Chronology of Data Breaches
Transcription
Chronology of Data Breaches
Published on Privacy Rights Clearinghouse (http://www.privacyrights.org) Today's Date: Aug 04, 2010 Source URL (retrieved on 2010-08-04 04:30 ): http://www.privacyrights.org/data-breach Chronology of Data Breaches Chronology of Data Breaches Security Breaches 2005-Present Posted Date: April 20, 2005 Updated Date: August 3, 2010 Save or Print PDF of Entire Breach List [1] (* Including introduction.) Save or Print PDF If you do not have access to PDF, print Chronology in landscape view. Skip the introductory text and go directly to the listing [3] What does the Chronology of Data Breaches contain? What does the Total Number indicate? (* Select filters.) of data breaches below. [4] [5] Is the Chronology of Data Breaches a complete listing of all breaches? Are there state-specific breach listings? How often is the Chronology updated? [2] [6] [7] [8] Where do you obtain information about the data breaches that are reported on this Web page? What should I do if my personal information has been compromised in a data breach? [9] [10] Are there resources for businesses and other organizations on how to avoid having sensitive data breached? What should I do if my business or organization experiences a security breach? [11] [12] Do states have laws that require those entities that experience a data breach to notify the affected individuals? [13] Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse? [14] Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published? [15] Are there other resources with additional information about security breaches? [16] Go directly to the listing of data breaches [3] What does the Chronology of Data Breaches contain? The data breaches noted below [3] have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The breaches posted below include only those reported in the United States. They do not include incidents in other countries. What does the Total Number indicate? The running total [17] we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals. In reality, the number given below should be much larger. For many of the breaches listed, the number of records is unknown. Further, this list is not a comprehensive compilation of all breach data (see below [15] ). 1 Is the Chronology of Data Breaches a complete listing of all breaches? No, it is not a complete listing of breaches. The list is a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches. But the list is not a comprehensive listing. Most of the information is derived from the Open Security Foundation list-serve (see below) which is in turn derived from verifiable media stories, government web sites/pages, or blog posts with information pertinent to the breach in question. Many breaches (particularly smaller ones) may not be reported. If a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere. If you are aware of a breach that is not included in our list, below, feel free to contact us here: http://www.privacyrights.org/about_us.htm [18] . Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia’s notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin. For details, see the Open Security Foundation Datalossdb website: http://datalossdb.org/primary_sources [19] How often is the Chronology updated? We usually update this list twice each week. Where do you obtain information about the data breaches that are reported on this Web page? Most of the breaches summarized below on this page have been obtained from the Open Security Foundation list-serve. As of January 2010, we have expanded our sources to also include Databreaches.net, PHI Privacy and NAID. The Open Security Foundation's DataLossDB.org (www.datalossdb.org [20] ) offers a free e-mail list-serve on the latest breaches. To subscribe to DataLoss, send a message to: dataloss-subscribe@datalossdb.org [21] The DataLossDB.org page includes a search engine and news articles for the breaches listed below, and also provides an open source database of its data breach records. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. Visit http://datalossdb.org/download. [22] Beginning in January 2010, we have expanded the sources of our breaches. We now include the following sources: Databreaches.net (www.databreaches.net [23] ) is a spinoff from www.PogoWasRight.org [24] and compiles a wide range of breach reports since January 2009. Personal Health Information Privacy (www.phiprivacy.net/ [25] ), affiliated with Databreaches.net [23] , is a database that compiles only medical data breaches. National Associaion for Information Destruction, Inc (www.naidonline.org [26] ) provides monthly newsletters that include a number of data breaches largely due to improper document destruction. What should I do if my personal information has been compromised in a data breach? For tips on what to do if your personal information has been exposed due to a security breach, read our guide http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm [27] at [27] . Are there resources for businesses and other organizations on how to avoid having sensitive data breached? Learn about security and privacy protection practices for your workplace. "How Global Organizations Approach the Challenge of Protecting Personal Data," from Accenture (released April 27, 2010) https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx [28] and https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf [29] "Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,” (April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets. For press release, see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases [30] . "Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2010). https://www.otalliance.org/resources/Incident.html [31] "Security & Privacy -- Made Simpler,"from the Better Business Bureau www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf [32] “Protecting Personal Information: A Guide for Business,”from the Federal Trade Commission. www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf [33] “Information Security Handbook,”from the National Institute of Standards and Technology http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf [34] “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse www.privacyrights.org/ar/PreventITWorkplace.htm [35] The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California. “Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements,” www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf [36] 2 “A California Business Privacy Handbook,” www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf [36] '“Recommended Practices for Protecting the Confidentiality of Social Security numbers,” www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf [37] What should I do if my business or organization experiences a security breach? The following resources guide businesses who have experienced a security breach through the notification process and in working with law enforcement. “Recommended Practices on Notification of Security Breach Involving Personal Information,” from the California Office of Privacy Protection may be useful whether or not you are located in California. www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf [38] “Dealing with a Data Breach,” from the Federal Trade Commission www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html [39] Do states have laws that require those entities that experience a data breach to notify those affected? Yes. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches. It is the first of its kind in the nation, implemented July 2003. www.privacyrights.org/ar/SecurityBreach.htm [40] (description of California law, SB 1386) http://www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf [38] (recommended practices for compliance with the law) More than 40 of states have since passed laws requiring that individuals be notified of security breaches. For a list of states enacting security breach and freeze laws, visit these Web sites: Security breach notice laws provided by Consumers Union. www.defendyourdollars.org/2005/02/states_with_not.html [41] Nymity map, "Breach Notification laws of the United States," http://www.nymity.com/FormDownload.aspx?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89 Security Breach Notification Chart (Perkins, Coie) www.digestiblelaw.com/files/upload/securitybreach.pdf [43] State Data Breach Notification Laws (Scott&Scott) www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf [44] State Data Security Breach Legislation Survey & Matrix (Mintz Levin) [42] (registration required) www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf [45] State Laws Governing Security Breach Notification (Crowell Moring) www.crowell.com/pdf/SecurityBreachTable.pdf [46] Security freeze laws (Consumers Union) www.consumersunion.org/campaigns//learn_more/003484indiv.html [47] (Note: As of November 2007, the three credit bureaus enable individuals nationwide to freeze their credit reports.) PIRG's list of breach and freeze laws www.pirg.org/consumer/credit/statelaws.htm [48] Which states have laws that require breached organizations to report breaches and submit notice letters to a central clearinghouse? The state of Massachusetts requires that breached entities report data breaches to the Massachusetts Office of Consumer Affairs and Business Regulation. Breach report, September 18, 2008, www.mass.gov/Eoca/docs/idtheft/notificationsrpt20080918.pdf [49] The Open Security Foundation and Chris Walsh have compiled breach notice letters from the states that require breached entities to submit such letters to a central repository. These states are: Maryland, New Hampshire, New York, North Carolina, and Vermont. To view these letters, visit http://datalossdb.org/primary_sources [19] . Has anyone analyzed this and other data breach listings in order to compile statistics and arrive at other observations? Have any analyses of security breach laws been published? STATISTICAL ANALYSES HIMSS and Kroll study, "2010 HIMSS Analytics Report: Security of Patient Data" (April 2010). Study, www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data-Report.aspx [50] . (Registration required) News story, http://www.healthcareitnews.com/news/study-points-critical-gaps-hospital-data-security [51] . Fourth Annual U.S. Cost of Data Breach study (Ponemon Institute) (January 2009) http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html [52] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/20082009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf [53] Outpacing Change: Ernst & Young's 12th Annual Global Information Security Survey (2009) http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf [54] Deloitte 2009 TMT Global Security Survey (May 14, 2009) www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D262321%2C00.html?wt.mc_id=prDcom [55] 3 Your Botnet is My Botnet: Analysis of a Botnet Takeover (Brett Stone-Gross, et al, UC-Santa Barbara, 2009) http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf [56] (analysis of Torpig) Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry (Interhack, Matthew Curtin and Lee Ayres, April 2009) http://web.interhack.com/news/n2009/taxonomy [57] 2009 Data Breach Investigations Report (Verizon) http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf [58] Airport Insecurity: The Case of Lost & Missing Laptops (Larry Ponemon, June 30, 2008) http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Dell%20Executive%20Summary%20FINAL%20063008.pdf [59] More Than Half of Ex-Employees Admit to Stealing Company Data According to New Study, (Symantec, Ponemon, Feb. 2009) www.symantec.com/about/news/release/article.jsp?prid=20090223_01 [60] Data Hemorrhages in the Health-Care Sector [on P2P networks]. (Eric Johnson, Dartmouth College, Feb. 2009), http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf [61] Data Leakage Worldwide: White Paper (Cisco, 2008), http://cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html [62] "Education Sector Data Breach Study"(Joseph Campana, Nov. 2008), http://www.jcampana.com/JCampanaDocuments/EducationSectorDataBreachStudy.pdf [63] 2008 Data Breach Investigations Report (Verizon), www.verizonbusiness.com/resources/security/databreachreport.pdf [64] Adam Dodge has compiled a report, "ESI Year in Review - 2007," on the information security incidents occurring at colleges and universities around the world as reported in the news during 2007(posted February 10, 2008).http://www.adamdodge.com/esi/yir_2007 [65] For a statistical breakdown of types of breaches and an analysis by industry sector for 2006, see Beth Rosenberg's report,www.privacyrights.org/ar/DataBreaches2006-Analysis.htm [66] Jimmy Atkinson's "Ask the Advisor" blog features a post, "How Many Times Has Your Personal Information Been Stolen This Year?" at www.yourcreditadvisor.com/blog/2007/07/how_many_times.html [67] To use an online "calculator" to arrive at an estimated cost of a breach based on the number of records exposed, visit this Web site: www.tech-404.com/calculator.html [68] (no product endorsements are implied). LEGAL ANALYSES Read "Breach Patrol" (Christopher Danzig, Mary Swanton and Lauren Williamson, in Inside Counsel, May 2009), [69] www.insidecounsel.com/Issues/2009/May-2009/Pages/Breach-Patrol.aspx [69] Data Breach Notification Law Across the World from California to Australia (Alana Maurushat, Univ. of New South Wales Faculty of Law Research Series, 2009) http://law.bepress.com/cgi/viewcontent.cgi?article=1153&context=unswwps [70] Read the June 2008 study,"Do Data Breach Disclosure Laws Reduce Identity Theft?" (Sasha Romanosky et al) http://ssrn.com/abstract=1268926 [71] CSO Online, "Data Breach Notification Laws, State by State (with map)," (Feb. 12, 2008), www.csoonline.com/read/020108/ammap/ammap.html [72] . Read an analysis by California attorney Alan Mansfield about the California security breach law, [73] www.privacyrights.org/ar/notification_laws.htm [74] Read law school professors Schwartz and Janger's law review article on data breach notice laws, www.paulschwartz.net/pdf/datasec_schwartz-janger.pdf [75] Read commentary by Jeffrey Rawitz, Jones Day law firm, "Security Breach Notification Requirements" www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3225 [76] Read an analysis [77] of state security breach notice laws by Alan Wernick, Esq., in the Journal of AHIMA (Nov.-Dec, 2006) Read "Security Breach Notifications: a State and Federal Law Maze," (July 27, 2005) by Gibson, Dunn & Crutcher LLP [78] www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx [79] For a state-bystate analysis, view this chart [80] . Read "The Cyber Risks of Outsourcing " by Branner and Freeman (Sept. 2007) www.findarticles.com/p/articles/mi_m0BJK/is_10_18/ai_n19521336 [81] . Are there other resources with additional information about security breaches? U.S. Health & Human Services list of health-related breaches http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html [82] Maine Attorney General's Office, breach listing, as posted by Datalossdb: http://datalossdb.org/search/primary_sources/7-maine-attorney-general [83] Identity Theft Resource Center (contains links to news stories) www.idtheftcenter.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml [84] New Hampshire Dept. of Justice Security Breach List http://doj.nh.gov/consumer/breaches.html [85] Adam Shostack's blog http://emergentchaos.com/archives/category/breaches [86] Pogo Was Right 4 www.pogowasright.org [24] Read more about security breaches www.databreaches.net [87] , a service of Pogo Was Right (see above). Educational Security Incidents (Adam Dodge) www.adamdodge.com/esi/stolen_sungard_higher_education_laptop_contained_csu_system_student_information [88] Security Beat (includes links to news articles and offers free e-mail list-serve) www.numbrx.net [89] World Privacy Forum, Security Breaches in the Digital Medical Environment (scroll to section D of testimony) www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html [90] Choose the Types of Breaches to Display: Select organization Select type(s): year(s): Click or unclick the boxes then select go. BSO - Businesses Unintended disclosure (DISC) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail. Hacking or malware (HACK) - Electronic entry by an outside party, malware and spyware. - Other BSF - Businesses - Financial and Insurance Services BSR - Businesses Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals. Insider ( INSD) - Someone with legitimate access - Retail/Merchant 2005 2006 2007 2008 2009 2010 EDU - Educational Institutions GOV - GO! Select intentionally breaches information - such as an employee or Government and features, contractor. Military then click Physical loss (PHYS) - Lost, discarded or stolen nonMED - Healthcare GO. electronic records, such as paper documents - Medical Providers Portable device (PORT) - Lost, discarded or stolen NGO - Nonprofit Reset laptop, PDA, smartphone, portable memory device, CD, Organizations hard drive, data tape, etc Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility. Unknown or other (UNKN) Breach Total 494,692,655 RECORDS BREACHED (Please see explanation [91] about this total.) from 1,651 DATA BREACHES made public since 2005 Save or Print PDF [2] (* Select filters.) Save or Print PDF of Entire Breach List [1] (* Including introduction.) If you do not have access to PDF, print Chronology in landscape view. Search the entire database for a company or organization by name Search Date Made Public [92] Name Entity Type August 1, 2010 Guttenberg Housing Authority Guttenberg, New Jersey GOV HACK Total Records [93] Unknown An unauthorized individual may have accessed sensitive information on housing applicants and residents in late December 2009. The information may have included Social Security numbers, names and other personal identifying information. Information Source: Databreaches.net records from this breach used in our total: 0 1,101 (No reports of 5 July 31, 2010 The Center for Neurosciences Tucson, Arizona MED PORT 1,101 (No reports of SSNs or financial information) A visitor stole a laptop from an electromyogram and nerve conduction studies exam room on December 15, 2009. The computer contained names, dates of birth, referring physicians and reasons for neurophysiological tests. Information Source: PHIPrivacy.net July 31, 2010 records from this breach used in our total: 0 Montefiore Medical Center Bronx, New York MED STAT 39,000 Two computers were stolen during the weekend of May 22nd. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates for an unknown number of patients were on the computers. UPDATE (8/3/10): One computer was from the Finance Department and had the information of 16,000 patients; the second computer theft affected the records of 23,000 students from the School Health Program and their families. Information Source: PHIPrivacy.net July 30, 2010 records from this breach used in our total: 39,000 FIrst Advantage Tax Consulting Services (TCS) Indianapolis, Indiana BSF PORT 32,842 A laptop that contained personal information was lost or stolen during an airport layover. The Social Security numbers of people who were employed by companies that used TCS for tax help were on the laptop. The laptop did have a password and after it was lost its access to TCS's network was blocked. Information Source: Databreaches.net July 30, 2010 records from this breach used in our total: 32,842 Texas Children's Hospital in Houston Houston, Texas NGO PORT 1600 (No SSNs or financial information reported) A physician's laptop was stolen from an office on May 13th. The laptop contained personal information on cardiology patients. Affected persons were notified that their names, dates of service, medical record numbers, diagnoses and dates of birth were on the password-protected laptop. Information Source: PHIPrivacy.net July 29, 2010 records from this breach used in our total: 0 University of Virginia Charlottesville, Virginia EDU PORT Unknown A transient was ordered to spend time in a men's diversion program after pleading guilty to stealing credit cards and electronics. One of the laptops he stole was a University-owned laptop. The man served 12 months in jail before being sentenced and slept in his car and in the University library during the time of the thefts. Information Source: Databreaches.net July 29, 2010 records from this breach used in our total: 0 DebtStoppers USA, Robert J. Semrad and Associates BSF PHYS hundreds of documents (At least 100) 6 July 29, 2010 Chicago, Illinois BSF PHYS (At least 100) Documents from the Joilet office were involved A tipster led to the discovery of hundreds of personal and financial documents in a trash bin outside the attorney's office. The documents included Social Security numbers, names, addresses, driver's license numbers, and signed debit card authorizations from clients. Information Source: Databreaches.net July 29, 2010 records from this breach used in our total: 100 Rowland Equipment Co. Smithfield, Virginia BSR INSD Over 30 customers Linda Rowland pleaded guilty to wire fraud and identity theft. She used customer names and information to falsify loan agreements for over 10 years. Information Source: Databreaches.net July 28, 2010 records from this breach used in our total: 30 Wendy's Tukwila, Washington BSR INSD At least 135 accounts A dishonest employee used a skimmer between September 14, 2009 and July 21, 2010 to commit identity theft and make fraudulent charges to customer credit accounts. Information Source: Databreaches.net July 28, 2010 records from this breach used in our total: 135 Time Warner Cable New York, New York BSR INSD Unknown A former employee was convicted of installing spyware on three company computers. The employee intended to capture the passwords of users who had access to a customer database and a billing system. Information Source: Databreaches.net July 27, 2010 records from this breach used in our total: 0 Rite Aid Corporation Camp Hill, Pennsylvania BSR PHYS Unknown Etters, PA is also mentioned as Rite Aid's headquarters Rite Aid paid one million dollars to settle HIPAA privacy violations. Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly. Information Source: PHIPrivacy.net July 27, 2010 records from this breach used in our total: 0 Office of Attorney David Naworski San Antonio, Texas BSO PHYS 75 Attorney Naworski left legal files in a public dumpster. Naworski thought it was appropriate to dispose of the files in this way since the accounts were old and closed. The documents contained names, addresses, bank account information, Social 7 Security numbers, driver's license numbers, and dates of birth. Information Source: Databreaches.net July 27, 2010 records from this breach used in our total: 75 Cooper University Hospital Camden, MED PORT Unknown A flash drive with the personal information of graduate medical residents and fellows was reported missing on July 23rd. The personal information included Social Security numbers, addresses, and phone numbers. Information Source: Databreaches.net July 27, 2010 records from this breach used in our total: 0 Citigroup Inc. New York, New York BSR DISC 117,600 users with app (No incidents reported) Citigroup's mobile banking application for Apple's iphone has a security flaw that saves user account numbers, bill payments and security access codes into a hidden file on the iphone and the user's computer. An upgrade that will fix the problem is available. Information Source: Media July 26, 2010 records from this breach used in our total: 0 United States Post Office Batesburg-Leesville Batesburg-Leesville, South Carolina GOV PHYS Two employees reported Improperly reusing office paper led to the mailing out of names and Social Security numbers of two post office employees. Two women reported receiving the personal information, which was probably from a timecard, on the back of a post office receipt. Information Source: Databreaches.net July 26, 2010 records from this breach used in our total: 2 Natchez Police Department Natchez, Mississippi GOV INSD Unknown A police officer with the Natchez department fraudulently used and encouraged others to use stolen credit and debit cards. Information Source: Databreaches.net July 24, 2010 records from this breach used in our total: 0 University of Texas Arlington Arlington, Texas EDU HACK 27,000 (2,048 SSNs reported) Student records dating from 2000 to June 21, 2010 were compromised on a University file server on four separate occasions within the last two years. The server contained student health center prescription records. Information Source: Databreaches.net records from this breach used in our total: 2,048 8 July 23, 2010 Thomas Jefferson University Hospitals Philadelphia, Pennsylvania EDU PORT Approximately 21,000 A password-protected laptop was stolen from the office of an employee on June 14th. The computer should not have contained protected health information, but did. It also contained patient name, birth date, gender, ethnicity, diagnosis, Social Security number, insurance information, and hospital account number. Information Source: Databreaches.net July 23, 2010 records from this breach used in our total: 21,000 University of California San Francisco (UCSF) Medical Center San Francisco, California EDU INSD Possibly hundreds A former employee used the Social Security numbers of his colleagues to obtain vouchers for Amazon.com purchases. He secretly used the Social Security numbers to create hundreds of accounts and complete 382 online surveys in exchange for $100 online vouchers. Information Source: Databreaches.net July 22, 2010 records from this breach used in our total: 100 The Loft and Comedy Club Columbus, Georgia BSR DISC 60 customers Names, addresses, phone numbers, and credit card information from customers of The Loft and Comedy Club were discovered through a Google search. Customer data from 2004 to 2008 was posted. The Loft fixed the problem and is working on having the site removed. Information Source: Databreaches.net July 22, 2010 records from this breach used in our total: 60 Colorado Department of Health Care Policy and Financing Denver, Colorado GOV PORT 105,470 (0 SSNs and financial information reported) A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the Colorado Office of Information Technology. The information included names, state ID number and the name of the client's program. The Agency is certain that contact information, financial information and Social Security numbers were not involved. Information Source: Databreaches.net July 22, 2010 records from this breach used in our total: 0 Arizona Federal Credit Union Phoenix, Arizona BSF INSD At least 4 A former employee is accused of using bank member information to run credit checks on victims and apply for credit in their names. The former employee was fired and arrested on identity theft charges. Information Source: Databreaches.net July 22, 2010 records from this breach used in our total: 4 Iowa Department of Agriculture and Land Stewardship Des Moines, Iowa GOV PORT 3,404 A laptop containing personal information from Iowa residents was stolen from a locked state vehicle. The computer was 9 encryption protected and contained names, addresses, phone numbers and Social Security numbers. Iowa residents who participate in the Iowa Horse and Dog Breeding Program were notified. Information Source: Databreaches.net July 21, 2010 records from this breach used in our total: 3,404 Lincoln National Life Insurance Radnor, Pennsylvania BSF PHYS 26,840 A vendor printed a user name and password for agents and authorized brokers in a brochure. The brochure was also posted on an agent's public website. The login information enable access to a website containing medical records and other personal information form individuals seeking life insurance. Applicant name, Social Security number, address, policy number, driver's license number and credit information is also on the website. Information Source: Databreaches.net July 20, 2010 records from this breach used in our total: 26,840 Long Island Consultation Center (LICC) Rego Park, New York MED PORT 800 (0 reports of SSNs or financial information) A computer device containing doctor reports was reported missing from a secured area at LICC on May 24th. Names, dates of birth, diagnostic information and treatment information of some patients may have been included on the device. Information Source: PHIPrivacy.net July 20, 2010 records from this breach used in our total: 0 South Shore Hospital South Weymouth, Massachusetts MED PORT 800,000 (unknown number of SSNs and financial information) Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and employees from January 1996 through January 2010 may have been lost by a professional data management company. Depending on the person's association with the hospital, the information exposed could be full name, address, phone number, date of birth, Social Security number, driver's license number, medical record number, patient number, bank account information, credit card number, diagnoses and treatment. Information Source: PHIPrivacy.net July 20, 2010 records from this breach used in our total: 0 Maryland Department of Human Resources Baltimore, Maryland GOV INSD 3,000 clients An employee posted Social Security numbers and other personal information of around 3,000 clients on an outside website. The organization provides food stamps and other benefits and aid to clients. The employee was placed on administrative leave. Information Source: Databreaches.net July 19, 2010 records from this breach used in our total: 3,000 LV Financial Services Orlando, Florida BSF PHYS Unknown Dozens of boxes of files from medical offices that hired LV to collect unpaid bills were found in an Orlando public dumpster. The files contained names, addresses, Social Security numbers, driver's license copies and credit reports. The collection 10 agency went out of business in 2005 and the location of the files prior to this incident is unknown. Information Source: records from this breach used in our total: 0 Dataloss DB July 16, 2010 United Healthcare (UnitedHealthcare), Deere and Company Minneapolis, Minnesota MED PHYS 1,097 (no SSNs or financial information reported) Deere and Company is headquartered in Moline, Illinois United Healthcare notified members of a Deere and Company employee benefits plan of a mistake that led to claims summary statements being sent to the wrong addresses. Dates of services, categories of service, cost of service, and physician names were included. Information Source: PHIPrivacy.net July 16, 2010 records from this breach used in our total: 0 Buena Vista University Storm Lake, Iowa EDU HACK 93,000 Someone gained unauthorized access to a BVU database. The database contained records of names, Social Security numbers, and driver's license numbers of BVU applicants, current and former students, parents, current and former faculty and staff, alumni and donors. These records go back as far as 1987. Information Source: Databreaches.net July 16, 2010 records from this breach used in our total: 93,000 Connecticut Department of Labor Bridgeport, Connecticut GOV PORT 5,000 A highly encrypted laptop was stolen from the office of the Connecticut Department of Labor. The laptop contained confidential information about unemployment insurance claims, wage discrepancy complaints and some Bridgeport area employers. Information Source: Databreaches.net July 15, 2010 records from this breach used in our total: 5,000 Office of Dr. Thomas K. Lee Barstow, California MED PHYS Hundreds of records An anonymous tipster called the Sheriff's Department and reported unattended boxes of personal records outside the dental office. The boxes contained patient records from the early 1990's to the present. These records had personal information such as Social Security numbers, names, birth dates, credit card numbers, and addresses. The Sheriff's Department destroyed the records and warned patients of dentists Lee, Sang H. Yoon and Patricia Patterson. Information Source: Databreaches.net July 15, 2010 records from this breach used in our total: 0 Prince William County Intellectual Disabilities Case Management Woodbridge, Virginia GOV PORT 669 On June 18th or 19th, a government-issued Blackberry was stolen from an employee's car. The Blackberry had personal information on patients enrolled in the program. The County notified residents that their Social Security numbers, names, addresses, dates of birth, phone numbers, and Medicaid numbers may have been accessed. 11 Information Source: PHIPrivacy.net July 15, 2010 records from this breach used in our total: 669 Utah Department of Workforce Services Salt Lake City, Utah GOV INSD 1,300 (Unknown number of SSNs) A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of Workforce Services. A large number of employees had access to this information. Information Source: Databreaches.net July 15, 2010 records from this breach used in our total: 0 Nix Check Cashing Manhattan Beach, California BSF STAT Unknown (over one hundred from New Hampshire) The May 17th theft of a computer resulted in the exposure of customer names, addresses, phone numbers, Social Security numbers and driver's license numbers. Affected customers were notified on June 30th. Information Source: Databreaches.net July 15, 2010 records from this breach used in our total: 100 NBTY Bohemia, New York BSR DISC Unknown An email containing current and former employees' and plan participants' personal information was sent to the wrong recipient on June 15th. The information in the email included names, dates of birth, and Social Security numbers. Information Source: Databreaches.net July 15, 2010 records from this breach used in our total: 0 Alcoa Global Mobility Group New York, New York BSO DISC Unknown An electronic folder containing personal information on current and former expatriates and others who received assistance from Alcoa's Global Mobility Group was shared as a public folder within its network. The personal information included names, dates of birth, family members' names and dates of birth, salary compensation, Social Security numbers, and some people's medical information. Information Source: Databreaches.net July 14, 2010 records from this breach used in our total: 0 SunBridge Healthcare Albuquerque, New Mexico MED PORT 3,830 Residents of Arizona, Colorado, Montana, California, New Mexico, Oklahoma, Idaho, Washington, Wyoming and Utah affected A laptop containing Social Security numbers, medical record numbers, dates of service, health insurance numbers and names was stolen in May. The laptop was password-protected. Information Source: PHIPrivacy.net records from this breach used in our total: 3,830 12 July 14, 2010 Oregon State University Corvallis, Oregon EDU HACK 34,000 current and former employees (unknown number of SSNs) A University computer containing personal information of current and former employees was found to be infected by a virus. Employee records from 1999 to 2005 contained Social Security numbers. Information Source: Databreaches.net July 14, 2010 records from this breach used in our total: 0 Carle Clinic Association Urbana, Illinois MED PHYS Approximately 1,300 (no SSNs or financial information reported) An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films and film jackets. The health information included patient names, dates of birth, gender, clinic medical numbers, internal accession numbers, site locations, physician or provider names, and internal provider numbers. Information Source: PHIPrivacy.net July 14, 2010 records from this breach used in our total: 0 Blue Island Radiology Blue Island, Illinois MED PORT 2,000 (number and type of financial account numbers and SSNs unknown) A backup data tape and compact disc containing protected health information were never received. Individuals demographic, financial and clinical information were on the CD. Information Source: PHIPrivacy.net July 14, 2010 records from this breach used in our total: 0 Blue Cross Blue Shield Association Chicago, Illinois MED PHYS Approximately 15,000 (0 SSNs and financial information reported) An error in the quarterly address update process resulted in the mailing of protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered. Information Source: PHIPrivacy.net July 14, 2010 records from this breach used in our total: 0 VHS Genesis Lab Berwyn, Illinois MED PHYS Over 500 (0 SSNs and financial information involved) A month's worth of client invoices went missing. It does not appear that they were mailed. The invoices contained health information such as names, dates of birth, and medical testing information. Information 13 Source: PHIPrivacy.net July 14, 2010 records from this breach used in our total: 0 University of Pittsburgh Student Health Services Pittsburgh, Pennsylvania EDU INSD 8,000 (Not included because no specific type of financial information stated) An employee dishonestly took documents containing names and financial information. The employee was fired. Information Source: PHIPrivacy.net July 14, 2010 records from this breach used in our total: 0 Tomah Memorial Hospital Tomah, Wisconsin MED INSD 600 A nurse used patient names and account numbers to illegally obtain narcotics. The nurse was fired. Information Source: PHIPrivacy.net July 13, 2010 records from this breach used in our total: 0 Carolina Center for Development and Rehabilitation Charlotte, North Carolina MED PHYS Approximately 1,590 After a doctor left office cleaning to his sons, they mistakenly threw out hundreds of medical records. The medical records were left in a public recycling bin and included medical histories, pictures of patients and Social Security numbers. UPDATE (7/31/10): The psychologist has contacted 1,590 of his patients. Information Source: NAID July 12, 2010 records from this breach used in our total: 1,590 Connecticut Department of Education, State Teachers' Retirement Board Hartford, Connecticut GOV PORT Unknown An encrypted flash drive containing 2007-2008 member annual statement data has been lost or stolen. It is unlikely that outside parties could read the pension and employment credit. Information Source: Databreaches.net July 12, 2010 records from this breach used in our total: 0 Marsh and Mercer Washington, District Of Columbia BSF PORT At least 3,000 Marsh and Mercer's Seabury and Smith, Inc. and Mercer Health and Benefits LLC operations were involved. The list of known organizations with affected employees includes Idaho Power, Saint Luke's health System and Saint Alphonsus Regional Medical Center. The location is listed as Seabury and Smith's office. The insurance broker and benefits consulting firm reported the loss of a backup tape during transport. The tape contained employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social Security numbers, dates of birth, account information and driver's license numbers were on the tape. Information Source: Databreaches.net records from this breach used in our total: 3,000 14 July 10, 2010 Ohio Department of Developmental Disabilities Columbus, Ohio MED DISC 200 Within a two week period personal information of 200 people using the Department's services was accidentally posted online. The Social Security numbers, names, addresses, medical records, and treatment information were only available for viewing through the state computer network. Information Source: PHIPrivacy.net July 10, 2010 records from this breach used in our total: 200 Village of Big Bend Big Bend, Wisconsin BSO PORT Unknown A laptop containing payroll information for the village's employees was stolen from the car of the village's payroll provider in Milwaukee. Police have not recovered the laptop. The provider reported the theft and sent letters to employees to inform them their personal information was not secure. The provider recommended that employees contact a credit bureau that would place a 90-day alert on their information to prevent identity theft. Information Source: Dataloss DB July 10, 2010 records from this breach used in our total: 0 Cisco Live 2010 Las Vagas, Nevada BSO HACK Unknown Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group who have dealings with the company. A vendor told Cisco that someone had made "an unexpected attempt to access attendee information through ciscolive2010.com," the event Web site. That lead to the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco, details about less than 20% of those on the list were compromised. The breach was closed quickly, "but not before some conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. "No other information was available or accessed," according to the warning Cisco Live's event team sent via e-mail. Information Source: Dataloss DB July 9, 2010 records from this breach used in our total: 0 Emily Morgan Hotel San Antonio, Texas BSO PHYS 17,000 hotel guests Identity thieves obtained stacks of credit card receipts from one of the hotel's storage rooms in 2006. Hundreds of thousands of dollars in fraudulent charges were then made in three different states. Investigators first became aware of a large identity theft issue in the area during the beginning of 2009. Information Source: records from this breach used in our total: 17,000 Databreaches.net July 8, 2010 Waukesha County Big Bend, Wisconsin GOV PORT Unknown A laptop was stolen from a payroll services provider of the county. It is unknown what types of Big Bend employee payroll information were contained on the laptop. Information Source: Dataloss DB records from this breach used in our total: 0 15 July 7, 2010 University of Hawaii Honolulu, Hawaii EDU STAT 53,000 53,000 people may have had their personal information exposed after a breach to the University of Hawaii computer system was discovered. The university released statement that more than 40,000 Social Security numbers and 200 credit card numbers were part of the exposed information that was housed on a computer server used by the Manoa campus parking office. Information Source: Dataloss DB July 7, 2010 records from this breach used in our total: 53,000 Massachusetts Secretary of State, Securities Division Boston, Massachusetts GOV PORT 139,000 The Massachusetts Secretary of State's office accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state. The data, including the advisers' Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division. Secretary of State IA Week had asked for a list of registered investment companies. The Securities Division responded by sending a list of individual investment professionals. In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color, and eye color. Information Source: Dataloss DB July 6, 2010 records from this breach used in our total: 139,000 Massachusetts Secretary of State Office Boston, Massachusetts GOV PHYS 139,000 investment advisers In an attempt to release public information from the Securities Division, the Massachusetts Secretary of State's office released the Social Security and driver's license information of 139,000 investment advisers registered with the state. The information was sent on a CD-ROM sent to IA Week, an investment industry publication. Information Source: Databreaches.net July 6, 2010 records from this breach used in our total: 139,000 University of Florida Gainesville, Florida EDU PHYS 2,047 Social Security numbers or Medicaid identification numbers were shared with a telephone survey company and included on address labels sent out to request research participation. The letters were sent through the U.S. Postal Service on May 24th and the issue was discovered on June 6th. Information Source: PHIPrivacy.net July 6, 2010 records from this breach used in our total: 2,047 DentaQuest Chicago, Illinois MED DISC 76,000 In a statement datelined out of Nashville, DentaQuest reported the laptop theft occurred March 20 in Chicago and was informed of the incident April. DentaQuest reported the laptop contained a database which held the personal information of approximately 76,000 clients. The contractor advised most of the data is not considered sensitive, but the device did contain the first names, last names and Social Security Numbers of about 21,000 individuals. Some 10,500 are Tennessee residents. Information Source: Dataloss DB records from this breach used in our total: 76,000 16 July 4, 2010 AMR Corporation Fort Worth, Texas BSO PORT 79,000 American Airlines parent company said Friday the personal information of about 79,000 retirees, former and current employees has been compromised after a hard drive was stolen from its Fort Worth headquarters. No customer data was affected. The data was held by the company's pension department. The drive contained images of microfilm files, which included names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information. Some health insurance information may have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information. The data spans a period from 1960 to 1995. AMR also believes some of the employee files also contained information on beneficiaries, dependents and other employees from 1960 to 1995. Information Source: Dataloss DB July 4, 2010 records from this breach used in our total: 79,000 Beautiful Brands International West Lafayette, Indiana BSR HACK Unknown Computer hackers have infiltrated the credit card processing system. Information Source: Dataloss DB July 2, 2010 records from this breach used in our total: 0 AMR Corporation Fort Worth, Texas BSO STAT 79,000 Retirees, current, and former employees who participated in AMR's pension plan may have had their names, Social Security numbers, addresses, dates of birth, and other personal information stolen by the theft of a hard drive containing microfilm files. Employees and beneficiaries of employees who were enrolled between 1960 and 1995 are at risk. Information Source: Databreaches.net July 2, 2010 records from this breach used in our total: 79,000 Cornerstone Nashville, Tennessee NGO PHYS 1,537 clients According to Cornerstone: "During the weekend of April 30th, 2010, flood waters broke windows of our administrative office for School-Based Services... As a result of the unprecedented flooding that occurred, some clinical record information, along with name, Centerstone ID#, Social Security number, and date of birth, may have been removed from the building by flood waters." Information Source: PHIPrivacy.net July 1, 2010 records from this breach used in our total: 1,537 NYU Langone Medical Center Hospital for Joint Diseases New York, New York MED PORT 2,563 (no SSNs or financial information reported) An unencrypted portable USB was lost or stolen sometime around May 12th. It contained patient names, medical record numbers, sex, age, procedure, attending physician, time of arrival in recovery room and time of discharge from recovery room. Information Source: PHIPrivacy.net records from this breach used in our total: 0 17 June 30, 2010 Lincoln Medical and Mental Health Center Bronx, New York MED PORT 130,495 patient Multiple CDs containing patient personal information were lost in transit by FedEx. Information included dates of birth, driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Siemens Medical Solutions USA, the Hospital's billing contractor, shipped the CDs around March 16th. They were never received. Information Source: records from this breach used in our total: 130,495 PHIPrivacy.net June 29, 2010 University of Oklahoma Norman, Colorado EDU HACK Unknown The university's Information Technology department noticed unusual Internet activity on a laptop computer associated with its network. It determined the computer belonged to an employee and was infected with a virus known as Zeus or Z-Bod. The employee's laptop had access to computer files that contain student names and Social Security numbers. Information Source: Dataloss DB June 29, 2010 records from this breach used in our total: 0 University of Maine Orono, Maine EDU HACK 4,585 Hackers compromised the personal information of 4,585 students who received services from the school's counseling center. The center provides students with support and mental health services. The information on the servers included names, Social Security numbers and clinical information on every student who sought counseling services from the center between August 8, 2002 and June 21 of this year. Information Source: Dataloss DB June 29, 2010 records from this breach used in our total: 4,585 Destination Hotels & Resorts Englewood, Colorado BSO HACK 700 customers Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii. Destination has uncovered a malicious software program inserted into its credit card processing system from a remote source. Destination Hotels is in the process of notifying victims but will not say how many people have had their credit card numbers stolen. The attackers appear to have hit only point-of-sale processing systems, where credit cards are swiped for purchases. Personal information such as guests' home addresses was not compromised. UPDATE (7/2/2010): Around 700 customers were affected nationwide by the hack; including dozens of customers of the Driskill Hotel of Austin, Texas. Information Source: Dataloss DB June 29, 2010 records from this breach used in our total: 700 Cal State San Bernardino (CSSB) San Bernardino, California EDU DISC 36 students Information such as names and Social Security numbers was exposed to the public through a web server. The students affected were on the class roster for a computer science and engineering course. The files were discovered and removed on June 10th. Information Source: Databreaches.net records from this breach used in our total: 36 18 June 29, 2010 Sparta Board of Education Sparta Township, New Jersey GOV DISC At least 200 Several vendor Social Security numbers and tax identification numbers were accidentally sent out via email to a local activist requesting information on Sparta Board of Education vendors. UPDATE (7/8/10): The activist mentioned is Jesse Wolosky and he has not returned the information because "they could get lost in cyberspace or go to the wrong inbox." Wolosky also claims that state agencies are looking into the matter. The number of Social Security numbers is still unknown since Wolosky claims 600-800 and the district claims 200-300. Information Source: Databreaches.net June 29, 2010 records from this breach used in our total: 200 Brooklyn Tech High School Brooklyn, New York EDU HACK 2,416; 103 Social Security numbers Hackers accessed PSAT information from the school and posted the names, home addresses, citizenship status, and Social Security numbers of students. The information was discovered on the school's website. Information Source: Databreaches.net June 29, 2010 records from this breach used in our total: 103 Merrimack Mortgage Greer, South Carolina BSF PHYS Unknown Personal documents from Merrimack Mortgage were found in an unsecured public dumpster. The documents were not shredded and contained Social Security numbers, credit scores, bank information, and other personal information. Information Source: Databreaches.net June 29, 2010 records from this breach used in our total: 0 A Woman's Place Ketchikan, Alaska MED DISC Around 400 (0 SSNs reported) An ACLU lawsuit claims that police acted inappropriately during a raid of A Woman's Place clinic. The lawsuit claims that police not only confiscated medical records, but read them and revealed sensitive medical information about patients to outside parties. Information Source: PHIPrivacy.net June 29, 2010 records from this breach used in our total: 0 Ridgefield High School Ridgefield, Connecticut EDU HACK Unknown (the students of a few teachers) Two students were arrested for hacking into their school's computer system. Their goal appears to be changing their own grades; but they had access to the grades and personal information of other students. Information Source: Databreaches.net June 28, 2010 records from this breach used in our total: 0 Children's Hospital of Orange County Orange, California MED PHYS Unknown 19 The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion. Information Source: PHIPrivacy.net June 28, 2010 records from this breach used in our total: 0 Eastern Connecticut Health Network Pension Plan Manchester, Connecticut BSF PHYS 3,178 Mercer, the firm's consulting group, provided a subcontractor with a file containing Pension Plan participant addresses and Social Security numbers. The Social Security numbers were exposed on the mailing label. Information Source: PHIPrivacy.net June 26, 2010 records from this breach used in our total: 3,178 Federal Aviation Administration Washington, District Of Columbia GOV DISC 3,000,000 airmen and airwomen An investigation into the Federal Aviation Administration found that the medical and personal information of airmen and airwomen is at risk. Names, addresses, Social Security numbers, mental and physical health certification information and other personal information is vulnerable to unauthorized access from former staff and could be accessed through the installation of malicious codes. The computer system was hacked in 2009. Information Source: PHIPrivacy.net June 25, 2010 records from this breach used in our total: 3,000,000 University Hospital Augusta, Georgia MED PORT 13,000 patient records Two backup tapes containing personal information have gone missing. The hospital does not suspect theft and does believe that there is a very low probability that the personal information on the tapes can be misused. However, credit monitoring services are being offered to those who were affected. The hospital gave up looking for the tapes on May 7th and began notifying patients in late June. Per phone interview with University Hospital, Social Security number were involved but they are unaware of any financial data involved in this breach. Information Source: Dataloss DB June 23, 2010 records from this breach used in our total: 13,000 Anthem Blue Cross, WellPoint Pasadena, California BSF DISC 470,000 More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross merged with WellPoint in 2004. UPDATE (6/29/10): Around 470,000 customers in 10 states were notified of the breach. The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information. UPDATE (7/12/10): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information. It is unclear whether these residents are included in the original 470,000 customers. Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint. Information Source: records from this breach used in our total: 470,000 20 Dataloss DB June 23, 2010 Florida International University Miami, Florida EDU DISC 19,495 Florida International University is in the process of sending notification letters to 19 407 students and 88 faculty members after the university’s IT Security Office discovered personal data may have been exposed over the internet via a database’s external search function. An announcement posted on the FIU website lists the personal data as GPAs, test scores, and Social Security numbers that were stored on the College of Education’s E-Folio software app. This database kept track of student data related to state mastery standards, grade tracking, assignments, and Social Security numbers for both students and faculty. Information Source: Dataloss DB June 22, 2010 records from this breach used in our total: 19,495 Oregon National Guard Portland, Oregon GOV PORT Over 3,500 A laptop belonging to an Oregon National Guard member was stolen and the military is contacting service members who might be affected by the theft. According to the Oregon National Guard, the laptop was stolen from a vehicle. The Guard member had been using the laptop to conduct work from home. Although this laptop is password protected, there is still potential for exposure of individual personal information. UPDATE (7/1/10): The 3,500 National Guard members who were affected have been notified. Information Source: Dataloss DB June 21, 2010 records from this breach used in our total: 3,500 TeleTech, Sony Electronics Englewood, Colorado BSR UNKN Unknown Customers who placed orders through Sony Style Telesales Department between May 23rd and June 3rd 2010 may have had their credit card information illegitimately copied and sent to parties outside of the TeleTech network. TeleTech is a third party service provider of Sony. Information Source: Databreaches.net June 20, 2010 records from this breach used in our total: 0 Mercy Willard Hospital Willard, Ohio MED INSD Unknown A former employee kept patient photographs, videos, memos, schedules, and forms. Some of the documents included patient Social Security numbers and other personal information. The employee is also being accused of voyeurism and possession of child pornography; though this is unrelated to these findings. Information Source: PHIPrivacy.net June 18, 2010 records from this breach used in our total: 0 St. Francis Federal Credit Union Tulsa, Oklahoma BSF PORT 8,400 Saint Francis Federal Credit Union has notified 8,400 customers that a backup tape containing customer information was lost. SFFCU believes the tape was accidentally destroyed and that no member information has been misused as a result of the loss. Information 21 Source: Databreaches.net June 18, 2010 records from this breach used in our total: 8,400 University of Nevada Reno, Nevada EDU STAT 7,526 patients Some patient information from the University Health System may have been accessed after the theft of computer equipment at the Reno office on June 11th. Patient names, Social Security numbers, patient account numbers, medical information, birth dates and addresses may have been viewed. Information Source: Databreaches.net June 18, 2010 records from this breach used in our total: 7,526 Family Care Center Clinton, Washington MED PORT 8,000 (0 SSNs reported) Operations in Clinton, Freeland, and Oak Harbor A thief or thieves entered the physical therapy office on June 12th. Cash, other items, and a laptop containing encrypted patient information such as names and account numbers were stolen. It appears that a door was left unlocked. Information Source: records from this breach used in our total: 0 PHIPrivacy.net June 18, 2010 Ebony Medical Equipment and Supplies, Inc. Tyler, Texas MED INSD Unknown The owner used patient medical information to fraudulently obtain over $70,000 from Medicare and Medicaid. The owner is also charged with buying patient information. Information Source: PHIPrivacy.net records from this breach used in our total: 0 Over 11,388 students June 17, 2010 Ocean Lakes High School Virgina Beach, Virginia EDU HACK calculated from the Virginia Beach City County Public Schools page of publicschoolreview.com Schools that may have been accessed: Advanced Technology Center, Corporate Landing Middle School, Creeds Elementary School, Fairfield Elementary School, Indian Lakes Elementary School, Kellam High School, Kingston Elementary School, Landstown Middle School, Linkhorn Park Elementary School, Lynnhaven Middle School, New Castle Elementary School, Ocean Lakes Elementary School, Ocean Lakes High School, Red Mill Elementary School, Renaissance Academy, Rosemont Elementary School, Salem Elementary School, Technical & Career Education Center, Thalia Elementary School, Three Oaks Elementary School, Windsor Oaks Elementary School Because of an incorrect security setting, an Ocean Lakes High School student was able to access a temporary file on a server that contained the names, addresses and Social Security numbers of students at 22 schools. The breach was discovered when the student tried to print some of the information in the school library. In addition to names, addresses and Social Security numbers, the student files also contain parent names, phone numbers, class schedules, birth dates and student ID numbers. Information Source: records from this breach used in our total: 11,388 Dataloss DB Quantum Corporation 22 June 17, 2010 Quantum Corporation Bellevue, Washington BSR PORT At least 4 Laptops were stolen on June 13th. One of the laptops was password protected and contained sensitive employee information such as Social Security numbers, addresses, and names. Information Source: Databreaches.net June 16, 2010 records from this breach used in our total: 4 AT&T Dallas, Texas BSR DISC Unknown AT&T customers who were using their own usernames and passwords to log into their accounts reported being sent to the accounts of other AT&T customers. The account information did not include Social Security numbers or credit card informaiton. Information Source: Databreaches.net June 14, 2010 records from this breach used in our total: 0 Frankling County Treasurer's Office Columbus, Ohio GOV DISC 0 Although it has a newer and better protected website for paying property taxes, the Franklin County Treasurer's Office continues to allow taxpayers to use an older URL which was recently discovered to be vulnerable to hackers. This may expose taxpayer credit card and checking account numbers. Information Source: Databreaches.net June 13, 2010 records from this breach used in our total: 0 Butler County Department of Job and Family Services Middle, Ohio GOV PHYS 10,600 The Agency learned in 2008 that confidential records were being left in public dumpsters without being shredded. Documents from Medicaid, Food Stamps, Ohio Works First, and child care programs included information such as Social Security number, name, address, phone number and pay stub. The agency failed to notify those who were affected. Information Source: Databreaches.net June 12, 2010 records from this breach used in our total: 10,600 J.P. Morgan Chase Hackettstown, New Jersey BSF INSD 12 A Chase bank teller sold twelve customer account profiles to outside parties between 2008 and 2009. These customer accounts were then fraudulently charged over $60,000. The former employee and the outside parties were all caught. Information Source: Databreaches.net June 12, 2010 records from this breach used in our total: 12 Middle Township Municipal Hall Middle Township, New Jersey GOV PHYS Unknown Personal information from Municipal Hall was found in a public dumpster. The information was not shredded and included police reports, Social Security numbers, home addresses, telephone numbers, names, and tax records. The improper disposal of information continued after the first dumpster discovery. Information Source: records from this breach used in our total: 0 23 Source: Databreaches.net June 11, 2010 records from this breach used in our total: 0 Payless Shoe Store Bellmore, New York BSR INSD 11 An employee used a skimming device to obtain customer credit card information. He made fraudulent purchases totaling nearly $11,000 and was charged with grand larceny, possession of a forged device, and identity theft. Information Source: records from this breach used in our total: 11 Databreaches.net June 10, 2010 Durham County Government Durham, North Carolina GOV PHYS 8,700 employees A group of people obtained a list of Durham employees which included Social Security numbers, birth dates, and employment information. They then used their personal information to commit credit card fraud and identity theft. Police report that more than 200 employees were victims. Information Source: records from this breach used in our total: 8,700 Databreaches.net June 10, 2010 City of Springfield Springfield, Illinois GOV DISC Unknown The city of Springfield put documents online that contained sensitive information such as Social Security numbers, driver’s license numbers, home and work telephone numbers, bank account numbers and the name of someone who called the state anonymously to report suspected child abuse. The documents were posted on the city’s website in response to Freedom of Information Act requests as part of an initiative to make public information available to anyone with a computer. But personal information such as home phone numbers, Social Security numbers and driver’s license numbers are exempt from disclosure under state law. Information Source: records from this breach used in our total: 0 Dataloss DB June 9, 2010 Apple Inc. Cupertino, California BSR HACK Unknown A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking. The breach exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised. It doesn't stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed. Information Source: Dataloss DB June 9, 2010 records from this breach used in our total: 0 TennCare, New Mexico Human Services Department Chicago, Illinois 76,000 9,600 from New MED PORT Mexico; over 10,000 from Tennessee This theft affects people in Tennessee and New Mexico. An employee from a subcontractor company called West Monroe Partners was robbed of a laptop containing information for a Medicaid billing company named DentaQuest. DentaQuest was responsible for dental benefits of the New Mexico Human 24 Services Department and TennCare. Around 21,000 people had their full names and Social Security numbers on the stolen laptop. Approximately 55,000 others had some form of personal information on the laptop. Information Source: records from this breach used in our total: 21,000 Databreaches.net June 9, 2010 Office of Dr. David Brown St. John, Missouri MED DISC Unknown Patient files were found outside the office of Dr. David Brown. Dr. Brown admitted to failing to shred the old papers and claimed that he ran out of space for the files. Information Source: records from this breach used in our total: 0 NAID June 8, 2010 Bank of America Sun City, Florida BSF INSD Uknown An employee in one of Bank of America's customer call centers has admitted he stole sensitive account information and tried to sell it for cash. The man met with two individuals whom he later learned were undercover FBI agents and offered to sell them names, dates of birth, telephonic passwords, and other details for Bank of America customers, according to court records. He was looking for accomplices who knew how to milk the accounts by establishing phony credit cards in the customers' names or through other means. Information Source: records from this breach used in our total: 0 Dataloss DB June 8, 2010 Tri-City Medical Center Oceanside, California MED INSD Unknown Employees shared patient information on Facebook. Differing reports leave it unclear if these employees were nurses, and whether or not they were fired. Information Source: PHIPrivacy.net June 8, 2010 records from this breach used in our total: 0 Los Angeles County Department of Public Social Services Los Angeles, California GOV INSD 155 A dishonest employee used welfare beneficiary information to file for two million dollars worth of tax refunds. The employee was caught and charged with 11 counts of identity theft and 11 counts of making false claims to the United States. Information Source: records from this breach used in our total: 155 Databreaches.net June 7, 2010 Wal-Mart, Sam's Club Bentonville, Arkansas BSR HACK 117 Sam's Club and Wal-Mart stores in Connecticut, New Jersey, Massachusetts, Rhode Island, New Hampshire, New York, Pennsylvania, Maryland, Delaware, and Puerto Rico During a credit card fraud scheme, a man obtained and misused customer information. His scheme involved using customer information to impersonate customers and open new lines of store credit in their names. Total loses amounted to $781,571.80. Information Source: records from this breach used in our total: 117 25 Databreaches.net June 7, 2010 New York City Department of Education New York City, New York EDU HACK Unknown The New York City’s Special Commissioner Office revealed a hacker stole more than $640,000 from the Department of Education’s petty cash account at JP Morgan Chase and distributed the codes to others to use to pay for student loans, gas bills and other purchases. The hacker allowed individuals to pay personal bills through EFTs and, in turn, he was given cash. The scam was discovered when an unidentified woman informed Chase someone was trying to pay bills using the account. Information Source: Dataloss DB June 7, 2010 records from this breach used in our total: 0 Nursing Visioned Medical Services Nashville, Tennessee MED PHYS At least 2,000 Thousands of patient records, surgery information, Social Security numbers and bank information were found dumped behind Nashville Center Point Church of the Nazarene. The documents came from the now defunct and bankrupt Nursing Visioned Medical Services group. Maryland-based Impulse Monitoring, Inc. bought the assets to NVMS last year when they filed bankruptcy. They said they are not responsible for the patient information because the services NVMS provided were one-time services. The old owners had shredded a bunch of old documents and the more recent ones had been passed on to the company (Impulse) that bought NVMS back in January. It is unclear where the documents came from. Information Source: records from this breach used in our total: 2,000 Dataloss DB June 6, 2010 Offices of Doctors J. and M. Vyas Chino Hills, California MED PHYS 600 patient files (0 reports of SSNs or financial information) Confidential medical files were found in a dumpster near the medical office of the two doctors. The doctors were in the process of moving to a new location. Information Source: PHIPrivacy.net June 5, 2010 records from this breach used in our total: 0 National Highway Traffic Safety Administration (NHTSA) Washington, District Of Columbia GOV DISC Unknown A limited search of NHTSA's public complaint database uncovered Social Security numbers, names, birth dates, addresses, VINs, and drivers' license numbers. Public access to the database of 792,000 complaint cases was temporarily ended. Information Source: Databreaches.net June 5, 2010 records from this breach used in our total: 0 Marco's Restaurant Indianapolis, Indiana BSR HACK 500 The encrypted Internet connection of a restaurant was breached by hackers outside of the organization. Customer credit and debit card information was lost and fraudulently used. Information Source: records from this breach used in our total: 500 Databreaches.net Digital River Inc. 26 June 4, 2010 Digital River Inc. Eden Prairie, Minnesota BSF HACK 200,000 A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 19year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars. The Eden Prairie company obtained a secret court order last month to block Eric Porat of Brooklyn from selling, destroying, altering or distributing purloined data on nearly 200,000 individuals. Digital River suspects that the information was stolen by hackers in New Delhi, India, possibly with help from a contractor working for Digital River. Information Source: records from this breach used in our total: 200,000 Dataloss DB June 3, 2010 Penn State University Park, Pennsylvania EDU DISC 15,806, 25,000 more later discovered The Pennsylvania State University sent data breach notification letters to 15 806 individuals who at one time had their personal information, including Social Security numbers, stored in a university database. Penn State issued a press release statement on Wednesday informing the university community that a computer in its Outreach Market Research and Data office was found to be actively communicating with a botnet CNC. According to the statement, the database used by the office had previously contained Social Security numbers on individuals. The university, which discontinued use of SSNs for identification purposes in 2005, nevertheless found that an archived copy of the information went undetected in the computer’s cache. UPDATE (6/8/2010): An additional 25,000 individuals may have been affected. Information Source: Dataloss DB June 3, 2010 records from this breach used in our total: 40,806 Safe Harbor Med Santa Cruz, California MED PORT Unknown Burglars stole client records, a suitcase and two bags of cookies from a medicinal marijuana referral office. Burglars also stole a computer hard drive that contained a client database, including Social Security numbers, ID numbers and other sensitive information. The burglars apparently cut power to the building — so the alarm didn't go off — and shattered a window to get into the office. Information Source: Dataloss DB June 2, 2010 records from this breach used in our total: 0 Avalon Center Cheektowaga, New York MED DISC Unknown Sensitive medical information was dumped outside of a DMV office. The medical information came from a eating disorder clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is unknown how the information ended up in the dumpster. Information Source: Databreaches.net June 2, 2010 records from this breach used in our total: 0 Rainbow Hospice and Palliative Care Park Ridge, Illinois MED PORT Unknown http://www.rainbowhospice.org/protection/ [94] According to their website: "On April 12, 2010, one of our laptop computers, which contained personal information, was stolen during a patient visit. The laptop had security measures in place, but there is a very small chance that protected information such as name, address, date of birth, Social Security number, insurance information, medications, treatment, and diagnoses may have been inappropriately accessed." 27 Information Source: Dataloss DB June 2, 2010 records from this breach used in our total: 0 Roanoke City Public Schools Roanoke, Virginia EDU PORT 2000 Personal information of more than 2,000 Roanoke City Public Schools employees may be at risk. School officials said the hard drives of eight computers were not removed before the units were sold as surplus. "We believe that we have recovered all of the hard drives," said Superintendent Rita Bishop. The drives contained the names, school locations and Social Security numbers of the division's employees as of November 2006. The division will be setting up a hotline for employees to call with questions and concerns. Free credit monitoring service will be offered to affected employees. Information Source: Dataloss DB June 2, 2010 records from this breach used in our total: 2,000 University of Louisville Louisville, Kentucky EDU DISC 709 A University of Louisville database of 708 names that included Social Security numbers and dialysis details was available on the Internet without password protection for nearly a year and a half. The Web site was disabled on May 17 when the university discovered the flaw. University officials said in a statement that accessing the database would not have been easy, and no direct links to the database were discovered. The information was available so long because the U of L doctor who set up the Web site thought the information was protected by a password and other precautions. U of L was finally notified when someone outside the university sent an e-mail about open access to the information. The Web site was shut down an hour later. Information Source: Dataloss DB June 1, 2010 records from this breach used in our total: 709 Brew HaHa! Wilmington, Delaware BSR HACK Over 30 Outdated and improperly managed software caused customer debit and credit cards to be exposed to fraudulent charges. Between 20 and 30 customers of one bank had fraudulent charges from overseas added to their statements. It is not known how many other customers were affected. Information Source: Databreaches.net May 28, 2010 records from this breach used in our total: 30 Aetna South Windsor, Connecticut BSO PHYS 6,372 clients from New Jersey and Pennsylvania A cabinet full of documents with sensitive information was found sitting on the side of the road. A woman made the discovery about a month ago and gave the documents to investigators with Aetna Insurance Co. The woman said she saw a bureau on the side of the road in front of Admiral Storage in South Windsor with a sign that said "free." She brought it home and discovered the documents. There were eight bags of nothing but Social Security numbers, names, and death benefits. Information also included patient records and medications. Aetna responded by saying, "Aetna is committed to protecting the privacy of our members and we take this situation seriously. We have policies for properly safeguarding our members’ information, and we are investigating how this incident occurred, but it appears to be human error. The woman contacted us via e-mail on the evening of May 5, and we immediately responded the next morning. She has consistently declined to give us her name or phone number, or to make arrangements to allow us to retrieve the documents at a place convenient for her, or to return them to us. As of today, we now have the files, and will go through each of them to determine the contents and whether any member information has been breached. If it has been, we will notify those members and take steps to mitigate any potential harm." 28 The woman attempted to arrange the hand-off, however, a short time after she got off the phone with the company, three men from Aetna showed up at her workplace, unannounced, and asked for the documents immediately. The woman said, "But when they sent the three guys to my work yesterday, it was an intimidation tactic and I didn't appreciate it. So that told me what I was going to do. That they were going to try and hide it." Aetna said someone from the company made a "serious human error," and it will now go through the files to make sure no sensitive information was lost. What's more troubling, the woman said, is that the bureau wasn't the only piece of furniture offered for free that day. "Out of the pieces that were up for grabs, whose to say that I've got the only piece that was full of Aetna papers." The woman has also contacted the state to investigate the situation. Aetna has clients across the country. UPDATE (8/2/10): Aetna notified 7,250 clients of the breach and reported that 6,372 were affected. Information Source: Dataloss DB May 28, 2010 records from this breach used in our total: 6,372 Cincinnati Children's Hospital Medical Center Cincinnati, Ohio 61,000 (0 SSNs and MED PORT financial information reported) A laptop containing the names, medical record numbers, and medical services provided of patients was stolen from an employee's car while it was parked at his or her home. As a precaution, no additional laptops will be allowed outside the hospital unless they are encrypted. Information Source: Databreaches.net May 28, 2010 records from this breach used in our total: 0 Interior National Business Center Denver, Colorado GOV PORT 7,500 (0 SSNs reported) A disc containing employee information was lost or stolen. The Interior Department reported that it was encrypted and password-protected personally identifiable federal employee information. Information Source: records from this breach used in our total: 0 Databreaches.net May 26, 2010 Inovis Alpharetta, Georgia BSO PORT Unknown On May 4th a laptop containing employee information was stolen from an employee of GXS who was helping with their merger. A letter notified an unknown number of Inovis employees that their addresses, Social Security numbers, names and salary information were on the laptop. Information Source: records from this breach used in our total: 0 Databreaches.net May 26, 2010 Children's Hospital and Research Center at Oakland Oakland, California MED PHYS 1000 (0 SSNs reported) http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection... [95] Approximately 1,000 patients were mailed information about themselves and other patients. According to the Hospital's website "equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages rather than one. This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated and mailed incorrectly." Information Source: records from this breach used in our total: 0 29 PHIPrivacy.net May 25, 2010 Loma Linda University Medical Center Loma Linda, California MED PHYS 500 (877) 558-6208 A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure. Information Source: records from this breach used in our total: 500 Dataloss DB May 25, 2010 AT&T/Ferrell Communication Jacksonville, Florida BSO DISC Unknown A woman got quite a surprise when she looked in her recycle bin. Someone had dumped hundreds of files of people's personal information. The manila folders that were found contained personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers. It appears the information was collected by another company called Ferrell Communication, which was located in a strip mall. It's no longer there, and the phone number listed isn't valid. The information is contracts for AT&T wireless service customers dating back to 1999 or 2000. The information is old, but could still be valid. Information Source: Dataloss DB May 25, 2010 records from this breach used in our total: 0 City of Charlotte Charlotte, North Carolina GOV PHYS 5,220 (888) 435-6031 The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost. The loss affects individuals who received health insurance from the city in early 2002. Two DVDs containing the Social Security numbers of the affected individuals failed to arrive at the offices of Towers Watson & Co., the city’s benefits consulting firm, in Atlanta. The discs also contained prescription-drug information for five individuals. Information Source: records from this breach used in our total: 5,220 Dataloss DB May 25, 2010 Local Coffee San Antonio, Texas BSR HACK Unknown Hackers may have gained access to credit and debit card information by exploiting Aloha software weaknesses. After a purchase at Local Coffee, a customer's debit card was canceled. This prompted Local Coffee to temporarily stop using Aloha. Another San Antonio eating establishment, Aldaco, also encountered hacking problems while using Aloha software. Information Source: Databreaches.net May 25, 2010 records from this breach used in our total: 0 Lincoln Financial Group Radnor, Pennsylvania BSF DISC 1,286 (0 SSNs reported) In 2002, 2008, and 2010 records of correspondence between agents and clients were misplaced. Technical errors caused the names, addresses, policies or contract numbers, account values, trade and transaction activities, and dates of birth of the clients to be accessible. 30 Information Source: records from this breach used in our total: 0 Databreaches.net May 25, 2010 Wells Fargo San Francisco, California BSF INSD 1,023 A former stock broker left the firm with the personal information of 1,023 clients. Names, addresses, Social Security numbers and brokerage account numbers were taken. Information Source: Databreaches.net May 25, 2010 records from this breach used in our total: 1,023 Wells Fargo San Francisco, California BSF INSD At least 5 A former Wells Fargo employee inappropriately held the pers onal information of clients . Law enforcement found documents containing names , dates of birth, Social Security numbers and mortgage loan account numbers when acting on a s earch warrant for the home of a former Wells Fargo team member. Information Source: Databreaches.net May 24, 2010 records from this breach used in our total: 5 Cheesecake Factory Washington, District Of Columbia BSR INSD Unknown Three servers from the Cheesecake Factory at 5345 Wisconsin Avenue were charged with using skimming devices to make over $117,000 in fraudulent charges to customer credit card accounts. Information Source: Databreaches.net May 24, 2010 records from this breach used in our total: 0 Lake Ridge Middle School Woodbridge, Virginia EDU PORT Over 1,200 (0 SSNs reported) A USB drive containing student names, identification numbers, phone numbers, and medical information was stolen from the unlocked car of a school administrator at the employee's home. Information Source: Databreaches.net May 22, 2010 records from this breach used in our total: 0 Staff Jennings Boats Portland, Oregon BSR DISC Unknown, at least two cases of SSN Sales documents dating back 20 years were found in a dumpster. The personal financial information of customers included Social Security numbers and information on purchases. Staff Jennings went out of business in April of 2010. Information Source: Databreaches.net May 21, 2010 records from this breach used in our total: 2 Aldaco's Mexican Cuisine San Antonio, Texas BSR HACK Unknown 31 Aldaco's Mexican Cuisine at Stone Oak had a data security breach. Customers were notified of fraudulent charges; some were from places outside of the U.S. Aldaco urged customers who had used their credit cards at the restaurant to cancel them. Information Source: Databreaches.net May 21, 2010 records from this breach used in our total: 0 Tufts University Medford, Massachusetts EDU HACK "Thousands" of alumni records, at least 2,000 Campus computers with former student files were exposed to a virus. Alumni may have had their Social Security numbers and other information exposed. Information Source: records from this breach used in our total: 2,000 Databreaches.net May 20, 2010 Rockbridge Area Community Services Lexington, Virginia MED STAT 500 On March 3rd, at least one computer and one laptop containing personal information were stolen. Information such as names and Social Security numbers may have been compromised. Information Source: Databreaches.net May 20, 2010 records from this breach used in our total: 500 Strong Memorial Hospital Rochester, New York Around 1250 (0 SSNs MED DISC and credit cards involved) Around half of all patient medical bills were sent to the wrong address. The billing statements included patient names, name and address of the person responsible for paying the bill, description of services received and the dates of services, dollar amount owed, health insurance plan and subscriber number. Information Source: Databreaches.net May 18, 2010 records from this breach used in our total: 0 The Vine Tavern and Eatery Tempe, Arizona Unknown, "thousands BSR PHYS of pages of sensitive information" Personal documents including applicant names, Social Security numbers, and dates of birth were found in a dumpster. Customer checks with banking information and credit card receipts were also found. Information Source: records from this breach used in our total: 0 NAID May 18, 2010 Capitol One McLean, Virginia BSF UNKN Unknown A fraud ring may have accessed customer information. The information included names, addresses, Social Security numbers, and other personal information. It is not known how the information was obtained or how many customers were affected. The information may have been accessed sometime between December of 2009 and February of 2010. 32 Information Source: Databreaches.net May 17, 2010 records from this breach used in our total: 0 Edward Waters College Jacksonville, Florida EDU DISC At least 210 Staff and prospective student names, Social Security numbers, driver's license numbers, and addresses were accessible to the public through a Google or Yahoo! search. The cause was a mistake in setting up software. Information Source: records from this breach used in our total: 210 Databreaches.net May 17, 2010 Silicon Valley Eyecare Optometry and Contact Lenses Santa Clara, California MED STAT 40,000 A computer and a plasma TV were stolen from the office on Friday April 2nd, 2010. The computer server contained patient names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information, medical records, and in some cases, Social Security numbers. The data were password protected. Information Source: records from this breach used in our total: 40,000 Databreaches.net May 15, 2010 Los Angeles Firemen's Credit Union Los Angeles, California BSF DISC Unknown An extremely small percentage” of member files were “not properly moved” when the CU relocated from an old location. The data that could have been compromised included members names, addresses, phone numbers, account numbers, Social Security numbers and other identifiers. The CU sought to reassure members that it did not believe any of their information had been compromised and that the CU had “state of the art protocols” available to validate member identifies. The CU also arranged for CU members who chose to do so to be able to enroll in a credit monitoring service for the next two years at no cost to them. Information Source: Dataloss DB May 15, 2010 records from this breach used in our total: 0 Mellow Mushroom Warner Robins, Georgia BSR HACK 2,000 Customers of the Mellow Mushroom eatery had their credit and debit card information hacked sometime around March 11th. Customers of other merchants have been affected, but a hack of Mellow Mushroom's processor is believed to be the source. Information Source: records from this breach used in our total: 2,000 Databreaches.net May 14, 2010 Department of Veterans Affairs Washington, District Of Columbia GOV PORT 616 The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an unencrypted laptop that had held the Social Security numbers and other information of 616 veterans. Theft of the laptop was owned by a contractor and not the VA. Information Source: Dataloss DB records from this breach used in our total: 616 33 May 14, 2010 Principal Financial Group Des Moines, Iowa BSF HACK Unknown, at least two from New Hampshire An unauthorized person using a valid employer password and user name accessed group contract number, member name, Social Security number, age and employment status of certain individuals with a connection to Principal Life Insurance. Information Source: Databreaches.net May 13, 2010 records from this breach used in our total: 2 Army Reserve/Serco Inc. Morrow, Georgia GOV PORT 207,000 A laptop containing the names, address and Social Security numbers of more than 207,000 Army reservists has been stolen from a government contractor in Georgia. A CD-Rom containing the personal identifiable information was in one of three laptops stolen from the Morrow, Ga., offices of Serco Inc., a government contractor based in Reston, Va. The other laptops did not contain sensitive personal information. Serco had a contract with the U.S. Army's Family and Morale, Welfare and Recreation Division, so some of the pilfered information also could belong to reservists' family members. Information Source: Dataloss DB May 11, 2010 records from this breach used in our total: 207,000 New Mexico Medicaid Santa Fe, New Mexico GOV PORT 9,500 (877) 453-8424 A employee of a subcontractor for the company that processes claims and provides dental benefits for the State’s Medicaid program, filed a stolen car report for a vehicle whose trunk contained an ”unencrypted” laptop loaded with patient information. The patient information in the laptop included name, health plan identification number, which in some cases is the individual’s Social Security number, and a provider identification number but not the name of the provider. The agency sent out a message today saying that it was in the process of notifying 9,500 New Mexicans who use its Medicaid Salud plan of a possible security breach. Information Source: Dataloss DB May 10, 2010 records from this breach used in our total: 9,500 Monarch High School, Plantation High School Coconut Creek, Florida EDU INSD 6 from Plantation and Monarch, 7 victims total A former teacher of Monarch High School received six months of house arrest for opening or attempting to open 17 credit cards in other people's names. Information Source: Databreaches.net May 7, 2010 records from this breach used in our total: 7 FHG Finance Pleasant Hill, California BSF DISC 300 The financial and personal details of about 300 property loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin. The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company padlocked the trash bin until the documents could be shredded. Information Source: records from this breach used in our total: 300 Dataloss DB 34 May 7, 2010 Fast Cash Knoxville, Tennessee BSF PHYS Unknown Hundreds, maybe thousands, of documents with personal information were dumped behind a shopping center. The documents scattered around a dumpster behind the business listing Social Security numbers, names, addresses, bank account numbers and signatures. Information Source: records from this breach used in our total: 0 Dataloss DB May 7, 2010 Bureau of Engraving and Printing Washington, District Of Columbia BSF HACK Unknown Hackers have caused the Bureau of Engraving and Printing (BEP), a part of the US Department of the Treasury, to shut down a number of websites. The BEP confirmed to IT PRO that the hosting company it uses experienced an intrusion and as a result of the breach numerous websites were affected, including non-BEP sites. Those URLs are: bep.gov; bep.treas.gov; moneyfactory.gov and moneyfactory.com. BEP has since suspended the website. The chief research officer at IT security company AVG, indicated that the BEP websites had a line of code injected into them. Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit packs which will carry the victim onto the second stage of the attack. The exploit kit determined that Java was the “best method” for infecting his test machine. Once infected, users' web browsers will start directing them to ads and “other nasty things” like rogueware. Information Source: records from this breach used in our total: 0 Dataloss DB May 4, 2010 Millennium Medical Management Resources Westmont, Illinois MED PORT 180,111 Health records belonging to patients were stolen in a break-in. The records were on a portable hard drive and stolen from the Westmont office of Millennium Medical Management Resources. Millenium believes the hard drive contained personally identifiable information about EHP patients including name, address, phone, date of birth, and Social Security number. In some cases other information such as diagnosis, procedure (and/or codes), medical record number, account number, drivers license number and health insurance info. It was NOT encrypted. Information Source: Dataloss DB April 30, 2010 records from this breach used in our total: 180,111 Our Lady of Peace Louisville, Kentucky MED PHYS 24,600 A flash drive containing personal information on 24,600 patients is missing from Our Lady of Peace psychiatric hospital. The drive contained the following information on patients admitted since 2002: patient names, room numbers, insurance company names and admission and discharge dates. It didn’t include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses for these patients. The drive also included the following information on patients assessed since 2009 but never admitted: name, date of assessment, date of birth and the time they left the hospital. For these patients, the information on the drive didn’t include diagnoses or treatments, Social Security numbers, telephone numbers, addresses or insurance information. Information Source: Dataloss DB April 30, 2010 records from this breach used in our total: 24,600 North Country Health Services Bemidji, Minnesota MED HACK 349 The online bill payment website was hacked. The credit card and debit card account information of customers who paid online was exposed. 