The Data Breach Blog

Indiana University hospital hacked to steal data

February 01, 2012

Malware may have allowed attackers to make off with the personal information of thousands of people connected to Indiana University Health Goshen Hospital.

How many victims? 12,374 job applicants and fewer than 500 patients.

What type of personal information? Names, addresses, and Social Security numbers of applicants, and Social Security numbers, insurance data and medical service information belonging to people who registered for outpatient procedures and for the maternity unit.

What happened? On Dec. 22, a virus was discovered on a server. A security firm determined that hackers did indeed try to access the information, but it is unclear if they were successful.

What was the response? Letters were sent to victims, and the hospital plans to provide one year of free credit monitoring to them.

Source: chicagotribune.com, Associated Press, "N. Ind. hospital: Records may have been breached," Jan. 31, 2012. southbendtribune.com, "IU Health Goshen data hit by virus," Feb. 1, 2012.

 

Central Kentucky's largest group practice hit with patient data breach

January 31, 2012

A laptop storing patient data was stolen from the neurology department of Lexington Clinic on the night of Dec. 7, 2011.

How many customers? Lexington Clinic is sending letters to 1,018 patients.

What type of personal information? The computer stored patient names, contact information and diagnoses for some Lexington Clinic patients receiving services within the neurology department.

What happened? A laptop containing personally identifiable information of patients of Lexington Clinic was stolen overnight on Dec. 7, 2011. 

Details: Lexington Clinic, which operates offices in more than 25 locations throughout Central and Eastern Kentucky, said the stolen laptop did not contain the personal financial information of patients, such as Social Security, credit card or bank account numbers. Upon learning of the theft, the facility notified law enforcement authorities, and all door locks to the neurology department were changed. Additionally, the clinic publicly disclosed the breach to local media, and posted information about the breach on its website.

Quote: “There is no evidence thus far that any patient information has been misused...”

Source: Lexington Clinic release, "Lexington Clinic Notifying Patients of Information Security Breach," Jan. 30, 2012.

 

Some 2M possibly affected by NYSEG, RG&E data compromise

January 25, 2012

Unauthorized individuals gained access to the personal data belonging to customers of New York State Electric & Gas (NYSEG) and Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA. But an outside contractor is to blame.

How many customers? The companies did not disclose how many people were affected, but reports said the two utilities have about 1.8 million customers between them.

What type of personal information? Social Security numbers, birth dates and, in some cases, bank account numbers.

What happened? For unknown reasons, an employee at a third-party software development consulting firm permitted unauthorized access to one of the company's customer information systems.

Details: There is thus far no reason to believe that any of the information has been misused or that there was malicious intent on behalf of the employee.

Quote: “Public utilities are custodians of a great deal of personal customer information,” New York State Public Service Commission Chairman Garry Brown said. “As a result of this apparent data security breach, I have asked staff of the Department of Public Service to immediately initiate an investigation of the facts and circumstances surrounding this event.”

Source: NYSEG news release, Jan. 23, 2012. thedailynewsonline.com, The Daily News, "RG&E, NYSEG say customer information compromised," Jan. 23, 2012.

 

Hackers harvested City College of S.F. data since 1999

January 13, 2012

Fingers are being pointed at criminal networks based in Russia and China as the culprits behind the more-than-decade-long siphoning of personal banking information from students, faculty and staff of the City College of San Francisco.

How many victims? Perhaps tens of thousands.

What type of personal information? Personal banking information.

What happened? Following the Thanksgiving holiday, the college's data security monitoring service, USDN, detected at least seven viruses that activated each day at 10 p.m. and trawled the college's system (including its administrative, instructional and wireless networks), relaying data back to servers in Russia, China and several other countries.

What was the response? Victims, according to state law, must be notified. The college's CTO, David Hotchkiss, shut down the computer lab where the virus was originally detected and notified officials. An investigation is ongoing.

Source: www.sfgate.com, San Francisco Chronicle, "Viruses stole City College of S.F. data for years," Jan. 13, 2012

 

Loma Linda hospital worker fired for taking home private records

January 04, 2012

The private medical records belonging to some 1,300 patients and/or their guarantors at Loma Linda University Medical Center in California were compromised when a former hospital employee violated policy and brought the data home.

How many victims? 1,336.

What type of personal information? Birth dates, addresses, medical record numbers, driver's license numbers and, in some cases, Social Security numbers.

What happened? It is unclear how the worker accessed the data or whether it was used for fraud (or intended to be), but the records have since been secured.

What was the response? The worker was fired, and the hospital is investigating. Victims will receive one year of credit monitoring services.

Source: www.pe.com, The Press-Enterprise, "Loma Linda: Security breach affects 1,300-plus patients," Dec. 28, 2011.

 

Hackers steal 200,000 card numbers from wholesaler

December 19, 2011

Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.

How many victims? More than 200,000, according to reports. 

What type of personal information? Names, credit and debit card numbers, expiration dates and verification codes.

What happened? The thieves inserted malware into the company's credit and debit card processing systems, according to a Finextra report. The malware collected card information as it was processed and then sent it to a remote server in Russia.

Details: The breach affected those who shopped at Restaurant Depot wholesale outlets from Sept. 21 to Nov. 18. Some customers have been the victims of credit card fraud as a result of the breach.

