Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

Breach Total
931,529,111 RECORDS BREACHED
(Please see explanation about this total.)
from 4,467 DATA BREACHES made public since 2005


Date Made Public    Name    Entity    Type
November 15, 2013 Superior HealthPlan, Inc.
Austin, Texas
MED DISC

6,284 (No Social Security numbers or financial information reported)

New Health and Human Services Commission ID numbers were sent on Superior ID cards to CHIP members on October 4.  It was discovered that a computer error caused some Superior CHIP ID cards to be sent to incorrect addresses. Names, CHIP ID numbers, and doctors' names and phone numbers were exposed.  All members who were affected were notified.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 15, 2013 Group Health Cooperative
Seattle, Washington
NGO DISC

1,015 (No Social Security numbers or financial information reported)

Group Health member identification numbers and chronic conditions were accidentally printed on the outside of letters that were mailed on September 16.  The issue was discovered on September 23.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 15, 2013 Rose Medical Center
Denver, Colorado
MED PHYS

606 (No Social Security numbers or financial information exposed)

Patient records were improperly disposed of sometime between June 28 of 2013 and July 16 of 2013.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 15, 2013 Lincoln Credit Center, National Debt Defense, SmartPath
San Diego, California
BSF UNKN

Unknown

Personal information related to client accounts may have been compromised at a physical location.  The breach occurred sometime between October 20 and November 15. Lincoln Credit Center is monitoring client accounts for suspicious activity.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

November 14, 2013 Alta Bates Summit Medical Center, AverMedia Technologies
Berkeley, California
MED INSD

115

Two women are accused of misusing the information of over 115 people in the Bay Area for identity theft purposes.  At least 15 Alta Bates Summit Medical Center patients had their information misused and at least 35 had their information collected.  The two women were arrested on November 5 and also had a payroll sheet from AverMedia Technologies in their possession.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 115

November 13, 2013 USI Insurance Services LLC
Columbus, Ohio
BSF HACK

Unknown

Malicious software was installed on the USI website on or around October 2, 2013.  A hacker may have been able to view information stored in the USI system.  Client names, usernames, passwords, and mailing addresses were exposed.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

November 12, 2013 Rotech Healthcare
Orlando, Florida
MED PORT

10,680

On August 30, 2013 Rotech discovered that a former employee had taken employee files when her employment ended on November 26 of 2010.  Rotech employees and their dependents may have had their names, Social Security numbers, addresses, and certain medical insurance information exposed.  This medical information may have included the carrier that administered health care coverage, pharmacy services received, and other medical services received.  The information was not removed with malicious intent and there has been no evidence of misuse.

UPDATE (12/16/2013): A total of 10,680 employees and their dependents were affected.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 10,680

November 11, 2013 City Jeffersonville
Jeffersonville, Indiana
GOV DISC

311

City vendors and other businesses were alerted to a breach of information that dates back to 2001.  Names, addresses, and in some cases Social Security numbers, were sent to city employees in a monthly email about vendor payments.  The issue was noticed when a recent software change made the information easier to spot.  Jeffersonville's information technology staff deleted the emails from city employee inboxes.

 
Information Source:
Media
records from this breach used in our total: 311

November 11, 2013 North Country Hospital and Health Center
Newport, Vermont
MED INSD

550 (No Social Security numbers or financial information reported)

Patients with questions may call (802) 334-3253.

A former employee refused to return a laptop that contained unspecified patient health information.  North Country Hospital first learned of the issue on September 18.  The Newport Police Department was contacted and all administrator-level computer system user codes and passwords that the employee had access to were changed.  The laptop was also password-protected and will be remotely locked out if someone attempts to use it to access the Hospital systems.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 11, 2013 New York City Police Department
New York, New York
GOV INSD

30 (No Social Security numbers or financial information reported)

A former police detective pleaded guilty to paying hackers to steal passwords associated with the email accounts of other officers.  The dishonest detective also misused the National Crime Information Center database to search for the information of at least two other NYPD officers.  The breaches occurred between April of 2010 and October of 2012. The dishonest detective was charged with one count of conspiracy to commit hacking and one count of unauthorized access.  The 30 or more people who were affected included 20 current and former NYPD officers.  At least 43 email accounts and one cellular phone account were hacked.

