Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
868,045,823 RECORDS BREACHED
(Please see explanation about this total.)
from 4,351 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
April 23, 2009 Oklahoma Department of Human Services
Oklahoma City, Oklahoma
GOV PORT

1,000,000

(866) 287-0371

Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 1,000,000

November 16, 2012 Nationwide Mutual Insurance Company and Allied Insurance
Columbus, Ohio
BSF HACK

1,000,000

Affected Georgia consumers may call 1-800-760-1125. Other consumers with questions may call 1-800-656-2298.

A portion of the computer network used by Nationwide and Allied Insurance agents was breached by cyber criminals on October 3.  The attack was discovered on the same day and contained.  On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation, and employer information had been stolen.  Affected parties were identified on November 2 and notifications were sent on November 16.

UPDATE (11/20/2012): At least 28,000 people in Georgia were affected.  The total number of affected people is not known.

UDPATE (12/10/2012): A total of 28,468 people in Georgia, 534 in Oklahoma, 12,490 in South Carolina, 286 in Maryland, 5,050 in California, 91,000 in Iowa, 170 in Hawaii, 8,000 in New Mexico, and 98,191 in Minnesota were affected. This brings the known total to 244,188.  Nationwide/Allied Group reported that the breach compromised the information of one million policyholders and non-policyholders nationwide.

 
Information Source:
California Attorney General
records from this breach used in our total: 1,000,000

June 14, 2006 American International Group (AIG), Indiana Office of Medical Excess, LLC
New York, New York
BSF STAT

930,000

The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information.

UPDATE (1/12/2010) A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,00 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation.

 
Information Source:
Dataloss DB
records from this breach used in our total: 930,000

July 20, 2007 Science Applications International Corp. (SAIC)
San Diego, California
BSO DISC

867,000

 (703) 676-6533, http://www.saic.com/response/

The Pentagon contractor may have compromised personal information. Information such as names, addresses, birth dates, Social Security numbers and health information about military personnel and their relatives were exposed when the data were not encrypted prior to being transmitted online.

UPDATE (5/05/2012): Though 580,000 households were reported, a total of 867,000 people may have been affected.

 
Information Source:
Dataloss DB
records from this breach used in our total: 867,000

November 4, 2013 CorporateCarOnline.com
Kirkwood, Missouri
BSO HACK

850,000

Hackers stole and stored information online related to customers who used limousine and other ground transportation.  The online information included plain text archives of credit card numbers, expiration dates, names, and addresses.  Many of the customers were wealthy and used credit cards that would be attractive to identity thieves.

 
Information Source:
Media
records from this breach used in our total: 850,000

December 6, 2013 Horizon Healthcare Services, Inc. (Horizon Blue Cross Blue Shield)
Newark, New Jersey
BSF PORT

840,000

Sometime between November 1 and 3, two unencrypted laptops were stolen from employee workstations.  The laptops were password-protected and cable-locked to the workstations.  Names, Social Security numbers, addresses, dates of birth, Horizon Blue Cross Blue Shield New Jersey identification numbers, and demographic information may have been exposed.  Almost 840,000 Horizon Blue Cross Blue Shield members were affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 840,000

February 20, 2009 Arkansas Department of InformationSystems, Information Vaulting Services
Little Rock, Arkansas
GOV PORT

807,000

 (888) 682-0411 <a href=http://notify.arkansas.gov>http://notify.arkansas.gov</a>

A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company's vault. The background-check information includes names, dates of birth, Social Security numbers and addresses.

 
Information Source:
Dataloss DB
records from this breach used in our total: 807,000

December 12, 2006 University of California at Los Angeles (UCLA)
Los Angeles, California
EDU HACK

800,000

Affected individuals can call UCLA at (877) 533-8082, http://www.identityalert.ucla.edu

Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.

 
Information Source:
Media
records from this breach used in our total: 800,000

September 28, 2007 Gap Inc.
San Francisco, California
BSR PORT

800,000

 (866) 237-4007, http://gapinc.com/securityassistance/

A laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Social Security numbers were included in the information on the laptop.

