Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

Breach Total
815,842,526 RECORDS BREACHED
(Please see explanation about this total.)
from 4,488 DATA BREACHES made public since 2005


Date Made Public Name Entity Type
June 7, 2009 T-Mobile USA
Bellevue, Washington
BSO HACK

Unknown

T-Mobile USA is investigating claims that a hacker has broken into its databases and stolen customer and company information. Someone anonymously posted the claims on the security mailing list Full Disclosure. In that post, the hacker claims to have gotten access to everything -- their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009. They claim they have been in touch with the carrier's competitors trying to sell the data, but have been unsuccessful. They threatened to sell it to the highest bidder. T-Mobile later confirmed a hacker obtained a document.

 
Information Source:
Media
records from this breach used in our total: 0

June 15, 2009 Beam Global Spirits & Wine Inc.
Deerfield, Illinois
BSR INSD

Unknown

Unauthorized access to a human resources payroll database by a former employee exposed names, addresses and Social Security numbers of past and present employees.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 18, 2009 Suncoast Schools Federal Credit Union
Tampa, Florida
BSF HACK

56,000 Not added to the total because it's included in the huge number already attributed for Heartland.

Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud. It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised.

 
Information Source:
Media
records from this breach used in our total: 0

June 22, 2009 Baptist Medical Center
Montgomery, Alabama
MED PHYS

Unknown

Many folders that were found in a landfill dump site were labeled "Radiology Department, Baptist Medical Center." Hundreds of medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out included names, x-rays, ultrasounds, MRIs, and Social Security numbers. Files from at least five other facilities were found at the same site; however, Baptist Medical Center is believed to be the source of the breach.


UPDATE (8/5/08): A former employee of Baptist Hospital has been sentenced to two years and one day in federal prison for wire fraud and stealing the identities of patients, according to a Department of Justice press release. Adrienne Denise Stovall, 30, pled guilty in January to one count of wire fraud and one count of aggravated identity theft, which carries a mandatory sentence of two years. Stovall worked at Montgomery's Baptist Hospital from August 2006 to early 2007. Her position gave her access to the hospital's computer system. The system contained confidential information including patient names, dates of birth, and Social Security numbers. Stovall used the information to apply for credit lines and credit cards.
http://www.justice.gov/usao/alm/press/current_press/2010_05_05_stovall.pdf

 
Information Source:
Media
records from this breach used in our total: 0

June 22, 2009 Broadridge Financial Solutions, Inc.
Jersey City, New Jersey
BSF DISC

Unknown

Broadridge Financial Solutions, Inc. provides proxy services for clients, including the processing, distribution and tabulation of Annual Meeting Proxy materials for registered shareholders of publicly traded companies. The firm inadvertently disclosed Dynegy shareholder information including name, address, Social Security number and other account information to another client. The total number of share-owners affected was not reported.

 
Information Source:
Media
records from this breach used in our total: 0

July 1, 2009 Carrell Clinic
Dallas, Texas
MED HACK

Unknown

An Arlington security guard was arrested on federal charges for hacking into a hospital's computer system. The defendant allegedly posted video of himself compromising a hospital's computer system on YouTube. The system and computers contained confidential patient information.

UPDATE (3/18/2011): Phiprivacy.net reports that the former security guard was sentenced to nine years in prison for installing malware.  Jesse William McGraw was employed by the security company United Protection Service while working as a security guard for Carrell Clinic. He was also the leader of a hacker gang.

 
Information Source:
Media
records from this breach used in our total: 0

July 1, 2009 Bike Nashbar
Asheville, North Carolina
BSR HACK

Unknown

custserv@nashbar.com, 1-800-NASHBAR

The company's computer servers were hacked and credit card information was compromised. Letters with more details will be mailed to affected customers.

 
Information Source:
Media
records from this breach used in our total: 0

June 29, 2010 A Woman's Place
Ketchikan, Alaska
MED DISC

400 (0 SSNs reported)

An ACLU lawsuit claims that police acted inappropriately during a raid of A Woman's Place clinic. The lawsuit claims that police not only confiscated around 400 medical records, but read them and revealed sensitive medical information about patients to outside parties.

