294 (No SSNs or financial information reported)

A hacker or hackers posted email addresses, plain-text passwords, and ID numbers online.

3,600

Massachusetts Eye and Ear released a statement that can be found here: http://www.masseyeandear.org/news/press_releases/recent/data_breach_2012/

An employee was fired after police informed Massachusetts Eye and Ear that the employee was being investigated for identity theft.  The employee had taken and misused patient names, Social Security numbers, and dates of birth. At least four of the employee's victims came from Massachusetts Eye and Ear, but she had access to the information of approximately 3,600 patients.

12

A Reading Hospital employee made paper copies of sensitive information and used them for training purposes at an unaffiliated educational facility.  The incident was discovered the next day and the employee was fired.  Patient medical test results, diagnoses, prescribed medications, Social Security numbers, medical histories, and other personal information were exposed.

17,130 (No SSNs or financial information reported)

A laptop went missing from a physician's office sometime between March 16 and March 20 of 2012.  The laptop contained patient outcomes data from patients in the adult ICU from 2000 to 2008.  Patient names, race, age, dates of admission and discharge from the Intensive Care Unit, and results of treatment may have been exposed.

24

A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 Idaho customers enrolled in UnitedHealthcare Medicare plans. On January 30, 2012, it was discovered that the former employee may have accessed the information in the United Health Care database in a way that was inconsistent with his job duties and possibly for fraud purposes.  The information was taken between June 28 and December 12 of 2011. Affected patients were notified on March 30.

Unknown

A dishonest employee working as a technician in the surgery department at Howard University Health Sciences sold patient information between August 2010 and December of 2011. The employee was charged with one count of wrongful disclosure of individually identifiable health information.  Patient names, Medicare numbers, addresses, and dates of birth may have been exposed.

50

A Northwestern Memorial Hospital employee was charged with one count of aggravated identity and one count of identity theft. The dishonest employee is accused of stealing the identities of patients to pay off personal bills.  Paperwork with the Social Security numbers, credit card numbers, and dates of birth of over 50 patients was found in the employee's home.  The dishonest employee's scheme was discovered when suspicious credit card activity related to the opening of utilities in the employee's name.

3,000

Warren County residents had their names, Social Security numbers, addresses, phone numbers, and other information exposed.  A fire destroyed a Warren County human services office on December 4, 2011.  Records from the location that were due to be shredded were moved to a secure facility owned by warren County.  A county maintenance worker mistakenly moved a container full of the damaged sensitive records back to the destroyed building in early February of 2012.  The mistake was discovered on March 14 when the department received a call from a resident near the area who found a DHS paper in her yard.

701,000

Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California.  A package that originally contained microfiche with payroll data entries and possibly other sensitive information.  It arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.

Unknown

In November 2011, hackers accessed and released private email accounts belonging to a retired agent for the Department of Justice.  The retired agent was a member of the CATCH.  Some of the emails that the hackers released included data that contained the names, Social Security numbers, addresses, dates of birth, and other personal information of an unknown number of consumers.

15,399

On April 25, 2012, First Data learned that certain limited personal information about approximately 108,500 merchants who currently process with First Data or who applied for processing services had been shared outside of the company. The names, addresses, and Social Security numbers of merchants who submitted applications to First Data for merchant processing services were purposely disclosed to an outside party in January and February of 2012.  First Data later discovered that this action was not clearly permitted in some merchant contracts.

2,937

A former manager of the Thurston Branch of Key Bank pled guilty to charges related to opening a Key Bank account in the name of someone else. He will be sentenced for identity theft and bank fraud.  The manager obtained and transferred customer names, Social Security numbers, and dates of birth between January and May of 2007.  He eventual threatened and intimidated witnesses in August 2010. Key Bank had a total of $44,937.66 in expenses related to the breach.

Unknown

A former employee pled guilty to conspiracy to commit bank fraud and aggravated identity theft.  The former employee received $3,000 for his role in the conspiracy and his co-conspirators fraudulently made $84,169.37 from customers.  

741 (No SSNs reported)

A former employee used patient information to file false income tax returns. The information of 741 patients was accessible in a binder.  The employee worked as an intake coordinator at the Hospital from March 15 to August 18 of 2011.  The breach was not discovered until April 18 of 2012.  

Unknown

Hackers were able to access and publicly post over 16,000 law enforcement files online.  Sensitive 911 calls, witness and victim statements, names of young crime victims, names and personal phone numbers of SWAT team members, a blueprint that could allow sex predators to avoid arrest, and possibly sheriff employee passwords were posted. SWAT team information such as the unit's operating guide and number of snipers was also posted.  Personal information including Swat team member home and cell phone numbers was posted as well. The breach occurred sometime around April 28, 2012.

Unknown

The location listed is that of Ford's headquarters.

Hackers targeted various websites owned by Ford and posted sensitive information online.  Usernames, passwords, and administrator information may have been exposed.

Unknown (18 students requested that their grade be altered)

A high school student used the login credentials of his father to change student records.  The student's father worked at the school as a counselor.  At least 18 students paid for their attendance and course assignment records to be altered. The students who paid for the alterations were suspended.  It is unclear if other students had their information accessed or altered.  

Unknown

Hackers associating themselves with Anonymous claimed to have obtained the private information of University of Pittsburgh students and alumni. The hackers threatened to release the information publicly unless the University apologized to students, law enforcement, and professors.  The University was involved in the arrest of several supporters of Anonymous. Student passwords, dorm information, payment and credit information, parent information, coursework and grades, as well as alumni information may be exposed.

Unknown

On April 2, 2012, Incorporating Services learned that one of their servers was compromised by a malware attack.  Incorporating Services began investigating the breach after being informed by their internet hosting vendor and discovered that malicious software had allowed an unauthorized party to access data stored on the server.  Corporate officer Social Security numbers and names may have been exposed.

100,000

The information of Florida child care workers was placed on a state website.  The information was not password protected and could have been found through an internet search. An unnamed vendor working for the state of Florida was responsible for placing the information online.  Florida daycare workers may have had their dates of birth, names, and Social Security numbers exposed. It is not clear how long the information was exposed.

14,000

Those with questions may call (615) 230-3390.

The University became aware of an unintended disclosure.  Files with the information of current and former faculty and former students were placed on a web server that was not secure.  The information could have been accessed anytime between 2008 and the discovery of the error.  Names and Social Security numbers were exposed.

Unknown

A member of law enforcement found a black canvas bag full of payroll files.  The bag may have been stolen or misplaced and carried worker names, Social Security numbers, and other personnel information. Stacks of files were photographed behind Accurate Accounting. This led to the belief that the files had not been properly stored.

Unknown

An employee's laptop was stolen from a rental car that was left unattended in a restaurant parking lot.  The theft occurred on June 2, 2010.  The laptop was rendered inoperable within two hours of the discovery of the theft.  It contained data related to Fairview health system billing issues and was encrypted.  

6.5 million

Lawyers responsible for challenging a voter ID law in Texas requested the Texas voter database for analysis.  The Texas Attorney General's office released encrypted discs with the personal records of 13 million Texas voters, but half still contained Social Security numbers.  A state police officer was dispatched to New York, Washington D.C., and Boston to retrieve the encrypted discs when the opposing lawyers revealed that a mistake had occurred.

Unknown

An unknown number of customers had their personal information entered into the wrong field in a database.  The information should have been encrypted but was not because of the error. Customers may have received mail with their credit card number, driver's license number, Social Security number, passport number, or any combination of these elements printed on the outside of envelopes. The issue was discovered in late December of 2011.

Unknown

An April 1, 2012 office burglary resulted in the theft of computer equipment with sensitive information.  A server that contained customer names and Social Security numbers or driver's license numbers was stolen. Additional information related to customer applications was also on the server.

Unknown

Cryptic Studios detected evidence of unauthorized access to a user database that occurred in December 2010.  Users may have had their account names, handles, encrypted versions of their passwords, dates of birth, email addresses, billing addresses, and partial credit card numbers exposed.  Some of the passwords that were exposed were decrypted.  Cryptic Studios reset all customer passwords that could have been affected after discovering the breach by performing security analysis. Anyone who uses the same password and email combination for other accounts is encouraged to change their password for those accounts as well. 

550 (No SSNs or financial information reported)

The city where the breach took place was not reported.

The theft of sensitive documents from an Oregon State Hospital supervisor's car resulted in the exposure of patient information.  On Friday, April 13, a printed list of 550 hospital patients that included names, treating physicians, hospital identification numbers, and geographic information was stolen. Additionally, progress notes for 20 patients were stolen that included patient dates of birth, diagnoses, and other information.  It is not clear if patients who visited either the Salem Oregon State Hospital or the Portland Oregon State Hospital were affected by the breach.

7,000 (No SSNs or financial information reported)

Those with questions may call (855) 834-1606.

The University of Houston College of Optometry became aware that one of their computers was infected with a virus on February 23, 2012.  The person responsible for the breach may have been able to access the information for 24 hours.  Patient records dating between January 2006 and February 13, 2012 could be accessed from the computer.  Patient names, phone numbers, addresses, dates of birth, insurance information, future appointments, current medications, diagnoses, treatment information, vision test results, vision history information, letters from referring doctors, costs of medical services or goods, method of payment, occupation/job, gender, and languages spoken were in the patient records.

721

I man found medical records stacked in a bag in a closet while checking for financial records in the home of his estranged wife. The records date from 2003 to 2007 and involve the information of patients of Sheppard Air Force Base's 82nd Medical Group.  Names, Social Security numbers, addresses, phone numbers, and in some cases, patient diagnoses were on the documents.

Unknown

A physician's laptop was stolen from her husband's car.  The laptop contained patient names, Social Security numbers, dates of birth, phone numbers, and addresses. The laptop was not encrypted.  

Unknown

A Naugatuck Valley Community College instructor used patient X-rays from St. Mary's Hospital to teach radiology technology.  The instructor obtained the X-rays by using his Saint Mary's employee login to access medical records.  The X-rays were used without permission and contained patient names, dates of birth, and physician notes.  The instructor told students not to disclose the practice.

7,000 (No SSNs or financial information reported)

A UAMS physician sent financial data to an individual who was not a member of UAMS's workforce in February of 2012.  Patient identifiers had not been removed from the data and UAMS learned of the error on April 6.  Patients of interventional radiology seen at UAMS between 2009 and 2011 had their names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, charges, and payments exposed.

Unknown

An office burglary that occurred on or around February 19 resulted in the theft of medications and a computer.  The computer contained patient names, Social Security numbers, and dates of birth. It is unclear if the computer was encrypted.  The total number of patients affected and all types of information exposed are also unclear.

Unknown

The location listed is that of Under Armour's headquarters.

A flash drive that contained Under Armour employee payroll information was lost by PricewaterhouseCoopers.  The information was being transmitted via mail for auditing purposes and went missing on or around April 12. Employee names, Social Security numbers, and salary information could have been exposed. it is unclear how many people were affected in the U.S. Under Armour employs 5,400 people worldwide.

Unknown

An April 12, 2012 office burglary resulted in the theft of a laptop with sensitive information. The computer assigned to the receptionist was stolen and contained a spreadsheet with client name, client status (active, discharged, etc.), internal client identification number, date of birth, and assigned staff person.  However the document was not labeled as a D.A.P. document. If someone saw the spreadsheet by itself they would not know it was linked to D.A.P.

Unknown

Those with questions may call 1-888-278-5515.

An unauthorized person or persons was able to access electronically-stored information relevant to BullMarket.com.  User names, credit card information, billing addresses, email addresses, and/or login information were compromised.  The breach occurred sometime between April 3 and April 7, 2012 and was discovered on April 11. Information as recent as June 2005 may have been exposed, but users with recent information appear to have not been affected.

228,435 (Unknown number of SSNs involved)

Those with questions may call 888-829-6561 or visit www.myscmedicaid.org.

An employee was fired and arrested after he sent the names, addresses, phone numbers, and dates of birth of Medicaid patients to his private email.  It was discovered that he had compiled and emailed the information of South Carolina Medicaid patients over a period of several months. He was charged with five misdemeanor counts of violating the confidentiality of medical indigents and one count of disclosing confidential information.  At least 22,600 patients had their Medicaid ID numbers emailed. It is unclear how many of those patients had their Social Security number used in place of a Medicaid ID number. Patients were warned not to give any personal information to anyone contacting them and claiming to be from the Medicaid agency.

Unknown

On March 23, 2012, an employee sent an unencrypted document to the personal emails of herself and her son.  The document contained the first names of customers and their Social security numbers.  Cigna became aware of the incident on March 27 and took immediate action.  The employee claimed that she had sent the document to obtain help with work from her son. She confirmed that both she and her son had deleted the email and was fired.

315,000 (228,000 SSNs reported)

Patients with questions may call the Emory Healthcare Support Center hotline at 1-855-205-6950.

Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital.  The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012.  The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information.  Patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and Emory Clinic Ambulatory Surgery Center between September of 1990 and April of 2007 were affected.

700 (No SSNs or financial information reported)

A candidate for student body president was accused of tampering with University computers in order to access student ID numbers and passwords.  The information could have been used to alter election results.  The University isolated and monitored the compromised accounts and rescheduled the election.  The student was arrested in March on suspicion of election fraud, identity theft, and unlawful access to a computer.  The student was released and no chargers were filed.

UPDATE (4/20/2012): The student was first arrested after allegedly being caught with a password stealing device at a campus computer.

Unknown

Patients in Prescott, Arizona may have also been affected.

Phoenix Cardiac Surgery inadvertently posted the clinical and surgical appointments of patients on an Internet-based calendar that was publicly accessible.  The error went unnoticed for an unspecified amount of time.  The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated the error and determined that Phoenix Cardiac Surgery had a number of Health Insurance Portability and Accountability Act (HIPAA) violations.  Phoenix Cardiac Surgery agreed to pay HHS a settlement totalling $100,000 and to comply with HIPAA. The resolution agreement can be found here.

258 (No SSNs or financial information reported)

A Virginia Military Institute (VMI) administrator emailed a spreadsheet with the grade point average of every member of VMI's senior class to the VMI student president.  The email should have only contained an attachment with the names and hometowns of potential 2012 graduates.  The second attachment was not only emailed to the student president, but was then forwarded to 258 senior students before the student president and VMI administration realized the mistake.

Unknown

Someone managed to install malware on a Ruby's computer system.  Customer credit and debit card information was obtained and used to make fraudulent purchases across the United States and internationally.  The breach may have occurred as early as December 2011.  