 

UPDATE (5/28/10): A man whose Social Security number and other personal information were compromised by a company that processed his job application for The Gap Inc. has no legal claims against the company because no actual damage resulted from the privacy breach (a laptop stolen from Vangent), ruled the Ninth Circuit Court of Appeals. Ruiz v. Gap, Inc. 09-15971 (9th Circ. May 28, 2010), http://www.ca9.uscourts.gov/datastore/memoranda/2010/05/28/09-15971.pdf .

 
Information Source:
Dataloss DB
records from this breach used in our total: 800,000

March 29, 2012 Department of Child Support Services, International Business Machines (IBM), Iron Mountain, Inc.
Boulder, Colorado
GOV PORT

800,000

The location listed is that of IBM's headquarters.

On March 12, 2012, the Department of Child Support Services (DCSS) was notified that contractors International Business Machines (IBM) and Iron Mountain, Inc. could not locate several computer devices that had been shipped from Colorado to California. Californians who used state child support services were affected by the loss.  Names, Social Security numbers, addresses, driver's licenses, names of health insurance providers, health insurance plan membership identification numbers, and employer information may have been exposed.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 800,000

December 15, 2010 Ohio State University
Columbus, Ohio
EDU HACK

750,000 (Unknown numbers of SSNs and financial information)

Affected individuals can find more information at www.osu.edu/creditsafety

Students, professors and other University affiliates were notified that their information may have been accessed by a hacker.  University officials discovered the breach in late October.  Unauthorized individuals logged into an Ohio State server and had access to names, Social Security numbers, dates of birth and addresses of current and former students, faculty, staff, University consultants and University contractors.

UPDATE (1/14/11): 517,729 former students and 65,663 current students were affected.  Exact numbers for current and former faculty, staff, consultants and contractors were not given.

UPDATE (2/22/2011): As of February 22, OSU was still attempting to find and inform affected individuals of the breach.  Around 226,000 notification letters were mailed to alumni in February.

 
Information Source:
Databreaches.net
records from this breach used in our total: 750,000

July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
Chicago, Illinois
BSF STAT

722,000

On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.

UPDATE (7/26/06): Computer was recovered.

UPDATE (04/26/07): The New York Attorney General's office found that CS Stars violated the state's security breach law. CS Stars must pay the Attorney General's office $60,000 for investigation costs. It was determined that the computer had been stolen by an employee of a cleaning contractor, the missing computer was located and recovered, and that the data on the missing computer had not been improperly accessed.

 
Information Source:
Security Breach Letter
records from this breach used in our total: 722,000

May 12, 2012 Hewlett, Packard, California Department of Social Services
Riverside, California
GOV PORT

701,000

Around 700,000 caregivers and care recipients had their information lost or stolen during transit between Hewlett Packard and the State Compensation Insurance Fund in Riverside, California.  A package that originally contained microfiche with payroll data entries and possibly other sensitive information arrived via U.S. Postal Service damaged and missing thousands of payroll data entries. Names, wages, Social Security numbers, and state identification numbers were exposed. A total of 375,000 In-Home Supportive Services workers were affected and 326,000 recipients of In-Home Supportive Services care were affected.

UPDATE (05/30/2013): A total of 748,902 elderly home care recipients and their caretakers were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 701,000

April 19, 2008 Central Collection Bureau
Indianapolis, Indiana
BSO STAT

700,000

A computer server containing Social Security numbers and other personal information was stolen last month from a Southside debt-collection bureau. The information includes customer-billing records for Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

November 6, 2008 Express Scripts
St. Louis, Missouri
BSO UNKN

700000

Express Scripts has received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter, included personal information on 75 people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Express manages prescription benefits for roughly 50 million people.

UPDATE 10/1/09: Express Scripts notified about 700,000 consumers that their records may have been breached.

 
Information Source:
Dataloss DB
records from this breach used in our total: 700,000

April 28, 2005 Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp
Hackensack, New Jersey
BSF INSD

676,000

Note: location listed is the corporate headquarters of Bank of America, not necessarily where the breach occurred.

