file servers containing the personal information of University of Maine students who received counseling services at the school for the past eight years.

How many victims? 4,585.

What type of personal information? Names, Social Security numbers and clinical information.

Details: Every student who sought counseling services from the school's counseling center between Aug. 8, 2002 and June 21 of this year is affected, school officials said. Currently, it is unclear whether the data was viewed or downloaded.

The university's investigation began on June 16, after counseling center staff reported having trouble obtaining files on the server. The investigation revealed that one of the servers was compromised as early as March 4. After gaining access to the initial machine, the hackers infiltrated a second server.

The Maine Legislature also announced this week that one of its websites was hacked and infected with malware, IT officials said. The site, which details the status of bills, currently remains offline.

The two incidents are likely related.

Quote: "This sort of crime is in every way, shape and form an insidious affront to the rightful privacy expectations of our students," said University of Maine's Dean of Students Robert Dana.

What was the response? University of Maine police are leading an investigation into the hacking incident, along with federal prosecutors and computer crimes experts from the U.S. Secret Service. Affected individuals will receive a one-year subscription for credit monitoring services. In addition, the school is taking additional but unspecified steps to prevent future breaches.

Source: http://www.mpbn.net, The Maine Public Broadcasting Network, “Hackers Compromise UMaine Servers, Legislative Web site,” June 29, 2010.


Florida International University discovers sensitive database unsecured

June 25, 2010

The personal information of Florida International University students and faculty members was discovered in an unsecured database that may have been accessible to the public.

How many victims? 19,000 students and 88 faculty members.

What type of personal information? GPAs, test scores and Social Security numbers.

What happened? The unsecured database was used in connection with the College of Education students' E-Folio software application, used to capture students' mastery of state of Florida and national teacher education standards through the tracking of grades, test scores, completed assignments and other data elements. The database has since been secured.

Details: There is no indication that any unauthorized individuals retrieved information from the database.

What was the response? The university is notifying all affected individuals.

Source: news.FIU.edu, News at FIU – Florida International University, “University to notify students and faculty regarding unsecure database,” June 22, 2010.


Personal data exposed on Anthem Blue Cross website

June 25, 2010

UPDATE: Indianapolis-based health insurance company WellPoint, which runs Blue Cross plans in 14 states, recently revealed that it has notified a total of 470,000 individuals potentially affected by this breach, including the 230,000 customers of its Anthem Blue Cross subsidiary in California.

The personal information of hundreds of thousands of Blue Cross customers was recently exposed following a website glitch made by a third party.

How many victims? 230,000.

What type of personal information? Medical records and Social Security numbers.

What happened? The appropriate security measures were not put in place following an October 2009 upgrade of the company's website made by a third-party vendor, said Anthem spokeswoman Cynthia Sanders. As a result, a site user was able to manipulate web addresses to access confidential information.

A class-action lawsuit was filed on behalf of individuals whose information was in jeopardy.

It's unknown how many people worldwide may have accessed the site illegally. According to Anthem's investigation, the vast majority of unauthorized access was from the plaintiff of the lawsuit and her attorneys, Sanders said.

The attorneys downloaded some information from the site, but have since returned it to the court system.

Meanwhile, this is not the first time WellPoint has experienced a breach. In 2008, it was discovered that the personal information of about 128,000 WellPoint customers from several states was publicly available on the internet. And in 2006, backup computer tapes containing the personal information of 200,000 members were stolen.

Quote: “We were told by a third-party vendor that all security measures were in place,” Sanders said. “As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately.”

Details: Applicants under age 65 who were applying for individual policies were affected by the breach.

What was the response? The company is offering affected individuals a free one-year subscription for identity protection services.

Source: Associated Press, “Anthem Blue Cross glitch exposed personal data,” June 23, 2010.

Update Source: Associated Press, “Security glitch exposes WellPoint data again,” June 29, 2010.


PSU finds computer containing SSNs to be under botnet control

June 03, 2010

A computer containing thousands of Social Security numbers was found to be under the control of a botnet.

How many victims? 15,800.

What type of personal information? Social Security numbers.

What happened? The university discovered that a machine in the campus' Outreach Market Research and Data office was communicating with a botnet's command-and-control center. As it turned out, the computer contained a cached copy of Social Security numbers, which formerly were housed in a database that was removed from the computer in 2005 when the university stopped using the numbers as identifiers.

Details: There is no evidence the information has been exposed to criminals.

What was the response? The university plans to send out notification letters to victims.

Source: http://www.centredaily.com, Centre Daily Times, “PSU notifying 15,800 on Social Security breach,” June 3, 2010.