Unknown

A hacker or hackers accessed information from the Berrien County Sheriff's Department.  An unspecified number of people had unspecified types of information posted online.

4,000

Alumni who graduated before 1985 and requested copies of their transcripts may have been affected by a breach involving accidental disclosure.  Certain alumni had their names, Social Security numbers, addresses, and telephone numbers in an electronic file that was emailed to an individual who would not normally have access to such information.  The person who received the email notified the University.

UPDATE (5/03/2012): This breach was erroneously listed as occurring in Corpus Christi, Texas on this site. The breach affected those who were associated with Texas A&M University in College Station, Texas.

56

A former manager was indicted for stealing the identities of patients.  He faces a 48-count indictment alleging grand larceny in the third degree, identity theft in the second degree, offering a false instrument for filing in the first degree, and possession of a forged instrument in the second degree.  He allegedly used the names and Social Security numbers of patients to e-file fraudulent tax returns and obtain over $200,000 in federal, New York, and New Jersey tax refunds. The scam occurred in 2006 and 2007. It was not discovered until recently since those who were affected were unable to work with investigators.  

The manager was convicted for similar crimes in the past.  He used the information of a deceased and developmentally disabled individual from a Nassau County group home to obtain a fraudulent debit card and was also arrested for credit card fraud near Atlanta, Georgia.

9,500

Patients with questions may call (877) 643-2062.

On January 27, 2012, MHS learned that at least one employee may have accessed patient information in order to receive fraudulent tax returns.  A second employee was later identified and both employees were terminated.  Patient names, Social Security numbers, and dates of birth may have been accessed between 2011 and early 2012.  Medical information was not involved. Law enforcement requested that MHS delay notifying patients.  ON April 12, 2012, letters were mailed to patients who may have been affected.

Unknown

A concerned citizen found a box of sensitive medical documents in a dumpster and contacted a local news team.  The box contained hundreds of documents that included copies of driver's licenses, prescriptions, signatures, and other patient information.  The box was removed by Indiana University Medical Group before investigators arrived.  Indiana University Medical Group claimed that the information was accidentally discarded rather than shredded. The documents were properly disposed after being collected.

Unknown

Computer equipment that contained patient insurance information was taken during an office burglary.

87,667 

Two campus computers were determined to have been infected by malware.  The breach occurred when a faculty or staff member opened an email that contained a virus.  The virus was immediately detected.  Faculty, staff, and students affiliated with the school between the early 1990's and the day of the breach may have had their names, Social Security numbers, dates of birth, and addresses exposed.  Housatonic's president acknowledged that the cost of handling the breach could be as much as $500,000.

Unknown

A foreign hacker accessed the information of guests who stayed at the hotel between May 21, 2011 and March 10, 2012.  An unspecified number of credit and debit card numbers with corresponding names were accessed, but their associated PINs were not compromised. 

Unknown

The city in which this breach occured was not reported.

Owners of a mini-storage business discovered that Associated Surveyors had abandoned sensitive information.  The rent on the storage space had not been paid for over a year and Associated Surveyors and the items in the space were set to be auctioned off. The mini-storage owners decided to properly dispose of the documents in the unit when they found Social Security numbers, Social Security card applications, checks, bank account numbers, tax return forms, and copies of other documents with sensitive personal information.  

950

100 current and or former patients of North Shore Universitiy Hospital in Manhasset, New York were affected. Many more people who were not associated with the hospital were also affected.

A licensed nurse who may or may not have been affiliated with North Shore University Hospital was indicted for identity theft and possessing computer data from North Shore containing information on over 900 people.  It is unclear when the breach that allowed the nurse and an accomplice to access the information first occurred.  Social Security numbers, dates of birth, addresses, phone numbers, medical record numbers, insurance information, and medical histories could have been accessed.  North Shore University Hospital notified 50 patients of a potential breach in 2011 and may have experienced a separate system breach in early January of 2012.  

Unknown

On March 23, 2012, X-Rite learned that a database server had been attacked by a malicious third party.  The names, contact information, and credit card information of customers who made purchases on X-Rite's website pantone.com may have been exposed.  

7,561 (No SSNs or financial information reported)

A computer mailing error caused Seton member Medicaid health plan cards to be sent to incorrect addresses.  The cards were mailed by Seton's vendor HealthLOGIX on March 9. Seton became aware of the breach when members began calling about receiving the incorrect cards a week after the mistake.  Seton Health Plan members enrolled in the STAR/Medicaid plan were affected and may have had their names and dates of birth exposed.

600

Affected patients may call (877)-309-0186.

Law enforcement informed TJUH management that sensitive documents had been recovered during an investigation.  Radiology registration documents with patient names, Social Security numbers, addresses, home phone numbers, work phone numbers, dates of birth, TJUH account numbers, TJUH medical record numbers, insurance information, emergency contact information, and special radiology studies performed had been stolen from TJUH.  It is unclear when the theft occurred.  Patients who received services between February 4 and March 22, 2005 were affected.  

600

The campus theft of two university-issued laptops resulted in the exposure of alumni information.  Though University policy required data security measures, the laptops were not encrypted and did not have a program installed that would allow sensitive information to be deleted remotely.  Master's of arts and bachelor's of arts alumni from 1987 through the date of the theft were affected.  

1,000

Those with questions may email security@reuseit.com

A hacker or hackers were able to intercept customer information online between August 22 and September 28 of 2011.  Customers who were affected may have had their login, password, and credit card information obtained.  Anyone who used the same login and password combination for reuseit.com and other websites should change their password.  

Unknown

Two masked men stole several bags of documents and records from a state courier truck outside the Lawrence Registry of Motor Vehicle (RMV) branch on Wednesday April 4.  However, the trash included records from the Wilmington branch of the RMV. Registration transactions, duplicate titles, crash reports, citation payments, rebate requests, and municipal parking records from transactions that occurred between Friday March, 30 and Monday, April 2 were stolen.

780,000 (280,000 SSNs)

Utah Medicaid clients have had their information exposed by a hack of an improperly protected Utah Department of Health computer server.  The breach was discovered when an unusual amount of data was found to be streaming out of the server on April 2. Medicaid clients who had not had their Social Security numbers transitioned into the system had their Social Security numbers exposed.  A majority of the affected individuals had medical claims, dates of birth, addresses, physicians' names, and other forms of medical information exposed, but not Social Security numbers. Two out of three of those who were affected were children.  The cost of working with the credit-reporting company Experian to contain the breach is estimated to be $460,000.

UPDATE (4/10/2012): Though the number of affected individuals was originally reported as 181,604 with 25,096 Social Security numbers exposed, Utah Department of Health reported that nearly 280,000 people had their Social Security numbers exposed by the breach.  An additional 500,000 victims did not have their Social Security numbers exposed, but had some form of personal information such as date of birth, name, and address exposed. People who visited a health care provider in the past four months is likely to have been affected by the breach.

UPDATE (5/15/2012): The governor of Utah fired the Director of the Department of Technology Services and appointed a new employee, an ombudsman, to shepherd victims through the process of protecting their identities and credit.  Two other members of the technology services department are under review.  The vulnerability that caused the breach was partly, if not fully, due to failure to change a default password. Additionally, data will now be encrypted while it is on Utah servers as well as when it is in transit.

40 (No SSNs or financial information reported)

A hacker or hackers accessed information from the University of California Riverside.  A total of 40 email addresses and corresponding passwords were posted online.

35,959 (No SSNs or financial information reported)

No city was listed for this breach.

A hacker or hackers posted 35,959 usernames, email addresses, and passwords online.

Unknown

On February 15, 2012, Union Bank discovered that a former contractor kept proprietary bank data in his possession after leaving the company on January 31, 2012.  The bank data included some customer information such as names, account numbers, home addresses, phone numbers, and email addresses.

442 (No SSNs or financial information reported)

An administrative error resulted in recently admitted students receiving an email with the information of all recently admitted students.  Student names, addresses, grades, LSAT scores, race, scholarship amount, and other types of personal information were available in the email attachment. No Social Security numbers or dates of birth were in the emailed spreadsheet.  Students were encouraged to treat the data with the confidentiality of a lawyer and immediately delete the email.  

300

Investigators determined that a breach must have occurred at the grocery store Glenwood IGA after nearly 300 people reported fraudulent charges on their credit cards. The credit card fraud began in early February and unauthorized purchase attempts were made across the globe. The method of the breach is not clear. 

Unknown

On March 6, 2012, an investigation confirmed that an employee of an unnamed State Farm office may have used customer information in an inappropriate manner.  An unknown number of customers may have had their names, addresses, credit card numbers, and Social Security numbers misused by the dishonest employee.

3,657 (No SSNs or financial information reported)

A hacker or hackers posted the login information of two website administrators.  The information of 8 job users was posted, as well as an additional 3,647 usernames, passwords, and emails. Anyone who used the same username, password, and/or email combination for other sites is encouraged to change them immediately.

687 (No SSNs or financial information reported)

A hacker or hackers posted the information of users online.  It is unclear if this is related to an identical incident that occurred on October 23, 2011.

Unknown

On or around March 6, a spreadsheet containing the names and contact information of active and retired Local 522 members was sent by a Local 522 employee to the Sacramento Central Labor Council (CLC).  The spreadsheet contained member Social Security numbers, but was only supposed to provide member mailing addresses.  The email did not stop at CLC and was forwarded to Capitol Mailing, Inc.  The mistake was discovered on March 23 after Local 522 members received mailing labels that displayed their Social Security numbers.  

Unknown

The San Francisco Head Start/Early Head Start database was accessed by one or more unauthorized parties between August 2011 and November 2011.  Names, Social Security numbers, addresses, contact information, health data, dates of birth, and other personal information may have been exposed.  Head Start claimed that the delay in notification of the breach was due to an ongoing law enforcement investigation.  It is unclear how San Francisco State University was involved.

Unknown

Opening Ceremony discovered that an inadvertent breach of security resulted in the exposure of customer names, addresses, credit card numbers, credit card expiration dates, and credit card security codes.  The breach was discovered sometime in March and first occurred on or around February 16, 2012.

UPDATE (5/11/2012): The breach lasted between February 16 and March 21 of 2012. Malware was discovered on the website on March 21.  Affected customers were mailed notification letters on May 4.  Either the credit card information was stored in an unencrypted format on the site in violation of Payment Card Industry Data Security Standard (PCI-DSS) practices, or a hacker was able to place something on the site to get credit card information after it was transmitted. It is more likely that Open Ceremony, an online clothing retailer, was not in compliance with PCI.

Unknown

A storeroom window at Saint Joseph's HealthCare Clinical Laboratory (HCCL) was discovered broken on February 2, 2012.  Two storage boxes containing HCCL lab requisition forms were missing from the center.  People who received laboratory services between October 24, 2011 and November 18, 2011, between December 13, 2012 and January 5, 2012, and also between January 17, 2012 and January 31, 2012, may have had their names, Social Security numbers, phone numbers, addresses, and insurance information exposed.

UPDATE (4/26/2012): At least 700 patients were affected.  Two boxes were discovered missing immediately after the robbery and a third was discovered missing on March 16.

7,000,000

Global Payments discovered a massive breach of their systems in early March 2012.  Global Payments processes credit and debit cards for banks and merchants and a number of credit and debit cards issued to businesses were determined to be compromised.  The breach was discovered when Global Payments' security systems detected unusual activity.

UPDATE (4/2/2012): Global Payments created a breach information website for consumers. Global Payments claimed that only a few of their North American servers were affected by the breach.  They also claimed that around 1.5 million users had Track 2 data (card expiration date and credit card number) exposed. Media reports that up to 10 million consumers had their names, addresses, and Social Security numbers credit exposed were denied by Global Payments.  Visa has removed Global Payments from their list of compliant service providers as a result of the breach.  

UPDATE (4/5/2012): The breach occurred sometime between January 21 and February 25 of 2012.  Fraudulent activity has already been detected on around 800 cards.

UPDATE (5/1/2012): It appears that a hacker or hackers were first able to access Global Payments Inc. in June of 2011.  Global Payments revised their initial estimate and believe that card holders and banks were affected at least as far back as June 2011. This could mean that at least seven million card accounts are vulnerable.

800,000

The location listed is that of IBM's headquarters.

On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss.  Names, Social Security numbers, addresses, driver's licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.  

34,503 

The January 27 theft of a laptop from a former contractor's vehicle resulted in the loss of patient information.  The patient files included Social Security numbers, names, addresses, identification numbers, medical record numbers, dates of birth, admission dates, diagnosis-related information, and discharge dates. The majority of those affected were patients who were treated at the Hospital between December 2010 and October 2011.  Some patients who received treatment as far back as 2007 were also affected. The patient files had been downloaded onto the contractor's personal laptop in violation of the Hospital's policy. The contractor stopped working for the hospital in December of 2011.

1,000

A woman found over 1,000 detailed abortion records in a dumpster when she went to dump her recycling near a local elementary school.  The records included names, Social Security numbers, birth dates, telephone numbers, emergency family contacts, patient health histories, number of children, term of pregnancies, number of previous abortions, reasons for failing to go through with the abortion procedures, and fees paid for the procedures. Many of the records were from 2001 and 2002.  The physician who ran the practice admitted to dumping the records without attempting to properly destroy them.  His clinic had closed in 2005 after he lost his medical license.  The county district attorney commented that he will most likely not pursue a criminal case against the former physician.

171,000 (No SSNs or financial information reported)

Hackers affiliated with LulzSec (Reborn) claimed responsibility for revealing a database of militarysingles.com names, usernames, email addresses, IP addresses, and passwords on the Internet.  People who used their same email and password combination for Militarysingles.com and other sites are encouraged to change their passwords. Militarysingles.com is owned by ESingles, Inc.  An ESingles executive claimed that no evidence of an attack had been found as of March 28; however, a number of sources revealed that they could download and decrypt sensitive information by following a Twitter announcement.

UPDATE (3/28/2012): ESingles released a statement claiming that a thorough investigation revealed that the database had not been hacked. A discrepancy between the number of users in the militarysingles.com database, the use of encrypted user passwords, and the fact that the website was already scheduled to be down for maintenance during the time the hackers claimed to have taken it down led ESingles to this conclusion.

3,500 (No SSNs or financial information reported)

People who were members of Tufts Health Plan received letters meant for other members.  A programming error caused the addresses of members to be incorrect.  Names, medical conditions, and medications were exposed.

100

A man stole 100 debit and credit cards, some bottles of alcohol, and cash from the office of a bar called Pure. The thief managed to use one of the stolen cards at a convenience store before being caught for a separate incident involving robbery by assault. Cameras showed that the man had entered through a ventilation shaft connected to the bar's office.