Bank employees illegally sold account information to someone posing as a collection agency. Customers affected were notified and received one year of free credit monitoring services.

 
Information Source:
Dataloss DB
records from this breach used in our total: 676,000

May 25, 2012 University of Nebraska, Nebraska Student Information System, Nebraska College System
Lincoln, Nebraska
EDU HACK

654,000

The University of Nebraska set up a webpage for more information on the breach: http://nebraska.edu/security

A University technical staff member discovered a breach on May 23.  Staff took steps to limit the breach and there was no clear evidence that any information was downloaded.  The Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former University of Nebraska students may have been accessed.  The database also included the information of people who applied to the University of Nebraska, but may have not been admitted, and alumni information as far back as Spring of 1985. The University of Nebraska was still investigating the extent of the breach as of May 25, 2012.

UPDATE (05/29/2012): The University of Nebraska created a webpage for information about the breach.  Close to 21,000 people had bank account information that was linked to the student information system and exposed.  The University of Nebraska's computer database also held 654,000 Social Security numbers, though it is unclear if that number completely overlaps the number of individuals who had their bank account information exposed.  Current and former students of the University of Nebraska campuses in Lincoln, Omaha, and Kearney were affected; as well as anyone who applied to the University since 1985.

UPDATE (06/01/2012): The Nebraska College System began using a shared student information system called NeSIS in 2009.  This resulted in data from Chadron State, Peru State, and Wayne State colleges being exposed.

UPDATE (09/10/2012): Police seized computers and related equipment belonging to a University of Nebraska-Lincoln (UNL) undergraduate student who is believed to be involved in the incident.

UPDATE (12/11/2012): The former UNL student has been charged with intentionally accessing a protected computer system and causing damage of at least $5,000.

UPDATE (06/22/2013): The hacker now faces an additional nine charges of exceeding his authorized access to a computer and two charges of knowingly transmitting a program that damaged computers owned by the University of Nebraska and Nebraska State College Systems.

UPDATE (12/03/2013): The hacker and former UNL student pleaded guilty to one count of intentionally damaging a protected computer and causing loss in excess of $5,000.  His sentencing was scheduled for March 21, 2014.

 
Information Source:
Dataloss DB
records from this breach used in our total: 654,000

May 2, 2005 Time Warner, Iron Mountain Inc.
New York, New York
BSO PORT

600,000

Backup tapes containing the personal information of current and former employees from as far back as 1986 was lost or stolen during shipping. An 800 number was set up to answer questions and provide free credit monitoring for one year.

UPDATE (5/3/2005): A contractor named Iron Mountain Inc. lost the tapes during shipping. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 600,000

February 24, 2010 Citigroup
New York, New York
BSF DISC

600,000

About 600,000 Citigroup customers got a shock earlier this month when they received their annual tax documents with their Social Security numbers printed on the outside of the envelope. The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number.

 
Information Source:
Dataloss DB
records from this breach used in our total: 600,000

February 2, 2007 U.S. Department of Veterans Affairs, VA Medical Center
Birmingham, Alabama
MED PORT

48,000 veterans plus 535,000

(877) 894-2600, http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1294

An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers.

UPDATE (2/10/07): VA increases number of affected veterans to 535,000, included in the total below.

UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below.

UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations.

UPDATE (6/18/07):More than $20 million to respond to its latest data breach, the breach potentially puts the identities of nearly a million physicians and VA patients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 583,000

March 30, 2006 Georgia Technology Authority (GTA)
Atlanta, Georgia
GOV HACK

573,000

Hackers exploited a security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners.  The State only had contact information for 180,000 of those affected and relied on media coverage to get the word out to others.

 
Information Source:
Dataloss DB
records from this breach used in our total: 573,000

July 24, 2009 Network Solutions
Herndon, Virginia
BSO HACK

573,000

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.