 
Information Source:
Media
records from this breach used in our total: 30

November 11, 2013 St. Mary's Janesville Hospital, SSM Health Care
Janesville, Wisconsin
MED PORT

629 (No Social Security numbers or financial information exposed)

The August 27 car theft of an SSM Health Care employee's unencrypted laptop resulted in the exposure of patient information.  Patients who were treated in St. Mary's Janesville Hospital's emergency room between January 1 and August 26 of 2013 were affected.  Names, dates of birth, medical record numbers, account numbers, providers, departments of service, bed numbers, room numbers, dates and times of service, history of visits, complaints, diagnoses, procedures, test results, vaccines, and medications were exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

November 11, 2013 Discover Financial Services
Riverwoods, Illinois
BSF UNKN

Unknown

An unspecified number of Discover customers had their account numbers changed and were issued a new card.  It is unclear what type of security breach prompted the notification and when it may have occurred. Several customers in California received the notification letter; residents of other states may have been notified as well.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

November 8, 2013 Standard Insurance Company
Portland, Oregon
BSF DISC

Unknown

One of Standard Insurance Company's vendors accessed a file that was inadvertently disclosed on the vendor's system.  Names, Social Security numbers, addresses, and dates of birth could have been accessed between October 7 and October 18.  The issue was discovered when an insurance policyholder noticed they had access to the information and contacted Standard Insurance Company.

 
Information Source:
Media
records from this breach used in our total: 0

November 8, 2013 Baltimore County
Baltimore, Maryland
GOV INSD

12,000

A contractor who worked for Baltimore County between December of 2011 and July of 2012 was found to have saved the personal information of 12,000 county employees to computers for reasons unrelated to work.  The information was discovered during an investigation in Florida and came from payroll files dated between January and March of 2007.  Employees who had their paychecks direct deposited were affected and the bank account information of 6,633 employees was exposed.  Baltimore County employees are no longer allowed to download personal information to county computers and more than 5,000 county hard drives will be cleared of related data.

 
Information Source:
Media
records from this breach used in our total: 12,000

November 8, 2013 North Carolina Department of Health and Human Services
Raleigh, North Carolina
GOV DISC

1,300 (No Social Security numbers or financial information was involved)

Over 1,300 people who received payment from state hospitals had their information exposed online.  Names, addresses, payment dates, names of facilities that made the payments, and dollar amounts paid were posted on North Carolina Department of Health and Human Services' transparency website "NC OpenBook."  The error was discovered when an individual complained.  The information had been available for years.

 
Information Source:
Media
records from this breach used in our total: 0

November 8, 2013 ICS Collection Services, Inc, University of Chicago Physicians Group
Tinley Park, Illinois
MED DISC

1,344 (Unknown number of Social Security numbers)

University of Chicago Physicians Group's former contractor ICS Collection Services discovered that website users were able to view sensitive information of other users.  At least one user was able to view the names, addresses, dates of birth, insurance payments and dates, insurance company names, insurance policy numbers, procedures, diagnosis codes and descriptions, dates of service, treating physician names, and sometimes even Social Security numbers associated with University of Chicago Physicians Group patients.  ICS Collection Services learned of the issue on July 9.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Office of Dr. Carol Patrick, Ph.D
Lima, Ohio
MED STAT

517

Those with questions may call (419) 222-5077.

The August 8 office theft of several computers resulted in the exposure of patient information.  The computers contained names, Social Security numbers, addresses, and dates of birth that were encrypted.  They also contained letters, reports, evaluations, and session notes that were not encrypted.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 517

November 8, 2013 Good Samaritan Hospital
San Jose, California
MED PORT

3,833 (Five Social Security numbers involved)

Good Samaritan Hospital learned that a laptop was missing on July 8.  An investigation revealed on September 23 that the laptop contained data files related to patient pacemakers.  Names, dates of birth, addresses, telephone numbers, and health insurance company names may have been exposed.  Five patients had their Social Security numbers on the laptop.  Only a fraction of patients who had their pacemakers checked between 1996 and July of 2013 were affected.

UPDATE (12/5/2014): "Rensselaer County has paid $25,000 in a court award and set aside $90,000 for expected legal fees in a flurry of lawsuits brought by jail officers and others whose medical information was viewed for years by employees using a computer in the jail nurses' office.

Seven parties, including four current or former correction officers, a jail employee, the family of a correction officer on behalf of a minor child, and a private individual have sued the county.