Unknown

An H&R Block office manager was caught wearing a disguise near the ATMs of three banks. The employee's vehicle was searched and contained $2,960 in cash, and client records with dates of birth, names, and Social Security numbers. A total of $6,900 cash, H&R Block Emerald Cards, and the personal information of additional people were found at the home of the employee's girlfriend. The number of fraudulent tax returns, victims, and years the employee worked for H&R Block were not revealed.

Unknown

A hacker was able to access the names, mailing addresses, email addresses, dates of birth, usernames, passwords, phone numbers, and credit card details of customers.  The breach occurred and was detected on Sunday, March 25.  Manhattan Prep removed all credit card information previously associated with compromised customer accounts from their database.  Customer account passwords were automatically reset.  Customers were also encouraged to change any passwords that were used for both Manhattan Prep and other accounts.  

Unknown

Employees of Lake Worth School District received email notification of a possible computer security breach.  It appears that a former employee may have accessed the personal information of employees and could have misused it.  It is unclear if a breach actually occurred. It is also unclear how the former employee may have compromised the district's computer system.

3,100 (No SSNs or financial information reported)

Three computers were stolen on December 30, 2011.  One of the computers contained the protected health information of patients.  

11,646 (no SSNs or financial information reported)

The unauthorized disclosure of paper records sometime around December 22, 2011 may have resulted in the exposure of protected health information.  

1,444 (No SSNs or financial information reported)

The unauthorized disclosure of paper records may have resulted in the exposure of the protected health information of people associated with Department of Medical Assistance Services (DMAS). The incident related to DMAS's relationship with Affiliated Computer Services (ACS) and occurred sometime between November 2, 2011 and November 16, 2011. 

1,287 (No SSNs or financial information reported)

The location of the breach is listed as Medco's main office in New Jersey.

The unauthorized disclosure of paper records on November 30, 2011 may have resulted in the exposure of protected health information.  

20,000 (No SSNs or financial information reported)

The February 11, 2012 theft of a laptop resulted in the exposure of protected health information.

1,300 (No SSNs or financial information reported)

The theft of a laptop on or around November 10, 2011 may have resulted in the exposure of protected health information.  It is unclear if this incident is related to a December 29, 2011 incident that also resulted in the theft of a laptop that contained protected health information.

728 (No SSNs or financial information reported)

The December 29, 2011 theft of a laptop may have resulted in the exposure of protected health information.  It is unclear if this incident is related to a November 10, 2011 theft of a laptop that contained protected health information.

1,526 (No SSNs or financial information reported)

A technician's USB thumb drive with patient information was misplaced at Georgetown University Hospital.  People who were associated with the Department of Laboratory Medicine and visited the Hospital between September of 2004 and September of 2009 may have had their names, medical record numbers, dates of birth, blood types, dates of blood tests, blood test results, summary of clinical histories, and clinician names exposed. The thumb drive was last seen on September 9, 2011, and was discovered missing on the morning of September 14, 2011.

200

Police officers discovered a large number of credit card receipts and other items during a traffic stop in June of 2011.  The driver was then arrested and admitted to using stolen credit card receipts from Comfort Inn & Suites to make fraudulent credit cards.  He had stolen around 500 receipts and successfully used two counterfeit credit cards.  He was sentenced to five years and 10 months in federal prison and ordered to pay $3,606 in restitution.

1,000

An employee of Wayne County's personnel department accidentally sent an email with a sensitive attachment.  People who were members of AFSCME Locals 25, 409, 1659, and 3309 received an email about health insurance with employee names, ID numbers, Social Security numbers, dates of birth, addresses, and other information available in an attached file.  The mistake was noticed immediately and a follow-up email was sent with instructions to destroy the previous email.

UPDATE (4/16/2012): About 1,300 union members received the email and it contained the information of over 1,000 employees.

3,000

The city of Providence accidentally provided the Social Security numbers of almost 3,000 former employees when releasing information for a public records request.  GoLocalProv filed an Access to Public Records Act request in order to obtain information about pension recipients in Providence.  The city's legal team responded by emailing a .pdf file with retiree names, dates of retirement, dates for cost-of-living-adjustments, and monthly pension received each month.  Social security numbers and employee identification numbers were displayed as redacted in the document, but could easily be read when the .pdf file was expanded or when the highlight color of the document was changed to a light color.

30,000

Someone purchased a hard drive in September of 2011 and immediately notified law enforcement that it contained confidential information.  The external hard drive did not come from a Kaiser Permanente office.  It contained employee data that was as recent as 2009.  Current and former employees may have had their names, Social Security numbers, dates of birth, and addresses exposed. There is no evidence that the information from the hard drive was used for illegal purposes as of March of 2012.

UPDATE (3/22/2012): The external hard drive was purchased at a thrift store.  Phone numbers, pay stubs, COBRA Error, Trust Fund Paid Hours, or Fidelity Savings Plan Deduction reports may have also been on the hard drive.

UPDATE (4/16/2012): At least one source lists the total number of affected current and former employees as 30,000.

Unknown

A security company searching the web for sensitive data uncovered personally identifiable information from IndyMac Bank and Indy Mac Resources employees, and possibly others associated with the firms.  IndyMac Bank failed sometime around July of 2008.  The information is related to IndyMac employee pension benefits analysis and appears to have been placed on a public web server by an employee of a contractor for IndyMac.  People who were employed by either IndyMac firm between January 1, 1999 and January 1, 2005 had their names, Social Security numbers, dates of birth, earnings, hire dates, and other employment related information exposed.  It was available as early as January of 2007 and as recently as December of 2011.  

2,300

The theft of a company-issued laptop from an employee's car resulted in the exposure of sensitive information.  The laptop was stolen from the employee's car while it was at home and contained the names, Social Security numbers, races, national origins, genders, dates of birth, contact information, college affiliations, grade-point averages, and other information of employees.  The hard drive was not encrypted.  The Kennedy Space Center had planned to have all hard drives encrypted by September 2012 prior to the breach.

Unknown

Two laptops with member information were stolen during an office burglary. Financial and other administrative information were also on the laptops. The laptops did not contain any patient information. It is unclear if the theft of the equipment was politically motivated.

UPDATE (3/26/2012): The breach appears to have been politically motivated.  Two other OB-GYNs had laptops stolen from their offices after speaking out against a controversial Georgia bill.

125 (No SSNs or financial information reported)

A thief or thieves entered Huntsville Hospital and impersonated a vendor in order to collect old barrels of X-rays.  Thieves commonly use this tactic to obtain X-rays.  The X-rays are then stripped for silver.  The X-rays contained patient names, dates of birth, and medical records.  There were over 1,000 X-rays, but only 125 to 175 patients were affected.

30,000

A server management error caused files containing sensitive information to be made publicly accessible between July of 2011 and the breach's discovery on March 13, 2012.  A classroom exercise revealed that the information was compromised and the University of Tampa's IT office was immediately informed of the discovery.  The University of Tampa then notified Google and asked that the cached file be removed from the search engine.

One file included 6,818 records of students who attended in Fall of 2011.  Two other files contained the information of an additional 29,540 people and included University ID numbers, names, Social Security numbers, and photos.  Some people also had their dates of birth exposed.The IT office at the University of Tampa concluded that the files had only been accessed by the people who reported the breach.

UPDATE (3/22/2012): Additionally, 22,722 current and former faculty, staff, and students who were associated with the University between January 29, 2000 and July 11, 2011 may have had their information exposed. The IT office confirmed that these files had only been accessed by University insiders as well. The University will not cover the cost of credit monitoring services for those who were affected.

Unknown

An employee of another company discovered a security issue in Oink.  Oink is a "rate everything" application from mobile application developer Milk Inc.  The security issue allowed anyone to download personal information of another Oink user by entering another person's username.  Folders with associated email addresses, photos, and other user site information may have been exposed. Oink shutdown and the employees of Milk Inc. joined Google for a new project shortly after the issue was discovered.

513 (No SSNs or financial information reported)

Those with questions may email privacy@georgiahealth.edu.

A laptop was stolen from the home of a nurse on January 18, 2012.  It contained the names, dates of birth, partial diagnosis information, and internal codes associated with patients' laboratory tests.  The information is from patients of the Adult Sickle Cell Clinic.  

Unknown

Edmund Optics identified suspicious activity on their website on February 26, 2012.  It was determined that a security breach had occurred and that some customer accounts had been compromised.  The breach most likely occurred on February 8 and resulted in the theft of some customers' credit card information. The website was secured and preventative measures were increased.  

Unknown

RJL Insurance Services became aware of a vulnerability in its computer network that may have resulted in the exposure of some electronic files.  The information was secured, but some RJL files were accessible for a period of two weeks in late September and early October of 2011.  Client names, Social Security numbers, driver's license numbers, and medical conditions may have been exposed.  

5,700

The personal information of students was accidentally sent in an email attachment as a response to a request for data.  The mistake was noticed immediately and all copies of the file were removed from the system of the party requesting data.  Student names, addresses, and Social Security numbers were exposed. Humboldt State University warned students to be vigilant about phishing, but stated that it is unlikely the data was misused.

1,300 (No SSNs or financial information reported)

A staff member of the University Advisement Center at BYU accidentally included a complete list of international student names, email addresses, phone numbers, and student ID numbers in an email notification about a career workshop.  BYU immediately apologized for the error and noted that all of the student information except for student ID numbers could easily be found in the BYU directory.

14,000

An office burglary on New Year's Eve 2011 resulted in the loss of hardware that contained sensitive personal information.  The full names, addresses, Social Security numbers, and medical information of clients were on the hardware.  Impairment Resources notified patients in February and then filed for bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy.

480 (No SSNs or financial information reported)

An office burglary in October of 2011 resulted in the theft of a laptop and other items.  The laptop contained the information of current and former patients. It is unclear what type of information the laptop contained.  A widespread notification of the breach was released in March after many patients could not be reached by mail.

282

A dishonest McDonald's employee confessed to using a handheld skimming device for three weeks to capture drive-thru customer credit and debit card numbers. He then passed the information along to others who used the numbers to produce fraudulent cards and make purchases.  A total of 282 card numbers were discovered on a suspect's laptop.

647 (No SSNs or financial information reported)

No city was reported for this breach.

A hacker or hackers posted email addresses, passwords, and usernames online.  Members of similar online forums recommended that users change their passwords for other sites since members often use the same email address, password, and username combination for multiple sites.

434 (No SSNs or financial information reported)

A hacker or hackers posted 434 usernames and corresponding passwords, as well as email addresses online.

1,000

A woman found thousands of WIC applications in a dumpster.  Around 1,000 documents were originally reported in the dumpster.  Additional documents were discovered when a local news team joined the woman at the dumpster a few days later. The applications included copies of drivers licenses, Social Security numbers, medical information, and many other types of sensitive information.  An employee of the state agency said that the forms would normally be properly shredded, but were thrown out in a hurry without being checked.

184 (No SSNs or financial information reported)

Someone accessed student information and posted it on Twitter @LindenLeaks.  The information was from the Fall 2011 semester and included grades, majors, phone numbers, and email addresses.  The account was eventually deleted from Twitter.  The person who originally posted the information online commented that the document had been downloaded nearly 140 times since being posted.

100

A payment drop box was broken into sometime during the weekend of March 5. Customers who used the box around that time may have had their banking institution information, check account numbers, addresses, names, phone numbers, and driver's license numbers stolen.  PG&E will change the account numbers and passwords of customers who had their information stolen.

30 (No SSNs or financial information reported)

The city of the breach was not reported.

A hacker or hackers posted 30 names, telephone numbers, email addresses, and corresponding passwords online.  

72,794 (44,663 credit card numbers obtained)

A group of hackers accessed customer details, credit card numbers, and administrator information.  At least a) 28 administrator names, usernames, email addresses, and encrypted passwords, b) 85 affiliate usernames, plaintext passwords, c) 100 user email addresses, usernames, and plaintext passwords, and d) 82 .gov and .mil email addresses and plaintext passwords were posted. The hackers criticized the ease of obtaining the credit card numbers, expiration dates, cvvs, and customer billing addresses which were all in plain text.  The hackers chose not to post customer credit card numbers.

1,500 (No SSNs or financial information reported)

Concerned patients may call 1-877-800-5530 or contact KMC by email at breachinfo@kernmedctr.com.

A resident physician printed out the records of 1,500 patients for research purposes.  The paper records were stored in a computer bag and the bag was stolen from the physician's car on February 25.  The records contained names, health information, and test results. They may have also contained the insurance information of some patients.

UPDATE (4/20/2012): Medical record numbers, dates of treatments, diagnoses sites, cocci clinical numbers, and test results for HIV, AIDS, Hepatitis, and pregnancy may have also been exposed.

250 (No SSNs or financial information reported)

A hacker or hackers posted administrator usernames and corresponding passwords, as well as the email addresses of 250 state and Plainfield employees online.  Some of the information included addresses, phone numbers, and email passwords, and some information was from employee contacts. 

31 (No SSNs or financial aid reported)

A team of hackers revealed that they had attacked the University of Washington's system with multiple SQL injections.  The first one was detected and fixed by the University of Washington, but a second one went unnoticed.  The team of hackers released 31 login and password combinations from a user database and 25 WordPress user login, password, and email address combinations.  The attack comes a few weeks after a hacker identified nearly 20 university systems that were vulnerable to SQLi attacks.

Unknown

This breach was covered by the media and notifications of this breach were sent in 2009.

A former worker for the Miami-Dade school board misused student information.  The dishonest employee worked as a clerk and accessed the student information for the purpose of obtaining fraudulent credit cards with her boyfriend. An unknown number of student Social Security numbers were accessed and used.  She was caught in the act of stealing the Social Security numbers in 2009.

Unknown

The media covered this breach sometime in 2011.

Divine Sports marketed itself as a non-profit that tutored at-risk youth.  It appears that the owner of the company billed the Miami-Dade School District for hours of tutoring that never occurred. The company even created reports for students that did not exist by using the information of real students.  Hundreds of thousands of dollars may have been fraudulently obtained over multiple years. The fraud was discovered in 2010.  Divine is located in multiple states and the corporate office denied any control over the day-to-day operations of Divine Sports in Miami.

Unknown

Those with questions may visit http://www.jjtwomeymd.com/index.htm

An office burglary that occurred sometime during the weekend of December 31, 2011 resulted in the theft of an external hard drive.  The hard drive contained patient names, addresses, medical conditions, and diagnoses.  The hard drive also held an unspecified number of patient Social Security numbers and dates of birth.