 
Information Source:
Dataloss DB
records from this breach used in our total: 573,000

May 4, 2009 Virginia Prescription Monitoring Program
Richmond, Virginia
MED HACK

531,400

The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. A notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not.

UPDATE (6/4/09): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program, are being notified. The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse.

 
Information Source:
Media
records from this breach used in our total: 531,400

March 30, 2011 Eisenhower Medical Center (EMC)
Rancho Mirage, California
MED STAT

514,330 (No SSNs or financial information reported)

The March 11 theft of a desktop resulted in the exposure of patient names, dates of birth, ages, Eisenhower medical record numbers and the last four digits of patient Social Security numbers. A television was also stolen during the burglary. Patient information from as far back as the 1980's may have been exposed.

UPDATE (5/22/2014): A California appellate court ruled Wednesday that Eisenhower Medical Center did not violate California's Confidentiality of Medical Information Act.

According to the Fourth District Court of Appeals, "names on a hospital patient index are not "medical informaiton" if they're not coupled with medical histories, condition or treatment".

If the court had found the medical center in violation, they could have been faced with damages as high as $500 million dollars.

 

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 514,330

February 28, 2010 Wyndham Hotels & Resorts
Dallas, Texas
BSO HACK

500,000

International hotel group Wyndham Hotels and Resorts (WHR) has suffered yet another serious data breach after hackers broke into its computer systems, stealing customer names and payment card information.

UPDATE (05/18/2010): An open letter from Wyndham to its customers: www.wyndhamworldwide.com/customer_care/data-claim.cfm

UPDATE (05/12/2011): Wyndham identified 42 additional New Hampshire residents who were affected by the 2010 breach.  The total number of people affected by hacking incidents at Wyndham in 2009 and 2010 is likely to be large since 37 hotels under Wyndham's hotel group were affected.

UPDATE (06/26/2012): The FTC has filed a complaint against Wyndham hotels for failure to protect the personal information of consumers.  Wyndham hotels and three of its subsidiaries are accused of data security failures that led to three data breaches at Wyndham hotels between 2009 and 2011.  The FTC accused them of allowing failures that led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an internet domain address registered in Russia.  The FTC statement can be read here: http://www.ftc.gov/opa/2012/06/wyndham.shtm.

UPDATE (08/30/2012): Wyndham Hotel & Resorts LLC is contending that the FTC lacks the authority to regulate private companies' data security practices. Wyndham motioned to dismiss the FTC's Arizona federal court case with this assertion.

UPDATE (06/25/2014): On June 25th, The Federal Trade Commission "sufficiently alleged that several Wyndham Hotels entities operated as a common enterprise in the commission's data security enforcement action against them, the U.S. District Court for the District of New Jersey held June 23, in an unpublished opinion. The court is allowing Wyndham Hotels and Resorts LLC a interlocutory review of portions an an earlier April 7th opinion denying the company's separate motion to dismiss, Judge Esther Salas wrote in a second unpublished opion (FTC v. Wyndham Worldwide Corp., 2014 BL 174519, D.N.J., No. 2:13-cv-01887, unpublished opinion 6/23/14)".

 
Information Source:
Media
records from this breach used in our total: 500,000

June 23, 2010 Anthem Blue Cross, WellPoint
Pasadena, California
MED DISC

470,000

More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  Anthem Blue Cross merged with WellPoint in 2004.

UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach.  The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information.

UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information.  It is unclear whether these residents are included in the original 470,000 customers.  Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.

UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft.  An applicant behind the lawsuit is seeking class action status.

UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company's delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines.  State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers. 

UPDATE (7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law.  Customer data was accessible between October 23, 2009 and March 8, 2010.  One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010.  WellPoint began notifying consumers on June 18, 2010.

UPDATE (07/13/2013): About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed.  WellPoint paid HHS $1.7 million in fines.  