Charlotte, N.C. notifies thousands of city workers of data loss

May 27, 2010

The city of Charlotte, N.C. recently notified thousands of current and former city employees that their personal information went missing in the mail.

How many victims? 5,220.

What type of personal information? Social Security numbers for all those affected and prescription-drug information for five individuals.

What happened? Two DVDs containing the sensitive information failed to arrive at the offices of Towers Watson & Co., the city's benefits consulting firm, based in Atlanta. The city of Charlotte was notified of the lapse on Feb. 23 and has blamed a mail-service provider working with Towers Watson.

Details: The files on the DVDs were not encrypted and thus were in violation of Towers Watson's policies.

What was the response? The city has notified all affected individuals, the North Carolina attorney general's office and the secretary of health and human services.

Towers Watson has offered affected individuals two years of free identity-theft monitoring services.

Source: http://charlotte.bizjournals.com, Charlotte Business Journal, “Charlotte loses data on 5,220 city workers,” May 26, 2010.



Laptop theft puts thousands of N.M. Medicaid users at risk

May 13, 2010

UPDATE: The stolen laptop also contained the personal information of more than 10,000 Tennessee residents enrolled in TennCare, Tennessee's Medicaid managed care program, and CoverKids, a program that provides free health coverage for uninsured Tennessee children. Of the affected Tennessee residents, 12 were CoverKids members and the rest were TennCare members. DentaQuest plans to send notification letters to affected Tennessee residents next week. Those affected will be offered one year of free ID theft prevention services.

An unencrypted laptop containing the personal information of thousands of New Mexico citizens enrolled in the state's Medicaid Salud plan was stolen in late March.

How many victims? 9,500

What type of personal information? Names, health plan identification numbers and provider identification numbers. In some cases, the health plan identification number was the same as the individual's Social Security number.

What happened? The laptop was in the trunk of a vehicle that was stolen on March 20 in Chicago. The vehicle belonged to an employee of a subcontractor to DentaQuest, the company that processes claims and provides dental benefits for New Mexico's Medicaid program.

Details: The computer was password protected but did not have any other safeguards to prevent unauthorized access to the information.

Quote: “At this time, the stolen car and laptop have not been recovered, and it is not known whether the information on the laptop has been accessed,” the New Mexico Human Services Department said in a statement.

What was the response? The state agency has informed the U.S. Department of Health and Human Services and is working to notify affected individuals. In addition, the agency launched an investigation into the breach.

Source: http://newmexicoindependent.com, The New Mexico Independent, “Stolen laptop puts thousands of New Mexicans at risk for ID theft,” May 11, 2010.

Update Source: www.wsmv.com, WSMV 4 News, “Stolen Computer Contains Private TennCare Info,” June 11, 2010.


Kentucky psychiatric hospital loses sensitive flash drive

May 03, 2010

A flash drive containing personal patient information recently went missing from Our Lady of Peace, a 278-bed psychiatric hospital in Louisville, Ky.

How many victims? 24,600.

What type of personal information? The flash drive may have included patient names, room numbers, date of assessment, date of birth, insurance company names, along with admission and discharge dates. It did not include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses.

What happened? The drive went missing on either March 31 or April 1 and has not yet been found. The hospital's compliance and privacy officers were notified of the loss on April 1. Hospital staff subsequently conducted an investigation that involved reviewing security tapes, interviewing employees and analyzing the computer's usage history.

Hospital officials have not revealed how the breach happened.

Details: Hospital staff has taken “appropriate disciplinary action” following the incident but would not provide any additional details.

Quote: “We have taken this breach very seriously,” the hospital said in a statement. “Patient confidentiality is sacred to us and our patients.”

What was the response? Letters have been sent to affected individuals. In addition, hospital officials said they are taking steps internally to prevent similar breaches from occurring in the future. These steps include re-educating employees about how to handle patient information and protect electronic information, and using encryption on software and computers.

Source: courier-journal.com, The (Louisville, Ky.) Courier-Journal, “Data on 24,600 hospital patients missing,” April 29, 2010.


Laptops stolen from California health care organization

May 03, 2010

Five laptops containing tens of thousands of medical records were recently stolen from Fullerton, Calif.-based St. Jude Heritage Medical Group.

How many victims? More than 20,000.

What type of personal information? Social Security numbers, dates of birth and, in some cases, health-related information.

What happened? Thieves stole the computers from the St. Jude Heritage Healthcare Clinical Management Services building.

Details: There have been no reports of stolen personal information being used illegally.

Quote: "The data that was stolen originated from private practice physicians," St. Jude Heritage Healthcare spokesman Kevin Andrus said in a statement. “St. Jude Heritage Healthcare is an administrative foundation that contracts with physicians, so that's why the data was there.”