UPDATE (12/28/2012): ACLU is asking that the records be returned. The police were investigating the clinic because its owner is accused of billing the state Medicaid program for services to 37 patients after having her license suspended. Seven pharmacies billed Medicaid for prescriptions she had written after the owner's prescription authority was also suspended.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 9, 2009 Mountain Medical Center
Salt Lake, Utah
MED PHYS

Unknown

Names, credit card numbers, Social Security numbers were found in a dumpster. A man was throwing away some stuff in a dumpster and found it was chock full of medical records. There's everything in there from canceled checks to routing numbers, he said. Salt Lake Police packed away perhaps twenty boxes of papers, and said they would protect the documents, as they dug into the matter.

 
Information Source:
Media
records from this breach used in our total: 0

June 28, 2010 Children's Hospital of Orange County
Orange, California
MED PHYS

Unknown

The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and to the wrong doctor on a separate occasion.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2009 Leander School District
Leander, Texas
EDU UNKN

Unknown

School officials sent a notice home with special needs students to alert parents that someone gained access to private information. It appears that one individual gained unauthorized electronic access to confidential information.

 
Information Source:
Media
records from this breach used in our total: 0

July 16, 2009 Elance
Mountain View, California
BSO HACK

Unknown

http://www.elance.com/p/trust/account_security.html

A warning from Elance's customer service was emailed, saying that the site has been hacked or attacked in some way. The data accessed was contact information - specifically name, email address, telephone number, city location and Elance username. This incident did not involve any credit card, bank account, social security or tax ID numbers.

 
Information Source:
Media
records from this breach used in our total: 0

August 24, 2010 Riverview Gardens School District
St. Louis, Missouri
EDU PHYS

Unknown

Hundreds of documents with student Social Security numbers, pictures, phone numbers and ages were left near a dumpster.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 22, 2009 A Honolulu hospital
Honolulu, Hawaii
MED INSD

Unknown

In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a computer as a class B felony. The defendant was employed by a hospital and had access to patient medical records.

 
Information Source:
Media
records from this breach used in our total: 0

June 26, 2010 Federal Aviation Administration
Washington, District Of Columbia
GOV DISC

0

This is an update to the February 9, 2009 breach entry.

An investigation that was launched in response to the 2009 breach of the Federal Aviation Administration's computer system (see Feb. 9, 2009, entry) was released June 26, 2010. The findings reveal that the names, addresses, Social Security numbers, medical data and other personal information of airmen are still vulnerable and that "serious security lapses" exist.

NOTE (12/2/2010): This entry has been updated to correct an error. Prior to December 2, 2010, this entry erroneously implied that a new breach had occurred involving 3 million records.  We apologize for our mistake.

Information Source: http://www.oig.dot.gov/sites/dot/files/MSS%20Final%20Report%20%28signed%29%206-18-2010.pdf

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 31, 2009 Jackson Memorial Hospital
Miami, Florida
MED INSD

3,360 (No reports of SSNs or financial information)

A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.

UPDATE (10/26/10): Ruben E. Rodriquez was sentenced to 11 years in prison for selling patient records to lawyers for injury claims.  Rodriquez stole 3,350 patient records in 2008 and 2009.  He may have also sold information in 2007.  The information included name, contact information and medical diagnoses.

 
Information Source:
Media
records from this breach used in our total: 0

August 11, 2009 Bank of America Corp.
Charlotte, North Carolina
BSF CARD

Unknown

Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one.

 
Information Source:
Media
records from this breach used in our total: 0

August 11, 2009 Citigroup Inc.
New York, New York
BSF CARD

Unknown

Citigroup (NYSE:C) recently issued replacement cards to consumers and told them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts that their account numbers may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use. Bank officials are not certain if this is a new breach or a previously disclosed one.

 
Information Source:
Media
records from this breach used in our total: 0

June 20, 2010 Mercy Willard Hospital
Willard, Ohio
MED INSD

Unknown

A former employee kept patient photographs, videos, memos, schedules, and forms. Some of the documents included patient Social Security numbers and other personal information. The employee is also being accused of voyeurism and possession of child pornography, though this is unrelated to these findings.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 18, 2010 Family Care Center
Clinton, Washington
MED PORT

8,000 (0 SSNs reported)

Operations in Clinton, Freeland, and Oak Harbor were affected.

A thief or thieves entered the physical therapy office on June 12th.  Cash, other items, and a laptop containing encrypted patient information such as names and account numbers were stolen.  It appears that a door was left unlocked.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

August 14, 2009 American Express
New York, New York
BSF INSD

Unknown

Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue.