 
Information Source:
Dataloss DB
records from this breach used in our total: 470,000

May 14, 2005 Georgia Technology Authority (GTA)
Atlanta, Georgia
GOV INSD

465,000

A former computer programmer for Georgia Technology Authority downloaded state driver's license information which contained names, addresses, driver's license numbers, and in some cases Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 465,000

December 5, 2013 JPMorgan Chase
New York, New York
BSF HACK

465,000

The information associated with JPMorgan Chase prepaid cash cards (Ucards) that were issued to corporations for employee payments and for government issued tax refunds, unemployment, and other benefits may have been accessed by hackers. The breach happened back in July of 2013 and JPMorgan learned of the breach sometime during the middle of September.  The breach was disclosed after an investigation revealed which customer accounts may have been affected.

UPDATE (12/06/2013): Hackers were able to breach the www.ucard.chase.com website and access personal information.  The passwords appeared in plain text during the course of the attack.

Child support payments may have also been affected.  The Department of Social Services, the Department of Labor, and the Department of Children and Families sent out prepaid cards that were affected.  The breach affected people nationwide. Government agencies in Maine, Utah, Connecticut, and Pennsylvania confirmed they were affected.

UPDATE (12/09/2013): Rhode Island residents were also affected.

UPDATE (12/12/2013): Michigan residents were also affected.  Beneficiaries were affected nationwide.  Each state has a different number of residents who were affected.

 
Information Source:
Media
records from this breach used in our total: 465,000

January 14, 2010 BlueCross BlueShield (BCBST)
Chattanooga, Tennessee
MED PORT

1,023,209 (451,274 Social Security numbers involved)

Additional locations: Memphis, Jackson, Knoxville, Nashville and additional locations in Tennessee

The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. The hard drives contained 1.3 million audio files and 300,000 video files. The files contained customers' personal data and protected health information that was encoded but not encrypted, including: names and BlueCross ID numbers. In some recordings-but not all-diagnostic information, date of birth, and/or a Social Security number were exposed. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk.


UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761, an estimate made in March, to nearly one million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues.

UPDATE (11/3/10): According to a letter sent to the New Hampshire Attorney General's Office, the total number of individuals affected was 1,023,209.  BCBS used a three-tier system to categorize individuals affected by the breach.  The total includes 451,274 clients whose Social Security numbers were involved, 319,325 clients whose personal and diagnostic health information was involved and 239,730 clients who had personally identifiable information that was neither medical nor their Social Security number.  BlueCross Blue Shield also reported receiving fewer than 10 requests for credit restoration services from those who had their Social Security numbers exposed.

UPDATE (3/14/2012): Blue Cross Blue Shield of Tennessee (BCBST) reached a $1.5 million resolution agreement with the U.S. Department of Health and Human Services. BCBS of Tennessee kept the drives and network data closet in a facility that was secured by a property management company.  The closet was secured by biometric and keycard scan security with a magnetic look and an additional door with a keyed lock.  BCBST eventually vacated most of the leased office space. Thieves may have taken the opportunity to steal the 57 unencrypted hard drives from the closet while the space was not fully occupied.

 
Information Source:
Dataloss DB
records from this breach used in our total: 451,274

October 4, 2007 Massachusetts Division of Professional Licensure
Boston, Massachusetts
GOV DISC

450,000

http://www.mass.gov/dpl or call (617) 973-8100

Social Security numbers of about 450,000 licensed professionals were inadvertently released. The information was mailed last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the division. The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool. The disks would normally contain only the names and addresses of individuals licensed through the Division of Professional Licensure and the Division of Health Professions Licensure. However, the disks also included Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 450,000

August 22, 2007 California Public Employees' Retirement System (CalPERS)
Sacramento, California
GOV DISC

445,000

Roughly 445,000 retirees in California received brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number appeared without hyphens on the address panel.

 
Information Source:
Dataloss DB
records from this breach used in our total: 445,000

April 21, 2010 Affinity Health Plan
Bronx, New York
MED PORT

409,262

Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive. Some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company. Affinity Health Plan says it has not had a chance to review the data found on the copier. The figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.

UPDATE (08/15/2013): Affinity Health Plan will pay more than $1.2 million in HIPAA violations as a result of the breach.