445

Concerned patients may call 1-855-755-8482 and dial 42250 22112 when asked to enter a reference code.

On September 26, 2011, Hackensack University Medical Center became aware that a dishonest employee had accessed patient information prior to September 1, 2011.  A former employee working as a clerk took confidential patient files from an outpatient clinic.  The files contained names, Social Security numbers, addresses, dates of birth, driver's license numbers, health insurance cards, and other insurance information.  No medical records were taken.

1,000 (No SSNs or financial information reported)

An employee of BCBS North Carolina accidentally sent an email that revealed the email addresses of all customers who received the email.  Customers received the email as notification of changes to their billing cycle on Wednesday, February 29.  The employee error meant that anyone who received the email could then send unwanted messages referencing BCBS or unrelated content to other customers who received the email.

Unknown

People who were members of the Transformers Club run by Fun Publications became aware that their credit card information had been compromised. Fun Publications conducted an investigation and determined that their e-commerce database had been compromised sometime around January 31.  Members were encouraged to monitor their credit cards closely and to consider replacing any cards that were used with Fun Publications for event registration, club store purchases, or other purchases. One member who used similar login information for both the Transformers Club and PayPal realized that his PayPal account had been compromised. 

100 (No SSNs or financial information reported)

The FBI is investigating an incident that resulted in the information of over 100 law enforcement officers being posted online.  Hackers obtained the names, addresses, and phone numbers of officers who are part of the Los Angeles County Police Canine Association (LACPCA).  Private emails from officers may have also been obtained.    

2,100

Two hackers claimed responsibility for hacking the website of the city of Springfield, Missouri.  The breach occurred on February 17, and the databases on the server contained over 300,000 entries.  It appears that not all databases were accessed as the total number of citizens affected was reported as 2,100.  Hackers claimed to have acquired 6,071 entries related to the date of birth, weight, height, race, hair color, skin tone, phone number, address, and Social Security number of people listed in online police reports. A total of 15,887 entries related to warrants that included age, date of birth, address, employer, eye color, hair color, race, sex, weight, height, and other details were obtained.  Databases with 1,041 vehicle descriptions from online police reports and details related to 284,618 summons were also obtained.  The hackers posted a significant amount of information, but voluntarily removed any sensitive information that could cause problems for consumers. 

1,182

Documents with names, Social Security numbers, and discharge dates of veterans were discovered unattended in the lobby entrance of Robley Rex VA. An extensive review was conducted by VA officials and they concluded there was no reason to believe any information was misused or that any malicious activity was involved.  Neither the reason for the breach nor the details of the breach discovery were revealed.

50,000

A miscommunication caused AC LME to lose access to servers containing sensitive health information.  An Alamance County employee mistakenly changed a lock on the facility that housed data servers for AC LME.  It appears that AC LME forgot to inform the county that AC LME was extending a contract for server maintenance.  Former consumers of AC LME, including those who became PBH consumers on October 1, 2011, may have had their personal health information stored on these servers. The servers are now in the possession of the county and could contain the names, Social Security numbers, medical record identification numbers, addresses, and diagnoses of AC LME consumers. LME officials have not had access to the server room without being monitored by a county employee or with the forensics team assigned to examine the servers.

276 (No SSNs or financial information reported)

Information from Wallace Community College was posted online by a hacker. The College became aware of the breach after being notified by Databreaches.net.  Eight username, email address, and password combinations were posted in addition to 276 username, password, and full name combinations.  People who used their same email and password combination for Wallace Community and other sites are encouraged to change their passwords.

30

A former Burger King employee used a skimming device to capture customer information.  Customers who used their credit cards at the drive-through during the late-night shift had their information copied, sold, and used to make fraudulent purchases. The dishonest employee, the person who misused the data to create forged credit cards, and two others who made fraudulent purchases were all arrested.  A total of $14,000 in goods were purchased.

Unknown

A steady flow of employees of Weather Shield have been reporting identity theft in the form of fraudulent tax returns. The company, or one of the company's affiliates that had access to employee financial information, must have experienced some type of breach or breaches. Over 60 employees have discovered that someone had already filed and collected their tax returns. Employees experienced the problem for 2010 and 2011 tax returns, but no one has been charged for the crimes.

719

People who had an unclaimed check or refund from the University of Florida had their Social Security numbers posted on Florida's Unclaimed Property website.  The information had been posted in July of 2005 and is from debts prior to that time, but had been posted through January 12, 2012.  The University submitted its Annual Unclaimed Property Report to the Florida State Department of Financial Services.  The state accidentally posted the Social Security numbers in addition to the usual information.  The University of Florida was the only entity affected by the mistake.  Students, employees, and vendors may have been affected.

Unknown

On February 10, 2012, DHI Mortgage became aware that a software security breach by external sources had occurred in its Internet Loan Prequalification System.  DHI Mortgage immediately isolated the affected server, purged certain affected files, and modified the electronic security measures.  People who provided their information online for pre-qualification may have had their names, Social Security numbers, dates of birth, contact information, marital status, employment information, income, asset information, and liability information exposed.

13,800

The theft of two laptops resulted in the exposure of credit union member information. The laptops were stolen on December 21, 2011 and contained names and Social Security numbers, as well as credit card numbers in some cases.

Unknown

Affected patients may call 1 (855) 808-4104.

A hard drive was discovered missing on February 19.  It contained patient personal and medical information related to a bone density machine.  Medical information, names, dates of birth, addresses, medical record numbers, and medications from patients who had bone density scans between November 2005 and January 2012 were exposed.  The hard drive was designed to work with the bone density machine and specialized software would be needed to extract information.

Unknown

Affected patients may call 1 (855) 808-4104.

A hard drive was discovered missing on February 19.  It contained patient personal and medical information related to a bone density machine.  Medical information, names, dates of birth, addresses, medical record numbers, and medications from patients who had bone density scans between November 2005 and January 2012 were exposed.  The hard drive was designed to work with the bone density machine and specialized software would be needed to extract information.

Unknown

Thousands of documents with sensitive information were found in a publicly accessible dumpster. An investigation began on February 20 when officers were alerted to three dumpsters filled with documents dating back to 2005.  The information included Social Security numbers, driver's licenses, phone numbers, and addresses. The landlord of the space leased by Mo' Money appears to have mistakenly cleaned out the office space before Mo' Money's shredding service could access the documents. The IRS is now conducting a federal investigation related to identity theft.

81,000 (No SSNs or financial information reported)

An unsuccessful attempt to access a database was detected by Trident University on November 29, 2011.  It contained usernames and passwords of current and former students.  The attempt appeared to be unsuccessful and no other information was contained in the database.  Trident University offered credit monitoring services despite the belief that the attempt to access non-financial information had been unsuccessful.  

Unknown

BDO was contracted by Rubio's to perform financial auditing services.  A BDO employee accidentally removed one or more CD-ROMs from the office.  The CD-ROM or CD-ROMs contained a list of Rubio's workers' compensation claimants and a list of people who owned equity shares in Rubio's Restaurants, Inc.  The CD-ROM or CD-ROMS appear to have been stolen from the BDO employee's vehicle.  The workers' compensation information contained names, claim numbers, medical status, and date of loss.  The medical status information included the employees' claim for injuries or illnesses.  No Social Security numbers were involved.  The partial equity roll list contained names and Social Security numbers.

18,763

A computer breach in a CCSU Business Office exposed the information of current and former faculty, staff, and student workers.  A Z-Bot virus designed to relay information was discovered on the computer on December 6, 2011.  The computer had been exposed for eight days and only exposed the Social Security numbers of those who were affected. People associated with CCSU as far back as 1998 were affected.

Unknown

Sensitive documents were placed in public trash bags.  The bags were opened and the documents were found scattered across a sidewalk.  Confidential patient records which included names, Social Security numbers, unemployment compensation records, copies of benefits cards, and other patient personal information were exposed. Patients dating back to 2006 were affected. 

31,800 (No SSNs or financial information reported)

Patients from the California hospitals St. Jude Medical Center, Mission Hospital, Santa Rosa Memorial Hospital, Petaluma Valley Hospital, and Queen of the Valley were affected. No single California city is listed as the breach location.

Protected patient information may have been available on the internet for one year.  A patient's attorney contacted St. Jude officials to inform them that the information was available online. The patient health records included names, body mass index, blood pressure, lab results, smoking status, diagnoses lists, medication allergies, and demographic information such as gender, date of birth, language spoken, ethnicity, and race.  The information was removed from online and co no longer be accessed by unauthorized parties.   A total of 6,235 patients from Santa Rosa Memorial Hospital, two from Petaluma Valley Hospital, 4,263 from Queen of the Valley in Napa, and an unknown number of patients form St. Jude Medical Center in Fullerton, and Mission Hospitals in Laguna Beach and Mission Viejo were affected.

350,000

UNC-Charlotte will post information about the breach here.  Those with questions may also call (855) 205-6937.

An online security breach occurred at the UNC-Charlotte campus and was discovered on January 31.  It is unclear how much information could have been accessed. The number of people affected was not revealed.  An email alert was sent to students and staff on February 15 in order to inform them that a "potentially significant data exposure of its Information Systems" had occurred.  The University also stated that it had corrected the known issues related to the breach.

UPDATE (5/09/2012): Around 350,000 people had their Social Security numbers exposed. Financial information was also exposed.  A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the University to be accessible from the Internet. One exposure issue affected general University systems over a period of about three months.  A second exposure issue affected the college of engineering systems for over a decade.

Unknown

Hackers stole credit card information during an attack on Solitude Mountain's credit card system.  The breach was short-lived and a small, but undisclosed number of people saw fraudulent charges on their credit cards.  Anyone who used a credit card at Solitude during the week of February 7 should check their statements for unusual activity.

Unknown

An unknown number of employee Social Security numbers were mistakenly disclosed after the City responded to a Freedom of Information law request.  The Social Security numbers were included along with payroll data to the entity that requested the information.  City officials verified that the information would not be passed on after the breach was discovered.

500

More than 500 patients of Lakeview Medical Center homecare and hospice programs had their personal information exposed by the theft of a laptop.  The laptop was stolen from a car belonging to a Lakeview nurse.  It contained names, Social Security numbers, dates of birth, home addresses, medicare ID numbers, and diagnostic information. It is unclear when the laptop was stolen, but the nurse who was involved no longer works for Lakeview.

Unknown

C.D. Peacock is suing BridgePoint Technologies for faulty IT services.  BridgePoint Technologies was hired in August 2009 and in March of 2010, a breach of C.D. Peacock's virtual private network (VPN) was discovered.  The private network was designed to give remote users access to a centralized network. C.D. Peacock was allegedly advised by BridgePoint Technologies to go around the VPN since it could not be fixed.  Though BridgePoint Technologies allegedly said that this move would be safe, C.D. Peacock experienced a serious security breach almost immediately.  Hackers installed malicious software on its credit card processing system and other network computers in early April 2010.  According to the lawsuit, this allowed hackers to "access the confidential personal data and financial information of" C.D. Peacock customers.  The stolen data was transfered to the hackers' remote system.  The breach was discovered in August of 2010.  BridgePoint Technologies claimed that it had not received a copy of the lawsuit as of February 10, 2012.

6,831

St. Elizabeth's Medical Center became aware of sensitive paperwork that was found exposed miles away from the medical center's Brighton campus.  St. Elizabeth's immediately sent someone to recover the documents.  It is unclear how the documents ended up in the area and a vendor may have been the source of the breach.  The types of information exposed were not revealed.

UPDATE (4/09/12): The total number of patients who were notified is 6,831.  The documents contained billing information such as patient names, hospital account numbers, credit card numbers and security codes.  The breach was discovered when someone saw the credit card payment receipts of at least five patients flying through a field.  There is no evidence that more than five patients were affected, however, it is unclear how those receipts escaped destruction.

Unknown

Receipts, credit card numbers, addresses, phone numbers, and other information were found in an easily accessible dumpster that sat outside the closed fitness center.  A local news station was contacted and followed up on the story.  The dumpster was removed, but it is unclear if the documents were properly disposed. The news story received attention from the attorney general's office and Cardinal Fitness may now face a fine of up to $305,000 for dumping the information.

156 (No SSNs or financial information reported)

No city is listed.  Board members, members, and organization officers live throughout West Virginia. 

A hacker obtained and revealed the home addresses, phone numbers, cellphone numbers, email addresses, and usernames of police officers associated with the West Virginia Chiefs of Police Association. Retired police chiefs, and every current police chief in West Virginia had their information exposed. The hacker was associated with Anonymous.

23 (No SSNs or financial information reported)

Hackers targeted the Dallas Police Department in response to an officer being placed on leave after crashing his vehicle while intoxicated.  A total of 21 full names with employee ID numbers and hire dates, as well as 23 user IDs, email addresses, and passwords were posted online by the hackers.

540 (No SSNs or financial information reported)

No location is listed.  Members from across Wisconsin were affected.  The contact information city is listed as Shawano, Wisconsin.

Three hackers posted an administrative login and password on a public website. A fourth hacker released three logins and password combinations and 540 email addresses. The fourth hacker did not work with the other three hackers, but posted the information on the same day.

Unknown

The office burglary during the weekend of February 4 resulted in the theft of 10 encrypted laptops. The laptops had other safeguards as well as encryption codes. Additional items were stolen. The types of confidential and personal client information that were on the computers were not disclosed, nor was the possible number of people affected.  

9,000 (No SSNs or financial information reported)

An Excel spreadsheet with student names, addresses, dates of birth, and college ID's was listed online on a password-protected website.  The password protection eventually expired and anyone could access the information online.  Valencia College hired an unnamed contractor to create a custom page for prospective students to communicate with the college.  The contractor then hired an unnamed sub-contractor to work on some of the website.The breach can be linked to that unnamed sub-contractor.

17,000 (No SSNs or financial information reported)

Those with questions may call the Lab Management at 1-888-263-0388.

An October 17 office burglary resulted in the theft of a laptop.  The laptop contained patient names, dates of birth, physicians, and diagnosis information.  

11,081 (No SSNs or financial information reported)

An unauthorized disclosure of paper documents occurred on January 31, 2011.  The breach may have affected records that date from September 23, 2009 through October 18, 2011. No further details are available.

1,670 (No SSNs or financial information reported)

The theft of a computer on or aroudn December 1, 2011 resulted in the exposure of personal information.

771 (No SSNs or financial information reported)

A total of 771 patient records may have been exposed as a result of a breach that occurred on November 19, 2011.  No further details were disclosed.