 
Information Source:
Media
records from this breach used in our total: 0

June 18, 2010 Ebony Medical Equipment and Supplies, Inc.
Tyler, Texas
MED INSD

Unknown

The owner used patient medical information to fraudulently obtain over $70,000 from Medicare and Medicaid.  The owner is also charged with buying patient information.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

August 21, 2009 University of Massachusetts
Amherst, Massachusetts
EDU HACK

Unknown

Nearly a year ago, hackers broke into a computer server that contained Social Security numbers and a very limited amount of credit card information for graduates of University of Massachusetts. Hackers gained access to one server on the university's computer system, which held information of students who attended UMass between 1982 and 2002, as well as a few who attended before 1982. A UMass spokesman declined to say how many people's records were exposed, except that it was a large number of undergraduate and graduate students who attended the university during the 20-year period.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

September 7, 2009 School for the Physical City High School
New York, New York
EDU PHYS

Unknown

Boxes of student records were piled in the street in front of the old home of the School for the Physical City. Some records contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public intermediate high school. The boxes contained hundreds of records and were sitting next to a trash bin filled with old desks and other discarded school supplies. The School for the Physical City moved to a new location over the summer and apparently the records were thrown out with the trash during the relocation.

 

UPDATE (9/12/10): A parent and child are suing the New York City Department of Education.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 6, 2010 Private Medical Practice
Chino Hills, California
MED PHYS

600 (0 reports of SSNs or financial information)

Confidential medical files were found in a dumpster near the medical office of the two doctors. The doctors were in the process of moving to a new location.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

September 14, 2009 Jones General Store/Root of the Hill
Boulder, Colorado
BSR PHYS

Unknown

Boulder police are investigating two burglaries on University Hill that could have compromised some local shoppers' personal and credit card information. A manager for Jones General Store called police to report an overnight break-in and theft of credit card receipts. A short time later, an owner of Root of the Hill, a business in the same building, called officers to report a break-in, theft and extensive vandalism.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

September 17, 2009 Akron Children's Hospital
Akron, Ohio
MED HACK

Unknown

A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than 1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

September 25, 2009 Tennessee Department of Human Services
Nashville, Tennessee
GOV DISC

Unknown

Various doctors' offices in Tennessee were involved

Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana says hundreds of confidential medical faxes have been coming to him.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

October 7, 2009 CLP Skilled Trade Solutions
Palm Springs, Florida
BSO PHYS

Unknown

Boxes full of documents that had the CLP Skilled Trade Solutions logo on them were found in a dumpster in the back of a Newport Café. Some of the information found included Social Security cards, tax papers, driver's licenses and home IDs. Many of the documents were from a company that CLP acquired a few years ago.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

October 15, 2009 PayChoice
Moorestown, New Jersey
BSF HACK

Unknown

Hackers broke into the company's servers and stole customer user names and passwords. The attackers then included that information in e-mails to PayChoice's customers warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com. The plug-in was instead malicious software designed to steal the victim's user names and passwords.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

October 27, 2009 FirstMerit Bank
Streetsboro, Ohio
BSF PHYS

Unknown

Additional locations: Westlake and Elyria, OH

Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The storage bins were used to store paper waiting to be shredded. Three branches of the FirstMerit Bank in Streetsboro, Westlake and Elyria, OH each reported a bin missing beginning on October 7. One of the three bins contained personal documents of bank customers.

 
Information Source:
Media
records from this breach used in our total: 0

July 4, 2010 Beautiful Brands International
West Lafayette, Indiana
BSR HACK

Unknown

Computer hackers have infiltrated the credit card processing system.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 8, 2010 Waukesha County
Big Bend, Wisconsin
GOV PORT

Unknown

A laptop was stolen from a payroll services provider of the county. It is unknown what types of Big Bend employee payroll information were contained on the laptop.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 26, 2010 Children's Hospital and Research Center at Oakland
Oakland, California
MED DISC

1,000 (0 SSNs reported)

http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection...

Approximately 1,000 patients received information about themselves and other patients in the mail. According to the Hospital's website "equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages rather than one. This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated and mailed incorrectly."