35 Information Source: records from this breach used in our total: 349 PHIPrivacy.net April 29, 2010 St. Jude Heritage Medical Group Orange, California MED PHYS 20,000 (800) 627-8106 20,000 patients may have had their personal information stolen after a break-in at the St. Jude Heritage Healthcare Clinical Management Services building in Fullerton. The thieves stole five computers. The stolen patient data included Social Security numbers, dates of birth and in some cases, health related information. Information Source: Dataloss DB April 28, 2010 records from this breach used in our total: 20,000 The Medical Center Bowling Green, Kentucky MED PORT 5,418 The Medical Center at Bowling Green is notifying 5,418 patients whose medical information may have been breached when a computer hard drive was stolen. The computer hard drive was taken from the hospital's mammography suite and contained information from patients who underwent bone density testing between 1997 and 2009. Information Source: Dataloss DB April 28, 2010 records from this breach used in our total: 5,418 Montana Tech Butte, Montana EDU DISC 260 A Montana Tech employee mistakenly included the personal information of former students in an e-mail message sent to faculty, staff and students last week. The e-mail was an invitation to watch students present their research projects. But the file that this year's information was taken from included the names, addresses, Social Security numbers and in some cases birth dates of students whose research projects were done from 1998 through 2005. Information Source: records from this breach used in our total: 260 Dataloss DB April 26, 2010 South Carolina Department of Health and Environmental Control Columbia, South Carolina GOV PHYS At least 1,824 (0 SSNs and financial information reported) Over 1,800 people's information was found in a dumpster. It is not known what kind of personal information was included in the documents. Information Source: NAID April 23, 2010 records from this breach used in our total: 0 ESB Financial Ellwood City, Pennsylvania BSF DISC 3,097 ESB Financial officials announced that a data backup seven years ago had inadvertently been sent to an unauthorized storage source. Only checking and money-market account information was backed up to the incorrect outside data-storage company. A total of 3,097 customers could have been affected by the backup. Names, addresses, account numbers and, in some cases, Social Security numbers, would have been available to someone who found them on the Internet. However, the jumble of numbers would not have been easily recognizable and ESB was not identified as the source of the information. Information 36 Source: Dataloss DB April 23, 2010 records from this breach used in our total: 3,097 Blippy.com Palo Alto, California BSO DISC Unknown Blippy is a social Web service that lets users share with the world all their credit card transactions. One big problem though: Blippy appears to have inadvertently published some of its users' credit card numbers. Google search resulted in viewing of some of the credit card numbers. Information Source: records from this breach used in our total: 0 Dataloss DB April 23, 2010 Chattanooga State Chattanooga, Tennessee EDU PHYS 1,700 Nearly two thousand students records from Chattanooga State are missing. The company hired to scan the documents, mishandled them. The school took the records to a company, United Imaging in Walker County, where the papers would be converted to computer discs. The school was contacted by individuals who said there was something awry going on at this scanning site. That's when the school found their records in disarray, and brought them back. The papers included students' names, Social Security numbers, addresses, phone numbers, some even contained high school transcripts. Chattanooga State went through each item, hand by hand, and found nearly 2000 missing documents from 2007. Information Source: Dataloss DB April 23, 2010 records from this breach used in our total: 1,700 DRC Physical Therapy Plus Monticello, New York MED PHYS Unknown Officials have seized hundreds, perhaps thousands, of files containing Social Security numbers and other private patient information found dumped outside the shuttered office of DRC Physical Therapy Plus. The manila folders, dating back to at least 1998, include information sheets showing the names, addresses and birth dates of patients and, in some cases, Social Security numbers. Deputies impounded a dump truck loaded with patient files and about a dozen or so boxes stacked inside the bucket of a front-loader. Information Source: Dataloss DB April 23, 2010 records from this breach used in our total: 0 Hutcheson Medical Center Chattanooga, Tennessee MED PHYS Unknown Anyone who peered inside the mixed paper bin at the Dupont Recycling Center in May of 2009 got an eyeful. Files, in plain sight, which contained sensitive medical and identity information. Authorities don't know how those thousands of files got there. Some of the records came from Hutcheson and a plastic surgery office in the area. The information inside those files included graphic photos, and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB April 22, 2010 JE Systems Inc. Fort Smith, Arkansas BSF HACK Unknown The company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account. On Wednesday, Apr. 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account. Over the course of two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000. A few days later, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. It was their internet address that was used to process the payments, and their online banking user name and password. 37 Information Source: Dataloss DB April 21, 2010 records from this breach used in our total: 0 Massachusetts Eye and Ear Infirmary Boston, Massachusetts MED PORT 3,526 On February 19, 2010, a laptop belonging to a physician affiliated with the Massachusetts Eye and Ear Infirmary was stolen while the physician was lecturing in South Korea. The laptop belonged to a neurologist with a particular focus on ringing in the ears, or tinnitus. The following types of information about affected individuals associated with Mass. Eye and Ear may have been present on laptop, Names, Addresses, Telephone numbers, E-mails, Date of birth and age, Sex, Medical record numbers, Dates of service, Medical information, including diagnoses, symptoms, test results, and prescriptions, Name and contact information for patient pharmacies, and Research participant status. In addition, four individuals’ information also included their pharmacy insurance account number. Information Source: records from this breach used in our total: 3,526 Dataloss DB April 21, 2010 US Army Reserve Fort Totten, New York GOV PHYS 12,000 The Army is warning about 12,000 military and civilian personnel once associated with a reserve command based at Fort Totten that they should check their credit records, after discovering that it cannot locate files containing information that could make them vulnerable to identity theft. The records cover reservists from Long Island, New York City and upstate who were assigned to the 77th Regional Readiness Command and its subordinate units from 2001 until the unit was absorbed by the 99th Regional Support Command in 2008. The files were discovered missing when the new command asked for an accounting of the old unit’s records. They could have been burned, shredded or stolen. Information Source: Dataloss DB April 21, 2010 records from this breach used in our total: 12,000 Affinity Health Plan Bronx, New York MED PORT 409,262 Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive. Some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company. Affinity Health Plan says it has not had a chance to review the data found on the copier. The figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage. Information Source: records from this breach used in our total: 409,262 Dataloss DB April 21, 2010 Brooke Army Medical Center San Antonio, Texas MED PORT 1,272 An Army three-ring binder that may have included detailed information on soldiers and families being treated at Brooke Army Medical Center was stolen on Oct. 16 from a car belonging to a case manager. Names, phone numbers and health information of 1,272 patients being treated at hospitals may have been breached by the car break-in. Information Source: records from this breach used in our total: 1,272 Dataloss DB April 21, 2010 St. Mary and Elizabeth Hospital Women's Center Louisville, Kentucky MED STAT 77 patients (0 SSNs reported) 38 A hard drive was stolen from a locked area. Medical information such as biopsy images, patient names, and medical exams were on the stolen hard drive. Information Source: records from this breach used in our total: 0 PHIPrivacy.net April 18, 2010 Rapid Return Tax San Antonio, Texas BSF PHYS Dozens Dozens of legible tax documents were found among ashes in a dumpster outside of a tax return business. Social Security numbers may have been on the documents. This appears to be the result of a failure to burn all of the documents. Information Source: records from this breach used in our total: 0 Databreaches.net April 16, 2010 Blue Cross and Blue Shield of Rhode Island (BCBSRI) Providence, Rhode Island MED PHYS Approximately 12,000 A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a local nonprofit organization. The surveys were from 2001 to early 2004 and contained information such as names, Social Security numbers, telephone numbers, addresses and Medicare Identification numbers. Information Source: records from this breach used in our total: 12,000 Databreaches.net April 16, 2010 Higher Education Serives Corp. Albany, New York BSF DISC 1,433 A "process error" may have lead to Social Security numbers and last names going through Internet servers outside of HESC's control. Those who may have been affected received letters and free credit monitoring services. Information Source: Databreaches.net April 14, 2010 records from this breach used in our total: 1,433 Strategic Workforce Solutions, Tatum SFN division New York, New York BSO PORT Unknown The Tatum division of SFN (Strategic Workforce Solutions) notified employees that a portable electronic device was stolen from the trunk of a car. The device contained unencrypted files with names, addresses and Social Security numbers. Information Source: records from this breach used in our total: 0 Databreaches.net April 14, 2010 Lam Research Corp. Fremont, California BSO PORT Unknown A laptop containing the information of people regularly employed at Lam Research Corp. on or after January 1, 2009 was stolen from an employee's car. Temporary employees and contractors from August 1, 2007 and beyond may have also been affected. The information included names and Social Security number; however, it was protected by passwords and fingerprints checks. Information Source: records from this breach used in our total: 0 Databreaches.net 39 April 14, 2010 Bay Pines VA Medical Center Bay Pines, Florida GOV PHYS Nearly 800 (unknown number of SSNs) Up to 800 police files were left in an area where the general public could easily access them. Some of the files contained Social Security numbers, patient addresses, and treatment information. Information Source: records from this breach used in our total: 0 Databreaches.net April 13, 2010 Virginia Beach Dept. of Social Services Virginia Beach, Virginia GOV INSD Unknown At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients. The violations include a boss who forced her employees to gather information from a state database about her husband's child and a worker who checked on the status of a dead client's Medicaid benefits to help the client's family. Most of the cases stemmed from the agency's financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help. Information Source: Dataloss DB April 13, 2010 records from this breach used in our total: 0 St. Peter's Hospital Albany, New York MED INSD Unknown An East Greenbush man who worked as a medical records clerk at St. Peter's Hospital is accused of stealing personal information from patient's files to open credit card accounts. The man allegedly stole Social Security numbers and other personal information from patient's records, then used the data to open credit card accounts for making personal purchases online. The man was charged April 12 with five counts of felony second-degree forgery, three counts of felony seconddegree identity theft and three counts of misdemeanor second-degree criminal impersonation. Information Source: Dataloss DB April 13, 2010 records from this breach used in our total: 0 Lorillard Tobacco, General Agencies Welfare Benefits Program, National Gypsum, Towers Watson BSR PORT At least 1,874 Greensboro, North Carolina Two unencrypted DVDs containing employee information were lost in transit by a benefits consulting firm. Multiple organizations were involved. Benefits consulting firm Towers Watson notified Lorillard and the General Council on Finance and Administration, which administers the General Agencies Welfare Benefits Program, of the loss in February. The DVDs contained names, addresses, dates of birth, and Social Security numbers of current and former employees and their family members. UPDATE (6/22/2010): National Gypsum notified the New Hampshire Attorney General Office of the possible exposure of employee data related to this incident in June. Information Source: records from this breach used in our total: 1,874 Databreaches.net April 13, 2010 Room Store Annapolis, Maryland BSR PHYS Unknown A Maryland man found his own credit application lying on the ground near a dumpster. The dumpster contained thousands of old credit applications and some newer ones. The information included Social Security numbers, driver's licence numbers, names, addresses, and phone numbers. Room Store employees were doing a massive cleanup and unknowingly 40 dumped the bag of documents without shredding them. Information Source: Databreaches.net April 13, 2010 records from this breach used in our total: 0 Atlanta Firefighters Atlanta, Georgia GOV DISC 1000 While attending a seminar on security, Atlanta police officers were astonished to discover that personal information from city firefighters was being used as an example of what could be found on the Internet. The information included Social Security numbers, names and addresses. It is believed that the information was hacked and/or uploaded to a file sharing website from a city employee's off-site laptop. Information Source: records from this breach used in our total: 1,000 Databreaches.net April 12, 2010 Kern County Employee's Retirment Asociation Bakersfield, California GOV INSD 37,000 A former employee was convicted of using the Social Security number of a member to create a false identity. The county employee opened a line of credit and had committed felonies before being hired at KCERA in a position with access to retirees' personal information. Information Source: Databreaches.net April 9, 2010 records from this breach used in our total: 37,000 Hollywood Video Sparks, Nevada BSR PHYS Unknown This Hollywood Video like many others has closed. Hundreds, perhaps thousands of pieces of paper, receipts, records and worst of all membership forms, were exposed. It appears they were not even placed in the dumpster, but left out in the open and scattered everywhere by the wind. On these forms were names, addresses, birth dates, I-D numbers, credit card numbers and signatures. Information Source: records from this breach used in our total: 0 Dataloss DB April 9, 2010 Mad Capper Saloon & Eatery Stillwater, Minnesota BSR HACK 200 Police have received about 80 complaints of victims' whose credit cards have been compromised. The police have connected the scam to cards used at the Mad Capper Saloon & Eatery. The owner of the Mad Capper Saloon & Eatery has been cooperating with police, he is frustrated that somehow his 30-year-old business is linked to identity theft. The restaurant's owner, has taken steps to make sure his customers are protected. "We've looked into our credit card processing. We've looked into our software program -- our routers in the building, We've scanned everything -- combed it with a fine tooth comb and we can't find anything off of it, so its frustrating." UPDATE (4/10/10): The number of people affected is now nearing 200. Information Source: Dataloss DB April 9, 2010 records from this breach used in our total: 200 Charles Schwab Albany, New York BSF HACK Unknown A Russian national was sentenced to 37 months in prison for hacking into victims' brokerage accounts at Charles Schwab, laundering more than $246,000 and sending a portion back to co-conspirators in Russia. The man also sold approximately 41 180 stolen credit card numbers to a cooperating witness and directed that they be fabricated into credit cards. According to the indictment, from approximately September 2006 through December 2007 two men participated in a scheme to steal funds from bank and brokerage accounts by hacking into those accounts through the Internet, using personal financial information obtained through a Trojan computer viruses and then laundering the stolen proceeds. Information Source: records from this breach used in our total: 0 Dataloss DB April 9, 2010 Woodbury Financial Services Woodbury, Minnesota BSF PORT At least three A USB containing client names, Social Security numbers, addresses, and dates of birth went missing. The data was unencrypted. Woodbury is a broker with The Hartford. Information Source: Databreaches.net April 8, 2010 records from this breach used in our total: 3 St. Francis Hospital Tulsa, Oklahoma MED INSD 60 A Sand Springs woman has been indicted on allegations that she used personal identifying information she copied from her then-employer's computer system as part of a scheme involving fraudulent credit cards and stolen mail. The indictment, released Wednesday in federal court in Tulsa, a 45 year old woman, exceeded her computer-access authority at St. Francis Hospital to obtain information such as Social Security numbers and dates of birth of at least 60 people. Information Source: records from this breach used in our total: 60 Dataloss DB April 8, 2010 H&R Block Bronx, New York BSF INSD At least 20 Police are investigating whether former H&R Block employees received fraudulent tax refunds by using customer information. At least customers 20 have come forward, but there could be many more customers who were affected. Information Source: records from this breach used in our total: 20 Databreaches.net April 8, 2010 HBDirect.com Waterbury Center, Vermont BSO HACK Unknown A security breach resulted in the possibility that hackers accessed customer names, addresses, credit card information, email addresses and phone numbers. Customers who used the site between December 1, 2009 and February 10th, 2010 may have been affected. Information Source: records from this breach used in our total: 0 Databreaches.net April 8, 2010 ManorCare Health Services Wheaton, Maryland MED INSD Unknown Montgomery County's Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors' yards over the past few months. The county sent a nursing home inspector to investigate complaints from residents in the Wheaton Regional Park Civic Association who said they have found internal documents from the nearby ManorCare Health Services that contain patient conditions, names and Social Security numbers. The inspector cited ManorCare for inappropriate conduct. Information 42 Source: Dataloss DB April 7, 2010 records from this breach used in our total: 0 Bank of America Charlotte, North Carolina BSF INSD Unknown An IT staff member of Bank of America plead guilty to installing illegal software on Bank of America ATMs. The software caused the ATMs to erroneously dispense money; some of it may have affected customer accounts. Information Source: records from this breach used in our total: 0 Databreaches.net April 6, 2010 Amarillo Tex's Steakhouse Alton, Illinois BSO CARD At least four An employee made a deal with an outside party to allow a skimmer device to collect customer credit card information. Four people reported identity theft to the police, but it is unknown how many were affected. Information Source: Databreaches.net April 6, 2010 records from this breach used in our total: 4 Pediatric Sports and Spine Associates Brentwood, Tennessee MED PORT 955 A laptop was stolen from an employee on February 10. The theft occurred off-site. The laptop contained names, addresses, phone numbers, dates of birth, medical information and Social Security numbers. Information Source: PHIPrivacy.net April 6, 2010 records from this breach used in our total: 955 Providence Hospital Southfield, Minnesota MED PORT 12 The hospital has sent letters alerting patients that a hard drive used for backing up data has been "lost or stolen from a locked office suite. The hospital explained that the data included patient names, medical record numbers and/or clinical information, addresses and phone numbers of some employees, and what the hospital called proprietary businesses information. The hospital would not comment on how many patients may be affected, but said only 12 patients' Social Security numbers were on the hard drive. Information Source: Dataloss DB April 5, 2010 records from this breach used in our total: 12 John Muir Physician Network Walnut Creek, California MED PORT 5,450 John Muir Health, the Walnut Creek-based hospital system, has begun notifying 5,450 patients by mail of a potential breach of their personal and health information. Two months ago two laptop computers at the John Muir Physician Network Perinatal office in Walnut Creek were stolen. The laptops were password protected and contained data in a format that would not be readily accessible. External vendors and internal experts discovered that the missing laptops contained personal and health information going back more than three years. Information Source: Dataloss DB April 3, 2010 records from this breach used in our total: 5,450 Middletown City Public Works and Utilities Middletown, Ohio GOV PHYS Unknown 43 Middletown, Ohio A mound of city documents containing Social Security numbers, phone numbers and carbon copies of checks filled a Dumpster at Smith Park, where they were accessible to anyone. Countless junked records containing personal information for Middletown residents, along with blueprints, contracts and tax papers were found. Most appear to have originated in the city’s public works and utilities department, with a few from the police and finance departments. Somebody made a mistake and threw something away that should have been shredded. Information Source: Dataloss DB April 3, 2010 records from this breach used in our total: 0 Middletown City Government Building: Public Works, Utilities, Police, and Finance Departments GOV PHYS Unknown Middletown, Ohio Personal documents that originated from the city building were left in a dumpster. The documents contained Social Security numbers, phone numbers, and carbon copies of checks. Information Source: Databreaches.net April 2, 2010 records from this breach used in our total: 0 Naval Facilities Engineering Service Center Port Hueneme, California GOV PHYS 244 More than 200 employees were notified that a non-government entity may have seen their personal information. The nongovernment entity were lawyers for two of three workers who fought a security access suspension against them. It take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released. Information Source: Dataloss DB March 30, 2010 records from this breach used in our total: 244 Three Rivers Community College Norwich, Connecticut EDU HACK Unknown Three Rivers Community College may have suffered a security breach due to unauthorized access to its computer network. Data made vulnerable in the breach included names and Social Security numbers. Those affected would have been involved in the following programs during these years: 1997-2009: Participants in 2004-2009: Participants in 2003-2006: Participants in 2004-2006: Participants in the the the the Real Estate programs Life Long Learners programs Patient Care Technicians programs Certified Nursing Assistant programs 2004-2005: Participants in the Electric Boat academic programs 2007-2008: Participants in the Bridges to Health Care Careers programs 2006-2008: Participants in the Photons for Educators programs 2004-2009: Faculty or staff members of the Three Rivers Continuing Education office. Information Source: Dataloss DB March 30, 2010 records from this breach used in our total: 0 Boulder Community Hospital, Family Medical Associates Lafayette, Colorado MED PHYS At least 14 Anonymous letters were sent to at least 14 patients of the Family Medical Associates clinic in Lafayette. The letters contained Social Security numbers, medical records, dates of birth and names. The sender claimed that the clinic was improperly disposing patient personal information. Information Source: PHIPrivacy.net records from this breach used in our total: 14 44 March 29, 2010 Proxima Alfa Investments LLC New York, New York BSF PORT Unknown In November the firm discovered that several backup tapes were missing from its office. The tapes contained customer information such as names, e-mail addresses, addresses, phone numbers, Social Security numbers, bank account information, passport numbers and sometimes scans of passports. The firm ceased operations in mid-2009. Information Source: Databreaches.net March 29, 2010 records from this breach used in our total: 0 University MRI Diagnostic Center, Holy Cross Hospital, North Ridge Medical Center, and Oncology and Hematology Associates of West Broward , Florida MED INSD Unknown In Fort Lauderdale and Tamarac Florida A former employee of these organizations was involved in a identity theft scheme involving at least three other partners. The woman had access to patient records such as names, dates of birth, Social Security numbers, Medicare numbers, and addresses. The stolen information was used to obtain Care Credit accounts and Chevron Visa credit cards. Victims lost a total of approximately $162,000. Information Source: records from this breach used in our total: 0 Databreaches.net March 29, 2010 Griffin Hospital Derby, Connecticut MED INSD 957 (0 SSNs and financial documents reported) A former employee appears to have continued accessing patient names, medical information, dates of birth and medical record numbers. Patients received soliciting phone calls from a physician at another hospital. Information Source: PHIPrivacy.net March 27, 2010 records from this breach used in our total: 0 Laboration Corporation of America LabCorp Burlington, North Carolina MED PHYS Thousands Thousands of medical documents fell out of a truck bed while in transit. The scattered documents contained billing information and possibly medical records from 1993 or later. Information Source: Media March 26, 2010 records from this breach used in our total: 0 Educational Credit Management Corporation ST. Paul, Minnesota BSF PORT 3,300,000 ECMC, a guarantor of federal student loans, said that a theft has occurred from its headquarters involving portable media with personally identifiable information. The data was in two stolen safes and contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and Social Security numbers. No bank account or other financial account information was included in the data. UPDATE (4/16/10): The information was recovered shortly after the theft and discovered weeks later in a police evidence room. Information 45 Source: Dataloss DB March 25, 2010 records from this breach used in our total: 3,300,000 Evergreen Public Schools Vancouver, Washington EDU INSD 5,000 A 21-year-old former Evergreen Public Schools student has pleaded guilty to criminal charges in connection with a computerized payroll security breach that put more than 5,000 past and current Vancouver district school employees at risk of identity theft. The man had "shoulder-surfed" a password from an Evergreen school employee while still a student there. Information Source: records from this breach used in our total: 5,000 Dataloss DB March 25, 2010 Northwestern Medical Faculty Foundation Chicago, Illinois (877) 705-5544 legalinquiry@nmff.org MED INSD At least 245 [96] The Cook County Sheriff’s Department has uncovered an identity theft ring, a limited part of which may involve an employee of Millard Cleaning Service, the service contracted to clean the Foundation’s offices. The suspect may have stolen information from paper records, including names, dates of birth, Social Security numbers, and addresses. NMFF has reviewed the Sheriff’s Department’s list of identity theft victims in Illinois and other states. It has identified approximately 65 people who were recent patients of NMFF, and it is contacting those who are known identity theft victims and offering assistance. While the Sheriff’s Department has identified hundreds of other identity theft victims, the majority of them have no connection to NMFF and their personal information was not stolen from NMFF. UPDATE (3/25/10): At least seven individuals linked to the Millard Cleaning Service janitor have been connected to the theft ring. Information Source: Dataloss DB March 25, 2010 records from this breach used in our total: 245 New York State DMV , New York Over 200 (0 reports of GOV INSD SSNs or financial information) Two employees from the New York City office Seven people, including two former New York State DMV employees from New York City, were indicted in a theft ring. The identify fraud ring involved New York State driver's licenses, learner's permits, and identification cards. The information was then sold to felons. Fifteen other people were charged with buying the stolen information. Information Source: Databreaches.net March 25, 2010 records from this breach used in our total: 0 Valencia High School Valencia, California EDU INSD Unknown A student gained access to the entire district of Hart's system, but only went into his high school's portion. The student claimed he changed some things and then returned them. The student most likely used a password, but it is not known whether he used a district computer or a personal one. The district is providing one year of free credit monitoring services. Information Source: records from this breach used in our total: 0 Databreaches.net 46 March 25, 2010 Yuma Proving Ground Yuma, Arizona GOV HACK 700 A home computer that contained personnel data may have picked up a virus from the Internet. This breach puts employee names and Social Security numbers at risk. Information Source: Databreaches.net March 25, 2010 records from this breach used in our total: 700 Johns Hopkins University School of Education Baltimore, Maryland EDU DISC Unknown A file containing student enrollment information was accessible online. Student names, races, genders, Social Security numbers, identification numbers and dates of birth were accessible for at least one month. Information Source: Databreaches.net March 24, 2010 records from this breach used in our total: 0 Wachovia Alexandria, Washington BSF CARD Unknown A skimming device was spotted outside a Wachovia branch in Alexandria, Washington. It is estimated that over $60,000 in fraudulent charges was stolen from ATM customers of the Wachovia King Street branch. Information Source: Databreaches.net March 23, 2010 records from this breach used in our total: 0 H&R Block Chicago, Illinois BSF INSD 60 After Highland, Ind., police pulled over a driver for suspicion of driving under the influence. A search of the car uncovered a treasure-trove of evidence: a file box full of H&R Block client information, numerous blank W-2 forms, more than 100 debit cards and yellow legal pads with columns of Social Security numbers, PIN numbers, dates of tax filings and whether the returns had been accepted or rejected. The two women stole the identities of more than 60 H&R Block customers from the East Chicago branch. Fraudulent tax returns were then filed in their names since January, and refunds went to bank accounts set up by the two, the complaint alleged. IRS agents have found 17 bank accounts with deposits totaling almost $290,000. Information Source: records from this breach used in our total: 60 Dataloss DB March 23, 2010 Connecticut Office of Policy and Management Hartford, Connecticut GOV INSD 11,000 Police are investigating the theft of personal information — including Social Security numbers, names and addresses — from as many as 11,000 people who had applied for furnace rebate programs with the state. The investigation by Hartford and state police has led them to a woman who worked at the state Office of Policy and Management from May 2008 until May 2009. There have been no arrests. The state collected Social Security numbers because the refunds are federally taxable and the state was required to send a 1099 tax form to the recipients. Information Source: records from this breach used in our total: 11,000 Dataloss DB March 23, 2010 Montefiore Medical Center Bronx, New York MED PORT 625 (Unknown number of SSNs and financial accounts) 47 A laptop containing private health information was stolen on February 20th. Information Source: PHIPrivacy.net March 22, 2010 records from this breach used in our total: 0 Arkansas Crime Information Center Little Rock, Arkansas BSO INSD Unknown It appears that the owner of a bail bonds business accessed criminal, family, and financial background information by misusing a police password. The Arkansas Crime Information Center database was fraudulently accessed 1,200 times in less than one year. Information Source: records from this breach used in our total: 0 Databreaches.net March 22, 2010 Yuma Proving Ground Yuma, Arizona BSO HACK 700 The personal information of more than 700 Yuma Proving Ground employees may be at risk of identity theft because a home computer that contained their data may have been compromised. According to YPG spokesman, personnel information from 2005-2007, which included the names and Social Security numbers of the employees at that time, was being stored on the personal home computer of an employee of the installation's Resource Management Division. That information, which was being maintained by the Department of the Army, could have been compromised and possibly accessed during that time because the employee's computer may have picked up a virus from the Internet. Information Source: records from this breach used in our total: 700 Dataloss DB March 19, 2010 PNC Financial Services Group Inc. Dayton, Ohio BSF HACK Unknown PNC Financial Services Group is investigating a possible security breach involving some debit cards issued by the former National City Corp., which it acquired in December 2008. The problem surfaced when former National City customers began reporting unauthorized charges on their accounts. The breach involves a small number of cards in the Cincinnati area, and it appears to have been committed by someone outside PNC or National City prior to the merger. It doesn’t involve any PNCbranded cards or longtime PNC customers. PNC has shut down National City debit cards in the Cincinnati area and asks that customers who have not yet done so activate their PNC debit cards. PNC is working one-on-one with customers to refund accounts, and has been returning funds within 24 hours. Information Source: Media March 19, 2010 records from this breach used in our total: 0 National Realty and Investment Advisors, LLC Hoboken, New Jersey BSF HACK Unknown Certain consumer information was accessed without proper authorization on March 9, 2010. Names and addresses were accessed, as well as additional information that may have included Social Security numbers, dates of birth and/or account numbers. Information Source: records from this breach used in our total: 0 Dataloss DB March 19, 2010 MyPilotStore.com Scottsdale, Arizona BSO HACK Unknown 48 In February, it was discovered that a database containing customer names, addresses, e-mails, telephone numbers, and credit card information had been hacked. Some customers received phony charges to their accounts as a result of this hack. Information Source: Databreaches.net March 18, 2010 records from this breach used in our total: 0 California State University, Los Angeles (Cal State Los Angeles) Los Angeles, California EDU STAT 232 Cal State Los Angeles has notified 232 former students that a computer stolen from the mathematics department office last month may have contained personal information such as their Social Security numbers and grades. Information Source: Dataloss DB March 18, 2010 records from this breach used in our total: 232 Vanderbilt University Nashville, Tennessee EDU STAT 7,174 A professor's desktop computer, containing the names and Social Security numbers of 7,174 current and former students was stolen some time during the weekend of Feb. 6. Information Source: Dataloss DB March 18, 2010 records from this breach used in our total: 7,174 Mary's Pizza Shack Sonoma, California BSO HACK 50 The Plaza location of Mary's Pizza Shack has been identified as the target of Internet hackers who penetrated the restaurant's computer system with a "logger" virus that captured credit card numbers at the transaction terminal. Only credit card numbers were taken by the virus, Albano emphasized, no personal identification information, such as Social Security numbers or bank account records were exposed, although VISA and MasterCard debit accounts were apparently raided. Trustwave identified and removed the virus doing the damage. Information Source: records from this breach used in our total: 50 Dataloss DB March 17, 2010 Medical Office of Michael Branch, M.D. Lake Mary, Florida MED PHYS Unknown Police were looking for evidence of another crime when they found personal documents in the dumpster outside of a doctor's office. The doctor specializes in treating the ear, nose, and throat and claims there was nothing about patients in the documents. The doctor agreed to shred the documents while the police investigated whether or not patient information was compromised. Information Source: NAID March 16, 2010 records from this breach used in our total: 0 Albany Police Department (ADP Georgia) Albany, Georgia GOV DISC Unknown Sensitive city documents were found near a garbage can in an alley. The documents may have contained Social Security numbers. It is believed that officers failed to shred the documents and dispose of them properly. Information Source: records from this breach used in our total: 0 Databreaches.net 49 March 15, 2010 Pizza Hut Littleton, Colorado BSR DISC 5 Littleton Colorado Pizza Hut employee information was left in an envelope in a trash can. The envelope contained employment applications, Social Security numbers, and tax information. It also contained invoices. Information Source: Databreaches.net March 13, 2010 records from this breach used in our total: 5 St. Louis Metropolitan Police Department St. Louis, Missouri GOV HACK 24 24 people may have had their personal information compromised following the cyber attack of one computer in the St. Louis Metropolitan Police Department. The attack came through an e-mail. The department’s website was not attacked. The names, addresses and Social Security numbers of the 24 people may have been viewed. Information Source: Dataloss DB March 13, 2010 records from this breach used in our total: 24 John Hancock Financial Services Boston, Massachusetts BSF PORT At least 1,085 A CD that contained customer names, Social Security numbers, and dates of birth went missing. The CD was password protected and encrypted and credit monitoring services were offered to customers who may have been affected. Information Source: Databreaches.net March 13, 2010 records from this breach used in our total: 1,085 Beer and Wine Hobby Woburn, Massachusetts BSR HACK 35,000 (0 complete credit card numbers reported) Personal information may have been accessed during a breach of Beer and Wine Hobby's computer system. The personal information included partial credit card numbers. Information Source: Databreaches.net March 13, 2010 records from this breach used in our total: 0 TD Bank Mount Laurel, New Jersey BSF INSD Unknown A former TD Bank employee provided information to outside accomplices who stole over $200,000 from customer accounts. The insider passed along driver's license numbers and bank account numbers. Information Source: Databreaches.net March 13, 2010 records from this breach used in our total: 0 California Pizza Kitchen Plymouth Meeting, Pennsylvania BSR CARD Unknown A credit card thief and his partner used skimming devices to obtain credit card account information. The thief provided his partner with a skimming device while she worked at a California Pizza Kitchen in Plymouth Meeting, Pa. from 2008 to 2009. Around 26 customer credit cards were fraudulently charged. Information 50 Source: Databreaches.net March 13, 2010 records from this breach used in our total: 0 Beecher Carlson Boston, Massachusetts BSO PORT 1,012 Two laptops were stolen from employees attending an off-site company meeting in January. The laptops contained names and Social Security numbers for employees of Beecher Carlson’s clients, including 1,012 people who live in Massachusetts. Information Source: Dataloss DB March 13, 2010 records from this breach used in our total: 1,012 Nuance Communications Inc. Burlington, Massachusetts BSO PORT 1,191 Nuance Communications Inc., a Burlington speech technology company, reported a laptop stolen from a locked car in Burlington may have contained personal information such as names and Social Security numbers of 1,191 Massachusetts residents.The company notified its employees, installed security and encryption software on laptops, and purchased credit monitoring services for those workers whose information was on the laptop. Information Source: records from this breach used in our total: 1,191 Dataloss DB March 12, 2010 Beecher Carlson Holdings Inc. Atlanta, Georgia BSF PORT At least 1,012 Two laptops were stolen from employees while they were off-site. The laptops contained employee names and Social Security numbers. Many more people may have been affected since the total number of Massachusetts residents affected is 1,012. Information Source: Databreaches.net March 11, 2010 records from this breach used in our total: 1,012 monoprice.com Rancho Cucamonga, California BSR HACK Unknown The company took their web site offline, after it received e-mails and phone calls from several customers complaining about fraudulent charges on their debit and credit cards that they had used on monoprice.com. Information Source: Dataloss DB March 11, 2010 records from this breach used in our total: 0 First Convenience Bank Killeen, Texas BSF INSD Unknown A former employee sold customer information which led to the theft of at least $53,000 from customer accounts. Information Source: Databreaches.net March 11, 2010 records from this breach used in our total: 0 Bennett College Greensboro, North Carolina EDU HACK 1,100 A payroll computer was breached. Names, Social Security numbers, birth dates, pay rates, and bank transit numbers were exposed. 51 Information Source: Databreaches.net March 10, 2010 records from this breach used in our total: 1,100 Atlanta Veterans Affairs Medical Center Atlanta, Georgia MED INSD Unknown An assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years' worth of patient data and another held 18 years of medical information. The physician assistant's laptop was never connected to the VA network and any data she recorded on her laptop was hand entered. The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded. Information Source: Media March 10, 2010 records from this breach used in our total: 0 Thrivent Financial for Lutherans Mechanicsburg, Pennsylvania BSF PORT Unknown Thrivent Financial for Lutherans, Minneapolis, experienced a break-in at one of its offices in Pennsylvania. A laptop computer was among the items stolen. The laptop had safeguards to protect sensitive information, including strong password protection and encryption. But Thrivent Financial says the information stored on the laptop may be at risk. The information on the laptop included personal information, including names, addresses, Social Security numbers and health information. Information Source: Dataloss DB March 10, 2010 records from this breach used in our total: 0 Wickenburg Unified School District EDU Wickenburg, Arizona DISC 1,438 State auditors found that the District's network was accessible to unauthorized users. Backup servers were kept in an easily accessible room. Names, Social Security numbers, addresses and birth dates of students were left exposed. Information Source: Databreaches.net March 9, 2010 records from this breach used in our total: 1,438 LPL Financial Boston, Massachusetts BSF PORT Unknown An unencrypted portable hard drive was stolen from a car of an LPL representative. As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers may have been breached. Information Source: records from this breach used in our total: 0 Dataloss DB March 8, 2010 Arrow Electornics Melville, New York BSR PORT 4,004 A laptop containing current and former employee personal information was stolen. The information included names, Social Security numbers, addresses, telephone numbers, and some corporate and personal credit cards. Information Source: Databreaches.net records from this breach used in our total: 4,004 52 March 8, 2010 Huntington Place Senior Community Chalmette, Louisiana MED DISC Unknown Personal documents were found in the abandoned nursing home. The documents included names, Social Security numbers, medical records and dates of birth of patients. Information Source: PHIPrivacy.net March 8, 2010 records from this breach used in our total: 0 McNair Eye Center Heber Springs, Arkansas MED STAT 9,000 A computer server with patient personal information was stolen. Information Source: PHIPrivacy.net March 8, 2010 records from this breach used in our total: 9,000 Arrow Electronics Melville, New York BSO PORT 4,004 The theft of a laptop from the office of Arrow Electronics has resulted in the company notifying 4,004 current and former employees that their personal information was on the laptop. The laptop was stolen during a break-in on February 18. Personal information on the laptop included names, addresses, telephone numbers, and for some of those who used company Blackberry, wireless AirCard and calling card services, their Social Security numbers, some credit card information such as last four digits, security code, and expiration date. Information Source: Media March 7, 2010 records from this breach used in our total: 4,004 Randle Eastern Ambulance Service inc. Miami, Florida MED INSD Unknown A man and his wife who were previously charged with selling patient information in 2009, were charged with stealing personal informaiton of individuals transported by Randle Eastern Amubulance Service inc. (American Medical Response). The information was then sold to South Florida personal injury attorneys and clinics. The stolen information included names, telephone numbers, medical diagnoses, and addresses. They used the help of a former AMR employee. Information Source: records from this breach used in our total: 0 Databreaches.net March 6, 2010 Westin Bonaventure Hotel & Suites Los Angeles, California BSO HACK Unknown Westin Bonaventure Hotel & Suites four restaurants in Lake View Bistro, Lobby Court Bar, Bonavista Lounge and L.A. Prime., along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers' debit and credit cards. Information Source: Dataloss DB March 5, 2010 records from this breach used in our total: 0 Arkansas Army National Guard Camp Robinson, Arkansas GOV PORT 35,000 An external hard drive has gone missing. Approximately 35,000 current and former members of the Arkansas Army National Guard are affected by the loss. The drive included names, Social Security numbers and other personal information which potentially places the affected soldiers at risk for identity theft. 53 UPDATE (5/18/10): The external hard drive containing personal information on over 32,000 current and former Arkansas Guardsmen that was reported missing on February 22 has now been recovered and destroyed. The drive was reported missing by an Arkansas Soldier who used the device as a personal backup of his work related information. This included a copy of the Guard's personnel database which contained personal information on all Soldiers who have served in the Arkansas Army National Guard since 1991. Information Source: Dataloss DB March 5, 2010 records from this breach used in our total: 35,000 UT Southwestern Medical Center Dallas, Texas MED INSD 200 UT Southwestern recently sent out a mass mailing to 10,000 of its patients, claiming that a former employee disclosed patients' information to a third party that intended to use it for credit, loans and open bank accounts. UT Southwestern representatives claim 200 patients were actually affected. Information Source: Dataloss DB March 5, 2010 records from this breach used in our total: 200 University of Texas Southwestern Medical Center Dallas, Texas GOV INSD At least 200 A former employee was arrested on patient information and identity theft. The stolen patient information includes names, Social Security numbers, birth dates, addresses, phone numbers and financial data. The employee allegedly sold patient information to an outside party for the purpose of creating bank accounts and misusing credit and loans. Information Source: Databreaches.net March 5, 2010 records from this breach used in our total: 200 Hancock Fabrics Baldwyn, Mississippi BSR DISC Unknown Employee documents were found near a dumpster behind the Huntsville, Alabama store. The documents were not shredded and contained payroll records dating back to 2005 with Social Security numbers, names, and pay rates. Information Source: Databreaches.net March 4, 2010 records from this breach used in our total: 0 Wake Forest United Baptist Medical Center (WFUBMC) Winston-Salem, North Carolina MED PORT 554 A bag containing a document with the names and Social Security numbers of 554 patients was stolen from an employee's locked car. Information Source: Databreaches.net March 4, 2010 records from this breach used in our total: 554 Courage to Change Houston, Texas MED INSD Unknown The owner of the business used patient Medicaid information to fraudulently claim $968,583 from Medicaid between January of 2003 and September of 2006. Information Source: PHIPrivacy.net records from this breach used in our total: 0 54 March 4, 2010 Akel Business Services (also Silva Bookkeeping and Tax Services) La Mesa, California BSF INSD At least 32 A dishonest business owner filed fraudulent tax returns by using his clients' information. He also created fictitious identities by using the Social Security numbers of his clients' children. Information Source: records from this breach used in our total: 32 Databreaches.net March 3, 2010 Small Dog Electronics Waitsfield, Vermont BSR HACK 3,000 After Small Dog began collecting and matching customer donations for Haiti relief efforts, a hacker breached the website and began stealing customer credit card information. The breach lasted from December of 2009 to January of 2010. Information Source: Databreaches.net March 2, 2010 records from this breach used in our total: 3,000 Shands at UF Gainesville, Florida MED PORT 12,500 Shands at UF sent notification letters to about 12,500 people Monday warning them that a laptop containing their personal and medical information was stolen. An employee had uploaded the information onto his home laptop for work-related purposes. The laptop held information about patients referred to the gastroenterology clinical services department. Included were names, addresses, medical record numbers, and in the case of 650 patients, Social Security numbers. Information Source: Dataloss DB March 2, 2010 records from this breach used in our total: 12,500 Open Door Clinic of Greater Elgin Elgin, Illinois MED HACK 260 According to a lawsuit, the clinic stores patient information, including Social Security numbers, addresses, telephone numbers, insurance information and medical history on a file-sharing network. That network is accessible to employees’ personal laptops and home computers. A spreadsheet with information of about 260 of its patients was leaked as a result of the installation and use of file sharing software on computers containing patients’ personally identifiable information. Information Source: Dataloss DB March 2, 2010 records from this breach used in our total: 260 Family Health Center Reston, Virginia MED DISC Unknown Boxes containing patient information ended up in a dump. The easily accessible information included health history, surgeries performed, test results, pictures, insurance cards, bank account information and addresses. The boxes were traced back to Family Health Center on Town Center Parkway. Information Source: records from this breach used in our total: 0 PHIPrivacy.net March 2, 2010 Diabetes Direct Inc Juniper, Florida MED INSD Unknown A former employee is accused of stealing patient information to commit identity theft. The former employee also had multiple driver's licenses and was able to open utility, bank and credit accounts. 55 Information Source: Databreaches.net March 1, 2010 records from this breach used in our total: 0 US Bank Cleveland, Ohio BSF PORT Unknown A laptop was stolen from the desk of a financial adviser. The laptop contained personal information about bank customers. This occurred at the 5154 Wilson Mills branch in Cleveland, Ohio. Information Source: Databreaches.net February 28, 2010 records from this breach used in our total: 0 Wyndham Hotels & Resorts Dallas, Texas BSO HACK Unknown International hotel group Wyndham Hotels and Resorts (WHR) has suffered yet another serious data breach after hackers broke into its computer systems, stealing customer names and payment card information. UPDATE (5/18/10): An open letter from Wyndham to its customers: www.wyndhamworldwide.com/customer_care/dataclaim.cfm [97] Information Source: Dataloss DB February 27, 2010 records from this breach used in our total: 0 AT&T Chicago, Illinois BSF INSD Unknown A former employee of an unknown service provided for AT&T removed documents that contained customer credit card information. The information may have also included Social Security numbers, driver's license numbers, names and addresses. Information Source: Databreaches.net February 27, 2010 records from this breach used in our total: 0 GroupM New York, New York BSO PORT 1,501 Eight laptops were stolen from an office. They most likely contained unencrypted employee information such as Social Security numbers and bank account information. Information Source: Databreaches.net February 27, 2010 records from this breach used in our total: 1,501 California Business Bureau Inc., Medical Billing Services Monrovia, California MED INSD 8,861 A former employee accessed unencrypted files between December of 2006 and March of 2008. The files contained patient Social Security numbers, names, addresses, and dates of birth. Information Source: records from this breach used in our total: 8,861 PHIPrivacy.net February 27, 2010 Ameripath Palm Beach Gardens, Florida MED PORT Unknown 56 A laptop containing sensitive information was stolen from an employee. The data included names, Social Security numbers, and addresses for patients, employees, or both. Information Source: PHIPrivacy.net February 25, 2010 records from this breach used in our total: 0 Wyoming Department of Health Cheyenne, Wyoming GOV DISC 9,000 The personal information of about 9,000 children in the state's children's health insurance program could have been exposed on the Internet. The error resulted in the names, birthdays, Social Security numbers, addresses and phone numbers of Kid Care CHIP participants being accessible on an unsecured Web page for months. Information Source: Dataloss DB February 25, 2010 records from this breach used in our total: 9,000 Logic World Medical Houston, Texas MED INSD Unknown The owner and operator of Logic World Medical used the names, addresses, and account numbers of Medicaid beneficiaries to file false claims for payment of services and goods that he never provided. Approximately $1,101,865.37 was fraudulently claimed between April of 2004 and August of 2006. Information Source: records from this breach used in our total: 0 PHIPrivacy.net February 24, 2010 Citigroup New York, New York BSF DISC 600,000 AR-M450_20100223_180300223.pdf [98] About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number. Information Source: records from this breach used in our total: 600,000 Dataloss DB February 24, 2010 University of Washington Medical Center (UWMC) Seattle, Washington MED INSD 210 The UWMC sent letters to patients telling them that their Social Security numbers, credit card information, birth dates and addresses were accessed by dishonest persons. The personal information was found in the possession of a convicted felon who had ties to an employee who works with the hospital. The employee worked at NCO Financial Systems, a company which UWMC uses to process patient payments. Information Source: Databreaches.net February 24, 2010 records from this breach used in our total: 210 7-Eleven Sandy, Utah BSR CARD Unknown A skimming device monitored transactions at a gas station pump in Sandy, Utah. The device could have been active for 60 days before being discovered and was used to steal over $11,000. Information Source: records from this breach used in our total: 0 57 Databreaches.net February 22, 2010 SunTrust Bank Atlanta, Georgia BSF CARD Well over 200 Throughout the summer of 2009, four men put skimming devices on SunTrust Bank ATMs in the Florida counties of Hillsborough and Pinellas. Information Source: Databreaches.net February 19, 2010 records from this breach used in our total: 200 TennCare Nashville, Tennessee MED DISC 3,900 An electronic error caused information such as Social Security numbers for about 3,900 enrollees to be sent to incorrect addresses. The error was the result of a modification to the system that pulls addresses into an electronic file for TennCare, the state's expanded Medicaid program. Letters and cards that contained one or more pieces of personal information were sent to incorrect addresses. Information Source: Dataloss DB February 19, 2010 records from this breach used in our total: 3,900 Valdosta State University Valdosta, Georgia EDU HACK 170,000 http://www.valdosta.edu/notify/ [99] A Valdosta State server that was reported as being breached could have exposed the information of up to 170,000 students and faculty. Valdosta State officials reported the discovery of a breach on Dec. 11 and estimated it began on Nov. 11. The university said the grades and Social Security numbers of up to 170,000 students and faculty were exposed in the breach. Information Source: Dataloss DB records from this breach used in our total: 170,000 8,000 Not included in February 17, 2010 Cardiology Consultant Inc. Pensacola, Florida MED PORT total because Social Security numbers and financial information not involved. Cardiology Consultants Inc. today reported that a laptop used to process ultrasound images was stolen from one of its Pensacola offices. The computer did not contain patient financial information or Social Security numbers. The stolen computer did contain the first and last names, dates of birth, medical record numbers, exam dates and in some cases, the reason for the ultrasound. Information Source: records from this breach used in our total: 0 Dataloss DB February 17, 2010 Southern Illinois University Carbondale, Illinois EDU HACK 900 A computer security breach at Southern Illinois University may have put hundreds of alumni at risk of identity theft. A faculty member's computer in the Mathematics Department was found to be infected with malicious software. When the computer files were searched, university officials discovered there were Social Security numbers for approximately 900 students who took introductory math classes at SIU in 2004 and 2005 stored on the hard drive. Information 58 Source: Dataloss DB February 17, 2010 records from this breach used in our total: 900 Dairy Queen Hanceville, Alabama BSO HACK Unknown Hanceville police are cautioning residents to be on guard against a sophisticated debit card wire scam that has leached hundreds of thousands of dollars from customers whose card numbers have been stolen remotely from pay terminals at one or more local businesses. The primary target in the theft so far has been the Dairy Queen restaurant. It's unsure whether this is ultimately involving other businesses. At the Dairy Queen location, somebody has apparently tapped into the Internet server and hacked into the debit card system. They are printing the customers’ debit card numbers and using them all over California and Georgia. Information Source: Dataloss DB February 17, 2010 records from this breach used in our total: 0 T.G.I. Friday's (TGIF) Coon Rapids, Minnesota BSR CARD At least 5 A former employee used a skimming device to gain credit card information from customers of the Coon Rapids T.G.I. Friday's. The dishonest employee was involved with a partner who used skimming devices in a variety of locations throughout Minnesota. Information Source: Databreaches.net February 16, 2010 records from this breach used in our total: 5 New York Social Security Administration New York, New York GOV PORT 969 A computer disc containing detailed personal information about 969 New Yorkers was lost by a Social Security Administration employee traveling to Queens from the Bronx. The disc was lost as the employee was going to the Queens Social Security hearing office, and the information on it included administrative decisions, medical evidence and internal agency documents containing people’s names and Social Security numbers. Information Source: records from this breach used in our total: 969 Dataloss DB February 16, 2010 Eclipse Property Solutions St. Petersburg, Florida BSO INSD Unknown A St. Petersburg man has been charged with stealing customers' credit card numbers from a marketing company he worked for to buy nearly $30,000 in dinners, limos and other luxuries. The man and another employee, listened from their cubicles as co-workers repeated customer credit card information aloud to confirm accounts. Information Source: Dataloss DB February 15, 2010 records from this breach used in our total: 0 West Memphis Police Department Memphis, Tennessee GOV INSD Unknown FBI is investigating, after the security of the West Memphis Police Department's computer network was apparently compromised. The FBI had information that somebody had used a computer that shouldn't have used it. The suspect in the breach was a detective in the police department. Files containing the names and Social Security numbers of police department employees were stored on the computer network, making the employees vulnerable to identity theft. Information Source: records from this breach used in our total: 0 59 Dataloss DB February 12, 2010 Galeton, Gloves Inc. Mansfield, Massachusetts BSR HACK At least 89 The Gloves Inc. website for Galeton was hacked. Customer names, addresses, credit card numbers and expiration dates were exposed. Information Source: Databreaches.net February 12, 2010 records from this breach used in our total: 89 Daedalus Books Inc. Columbia, Maryland BSR HACK At least 1,285 A hacker accessed a database with customer information. The information included names, addresses, and credit card numbers from people who made orders between August 25, 2009 and November 23, 2009. Information Source: Databreaches.net February 12, 2010 records from this breach used in our total: 1,285 ING Fund Amsterdam, BSF DISC 106 Customer information was accessible through a web search from August of 2008 through January of 2010. The information included names, Social Security numbers, addresses, and account numbers of shareholders in New Hampshire and other locations. Information Source: records from this breach used in our total: 106 Databreaches.net February 11, 2010 Equifax Atlanta, Georgia BSF DISC Unknown An unknown number of current and former employees of credit reporting firm Equifax received W-2 forms in the mail with their Social Security numbers visible through a window on the envelope. Some of the tax forms mailed by Equifax's payroll vendor through the U.S. Postal Service had the Social Security number in a Control Number field, which was partially or fully viewable through the return address window. Information Source: Dataloss DB February 11, 2010 records from this breach used in our total: 0 University of Texas Medical Branch Galveston, Texas MED INSD 2,400 The University of Texas Medical Branch has mailed letters notifying 1,200 patients that sensitive information about them had been available to a woman charged with identity theft in an unrelated case. Officials sent out the letters this week after MedAssets, which the medical branch hired to assist with billing from third-party payers, warned of a security breach by one of its employees. Law enforcement officials notified MedAssets that a former employee had been arrested and charged with identity theft. The person also was alleged to have used a stolen identity to misrepresent herself and gain employment at Georgia-based MedAssets and had been involved in other instances of identity theft. That employee is implicated in a widespread identity theft investigation involving cases from Texas to Wisconsin and losses upward of $1 million. Update (3/9/10): 1,200 more letters were sent out to people who's financial information may have been exposed. Information Source: Dataloss DB records from this breach used in our total: 1,200 60 February 11, 2010 Lawrence Welk Resort BSR Escondido, California HACK 1,427 After its security system was disabled, customer credit and debit card information was exposed. The exposure of the information led to some unauthorized transactions. Information Source: Databreaches.net February 11, 2010 records from this breach used in our total: 1,427 Sandwich Board Cafe Greenwood Village, Colorado BSO INSD Unknown An employee used customer credit card information to purchase $200,000 worth of Wal-Mart shopping cards. Information Source: Databreaches.net February 10, 2010 records from this breach used in our total: 0 Wellpoint, Anthem/Blue Cross and Blue Shield Chicago, Illinois MED INSD Unknown A former employee accessed health care professionals' Social Security numbers, names, dates of birth, and home addresses. Between 2007 and 2010, the employee created fictitious identities and created e-mail addresses, opened bank accounts and credit card accounts. Information Source: records from this breach used in our total: 0 Databreaches.net February 9, 2010 California Department of Health Care Services Sacramento, California GOV DISC 50,000 The personal security of nearly 50,000 people may have been breached by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who printed and mailed the envelopes. Information Source: Dataloss DB February 9, 2010 records from this breach used in our total: 50,000 Ohio Department of Administrative Services Columbus, Ohio GOV DISC 6,000 Personal banking information for 6,000 state employees was inadvertently included in a e-mail distributed to dozens of payroll officers of state agencies. The e-mail from an unnamed administrative-services employee included an attached spreadsheet listing 6,000 state employees whose bank accounts are to be moved from National City Bank, which was bought by PNC Bank. Information Source: Media February 9, 2010 records from this breach used in our total: 6,000 Kansas City Art Institute Kansas City, Kansas EDU STAT 145 About 145 employees at the Kansas City Art Institute have been notified of potential identity theft in connection with the disappearance of a computer from the campus. An Apple computer that contained Social Security numbers, dates of birth and other personal information about the school's professors and staff employees was stolen from the human resource 61 office. Information Source: Dataloss DB February 6, 2010 records from this breach used in our total: 145 University of Texas, El Paso El Paso, Texas EDU DISC 15,000 University of Texas at El Paso is notifing students that their Social Security number were visible when their tax form was sent out. The University notified 15,000 students but they don't know exactly how many students were affected. UTEP blames a glitch in a machine used to fold letters when student’s forms were sent out. Some of the forms were folded in such a way that the document shifted on the envelope and allowed for the Social Security numbers to be visible through the mailing window on the envelope. Information Source: Dataloss DB February 6, 2010 records from this breach used in our total: 15,000 AvMed Health Plans Gainesville, Florida 208,000 MED PORT Additional 860,000 added June 3rd AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected. UPDATE (6/3/2010): The theft of the laptops compromised the identity data of 860,000 more Avmed members than originally thought. The total now nears 1.1 million. Information Source: records from this breach used in our total: 1,068,000 Dataloss DB February 5, 2010 Wyoming Department of Health Kid Care CHIP Cheyenne, Wyoming GOV DISC About 5,000 Applicants of the Wyoming Kid Care CHIP program had their information exposed online. Family home addresses and the Social Security numbers of children involved were available to the general public via a Google search. Information Source: Databreaches.net February 4, 2010 records from this breach used in our total: 5,000 Highmark Insurance Pittsburgh, Pennsylvania MED PHYS 3,700 Highmark was notifying some 3,700 members that documents containing their names, policy identification and Social Security numbers were missing, the second such data spill involving the region’s dominant health insurer in four months. In January, the company mailed a premium billing statement to Boscov’s Department Store, a client in Reading, according to Highmark. The envelope arrived damaged and torn and pages were missing. The pages included the names and other identifying information for some 3,700 members. Information Source: Dataloss DB February 4, 2010 records from this breach used in our total: 3,700 Ozarks Area Community Action Corporation Springfield, Missouri NGO DISC 250 62 The organization printed two 1099 forms on one piece of paper. They were supposed to separate them and send each to the rightful owner. Instead one person got both. The mistake sent tax forms and Social Security numbers to strangers. More than 500 landlords work with OACAC. On January 28, 2010, half of those landlords didn't receive tax forms. The other half got their forms and someone else's private information. Information Source: records from this breach used in our total: 250 Dataloss DB February 4, 2010 Ceridian Corporation Bloomington, Minnesota BSF HACK 27,000 A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet payroll system Dec. 22 and 23 Information Source: Dataloss DB February 4, 2010 records from this breach used in our total: 27,000 HyCentral Medical Supplies and Equipment Derry, New Hampshire MED INSD Unknown The owner of the business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims. Information Source: PHIPrivacy.net February 3, 2010 records from this breach used in our total: 0 Memorial Hermann Hospital Houston, Texas MED INSD At least one A former employee stole a document that contained the name, Social Security number, date of birth, and address from a deceased patient's medical records. Information Source: Databreaches.net February 3, 2010 records from this breach used in our total: 1 Dr. Barry Bupp's Dental Practice in Medical Commons One Greensburg, Pennsylvania MED PORT Unknown A laptop containing patient information was stolen. Information Source: Databreaches.net February 3, 2010 records from this breach used in our total: 0 Dr. Elie Abdallah's office in Medical Arts Building Greensburg, Pennsylvania MED PORT Unknown A laptop containing patient information was stolen. Information Source: Databreaches.net February 1, 2010 records from this breach used in our total: 0 West Virginia University Morgantown, West Virginia EDU DISC 53 Around 53 West Virginia University students’ personal information was available to others following an "operational error" during a routine update of tax information. The students’ 1098-T forms, which include their Social Security number and tax identification numbers, among others, were uploaded to the University’s 1098-T Web site. The forms are distributed to WVU students who are U.S. citizens who paid tuition during the 2009 calendar year. They can be used to claim federal tax credit. Students can typically access their forms on the site for tax purposes, but the error made the information viewable to any 63 WVU student on the site. Information Source: records from this breach used in our total: 53 Dataloss DB January 31, 2010 Iowa Racing and Gaming Commission Des Moines, Iowa GOV HACK 80,000 The Iowa Racing and Gaming Commission says someone gained access to a computer server that holds more than 80,000 records containing casino employee information. The person who hacked into the system had used a computer with an external account. The server contains records including names, birth dates and Social Security numbers. Information Source: Dataloss DB January 30, 2010 records from this breach used in our total: 80,000 Ameriquest Mortgage Company Apple Valley, Minnesota BSF INSD 100 A man working for Ameriquest Mortgage Company as a mortgage associate for only six weeks. Turned out to be a pretty fruitful month and a half for him -- and a pretty costly one to nearly 100 people and several financial institutions. Using personal information he lifted from the mortgage applications of nearly 100 people -- as well as mail and even items taken from gym lockers of a couple of hundred more. The man eventually stole more than $150,000 from at least eight banks. The man used stolen personal information to create fraudulent identification documents and checks, which he then used to obtain cash, pay for services and buy items. For example, he used one victim's identification to obtain a credit card through U.S. Bank. With that card, he wound up withdrawing $30,529.63 in cash from ATMs throughout Minnesota. Those withdrawals were charged to the victim Information Source: Dataloss DB January 28, 2010 records from this breach used in our total: 100 PricewaterhouseCoopers New York, New York BSO UNKN 77,000 The names, birth dates and Social Security numbers of 77,000 people were lost in their Chicago office. The people at risk for identify theft are those who were in the PERS and TRS system in 2003-04 as active or inactive employees or retirees. PricewaterhouseCoopers has agreed in a settlement to pay for credit monitoring and other security measures and cover any losses to individuals caused by its mishandling of the information. Information Source: records from this breach used in our total: 77,000 Dataloss DB January 28, 2010 Humboldt State University Arcata, California EDU HACK 3,500 A Humboldt State University computer infected with a virus may have exposed the personal information of 3,500 people employed by the school between 2002 and 2006. The computer was found to have a sophisticated virus that is used to steal login information. Information Source: Dataloss DB January 28, 2010 records from this breach used in our total: 3,500 University Medical Clinics Port St. Lucie, Florida MED PHYS Unknown Files containing Social Security numbers, phone numbers, patient names, and addresses were found in a trash bin outside of the clinic. A woman found the files and notified police after receiving an anonymous tip. 64 Information Source: NAID January 27, 2010 records from this breach used in our total: 0 Department of Commerce Washington, District Of Columbia GOV DISC Unknown A Department of Commerce employee inadvertently transmitted over the Internet a file containing the Personally Identifiable Information (PII) of Commerce employees to other Department employees. Although the Department employees were authorized to send and receive the PII, the transmission of the PII over the Internet in unencrypted form may have compromised their name and Social Security numbers. Information Source: Dataloss DB records from this breach used in our total: 0 7,300 Not included in University of California, San Francisco (UCSF) School of Medicine January 27, 2010 San Francisco, California MED PORT the total because information did not contain any Social Security numbers or other financial data A laptop containing files with information on 4,400 patients was stolen from a UCSF School of Medicine employee. Information “potentially exposed” included name, medical record number, age and clinical information, but the stolen laptop did not contain any Social Security numbers or other financial data. The same laptop also contained data for approximately 2,900 patients at Beth Israel Deaconess Medical Center in Boston Information Source: Dataloss DB January 27, 2010 records from this breach used in our total: 0 Seattle Municipal Court Seattle, Washington GOV INSD Unknown A former customer service representative sold the names and credit card information of court customers to ID thieves who then used the information to make fake credit cards in the victims' names. Information Source: Databreaches.net January 27, 2010 records from this breach used in our total: 0 Methodist Hospital Houston, Texas MED PORT 689 Methodist Hospital notified people that someone stole a laptop from an office at the Smith Tower in the Texas Medical Center. A thief took the laptop on January 18. The computer was attached to a medical device that tests pulmonary function and contained private health information and Social Security numbers. Information Source: records from this breach used in our total: 689 Dataloss DB January 22, 2010 Brio Tuscan Grille in Country Club Plaza Kansas City, Missouri BSR CARD 20 A man used a skimming device to obtain the credit card information of customers while working as a waiter at Brio Tuscan Grille of Kansas City, Missouri. UPDATE (7/26/10): The former employee was sentenced to three years of federal prison time for credit card fraud and mail fraud. He originally gained access to the customer information during July and August of 2008. His fraudulent purchases 65 totalled thousands of dollars. Information Source: records from this breach used in our total: 20 Databreaches.net January 21, 2010 Columbus Public Health Columbus, Ohio GOV UNKN Unknown An investigation is under way after hundreds of city health workers’ personal information was stolen. Investigators have identified a person of interest in connection with the stolen information. The person of interest was an employee within the department over the past three years. Current employees and those who previously worked at the department within the last three years may be affected Information Source: Dataloss DB January 21, 2010 records from this breach used in our total: 0 University of Missouri System Columbia, Missouri EDU DISC 75,000 About 100 people responded to an e-mail notifying students that their Social Security numbers may have been visible in the envelope window of a tax form sent by the University of Missouri System. More than 75,000 Form 1098-Ts were mailed. The four-campus system has no way of assessing how many envelopes displayed the numbers. Form 1098-T is an Internal Revenue Service form that reports tuition billed and paid. Campus Mail Services committed the folding errors. Information Source: records from this breach used in our total: 75,000 Dataloss DB January 19, 2010 CHASE Louisville, Kentucky BSF DISC Unknown CHASE customer information that was sold to another business was accidentally posted on a website. The information included names, addresses and bank account numbers. Information Source: records from this breach used in our total: 0 Databreaches.net January 18, 2010 Goodwill Industries of Grand Rapids Grand Rapids, Michigan NGO PORT Unknown A man broke into a Goodwill store and stole a safe, but instead of money that thief got the names, addresses, dates of birth, and Social Security numbers from thousands of people. Information Source: Dataloss DB January 18, 2010 records from this breach used in our total: 0 City of Oakridge Oakridge, Oregon GOV DISC Unknown A list of the names, addresses and Social Security numbers of employees of the City of Oakridge was sent out with monthly water bills in this town of about 1,400 households. The city has signed up all employees for a credit monitoring service. The city does not know how many people received the list of employee information in a newsletter included with their water bill Information Source: Dataloss DB records from this breach used in our total: 0 18,000 Not added to Defense Finance and Accounting Service/ Defense Department’s Document January 14, 2010 Automation and Production Service GOV DISC total No Social Security numbers or financial 66 Automation and Production Service Arlington, Virginia information was on the statements Pay statements containing names and sensitive information about the finances of about 18,000 recipients of a special pay for disabled retirees were sent to wrong addressees. The statements, a page of which contained information about annual increases in Concurrent Retirement and Disability Pay, mistakenly listed data including at least a portion of another recipient’s name, their bank or insurance company name, the amount of their allotment and the allotment type. There is “no indication” that any Social Security numbers, bank account numbers or phone numbers were listed on the erroneously mailed pages. Information Source: Media January 14, 2010 records from this breach used in our total: 0 Lincoln National Corporation Radnor, Pennsylvania BSF INSD 1,200,000 Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the Attorney General of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source. The unidentified source sent FINRA a username and password to the portfolio management system. "This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy." Information Source: records from this breach used in our total: 1,200,000 Media January 14, 2010 BlueCross BlueShield Chattanooga, Tennessee MED PORT 220,000 Additional locations: Memphis, Jackson, Knoxville, Nashville and additional locations in Tennessee The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. The hard drives containing 1.3 million audio files and 300,000 video files. The files contained customers' personal data and protected health information that was encoded but not encrypted, including: Names and BlueCross ID numbers. In some recordings-but not all-diagnostic information, date of birth, and/or a Social Security number. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk. UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761,an estimate made in March, to nearly 1 million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues. Information Source: Dataloss DB January 14, 2010 records from this breach used in our total: 220,000 Perinton Square Post Office Perinton, New York GOV PHYS 20 A group of thieves was able to obtain letters from an outdoor mailbox. They used the information to forge around $75,000 worth of checks; and affected 20 victims. Information Source: Databreaches.net January 12, 2010 records from this breach used in our total: 20 Suffolk County National Bank Long Island, New York BSF HACK 8,373 Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security 67 and accessing a server that hosted its online banking system. The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base. Information Source: Dataloss DB January 12, 2010 records from this breach used in our total: 8,373 SouthTrust Bossier, Louisiana BSF PHYS Unknown The financial planning company left sensitive retirement information in a publicly accessible dumpster. The information included account ID numbers, personal addresses, and Social Security numbers. Information about people living in Shreveport, Haughton, Minden, Monroe, Farmerville, Eros and Downsville, Louisiana was found. Information from people living in Orange, Port Neches, Vidor and Deweyville, Texas was also found. Information Source: NAID records from this breach used in our total: 0 15,500 Not added to January 12, 2010 Valley Kaiser, Kaiser Permanente Sacramento, California MED total because no Social Security numbers or PORT financial information of patients were on the device Additional location: Fresno, CA An electronic storage device stolen from an employee's car in Sacramento last month contained health information from 15,500 patients, including about 800 in the Fresno area. Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment. Information Source: Dataloss DB January 6, 2010 records from this breach used in our total: 0 Eugene School District Eugene, Oregon databreach@4j.lane.edu [100] , EDU HACK Unknown (541) 790-7730 Hackers breached the security of a computer server containing the names, phone numbers and employee ID numbers of current and former Eugene School District employees. The server in question did not contain other personal information but was attached to servers that contain Social Security numbers and other sensitive data. It is possible that the individuals responsible may have accessed names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information for current and former staff members. Information Source: Dataloss DB January 5, 2010 records from this breach used in our total: 0 Housing Authority of New Orleans (HANO) Algiers, Louisiana GOV PHYS Unknown Personal documents relating to section 8 were left in an unsecured and abandoned office. The documents included copies of birth certificates, driver's license numbers, pay stubs, and Social Security cards. Information Source: records from this breach used in our total: 0 NAID 68 January 5, 2010 Metropark Los Angeles, California BSR DISC Unknown Personal documents were found at the Palisades Mall in West Nyack, New York. The documents had names, Social Security numbers, contact information, and other personal information. They appeared to be mishandled applications from a clothing store called Metropark. Information Source: Databreaches.net January 3, 2010 records from this breach used in our total: 0 Logan International Airport Boston, Massachusetts GOV INSD 16 A Lynn couple is accused of selling the identities of at least 16 TSA workers at Logan. The ID data was taken by a female TSA contract worker who is related to one of the two Lynn suspects. The couple got the stolen TSA employee names from their niece, a contract clerical worker in the TSA human resources department at Logan. She no longer works there. The couple sold the names, Social Security numbers and dates of birth for $40 each to a contact who set up phony cable, gas and cell phone accounts Information Source: Dataloss DB January 1, 2010 records from this breach used in our total: 16 collective2.com Tenafly, New Jersey BSO HACK 25,000 Users of the do-it-yourself trading site collective2.com received an “urgent” e-mail notifying them that the company's computer database had been breached by a hacker and that all users should log in to change their passwords immediately. That e-mail stated that the information accessed by the hacker included names, e-mail addresses, passwords and credit card information. Information Source: records from this breach used in our total: 25,000 Media January 1, 2010 Washington Department of Corrections Tumwater, Washington GOV PHYS 43 A briefcase full of sensitive personnel records was stolen from the vehicle of a Larch Corrections Center manager. Larch human resources manager reportedly took the records home over last weekend to review them, then left his briefcase on the seat of his car while he worked out at the 24-Hour Fitness Center. While he was inside, someone smashed a window in the car. He returned to find the briefcase and 43 files missing. Others had spilled out of the briefcase inside the car. He took the files home to conduct an annual review required by the U.S. Department of Homeland Security. The files contained forms known as I-9s, which provide documentation that employees are legally able to work in the United States. They included driver’s license and Social Security information such as home addresses and dates of birth. Information Source: Dataloss DB January 1, 2010 records from this breach used in our total: 43 Netflix Los Gatos, California BSO UNKN 100 million not added to total A class action suit was filed against Netflix, Inc., in United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.” According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a 69 numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the complaint cites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers. Information Source: Media December 31, 2009 records from this breach used in our total: 0 Eastern Washington University Cheney, Washington EDU HACK 130,000 Eastern Washington University is trying to notify up to 130,000 current or former students whose names, Social Security numbers and dates of birth were on a computer network involved in a security breach. The student information goes back to 1987. The notification process could take up to two weeks. The University recently discovered the breach during an assessment of its network. Information-technology staff also discovered that the hacker installed software to store and share video files on the system. Information Source: Dataloss DB December 31, 2009 records from this breach used in our total: 130,000 Time Inc. New York, New York MED INSD Unknown A customer service center employee may have misused customer credit card information. Information Source: Databreaches.net December 28, 2009 records from this breach used in our total: 0 Providence Health Portland, Oregon MED DISC 4,500 Providence Health Plans is re-issuing thousands of insurance cards after personal information was accidentally sent to the wrong policy-holders. Officials with Providence Health Plans say about 4,500 mailings were sent out with the incorrect group and member ID numbers, meaning that some policy holders received others’ information. Officials noticed the problem Monday. Information Source: Dataloss DB December 23, 2009 records from this breach used in our total: 4,500 Penn State University University Park, Pennsylvania EDU HACK 30,000 The University sent out letters notifying those potentially affected by malware infections, which are believed responsible for breaches. The areas and extent of the records involved in the malicious software attack included Eberly College of Science, 7,758 records; the College of Health and Human Development, 6,827 records; and one of Penn State's campuses outside of University Park, approximately 15,000 records. Information Source: records from this breach used in our total: 30,000 Dataloss DB December 22, 2009 Western Michigan University Kalamazoo, Michigan EDU DISC Unknown University officials discovered that student employee information was viewable online. The information included names, addresses and Social Security numbers. Information 70 Source: Databreaches.net December 18, 2009 records from this breach used in our total: 0 Dickinson School of Law Carlisle, Pennsylvania EDU HACK 261 A computer in the Dickinson School of Law that contained 261 Social Security numbers from an archived class list was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. Information Source: Dataloss DB December 17, 2009 records from this breach used in our total: 261 North Carolina Libraries Raleigh, North Carolina EDU HACK 51,000 Library users at 25 campuses, were the victims of a security breach in August. The libraries collect drivers license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson. Information Source: Dataloss DB December 15, 2009 records from this breach used in our total: 51,000 U.S. Army Fort Belvoir, Virginia GOV PORT 42,000 http://www.army.mil/-news/2009/12/16/31955-laptop-containing-personal-information-about-mwr-customers-stolen/ [101] A laptop computer belonging to a Family and Morale, Welfare and Recreation Command (FMWRC) employee was stolen. Types of information compromised included name, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone number and family member information. Information Source: Dataloss DB December 15, 2009 records from this breach used in our total: 42,000 RockYou Redwood City, California BSR HACK Unknown The security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the the service's entire list of user names and passwords in the database. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that's not before at least one hacker gained access to what they claim is all of the 32 million accounts. 32,603,388 to be exact. The database included a full list of unprotected plain text passwords and email addresses. Information Source: records from this breach used in our total: 0 Dataloss DB December 15, 2009 The Beijing Center for Chinese Studies Chicago, Illinois EDU PORT Unknown (877) TBS-5060 http://www.thebeijingcenter.org/securityqns [102] A Stolen laptop exposes applications for study abroad students. Names and Social Security numbers exposed. unknown number of NH residents affected. 