What was the response? Letters have been sent to affected individuals, who have been offered a one-year subscription for credit monitoring and restoration services.

Source: http://abclocal.go.com/kabc/index, KABC-TV Los Angeles, “O.C. St. Jude warns patients of stolen data,” April 20, 2010.


Health information contained on physician's stolen laptop

April 20, 2010

A laptop containing the demographic and health information of thousands of patients was stolen from a physician affiliated with the Massachusetts Eye and Ear Infirmary.

How many victims? 3,526.

What type of personal information? Compromised information may have included: names, addresses, telephone numbers, email addresses, birth dates, ages, sex, medical record numbers and dates of service. In addition, the compromised information may have included medical information, such as diagnoses, symptoms, test results and prescriptions, along with patient pharmacy information. Information on four individuals also included their pharmacy insurance account numbers.

What happened? The laptop, which belonged to a neurologist who focuses on ringing in the ears, was stolen on February 19 while the physician was lecturing in South Korea.

Details: The laptop contained information about patients who were treated by the physician between Feb. 3, 1988 and Feb. 16, 2010, and of a small number of individuals who participated in tinnitus research.

The computer was password protected and contained a tracking device that on April 9 was used to permanently disable the hard drive and render any information, including information about affected patients, permanently unreadable.

There is no indication that the information on the stolen computer was accessed or used inappropriately.

Quote: "Mass. Eye and Ear apologizes to those affected for any concern, inconvenience, or risk that this incident may cause," John Fernandez, Mass. Eye and Ear president and CEO, said in a statement. "We regret that this incident occurred and are taking appropriate steps to protect individuals associated with Mass. Eye and Ear who may have been affected by this breach and to limit or prevent where possible such breaches in the future."

What was the response? Letters are being sent to affected individuals at their last known address. In addition, the hospital has posted a notice about the breach on its website.

Affected individuals are being offered a free year-long subscription for credit monitoring, identity theft insurance and restoration services.

To prevent future breaches, Mass. Eye and Ear is updating its information security program by deploying encryption to laptop computers that connect to the organization's computer network. In addition, employees are being provided education about the importance of limiting data stored on laptops.

Source: http://www.masseyeandear.org, Massachusetts Eye and Ear Infirmary, “Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach,” April 20, 2010.


Sensitive laptops stolen from California hospital system

April 07, 2010

Two laptops containing sensitive patient information recently were stolen from California-based hospital system John Muir Health.

How many victims? 5,450.

What type of personal information? Unspecified.

What happened? The laptops, which contained patient information dating back more than three years, were stolen in February from a locked and guarded building at the John Muir Physician Network Perinatal office in Walnut Creek, Calif.

Details: The laptops were password protected and contained data in a format that would not have been readily accessible. There is currently no evidence that the sensitive information has been accessed or used inappropriately.

Quote: “We apologize for any inconvenience or anxiety this incident may cause our patients,” said Hala Helm, John Muir's vice president and chief compliance and privacy officer. “We take this issue very seriously and are committed to protecting the personal and health information of our patients.”

What was the response? After discovering the theft, local police and the U.S. Department of Health and Human Services were notified. An investigation into the incident was carried out by law enforcement, external vendors and internal experts to determine what information was stored on the laptops and whether it could be accessed.

Affected individuals have been notified and offered a one-year free subscription for credit monitoring services.

John Muir has implemented additional security measures, including data encryption software on laptops, to protect patient information.

Source: http://sanfrancisco.bizjournals.com/sanfrancisco/, San Francisco Business Times, “John Muir Health to notify 5,450 patients of data breach,” April 5, 2010.


Stolen Vanderbilt University desktop contained students' personal information

March 18, 2010

A Vanderbilt University professor's desktop computer, containing the personal information of thousands of current and former students, was recently stolen.

How many victims? 7,174.

What type of personal information? Names and Social Security numbers.

What happened? The theft occurred during the weekend of Feb. 6 at the Nashville, Tenn. university.

Details: The desktop belonged to a professor who kept a database of his grade book, including Social Security numbers for some students. Among the victims, the breach affects 1,173 current undergraduate students and 174 current graduate students.

What was the response? Letters have been sent to affected individuals, who have been offered a free year of identity protection and credit monitoring services, along with a $1 million identity theft insurance policy.

In addition, a letter was sent to all academic deans advising them to eliminate personal student information from their files and to not collect it in the future.

Source: InsideVandy.com, InsideVandy, “Student information part of security breach,” Mar. 16, 2010.