 
Information Source:
Dataloss DB
records from this breach used in our total: 409,262

February 5, 2014 St. Joseph Health System
Suwanee, Georgia
MED HACK

405,000

St. Joseph Health System in Texas has reported a data breach of a server that stored information for numerous facilities.

Information was accessed through a single server by hackers from China and other locations. The server contained employee and patient data for St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center. The affected server was taken offline once the breach was discovered.

The breach supposedly occurred between December 16 through the 18th, 2013.

The data included patient names, birth dates, Social Security numbers, and possibly addresses. Medical information for patients was accessible, as well as bank information for current and former employees. Both adult and minor information may have been compromised.

Currently, investigators could not determine if any information had been extracted or used.

 
Information Source:
California Attorney General
records from this breach used in our total: 405,000

February 24, 2011 Cambridge Who's Who Publishing, Inc.
Uniondale, New York
BSO PORT

400,000

A former employee made accusations that Who's Who experienced a breach of 400,000 data tapes with customer information.  It is not clear what happened, but the tapes were misplaced during the shipping process sometime before October 20, 2010.  The information on the tapes included customer names, Social Security numbers, addresses, driver's license numbers, payroll data, checking account numbers and credit card information may have been exposed.

 
Information Source:
Databreaches.net
records from this breach used in our total: 400,000

May 27, 2011 Spartanburg Regional Hospital
Spartanburg, South Carolina
MED PORT

400,000

The March 28 theft of a laptop resulted in the exposure of patient information.  The laptop was stolen from an employee's car on March 28.  It contained patient names, Social Security numbers, addresses, dates of birth and medical billing codes. Spartanburg Regional has not revealed the number of affected patients.

UPDATE (7/03/2011): Spartanburg Regional notified HHS that 400,000 patients were affected.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 400,000

April 17, 2014 Aaron Brothers
Coppell, Texas
BSR HACK

400,000

Aaron Brothers, a division of Michaels Stores Inc. appears to been a part of the data breach of Michaels Stores Inc. The company confirmed on Thursday April 17, 2014 that the payment system breach also affected its Aaron Brothers chain. Approximately 400,000 cards were potentially breached from June 26, 2013 through February 27, 2014.

 
Information Source:
Media
records from this breach used in our total: 400,000

December 12, 2006 Aetna, Nationwide, WellPoint Group Health Plans, Humana Medicare, Mutual of Omaha Insurance Company, Anthem Blue Cross Blue Shield via Concentra Preferred Systems
Dayton, Ohio
MED PORT

396,279

A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC.

UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc.)

UPDATE(1/24/07): Personal data of 28,279 Nationwide's Ohio customers were also compromised.  2/11/10 Total changes to 396,279 to reflect final total of records breached in all of the affected companies.

 
Information Source:
Dataloss DB
records from this breach used in our total: 396,279

December 13, 2006 Boeing
Seattle, Washington
BSO PORT

382,000 current and former employees

In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees.

UPDATE (12/14/06): Boeing fired the employee whose laptop was stolen.

UPDATE(1/26/07): The laptop was recovered.

 
Information Source:
Dataloss DB
records from this breach used in our total: 382,000

July 12, 2010 Marsh and Mercer
Washington, District Of Columbia
BSF PORT

378,000

Marsh and Mercer's Seabury and Smith, Inc. and Mercer Health and Benefits LLC operations were involved.  The list of known organizations with affected employees includes Idaho Power, Saint Luke's health System and Saint Alphonsus Regional Medical Center.

The location is listed as Seabury and Smith's office.

The insurance broker and benefits consulting firm reported the loss of a backup tape during transport.  The tape contained employee benefits information for companies that used Marsh and Mercer for consultation. Names, addresses, Social Security numbers, dates of birth, account information and driver's license numbers were on the tape.

UPDATE (8/9/10): Three hundred current and former Boise, Idaho city employees were also affected.