71 Information Source: Dataloss DB December 15, 2009 records from this breach used in our total: 0 Detroit's Health Department Detroit, Michigan GOV PORT 5,000 (877) 737-4780 Police are investigating two incidents in which patients' medical records -- including social security numbers -- were stolen from the city's health department. The first theft occurred in late October when a flash drive was stolen from a health department employee's car. It contained files with birth certificate information for babies born in 2008 and the first half of 2009 whose parents reside in the 48202 and 48205 zip codes. Also a part of the files were information on the mothers' names and health conditions, the fathers' names, addresses, Medicaid numbers and social security numbers. The second incident happened over the Thanksgiving break when five computers were stolen from the immunization program at the department's Herman Kiefer Health Complex. One of the computers contained Medicare and Medicaid seasonal flu billing information for 2008. Information Source: Dataloss DB December 11, 2009 records from this breach used in our total: 5,000 Lookout Services Bellaire, Texas BSO DISC 500 The state of Minnesota has directed all of its agencies to stop using a Texas company state officials hired to verify the identities of new employees. A state official told MPR News that it is notifying some 500 employees that their personal data -including names, dates of birth and Social Security numbers -- may have been accessible on the company's Web site. For more than three months, state agencies have used Lookout Services of Bellaire, Texas, to verify that new hires are authorized to work in the United States. The state had paid the company $1.50 a name to run employee data through the federal Department of Homeland Security's E-Verify program, which confirms that a worker has legal status and a valid Social Security number. Information Source: Dataloss DB December 10, 2009 records from this breach used in our total: 500 Bushland Elementary School Bushland, Texas EDU PHYS 100 A Potter County school district has improved security protecting its student records after paperwork containing Social Security numbers, family incomes and student addresses was discovered at a recycling site in Canyon. The documents listed names of about 100 students at Bushland Elementary School who were eligible for free or reduced-price meals through a federal program during the 2003-04 and 2005-06 school years. Applications for subsidized meals from more than 20 families included their Social Security numbers, incomes, addresses and phone numbers. Information Source: Dataloss DB December 7, 2009 records from this breach used in our total: 100 Gateway Community College New Haven, Connecticut EDU HACK Unknown The College attempted to notify potential victims of a breach caused by malware discovered on campus computers. College alumni who donated to the College, potential donors, and students receiving scholarships between 2004 and 2006 may have been affected. Information Source: Databreaches.net December 5, records from this breach used in our total: 0 Wake County Schools EDU DISC 5,000 72 2009 Raleigh, North Carolina EDU DISC 5,000 The Wake County school system accidentally sent out about 5,000 postcards with students' Social Security Numbers printed on the front. Wake schools mailed about 15,000 reminders asking parents to specify if they want to keep their children in magnet or traditional calendar schools. About a third of those cards had the Social Security Numbers printed alongside the child's name - a holdover from recent years when those nine-digit numbers were used to identify students. Information Source: records from this breach used in our total: 5,000 Dataloss DB December 4, 2009 Eastern Illinois University Charleston, Illinois EDU HACK 9,000 A computer was compromised by a virus. That caused the university’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server. The incident was discovered during a routine security check. The investigation later determined the breach extended to two other computers with personal data from student files or applications. Information Source: Dataloss DB December 4, 2009 records from this breach used in our total: 9,000 MedSolutions Raleigh, North Carolina MED DISC Unknown For a period of time that has not been clearly defined the name, address, email, and taxpayer ID number (which in some cases is the physician’s Social Security number) for an undetermined number of NC physicians could be viewed on the MedSolutions website. Access to this information apparently was not limited to physicians or physician staff. Based on the information available at the time of this posting, any person with an email address could enter physician names and view the information. Information Source: Dataloss DB December 4, 2009 records from this breach used in our total: 0 University of Nebraska Omaha, Nebraska EDU HACK 1,400 A computer in the College of Education and Human Sciences at the Lincoln campus was breached. The security breach was discovered last month at the University of Nebraska involving the names, addresses and Social Security Numbers of 1,400 Hinsdale High School District 86 graduates. The University's investigation revealed the computer had not been adequately secured, allowing unauthorized external access to the computer and its information. Information Source: Dataloss DB December 4, 2009 records from this breach used in our total: 1,400 Eastern Illinois University Charleston, Illinois EDU HACK 9,000 A computer was compromised by a virus. That caused the University’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server. The incident was discovered during a routine security check. The investigation later determined the breach extended to two other computers with personal data from student files or applications. Information Source: records from this breach used in our total: 9,000 Dataloss DB December 4, Deo B. Colburn Foundation Scholarship EDU DISC 341 73 2009 Lake Placid, New York EDU DISC 341 If you received the Deo B. Colburn scholarship for the 2003-04 academic year, your Social Security number may have been made public. Hundreds of Social Security numbers of former students from all over the northern Adirondacks, including Lake Placid, were released onto the Internet, potentially compromising those people's credit and financial status. Information included names, addresses, academic institutions, the amount of money recieved and Social Security numbers of the scholarship recipients. Information Source: records from this breach used in our total: 341 Dataloss DB December 1, 2009 Children's Hospital of Philadelphia Philadelphia, Pennsylvania MED PORT 942 A laptop computer containing Social Security Numbers and other personal information was stolen from a car outside an employee's home on Oct. 20. The billing information on the computer was password-protected, but an analysis found it was possible to decode the security controls on the laptop and gain access to the personal information. Information Source: Dataloss DB November 29, 2009 records from this breach used in our total: 942 Salem Housing and Community Services Salem, Oregon GOV DISC Unknown Sloppy handling of confidential records by a state agency in Salem left people's names, Social Security numbers, ages and addresses exposed in an open recycling bin outdoors. In a separate security lapse by another state agency, confidential records with the names and Social Security numbers of former state parks and recreation employees landed in the same recycling bin. Information Source: records from this breach used in our total: 0 Dataloss DB November 26, 2009 Penn State University Park, Pennsylvania EDU HACK 303 A Penn State professor's grade book from 2001 to 2004 that contained 303 students' Social Security numbers, among other personal information, was found to be compromised by a computer virus. Information Source: Dataloss DB November 25, 2009 records from this breach used in our total: 303 Aurora St. Luke's Medical Center Milwaukee, Wisconsin MED PORT 6,400 6,400 people who were in-patients at St. Luke's are being warned that their name, Social Security number and other information may have landed in the hands of thieves, due to a stolen laptop computer. All of the at-risk individuals were cared for there at some point by a hospitalist, a physician other than the patient's primary care doctor, who works for an independent physician group called Cogent Healthcare. The computer was stolen from a locked office in a secure physician office building that is located adjacent to the hospital; the computer belonged to an employee of Cogent Healthcare of Wisconsin. Information Source: Dataloss DB November 24, 2009 records from this breach used in our total: 6,400 ACORN San Diego, California BSO DISC Unknown 74 Documents that contained personnel information were accidentally thrown away in a dumpster. San Diego staff were doing an office clean-up in preparation for a major 10-station phone bank program being set up in their offices; it appears that included in the piles of garbage being thrown out there were some documents containing private information. Information Source: records from this breach used in our total: 0 Dataloss DB November 23, 2009 Hancock Fabrics Baldwyn, Mississippi BSR HACK At least 140 Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that are tied to transactions conducted with the Hancock Fabrics retail chain. The Hancock Fabrics store in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. The store had recently replaced its point-of-sale machines. At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts. Information Source: Dataloss DB November 21, 2009 records from this breach used in our total: 140 Notre Dame University Notre Dame, Indiana EDU DISC Unknown Notre Dame is warning university employees to keep an eye on their bank accounts after a security breach.Personal information of some past and current employees - including name, Social Security number and birth date - was accidentally posted onto a public website. The error was corrected and the information removed from the website. Information Source: records from this breach used in our total: 0 Dataloss DB November 20, 2009 University Medical Center Las Vegas, Nevada MED INSD Unknown Someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries. Private information about accident victims treated at University Medical Center has apparently been leaking for months, allegedly so ambulance-chasing attorneys could mine for clients. UPDATE (4/29/10): A man was indicted today by a federal grand jury in an alleged conspiracy to pay a University Medical Center employee for private information about traffic accident victims that was used to drum up clients. The man was indicted on one count of conspiracy to illegally disclose personal health information, in violation of the Health Insurance Portability and Accountability Act, better known as HIPAA. Between January and November 19, 2009 the man allegedly conspired with people, including a UMC employee, to use hospital "face sheets" to solicit personal injury cases for attorneys. The UMC employee faxed the registration sheets of trauma patients to the man on at least 55 occasions and was paid about $8,000, the indictment said. The U.S. Attorney's press release said theh man has been summoned for a May 14 hearing. If convicted, he faces up to five years in prison and a $250,000 fine. Information Source: Dataloss DB November 20, 2009 records from this breach used in our total: 0 Johns Hopkins Medicine Baltimore, Maryland MED INSD 100 A woman who worked as a patient services coordinator for Johns Hopkins Medicine has been sentenced to 18 months in prison for stealing patient information. Thirty-one-year-old woman of Baltimore was also ordered to pay more than $200,000 in restitution. According to her plea agreement and court documents, from August 2005 to April 2007, the woman provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Information Source: records from this breach used in our total: 100 75 Dataloss DB November 19, 2009 TAD Gear San Francisco, California action@tadgear.com BSR HACK Unknown [103] TAD Gear recently learned that their database was illegally accessed from an external source, and it appears that some customer data was taken, which may include customer names, contact information and credit card data. The possibility of a security breach came to their attention when certain customers notified them that unauthorized charges had appeared on their credit cards. Upon learning of the potential breach of security, TAD Gear immediately initiated an investigation, and took corrective steps. Information Source: records from this breach used in our total: 0 Dataloss DB November 19, 2009 FCI USA Manchester, New Hampshire BSO PORT 2,000 An employee's laptop was stolen. The laptop contained a spreadsheet with Social Security numbers, dates of birth and names for 2,000 employees. Information Source: Databreaches.net November 18, 2009 records from this breach used in our total: 2,000 Universal American Action Network St. Petersburg, Pennsylvania MED DISC 80,000 Thousands of Pennsylvanians are at risk for identity theft because postcards were sent to their homes with their Social Security numbers printed in plain view. The postcards were from the Universal American Action Network, a subsidiary of Universal American Insurance. 80,000 postcards with SSNs on them were sent to Universal clients throughout the country. More than 10,000 were mailed to Medicare participants in Pennsylvania. Information Source: records from this breach used in our total: 80,000 Dataloss DB November 18, 2009 Health Net Shelton, Connecticut MED PORT 1,500,000 The personal information for almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net six months ago. Health Net is a regional health plan and the drive included health information, Social Security number and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed, but not encrypted, although a specialized computer program is required to read it. Patients in Arizona, New Jersey and New York were also affected. UPDATE(1/22/10): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA. UPDATE(7/7/10): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident. Information Source: Dataloss DB November 17, records from this breach used in our total: 1,500,000 Nebraska Workers' Compensation Court GOV HACK Unknown 76 2009 Omaha, Nebraska GOV HACK Unknown Someone broke into a server that temporarily held injury reports. Whenever a worker has a job-related injury, a report is filed with the Workers' Compensation Court and the information is temporarily stored on that server. Personal information, including birth dates and Social Security numbers, would have been on the server. Information Source: Dataloss DB November 10, 2009 records from this breach used in our total: 0 Obsidian Financial Group Woodbury, New York BSF INSD Unknown A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left. Information Source: records from this breach used in our total: 0 Dataloss DB November 7, 2009 Renal Treatment Centers Southeast, DaVita Inc. Denver, Colorado MED STAT Unknown Multiple desktop computers were stolen from a facility in Dallas. The computers contained the names, addresses, Social Security numbers, insurance numbers, and other personal information of patients. Information Source: records from this breach used in our total: 0 PHIPrivacy.net November 6, 2009 National Archives and Records Administration College Park, Maryland GOV STAT 250,000 The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house. UPDATE (1/12/2010):There was a rather large amount of data on this hard drive -- as much as two terabytes of data. The NARA is having to, in effect, do a forensic analysis to try to identify individuals and their information. They had a rolling production of notices to individuals. It had been 26,000, and then their forensic contractor came up with a new group, which was as many as 150,000 names. UPDATE (1/27/2010) Media stories now put the number of records involved at 250,000. Information Source: Dataloss DB November 6, 2009 records from this breach used in our total: 250,000 Chaminade University Honolulu, Hawaii EDU DISC 4,500 www.chaminade.edu/infosecure [104] infosecure@chaminade.edu Chaminade University inadvertently posted confidential information, including Social Security numbers, of thousands of students, on its Web site for months. An investigation determined the report was placed on obscure -- though publicly accessible -- Web pages because of human error, according to a university news release. The information was accessible for about eight months, although there is no evidence of its use, officials said. The university estimates that personally identifiable data for 4,500 students were in the report. Those affected include undergraduate students who attended the university from 1997 to 2006. 77 Information Source: Dataloss DB November 6, 2009 records from this breach used in our total: 4,500 MassMutual Springfield, Massachusetts BSF HACK Unknown According to MassMutual, a "limited amount" of personal employee information maintained in a database by an outside vendor may have been subject to unauthorized access. The vendor engaged a forensics team to investigate, and at this time they believe that no misuse of the information or fraudulent activity involving the data has occurred. This database does not include client or field representative information; it also did not contain personal Social Security or bank account information, according to the company. Information Source: Dataloss DB October 27, 2009 records from this breach used in our total: 0 Baptist Hospital East Loiuisville, Kentucky MED DISC 350 Hundreds of people in Kentuckiana are worrying about identity theft after their employer accidentally released their Social Security numbers. 350 names and Social Security numbers of hospital employees appear on a list that was circulated in an e-mail. Information Source: records from this breach used in our total: 350 Dataloss DB October 27, 2009 FirstMerit Bank Streetsboro, Ohio BSF PHYS Unknown Additional locations; Westlake and Elyria, OH Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The storage bins were used to store paper waiting to be shredded. Three branches of the FirstMerit Bank in Streetsboro, Westlake and Elyria, OH each reported a bin missing beginning on October 7. One of the three bins contained personal documents of bank customers. Information Source: records from this breach used in our total: 0 Media October 26, 2009 CalOptima Orange County, California MED PORT 68,000 Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised after several CDs containing the information went missing. The unencrypted data on the CDs includes member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material minus the box of discs. Information Source: Dataloss DB October 21, 2009 records from this breach used in our total: 68,000 Bullitt County Public Schools Shepherdsville, Kentucky EDU DISC 676 A Bullitt County Public Schools employee accidentally sent an e-mail message to about 1,800 school district workers that included the names and Social Security numbers of 676 district employees. The employees were identified as not having completed the district's 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete 78 the process. Information Source: records from this breach used in our total: 676 Dataloss DB October 21, 2009 Roane State Community College Harriman, Tennessee EDU PORT 14,783 Hotline (865) 882-4688, (866) 462-7722 ext. 4688 Roane State Community College has announced that the names and Social Security numbers of 9,747 current or former students were on a data storage device stolen from an employee's vehicle, along with 1,194 current/former employees' information. The Social Security numbers alone, with no names, were also stolen for 5,036 additional current or former students. The data was on a 4GB USB drive used for work-related purposes. An employee took it home to do work after hours, and left it in the car. The employee forgot to lock the car doors. The USB drive was stolen along with a personal handheld device. Information Source: Dataloss DB October 20, 2009 records from this breach used in our total: 14,783 ChoicePoint BSO Alpharetta, Georgia http://www.ftc.gov/opa/2009/10/choicepoint.shtm DISC 13,750 [105] ChoicePoint has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year. In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement. During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information. Information Source: records from this breach used in our total: 13,750 Dataloss DB October 17, 2009 Feeney Insurance Agency Pittsburgh, Pennsylvania BSF STAT Unknown A break in resulted in the theft of an unencrypted computer. The computer contained contact information, Social Security numbers, birth dates, and driver's license numbers. Information Source: Databreaches.net October 15, 2009 records from this breach used in our total: 0 Virginia Department of Education Richmond, Virginia EDU PORT 103,000 (877) 347-5224 A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009. Information Source: Dataloss DB October 15, 2009 records from this breach used in our total: 103,000 Halifax Health Daytona Beach, Florida MED PORT 33,000 79 A laptop computer from a Halifax Health employee's vehicle in Orange County was stolen -- which might have contained password protected patient information. Information Source: Dataloss DB October 15, 2009 records from this breach used in our total: 33,000 PayChoice Moorestown, New Jersey BSF HACK Unknown Hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The plug-in was instead malicious software designed to steal the victim's user names and passwords. Information Source: Dataloss DB October 13, 2009 records from this breach used in our total: 0 Pitt County Memorial Hospital Greenville, North Carolina MED PORT 1,700 (877) 676-0376 Patient names and Social Security numbers were placed onto a portable computer storage device, used to move the information between different computer systems. Employees have since discovered that USB flashdrive is missing from where it was stored. Information Source: records from this breach used in our total: 1,700 Dataloss DB October 7, 2009 CLP Skilled Trade Solutions Palm Springs, Florida BSO PHYS Unknown Boxes full of documents that had the CLP Skilled Trade Solutions logo on them were found in a dumpster in the back of a Newport Café. Some of the information found included Social Security cards, tax papers, driver's licenses and home IDs. Many of the documents were from a company that CLP acquired a few years ago. Information Source: Dataloss DB October 6, 2009 records from this breach used in our total: 0 BlueCross BlueShield Assn. Chicago, Illinois MED PORT 187,000 A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number. Information Source: Dataloss DB October 5, 2009 records from this breach used in our total: 187,000 U.S. Army Special Forces Fort Bragg, North Carolina GOV DISC 463 A recent breach involved a U.S. Army Special Forces document containing the names, Social Security numbers, home phone numbers and home addresses of 463 soldiers. The document also contained names and ages of soldiers' spouses and children. The document was discovered in connection with a Congressional move to address the continuing risk of data 80 leaks on peer-to-peer (P2P) networks. Through its research, the firm, Tiversa, turned up the document among 240 others belonging to federal government agencies and military branches, all sitting on P2P networks. Information Source: Media October 4, 2009 records from this breach used in our total: 463 Suffolk Community College Selden, New York EDU DISC 300 Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month. Information Source: Dataloss DB October 2, 2009 records from this breach used in our total: 300 U.S. Military Veterans Washington, District Of Columbia GOV PORT 76 Million The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn't be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals' Social Security numbers as their service numbers. Information Source: Dataloss DB September 28, 2009 records from this breach used in our total: 76,000,000 Penrose Hospital Colorado Springs, Colorado MED PHYS 175 Officials at Penrose Hospital believe someone has stolen the personal information of 175 patients. The missing information consists of names, addresses, phone numbers, Social Security numbers and the reason for the patients' visits. The information was stored on a computer print-out and kept in a binder stored in a cabinet. The print out has gone missing. Information Source: Dataloss DB September 25, 2009 records from this breach used in our total: 175 University of North Carolina, Chapel Hill Chapel Hill, North Carolina EDU HACK 236,000 (Only 163,000 was added to the total.) A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. Among the information exposed: the Social Security numbers of 163,000 participants. The data is part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina. Information Source: Dataloss DB September 25, 2009 records from this breach used in our total: 163,000 Doctors' offices in Tennessee Nashville, Tennessee GOV DISC Unknown Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was 81 supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana, says hundreds of confidential medical faxes having been coming to him. Information Source: Dataloss DB September 23, 2009 records from this breach used in our total: 0 Eastern Kentucky University Richmond, Kentucky (859) 622-7777, ecert@eku.edu EDU DISC 5,045 [106] The names and Social Security numbers of about 5,000 Eastern Kentucky University faculty, staff and student workers were posted inadvertently on the Internet last September, where they have been displayed for a year. Information Source: Dataloss DB September 22, 2009 records from this breach used in our total: 5,045 Bernard Madoff Investors Dallas, Texas BSF PORT 2,246 More than 2,200 Bernard Madoff investors are learning that some of their personal and financial information has potentially been breached after the theft of a laptop in Dallas. The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp. Information Source: records from this breach used in our total: 2,246 Dataloss DB September 22, 2009 Sagebrush Medical Plaza/Kern Medical Center Bakersfield, California MED PHYS 31,000 Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that contained confidential patient information. All patient information has now been moved to a location inside the clinic building. Information Source: Dataloss DB September 21, 2009 records from this breach used in our total: 31,000 Rocky Mountain Bank Pinedale, Wyoming BSF DISC 1,325 A customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all. The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information. Information Source: Dataloss DB September 17, 2009 records from this breach used in our total: 1,325 Akron Children's Hospital Akron, Ohio MED HACK Unknown A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery 82 department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than 1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states. Information Source: Dataloss DB September 16, 2009 records from this breach used in our total: 0 Downeast Energy & Building Supply Brunswick, Maine BSO HACK 800 Downeast sent a notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account. Sometime prior to September, attackers planted keystroke logging malware on Downeast's computer systems, and stole the credentials the company uses to manage its bank accounts online. Hackers had gained access to the bank account the company uses to let customers pay for fuel with electronic transfers from their checking accounts. Then, on or around Sept. 2, the hackers used that access to initiate a series of sub-$10,000 money transfers out of the company's account to at least 20 individuals around the United States who had no prior business with Downeast Energy. The personal information to which the thieves had access included customers' names, banks and checking account numbers Information Source: Dataloss DB September 14, 2009 records from this breach used in our total: 800 University of Florida Gainesville, Florida EDU DISC 25 (866) 876-HIPA (4472) In August, the University's Privacy Office was notified of a privacy breach after the discovery of an unprotected computer file containing 34 names and 25 Social Security numbers. It's believed the personal information belongs to trainers working with the Florida Traffic and Bicycle Safety Education program in 2006. The file was immediately removed. Information Source: Dataloss DB September 14, 2009 records from this breach used in our total: 25 Jones General Store/Root of the Hill Boulder, Colorado BSR PHYS Unknown Boulder police are investigating two burglaries on University Hill that could have compromised some local shoppers' personal and credit card information. A manager for Jones General Store called police to report an overnight break-in and theft of credit card receipts. A short time later, an owner of Root of the Hill, a business in the same building, called officers to report a break-in, theft and extensive vandalism. Information Source: Dataloss DB September 7, 2009 records from this breach used in our total: 0 School for the Physical City New York, New York EDU PHYS Unknown Boxes of student records were piled in the street in front of the old home of the School for the Physical City. Some records contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public intermediate high school. The boxes were sitting next to a trash bin filled with old desks and other discarded school supplies. The School for the Physical City moved to a new location over the summer and apparently the records were thrown out with the trash during the relocation. Information Source: Dataloss DB records from this breach used in our total: 0 83 September 5, 2009 Mitsubishi Corp. New York, New York BSR HACK 52,000 A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system. Information Source: Dataloss DB September 2, 2009 records from this breach used in our total: 52,000 Bluegrass Community and Technical College Danville, Kentucky EDU UNKN 100 A file containing the personal information including Social Security numbers of nearly 100 students at the Bluegrass Community and Technical College has been stolen. Information Source: records from this breach used in our total: 100 Dataloss DB September 2, 2009 Naval Hospital Pensacola Pensacola, Florida MED PORT 38,000 Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer. The computer's database contains a registry of 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information. Information Source: Dataloss DB August 21, 2009 records from this breach used in our total: 38,000 Battleground Urgent Care/Prompt Med Greensboro, North Carolina MED PHYS 623 Medical files were found in a dumpster. It seems a third party moving company was hired to transfer the boxes from one warehouse to another. It is unknown at this time how the files ended up in the dumpster. The information in the files contained Social Security numbers, driver's license copies, medical histories, and employers. UPDATE (5/24/10): Prompt Med agreed to pay a $50,000 fine to the state of North Carolina. Information Source: records from this breach used in our total: 623 Dataloss DB August 21, 2009 University of Massachusetts Amherst, Massachusetts EDU HACK Unknown Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and a very limited amount of credit card information for graduates of University of Massachusetts. Hackers gained access to one server on the university's computer system, which held information of students who attended UMass between 1982 and 2002, as well as a few who attended before 1982. A UMass spokesman declined to say how many people's records were exposed, except that it was a large number of undergraduate and graduate students who attended the university during the 20-year period. Information Source: records from this breach used in our total: 0 Dataloss DB August 20, 2009 Cal State Los Angeles EDU PORT 600 84 August 20, 2009 Los Angeles, California EDU PORT 600 (800) 883-4029 The theft of two desktop and 12 laptop computers from an office at Cal State Los Angeles is causing identity theft concerns for more than 600 students and faculty members. Someone broke a window in the office of the university's Minority Opportunities in Research program to steal the computer. The computers stolen contained individual names, Social Security numbers and addresses, according to campus. Information Source: records from this breach used in our total: 600 Dataloss DB August 15, 2009 Northern Kentucky University Highland Heights, Kentucky EDU PORT 200 A Northern Kentucky University employee's laptop computer - which contained personal information about some current and former students -- was stolen from a restricted area. The personal information stored on the employee's computer included Social Security numbers of at least 200 current and former students. Information Source: records from this breach used in our total: 200 Dataloss DB August 14, 2009 American Express New York, New York BSF INSD Unknown Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. Information Source: records from this breach used in our total: 0 Media August 14, 2009 Calhoun Area Career Center Battle Creek, Michigan EDU DISC 455 Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available. Information Source: Dataloss DB August 13, 2009 records from this breach used in our total: 455 National Guard Bureau Arlington, Virginia GOV PORT 131,000 An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. Information Source: records from this breach used in our total: 131,000 Dataloss DB August 11, 2009 Bank of America Corp. Charlotte, North Carolina BSF CARD Unknown 85 Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. Information Source: Media August 11, 2009 records from this breach used in our total: 0 Citigroup Inc. New York, New York BSF CARD Unknown Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use. Bank officials are not certain if this is a new breach or a previously disclosed one. Information Source: records from this breach used in our total: 0 Media August 11, 2009 University of California, Berkeley School of Journalism Berkeley, California https://security.berkeley.edu/jschool-info EDU HACK 493 [107] Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. Information Source: records from this breach used in our total: 493 Dataloss DB August 4, 2009 New Hampshire Department of Corrections Laconia, New Hampshire GOV PHYS 1,000 A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed. Information Source: Dataloss DB August 3, 2009 records from this breach used in our total: 1,000 National Finance Center Washington, District Of Columbia GOV DISC 27,000 An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. Information Source: records from this breach used in our total: 27,000 Media August 1, 2009 Williams Cos. Inc. Tulsa, Oklahoma BSO PORT 4,400 A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker's vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every 86 Williams employee since Jan. 1, 2007. Information Source: records from this breach used in our total: 4,400 Dataloss DB July 31, 2009 Jackson Memorial Hospital Miami, Florida MED INSD Unknown A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims. Information Source: records from this breach used in our total: 0 Media July 29, 2009 University of Colorado, Colorado Springs Colorado Springs, Colorado EDU PORT 766 The university is notifying nearly 800 students and alumni that some of their personal information may have been on a stolen laptop. That laptop was taken from a professor's home on July 5th after the home was burglarized. The laptop contained class roster information - name, student ID number, e-mail address, graduating class year and grade information - for current and past UCCS students. No financial information was stored on the laptop, but there is a possibility that Social Security numbers may have been involved for students enrolled prior to summer, 2005. Information Source: records from this breach used in our total: 766 Dataloss DB July 24, 2009 Hampton Redevelopment and Housing Authority Hampton, Virginia NGO PHYS 900 The Social Security numbers and other personal information of nearly 900 people who were banned from public housing in Hampton were accidentally given to a resident who requested the information. A housing authority employee printed a spreadsheet and mailed it but forgot to exclude the personal information. Information Source: records from this breach used in our total: 900 Dataloss DB July 24, 2009 Network Solutions Herndon, Virginia BSO HACK 573,000 Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores. Information Source: Dataloss DB July 22, 2009 records from this breach used in our total: 573,000 A Honolulu hospital Honolulu, Hawaii MED INSD Unknown In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a computer as a class B felony. The defendant was employed by a hospital and had access to patient medical records. 87 Information Source: records from this breach used in our total: 0 Media July 20, 2009 St. Vincent Health System MED Little Rock, Arkansas INSD 1 A physician and two former employees of the St. Vincent Health System pleaded guilty today to misdemeanor federal charges for accessing the medical records of slain television anchor Anne Pressly. All three said they accessed Pressly's files out of curiosity. Information Source: Media July 17, 2009 records from this breach used in our total: 1 Francis Howell School District EDU St. Charles, Missouri PORT 1,700 A laptop computer theft could have compromised personal information. Tthe computer could have contained names and Social Security numbers for 1,700 noncertified employees. Anyone who worked for the district from 2005 through 2008 could be affected. The computer belonged to a Francis Howell employee in the district human resources department. Information Source: records from this breach used in our total: 1,700 Dataloss DB July 16, 2009 Moores Cancer Center San Diego, California MED HACK 30,000 A hacker breached the Center's computers and gained access to patients' personal information. A letter was sent to 30,000 patients informing them that their personal information may have been in the compromised databases. Types of information in breach included names, dates of birth, medical record number, diagnosis and treatment dates and some Social Security numbers. The majority of patients' information did not include Social Security numbers. Information Source: Dataloss DB July 16, 2009 records from this breach used in our total: 30,000 Elance BSO Mountain View, California HACK Unknown http://www.elance.com/p/trust/account_security.html>http://www.elance.com/p/trust/account_security.html [108] A warning from Elances customer service was emailed, saying that the site has been hacked or attacked in some way. The data accessed was contact information - specifically name, email address, telephone number, city location and Elance username. This incident did not involve any credit card, bank account, social security or tax ID numbers. Information Source: records from this breach used in our total: 0 Media July 14, 2009 Canyons School District Cottonwood Heights, Utah EDU PORT 6,000 Canyons School District officials are investigating the disappearance of a thumb drive that contained the personal information of more than 6,000 current and recent employees. The USB flash drive is believed to have contained employee addresses, phone numbers, dates of birth and Social Security numbers. A district-level worker was using it to transfer data for apparently legitimate, job-related purposes. Information Source: Dataloss DB records from this breach used in our total: 6,000 88 Dataloss DB July 14, 2009 Leander School District Leander, Texas EDU UNKN Unknown School officials sent a notice home with special needs students to alert parents that someone gained access to private information. It appears that one individual gained unauthorized electronic access to confidential information. Information Source: Media July 13, 2009 records from this breach used in our total: 0 Florida Department of Education Tallahassee, Florida GOV PHYS 475 The agency is notifying 475 student-loan borrowers that their financial records have been exposed to identity theft because the OSFA managed to lose 1,186 promissory notes that they signed when they were going to school, and have now fallen behind. The missing files bear Social Security numbers, names and addresses, birth dates, personal references and lots of other little tidbits that could come in handy for an identity thief. Information Source: records from this breach used in our total: 475 Dataloss DB July 13, 2009 LexisNexis Dayton, Ohio BSO UNKN 13,329 LexisNexis has warned more than 13,000 consumers that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists. The accused would provide names, addresses and account numbers as part of a fake check-cashing operation. But he's also accused of using computer databases to get information on potential extortion or assault targets as well as individuals suspected by the Enterprise members of being involved with law enforcement. Information Source: records from this breach used in our total: 13,329 Dataloss DB July 10, 2009 Northern California dumpsters Bay Area to Central Valley San Francisco, California BSF PHYS 1,500 A criminal complaint filed against 30-year-old suspect claims that he made more than 1,000 fake ID cards that he used to rip off people, stores and banks. He also allegedly admitted to stealing the identities of more than 500 people all across Northern California, ranging from the Bay Area to the Central Valley. Federal agents say the man said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters. Using the sensitive materials he found in the trash, He was able to use a computer to mock up fake identification cards and blank checks, according to authorities. He also allegedly confessed to stealing between one to two million dollars in cash and merchandise. Information Source: Media July 9, 2009 records from this breach used in our total: 1,500 Mountain Medical Center Salt Lake, Utah MED PHYS Unknown Names, credit card numbers, Social Security numbers were found in a dumpster. A man was throwing away some stuff in a dumpster and found it was chock full of medical records. There's everything in there from canceled checks to routing numbers, he said. Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the documents, as they dug into the matter. Information Source: records from this breach used in our total: 0 Media 89 July 8, 2009 AT&T Chicago, Illinois BSO INSD 2,100 A temporary employee for AT&T was arrested today on charges she stole personal information on 2,100 co-workers and then pocketed more than $70,000 by taking out short-term payday loans in the names of 130 of them. Information Source: records from this breach used in our total: 2,100 Dataloss DB July 1, 2009 Carrell Clinic Dallas, Texas MED HACK Unknown An Arlington security guard was arrested on federal charges for hacking into hospital's computer system. The defendant allegedly posted video of himself compromising a hospital's computer system on YouTube. The system and computers contained confidential patient information. Information Source: Media July 1, 2009 records from this breach used in our total: 0 Bike Nashbar Asheville, North Carolina custserv@nashbar.com [109] , BSR HACK Unknown 1-800-NASHBAR The company's computer servers were hacked and credit card information was compromised. Letters with more details will be mailed to affected customers. Information Source: Media June 30, 2009 records from this breach used in our total: 0 Sutter Health Sacramento, California MED PORT 6,000 Hundreds of current and former employees with Sutter Health had their personal data compromised. The company's Sacramento Sierra region were contacted by a computer repair shop. The repair people did the right thing and told us they had our laptop, said Sutter Communication Coordinator . The laptop contained names and Social Security numbers of 6,000 Sutter Health workers. Information Source: Dataloss DB records from this breach used in our total: 6,000 The University sent June 26, 2009 University of Central Missouri Police Department (UCM) Warrensburg, Missouri EDU INSD letters to 7,000 students, but the final number of victims appears to be closer to 250 After two documents containing student personal information were stolen, it was discovered that a former University police officer and his wife were responsible. They used the names, Social Security numbers, and birth dates of students enrolled in 2005 and 2006 summer sessions. The thieves fraudulently opened bank accounts, received student loans, and applied for credit and debit cards. The losses total more than $30,000. Information Source: records from this breach used in our total: 250 Databreaches.net 90 June 24, 2009 Florida Department of Revenue Tallahassee, Florida GOV PORT 2,828 The names, addresses and Social Security numbers of about 3,000 people employed by a handful of state businesses were on a password-protected flash drive stolen from the car of a Florida Department of Revenue employee in Georgia. The people were current or past employees of six large corporations that are being audited by the state. Information Source: records from this breach used in our total: 2,828 Dataloss DB June 24, 2009 Battle Creek City Battle Creek, Michigan GOV DISC 65 Some Battle Creek city employees are getting free identity protection help after the mayor posted a document with personnel information to a public Web site. Information on city workers, including Social Security numbers, was listed on a city check registry that the mayor put online and linked to using his Twitter.com account. The registry is no longer online and the city has worked with law enforcement and Twitter, to remove any archived references to the information. Information Source: records from this breach used in our total: 65 Media June 23, 2009 Cornell University Ithaca, New York EDU PORT 45,277 A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contains the names and Social Security numbers of current and former students as well as current and former faculty and staff members. Information Source: records from this breach used in our total: 45,277 Dataloss DB June 22, 2009 Baptist Medical Center Montgomery, Alabama MED PHYS Unknown Folder upon folder were found in a land fill dump site, labeled Radiology Department, Baptist Medical Center. Hundreds of medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out included names, x-rays, ultrasounds, MRIs and Social Security numbers. Baptist was quickly pointed out at fault, while files from at least 5 other facilities were found at the same site. UPDATE (8/5/08): Former Hospital Employee Convicted for Aggravated Identity Theft. A former employee of an Alabama hospital has been sentenced to two years and one day in federal prison for wire fraud and stealing the identities of patients, according to a Department of Justice press release. Adrienne Denise Stovall, 30, pled guilty in January to one count of wire fraud and one count of aggravated identity theft, which carries a mandatory sentence of two years. Stovall worked at Montgomery's Baptist Hospital from August 2006 to early 2007. Her position gave her access to the hospital's computer system, containing confidential information including patient names, dates of birth and Social Security numbers. Stovall used the information to apply for credit and credit cards. http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf [110] Information Source: Media June 22, 2009 records from this breach used in our total: 0 Broadridge Financial Solutions, Inc. Jersey City, New Jersey BSF DISC Unknown Broadridge Financial Solutions, Inc. provides proxy services for clients, including the processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of publically traded companies. The firm inadvertently disclosed Dynegy shareholder information including name, address, Social Security number and other account information to another client. The total number of shareowners affected was not reported. 91 Information Source: Media records from this breach used in our total: 0 56,000 Not added to June 18, 2009 Suncoast Schools Federal Credit Union Tampa, Florida BSF HACK the total because it's included in the huge number already attributed for Heartland. Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud. It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised. Information Source: records from this breach used in our total: 0 Media June 17, 2009 Blackbaud Inc. Charleston, South Carolina BSO PORT 84,000 A computer that was stolen from a car in Charleston, SC, last year contained personal financial information on 84,000 University of North Dakota donors. The missing laptop belonged to Daniel Island-based software giant Blackbaud Inc., which stressed that all of the information was password-protected and encrypted. Information Source: Media June 16, 2009 records from this breach used in our total: 84,000 Redondo Beach Arco Gas Station Redondo Beach, California BSR INSD 1,000 An organized-crime ring that police believe is Russian or Armenian targeted a high-volume Redondo Beach Arco gas station, assigned a low-level soldier to infiltrate it and waited eight months while he worked himself into a position where he could implant a tiny, high-tech skimmer to steal customers' credit-card information. Armed with a fresh batch of personalinformation numbers, the gang began draining thousands of Southern California bank accounts soon after Erick, the model employee who was by then entrusted with opening the station every day at 5 a.m., vanished in late April along with 1,500 packs of cigarettes, $1,000, a laptop, his employee application form - and the two digital video recorders used for surveillance. The skimmer scam left a string of more than 1,000 victims, stretching from Santa Barbara to Newport Beach. Information Source: records from this breach used in our total: 1,000 Media June 15, 2009 Beam Global Spirits & Wine Inc. Deerfield, Illinois BSR INSD Unknown Unauthorization access to a human resources payroll database by a former employee exposes names, addresses and Social Security numbers of past and present employees. Information Source: records from this breach used in our total: 0 Dataloss DB June 12, 2009 Kirkwood Community College Cedar Rapids, Iowa EDU PORT 1,600 92 Someone took a storage device from a counselor's office in Iowa City. That device contained names and Social Security numbers for participants in the PROMISE JOBS program. Information Source: records from this breach used in our total: 1,600 Dataloss DB June 12, 2009 Oregon Health & Science University Portland, Oregon EDU PORT 1,000 (Not added to total) A physician's laptop was stolen from a car parked at the doctor's Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer. There were no home addresses, billing information or Social Security numbers stored on the laptop. Information Source: records from this breach used in our total: 0 Dataloss DB June 7, 2009 T-Mobile USA Bellevue, Washington BSO HACK Unknown T-Mobile USA is investigating claims that a hacker has broken into its data bases and stolen customer and company information. Someone anonymously posted the claims on the security mailing list Full Disclosure. In that post, the hacker claims to have gotten access to everything -- their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009. They claim they have been in touch with the carrier's competitors trying to sell the data, but have been unsuccessful. They threatened to sell it to the highest bidder. T-Mobile later confirmed a hacker obtained a document. Information Source: records from this breach used in our total: 0 Media June 6, 2009 Ohio State Dining Services Columbus, Ohio EDU DISC 350 Student employees had their Social Security numbers accidentally leaked in an e-mail. The hiring coordinator for Dining Services, an OSU student, received an e-mail with an attachment that included students' names and SSNs. He accidentally sent the attachment in an e-mail reminding student employees to sign their waivers for the Ohio Employees Retirement System. After realizing the mistake, the hiring coordinator called the Office of Information Technology, which stopped the emails before all of them were sent. Information Source: records from this breach used in our total: 350 Dataloss DB June 5, 2009 Virginia Commonwealth University Richmond, Virginia EDU STAT 17,214 A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been. Information Source: records from this breach used in our total: 17,214 Dataloss DB June 4, 2009 Maine Office of Information Technology Augusta, Maine GOV PHYS 597 93 Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person. We received a print job and were running it, and there was an equipment malfunction, Thompson said. In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up. Recipients received one page with their own information and another page with information belonging to a different person. Information Source: records from this breach used in our total: 597 Dataloss DB June 3, 2009 Aviva Concord, New Hampshire BSF HACK 550 The data breach affected customers who opened accounts in the U.S. or beneficiaries of accounts opened in the U.S. The breach, caused by malware on an Aviva computer, happened between Dec. 30 and Feb. 24. A vendor helping Aviva locate policyholders and beneficiaries whose mail was undeliverable found 3 Aviva USA customers' Social Security numbers and other personal information while searching for them. The company believed 550 customers had their Social Security numbers exposed in this manner. Aviva says it has removed the compromised hardware and taken steps to prevent future malware attacks. Information Source: Dataloss DB June 1, 2009 records from this breach used in our total: 550 University of Nevada Las Vegas, Nevada EDU HACK 20 A UNLV computer was compromised and may have allowed loss of some personal data. The College of Sciences recently sent a letter to about 20 students as officials became aware of a virus affecting a computer in the College. The College found no information was leaked, but for legal reasons they still sent the letter. Information Source: records from this breach used in our total: 20 Media May 28, 2009 Aetna Hartford, Connecticut MED HACK 65,000 Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail addresses from the Web site, although it's not clear if SSNs were also obtained. The spam purported to be a response to a job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. UPDATE (6/11/09): Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees. Information Source: Dataloss DB May 27, 2009 records from this breach used in our total: 65,000 Batteries.com Carmel, Indiana BSR HACK 865 On March 13th, Batteries.com received notice from a customer about potential unauthorized activity on their credit card. They later discovered the Batteries.com network had been breached from around February 25, 2009 to April 9, 2009. The hackers stole names, addresses and credit card information. Information Source: records from this breach used in our total: 865 Dataloss DB 94 May 27, 2009 Warren County Virtual Community School Lebanon, Ohio EDU PHYS 140 Contractors installing fiber on a near by street to the school say they found a four-page list in a recycling dumpster when they went to dump some trash. The list had more than 140 students' names, addresses, Social Security numbers and birth dates listed. Their parents names were on the list too. Information Source: records from this breach used in our total: 140 Dataloss DB May 23, 2009 Indianapolis Department of Workforce Development Indianapolis, Indiana GOV DISC 4,500 The Department of Workforce Development is notifying approximately 4,500 unemployment recipients concerning the accidental disclosure of their Social Security number to the incorrect employer. The release occurred during the printing of DWD's Statement of Benefit Charges by print vendor, Pitney Bowes Management Services Inc. This form is sent to companies listing those who are collecting unemployment benefits against that employer's account. The misprinted statements contained information from individuals who did not work for that company. Approximately 1,200 companies received incorrect statements. Information Source: Dataloss DB May 21, 2009 records from this breach used in our total: 4,500 Texas Lottery Commission Austin, Texas GOV INSD 140 A former Texas lottery worker was arrested while training for a new job and charged with illegally possessing personal information on 140 lottery winners and employees, including their names and Social Security numbers. The man was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed. Information Source: records from this breach used in our total: 140 Media May 21, 2009 Internal Revenue Service Washington, District Of Columbia GOV PHYS Unknown Additional locations: several IRS document disposal facilities in the U.S.), http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf [111] The U.S Treasury Inspector General for Tax Administration found in a fiscal year 2008 audit that in more than a dozen IRS document disposal facilities, old taxpayer documents were being tossed out in regular waste containers and dumpsters. In addition, the investigation found that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks. Further, investigators had difficulty finding anyone responsible for oversight of most of the facilities that the IRS contracted with to burn or shred sensitive taxpayer documents. The review was performed at IRS offices in Phoenix, Tempe, and Tucson, Arizona New Carrollton, Maryland Holtsville, Garden City, and Westbury, New York and Ogden, Utah, and included questionnaires to 14 Territory Managers across the country during the period September 2007 through May 2008. Information Source: records from this breach used in our total: 0 Media May 19, 2009 CompuCredit Atlanta, Georgia BSF DISC 120 (0 SSNs were accessed) A computer processing error created a single image file of 120 account statements for the month of April. Statement files are delivered to the cardholder through the website in Adobe PDF format. Because of a load error, the system failed to detect page breaks between the account statements, thus resulting in the system believing that all of the pages belonged to a 95 single statement. As a result, the PDF image file contained 119 statements in addition to the cardholder's statement. (Note: Monthly account statements do not include customers' Social Security numbers or PINs.) Information Source: Dataloss DB May 19, 2009 records from this breach used in our total: 0 National Archives GOV College Park, Maryland PORT Unknown The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. The Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing. Information Source: Dataloss DB May 19, 2009 records from this breach used in our total: 0 Rudder BSF Houston, Texas DISC Unknown Rudder, a financial management company, erred in sending users' confidential financial information to the wrong individuals. Through an online financial planning application, hundreds of individuals were able obtain the full details on others' finances their salary, debts, bank balance, and where they shop. Bank account numbers were apparently not exposed. Information Source: Media May 18, 2009 records from this breach used in our total: 0 NJ Department of Labor and Workforce Development Trenton, New Jersey GOV DISC 28,000 Unemployed New Jersey residents may have had their name and Social Security number accidentally delivered to an employer for which you did not work. The error occurred when department staff last month sent first-quarter reports to businesses that included a list of former employees receiving unemployment benefits. Because some companies had laid off a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by hand rather by machine. Some reports were placed in the wrong envelopes. Information Source: records from this breach used in our total: 28,000 Dataloss DB May 18, 2009 Anderson Kia Car Dealership Boulder, Colorado BSR PHYS Unknown Police have chained up 10 recycling bins outside Boulder's now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership's former customers. Green recycling bins were piled full with folders, each headed with an individual's name. All of the folders contained Social Security numbers, driver's license information, photos, phone numbers and financial information for Kia customers. Information Source: Dataloss DB May 15, 2009 records from this breach used in our total: 0 Kaiser Permanente Bellflower Medical Center Bellflower, California MED INSD 1 The California hospital where Nadya Suleman's octuplets were born has been fined $250,000 for failing to stop employees from snooping into medical files on the famous case. Hospital officials discovered that 23 unauthorized workers examined 96 Suleman's medical records. UPDATE (7/21/09): The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second time to prevent unauthorized access to confidential patient information. Information Source: records from this breach used in our total: 1 Media May 13, 2009 United Food and Commercial Workers Union 555 Tigard, Oregon NGO PORT 19,000 A union employee's laptop was stolen on the East Coast. The laptop may have contained personal information of Local 555 members, including birth dates and Social Security numbers. Information Source: records from this breach used in our total: 19,000 Dataloss DB May 12, 2009 Johns Hopkins Hospital Baltimore, Maryland MED INSD 10,000 An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia. The employee had access to information such as name, address, telephone number, mother and fathers names, dates of birth and Social Security numbers, but not to any health or medical information. Information Source: Media May 11, 2009 records from this breach used in our total: 10,000 Office of the State Superintendent of Education D.C. Washington, District Of Columbia EDU DISC 2,400 The D.C. agency that handles college financial aid requests had accidentally e-mailed personal information from 2,400 student applicants to more than 1,000 of those applicants. An employee of the agency's Higher Education Financial Services Program inadvertently attached an Excel spreadsheet to an e-mail. The information included student names, e-mail and home addresses, phone and Social Security numbers and dates of birth. Information Source: records from this breach used in our total: 2,400 Dataloss DB May 11, 2009 Multiple financial institutions New York, New York BSF CARD Unknown A band of brazen thieves ripped off hundreds of New Yorkers by rigging ATMs to steal account and password information from bank customers. The first - a skimmer - went over the slot where customers insert their ATM cards. The skimmer read, and stored, the personal information kept in the magnetic strip on the back of the bank card. The second device was a tiny camera hidden in the lighted signs over the ATM. The pinhole camera lens pointed directly onto the ATM keypad and filmed victims typing in their supposedly secret PIN codes. The thieves would then create their own phony ATM cards and use their victims' PINs to access accounts. Information Source: Media May 7, 2009 records from this breach used in our total: 0 University of California, Berkeley Berkeley, California http://datatheft.berkeley.edu EDU HACK 160,000 [112] Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni 97 may have been stolen. The University says Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed by hackers beginning on October 9, 2008 and continued until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks. Information Source: records from this breach used in our total: 160,000 Dataloss DB May 5, 2009 East Burke Christian Ministries Hildebran, North Carolina NGO PORT 1,000 A thief broke into a charity in Burke County and stole a laptop containing more than 1,000 Social Security numbers of individuals seeking help. Information Source: records from this breach used in our total: 1,000 Dataloss DB May 5, 2009 Fulton County Board of Registration and Elections Atlanta, Georgia GOV PHYS 99,000 Boxes were found in a trash bin at Atlanta Technical College. They contained about 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers. Information Source: Dataloss DB May 5, 2009 records from this breach used in our total: 99,000 Spencer House Apartment Complex Beaverton, Oregon BSO PHYS Unknown Residents at an apartment complex blamed apartment management Monday for leaving their personal information out in the open. The documents were found in an unlocked public container that was sitting off a side street in their apartment complex. The documents included Social Security numbers, addresses, phone numbers, immigration numbers and names. Information Source: Dataloss DB May 4, 2009 records from this breach used in our total: 0 Kapiolani Community College Honolulu, Hawaii EDU HACK 15,487 More than 15,000 students at Kapiolani Community College face an identity theft risk because of an Internet security breach. School officials found a computer with the personal information of 15, 487 students who applied for financial aid between January 2004 and April 15 that was infected with malware that can steal sensitive data. The computer did not have sensitive information, but it was hooked up to a network that had access to names, addresses, phone numbers dates of birth and Social Security numbers. Information Source: records from this breach used in our total: 15,487 Dataloss DB May 4, 2009 Virginia Prescription Monitoring Program Richmond, Virginia MED HACK 531,400 The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect 98 computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not. UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program, are being notified. The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse. Information Source: Media May 1, 2009 records from this breach used in our total: 531,400 LexisNexis, Investigative Professionals Miamisburg, Ohio BSO CARD 40,000 Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 individuals whose sensitive and personally identifiable information may have been viewed by individuals who did not have legitimate access. The data breach is linked to a Nigerian scam artist who used the information to incur fraudulent charges on victims' credit cards. Of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards. The private information viewed included names, dates of birth and possibly Social Security numbers. Information Source: Dataloss DB April 29, 2009 records from this breach used in our total: 40,000 Orleans Parish Public Schools New Orleans, Louisiana EDU PHYS Unknown The confidential records of Orleans Parish public-school employees have been discovered in an abandoned and unsecured warehouse in New Orleans. Personnel files, payroll records, and other documents with private data were uncovered. Inside were countless boxes filled with confidential information, not to mention stacks of other documents lying on the ground, listing payroll information, worker evaluations, notices of personnel action, and investigations into employee discrimination. Also found were full names, home addresses, and Social Security numbers on document after document. Information Source: Media April 29, 2009 records from this breach used in our total: 0 Oklahoma Housing Finance Agency Oklahoma City, Oklahoma GOV PORT 225,000 A laptop computer containing the personal information of about 225,000 Oklahomans was stolen from a city home last week. The names, Social Security numbers, tax identification numbers, birth dates and addresses of clients of the Section 8 Housing Voucher Program were on an employee's laptop that was stolen. Information Source: records from this breach used in our total: 225,000 Dataloss DB April 29, 2009 llinois Department on Aging Springfield, Illinois GOV DISC 170 A spreadsheet with worker names and Social Security numbers was found on the Internet. The data, prepared for an outside auditing firm, was released to a so-called peer-to-peer network during a music transfer to an agency laptop. 160 employees and another 10 or so former staffers were alerted to the breach. Information Source: records from this breach used in our total: 170 Dataloss DB April 28, 2009 West Virginia State Bar NGO HACK Unknown 99 April 28, 2009 Charleston, West Virginia NGO HACK Unknown The West Virginia State Bar has hired forensic computer experts in hopes of finding those responsible for hacking into the group's website and internal computer network. Information about the State Bar's current and former members may have been compromised. The hacker was able to access the group's internal database server where there was information concerning lawyer identification numbers, names, mailing addresses, email addresses and some Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB April 27, 2009 Federal Reserve Bank of New York New York, New York BSF INSD Unknown A former employee at the Federal Reserve Bank of New York and his brother were arrested on suspicion of obtaining loans using stolen identities. The former employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer had applications for $73,000 in student loans using two stolen identities. They also found a fake drivers license with the photo of a bank employee who wasn't the person identified in the license. Information Source: records from this breach used in our total: 0 Media April 23, 2009 Oklahoma Department of Human Services Oklahoma City, Oklahoma GOV PORT 1,000,000 (866) 287-0371 Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services. Information Source: records from this breach used in our total: 1,000,000 Dataloss DB April 22, 2009 Marian Medical Center Santa Maria, California MED PORT 3,200 Recent patients of the emergency room and Urgent Care Center have been alerted that a Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. Information Source: records from this breach used in our total: 3,200 Dataloss DB April 22, 2009 New York State Tax Department New York, New York GOV INSD 2,000 A former New York state tax department worker was accused of stealing the identities of thousands of taxpayers and running up more than $200,000 in fraudulent charges. The former employee gathered credit card, brokerage account and Social Security numbers that he used to open more than 90 credit card accounts and lines of credit between 2006 and 2008. Investigators searched the employee's home, they found more than 700 state tax forms containing identifying taxpayer information. They also found more than 300 birth certificates, more than 1,000 Social Security cards, credit card statements and applications, and some 2,000 notes with Social Security numbers, many accompanied by handwritten notes such as good prospect, had money and go with this one. Information Source: records from this breach used in our total: 2,000 Media 100 April 20, 2009 FairPoint Communications Inc. Charlotte, North Carolina BSO PORT 4,400 A worker's failure to abide by security precautions caused a portable data-storage device containing employee information to disappear. The device contained information for all current FairPoint employees and some former employees, or about 4,400 individuals in total. Such data may have included names, home addresses and phone numbers, Social Security numbers, birth dates and certain compensation and employment information. Information Source: Dataloss DB April 16, 2009 records from this breach used in our total: 4,400 MySpace Los Angeles, California BSO INSD Unknown (877) 369-1369 Confidential employee information, including at least name, Social Security numbers and compensation, was taken by an employee in the company's benefit's department without authorization, beginning in June 2008 or earlier. The information was used to annoy selected individuals and the now former employee was arrested and is being prosecuted by the High Tech Crimes Division of the Los Angeles County District Attorneys Office. Information Source: Dataloss DB April 16, 2009 records from this breach used in our total: 0 Fox Entertainment Group Los Angeles, California BSO INSD Unknown An employee was caught accessing the Social Security numbers, names, compensation information and other personal information of employees. The former employee misused the information within the organization; but it is not known if they gave it to outside parties. Information Source: records from this breach used in our total: 0 Dataloss DB April 13, 2009 Irving Independent School District Irving, Texas EDU PHYS Unknown Identity thieves using the names and Social Security numbers of Irving Independent School District employees have made thousands of dollars in credit card purchases. At least 64 of the 3,400 teachers and other employees names were on an old benefits report that somehow ended up in the trash. UPDATE (2/4/10): At least one woman involved in the crime was caught in January of 2009 and sentenced on February 4, 2010. Information Source: records from this breach used in our total: 0 Media April 13, 2009 Moses Cone Hospital Greensboro, North Carolina MED PORT 14,380 Moses Cone Hospital is offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a VHA employee's car. The information on the laptop, including patients' Social Security numbers. Information Source: records from this breach used in our total: 14,380 Dataloss DB 101 April 12, 2009 CBIZ Medical Management Professionals Chattanooga, Tennessee MED STAT Unknown The office of CBIZ Medical was broken into on Feb. 23. Among the items stolen was a computer belonging to the hospital with stored radiology reports related to some patients. Patients between December 2007 and Feb. 23, 2009, may have had records saved on the stolen computer. Information Source: Dataloss DB April 11, 2009 records from this breach used in our total: 0 Peninsula Orthopaedic Associates Salisbury, Maryland MED PORT 100,000 As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits statements from their health insurance companies since they may also be at risk for medical identity theft. The records from Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility. Patients' personal information including their Social Security numbers, employers and health insurance plan numbers may have been among the information stolen. Information Source: records from this breach used in our total: 100,000 Dataloss DB April 10, 2009 Borrego Springs Bank, Vavrinek, Trine, Day and Co. Borrego Springs, California BSF PORT Unknown The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their personal financial information may be in the hands of criminals. The bank would not comment on the name of the accounting firm that was auditing the records or how or where the thefts occurred. The computer files contain sensitive personal financial information including account name, number and balance. Information Source: Dataloss DB April 9, 2009 records from this breach used in our total: 0 Penn State Erie/Behrend College Erie, Pennsylvania EDU HACK 10,868 On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer at Penn State Erie, The Behrend College, could have been breached. Longstanding security measures, designed to protect the network and systems from malicious software, alerted the University to the potential breach. As soon as the University became aware of the malicious software on this computer, the computer was immediately taken off line, data was examined and information was removed. Information Source: Dataloss DB April 8, 2009 records from this breach used in our total: 10,868 Metro Nashville School/Public Consulting Group Nashville, Tennessee EDU DISC 18,000 (615) 259-INFO (4636) Metro Nashville students' names, Social Security numbers, addresses and dates of birth and parents' demographic information were available by searching Google. A private contractor unintentionally put student data on a computer Web server that wasn't secure. The data was available online from Dec. 28 to March 31. Information Source: records from this breach used in our total: 18,000 Dataloss DB 102 April 8, 2009 Hawaii Department of Transportation Kapolei, O'ahu, Hawaii GOV PORT 1,892 Holders of Hawai'i commercial driver's licenses are being warned to take measures to prevent identity theft after a state computer containing personal information was stolen three weeks ago. The laptop computer contained the names, addresses, Social Security numbers and other personal information of 1,892 commercial vehicle license drivers. Information Source: Dataloss DB April 6, 2009 records from this breach used in our total: 1,892 City of Culpeper Culpepper, Virginia GOV DISC 7,845 Personal information for 7,845 town taxpayers was exposed on the Internet due to a vendor's mistake. The unidentified vendor had the records to reformat the town's personal property tax file for billing purposes. The files containing the names, addresses and Social Security numbers of residents were on a password-protected site that was compromised. Information Source: Dataloss DB April 3, 2009 records from this breach used in our total: 7,845 Policy Studies, Inc., Tenn. Dept. of Human Services Nashville, Tennessee GOV INSD 1,600 A former child support worker was arrested after attempting to sell the personal information - including names, Social Security numbers and bank account numbers - of 1,600 people. He sold a total of 35 names, dates of birth and Social Security numbers between October 2008 and last month, all to an undercover operative of the Tennessee Bureau of Investigation. He claimed to the operative that he had similar information that he was willing to sell for an additional 1,500 people, and was arrested while meeting with the operative to deliver the information. Information Source: Dataloss DB April 1, 2009 records from this breach used in our total: 1,600 Palo Alto Medical Foundation Palo Alto, California MED PORT 1,000 A laptop computer recently stolen at the Palo Alto Medical Foundation's Santa Cruz office contained personal and medical information of 1,000 Santa Cruz County patients. Information Source: Dataloss DB April 1, 2009 records from this breach used in our total: 1,000 State of Maryland , Maryland GOV PHYS 8,000 The names, Social Security numbers and other personal information of about 8,000 state employees could be compromised. The potential problem came to light when a torn and empty envelope from the company that manages the state's health savings account program arrived by U.S. mail. The envelope was missing an invoice that contains confidential information. Information Source: records from this breach used in our total: 8,000 Dataloss DB March 31, 2009 Symantec Cupertino, California BSO INSD 200 Symantec is warning a small number of customers that their credit card numbers may have been stolen from an Indian call 103 center used by the security vendor. Symantec sent out warning letters , after the BBC reported that it managed to purchase credit card numbers obtained from Symantec's call center from a Delhi-based man. The letters were sent to just over 200 customers. Most of those notified are in the U.S., but the company also notified a handful of customers in the U.K. and Canada. Information Source: records from this breach used in our total: 200 Dataloss DB March 27, 2009 Pacific University Forest Grove, Oregon EDU PORT Unknown Student Life (503) 352-2212, Faculty and staff (503) 352-1511, Legal Affairs (503) 352-2236 A University-owned laptop was stolen from a staff member's residence. The stolen laptop was password protected and there is no factual evidence that any private information was stored on the laptop. The computer contained names and some personal information. It does not appear that any Social Security numbers were stored on the system. Information Source: Media March 24, 2009 records from this breach used in our total: 0 Massachusetts General Hospital Boston, Massachusetts MED PHYS 66 Massachusetts General Hospital has put dozens of patients on notice that it has lost some of their confidential medical records, which were left on an MBTA Red Line train by a hospital employee. The MGH employee left the hospital, taking the records with her to do billing work on them over the weekend. The records belonged to at least 66 patients and included private information such as the patients' diagnoses, their names, birth dates and billing information. Information Source: records from this breach used in our total: 66 Dataloss DB March 23, 2009 Maryland Federal Court Baltimore, Maryland GOV DISC 226 A filing error in Maryland's federal court resulted in health insurance information for 226 people - including 42 Social Security numbers - being made available to the public for more than two weeks. The private information of Washington area residents was included in requests for warrants to search the doctors' offices in Suitland, La Plata, Oxon Hill and Falls Church as part of a health care fraud investigation. The warrants were marked as being sealed and, therefore, were not supposed to be made public. Information Source: records from this breach used in our total: 226 Media March 19, 2009 Bailey Middle School Nashville, Tennessee EDU PHYS 21 A Nashville mother who was walking along found confidential paperwork that lists Metro school students' names, Social Security numbers and disabilities. The Metro Schools spokeswoman said they will trace the documents and try to figure out how they got where they weren't supposed to be. Information Source: Media March 18, 2009 records from this breach used in our total: 21 Central Ohio Transit Authority Columbus, Ohio GOV DISC 900 More than 900 current and former COTA employees recently learned their Social Security numbers had been sent to dozens 104 of health-insurance companies. Central Ohio Transit Authority officials notified administrative employees who have or had worked for COTA since 2004 that personnel workers gave 51 companies their names and identification numbers. The information went to companies proposing to bid on providing long-term disability insurance to COTA. In 2006, COTA also sent information on union employees to 39 potential insurance providers. Information Source: Dataloss DB March 18, 2009 records from this breach used in our total: 900 University of West Georgia Carrollton, Georgia EDU PORT 1,300 University of West Georgia officials have notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor traveling in Italy. The laptop was taken last summer, but university officials say they only recently learned that the computer contained sensitive information, including names, addresses, phone numbers and Social Security numbers. Information Source: records from this breach used in our total: 1,300 Dataloss DB March 18, 2009 Walgreens Health Initiative Deerfield, Illinois MED DISC 28,000 (866) 292-9063 Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provider. The e-mail contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information. The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit through Walgreens in 2007. Information Source: Dataloss DB March 18, 2009 records from this breach used in our total: 28,000 New York City Housing Authority New York, New York GOV PHYS Unknown Dozens of confidential files with city public housing residents' birth dates, Social Security numbers, and eviction notices were dumped on an East New York street. City Housing Authority officials are investigating to determine how the files ended up scattered along Atlantic Ave. near Pennsylvania Ave. Information Source: Dataloss DB March 17, 2009 records from this breach used in our total: 0 Penn State Office of Physical Plant University Park, Pennsylvania EDU HACK 1,000 The Social Security numbers of employees working for the Penn State Office of Physical Plant in 2000 may have been stolen. A virus infiltrated an administrative computer that contained more than 1,000 Social Security numbers of OPP employees. Information Source: records from this breach used in our total: 1,000 Dataloss DB March 16, 2009 University of Toledo Toledo, Ohio EDU STAT 24,450 Only 450 were added to the total. 105 A computer stolen from the University of Toledo contained personal information for about 24,000 students and 450 faculty during the 2007-08 and 2008-09 academic years. The student data was directory and educational information, such as student identification numbers and grade point averages. The faculty information, however, was more personal and included names, Social Security numbers, birth dates, and more. Information Source: records from this breach used in our total: 450 Dataloss DB March 16, 2009 Comcast Philadelphia, Pennsylvania 4,000 Not added to total. SSNs and BSO DISC financial account numbers were not accessed. A list of over 8,000 Comcast user names and passwords were available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn't an inside job, and that there are so many duplicate entries on the list that it's closer to 4,000 customers who were exposed. Information Source: records from this breach used in our total: 0 Media 1,600 (Not added to total. It does not March 12, 2009 US Army Washington, District Of Columbia GOV HACK appear that SSNs or financial account numbers were exposed.) An Army database that contains personal information about nearly 1,600 soldiers may have been penetrated by unauthorized users. The information that may have been breached includes the service members' names, e-mail messages, phone numbers, home addresses, awards received, ranks, gender, ethnicity, and dates the soldiers deployed and returned from their deployment. Information Source: Media March 12, 2009 records from this breach used in our total: 0 Dezonia Group Chicago, Illinois BSO PORT 63,000 The city of Chicago bills people for ambulance rides -- $600 and up. It uses a third party, Dezonia Group, for billing. An employee's laptop, containing patient names, addresses and Social Security numbers, was stolen from the company. Reports differ as to whether or not the data was encrypted. Information Source: records from this breach used in our total: 63,000 Dataloss DB March 11, 2009 Binghamton University Binghamton, New York EDU STAT 100,000 Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained Social Security numbers, credit card numbers, scans of tax forms, business information (including Social Security numbers and salary information for employees of students' parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would effect, roughly, forty-two thousand people. However, because the information goes back at least ten years, if not 106 more, the potential number of people effect lies well in the hundred thousands. Information Source: records from this breach used in our total: 100,000 Media Unknown (1000's) (Not added to total. It does March 11, 2009 Sprint Overland Park, Kansas BSO INSD not appear that SSNs or financial account numbers were exposed.) (800) 300-6868 Sprint is warning several thousand customers that a former employee sold or otherwise provided their account data without permission. It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. They have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account. Information Source: records from this breach used in our total: 0 Dataloss DB March 7, 2009 Idaho National Laboratory Idaho Falls, Idaho GOV PORT 59,000 Idaho's Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The package, originally shipped from New York to Maryland, was found damaged. Information Source: records from this breach used in our total: 59,000 Dataloss DB March 7, 2009 Google Mountain View, California (Not added to total. It does not appear that BSO DISC SSNs or financial account numbers were exposed.) http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html [113] Google contacted some of its users to let them know about a situation that affected its Google Docs users. They believe the problem affected less than 0.05% of all documents. Google identified and fixed a bug where a small percentage of users shared some of their documents inadvertently. The bug occurred when the document owner, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and then changed the sharing permissions. The bug did not affect spreadsheets. Information Source: Media March 7, 2009 records from this breach used in our total: 0 Oklahoma Department of Human Services Shawnee, Oklahoma GOV PHYS Unknown The state Department of Human Services is investigating how a child welfare worker's records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house in Guthrie. 107 Information Source: records from this breach used in our total: 0 Dataloss DB March 6, 2009 Federal Emergency Management Agency Region 5 Office Griffith, Indiana GOV PORT 50 A laptop containing Social Security numbers and other personal information from dozens of victims of last September's floods was reported stolen from a housing inspector's car. Representatives from the Federal Emergency Management Agency alerted roughly 50 flood victims from Gary, Hammond, Highland, Griffith and Munster whose information was stored in the laptop after they applied for federal disaster assistance. The password-protected laptop was stolen from a housing inspector's car in Griffith on Nov. 4, containing names, Social Security numbers, dates of birth, addresses and phone numbers of people who applied for assistance. Information Source: records from this breach used in our total: 50 Dataloss DB March 5, 2009 St. Rita's Medical Center Lima, Ohio MED PHYS 242 A home-health employee for St. Rita's Medical Center had a bag stolen during an automobile break-in. The bag contained information on some patients, including names, dated of birth, addresses, phone numbers, patient identification numbers, and the names of case managers and physicians. In some cases it also included Social Security numbers and the type of treatment being provided, according to a letter given to the patients involved. Information Source: records from this breach used in our total: 242 Dataloss DB March 4, 2009 Elk Grove Unified School District Elk Grove, California EDU PHYS 520 A document with the Social Security numbers of more than 500 Elk Grove Unified School District employees was lost by a district employee. Information Source: records from this breach used in our total: 520 Dataloss DB March 4, 2009 New York Police Department New York, New York GOV INSD 80,000 A civilian employee of the department's pension fund is accused of stealing eight tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension fund's director of communications, has been charged with computer trespass, burglary and grand larceny. He is accused of removing the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the missing tapes at his home before arresting him. Information Source: records from this breach used in our total: 80,000 Dataloss DB March 3, 2009 Western Oklahoma State College Altus, Oklahoma EDU DISC 1,500 A computer breach at Western Oklahoma State College may have exposed Social Security numbers and other identifying information for 1,500 campus library users. An unauthorized program known as a rootkit was installed on a server administered by an outside party. There is no indication that any of the data on the machine was actually compromised only that the opportunity for someone to access it existed. 108 Information Source: Dataloss DB March 1, 2009 records from this breach used in our total: 1,500 City of Muskogee Muskogee, Oklahoma GOV PORT 4,500 The city of Muskogee recently discovered that a computer zip disk containing personal information has been in public circulation since 2000. The disk in some cases contained phone numbers and in other cases contained Sociel Security numbers. It's believed that a forgetful employee scooped up the disk while putting together surplus items no longer used by the city. Information Source: records from this breach used in our total: 4,500 Dataloss DB February 26, 2009 Steamboat Springs School District EDU Steamboat Springs, Colorado PORT 1,300 Social Security numbers for 1,300 past and present employees was compromised when a laptop was stolen from the Steamboat Springs School District office. The laptop had a spreadsheet containing the Social Security numbers and names of their owners. The spreadsheet was created as part of a requirement from a past district audit. The laptop was passwordprotected, but district officials are warning their employees to be on the lookout for any potential identity theft. Information Source: records from this breach used in our total: 1,300 Dataloss DB February 23, 2009 University of Florida Gainesville, Florida EDU DISC 101 (877) 657-9133 <a href=http://privacy.ufl.edu/incidents/2009/ldap>http://privacy.ufl.edu/incidents/2009/ldap</a> An undated statement on the University's Web site indicates that on January 20, an LDAP Directory Server configuration error allowed outside access to a directory containing Social Secerity numbers and other personal data. Personal data belonging to about 101 people might have been compromised as a result. Information Source: Dataloss DB February 23, 2009 records from this breach used in our total: 101 Seaview Financial Corona Del Mar, California BSF PHYS Unknown Folders with personal information for numerous clients of a local mortgage broker sat for days at a public recycling site. The files contained bank account statements, completed tax forms, credit reports and Social Security numbers. Information Source: Dataloss DB February 20, 2009 records from this breach used in our total: 0 Del Mar College Del Mar, California EDU PHYS 53 A class roster containing the names and Social Security numbers of some 53 Del Mar College students has been stolen. The roster was taken out of a professor's vehicle parked at Cole Park. The G.E.D. teacher was taking work home Sunday, when he stopped at Cole Park and his car was broken into. Information Source: Dataloss DB records from this breach used in our total: 53 109 February 20, 2009 Arkansas Department of InformationSystems, Information Vaulting Services Little Rock, Arkansas GOV PORT 807,000 (888) 682-0411 <a href=http://notify.arkansas.gov>http://notify.arkansas.gov</a> A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses. Information Source: records from this breach used in our total: 807,000 Dataloss DB February 19, 2009 University of Florida Gainesville, Florida EDU HACK 97,200 (877) 657-9133 A foreign hacker gained access to a University of Florida computer system containing the personal information of students, faculty and staff. The files included the names and Social Security numbers of individuals who used UF's Grove computer system since 1996. Information Source: records from this breach used in our total: 97,200 Dataloss DB February 19, 2009 Northeast Orthopaedics, MRecord Raleigh, North Carolina MED DISC 1,000 Records of more than 1,000 patient visits to Northeast Orthopaedics, a large Albany surgical practice, have been posted on the Internet. The records appeared on the Web site visvabpo.com, which seems to be a defunct outsourcing company in India called Visva BPO. Those records include patient names, birth dates and Social Security numbers. Information Source: records from this breach used in our total: 1,000 Dataloss DB February 18, 2009 CVS Pharmacies Woonsocket, Rhode Island MED PHYS Unknown http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html [114] The CVS Pharmacy chain, the largest in the country with 6,300 outlets, has agreed to a $2.25 million settlement with the U.S. Dept. of Health and Human Services. Indianapolis TV station WTHR engaged in an extensive investigation beginning in 2006 of local CVS Pharmacies and their pharmacies in other cities nationwide including Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, Phoenix, and CVS headquarters in Woonsocket, RI. They found that CVS pharmacies were disposing of documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. The HHS's Office of Civil Rights charged that CVS failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process failed to adequately train employees on how to dispose of such information properly and did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures. In a coordinated action, CVS Caremark Corporation, the parent company of the chain, also signed a consent order with the Federal Trade Commission to settle potential violations of the FTC Act. UPDATE (7/16/00): A state board has given final approval to settlements with Indiana's two largest drugstore chains for leaving patient information in the trash. CVS has paid a $2.25 million fine to settle a probe by the U.S. Office of Civil Rights. Also CVS will donate a $1,000 to charity as part of the state settlement. Information Source: Dataloss DB February 18, records from this breach used in our total: 0 Rio Grande Food Project NGO PORT 36,000 110 2009 NGO Albuquerque, New Mexico PORT 36,000 A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth dates and Social Security numbers. Information Source: records from this breach used in our total: 36,000 Dataloss DB February 17, 2009 Broome Community College Binghamton, New York EDU DISC 14,000 Broome Community College, sent out a mailing last week with Social Security number posted prominently on the back cover. The winter/spring 2009 alumni magazine was mailed to 28,000 people, it assumed that less than 14,000 copies had Social Security numbers on the magazine. Information Source: records from this breach used in our total: 14,000 Dataloss DB February 16, 2009 Wyndham Hotels & Resorts BSO Parsippany, New Jersey http://www.wyndhamworldwide.com/customer_care/data-claim.cfm HACK 21,000 [97] In mid-September 2008, the company discovered that a sophisticated hacker penetrated the computer systems of one of the hotels. By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of WHR customers. Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe. Information Source: Dataloss DB February 13, 2009 records from this breach used in our total: 21,000 University of Alabama Tuscaloosa, Alabama EDU HACK 37,000 Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994. Information Source: records from this breach used in our total: 37,000 Dataloss DB February 11, 2009 Los Alamos National Laboratory Los Alamos, New Mexico GOV STAT Unknown The Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were stolen last year. The computers are a cybersecurity issue because they may contain personal information like names and addresses. But Los Alamos claims they did not contain classified information. Also missing are three computers that were taken from a scientist's home and a BlackBerry belonging to another employee that was lost in a foreign country considered sensitive. Information Source: records from this breach used in our total: 0 Dataloss DB February 10, SemGroup LP BSO DISC 160 111 2009 Tulsa, Oklahoma BSO DISC 160 Online banking bandits pulled thousands of dollars from the accounts of current and former employees after personal information was inadvertently left on a bankruptcy court document made public. Information Source: records from this breach used in our total: 160 Dataloss DB February 9, 2009 Parkland Memorial Hospital Dallas, Texas MED PORT 9,300 A laptop computer that may have contained the names, birthdates and Social Security numbers of 9,300 employees of Parkland Memorial Hospital was stolen. Information Source: records from this breach used in our total: 9,300 Dataloss DB February 9, 2009 Federal Aviation Administration Washington, District Of Columbia GOV HACK 43,000 Total increased to 48,000 Hackers broke into the Federal Aviation Administration's computer system, accessing the names and Social Security numbers of employees and retirees. Information Source: records from this breach used in our total: 48,000 Dataloss DB February 9, 2009 U.S. Postal Service Santee Santee, California GOV INSD Unknown A mail carrier in San Diego County is accused of stealing dozens of gift cards, debit cards and Social Security documents sent through the mail. Deputies found 30 gift cards, stolen mail, debit cards and money when the carrier was arrested after he finished his route. Detectives also found Social Security documents and W-2 wage and tax statements at carrier's home. Information Source: Dataloss DB February 8, 2009 records from this breach used in our total: 0 Kaspersky Woburn, Massachusetts BSO HACK Unknown An unidentified hacker gained access to databases used by the usa.kaspersky.com Web site, allowing access to users' accounts, activation codes and possibly personal data about Kaspersky customers. Kaspersky Lab is a security software company. Information Source: records from this breach used in our total: 0 Media February 6, 2009 Catskill Regional Medical Center Harris, New York MED INSD 431 A woman was fired for allegedly spying. The employee had access to company files. The files included Social Security numbers, birth dates, addresses and financial information. Information Source: records from this breach used in our total: 431 Dataloss DB 112 February 6, 2009 Kaiser Permanente Oakland, California MED UNKN 29,500 (877) 281-3573 A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. Kaiser Permanente is notifying nearly 30,000 Northern California employees that the security breach may have led to the release of their personal information. The stolen information included names, addresses, dates of birth and Social Security numbers for Kaiser employees. Information Source: Dataloss DB February 6, 2009 records from this breach used in our total: 29,500 Purdue University West Lafayette, Indiana EDU DISC 962 http://news.uns.purdue.edu/Payroll0901.html [115] A mailing error has resulted in 1099 tax forms being sent to the wrong recipients. The incident affected 248 companies and 962 individuals. Those affected by the incident received letters notifying them that their tax information had either been sent to another or that they themselves had received someone else's information by mistake. Information Source: records from this breach used in our total: 962 Dataloss DB February 5, 2009 Mooresville's Dry Cleaning Station Mooresville, North Carolina BSO INSD Unknown A Mooresville dry cleaner skipped town, taking her clients' clothes and credit card numbers with her. Information Source: records from this breach used in our total: 0 Dataloss DB February 5, 2009 phpBB.com Bellevue, Washington BSO HACK 400,000 Not added to total; SSNs were not accessed. A popular bulletin board software package has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. The attacker gained access through an unpatched security bug in PHPlist, a third-party email application. Information Source: records from this breach used in our total: 0 Media February 4, 2009 Womancare Inc. Lathrup Village, Michigan MED PHYS unknown Medical records were improperly disposed of. Pro-Life Society found the records in a dumpster behind the office. Information Source: records from this breach used in our total: 0 Dataloss DB February 4, 2009 Texas Veterans Commission Waco, Texas GOV DISC 20 113 A Waco individual received a packet in the mail with the application for her daughter's tuition benefits. At the bottom of the packet, was a claims log that listed more than 20 veterans names, Social Security numbers and medical claim information. The Waco Veterans Commission and the VA's regional office were not able to explain how the veterans' personal information found its way into the envelope containing the unrelated information about the tuition benefits for the woman's daughter. Information Source: Dataloss DB February 3, 2009 records from this breach used in our total: 20 Baystate Medical Center Springfield, Massachusetts MED PORT Unknown (413 )794-4722 Several laptops were stolen from Baystate Medical Center's Pediatrics department. Some of those computers had patient information on them. All of the information is password protected and the computers had no financial or Social Security information on them. Information Source: records from this breach used in our total: 0 Dataloss DB February 3, 2009 SRA International Fairfax, Virginia BSO HACK Unknown Malicious software may have allowed hackers to get access to data maintained by SRA, including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information. Information Source: records from this breach used in our total: 0 Dataloss DB February 3, 2009 Georgia State Board of Pardons and Paroles Atlanta, Georgia GOV STAT Unknown The offices of a state contractor in Roswell were burglarized and a computer was stolen. Information regarding current and past parolees that was lost in a burglary includes names, dates of birth and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB February 2, 2009 Southern Satellite Orange City, Florida BSO PHYS Unknown Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster. Information Source: Dataloss DB February 2, 2009 records from this breach used in our total: 0 St. Anthony Central Hospital Denver, Colorado MED INSD 150 Boxes, filing cabinets and trash bags full of hundreds of U.S. passports, birth certificates, driver's licenses, Social Security cards and other documents - most stolen within the past two years were found in a storage unit. A hospital employee admitted to stealing the records. Also found were hospital records containing dates of birth, Social Security numbers and copies of the driver's licenses of 150 patients who had been admitted into the emergency room or general surgery. 114 Information Source: records from this breach used in our total: 150 Dataloss DB January 31, 2009 Columbia University New York, New York EDU PORT 1,400 About 1,400 current, former and prospective students at Columbia University have been told that their personal information, including Social Security numbers, is vulnerable following a security breach. The university said information about the students, as well as some current and past employees, was on three password-protected notebook computers that were stolen from a Columbia College. Information Source: records from this breach used in our total: 1,400 Dataloss DB January 31, 2009 HoneyBaked Ham Indianapolis, Indiana BSR PHYS Unknown A computer server stocked with credit-card information was stolen from a store. Customers might be at risk. Information Source: Dataloss DB January 31, 2009 records from this breach used in our total: 0 Ball State University Muncie, Indiana EDU DISC 19 A employee sent out an e-mail, to verify contact information, to 91 special events staff with an excel spreadsheet attachment that, unbeknownst to the employee, included the Social Security number of 19 of the workers. Information Source: Dataloss DB January 30, 2009 records from this breach used in our total: 19 Kansas State University Manhattan, Kansas EDU DISC 45 (785) 532 4441 Students who were enrolled in an agricultural economics class in spring 2001 inadvertently had some personal information exposed on the Internet through a K-State departmental Web site. Names, Social Security numbers and grades of those students have been exposed since 2001. Information Source: records from this breach used in our total: 45 Dataloss DB January 30, 2009 Coos Bay Department of Human Services Coquille, Oregon GOV HACK 45 A scammer made off with Social Security numbers after sending a virus online to a computer at the Department of Human Services office. An application that was installed recorded keystrokes and sent them to an external address. The information was taken from Coos County residents. Information Source: records from this breach used in our total: 45 Media January 30, 2009 Indiana Department of Administration Indianapolis, Indiana GOV DISC 8,775 115 Social Security numbers of current and former state employees were accidentally posted on a state Web site for about two hours. The Social Security numbers were erroneously included in a contract solicitation file posted on the department's procurement Web site. Information Source: Dataloss DB January 28, 2009 records from this breach used in our total: 8,775 CityStage Springfield, Massachusetts NGO DISC 60 A computer system might have exposed credit card information of customers on the Internet. The probably occurred in December while the theater's Web contractor was changing servers. Credit card numbers might have been compromised. Information Source: Dataloss DB January 27, 2009 records from this breach used in our total: 60 U.S. Consulate , GOV PHYS Unknown Hundreds of files - with Social Security numbers, bank account numbers and other sensitive U.S. government information were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction. Information Source: records from this breach used in our total: 0 Media January 27, 2009 Beaumont City Beaumont, Texas GOV DISC 500 Personal information of current and former Beaumont city workers was accidentally posted online. The information, including birth dates and Social Security numbers. Information Source: records from this breach used in our total: 500 Dataloss DB January 27, 2009 Citi Habitats New York, New York BSO PHYS Unknown During a refurbishing of their office, paper that should have been shredded was improperly placed as trash. Information found blowing in the street included bank statements, 401k statements, credit reports, tax returns, driver's licenses, names, phone numbers and Social Security numbers. Information Source: Dataloss DB January 26, 2009 records from this breach used in our total: 0 Madison, WI. Human Resources Department Madison, Wisconsin GOV PORT 500 An oversight by the city of Madison's personnel office is the reason Social Security numbers of city employees were stored on a laptop computer stolen from a city office. Any official or employee - except those in the police, fire and transit departments - who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk. Data on the laptop included photos, names and Social Security numbers. Information Source: records from this breach used in our total: 500 Dataloss DB 116 January 26, 2009 U.S. Military GOV Washington, District Of Columbia UNKN 60 A New Zealand man accesses US military secrets on an MP3 player he bought from an Oklahoma thrift shop for $18. When the 29-year-old hooked up the player he discovered a playlist he could never have imagined - 60 files in total, including the names and personal details of American soldiers. Information Source: Media January 23, 2009 records from this breach used in our total: 60 Monster.com BSO Maynard, Massachusetts http://help.monster.com/besafe/ [116] , http://help.monster.com/besafe/jobseeker/index.asp HACK Unknown [117] Their database was illegally accessed and user IDs, passwords, names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence were stolen. Information Source: Media records from this breach used in our total: 0 First Interstate Mortgage Corporation (FIM), Nevada One Corporation (Nevada January 21, 2009 One) BSF PHYS Unknown , Nevada http://www.ftc.gov/opa/2009/01/navone.sht [118] These mortgage brokers have discarding consumers' tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster in December of 2006. Approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards, drivers' licenses, and at least 230 credit reports. The defendant, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them. UPDATE (1/20/10): The mortgage broker paid a $35,000 civil penalty to settle FTC charges. The mortgage broker will also have to hire an independent security professional to review the security process every year for 10 years. Information Source: records from this breach used in our total: 0 NAID January 21, 2009 Missouri State University Springfield, Missouri EDU DISC 565 Not included in total -- not known how many students have SSNs. Personal information, including Social Security numbers for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message soliciting their help with language tutoring. The email message they got had a spreadsheet attachment that contained names and Social Security numbers for international students. Information Source: records from this breach used in our total: 0 Dataloss DB January 20, 2009 Kanawha-Charleston Health Department Charleston, West Virginia GOV INSD 11,000 People who received flu shots from the agency since October are being warned that their personal information may have been stolen by a former department temporary worker. Information included their names, Social Security numbers, addresses and other personal information. 117 Information Source: Dataloss DB January 20, 2009 records from this breach used in our total: 11,000 Heartland Payment Systems Princeton, New Jersey http://www.justice.gov/opa/pr/2009/August/09-crm-810.html [119] , http://www.2008breach.com BSF HACK More than 130 million [120] After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, the company last week found evidence of malicious software that compromised card data that crossed Heartland's network. This incident may be the result of a global cyberfraud operation. UPDATE (1/26/09): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to be the largest in U.S. history. UPDATE(2/12/09): According to BankInfoSecurity.com, the number of financial institutions [121] that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200. UPDATE (6/4/09): While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656. UPDATE (6/16/09): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton,N.J.-based Heartland. UPDATE (7/6/09): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security. UPDATE (8/20/09): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey - along with two unnamed Russian conspirators - on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack. Total records breached: 100 million transactions per month. It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision. UPDATE (8/20/09): According to the court document [122] , hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined. UPDATE (5/12/10): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits against it for $4 million. So far, Heartland has recovered about $30 million from insurance companies. UPDATE (6/2/10): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer. Information Source: records from this breach used in our total: 130,000,000 Dataloss DB January 16, 2009 Southwestern Oregon Community College Coos Bay, Oregon EDU PORT 200 A laptop computer was stolen from the campus putting former and current students at risk. 118 Information Source: Dataloss DB January 14, 2009 records from this breach used in our total: 200 Occidental Petroleum Corporation Dallas, Texas BSO INSD Unknown (800) 733-0085 A former employee emailed himself (to personal email account) a spreadsheet of employee names, addresses, empolyee identification numbers, birth dates, starting dates, retirement dates and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB January 13, 2009 University of Oregon Eugene, Oregon EDU PORT Unknown (541) 346-2510 A laptop computer containing data files for Youth Transition Program (YTP) participants was stolen. Those files contained names and social security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB January 13, 2009 Innodata Isogen, Inc. Hackensack, New Jersey BSO PORT Unknown Laptop stolen from an employee's car contained names, addresses, Social Security numbers of current and former employees. Information Source: records from this breach used in our total: 0 Dataloss DB January 13, 2009 Seventh-Day Adventist Church Silver Spring, Maryland NGO PORT 292 A Laptop stolen and recovered contained names and Social Security numbers. Information Source: Dataloss DB January 13, 2009 records from this breach used in our total: 292 Continental Airlines Neward, New Jersey BSO PORT 230 A laptop containing fingerprints, Social Security numbers, names, addresses, was stolen from a locked Newark office. Information Source: records from this breach used in our total: 230 Dataloss DB January 13, 2009 Blue Ridge Community Action Morganton, North Carolina NGO PORT 300 Social Security numbers were on an external computer hard drive that is missing or stolen. The hard drive contained information on clients from four counties who have used the organization's services in the past four or five years. The 119 external hard drive was used to back up information on clients. Information Source: records from this breach used in our total: 300 Dataloss DB January 12, 2009 Columbus City Schools EDU Columbus, Ohio PHYS 100 Columbus City Schools experienced a security breach, resulting in employees' Social Security numbers being at risk. CPD officers went to serve drug and auto-theft felony warrants. During the arrest officers learned there might be stolen personal information in the house and found personal information on district employees. It is believed the suspects either stole or intercepted part of a mailing from the payroll division that was en route to annuity companies. Information Source: records from this breach used in our total: 100 Dataloss DB January 11, 2009 University of Rochester EDU Rochester, New York HACK 450 Personal information including Social Security numbers of about 450 current and former University of Rochester students was stolen by hackers this week from a UR database. The information was taken from a non-academic student database and copied illegally to an off-campus IP address. Information Source: records from this breach used in our total: 450 Dataloss DB January 7, 2009 Genica, Geeks.com BSO Oceanside, California (888) 529-6261 http://www1.ftc.gov/opa/2009/02/compgeeks.shtm HACK Unknown [123] Genica dba Geeks.com (Genica) recently discovered that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers. They are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this information by hacking the eCommerce website. Information Source: Dataloss DB January 6, 2009 records from this breach used in our total: 0 CheckFree Corp. Atlanta, Georgia BSF HACK 5,000,000 CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company lost control of its Web domains, it doesn't know exactly who was hit. It has warned a much larger number of customers. This breach was reported back in Dec. 3, 2008. Information Source: Dataloss DB January 5, 2009 records from this breach used in our total: 5,000,000 Library of Congress Washington, Delaware GOV INSD 10 An employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud in which he stole information on at least 10 employees from library databases. He passed the information to a relative, 120 who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the accounts. Information Source: records from this breach used in our total: 10 Dataloss DB January 2, 2009 Merrill Lynch BSF New York, New York STAT Unknown A third-party consulting services firm working on behalf of Merrill Lynch reported, one of their employees was burglarized. The burglars took various items, including a computer, which had on it the names and Social Security numbers of current and former Financial Advisors and some applicants for employment. Information Source: Dataloss DB January 2, 2009 records from this breach used in our total: 0 Pepsi Bottling Group BSR Somers, New York PORT Unknown For More Info Contact: David Yawman <a href=mailto:David.Yawman@pepsi.com>David.Yawman@pepsi.com</a> (914) 767-7620 or (866) 578-5410 A portable data storage device, which contained personal information, including the names and Social Security numbers of employees in the US is missing or stolen. Information Source: records from this breach used in our total: 0 Dataloss DB December 31, 2008 New Hampshire's Lakes Region General Hospital Laconia, New Hampshire MED PHYS 1,500 A package containing personnel medical information on patients is missing. UPS recently shipped the parcel from a Woburn, Mass. central processing agent to the hospital, but the package never arrived. Information contained in the package includes patient names, possible Social Security numbers, dates of service and diagnosis code numbers for different diagnosis or medical procedures. Information Source: records from this breach used in our total: 1,500 Dataloss DB December 31, 2008 Ohio State University Columbus, Ohio http://www.studentlife.osu.edu/dataexposure EDU DISC 18,000 [124] Ohio State University has notified 18,000 current and former students that their personel information was mistakenly stored on a computer server exposed to the Internet. The data included student names, Social Security numbers, addresses and coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06. Information Source: records from this breach used in our total: 18,000 Dataloss DB December 29, 2008 RBS WorldPay Atlanta, Georgia BSF HACK 1.1 million http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf [125] , http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html [126] 121 RBS WorldPay belatedly admitted that hackers broke into their systems. In the US up to 1.1 million Social Security numbers were exposed as a result of the breach. Pre-paid cards including payroll cards and open-loop gift cards were affected. RBS stated that PINs for all PIN-enabled cards have been reset. UPDATE (2/3/09): Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from ATMs in 49 cities worldwide. Alleged hackers are still at large and could orchestrate another attack. UPDATE (2/10/09): "Certain personal information" of 1.5 million card holders and Social Security numbers of 1.1 million people were compromised. A class action law suit has been filed against RBS WorldPay. UPDATE (5/28/09): RBS WorldPay says it has returned to Visa's and MasterCard's lists of validated service providers. It was recently certified as compliant with Payment Card Industry Data Security Standard (PCI DSS) version 1.2. UPDATE (4/05/10): Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay. Information Source: records from this breach used in our total: 1,100,000 Dataloss DB December 25, 2008 Pulte Homes Las Vegas Division Las Vegas, Nevada BSO PHYS 16,000 A box containing computer backup tapes was stolen. Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas. Information Source: records from this breach used in our total: 16,000 Dataloss DB December 24, 2008 Federal Emergency Management Agency New Orleans, Louisiana GOV DISC 16,857 An unauthorized breach of private information resulted in the information release of 16,857 names, Social Security numbers, phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of privately run Web sites, but for how long was unclear. Information Source: records from this breach used in our total: 16,857 Dataloss DB December 23, 2008 Cedars-Sinai Medical Center Los Angeles, California MED INSD 1,000 A former billing department employee is in custody on $895,000 bail for allegedly stealing the personal information of 1,000 hospital patients and using it to bilk insurance companies. Information Source: records from this breach used in our total: 1,000 Dataloss DB December 23, 2008 Ohio University-Chillicothe Chillicothe, Ohio EDU PORT 38 An external computer hard drive was discovered missing or stolen. Current and former wellness center members' Social Security numbers were on the hard drive. Information Source: records from this breach used in our total: 38 Dataloss DB December 22, 2008 University of North Carolina School of the Arts Winston-Salem, North Carolina EDU DISC 2,700 122 Names and Social Security numbers may have been accidentally exposed in a security breach involving a university computer server. The security breach occurred in May of 2006 and affected students who were enrolled between 2003 and 2006. Information Source: records from this breach used in our total: 2,700 Dataloss DB December 21, 2008 Connecticut Department of Motor Vehicles Wethersfield, Connecticut GOV PHYS 155 The Connecticut Department of Motor Vehicles is notifying customers that their personal information may have been on a computer stolen from a mobile service center vehicle while it was being repaired. Personal data on the computer included names, addresses, date of birth, license numbers, photo and signature. Information Source: Media December 19, 2008 records from this breach used in our total: 155 Austin Peay State University Clarksville, Tennessee EDU PHYS 750 Two computers containing personal information were stolen. The computers contained names and Social Security numbers of students. Information Source: Dataloss DB December 18, 2008 records from this breach used in our total: 750 Bill Dube Ford/Toyota Dover, New Hampshire BSR PORT 10,000 Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data backup tape was stolen. The data include names, addresses, Social Security numbers and driver's license information. Information Source: records from this breach used in our total: 10,000 Dataloss DB December 17, 2008 New Hampshire Deptartment of Health and Human Services Concord, New Hampshire GOV DISC 9,300 Health and Human Services mistakenly released the Social Security numbers and other personal information of Medicare Part D recipients. The information was mistakenly attached to a e-mail to health care organizations including nursing homes. Information Source: records from this breach used in our total: 9,300 Dataloss DB December 15, 2008 University of North Carolina Greensboro, North Carolina EDU HACK Unknown A breach of the accounting computer systems at UNC-Greensboro may have exposed personal employee information to intruders. The breach was detected on a computer in the Accounting Services office, in the form of a virus that may have allowed unauthorized access. Information Source: Dataloss DB records from this breach used in our total: 0 123 December 15, 2008 Louisiana Department of Revenue Baton Rouge, Louisiana GOV DISC 299 The Louisiana Department of Revenue accidentally divulged the personal information of taxpayers to other people with tax debts. The department says letters mailed to taxpayers who owe money also listed the name, address, Social Security number and debt for a different taxpayer on the other side of the paper. Information Source: records from this breach used in our total: 299 Dataloss DB December 14, 2008 Zyacorp Entertainment Cinemagic Stadium Merrimack, New Hampshire BSR HACK Unknown Hackers broke into a Merrimack movie theater's servers and stole customers' credit card information. Information Source: records from this breach used in our total: 0 Dataloss DB December 12, 2008 DJO, Empi Recovery Services St. Paul, Minnesota MED PORT 68,857 A laptop was stolen from an employee's car in Minneapolis. The laptop contained the names, addresses, account balances, insurance company, and Social Security numbers of patients. Information Source: records from this breach used in our total: 68,857 PHIPrivacy.net December 12, 2008 Oregon Health & Science University Portland, Oregon EDU PORT 890 A laptop stolen in Chicago this week contained health records. It was stolen from a hotel while an OHSU employee was there on business. The data could include medical record numbers, names, telephone numbers, dates of birth, gender, Social Security numbers, addresses.medical diagnosis category and category of treatment - but not the specific treatments. Information Source: Dataloss DB December 11, 2008 records from this breach used in our total: 890 Hewlett-Packard, Symantec Houston, Texas BSR PORT Unknown(1000's) Several thousand employee records were contained on a laptop that was stolen from an HP employee based in the Houston area. At first HP thought that there was no sensitive information on the laptop, but after looking into back-up files, the company realized that it contained names and Social Security numbers of current and former employees. Information Source: records from this breach used in our total: 1,000 Dataloss DB December 5, 2008 Cal Poly Pomona Pomona, California EDU DISC 675 A student informed the university that he accessed an Excel file containing his personal information and others while on the Internet. The information includes names, addresses, phone numbers and Social Security numbers. Information Source: Dataloss DB records from this breach used in our total: 675 124 December 3, 2008 Central California Appellate Program Sacramento, California NGO PORT Unknown A backup computer disk was in a safe taken by thieves who broke into a storage facility. Besides Social Security numbers, the disk contained tax identification numbers, addresses, telephone numbers and e-mail addresses. Information Source: Dataloss DB December 2, 2008 records from this breach used in our total: 0 US Army GOV Washington, District Of Columbia PORT 6,000 A possible security breach regarding the personal information stored on a lost laptop computer affecting more than 6,000 beneficiaries. Names, Social Security numbers and health information of at least 26 individuals were stored on the laptop. However, information on approximately 6,000 other patients also may have been on the missing computer. Information Source: records from this breach used in our total: 6,000 Dataloss DB December 2, 2008 Florida Agency for Workforce Innovation Tallahassee, Florida GOV DISC 259,193 Employment information and more than a quarter million Social Security numbers were posted online. The breach occurred when several thousand Excel and text files containing millions of employment records were posted in the course of developing a new website. Information Source: records from this breach used in our total: 259,193 Dataloss DB November 26, 2008 Luxottica Group, Things Remembered Mason, Ohio BSR HACK 59,419 A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of former workers. The victims lost names, addresses and Social Security numbers to the hacker. Information Source: Dataloss DB November 25, 2008 records from this breach used in our total: 59,419 Weber State University Ogden, Utah GOV PHYS 70 In a break in, thieves made off with approximately $1,600 in cash, three computers and a postal scale. Hard-copy records of post office box rental information was also taken from the center. Some of the stolen rental cards contained names, addresses and Social Security numbers for members of the campus community who rented post office boxes in the union building during the past eight years. Information Source: records from this breach used in our total: 70 Dataloss DB November 24, 2008 Starbucks Corp. Seattle, Washington BSR PORT 97,000 A laptop containing private information on employees was stolen. The information included names, addresses and Social Security numbers. 125 Information Source: records from this breach used in our total: 97,000 Dataloss DB November 22, 2008 Maryland Department of the Environment Baltimore, Maryland GOV PORT 1,367 Two laptop computers containing the names and Social Security numbers of people formerly employed by the Maryland Department of the Environment were stolen. Information Source: records from this breach used in our total: 1,367 Dataloss DB November 21, 2008 Jackson-Madison County School System Jackson, Tennessee EDU PORT 200 A computer disk containing Social Security numbers and test scores was stolen from a principal's car. Information Source: Dataloss DB November 21, 2008 records from this breach used in our total: 200 B.J. Accessories and Tax Preparation New Bern, North Carolina BSO STAT 70 A computer was stolen containing identity information on about 70 people. Information on the computer may have had Social Security Numbers on it. Information Source: records from this breach used in our total: 70 Dataloss DB November 20, 2008 Law office of former Texas attorney Rio Grande Valley, Texas BSO STAT 627 An individual purchased a used computer and memory stick from a pawn shop. He discovered sensitive information on the computer and traced it to the law office of a Texas attorney who no longer practices law. The attorney, Aaron Pena, Jr., is now a Texas State Representative. His spokesperson told news sources that the computer's hard drive had been wiped before the machine was donated to charity. The news team visited other pawn shops and found several other used computers which also contained sensitive personal information. Information Source: records from this breach used in our total: 627 Media November 12, 2008 University of Florida College of Dentistry Gainesville, Florida EDU HACK 330,000 Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information. College information technology staff members were upgrading the server and found software had been installed on it remotely. Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990. Information Source: records from this breach used in our total: 330,000 Dataloss DB 126 November 12, 2008 Pinellas County and Florida state agency offices GOV Pinellas County, Florida PHYS Unknown Documents with Social Security numbers, medical information and other legally protected data were found in trash containers at government buildings. Also found were hundreds of improperly discarded records were found that included medical data, privileged communications between attorneys and clients, juvenile defendant records and child abuse materials. Information Source: records from this breach used in our total: 0 Media November 11, 2008 Sinclair Community College EDU Dayton, Ohio DISC 1,000 The names and Social Security numbers of almost 1,000 employees were inadvertently left open to public view on the Internet for about a year. A spreadsheet with information on people who worked at the school in 2000 and 2001 was placed in a computer folder by an employee. The employee didn't realize the folder could be viewed on the Internet. Information Source: records from this breach used in our total: 1,000 Dataloss DB November 9, 2008 Texas A&M University Corpus Christi, Texas EDU DISC 1,430 Through an Internet search on the university's Web site, a student viewed a document that listed admissions applicants from 2005. The page listed names and Social Security numbers. Information Source: records from this breach used in our total: 1,430 Dataloss DB November 9, 2008 City of Charlottesville Charlottesville, North Carolina GOV PORT 25,000 Two laptops containing voter registration information were stolen from a building at Tonsler Park in Charlottesville sometime after the polls closed. The information on the computers included names, addresses, date of birth and DMV customer number. Information Source: Media November 7, 2008 records from this breach used in our total: 25,000 Christus Health Care Houston, Texas MED PORT Unknown (800) 877-9056 Two computer back-up tapes were stolen. Someone broke into a car in a Houston parking lot and took the tapes. The information on the tapes included patient names, Social Security numbers, demographic information, and in some cases, diagnosis codes. Information Source: records from this breach used in our total: 0 Dataloss DB November 7, 2008 Arizona's Department of Economic Security Phoenix, Arizona GOV PORT 40,000 (DES) is notifying the families of about 40,000 children that their personal data may have been compromised following the 127 theft of several hard drives from a commercial storage facility. The information stored on the stolen disks included the names, addresses and phone numbers of families whose children were referred to the DES for early intervention services over the past several years. In the cases of families that had applied for and received services from the agency, their records also included Social Security numbers. Information Source: records from this breach used in our total: 40,000 Dataloss DB November 6, 2008 Express Scripts St. Louis, Missouri BSO UNKN 700000 Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter, included personal information on 75 people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people. UPDATE 10/1/09: Express Scripts notified about 700,000 consumers that their records may have been breached. Information Source: Dataloss DB November 6, 2008 records from this breach used in our total: 700,000 Harvard Law School Cambridge, Massachusetts EDU PORT 21,000 A computer tape containing Social Security numbers, addresses, and financial information was either lost or stolen. About 8,000 records of present and former clients contained Social Security numbers another 13,000 had other identification information that was contained on the tape. Information Source: records from this breach used in our total: 21,000 Dataloss DB November 5, 2008 North Carolina Dept. of Health and Human Services Raleigh, North Carolina GOV PORT Unknown A laptop computer belonging to a Division of Aging and Adult Services employee was stolen. The computer contained information about people receiving home and community services. Information Source: records from this breach used in our total: 0 Media November 3, 2008 Genesee Intermediate School District Mundy Township, Michigan EDU PORT 6,000 Not included in total. A laptop stolen had been used for background checks on school workers and included their fingerprints and some personal information such as their names, addresses, birthdates and race. The laptop did not have Social Security numbers and the data was stored in files that require a password to be opened. Information Source: Media November 1, 2008 records from this breach used in our total: 0 Seattle School District Seattle, Washington EDU DISC 5,000 Personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers. The 5,000 employees are more than half the district's work force. Included were about 700 members of International Union of Operating Engineers Local 609, which represents custodial, nutritional services, security- and alarmmonitoring workers. 128 Information Source: records from this breach used in our total: 5,000 Dataloss DB November 1, 2008 Veterans Affairs Medical Center Portland, Oregon MED DISC 1,600 Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site. Information Source: records from this breach used in our total: 1,600 Dataloss DB November 1, 2008 Baylor Health Care System Inc. Dallas, Texas MED PORT 100,000 (7,400 were SSN) (800) 554-5281 A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car. Included were 7,400 patients whose Social Security numbers were stored on the computer. Information Source: Dataloss DB October 31, 2008 records from this breach used in our total: 100,000 U.S. State Department Washington, District Of Columbia GOV INSD 383 Passport applicants in the D.C. area were notified of a breach in a database that allowed a ring of thieves to obtain confidential information so they could fraudulently use credit cards stolen from the mail. The compromised included information Social Security numbers, physical descriptions, names and places of birth of the applicants' parents. Information Source: records from this breach used in our total: 383 Dataloss DB October 27, 2008 Shell Oil Co. Houston, Texas BSR INSD Unknown An IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam. Employees of a third-party contractor misused information stored in a corporate database. The database includes records for a majority of current and former Shell employees. Misused data included names, dates of birth and Social Security numbers. Information Source: Dataloss DB October 24, 2008 records from this breach used in our total: 0 Shenendehowa Transportation Employees Shenendehowa, New York EDU HACK 250 A Shenendehowa sophomore was arrested after he allegedly accessed the personal data of some 250 transportation employees due to a school district error in configuring information on a new computer server. The student was able to use his student password to access an employee domain and 250 names of past and present Shenendehowa transportation employees, their Social Security numbers, driver's license numbers and more. Information Source: records from this breach used in our total: 250 Dataloss DB 129 October 23, 2008 Medical Mutual of Ohio Columbus, Ohio MED PORT 36,000 Eleven computer disks containing personal information on Ohio retirees and employees are missing, disks are most likely somewhere in the postal system. It seems insufficient postage was placed on the envelopes [containing the disks], therefore they are believed that they are likely to still be safe within the postal system. Information Source: Dataloss DB October 22, 2008 records from this breach used in our total: 36,000 KRM Management Fresno, California BSO PORT 5,700 Offices of KRM Management were broken into and stole two dozen computers, on one of those hard drives were Social Security numbers, birthdates and addresses. One missing laptop computer is causing the most concern. It contained sensitive and confidential information on close to 5700 city employees who filed worker's comp claims dating back to 1973. Hundreds are or were police officers. Information Source: records from this breach used in our total: 5,700 Dataloss DB October 19, 2008 Mary Washington Hospital Fredericksburg, Virginia MED DISC 803 A security breach in an online computer system exposed the private medical information of some of its maternity patients. Social Security numbers, phone numbers, address, insurance carrier, birth dates and doctor's names were exposed. Information Source: records from this breach used in our total: 803 Dataloss DB October 18, 2008 City of Goodyear Goodyear, Arizona GOV PHYS 570 A list of their Social Security numbers was stolen from the car of a staffer who had taken the data home. Burglars took the list while the employee's car was parked at her home. Information Source: records from this breach used in our total: 570 Dataloss DB October 17, 2008 The Planet Houston, Texas BSO UNKN 25,000 A security breach that may have affected the customer portal account and server passwords, was discovered. The Planet identified the methods by which the systems were compromised and have closed those holes. Only two user accounts were definitely affected, and no credit card information is believed to have been compromised. Information Source: records from this breach used in our total: 25,000 Media October 15, 2008 City of Indianapolis Indianapolis, Indiana GOV DISC 3,300 A spreadsheet containing the names, Social Security numbers and dates of birth for people charged with minor offenses in 2006 and 2007 was accidentally posted on the city of Indianapolis' new Web site. 130 Information Source: records from this breach used in our total: 3,300 Dataloss DB October 13, 2008 Southwest Mississippi Community College Summitt, Mississippi EDU DISC 1,000 Former Southwest Mississippi Community College students had some of their personal information made available temporarily on the Internet. The breach involved names, addresses, and in some cases, Social Security numbers. Information Source: records from this breach used in our total: 1,000 Dataloss DB October 7, 2008 University of North Dakota Alumni Association Grand Forks, North Dakota EDU PORT 84,554 A laptop computer containing sensitive personal and financial information on alumni, donors and others was stolen from a vehicle belonging to a software vendor retained by the UND. The information, included individuals' credit card and Social Security numbers, Information Source: records from this breach used in our total: 84,554 Dataloss DB October 7, 2008 West Virginia Dept. of Administration Charleston, West Virginia GOV PORT 535 A laptop was taken from an auditor's vehicle. It contains payroll and benefits information for 425 employees of the state Insurance Commission and 110 employees of the Department of Health and Human Resources' Bureau of Medical Services and Child Support Enforcement Division. The information includes full names or first names and Social Security numbers. Information Source: Dataloss DB October 1, 2008 records from this breach used in our total: 535 Foothills Parks and Recreation District Littleton, Colorado GOV HACK Unknown The district noticed unusual activity last week which they believe was caused by a virus introduced to cover up the actions of an intruder. Some customer information, including credit card information, may have been compromised. Information Source: Dataloss DB September 30, 2008 records from this breach used in our total: 0 Dormitory Authority's New York City, New York GOV PORT 3,600 On the trip from the Albany headquarters of this New York based construction organization, to their data center in New York City 5 tapes had fallen out of their yellow mailing envelope. The tapes contained personal private or sensitive information of over 600 employees and approximately 3,000 vendors. Social Security numbers and tax ID numbers were compromised. Information Source: records from this breach used in our total: 3,600 Media September 30, 2008 University of Indianapolis Indianapolis, Indiana EDU HACK 11,000 131 A hacker attacked the University of Indianapolis' computer system and gained access to personal information and Social Security numbers for 11,000 students, faculty and staff, Information Source: Dataloss DB September 30, 2008 records from this breach used in our total: 11,000 Blue Cross & Blue Shield Baton Rouge, Louisiana MED DISC 1,700 A document containing the personal data was accidentally attached to a general e-mail being sent out to brokers notifying them of a software upgrade. Information such as Social Security numbers, phone numbers and addresses were exposed. Information Source: Dataloss DB September 26, 2008 records from this breach used in our total: 1,700 Fort Wayne Community Schools Fort Wayne, Indiana EDU UNKN 3,348 A man arrested on forgery and counterfeiting charges may have used some employees' personal information in his possession. A 94-page document containing personal information belonging to 3,348 FWCS employees was found by police. The information included names, Social Security numbers, dates of birth and salary. Information Source: records from this breach used in our total: 3,348 Dataloss DB September 23, 2008 Texas Lottery Commission Austin, Texas GOV INSD 89,000 A former Texas Lottery Commission computer analyst has been arrested for copying the personal data of Texas lottery winners. He downloaded his own work files off his computer and took them to his next job. The names and Social Security numbers of 27,075 mid-level lottery winners -- people who have won prizes from $600 up to around $1 million -- were on the employee's hard drive. UPDATE 10/31/08: 89,000 lottery winners are being notified their personal information, including Social Security numbers, may have been breached. Information Source: records from this breach used in our total: 89,000 Dataloss DB September 22, 2008 Sonoma State University Sonoma, California EDU DISC 600 Social Security numbers have been exposed to the public through an internal department website. Information Source: Dataloss DB September 19, 2008 records from this breach used in our total: 600 Texas A&M University College Station, Texas EDU HACK 31 A class roster was among some documents located on a computer server that was hacked. The class roster was for Economics-2301 held during the first summer session of 2004. Social Security numbers were part of the information on those documents. Information Source: records from this breach used in our total: 31 Dataloss DB 132 September 15, 2008 Forever21 Los Angeles, California BSR HACK 98,930 (888) 757-4447, http://www.forever21.com/notice/notice.html [127] If you shopped at the stores between November 26, 2003, and October 24, 2005, criminals may have hijacked your credit and debit card numbers from its computers. Approximately 20,500 of these numbers were obtained from the Fresno store transaction data. The data included credit and debit card numbers and in some instances expiration dates and other card data, but did not include customer name and address. Information Source: records from this breach used in our total: 98,930 Dataloss DB September 13, 2008 State Farm Insurance Surprise, Arizona BSO INSD 137 An employee of State Farm fraudulently used customer information to open credit-card accounts. Customers' Social Security numbers, driver's license numbers, addresses and possibly financial account numbers could have been accessed. Information Source: records from this breach used in our total: 137 Dataloss DB September 12, 2008 Tennessee State University Nashville, Tennessee EDU PORT 9,000 A flash drive containing the financial information and Social Security numbers of students was reported missing. The flash, which contained financial records of TSU students dating back to 2002. Information Source: records from this breach used in our total: 9,000 Dataloss DB September 11, 2008 Marshall University Charleston, West Virginia EDU DISC 198 The names and Social Security numbers of Marshall University students were openly available on the Internet. Information Source: records from this breach used in our total: 198 Dataloss DB September 11, 2008 University of Iowa College of Engineering Iowa City, Iowa EDU HACK 500 Some students are being notified by the College that their personal information may have been exposed in a recent computer breach. The compromised computer contained a file with names and Social Security numbers of students stored on its hard drive. Information Source: Dataloss DB September 10, 2008 records from this breach used in our total: 500 Ivy Tech Community College Bloomington, Indiana EDU DISC Unknown http://www.ivytech.edu/about/security/ [128] An employee of the college used an internal file sharing system to send a file that consisted of students enrolled in the spring 133 2008 semester for distance education courses. The employee intended to share the file with a single employee of the college. Instead, due to a clerical error, the invitation to view the file was sent to a list of all Indianapolis region employees. Information Source: records from this breach used in our total: 0 Dataloss DB September 10, 2008 Franklin Savings and Loan Cincinnati, Ohio BSF HACK 25,000 (877) 579-2267, (513) 605-4378 An unauthorized person gained access to a database on a company web site containing personal information such as names, addresses, phone numbers, account numbers, account balances and Social Security numbers. Information Source: records from this breach used in our total: 25,000 Dataloss DB September 9, 2008 University of Pittsburgh Pittsburgh, Pennsylvania EDU PORT Unknown A laptop containing personal information including names and Social Security numbers was stolen. The laptop, stolen from Mervis Hall was being used by an employee to conduct surveys of alumni that are used in college rankings. Information Source: records from this breach used in our total: 0 Dataloss DB September 5, 2008 East Burke High School Morganton, North Carolina EDU DISC 163 For the past five years, East Burke High School's web site exposed files containing personal information including names, Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers, bus drivers, custodians and other staff members on the Internet. Information Source: Dataloss DB September 2, 2008 records from this breach used in our total: 163 Clarkson University Potsdam, New York EDU DISC 245 A non-malicious student intruder gained access to a restricted server and promptly reported the vulnerability to campus authorities. Approximately 245 employees and former employees had personal information, including name, social security number, and date of birth, compromised during the security breach. The file containing personal information was a record of employees that had university credit cards known as purchase cards (or p-cards). Any university member requesting a pcard must provide their Social Security number and date of birth on the application form. Information Source: Dataloss DB August 30, 2008 records from this breach used in our total: 245 Ohio Police & Fire Pension System Columbus, Ohio GOV INSD 13,000 A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers. Information 134 Source: records from this breach used in our total: 13,000 Dataloss DB August 30, 2008 National Technical Institute for the Deaf Rochester Institute of Technology FAQ, incl. ASL video, <a href=http://www EDU PORT 13,800 Rochester, New York RIT Hotline through 9/26/08 (866) 624-8330, RIT Public Safety (585) 475-2853 http://www.rit.edu/news/?v=46283 [129] A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study. Information Source: records from this breach used in our total: 13,800 Dataloss DB August 30, 2008 Southwest Medical Association Las Vegas, Nevada MED PHYS Unknown Thousands of medical charts were found in an abandoned storage unit that was purchaced for $25. Information Source: records from this breach used in our total: 0 Media August 29, 2008 Louisiana Real Estate Commission Baton Rouge, Louisiana GOV DISC 13,000 A glitch during a computer upgrade caused the names, addresses and Social Security numbers of licensed agents to be exposed on the Internet. The commission was transferring its online programs to a new server when the sensitive electronic file, which is not normally posted on the Internet, was left unsecured and slipped in among the commission materials that could be seen online. Information Source: Dataloss DB August 29, 2008 records from this breach used in our total: 13,000 Wachovia Bank Cape Coral, Florida BSF CARD Unknown It was confirmed that the Camelot branch, at Cape Coral Parkway and Chiquita Boulevard, has had several debit cards' identities stolen because someone placed what's known as a skimming device on the ATM. The device collected each person's card information, including personal identification numbers, and allowed the suspect to create different debit cards with that information. Information Source: records from this breach used in our total: 0 Media August 28, 2008 The Washington Trust Co. Westerly, Rhode Island BSF HACK 1,000 The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified MasterCard merchant. The company is investigating a suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data. Information Source: records from this breach used in our total: 1,000 135 Media August 28, 2008 Reynoldsburg Ohio City School District Reynoldsburg, Ohio EDU PORT 4,259 Reynoldsburg school officials were phasing out the use of Social Security numbers in the district's student database when someone stole a laptop containing that information. The district laptop, taken from a computer technician's car, also included names, addresses and phone numbers for two-thirds of the district's enrollment. Information Source: Dataloss DB August 27, 2008 records from this breach used in our total: 4,259 YMCA Champaign, Illinois NGO UNKN Unknown Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary at which credit and debit card numbers were taken. Information Source: Media August 27, 2008 records from this breach used in our total: 0 Kansas State University Manhattan, Kansas EDU PHYS 86 An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor's classes from fall 2007 through summer 2008. Information Source: records from this breach used in our total: 86 Dataloss DB August 26, 2008 Pennsylvania Department of Public Welfare Harrisburg, Pennsylvania GOV DISC 2,845 Paper jams in a state Department of General Services mail inserter caused benefit renewal packets to go to the wrong Pennsylvania welfare client's homes. Nearly half of them included the intended recipients' Social Security numbers. Information Source: records from this breach used in our total: 2,845 Dataloss DB August 26, 2008 Prince William County Public Schools Manassas, Virginia EDU DISC 2,600 Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County Public Schools employee. Information for more than 2,600 people was exposed through a file-sharing program by an employee working from home on a personal computer. The compromised information included: names, addresses and student identification numbers of more than 1,600 students names and Social Security numbers of 65 employees other confidential information for about 250 employees and the names, addresses and e-mail addresses of more than 700 volunteers. Information Source: Dataloss DB August 22, 2008 records from this breach used in our total: 2,600 Liberty McDonald's Restaurant Liberty, Kentucky BSR INSD Unknown 136 Liberty, Kentucky An employee at a Liberty McDonald's restaurant, took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards to record their numbers. The information on the device then was downloaded and used to make new cards either in the names of the persons to which the original cards belonged or in the names of the perpetrators. Information Source: records from this breach used in our total: 0 Media August 19, 2008 Kingston Tax Service Kingston, Washington BSO PORT Unknown Office computers were stolen from the business. On each of the computers is information which can be used by identity thieves including credit card information and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB August 18, 2008 Dominion Enterprises Richmond, Virginia BSO HACK 92,095 (757) 351-7951 A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and Social Security numbers of 92,095 applicants who submitted credit applications to IFMG's family of special finance Web sites. Information Source: Dataloss DB August 18, 2008 records from this breach used in our total: 92,095 Keller High School Keller, Texas EDU DISC 45 Keller family's received a mailing from Keller High School last week. Upon opening it, they found two enrollment forms. One was an emergency-care authorization form. But the other was a student information form containing another classmate's Social Security number, student ID number, home address, phone number and contact information for his parents at home and at work. They quickly realized that their child's private information, which they used to set up their college fund and other accounts, was mailed to someone else. Information Source: Dataloss DB August 18, 2008 records from this breach used in our total: 45 The Princeton Review New York, New York EDU DISC 108,000 The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fl. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va. Information Source: records from this breach used in our total: 108,000 Dataloss DB August 14, 2008 Wuesthoff Medical Center Rockledge, Florida MED HACK 500 137 Hundreds of people in Brevard County found out their personal information was stolen. Names, Social Security numbers and even personal medical information were posted on the Internet. Information Source: records from this breach used in our total: 500 Dataloss DB August 13, 2008 Charter Communications Greenville, South Carolina BSO PORT 9,000 Computers were stolen from the company's Greenville offices and contained records of more than 9,000 Charter employees nationwide. The information included Social Security numbers, dates of birth and driver's license numbers. Information Source: records from this breach used in our total: 9,000 Dataloss DB August 12, 2008 Wells Fargo Minneapolis, Minnesota BSF HACK 5,000 Wells Fargo is notifying customers that hackers have accessed their confidential personal data by illegally using its access codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's licence numbers and in some cases, credit account information was accessed by unauthorised persons. Information Source: records from this breach used in our total: 5,000 Dataloss DB August 12, 2008 Child Protective Services San Antonio, Texas GOV PHYS Unknown Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft, such as Social Security numbers, were also found in the trash. Information Source: Media August 7, 2008 records from this breach used in our total: 0 Harris County Hospital Houston, Texas MED PORT 1,200 A lower-level Harris County Hospital District administrator downloaded medical and financial records for patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen. This may have been a violation of law. The data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses. Information Source: Dataloss DB August 5, 2008 records from this breach used in our total: 1,200 The Clear Program Fast-pass Registered Travel program for airline passengers, operated by Verified Identity Pass for the U.S. Transportation Security Admin. New York, New York BSO PORT 33,000 A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver's license numbers or passport numbers. 138 Information Source: Media August 4, 2008 records from this breach used in our total: 33,000 Arapahoe Community College Littleton, Colorado EDU PORT 15,000 A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive included the names, addresses, credit card numbers and Social Security numbers. Information Source: Dataloss DB August 3, 2008 records from this breach used in our total: 15,000 Oakland School District Oakland, California EDU STAT Unknown Thieves stole 10 desktop computers containing employees' personal information from the Oakland school district's main office. District officials are still determining what information was on each computer, but the machines may contain personal information provided to the district when employees were hired. It is unknown how many employees' records were on the computers. Information Source: records from this breach used in our total: 0 Media August 2, 2008 Countrywide Financial Corp. BSF Calabasas, California INSD 2,000,000 The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period though July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. The alleged data thief was said to have downloaded about 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches. UPDATE (1/30/09): Bank of America will pay Connecticut $350,000 as part of a settlement. The bank will also provide at least $25,000 to reimburse Connecticut residents forced to pay for freezing and unfreezing their credit reports. UPDATE (4/09/10): Employees of Countrywide Financial stole and sold "tens of thousands, or millions" of customers' personal financial information, invading their privacy and exposing them to identity theft, according to class action claims in Ventura County Court, Calif. Sixteen named plaintiffs sued Countrywide Financial, Countrywide Home Loans, and Bank of America, which bought Countrywide, the poster boy for the subprime mortgage crisis. UPDATE (5/08/10): For information about the settlement, visit www.CWdataclaims.com [130] or call (866) 940-3612. Information Source: Dataloss DB August 1, 2008 records from this breach used in our total: 2,000,000 Tennessee Valley Authority Knoxville, Tennessee GOV PORT Unknown A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency. The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA. Information Source: records from this breach used in our total: 0 Media August 1, 2008 Ohio Department of Job & Family Services, Delphi Automotive Columbus, Ohio BSO PORT 2,600 139 A flash drive with Social Security numbers and other personal information from former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing. The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers. Information Source: Dataloss DB July 31, 2008 records from this breach used in our total: 2,600 City of Yuma Yuma, Arizona GOV DISC 300 The Social Security numbers of about 300 city of Yuma employees were unintentionally released in an e-mail sent to city administrative personnel. Information Source: Dataloss DB July 31, 2008 records from this breach used in our total: 300 University of Texas, Dallas Dallas, Texas EDU HACK 9,100 http://www.utdallas.edu/infosecurity/ [131] A security breach in UTD's computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers: 4,406 students who were on the Dean's List or graduated between 2000 and 2003; 3,892 students who were contacted to take part in a survey by the Office of Undergraduate Education in 2002; 88 staff members from Facilities Management; 716 faculty and staff members listed in a space inventory record from 2001. Information Source: Dataloss DB July 29, 2008 records from this breach used in our total: 9,100 Blue Cross and Blue Shield of Georgia Atlanta, Georgia MED DISC 202,000 (866) 800-8776 Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patient's Social Security numbers. Information Source: records from this breach used in our total: 202,000 Dataloss DB July 29, 2008 Anheuser-Busch St. Louis, Missouri BSR PORT Unknown (800) 913-4502 A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen from a St. Louis-area Anheuser-Busch office. Information contained on the computer included employees' Social Security numbers, home addresses and marital status. Information Source: Dataloss DB records from this breach used in our total: 0 Unknown 80 million Not July 28, 2008 Facebook Palo Alto, California BSO DISC added to total since the breach is not SSNs or 140 financial account data. Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. The full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remained confidential. Information Source: records from this breach used in our total: 0 Media July 26, 2008 Connecticut College, Wesleyan University, Trinity College Middletown, Connecticut EDU HACK 2,815 A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam emails. The system's database included the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity. Information Source: records from this breach used in our total: 2,815 Dataloss DB July 25, 2008 Grady Memorial Hospital Atlanta, Georgia MED INSD Unknown Hospital records were stolen, although it remains unknown how many patient records were compromised, which patients were affected or how the records were stolen. The records pertained to recorded physician comments that Grady sent to a vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor. Information Source: Media July 25, 2008 records from this breach used in our total: 0 Ohio University College of Osteopathic Medicine Columbus, Ohio EDU DISC 492 http://www.ohiocore.org/answers [132] , (866) 437-8698 A clerical error led to the online posting of the names and Social Security numbers of people who spoke at Ohio University's Centers for Osteopathic Research and Education. A spreadsheet that contained the information had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers. Information Source: records from this breach used in our total: 492 Dataloss DB July 24, 2008 Village of Tinley Park Chicago, Illinois GOV PORT 20,400 Computer backup tapes that contain thousands of Social Security numbers of Tinley Park residents have been lost. The tapes containing information from as long ago as 15 years were lost while being transferred from the village hall to another site within the Chicago suburb. Information Source: records from this breach used in our total: 20,400 Dataloss DB July 24, 2008 Saint Mary's Regional Medical Center Reno, Nevada MED HACK 128,000 141 An unauthorized person may have accessed the Saint Mary's database. The database, used for Saint Mary's health education classes and wellness programs, contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information. Information Source: Dataloss DB July 24, 2008 records from this breach used in our total: 128,000 Hillsborough Community College Tampa, Florida EDU PHYS 2,000 Hillsborough Community College warned its employees to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia. The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers. Information Source: Dataloss DB July 24, 2008 records from this breach used in our total: 2,000 University of Houston Houston, Texas EDU DISC 259 The names and Social Security numbers of University of Houston students were inadvertently posted on the Internet for more than two years. The posting occurred when a math department lecturer posted student grades on a UH Web server in October 2005. Information Source: records from this breach used in our total: 259 Dataloss DB July 23, 2008 San Francisco Human Services Department San Francisco, California GOV PHYS Unknown Potentially thousands of files contaning personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins. In some cases entire case files were discarded. Blown up copies of social security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins. Information Source: Media July 19, 2008 records from this breach used in our total: 0 Minneapolis Veterans Home Minneapolis, Minnesota GOV STAT 336 A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-ofkin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents. Information Source: records from this breach used in our total: 336 Dataloss DB July 17, 2008 Bristol-Myers Squibb Jacksonville, Florida BSO PORT 42,000 A backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently. The backup data tape was stolen while being transported from a storage facility. The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information. Data for some employees' family members also were on the tape. 142 Information Source: Dataloss DB July 17, 2008 records from this breach used in our total: 42,000 University of Maryland College Park, Maryland EDU DISC 23,000 University of Maryland accidentally released the addresses and Social Security numbers of thousands of students. A brochure with on-campus parking information was sent by U.S. Mail to students. The University discovered the labels on the mailing had the students' Social Security numbers on it. Information Source: records from this breach used in our total: 23,000 Dataloss DB July 17, 2008 Department of Consumer Affairs Sacramento, California GOV INSD 5,000 A Consumer Affairs personnel specialist in Sacramento, emailed an alpha personnel file containing names and Social Security numbers of the department's more than 5,000 staff to a personal Yahoo email account at the end of the day, her last day at the department. Information Source: records from this breach used in our total: 5,000 Dataloss DB July 16, 2008 Greensboro Gynecology Associates Greensboro, North Carolina MED PORT 47,000 A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members. Information Source: Dataloss DB July 16, 2008 records from this breach used in our total: 47,000 Indiana State University Terre Haute, Indiana EDU PORT 2,500 A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen. The laptop contained data for students who took economics classes from 1997 through the spring semester 2008. The information includes names, grades, e-mail addresses and student identification numbers and in some cases Social Security numbers. UPDATE(7/22/08) :The laptop computer was mailed anonymously back to the professor it was stolen from six days after it was stolen along with other personal items. Information Source: Dataloss DB July 15, 2008 records from this breach used in our total: 2,500 Weber Law Firm Houston, Texas BSO PHYS Unknown Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston. Box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more were found in the dumpster. Information Source: records from this breach used in our total: 0 Dataloss DB 143 July 15, 2008 Missouri National Guard Jefferson City, Missouri GOV UNKN 2,000 (888) 526-6664 ext. 7888, (312) 555-9500 ext. 7888 Soldier deployed overseas The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached. The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a full law enforcement investigation into the matter. Information Source: Dataloss DB July 15, 2008 records from this breach used in our total: 2,000 University of Texas, Austin Austin, Texas EDU DISC 2,500 The personal information of University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than five dozen files containing confidential graduate applications, test scores, and Social Security numbers. The files were inadvertently posted by at least four different UT professors to a file server for the School of Biological Sciences. Information Source: records from this breach used in our total: 2,500 Dataloss DB July 14, 2008 Washington Metropolitan Area Transit Authority Washington, District Of Columbia GOV DISC 4,700 Metro accidentally published the Social Security numbers of past and present employees on its Web site. The numbers were posted with a solicitation to companies for workers' compensation and risk management services. Information Source: records from this breach used in our total: 4,700 Dataloss DB July 10, 2008 Williamson County (TN) Schools Franklin, Tennessee EDU DISC 5,100 Social Security numbers and other personal information of 4,000 children were posted on the Internet. UPDATE 7/11/08 : 5, 100 students' information may be compromised. Information Source: records from this breach used in our total: 5,100 Dataloss DB July 9, 2008 Wichita Radiological Group Wichita, Kansas MED INSD Unknown A former employee stole patient records before being fired from the Wichita Radiological Group. Tens of thousands of patient records were in the database could have been compromised. Information Source: records from this breach used in our total: 0 Media July 9, 2008 Wagner Resource Group McLean, Virginia BSF DISC 2,000 Sometime late last year, an employee of a McLean investment firm used the online file-sharing network LimeWire. In doing 144 so, he inadvertently opened the private files of his firm to the public. That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer. Information Source: Dataloss DB July 9, 2008 records from this breach used in our total: 2,000 Division of Motor Vehicles Colorado , Colorado GOV DISC 3.4 million The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers. Information Source: records from this breach used in our total: 3,400,000 Media July 8, 2008 LPL Financial (formerly Linsco Private Ledger) Boston, Massachusetts BSF HACK 10,219 http://www.sec.gov/litigation/admin/2008/34-58515.pdf [133] Hackers obtained clients' unencrypted names, addresses and Social Security numbers from July 17, 2007, to February 15, 2008. They compromised the logon passwords of 14 financial advisers and four assistants. UPDATE (9/11/08) : The U.S. Securities & Exchange Commission (SEC) fined LPL $275,000 and required that LPL strengthen its security safeguards involving customer information. It was found that the hacker(s) placed, or attempted to place, 209 unauthorized trades in 68 customer accounts of several of LPL's registered representative, for more than $700,000 in trades in securities of 19 different companies. LPL reversed or eliminated the trades and compensated the customers for the resulting trading losses, which totaled approximately $98,900. Information Source: Dataloss DB July 7, 2008 records from this breach used in our total: 10,219 Florida Agency for Health Care Administration Tallahassee, Florida GOV DISC 55,000 A computer flaw in the Organ and Tissue Donor Registry database may have exposed thousands of donors' personal information, including their Social Security numbers. Other data included donors' names, addresses, birth dates and drivers' license numbers. Information Source: records from this breach used in our total: 55,000 Dataloss DB July 4, 2008 US Army Fort Lewis, Washington GOV PORT 800-900 A laptop computer that was reported stolen from an Army employee's truck contained personal information on Fort Lewis soldiers. A 500 GB removable hard drive was also taken in the theft. UPDATE (7/11/08) :A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater police uncovered items from vehicle prowls, including a stolen Army laptop containing information on Fort Lewis soldiers. Information Source: Dataloss DB July 4, 2008 records from this breach used in our total: 800 Clark County Nevada District Court Las Vegas, Nevada GOV DISC 380 145 A contracted vendor released personal information on about 380 potential jurors to an employee's private e-mail address. The information provided to the e-mail account could have included names, addresses, Social Security numbers and birth dates. Information Source: records from this breach used in our total: 380 Dataloss DB July 2, 2008 Baptist Health Little Rock, Arkansas MED INSD 1,800 Due to a breach by an unauthorized person in its information systems, there is a possibility that personal information, such as name, address, date of birth, Social Security number, and reason for coming to Baptist Health were compromised. Apparently, no information in the patients' medical records and no information about the patients' diagnoses or prognoses was accessed. A former employee was arrested for attempting to open a credit account at a retail merchant. Information Source: Dataloss DB July 2, 2008 records from this breach used in our total: 1,800 University of Nebraska, Kearney Kearney, Nebraska EDU HACK 2,035 (308) 865-8950 Officials at the University of Nebraska at Kearney discovered a security breach involving nine university computers. Of the nine computers involved, five contained names and partial or complete Social Security numbers. Information Source: Dataloss DB June 27, 2008 records from this breach used in our total: 2,035 Montgomery Ward Cedar Rapids, Iowa BSR HACK 51,000 Hackers extracted information from an online database that held credit card account information. Information Source: records from this breach used in our total: 51,000 Dataloss DB June 26, 2008 Texas Department of Public Safety Austin, Texas GOV PHYS 826 The personal information of 826 state employees was stolen from a Wichita Falls home office. Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals. Information Source: Dataloss DB June 26, 2008 records from this breach used in our total: 826 IGN Entertainment Brisbane, California BSR STAT 119 A computer was stolen in an unspecified location on May 25 of 2008. The computer contained employee names, addresses, dates of birth, Social Security numbers, and dependent information. Information Source: Dataloss DB records from this breach used in our total: 119 146 Dataloss DB June 24, 2008 Southeast Missouri State University Cape Girardeau, Missouri EDU INSD 800 (573) 986-6800, (573) 335-6611, ex.123,lbavolek@semissourian.com A former employee has been indicted on two charges of identity fraud and one charge of computer trespass after being found in possession of 800 student names and Social Security numbers. Information Source: Dataloss DB June 23, 2008 records from this breach used in our total: 800 Colt Express Outsourcing Services, CNET Networks Walnut Creek, California BSO STAT 17241 Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans. CNET was only one of several clients affected. UPDATE (8/26/08): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, Calif.: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn. Information Source: Dataloss DB June 23, 2008 records from this breach used in our total: 17,241 Bank Atlantic Tampa, Florida BSF CARD Unknown Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards. It happened through a local merchant, but at this time, isn't saying which one. Information Source: Media June 19, 2008 records from this breach used in our total: 0 Citibank New York, New York BSF HACK Unknown A Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached. The computer intrusion into the Citibank server led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines, pocketing at least $750,000 in cash Information Source: Dataloss DB June 19, 2008 records from this breach used in our total: 0 Petroleum Wholesale Houston, Texas BSO PHYS Unknown The company dumped hundreds of records in a publicly accessible trash container outside its former headquarters. The records included receipts with customers' names and full credit or debit card numbers, including expiration dates. The records also included returned checks and forms containing customers' names and bank routing, driver's license and Social Security numbers. Information Source: Dataloss DB June 18, 2008 records from this breach used in our total: 0 Domino's Pizza BSR PHYS Unknown 147 June 18, 2008 Tucson, Arizona BSR PHYS Unknown Investigators found credit card numbers blowing in the wind. These piles and papers contained hundreds of old receipts from Domino's Pizza stores. The former owner had been discarding boxes of old records and somehow all those receipts got loose. Information Source: Media June 15, 2008 records from this breach used in our total: 0 Conneticut Department of Administrative Services Hartford, Connecticut GOV DISC Unknown Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site. An audit also uncovered the Social Security numbers of prospective nursing employees accessible on an agency Web site for 19 months until a complaint was lodged. Information Source: records from this breach used in our total: 0 Media June 13, 2008 Texas Insurance Claims Services Dallas, Texas BSF PHYS Unknown Hundreds of files with people's names, Social Security numbers and policy numbers were found in a Richardson dumpster, apparently discarded by Texas Insurance Claims Services. Information Source: records from this breach used in our total: 0 Dataloss DB June 12, 2008 Columbia University New York, New York EDU DISC 5,000 Social Security numbers of some 5,000 Columbians were accidentally posted by a student employee on a Google-hosted site in February 2007. Student Services discovered the leak in June 2008, 16 months later, removing the sensitive data Information Source: records from this breach used in our total: 5,000 Dataloss DB June 11, 2008 Dickson County Board of Education Dickson, Tennessee EDU PORT 850 A computer containing sensitive personal information was stolen from the Dickson County Board of Education. The computer belongs to the new director of schools and was loaded with the name and Social Security number of every school employee from the 2006-2007 school year, a total of 850. Information Source: records from this breach used in our total: 850 Dataloss DB June 10, 2008 1st Source Bank South Bend, Indiana BSF HACK Unknown 1st Source Bank is replacing ATM cards this month for all its account holders after cyber-thieves accessed an unknown amount of debit-related data. Information Source: records from this breach used in our total: 0 Dataloss DB 148 June 10, 2008 University of Utah Hospitals and Clinics Salt Lake City, Utah MED PORT 2.2 million [134] Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take the eight data tapes to a storage center. The records, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years. Update (2/5/09): The data tapes were found within a month after being stolen. Update (6/9/10): An Englewood, Colo., insurance company has filed a federal lawsuit contending that it isn't reponsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach [135] caused by a third-party service provider. The lawsuit filed in a Utah federal court by Colorado Casualty Insurance Co. contends that the insurer is not obligated to cover the costs sought by the university. Colorado Casualty was providing breach insurance to the univerity at the time of the breach. The nine-page complaint, which seeks a declaratory judgment from the court, offers little explanation as to why exactly the insurer believes it is not obligated to pay the breach relqted costs sought by the university. http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach [134] [134] Information Source: records from this breach used in our total: 1,300,000 Dataloss DB June 10, 2008 University of Florida EDU Gainesville, Florida DISC 11,300 Current and former students had their Social Security numbers, names and addresses accidentally posted online. The information became available when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program between 2003 and 2005. Information Source: Dataloss DB June 10, 2008 records from this breach used in our total: 11,300 Wheeler's Moving Company Boca Raton, Florida BSO PHYS Unknown Personal files with tax information, Social Security numbers and license numbers, were found in a Boca Raton dumpster. Information Source: records from this breach used in our total: 0 Media June 9, 2008 University of South Carolina Columbia, South Carolina EDU STAT 7,000 Several items were stolen from an office in the Moore School of Business. Among the items was a desktop computer. As a result of the computer being stolen, it is possible that some personally identifiable data could have been compromised. Information Source: records from this breach used in our total: 7,000 Dataloss DB June 7, 2008 Southington Water Department Southington, Connecticut GOV PHYS 26 Documents with the names and Social Security numbers of 26 people were found scattered by the Quinnipiac River. 149 Information Source: Media June 7, 2008 records from this breach used in our total: 26 East Tennessee State University Johnson City, Tennessee EDU STAT 6,200 6,200 people may have had there identities compromised by the theft of a desktop computer. The computer is password protected and files cannot be easily accessed. But there is a small possibility that the information could be compromised. Information Source: records from this breach used in our total: 6,200 Dataloss DB June 6, 2008 Stanford University Stanford, California EDU PORT 72,000 Stanford University determined that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way. Information Source: records from this breach used in our total: 72,000 Dataloss DB June 4, 2008 Oregon State University Corvallis, Oregon EDU HACK 4,700 The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items. Information Source: records from this breach used in our total: 4,700 Dataloss DB June 2, 2008 Walter Reed Army Medical Center Washington, District Of Columbia MED UNKN 1,000 (877) 854-8542, ext. 9 Sensitive information on patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach. The computer file was found on a "non-government, non-secure computer network." The data file did not include information such as medical records, or the diagnosis or prognosis for patients, but may have included names, Social Security numbers, birth dates as well as other information. Information Source: records from this breach used in our total: 1,000 Dataloss DB June 2, 2008 Connecticut Department of Labor Wethersfield, Connecticut GOV PHYS 2,100 Records with confidential information on about 2,100 people have been lost and might have been mistakenly shredded. The files contained copies of letters informing applicants that they were ineligible for the unemployment insurance. They were dated between May 2 and May 20 and contained names, addresses and Social Security numbers. Information Source: Dataloss DB May 31, 2008 records from this breach used in our total: 2,100 Pocono Mountain School District EDU HACK 11,000 150 May 31, 2008 Swiftwater, Pennsylvania EDU HACK 11,000 (570) 873-7121, ext. 10151 A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents. Information may have included the students' birth dates, Social Security numbers, student IDs, home phones, and the parents' names, phone numbers and emergency phone numbers. ''If you see any unauthorized activity, promptly contract your service provider and or the office of the director of technology at 570-8737121, ext. 10151.'' Information Source: Dataloss DB May 30, 2008 records from this breach used in our total: 11,000 Circuit Court of Louisville Louisville, Kentucky GOV PHYS 312 (502) 595-3273 Louisville Metro Police made an arrest, and during that arrest they found 312 stolen court traffic files in that person's possession. All of the files contain personal information of people in Louisville such as, name, address, date of birth and in some cases Social Security numbers and copies of drivers' licenses. Information Source: records from this breach used in our total: 312 Media May 29, 2008 State Street Corp, Investors Financial Services Boston, Massachusetts BSF STAT 45,500 Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and Social Security numbers. Information Source: Dataloss DB May 28, 2008 records from this breach used in our total: 45,500 University of California, San Francisco San Francisco, California (415) 353-7427, PathHotline@ucsf.edu EDU HACK 3,569 [136] During routine monitoring of a campus computer network, UCSF discovered unusual data traffic on one of its computers. During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on one computer by an unknown individual. Installation of this program required high-level system access. The computer contained files with lists of patients from the UCSF pathology department's database. The data included information such as patient names, dates of pathology service, health information and, in some cases, Social Security numbers. Information Source: records from this breach used in our total: 3,569 Dataloss DB May 23, 2008 R.E. Moulton Irving, Texas BSF PORT 19,000 Thieves broke into the Irving, Texas, regional office and stole a laptop computer containing personally information of numerous individuals, including names and Social Security numbers. The company is in the medical stop-loss insurance industry. Information Source: records from this breach used in our total: 19,000 Dataloss DB 151 May 22, 2008 HealthSpring Inc. Franklin, Tennessee MED PORT 9,000 A laptop computer containing personal information of about 450 state residents was stolen. The laptop, believed to contain names, dates of birth and Social Security numbers of about 9,000 individuals, was stolen from a HealthSpring employee's locked car. Information Source: Dataloss DB May 22, 2008 records from this breach used in our total: 9,000 AT&T San Antonio, Texas BSO PORT Unknown A laptop was stolen from the car of an employee. The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information. Information Source: records from this breach used in our total: 0 Security Breach Letter May 21, 2008 Oklahoma Corporation Commission Oklahoma City, Oklahoma GOV STAT 5,000 The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction. Information Source: Media May 20, 2008 records from this breach used in our total: 5,000 University of Florida College of Medicine Jacksonville, Florida MED INSD 1,900 (866) 876-4472 A UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information on a computer. He then gave the computer to a family. The information included names, dates of birth, Social Security numbers, and Medicare numbers. Information Source: records from this breach used in our total: 1,900 Dataloss DB May 20, 2008 New York University New York, New York EDU DISC 273 Duke University's Fuqua School of Business is notifying former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches. The personal data included names and Social Security numbers and was contained in the faculty member's research records. The information could have been accessed only if searched by specific student names, along with a search code for Social Security numbers. Information Source: records from this breach used in our total: 273 Dataloss DB May 17, 2008 University of Louisville Louisville, Kentucky EDU PHYS 20 152 Documents being copied and taken from a private office in the president's office, to its Internal Audit Office and Department of Public Safety may have resulted in a security breach. The documents contained personal information - including Social Security numbers, student and employee identification numbers and salary information - for current and recent student employees. The university learned of the theft when salary information was shared anonymously with some employees in the office. Information Source: records from this breach used in our total: 20 Dataloss DB May 16, 2008 Spring Independent School District (Spring, TX) Spring, Texas EDU PORT 8,000 A laptop computer containing the personal information of students was stolen from a employee's car. The car burglars made off with her school laptop and an external flash drive. The flash drive contains students' Social Security numbers, personal information, schools those students attend, as well as their grade level and birthdates. The drive also contained the Texas Assessment of Knowledge and Skills test results. Information Source: Dataloss DB May 16, 2008 records from this breach used in our total: 8,000 Greil Memorial Psychiatric Hospital Montgomery, Alabama EDU PHYS Unknown Index cards containing patients personal information, names, dates of birth, even Social Security numbers are gone. Hundreds of records have simply disappeared. Information Source: Dataloss DB May 16, 2008 records from this breach used in our total: 0 Amateur Athletic Union Lake Buena Vista, Florida NGO PHYS Unknown Boxes filled with personal information were found in a dumpster. Information on athletes and their guardians included Social Security numbers and copies of birth certificates. Information Source: records from this breach used in our total: 0 Dataloss DB May 16, 2008 Chester County School District Downingtown, Pennsylvania EDU HACK 55,000 A 15-year-old student gained access to files on a computer at Downingtown West High School. Private information, including names, addresses and Social Security numbers, of more than 50,000 people were accessed. The student apparently used a flash drive to save the personal data of about 40,000 taxpayers and 15,000 students. Information Source: Media May 15, 2008 records from this breach used in our total: 55,000 BB&T Insurance Harrisonburg, Virginia BSF PORT Unknown A BB&T Insurance laptop containing the personnel information of some Harrisonburg City Schools employees was stolen. The laptop, used by an outside sales representative to develop an insurance proposal for the school system, was stolen from a car. The information contained names, dates of birth, Social Security numbers, and, in some cases, medical history. Information 153 Source: records from this breach used in our total: 0 Dataloss DB May 14, 2008 Oklahoma State University Stillwater, Oklahoma EDU HACK 70,000 A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of students, staff and faculty who bought parking and transit services permits in the past six years. Information Source: records from this breach used in our total: 70,000 Dataloss DB May 12, 2008 Dave & Buster's Islandia, New York BSO HACK 5,000 Three men have been charged with hacking into the network and then remotely installing "packet sniffer" software on pointof-sale servers at 11 Dave & Buster's locations throughout the U.S. A packet sniffer logs information being sent over a network. In this case, the criminals used it to log credit- and payment-card data as it was sent from the branch locations to corporate headquarters. The hacking took place from April to September 2007. At Dave & Buster's Islandia, New York, location, the hackers accessed details of about 5,000 payment cards. The information was sold to other criminals who then used the card numbers to scam online merchants. The criminals were able to post at least US$600,000 in fraudulent transactions from 675 cards taken from this one store. UPDATE (4/05/10): In reaching a settlement with Dave & Buster’s, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software. Information Source: records from this breach used in our total: 5,000 Dataloss DB May 12, 2008 Pfizer New York, New York 13,000 Not added to total. It does not seem BSO PORT that SSNs or financial account numbers were exposed. (866) 274-3891 About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen. No Social Security numbers were on the laptop, but names, home addresses, home telephone numbers, employee ID numbers, positions and salaries were possibly compromised. Other information possibly lost included the department employees worked in, the Pfizer site where the employees worked, the name of employees' managers and descriptions of their jobs. Information Source: Dataloss DB May 9, 2008 records from this breach used in our total: 0 Princeton University Tower Club Princeton, New Jersey EDU DISC 103 Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and Social Security numbers was e-mailed to current club members. The document was attached to an apparently unrelated e-mail that informed current members about a club event. The spreadsheet was attached unintentionally because of a technical glitch in an email program. Information Source: Dataloss DB records from this breach used in our total: 103 154 May 8, 2008 Dominican University River Forest, Illinois EDU HACK 5,000 Two students were able to access records on a staff network storage area. The files accessed were three spreadsheets that included students' names, addresses, phone numbers, birthdays and Social Security numbers. Information Source: records from this breach used in our total: 5,000 Dataloss DB May 8, 2008 Las Cruces Public Schools Las Cruces, New Mexico EDU DISC 1,800 A part-time computer analyst for Las Cruces Public Schools inadvertently posted personal data for 50 special education students and 1,750 district employees on the Internet. Information posted included Social Security number, date of birth, name, the nature of disability and caseworker's name. Information Source: Dataloss DB May 7, 2008 records from this breach used in our total: 1,800 SAIC , Maryland BSO PORT 4,690 (877) 277-8001 SAIC stockholders are at risk of identity theft after a box of magnetic backup tapes went missing. The tapes contained names, addresses, Social Security numbers, stock account information, transaction activity and possibly bank account numbers for current or former shareholders. Information Source: records from this breach used in our total: 4,690 Media May 6, 2008 Ohio State University Agricultural Technical Institute Wooster, Ohio EDU DISC 192 Personal information on faculty and staff members was accidentally emailed to about 680 students. The email contained spreadsheet information listing the names, positions, salaries and Social Security numbers. Information Source: records from this breach used in our total: 192 Dataloss DB May 6, 2008 International Visa Service Atlanta, Georgia BSO INSD 1,000 An employee has been arrested and charged with stealing the personal information of people who were applying for a passport and sold the identities on the black market. Information Source: records from this breach used in our total: 1,000 Dataloss DB May 6, 2008 Northeast Security West Haven, Massachusetts BSO PHYS Unknown News Channel 8 found Social Security numbers, bank account numbers and even canceled checks inside a dumpster. The files appear to belong to Northeast Security, a subcontractor for Safe Home Security, based out of Rocky Hill. Northeast Security recently moved out of a West Haven storefront, and it seems they left their clients personal information behind. 