844 (No SSNs or financial information reported)

Patients with questions may call 1-800-722-9608 between December 2011 and March 2012.

A binder containing forms with flu test results for 2011 went missing sometime around December 5, 2011.  It contained the information of patients who received a flu test between January 1, 2011, and December 5, 2011.  patient names, internal hospital department and internal account numbers, gender, medical record numbers, dates of birth, age, dates of tests, and flu test results.  

870

Patients with questions may email privacyoffice@concentra.com or call 1-800-819-5571.

An office burglary resulted in the theft of an unencrypted laptop.  It contained the names, Social Security numbers, and pre-employment work-fitness tests of Concentra patients from the Springfield area.  The Concentra Springfield Medical Center will not encrypt all equipment as a result of this breach. 

2,070 (No SSNs or financial information reported)

A laptop with Triumph client and family member information was stolen on December 13.  The office burglary was committed by three men.  Two of them distracted the receptionist while the third entered a hallway and stole the laptop.  People in Davie, Forsyth, and Stoke counties were affected.  The laptop contained spreadsheets with names, dates of birth, medical record numbers, insurance numbers, and Medicaid numbers.  Notifications went out on February 2 after it was determined that the laptop would most likely not be recovered.

1,073 (No SSNs or financial information reported)

Hackers obtained police officer and non-police related civilian information from the Salt Lake City Police Department.  The attack was in response to a proposed Utah bill that would have criminalized the possession of graffiti tools with the intent to deface property.  The hackers did release the names, phone numbers, usernames, titles, email addresses, and hashed passwords of over 1,000 police officers.  The information of civilians was never released and the hackers eventually deleted their copies.  The never released data was from people who had provided crime tips or other information to the Salt Lake City Police Department.

2,038

A printing error caused thousands of taxpayers to receive 1099-G forms from 2011 with the Social Security number and tax refund of another taxpayer.  The mistake occurred because the company was trying to conserve paper.  The forms were supposed to be cut below a certain point, but the bottom half remained attached.  

100 (Unknown number of financial records and SSNs involved)

Customers who purchased a refurbished Motorola XOOM Wi-Fi tablet from Woot.com between October and December 2011 are encouraged to visit motorola.com/xoomreturn or to call Motorola Mobility Customer Support at 1-800-734-5870 (Option 1) in order to determine if their tablet is affected.

Approximately 100 out of a batch of 6,200 refurbished Motorola XOOM Wi-Fi tablets were sent to new customers without being completely wiped by Motorola.  The affected tablets were resold by Woot.com between October and December 2011.  Previous owners may have stored user names, passwords, email addresses, videos, photographs, and documents on the tablets.  There is also a possibility that any password-protected sites and applications could be accessed by people who bought the device refurbished. Any customers who purchased and returned the tablet between March and October of 2011 are eligible for two-years of paid credit monitoring services if both transactions took place at Amazon.com, Best Buy, BJ's Wholesale, eBay, Office Max, Radio Shack, Sam's Club, Staples, or a few other independent retailers.  Those users are also encouraged to change email passwords, social media passwords, and any passwords used to access sensitive applications on the tablet.  Additionally, customers who purchased the refurbished tablets and discover that there is information from a previous user may mail the device back to Motorola for free, have the device reset, and receive a $100 American Express gift card.

2,000 (No SSNs or financial information reported)

Hackers were able to access patient names, phone numbers, dates of birth, Metro Community Provider Network internal account numbers, and medical conditions through phishing emails sent to several Metro Community Provider Network employees.  Employees received an email that appeared to be from a trusted source and contained a link.  Multiple employees clicked the link, which then asked for their email login information.  The breach was detected on the same day that it occurred, December 5th, 2011.  

50

Over 50 people who ate at Flores' were victims of fraudulent credit card activity.  The damages total nearly $50,000.  Hackers used a computer virus to infiltrate Flores' credit card system in December.  The owner noticed a drop in business of 15 percent after the breach was disclosed.

50

A Staples cashier is accused of using a skimming device to obtain the credit card information of customers.  She is also accused of selling the numbers to another party. A total of $181,000 in fraudulent credit card purchases resulted from the breach. The dishonest employee faces two felonies for criminal possession of a forgery device and first-degree scheme to defraud.  She also faces 50 counts of unlawful possession of personal identification and 50 counts of petite larceny.

Unknown

VeriSign was hacked repeatedly in 2010. The hackers stole undisclosed information.  VeriSign is responsible for the integrity of web addresses ending in.com, .net, and .gov. If hackers were able to obtain certain information, it is possible that .com, .net, and .gov websites could be imitated more easily.  Hackers may be able to direct people to faked website and intercept email from federal employees or corporate executives using the .gov addresses.  VeriSign officials do not believe that the attacks breaches the servers that support the Domain Name System network, but did not reveal many details about the breach.  VeriSign offers a number of services that defend customer websites from attacks and manage website traffic.  VeriSign also researchers international cybercrime groups.  The security staff responded to the attack quickly, but the breach was not disclosed throughout the company until September 2011.

Unknown

A former employee was able to access the Segmark Solutions computer system.  It is unclear if the former employee guessed passwords, used passwords that had not been changed, or used some other method to access the computer system.  He then used credit card information in the system to make fraudulent purchases. Damages caused a total of $7,000.  The former employee was caught after a six-month investigation and charged with second degree computer crime and illegal use of credit cards.

159

Police stopped a high school student and discovered several sheets of papers with student names, dates of birth, and Social Security numbers in a vehicle.  It is unclear how the student obtained the printout and she is accused of using the information to file fraudulent federal income tax returns.  

Unknown

The personal information of current and former Regions employees was lost in November after an auditor from Ernst & Young mailed a flash drive and decryption code. The envelope arrived with the decryption code, but no flash drive. The data included information related to 401k retirement plans.  Names, Social Security numbers, and possibly dates of birth were on the flash drive.  Regions employs about 27,000 people in 16 states.

1,219 (No SSNs or financial information reported)

Patients with questions may call (855) 540-4773.

A briefcase containing an unencrypted flash drive was stolen from the vehicle of a University of Miami Miller School of Medicine pathologist on November 24, 2011.  It contained the names, medical record numbers, ages, sexes, diagnosis information, and treatment information of patients who had specimens reviewed by the department of pathology between 2005 and 2011.  

1,018 (No SSNs or financial information reported)

Concerned patients may call 1-877-851-2562 or (859)-258-5888 locally.

A December 7 overnight office burglary resulted in the theft of a laptop with patient data. It contained names, contact information, and diagnoses of patients receiving services within the neurology department.  The locks to the neurology department were changed after the theft was discovered.  

12,456

TryMedia is a division of RealNetwork.  RealNetworks is located in Seattle, Washington. 

Try Media's ActiveStore application was attacked by intruders who were able to intercept and obtain the credit card information of customers.  Credit card numbers, expiration dates, security codes, addresses, email addresses, and passwords to user accounts for transactions that occurred between November 4, 2011 and December 2, 2011 were accessed.  

Unknown

Three students were caught selling quiz answers to students.  It was discovered that they had stolen and copied a master key from the janitor's office.  They then used the copy of the master key to install keylogging hardware onto the computers of four teachers.  The keylogging hardware revealed passwords, which were then used to access the central files of the school network.  It is unclear what types of information the students had access to.  They used their access to electronically change their grades slightly. The master key copy was also used to access 20 paper tests before they were given.  A student who became aware of the black market for quiz materiala reported the students.  

640 (Unknown number of SSNs)

An office burglary on or around January 18 resulted in the theft of two laptops.  The laptops contained the records of about 640 patients and had been used for cardiac tests. Though the laptops contained minimal clinical data, they did contain some Social Security numbers and demographic information.

101 (No SSNs or financial information reported)

The report cards of 101 high school students were accidentally sent to the person listed as their emergency contact.  A vendor made an unauthorized change to the computer program that generates report cards.  If a parent had a high school student attending the district and was listed as an emergency contact for another high school student, then they received two report cards.  Parent names were listed on the report cards of each student, but parents listed as emergency contacts mistakenly received the report cards anyway. No Social Security numbers were exposed.  Student ID numbers, schedules, and grades were exposed.

400 (No SSNs or financial information reported)

An office burglary that occurred on or around January 24 resulted in the loss of a laptop. The laptop held client records.  The company sent a breach notification through Facebook and email.  No financial information was on the laptop, but Preferred Skin Solutions still warned their clients about the risk of identity theft.

391

An employee of Towers Watson posted unspecified personal information of current and former Sequoia Hospital employees online in October of 2007.  Towers Watson is a Sequoia Hospital contractor.  The types of information that were posted were not disclosed, but full names and Social Security numbers were included.  The information remained online until December 2 of 2011.  

650,000 (Unknown number of SSNs)

A security breach caused the personal information of 650,000 President's Challenge participants nationwide to be exposed.  Hackers may have accessed participant names, email addresses, dates of birth, and nutritional data.  People throughout Indiana University were participating in a Health IU fitness inter-campus competition.  No financial information was available to the hacker or hackers.  A small percentage and unknown number of Social Security numbers may have been available through other organizations that participate in President's Challenge programs.  It is unclear how many other organizations were affected by the President's Challenge hack.  

250

More than 250 people in 30 states were victims of scams perpetrated on Craigslist.com by two New York residents.  The women posted phony Craigslist ads for nonexistent jobs and apartments to gather the personal information of victims between February of 2010 and October of 2011.  That information was then used to obtain fraudulent state income tax returns, bank loans, and credit cards.  More than $75,000 was fraudulently obtained.  Early in 2011, workers in the Buffalo office of the state Department of Taxation and Finance discovered that hundreds of state tax refunds were being claimed from only about 10 addresses in the county.  The two women were indicted by a grand jury on grand larceny and scheme to defraud charges.  The women face up to 15 years in prison if convicted.

Unknown

A concerned neighbor noticed that packages were being delivered to an abandoned house. Law enforcement confronted a man who was collecting the packages and found that he had stolen old Windstream customer files and used the information to open fraudulent accounts with online retailers.  The man was an employee of Windstream and had taken paper documents from the mid to late 1990s.  A second vacant home that served as a delivery location was also found.  The former employee was charged with felony identity theft.

Unknown

Bamastuff.com notified its customers that a breach in its database had been discovered.  Customer names, email addresses, billing and shipping addresses, telephone numbers, credit card information, and/or cryptographically scrambled passwords may have been exposed.  Customers who bought items between August 1, 2009 and January 16, 2012 may have been affected. Some customers have already experienced fraudulent charges.

Unknown

A potential security breach to the City of Point Pleasant's computer system was discovered by an outside agency.  Pleasant officials were contacted and an investigation began.  Little is known about the breach, though it is believed to have originated from an outside source.

Unknown

in November of 2009, a customer discovered that spreadsheet with current and former MetLife customer information had been posted online.  MetLife corrected the problem after being notified by the customer and provided two years of credit monitoring and identity theft insurance to customers who had been affected by the breach.  The type of information exposed in the spreadsheet and the length of time it was available online were not revealed.  

Additional negotiations with Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein resulted in an agreement for MetLife to offer additional protection.  MetLife paid an additional $10,000 for a special fund that will reimburse the state of Connecticut's investigative and enforcement costs, or reimburse losses for consumers in the future. Additionally, customers who paid for a security freeze to be lifted or placed will be eligible for reimbursement and Metlife agreed to improve employee personal information protection training policies and procedures.

878,000 NYSEG customers and 367,000 RG&E customers

Affected customers may call 1-877-736-4495. More information can be found on the websites of the companies www.nyseg.com and www.rge.com.

An employee at a software development consulting firm that was contracted by Iberdrola USA, the parent company of both NYSEG and RG&E, allowed the information systems of clients to be accessed by an unauthorized party.  Customer Social Security numbers, birth dates, and in some cases, financial institution account numbers were exposed.  A total of 878,000 NYSEG customers and 367,000 RG&E electricity customers were affected.  An unknown number of additional customers from both companies who signed up for gas services, but not electricity services were also affected.

108 (Unknown number of SSNs)

A nurse was fired after accessing patient medical records without cause.  The unauthorized access exposed patient vital signs, diagnoses, and treatment notes.  Patient Social Security numbers may have also been exposed.  The breach was uncovered in November during an audit.

450 (No SSNs or financial information reported)

Between 400 and 450 medical records were stolen from a chiropractic clinic during a January 2 burglary.  Files for patients with last names ending in DOD through DRI; ending in ELL through GAT; and ending in GIF through HAL and who had been to the clinic since January 1, 2008 were taken.

2,000

Thousands of patient records were found in an unsecured trash can.  They contained names, Social Security numbers, addresses, phone numbers, medical conditions, and treatment information.  The boxes of medical records were traced to Ayuda, whose owner claimed to have been doing little or no business after losing a state contract in September.  The boxes were auctioned off after the owner failed to pay the rental fee on a storage unit. 

7,100 (100 SSNs reported)

Paper files, a laptop, and a flash drive were stolen from an employee's vehicle in Wichita.  A total of 100 seniors who participated in the Senior Care Act program had their Social Security numbers exposed.  An additional 7,000 seniors who participated int he Older American Act program including Meals on Wheels had personal information other than Social Security numbers stolen. This personal information may have included full names, addresses, birth dates, gender, Medicaid identification numbers, case manager name and case manager telephone number.

300,000 (No SSNs or financial information reported)

ASU online system users with questions about logging into their accounts may call (855) 278-5080.

ASU shutdown its online computer system after discovering a breach.  An encrypted file containing user names and passwords was downloaded on Wednesday, January 18 by an unauthorized party.  All online services were suspended until the night of Thursday, January 19.  Students and staff will be required to enter new passwords to access their accounts since there is a chance that some information could have been compromised.  

Unknown

Customers who used debit or credit cards at Ward's Nursery and Garden Center may have had their information taken.  Dozens of people from various banks reported fraudulent activity on their cards and Ward's Nursery and Garden Center appears to be a common link.  Reports of fraudulent activity date back to December and people who visited Ward's Nursery and Garden Center are urged to check their cards for fraud until the cause of the breach is determined.

2,200

VA officials gave veteran Social Security numbers, names, and possibly other information to Ancestry.com in March of 2011 in response to a Freedom of Information Act request from the genealogy site.  The records should have only contained the information of deceased veterans, but instead contained the information of over 2,200 living veterans. The information was then posted in 2011 and taken down in January of 2012.

Unknown

Customers were told to login and change all passwords after unauthorized activity was detected on a database.  There was no evidence initially that customer passwords were taken, but customer passwords were immediately reset after the discovery.