More suits are anticipated, officials have said.

Two cases have been settled."

More Information: http://www.timesunion.com/local/article/Cost-grows-for-medical-access-la...

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 5

November 8, 2013 Texas Health Presbyterian Dallas Hospital
Dallas, Texas
MED STAT

949 (No Social Security numbers or financial information reported)

The August 22 office theft of a computer resulted in the exposure of patient information.  Names, dates of birth, age, gender, radiology images, radiation therapy dose planning, diagnoses, and Texas Health Presbyterian medical record numbers were on the computer.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Ferris State University - Michigan College of Optometry
Big Rapids, Michigan
MED HACK

3,947

Michigan College of Optometry learned on July 23, 2013 that their network had been compromised in December of 2011.  A malware program could have accessed the names, Social Security numbers, demographic information, and a limited amount of clinical information of patients that were on the server.  Former and current patients were mailed letters on September 24.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 3,947

November 8, 2013 Comprehensive Podiatry LLC
Independence, Ohio
MED PORT

1,360 (No Social Security numbers or financial information reported)

The August 3 theft of a laptop resulted in the exposure of patient information.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Access Counseling, LLC
Los Angeles, California
MED PORT

566 (Partial Social Security numbers involved)

A briefcase was stolen from an employee's car sometime between the evening of August 22 and the morning of August 23.  The case files of seven clients were inside of the briefcase. Additionally, the briefcase contained a computer with files that included names, partial Social Security numbers, dates of birth, addresses, and clinical notes related to all clients.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 BriovaRx
Chicago, Illinois
MED UNKN

1,067 (No Social Security numbers or financial information reported)

A breach of patient records occurred between July 3 and July 11 of 2013.  In a breach that may be related, a former employee was sued for stealing confidential health information and trade secrets in October.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Region Ten Community Services Board
Charlottesville, Virginia
MED HACK

10,228 (No Social Security numbers or financial information exposed)

A hacker obtained the passwords to several employees' emails on July 29.  The email accounts may have contained the health information of patients.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Schuylkill Health System
Pottsville, Pennsylvania
MED PORT

2,810 (No Social Security numbers or financial information reported)

The August 7 theft of a laptop resulted in the exposure of patient information.  

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Littleton Podiatry
Littleton, Colorado
MED PORT

3,512 (No Social Security numbers or financial information exposed)

The August 27 theft of a laptop resulted in the exposure of patient information.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 8, 2013 Sierra View District Hospital
Porterville, California
MED INSD

1,009 (No Social Security numbers or financial information reported)

A routine security audit at Sierra View District Hospital revealed that an employee had inappropriately accessed protected health information.  An investigation revealed that the information was not disclosed externally.  The breach occurred between July 1 and August 2.  

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0

November 7, 2013 DaVita
Denver, Colorado
MED PORT

11,500 (375 Social Security numbers exposed)

The theft of an unencrypted laptop resulted in the exposure of patient and employee information.  The laptop was stolen from an employee's vehicle and contained names, insurance information, diagnoses, and dialysis treatment information.  Approximately 375 patients also had their Social Security numbers exposed.

 
Information Source:
Media
records from this breach used in our total: 375

November 7, 2013 Department of Economic Opportunity
Tallahassee, Florida
GOV DISC

45

A glitch in the Department of Economic Opportunity's website caused Social Security numbers of people who registered for unemployment to be exposed.  The information was mistakenly sent to businesses and the Department of Economic Opportunity alerted businesses to the issue.  Those who were affected were sent letters.

 
Information Source:
Media
records from this breach used in our total: 45

November 7, 2013 Washington State University
Pullman, Washington
EDU PORT

300

The October 11 theft of two external hard drives may have exposed the information of students, current employees, and former employees.  Administrative and financial information such as Social Security numbers may have been exposed.

 
Information Source:
Media
records from this breach used in our total: 300

November 4, 2013 Phoenix Medical Group
Laurel, New Jersey
MED INSD

Unknown

A dishonest employee accessed and misused patient information sometime between January of 2009 and March of 2012.  Social Security numbers and dates of birth were taken to file fraudulent tax returns. The former employee pleaded guilty to one count of theft of government property and one count of aggravated identity theft.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

November 4, 2013 Samaritan Family Medicine Resident Clinic, Samaritan Health System
Corvallis, Oregon
MED PHYS

1,222 (20 Social Security numbers reported)

A patient discovered a stack of unshredded medical documents in a publicly accessible dumpster near the medical offices on Samaritan Drive.  Prescriptions, diagnoses, and other sensitive medical information could have been accessed.  The breach occurred in July and an employee removed the information soon after the incident.