155 Information Source: records from this breach used in our total: 0 Dataloss DB 6,313 Not added to May 5, 2008 Target America Inc., University of California, San Francisco (UCSF) San Francisco, California total. It is not clear if MED DISC SSNs or financial account numbers were exposed. Information on UCSF patients was accessible on the Internet. The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online. Information Source: records from this breach used in our total: 0 Dataloss DB May 5, 2008 Iredell County Tax Administration Statesville, North Carolina GOV PHYS 486 (704) 878-3020 A courier vehicle providing services for First Citizens Bank was stolen in Charlotte. The stolen shipment contained a computer report of taxpayer's check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments. Information Source: records from this breach used in our total: 486 Dataloss DB May 4, 2008 Staten Island University Hospital Staten Island, New York MED STAT 88,000 Computer equipment stolen from an administrator contained personal information from patients. Social Security numbers and health insurance numbers were contained in computer files on a desktop computer and the backup hard drive. Information Source: records from this breach used in our total: 88,000 Dataloss DB May 2, 2008 Marine Corps Reserve Center San Antonio, Texas GOV INSD 17,000 A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees. Information Source: records from this breach used in our total: 17,000 Media May 1, 2008 Cove Creek Mortgage, Front Range Mortgage Englewood, Colorado BSF PHYS Unknown Sensitive mortgage files with people's personal information were recently found in a Dumpster. The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information. Information Source: records from this breach used in our total: 0 156 Source: records from this breach used in our total: 0 Media May 1, 2008 Lunardi's Supermarket Los Gatos, California BSR CARD 100, updated amount 250 An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in cases of identity theft. Victims all had their card numbers stolen after officials from Lunardi's contacted them about a problem with one of their card readers. UPDATE (8/4/08): Police arrested a man Friday that was involved with the ATM scam at a Los Gatos supermarket that lost about $300,000. He was booked into the Santa Clara County Jail in connection with burglary, conspiracy, drunken driving, and further charges may be filed later, according to the district attorney's office. Information Source: Dataloss DB April 28, 2008 records from this breach used in our total: 250 Hough, MacAdam & Wartnik North Bend, Oregon BSO PORT 500 A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information. Information Source: Dataloss DB April 27, 2008 records from this breach used in our total: 500 General Internal Medicine of Lancaster East Hempfield Township, Pennsylvania MED PORT Unknown A laptop was stolen from a doctors' office containing the Social Security numbers of patients. The clinic is notifying 12,000 potential-affected patients. Information Source: Media April 25, 2008 records from this breach used in our total: 0 University of Colorado, Boulder Boulder, Colorado EDU HACK 9,500 revised to 0 Three computers in the Division of Continuing Education and Professional Studies were compromised, leaving people open to potential identity theft. One of the three computers had personal data, including names, Social Security numbers, addresses and grades. UPDATE (5/1/08): Upon further analysis, the University concluded that no personal data had been exposed. 9,500 records were initially thought to be comprised, but later this was revised to zero. Information Source: Dataloss DB April 25, 2008 records from this breach used in our total: 0 Canton WiseBuys Canton, New York BSR HACK Unknown Someone apparently hacked into the Canton WiseBuys store computer system during a changeover between December 5, 2007 and December 20, 2007. The hacker obtained personal identification and banking numbers of hundreds of customers. Information Source: Media records from this breach used in our total: 0 157 April 25, 2008 Baltimore Highway Administration Baltimore, Maryland GOV DISC 1,800 An employee transferred personnel transaction data from a secure drive to a SHA shared drive. Sensitive personal information concerning employees, included names and Social Security numbers. Information Source: records from this breach used in our total: 1,800 Dataloss DB April 24, 2008 Harmony Information Systems Madison, Wisconsin BSO DISC Unknown A computer program housing personal information about Wisconsin seniors and disabled people had a significant security hole. A senior center volunteer in McFarland said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems. The information is entered into an electronic record that includes the person's name and Social Security number. Information Source: records from this breach used in our total: 0 Media April 24, 2008 Collections Lawyers Pellegrino & Feldstein Denville, New Jersey BSO DISC 530 Consumer information somehow escaped the New Jersey law offices and ended up posted on several websites. The Liberty Coalition discovered cached versions of an Excel file that contained the full names, Social Security numbers, dates of birth, addresses, account numbers, and financial information. Information Source: records from this breach used in our total: 530 Dataloss DB April 23, 2008 University of Texas Health Science Center Tyler, Texas MED DISC 2,000 About 2,000 medical bills were mailed last week with patients' Social Security numbers visible on the envelope. Information Source: records from this breach used in our total: 2,000 Dataloss DB April 23, 2008 Southern Connecticut State University New Haven, Connecticut EDU HACK 11,000 Southern Connecticut State University is taking action to prevent its students from becoming victims of identity theft. The move comes after a website with student and alumni information was found to be easily accessible to hackers. It appears that no financial information was accessed but Social Security numbers were vulnerable. Information Source: records from this breach used in our total: 11,000 Dataloss DB April 22, 2008 LendingTree Charlotte, North Carolina BSF INSD Unknown Outside loan companies may have accessed information, including Social Security numbers, between October 2006 and early 2008 and used it to market their own mortgages to LendingTree customers. Several former employees may have shared confidential passwords with a handful of lenders that were not approved by the company. Information 158 Information Source: records from this breach used in our total: 0 Media April 22, 2008 University of Massachusetts, Amherst Amherst, Massachusetts MED HACK Unknown Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records. More than half of the student population at UMass Amherst are patients on record at the University Health Services. Information Source: Dataloss DB April 22, 2008 records from this breach used in our total: 0 HealthNow New York Buffalo, New York MED PORT Unknown Clients may be at risk for identity theft, after a former employee's laptop computer went missing with confidential information several months ago. The potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. Information Source: records from this breach used in our total: 0 Media April 22, 2008 Fishback Financial Corp. Brookings, South Dakota BSF HACK Unknown There has been an unauthorized access to one of the database servers by a third party. The database includes names, addresses and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB April 22, 2008 Central New England HealthAlliance Leominster, Massachusetts MED PORT 384 Personal data could be at risk of exposure after a home health nurse reported that her handheld computer was missing. The unencrypted data include names, Social Security numbers, and health insurance records. Information Source: Media April 22, 2008 records from this breach used in our total: 384 Smithtown Post Office Smithtown, New York GOV INSD Unknown A Smithtown postal worker was arrested after he stole credit cards from the mail and went on a shopping spree. Information Source: records from this breach used in our total: 0 Media April 22, 2008 CollegeInvest Denver, Colorado NGO PORT 200,000 Customers had personal information stored on a computer hard drive that disappeared during a recent move. CollegeInvest moved to a new office space, using an international relocation firm that offered specialists in moving computer equipment. CollegeInvest discovered while unpacking at the new location that a hard drive was missing. CollegeInvest is a not-for-profit 159 division of the Colorado Department of Higher Education. Information Source: records from this breach used in our total: 200,000 Dataloss DB April 21, 2008 Brunswick Corp. Lake Forest, Illinois BSO STAT 700 An electronic device that scans customers' drivers' licenses to make sure they're of legal drinking age was stolen from a company-owned bowling facility in suburban Naperville. The device contains information such as driver's license number, date of birth and first and last names of customers whose licenses were scanned. Information Source: records from this breach used in our total: 700 Media April 20, 2008 Helping Homeless Veterans and Families Hoosier Veterans Foundation NGO Indianapolis, Indiana PHYS Unknown Hundreds of files containing medical histories and Social Security numbers were found in the trash on Indianapolis' east side. The records belong to homeless veterans. A lot of the things inside the folders are confidential information about the clients including Social Secrutiy numbers. Information Source: Media April 19, 2008 records from this breach used in our total: 0 Central Collection Bureau BSO Indianapolis, Indiana STAT 700,000 A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group. Information Source: Dataloss DB April 17, 2008 records from this breach used in our total: 700,000 SunGard, Connecticut State University System, Buffalo State, Northwest Missouri State University BSO PORT Totals are not known , http://www.sungardhe.com/custom.aspx?id=1554&LangType=1033 [137] At least 18 colleges are scrambling to inform tens of thousands of students they are at risk of having their identities stolen. A laptop computer that was stolen from a vendor contained the data of current and former students from the four state universities, including Western Connecticut State University. The computer was password-protected but contained unencrypted files with personally identifiable data, including names and Social Security numbers. Information Source: Dataloss DB April 17, 2008 records from this breach used in our total: 0 University of Miami Miami, Florida MED PORT 2,100,000 (866) 628-4492 Computer tapes containing confidential information of Miami patients was stolen last month when thieves took a case out of a van used by a private off-site storage company. The data included names, addresses, Social Security numbers or health information. 160 Information Source: records from this breach used in our total: 2,100,000 Dataloss DB April 16, 2008 Hexter Elementary School Dallas, Texas EDU PHYS Unknown Employee and volunteer records were found at a recycling bin near the school. It's unknow what type of documents were found. Information Source: records from this breach used in our total: 0 Media April 16, 2008 University of Virginia Charlottesville, Virginia EDU PORT 7,000 A laptop stolen from a University of Virginia employee contained sensitive information about students, staff and faculty members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers. Information Source: records from this breach used in our total: 7,000 Dataloss DB April 15, 2008 First Federal Bank of California Los Angeles, California BSF UNKN Unknown Additional locations: Brookfield, WI (headquarters of Fiserv, Inc) This bank was not the only financial institute impacted by a security breach that occurred in a banking in a subsystem of a financial data processor, Fiserv, Inc. of Wisconsin last month.The bank said that it was company policy not to reveal any details about the breach including the number of banks involved, how many customers were impacted, the depth of information breached, how extensive the breach was geographically even which federal agencies were involved. However, non-public private account information might be at risk. Information Source: Dataloss DB April 15, 2008 records from this breach used in our total: 0 Oklahoma's Department of Corrections Oklahoma City, Oklahoma GOV DISC 10,597 The names, addresses, and Social Security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years on the ODC's website. Information Source: Media April 14, 2008 records from this breach used in our total: 10,597 Stokes County High Schools Danbury, North Carolina EDU STAT 800 A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet. Information Source: Dataloss DB records from this breach used in our total: 800 Utah Department of Workforce Services 161 April 14, 2008 Utah Department of Workforce Services Salt Lake City, Utah GOV INSD Unknown A former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases. Information Source: records from this breach used in our total: 0 Media April 13, 2008 University of Toledo Toledo, Ohio EDU DISC 6,488 Personal information of the University of Toledo employees, the majority having worked on the Health Science Campus in 1993 and 1999 - last month was inadvertently placed on a server to which all employees had access. The information, which was used for payroll purposes, included names, addresses, and Social Security numbers and was accessible for about 24 hours. Information Source: records from this breach used in our total: 6,488 Dataloss DB April 12, 2008 Allied Waste Boston, Massachusetts BSO PHYS Unknown A strap on the garage truck snapped sending reams of unshredded financial reports over downtown Boston streets. Information Source: Media April 12, 2008 records from this breach used in our total: 0 West Seneca School District West Seneca, New York EDU HACK 1,800 Several current and former students are believed to have broken into the school district's computer system and copied secure files that included the personal information and Social Security numbers of school employees Information Source: Dataloss DB April 11, 2008 records from this breach used in our total: 1,800 New York-Presbyterian Hospital, Weill Cornell Medical Center New York, New York MED INSD 49,841 An admissions employee is accused of selling 2,000 patients' data in an identity theft scheme and accessing nearly 50,000 records illegitimately. Records contained names, phone numbers and, in some cases, Social Security numbers of patients. The employee has since been charged with one count of conspiracy involving computer fraud, identity document fraud, transmission of stolen property and sale of stolen property. Information Source: records from this breach used in our total: 49,841 Dataloss DB April 10, 2008 Joliet West High School Joliet, Illinois EDU HACK Unknown A student using a school computer last month was able to access personal information about every student enrolled. The student allegedly downloaded a list of names and Social Security numbers to his iPod. Information Source: Dataloss DB records from this breach used in our total: 0 162 Dataloss DB April 9, 2008 People's United Bank Bridgeport, Connecticut BSF PHYS Unknown For four months, a dumpster diver searched through trash bins outside People's United Bank branches in Fairfield County. He pulled out bags of paperwork with private information, including customers' Social Security numbers and account information. UPDATE (5/1/08): The man who discovered bank records in the garbage outside local branches of People's United Bank in Connecticut has been sued to prevent him from informing people about the discovery. The man, discovered financial documents, including customer names, Social Security numbers, and account information. He was a no-show at a scheduled appearance in court. The bank won a restraining order against the man, which ordered him not to talk to bank customers, or disclose what he had discovered. He disregarded the order and made a documentary about the discovery. The man has already been fined $800 USD for refusing to hold his tongue, and now he has also been ordered to pay the bank's legal costs. According to the Connecticut Post, those costs are already up to around $40,000 USD. Information Source: records from this breach used in our total: 0 Media April 9, 2008 Norfolk's Community Services Board Norfolk, Virginia NGO PHYS 30 The personal information of clients of Norfolk's Community Services Board was compromised when a case worker's briefcase was stolen. The briefcase was left in the worker's car in a Virginia Beach parking garage, but someone smashed a window and stole it. It's unclear what information was in the files but that it likely included Social Security numbers. Information Source: records from this breach used in our total: 30 Media April 8, 2008 WellPoint Indianapolis, Indiana BSO DISC 128,000 Personal information that may have included Social Security numbers and pharmacy or medical data for customers in several states was exposed online over the past year. Information Source: records from this breach used in our total: 128,000 Dataloss DB April 8, 2008 WellCare Health Plans Inc. Atlanta, Georgia MED DISC 71,000 Private records of members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days. Those whose data was made available on the Internet included members of Medicaid, the federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor. About 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare. There is a possibility that an initial 59,000 members may have had some personal information made accessible. Information Source: Dataloss DB April 7, 2008 records from this breach used in our total: 71,000 Pfizer Inc New York, New York BSO PORT 800 A laptop was stolen by a burglar from the home of a contractor who helps arrange planning travel and meetings for Pfizer. Information on the laptop included names, credit card numbers and, in some instances, credit card expiration dates, various addresses and phone numbers, hotel loyalty program numbers and other information. It did not appear that any Social Security numbers or PIN codes were exposed. 163 Information Source: records from this breach used in our total: 800 Dataloss DB April 7, 2008 Army Acquisition Support Center Ft. Belvoir, Virginia GOV DISC 24 A spreadsheet containing a hidden column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information. The center has temporarily shut down its website to scrub the information from the spreadsheet. Information Source: records from this breach used in our total: 24 Media April 7, 2008 Redbox Oakbrook Terrace, Illinois BSR CARD Unknown Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country. They announced that they'd found credit card skimmers attached to three of their kiosks. Information Source: records from this breach used in our total: 0 Media April 4, 2008 Harley-Davidson, Inc. (HOG) Milwaukee, Wisconsin BSO PORT 60,000 A laptop computer containing certain HOG members' personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver's license numbers. Information Source: Media April 4, 2008 records from this breach used in our total: 60,000 University of California, Irvine Irvine, California EDU UNKN 7,000 7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax returns for 93 students. UCI doesn't know how the information was stolen or who is using it. Information Source: Dataloss DB April 1, 2008 records from this breach used in our total: 7,000 Okemo Mountain Resort Ludlow, Vermont BSO HACK 28,168 (866) 756-5366 The Ludlow ski area announced that its computer network was breached by an intruder who gained access to credit card data including cardholder names, account numbers and expiration dates. Information Source: Dataloss DB March 31, 2008 records from this breach used in our total: 28,168 Advance Auto Parts Roanoke, Virginia BSR HACK 56,000 164 The retailer reported that a network intrusion had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected. Information Source: records from this breach used in our total: 56,000 Dataloss DB March 29, 2008 Department of Human Resources Atlanta, Georgia GOV PORT Unknown A thief has stolen computer records containing identifying information on current and former employees of the state Department of Human Resources, including names, Social Security numbers, birth dates and home contact information. An external hard drive that stored a database was removed by an unauthorized person. Information Source: records from this breach used in our total: 0 Dataloss DB March 29, 2008 San Quentin State Prison San Quentin, California GOV PORT 3,500 A flash memory drive containing names, birth dates and driver's license numbers of people who either volunteered or visited San Quentin State Prison in a group tour has been lost. Information Source: records from this breach used in our total: 3,500 Media March 28, 2008 Antioch University Yellow Springs, Ohio EDU HACK 70,000 A computer system that contained personal information on about 70,000 people was breached by an unauthorized intruder three times. The system contained the names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees. Information Source: records from this breach used in our total: 70,000 Dataloss DB March 28, 2008 Museum of Science, Boston Boston, Massachusetts NGO DISC 140 The museum has notified 140 patrons that their names, credit card numbers, and other personal information were exposed on the museum's website because of a contractor's error. Information Source: records from this breach used in our total: 140 Dataloss DB March 26, 2008 Presbyterian Intercommunity Hospital Whittier, California MED STAT 5,000 About 5,000 past and current employees at Presbyterian Intercommunity Hospital had their private information stolen. The data included Social Security numbers, birth dates, full names and other records stored on a desktop computer that was stolen. Information Source: Media records from this breach used in our total: 5,000 165 March 26, 2008 Broward School District EDU Coconut Creek, Florida HACK 38,000 An Atlantic Technical High School senior hacked into a district computer and collected Social Security numbers and addresses of district employees. Information Source: Dataloss DB March 26, 2008 records from this breach used in our total: 38,000 Originally 4.5 million Bank of New York Mellon Pittsburgh, Pennsylvania BSF PORT customer records, raised to 12.5 million (877) 278-3451, (877) 278-346, www.bnymellon.com/tapequery [138] The company lost a box of computer data tapes storing personal information including names, Social Security numbers and possibly bank account numbers. UPDATE (5/07/08): On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely. UPDATE (5/31/08): The Hartford Courant [139] reports the following figures regarding the number of Connecticut shareholders affected by the lost computer tape: 403,894 People's United Bank 33,586 John Hancock Financial 18,361 Walt Disney Co. 10,000 the remaining shareholders UPDATE (8/30/08): The estimated number of people affected by a data breach at Bank of New York Mellon Corp has been raised from 4.5 million to 12.5 million. UPDATE (2/19/09): The Bank of New York Mellon will pay Connecticut $150,000 as part of a settlement. The bank will continue to provide those affected by the breach with credit monitoring and fraud alerts for a total of 36 months of protection. It will also reimburse anyone for funds stolen from their accounts as a direct result of the data breach. Information Source: Media March 24, 2008 records from this breach used in our total: 12,500,000 National Institutes of Health Bethesda, Maryland GOV PORT 4,359 A laptop was stolen from the trunk of a car. It contained information about heart disease patients, including their names, dates of birth and diagnoses of their medical conditions. UPDATE (4/14/08): Ongoing review of the computer's last-known contents, performed on data backed up from the laptop before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a research associate.That file included Social Security numbers for at least 1,281 of the 3,078 patients enrolled in the multiyear study, which is sponsored by the NIH's National Heart, Lung and Blood Institute. Information Source: records from this breach used in our total: 4,359 Dataloss DB March 22, 2008 Agilent Technologies Santa Clara, California BSO PORT 51,000 A laptop containing sensitive and unencrypted personal data on current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor. The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards. Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - in violation of the contracted agreement. Information Source: records from this breach used in our total: 51,000 166 Dataloss DB March 22, 2008 Western Carolina University Cullowhee, North Carolina EDU HACK 555 Someone had hacked into a computer server and had access to the Social Security numbers of 555 graduates of the university who had signed up for a newsletter. Information Source: Dataloss DB March 21, 2008 records from this breach used in our total: 555 Compass Bank Birmingham, Alabama BSF INSD 1,000,000 A database containing names, account numbers and customer passwords was stolen. A credit-card encoder and software to encode the information onto blank cards was also used to acquire information from ATMs. A former programmer at Birmingham, Ala.-based Compass Bank stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud. The thief had used the information stolen from Compass Bank's database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested. Information Source: records from this breach used in our total: 1,000,000 Dataloss DB March 21, 2008 Rhode Island Department of Administration Cranston, Rhode Island GOV PORT 1,400 A state computer disk containing Social Security numbers is missing. The information was discovered missing within the last two weeks when human resources staff members who had relocated from Providence to Cranston could not find the data on the server. Information Source: records from this breach used in our total: 1,400 Dataloss DB March 20, 2008 Rampage Marketing Services Columbus, Ohio BSO PHYS Unknown The company, a licensed insurance agency, threw 14 boxes of files containing sensitive financial and medical information into a trash bin. An insurance agent for another company noticed the boxes in the shared bin and sent them back to the Insurance Department Information Source: records from this breach used in our total: 0 Media March 20, 2008 Pennsylvania Department of State Harrisburg, Pennsylvania GOV DISC 30,000 The state was forced to pull the plug on a voter registration Web site after it was found to be exposing sensitive data about voters. Because of a Web programming error, the Web site was allowing anyone on the Internet to view data such as the voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen. Information Source: records from this breach used in our total: 30,000 Media Lasell College 167 March 20, 2008 Lasell College Newton, Massachusetts EDU HACK 20,000 A hacker accessed data containing personal information on current and former students, faculty, staff and alumni. Information included names and Social Security numbers. Information Source: records from this breach used in our total: 20,000 Dataloss DB March 19, 2008 Affordable Realty Flint, Michigan BSO PHYS Unknown Social Security numbers and financial records of customers. Affordable Realty occupied office space inside the Ben Agree building on Dort Highway for years. The company was evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby. Information Source: records from this breach used in our total: 0 Dataloss DB March 19, 2008 The Dental Network Baltimore, Maryland MED DISC 74,256 (866) 879-7402 A security breach of The Dental Network website left access to member personal data, including names, Social Security numbers, addresses and dates of birth unprotected for approximately two weeks. The Dental Network is an independent licensee of the Blue Cross and Blue Shield Association. Information Source: records from this breach used in our total: 74,256 Dataloss DB March 19, 2008 UCLA Medical Center Los Angeles, California MED INSD 900 UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records. UPDATE (8/5/08): The latest report said 127 workers peeked into celebrities' medical records without permission, leading to several firings, suspensions and warnings. The report also detailed the case of one employee who looked at the records of about 900 patients without any legitimate reason and viewed Social Security numbers, health insurance information and addresses, from April 2003 to May 2007. Information Source: Dataloss DB March 17, 2008 records from this breach used in our total: 900 Hannaford Bros. Supermarket chain Portland, Maine BSF HACK 4.2 million (866) 591-4580 This security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is currently aware of about 1,800 cases of reported fraud related to the security breach. Credit and debit card numbers were stolen during the card authorization transmission process. It's unclear if personal information was exposed. UPDATE (4/2/2009): An April 2, 2009, news story indicated that between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. About 1,800 fraudulent charges had been made. UPDATE (5/14/2009): A federal appeals court has revived a Tampa class-action suit seeking money for Florida shoppers whose credit and debit card numbers were swiped in a data breach that hit 109 Sweetbay Supermarkets. The suit seeks free 168 credit monitoring, credit repair if necessary and undetermined money damages to be split up among victims of the breach, including those unaware they were victims. UPDATE (5/22/2009): A Maine U.S. District Court dismissed most of a class action lawsuit against Hannaford, finding that there is no way to value the time and effort that consumers spent in correcting fraudulent activity resulting from the breach. The case of one named plaintiff was not dismissed. That plaintiff suffered actual monetary damages for unreimbursed fraudulent charges. Information Source: records from this breach used in our total: 4,200,000 Dataloss DB March 17, 2008 Minneola City Minneola, Florida GOV DISC 9 Nine Minneola firefighters are trying to keep their names clean after their personal information ended up on the city's Web site. The city clerk accidentally published the information. Social security numbers, phone numbers, addresses and personal information from union application cards found its way onto the city's Web site for over 36 hours. Information Source: Media March 17, 2008 records from this breach used in our total: 9 Binghamton University Binghamton, New York EDU DISC 300 A university employee mistakenly sent an e-mail attachment containing the names, grade point averages and Social Security numbers of junior and senior accounting students to another group of School of Management students. Information Source: Dataloss DB March 15, 2008 records from this breach used in our total: 300 Starling Insurance and Associates Colorado Springs, Colorado BSF PHYS Unknown A server stolen from the locked offices contained names, addresses and Social Security numbers, dates of birth, driver's license numbers and/or account information for an unspecified number of customers. Information Source: Media records from this breach used in our total: 0 500 - not included in March 15, 2008 Utah Division of Finance Salt Lake City, Utah GOV HACK total because it is unclear whether Social Security numbers or financial information was involved Computer files containing the personal information of approximately 500 individuals may have been accessed by unauthorized persons during a security breach. An initial investigation indicates it is highly unlikely the person who breached the computer system was able to access any personal information. Information Source: Dataloss DB March 13, 2008 records from this breach used in our total: 0 University Health Care Salt Lake City, Utah MED PORT 4,800 169 A laptop and flash drive containing patient data were stolen after hours from a locked office. Data included patients' names, addresses, and in some cases, medications, health insurance policy numbers, and Social Security numbers. Information Source: Dataloss DB March 12, 2008 records from this breach used in our total: 4,800 Harvard University Cambridge, Massachusetts EDU HACK 6,600 Harvard Graduate School of Arts and Sciences (GSAS) Web server may have compromised 10,000 sets of personal information from applicants and students, including 6,600 Social Security numbers and 500 Harvard ID numbers. Information Source: Dataloss DB March 10, 2008 records from this breach used in our total: 6,600 Texas Department of Health and Human Services Austin, Texas MED STAT Unknown Information, including Social Security numbers that could be used to steal Medicaid clients' identity may have been stored on two computers stolen during a burglary. Computers could have contained personal information only on e-mails. The e-mails, however, would normally contain only an individual's case number. It is unlikely those e-mails would have listed Social Security numbers. Information Source: records from this breach used in our total: 0 Media March 10, 2008 Central Florida Regional Hospital Sanford, Florida MED PHYS 28 The medical records of Central Florida Regional Hospital patients were sold last month at a Salt Lake City surplus store for about $20. The records were sold to a local school teacher looking for scrap paper for her fourth-grade class. The records contained detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information. They were lost en route to a Medicare auditor in Las Vegas, NV. Information Source: Media March 10, 2008 records from this breach used in our total: 28 Blue-Cross Blue-Shield of Western New York Buffalo, New York MED PORT 40,000 A laptop hard-drive containing vital information about members has gone missing. Blue-Cross Blue-Shield of Western New York says it is notifying its members about identity theft concerns after one of it's company laptops went missing. Information Source: Dataloss DB March 8, 2008 records from this breach used in our total: 40,000 MTV Networks Los Angeles, California BSO HACK 5,000 Computer files with confidential data on employees at MTV Networks were breached by someone outside the company. Personal information in the files included names, birth dates, Social Security numbers and compensation data. Information Source: Dataloss DB records from this breach used in our total: 5,000 170 March 6, 2008 Cascade Healthcare Community Prineville, Oregon MED HACK 11,500 A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community. Information Source: Dataloss DB March 5, 2008 records from this breach used in our total: 11,500 Nevada Department of Public Safety Carson City, Nevada GOV PORT 109 A private firm working for the Nevada Department of Public Safety has lost a thumb drive containing personal information provided by individuals seeking jobs with the agency. Data included Social Security numbers, addresses and background check information. Information Source: Dataloss DB March 3, 2008 records from this breach used in our total: 109 DaVita Inc. Denver, Colorado MED PORT 8,800 A laptop containing employee information was stolen from an employee's vehicle. The information included Social Security numbers and medical insurance information. Information Source: Dataloss DB March 3, 2008 records from this breach used in our total: 8,800 Kaft Foods Northfield, Illinois BSO PORT 20,000 A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. The laptop contained the names and may have contained Social Security numbers. Information Source: Dataloss DB February 29, 2008 records from this breach used in our total: 20,000 Wellesley Health Department Wellesley, Massachusetts GOV PHYS 480 Information in an envelope that had been mailed by the town's health department to a Medicare office in Boston say when the envelope arrived, it was open and the contents were missing. The material included social security numbers, addresses and dates of birth of seniors who had received flu shots from the town last fall. Information Source: Dataloss DB February 27, 2008 records from this breach used in our total: 480 Health Net Federal Services Rancho Cordova, California MED DISC 103,000 Thousands of doctors in eleven states had their personal information openly posted on a company website. Social Security numbers were part of the personal information exposed. The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia. Information Source: records from this breach used in our total: 103,000 171 Dataloss DB February 25, 2008 Mecklenburg County Charlotte, North Carolina GOV PHYS 400 A County employee's car was stolen, and in that car was a printout of bank draft transactions within the Park and Recreation Department. Bank account information of an unknown number of people in Mecklenburg County has been stolen. UPDATE: 400 account numbers were stolen; the county alerted those who were affected via letter. Information Source: records from this breach used in our total: 400 Dataloss DB February 18, 2008 First Magnus Financial Ft. Lauderdale, Florida BSF PHYS Unknown Outside a University of Phoenix Building in Ft. Lauderdale, files and paperwork belonging to the defunct First Magnus Financial were just lying in stacked boxes inside an industrial garbage container. The paperwork contained Social Security numbers, credit card information, addresses, and properties. Information Source: Dataloss DB February 16, 2008 records from this breach used in our total: 0 Texas A&M University College Station, Texas EDU DISC 3,000 A computer file containing the names and Social Security numbers of current and former Texas A&M University agricultural employees was inadvertently posted online and accessible to the public for three weeks. Information Source: Dataloss DB February 15, 2008 records from this breach used in our total: 3,000 Systematic Automation Inc Fullerton, California BSO STAT 40,000 Police filed possession of stolen property charges against a prison parolee who was arrested for having a computer with more than 40,000 names, addresses and Social Security numbers of California residents. The computer was stolen from Systematic Automation Inc., which processes individualized annual statements customized for employees with a summary of their health and other employee benefits. The hard drive contained employee information from 19 agencies. Some of the larger agencies include the Modesto City Schools, Clovis Unified School District, Los Angeles Department of Water and Power, and the Torrance Unified School District. Information Source: Dataloss DB February 15, 2008 records from this breach used in our total: 40,000 Lexmark International Lexington, Kentucky BSO DISC Unknown The employee personal data was inadvertently exposed, it included Social Security numbers, dates of birth, along with names and addresses. The data was accessed by two unknown parties when the data was loaded to a company file sharing site. Information Source: records from this breach used in our total: 0 Dataloss DB February 15, Crosslines Ministries of Carthage NGO PHYS 2,000 172 2008 Carthage, Missouri NGO PHYS 2,000 One of the largest aid agencies in Carthage was burglarized and files, containing the personal information of about 2,000 families, were stolen. Among the items stolen were paper files containing names, addresses, Social Security numbers and other personal information of individuals served by Crosslines. Information Source: Dataloss DB February 14, 2008 records from this breach used in our total: 2,000 Tenet Healthcare Corporation Dallas, Texas MED INSD 37,000 A ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients. The employee also had access to 37,000 other accounts. Information Source: Dataloss DB February 13, 2008 records from this breach used in our total: 37,000 Los Angeles Department of Water and Power Los Angeles, California GOV PHYS Unknown A computer was stolen from a contractor on February 11, 2008. Compromised information included name, Social Security number, date of birth, employee identification number, salary, work location, deferred compensation balances, insurance plan coverage and health care benefits selection for all active employees who were members of the DWP Retirement Plan during 2006 and 2007. Information Source: Security Breach Letter February 13, 2008 records from this breach used in our total: 0 Milwaukee County Milwaukee, Wisconsin GOV DISC Unknown Milwaukee County officials mistakenly released numerous confidential court records for a citizens group's Web site that detail payments for tests and other costs linked to to mental competency, paternity and guardianship cases. Entries for psychiatric examinations and guardianship fees in which the clients' names were still listed. Information Source: Media February 13, 2008 records from this breach used in our total: 0 Lifeblood Memphis, Tennessee MED PORT 321,000 Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual's last donation or attempted donation. In most cases, the donors' Social Security numbers were also stored, along with driver's licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security numbers had been used to track blood from the donor to the recipients. Information Source: Dataloss DB February 13, 2008 records from this breach used in our total: 321,000 Middle Tennessee State University Murfreesboro, Tennessee EDU STAT 1,500 A professor left the university computer unattended in the mass communication department about two weeks ago and an unidentified person is believed to have used the machine to send spam e-mails. The computer contained the names and 173 Social Security numbers of past and current students. Information Source: Dataloss DB February 12, 2008 records from this breach used in our total: 1,500 Modesto City Schools Modesto, California EDU PORT 3,500 (209) 576-4192 A computer hard drive holding the names, addresses, birth dates and Social Security numbers of Modesto City Schools' employees was stolen. Information Source: Dataloss DB February 12, 2008 records from this breach used in our total: 3,500 Long Island University Brookville, New York EDU PHYS 30,000 Students tax forms mailed to them last week in were in defective mailers. The mailers containing each student's annual 1098-T Tuition Statement were supposed to have adhesive on all four sides. But one side of each envelope was missing adhesive. The statement contains the student's name, address and Social Security number. Information Source: Dataloss DB February 11, 2008 records from this breach used in our total: 30,000 Jefferson County Public Schools Arvada, Colorado EDU PORT 2,900 A special education technician had a personal laptop and jump drive stolen during a home robbery. Student name and date of birth, Student ID number, School location If the student has received district transportation additional information such as parent or guardian name and contact information, may also have been on the jump drive. The stolen information did not contain any Social Security numbers or financial information. Information Source: Dataloss DB February 10, 2008 records from this breach used in our total: 2,900 Administrative Systems, Inc Seattle, Washington BSO STAT Unknown A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental. Personal details may have included name, date of birth, mailing address, and Social Security number, depending on the service being provided. Information Source: records from this breach used in our total: 0 Dataloss DB February 8, 2008 MLSgear.com Louisville, Kentucky BSR HACK Unknown Injection attacks on web servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site. The compromised information included names, addresses, credit card data, debit card data, and MLSgear.com passwords. Information Source: records from this breach used in our total: 0 174 Dataloss DB February 7, 2008 Memorial Hospital South Bend, Indiana MED PORT 4,300 A laptop containing the personal information of full and part time employees and retirees is missing. The missing computer contains their names, addresses, birth dates, ID numbers and Social Security numbers. Information Source: Dataloss DB February 4, 2008 records from this breach used in our total: 4,300 Bellin Health Greenbay, Wisconsin MED PHYS 650 Patients received notification that their Social Security numbers may have been exposed. Invoices mailed from Bellin Health's unnamed bill processor had viewable Social Security numbers. Information Source: PHIPrivacy.net February 2, 2008 records from this breach used in our total: 650 Diocese of Providence Providence, Rhode Island NGO STAT 5,000 Four computers were taken, and one had personal information on current and former Catholic school employees. The theft possibly exposed names, addresses and Social Security numbers. Information Source: Dataloss DB February 1, 2008 records from this breach used in our total: 5,000 Marine Corps Bases Japan Washington, District Of Columbia GOV PORT 4,000 Additional location: Okinawa, Japan A laptop was stolen which contained personally identifiable information for clients of Marine Corps Community Services' New Parent Support Program. The laptop may contain names, ranks, Social Security numbers, dates of birth, children's names and mailing addresses of U.S. military service members, U.S. government employees and Status of Forces Agreement personnel on Okinawa and Marine Corps Air Station Iwakuni. It does not include driver's license numbers or bank and credit card information. Information Source: Dataloss DB records from this breach used in our total: 4,000 South Carolina Department of Health and Environmental Control in Spartanburg, January 31, 2008 Cherokee, Union, Greenville and Pickens counties GOV PORT 400 , South Carolina A laptop containing the names and Social Security numbers of state health department employees is missing. The computer was inside a worker's vehicle when it was stolen last week from a convenience store. State officials say the passwordprotected computer contains personal information of state health department workers from Spartanburg, Cherokee, Union, Greenville and Pickens counties. Information Source: Dataloss DB January 31, 2008 records from this breach used in our total: 400 University of Minnesota Reproductive Medicine Center MED PORT 3,100 175 January 31, 2008 Minneapolis, Minnesota MED PORT 3,100 A doctor at the fertility clinic lost a flash drive that was used to back up his computer. The drive held details of infertility treatments for 3,100 patients going back to 1999. The lost drive included names, birthdates, and in some cases, diagnostic information, details of treatments, whether or not patients had conceived, baby names, and birth weights -- but apparently no SSNs or financial information. Information Source: Dataloss DB January 30, 2008 records from this breach used in our total: 3,100 Davidson Companies Great Falls, Montana BSF HACK 226,000 A computer hacker broke into a database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients. The database also included information such as account numbers and balances. Information Source: Dataloss DB January 29, 2008 records from this breach used in our total: 226,000 Georgetown University Washington, District Of Columbia EDU PORT 38,000 A hard drive containing the Social Security numbers of Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs. Information Source: Dataloss DB January 29, 2008 records from this breach used in our total: 38,000 Wake County (NC) Emergency Medical Services Raleigh, North Carolina MED PORT 4733 A Panasonic Toughbook used by county paramedics to store patient information on ambulance runs went missing from the WakeMed emergency department and now is thought to have been stolen. The laptop contained names, addresses and Social Security numbers. UPDATE (2/7/08): The laptop also may have the names and Social Security numbers of emergency personnel. The number includes county paramedics, firefighters and contracted emergency medical technicians and paramedics from municipal agencies. Information Source: Dataloss DB January 29, 2008 records from this breach used in our total: 4,733 Horizon Blue Cross Blue Shield Newark, New Jersey MED PORT 300,000 More than 300,000 members names, Social Security numbers and other personal information were contained on a laptop computer that was stolen. The laptop was being taken home by an employee who regularly works with member data. Information Source: Dataloss DB January 29, 2008 records from this breach used in our total: 300,000 TransUnion, Intelenet Global Services, Fullerton, California BSF INSD 400 Additional location: Plano, TX Credit profiles of as many as 400 Americans have been altered by two employees of Mumbai, India-based Intelenet Global 176 Services, an outsourcing company. The two arrested Intelenet employees had been accessing and altering data of individuals in the datafiles of the credit bureau TransUnion since August 2005. The bank account statements of the two men revealed that money was being deposited from an international source for the past few months. Information Source: records from this breach used in our total: 400 Dataloss DB January 28, 2008 T. Rowe Price Retirement Plan Services, CBIZ Benefits and Insurance Services Inc. BSF Baltimore, Maryland STAT 35,000 Names and Social Security numbers of current and former participants in several hundred retirement plans were compromised when several computers were stolen. The machines were taken from the office of CBIZ Benefits and Insurance Services Inc. Information Source: Dataloss DB January 25, 2008 records from this breach used in our total: 35,000 Penn State University University Park, Pennsylvania EDU PORT 677 A university laptop containing archived information and Social Security numbers for 677 students attending Penn State between 1999 and 2004 was recently stolen from a faculty member. Information Source: Dataloss DB January 24, 2008 records from this breach used in our total: 677 Fallon Community Health Plan Worcester, Massachusetts MED PORT 29800 A vendor computer containing personal information on patients of Fallon Community Health Plan has been stolen. The data included names, dates of birth, some diagnostic information and medical ID numbers. Some of which may be based on Social Security numbers. Information Source: Dataloss DB January 24, 2008 records from this breach used in our total: 29,800 OmniAmerican Bank Fort Worth, Texas BSF HACK Unknown An international gang of cyber criminals hacked into the bank's records. They stole account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York. Fewer than 100 accounts, some of them dormant, were compromised. Information Source: records from this breach used in our total: 0 Dataloss DB January 23, 2008 Baylor University Waco, Texas EDU INSD Unknown A student employee breached the security of the Baylor Information Network to access the Bear ID and passwords of those logging on to the BIN. This access didn't include sensitive information like Social Security Numbers, financial information or academic records. It was just unlawful access to Bear IDs and passwords. The information did, however, give access to Baylor e-mail and Blackboard accounts. Information Source: records from this breach used in our total: 0 177 Media January 17, 2008 GE Money , Iron Mountain Boston, Massachusetts BSF PORT 150,000 Personal information on customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. The missing information includes Social Security numbers for about 150,000 people. Information Source: Dataloss DB January 16, 2008 records from this breach used in our total: 150,000 University of Wisconsin, Madison Madison, Wisconsin EDU DISC 205 The personal information, including e-mail addresses, phone numbers, Social Security numbers and campus ID numbers of faculty and staff who made purchases from the DoIT computer shop had been accessible on a campus Internet site. Information Source: Dataloss DB January 15, 2008 records from this breach used in our total: 205 Department of Revenue Wisconsin Madison, Wisconsin GOV PHYS 5,000 Breach locations: Lena, Marinette, Little Suamico, Freedom, Kaukauna, Kimberly, Little Chute, Krakow, Keshena and Lakewood Taxpayers in northeastern Wisconsin had their Social Security numbers exposed in a state mailing. A folding error, apparently the result of a faulty machine, allowed the Social Security numbers to be seen through the clear address window of the envelope. Information Source: Dataloss DB January 15, 2008 records from this breach used in our total: 5,000 Naval Surface Warfare Center Dahlgren Division White Oak, Maryland GOV PHYS Unknown (800) 352-7967 Officials at the Naval Surface Warfare Center are warning past and present employees that their identities and credit ratings could be at risk. Two pages of a Naval Surface Warfare Center Employment Verification Report was found when four people were arrested in Bensalem Township, Pa., last week for attempted identity fraud. The report included names, Social Security numbers, birth dates, position titles, tenure codes, pay grades, salaries and other information about the employees. Information Source: records from this breach used in our total: 0 Dataloss DB January 14, 2008 Tennessee Tech University Cookeville, Tennessee EDU PORT 990 A portable storage drive containing the names and Social Security numbers of 990 students has been lost. A school employee transferred the information onto a portable flash drive when the printer where he was working did not print. The employee noticed the drive was missing the next morning. Information Source: Dataloss DB records from this breach used in our total: 990 178 January 12, 2008 California State University Stanislaus, Sodexho Turlock, California EDU UNKN Unknown A possible data breach occurred on a food vendor's computer server. Credit card numbers, cardholder names and expiration dates were exposed, leaving hundreds, possibly thousands, of university students, staff and guests open to identity theft, with victims reporting fake charges on their cards. Social Security numbers were not accessible. Information Source: Dataloss DB January 11, 2008 records from this breach used in our total: 0 University of Akron Akron, Ohio EDU PORT 800 A portable hard drive containing personal information is missing and may have been discarded or destroyed. The device contained Social Security numbers, names and addresses of students and graduates. Information Source: Dataloss DB January 11, 2008 records from this breach used in our total: 800 University of Iowa Iowa City, Iowa EDU DISC 216 Iowa College of Engineering has notified some of its former students that some of their personal information, including Social Security numbers, was inadvertently exposed on the Internet for several months. Information Source: Dataloss DB January 11, 2008 records from this breach used in our total: 216 Virginia Department of Social Services Richmond, Virginia GOV INSD 1,500 The Department of Social Services has mailed about 1,500 letters to warn of a potential security breach involving a department computer that police suspect was used to commit fraud. A woman is accused of using her work computer while employed by Social Services last summer to apply for a credit card using her landlord's information. She was charged with two felony counts, credit card fraud and forgery, and is accused of spending nearly $1,000 on the card. Information Source: Dataloss DB January 10, 2008 records from this breach used in our total: 1,500 Select Physical Therapy Levelland, Texas MED PHYS 4,000 The company dumped about 4,000 pieces of sensitive customer information in garbage containers behind its facility. The records included Social Security numbers, credit and debit card account numbers, names, addresses and telephone numbers. Information Source: Dataloss DB January 8, 2008 records from this breach used in our total: 4,000 Wisconsin Department of Health and Family Services Madison, Wisconsin GOV DISC 260,000 Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million. 179 Information Source: Dataloss DB January 8, 2008 records from this breach used in our total: 260,000 University of Georgia EDU Athens, Georgia HACK 4,250 Former and prospective residents of a University housing complex were affected by a hacker who was able to access a server containing personal information, including Social Security numbers. A computer with an overseas IP address was able to access the personal information - including Social Security numbers, names and addresses - of 540 current graduate students living in graduate family housing and 3,710 former students and applicants. Information Source: records from this breach used in our total: 4,250 Dataloss DB January 7, 2008 Sears, ManageMyHome.com Cook County, Illinois BSR DISC Unknown Sears' ManageMyHome.com site exposed customer purchase data to any online visitor who asked about it. Information Source: Media January 7, 2008 records from this breach used in our total: 0 Geeks.com Oceanside, California BSR HACK Unknown Personal and financial data may have been compromised by an intrusion into the systems of the online retailer's Web site. Compromised information included the names, addresses, telephone numbers and Visa credit card numbers. Information Source: Dataloss DB January 5, 2008 records from this breach used in our total: 0 New Mexico State University Las Cruces, New Mexico EDU PORT Unknown A computer hard drive containing the names and Social Security numbers of current and former NMSU employees is missing from the Pan American Center. Information Source: records from this breach used in our total: 0 Dataloss DB January 4, 2008 Health Net Mountain View, California MED PORT 5,000 Additional locations: Connecticut. Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a laptop computer that was stolen more than a month ago from a company vendor. The laptop had information on about 5,000 employees companywide and an undisclosed number of health-care providers outside the Northeast. Information Source: Dataloss DB January 4, 2008 records from this breach used in our total: 5,000 Florida Department of Children and Families GOV PORT 1,200 180 January 4, 2008 Orange, Florida GOV PORT 1,200 Additional locations: Seminole and Osceola, FL) Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando. Information Source: Dataloss DB January 4, 2008 records from this breach used in our total: 1,200 Maryland Department of Assessments and Taxation Baltimore, Maryland GOV DISC 900 The Maryland Department of Assessments and Taxation Web site may have exposed Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet. Roughly 900 people used the system. Information Source: Dataloss DB January 3, 2008 records from this breach used in our total: 900 Robotics Industries Association Ann Arbor, Michigan BSO HACK Unknown A hacker accessed the administration site for Robotics Online gaining access to individual orders that contained credit card information. Seven residents of NH were affected, but national totals were not indicated. Information Source: Media January 3, 2008 records from this breach used in our total: 0 Dorothy Hains Elementary School Augusta, Georgia EDU STAT Unknown The library door was kicked in and the circulation computer was stolen, something the principal desperately wants back because it has the Social Security numbers of students and teachers on it. Information Source: Dataloss DB January 2, 2008 records from this breach used in our total: 0 Workers Compensation Fund Salt Lake City, Utah BSO PORT 2,800 Officials with one of Utah's largest insurance companies are searching for a stolen laptop containing Social Security numbers and other personal information for about 2,800 people and 1,400 companies. The computer was taken from a car parked in the home garage of an auditor for the Workers Compensation Fund. Information Source: records from this breach used in our total: 2,800 Dataloss DB December 28, 2007 Minnesota Department of Commerce St. Paul, Minnesota GOV PORT 219 A laptop computer containing personal information on Minnesotans licensed by the state Commerce Department was stolen from one of its Pennsylvania vendors. Information Source: records from this breach used in our total: 219 181 Dataloss DB December 28, 2007 Davidson County Election Commission Nashville, Tennessee GOV PORT 337,000 Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may have contained Social Security numbers and other personal information for every registered voter in Davidson County. UPDATE (1/19/08): Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December. Information Source: Dataloss DB December 28, 2007 records from this breach used in our total: 337,000 United States Air Force Washington, District Of Columbia GOV PORT 10,501 A military laptop computer is missing and it contains personal information including Social Security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. The laptop belonged to an Air Force band member at Bolling Air Force Base, he reported it missing from his home. Information Source: records from this breach used in our total: 10,501 Dataloss DB December 21, 2007 Franklin County Municipal Court Columbus, Ohio GOV HACK 270 At least six central Ohioans are now under investigation by the U.S. Secret Service for hacking into a government Web site and stealing Social Security numbers to create false credit accounts. More than 270 people nationwide might have been victimized by a security lapse in the Franklin County Municipal Court Web site. Someone was randomly feeding Social Security numbers into a clerk's site, which contained personal information for thousands of people charged with misdemeanors, some guilty of only a speeding ticket. Once a number was hit on, the name, address, age and other information could be used to obtain credit cards and open bank accounts. Information Source: Dataloss DB December 20, 2007 records from this breach used in our total: 270 Dormitory Authority of the State of New York Manhattan, New York NGO PORT 800 Data tapes containing Social Security numbers, phone numbers and addresses for up to 800 current and former employees of the state Dormitory Authority are missing. Information Source: Dataloss DB December 20, 2007 records from this breach used in our total: 800 Greenville County School District Greenville, South Carolina EDU HACK Unknown The district notified employees last week that its computers had been compromised and that employees' personal information was taken, including their names, home phone numbers and Social Security numbers. Information Source: Dataloss DB records from this breach used in our total: 0 182 December 18, 2007 Brownsville School District Brownsville, Pennsylvania EDU PHYS Unknown Forms with employee personal information littered the fence of a Brownsville school district warehouse. Information on litter contained confidential letters with names, bank account numbers, and Social Security numbers. The forms may be more than ten years old, but they each contain information that's still valuable. Information Source: Media December 18, 2007 records from this breach used in our total: 0 Pennsylvania Department of Aging Harrisburg, Pennsylvania GOV PORT 21,000 A state Department of Aging-owned laptop computer containing personal information on senior citizens was stolen from a Johnstown home. The information included names, addresses, Social Security numbers and some medical information. Information Source: records from this breach used in our total: 21,000 Dataloss DB December 17, 2007 West Penn Allegheny Health System Pittsburgh, Pennsylvania MED (866) 559-6309 Monday through Friday from 10 a.m. to 6 p.m. or e-mail the hospital at askquestions@wpahs.org PORT 42,000 [140] . The names, Social Security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on a laptop computer stolen from a nurse's home. Only home care and hospice patients could be impacted, not patients at the hospitals. Information Source: records from this breach used in our total: 42,000 Dataloss DB December 14, 2007 Deloitte & Touche New York, New York BSO PORT Unknown A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and employees was stolen while in possession of a contractor responsible for scanning the accounting firm's pension fund documents. The computer contained confidential data, including names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates. Information Source: Dataloss DB December 10, 2007 records from this breach used in our total: 0 Cameron County Brownsville, Texas GOV UNKN Unknown An employee released an e-mail with a list of all county officials and employees. It reportedly contained names, Social Security numbers, and salaries. Information Source: Dataloss DB December 10, 2007 records from this breach used in our total: 0 Sutter Lakeside Hospital Lakeport, California MED PORT 45,000 Not added to total. It is not clear if SSNs or financial account numbers were exposed. 183 (866) 785-6443 A laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor. Information Source: records from this breach used in our total: 0 Dataloss DB December 10, 2007 Iowa Department of Natural Resources Des Moines, Iowa GOV PORT 7,000 A contractor working for the DNR revealed that a computer jump drive containing the names and Social Security numbers for 7000 people is missing. The contractor believes the jump drive fell off of his desk and into a garbage can. Information Source: records from this breach used in our total: 7,000 Dataloss DB December 7, 2007 Beacon Medical Services Aurora, Colorado MED DISC Unknown Detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time. The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses, treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000. Information Source: records from this breach used in our total: 0 Dataloss DB December 7, 2007 Colorado Board of Dental Examiners Lone Tree, Colorado GOV PHYS Unknown More than a hundred Colorado dentists and their patients could be at risk for identity theft after a car containing a bag of sensitive information was stolen. Authorities found the car a few days later at an apartment complex where one of the alleged thieves lived. Inside the unit, police discovered a massive amount of personal information from previous crimes. Social Security numbers, dates of birth, the credit card numbers, the pin numbers to those credit cards, they even have the photo IDs of the individuals they stole those credit cards from. Information Source: records from this breach used in our total: 0 Dataloss DB December 6, 2007 Oak Ridge National Laboratory Oak Ridge, Tennessee GOV HACK 12,000 Hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004. The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab's computer security. The lab has sent letters to about 12,000 potential victims. Information Source: Dataloss DB December 5, 2007 records from this breach used in our total: 12,000 Memorial Blood Centers Duluth, Minnesota Hot Line (888) 333-1491 Contacts: Memorial Blood Centers Laura Kaplan, (651) 332-7220 lkaplan@mbc.org McCartney, (952) 346-6688 MED [141] PORT 268,000 or Jim 184 McCartney, (952) 346-6688 A laptop computer holding donor information was stolen. About 268,000 donor records on this laptop computer contain a donor name in combination with the donor's Social Security number. Information Source: Dataloss DB December 5, 2007 records from this breach used in our total: 268,000 Forrester Research Cambridge, Massachusetts BSO PORT unknown Thieves stole a laptop from the home of a Forrester Research employee, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors. Information Source: Dataloss DB December 4, 2007 records from this breach used in our total: 0 Indianapolis Power and Light Indianapolis, Indiana BSO DISC 3,000 (317) 261-4845 The private information of thousands of customers was inadvertently posted online for up to four years. Data included names, addresses and Social Security numbers. Information Source: Dataloss DB December 4, 2007 records from this breach used in our total: 3,000 Duke University Durham, North Carolina EDU HACK 1,400 Social Security numbers of about 1,400 prospective law school applicants may have been compromised when a school Web site was accessed illegally. Information Source: Dataloss DB December 1, 2007 records from this breach used in our total: 1,400 Battelle & Battelle LLC Oakwood, Ohio BSO PORT 600 Other organizations: Community Blood Bank, Ohio Masonic Home A laptop was stolen from a Battelle & Battelle LLC employee's vehicle. The laptop contained information on an audit of the Community Blood Center's 401K plan as well as information on the employees of Springfield-based Ohio Masonic Home. The stolen laptop needs multiple levels of authentication in order to access the sensitive data, according to a representative of Battelle. Masonic Home officials report 600 of its employees were affected. Information Source: records from this breach used in our total: 600 Dataloss DB November 30, 2007 Prescription Advantage , Massachusetts MED UNKN 150,000 (866) 523-6846 or (877) 610-0241 for those who are hearing impaired. The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief who had been using information taken from the program in an attempted identity theft scheme. Although the thief used information from just a small number of participants in the scheme, state data-breach laws require that the 150,000 people who could 185 have possibly been affected by the breach be contacted. Information Source: records from this breach used in our total: 150,000 Dataloss DB November 29, 2007 American Red Cross Dallas, Texas NGO PHYS Unknown Six boxes were left unattended in a public hallway for more than six hours. The files contained personal information of current and former employees and were placed there by human resources. Names, addresses and social security numbers could have easily been stolen. The files also contained embarrassing information, including disciplinary actions, results from a drug test, a sexual harassment case even someone's criminal record from another state. Information Source: Media November 21, 2007 records from this breach used in our total: 0 University of Florida Gainesville, Florida EDU DISC 415 Those who suspect their Social Security numbers were posted can search their names on the Web site www.ssnbreach.org [142] . More than 400 former UF students might have been put at risk for identity theft after their Social Security numbers were posted on UF's Computing & Networking Services Web site. A news release from the Liberty Coalition, a group that works to preserve the privacy of individuals, said 14 files on the Web site contained sensitive information of 534 former UF students, including 415 Social Security numbers. Information Source: Dataloss DB November 21, 2007 records from this breach used in our total: 415 United Healthcare (UnitedHealthcare) New York, New York MED DISC Unknown UnitedHealthcare is headquartered in Minneapolis, Minnesota. United Healthcare posted the Social Security numbers of doctors at Columbia University's faculty practice on a public Web site. United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names of 993 providers at Columbia who participate in the insurer's network. The list was supposed to be accessible to Columbia employees during the current open enrollment period Information Source: records from this breach used in our total: 0 Media November 16, 2007 A.J. Falciani Realty Company Vineland, New Jersey BSO STAT Unknown Computers containing the personal information of between 500 to 1,000 clients of A.J. Falciani Realty Company were taken in a burglary. Many of the stolen computers stored the names, addresses, Social Security numbers, dates of birth, telephone numbers and other information on the company's clients. Information Source: Dataloss DB November 16, 2007 records from this breach used in our total: 0 University of Wisconsin, Whitewater Whitewater, Wisconsin EDU DISC Unknown Officials were notified by one individual about his ability to access an online search feature for the school's website. The 186 search feature could be used to see student names and Social Security numbers along with some other limited student information. Access to the feature was promptly disabled upon notification of the problem. Information Source: Media November 16, 2007 records from this breach used in our total: 0 U.S. Department of Veteran Affairs Washington, District Of Columbia GOV INSD 185,000 Investigation from a man's home uncovered a computer that held about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where he had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file. Information Source: records from this breach used in our total: 185,000 Dataloss DB November 15, 2007 Roudebush Veteran's Administration Medical Center Indianapolis, Indiana MED STAT 12,000 Two personal computers and a laptop computer were allegedly stolen from an unsecured room. One of the stolen computers contained the names, Social Security numbers and dates of service of approximately 12,000 veterans. UPDATE (3/19/08) : A 50 year old Indianapolis man was arrested Monday on one count of Class D felony theft after investigators identified him from surveillance video. A probable cause affidavit, a sworn police statement filed in support of the charge, identifies him as a former patient at the facility.The man has been charged in the disappearance of hospital computer equipment that contained the records of nearly 12,000 patients. Information Source: records from this breach used in our total: 12,000 Dataloss DB November 13, 2007 Commerce Bancorp Philadelphia, Pennsylvania BSF INSD Unknown A Commerce Bancorp Inc. employee gave out personal information on an unspecified number of the Cherry Hill bank's customers. The Bank discovered the breach through an internal investigation and sent letters to affected customers. The bank does not know if the information included account numbers and Social Security numbers. Information Source: Dataloss DB November 7, 2007 records from this breach used in our total: 0 University of Connecticut Foundation, Convio Storrs, Connecticut (800) 269-9965, security@foundation.uconn.edu NGO HACK Unknown [143] UConn was notified of a security breach by an outside party on the network of Convio, Inc., a vendor used by The University of Connecticut Foundation, Inc. for processing online gift transactions and communicating by e-mail. This breach affected 92 of Convio's clients nationwide, including the UConn Foundation. User names and passwords for Convio account preferences were compromised in this breach. Information Source: Media November 7, 2007 records from this breach used in our total: 0 Carolinas Medical Center, NorthEast Concord, North Carolina MED PORT 28,000 A paramedic left a computer on the back bumper of an ambulance and then drove away. The laptop contains names, 187 addresses, phone numbers and Social Security numbers of approximately 28,000 people who have been cared for by the Cabarrus County EMS over the last four years. Information Source: records from this breach used in our total: 28,000 Dataloss DB November 6, 2007 Butte Community Bank Chico, California BSF PORT Unknown (866) 488-8588 A laptop with customers' personal information including names, addresses, Social Security numbers and bank account numbers was stolen from Butte Community Bank. Information Source: records from this breach used in our total: 0 Dataloss DB November 5, 2007 Alabama Department of Public Health Montgomery, Alabama GOV DISC 1,554 (at least 1,554 people) The personal information, including the names, ages and Social Security numbers of families enrolled in the state's ALL Kids health care coverage program, were accidentally sent to the wrong families last week. 1,554 affected families were alerted that some of their confidential information might have been released. Information Source: Dataloss DB November 2, 2007 records from this breach used in our total: 1,554 Montana State University Bozeman, Montana EDU PORT 216 (406) 994-6550 http://eu.montana.edu/security [144] MSU learned that an employee's laptop computer had been stolen somewhere off-campus. It contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to 2007. Information Source: Dataloss DB November 2, 2007 records from this breach used in our total: 216 Montana State University Bozeman, Montana EDU DISC 42 (406) 994-6550 http://eu.montana.edu/security [144] An independent security watchdog group informed MSU that an Excel spreadsheet with the names and Social Security numbers of 42 people, most of them hired in the summer of 2006, was publicly accessible on MSU's Web site. Information Source: Dataloss DB November 2, 2007 records from this breach used in our total: 42 Montana State University Bozeman, Montana EDU DISC 13 (406) 994-6550, http://eu.montana.edu/security [144] While investigating that breach, MSU data-security staff found another Excel spreadsheet accidentally posted on the MSU Web site since 2002. It contained the Social Security numbers of 13 people who got travel vouchers from the computer science department in the College of Engineering. 188 Information Source: Dataloss DB November 1, 2007 records from this breach used in our total: 13 City University of New York New York, New York EDU PORT 20,000 A broken laptop containing personal information was taken from the school's financial aid office. Information Source: Dataloss DB October 30, 2007 records from this breach used in our total: 20,000 University of Nevada, Reno Reno, Nevada EDU PORT 16,000 A University of Nevada, Reno administrative employee has lost a flash drive that contained the names and Social Security numbers of 16,000 current and former students. Information Source: Dataloss DB October 30, 2007 records from this breach used in our total: 16,000 Hartford Financial Services Group Hartford, Connecticut BSF PORT 230,000 Other locations: Ohio Three backup tapes that contained personal information of 230,000 customers, including 9,200 Ohioans, mainly of the company's property lines, were misplaced. Information Source: Dataloss DB October 30, 2007 records from this breach used in our total: 230,000 Pathology Group Memphis, Tennessee MED STAT 75,000 Someone broke into a locked office building, several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people. This information included names, addresses, Social Security number, even medical information Information Source: Dataloss DB October 29, 2007 records from this breach used in our total: 75,000 United States Postal Service Oahu, Hawaii GOV PORT 3,000 Employees' names, Social Security numbers and other information were on a laptop computer that was stolen. Information Source: Dataloss DB October 29, 2007 records from this breach used in our total: 3,000 ABC Phones, ACC Communications Greenville, North Carolina BSO PHYS Unknown Two men found a box in a dumpster. The cell phone business recently moved and threw away documents that contained personal information from customers. The information contained driver's license numbers, Social Security number, bank 189 accophonesunt numbers, credit card numbers, work and home addresses. Information Source: records from this breach used in our total: 0 Media October 28, 2007 Art.com Lockbourne, Ohio BSR HACK Unknown Cyberspace criminals gained systems entry despite multiple security layers and accessed some credit card transactions. The retailer of posters, prints and framed art alerted customers that hackers had gotten into the website to access credit card accounts. Information Source: Dataloss DB October 25, 2007 records from this breach used in our total: 0 University of Akron Akron, Ohio EDU PORT 1,200 A microfilm containing the personal information of alumni were missing. Names, previous addresses, phone numbers, birth dates and Social Security numbers was on the missing microfilm. Information Source: Dataloss DB October 24, 2007 records from this breach used in our total: 1,200 Not Your Average Joe's Dartmouth, Massachusetts BSO HACK Unknown Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data. The data that was compromised included credit card numbers, expiration date and name associated with the card. Information Source: Dataloss DB October 23, 2007 records from this breach used in our total: 0 West Virginia Public Employees Insurance Agency Charleston, West Virginia MED PORT 200,000 (800) 435-4351 West Virginia officials are alerting 200,000 past and current members of three health insurance programs that a computer tape containing full names, addresses, phone numbers, Social Security numbers and marital status was lost last week while being shipped via United Parcel Service. Information Source: Dataloss DB October 23, 2007 records from this breach used in our total: 200,000 Blockbuster Sarasota, Florida BSR PHYS Unknown A Sarasota resident was fishing in a trash container for boxes when he found 400 documents. These documents included membership forms and employment applications with names, addresses, credit card numbers and Social Security numbers. Information Source: Dataloss DB October 23, 2007 records from this breach used in our total: 0 Dixie State College EDU DISC 11,000 190 October 23, 2007 EDU St. George, Utah (866) 295-3033, idprotect@dixie.edu DISC 11,000 [145] An unauthorized person reportedly gained access to a computer system and confidential files, including Social Security numbers, birth date information and addresses for some 11,000 alumni and current DSC employees who graduated or worked at DSC from 1986 to 2005. Information Source: Dataloss DB October 23, 2007 records from this breach used in our total: 11,000 Bates College Lewiston, Maine EDU DISC 500 Two publicly accessible documents that contained the records of nearly 500 recipients of the federal Perkins Loan, along with each recipient's address, date of birth, Social Security number, legal name and loan amount, were accessible on the Bates network. Information Source: Dataloss DB October 18, 2007 records from this breach used in our total: 500 University of Cincinnati Cincinnati, Ohio EDU PORT 7,000 The personal information of thousands of University of Cincinnati students and graduates has been stolen. A flash drive was taken from a UC employee last month. It contained the Social Security numbers and other data for more than 7,000 people. Information Source: Dataloss DB October 17, 2007 records from this breach used in our total: 7,000 Home Depot Boston, Massachusetts BSR PORT 10,000 A laptop computer containing about 10,000 employees' personal data was stolen from a regional manager's car. The computer, which was password protected, didn't contain any customer information. The laptop contained names, home addresses and Social Security numbers of certain Home Depot employees. Information Source: Dataloss DB October 17, 2007 records from this breach used in our total: 10,000 Louisiana Office of Student Financial Assistance, Iron Mountain Baton Rouge, Louisiana http://www.osfa.state.la.us/notice.htm EDU PORT Unknown [146] Sensitive data for virtually all Louisiana college applicants and their parents over the past nine years were in a case lost last month during a move. The data included Social Security numbers for applicants and their parents. The bank account information for START account holders also was involved. Information Source: Dataloss DB October 16, 2007 records from this breach used in our total: 0 Administaff Inc. Houston, Texas BSO PORT 159,000 Current and former workers personal data may be compromised because of a stolen laptop. The data wasn't encrypted when it was stored on the portable computer, which is password-protected. Data stored on the laptop included names, 191 addresses and Social Security numbers for most employees paid by Administaff in 2006. Information Source: records from this breach used in our total: 159,000 Dataloss DB October 15, 2007 Transportation Security Administration Arlington, Virginia GOV PORT 3,930 Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen. The laptops contained the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people. Information Source: Dataloss DB October 13, 2007 records from this breach used in our total: 3,930 Montana State University Bozeman, Montana EDU HACK 1,400 (406) 994-6550, http://eu.montana.edu/security/ [147] An unknown hacker remotely accessed a computer server that housed records containing credit card numbers and Social Security numbers of students who enrolled online for MSU Extended University courses during the last two years. The data in question was encrypted, and there is no evidence that personal information was stolen. Information Source: Dataloss DB October 12, 2007 records from this breach used in our total: 1,400 King County Transportation Department Seattle, Washington GOV PORT 1,400 A laptop computer containing personal information about current and former employees has been stolen. Workers' names, addresses and Social Security numbers were on the password-protected laptop, which was stolen during a Sept. 28 home burglary. The information was not encrypted. Information Source: records from this breach used in our total: 1,400 Dataloss DB October 10, 2007 Wheels Inc., Pfizer Des Plaines, Illinois BSO DISC 1,800 + 23 Not included in Total because it is not clear if SSNs were exposed. The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. The breach at Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's license numbers, but not Social Security numbers, according to the company. Information Source: Dataloss DB October 10, 2007 records from this breach used in our total: 0 Commerce Bank Wichita, Kansas BSF HACK 20 A hacker gained access to a database with about 3,000 customer records and accessed data belonging to 20 of them. The bank is contacting those who may have been affected. The hacking was quickly detected and stopped, according to Commerce Bank, which then notified law enforcement. 192 Information Source: records from this breach used in our total: 20 Dataloss DB October 9, 2007 Pembroke Schools Pembroke, Massachusetts EDU DISC Unknown (781) 829-1178 Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information included names, birth dates and Social Security numbers. Information Source: Dataloss DB October 8, 2007 records from this breach used in our total: 0 University of Iowa Iowa City, Iowa EDU PORT 184 http://www.uiowa.edu/~phil/SSN.shtml [148] A laptop computer was stolen from a former teaching assistant. The theft of the computer, which occurred last month in a break-in of the instructor's home, contained class records such as attendance, test scores, and grades of students who took his philosophy courses at the UI between 2002 and 2006. Social Security numbers were also present in 100 of the records. Information Source: Dataloss DB October 8, 2007 records from this breach used in our total: 184 Carnegie Mellon University Pittsburgh, Pennsylvania EDU PORT Unknown Two laptops were stolen from the office of a computer science professor. Both of the computers were believed to have contained significant personal identifying data, such as Social Security numbers. Information Source: Dataloss DB October 8, 2007 records from this breach used in our total: 0 Semtech Camarillo, California BSO PORT Unknown A laptop computer and other personal belongings were stolen from one of Semtech's vendors. The computer was not stolen from a Semtech facility, but may have contained computerized data relating to Semtech employees. Semtech declined to provide further details of the incident, such as what personal employee data may have been put at risk, when the theft happened or how long it took the company to inform its workers of the potential breach. Information Source: Dataloss DB October 4, 2007 records from this breach used in our total: 0 Massachusetts Division of Professional Licensure Boston, Massachusetts GOV DISC 450,000 http://www.mass.gov/dpl [149] or call (617) 973-8100 Social Security numbers of about 450,000 licensed professionals were inadvertently released. The information was mailed last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the division. The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool. The disks would normally contain only the names and addresses of individuals licensed through the Division of Professional Licensure and the Division of Health Professions Licensure. However, the disks also included Social Security numbers. 