UPDATE (8/26/10): The Idaho Power website revealed that around 5,000 employees were affected, and a total of 375,000 individuals from other organizations were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 378,000

January 25, 2006 Providence Home Services
Portland, Oregon
MED PORT

365,000

Backup tapes, laptops and disks containing Social Security numbers, clinical and demographic information were stolen from the car of an employee. In a small number of cases, patient financial data was stolen.

UPDATE (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

UPDATE (7/15/08) Providence Health will pay $100,000 and adhere to a compliance plan under the first ever Resolution Agreement negotiated by CMS (Centers for Medicare and Medicaid Services of the U.S. Dept. of Health and Human Services) under the HIPAA Privacy and Security Standards. The Corrective Action Plan requires Providence to revamp its security policies to include physical protections for portable devices and off-site transport and storage of backup media. Further, it must implement technical safeguards, such as encryption and password protection. And it must conduct random compliance audits and submit compliance reports to HHS for the next three years.

UPDATE (4/16/2012): The Oregon Supreme Court struck down a class-action suit against Providence Health Systems.  The Oregon Supreme Court claimed that there was no evidence that any of the 365,000 patients who were affected by the breach suffered any financial loss or other adverse consequences.

 
Information Source:
Dataloss DB
records from this breach used in our total: 365,000

June 9, 2011 Citibank
New York, New York
BSF HACK

360,000

Customers may call 888-640-4982 for more information.

Hackers have managed to access the information of approximately 1% of Citibank's 21 million users. U.S. Customer names, account numbers, and contact information were exposed.  Security codes and dates of birth were not exposed.  The breach occurred sometime in May.  

UPDATE (6/13/2011): Citibank released an official statement on the Citigroup website.

UPDATE (6/14/2011): It has been revealed that hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site and guessing the account numbers of other customers.  Since the account number appeared in the web address browser bar, simply altering an account number allowed the hackers to access a different account.  The hackers also utilized an automatic computer program to guess account numbers quickly. This incident appears to have occurred in early May.

UPDATE (6/14/2011): Connecticut Attorney General George Jepsen asked Citigroup Inc. to provide more information about the data breach.  Jepsen feels that more information about the types of account information exposed, the cause of the breach, the steps taken to notify affected individuals and the steps to prevent future breaches is needed.  He requested the additional information by June 22.

UPDATE (6/16/2011): The number of affected individuals has been raised from 210,000 to 360,000.  Further investigation of and information about the breach revealed that the breach was discovered on May 10.  By May 24, Citigroup officials concluded that the data thieves had captured names, account numbers, and email addresses of about 360,000 customer accounts.  Social Security numbers, expiration dates, and three-digit security passwords found on the back of credit cards were not exposed.

UPDATE (6/24/2011): At least 3,400 of the customers whose credit card information was stolen have suffered a combined loss of $2,700,000.

UPDATE (09/03/2013): Citibank has agreed to pay $15,000 in civil penalties to Connecticut's Privacy Protection Guaranty and Enforcement Account and $40,000 to the General Fund of Connecticut.  Citibank will also hire a third party to conduct an information security audit of the Account Online section of Citibank's website.

 
Information Source:
Databreaches.net
records from this breach used in our total: 360,000

February 15, 2006 U.S. Department of Agriculture (USDA)
Washington, District Of Columbia
GOV DISC

350,000

The Social Security numbers of tobacco farmers were accidentally released when the U.S. Department of Agriculture attempted to comply with the Freedom of Information Act.  Those who received the information agreed to destroy any copies and return the original discs, which also contained tax identification numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 350,000

February 15, 2012 University of North Carolina at Charlotte
Charlotte, North Carolina
EDU DISC

350,000

UNC-Charlotte will post information about the breach here.  Those with questions may also call (855) 205-6937.

An online security breach occurred at the UNC-Charlotte campus and was discovered on January 31.  It is unclear how much information could have been accessed. The number of people affected was not revealed.  An email alert was sent to students and staff on February 15 in order to inform them that a "potentially significant data exposure of its Information Systems" had occurred.  The University also stated that it had corrected the known issues related to the breach.