The Oregon Department of Consumer and Business Services fined Samaritan $1,000 for the breach.  Samaritan will pay a full fine of $5,000 if it fails to comply with Oregon's confidential records laws during the next five years.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 20

November 4, 2013 University Hospitals
Cleveland, Ohio
MED STAT

7,100 (Unknown number of Social Security numbers)

An unnamed contractor misplaced a University Hospitals hard drive after taking it for a computer system upgrade.  The hard drive was stolen from the car of an employee of the contractor on August 8.  It contained patient information such as names, birth dates, addresses, medical record numbers, insurance provider information, and health information.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

November 4, 2013 CorporateCarOnline.com
Kirkwood, Missouri
BSO HACK

850,000

Hackers stole and stored information online related to customers who used limousine and other ground transportation.  The online information included plain text archives of credit card numbers, expiration dates, names, and addresses.  Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

 
Information Source:
Media
records from this breach used in our total: 850,000

October 31, 2013 Boone Hospital Center
Columbia, Missouri
MED INSD

125

An employee was found to have accessed Social Security numbers, dates of birth, medical diagnoses, prescribed treatments, and other health information without cause.  A patient contacted Boone Hospital Center on September 16 and said that her personal health information had been accessed.  An investigation revealed the breach and the employee's access was terminated on September 19.

 
Information Source:
Media
records from this breach used in our total: 125

October 31, 2013 Genesis Rehabilitation Services
Kennett Square, Pennsylvania
MED PORT

1,167

An employee's USB drive was discovered missing on September 3, 2013.  It contained the names, Social Security numbers, and addresses or email addresses of current employees, applicants, and agency employees.  A total of 33 people were affected.

UPDATE (12/04/2013): A second USB drive was also lost on August 30.  A total of 739 Lebanon Center and Wheelock Terrace patients in New Hampshire were affected.  Patient information included names, dates of birth, diagnoses, dates of admission or service, medical insurance identification information, and other medical information.  At least 71 patients had their Social Security numbers on the USB drive.

UPDATE (12/16/2013): A total of 1,167 individuals were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 1,167

October 31, 2013 Milwaukee Public School District, Express Scripts
Milwaukee, Wisconsin
EDU DISC

6,000

Social Security numbers were printed on the outside of letters that were sent to a third party vendor.  As many as 6,000 letters were sent to MPS Medicare D recipients. 

 
Information Source:
Media
records from this breach used in our total: 6,000

October 31, 2013 Paragon Benefits Inc, TSYS Employee Health Plan
Columbus, Georgia
BSO INSD

5,232

An employee of a temporary staffing agency who was working at Paragon Benefits Inc. emailed personal information to his own Gmail account for fraudulent purposes.  The information came from TSYS employees. The dishonest employee was arrested and charged with felony identity theft.  Two spreadsheets that contained names, Social Security numbers, dates of birth, and home addresses were sent.  At least 1,000 TSYS former employees and 11 family members had their information exposed.

 
Information Source:
Media
records from this breach used in our total: 5,232

October 31, 2013 Ektron
Nashua, New Hampshire
BSO HACK

22

The June 15 hack of Ektron resulted in the exposure of current and former employee information.  Names, Social Security numbers, immigration visas, passport numbers, and employee authorization cards were exposed.  Ektron learned of the breach in July and hired a third party firm to investigate the scope of the breach in August.

 
Information Source:
Databreaches.net
records from this breach used in our total: 22

October 30, 2013 Florida Department of Health
Orlando, Florida
MED INSD

3,500

Patients who suspect fraudulent activity may call the Orange County Sheriff's Office at (407) 253-7000.  Patients with general questions may call the Department of Health at (407) 858-1490.

Two employees accessed a database of patient names, Social Security numbers, and dates of birth for the purpose of misusing the information to file tax returns.  Police found a handwritten list of 148 names and personal information when they searched the home of the alleged ring leader.  Patients who were 17 and 18 years of age were targeted.