Arkansas National Guard external hard drive goes missing

March 10, 2010

UPDATE: The external hard drive was discovered at the home of a guard member's family member in Virginia while the soldier was on temporary duty there. The drive was recovered and destroyed on May 15, 2010.

An external hard drive containing the personal information of tens of thousands of Arkansas National Guard soldiers recently went missing.

How many victims? 35,000.

What type of personal information? Names, Social Security numbers and other unspecified personal information.

What happened? An Arkansas National Guard soldier reported the loss after an unsuccessful search for the drive, which was first noticed missing on Feb. 15. The unencrypted drive was a backup storage device the soldier had used to archive work-related information over the past six years.

The device was last used in November.

Details: A team of guardsmen reviewing the data known to be on the missing drive has discovered that one of the files was a personnel database containing information on all soldiers who have served in the Arkansas Army National Guard since 1991.

There is no evidence that the device was stolen.

What was the response? The guard is working to identify those affected and alert them of the breach. The incident is under investigation to help ensure steps are taken to help prevent a similar breach from occurring in the future.

Source: KTLO.com, KTLO News, “Arkansas National Guard alerting soldiers of data loss,” March 5.


Westin hotel's point-of-sale system possibly hacked

March 09, 2010

The Westin Bonaventure Hotel & Suites in Los Angeles recently revealed that hackers may have broken into its point-of-sale systems.

How many victims? Unspecified.

What type of personal information? Names, credit or debit card numbers and card expiration dates.

What happened? At some point between April and December 2009, the point-of-sale system for the hotel's four restaurants and valet parking service may have been illegally accessed by outside hackers. The intruders may have used this entry to obtain sensitive information.

Details: The hackers did not obtain any information from the computer system used to store hotel guest information. In addition, the compromise did not affect any charges made to guests' rooms.

Quote: “We value our customers' privacy and deeply regret that this incident may have occurred,” the hotel wrote in a notification letter on its website.

What was the response? The hotel is working with law enforcement and forensic investigators. In addition, it has conducted a review of its computer systems to ensure a similar incident does not recur. The hotel is offering free credit-monitoring services for one year to affected individuals.

Source: Westin Bonaventure Hotel & Suites, “Data Security Notification,” Feb. 20, 2010.


Wyndham Hotels suffers another data breach

March 09, 2010

Wyndham Hotels and Resorts (WHR) recently revealed that it was the victim of another data breach after hackers broke into its computer systems and stole customer payment card data and other sensitive information.

How many victims? Unknown, but the breach affects a “small percentage of our WHR customers,” the company said in an open letter to customers.

What type of personal information? Cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe.

Birth dates, Social Security numbers, addresses or other personally identifying information were not kept by the hotels and are not part of the compromise.

What happened? In late January, WHR discovered that a sophisticated hacker broke into the computer systems of one of its data centers. By going through the centralized network connections, the hacker was able to access and download sensitive customer information from several, but not all, of the WHR hotels.

Details: Last year, WHR suffered a separate data breach after a hacker accessed its computer systems and downloaded information from several WHR properties.

Quote: “We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem,” WHR's open letter to customers states.

What was the response? The company ensured the hack was immediately caught and stopped, and the chain retained an investigator to assess the problem and help the company improve security. In addition, each impacted property is being investigated by a firm specializing in the Payment Card Industry Data Security Standard (PCI DSS) to assess and improve compliance.

WHR is working to notify affected individuals and plans to offer them free credit monitoring services. WHR has also notified the U.S. Secret Service, as well as several states' attorneys general offices with information about the breach.

Source: Wyndham Hotels and Resorts, “Open letter to our customers,” February 2010.


Valdosta State University server improperly accessed

February 22, 2010

The IT department at Georgia-based Valdosta State University recently discovered that a school server, containing personal information of students and faculty, was accessed by an individual without authorization.

How many victims? 170,000.

What type of personal information? Grades and Social Security numbers.

What happened? Joe Newton, director of information technology at the university, said the breach was first detected on Dec. 11. It was determined that unauthorized access dated back to Nov. 11.

Details: An investigation has not yet determined if any personal data was stolen.

Quote: “An initial investigation has found no evidence that any personal data was accessed or transferred,” Newton said. “We regret the incident and are reviewing and revising our procedures and practices to minimize the risk of a recurrence.”

What was the response? The affected server was removed from the network and secured. The university is notifying affected individuals.

In addition, the university's police and division of information technology are conducting an investigation with the assistance of the Georgia Bureau of Investigation.

Source: http://www.valdosta.edu/notify/, Valdosta State University, “Breach Notification for December 11, 2009 Security Incident.”