What was the response? The company hired a computer forensic firm to investigate the incident and has taken unspecified steps to better protect card data. Restaurant Depot is offering affected individuals free credit monitoring and said it would reimburse victims for any breach-related costs they “reasonably incur.”

Source: Restaurant Depot letter to customers, Nov. 25, 2011.
 

Hackers steal credit card numbers from cash registers at UC Riverside

November 29, 2011

Hackers compromised cash registers at campus dining locations at the University of California, Riverside to hijack credit and debit card numbers.

How many victims? 5,000.

What types of personal information? Cardholder names, card numbers, expiration dates and encrypted versions of debit card PINs.

What happened? It is not clear how the hackers were able to compromise the registers.

What was the response? People who used their credit or debit cards at UC Riverside Dining Services locations from this past summer through Nov. 16 are being advised to monitor their credit card activity and report any fraud. The college has set up an information hot line.

Quote: "We are doing everything we can think of to notify people," Vice Chancellor Gretchen Bolar said.

Source: UCR Newsroom press release, "UC Riverside experiences a credit/debit card security breach," Nov. 29, 2011.

 

VCU server hacked to compromise personal data of 175K

November 14, 2011

Hackers accessed a sensitive computer server containing the personal information of faculty and students at Virginia Commonwealth University (VCU) in Richmond.

How many victims? 176,567.

What type of personal information? Names or electronic identification, Social Security numbers and, in some cases, dates of birth and home addresses. Affected individuals include current and former VCU and VCU Health System faculty, staff, students and affiliates, such as contractors and visiting professors. VCU Health System patients were not affected.

What happened? During routine monitoring, suspicious files were found Oct. 24 on a server containing sensitive data. The affected server was taken offline, and a forensic examination showed that intruders accessed the system from an IP address within the United States and stayed connected for 16 minutes.

Five days later, university officials found two unauthorized programs on a second server. Investigators determined that the attackers planted malicious programs on the first breached server, which enabled them to perform subsequent attacks and access other systems.

Details: School officials do not believe the attackers accessed the information for the purpose of conducting identity theft, though they did not say what they believe the hackers' motivation was. This is not the first breach VCU has experienced. In 2009, a university computer containing 17,214 Social Security numbers was stolen.

What was the response? The university is planning to hire an outside consultant to examine its information technology systems. Affected individuals are being notified. VCU police and the FBI are investigating the incident. The university is not providing affected individuals with free identity protection services because it deems the risk of identity theft low.

Source: http://www2.timesdispatch.com/, Richmond Times-Dispatch, “Breach exposes data at VCU,” Nov. 12, 2011.

 

Personal data of nine million Israelis posted online

October 26, 2011

Details emerged this week of an Israeli government contract worker believed to be behind a massive information theft case, in which the personal data of millions of Israeli citizens was stolen and subsequently posted online in a searchable database.

How many victims? More than nine million.

What type of personal information? Identification numbers, full names, addresses, dates of birth, information on family relationships, and other details.

What happened? According to authorities, in 2006, an Israeli government contractor made a copy of the data, which came from the country's "Population Registry," and took it home from work.

Details: The stolen information was then sold or provided for free to several individuals, including a developer who created a software program called “Agron 2006,” which allowed for detailed queries of the data. This searchable database was then uploaded to the internet by an individual with the alias “aRi,” who attempted to conceal his IP address.

Quote: The uploading of the database “will make it easier to carry out forgery and fraud, and provide the necessary information to carry out identity theft,” Israel's Justice Ministry said in a statement. “It helps create fraudulent documents that appear authentic, therefore allowing people to bypass security systems. It could also have an effect on the democratic processes in elections, in that it makes it easier for someone to impersonate someone else in the voting booth.”

What was the response? The Israeli Law, Information and Technology Authority has been investigating the case since 2009. Six people have been arrested in connection with the data leak, including the government contractor and “aRi.”

Sources: www.jpost.com, The Jerusalem Post, “Contract worker stole all Israelis' personal information,” Oct. 24, 2011.

www.jpost.com, The Jerusalem Post, “Justice Ministry cracks case of massive information theft,” Oct. 25, 2011.

 

Delaware pediatric health facility loses data on 1.6 million

October 11, 2011

Three unencrypted backup tapes containing the personal information of more than a million and a half individuals have gone missing from Nemours, a children's health system based in Wilmington, Del.

How many victims? 1.6 million.

What type of personal information? Names, addresses, dates of birth, Social Security numbers, direct deposit bank account numbers, and data on insurance and medical treatments.

What happened? The tapes, which were stored in a locked cabinet following a computer systems conversion completed in 2004, were reported missing on Sept. 8. It is believed they were removed around Aug. 10, during a facility remodeling project.

Details: The breach affects patients and their guarantors, vendors and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida who provided information between 1994 and 2004.

Quote: “This is an isolated incident unrelated to patient care and safety,” said David Bailey, president and chief executive officer of Nemours. “The privacy of our patients, their families and our employees and business partners is a high priority to all of us at Nemours.”

What was the response? Affected individuals are being notified and offered one year of free credit monitoring and identity theft protection. In addition, the company is taking steps to strengthen its data security practices, such as encrypting all computer backup tapes.

Source: http://www.nemours.org/, Nemours, “Nemours Reports Old Computer Backup Tapes Missing,” Oct. 7, 2011.