193 Information Source: records from this breach used in our total: 450,000 Dataloss DB October 2, 2007 The Nature Conservancy Arlington, Virginia NGO HACK 14,000 Additional locations: Little Rock, Fayetteville, Arkadelphia, Batesville and Ponca, (Arkansas) A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on current and former employees and their dependents. The stolen information included the names, home addresses, Social Security numbers and birth dates. It also included direct deposit bank account numbers for employees who were on the payroll between 2000 and 2004, as well as the Social Security numbers of those employees' dependents. When employees accessed a particular Web site, the site planted a program on the employees' computers that copied the contents of the hard drives and sent the information to the hacker. Information Source: Dataloss DB October 2, 2007 records from this breach used in our total: 14,000 Athens Regional Health Services Athens, Georgia MED STAT 1,400 only 85 people were affected by SSN (706) 475-4369 A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400 people, according to Athens Regional Health Services. Workers first noticed on Sept. 24 that the computer was missing. The computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or telephone numbers of 811 people. No credit card or other financial information was stored on the computer, which was a backup server for the Watkinsville clinic. Information Source: Dataloss DB September 28, 2007 records from this breach used in our total: 85 Gap Inc. San Francisco, California BSR PORT 800,000 (866) 237-4007, http://gapinc.com/securityassistance/ [150] A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop. Information Source: records from this breach used in our total: 800,000 Dataloss DB September 24, 2007 Utah Department of Workforce Services American Fork, Utah GOV PORT 2,000 A laptop computer containing a spreadsheet with the the Social Security numbers and other personal information of about 2,000 people was reported stolen. Information Source: records from this breach used in our total: 2,000 Dataloss DB September 21, 2007 City of Columbus, Ohio Columbus, Ohio GOV STAT 3,500 194 For Info: The Columbus Dispatch, http://www.dispatch.com [151] The city of Columbus is offering identity-theft protection services to more than 3,000 people whose Social Security numbers were on three computers stolen from a warehouse. The theft affected people who had signed up for the city's Mobile Tool Library, which lends power tools, lawn mowers and supplies. Information Source: Dataloss DB September 21, 2007 records from this breach used in our total: 3,500 Citigroup, ABN Amro Mortgage Group Norridge, Illinois BSF DISC 5,208 Three spreadsheets containing 5,200 Social Security numbers and other personal details about customers were inadvertently leaked over an online file-sharing network by a former employee. Tiversa, a company that monitors P2P networks, found Excel spreadsheets from the desktop of a financial analyst at ABN Amro Mortgage Group running LimeWire. Although Tiversa found over 10,000 files, deduplication revealed only 5,208 unique Social Security numbers, along with names and what type of mortgage each customer had. Information Source: Media September 20, 2007 records from this breach used in our total: 5,208 State of Connecticut, Accenture Ltd. Hartford, Connecticut GOV PORT 58 A backup tape was stolen in Ohio in June and contained data removed by Accenture from the state's Core-CT computer system, which performs all of the state's payroll, personnel, purchasing, accounting and inventory functions. The backup tape contained state agency bank account numbers, bank names and types of accounts, as well as the names and Social Security numbers of 58 of Connecticut taxpayers. Connecticut officials today revealed plans to file a civil complaint against IT consulting giant Accenture Ltd. related to this security breach involving stolen records tied to state agency bank accounts worth millions of dollars. Information Source: Media September 19, 2007 records from this breach used in our total: 58 Kansas University Lawrence, Kansas EDU PHYS Unknown A number of documents containing Kansas University student, faculty and staff personal information were recovered from the recycling and trash in the Mathematics Department at Kansas University. The information included student exams, student change of grade forms, class rosters, copies of health insurance cards, copies of immigration forms as well as a copy of a Social Security card. Information Source: records from this breach used in our total: 0 Media September 19, 2007 University of Michigan School of Nursing Ann Arbor, Michigan MED PORT 8,585 Backup tapes containing patient information like Social Security numbers, patient names and addresses were stolen from the School of Nursing two weeks ago. Information Source: Dataloss DB September 14, 2007 records from this breach used in our total: 8,585 TD Ameritrade Holding Corp. Omaha, Nebraska BSF HACK 6.3 million 195 FAQ at http://www.elvey.com/IDTheft/spam_faq.cfm.html [152] For links to key legal documents, see http://datalossdb.org/incident_highlights/30-legal-sub-project-elvey-v-td-ameritrade [153] One of TD Ameritrade's databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. "We were able to conclude that while Social Security numbers are stored in this particular database, your SSN were not retrieved." The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Company customers received unwanted spam because of this breach. UPDATE (4/28/09):TD Ameritrade sent a mass email on September 14, 2007 to its customers admitting SSNs had been compromised:" [W]e recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases ... to be retrieved by an external source [and] Social Security Numbers are stored in this particular database." UPDATE(10/27/09): TD Ameritrade was nearing a settlement in the case of more than 6 million stolen records when the judge, who previously seemed to agree with the proposal, rejected it today. The federal judge handling the case has decided the proposed settlement provides no discernible benefit to the victims and he rejected the proposed settlement. Information Source: records from this breach used in our total: 6,300,000 Dataloss DB September 14, 2007 Tennessee Tech University Cookeville, Tennessee EDU DISC 3,100 Some 3,100 current or past students who owe the university money were notified today that some of their personal data may have been compromised. A technical problem in the way student bills are printed resulted in the chance that some student social security numbers and personal identification numbers may have been sent to another student's address. Information Source: Dataloss DB September 13, 2007 records from this breach used in our total: 3,100 Voxant.com Reston, Virginia BSO HACK 4,500 (703) 964-0696 The Voxant online ecommerce store server was hacked using what appeared to be a typical phishing scheme. The server is seperate from the primary business at www.voxant.com [154] . The affected server was immediately taken offline and removed the offending phising pages. Encrypted credit card numbers could have been accessed during the incident. Although the credit card numbers were encrypted, the encryption key was not well protected. The database up through June 19-20 could have been affected, representing approximately 4,500 US customers. Information Source: records from this breach used in our total: 4,500 Dataloss DB September 12, 2007 TennCare, Americhoice Inc. Knoxville, MED PORT 67,000 To sign up for the free ID theft protection you must call AmeriChoice at (800) 690-1606. There are 67,000 TennCare enrollees at risk of identity theft after a courier service lost their personal information. The lost information includes names, Social Security Numbers, birthdays and addresses. Information Source: records from this breach used in our total: 67,000 Dataloss DB September 11, 2007 Pennsylvania Public Welfare Department Harrisburg, Pennsylvania GOV STAT 2,000 196 Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen. The computer work stations were taken during an overnight break-in at an office. The mental health information on the computers identified people by codes and not by name. The information also was protected by multiple passwords, but full names and Social Security numbers of nearly 2,000 people were also on the computers. Information Source: Dataloss DB September 11, 2007 records from this breach used in our total: 2,000 Gander Mountain Greensburg, Pennsylvania BSR STAT 112,000 Somebody either lost or stole a computer potentially containing the credit card information of anyone who has shopped at the Greensburg store since it first opened more than five years ago. Gander Mountain said credit card information for 112,000 customers of its Greensburg store might have been compromised. That includes 10,000 records with names, card numbers and expiration dates. Information Source: Dataloss DB September 10, 2007 records from this breach used in our total: 112,000 Purdue University West Lafayette, Indiana EDU DISC 111 www.purdue.edu/news/coa0709.html [155] , (866) 275-1181 The university is warning those who were students in the fall of 2004 that information about them was inadvertently posted on the Internet. The information was in a document that contained the names and Social Security numbers of students in the Animal Sciences 102 class. The page was no longer in use but was on a computer server connected to the Internet. The document was found recently through an internal search and reported to the chief information security officer at Purdue. Information Source: records from this breach used in our total: 111 Dataloss DB September 9, 2007 De Anza College Cupertino, California EDU PORT 4,375 (408) 864-8292 Thousands of former students might be at risk for identity fraud after an instructor's laptop computer, containing students' personal information, was stolen last month. The computer contained the students' names, addresses, grades and in many cases Social Security numbers. Information Source: records from this breach used in our total: 4,375 Dataloss DB September 9, 2007 McKesson San Francisco, California MED STAT Unknown (thousands) (866) 554-6366 McKesson Health-care services company, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office. Information Source: records from this breach used in our total: 0 Dataloss DB September 6, 2007 University of South Carolina Columbia, South Carolina EDU DISC 1,482 197 A number of files containing Social Security numbers, test scores and course grades were exposed online. It appears the person responsible for the breach may not have known enough about computers to realize the information could be accessed outside the university system. Information Source: Dataloss DB September 4, 2007 records from this breach used in our total: 1,482 Pfizer New York, New York BSO INSD 34,000 (866) 274-3891 A security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed. The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10. Information Source: records from this breach used in our total: 34,000 Dataloss DB September 4, 2007 Brevard Public Schools Viera, Florida EDU UNKN 61 A missing piece of luggage belonging to a state auditor contains the personal information of 61 Brevard Public Schools employees and had district personnel scrambling before the holiday weekend began to notify people that their names and Social Security numbers might be compromised. UPDATE (9/21/07): Melbourne International Airport police arrested a 44-year-old defense subcontractor from California on charges of stealing luggage. He is in the Brevard County Jail, facing at least two charges of grand theft. Information Source: Media September 1, 2007 records from this breach used in our total: 61 Johns Hopkins Hospital Baltimore, Maryland MED STAT 5,783 A desktop computer containing the personal information of 5,783 Johns Hopkins Hospital patients was stolen. The computer included patients' names, Social Security numbers, birth dates and medical histories. Information Source: Dataloss DB August 30, 2007 records from this breach used in our total: 5,783 Maryland Department of the Environment Annapolis, Maryland GOV PORT Unknown A laptop computer containing personal information on people with state licenses has been stolen from a vehicle. It contains four databases that include personal information related to licenses issued by four state boards. Information Source: Dataloss DB August 30, 2007 records from this breach used in our total: 0 AT&T San Antonio, Texas BSO PORT Unknown A laptop containing unencrypted personal data on current and former employees of the former AT&T Corp. was stolen recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, 198 names and other personal details. Information Source: Media August 28, 2007 records from this breach used in our total: 0 Connecticut Department of Revenue Services Hartford, Connecticut GOV PORT 106,000 A computer laptop with the names and Social Security numbers of more than 100,000 Connecticut taxpayers has been stolen. The Department of Revenue Services intends to launch a web page soon that residents can search to determine whether their personal information was stored on the laptop. UPDATE (9/14/07): More than 2 dozen state laptops have gone missing since July 2006. UPDATE (10/19/07): A supervisor at the state Department of Revenue Services was suspended without pay. His computer was stolen from his car in August at a hotel in New York. Police say it was possible the vehicle was not locked because there were no signs of a break-in. Information Source: records from this breach used in our total: 106,000 Dataloss DB 5,247 Not added to total. It does not August 27, 2007 University of Illinois Champaign-Urbana, Illinois EDU DISC appear that SSNs or financial account numbers were exposed. An e-mail sent Aug. 24 to about 700 University of Illinois engineering students contained a spreadsheet listing personal information, including addresses and grade point averages, of thousands of students. The spreadsheet attached to the mass mail did not contain Social Security numbers or the students' university identification numbers. But, the person who sent the mass e-mail attached a spreadsheet containing information on all 5,247 students in the College of Engineering. The spreadsheet included each student's name, e-mail address, major, gender, race and ethnicity, class, date admitted, spring 2007 grade point average, cumulative GPA, plus local address and phone number. Information Source: Media August 26, 2007 records from this breach used in our total: 0 American Ex-Prisoners of War , Texas NGO UNKN 35,000 Personal records including addresses and Social Security numbers of more than 35,000 veterans and their families were stolen this month from the offices of a POW support organization in Texas. Digital and paper records included information on the group's entire membership, including addresses, dates of birth, Social Security numbers and VA claims data. Information Source: Dataloss DB August 23, 2007 records from this breach used in our total: 35,000 New York City Financial nformation Services Agency New York, New York 280,000 Not added to total. It is not clear that GOV PORT SSNs or financial account numbers were exposed. A laptop loaded with financial information on as many as 280,000 city retirees was stolen from a consultant who took the computer to a restaurant. 199 Information Source: Dataloss DB August 23, 2007 records from this breach used in our total: 0 Loomis Chaffee School Windsor, Connecticut EDU UNKN Unknown Valuable computer equipment, including two large storage devices were stolen during a night time burglary from the locked IT facility on campus. The stolen storage devices contained information about some recent graduates of the school, including their names, Social Security numbers, and contact information from their days as students at the school. Information Source: Dataloss DB August 23, 2007 records from this breach used in our total: 0 Monster.com Maynard, Massachusetts BSO HACK Unknown http://help.monster.com/besafe/ [116] Monster announced that the details of some 1.6 million job seekers had been stolen. Fewer than 5,000 of those 1.6 million users affected are based outside the United States. The information stolen was limited to names, addresses, phone numbers and email addresses, and no other details including bank account numbers were uploaded. UPDATE (8/29/07) : Hackers have stolen the names, e-mail addresses and telephone numbers of about 146,000 subscribers to USAJOBS.gov. The hackers accessed the information from the resume database run by Monster.com, which provides the technology for USAJOBS.gov. Monster Worldwide told OPM that no Social Security numbers were compromised. Information Source: Media August 22, 2007 records from this breach used in our total: 0 California Public Employees' Retirement System (CalPERS) Sacramento, California GOV DISC 445,000 Roughly 445,000 retirees in California received brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number appeared without hyphens on the address panel. Information Source: Dataloss DB August 21, 2007 records from this breach used in our total: 445,000 Walter Reed Army Institute of Research Silver Spring, Maryland GOV PHYS Unknown Boxes of documents containing personal information were supposed to be shredded but instead turned up last week in an off-base trash bin. Police do not believe anyone had access to the information other than the person who found the records. An investigation is under way to determine precisely what information they held and why they appeared off base. Information Source: Dataloss DB August 21, 2007 records from this breach used in our total: 0 West Virginia Board of Barbers and Cosmetologists Charleston, West Virginia BSO UNKN Unknown Every barber and cosmetologist licensed in the state of West Virginia since 1986 could now potentially be a victim of identity theft. Someone broke into the second floor office of the Board of Barbers and Cosmetologists and stole a safe. The director of the agency says the safe contains the personal information of thousands of hair dressers. 200 Information Source: records from this breach used in our total: 0 Dataloss DB August 20, 2007 University of Toledo Toledo, Ohio EDU PORT Unknown A laptop computer has been stolen from an office in the Student Recreation Center that contained some student and employee names and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB August 16, 2007 Utica Title and Escrow Bixby, Oklahoma BSF PHYS Unknown Boxes belonging to Utica Title and Escrow had been stored at a storage unit in Bixby. When Utica quit paying rent the storage company went through the legal process to be able to sell everything left behind. No one wanted to buy the boxes of paper so the boxes were thrown out. The boxes contained private information, including Social Security numbers, bank accounts and pay stubs. Information Source: Media August 15, 2007 records from this breach used in our total: 0 Idaho Army National Guard Boise, Idaho GOV PORT 3,400 http://www.idahoarmyguard.org/ [156] , or call the Idaho National Guard Joint Operations Center A small computer drive containing Social Security numbers and other personal information about every Army National Guard soldier in Idaho has been stolen. Information Source: Dataloss DB August 15, 2007 records from this breach used in our total: 3,400 Greater Detroit Hospital Detroit, Michigan MED PHYS Unknown It's a repeat of a problem that emerged late last year at the Greater Detroit Hospital where metal thieves stripped everything from copper piping to windows, exposing rows of abandoned patient files. Neighbors said there are hundreds of boxes of patient files and payroll records inside, full of credit card and Social Security numbers. Information Source: records from this breach used in our total: 0 Media August 15, 2007 Sky Lakes Medical Center, Verus Inc. Klamath Falls, Oregon MED DISC 30,000 The company that maintained the hospital's online bill payment system, transferred patient information from one server to another to perform maintenance but didn't take security measures, leaving information such as names, addresses and Social Security numbers exposed. Information Source: Dataloss DB August 13, 2007 records from this breach used in our total: 30,000 Pfizer, Axia Ltd. BSO PORT 950 201 August 13, 2007 New York, New York BSO PORT 950 (866) 274-3891 Axia Ltd. had notified Pfizer on June 14 of an incident in which two Pfizer laptops were stolen from a locked car. The laptops, which disappeared May 31 in Boston, included the names and Social Security numbers of health-care professionals who were providing or considering providing contract services for Pfizer, according to the letter. Information Source: Dataloss DB August 11, 2007 records from this breach used in our total: 950 Providence Alaska Medical Center Anhorage, Alaska MED PORT 250 (888) 387-3392 A laptop computer that contains the personal information of patients is missing. On the laptop there maybe names, medical record numbers, dates of birth, patient diagnoses, Social Security numbers and addresses. Information Source: Dataloss DB August 10, 2007 records from this breach used in our total: 250 Loyola University Chicago, Illinois EDU STAT 5,800 A computer with the Social Security numbers of 58 hundred students was discarded before its hard drive was erased, forcing the school to warn students about potential identify theft. Information Source: Dataloss DB August 10, 2007 records from this breach used in our total: 5,800 Legacy Health System Portland, Oregon MED INSD 747 (503) 445-9533 A primary care physician practice has discovered the theft of $13,000 in cash and personal data for patients. Patient receipts, credit card transaction slips and checks are also missing, in addition to Social Security numbers and dates of birth for patients. The investigation indicated it was a dishonest insider. Information Source: Dataloss DB August 8, 2007 records from this breach used in our total: 747 Yale University New Haven, Connecticut EDU STAT 10,200 Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers Information Source: Dataloss DB August 7, 2007 records from this breach used in our total: 10,200 Electronic Data Systems Montgomery, Alabama BSO INSD 498 A former employee was arrested this week for allegedly trafficking in stolen identities she received through her work with the company. She obtained the names and identifying information of 498 Alabama Medicaid recipients and subsequently sold 50 202 of those identities. Information Source: records from this breach used in our total: 498 Dataloss DB August 7, 2007 Merrill Lynch Hopewell, New Jersey BSF UNKN 33,000 A computer device apparently was stolen containing sensitive personal information, including Social Security numbers, about some 33,000 employees. Information Source: records from this breach used in our total: 33,000 Dataloss DB August 6, 2007 Verisign Mountain View, California BSO PORT Unknown A laptop containing extensive personal information on an undisclosed number of VeriSign employees was stolen from an employee's car. The information included names, addresses, Social Security numbers, dates of birth, telephone numbers, and salary records. Information Source: Dataloss DB August 4, 2007 records from this breach used in our total: 0 Kellogg Community Federal Credit Union Battle Creek, Michigan BSF STAT Unknown A computer containing personal information on an undisclosed number members was stolen. A file containing some members' names, addresses, telephone numbers, birth dates, Social Security numbers and account numbers was on the computer's hard drive. Information Source: Dataloss DB August 3, 2007 records from this breach used in our total: 0 WorkCare Orem Pleasant Grove, Utah MED PHYS Unknown A truck driver found medical documents containing personal information in his truck and on the ground while he picked up a load at a garbage transfer station. The documents contained names, addresses, telephone numbers, Social Security numbers and birth dates. Information Source: Media August 3, 2007 records from this breach used in our total: 0 Wabash Valley Correctional Facility Indianapolis, Indiana GOV DISC Unknown A database containing Social Security numbers, dates of birth and names of people employed at the facility between 1997 and 2002 was unintentionally moved from a secure private drive that was accessible only by the human resources department to a shared directory that could be accessed by other employees here. Information Source: Dataloss DB records from this breach used in our total: 0 203 August 2, 2007 E.On - U.S.(energy services) Louisville, Kentucky BSO PORT Unknown A laptop with names, Social Security numbers and birth dates of most E.On U.S. employees and some retirees was stolen last month. Information Source: Dataloss DB August 2, 2007 records from this breach used in our total: 0 University of Toledo Toledo, Ohio EDU STAT Unknown (419) 530-4836, (419) 530-3661, (419) 530-1472 Two computers were stolen with hard drives containing student and staff Social Security numbers, names, and grade change information. Information Source: Dataloss DB August 1, 2007 records from this breach used in our total: 0 Lifetime Fitness Dallas, Texas GOV PHYS Unknown Staff had discarded customer records in easily accessible trash cans behind Dallas businesses. Information that was discarded contained names, addresses, Social Security numbers, driver's license numbers and credit card information, as well as the date of birth of several children. Lifetime Fitness is based in Minnesota. Information Source: records from this breach used in our total: 0 Dataloss DB July 28, 2007 Yuba County Health and Human Services Yuba County, California MED PORT 70,000 A laptop stolen from a building contained personally identifiable information of individuals whose cases were opened before May 2001. The laptop was being used as a backup system for the county's computer system. The data include Social Security numbers, birth dates, driver's license numbers and other private information. Information Source: Dataloss DB July 27, 2007 records from this breach used in our total: 70,000 City of Virginia Beach, Flexible Benefits Administrators Virginia Beach, Virginia GOV INSD 2,000 A former employee allegedly stole Virginia Beach city and school district employees' personal information and used it to commit prescription fraud. Police discovered a list of names and Social Security numbers at the employee's home. Information Source: Dataloss DB July 27, 2007 records from this breach used in our total: 2,000 City Harvest New York, New York NGO HACK 12,000 (917) 351-8763 City Harvest is currently investigating a potential improper access of systems that contained credit card information of their donors. 204 Information Source: Dataloss DB July 27, 2007 records from this breach used in our total: 12,000 American Education Services, Vista Financial Inc Harrisburg, Pennsylvania BSF PORT 5,000 Personal information was on a laptop stolen in a burglary at a subcontractor's headquarters. The information, which was not encrypted, included names, addresses, phone numbers, e-mail addresses and Social Security numbers. Information Source: Dataloss DB July 26, 2007 records from this breach used in our total: 5,000 United States Marine Corps, Penn State University Harrisburg, Pennsylvania EDU DISC 10,554 Data belonging to 10,554 Marines was “improperly posted” by Penn State University, according to the Marine Corps. Names and Social Security numbers of Marines could be found via Google search engine. Penn State University was under a research contract with the Marine Corps. Information Source: Dataloss DB July 25, 2007 records from this breach used in our total: 10,554 Hidalgo County Commissioner's Office Hidalgo County, Texas GOV DISC 25 The private medical information, including Social Security numbers and treatment details of people who sought medical assistance from the county was posted on the Hidalgo County Website. Information Source: Media July 24, 2007 records from this breach used in our total: 25 St. Vincent Hospital, Verus Inc. Indianapolis, Indiana MED DISC 51,000 The hospital used subcontractor Verus Inc. to set up an online bill payment for patients. For a "brief" period of time, personal information was left unprotected and available online. The security lapse compromised names, addresses and Social Security numbers. Information Source: records from this breach used in our total: 51,000 Dataloss DB 1.5 million Not added to total. It does not July 23, 2007 Fox News Los Angeles, California BSO DISC appear that SSNs or financial account numbers were exposed. Sensitive information was exposed on the Fox News web server. The security hole allowed hackers to access login information, names, phone numbers, and email addresses. Information Source: Media records from this breach used in our total: 0 205 July 21, 2007 University of Michigan Ann Arbor, Michigan EDU HACK 5,500 University databases were hacked. Names, addresses, Social Security numbers, birth dates, and in some cases, the school districts where former students were teaching were exposed. Information Source: Dataloss DB July 20, 2007 records from this breach used in our total: 5,500 Science Applications International Corp. (SAIC) San Diego, California BSO DISC 580,000 (703) 676-6533, http://www.saic.com/response/ [157] Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives because it did not encrypt data transmitted online. Information Source: records from this breach used in our total: 580,000 Dataloss DB July 19, 2007 Cricket Communications Omaha, Nebraska BSO PHYS 300 Documents stolen from store result in loss of 300 credit card numbers. Information Source: Dataloss DB July 19, 2007 records from this breach used in our total: 300 Jackson Local Schools Massillon, Ohio EDU DISC 1,800 The Social Security numbers of present and former Jackson Local Schools' employees were at risk of public access on a county maintained Web site. Information Source: Dataloss DB July 18, 2007 records from this breach used in our total: 1,800 Purdue University West Lafayette, Indiana EDU DISC 50 (866) 605-0013 Files which were no longer in use were discovered on a computer server connected to the Internet. The files contained names and Social Security numbers of students who were enrolled in an industrial engineering course in spring 2002 or fall 2004. Information Source: records from this breach used in our total: 50 Dataloss DB July 18, 2007 Connecticut General Assembly Transportation Committee, L.G. Defelice Hartford, Connecticut GOV DISC 300 Social Security numbers of former employees of defunct L.G. Defelice Inc. were posted on CT transportation committee website. Information 206 Source: records from this breach used in our total: 300 Dataloss DB July 17, 2007 Western Union Greenwood Village, Colorado BSF HACK 20,000 Credit card information and names were hacked from a database. The thieves got names, addresses, phone numbers and complete credit-card information. Information Source: records from this breach used in our total: 20,000 Dataloss DB July 17, 2007 Louisiana Board of Regents Baton Rouge, Louisiana GOV DISC 80,000 Records of students and staff including Social Security numbers,names, and addresses exposed on web. In all, more than 80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet site. Information Source: records from this breach used in our total: 80,000 Dataloss DB July 17, 2007 Kingston Technology Co. Fountain Valley, California BSO HACK 27,000 A security breach may have compromised the names, addresses and credit card details of online customers. Kingston Technology is a computer memory vendor. The breach may have gone undetected for nearly 2 years. Information Source: records from this breach used in our total: 27,000 Dataloss DB July 16, 2007 Transportation Security Administration (TSA) Arlington, Virginia GOV PORT 100,000 Authorities realized in May a storage device was missing from TSA headquarters. The drive contained historical payroll data, Social Security numbers, dates of birth, addresses, time and leave datas, bank account, routing information, and details about financial allotments and deductions. Information Source: Media July 15, 2007 records from this breach used in our total: 100,000 Westminster College Salt Lake City, Utah EDU DISC 100 Names of students, former and current were printed in two files along with each student's Social Security number. The files were on a student Web server used by Westminster students. Information Source: Media July 13, 2007 records from this breach used in our total: 100 City of Encinitas Encinitas, California GOV DISC 1,200 (760) 633-2788 Credit card or checking account information and addresses of people who had enrolled in Encinitas' youth recreation programs was inadvertently posted on the city's Web site. 207 Information Source: Dataloss DB July 13, 2007 records from this breach used in our total: 1,200 Metropolitan St. Louis Sewer District St.Louis, Missouri GOV INSD 1,600 A employee had downloaded Social Security numbers of current or former district employees to a home computer. The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay. Information Source: Dataloss DB July 11, 2007 records from this breach used in our total: 1,600 South County Hospital South Kingstown, Rhode Island MED PHYS 79 Paperwork containing personal details from customers was left in a briefcase inside a car that was stolen. That batch of paperwork contained details including names, addresses, Social Security numbers, phone numbers and a summary of hospital accounts. Information Source: Dataloss DB July 11, 2007 records from this breach used in our total: 79 Texas A&M University Corpus Christi, Texas EDU PHYS 49 College of Business officials are investigating a faculty member for the misplacement of a business law class roster containing the names and Social Security numbers of students. Information Source: Media July 11, 2007 records from this breach used in our total: 49 Disney Movie Club, Alta Resources, McNeil-PPC Inc Neenah, Wisconsin BSO INSD Unknown A contract employee stole an unknown number of credit card numbers. Credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation. Information Source: records from this breach used in our total: 0 Dataloss DB July 9, 2007 Girl Scouts Mile Hi Denver, Colorado NGO PORT Unknown Tapes stolen from a car held personal information from a membership database, including names, addresses, phone numbers. A very limited number of credit card numbers and Social Security numbers were included in the stolen data from the camp and event registration database. Information Source: Media July 7, 2007 records from this breach used in our total: 0 Cuyahoga County Dept. of Development Cleveland, Ohio GOV PORT 3,000 208 Names and Social Security numbers on memory stick stolen in carjacking. Information Source: records from this breach used in our total: 3,000 Dataloss DB July 5, 2007 Highland University Las Vegas, New Mexico EDU UNKN 420 A building on the campus had been broken into, and the affected offices might have contained such personal information as Social Security numbers, credit card and bank account information. Information Source: records from this breach used in our total: 420 Dataloss DB July 3, 2007 Fidelity National Information Services/Certegy Check Services Inc. Jacksonville, Florida BSF INSD 8,500,000 A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information. UPDATE (8/27/07): The company first estimated that about 2.3 million records were affected but quickly boosted that number to 8.5 million in filings with the U.S. Securities and Exchange Commission. A California law firm has filed a class-action suit charging Fidelity National Information Services (FIS) and one of its subsidiaries with negligence in connection with a data breach. UPDATE (11/23/07): A former database analyst at Certegy Check Services Inc., has agreed to plead guilty to federal fraud and conspiracy charges in connection with the theft of data. UPDATE (7/7/08):A man has been sentenced to four years and nine months in jail and fined US $3.2 million for his part in the theft of consumer records from Certegy Check Services. UPDATE (7/7/08): A new settlement provides that all class members whose personal or financial information was stolen can get compensated up to $20,000 for certain unreimbursed identity theft losses caused by the data theft. The losses covered could have occurred from Aug. 24, 1998, to Dec. 31, 2010. www.datasettlement.com [158] UPDATE (4/26/10): As part of a class action settlement in U.S. District Court in Tampa, consumers were given the opportunity to elect credit monitoring for one year or bank account monitoring for two years and were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. Consumers also were able to request credit monitoring at the company's expense immediately after the thefts were announced. The settlement with the attorney general's office ensures that Certegy will maintain a comprehensive information-security program. This program will assess internal and external risks to consumers' personal information, implement safeguards to protect that consumer information, and will regularly monitor and test the effectiveness of those safeguards. Certegy and its related entities also agree to adhere to payment card industry data security standards as those standards continue to evolve. As part of the settlement, Certegy is donating $125,000 to the attorney general's Seniors vs. Crime Program for educational, investigative and crime prevention programs for the benefit of senior citizens and the community and will pay $850,000 for the state's investigative costs and attorney's fees related to the case. Information Source: records from this breach used in our total: 8,500,000 Dataloss DB June 29, 2007 Harrison County Schools Charleston, West Virginia EDU STAT Unknown Several computers that contained the personal information, including Social Security numbers, of several Harrison County school employees were stolen. Workers Comp claims between January of 2001 and February of 2007 are at risk. Information Source: records from this breach used in our total: 0 Dataloss DB June 27, 2007 Milwaukee PC Milwaukee, Wisconsin BSR DISC 65,000 (414) 258-2275 209 Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was concerned that file could contain customers' credit card numbers and personal information. Information Source: records from this breach used in our total: 65,000 Dataloss DB June 27, 2007 Bowling Green State University Bowling Green, Ohio EDU PORT 199 Lost storage device contained Social Security numbers, and names of 199 former students. Information Source: Dataloss DB June 27, 2007 records from this breach used in our total: 199 University of California, Davis Davis, California deansoffice@vetmed.ucdavis.edu EDU HACK 1,120 [159] Computer-security safeguards were breached. Compromised information included the applicants' names, birth dates and, in most cases, Social Security numbers. Information Source: Dataloss DB June 25, 2007 records from this breach used in our total: 1,120 Fresno County Fresno, California GOV PORT 10,000 (559) 453-6450 A disk containing information pertaining to thousands of home health-care workers -- including their names, addresses and Social Security numbers -- was lost when it was shipped to a software vendor's office in San Jose, CA. Information Source: Dataloss DB June 23, 2007 records from this breach used in our total: 10,000 Winn-Dixie Pascagoula, Mississippi MED PHYS Unknown Pharmacy documents were found behind a closed Winn-Dixie grocery store, containing telephone numbers, Social Security numbers and addresses of thousands of individuals. Apparently when the grocery store/pharmacy closed, employees put bundles of documents outside to be picked up. However, they were never retrieved. Information Source: Dataloss DB June 22, 2007 records from this breach used in our total: 0 Texas First Bank Texas City, Texas BSF PORT 4,000 Information such as account numbers, Social Security numbers, names and addresses may have been stored on a stolen laptop computer during a car theft in Dallas. Information Source: Dataloss DB records from this breach used in our total: 4,000 210 June 20, 2007 American Airlines Fort Worth, Texas BSO DISC 365 Personal information including Social Security numbers of pilots and other employees at American Airlines, including the chief executive, was exposed on a company Web site. Information Source: records from this breach used in our total: 365 Dataloss DB June 20, 2007 University Community Hospital Tampa, Florida MED DISC Unknown A parent says his son should never have received bills in the mail for a pre-employment drug screening visit. Additionally, he received information about 17 others who were also tested, including Social Security numbers. Information Source: records from this breach used in our total: 0 Media June 18, 2007 Parisexposed.com Bellevue, Washington BSO DISC 750 Investigation by The Smoking Gun Web site said that by changing a few characters on the web page URL it was possible to see the subscriber's name, email address, password, phone number, mailing address and credit card number. Information Source: records from this breach used in our total: 750 Dataloss DB June 18, 2007 Shamokin Area School District Coal Township, Pennsylvania EDU DISC Unknown A local newspaper employee gained unauthorized access to the Shamokin Area School District's computer database. It is the same system that stores students' personal information, including Social Security numbers. That newspaper employee brought the security flaw to the attention of school officials. Information Source: Dataloss DB June 18, 2007 records from this breach used in our total: 0 Texas A&M University Corpus Christi, Texas EDU PORT 8,000 A professor vacationing off the coast of Africa took data with him on a small computer storage device which was lost or stolen. It is thought to contains SSNs and dates of birth for students enrolled in the spring, summer and fall semesters of 2006 Information Source: Dataloss DB June 15, 2007 records from this breach used in our total: 8,000 Ohio state workers Columbus, Ohio GOV PORT 1,000,000 (888) 644-6648(taped-message), (877) 742-5622 (Ohio Consumers' Counsel) or (800) 267-4474 A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern's car. The tape, which was stolen in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers. UPDATE (6/20/07) : The storage device also had the names and Social Security numbers of 225,000 taxpayers. 211 UPDATE (6/22/07) : Previous news stories reported smaller amounts, but the most recent news story shows 500,000. UPDATE (7/12/07) State of Ohio increases data theft estiamte to 1 million. Information Source: Dataloss DB June 14, 2007 records from this breach used in our total: 1,000,000 Division of Workforce Services Salt Lake City, Utah GOV UNKN 20,000 (801) 281-1267 Children's Social Security numbers are believed to have been compromised by identity thieves. Information Source: records from this breach used in our total: 20,000 Media June 14, 2007 Hamburger Hamlet Restaurant Los Angeles, California BSO INSD 40 Former waitress made off with the credit or debit card numbers of at least half a dozen patrons - and possibly as many as 40. Already, about $16,300 in unauthorized charges have been linked to the scam. Information Source: records from this breach used in our total: 40 Media June 14, 2007 Georgia Tech University Atlanta, Georgia 23,000 Not included in Total because it's not EDU DISC clear SSNs or account numbers were exposed. An electronic file containing the personal information of current and former Georgia Tech students was exposed briefly. Information Source: records from this breach used in our total: 0 Dataloss DB June 14, 2007 Lynchburg City Lynchburg, Virginia 1,200 Not included in total because it's not GOV DISC clear SSNs or account numbers were exposed. Personal information of Lynchburg city employees and retirees was accidentally posted on the city's website among that information employee's prescription medications. Information Source: Dataloss DB June 11, 2007 records from this breach used in our total: 0 Pfizer New York, New York BSO DISC 17,000 866-274-3891 Installation of certain file sharing software on a Pfizer laptop, exposed files containing names, Social Security numbers, 212 addresses and bonus information of present and former Pfizer colleagues. Investigation revealed that certain files containing data were accessed and copied. Information Source: Dataloss DB June 11, 2007 records from this breach used in our total: 17,000 Grand Valley State University Allendale, Michigan EDU PORT 3,000 Jann Joseph (616) 331-2110 A flash drive containing confidential information was stolen. Social Security numbers of current and former students were on the flash drive, stolen from the English department. Information Source: Dataloss DB June 9, 2007 records from this breach used in our total: 3,000 Concord Hospital, Verus Inc. MED Concord, New Hampshire mhanna@cmonitor.com DISC 9,000 [160] Names, addresses, dates of birth and Social Security numbers exposed on the internet for a period of time, security lapsed from a subcontractor that handles its online billing. UPDATE (6/20/07): Washington-based company that was managed its online billing system was fired. Hospital officials now are asking for an audit to verify that Verus Incorporated has removed all of its patient information from its servers. Information Source: Dataloss DB June 8, 2007 records from this breach used in our total: 9,000 University of Virginia Charlottesville, Virginia http://www.virginia.edu/uvatoday/newsRelease.php?id=2217 EDU [161] , identity-assistance@virginia.edu [162] , HACK 5,735 (866) 621-5948 A breach in one of the computer applications resulted in exposure of sensitive information belonging to current and former U.Va. faculty members. The information included names, Social Security numbers and dates of birth. The investigation has revealed that on 54 separate days between May 20, 2005, and April 19, 2007, hackers tapped into the records of 5,735 faculty members. Information Source: records from this breach used in our total: 5,735 Dataloss DB June 8, 2007 University of Iowa Iowa City, Iowa EDU HACK 1,100 Social Security numbers of faculty, students and prospective students were stored on the Web database program that was compromised. Information Source: Dataloss DB June 6, 2007 records from this breach used in our total: 1,100 Cedarburg High School Cedarburg, Wisconsin EDU DISC Unknown Students obtained names, addresses and Social Security numbers and might have accessed personal bank account information of current and former district employees. 213 Information Source: Dataloss DB June 6, 2007 records from this breach used in our total: 0 Dearfield Medical Building Greenwich, Connecticut MED PHYS Unknown A box was discovered at inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues, documents are not medical charts, but do contain patient names and contact information. Information Source: Dataloss DB June 4, 2007 records from this breach used in our total: 0 Stevens Hospital Edmonds, Washington MED DISC 550 (425) 673-3745 Personal information including names, addresses, and Social Security numbers were exposed online due to a lapse in the data security procedures by a subcontractor. An Internet search engine was able to access the information while the subcontractor's laptop was unsecured. Information Source: Dataloss DB June 3, 2007 records from this breach used in our total: 550 Gadsden State Community College College Gadsden, Alabama EDU PHYS 400 Students who took an Art Appreciation class at the Ayers Campus between 2005 and 2006 had their names, grades and Social Security numbers scattered across a local business' driveway. Information Source: Dataloss DB June 1, 2007 records from this breach used in our total: 400 Fresno County, Refined Technologies Inc., DHL Fresno, California GOV HACK 10,000 A missing computer disk contains names, addresses and Social Security numbers. The County sent it by courier to a software vendor's office in San Jose to determine workers' eligibility for health care benefits. The software company, Refined Technologies Inc., said they never received the disk. The courier service, DHL, told County officials that the file was delivered May 10, though the County didn't require anyone to sign for the delivery. Information Source: Dataloss DB June 1, 2007 records from this breach used in our total: 10,000 Jax Federal Credit Union Jacksonville, Florida BSF DISC 7,766 Social Security numbers and account numbers of clients were accidentally posted on the Internet, then indexed by Google. JFCU was transmitting information to a printer for a preapproved auto loan mailing when the information was picked up by Google from the printer's Web site. JFCU normally transmits information on an encrypted disk delivered by courier, but when the printer couldn't open the disk, the information was sent again, but wasn't encrypted and included Social Security numbers and account numbers. Information Source: Dataloss DB records from this breach used in our total: 7,766 214 June 1, 2007 Northwestern University Evanston, Illinois c-loebbaka@northwestern.edu BSO DISC 4,000 [163] Files containing personal information of students and applicants were available online. Information Source: Dataloss DB May 31, 2007 records from this breach used in our total: 4,000 Priority One Credit Union South Pasadena, California BSF DISC Unknown Priority One Credit Union sent out election ballots to members with Social Security numbers and account numbers printed on the outside of the envelopes Information Source: Dataloss DB May 26, 2007 records from this breach used in our total: 0 Cover Tennessee Nashville, Tennessee MED DISC 279 A computer error at the Cover Tennessee health insurance program caused small business owners who chose not to print out their forms from the Web site to have their personal information including Social Security numbers added to the next user's printout request. Information Source: Dataloss DB May 25, 2007 records from this breach used in our total: 279 North Carolina Deptartment of Transportation Raleigh, North Carolina https://apps.dot.state.nc.us/pio/releases/details.aspx?r=1179 GOV UNKN 25,000 [164] A computer server used to back up employee identification badge records that included the names and Social Security numbers of NCDOT employees, contractors and other state employees was compromised. Information Source: records from this breach used in our total: 25,000 Dataloss DB May 25, 2007 Booker T. Washington Community Center Auburn, New York NGO PORT Unknown A laptop computer with personal information of individuals who applied for Family Health Plus or Child Health Plus state health insurance program benefits was recovered when a woman tried to sell it at a pawn shop. Information Source: records from this breach used in our total: 0 Media May 24, 2007 Beacon Medical Services Aurora, Colorado MED DISC 5,000 Private medical and financial information including patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois that should have been only accessible through VPN access were inadvertently available on the Internet. 215 Information Source: Dataloss DB May 23, 2007 records from this breach used in our total: 5,000 Waco Independent School District Waco, Texas EDU HACK 17,400 Two high school seniors recently hacked into the district's computer network potentially compromising the personal information including Social Security numbers of students and employees. Information Source: Dataloss DB May 23, 2007 records from this breach used in our total: 17,400 Check into Cash Champaign, Illinois BSF PHYS Unknown Consumer loan documents and related reports were found in a trash bin behind the shopping center where Check into Cash is located. Documents contained Social Security numbers, addresses, copies of driver's licenses and other personal information of the company's customers. Information Source: records from this breach used in our total: 0 Dataloss DB May 22, 2007 University of Pittsburgh Medical Center Pittsburgh, Pennsylvania MED DISC 6,000 former patients UPMC mailed a fundraising letter to 6,000 former patients on May 7. The donor response cards inadvertently included each individual's SSN in the tracking code, visible through the envelope window. Information Source: records from this breach used in our total: 6,000 Dataloss DB May 22, 2007 University of Colorado, Boulder Boulder, Colorado EDU HACK 45,000 Hotline: (303) 492-1655 A hacker launched a worm that attacked a University computer server used by the College of Arts and Sciences. Information for 45,000 students enrolled at UC-B from 2002 to the present was exposed, including SSNs. The breach was discovered May 12. Apparently anti-virus software had not been properly configured. Information Source: Dataloss DB May 21, 2007 records from this breach used in our total: 45,000 Columbia Bank Fair Lawn, New Jersey BSF HACK Unknown Columbia Bank notified its online banking customers of a hacking incident. Names and SSNs were accessed, but account numbers and passwords were not. Information Source: Dataloss DB May 20, 2007 records from this breach used in our total: 0 Northwestern University Chicago, Illinois EDU PORT Unknown 216 A laptop belonging to the financial aid office was stolen. It contained SSNs and other information of some alumni. Information Source: records from this breach used in our total: 0 Dataloss DB May 19, 2007 Texas Commission on Law Enforcement Standards and Education Austin, Texas GOV PORT 230,000 A laptop computer was stolen from the state agency that licenses police officers. It contained information on every licensed peace officer in Texas, including SSNs, driver's license numbers, and birth dates. Information Source: records from this breach used in our total: 230,000 Dataloss DB May 19, 2007 Illinois Dept. of Financial and Professional Regulation Chicago, Illinois For information about breach www.idfpr.com GOV HACK 300,000 [165] A computer server in the office of the Illinois Dept. of Financial and Professional Regulation was breached earlier this year. SSNs, tax numbers, and addresses of banking and real estate licensees and applicants were exposed. The hacking incident was discovered May 3. Information Source: Dataloss DB May 19, 2007 records from this breach used in our total: 300,000 Stony Brook University Stony Brook, New York EDU DISC 90,000 http://www.stonybrook.edu/sb/disclosure/ [166] , Call Center, (866) 645-5830 (available until July 15, 2007) SSNs and university ID numbers of faculty, staff, students, alumni, and other community members were visible via the Google search engine after they were posted to a Health Sciences Library Web server April 11. It was discovered and removed 2 weeks later. Information Source: Dataloss DB May 18, 2007 records from this breach used in our total: 90,000 Alcatel-Lucent Murray Hill, New Jersey BSO PORT Unknown The telecom and networking equipment maker notified employees that a computer disk containing personal information was lost in transit to Aon Corp., another vendor. It contained names, addresses, SSNs, birth dates, and salary information of current and former employees. Information Source: Dataloss DB May 18, 2007 records from this breach used in our total: 0 Yuma Elementary School District No. 1 Yuma, Arizona EDU PHYS 91 SSNs of 91 substitute teachers were stolen May 7 when a district employee's car was broken into and a brief case was taken containing payroll reports. The reports did not include bank account information.. Information Source: records from this breach used in our total: 91 217 Dataloss DB May 18, 2007 Indianapolis Public Schools Indianapolis, Indiana EDU DISC 7,500 students not included in total because it is not clear if SSNs were exposed. A local newspaper reporter discovered that sensitive personal information was accessible online, including employee performance reviews, student gradebooks, student special education needs, and essays. Information Source: Dataloss DB May 17, 2007 records from this breach used in our total: 0 Georgia Division of Public Health Atlanta, Georgia GOV HACK 140,000 The GA Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding. Information Source: records from this breach used in our total: 140,000 Dataloss DB May 15, 2007 IBM Armonk, New York BSO PORT Unknown An unnamed IBM vendor lost computer tapes containing information on IBM employees -- mostly ex-workers -- including SSNs, dates of birth, and addresses. They went missing in transit frm a contractor's vehicle. Information Source: records from this breach used in our total: 0 Dataloss DB May 14, 2007 Community College of Southern Nevada North Las Vegas, Nevada EDU HACK 197,000 A virus attacked a computer server and could have allowed a hacker to access students' personal information including names, Social Security numbers and dates of birth, but the school is not certain whether anything was actually stolen from the school's computer system. Information Source: Dataloss DB May 12, 2007 records from this breach used in our total: 197,000 Goshen College EDU Goshen, Indiana http://www.goshen.edu/news/pressarchive/05-11-07-security.html [167] , info@goshen.edu [168] , HACK 7,300 (866) 877-3055 A hacker accessed a college computer that contained the names, addresses, birth dates, Social Security numbers and phone numbers of students and information on some parents with the suspected motivation of using the system to send spam e-mails. Information Source: Dataloss DB May 11, 2007 records from this breach used in our total: 7,300 University of California, Irvine Medical Center Irvine, California MED PHYS 287 218 About 1,600 file boxes stored in an off-site university warehouse were discovered missing. Some of the files included patients' names, addresses, Social Security numbers and medical record numbers. Information Source: Media May 11, 2007 records from this breach used in our total: 287 Highland Hospital (Rochester, NY) Rochester, New York HighlandHospitalAdmin@urmc.rochester.edu MED PORT 13,000 [169] Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business office. The computers were sold on eBay, and the one containing personal information was recovered. Information Source: Dataloss DB May 8, 2007 records from this breach used in our total: 13,000 University of Missouri Columbia, Missouri EDU HACK 22,396 (866) 241-5619 A hacker accessed a computer database containing the names and Social Security numbers of employees of any campus within the University system in 2004 who were also current or former students of the Columbia campus. Information Source: Dataloss DB May 7, 2007 records from this breach used in our total: 22,396 Indiana Deptartment of Administration Indianapolis, Indiana GOV DISC "No more than a couple hundred" An employee uploaded a list of certified women and minority business enterprises to the department's Web site and inadvertently included their tax identification numbers, which for some businesses and sole proprietorships is the owner's Social Security number. Information Source: records from this breach used in our total: 0 Dataloss DB May 5, 2007 Transportation Security Administration (TSA) Crystal City, Virginia GOV PORT 100,000 A computer hard drive containing payroll data from January 2002 to August 2005 including employee names, Social Security numbers, birth dates, bank account and routing information of current and former workers including airport security officers and federal air marshals was stolen. UPDATE (5/14/07) The American Federation of Government Employees is suing the TSA for the loss of the hard drive. It calls the breach a violation of the Privacy Act. Information Source: Dataloss DB May 3, 2007 records from this breach used in our total: 100,000 Maryland Department of Natural Resources Annapolis, Maryland GOV PORT 1,433 Personal information of current and retired employees including names and Social Security numbers was downloaded to a 219 thumb drive by an employee who wanted to work at home but was lost en route. Information Source: Dataloss DB May 3, 2007 records from this breach used in our total: 1,433 Louisiana State University, E..J. Ourso College of Business Baton Rogue, Louisiana EDU PORT 750 A laptop stolen from a faculty member's home contained personally identifiable information including may have included students' Social Security numbers, full names and grades of University students. Information Source: Dataloss DB May 3, 2007 records from this breach used in our total: 750 Montgomery College Conroe, Texas EDU DISC Unknown A new employee posted the personal information of all graduating seniors including names, addresses and Social Security numbers on a computer drive that is publicly accessible on all campus computers. Information Source: Dataloss DB May 1, 2007 records from this breach used in our total: 0 Healing Hands Chiropractic Sterling, Colorado MED PHYS Hundreds Medical records containing the personal information of chiropractic patients including Social Security numbers, birth dates, addresses and, in some cases, credit card information were thrown into a dumpster “due to lack of office space.” Information Source: Media May 1, 2007 records from this breach used in our total: 0 J. P. Morgan New York, New York BSF PHYS Unknown Documents containing personal financial data of customers including names, addresses and Social Security numbers were found in garbage bags outside five branch offices in New York. Information Source: Dataloss DB May 1, 2007 records from this breach used in our total: 0 Maine State Lottery Commission Hallowell, Maine GOV PHYS Unknown Documents containing personal information such as names, Social Security numbers, references to workers compensation claim records, psychiatric and other medical records, and police background checks were found in a dumpster. Information Source: Media May 1, 2007 records from this breach used in our total: 0 Champaign Police Officers Champaign, Illinois GOV STAT 139 The names and Social Security numbers of Champaign police officers were left on a computer donated to charity. 220 Information Source: Dataloss DB May 1, 2007 records from this breach used in our total: 139 J. P. Morgan Chicago, Illinois BSF PORT 47,000 A computer tape containing personal information of wealthy bank clients and some employees was delivered to a secure offsite facility for storage but was later reported missing. Information Source: Dataloss DB April 29, 2007 records from this breach used in our total: 47,000 University of New Mexico Alburquerque, New Mexico EDU PORT 3,000 not included in total below because SSNs were apparently not compromised) Employees' personal information including names, e-mail and home addresses, UNM ID numbers and net pay for a pay period for staff, faculty and a few graduate students may have been stored on a laptop computer stolen from the San Francisco office of an outside consultant working on UNM's human resource and payroll systems. Information Source: records from this breach used in our total: 0 Dataloss DB April 28, 2007 Couriers on Demand Dallas, Texas BSO DISC Hundreds Personal information of job applicants was accidentally published to the Internet. Information Source: Dataloss DB April 27, 2007 records from this breach used in our total: 100 Google Ads Mountain View, California BSO HACK Unknown Top sponsored Google ads linked to 20 popular search terms were found to install a malware program on users' computers to capture personal information and access online accounts for 100 different banks. Information Source: Media April 27, 2007 records from this breach used in our total: 0 Caterpillar, Inc. Peoria, Illinois BSO PORT Unknown A laptop computer containing personal data of employees including Social Security numbers, banking information and addresses was stolen from a benefits consultant that works with the company. Information Source: Dataloss DB April 26, 2007 records from this breach used in our total: 0 Ceridian Corp. Minneapolis, Minnesota BSO DISC 150 221 A former employee had data containing the personal information of employees including ID and bank-account data and then, accidentally posted it on a personal Web site. Information Source: Dataloss DB April 25, 2007 records from this breach used in our total: 150 Neiman Marcus Group Dallas, Texas http://phx.corporate-ir.net/phoenix.zhtml?c=118113&p=irol-recentdata BSR [170] , STAT 160,000 (800) 456-7019 Computer equipment was stolen containing files with sensitive information including name, address, Social Security number, date of birth, period of employment and salary information of retailer Neiman Marcus Group's current and former employees and their spouses. Information Source: records from this breach used in our total: 160,000 Dataloss DB April 24, 2007 Purdue University West Lafayette, Indiana EDU DISC 175 (866) 307-8513 Personal information including names and Social Security numbers of students who were enrolled in a freshman engineering honors course was on a computer server connected to the Internet that had been indexed by Internet search engines and consequently was available to individuals searching the Web. Information Source: Dataloss DB April 24, 2007 records from this breach used in our total: 175 Baltimore County Deptartment of Health Baltimore, Maryland GOV PORT 6,000 A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and emergency contact information of patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen. Information Source: Dataloss DB April 23, 2007 records from this breach used in our total: 6,000 Federal Emergency Management Agency (FEMA) Washington, District Of Columbia GOV DISC 2,300 Social Security numbers of Disaster Assistance Employees were printed on the outside address labels of reappointment letters Information Source: Dataloss DB April 21, 2007 records from this breach used in our total: 2,300 Albertsons (Save Mart Supermarkets) Alameda, California BSR CARD Over 100 (510) 337-8340 Credit and debit card numbers were stolen using bogus checkout-line card readers resulting in card numbers processed at those terminals being captured and some to be misused. Information 222 Source: Dataloss DB April 20, 2007 records from this breach used in our total: 100 Los Alamos National Laboratory Alburquerque, New Mexico GOV DISC 550 The names and Social Security numbers of lab workers were posted on a Web site run by a subcontractor working on a security system. Information Source: Dataloss DB April 20, 2007 records from this breach used in our total: 550 U.S. Agriculture Department Washington, District Of Columbia GOV DISC 38,700 http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml [171] The Social Security numbers of people who received loans or other financial assistance from two Agriculture Department programs were disclosed since 1996 in a publicly available database posted on the Internet. Originally, the US Department of Agriculture estimated that the personal information of as many as 150,000 people may be affected, then reduced the number 38,700. Information Source: Dataloss DB April 19, 2007 records from this breach used in our total: 38,700 New Mexico State University Las Cruces, New Mexico EDU DISC 5,600 The names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005 were accidentally posted on the school's Web site when an automated program moved what was supposed to be a private file into a public section of the Web site. Information Source: records from this breach used in our total: 5,600 Dataloss DB April 18, 2007 Ohio State University Columbus, Ohio http://www.osu.edu/news/newsitem1673 EDU HACK 14,000 [172] A hacker accessed the names, Social Security numbers, employee ID numbers and birth dates of 14,000 current and former staff members. Information Source: records from this breach used in our total: 14,000 Dataloss DB April 18, 2007 University of California, San Francisco (UCSF) San Francisco, California EDU STAT 3,000 (866) 485-8777, http://news.ucsf.edu/releases/ucsf-computer-server-with-research-subject-information-is-stolen/ [173] , http://security.ucsf.edu/alert/information.html [174] A computer file server containing names, contact information, and Social Security numbers for study subjects and potential study subjects related to research on causes and cures for different types of cancer was stolen from a locked UCSF office. For some individuals, the files also included personal health information. Information Source: records from this breach used in our total: 3,000 223 Dataloss DB April 18, 2007 Ohio State University Columbus, Ohio http://www.osu.edu/news/newsitem1673 EDU PORT 3,500 [172] The names, Social Security numbers and grades of 3,500 former chemistry students were on class rosters housed on two laptop computers stolen from a professor's home in late February. Information Source: Dataloss DB April 15, 2007 records from this breach used in our total: 3,500 CVS Pharmacy MED Liberty, Texas PHYS Over 1,000 The Attorney General of Texas filed a complaint against CVS Pharmacy for illegally disposing of personal information including active debit and credit card numbers, complete with expiration dates and medical prescription forms with customer's name, address, date of birth, issuing physician and the types of medication prescribed. The information was found in a dumpster behind a store that apparently was being vacated. Information Source: records from this breach used in our total: 1,000 Dataloss DB April 12, 2007 Bank of America Charlotte, North Carolina BSF PORT "limited" number of people A laptop containing personal information of current, former and retired employees including names, addresses, dates of birth and Social Security numbers was stolen when an employee was a victim of a recent break-in. Information Source: Dataloss DB April 12, 2007 records from this breach used in our total: 0 University of Pittsburgh Medical Center MED Pittsburgh, Pennsylvania DISC 88 Personal information including names, Social Security numbers, and radiology images of patients were previously included in two medical symposium presentations that were posted on UPMC's Web site. Though the presentation was later removed in 2005, the presentations were apparently inadvertently re-posted on the site and only recently removed again. Information Source: records from this breach used in our total: 88 Dataloss DB April 12, 2007 Georgia Secretary of State Atlanta, Georgia http://sos.georgia.gov/pressrel/20070411a.htm GOV PHYS 75,000 [175] 30 boxes of Fulton County voter registration cards that contain names, addresses and Social Security numbers were found in a trash bin. Information Source: Dataloss DB April 11, 2007 records from this breach used in our total: 75,000 New Horizons Community Credit Union, Protiviti BSF PORT 9,000 224 April 11, 2007 BSF Denver, Colorado http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm PORT 9,000 [176] A laptop computer that contained personal information of members who had loans with the credit union was stolen from Protiviti, a consultant employed by Bellco Credit Union conducting due diligence to prepare a possible acquisition bid. Information Source: Dataloss DB April 11, 2007 records from this breach used in our total: 9,000 ChildNet Ft. Lauderdale, Florida NGO PORT 12,000 An organization responsible for managing Broward County's child welfare system believe a dishonest former employee stole a laptop from the agency's office. It contains personal information of adoptive and foster-care parents including financial and credit data, Social Security numbers, driver's license data and passport numbers. Information Source: records from this breach used in our total: 12,000 Dataloss DB April 11, 2007 Black Hills State University Spearfish, South Dakota EDU STAT 56 http://www.bhsu.edu/AboutBHSU/NewsEvents/tabid/3454/articleType/ArticleView/articleId/339/Default.aspx [177] , (605) 6426215 Names and Social Security numbers of scholarship winners were inadvertently posted and publicly available on the university's web site. Information Source: Dataloss DB April 10, 2007 records from this breach used in our total: 56 Georgia Department of Community Health, Affiliated Computer Services (ACS) Atlanta, Georgia GOV PORT 2,900,000 http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_Notice-Missing_Personal_Data.pdf [178] , (866) 2133969 A computer disk containing personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state. Information Source: Dataloss DB April 9, 2007 records from this breach used in our total: 2,900,000 Turbo Tax , BSO DISC Unknown Using Turbo Tax online to access previous returns, a Nebraska woman was able to access tax returns for other Turbo Tax customers in different parts of the country. The returns contained personal information needed to e-file including bank account numbers with routing digits and Social Security numbers. Information Source: records from this breach used in our total: 0 Dataloss DB April 6, 2007 Hortica (Florists’ Mutual Insurance Company), UPS Edwardsville, Illinois BSF PORT Unknown 225 http://www.hortica-insurance.com/hotTopics/26.PDF [179] , (800) 851-7740, securedata@hortica-insurance.com [180] A locked shipping case of backup tapes containing personal information including names, Social Security numbers, drivers' license numbers, and bank account numbers went missing while in transit with UPS. Information Source: records from this breach used in our total: 0 Dataloss DB April 6, 2007 Chicago Public Schools Chicago, Illinois EDU PORT 40,000 (773) 553-1142 Two laptop computers contain the names and Social Security numbers of current and former employees was stolen from Chicago Public Schools headquarters. Information Source: records from this breach used in our total: 40,000 Dataloss DB April 5, 2007 DCH Health Systems Tuscaloosa, Alabama MED PORT 6,000 An encrypted disc and hardcopy documents containing retirement benefit information including Social Security numbers and other personal information were lost. Tracking data indicates the package was delivered to the addressee's building, but the intended recipient never received the package. Information Source: Dataloss DB April 5, 2007 records from this breach used in our total: 6,000 Security Title Agency Phoenix, Arizona BSF HACK Unknown Hackers "defaced" the company's Web site and may have accessed customer information which is stored on the same server as the site. Information Source: Media April 4, 2007 records from this breach used in our total: 0 University of California, San Francisco (UCSF) San Francisco, California (415) 353-8100, isecurity@ucsf.edu EDU HACK 46,000 [181] An unauthorized party may have accessed the personal information including names, Social Security numbers, and bank account numbers of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years by compromising the security of a campus server. Information Source: Dataloss DB March 30, 2007 records from this breach used in our total: 46,000 Los Angeles County Child Support Services Los Angeles, California GOV PORT 243,000 Three laptops containing personal information including about 130,500 Social Security numbers — most without names, 12,000 individuals' names and addresses, and more than 101,000 child support case numbers were apparently stolen from the department's office. 226 Information Source: records from this breach used in our total: 243,000 Dataloss DB March 30, 2007 Naval Station San Diego's Navy College Office San Diego, California GOV PORT Unknown (866) U-ASK-NPC, CSCMailbox@navy.mil [182] Three laptops were reported missing that may contain Sailors' names, rates and ratings, Social Security numbers, and college course information. The compromise could impact Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education. Information Source: records from this breach used in our total: 0 Dataloss DB March 30, 2007 University of Montana Western Dillon, Montana EDU PORT over 400 A computer disk containing students' Social Security numbers, names, birth dates, addresses and other personal information was stolen from a professor's office. The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance. Information Source: Dataloss DB March 29, 2007 records from this breach used in our total: 400 RadioShack BSR Portland, Texas PHYS Unknown 20 boxes of discarded records including sales receipts with names, addresses, Social Security numbers, credit card information. and personal information of store employees spanning from 2001 to 2005 were found in a dumpster. UPDATE (04/03/07): The Texas Attorney General's Office filed an action [183] against the Radio Shack store for violating the state's violating the 2005 Identity Theft Enforcement and Protection Act. Information Source: Dataloss DB March 27, 2007 records from this breach used in our total: 0 St. Mary Parish Schools Centerville, Louisiana EDU DISC 380 Personal information including Social Security numbers of St. Mary Parish public school employees was available on the Internet when a Yahoo!Web crawler infiltrated the server of the school's technology department. Information Source: Dataloss DB March 26, 2007 records from this breach used in our total: 380 Fort Monroe Fort Monroe, Virginia GOV PORT 16,000 A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees was stolen from an employee's personal vehicle. Bank account and bank routing information were not included. Information Source: Dataloss DB records from this breach used in our total: 16,000 227 March 23, 2007 Group Health Cooperative Health Care System Seattle, Washington MED PORT 31,000 http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html [184] Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and employees have been reported missing. Information Source: Dataloss DB March 23, 2007 records from this breach used in our total: 31,000 Swedish Urology Group Seattle, Washington MED PORT hundreds Three computer hard drives with personal files on hundreds of local patients including were stolen. Information Source: Dataloss DB March 20, 2007 records from this breach used in our total: 0 Tax Service Plus Santa Rosa, California BSF STAT 4,000 Thieves stole the company's backup computer, which contained financial data on thousands of tax returns dating back three years. Information Source: Dataloss DB March 19, 2007 records from this breach used in our total: 4,000 Science Applications International Corp. (SAIC) Boise, Idaho BSO PHYS Unknown Barrels filled with thousands of sensitive documents including printed copies of e-mail and performance evaluations along with documents marked “internal use only – not for public release” and “for official use only” were found on the curb outside of SAIC's local office. Information Source: records from this breach used in our total: 0 Media March 16, 2007 Springfield City Schools, Ohio State Auditor Springfield, Ohio EDU PORT 1,950 http://www.spr.k12.oh.us/ [185] , http://www.spr.k12.oh.us./ourboard/treasdocs/notificationofDataTheft.pdf [186] A laptop containing personal information of current and former employees of Springfield City Schools including their names and Social Security numbers was stolen from a state auditor employee's vehicle while parked at home in a garage. Information Source: Dataloss DB March 14, 2007 records from this breach used in our total: 1,950 Wellpoint's Empire Blue Cross and Blue Shield unit in NY Indianapolis, Indiana MED PORT 75,000 800-293-3443 An unencrypted disc containing patient's names, Social Security numbers, health plan identification numbers and description of medical services back to 2003 was lost en route to a subcontractor. 228 UPDATE (3/14/07): The subcontrator reported that the CD that was reported missing on Feb. 9 has been found. Information Source: Dataloss DB March 13, 2007 records from this breach used in our total: 75,000 U.S. Department of Agriculture (USDA) Washington, District Of Columbia GOV UNKN Unknown http://www.usda.gov/oig/webdocs/50501-8-FM.pdf [187] A total of 95 USDA computers were lost or stolen between Oct. 1, 2005, and May 31, 2006. Some may have contained personal information such as names, addresses, Social Security numbers and payment information. Two-thirds of the computers contained unencrypted data. Information Source: Media March 12, 2007 records from this breach used in our total: 0 Dai Nippon , BSO INSD Unknown A former contract worker of a Japanese commercial printing company stole nearly 9 million pieces of private data on customers from 43 clients, including U.S. companies. The stolen data includes confidential information such as names, addresses and credit card numbers intended for use in direct mailing and other printing services. Customers of U.S.-based American Home Assurance Co. and Toyota Motor were affected. Information Source: Dataloss DB March 10, 2007 records from this breach used in our total: 0 University of Idaho Moscow, Idaho EDU DISC 2,700 888-900-3783 A data file posted to the school's Web site contained personal information including names, birthdates and Social Security numbers of University employees. Information Source: Dataloss DB March 9, 2007 records from this breach used in our total: 2,700 California National Guard Sacramento, California GOV PORT 1,300 A computer hard drive containing Social Security numbers, home addresses, birth dates and other identifying information of California National Guard troops deployed to the U.S.-Mexico border was stolen. Information Source: Dataloss DB March 7, 2007 records from this breach used in our total: 1,300 Los Rios Community College Sacramento, California EDU DISC 2,000 Student information including Social Security numbers were accessible on the Internet after the school used actual data to test a new online application process in October. Information Source: Dataloss DB records from this breach used in our total: 2,000 229 March 7, 2007 U.S. Census Bureau Washington, District Of Columbia GOV DISC 302 households http://www.census.gov/Press-Release/www/releases/archives/miscellaneous/009732.html [188] Personal information of 302 households including names, addresses, phone numbers, birth dates and family income ranges were posted on a public Internet site multiple times over a five-month period from October 2006 to Feb. 15, 2007 when Census employees working from home tested new software records. Information Source: Dataloss DB March 3, 2007 records from this breach used in our total: 302 Metropolitan State College of Denver Denver, Colorado EDU PORT 988 http://www.mscd.edu/securityalert/ [189] , 866-737-6622 A faculty member's laptop computer that contained the names and Social Security numbers of former students was stolen from its docking station on campus. Information Source: Dataloss DB March 3, 2007 records from this breach used in our total: 988 Johnny's Selected Seeds Winslow, Maine BSR HACK 11,500 Hacker accessed credit card account information of online customers. About 20 credit cards have been used fraudulently. Information Source: Dataloss DB March 2, 2007 records from this breach used in our total: 11,500 California Department of Health Services Sacramento, California GOV DISC 54 http://www.cchealth.org/press_releases/dhs_breach_03_2007.php [190] , http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/07-... [191] Benefit notification letters containing names addresses, Medicare Part D plan names and premium payment amounts of some individuals enrolled in the California AIDS Drug Assistance Program (ADAP) were erroneously mailed to another enrollee. Information Source: Media March 1, 2007 records from this breach used in our total: 54 Westerly Hospital Westerly, Rhode Island MED DISC 2,200 Patient names, Social Security numbers, contact information as well as insurance information were posted on a publiclyaccessible Web site. Information Source: records from this breach used in our total: 2,200 Dataloss DB February 28, 2007 Gulf Coast Medical Center Tallahassee, Florida MED PORT 8,000 230 Patient information including names and Social Security numbers were compromised when a computer went missing in February in Tallahassee, FL. Information Source: records from this breach used in our total: 8,000 Dataloss DB February 28, 2007 Gulf Coast Medical Center Nashville, Tennessee MED PORT 1,900 Patient information including names and Social Security numbers were compromised when a computer went missing in November 2006 from Nashville, TN. This breach drew media attention when an additional 8,000 patients' information was compromised during a February 2007 breach in Tallahassee, FL. Information Source: Dataloss DB February 23, 2007 records from this breach used in our total: 1,900 Rabun Apparel Inc., former subsidiary of Fruit of the Loom Rabun Gap, Georgia BSR DISC 1,006 Names and Social Security numbers of former employees were accessible on the Internet from Jan. 15 until Feb. 20. Information Source: records from this breach used in our total: 1,006 Dataloss DB February 22, 2007 Speedmark Woodlands, Texas BSO STAT 35,000 Thieves stole several computers, one of which contained a database with personally identifying information including names, addresses, e-mail accounts, and Social Security numbers of Speedmark's mystery shopper employees and contractors. Information Source: records from this breach used in our total: 35,000 Dataloss DB February 21, 2007 Georgia Institute of Technology Atlanta, Georgia 404-894-2499, hr@gatech.edu EDU HACK 3,000 [192] Personal information of former employees mostly in the School of Electrical and Computer Engineering including name, address, Social Security number, other sensitive information, and about 400 state purchasing card numbers, were compromised by unauthorized access to a Georgia Tech computer account. Information Source: Dataloss DB February 20, 2007 records from this breach used in our total: 3,000 Back and Joint Institute of Texas San Antonio, Texas MED PHYS hundreds 20 boxes containing Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history of chiropractic patients were found in a dumpster. Information Source: Dataloss DB February 19, records from this breach used in our total: 0 Seton Healthcare Network MED PORT 7,800 231 2007 North Austin, Texas MED PORT 7,800 A laptop with uninsured patients' names, birth dates and Social Security numbers was stolen last week from the Seton hospital system. The uninsured patients had gone to Seton emergency rooms and city health clinics since July 1, 2005. Information Source: Dataloss DB February 19, 2007 records from this breach used in our total: 7,800 Clarksville-Montgomery County middle and high schools Clarksville, Tennessee EDU DISC 633 Staff and faculty Social Security numbers, used as employee identification numbers, were embedded in file photos by the company that took yearbook pictures and inadvertently placed in a search engine on school system's Web site. Information Source: Dataloss DB February 19, 2007 records from this breach used in our total: 633 Stop & Shop Supermarkets Quincy, Massachusetts BSR CARD Unknown Additional locations: Southern Massachusetts and Rhode Island. (877) 366-2668 Credit and debit card account information including PIN numbers was stolen by high-tech thieves who apparently broke into checkout-line card readers and PIN pads and tampered with them. Information Source: Dataloss DB February 19, 2007 records from this breach used in our total: 0 Social Security Administation (SSA) Milwaukee, Wisconsin GOV PHYS 13 Files of disability applicants containing Social Security numbers, addresses, phone numbers of family members, dates of birth and work history, and detailed medical information were lost/stolen when a telecommuting employee abandoned them in a locked filing cabinet at home after a threat of domestic violence. Several of the files were mailed back to the local SSA office months later others were found in a dumpster recently, and four were never recovered. Information Source: records from this breach used in our total: 13 Media February 15, 2007 City College of San Francisco San Francisco, California EDU DISC 11,000 students (800) 436-0108, www.ccsf.edu/securityalert [193] Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. CCSF stopped using SSNs as studens IDs in 2002. Information Source: records from this breach used in our total: 11,000 Dataloss DB February 14, 2007 Kaiser Medical Center Oakland, California MED PORT 22,000 patients, but apparently only 500 records contained SSNs (866) 529-0779 232 A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients. But only 500 records contained SSNs. Information Source: Dataloss DB February 14, 2007 records from this breach used in our total: 500 Iowa Department of Education Des Moines, Iowa GOV HACK 600 Up to 600 files of G.E.D. recipients were viewed when the online database was hacked. Files included names, addresses, birthdates, and SSNs of G.E.D. graduates from 1965 to 2002. Information Source: Dataloss DB February 14, 2007 records from this breach used in our total: 600 Conneticut Office of the State Comptroller Hartford, Connecticut GOV DISC 1,753 Personal information of state employees including names and Social Security numbers was inadvertently posted on the Internet in a spreadsheet of vendors used by the state. Information Source: Dataloss DB February 10, 2007 records from this breach used in our total: 1,753 State of Indiana Official Website www.IN.gov Indianapolis, Indiana GOV HACK 76,600 (888) 438-8397, Email: securityconcerns @www.IN.gov A hacker gained access to the State Web site and obtained credit card numbers of individuals who had used the site's online services and gained access to Social Security numbers for 71,000 healthcare workers and 5,600 individuals and businesses. UPDATE (3/22/07): Investigators have identified a teen they believe hacked into the IN.gov as a prank. Information Source: Dataloss DB February 9, 2007 records from this breach used in our total: 76,600 East Carolina University Greenville, North Carolina EDU DISC 65,000 students, alumni, and staff members http://www.ecu.edu/incident/ [194] , 877-328-6660 A programming error resulted in personal information of 65,000 individuals being exposed on the University's Web site. The data has since been removed. Included were names, addresses, SSNs, and in some cases credit card numbers. Information Source: records from this breach used in our total: 65,000 Dataloss DB February 9, 2007 Radford University, Waldron School of Health and Human Services Radford, Virginia EDU HACK 2,400 children A computer security breach exposed the personal information, including SSNs, of children enrolled in the FAMIS program, Family Access to Medical Insurance Security. Information 233 Source: records from this breach used in our total: 2,400 Dataloss DB February 8, 2007 Piper Jaffrey Minneapolis, Minnesota BSF DISC More than 1,000 employees W-2s sent to current and former employees in January included employees' Social Security numbers on the outside of the envelope. Though the numbers were not identified as Social Security numbers, they followed the standard XXX-XX-XXXX format. Executives indicated the mishap was an error by a third-party vendor. Information Source: Dataloss DB February 8, 2007 records from this breach used in our total: 1,000 St. Mary's Hospital Leonardtown, Maryland MED PORT 130,000 A laptop was stolen in December that contained names, SSNs, and birthdates for many of the Hospital's patients. Information Source: Dataloss DB February 7, 2007 records from this breach used in our total: 130,000 University of Nebraska Lincoln, Nebraska EDU DISC 72 An employee accidentally posted SSNs of 72 students, professors, and staff on UNL's public Web site where they remained for 2 years. They have since been removed. Information Source: Dataloss DB February 7, 2007 records from this breach used in our total: 72 Johns Hopkins University and Johns Hopkins Hospital Baltimore, Maryland MED PORT 52,000 past and present employees plus 83,000 patients Johns Hopkins reported the disappearance of 9 backup computer tapes containing personal information of employees and patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The 9th tape contained less sensitive information about 83,000 hospital patients. Information Source: Dataloss DB February 7, 2007 records from this breach used in our total: 135,000 Central Connecticut State University New Britain, Connecticut EDU DISC 750 students Social Security numbers of about 750 CCSU students were exposed in the name and address window on envelopes mailed to them. The envelopes were not folded correctly. They contained IRS 1098T forms. Information Source: Dataloss DB February 6, 2007 records from this breach used in our total: 750 New York Department of Labor Glenn Falls, New York GOV PHYS 537 234 A laptop computer annd documents were stolen from a state tax auditor's apartment. While the laptop had security features and had little personal information on it, the documents contained personal information for people who were employed by 13 Capital Region businesses. Information Source: records from this breach used in our total: 537 Dataloss DB February 6, 2007 Metro Credit Services Hurst, Texas BSF PHYS thousands Files of the defunct bill collection company containing medical records, phone bills and Social Security numbers were found in a trash bin. Information Source: records from this breach used in our total: 0 Dataloss DB February 3, 2007 CTS Tax Service Cassopolis, Michigan BSO STAT 800 The computer and hard drive of a tax preparation company were stolen. Data included names, bank account numbers, routing numbers, birthdates, SSNs, and addresses. Information Source: records from this breach used in our total: 800 Dataloss DB February 2, 2007 Massachusetts Department of Industrial Accidents Boston, Massachusetts 800) 323-3249 ext. 560, www.mass.gov/dia GOV INSD 1,200 people who submitted claims [195] A former state contractor allegedly accessed a workers' compensation data file and stole personal information, including SSNs. The thief used the data to commit identity theft on at least 3 individuals. Information Source: Dataloss DB February 2, 2007 records from this breach used in our total: 1,200 Indian Consulate via Haight Ashbury Neighborhood Council recycling center San Francisco, California GOV PHYS Unknown Visa applications and other sensitive documents were accessible for more than a month in an open yard of a recycling center. Information included applicants' names, addresses, phone numbers, birthdates, professions, employers, passport numbers, and photos. A sampling of documents indicated that the paperwork included everyone who applied in the Western states from 2002-2005. Applicants were current and former executives of major Bay Area companies that have operations in India. Information Source: Dataloss DB February 2, 2007 records from this breach used in our total: 0 Wisconsin Assembly Madison, Wisconsin GOV PHYS 150 Assembly members and aides A document containing personal information of Wisconsin Assembly members was stolen from a legislative employee's car while she was exercising at a local gym. It contained names, addresses, and SSNs. Information 235 Source: Dataloss DB February 2, 2007 records from this breach used in our total: 150 University of Missouri, Research Board Grant Application System Columbia, Missouri EDU HACK 1,220 A hacker broke into a UM computer server mid-January and might have accessed personal information, including SSNs, of 1,220 researchers on 4 campuses. The passwords of 2,579 individuals might also have been exposed. Information Source: Dataloss DB February 2, 2007 records from this breach used in our total: 1,220 New York Deptartment of State Albany, New York GOV DISC Unknown The agency's Web site posted commercial loan documents that mistakenly contained SSNs. The forms are posted to let lenders know the current financial status of loan recipients. Information Source: Dataloss DB February 2, 2007 records from this breach used in our total: 0 U.S. Dept. of Veterans Affairs, VA Medical Center Birmingham, Alabama (877) 894-2600, http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294 MED PORT 48,000 veterans plus 535,000 [196] An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers. UPDATE (2/10/07 [196] ): VA increases number of affected veterans to 535,000, included in the total below. UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below. UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations. UPDATE (6/18/07):More than $20 million to respond to its latest data breach, the breach potentially puts the identities of nearly a million physicians and VA patients. Information Source: Dataloss DB January 29, 2007 records from this breach used in our total: 583,000 Mendoza College of Business, Notre Dame University Notre Dame, Indiana EDU DISC Unknown Additional location: South Bend, Indiana A file of individuals who took the GMAT test (Graduate Management Admissions Test) was mistakenly left on a computer that was decommissioned. The computer was later reactivated and plugged into the Internet. Its files were available through a file-sharing program. Data included names, scores, SSNs and demographic information from 2001. Information Source: Media January 26, 2007 records from this breach used in our total: 0 Indiana Deptartment of Transportation (INDOT) Indianapolis, Indiana GOV DISC 4,000 employees The names and SSNs of INDOT employees were inadvertently posted on an internal network computer drive sometime 236 The names and SSNs of INDOT employees were inadvertently posted on an internal network computer drive sometime between Sept. 6 and Dec. 4, 2006. Information Source: Dataloss DB January 26, 2007 records from this breach used in our total: 4,000 Vanguard University Costa Mesa, California EDU STAT 5,105 financial aid applicants (800) 920-7312 On Jan. 16, 2 computers were discovered stolen from the financial aid office. Data included names, SSNs, dates of birth, phone numbers, driver's license numbers, and lists of assets. Affected financial aid applicants from 2005-2006 and 20062007 school years. Information Source: records from this breach used in our total: 5,105 Dataloss DB January 26, 2007 WellPoint's Anthem Blue Cross Blue Shield Richmond, Virginia MED PORT 50,000 (800) 284-9779 Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs. Information Source: records from this breach used in our total: 50,000 Dataloss DB January 26, 2007 Chase Bank and the former Bank One, now merged Shreveport, Louisiana BSF 4,100 current and PHYS former employees from all over Louisiana A Bossier woman bought a used desk from a furniture store. She discovered a 165-page spread sheet in a drawer that included names and SSNs of bank employees. The document was returned to the bank. Information Source: Media January 26, 2007 records from this breach used in our total: 4,100 Eastern Illinois University Charleston, Illinois EDU STAT 1,400 currently enrolled students A desktop computer was stolen from the Student Life office containing membership rosters -- including SSNs, birthdates, and addresses -- of the University's 23 fraternities and sororities. A hard drive and memory from 2 other computers were also stolen. Information Source: Dataloss DB January 25, 2007 records from this breach used in our total: 1,400 Clay High School Oregon, Ohio EDU HACK Unknown A former high school student obtained sensitive staff and student information through an apparent security breach. The data was copied onto an iPod and included names, birth dates, SSNs, addresses, and phone numbers. 