UPDATE (2/07/2012): Hundreds of PHPs (Personal Home Page) have been created in order to redirect users to work-at-home scams. The Russian scam page tricks users into buying a starter kit for a phony internet-based job.  Though Dreamhost took steps to ensure that user web pages could not be stolen by resetting the FTP and shell access passwords of all customers, a number of websites hosted by the company have been hijacked to redirect users to the scam page. An analysis of some of the compromised web pages revealed that the January 20 DreamHost breach may not have been what allowed hackers to access the pages. Hackers had installed backdoor PHP scripts in order to access the pages on December 26.

24 million (No financial information or SSNs reported)

Customers with questions about their Zappos passwords may email passwordchange@zappos.com

Customers were informed that their customer account information on Zappos.com may have been illegally accessed by unauthorized parties.  Customer names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and/or cryptographically scrambled passwords were linked to customer accounts and could have been obtained. The secure database that stores detailed credit card and payment information was not affected by the breach or accessed. Since passwords may have been affected, customers should change their passwords and make sure that their old Zappos.com password is not used for any other sites.

UPDATE (1/21/2012): A resident of Texas is suing Zappos.com and Zappos' parent company Amazon.com on behalf of millions of customers who were affected by the release of personal account information.  The lawsuit is being filed Kentucky.

Unknown

The College's electronic systems have been affected by a series of dangerous viruses since 1999.  The problem was noticed in 2012 when the College's data security monitoring service detected an unusual pattern of computer traffic. Further investigation revealed that servers and desktops had been infected across administrative, instructional, and wireless networks.  Officials believe that it is likely that using a flash drive to transmit information between a campus computer and a personal computer resulted in exposed personal information.  It appears that the viruses searched and transmitted data to sites in Russia, China, and at least eight other countries. Banking information and any other personal information that may have been accessed by visitors, students, staff, and faculty on campus computers between 1999 and January of 2012 could have been exposed.

200

A podiatrist licensed in the state of Maryland operated a podiatry practice called Chesapeake Wound Care Center from his home.  Between April 1, 2002 and October 11, 2004, he submitted 80 fraudulent claims to Medicare for podiatry services that had not been performed at nursing facilities.  The podiatrist signed a Settlement Agreement with the government on October 30, 2007 after being caught, but then fraudulently billed Medicare advantage plans between October 31, 2007 and July 20, 2010.  The podiatrist admitted to submitting false bills for podiatry care by misusing the names and personal information of about 200 nursing home patients. He was subsequently charged with health care fraud and aggravated identity theft. He was sentenced to 54 months in prison, three years of supervised release, and ordered to pay $1,122,992.08  in restitution for the fraudulent billing of Medicare.

2,900 (No SSNs or financial information reported)

The misplacement of paper documents resulted in the exposure of health and/or other personal information.  The breach was discovered on October 7, 2011.

2,000 (No SSNs or financial information reported)

The improper disposal of paper documents resulted in the exposure of health and/or other personal information.  The breach was discovered on September 6, 2011.

1,332

The Vermont Department of Taxes website accidentally displayed the Social Security numbers of 1,332 individuals and the federal ID numbers of 245 businesses for two hours.  The personal data was contained in a weekly group of property transfer tax returns.  The three parties who were able to access the information were identified and contacted.  

7,226

Patients with questions may call the AOMS security-breach hotline at 855-684-6179 to receive additional instructions and information.

Letters dictated by AOMS providers were accidentally uploaded onto a non-secure server in Europe. The information then became publicly searchable via internet.  AOMS learned of the breach on October 12, 2011.  People who were seen at AOMS for injuries and/or work-related examinations from July, 2009 through October 12, 2011 may have been affected by the breach.  No names, contact information, personal information, test results, financial information or Social Security numbers were exposed.

567 (No SSNs or financial information reported)

A portable electronic device was discovered to have been stolen on or around September 8, 2011. The device may have contained health and/or other personal information. 

2,700 (No SSNs or financial information reported)

People with Healthy Indiana Plan, Care Select, or Hoosier Healthwise memberships may have been affected.

An upgrade of MDwise's customer record computer system in February 2011 resulted in the leak of records form several organizations.  Anyone searching by name could have accessed the information online.  Members of Healthy Indiana Plan, Care Select, and Hoosier Healthwise may have had their names, addresses, Medicaid numbers, and doctors' names and addresses exposed online.  Administrators corrected the error as soon as it was detected.  

Unknown

A man noticed dozens of books and documents inside a dumpster near Miller Elementary.  The documents contained personal and financial information related to applications for free and recuded-price meals.  The books were new and federally-funded.  School officials claimed that the documents should have been shredded and recovered the documents and books. The books were donated.

Unknown

Thousands of personal documents were found in a recycling dumpster.  The documents likely contained employment information such as full names, addresses, phone numbers, email addresses, and work histories. They were taken from an office in Alpharetta without the company's knowledge or permission.  A landlord with Temp Real Estate Corporation sent a cleaning crew to clean out the office after incorrectly believing Employ Bridge's lease had expired. 

180

A hacker or hackers outside of the US attempted to gain access to an OSU Internet server. Information on the server included names, medical record numbers, and dianoses of 30 patients who visited the pathology department between the late 1980s and 2004.  A roster of students who had received training at the medical center in 2006 was also on the server.  Officials do not believe that any personal information was taken during the attempt. A total of 30 patients and 150 students were notified.

Unknown

A woman alerted a local news station to a stash of improperly disposed information.  Credit card applications, patient names, addresses, Social Security numbers, and possibly medical records were found sitting next to a dumpster in a parking lot.  The paperwork came from multiple organizations.  Among the organizations were two closed branches of Pure Med Spa and Brite Smile Brite Skin.  

4,289

An employee discovered that it was possible to access current and former employee W-2 forms online via a Google search.  The W-2 form contained employee name, Social Security number, address, earnings, and taxes paid for 2009 and 2010.  The discovery was made on December 23 of 2011. 

Unknown

A janitor who worked at the Ochsner Medical Center in new Orleans and his girlfriend have pleaded guilty to charges related to stealing patient information for personal gain.  The janitor stole printouts containing patient names, Social Security numbers, dates of birth, and other types of personal information.  The stolen information was then used by the janitor's girlfriend to open online accounts under the patients' names. The online accounts were used to make thousands of dollars in fraudulent purchases. The date of the breach is unknown, but the janitor was employed between November of 2008 and June of 2009. Federal prosecutors first brought charges in early December of 2011.  

Unknown

A precinct employee trashed a number of documents after they had been damaged by a flood in the basement of the building.  Dumpster divers found the documents and reported that they were readable.  The documents, which contained at least one domestic violence report, stolen property records, criminal complaints, and mug shots, were then recovered, secured, and presumably shredded.

Unknown

Those with questions may call 1-888-499-FIRE (3473).

The December 29, 2011 theft of a laptop from a parked car in San Francisco resulted in the loss of personal information.  The information was being used in preparation for a merger between SF Fire Credit Union and Pacifica-Coastside Credit Union.  Current and former account holders had their names, Social Security numbers, dates of birth, addresses, and Pacifica-Coastside Credit Union account information.

130

A subpoena by the Department of Social Services revealed the names and Social Security numbers of multiple people.  The subpoena was in response to reports that state employees had engaged in food stamp fraud.  Instead of separate subpoenas for each individual, a sheet with 40 names and a sheet with 90 names were sent.  This allowed state employees who are under investigation to learn that their fellow employees were under investigation, as well as their Social Security numbers.

Unknown

Member email addresses, passwords, and names were exposed by hackers.  The passwords were encrypted, but were posted in their decrypted form.  If anyone used the same password and email combination for CSLEA and other websites, they should immediately change their password for those other websites.  Anonymous/AntiSec/LulzSec posted the information online.

Unknown

Hackers exposed the email addresses, passwords, and names of CSLEA members.  The passwords were encrypted, but were posted in their decrypted form.  If anyone used the same password and email combination for CSLEA and other websites, they should immediately change their password for those other websites.  Anonymous/AntiSec/LulzSec posted the information online.  

UPDATE (1/04/2012): CSLEA became aware of the issue in early November. Old credit card information and corresponding home addresses for orders from the CSLEA online store were also obtained.  Though the ordering process and encryption of credit card information were eventually taken over by Wells Fargo Bank, the card info was inadvertently placed back onto the CSLEA server when the web hosting service restored the site from an earlier version.  It is unclear how old the credit card information was.  CSLEA attempted to prevent hackers from accessing information after the November breach, but Anonymous was able to get past new passwords, obtain information, and release it around December 31.

20 (No SSNs or financial information reported)

A customer checking frequent flyer miles on United Airlines' mobile website was able to view the names, Mileage Plus numbers, future flight itineraries with confirmation codes, and previous trips of other Unite Airlines customers.  The information could have allowed anyone to change another passenger's seating assignment or cancel a flight by using confirmation codes and last names.  

Unknown

On December 27, Care2 discovered that their website had been breached.  Hackers accessed member login information.  Care2 emailed new passwords once members had logged into their accounts.  Members should change the passwords of any accounts that share the password that was previously used on Care2.  Though Care2 has 17,900,617 members, a "limited number" were affected by the breach.

Unknown

On November 12, 2011, an encrypted laptop was stolen from the home of an ADP associate.  The laptop was encrypted and password-protected.  It contained files with the personal information of A.W. Hastings & Co. employees which had been given to ADP for payroll processing.  Names, Social Security numbers, and addresses may have been exposed.

2,184 (No SSNs or financial information reported)

A laptop and external hard drive containing patient information were stolen from a locked vehicle owned by an Aegis employee on November 22, 2011.  The external hard drive contained names and Social Security numbers. It may have also contained driver's license numbers, dates of birth, and phone numbers.  Though Aegis provides lab tests, results and medical records were not exposed.  

11

An unknown number of people were affected by the breach nationwide.  Guide Publishing Group reported that 11 people in the state of New Hampshire were affected.

Hackers inserted code onto the server that hosts GuideYou.com and accessed customer credit card numbers.  The CVC2/CVV2/CID codes, customer names, and addresses associated with the credit card numbers were also accessible through the server.  The breach was discovered on October 28, but the malicious code had been present since November 19, 2010.  

Unknown

Customers who went to Alamo Drafthouse Cinemas may have had their debit and credit card information stolen due to a theft of information from N/L Entertainment.  The Bank of Charles Town is suing N/L Entertainment for failing to prevent the theft, which lead to at least 232 fraudulent purchases made using Bank of Charles Town customer debit cards.  The Bank of Charles Town is seeking $29,919.74 in damages plus an unspecified amount in interest.

The breach was first noticed and reported to the public in September.  Thieves had taken financial information from people who used their debit or credit cards to make transactions between the end of June 2011 to late August of 2011.  

An employee was fired after taking sensitive documents home on or around December 19.  Medical records and other documents with patient dates of birth, addresses, driver's license numbers, medical record numbers, and in some cases, Social Security numbers were removed from the hospital against hospital policy. The records were recovered.

68,063

Anonymous/#AntiSec has claimed responsibility for the hack of a global intelligence company named Stratfor.  Hackers were able to obtain tens of thousands of credit card numbers and other personal information from Stratfor.com.  In addition to credit card numbers with security codes, addresses, and names, the hackers obtained 200GB of emails.  The hackers also claim to have used the credit card information to make over $1 million in donations to charities. Hackers later revealed that the information was even easier to use since it had not been encrypted. Stratfor took the website down within an hour after it was hacked and defaced, but sensitive information had already been leaked.

UPDATE (1/04/2012): A total of 68,063 unique credit card numbers, 859,311 unique email addresses, 860,160 hashed passwords, 50,569 phone numbers and 50,618 U.S. resident addresses were posted.  Of the 68,063 credit card numbers, about 36,000 were not expired.  

UPDATE (2/15/2012): Hackers posing as officials from Stratfor have started emailing infected links to government subscribers whose email addresses were stolen during the breach.

UPDATE (2/27/2012): Wikileaks published more than five million emails that were obtained by hackers during the breach. Some of these emails could contain sensitive information that would unmask sources, reveal security information that the intelligence-gathering company had collected, and reveal information about many Fortune 500 companies that subscribe to Stratfor.

UPDATE (5/03/2012): Four Irish and British men were charged for their involvement with Anonymous's faction Antisec and the Stratfor breach. These men were also charged with involvement in hacks of Fox, Sony Pictures, and the Arizona Department of Public Safety.

Unknown

The group Anonymous claimed responsibility for hacking and publishing a data base. The database consisted of names, addresses, telephone numbers, email addresses, medical conditions, domestic violence and abuse reports, descriptions of financial hardship, complaints about residential issues, and other very personal details of people who submitted this information via the public advocate's website.  The submissions for assistance date from April 2010. 

UPDATE (12/28/2011): The NYC Office of the Public Advocate released a public notice.

639

Social Security numbers, tax identification numbers, and other types of personal information were exposed on the Virginia Department of General Services website since 2001.  The database was not accessible via search engines, but an employee discovered that the information could be found by anyone doing a focused search on the actual website.  The information was removed after the discovery.

3,200 (No SSNs or financial information reported)

The email addresses of around 3,200 parents and students were exposed by a computer security breach.  The parents and students received an official looking email that linked to a survey about satisfaction with the school district.  The survey had not been authorized for release.

Unknown

Fourteen Department of Taxation employees were placed on administrative leave without pay following the discovery of an internal security breach of the department's tax database.  The breach was found during an audit of the department's security systems and internal controls.  The incidents date from 2008 to present.  It is unclear what types of information could have been exposed.

14,000 (Unknown number of SSNs)

A November 25 home burglary resulted in the loss of an encrypted data tape.  The tape was inside a backpack that was stolen from an employee's locked car while it was parked at home.  The data tape had names, addresses, and in some cases Social Security numbers of Good News Garage donors dating back 15 years. 

Unknown

A possible breach in the security systems used for processing credit card transactions is being investigated.  There is no information on the type of breach or how many customers may have been affected.  The cause of the breach is also unknown.

3,000 (No SSNs or financial information reported)

People who were fingerprinted at The Willamette Street office in Eugene between August 2008 and 2010 may have also been affected.

Those with questions may call 1-855-360-4554, extension 0.

The theft of a computer resulted in the exposure of sensitive information from DHS staff, volunteers, adoptive placements, respite providers, in-home care providers, and foster parents.  People who were fingerprinted at The Gateway Center in Springfield, Oregon between August 2010 and December 8, 2011 may have been affected.  People fingerprinted at The Willamette Street office in Eugene, Oregon between August 2008 and August 2010 may have also been affected.