UPDATE (5/09/2012): Around 350,000 people had their Social Security numbers exposed. Financial information was also exposed.  A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the University to be accessible from the Internet. One exposure issue affected general University systems over a period of about three months.  A second exposure issue affected the college of engineering systems for over a decade.

 
Information Source:
Databreaches.net
records from this breach used in our total: 350,000

December 28, 2007 Davidson County Election Commission
Nashville, Tennessee
GOV PORT

337,000

Someone broke into several county offices over Christmas and stole laptop computers that county officials now believe may have contained Social Security numbers and other personal information for every registered voter in Davidson County.

UPDATE (1/19/08): Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December.

 
Information Source:
Dataloss DB
records from this breach used in our total: 337,000

October 27, 2006 Link Staffing Services
Houston, Texas
BSO STAT

332,000

On September 26 it was discovered that a computer server was stolen during an office burglary. The server had employee names and Social Security numbers. Current and former employees were notified at the end of October after an investigation of the breach.

 
Information Source:
Dataloss DB
records from this breach used in our total: 332,000

May 16, 2006 American Institute of Certified Public Accountants (AICPA)
New York, New York
NGO PORT

330,000 [Updated 6/16/06]

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company. AICPA offered one year of free credit monitoring services to affected members.

 
Information Source:
Dataloss DB
records from this breach used in our total: 330,000

November 12, 2008 University of Florida College of Dentistry
Gainesville, Florida
EDU HACK

330,000

Some current and former dental patients have been notified that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information. College information technology staff members were upgrading the server and found software had been installed on it remotely. Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990.

 
Information Source:
Dataloss DB
records from this breach used in our total: 330,000

February 13, 2008 Lifeblood
Memphis, Tennessee
MED PORT

321,000

Laptop computers with birth dates and other personal information of roughly 321,000 blood donors are missing and presumed stolen. Stored inside both computers were names, birth dates and addresses at the time of the individual's last donation or attempted donation. In most cases, the donors' Social Security numbers were also stored, along with driver's licenses, telephone numbers, e-mail addresses, ethnicity, marital status, blood type and cholesterol levels. Social Security numbers had been used to track blood from the donor to the recipients.

 
Information Source:
Dataloss DB
records from this breach used in our total: 321,000

March 10, 2005 LexisNexis
Dayton, Ohio
BSO INSD

310000

Unauthorized individuals used IDs and passwords of legitimate customers to obtain consumers' Social Security numbers, driver's license numbers, and names and addresses. Most of the breaches were at the company's subsidiary Seisint Inc., based in Florida.

UPDATE (4/12/05) An internal investigation at LexisNexis has uncovered evidence that an additional 280,000 records may have been involved in this breach, increasing the total from 30,000 to 310,000.

UPDATE (06/30/06): Five men were arrested in connection with this breach.

 
Information Source:
Dataloss DB
records from this breach used in our total: 310,000

February 19, 2014 University of Maryland
College Park, Maryland
EDU HACK

309,079

The University of Maryland, located in College Town Maryland, had one of their records databases hacked Tuesday January 18, 2014 around 4:00 a.m by an outside source.

This particular database holds information dating back to 1998 and includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school at their College Park and Shady Grove campuses.

The hackers did not alter anything in the actual database, but apprarently have made a "copy" of the information. The university commented at how sophisticated the attack was by the hacker or hackers and they must have had a "very significant understanding" of how the database was designed and maintained, including the level of encryption and protection of the database.

According to the university President, school officials are investigating the breach and taking steps to prevent any further system intrusions.

The college has put out the following statements:

"The University is offering one year of free credit monitoring to all affected persons. Additinoal information will be communicated within the next 24 hours on how to activate this service.

University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.

All updates regarding this matter will be posted to this website.  If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu".

 

 
Information Source:
Media
records from this breach used in our total: 309,079

Breach Total
868,045,823 RECORDS BREACHED
(Please see explanation about this total.)
from 4,351 DATA BREACHES made public since 2005
Showing 51-100 of 4351 results


X

Sign In!

Loading