237 Information Source: Dataloss DB January 25, 2007 records from this breach used in our total: 0 Ohio Board of Nursing GOV Columbus, Ohio DISC 3,031 newly licensed nurses The agency's Web site posted names and SSNs of newly licensed nurses twice in the past 2 months. SSNs were supposed to have been removed before posting. Information Source: Dataloss DB January 25, 2007 records from this breach used in our total: 3,031 Wahiawa Women, Infants and Children program (WIC) Honolulu, Hawaii (808) 586-8080, http://www.hawaii.gov/dcca/quicklinks/id_theft_info GOV INSD 11,500 current and former clients [197] A WIC employee apparently stole the personal information of agency clients, including SSNs, and committed identity theft on at least 3 families and perhaps 2 more. The Health Director said the agency will no longer use SSNs in its data base. Information Source: records from this breach used in our total: 11,500 Dataloss DB January 23, 2007 Rutgers-Newark University, Political Science Department Newark, New Jersey EDU PORT 200 students An associate professor's laptop was stolen, containing names and SSNs of 200 students. Rutgers no longers uses SSNs as student IDs, but student IDs from past years are still SSNs. Information Source: records from this breach used in our total: 200 Dataloss DB January 22, 2007 U.S. Deptartment of Veterans Affairs Seattle, Washington GOV PHYS Unknown Folders of veterans' personal information were stolen from a locked car in Bremerton, WA. News stories are not clear on the type of information contained in the folders. Information Source: records from this breach used in our total: 0 Media January 22, 2007 Chicago Board of Election Chicago, Illinois GOV PORT 1.3 million voters About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. CDs also contain birth dates and addresses. Information Source: records from this breach used in our total: 1,300,000 Dataloss DB January 19, 2007 U.S. Internal Revenue Service via City of Kansas City Kansas City, Missouri GOV PORT Unknown 238 26 IRS computer tapes containing taxpayer information were reported missing after they were delivered to City Hall. They potentially contain taxpayers' names, SSNs, bank account numbers, or employer information. The 26 tapes were the entire shipment received by the City last August. The disappearance was noticed late December 2006. Information Source: Dataloss DB January 18, 2007 records from this breach used in our total: 0 KB Home BSO Charleston, South Carolina STAT 2,700 A computer was stolen from one of the home builder's offices. It likely contained names, addresses, and SSNs of people who had visited the sales office for Foxbank Plantation in Berkeley County near Charleston. Information Source: Dataloss DB January 17, 2007 records from this breach used in our total: 2,700 TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, KMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland Framingham, Massachusetts U.S.: Call (866) 484-6978, Canada: (866) 903-1408, U.K. & Ireland: 0800 77 90 15, www.tjx.com BSR HACK 100,000,000 [198] The TJX Companies Inc. experienced an unauthorized intrusion into its computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion midDecember 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. According to its Web site, TJX is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide. Note on our total: included in this breach are 45,700,000 credit and debit card account numbers; 455,000 merchandise return records containing customer names and driver's license numbers; recovery of about 200,000 stolen credit card account numbers; records then 1indicated an additional 48 million people have been affected. Totals were estimated at 94 million but now seem to have affected over 100 million accounts. UPDATE (2/22/07):TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on various subsequent dates that year.u UPDATE (3/21/07): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials. UPDATE (3/29/07): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers. UPDATE (4/22/07): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, and apparently began in July 2005. UPDATE (04/26/07): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit [199] against TJX to recover the costs of damages totaling tens of millions of dollars incurred for replacing customers' debit and credit cards. UPDATE (05/04/07): An article in the WSJ [200] notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly install another layer of security software it had bought, thieves were able to access data streaming between hand-held pricechecking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards. UPDATE (07/10/07): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers. UPDATE (08/31/07): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy. UPDATE (09/21/07): A ring leader in the TJX Cos.-linked credit card fraud, was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information. UPDATE (09/25/07): TJX announced the terms of a settlement for customers affected by the data breach -- with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court. 239 UPDATE (10/23/07): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million. UPDATE (10/23/07): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45,7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million. UPDATE (11/30/07): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. UPDATE (12/05/07): An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General. UPDATE (12/18/07): TJX has settled the lawsuit for an undisclosed amount.Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its secondquarter earnings.TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards. UPDATE (2/10/08): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement. UPDATE (4/2/08): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach. UPDATE (5/14/08): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX's previously announced Settlement Agreement with MasterCard. UPDATE (8/5/08): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service. UPDATE (8/30/08): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that would have enabled the bank to avoid canceling and replacing customer debit cards. UPDATE (9/22/08):One of the 11 people arrested last month in connection with the massive data theft at T JX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards. UPDATE (6/26/09): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information. UPDATE (7/28/09): Pennsylvania and 40 other states reached a $9.75 million settlement. UPDATE (9/4/09): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks' expenses in pursuing the legal action. UPDATE (12/15/09):A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at retailers T.J. Maxx, OfficeMax, and many other merchants, pleaded guilty on Tuesday to similar charges related to breaches at Heartland Payment Systems, 7-11, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28, reiterated terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New York, appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008. UPDATE (3/17/10): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking. Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other 240 companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder, Stephen Watt, was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network. UPDATE (3/29/10): A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JC Penney chain was one of Gonzalez.s victims, even though JC Penney's media representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C. and Puerto Rico, had kept their identity secret. No more and that.s the way Woodlock wanted it. UPDATE (4/16/10): Damon Patrick Toey, the 'trusted subordinate' of TJX hacker Albert Gonzalez, was sentenced in Boston to 5 more years in prison. He also received a $100,000 fine and three years. supervised release, according to the Justice Department. UPDATE (7/8/10): TJX has settled another lawsuit. The Louisiana Municipal Police Employees' Retirement System, a shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files. Information Source: Dataloss DB January 17, 2007 records from this breach used in our total: 100,000,000 Rincon del Diablo Municipal Water District GOV Escondido, California STAT 500 customers Additional locations:unincorporated neighborhoods outside the city, and parts of San Marcos and San Diego, CA. (760) 7455522 2 computers were stolen from the district office. One included names and credit card numbers of customers. Information Source: records from this breach used in our total: 500 Dataloss DB January 16, 2007 University of New Mexico Albuquerque, New Mexico EDU STAT Unknown At least 3 computers and 4 monitors were stolen from the associate provost's office overnight between Jan. 2 and 3. They may have included faculty members' names and SSNs. Information Source: Dataloss DB January 13, 2007 records from this breach used in our total: 0 North Carolina Department of Revenue Raleigh, North Carolina GOV PORT 30,000 taxpayers A laptop computer containing taxpayer data was stolen from the car of a NC Dept. of Revenue employee in mid-December. The files included names, SSNs or federal employer ID numbers , and tax debt owed to the state. Information Source: Dataloss DB January 12, 2007 records from this breach used in our total: 30,000 MoneyGram International BSF HACK 79,000 241 January 12, 2007 Minneapolis, Minnesota BSF HACK 79,000 MoneyGram, a payment service provider, reported that a company server was unlawfully accessed over the Internet last month. It contained information on about 79,000 bill payment customers, including names, addresses, phone numbers, and in some cases, bank account numbers. Information Source: Media January 11, 2007 records from this breach used in our total: 79,000 University of Idaho Moscow, Idaho EDU STAT 70,000 (866) 351-1860 Over Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees, and students. 331,000 individuals may have been exposed, with as many as 70,000 records containing SSNs, names and addresses. Information Source: Dataloss DB January 10, 2007 records from this breach used in our total: 70,000 University of Arizona Tucson, Arizona EDU UNKN Unknown Breaches occurred in November and December 2006 that affected services with UA Student Unions, University Library, and UA Procurement and Contracting Services. Some services were shut down for several days. Information Source: records from this breach used in our total: 0 Dataloss DB 18,000 past and present employees, January 9, 2007 Towers Perrin New York, New York BSF INSD presumably of Altria (total number of affected invididuals is unknown); 6,300 employees of Philip Morris. 5 laptops were stolen from Towers Perrin, allegedly by a former employee. The theft occurred Nov. 27, 2006. The computers contain names, SSNs, and other pension-related information, presumably of several companies, although news reports are not clear. Companies named include Altria (18.000 employees) and Philip Morris (6,300 employees). UPDATE (1/11/07): NY police arrested a junior-level administrative employee of the company in the theft of the laptops. Information Source: Dataloss DB January 5, 2007 records from this breach used in our total: 24,300 Dr. Baceski's office, internal medicine Somerset, Pennsylvania MED PORT hundreds of patients A hard drive was stolen containing personal information on hundreds of patients. Information Source: records from this breach used in our total: 0 Media 242 January 4, 2007 Selma, North Carolina, Water Treatment Plant Johnston County, North Carolina GOV PORT Unknown A laptop stolen from the water treatment facility holds the names and SSNs of Selma volunteer firefighters. Information Source: Dataloss DB January 2, 2007 records from this breach used in our total: 0 Notre Dame University Notre Dame, Indiana EDU PORT Unknown Additional location: South Bend, IN A University Director's laptop was stolen before Christmas. It contained personal information of employees, including names, SSNs, and salary information. Information Source: Dataloss DB January 2, 2007 records from this breach used in our total: 0 News accounts are not clear as to source, but thought to be a realty office Las Vegas, Nevada BSO PHYS Unknown About 40 boxes of financial paperwork, thought to be from loan applications, was found in a dumpster. One of the boxes visible to news reporters was said to contain paperwork with bank account details, photocopies of driver's licenses, SSNs and other private information. Information Source: records from this breach used in our total: 0 Media January 1, 2007 Wisconsin Department of Revenue via Ripon Printers Madison, Wisconsin (608) 224-5163, http://privacy.wi.gov/alerts/jan0107.jsp GOV DISC 171,000 taxpayers [201] Tax forms were mailed to taxpayers in which SSNs were inadvertently printed on the front of some Form 1 booklets. Some were retrieved before they were mailed. Information Source: records from this breach used in our total: 171,000 Dataloss DB December 30, 2006 KeyCorp Cleveland, Ohio BSF PORT 9,300 A laptop computer stolen from a KeyCorp vendor contains personally identifiable information, including SSNs, of 9,300 customers in six states. Information Source: records from this breach used in our total: 9,300 Dataloss DB December 28, 2006 U.S. State Department Washington, District Of Columbia GOV PHYS 700 A bag containing approximately 700 completed passport applications, which included Social Security numbers, was reported missing on December 1. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los Angeles International Airport. Information 243 Source: Dataloss DB December 27, 2006 records from this breach used in our total: 700 Montana State University Bozeman, Montana EDU DISC 259 students A student working in the loan office mistakenly sent packets containing lists of student names, Social Security numbers, and loan information to other students Information Source: Dataloss DB December 27, 2006 records from this breach used in our total: 259 Deaconess Hospital Evansville, Indiana MED PHYS 128 patients A computer missing from the hospital holds personal information, including SSNs, of 128 respiratory therapy patients. Information Source: records from this breach used in our total: 128 Dataloss DB December 22, 2006 Texas Woman's University Dallas, Texas EDU DISC 15,000 students Additional locations: Denton and Houston, TX A document containing names, addresses and SSNs of 15,000 TWU students was transmitted over a non-secure connection. Information Source: records from this breach used in our total: 15,000 Media December 21, 2006 Santa Clara County employment agency Santa Clara County, California GOV STAT 2,500 A computer stolen from the agency holds the SSNs of approximately 2,500 individuals. Information Source: Dataloss DB December 20, 2006 records from this breach used in our total: 2,500 Lakeland Library Cooperative - serving 80 libraries in 8 counties Grand Rapids, Michigan GOV DISC 15,000 library users, not included in total because Social Security numbers not involved Personal information of 15,000 library users in West Michigan was displayed on the Cooperative's Web site due to a technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library card numbers. Children's names were also listed along with their parents' names on a spreadsheet document. The information has since been removed. Information Source: Dataloss DB December 20, records from this breach used in our total: 0 Big Foot High School EDU DISC 87 current and former 244 2006 Walworth, Wisconsin EDU DISC employees Personal information was accidentally exposed on the High School's Web site for a short time, perhaps for about 36 minutes, according to a report. Information included last names, SSNs, and birthdates. Information Source: records from this breach used in our total: 87 Dataloss DB 27 residents of Lake County plus about 90 December 20, 2006 Lake County residents, plus Major League Baseball players Northbrook, Illinois BSO PHYS current and retired Major League Baseball players for a total of 117 individuals A Chicago man apparently removed documents from a trash bin outside SFX Baseball Inc., a sports agency that deals with Major League Baseball. He used information found on those documents to commit identity theft on at least 27 Lake County residents. Information found during a search of the thief's home included SSNs, birthdates, canceled paychecks, obituaries, and infant death records. Information Source: Dataloss DB December 20, 2006 records from this breach used in our total: 117 Deb Shops, Inc. Philadelphia, Pennsylvania BSR HACK Unknown (800) 460-9704 A hacker illegally accessed company Web pages and a related data base used for Internet-based purchases. The intruder may have accessed customers' credit card information including names on cards and credit card numbers. Information Source: Dataloss DB December 19, 2006 records from this breach used in our total: 0 Mississippi State University Jackson, Mississippi EDU DISC 2,400 students and emplolyees SSNs and other personal information were inadvertently posted on a publicly accessible MSU Web site. The breach was discovered last week and the information has since been removed. Information Source: Dataloss DB December 15, 2006 records from this breach used in our total: 2,400 University of Colorado, Boulder, Academic Advising Center Boulder, Colorado EDU HACK 17,500 http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf [202] A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators. Information Source: Dataloss DB records from this breach used in our total: 17,500 245 December 15, 2006 City of Wickliffe Wickliffe, Ohio GOV HACK 125 employees Hackers breached security in one of the city's three computer servers containing personal information on some city employees, including names and SSNs. Information Source: Dataloss DB December 14, 2006 records from this breach used in our total: 125 Electronic Registry Systems Atlanta, Georgia MED PORT More than 63,000 patients Additional locations: Danville, Pennsylvania, Nashville, TN On Nov. 23, 2006, two computers (one desktop, one laptop) were stolen from Electronic Registry Systems, a business contractor in suburban Springdale, OH, that provides cancer patient registry data processing services. It contained the personal information (name, date of birth, Social Security number, address, medical record number, medical data and treatment information) of cancer patients from hospitals in Pennsylvania, Tennessee, Ohio and Georgia, dating back to 1977 at some hospitals. Hospitals include Emory Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, as well as Geisinger Health System (PA) and Williamson Medical Center (TN). UPDATE(1/14/07): The number of affected patients was increased from 25,000 to 63,000. Information Source: records from this breach used in our total: 63,000 Dataloss DB December 14, 2006 Riverside High School Durham, North Carolina EDU DISC Thousands of school employees (at least 2,000) Two students discovered a breach in the security of a Durham Public Schools computer as part of a class assignment. They reported to school officials that they were able to access a database containing SSNs and other personal information of thousands of school employees. The home of one student was searched by Sheriff's deputies and the family computer was seized. Information Source: Dataloss DB December 14, 2006 records from this breach used in our total: 2,000 St. Vrain Valley School District Longmont, Colorado EDU PHYS 600 students Paper records containing student information were stolen, along with a laptop, from a nurse's car Nov. 20. Personal information included students' names, dates of birth, names of their schools, what grade they are in, their Medicaid numbers (presumably SSNs), and their parents' names. The laptop contained no personal data. Information Source: Dataloss DB December 14, 2006 records from this breach used in our total: 600 Bank of America Charlotte, North Carolina BSF INSD Unknown A former contractor for Bank of America unauthorizedly accessed the personal information (name, address, phone number, Social Security number) of an undisclosed number of customers, for the purpose of committing fraud. Information Source: Dataloss DB records from this breach used in our total: 0 246 December 13, 2006 Boeing Seattle, Washington BSO PORT 382,000 current and former employees In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees. UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen. UPDATE(1/26/07): The laptop was recovered. Information Source: records from this breach used in our total: 382,000 Dataloss DB December 12, 2006 University of California at Los Angeles (UCLA) Los Angeles, California Affected individuals can call UCLA at (877) 533-8082, http://www.identityalert.ucla.edu EDU HACK 800,000 [203] Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters. Information Source: Media December 12, 2006 records from this breach used in our total: 800,000 University of Texas, Dallas Dallas, Texas EDU HACK 35,000 Affected individuals can call (972) 883-4325, http://www.utdallas.edu/datacompromise/form.html [204] The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail addresses. UPDATE (12/14/06): The number of people affected was first thought to be 5,000, but was increased to 6,000. UPDATE (01/19/07): Officials now say 35,000 individuals may have been exposed. Information Source: Dataloss DB December 12, 2006 records from this breach used in our total: 35,000 Aetna, Nationwide, Wellpoint Group Health Plans, Humana Medicare, Mutual of Omaha Insurance Company,Anthem Blue Cross Blue Shield via Concentra Preferred Systems MED PORT 396,279 Dayton, Ohio A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC. UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc.) UPDATE(1/24/07): Personal data of 28,279 Nationwide's Ohio customers were also compromised. 2/11/10 Total changes to 396,279 to reflect final total of records breached in all of the affected companies. Information Source: records from this breach used in our total: 396,279 247 Dataloss DB December 9, 2006 Home Finance & Mortgage, Inc. Cornelius, North Carolina BSF PHYS 146 Company dumped files containing names, addresses, Social Security numbers, credit card numbers, and bank account numbers of people who had applied for mortgage loans. Home Finance and its owners have agreed to pay the State of NC $3,000 for their violations. Information Source: records from this breach used in our total: 146 Dataloss DB December 9, 2006 Virginia Commonwealth University (VCU) Richmond, Virginia EDU DISC 561 students Personal information of 561 students was inadvertently sent as attachments on Nov. 20 in an e-mail, including names, SSNs, local and permanent addresses and grade-point averages. The e-mail was sent to 195 students to inform them of their eligibility for scholarships. Information Source: Dataloss DB December 8, 2006 records from this breach used in our total: 561 Segal Group of New York, via web site of Vermont state agency used to call for bids on state contracts Montpelier, Vermont BSO DISC 1,100 Names and SSNs of several hundred physicians, psychologists and other health care providers were mistakenly posted online by Segal Group, a contractor hired by the state to put its health management contract out for bid. The information was posted from May 12 to June 19. It was discovered when a doctor found her own SSN online. UPDATE (1/14/07): SSNS of more than 1,100 doctors, psychothereapists and other health professionals were exposed. Information Source: records from this breach used in our total: 1,100 Dataloss DB December 6, 2006 Premier Bank Columbia, Missouri BSF PHYS 1,800 customers Headquarters in Jefferson City, MO A report was stolen the evening of Nov. 16 from the car of the bank's VP and CFO while employees were celebrating an award received by the bank. The document contained names and account numbers of customers, but reportedly no SSNs. Information Source: records from this breach used in our total: 1,800 Dataloss DB December 5, 2006 Army National Guard 130th Airlift Wing Charleston, West Virginia GOV PORT Unknown A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing. Information Source: records from this breach used in our total: 0 Media December 5, 2006 Nassau Community College Garden City, New York EDU PHYS 21,000 students 248 Garden City, New York A printout is missing that contains information about each of NCC's 21,000 students, including names, SSNs, addresses, and phone numbers. It disappeared from a desk in the Student Activities Office. Information Source: records from this breach used in our total: 21,000 Dataloss DB December 3, 2006 City of Grand Prairie Grand Prairie, Texas GOV DISC hundreds of employees (at least 200) Employees of the city of Grand Prairie were notified that personal records were exposed on the city's website for at least a year. Included were the names and SSNs of hundreds of employees. The information has since been removed. The city had been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and SSNs were mistakenly listed. Information Source: records from this breach used in our total: 200 Dataloss DB December 1, 2006 TD Ameritrade Omaha, Nebraska BSF PORT about 300 current and former employees (201) 369-8373 According to a letter sent to employees, a laptop was removed (presumably stolen) from the office Oct. 18, 2006, that contained unencrypted information including names, addresses, birthdates, and SSNs. Information Source: Dataloss DB November 30, 2006 records from this breach used in our total: 300 Pennsylvania Deptartment of Transportation (PennDOT) Dunmore, Pennsylvania GOV STAT 11,384 Affected individuals can call (800) PENNDOT if you have questions. Thieves stole equipment from a driver's license facility late evening Nov. 28, including computers containing personal information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create drivers licenses and photo IDs. The state maintains 97 driver's license facilities. Information Source: Dataloss DB November 30, 2006 records from this breach used in our total: 11,384 TransUnion Credit Bureau via Kingman, AZ, court office , BSF HACK more than 1,700 people Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman, AZ, court office, which apparently has a subscription to the bureau's services. Information Source: Dataloss DB November 29, 2006 records from this breach used in our total: 1,700 Gundersen Lutheran Medical Center LaCrosse, Wisconsin MED INSD unknown 249 A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint. Information Source: records from this breach used in our total: 0 Media November 28, 2006 Kaiser Permanente Colorado-- Skyline and Southwest offices Denver, Colorado MED PORT 38,000 (not included in total, because SSNs were apparently not exposed) For members who have questions: (866) 529-0813 A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained names, Kaiser ID number, date of birth, gender, and physician information. The data did not include SSNs. Information Source: records from this breach used in our total: 0 Dataloss DB November 28, 2006 California State University, Los Angeles (Cal State LA), Charter College of Education Los Angeles, California EDU PORT 2,534 (800) 883-4029 An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty members and more than 2,500 students and applicants of a teacher credentialing program. Information included names, SSNs, campus ID numbers, phone numbers, and e-mail addresses. Information Source: Dataloss DB November 27, 2006 records from this breach used in our total: 2,534 Johnston County, NC Johnston County, North Carolina GOV DISC About 39,000 North Carolina residents Personal data, including SSNs, of thousands of taxpayers, were inadvertently posted on the county web site. The information was removed from the site within an hour after officials became aware of the situation. Information Source: records from this breach used in our total: 39,000 Dataloss DB November 27, 2006 Greenville County School District Greenville, South Carolina EDU STAT At least 101,000 students and employees School district computers sold to the WH Group at auctions between 1999 and early 2006 contained the birth dates, SSNs, driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers also held sensitive data for more than 1,000 school district employees. UPDATE(12/10/06): A judge ordered the WH Group to return the computers and the confidential data on them to the school district. Information Source: records from this breach used in our total: 101,000 250 Dataloss DB November 27, 2006 Chicago Public Schools via All Printing & Graphics, Inc. Chicago, Illinois 1,740 former Chicago EDU DISC Public School employees A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125page list of the 1,740 former employees. Information Source: Dataloss DB November 25, 2006 records from this breach used in our total: 1,740 Family Health Center of Clark County Jeffersonville, Indiana MED STAT 7,700 Two computers stolen from an Indiana state health department contractor, the Family Health Center of Clark Count, contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program. Information Source: Dataloss DB November 20, 2006 records from this breach used in our total: 7,700 Administration for Children's Services New York, New York GOV 200 case files (not included in Total PHYS because it is not clear if SSNs were exposed) More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage bag. The files contain sensitive information of families, social workers and police officers. Information Source: Dataloss DB November 17, 2006 records from this breach used in our total: 0 Jefferson College of Health Sciences Roanoke, Virginia EDU DISC 143 An email containing the names and SSNs of 143 students intended for one employee was inadvertently sent to the entire student body of 900. Information Source: Dataloss DB November 16, 2006 records from this breach used in our total: 143 American Cancer Society (ACS) Louisville, Kentucky NGO PORT Unknown Headquarters in Atlanta, GA. If you have tips, call (502) 574-5673 An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any. Information Source: Media records from this breach used in our total: 0 251 November 15, 2006 Internal Revenue Service (IRS) Washington, District Of Columbia GOV PORT 2,359 According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. UPDATE (04/05/07): A report [205] by the Treasury Inspector General for Tax Administration noted that at least 490 IRS computers have been stolen or lost since 2003 in 387 security breach incidents that potentially jeopardized tax payers' personal information. UPDATE (04/17/07): The Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers and taxpayer data using wireless technology. Information Source: Media November 13, 2006 records from this breach used in our total: 2,359 Connors State College EDU Warner, Oklahoma (918) 463-6267, perline@connorsstate.edu PORT Considerably more than 22,500 [206] On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement). The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who qualify for the Oklahoma Higher Learning Access Program scholarships. Information Source: Dataloss DB November 11, 2006 records from this breach used in our total: 22,500 Hertz Global Holdings, Inc. Oklahoma City, Oklahoma BSO INSD Unknown 1-888-222-8086 The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of a former employee. Information Source: Dataloss DB November 10, 2006 records from this breach used in our total: 0 KSL Services, Inc. Los Alamos, New Mexico BSO PORT Approximately 1,000 A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los Alamos National Laboratory. Information Source: Dataloss DB November 9, 2006 records from this breach used in our total: 1,000 Four ARCO gas stations Costa Mesa, California BSR CARD At least 440 Additional locations: Westminster and Torrance, CA From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station customers and used the information to fabricate debit cards and make ATM withdrawals. Information Source: Dataloss DB records from this breach used in our total: 440 252 November 7, 2006 City of Lubbock Lubbock, Texas GOV HACK 5,800 Hackers broke into the city's web site and compromised the online job application database, which included Social Security numbers. Information Source: Dataloss DB November 6, 2006 records from this breach used in our total: 5,800 Bowling Green Police Department Bowling Green, Ohio GOV DISC Approx. 200 victims or suspects The police dept. accidentally published a report on their website containing personal information on nearly 200 people the police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc. Information Source: records from this breach used in our total: 200 Dataloss DB November 3, 2006 University of Virginia (UVA) Charlottesville, Virginia EDU DISC 632 students Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other students' Social Security numbers. Information Source: records from this breach used in our total: 632 Dataloss DB November 3, 2006 West Shore Bank Ludington, Michigan BSF CARD About 1,000 Customers' debit cards and possibly credit cards were compromised from a security break last summer at a common MasterCard point-of-purchase provider. Information Source: records from this breach used in our total: 1,000 Dataloss DB November 3, 2006 Wesco Muskegon, Michigan BSR CARD Unknown Wesco gas stations experienced a breach in credit card transactions from July 25-Sept. 7 resulting in inaccurate charges to customer accounts. Information Source: records from this breach used in our total: 0 Dataloss DB November 3, 2006 Starbucks Corp. Seattle, Washington 60,000 current and former U.S. employees BSR PORT and about 80 Canadian workers and contractors 1-800-453-1048 253 Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers. Information Source: records from this breach used in our total: 60,080 Dataloss DB November 3, 2006 Several Joliet area motels Joliet, Illinois BSO INSD Unknown Motel owners and employees allegedly stole and sold customers' credit card numbers. Information Source: Media November 2, 2006 records from this breach used in our total: 0 Hilb, Rogal & Hobbs, Villanova University Plymouth Meeting, Pennsylvania BSF 1,243 Villanova PORT University students and staff In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information including the names, birthdates, and drivers license numbers of Villanova University students and staff who drive university vehicles. Information Source: Dataloss DB November 2, 2006 records from this breach used in our total: 1,243 Colorado Deptartment of Human Services via Affiliated Computer Services (ACS) Dallas, Texas GOV STAT Up to 1.4 million For questions, call ACS at (800) 350-0399 On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. Computer also contained the state's Directory of New Hires. UPDATE (12/07/2006) When initially posted to this list, the number 1.4 million was not added to the total because we could not confirm if SSNs were exposed. The PRC was contacted by an affected individual today who confirmed that names, addresses, SSNs and dates of birth were exposed. Information Source: records from this breach used in our total: 1,400,000 Dataloss DB November 2, 2006 Greater Media, Inc. Philadelphia, Pennsylvania BSO PORT Unknown A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former employees was stolen from their Philadelphia offices. Information Source: records from this breach used in our total: 0 Dataloss DB November 2, 2006 McAlester Clinic and Veterans Affairs Medical Center Muskogee, Oklahoma MED PORT 1,400 veterans Three disks containing billing information, patient names and Social Security numbers, were lost in the mail. Information Source: records from this breach used in our total: 1,400 Dataloss DB 254 November 2, 2006 Intermountain Health Care Salt Lake City, Utah MED PORT 6,244 A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers, employment records, and other personal information about Intermountain Health Care employees employed there in 19992000. Information Source: Dataloss DB November 2, 2006 records from this breach used in our total: 6,244 Compulinx White Plains, New York BSO INSD Up to 50 Compulinx employees The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and other personal information for credit purposes. (It is unclear whether customers' data was also used). Information Source: Media November 1, 2006 records from this breach used in our total: 50 U.S. Army Cadet Command Fort Monroe, Virginia GOV PORT 4,600 high school seniors 1-866-423-4474, Email: mydata@usaac.army.mil A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship. Information Source: Dataloss DB October 31, 2006 records from this breach used in our total: 4,600 Avaya Maitland, Florida BSO PORT Unknown Additional location: Basking Ridge, NJ A laptop stolen from an Avaya employee on October 16 in Florida contained personally identifiable information, including names, addresses, W-2 tax form information and SSNs. Information Source: records from this breach used in our total: 0 Dataloss DB October 27, 2006 Gymboree San Francisco, California BSR PORT up to 20,000 employees A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers. Information Source: Dataloss DB October 27, 2006 records from this breach used in our total: 20,000 Hancock Askew & Co. Savannah, Georgia BSO PORT Unknown On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic Plastics, Inc.) was stolen from accounting firm Hancock Askew. 255 Information Source: Dataloss DB October 26, 2006 records from this breach used in our total: 0 Akron Children's Hospital MED Akron, Ohio HACK 235,903 Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information. Information Source: Dataloss DB October 26, 2006 records from this breach used in our total: 235,903 Empire Equity Group Charlotte, North Carolina BSF PHYS Unknown Mortgage files that included personal financial details about loan applicants were found in a dumpster. Empire Equity will pay $12,500 to the State of NC. Information Source: Dataloss DB October 26, 2006 records from this breach used in our total: 0 LimeWire Denver, Colorado BSO HACK 75 http://www.denverda.org/News_Release/Releases/2006%20Release/Computer%20security%20alert.pdf [207] The Denver Police Dept. reports that LimeWire's file-sharing program was exploited to access personal and financial information from approximately 75 different individual and business account names from all over the country. The information, which included tax records, bank account information, online bill paying records and other material, appears to have been stolen directly from computers that were using LimeWire's filesharing software program. Information Source: records from this breach used in our total: 75 Dataloss DB October 25, 2006 Transportation Security Administration (TSA) Portland, Oregon GOV PORT 900 current and former Oregon TSA employees A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names, addresses, phone numbers and Social Security numbers of approximately 900 current and former employees. Information Source: Media October 25, 2006 records from this breach used in our total: 900 Swedish Medical Center, Ballard Campus Seattle, Washington MED INSD Up to 1,100 patients (800) 840-6452 An employee stole the names, birthdates, and Social Security numbers from patients who were hospitalized or had daysurgeries from June 22 to Sept 21. She used 3 patients' information to open multiple credit accounts. Information Source: Dataloss DB records from this breach used in our total: 1,100 256 October 25, 2006 Tuscarawas County and Warren County Tuscarawas County, Ohio GOV DISC Unknown Additional location: Warren County, OH The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet database service. Local boards of elections may be the source of the information. UPDATE (11/1/06): LexisNexis says it has now removed the SSNs. Information Source: Dataloss DB October 24, 2006 records from this breach used in our total: 0 Jacobs Neurological Institute MED Buffalo, New York PORT Unknown The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data. Information Source: Media records from this breach used in our total: 0 260,000 patients and Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a October 23, 2006 Perot Systems Company MED PORT Indianapolis, Indiana about 6,200 employees, board members and physicians for a total of 266,200 (866) 714-7606 On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and boad members of St. Francis hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption. Information Source: Dataloss DB October 23, 2006 records from this breach used in our total: 266,200 Chicago Voter Database Chicago, Illinois GOV DISC 1.35 million Chicago residents An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion. Information Source: Dataloss DB October 20, 2006 records from this breach used in our total: 1,350,000 Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System New York, New York MED 1,600 veterans who PORT receive pulmonary care at the facility On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis, was stolen from the hopsital. 257 Information Source: Dataloss DB October 19, 2006 records from this breach used in our total: 1,600 Allina Hospitals and Clinics Minneapolis-St.Paul, Minnesota MED PORT Individuals in 17,000 households A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005. Information Source: Dataloss DB October 19, 2006 records from this breach used in our total: 17,000 University of Minnesota Minneapolis-St.Paul, Minnesota EDU PORT 200 students (not included in total) In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain holds personally identifiable information of 200 students. Information Source: records from this breach used in our total: 200 Media October 17, 2006 City of Visalia, Recreation Division Visalia, California GOV PHYS 200 current and former employees Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was exposed when copies of city documents were found scattered on a city street. Information Source: Dataloss DB October 16, 2006 records from this breach used in our total: 200 Germanton Elementary School Germanton, North Carolina EDU STAT Unknown A computer stolen from Germanton Elementary school holds students' SSNs. The data on the computer are encrypted. Information Source: records from this breach used in our total: 0 Dataloss DB October 16, 2006 VISA, FirstBank (1st Bank) Lakewood, Colorado BSF UNKN Unknown FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were compromised when someone accessed “a merchant card processor's transaction database.” The FirstBank letter said customers would receive new cards by October 27. Information Source: Dataloss DB October 16, 2006 records from this breach used in our total: 0 Dr, Charles Kay of Orchard Family Practice Englewood, Colorado MED PHYS "Hundreds" 258 Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files. Information Source: Media October 15, 2006 records from this breach used in our total: 100 Poulsbo Department of Licensing Poulsbo, Washington GOV PORT 2,200 An unspecified “storage device” containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's license numbers of individuals who conducted transactions at the Poulsbo branch in late September. Information Source: Media October 14, 2006 records from this breach used in our total: 2,200 T-Mobile USA Inc. Bellvue, Washington BSO PORT 43,000 current and former employees A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information. Information Source: Dataloss DB October 13, 2006 records from this breach used in our total: 43,000 Ohio Ethics Commission Columbus, Ohio GOV PHYS Unknown number of Ohio state employees Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the state archives. Information Source: records from this breach used in our total: 0 Dataloss DB October 12, 2006 U.S. Census Bureau Washington, District Of Columbia GOV PORT Unknown number of Travis Co., TX, residents Additional location: Travis Co., TX This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs. Information Source: records from this breach used in our total: 0 Media October 12, 2006 Congressional Budget Office Washington, District Of Columbia GOV HACK Unknown Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO. 259 Information Source: records from this breach used in our total: 0 Media October 12, 2006 University of Texas, Arlington Arlington, Texas http://www.uta.edu/oit/iso/Datatheft.php EDU STAT 2,500 students [208] Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2. Information Source: Dataloss DB October 11, 2006 records from this breach used in our total: 2,500 Republican National Committee (RNC) Washington, District Of Columbia NGO DISC 76 RNC donors http://www.nysun.com/national/gop-donors-personal-data-disclosed-in-rnc-privacy/41341/ [209] The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York Sun reporter. Information Source: records from this breach used in our total: 76 Dataloss DB October 10, 2006 Florida Labor Department Tallahassee, Florida GOV DISC 4,624 individuals who had registered with Florida 's Agency for Workforce Innovation The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail. Information Source: Dataloss DB October 9, 2006 records from this breach used in our total: 4,624 Troy Athens High School Troy, Michigan EDU PORT 4,400 For questions or comments, call (248) 823-4035 A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected alumni by regular mail. Information Source: Dataloss DB October 6, 2006 records from this breach used in our total: 4,400 Cleveland Air Route Traffic Control Center Oberlin, Ohio GOV STAT At least 400 A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and SSNs of at least 400 air traffic controllers. 260 Information Source: Dataloss DB October 6, 2006 records from this breach used in our total: 400 Camp Pendleton Marine Corps base via Lincoln B.P. Management Camp Pendleton, California GOV PORT 2,400 A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents. Information Source: Dataloss DB October 5, 2006 records from this breach used in our total: 2,400 San Juan Capistrano Unified School District (CA) San Juan Capistrano, California EDU STAT Unknown Five computers stolen from the HQ of San Juan Capistrano Unified School District likely contain the names, SSNs and dates of birth of district employees enrolled in an insurance program. Information Source: Dataloss DB October 4, 2006 records from this breach used in our total: 0 Orange County Controller Orlando, Florida GOV DISC Unknown A Florida woman discovered her marriage license was visible on the Orange County (FL) controller's Web site with no information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name. The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008. Information Source: records from this breach used in our total: 0 Media October 3, 2006 Cumberland County Carlisle, Pennsylvania GOV DISC 1,200 employees of the county Cumberland County (PA) officials removed salary board meeting minutes from their Web site because they contained the SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with their paychecks. Information Source: records from this breach used in our total: 1,200 Dataloss DB 4,500 Oregon high school students [not October 3, 2006 Willamette Educational Service District (ESD) Salem, Oregon EDU STAT included in total because not thought to contain sensitive info. such as SSNs] Seven computers stolen from a Willamette Educational Service District office were believed to contain personal information of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school clubs but do not contain sensitive information. Information 261 Source: records from this breach used in our total: 0 Media October 3, 2006 Picatinny Arsenal Rockaway, New Jersey GOV UNKN Unknown If you have tips, call (973) 989-0652 28 computers are missing from the Picatinny Arsenal, a Department of Defense Weapons Research Center. The computers were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did not contain classified information. Information Source: Media records from this breach used in our total: 0 6,939 current and October 2, 2006 Port of Seattle, Seattle-Tacoma Airport (Sea-Tac) Seattle, Washington http://www.portseattle.org [210] , GOV former Seattle-Tacoma PORT International Airport employees (888) 902-PORT Six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2. Information Source: Dataloss DB September 29, 2006 records from this breach used in our total: 6,939 University of Iowa Department of Psychology Iowa City, Iowa EDU HACK 14,500 A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution. Information Source: Dataloss DB September 29, 2006 records from this breach used in our total: 14,500 Kentucky Personnel Cabinet via Bluegrass Mailing Frankfort, Kentucky GOV DISC 146,000 State employees received letters from the Kentucky Personnel Cabinet with their SSNs visible through the envelope windows. Information Source: Dataloss DB September 28, 2006 records from this breach used in our total: 146,000 North Carolina Department of Motor Vehicles Louisville, North Carolina GOV STAT 16,000 (888) 495-5568 A computer was stolen from a NC Dept. of Motor Vehicles office, reported Sept. 10. It contains names, addresses, driver's license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in the past 18 months. Most are residents of Franklin County. 262 Information Source: records from this breach used in our total: 16,000 Dataloss DB September 28, 2006 Illinois Department of Transportation (IDOT) Springfield, Illinois GOV PHYS 40 Documents found by state auditors in recycling bins in a hallway contained IDOT employee names and SSNs. Information Source: Media September 28, 2006 records from this breach used in our total: 40 Stevens Hospital Emergency Room via dishonest employee of billing company Med Data Edmonds, Washington MED INSD about 30 patients A manager for the hospital's billing company, Med Data, stole patients' credit card numbers. She gave them to her brother who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and her brother's trial is expected Jan. 2007. Information Source: Dataloss DB September 25, 2006 records from this breach used in our total: 30 Movie Gallery Gastonia, North Carolina BSR PHYS Unknown A large number of Movie Gallery's files and videos were found in a dumpster. The files contained personal information of people employed by Movie Gallery and people applying for jobs at the video store as well as people applying for movie rental membership. Movie Gallery has agreed to pay $50,000 to the State of NC. Information Source: records from this breach used in our total: 0 Dataloss DB September 25, 2006 General Electric (GE) Fairfield, Connecticut BSO PORT 50,000 employees An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business. Information Source: records from this breach used in our total: 50,000 Dataloss DB September 23, 2006 Erlanger Health System Chattanooga, Tennessee MED PORT 4,150 current and former employees Records of hospital employees disappeared from a locked office on Sept. 15. They were stored on a USB jump drive. Information was limited to names and SSNs. Those affected included anyone who went through job status changes from Nov. 2003 to Sept. 2006. Information Source: Dataloss DB September 22, 2006 records from this breach used in our total: 4,150 Purdue University College of Science West Lafayette, Indiana EDU STAT 2,482 students from the year 2000 263 (866) 307-8520 A file in a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000. Information Source: records from this breach used in our total: 2,482 Dataloss DB September 22, 2006 University of Colorado, Boulder, Leeds School of Business Boulder, Colorado EDU STAT 1,372 students and former students (303) 492-8741 Two computers had been placed in storage during the school's move to temporary quarters in May. When they were to be retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names, SSNs, and grades. UPDATE (9/25/06): One of the computers was found. Information Source: Dataloss DB September 22, 2006 records from this breach used in our total: 1,372 Several Indianapolis pharmacies Indianapolis, Indiana MED PHYS Unknown Earlier this year a local TV reporter from WTHR found that dozens of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the Board and the Attorney General say that the pharmacies violated state law. Information Source: Media September 21, 2006 records from this breach used in our total: 0 Pima County Health Department Tucson, Arizona GOV PHYS 2,500 (no SSNs or financial information reported) Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses. Information Source: Dataloss DB September 21, 2006 records from this breach used in our total: 0 U.S. Department of Commerce and Census Bureau Washington, District Of Columbia GOV PORT Unknown https://www.census.gov/Press-Release/www/releases/archives/miscellaneous/007497.html [211] The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had protections to prevent a breach of personal information. Information Source: Media records from this breach used in our total: 0 8,800 individuals 264 September 20, 2006 City of Savannah, Georgia Savannah, Georgia GOV DISC whose identities were captured by red-light cameras (912) 651-6565, http://www.savannahga.gov/security [212] Because of a hole in the firewall, a City server exposed personal information online for 7 months. Individuals identified by the Red Light Camera Enforcement Program are affected -- name, address, driver's license number, vehicle identification number, and SSNs of those individuals whose driver's license number is still the SSN. Information Source: Dataloss DB September 20, 2006 records from this breach used in our total: 8,800 Berry College via consultant Financial Aid Services Inc. Mount Berry, Georgia EDU PHYS 2,093 students and potential students (of those, 1,322 are currently enrolled) (800) 961-4692, http://www.berry.edu/stulife/idprotect/ [213] Student applications for need-based financial aid were misplaced by a consultant -- in both paper and digital form. Data included name, SSN, and reported family income for students and potential students for the 2005-06 academic year. Information Source: Dataloss DB September 19, 2006 records from this breach used in our total: 2,093 Life Is Good Hudson, New Hampshire BSR HACK 9,250 Hackers accessed the retailer's database which contained customer's credit card numbers. The company said no other personal information was in the database. Information Source: Dataloss DB September 18, 2006 records from this breach used in our total: 9,250 Howard, Rice, Nemerovski, Canady, Falk & Rabkin law firm via its auditor Morris, Davis & Chan San Francisco, California BSO PORT 500 current and former employees Additional locations: Oakland, CA A laptop was stolen from the trunk of the car of the law firm's auditor, containing confidential employee pension plan information -- names, SSNs, remaining balances, 401(k) and profit-sharing information. Information Source: records from this breach used in our total: 500 Dataloss DB September 18, 2006 DePaul Medical Center, Radiation Therapy Department Norfolk, Virginia MED STAT More than 100 patients (757) 889-5945 Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth, treatment information, and some SSNs. Information Source: Dataloss DB records from this breach used in our total: 100 265 September 17, 2006 U.S. Dept. of Energy, Direct Loan Servicing , GOV DISC 21,000 accounts A security breach exposed private information of student loan borrowers from Aug. 20-22 during a computer software upgrade. Users of the DOE's Direct Loan Web site were able to view information other than their own if they used certain options when accessing the program's web pages. SSNs were among the data elements exposed online. Software company Affiliated Computer Services (ACS) created the technology for the Direct Loan Servicing feature on the DoE's site. Information Source: Dataloss DB September 16, 2006 records from this breach used in our total: 21,000 Michigan Department of Community Health Detroit, Michigan GOV PORT 4,000 Michigan residents Residents who participated in a scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and SSNs of participants. The study tracked the long-term exposure to flame retardents ingested by residents in beef and milk. Information Source: records from this breach used in our total: 4,000 Dataloss DB September 16, 2006 Beaumont Hospital Royal Oak, Michigan MED DISC 3 patients The hospital mistakenly mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer system mixed similar names, and staff did not catch it. Information Source: Media September 15, 2006 records from this breach used in our total: 3 Mercy Medical Center Merced, California MED PORT 295 patients A memory stick containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds near the hospital's information booth. It was returned to the hospital 4 weeks later. Data included names, SSNs, birthdates, and medical records. Information Source: records from this breach used in our total: 295 Dataloss DB September 15, 2006 Whistle Junction restaurant Orlando, Florida BSO PHYS Unknown Personnel files of employees of the now-closed restaurant were found in a nearby Dumpster. Papers included names and SSNs of former employees, Information Source: records from this breach used in our total: 0 Dataloss DB September 14, 2006 Nikon Inc. and Nikon World Magazine Melville, New York BSR DISC 3,235 magazine subscribers 266 Workers at a Montgomery, AL, camera store discovered that subscription information for the magazine Nikon World was exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers. Information Source: Dataloss DB September 14, 2006 records from this breach used in our total: 3,235 Illinois Department of Corrections (IDOC) Springfield, Illinois GOV PHYS Unknown A document containing employees' personal information was found outside the agency's premises where it should not have been. It has since been retrieved. Information included employees' names, SSNs, and salaries. Information Source: Dataloss DB September 13, 2006 records from this breach used in our total: 0 American Family Insurance Group Madison, Wisconsin BSF PORT 2,089 customers The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers. Information Source: Dataloss DB September 11, 2006 records from this breach used in our total: 2,089 Telesource via Veksta Indianapolis, Indiana BSO PHYS Unknown Employees discovered their personnel files in a Dumpster after the company had been bought out by another company Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth and photocopies of SSN cards and driver's licenses. Information Source: Dataloss DB September 9, 2006 records from this breach used in our total: 0 Cleveland Clinic Naples, Florida MED INSD 1,100 patients (866) 907-0675 A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. Information Source: records from this breach used in our total: 1,100 Dataloss DB September 8, 2006 Linden Lab, Second Life San Francisco, California BSO HACK Unknown http://blog.secondlife.com/2006/09/08/urgent-security-announcement/ [214] On Sept. 6, Linden Lab discovered that a hacker accessed its Second Life database through web servers. The affected data included unencrypted account names, real life names, and contact information, plus encrypted account passwords and payment information. Second Life is a 3-D virtual world. Information Source: records from this breach used in our total: 0 267 Dataloss DB September 8, 2006 University of Minnesota Minneapolis, Minnesota EDU STAT 13,084 students including SSNs of 603 students On August 14-15 eve, two computers were stolen from the desk of an Institute of Technology employee, containing information on students who were freshmen from 1992-2006 -- including names, birthdates, addresses, phone numbers, high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also exposed. Information Source: Dataloss DB records from this breach used in our total: 603 25,000 gun permit September 8, 2006 Berks County Sheriff's Office via contractor Canon Technology Solutions Reading, Pennsylvania GOV DISC holders exposed, although initially the number was unknown A confidential list of some of the County's 25,000 gun permit holders was exposed on the Web by the contractor that is developing a Web-based computer records program for the Sheriff's Office. Personal information included names, addresses and SSNs. UPDATE (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was exposed. Information Source: records from this breach used in our total: 25,000 Dataloss DB September 7, 2006 Florida National Guard Bradenton, Florida GOV PORT 100 A laptop computer was stolen from a soldier's vehicle contained training and administrative records, including Social Security numbers of up to 100 Florida National Guard soldiers. Information Source: records from this breach used in our total: 100 Dataloss DB September 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co. Wilmington, Delaware BSF PORT 2.6 million past and current Circuit City credit cardholders Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information. Information Source: Security Breach records from this breach used in our total: 2,600,000 Letter September 5, 2006 Transportation Security Administration (TSA) via Accenture Washington, District Of Columbia GOV DISC 1,195 former TSA employees In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN,, date of birth, and salary information to the wrong addresses due to an administrative error. 268 Information Source: Dataloss DB September 2, 2006 records from this breach used in our total: 1,195 Iowa Student Loan BSF West Des Moines, Iowa PORT 165,000 A compact disk containing personal information, including SSNs, was lost when shipped by private courier. Information Source: records from this breach used in our total: 165,000 Dataloss DB September 1, 2006 Wells Fargo via unnamed auditor San Francisco, California BSF PORT Unknown In a letter dated Aug. 28, the company notified its employees that a laptop and data disk were stolen from the locked trunk of an unnamed auditor, hired to audit the employees' health plan. Data included names, SSNs, and information about drug claim cost and dates from 2005, but no prescription information said the company. Information Source: Security Breach Letter September 1, 2006 records from this breach used in our total: 0 Virginia Commonwealth University (VCU) Richmond, Virginia EDU DISC 2,100 current and former students http://old.ts.vcu.edu/security/id_exposure.html [215] Personal information of freshmen and graduate engineering students from 1998 through 2005 was exposed on the Internet for 8 months (Jan. - Aug.) due to human error. It was discovered by a student who used a search engine to find her name. The data included SSNs and e-mail addresses. Information Source: Dataloss DB September 1, 2006 records from this breach used in our total: 2,100 City of Chicago via contractor Nationwide Retirement Solutions, Inc. Chicago, Illinois GOV PORT Up to 38,443 city employees and retirees (800) 638-1485, http://www.chicagofop.org/Updates/links/nrs.pdf [216] A laptop was stolen from the home of contractor's employee last April 2005. It was reported to the city July 2006 more than a year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred compensation plan. Information Source: Dataloss DB August 31, 2006 records from this breach used in our total: 38,443 CoreLogic for ComUnity Lending Sacramento, California (877) 510-3700, identityprotection@corelogic.com [217] . BSO STAT Unknown Exact date in August 2006 unknown. In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNs, and property addresses related to an existing or anticipated mortgage loan. Information 269 Source: Security Breach records from this breach used in our total: 0 Letter August 31, 2006 Labcorp Monroe, New Jersey MED STAT Unknown (800) 788-9091 x3925 During a break-in June 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not have birth dates or lab test results. Information Source: records from this breach used in our total: 0 Dataloss DB August 31, 2006 Diebold, Inc., GE Capital Canton, Ohio BSO PORT Unknown An employee's laptop was stolen containing employee information, including name, SSN, and if applicable, corporate credit card number. Information Source: records from this breach used in our total: 0 Security Breach Letter August 29, 2006 Valley Baptist Medical Center Harlingen, Texas MED DISC Unknown (877) 840-5999 A programming error on the hospital's web site exposed names, birth dates, and SSNs of healthcare workers in late August. The error was fixed but it is not known how long the personal information was compromised. The affected individuals are workers from outside the hospital who provide services and bill the hospital via an online form. Information Source: Dataloss DB August 29, 2006 records from this breach used in our total: 0 AT&T via vendor that operates an order processing computer San Francisco, California BSO HACK 19,000 Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying fewer than 19,000 customers. UPDATE (9/1/06). The breach was followed by a bogus phishing e-mail to those customers that attempted to trick them into revealing more info such as SSN and birthdate -- essential for crime of identity theft. Information Source: Dataloss DB August 29, 2006 records from this breach used in our total: 19,000 Compass Health Everett, Washington MED PORT A limited number of people (800) 508-0059 Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness. Information 270 Source: records from this breach used in our total: 0 Dataloss DB August 27, 2006 New Mexico Administrative Office of the Courts Santa Fe, New Mexico GOV DISC 1,500 employees For 8 days in late May, an unsecured document was exposed on the agency's FTP site on the state's computer server. It contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP site was shut down June 2 and has since be redesigned. Information Source: Dataloss DB August 26, 2006 records from this breach used in our total: 1,500 University of South Carolina Columbia, South Carolina EDU HACK 6,000 TheState.com reported that the University of South Carolina warned 6,000 current and former students that their information, including Social Security numbers and birth dates, may have been breached when a server was accessed from outside the system. Information Source: Media August 26, 2006 records from this breach used in our total: 6,000 PortTix Portland, Maine BSO HACK 2,000 Credit card information for about 2,000 people who ordered tickets online through PortTix was accessed by someone who hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24. Information Source: Dataloss DB August 25, 2006 records from this breach used in our total: 2,000 Dominion Resources Richmond, Virginia BSO PORT Unknown Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Dominion operates a gas and electric energy distribution company. Information Source: Dataloss DB August 25, 2006 records from this breach used in our total: 0 U.S. Department of Transportation, Federal Motor Carrier Safety Administration Baltimore, Maryland GOV PORT 193 (not added to total) (800) 832-5660 A laptop that might contain personal information of people with commercial driver's licenses was stolen Aug. 22. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. Information Source: records from this breach used in our total: 0 Dataloss DB August 25, 2006 Sovereign Bank New Bedford, Massachusetts BSF PORT thousands of customers 271 Personal data may have been compromised when 3 managers' laptops were stolen from 2 separate locations in early August. Customers were notified Aug. 21. Sovereign serves New England and the Mid-Atlantic. The bank said the data included unspecified customer information, but not account data. Information Source: Dataloss DB August 23, 2006 records from this breach used in our total: 0 U.S. Department of Education, Direct Loan Servicing Online Atlanta, Georgia http://www.dlssonline.com GOV DISC 21,000 [218] A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the U.S. Department of Education's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. Information Source: records from this breach used in our total: 21,000 Dataloss DB August 22, 2006 AFLAC American Family Life Assurance Co. Greenville, South Carolina BSF PORT 612 policyholders (888) 794-2352 A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11. Information Source: records from this breach used in our total: 612 Dataloss DB August 22, 2006 Beaverton School District Beaverton, Oregon EDU PHYS 1,600 employees Time slips revealing personal information were missing and presumed stolen following a July 24 break-in at a storage shed on the administration office's property. The time slips included names and SSNs but not addresses. Information Source: records from this breach used in our total: 1,600 Dataloss DB August 22, 2006 Beaumont Hospital Troy, Michigan MED PORT 28,400 home care patients A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients. UPDATE (8/23/06). The laptop was returned Aug. 23 by a woman who said she found it in her yard. Information Source: Dataloss DB August 21, 2006 records from this breach used in our total: 28,400 U.S. Dept. of Education via contractor, DTI Associates Washington, District Of Columbia GOV PORT 43 272 Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. Information Source: Dataloss DB August 18, 2006 records from this breach used in our total: 43 California Department of Mental Health , GOV PORT 9,468 employees (916) 654-2309 Computer tape with employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17 by e-mail. Information Source: Dataloss DB August 17, 2006 records from this breach used in our total: 9,468 Williams-Sonoma, Deloitte & Touche San Francisco, California BSR PORT 1,200 current and former employees On July 10, a laptop was stolen from the Los Angeles home of a Deloitte & Touche employee who was conducting an audit for W-S. Computer contained employees' payroll information and SSNs. Information Source: records from this breach used in our total: 1,200 Dataloss DB August 17, 2006 HCA, Inc. Hospital Corporation of America Nashville, Tennessee (800) 354-1036, http://www.hcahealthcare.com MED STAT thousands of files [219] 10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 19962006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA. Information Source: records from this breach used in our total: 0 Dataloss DB Total employees affected is unclear. August 16, 2006 Chevron San Ramon, California BSO Nearly half of its 59,000 workers are from North PORT America, but it is not known if that number includes employees from Canada. Chevron informed its U.S. workers Aug. 14 that a laptop was stolen from an employee of an independent public accounting firm who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive information related to health and disability plans. Information Source: Dataloss DB August 15, 2006 records from this breach used in our total: 0 University of Kentucky EDU DISC 630 273 August 15, 2006 Lexington, Kentucky EDU DISC 630 The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday, Aug. 11-14. Information Source: Dataloss DB August 15, 2006 records from this breach used in our total: 630 University of Kentucky Department of Georgraphy Lexington, Kentucky EDU DISC 80 About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication they all received telling them who their academic advisor would be for the coming year. Information Source: Dataloss DB August 15, 2006 records from this breach used in our total: 80 U.S. Department of Transportation Orlando, Florida GOV PORT Unknown On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are determining if it contained sensitive personal information. Information Source: records from this breach used in our total: 0 Media August 11, 2006 Madrona Medical Group Bellingham, Washington MED INSD At least 6,000 patients On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. Information Source: records from this breach used in our total: 6,000 Dataloss DB August 9, 2006 U.S. Department of Transportation , GOV PORT 132,470 (800) 424-9071, hotline@oig.dot.gov [220] The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a governmentowned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County 42,800 persons in FL with FAA pilot certificates and 9,000 persons with FL driver's licenses. UPDATE (11/21/06):A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot. Information Source: Dataloss DB August 8, 2006 records from this breach used in our total: 132,470 Virginia Bureau of Insurance Richmond, Virginia GOV DISC Unknown (804) 726-2630 The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 274 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser. Information Source: Dataloss DB August 8, 2006 records from this breach used in our total: 0 Linens 'n Things Sterling, Virginia BSR PHYS 90 A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and name of the card holder. Information Source: records from this breach used in our total: 90 Dataloss DB 5,000 Philadelphia patients, 11,000 August 7, 2006 U.S. Department of Veterans Affairs via contractor Unisys Corporation Reston, Virginia GOV INSD Pittsburgh patients, 2,000 deceased patients, plus possibly 20,000 more (18,000 is included in total below) Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations. UPDATE (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys. Information Source: records from this breach used in our total: 18,000 Dataloss DB August 6, 2006 American Online (AOL) New York, New York BSO DISC Unknown how many records contain highrisk personal information Other locations: nationwide In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information. UPDATE (9/26/06): Three individuals whose data were exposed have filed a lawsuit against AOL. Information Source: Dataloss DB August 4, 2006 records from this breach used in our total: 0 Toyota San Antonio, Texas BSO PORT 1,500 Laptop belonging to contractor and containing personal information of job applicants and employees of a Toyota plant was stolen. Data included names and SSNs. Information Source: Dataloss DB records from this breach used in our total: 1,500 275 August 4, 2006 PSA HealthCare Norcross, Georgia MED PHYS 51,000 current and former patients (866) 752-5259 A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. Information Source: records from this breach used in our total: 51,000 Dataloss DB August 1, 2006 US Bank Covington, Kentucky BSF PHYS very small number A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers. Information Source: records from this breach used in our total: 0 Dataloss DB August 1, 2006 Wichita State University Wichita, Kansas EDU HACK 2,000 WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office, containing credit card information for about 2,000 patrons. Information Source: records from this breach used in our total: 2,000 Dataloss DB August 1, 2006 Wichita State University Wichita, Kansas 40 (not included in total below because it is not EDU HACK known if SSNs were included in breached data) An intrusion into a WSU Psychology Department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program. Information Source: Dataloss DB August 1, 2006 records from this breach used in our total: 0 Dollar Tree Carmichael, California BSR HACK Unknown Additional locations: Modesto, CA and Ashland, OR. Other locations may also be involved. Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating counterfeit ATM cards and using them to withdraw money. UPDATE (10/5/06): Parkev Krmoian was indicted by a federal grand jury for allegedly using phony ATM cards made from gift cards. The case is tied to the Dollar Tree customer bank account thefts. Information Source: Dataloss DB records from this breach used in our total: 0 276 August 1, 2006 Ron Tonkin Nissan Portland, Oregon BSR UNKN Up to 16,000 affected Questions? Call: (503) 251-3349 Several months ago the car dealership experienced a security breach affecting the personal information of those who bought cars or applied for credit between 2001 and March 2006. Information Source: Dataloss DB records from this breach used in our total: 16,000 Information on 72 claimants was sold on the Internet. Data on July 29, 2006 Sentry Insurance Stevens Point, Wisconsin BSF INSD an additional 112,198 claimants was also stolen with no evidence of being sold online. Total affected is 112,270 Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges. Information Source: Dataloss DB July 28, 2006 records from this breach used in our total: 112,270 Matrix Bancorp Inc. Denver, Colorado BSF PORT Unknown (877) 250-7742 Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected. Information Source: Dataloss DB July 28, 2006 records from this breach used in our total: 0 City of Riverside, California Riverside, California GOV DISC nearly 2,000 employees The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a computer operator's error. The data was intended for the city payroll dept. Information Source: Dataloss DB July 27, 2006 records from this breach used in our total: 2,000 Kaiser Permanente Northern California Office Oakland, California MED PORT 160,000 records. Because the data file did not include SSNs, this number is not added to the total below. (866) 453-3934 277 A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members. Information Source: Dataloss DB July 27, 2006 records from this breach used in our total: 0 Los Angeles County Los Angeles, California GOV PORT Unknown In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees. Information Source: Dataloss DB records from this breach used in our total: 0 4,800 records (not July 27, 2006 Los Angeles County, Community Development Commission (CDC) Monterey Park, California GOV included in total below HACK because it is not known if SSNs were included in breached data) Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents. Information Source: Dataloss DB July 27, 2006 records from this breach used in our total: 0 Los Angeles County, Adult Protective Services Burbank, California GOV PORT Unknown Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included. Information Source: Dataloss DB records from this breach used in our total: 0 31,000 records were July 26, 2006 U.S. Navy recruitment offices Trenton, New Jersey GOV stolen, with about 4,000 containing SSNs. PORT The latter number is included in the total below. Additional location: Jersey City, NJ Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. Information Source: Dataloss DB July 26, 2006 records from this breach used in our total: 4,000 West Virginia Division of Rehabilitation Services Beckley, West Virginia GOV PORT Unknown A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected. 278 Information Source: Dataloss DB July 25, 2006 records from this breach used in our total: 0 Armstrong World Industries, Deloitte & Touche Lancaster County, Pennsylvania BSO PORT 12,000 A laptop containing personal information of current and former employers was stolen. The computer was in the possession of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited. Information Source: records from this breach used in our total: 12,000 Dataloss DB July 25, 2006 Belhaven College Jackson, Michigan EDU PORT 300 employees An employee carrying laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and SSNs of college employees. Information Source: records from this breach used in our total: 300 Dataloss DB July 25, 2006 Georgetown University Hospital Washington, District Of Columbia MED DISC between 5,600 and 23,000 patients were affected (23,000 added to total below) Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDX. Information Source: records from this breach used in our total: 23,000 Dataloss DB July 25, 2006 Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC Kansas City, Missouri BSF PORT 6,500 fund shareholders Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs. Information Source: Dataloss DB July 25, 2006 records from this breach used in our total: 6,500 Cablevision Systems Corp., ACS, FedEx Bethpage, New York BSO PORT 13,700 current and former employees Additional locations: Dallas, TX, Connecticut, New Jersey and New York A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape. Information Source: Dataloss DB records from this breach used in our total: 13,700 279 July 24, 2006 New York City Department of Homeless Services New York, New York GOV DISC 8,400 The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when accidentally sent to homeless advocates and city officials. Information Source: Dataloss DB July 18, 2006 records from this breach used in our total: 8,400 Nelnet Inc., UPS BSO Lincoln, Nebraska PORT 188,000 (800) 552-7925 A computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network between November 1, 2002 and May 31, 2006. Information Source: Dataloss DB July 18, 2006 records from this breach used in our total: 188,000 CS Stars, subsidiary of insurance company Marsh Inc. Chicago, Illinois BSF STAT 722,000 On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information. UPDATE (7/26/06): Computer was recovered. UPDATE (04/26/07): The New York Attorney General's office [221] found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed. Information Source: Security Breach Letter July 18, 2006 records from this breach used in our total: 722,000 U.S. Department of Agricultur Wellington, Kansas GOV PORT 350 Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car and later recovered. Information Source: Dataloss DB records from this breach used in our total: 350 [257,800 patients were initially notified, but an analysis by Kroll later July 17, 2006 Vassar Brothers Medical Center Poughkeepsie, New York MED PORT determined that the laptop contained no personal information. This number is not included in the total below.] (845) 483-6990 280 (845) 483-6990 Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth. UPDATE (10/5/06) Private investigators determined the laptop did not contain personally identifiable patient information. Information Source: records from this breach used in our total: 0 Dataloss DB July 16, 2006 Mississippi Secretary of State Jackson, Mississippi GOV DISC Among the 2 million postings are "thousands" containings SSNs The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs were exposed. Information Source: records from this breach used in our total: 2,000 Dataloss DB July 14, 2006 Northwestern University Evanston, Illinois EDU HACK 17,000 (888) 209-0097. http://www.northwestern.edu/newscenter/stories/2006/07/data.html [222] Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid. Information Source: records from this breach used in our total: 17,000 Dataloss DB July 14, 2006 University of Iowa Davenport, Iowa EDU PORT 280 Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs and some contact info. Information Source: records from this breach used in our total: 280 Dataloss DB July 14, 2006 California Polytechnic State University (Cal Poly) San Luis Obispo, California EDU PORT 3,020 students Call (805) 756-2226 or (805) 756-2171 Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of physics and astronomy students from 1994-2004. Information Source: records from this breach used in our total: 3,020 Security Breach Letter Over 100,000 records July 14, 2006 Hampton Circuit Court Clerk - Treasurer's computer Hampton, Virginia GOV DISC (The number containing SSNs is not known yet and not included in total below.) 281 included in total below.) Public computer in city government building containing taxpayer information was found to display SSNs of many residents -those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th. UPDATE (7/27/2006) Investigation concluded that the data was exposed due to software problem. Information Source: Dataloss DB July 13, 2006 records from this breach used in our total: 0 Moraine Park Technical College Beaver Dam, Wisconsin EDU PORT 1,500 Additional locations: Fond du Lac and West Bend, WI Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names, addresses, phone numbers & SSNs of apprenticeship students back to 1993. Information Source: Dataloss DB July 7, 2006 records from this breach used in our total: 1,500 University of Tennessee EDU Knoxville, Tennessee (866) 748-1680, http://security.tennessee.edu [223] . HACK 36,000 Additional locations: Chattanooga, Martin, Tullahoma and Memphis, TN Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies. Information Source: Dataloss DB July 7, 2006 records from this breach used in our total: 36,000 National Association of Securities Dealers (NASD) Boca Raton, Florida BSF PORT 73 Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops. Information Source: Dataloss DB July 7, 2006 records from this breach used in our total: 73 Naval Safety Center Norfolk, Virginia GOV DISC more than 100,000 SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands. Information Source: Dataloss DB July 7, 2006 records from this breach used in our total: 100,000 Montana Public Health and Human Services Department Helena, Montana MED STAT Unknown A state government computer was stolen from the office of a drug dependency program during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised. 282 Information Source: Dataloss DB July 7, 2006 records from this breach used in our total: 0 City of Hattiesburg Hattiesburg, Mississippi GOV STAT thousands of city workers and contractors (at least 2,000) Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically. Information Source: records from this breach used in our total: 2,000 Dataloss DB July 6, 2006 Automated Data Processing (ADP) Roseland, New Jersey BSO UNKN Hundreds of thousands [not included in total] Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley, Bear Stearns, Citigroup, Merrill Lynch. Information Source: Dataloss DB July 5, 2006 records from this breach used in our total: 0 Bisys Group Inc. Roseland, New Jersey BSF PORT 61,000 Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred. Information Source: records from this breach used in our total: 61,000 Dataloss DB July 1, 2006 American Red Cross, Farmers Branch Dallas, Texas NGO PORT Unknown Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005. Information Source: Dataloss DB June 30, 2006 records from this breach used in our total: 0 U.S. Department of Veteran Affairs Washington, District Of Columbia GOV PORT 16,500 A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents. UPDATE (10/11/06): The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape. Information 283 Source: Dataloss DB June 30, 2006 records from this breach used in our total: 16,500 National Institutes of Health Federal Credit Union Rockville, Maryland BSF UNKN Very few of 41,000 members affected [not included in total] NIHFCU and law enforcement are investigating the identity theft of some of its 41,000 members. No details were given on the type of information stolen, or how it was stolen. Information Source: Media June 29, 2006 records from this breach used in our total: 41,000 AllState Insurance Huntsville branch Huntsville, Alabama BSF STAT 27,000 Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen. Information Source: Dataloss DB June 29, 2006 records from this breach used in our total: 27,000 Nebraska Treasurer's Office Lincoln, Nebraska GOV HACK 309,000 A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses. Information Source: Dataloss DB June 29, 2006 records from this breach used in our total: 309,000 Minnesota Department of Revenue St. Paul, Minnesota GOV PORT 50,400 http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml [224] On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers. UPDATE (7/20/06): The package was reported delivered 2 months later, but apparently had been temporarily lost by the U.S. Postal Service. Information Source: Dataloss DB June 27, 2006 records from this breach used in our total: 50,400 Government Accountability Office (GAO) Washington, District Of Columbia GOV DISC Fewer than 1,000 [1,000 used in total] Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information. Information Source: records from this breach used in our total: 1,000 Dataloss DB 284 June 26, 2006 AAAAA Rent-A-Space Colma, California BSO DISC 13,000 Customer's account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in AAAAA's online payment system. Information Source: records from this breach used in our total: 13,000 Dataloss DB June 24, 2006 Catawba County Schools Newton, North Carolina EDU UNKN 619 On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year. UPDATE:The web site containing the data has been removed. Information Source: records from this breach used in our total: 619 Dataloss DB June 23, 2006 San Francisco State University San Francisco, California EDU PORT 3,000 www.sfsu.edu/%7Eadmisrec/reg/idtheft.html [225] A faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages. Information Source: records from this breach used in our total: 3,000 Dataloss DB June 23, 2006 U.S. Navy Washington, District Of Columbia GOV UNKN 30,000 Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers. Information Source: records from this breach used in our total: 30,000 Dataloss DB June 22, 2006 Ohio University Athens, Ohio EDU HACK 2,480 http://www.ohio.edu/datasecurity [226] A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005. Information Source: records from this breach used in our total: 2,480 Media June 22, 2006 Ohio University Athens, Ohio EDU HACK Unknown http://www.ohio.edu/datasecurity/ [227] A computer was compromised that hosted a variety of Web-based forms, including some that processed online business 285 transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. Information Source: Media June 22, 2006 records from this breach used in our total: 0 University of Kentucky Lexington, Kentucky EDU PORT 6,500 The personal data of current and former students including classroom rosters names, grades and Social Security numbers was reported stolen on May 26 following the theft of a professor's flash drive. Information Source: Dataloss DB June 22, 2006 records from this breach used in our total: 6,500 U.S. Department of Agriculture (USDA) Washington, District Of Columbia GOV HACK 26,000 http://www.firstgov.gov/usdainfo.shtml [228] During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors. Information Source: Dataloss DB June 22, 2006 records from this breach used in our total: 26,000 Federal Trade Commission (FTC) Washington, District Of Columbia GOV PORT 110 Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. Information Source: records from this breach used in our total: 110 Dataloss DB June 21, 2006 Cumberland County Emergency Medical Service Fayetteville, North Carolina MED PORT 24,350 Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. Information Source: Dataloss DB June 21, 2006 records from this breach used in our total: 24,350 Lancaster General Hospital Lancaster, Pennsylvania Hundreds of local EDU STAT physicians (at least 200) Date of letter sent to doctors: June 21, 2006 Date of news story: July 28, 2006 A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff. 286 Information Source: records from this breach used in our total: 200 Security Breach Letter June 20, 2006 Equifax Atlanta, Georgia BSF PORT 2,500 On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee. Information Source: Dataloss DB June 20, 2006 records from this breach used in our total: 2,500 University of Alabama Birmingham, Alabama EDU STAT 9,800 In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information. Information Source: Dataloss DB June 18, 2006 records from this breach used in our total: 9,800 ING U.S. Financial Services Miami, Florida BSF PORT 13,000 Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers. Information Source: records from this breach used in our total: 13,000 Dataloss DB June 18, 2006 ING U.S. Financial Services Washington, District Of Columbia BSF PORT 13,000 A laptop was stolen from an employee's home. It contained retirement plan information including Social Security numbers of D.C. city employees. Information Source: records from this breach used in our total: 13,000 Dataloss DB June 17, 2006 Western Illinios University Macomb, Illinois EDU HACK 180,000 http://www.wiu.edu/securityalert/ [229] On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University. UPDATE (7/5/06): Number affected reduced from 240,000. Information Source: Dataloss DB records from this breach used in our total: 180,000 287 June 17, 2006 Automatic Data Processing (ADP) Roseland, New Jersey BSO DISC 80 Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party. Information Source: Dataloss DB June 17, 2006 records from this breach used in our total: 80 California Department of Health Services (CDHS) Sacramento, California GOV PHYS 1,550 http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html [230] On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a California Dept. of Health Services employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members. Information Source: records from this breach used in our total: 1,550 Dataloss DB June 16, 2006 Union Pacific Omaha, Nebraska BSO PORT 30,000 On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers. Information Source: records from this breach used in our total: 30,000 Dataloss DB June 16, 2006 New York State Controller's Office Albany, New York GOV PORT 1,300 A state controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses. Information Source: records from this breach used in our total: 1,300 Dataloss DB June 16, 2006 California Department of Health Services (CDHS) Sacramento, California GOV PHYS 1,550 http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html [230] CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded. The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes. Information Source: Dataloss DB June 14, 2006 records from this breach used in our total: 1,550 American International Group (AIG), Indiana Office of Medical Excess, LLC New York, New York BSF STAT 930,000 The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information. 