Unknown

Someone was able to enter a Ridgewood school building through a compromised computer password.  The breach was discovered during the week of December 14. It is unclear if a data breach occurred during the incident.  Six students have been identified as possible participants in the breach. 

140 (No SSNs or financial information reported)

The breach occurred in the city of Bend or Redmond Oregon.

A laptop was stolen from a St. Charles employee's car in late October.  It contained the personal information of 140 patients who were seen in the St. Charles Bend or St. Charles Redmond emergency room.  The laptop was discovered in brush by an elementary school student in late November.  After the laptop was returned on December 16, it was discovered that attempts to gain unauthorized access to its contents had failed.

Unknown

A breach of Butler Schein Animal Health's (BSAH) systems (MyVetDirect.com) may have affected clients whose veterinarian's websites were hosted by MyVetDirect.com.  People who placed orders on veterinarian websites that were hosted by MyVetDirect.com may have had their names, credit card information and numbers, addresses, telephone numbers, email addresses, billing and delivery information, and other purchase information obtained.

1475 (No SSNs or financial information reported)

Patients may call 1-855-241-2575 or email hipaaprivacy@umc.edu.

Research study participants may have had their personal information exposed by the theft of a laptop.  The laptop was stolen when UMMC employees left the laptop unsecured for a short period of time against departmental guidelines.  It was reported stolen on October 31, and the employees who left it unsecured were disciplined.  Two databases with research related health information were on the laptop.  One had the age, sex, race, medical record number, zip code, and lab results of 1,400 patients.  The other database contained unspecified protected health information from 75 patients.

Unknown

An October 14, 2011 office burglary resulted in the exposure of patient information dating from 1993 to 2004.  Office equipment and CDs with patient information were discovered missing on October 17.  Affected patients were mailed notification letters on December 13, 2011 and informed that their names, Social Security numbers, dates of birth, addresses, diagnoses, medical conditions, lab results, medications, surgery records, radiological tests, and other clinical treatment information could have been on the stolen CDs.  The office now plans to install encryption technology and update physical security systems in order to protect patient data from more breaches.

300,000

The location listed is that of Restaurant Depot's corporate location.

People who shopped at Jetro or Restaurant Depot between September 21 and November 18 may have had their credit or debit card information taken by a hacker.  Customer names, card numbers, expiration dates, and verification codes were exposed.  The breach investigation began on November 9 when the parent company became aware of customers experiencing card fraud.

100

A contract worker or employee of a contractor may have stolen and misused the personal information of an undisclosed number of customers.  The natural gas utilities serve nearly one million customers in the Chicago area, but state law bars the utilities from disclosing the number of customers affected. However, a November news report revealed that the theft of information had occurred in October and over 100 people were affected.  An employee working in iQor's human resources department was linked to the incident. The employee was fired and faces criminal investigation and prosecution.

Unknown

A student is being investigated by the North Penn School District (NPSD) and Towamencin Township Police Department for hacking into the NPSD computer network.  Computer devices are being analyzed to determine what types of information may have been accessed.  No further information is available due to the ongoing investigation.

Unknown

People who donated to UJA-Federation may have had their bank account information taken by a dishonest worker.  A worker who led a $2million identity theft ring surreptitiously took pictures of checks given to UJA-Federation during her two years of employment.  The dishonest worker also collected donor names, addresses, and account numbers. The information was then sold to other members of the identity theft ring and used to create fraudulent checks and open credit cards.  The dishonest worker was fired when the crimes were discovered.

6,500 (No SSNs or financial information exposed)

Around 6,500 ACT Explore test results for 8th graders were mailed to incorrect addresses.  The breach was discovered when parents began calling the district.  Parents were asked to shred the tests.  The exact cause of the mailing error is unknown.

Unknown

A call center employee who worked for a Trilegiant vendor used his phone to take pictures of customer names and credit or debit card numbers.  The dishonest employee was seen doing this at least once, but no misuse of customer information had been reported as of December 14, 2011.

Unknown

The owner of a cleaning company called "Mr. Janitor" was arrested for stealing personal information from Eagle Harbor Country Club members.  An unknown number of members had their information stolen and used to open fraudulent credit cards and bank accounts in their names.  The owner of the cleaning company was charged with identity theft of more than $50,000 and/or affecting more than twenty persons.

Unknown

A physician pleaded guilty to unlawfully obtaining the private medical information of another person.  The former employee accessed the records of several women who were not his patients.  In one case, he was in a sexual relationship with a woman and accessed her information to check if she carried sexually transmitted diseases.  The crime occurred in 2008.  The physician is scheduled to be sentenced on March 26, 2012 and faces a maximum sentence of one year in prison and a $50,000 fine. 

90

A temporary employee of Metabasis Therapeutics was assigned to computer help-desk support in 2008.  The dishonest employee somehow obtained unauthorized access to the names and personal-identification information of Metabasis Therapeutics employees and their relatives.  The information was used to open credit cards; the credit cards were used to purchase travel packages, which were then resold. A total of $250,000 worth of Las Vegas air, hotel, and show-ticket packages were purchased on Travelocity.com. The former temporary employee was given a four year sentence in federal prison after being convicted for credit card fraud and aggravated identity theft.

22 (No SSNs or financial information revealed)

Anonymous and AntiSec released FFA information which included 22 email addresses linked to IP addresses of newsletter subscribers, 13 email addresses linked to type of credit card and security code number, and administrator login information which included encrypted passwords.  The attack was in response to FFA's successful efforts to pressure Home Depot and Lowe's into removing advertisement on a TLC show called "All-American Muslim."  The FFA strongly opposed the idea of having a Muslim family featured in a positive way on TV.

Anonymous also hinted at an attack on Lowe's for caving into the FFA's demands.

2,400 (No SSNs or financial information reported)

A hacker released member information that had been stored on the CLEAR website. Member phone numbers, residential and email addresses, and place of employment were exposed. Administrator passwords that had easily been decrypted were also released. One person claimed to have used the information to access the email of a police department. The hacker claimed that the attack was a response to the mistreatment of Occupy protesters. 

1,105

An unencrypted USB drive was determined to be missing on April 4, 2011. It contained patient names, Social Security number, addresses, phone numbers, dates of birth, diagnosis codes, and insurance information. 

884 (No SSNs or financial information reported)

A burglary that occurred on or around April 15, 2011 resulted in the theft of laptop with patient information.

501 (No SSNs or financial information reported)

The theft of paper records on or around June 28, 2011 resulted in the exposure of patient information.

815 (No SSNs or financial information reported)

Unauthorized access or disclosure of patient information resulted after a breach involving a laptop.  The breach was discovered on or around February 5, 2011.

2,334 (No SSNs or financial information reported)

The exact location of this breach was not listed.  It occurred somewhere in Texas.

On or around June 25, 2011, a breach involving a laptop, a computer, and a network server was discovered.  Patient information was exposed as a result of the breach.

2,600 (No SSNs or financial information reported)

Electronic medical records may have been exposed as a result of the theft of a laptop on or around August 28, 2011. 

2,000 (No SSNs or financial information reported)

Paper records were found to have been exposed to unauthorized parties on or around May 6, 2010.

500 (No SSNs or financial information reported)

X-ray records were discovered to have been improperly disposed of on or around October 1, 2011. Patient information may have been exposed.

2,900 (No SSNs or financial information reported)

A network server was discovered to have been stolen on or around September 30, 2011. It may have contained patient information.

12,563

Affected patients may call (304) 792-0191 (ext. 201) or email psheppard@leasa.org for more information.

A laptop was discovered missing on October 1, 2011.  It was either lost or stolen.  It contained names, Social Security numbers, addresses, and health information from patients. The laptop appears to have not been used to connect to the internet since October 1 and LEAS is attempting to block potential use of the device.

1,472 (No SSNs or financial information reported)

CDs with personal information were discovered lost on or around August 24, 2011.  Other items with personal information may have been lost as well.

3,079

A computer or laptop was discovered to have been lost or stolen on or around October 23, 2011. 

UPDATE (12/28/2011): A total of five computers containing medical and personal information were stolen from a physician's office during the breach.  A thief had pried open an office door during the weekend of October 22-23.  Patients were informed on December 5 that their names, Social Security numbers, dates of birth, account numbers, disability codes, and diagnoses were stored on the computers.

1,537 (No SSNs or financial information reported)

Papers were discovered stolen on or around July 15, 2011.

80,000

Over 150 Subway franchises and at least 50 other small retailers had customer data hacked from their point-of-sale (POS) systems.  Four Romanian hackers were indicted for hacking and misusing the credit card information between 2008 and May of 2011.  Over $3 million in fraudulent charges on customer cards was obtained by scanning the internet for vulnerable POS systems and then easily breaking the passwords to these systems. Keyloggers and a backdoor were also installed to allow further access to the system.  Retailers who were hit had used a certain type or types of basic POS software and many had failed to change the default password for the software.

24 (No SSNs or financial information reported)

The personal information of over 24 members of the LAPD's command staff was posted on a website.  Officers had their property records, campaign contributions, biographical information and, in a few cases, the names of their family members posted.  This breach appears to be different from the one that affected members of Coalition of Law Enforcement and Retail (CLEAR) on or around December 11.

22

An employee was charged with selling the personal identities of disabled hospital patients.  At least 22 military veterans who received services at the VA in Miami had their information sold.  The employee was worked at the VA Travel Benefits Sections and had access to the names, Social Security numbers, addresses, and dates of birth of disabled veterans who had been reimbursed for travel expenses related to their medical treatment.  The employee was caught late in 2010 after several veterans complained about unauthorized credit card accounts opened in their names.

327

A total of 327 New Hampshire residents were affected. The total number of people affected nationwide was not revealed.

An employee took a flash drive with customer information on December 27, 2010.  Someone at the former employee's new company noticed that files from Jeanne D'Arc were installed on a computer at the new company.  Copies of the files were sent back to Jeanne D'Arc.  Jeanne customer names, Social Security numbers, and loan account numbers were exposed.

14,475 (222 Social Security numbers)

A briefcase was stolen from an employee's car during lunch sometime during the spring of 2011.  The briefcase contained a company laptop that had not yet been encrypted and paper copies of appointment schedules. The laptop contained the information of patients and providers from 18 practices. A recent backup of the laptop files revealed that 5,338 subscriber numbers, 2,777 names with no other information, and 222 names with associated Social Security numbers, dates of birth, subscriber numbers, and phone numbers had been on the laptop. Seventy of the 222 who had their names, Social Security numbers, dates of birth, subscriber numbers, and phone numbers exposed also had their addresses exposed.

1,770

State employees who canceled their health or dental insurance had their information mailed to the wrong address in October.  Each mailing included a certificate containing the information of the recipient and three other letters aimed at other members of the plan.  Names, Social Security numbers, addresses, employee ID numbers, and healthcare insurance coverage dates were exposed. The error was discovered on October 6, 2011.

1,100

A former employee's laptop was stolen during a home burglary sometime in mid November.  On November 30, the District learned that the former employee's laptop contained confidential records.  Current and former District employees had their names, Social Security numbers and other confidential information exposed. 

UPDATE (12/22/2011): It was revealed that a finance director loaded private information onto a personal laptop and took it home to finish work.  Though the finance director's last day with the School District was September 2, 2011, the laptop still contained sensitive data when it was stolen on November 11.

Unknown

Patients with questions may call (925)-957-7400.

Residents who owed money to the county health department had their names inadvertently published in a public document.  The names were published in a report to the Board of Supervisors dated July 27, 2010.  The error was discovered at the end of November, 2011.  No patient information was exposed, but the publication of the names in the report constitutes a breach of patient confidentiality laws.  The information was removed from the online report.

Unknown

A laptop was stolen from an employee's office after a brief absence during working hours at a Dallas branch. The theft occurred on October 31 and those who were affected were notified on November 11. Some affected clients may have had their Social Security numbers exposed, but most could have had their names and account numbers exposed.  Transcend Capital informed clients that their account numbers would be changed in response to the incident and that their accounts would be monitored for suspicious activity.  Transcend Capital also implemented a policy of securing laptops to desks as a result of the breach.

Unknown

Documents containing the personal information of current and former student housing residents was stolen during a burglary at the Department of Student Housing office on November 30.  Names, dates of birth, apartment numbers, email addresses, KU ID numbers, and other information, some of it related to student dependents, were on the documents.  The number of affected students was not revealed, but those who were affected were told to be cautious of identity theft.

Unknown

Someone hacked into the Extreme Pizza computer system and took information from cards that had been swiped by Extreme Pizza. The thefts date back to September of 2011.  Credit card transactions were moved to a different type of card reader in response to the breach. 

12,815 (No SSNs or financial information reported)

The College's On-Campus Student Employment System had a vulnerability that allowed student applicants to see the personal information of other students.  A student applicant notified the College of the problem on November 2 after seeing the information of 12 other students.  The system flaw was fixed within hours, but no duration was given for the breach.

5,000

Those with questions may call 1-855-827-2277.

Several customers of the UCR Dining Services location reported fraudulent credit and debit card activity to UCR.  On or around November 16, it became clear that registers at UCR food services locations were compromised by a cyber hacker.  Anyone who used a card, including visitors, between the summer of 2011 and November 16, 2011 may have had their financial information obtained. The information includes cardholder names, numbers, expiration dates, and an encrypted version of debit PINs.

30

A coordinator at the Jewish Community Services office was arrested on charges of selling Holocaust survivor identity information.  The dishonest employee misused access privileges to collect client names, addresses, Social Security numbers, and dates of birth of clients who regularly seek help from the Holocaust Survivors Assistance program.  A police informant was offered the information of five clients after contacting the dishonest employee.  The informant told the employee that he wanted the information for tax fraud purposes and was able to obtain 30 identifications for $1,000.  The dishonest employee was captured after handing over 32 sheets of identity information.

10,000

A phishing attack exposed the personal information of users with domain names.  The unauthorized access was discovered by 101domain.com when a vendor contacted them to inform them of a breach that affected multiple vendors, including 101Domain.com. 

UPDATE (12/20/2011): The websites 101domain.com, bluesit.com, free-domain.com, rerundomains.com, RWGUSA.com, and RWGUSA.net could have all been affected by a server breach at one of 101Domain, Inc.'s vendors.  Encrypted customer names, addresses, email addresses, and in some cases, credit card or PayPal account information could have been compromised. 

625 (No SSNs or financial information reported)

A hacker named Kahuna posted three data dumps from the realty company.  The names, email addresses, rental addresses, and payment information for approximately 625 renters were revealed.