UPDATE (12/21/2013): The two women each pleaded guilty to one federal fraud charge related to accessing names, Social Security numbers, and dates of birth.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 3,500

October 30, 2013 Children's Healthcare of Atlanta
Atlanta, Georgia
MED INSD

500 (No Social Security numbers or financial information exposed)

Children's Healthcare of Atlanta fired and sued an executive for allegedly taking proprietary information that included patient health information, state license numbers for more than 500 health care providers, and other health care provider information.  The executive announced her resignation on October 16 and on October 18 the Hospital discovered that she had emailed sensitive information to her personal email account.  The executive had planned to leave on December 20 but was fired for exposing the Hospital's sensitive information.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

October 30, 2013 Florida Department of Health
Orlando, Florida
MED INSD

2,300

Those with questions may call (407) 858-1490.

Two former employees used patient records to make lists of names, Social Security numbers, and dates of birth.  The information was created for tax fraud purposes.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 2,300

October 30, 2013 Emerald Garden, Tampa General Hospital
Clearwater, Florida
MED INSD

Unknown

An investigation uncovered sensitive information from Emerald Garden and Tampa General Hospital patients.  A dishonest Emerald Garden employee was arrested in May and sentenced to 37 months in prison for conspiring to misuse the information to file tax refunds.  A contact at Tampa General Hospital also supplied patient information.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

October 29, 2013 MongoHQ
Mountain View, California
BSO HACK

Unknown

MongoHQ's internal system was compromised.  The system allowed certain administrative users to appear as other users.  MongoHQ reset all employee accounts and will enable devices, email, and internal applications after a credential reset and audit.  

 
Information Source:
Media
records from this breach used in our total: 0

October 28, 2013 Allina Health
Minneapolis, Minnesota
MED INSD

3,800 (No Social Security numbers reported)

Roughly 3,800 patients were affected by a breach that involved a former employee at the Inver Grove Heights clinic.  The employee worked as a certified medical assistant and viewed patient records without permission between February of 2010 and September of 2013.  Patients who were seen at any location within Allina Health's system may have had their demographic, clinical, and health insurance information viewed.  The employee also had access to the last four digits of patients' Social Security numbers.  

 
Information Source:
Media
records from this breach used in our total: 0

October 28, 2013 HealthFitness, Gerdau
Minneapolis, Minnesota
MED PORT

Unknown

Those who may have been affected may call (877) 371-7902.

HealthFitness informed Gerdau of a laptop theft that exposed the information of Gerdau employees and employee dependents.  HealthFitness administers Gerdau's health management and wellness program.  The laptop contained Social Security numbers, employee names, spouse names, dates of birth, and health plan elections.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

October 28, 2013 Dun & Bradstreet
Suwanee, Georgia
BSO HACK

Unknown

A cyber attack occurred during the period between March and April 2013.  Dun & Bradstreet holds information for business marketing, and other businesses may have been affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

October 25, 2013 NBC Sports Group
Stamford, Connecticut
BSO PORT

Unknown

Those with questions may call (203) 356-2720.

The August 24 theft of two laptops resulted in the exposure of personal information.  The laptops were stolen in Northern California and it is unclear whether employees, clients, or general consumers were affected.  Names, Social Security numbers, driver's licence numbers, and dates of birth were exposed.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

October 25, 2013 Michigan State University
East Lansing, Michigan
EDU HACK

Unknown

Michigan State University provided a notification here: http://police.msu.edu/crimealert10202013.asp

An unauthorized user was able to modify employee banking information.  The breach was discovered on October 18 when two employees reported receiving email confirmations of changes to their direct-deposit designations.  The unauthorized user may have obtained valid payroll credentials by using a phishing attack.  The HR/Payroll systems were taken offline on Friday, October 18 and were expected to become active again on October 21.

 
Information Source:
Media
records from this breach used in our total: 0

October 25, 2013 Yusen Logistics (Americas) Inc.
Secaucus, New Jersey
BSO PORT

Unknown

An unencrypted laptop was stolen from an employee's vehicle sometime around September 23.  It contained a spreadsheet with payroll deduction information for former and current Yusen Logistics Americas employees.  It contained names, Social Security numbers, addresses, and payroll benefit deduction amounts from the period of July 2013 to September 2013.

 
Information Source:
California Attorney General
records from this breach used in our total: 0

Showing 401-450 of 4467 results