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

April 16, 2009 Fox Entertainment Group
Los Angeles, California
BSO INSD

Unknown

An employee was caught accessing the Social Security numbers, names, compensation information and other personal information of employees. The former employee misused the information within the organization, but it is not known if they gave it to outside parties.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 14, 2010 Oregon State University
Corvallis, Oregon
EDU HACK

34,000 (unknown number of SSNs)

A University computer containing personal information of current and former employees was found to be infected by a virus. Employee records from 1999 to 2005 contained Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 10, 2010 Village of Big Bend
Big Bend, Wisconsin
BSO PORT

Unknown

A laptop containing payroll information for the village's employees was stolen from the car of the village's payroll provider in Milwaukee. Police have not recovered the laptop. The provider reported the theft and sent letters to employees to inform them their personal information was not secure. The provider recommended that employees contact a credit bureau that would place a 90-day alert on their information to prevent identity theft. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 10, 2010 Cisco Live 2010
Las Vegas, Nevada
BSO HACK

Unknown

Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group who have dealings with the company. A vendor told Cisco that someone had made "an unexpected attempt to access attendee information through ciscolive2010.com," the event Web site. That led to the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco, details about less than 20% of those on the list were compromised. The breach was closed quickly, "but not before some conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. "No other information was available or accessed," according to the warning Cisco Live's event team sent via e-mail.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 15, 2010 Private Dental Practice
Barstow, California
MED PHYS

Unknown

An anonymous tipster called the Sheriff's Department and reported unattended boxes of personal records outside the dental office. The boxes contained patient records from the early 1990's to the present. These records numbered in the hundreds and had personal information such as Social Security numbers, names, birth dates, credit card numbers, and addresses. The Sheriff's Department destroyed the records and warned patients of dentists Lee, Sang H. Yoon and Patricia Patterson.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 16, 2010 United Healthcare (UnitedHealthcare), Deere and Company
Minneapolis, Minnesota
MED DISC

1,097 (no SSNs or financial information reported)

Deere and Company is headquartered in Moline, Illinois

United Healthcare notified members of a Deere and Company employee benefits plan of a mistake that led to claims summary statements being sent to the wrong addresses. Dates of services, categories of service, cost of service, and physician names were included.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 15, 2010 Utah Department of Workforce Services
Salt Lake City, Utah
GOV INSD

1,300 (Unknown number of SSNs)

A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of Workforce Services. A large number of employees had access to this information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 15, 2010 NBTY
Bohemia, New York
BSR DISC

Unknown

An email containing current and former employees' and plan participants' personal information was sent to the wrong recipient on June 15th. The information in the email included names, dates of birth, and Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 15, 2010 Alcoa Global Mobility Group
New York, New York
BSO DISC

Unknown

An electronic folder containing personal information on current and former expatriates and others who received assistance from Alcoa's Global Mobility Group was shared as a public folder within its network.  The personal information included names, dates of birth, family members' names and dates of birth, salary compensation, Social Security numbers, and some people's medical information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 14, 2010 Carle Clinic Association
Urbana, Illinois
MED PHYS

1,300 (no SSNs or financial information reported)

An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films and film jackets. The health information included approximately 1,300 patient names, dates of birth, gender, clinic medical numbers, internal accession numbers, site locations, physician or provider names, and internal provider numbers.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Blue Island Radiology
Blue Island, Illinois
MED PORT

2,000 (number and type of financial account numbers and SSNs unknown)

A backup data tape and compact disc containing protected health information were never received. Individuals' demographic, financial and clinical information was on the CD.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Blue Cross Blue Shield Association
Chicago, Illinois
MED PHYS

15,000 (0 SSNs and financial information reported)

An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals' protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 VHS Genesis Lab
Berwyn, Illinois
MED PHYS

500 (No SSNs or financial information involved)

Over 500 client invoices went missing. It does not appear that the month's worth of invoices were mailed. They contained health information such as names, dates of birth, and medical testing information.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 University of Pittsburgh Student Health Services
Pittsburgh, Pennsylvania
EDU INSD

8,000 (Not included because no specific type of financial information stated)

An employee dishonestly took documents containing names and financial information. The employee was fired.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Tomah Memorial Hospital
Tomah, Wisconsin
MED INSD

600

A nurse used patient names and account numbers to illegally obtain narcotics. The nurse was fired.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 29, 2010 Ridgefield High School
Ridgefield, Connecticut
EDU HACK

Unknown (the students of a few teachers)

Two students were arrested for hacking into their school's computer system. Their goal appears to have been changing their own grades, but they had access to the grades and personal information of other students.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

Showing 451-500 of 4488 results