Unknown

A student ran a Google search on her own name in mid-September and discovered some of her private information online.  Skagit County Health Department was notified.  People who used services at other county departments also had information exposed.  The types of information did not include credit card numbers, Social Security numbers, dates of birth, or addresses, but did include information from receipts for department services.

Unknown

A glitch allowed nearly 400 workers from 2002 to 2011 to view the personal information of any employees in MassBay's worker database system.  The information included Social security numbers, home addresses, and other personnel information. 

878 (No SSNs or financial information reported)

Those with questions may call 1-877-528-3970 or email privacy@uky.edu.

An employee's phone was lost or stolen on September 25, 2011.  Patient health conditions, medical record numbers, and possibly even names could be accessed from the phone. 

566

Concerned patients may call (907) 747-2726.

A patient discovered their own personal information and that of 565 others online.  Patient names, Social Security numbers, addresses, and dates of birth were exposed.  A chiropractor from the Sitka Wellness Center claims that an electornic medical record software vendor known as EMR4Doctors.com stored the patient information for 9 months in 2008.  The company stopped doing business in 2009.  The information was removed from the Internet.

Unknown

A software testing vendor was robbed of several computers on November 9.  One of the computers contained personal information of YMCA members active in 2008.  Addresses, phone numbers, email addresses, dates of birth, bank account numbers, and credit card numbers were exposed. 

Unknown

Customers who used credit cards to sign up for WineLibrary.com may have had their financial information compromised.  Wine Library began investigating the possibility of a breach in October when they received initial customer complaints.  All credit card data was removed from the site on November 11th after an increase in customer complaints.  The hacking incident(s) was traced back to China.

Unknown

The October 14 car theft of an employee's laptop resulted in exposed physician and patient information.  Though the laptop had a self-encrypting drive, it was not functioning properly.  Patient and physician names, addresses, Social Security numbers, and bank account numbers or credit card numbers were exposed.  Some patients also had unspecified medical information exposed as well. 

Unknown

Some of AT&T's customers experienced coordinated hacking attacks. The hackers were trying to gain customer account information and appear to have used "auto script" technology to determine if AT&T telephone numbers were linked to online AT&T accounts.  Fewer than 1% of customers were affected.  No accounts were successfully breached.

Unknown

A state government watchdog revealed that confidential personal information was located in an outdoor trash bin.  The documents contained documents related to a job agency for Ohioans with disabilities.  The extent of the breach and the cause of the breach are being investigated.

Unknown

Two students managed to obtain the login credentials for Blairsville High's online security system by repeatedly guessing.  Their attempts began in May and were only discovered during the fall term when one of the students revealed his teacher's Social Security number in class.  Teacher addresses, Social Security numbers, and salaries were exposed.

927 (No SSNs or financial information reported)

A laptop was stolen from the area of MS 399/MS 459.  It contained student information from the 2009-2010 school year such as names, dates of birth, genders, heights, weights, body mass indexes, ethnicity, asthma diagnoses, and influenza vaccination information.

Unknown

Contractors responsible for cleaning out the medical office after a storm improperly disposed of a computer that contained sensitive patient information.  Lebanon Internal Medicine Associates left no specific instructions for the removal of the damaged computer.  Patient information dating between November 1999 and August 25, 2011 was exposed and included full names, Social Security numbers, dates of birth, home addresses, account numbers, diagnoses, laboratory test results, and medical insurance information. It is believed that the information was inaccessible due to security measures within the server and flood damage.

16

An employee was arrested for using a skimming device to collect customer credit card information.  At least 16 people were affected, but more are expected to come forward.  The dishonest employee was underage at the time of the crimes and was held on suspicion of identity theft and forgery.  Customers who used cards at the McDonald's drive through between October 10 and November 9 of 2011 may have been affected.  Investigators became aware of the breach when members of the Washington State Employees Credit Union began filing claims for fraudulent use of their credit cards.

Unknown

A restaurant manager was found to have sold the identities of U.S. citizens to illegal aliens employed at multiple McDonald's restaurants.  The employee was sentenced in U.S. District Court to 32 months in federal prison for her role in the identity theft scheme.  Fourteen arrests were made and five suspects face federal identity theft charges.  The rest were charged with immigration violations.  It is unclear how many people were involved in the identity theft scheme. Other Mcdonald's managers also stole and sold the identities of U.S. citizens.

40

Members of Honolulu's APEC Host Committee may have had their personal information exposed after requesting security clearances to meet with President Barack Obama.  Someone gained unauthorized access to eight East-West Center computers beginning on October 25 by using "unusually sophisticated methods." Committee member names, Social Security numbers, and dates of birth could have been acquired. 

Unknown

Between 2009 and July 2011, the owner of Community Tax used confidential information to file false tax returns through Community Tax.  Nearly 1,400 tax returns were linked to the owner over those two years.  On August 31, 2011, the owner was indicted on 32 counts. She faces between two and 27 years in prison, along with three or less years of supervised release, mandatory restitution, and up to $750,000 in fines or twice the cost of her crimes.

The dishonest owner illegally obtained names, Social Security numbers, and dates of birth, then used the information to file tax returns.  The refunds from the tax returns went to her bank accounts and debit cards.  She also used online filing websites to file false tax returns.  The scheme was uncovered when a criminal complaint was filed.

50

Morton's is located in Stamford, Connecticut.  The Bicycle Club is located in Englewood Cliffs,New Jersey.

An identity theft ring that targeted wealthy customers of steakhouses was uncovered.  At least 28 current and former waiters and associates were arrested.  Waiters used credit card skimmers to steal the credit card information of customers who paid with American Express Black cards and other high-limit credit cards.  The crimes occurred between April 2010 and November 2011.  At least 50 victims have been identified.

1,311 (232 SSNs included)

Thousands of patient records were stolen by a former employee.  Names, ages, genders, Medicare coverage information, phone numbers, and dates of birth were exposed.  The employee did not steal the records for ID theft purposes, but rather for their usefulness in contacting potential clients.  The unnamed former employee owns a home health care agency. 

Unknown

  Detailed medical information was discovered on the back of a drawing from a student of Hale Elementary.  An attorney from Sawicki and Phelps donated the firm's old paper to her child's school. A local news team contacted the school after discovering the incident and additional pieces of paper were collected and stored in a secure location.  The number of people affected was not revealed.

650 (No SSNs or financial information reported)

On the weekend of October 21, 2011, a Medcenter One laptop computer and a bag containing 11 internal paper forms for processing patient charges were stolen from an employee's car along with valuable personal items.  The forms contained patient name, date of birth, address, phone number, insurance company and policy number, Medicare number, and patient hearing diagnoses. The stolen laptop contained the names and dates of birth for 650 hearing aid patients from 2003 up to the time of the theft. 

4.2 million (No SSNs or financial information involved)

Patients with questions may call (855) 770-0003 and enter a digital reference code: 7637111511.

A company-issued password-protected unencrypted desktop computer was stolen from SMF's administrative offices during the weekend of October 15, 2011.  Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed.  The information dated from 1995 to January of 2011.  An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations in addition the the previously listed information exposed.  This information dated from January 2005 to January 2011.  Patients will receive notification letters no later than December 5.

UPDATE (11/23/2011): Two lawsuits have been filed against Sutter Health.  One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data and then did not notify the millions of patients whose data went missing within the time required by state law.  The suit seeks $1,000 for each member of the class and attorneys' fees. 

100

A supervisor noticed a drive-thru cashier using a skimming device.  The dishonest employee admitted to stealing the information from more than 100 customer cards, and stealing between 15 and 20 accounts during each drive-thru shift.  Another person provided the skimming device and paid the employee $15 per credit account.

36,000

A mailing error led to the Social Security numbers of over 36,000 people to be visible from the outside of envelopes mailed in October.  Those who were enrolled in the Illinois Treasurer's Office Bright Directions college savings program were affected.

Unknown

An employee was caught with a skimming device after hotel guests complained about fraudulent charges on their credit and debit cards.  The employee managed to get the information after cleaning the rooms of hotel guests. Hotel security was able to determine which employee had taken the credit card information by checking key card information for room activity.  A hidden camera in a mock room showed that the employee was checking the personal belongings of guests and using the skimmer on any cards that were found.

2,000

About 2,000 pension fund members had their information placed online when an employee accidentally posted an unencrypted file on a public website.  At least one person saw the information.  The date of this error was not reported.  Member names and Social Security numbers were exposed. 

Unknown

The theft of a laptop resulted in the exposure of customer names, Valley Credit Union account numbers, Social Security numbers, and addresses. The laptop was stolen outside of the office sometime before November 4.  No information was given about the number of customers who were affected or who the laptop was stolen from.

Unknown

Several former employees were found to have accessed patient information without authorization and taken the data to a competitor.  Patient names, Social Security numbers, addresses, dates of birth, lab tests, and lab results were exposed.  In January of 2010, BHL filed a lawsuit against Health Diagnostic Laboratory, Inc., and two former employees for trade secret violations and breach of contract. 

200

A man was arrested for his role in the unauthorized collection and use of credit card numbers from over 200 Columbia County residents.  Investigators began searching for a common link between the affected residents in August.  Results of the investigation lead them to overseas activity in Russia and video surveillance from Wal-mart security. 

60 (No SSNs or financial information reported)

The academic records database of Santa Clara University was hacked in order to change the grades of over 60 current and former undergraduate students.  The breach was discovered when a former student pointed out that her current transcript showed a grade better than the one on a transcript that had previously been printed. Tens of thousands of student records dating back more than a decade were examined.  The "sophisticated" hacking incident or incidents had altered student transcripts from all three of the University's schools and changed some grades for courses taken as far back as 2006.  The incident or incidents is believed to have occurred between June 2010 and July 2011.  Some students received subtle upgrades and others had their grades changed from F's to A's.

Unknown

Affected employees may call (965) 548-8061.

Brownsville ISD discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website.  Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website. 

50,000 (No SSNs or financial information reported)

Hackers posted data from providencenightlife.net users onto Pastebin.  The data included usernames, clear-text passwords, and email addresses.  

5,400 (No full credit card numbers or SSNs revealed)

A customer logged onto her USPS online store account and was able to see the name, address, and the final four digits of another customer's credit card number.  The customer alerted the USPS customer service, but was told that the error had already been noted. On October 28, USPS became aware that a coding issue during an update had resulted in an error that exposed credit card information.  Customers were notified of the problem on November 8.  The error was subsequently fixed.

19,276 (No SSNs or financial information reported)

Those with questions may email infosecurity@utpa.edu.

On September 1, 2011, a spreadsheet containing information on 19,276 students was accidentally made accessible from the internet due to a administrative error.  The spreadsheet contained the names, addresses, phone numbers, email addresses, majors, class or classes, levels, colleges, student ID numbers, and GPAs of students enrolled as of September 1 of 2011.  The problem was corrected on November 2 soon after it was discovered. The spreadsheet had been accessed 15 times by unknown parties between September 1 and November 2.  

176,567

Those with questions may call (855) 886-2931 or email responseteam@vcu.edu.

Hackers were able to access a Virginia Commonwealth University (VCU) computer server.  It contained files with the personal information of current and former VCU and VCU Health System faculty, staff, students and affiliates.  Suspicious files were discovered on the server on October 24.  It was taken offline and subsequent investigation revealed that two unauthorized accounts had been created on a second server.  While the first server did not contain personal data, the second server did and had been compromised through the first server.  Data included either a name or eID, Social Security number, and in some cases, date of birth, contact information, and various programmatic or departmental information.  

2,400

The information of 2,400 students in grades four through ten was accidentally posted online.  A parent discovered the breach after searching their child's name.  The student's FCAT scores and Social Security number appeared on a public site.  The cause of the unintended disclosure was not reported.

Unknown

The November 6 defacement of Steam forums led to an investigation that revealed hackers had accessed a Steam database with sensitive user information. The database contained user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information.  Users were prompted to change their Steam forum passwords and encouraged to change their Steam account passwords.  Anyone using their Steam forum password for other websites should change their password since hackers could have obtained email address and password combinations. Steam is the Valve Corporation's social-distribution network.

30 (No SSNs or financial information reported)

A janitor sold patient records to gang members.  The janitor was able to use a master key to access boxes of sensitive information that were due to be shredded.  Some of the locks to the restricted boxes were also broken.  The scheme went on for up to eight months and investigators were able to seize nearly 30 patient records.

200 (No SSNs or financial information reported)

A man who purchased a used computer hard drive discovered that it had detailed clinical assessments for patients referred to Behavioral Health Services of Pickens County and a monthly monitoring list of patient referrals from the Pickens County Department of Social Services.  Information about patient drug and emotional problems and pending litigations was on the hard drive.

444

A number of identity thefts were linked to Habitat for Humanity of Delaware County ReStore.  An investigation revealed that hackers had accessed the store's computer system and took customer names and credit card numbers.  Detectives believe there are other sources of identity theft that have yet to be identified. The date of the access was not reported, but as many as 444 customers could have had their information taken.

7,019

On July 6, 2011, four tape cartridges with sensitive information were shipped in a container from VOI.  The container was placed into a cardboard shipping box and shipped.  ValueOptions Inc. (VOI) was informed that the package had not arrive as of August 1. An outside agency investigated the loss of the packages until September 22.  Notification that the tapes had been lost was sent on November 4.  The tapes contained names, addresses, phone numbers, dates of birth, Social Security numbers, and plan subscriber ID numbers. VOI processes the benefits information for National elevator Industry's Health Benefit Plan, as well as other organizations.  A total of 350 New Hampshire residents were affected by the breach and 6,669 New York residents were affected as well.  The total number of people affected from different organizations and across the United States was not reported.

100

An employee of IQCR wrote down names, Social Security numbers, and dates of birth from records. The records came from a gas company in Chicago and were processed by IQCR.  That information was then used to apply for credit cards.  This occurred in October of 2011.  The dishonest employee and her partner were caught after people alerted authorities about being declined for credit cards they had not requested.  Authorities discovered that the fraudulent credit requests all came from the same computer IP address and went to the same residential address. The couple face 10 years in prison per-identity stolen.  Over 100 people were affected by the breach.

98

A dishonest employee swiped customer credit cards after initial transactions, then processed a second transaction for cash back and pocketed the amount of the second fraudulent transaction from the cash register.  A store manager noticed the employee stealing money and reported her. A customer complaint about an unauthorized transaction then revealed the extent of the breach.  The fraudulent transaction complains date from May 25 to June 10. Store records reveal that $6,197 was stolen in this way.