288 UPDATE (1/12/2010) A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation. Information Source: records from this breach used in our total: 930,000 Dataloss DB June 13, 2006 Minnesota State Auditor St. Paul, Minnesota GOV PORT 493 Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing. Information Source: records from this breach used in our total: 493 Dataloss DB June 13, 2006 Oregon Department of Revenue Salem, Oregon GOV HACK 2,200 Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee who downloaded a contaminated file from a porn site. The trojan attached to the file may have sent taxpayer information back to the source when the computer was turned on. Information Source: Dataloss DB June 13, 2006 records from this breach used in our total: 2,200 U.S. Dept of Energy, Hanford Nucear Reservation Richland, Washington GOV UNKN 4,000 Current and former workers at the Hanford Nuclear Reservation were notified that their personal information may have been compromised, after police found a 1996 list with workers' names, Social Security numbers, birth dates, work titles, assignments, and telephone numbers in a home during an unrelated investigation. Information Source: records from this breach used in our total: 4,000 Dataloss DB June 11, 2006 Denver Election Commission Denver, Colorado GOV PHYS 150,000 Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information. Information Source: Dataloss DB June 11, 2006 records from this breach used in our total: 150,000 Adams State College Alamosa, Colorado EDU PORT 184 Upward Bound students 289 A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data. Information Source: records from this breach used in our total: 184 Dataloss DB June 8, 2006 University of Michigan Credit Union Ann Arbor, Michigan BSF PHYS 5,000 Paper documents containing personal information of credit union members were stolen from a storage room. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft. Information Source: Dataloss DB June 6, 2006 records from this breach used in our total: 5,000 University of Texas at El Paso El Paso, Texas EDU HACK 4,719 Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers. Information Source: Dataloss DB June 6, 2006 records from this breach used in our total: 4,719 U.S. Department of Energy Washington, District Of Columbia GOV HACK 1,502 Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, NM eight months prior to press releases. Information Source: Dataloss DB June 5, 2006 records from this breach used in our total: 1,502 U.S. Internal Revenue Service (IRS) Washington, District Of Columbia GOV PORT 291 A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight Information Source: Security Breach records from this breach used in our total: 291 Letter June 3, 2006 Buckeye Community Health Plan Columbus, Ohio MED PORT 72,000 Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. Information Source: records from this breach used in our total: 72,000 Dataloss DB 290 June 3, 2006 Humana Louisville, Kentucky MED DISC 17,000 current and former Medicare enrollees Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. Information Source: records from this breach used in our total: 17,000 Dataloss DB June 2, 2006 Ahold USA, parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems (EDS) Landover, Maryland BSR PORT Unknown Additional location: Plano, TX An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts. Information Source: Dataloss DB June 1, 2006 records from this breach used in our total: 0 Miami University Oxford, Ohio EDU PORT 851 An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006. Information Source: Dataloss DB June 1, 2006 records from this breach used in our total: 851 Ernst & Young New York, New York BSO PORT 243,000 Additional locations: Throughout the US and UK. Breach occurred in Texas. A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas. Information Source: Media June 1, 2006 records from this breach used in our total: 243,000 University of Kentucky Lexington, Kentucky EDU DISC 1,300 Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days in May. Information Source: Dataloss DB June 1, 2006 records from this breach used in our total: 1,300 YMCA of Greater Providence Providence, Rhode Island NGO PORT 65,000 A laptop computer containing personal information of members was stolen. The information included credit card and debit 291 card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. Those affected were notified. Information Source: Dataloss DB May 31, 2006 records from this breach used in our total: 65,000 Texas Guaranteed Student Loan Corp. via subcontractor Hummingbird Round Rock, Texas BSF UNKN 1,300,000 plus 400,000 for total of 1,700,000 Additional location: Toronto, Canada Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers. UPDATE (6/16/06):TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million. Information Source: Dataloss DB May 30, 2006 records from this breach used in our total: 1,700,000 Florida International University Miami, Florida EDU HACK Unknown Hacker accessed a database that contained personal information on thousands of individuals, such as student and applicant names and Social Security numbers. Information Source: Dataloss DB May 25, 2006 records from this breach used in our total: 0 VyStar Credit Union Jacksonville, Florida BSF HACK 34,400 Hacker gained access to member accounts a and stole personal information including names, addresses, birth dates, mother's maiden names, Social Security numbers and/or email addresses. Less than 10% of VyStar's 344,000 members were affected. Information Source: records from this breach used in our total: 34,400 Dataloss DB May 24, 2006 Sacred Heart University Fairfield, Connecticut EDU HACK Unknown It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached. The University did not immediately release information on who the breach affected. Information Source: records from this breach used in our total: 0 Dataloss DB May 23, 2006 University of Delaware Newark, Delaware EDU HACK 1,076 A security breach of a Department of Public Safety computer server potentially exposed names, Social Security numbers and driver's license numbers. Individuals whose personal information was compromised were contacted. Information 292 Source: records from this breach used in our total: 1,076 Dataloss DB May 23, 2006 Butler County Department of Mental Retardation & Developmental Disabilities Cincinnati, Ohio NGO PORT 100 clients In April, three laptop computers were stolen from the agency's office. They contained personal information on mental health clients, including Social Security numbers. Those affected were contacted in May. Information Source: records from this breach used in our total: 100 Dataloss DB May 23, 2006 Mortgage Lenders Network USA Middletown, Connecticut BSF INSD 231,000 A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information - including customers' names, addressess, Social Security numbers, loan numbers, and loan types - if the company didn't pay him. He stole the files over the 16 months he worked there. Information Source: Dataloss DB May 22, 2006 records from this breach used in our total: 231,000 U.S. Department of Veterans Affairs Washington, District Of Columbia GOV PORT 26,500,000 (800) 827-1000 On May 3, data of all American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 milliion veterans. The data did not contain medical or financial information, but may have disability numerical rankings. UPDATE (6/29/06): The stolen laptop computer and the external hard drive were recovered. UPDATE (7/14/06): FBI claims no data had been taken from stolen computer. UPDATE(8/5/06): Two teens were arrested in the theft of the laptop. UPDATE (8/25/06): In an Aug. 25 letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for patterns of misuse. UPDATE (11/23/07): A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. The lawsuits have been filed as potential class-action cases representing every veteran whose data was released. UPDATE (1/23/09): The Department of Veterans Affairs has agreed to pay $20 million to current and former military personnel to settle a class action lawsuit. UPDATE (6/16/09): No less than $75 will be paid for any valid claim, up to a cap of $1,500. If your expenses were higher than that, you might want to opt out of the class-action portion so you can file for your actual damages. In that case, you need to file a letter so it is received by June 29, 2009. You have until Nov. 27, 2009, to mail your claim form to VA Settlement Claims, P.O. Box 6727, Portland, OR 97228-9767. Be sure to keep a copy of the claim form, along with your proof of mailing. To download the claim form and to get more information, go to www.veteransclass.com [231] . Read the FAQ and note the particulars on out-of-pocket expenses and actual damages. You also can call (888) 288-9625. Information Source: records from this breach used in our total: 26,500,000 Dataloss DB May 18, 2006 American Red Cross, St. Louis Chapter St. Louis, Missouri NGO INSD 1,000,000 A dishonest employee had access to Social Security numbers of donors. The database was used to call previous donors 293 and urge them to give blood again. The employee misused the personal information of at least three people to perpetrate identity theft and had access to the personal information of one million donors. Information Source: Dataloss DB May 17, 2006 records from this breach used in our total: 1,000,000 M &T Bank via contractor PFPC Buffalo, New York BSF PORT Unknown A laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name. Information Source: records from this breach used in our total: 0 Security Breach Letter May 16, 2006 American Institute of Certified Public Accountants (AICPA) New York, New York NGO PORT 330,000 [Updated 6/16/06] An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members. Information Source: Dataloss DB May 12, 2006 records from this breach used in our total: 330,000 Mercantile Potomac Bank Gaithersburg, Maryland BSF PORT 48,000 A laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates. The bank contacted affected customers and offered them one year of free credit monitoring services. Information Source: Dataloss DB May 11, 2006 records from this breach used in our total: 48,000 Ohio University Hudson Health Center Athens, Ohio MED HACK 60,000 http://www.ohio.edu/datasecurity [226] Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. Information Source: Dataloss DB May 5, 2006 records from this breach used in our total: 60,000 Wells Fargo San Francisco, California BSF STAT Unknown A computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another. Information 294 Source: Dataloss DB May 4, 2006 records from this breach used in our total: 0 Idaho Power Company Boise, Idaho BSO PORT Unknown Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO. Information Source: Dataloss DB May 2, 2006 records from this breach used in our total: 0 Ohio University Innovation Center Athens, Ohio EDU HACK 35 http://www.ohio.edu/datasecurity [226] A server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised. Information Source: Dataloss DB May 2, 2006 records from this breach used in our total: 35 Ohio University Athens, Ohio EDU HACK 300,000 http://www.ohio.edu/datasecurity/ [227] Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum. UPDATE (8/30/07) : An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated. Information Source: records from this breach used in our total: 300,000 Dataloss DB May 2, 2006 Georgia State Government Atlanta, Georgia GOV STAT Unknown Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens. The State stopped selling the computers after being notified by a buyer. Thousands of patient records from a psychiatric hospital in Rome, Georgia were found on one computer's hard drive. Information Source: Dataloss DB April 28, 2006 records from this breach used in our total: 0 Ohio Secretary of State Cleveland, Ohio GOV DISC Potentially millions of registered voters The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CDROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained Social Security numbers, which were not supposed to have been included on the CDs. UPDATE (9/15/06): A news report said that some Social Security numbers still remain on the agency's Web site. 295 Information Source: Dataloss DB April 28, 2006 records from this breach used in our total: 0 U.S. Department of Defense Washington, District Of Columbia GOV HACK Unknown Hacker accessed a Tricare Management Activity (TMA) public server containing personal information about military employees. Information Source: Dataloss DB April 27, 2006 records from this breach used in our total: 0 Long Island Railrad via contractor Iron Mountain Jamaica, New York GOV PORT 17,000 Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of virtually everyone who worked for or currently works for the agency were lost. The lost occurred during delivery by contractor Iron Mountain. Data tapes belonging to the U.S. Department of Veteran's Affairs may also have been affected. Information Source: Dataloss DB April 26, 2006 records from this breach used in our total: 17,000 Purdue University West Lafayette, Indiana EDU HACK 1,351 A hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships. The information compromised goes back three years prior to the incident. Those who were affected were contacted. Information Source: records from this breach used in our total: 1,351 Dataloss DB April 26, 2006 Aetna, Omni Hotels and the Department of Defense NAF Hartford, Connecticut MED PORT 38,253 A laptop containing personal information including names, addresses and Social Security numbers of Department of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car. Members were notified and Aetna offered to pay for the credit monitoring services of those who were affected. Information Source: Dataloss DB April 23, 2006 records from this breach used in our total: 38,253 University of Texas McCombs School of Business Austin, Texas EDU HACK 197,000 Foreign hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members. Information Source: Dataloss DB April 21, 2006 records from this breach used in our total: 197,000 University of Alaska, Fairbanks Fairbanks, Alaska EDU HACK 38,941 296 A hacker had access to names, Social Security numbers, and partial e-mail addresses of current and former students, faculty, and staff. The University reported that it would not contact those affected after a first and second notification. Anyone claiming to be from the University after these notifications should be viewed with suspicion. Information Source: records from this breach used in our total: 38,941 Dataloss DB April 21, 2006 Boeing Seattle, Washington BSO PORT 3,600 current and former employees A laptop was taken from a Boeing human resources employee at Sea-Tac airport. It contained Social Security numbers and other personal information, including personnel information from the 2000 acquisition of Hughes Space and Communications. Information Source: Dataloss DB April 14, 2006 records from this breach used in our total: 3,600 NewTech Imaging BSO Honolulu, Hawaii INSD 40,000 Records containing the names, Social Security numbers and birth dates of more than 40,000 members of Voluntary Employees Benefit Association of Hawaii were illegally reproduced at a copying business before they were to be put onto a compact disc for the State. Police later found the data on a computer that had been confiscated as part of a drug investigation. Those who were on the list and Hawaii Government Employees Association and United Public Workers members who were enrolled in union-sponsored health and group life insurance plans between July and December 1999 were warned. Investigators were only able to speculate that the theft may have occurred in February of 2005. Information Source: Dataloss DB April 14, 2006 records from this breach used in our total: 40,000 Unviersity of South Carolina Columbia, South Carolina EDU DISC 1,400 A department chair distributing information about summer courses sent an email containing sensitive information. A database containing Social Security numbers of students was mistakenly added as an attachment and e-mailed to classmates. Information Source: Dataloss DB April 12, 2006 records from this breach used in our total: 1,400 Ross-Simons Providence, Rhode Island BSR HACK Unknown A security breach exposed account and personal information of those who applied for Ross-Simons' private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants. Information Source: Dataloss DB April 9, 2006 records from this breach used in our total: 0 University of Medicine and Dentistry of New Jersey Newark, New Jersey EDU HACK 1,850 Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. 297 Information Source: Dataloss DB April 7, 2006 records from this breach used in our total: 1,850 DiscountDomainRegistry.com Brooklyn, New York BSO DISC thousands of domain name registrations Domain name registrants' personal information including user names, passwords and credit card numbers was accessible online. The information may have been exposed online for four months. Information Source: Dataloss DB April 6, 2006 records from this breach used in our total: 1,000 Progressive Casualty Insurance Mayfield Village, Ohio BSF INSD 13 A dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying. Information Source: Dataloss DB April 1, 2006 records from this breach used in our total: 13 Con Edison New York, New York BSO PORT 15,000 Con Edison employees Con Edison shipped two cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost and contained employees' W-2 data, including names, addresses, Social Security numbers, taxes paid and salaries. Information Source: Dataloss DB March 30, 2006 records from this breach used in our total: 15,000 U.S. Marine Corp Monterey, California GOV PORT 207,750 A portable drive containing the personal information of Marines was lost in a campus computer lab. The lost drive was being used for research on Marine re-enlistment bonuses and contained names, Social Security numbers, marital status, and enlistment contract details. Enlisted marines on active duty between January 2001 and December of 2005 were affected. The University notified those whose information may have been compromised. Information Source: records from this breach used in our total: 207,750 Dataloss DB March 30, 2006 Georgia Technology Authority (GTA) Atlanta, Georgia GOV HACK 573,000 Hackers exploited a security flaw to gain access to confidential information including Social Security numbers and bankaccount details of state pensioners. The State only had contact information for 180,000 of those affected and relied on media coverage to get the word out to others. Information Source: Dataloss DB records from this breach used in our total: 573,000 Connecticut Technical High School System 298 March 30, 2006 Connecticut Technical High School System Middletown, Connecticut EDU DISC 1,250 Social Security numbers of faculty and administrators were mistakenly distributed via email to staff. The email went to 17 principals; at least one forwarded the email to her staff of 77. Those affected were contacted. Information Source: Dataloss DB March 24, 2006 records from this breach used in our total: 1,250 California State Employment Development Division Sacramento, California GOV DISC 64,000 A computer glitch sent state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft. Information Source: Dataloss DB March 24, 2006 records from this breach used in our total: 64,000 Vermont State Colleges Waterbury, Vermont EDU PORT 14,000 Note: there are several locations in Vermont. We list the Office of the Chancellor as the primary location. A laptop containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system was stolen. It contained information from as long ago as 2000. Information Source: Dataloss DB March 23, 2006 records from this breach used in our total: 14,000 Fidelity Investments Boston, Massachusetts BSF PORT 196,000 A laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen. Fidelity contacted the customers and paid for one year of credit monitoring services. Fidelity also pledged to pay for unauthorized transactions in pensions or retirement accounts that occurred due to the theft. Information Source: records from this breach used in our total: 196,000 Security Breach Letter March 16, 2006 Bananas.com San Rafael, California BSR HACK 274 A hacker accessed names, addresses, phone numbers and credit card numbers of customers. The breach occurred in February and someone on the Internet began selling personal information shortly after. Affected customers were notified in March. Information Source: Dataloss DB March 14, 2006 records from this breach used in our total: 274 General Motors (GM) Detroit, Michigan BSO INSD 100 A former security guard kept Social Security numbers of co-workers to perpetrate identity theft. The disgruntled former employee sent harassing emails to employees after gaining access to personal information including the types of cars they drove. 299 Information Source: records from this breach used in our total: 100 Dataloss DB March 14, 2006 Buffalo Bisons and Choice One Online Buffalo, New York BSO HACK Unknown A hacker accessed sensitive financial information including the credit card numbers names, and passwords of customers who ordered items online. The Bisons mailed letters to affected customers and notified American Express, MasterCard, Discover, and Visa. Information Source: Dataloss DB March 11, 2006 records from this breach used in our total: 0 California Department of Consumer Affairs (DCA) Sacramento, California GOV PHYS A small number Mailed applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks. Information Source: Dataloss DB March 8, 2006 records from this breach used in our total: 0 Verizon Communications New York, New York BSO PORT Significant number Two laptops containing employees' personal information including Social Security numbers were stolen. Verizon is offering affected employees free use of a credit monitoring service. Information Source: Dataloss DB March 8, 2006 records from this breach used in our total: 0 iBill [disputed] Deerfield Beach, Florida BSF UNKN 17,781,462 (SSNs and financial information not involved) A dishonest insider or possibly malicious software linked to iBill was used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, login names and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and Social Security numbers were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information. Whether iBill is the source of the breach has been disputed [232] . Information Source: Dataloss DB March 5, 2006 records from this breach used in our total: 0 Georgetown University Washington, District Of Columbia EDU HACK 41,000 A server was attacked that housed personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging. Georgetown managed the server as part of a grant to manage information services provided by the D. C. Office of Aging. Information Source: Dataloss DB records from this breach used in our total: 41,000 300 March 3, 2006 Metropolitan State College of Denver (MSCD) Denver, Colorado EDU PORT 93,000 http://www.mscd.edu/securityalert/ [189] A laptop containing student information was stolen. The information included names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester. Information Source: Security Breach Letter March 2, 2006 records from this breach used in our total: 93,000 Olympic Funding Chicago, Illinois BSF UNKN Unknown Three hard drives containing clients' names, Social Security numbers, addresses and phone numbers stolen during a break in. Information on the drives was protected via password and security software. The business owner sent letters to his clients alerting them of the theft. Information Source: records from this breach used in our total: 0 Dataloss DB March 2, 2006 Los Angeles County Department of Social Services Los Angeles, California GOV PHYS Potentially 2,000,000 File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W2, and date of birth were left unattended for at least one month. This affects employees and clients. Information Source: records from this breach used in our total: 2,000,000 Dataloss DB March 2, 2006 Hamilton County Clerk of Courts Cincinnati, Ohio GOV DISC [1,300,000] Not included in number below. Social Security numbers, and other personal data of residents was posted on the County's website. Some information was stolen and used to commit identity theft. UPDATE (9/28/06):An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000. The Web site now blocks access to court documents containing personal information. Information Source: records from this breach used in our total: 100 Dataloss DB March 1, 2006 Medco Health Solutions Columbus, Ohio MED PORT 4,600 A laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories was stolen from an employee. The theft occurred in December and Medco contacted Ohio officials in February. The company agreed to provide free credit monitoring and fraud alert services for the affected families for one year. Information Source: Dataloss DB records from this breach used in our total: 4,600 301 February 23, 2006 Deloitte & Touche, McAfee , BSO PORT 9,290 Deloitte & Touche is an international organization with multiple locations throughout the United States. An external auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. Three thousand current employees and 6,000 former employees were affected. Current and former employees received two years of free credit monitoring services from Equifax. Information Source: records from this breach used in our total: 9,290 Dataloss DB February 18, 2006 University of Northern Iowa Cedar Falls, Iowa EDU HACK 6,000 A laptop computer holding W-2 forms of student employees and faculty was illegally accessed. The University warned students and faculty to monitor their bank accounts. Information Source: records from this breach used in our total: 6,000 Dataloss DB February 17, 2006 California Department of Corrections, Pelican Bay State Prison Sacramento, California GOV INSD Unknown Inmates gained access to files stored in a warehouse. The files contained employees' Social Security numbers, birth dates and pension account information. Information Source: records from this breach used in our total: 0 Dataloss DB February 17, 2006 Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen) Lewiston, New York MED PORT 17,000 Two laptops containing dates of birth, addresses and Social Security numbers of patients were stolen in an armed robbery in New Jersey. The laptops and sensitive files were password protected. The Hospital contacted those whose information may have been compromised. Information Source: Dataloss DB February 16, 2006 records from this breach used in our total: 17,000 Blue Cross and Blue Shield Jacksonville, Florida MED INSD 27,000 A contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies. A judge ordered the former computer consultant to reimburse the Jacksonville-based health insurer $580,000 for expenses related to his theft. Information Source: Dataloss DB February 15, 2006 records from this breach used in our total: 27,000 U.S. Department of Agriculture (USDA) Washington, District Of Columbia GOV DISC 350,000 The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act. Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers. 302 Information Source: records from this breach used in our total: 350,000 Dataloss DB February 15, 2006 Old Dominion University Norfolk, Virginia EDU DISC 601 An instructor posted a class roster containing names and Social Security numbers to a publicly accessible website. The information was posted during the spring semester of 2004. Letters were sent to affected students which contained websites where the students could check to see if they had been victims of identity theft. Information Source: Dataloss DB records from this breach used in our total: 601 38,000 BP employees February 13, 2006 Ernst & Young New York, New York BSO PORT in U.S. in addition to Sun, Cisco and IBM employees. Additional locations: Throughout the US and UK A laptop was stolen from an employee's car. It contained customers' personal information including Social Security numbers. Information Source: Security Breach Letter February 13, 2006 records from this breach used in our total: 38,000 Ernst & Young New York, New York BSO PORT Unknown Additional locations: Throughout the US and UK A laptop was stolen from a locked car containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees. While Ernst and Young waited until pressured to inform a majority of those affected about the breach, at least one CEO from the affected companies was contacted immediatel. Information Source: records from this breach used in our total: 0 Dataloss DB February 9, 2006 OfficeMax and perhaps other businesses including Sam's Club , BSR HACK 200,000, although total number is unknown. Debit card accounts and pin numbers from bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo) were exposed. The crooks created counterfeit cards to make fraudulent purchases and withdrawals from cardholder accounts. UPDATE (3/14/06) New Jersey law enforcement arrested 14 people connected to the crime spree. Information Source: Dataloss DB February 6, 2006 records from this breach used in our total: 200,000 Prudential Financial Inc. Newark, New Jersey BSF DISC 1,000 303 A health insurer claims data were erroneously faxed to a company in Canada by doctors and clinics across the U.S.. Data included the patients' Social Security numbers, bank account details and health care information. Information Source: Media February 4, 2006 records from this breach used in our total: 1,000 FedEx , BSO DISC 8,500 W-2 forms including other workers' tax information such as Social Security numbers and salaries were sent out to employees. Information Source: Dataloss DB February 1, 2006 records from this breach used in our total: 8,500 Blue Cross and Blue Shield of North Carolina Durham, North Carolina BSO DISC 629 Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance plan. Those who were affected were contacted immediately. Information Source: Dataloss DB records from this breach used in our total: 629 Boston Globe (The New York Times Company) and The Worcester Telegram & January 31, 2006 Gazette Boston, Massachusetts BSO DISC 240,000 potentially exposed Recycled paper used in wrapping newspaper bundles for distribution turned out to contain credit and debit card information along with routing information for personal checks of subscribers. Information Source: records from this breach used in our total: 240,000 Dataloss DB January 31, 2006 Honeywell International Morristown, New Jersey BSO UNKN 19,000 Personal information of current and former employees including Social Security numbers and bank account information was posted on an Internet Web site. It was not known whether this was the result of a malicious insider or an administrative error. Current and former employees whose information was compromised were informed immediately and offered free credit monitoring and identity theft insurance. Information Source: Dataloss DB January 27, 2006 records from this breach used in our total: 19,000 State of Rhode Island website (www.RI.gov) Providence, Rhode Island GOV HACK 4,118 Hackers obtained credit card information in conjunction with names and addresses. The credit card companies were notified of the breach, but not the customers. Information Source: Dataloss DB records from this breach used in our total: 4,118 304 January 25, 2006 Providence Home Services Portland, Oregon MED PORT 365,000 Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen. UPDATE (9/26/06) Providence Health System and the Oregon Attorney General [233] have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs. UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years Information Source: records from this breach used in our total: 365,000 Dataloss DB January 24, 2006 University of Washington Medical Center Seattle, Washington MED PORT 1,600 Laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data were stolen from a UW office. The information was password protected and the affected patients were notified. Information Source: records from this breach used in our total: 1,600 Dataloss DB January 23, 2006 University of Notre Dame Notre Dame, Indiana EDU HACK Unknown Hackers may have accessed Social Security numbers, credit card information and check images of people who donated to the University between November 22 of 2005 and January 12 of 2006. Information Source: records from this breach used in our total: 0 Dataloss DB January 21, 2006 California Army National Guard Sacramento, California GOV PHYS hundreds of officers (at least 200) A briefcase with personal information of National Guardsmen including a seniority roster, Social Security numbers and dates of birth was stolen from the car of an employee. A memo was sent to National Guard soldiers. Information Source: Dataloss DB January 20, 2006 records from this breach used in our total: 200 Indiana University, University Place Conference Center & Hotel Indianapolis, Indiana BSO HACK Unknown The computer housing the reservations data base was compromised. Data included credit card account numbers and names. Information Source: Security Breach records from this breach used in our total: 0 305 Letter January 17, 2006 City of San Diego, Water & Sewer Department San Diego, California GOV INSD Unknown A dishonest employee accessed customer account files, including Social Security numbers, and stole the identities of two individuals. Information Source: Media January 12, 2006 records from this breach used in our total: 0 People's Bank Bridgeport, Connecticut BSF PORT 90,000 A computer tape containing names, addresses, Social Security numbers, and checking account numbers was lost while being transported by UPS. The bank alerted the affected customers and provided them with a credit monitoring service for one year. Information Source: Dataloss DB January 2, 2006 records from this breach used in our total: 90,000 H&R Block Kansas City, Missouri BSO DISC Unknown H&R Block included Social Security numbers in a 40-digit number string on mailing labels. Affected individuals were contacted. Information Source: Dataloss DB January 1, 2006 records from this breach used in our total: 0 University of Pittsburgh Medical Center, Squirrel Hill Family Medicine MED Pittsburgh, Pennsylvania STAT 700 Six computers containing names, Social Security numbers, and birth dates of patients were stolen from doctors' offices. A letter was sent notifying the affected patients. Information Source: Dataloss DB December 25, 2005 records from this breach used in our total: 700 Ameriprise Financial Inc. BSF Minneapolis, Minnesota PORT 260,000 (877) 267-7408 A laptop was stolen from an employee's car Christmas eve. It contained customers' names and Social Security numbers and in some cases, Ameriprise account information. UPDATE (08/06): The laptop was recovered by local law enforcement in the community where it was stolen. UPDATE (12/11/06): The company settled with the Massachusetts securities regulator in the office of the Secretary of State. Ameriprise agreed to hire an independent consultant to review its policies and procedures for employees' and contractors' use of laptops containing personal information. Ameriprise will pay the state regulator $25,000 for the cost of the investigation. Information Source: records from this breach used in our total: 260,000 Dataloss DB 306 December 22, 2005 Ford Motor Co. Dearborn, Michigan BSO STAT 70,000 A computer containing names and Social Security numbers of current and former employees was stolen. Ford alerted those who were affected and offered to pay for their credit monitoring services. Information Source: records from this breach used in our total: 70,000 Dataloss DB December 22, 2005 H&R Block Kansas City, Missouri BSO DISC Unknown Many past and present customers received unsolicited copies of the program TaxCut that displayed their Social Security numbers on the outside, embedded in a lengthy string of code. Information Source: records from this breach used in our total: 0 Security Breach Letter December 20, 2005 Guidance Software, Inc. BSO Pasadena, California HACK 3,800 A hacked database exposed credit card numbers of law enforcement officials and network security professionals. The company is a leading provider of software used to diagnose hacked attacks. UPDATE (4/3/07): The FTC came to a settlement agreement and final consent order [234] against Guidance Software. Information Source: Dataloss DB December 16, 2005 records from this breach used in our total: 3,800 La Salle Bank, ABN AMRO Mortgage Group, DHL Ann Arbor, Michigan BSF PORT [2,000,000] Not included in total below. A backup tape with residential mortgage customers' information was lost in shipment by DHL. It contained Social Security numbers and account information. UPDATE (12/20/05): DHL found the lost tape. Information Source: Security Breach Letter December 16, 2005 records from this breach used in our total: 0 Colorado Technical University (CTU) Colorado Springs, Colorado EDU DISC 300 An email was erroneously sent which contained names, phone numbers, email addresses, Social Security numbers and class schedules. Information Source: Security Breach records from this breach used in our total: 300 Letter December 12, 2005 Sam's Club, a division of Wal-Mart Stores, Inc Bentonville, Arkansas BSR UNKN Unknown Note: location is corporate headquarters, not necessarily the location of the breach. 307 Customers who used credit cards at the wholesaler's gas stations discovered fraudulent activity on their credit accounts. Sam's Club is unaware of how the information was stolen. Visa alerted the affected financial institutions and asked them to provide fraud monitoring services for the affected customers. Information Source: Dataloss DB December 12, 2005 records from this breach used in our total: 0 Iowa State University Ames, Iowa EDU HACK 5,500 Two ISU computers were hacked. One held 2,500 encrypted credit card numbers. The second contained employee information of more than 3,000 employees. Information Source: Dataloss DB December 7, 2005 records from this breach used in our total: 5,500 Idaho State University, Office of Institutional Research Pocatello, Idaho EDU HACK Unknown Contact: Information Technology Services (208) 282-2872, http://www.isu.edu/announcement/ [235] ISU discovered a security breach in a server containing archival information about students, faculty, and staff, including names, Social Security numbers, birth dates, and grades. Anyone who was a student or employee between 1995 and 2005 could be affected. Information Source: Dataloss DB December 6, 2005 records from this breach used in our total: 0 Washington State Employment Security Department Olympia, Washington GOV PORT 530 A laptop was stolen from the trunk of an auditor's car. Names, Social Security numbers and earnings of former employees from 2002 to 2005 were exposed. The Employment Security Department does not have all of the contact information for those affected and used the media to help notify those whose information was compromised. The laptop contained unemployment insurance reports for 49 Seattle businesses that were undergoing routine audits by Employment Security between November 2004 and October 2005.. Information Source: Dataloss DB December 2, 2005 records from this breach used in our total: 530 Cornell University Ithaca, New York EDU HACK 900 The University discovered a security breach last summer that exposed names, addresses, Social Security numbers, bank names and account numbers. Information Source: Dataloss DB December 1, 2005 records from this breach used in our total: 900 First Trust Bank Memphis, Tennessee BSF PORT 100,000 A man claiming to be a janitor bypassed security and stole a laptop from the bank. The laptop contained Social Security numbers and other personal information of current and former customers. Affected customers were contacted and the theft was caught on tape. 308 Information Source: records from this breach used in our total: 100,000 Dataloss DB December 1, 2005 University of San Diego San Diego, California EDU HACK 7,800 Hackers gained access to computers containing personal income tax data, including Social Security numbers, names, and addresses. Faculty members, students and vendors had their information compromised and were notified by the University. Information Source: records from this breach used in our total: 7,800 Dataloss DB November 19, 2005 Boeing Chicago, Illinois BSO PORT 161,000 A laptop containing names, Social Security numbers, bank account information and other human resources data was stolen. Affected current and former employees were notified. Information Source: records from this breach used in our total: 161,000 Dataloss DB November 11, 2005 Georgia Tech University Office of Enrollment Services Atlanta, Georgia EDU STAT 13,000 On October 16 of 2005 computers were stolen from campus which contained the names, Social Security numbers, addresses and birth dates of current and prospective students. Notifications were sent to those who were affected. Information Source: records from this breach used in our total: 13,000 Dataloss DB November 11, 2005 Scottrade Troy Group Santa Ana, California BSF HACK Unknown A hacker compromised a server containing names, Social Security numbers, driver's licenses, state ID numbers, dates of birth, phone numbers, bank names, bank codes, bank account numbers and Scottrade account numbers. Scottrade alerted all affected customers. Information Source: Dataloss DB November 10, 2005 records from this breach used in our total: 0 State of California - Department of Corrections and Rehabilitations (CDCR) Parole Outpatient Clinic MED PORT Unknown Sacramento, California On or around June 18, 2005 a laptop computer was stolen with information on parolees. It was unclear from the letter we recieved whether Social Security numbers were involved. Information Source: records from this breach used in our total: 0 Security Breach Letter November 9, 2005 TransUnion Credit Bureau Chester, Pennsylvania BSF STAT 3,623 A desktop containing Social Security numbers and other information was stolen from a regional sales office in California. 309 A desktop containing Social Security numbers and other information was stolen from a regional sales office in California. Affected consumers were notified and offered one year of free credit monitoring services. Information Source: Dataloss DB November 5, 2005 records from this breach used in our total: 3,623 Safeway, Hawaii Pleasanton, California 1,400 in Hawaii, BSR PORT perhaps more elsewhere Additional locations: Hawaii (where affected employees work). Laptop was stolen from a private home in California. A division director's laptop was stolen. Names and Social Security numbers of some Hawaii workers were compromised by the theft. The theft occurred in August and letters were sent to affected employees in October. Information Source: records from this breach used in our total: 1,400 Dataloss DB November 4, 2005 Keck School of Medicine, University of Southern California (USC) Los Angeles, California EDU STAT 50,000 A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a campus computer room. Information Source: records from this breach used in our total: 50,000 Security Breach Letter November 1, 2005 University of Tennessee Medical Center Knoxville, Tennessee MED PORT 3,800 A laptop was stolen from the University's medical billing office. Personal information lost included names, Social Security numbers and birth dates. Affected patients were not informed of the theft for nearly two months. Information Source: Dataloss DB October 21, 2005 records from this breach used in our total: 3,800 Wilcox Memorial Hospital Lihue, Hawaii MED PORT 130,000 A backup computer data drive containing medical record numbers, addresses, names and Social Security numbers of current and former patients was lost. Letters have been sent to affected patients. Information Source: Dataloss DB October 15, 2005 records from this breach used in our total: 130,000 Montclair State University Montclair, New Jersey EDU DISC 9,100 Names and Social Security numbers of undergraduates were posted online for nearly four months. An undergraduate alerted the University after running a Google.com search of his name. The University warned all students of the problem. Information Source: Dataloss DB records from this breach used in our total: 9,100 310 October 12, 2005 Ohio State University Medical Center Columbus, Ohio MED DISC 2,800 Appointment information including Social Security numbers, birth dates, addresses, phone numbers, medical record numbers, reasons for appointments, and physicians was exposed online. Information Source: Security Breach Letter September 29, 2005 records from this breach used in our total: 2,800 University of Georgia Athens, Georgia EDU HACK At least 1,600 A hacker may have accessed names and Social Security numbers of people working for the College of Agricultural and Environmental Sciences. The University is attempting to contact individuals who may have been affected. Information Source: Dataloss DB September 28, 2005 records from this breach used in our total: 1,600 RBC Dain Rauscher Minneapolis, Minnesota BSF INSD 100+ customers' records compromised out of 300,000 Someone claiming to be a former employee obtained customer names, addresses, tax ID number, birth date and Dain Rauscher account number. Letters were sent to customers claiming that their personal information had been sold in retaliation against the company. Information Source: Dataloss DB September 23, 2005 records from this breach used in our total: 100 Bank of America Charlotte, North Carolina BSF PORT Not disclosed A laptop was stolen from a Bank of America service provider. Information such as names, account numbers, routing transit numbers, and credit card numbers were compromised by the theft. An unspecified number of Visa Buxx users were contacted by Bank of America. Information Source: Dataloss DB September 22, 2005 records from this breach used in our total: 0 City University of New York New York, New York EDU DISC 771 An unprotected payroll link exposed personal information for Hunter College Campus Schools. Those affected included 335 Queens College law school students, 265 current workers and 171 former workers at local elementary and high schools. All affected people were contacted. Information Source: Dataloss DB September 19, 2005 records from this breach used in our total: 771 Children's Health Council San Jose, California NGO PORT 5,000 - 6,700 A tape containing sensitive information was stolen from a Children's Health Council office. The tape contained names, Social Security numbers, and detailed medical information for around 6,000 current and former clients. Payroll information for 700 311 current and former employees was also on the tape. The agency alerted those who may be at risk of identity theft. Information Source: records from this breach used in our total: 6,700 Dataloss DB September 17, 2005 North Fork Bank (now Capital One Bank) New York, New York BSF PORT 9,000 A laptop containing mortgage data was stolen from a North Fork Bank office on the weekend of July 24 of 2005. Personal information included names, addresses, and mortgage account numbers. Affected customers were contacted and offered one year of free credit monitoring services from Equifax. Information Source: Dataloss DB September 15, 2005 records from this breach used in our total: 9,000 Miami University Hamilton, Ohio EDU DISC 21,762 A report containing Social Security numbers and grades of students was accessible online for three years. The University is attempting to contact those affected via letters and emails. A graduate alerted the University to the exposure after running a Google.com search of her name. Information Source: Dataloss DB September 10, 2005 records from this breach used in our total: 21,762 Kent State University Kent, Ohio EDU STAT 100,000 Five desktop computers were stolen from the locked offices of two deans. Names, Social Security numbers, and grades were on the computers. The information goes back to 2000 for students and 2002 for instructors. Affected students and professors were alerted by the University. Information Source: records from this breach used in our total: 100,000 Dataloss DB August 30, 2005 J.P. Morgan Chase & Co. (Dallas, TX) Dallas, Texas BSF PORT Unknown A laptop was stolen on August 8th. It contained personal and financial account information of customers. Those affected were contacted. Information Source: records from this breach used in our total: 0 Dataloss DB August 30, 2005 California State University, Chancellor's Office Long Beach, California EDU HACK 154 A computer virus attack exposed names and Social Security numbers. Those affected included two financial aid administrators and 152 students enrolled at various Cal State Universities. Those affected were contacted. Information Source: records from this breach used in our total: 154 Dataloss DB August 29, 2005 Iowa Student Loan BSF PORT Unknown 312 August 29, 2005 Des Moines, Iowa BSF PORT Unknown A CD-Rom including Social Security numbers, last name and state of residence was lost while in transit from an outside business partner. Information Source: records from this breach used in our total: 0 Security Breach Letter August 27, 2005 University of Florida, Health Sciences Center, ChartOne Gainesville, Florida EDU PORT 3,851 A contractor's laptop containing patient names, Social Security numbers, dates of birth, and medical record numbers was stolen. A letter was sent to the affected patients. Information Source: Dataloss DB August 22, 2005 records from this breach used in our total: 3,851 U.S. Air Force Washington, District Of Columbia GOV HACK 33,300 A hacker used a legitimate user ID and password to access career information, birth dates, and Social Security numbers. Those affected were notified several months after the breach was discovered. Information Source: Dataloss DB August 19, 2005 records from this breach used in our total: 33,300 University of Colorado Denver, Colorado EDU HACK 49,000 A hacker may have gained access to personal information from June of 1999 to May of 2001, and fall of 2003 to summer of 2005. The information included current and former student names, Social Security numbers, addresses and phone numbers. The University contacted individuals who were affected. Information Source: records from this breach used in our total: 49,000 Dataloss DB August 17, 2005 California State University, Stanislaus Turlock, California EDU HACK 900 The names and Social Security numbers of student workers were exposed during a hacker attack. The student workers were contacted by the University. Information Source: records from this breach used in our total: 900 Dataloss DB August 10, 2005 University of North Texas Denton, Texas EDU HACK 39,000 A server containing housing records, financial aid inquiries, and in some cases credit card numbers was hacked. UNT sent letters to current, former, and prospective students whose information may have been accessed. Information Source: records from this breach used in our total: 39,000 Dataloss DB 313 August 9, 2005 Sonoma State University Rohnert Park, California EDU HACK 61,709 Hackers broke into a computer system and may have accessed the names and Social Security numbers of people who applied, attended, or worked at the University between 1995 and 2002. University officials attempted to notify those who were affected. Information Source: Dataloss DB August 9, 2005 records from this breach used in our total: 61,709 University of Utah Salt Lake City, Utah EDU HACK 100,000 A server containing library archival databases was hacked. The server included names and Social Security numbers of former University employees. The University issued a warning that people may try to get personal information by posing as University officials involved in the investigation. Information Source: Dataloss DB August 2, 2005 records from this breach used in our total: 100,000 University of Colorado Denver, Colorado EDU HACK 36,000 Hackers accessed files containing names, photographs, Social Security numbers, and University meal card information. Around 7,000 staff members, 29,000 current students, and some former students were affected. Information Source: Dataloss DB July 31, 2005 records from this breach used in our total: 36,000 California State Polytechnic University (Cal PolyPomona) Pomona, California EDU HACK 31,077 Hackers gained access to two computers containing names, Social Security numbers and transfer records. Applicants, current students, current and former faculty, and staff were affected. Information Source: Dataloss DB July 30, 2005 records from this breach used in our total: 31,077 San Diego County Employees Retirement Association San Diego, California GOV HACK 33,000 Two computers that contained personal information for current and retired San Diego County employees were hacked. The information included names, addresses, Social Security numbers, and dates of birth. The San Diego Retirement Association mailed warnings to members. Information Source: records from this breach used in our total: 33,000 Dataloss DB July 30, 2005 California State University, Dominguez Hills Carson, California EDU HACK 9,613 Hackers accessed several computers containing personal information such as names and Social Security numbers. The students who were affected were emailed. Information 314 Source: Dataloss DB July 21, 2005 records from this breach used in our total: 9,613 University of Colorado, Boulder Boulder, Colorado EDU HACK 49,000 Prospective students, current students, staff, faculty and University health care service recipients may have had their data exposed in a campus server breach. The information included names, Social Security numbers, addresses, student ID numbers, birth dates, and lab test information. The University mailed letters and sent emails to the individuals affected. UPDATE (08/20/2005) The number of students affected was increased from an estimate of 42,000 to 49,000. Information Source: Dataloss DB July 12, 2005 records from this breach used in our total: 49,000 University of Southern California (USC) Los Angeles, California 270,000 possibly EDU DISC accessed, dozens exposed A reporter contacted USC based on an individual's claim to be able to access personal information on college applicants online. USC removed the site pending investigation and sent letters to affected individuals. Information Source: records from this breach used in our total: 270,000 Security Breach Letter July 7, 2005 Michigan State University East Lansing, Michigan EDU HACK 27,000 Student information was compromised during an attack on the College of Education server. The information included Social Security numbers, names, addresses, student courses, and personal identification numbers. The breach occurred in April and students were emailed in July. Information Source: Dataloss DB July 6, 2005 records from this breach used in our total: 27,000 City National Bank, Iron Mountain Los Angeles, California BSF PORT Unknown Two tapes containing Social Security numbers, account numbers, and other customer information were lost or stolen during transportation. The tapes have been missing since April. City National Bank notified its customers. Information Source: Dataloss DB July 1, 2005 records from this breach used in our total: 0 University of California San Diego La Jolla, California EDU HACK 3,300 A University server was hacked in April. The server contained Social Security numbers, driver's license numbers, and credit card numbers from people who attended or worked at UCSD Extension between the time of the incident and 2000. UCSD contacted those who were affected two months after the incident. Information Source: records from this breach used in our total: 3,300 Dataloss DB 315 June 30, 2005 Ohio State University Medical Center, MTE Consulting Columbus, Ohio MED PORT 15,000 A laptop containing patient information was stolen from a financial consultant. MTE Consulting notified OSU medical center a month after the laptop was stolen and OSU sent a brief letter to the affected clients. Information Source: Dataloss DB June 29, 2005 records from this breach used in our total: 15,000 Bank of America Charlotte, North Carolina BSF PORT 18,000 A laptop containing the names, Social Security numbers, and addresses of customers was stolen from a consultant's car. Information Source: records from this breach used in our total: 18,000 Dataloss DB June 28, 2005 Lucas County Children Services Toledo, Ohio GOV DISC 900 Data from around 500 former and 400 current employees from as far back as 1991 were sent outside the organization via email. The data included names, Social Security numbers, and telephone numbers. Current employees were contacted immediately and letters were sent to former employees. Information Source: Media June 27, 2005 records from this breach used in our total: 900 U.S. Department of Veterans Affairs Washington, District Of Columbia GOV PORT 66 Note: exact month and date are unknown A laptop being stored in the trunk of a car was stolen in Minneapolis, Minnesota. Two people later reported identity fraud problems. Information Source: Dataloss DB June 25, 2005 records from this breach used in our total: 66 University of Connecticut (UCONN) Storrs, Connecticut EDU HACK 72,000 University officials became aware of an October 26, 2003 hacking incident. The personal information included Social Security numbers and addresses for students, faculty, and staff. The University began contacting those affected in June of 2005. Information Source: Dataloss DB June 22, 2005 records from this breach used in our total: 72,000 Eastman Kodak Rochester, New York BSO PORT 5,800 A password-protected laptop containing former employee names, Social Security numbers, birth dates, and benefits information was stolen from a consultant's car trunk. Kodak sent letters and offered one-year of credit monitoring services and identity theft insurance covering up to $50,000 in fraud. Information 316 Source: records from this breach used in our total: 5,800 Dataloss DB June 18, 2005 University of Hawaii Manoa, Hawaii EDU INSD 150,000 A former librarian with access to the personal information of students, faculty, staff and patrons was convicted of Social Security fraud. The former librarian used Social Security information to obtain fraudulent loans. The University used Social Security numbers to track who checked out library materials. At the time of the press release it was unclear whether any information had been stolen from the University. Information Source: Dataloss DB June 17, 2005 records from this breach used in our total: 150,000 Kent State University Kent, Ohio EDU PORT 1,400 A laptop containing the names, Social Security numbers, and in some cases birthdays of current and former University employees was stolen from a human resources administrator's car. Information Source: Dataloss DB June 16, 2005 records from this breach used in our total: 1,400 CardSystems Tucson, Arizona BSF HACK 40,000,000 The motion to dismiss by Savvis: http://www.box.net/shared/static/180zctq8dz.pdf [236] Over 40 million card accounts were exposed to potential fraud due to a security breach that occurred at a third-party processor of payment card transactions. Of the more than 40 million accounts exposed, information on 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands are known to have been exported by the hackers. The data exported included names, card numbers and card security codes. UPDATE (2/23/2006) CardSystems agreed to settle Federal Trade Commission charges that it failed to take appropriate security measures to protect sensitive personal information. The company must implement a comprehensive security program and obtain audits every 2 years for 20 years. UPDATE (5/12/2006) CardSystems filed for bankruptcy. UPDATE (5/28/2009) Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts. Less than a year later the security breach occurred. Hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it. Information Source: Dataloss DB June 10, 2005 records from this breach used in our total: 40,000,000 Federal Deposit Insurance Corp. (FDIC) Washington, District Of Columbia GOV UNKN 6,000 Personal information including the names, birthdays, salaries, and Social Security numbers of former Federal Deposit Insurance Corporation employees was stolen. Some of the information was used for fraudulent purposes. Affected employees from as far back as July 2002 were notified. Information Source: records from this breach used in our total: 6,000 Dataloss DB June 6, 2005 Citigroup, UPS BSF PORT 3,900,000 317 June 6, 2005 New York, New York BSF PORT 3,900,000 Customers are being notified that backup tapes containing their account information were lost or stolen while being shipped by UPS. Information Source: records from this breach used in our total: 3,900,000 Dataloss DB June 4, 2005 Duke University Medical Center Durham, North Carolina EDU HACK 14,000 Not included in total because full Social Security numbers not involved A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers. 14,000 affected people were notified, including 10,000 employees of Duke University Medical Center. Information Source: records from this breach used in our total: 0 Dataloss DB May 30, 2005 Motorola Schaumburg, Illinois BSO STAT Unknown Two computers were stolen from third party vendor Affiliated Computer Services (ACS). They had security safeguards and contained names and Social Security numbers of Motorola employees. Motorola notified affected staff by email and offered fraud insurance coverage. Information Source: Dataloss DB May 28, 2005 records from this breach used in our total: 0 Merlin Information Services Kalispell, Montana BSO INSD 5,875 An individual fraudulently obtained personal information about thousands of victims from Merlin Information Services and used that information to commit identity theft by opening up credit card accounts. He posed as a private investigator, thus giving Merlin the impression that he was a legitimate user of their services. He conducted at least 1,873 queries through the Merlin system to obtain information on approximately 5,875 people. Information Source: records from this breach used in our total: 5,875 Media May 27, 2005 Cleveland State University Cleveland, Ohio EDU PORT 44,420 A laptop containing personal information from applicants, current students, and former students was stolen from the University's admissions office. The information included Social Security numbers and addresses from as far back as 2001. Letters were sent to those affected. UPDATE (12/24):CSU found the stolen laptop Information Source: Dataloss DB May 19, 2005 records from this breach used in our total: 44,420 Valdosta State University Valdosta, Georgia EDU HACK 40,000 318 A computer server containing campus ID card information and Social Security numbers was hacked. The cards were designed to be used as debit cards by students and employees. Information Source: Dataloss DB May 18, 2005 records from this breach used in our total: 40,000 Jackson Community College Jackson, Michigan EDU HACK 8,000 A hacker may have downloaded the passwords and Social Security numbers of employees and students. The College sent new, high security passwords to students and employees. Information Source: Dataloss DB May 18, 2005 records from this breach used in our total: 8,000 University of Iowa Iowa City, Iowa EDU HACK 30,000 A computer containing credit card numbers and campus ID numbers for University Book Store customers was breached by a hacker. Information Source: Dataloss DB May 16, 2005 records from this breach used in our total: 30,000 Westborough Bank Westborough, Massachusetts BSF INSD 750 A former employee who ran an investment program from 1998 to 2001 may have given Social Security numbers and account information to a convicted felon known for defrauding senior citizens. The bank mailed warning letters. Information Source: Dataloss DB May 14, 2005 records from this breach used in our total: 750 Georgia Technology Authority (GTA) Atlanta, Georgia GOV INSD 465,000 A former computer programmer for Georgia Technology Authority downloaded state driver's license information which contained names, addresses, driver's license numbers, and in some cases Social Security numbers. Information Source: Dataloss DB May 12, 2005 records from this breach used in our total: 465,000 Hinsdale Central High School Hinsdale, Illinois EDU HACK 2,400 Two students were accused of hacking into the School's computer system and stealing student and staff Social Security numbers. The students had the information for months before being caught. Letters were sent to affected families. The Social Security Administration and the Federal Trade Commission were also notified. Information Source: records from this breach used in our total: 2,400 Dataloss DB May 11, 2005 Stanford University Stanford, California EDU HACK 9,900 319 The University's Career Development Center was hacked. This exposed the names, Social Security numbers, and other personal information of users. Names and credit card information for some employers that registered with the site were also in the database. Information Source: Dataloss DB May 7, 2005 records from this breach used in our total: 9,900 Department of Justice Washington, District Of Columbia GOV PORT 80,000 A laptop containing password protected names and travel account credit card information was stolen. Information Source: records from this breach used in our total: 80,000 Dataloss DB May 5, 2005 Purdue University West Lafayette, Indiana EDU HACK 11,360 Hackers accessed a program which contained University credit card information and the Social Security numbers of current and former employees. Letters were sent to employees and former employees. Information Source: records from this breach used in our total: 11,360 Dataloss DB May 4, 2005 Colorado Health Department Denver, Colorado GOV PORT 1,600 (families) A laptop containing Social Security numbers, medical records, family medical history, and addresses was stolen from an employee's car. The State Health Department is not monitoring the affected group and has only contacted some of the families involved. Information Source: Dataloss DB May 2, 2005 records from this breach used in our total: 1,600 Time Warner New York, New York BSO PORT 600,000 Backup tapes containing the personal information of current and former employees from as far back as 1986 was lost or stolen during shipping. An 800 number was set up to answer questions and provide free credit monitoring for one year. Information Source: Dataloss DB April 29, 2005 records from this breach used in our total: 600,000 Oklahoma State University Stillwater, Oklahoma EDU PORT 37,000 A laptop used for student job placement seminars was lost or stolen. It contained the Social Security numbers of current and former students. Information Source: Dataloss DB April 28, 2005 records from this breach used in our total: 37,000 Georgia Southern University Stateboro, Georgia EDU HACK tens of thousands 320 Hackers accessed a University server which contained thousands of credit card and Social Security numbers collected over three years. Students who received bookstore credit through scholarship or financial aid between the fall 2003 and spring of 2005 semesters, and anyone who made credit purchases at campus stores, stadium, or website are at risk. Email alerts were sent to students and alumni. Information Source: records from this breach used in our total: 0 Dataloss DB April 28, 2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp Hackensack, New Jersey BSF INSD 676,000 Note: location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred. Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services. Information Source: Dataloss DB April 26, 2005 records from this breach used in our total: 676,000 Michigan State University's Wharton Center East Lansing, Michigan EDU HACK 40,000 A hacker may have stolen the credit card information of visitors attending a performing arts venue. Warnings were sent to Wharton visitors who used their credit cards anytime between September of 2003 and the incident. Information Source: Dataloss DB April 26, 2005 records from this breach used in our total: 40,000 Christus St. Joseph's Hospital Houston, Texas MED STAT 16,000 Two computers used for converting paper medical records into digital files were stolen. One of the computers contained Social Security numbers and medical records for hundreds of patients. Letters were sent to about 16,000 patients. Information Source: Dataloss DB April 21, 2005 records from this breach used in our total: 16,000 Carnegie Mellon University Pittsburgh, Pennsylvania EDU HACK 19,000 The compromised information included Social Security numbers and grades from master's alumni classes 1997 through 2004, job offer information from master's alumni classes 1985 through 2004, contact information for all alumni, and Social Security numbers and grades from doctoral students enrolled between 1998 and 2004. Between 5,000 and 6,000 of those affected had their credit card information and Social Security numbers compromised. Emails and letters were sent to those who were affected. Information Source: Dataloss DB April 20, 2005 records from this breach used in our total: 19,000 TD Ameritrade Omaha, Nebraska BSF PORT 200,000 A backup tape was lost, stolen, or accidentally destroyed while being shipped. The tape contained account information from clients or former clients between the years of 2001 and 2003. Ameritrade notified the affected clients and offered one free year of credit protection services. 321 Information Source: records from this breach used in our total: 200,000 Dataloss DB April 15, 2005 Polo Ralph Lauren, HSBC New York, New York BSR HACK 180,000 Credit card data was stolen. Individuals holding the HSBC-issued General Motors Mastercard were told their cards should be replaced. UPDATE(07/10/07): U.S. Secret Service agents found Ralph Polo Lauren customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers. Information Source: records from this breach used in our total: 180,000 Dataloss DB April 15, 2005 California Department of Health Services Sacramento, California GOV PORT 21,600 A laptop containing the names, Social Security numbers, and medical information of Medi-Cal beneficiaries was stolen from the car trunk of an employee. The Department of Health Services began notifying beneficiaries in late May. Information Source: records from this breach used in our total: 21,600 Dataloss DB April 11, 2005 Tufts University Boston, Massachusetts EDU HACK 106,000 The University's donor database was breached. Letters were sent to the alumni who may have had their personal information stolen. Information Source: records from this breach used in our total: 106,000 Dataloss DB April 8, 2005 Eastern National Ft. Washington, Pennsylvania NGO HACK 15,000 A hacker gained access to a server containing the names, credit card information, and billing addresses of 15,000 customers. Letters were mailed to all customers who bought products through the educational website for national parks. Information Source: records from this breach used in our total: 15,000 Dataloss DB April 8, 2005 San Jose Medical Group San Jose, California MED STAT 187,000 UPDATE(10/10/07): A former branch manager at the San Jose Medical Group has been sentenced to almost two years in prison for stealing medical records for about 187,000 patients. The accused pleaded guilty in May to one count of health care-related theft after he stole computer equipment from his former employer, including a DVD that contained patients' names, Social Security numbers, medical diagnoses and other information. Information Source: Dataloss DB records from this breach used in our total: 187,000 322 April 6, 2005 University of California, San Francisco (UCSF) San Francisco, California EDU HACK 7,000 A server in the accounting and personnel departments was hacked. It contained information on 7,000 students, faculty, and staff members. The affected individuals were notified March 23. Information Source: Dataloss DB April 5, 2005 records from this breach used in our total: 7,000 MCI Colorado Springs, Colorado BSO PORT 16,500 A laptop containing names and Social Security numbers of current and former employees was stolen from the car trunk of an MCI financial analyst. An MCI spokesperson stated that MCI would continue its policy of allowing laptops to be taken home by employees and will evaluate new security technologies. Information Source: records from this breach used in our total: 16,500 Dataloss DB April 5, 2005 University of California, Davis Davis, California EDU HACK 1,100 The names and Social Security numbers of students, faculty, visiting speakers and staff may have been compromised when a hacker accessed a main computer. Information Source: records from this breach used in our total: 1,100 Dataloss DB 1,200 (not included in total because news March 25, 2005 Purdue University West Lafayette, Indiana EDU HACK stories are not clear if SSNs or financial information were exposed) Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates. Information Source: Dataloss DB March 20, 2005 records from this breach used in our total: 0 Northwestern University Evanston, Illinois EDU HACK 17,500 Hackers gained access to multiple computers and gathered user ID and password information from the University's network. The personal information for around 500 faculty members, 2000 staff members, and 14,000 alumni was compromised. Information Source: Media March 20, 2005 records from this breach used in our total: 17,500 University of Nevada, Las Vegas Las Vegas, Nevada EDU HACK 5,000 A hacker was caught accessing the University's server and may have gotten information from the Student Exchange and Visitor Information System (SEVIS). 323 Information Source: Dataloss DB March 16, 2005 records from this breach used in our total: 5,000 California State University, Chico Chico, California EDU HACK 59,000 A university housing and food service computer server containing names and Social Security numbers of faculty, staff, students, former students, and prospective students was hacked. Information Source: records from this breach used in our total: 59,000 Dataloss DB March 12, 2005 Las Vegas Department of Motor Vehicles (LV DMV) Las Vegas, Nevada GOV STAT 8,900 A computer and holographic laminate materials were stolen from the Donovan office of the DMV in North Las Vegas. UPDATE. The equipment was recovered on June 1. Information Source: Dataloss DB March 11, 2005 records from this breach used in our total: 8,900 University of California, Berkeley Berkeley, California EDU PORT 98,400 A laptop containing the Social Security numbers of doctoral degree recipients from 1976 to 1999, graduate students enrolled between 1989 and 2003, and graduate school applicants between fall 2001 and spring of 2004 was stolen. Birth dates and addresses for about one-third of the affected people were also on the laptop. Information Source: Dataloss DB March 11, 2005 records from this breach used in our total: 98,369 Kaiser Permanente Oakland, California MED DISC 140 A disgruntled employee posted informaton on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information. Information Source: records from this breach used in our total: 140 Dataloss DB March 11, 2005 Boston College Boston, Massachusetts EDU HACK 120,000 A hacker gained access to a phone banking database that included alumni addresses and Social Security numbers. Information Source: Dataloss DB March 10, 2005 records from this breach used in our total: 120,000 LexisNexis Dayton, Ohio BSO INSD 30,000 additional 280,000 324 Unauthorized individuals used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers, driver's license numbers, and names and addresses. Most of the breaches were at the company's subsidiary Seisint Inc., based in Florida. UPDATE (4/12/05) An internal investigation at LexisNexis has uncovered evidence that an additional 280,000 records may have been involved in this breach, increasing the total from 30,000 to 310,000. UPDATE (06/30/06): Last week, five men were arrested in connection with this breach. Information Source: Dataloss DB March 8, 2005 records from this breach used in our total: 310,000 DSW, Retail Ventures Columbus, Ohio BSR HACK 1,400,000 Credit card information from customers in 25 states was compromised. UPDATE (4/19/2005) additional 1,300,000 added to 100,000 Information Source: records from this breach used in our total: 1,400,000 Dataloss DB February 25, 2005 Bank of America Corp. Charlotte, North Carolina BSF PORT 1,200,000 Computer tapes with credit card information, Social Security numbers, addresses and account numbers were lost. Bank of America began monitoring the customer accounts on the lost tapes and said it would contact cardholders if unusual activity was detected. Around 900,000 of the account holders affected were Defense Department employees. Information Source: Dataloss DB February 25, 2005 records from this breach used in our total: 1,200,000 PayMaxx Miramar, Florida BSF DISC 100,000 A software glitch at PayMaxx Inc., a Franklin, Tenn., payroll processing company, accidentally revealed personal financial information on as many as 100,000 individuals, including Social Security numbers. The problem arose in a PayMaxx feature that enabled employees to use the Internet to get their W-2 forms, the standard tax information form issued by companies to their employees. Information Source: records from this breach used in our total: 100,000 Dataloss DB February 18, 2005 University of Chicago Hospital Chicago, Illinois MED INSD 85 The FBI launched an investigation into possible fraud by at least one hospital employee. As many as 85 patients may have been affected. The hospital contacted all affected patients. Information Source: records from this breach used in our total: 85 Dataloss DB February 15, 2005 ChoicePoint Alpharetta, Georgia BSO INSD 163,000 Fraudsters who presented themselves as legitimate ChoicePoint customers purchased data profiles from ChoicePoint on 325 individuals and used that data to commit identity theft. The initial number of affected records was estimated at 145,000 but was later revised to 163,000. UPDATE(1/26/06): ChoicePoint settled with the Federal Trade Commission [237] for $10 million in civil penalties and $5 million for consumer redress. UPDATE (12/06/06): The FTC announced [238] that victims of identity theft as a result of the data breach who had out-of- pocket expenses can now be reimbursed. The claims deadline is Feb. 4, 2007. UPDATE (06/24/07): Starting Dec. 2006, the FTC began mailing claims forms to victims of the breach. Its Web site [239] provides information about the claims process. Deadline is Aug. 18, 2007. Victims can be reimbursed for out-of-pocket expenses resulting from identity theft connected to the breach. Call (888) 884-8772, or email cpredress@ftc.gov [240] . UPDATE (11/04/07): Since its 2005 data security incident, ChoicePoint has implemented enhancements to its privacy and information security framework including the establishment of an Office of Privacy, Ethics and Compliance to reinforce the responsible use and protection of information at ChoicePoint through policies and procedures, audit and compliance, and outreach and education. Visit www.privacyatchoicepoint.com [241] . UPDATE (1/27/08): Has agreed to pay $10 million to settle a class action lawsuit Information Source: records from this breach used in our total: 163,000 Security Breach Letter February 12, 2005 Science Applications International Corp. (SAIC) San Diego, California BSO STAT 45,000 employees On Jan. 25 thieves broke into a SAIC facility and stole computers containing names, SSNs, and other personal information of past and current employees. Stolen information included names, NNS, addresses, phone numbers and records of financial transactions. Information Source: Dataloss DB January 22, 2005 records from this breach used in our total: 45,000 University of Northern Colorado Greeley, Colorado EDU PORT 30,000 A hard drive was apparently stolen. It contained information on current and former University employees and their beneficiaries -- name, date of birth, SSN, address, bank account and routing number. Information Source: Dataloss DB January 18, 2005 records from this breach used in our total: 30,000 University of California, San Diego San Diego, California EDU HACK 3,500 A hacker breached the security of two University computers that stored the Social Security numbers and names of students and alumni of UCSD Extension. Information Source: Dataloss DB January 10, 2005 records from this breach used in our total: 3,500 George Mason University Fairfax, Virginia EDU HACK 32,000 Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the University's main ID server. Information Source: records from this breach used in our total: 32,000 326 Dataloss DB Breach Total 494,692,655 RECORDS BREACHED (Please see explanation [91] about this total.) from 1,651 DATA BREACHES made public since 2005 Source URL (retrieved on 2010-08-04 04:30 ): http://www.privacyrights.org/data-breach Copyright © Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. Links: [1] http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-RightsClearinghouse.pdf [2] http://www.privacyrights.org/data-breach/print [3] http://www.privacyrights.org/#CP [4] http://www.privacyrights.org/#1 [5] http://www.privacyrights.org/#2 [6] http://www.privacyrights.org/#3 [7] http://www.privacyrights.org/#4 [8] http://www.privacyrights.org/#5 [9] http://www.privacyrights.org/#6 [10] http://www.privacyrights.org/#7 [11] http://www.privacyrights.org/#8 [12] http://www.privacyrights.org/#9 [13] http://www.privacyrights.org/#10 [14] http://www.privacyrights.org/#11 [15] http://www.privacyrights.org/#12 [16] http://www.privacyrights.org/#13 [17] http://www.privacyrights.org/#Total [18] http://www.privacyrights.org/about_us.htm [19] http://datalossdb.org/primary_sources [20] http://datalossdb.org/ [21] mailto:dataloss-subscribe@datalossdb.org [22] http://datalossdb.org/download [23] http://www.databreaches.net/ [24] http://www.pogowasright.org [25] http://www.phiprivacy.net/ [26] http://www.naidonline.org [27] http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm [28] https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx [29] https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf [30] http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press Releases [31] https://www.otalliance.org/resources/Incident.html [32] http://www.bbb.org/us/corporate-engagement/security/ [33] http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf [34] http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf [35] http://www.privacyrights.org/ar/PreventITWorkplace.htm [36] http://www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf [37] http://www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf [38] http://www.privacyprotection.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf [39] http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html [40] http://www.privacyrights.org/ar/SecurityBreach.htm [41] http://www.defendyourdollars.org/2005/02/states_with_not.html [42] http://www.nymity.com/FormDownload.aspx?docid=E5AE006F-1947-4163-BDAC-0BFE129E5C89 [43] http://www.digestiblelaw.com/files/upload/securitybreach.pdf [44] http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf [45] http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf [46] http://www.crowell.com/pdf/SecurityBreachTable.pdf [47] http://www.consumersunion.org/campaigns//learn_more/003484indiv.html [48] http://www.pirg.org/consumer/credit/statelaws.htm [49] http://www.mass.gov/Eoca/docs/idtheft/notificationsrpt20080918.pdf [50] http://www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data-Report.aspx [51] http://www.healthcareitnews.com/news/study-points-critical-gaps-hospital-data-security [52] http://blogs.findlaw.com/technologist/2010/02/data-security-breaches-cost-real-money.html [53] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009 US Cost of Data Breach Report Final.pdf [54] http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf 327 [55] http://www.deloitte.com/view/en_US/us/industries/MediaEntertainment/e510f6b085912210VgnVCM100000ba42f00aRCRD.htm [56] http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf [57] http://web.interhack.com/news/n2009/taxonomy [58] http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf [59] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Dell Executive Summary FINAL 063008.pdf [60] http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01 [61] http://mba.tuck.dartmouth.edu/digital/Research/ResearchProjects/JohnsonHemorrhagesFC09Proceedingd.pdf [62] http://cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html [63] http://www.jcampana.com/JCampanaDocuments/EducationSectorDataBreachStudy.pdf [64] http://www.verizonbusiness.com/resources/security/databreachreport.pdf [65] http://www.adamdodge.com/esi/yir_2007 [66] http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm [67] http://www.yourcreditadvisor.com/blog/2007/07/how_many_times.html [68] http://www.tech-404.com/calculator.html [69] http://www.insidecounsel.com/Issues/2009/May-2009/Pages/Breach-Patrol.aspx [70] http://law.bepress.com/cgi/viewcontent.cgi?article=1153&context=unswwps [71] http://ssrn.com/abstract=1268926 [72] http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State [73] http://www.privacyrights.org/notification_laws.htm [74] http://www.privacyrights.org/ar/notification_laws.htm [75] http://www.paulschwartz.net/pdf/datasec_schwartz-janger.pdf [76] http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S3225 [77] http://www.privacyrights.org/sites/default/files/imported/ar/Wernick_Dec06.pdf [78] http://www.gibsondunn.com/practices/publications/detail/id/766/?pubItemId=7832 [79] http://www.gibsondunn.com/publications/pages/SecurityBreachNotificationsaStateandFederalLawMaze.aspx [80] http://media.gibsondunn.com/fstore/documents/pubs/072705-SecurityBreachCHART.pdf [81] http://findarticles.com/p/articles/mi_m0BJK/is_10_18/ai_n19521336/ [82] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html [83] http://datalossdb.org/search/primary_sources/7-maine-attorney-general [84] http://www.idtheftcenter.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml [85] http://doj.nh.gov/consumer/breaches.html [86] http://emergentchaos.com/archives/category/breaches [87] http://www.databreaches.net [88] http://www.adamdodge.com/esi/stolen_sungard_higher_education_laptop_contained_csu_system_student_information [89] http://www.numbrx.net/ [90] http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html [91] http://www.privacyrights.org/data-breach#2 [92] http://www.privacyrights.org/data-breach?order=field_breach_date_value_1&sort=asc [93] http://www.privacyrights.org/data-breach?order=field_breach_total_value&sort=asc [94] http://www.rainbowhospice.org/protection/ [95] http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection.asp [96] mailto:legalinquiry@nmff.org [97] http://www.wyndhamworldwide.com/customer_care/data-claim.cfm [98] http://www.privacyrights.org/sites/default/files/AR-M450_20100223_180300223.pdf [99] http://www.valdosta.edu/notify/ [100] mailto:databreach@4j.lane.edu [101] http://www.army.mil/-news/2009/12/16/31955-laptop-containing-personal-information-about-mwrcustomers-stolen/ [102] http://www.thebeijingcenter.org/securityqns [103] mailto:action@tadgear.com [104] http://www.chaminade.edu/infosecure [105] http://www.ftc.gov/opa/2009/10/choicepoint.shtm [106] mailto:ecert@eku.edu [107] https://security.berkeley.edu/jschool-info [108] http://www.elance.com/p/trust/account_security.html>http://www.elance.com/p/trust/account_security.html [109] mailto:custserv@nashbar.com [110] http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf [111] http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf [112] http://datatheft.berkeley.edu [113] http://googledocs.blogspot.com/2009/03/on-yesterdays-email.html [114] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html [115] http://news.uns.purdue.edu/Payroll0901.html [116] http://help.monster.com/besafe/ [117] http://help.monster.com/besafe/jobseeker/index.asp [118] http://www.ftc.gov/opa/2009/01/navone.shtm [119] http://www.justice.gov/opa/pr/2009/August/09-crm-810.html [120] http://www.2008breach.com [121] http://www.bankinfosecurity.com/articles.php?art_id=1200 [122] http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf 328 [123] http://www1.ftc.gov/opa/2009/02/compgeeks.shtm [124] http://www.studentlife.osu.edu/dataexposure [125] http://www.rbsworldpay.us/RBS_WorldPay_Press_Release_Dec_23.pdf [126] http://louisville.bizjournals.com/louisville/othercities/atlanta/stories/2008/12/22/daily24.html [127] http://www.forever21.com/notice/notice.html [128] http://www.ivytech.edu/about/security/ [129] http://www.rit.edu/news/?v=46283 [130] http://www.cwdataclaims.com/ [131] http://www.utdallas.edu/infosecurity/ [132] http://www.ohiocore.org/answers [133] http://www.sec.gov/litigation/admin/2008/34-58515.pdf [134] http://www.computerworld.com/s/article/9177702/Insurer_says_it_s_not_liable_for_University_of_Utah_s_3.3M_data_breach [135] http://www.computerworld.com/s/article/9096721/Thieves_steal_tapes_holding_2.2M_billing_records [136] mailto:PathHotline@ucsf.edu [137] http://www.sungardhe.com/custom.aspx?id=1554&LangType=1033 [138] http://www.bnymellon.com/tapequery [139] http://www.courant.com/business/hc-mellon0531.artmay31,0,4507316,print.story [140] mailto:askquestions@wpahs.org [141] mailto:lkaplan@mbc.org [142] http://www.ssnbreach.org [143] mailto:security@foundation.uconn.edu [144] http://eu.montana.edu/security [145] mailto:idprotect@dixie.edu [146] http://www.osfa.state.la.us/notice.htm [147] http://eu.montana.edu/security/ [148] http://www.uiowa.edu/~phil/SSN.shtml [149] http://www.mass.gov/dpl [150] http://gapinc.com/securityassistance/ [151] http://www.dispatch.com [152] http://www.elvey.com/IDTheft/spam_faq.cfm.html [153] http://datalossdb.org/incident_highlights/30-legal-sub-project-elvey-v-td-ameritrade [154] http://www.voxant.com [155] http://www.purdue.edu/news/coa0709.html [156] http://www.idahoarmyguard.org/ [157] http://www.saic.com/response/ [158] http://www.datasettlement.com/ [159] mailto:deansoffice@vetmed.ucdavis.edu [160] mailto:mhanna@cmonitor.com [161] http://www.virginia.edu/uvatoday/newsRelease.php?id=2217 [162] mailto:identity-assistance@virginia.edu [163] mailto:c-loebbaka@northwestern.edu [164] https://apps.dot.state.nc.us/pio/releases/details.aspx?r=1179 [165] http://www.idfpr.com [166] http://www.stonybrook.edu/sb/disclosure/ [167] http://www.goshen.edu/news/pressarchive/05-11-07-security.html [168] mailto:info@goshen.edu [169] mailto:HighlandHospitalAdmin@urmc.rochester.edu [170] http://phx.corporate-ir.net/phoenix.zhtml?c=118113&p=irol-recentdata [171] http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB? contentidonly=true&contentid=2007/04/0110.xml [172] http://www.osu.edu/news/newsitem1673 [173] http://news.ucsf.edu/releases/ucsf-computer-server-with-research-subject-information-is-stolen/ [174] http://security.ucsf.edu/alert/information.html [175] http://sos.georgia.gov/pressrel/20070411a.htm [176] http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm [177] http://www.bhsu.edu/AboutBHSU/NewsEvents/tabid/3454/articleType/ArticleView/articleId/339/Default.aspx [178] http://dch.georgia.gov/vgn/images/portal/cit_1210/19/38/80010015Public_NoticeMissing_Personal_Data.pdf [179] http://www.hortica-insurance.com/hotTopics/26.PDF [180] mailto:securedata@hortica-insurance.com [181] mailto:isecurity@ucsf.edu [182] mailto:CSCMailbox@navy.mil [183] http://www.oag.state.tx.us/oagNews/release.php?id=1961 [184] http://www.ghc.org/news/news.jhtml?reposid=/common/news/news/20070323-missing_laptops.html [185] http://www.spr.k12.oh.us/ [186] http://www.spr.k12.oh.us./ourboard/treasdocs/notificationofDataTheft.pdf [187] http://www.usda.gov/oig/webdocs/50501-8-FM.pdf [188] http://www.census.gov/Press-Release/www/releases/archives/miscellaneous/009732.html [189] http://www.mscd.edu/securityalert/ [190] http://www.cchealth.org/press_releases/dhs_breach_03_2007.php [191] http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/07-17 breach of personal information.html [192] mailto:hr@gatech.edu [193] http://www.ccsf.edu/securityalert 329 [194] http://www.ecu.edu/incident/ [195] http:www.mass.gov/dia [196] http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294 [197] http://www.hawaii.gov/dcca/quicklinks/id_theft_info [198] http://www.tjx.com/ [199] https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf [200] http://online.wsj.com/article_email/article_print/SB117824446226991797lMyQjAxMDE3NzA4NDIwNDQ0Wj.html [201] http://privacy.wi.gov/alerts/jan0107.jsp [202] http://www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf [203] http://www.identityalert.ucla.edu [204] http://www.utdallas.edu/datacompromise/form.html [205] http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.pdf [206] mailto:perline@connorsstate.edu [207] http://www.denverda.org/News_Release/Releases/2006 Release/Computer security alert.pdf [208] http://www.uta.edu/oit/iso/Datatheft.php [209] http://www.nysun.com/national/gop-donors-personal-data-disclosed-in-rnc-privacy/41341/ [210] http://www.portseattle.org [211] https://www.census.gov/Press-Release/www/releases/archives/miscellaneous/007497.html [212] http://www.savannahga.gov/security [213] http://www.berry.edu/stulife/idprotect/ [214] http://blog.secondlife.com/2006/09/08/urgent-security-announcement/ [215] http://old.ts.vcu.edu/security/id_exposure.html [216] http://www.chicagofop.org/Updates/links/nrs.pdf [217] mailto:identityprotection@corelogic.com [218] http://www.dlssonline.com [219] http://www.hcahealthcare.com [220] mailto:hotline@oig.dot.gov [221] http://www.oag.state.ny.us/press/2007/apr/apr26a_07.html [222] http://www.northwestern.edu/newscenter/stories/2006/07/data.html [223] http://security.tennessee.edu [224] http://www.taxes.state.mn.us/taxes/publications/press_releases/content/taxpayer_information.shtml [225] http://www.sfsu.edu/~admisrec/reg/idtheft.html [226] http://www.ohio.edu/datasecurity [227] http://www.ohio.edu/datasecurity/ [228] http://www.firstgov.gov/usdainfo.shtml [229] http://www.wiu.edu/securityalert/ [230] http://www.applications.dhs.ca.gov/pressreleases/store/PressReleases/06-41.html [231] http://www.veteransclass.com [232] http://www.wired.com/science/discoveries/news/2006/03/70380 [233] http://www.doj.state.or.us/releases/2006/rel092606a.shtml [234] http://www.ftc.gov/os/caselist/0623057/index.htm [235] http://www.isu.edu/announcement/ [236] http://www.box.net/shared/static/180zctq8dz.pdf [237] http://www.ftc.gov/opa/2006/01/choicepoint.htm [238] http://www.ftc.gov/opa/2006/12/choicepoint.htm [239] http://www.ftc.gov/bcp/cases/choicepoint/index.shtm [240] mailto:cpredress@ftc.gov [241] http://www.privacyatchoicepoint.com 330