Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features, then click GO.



Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.
Breach Total
867,188,052 RECORDS BREACHED
(Please see explanation about this total.)
from 4,253 DATA BREACHES made public since 2005

Save or Print PDF of Entire Breach List including introduction.Save or Print a PDF of Entire Breach List (including introductory FAQ)

Filter breach list before saving or printing PDF. Conduct a search of the Chronology using its sorting features, and Save or Print a PDF of your search results (Select filters)

If you do not have access to PDF, you can print the Chronology in landscape view.

Date Made Public Name Entity Type
June 12, 2010 Middle Township Municipal Hall
Middle Township, New Jersey
GOV PHYS

Unknown

Personal information from Municipal Hall was found in a public dumpster. The information was not shredded and included police reports, Social Security numbers, home addresses, telephone numbers, names, and tax records. The improper disposal of information continued after the first dumpster discovery.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

June 29, 2010 University of Oklahoma
Norman, Oklahoma
EDU HACK

Unknown

The university's Information Technology department noticed unusual Internet activity on a laptop computer associated with its network. It determined the computer belonged to an employee and was infected with a virus known as Zeus or Z-Bod. The employee's laptop had access to computer files that contain student names and Social Security numbers.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 8, 2010 Tri-City Medical Center
Oceanside, California
MED INSD

Unknown

Employees shared patient information on Facebook. Differing reports leave it unclear if these employees were nurses, and whether or not they were fired.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 21, 2010 TeleTech, Sony Electronics
Englewood, Colorado
BSR UNKN

Unknown

Customers who placed orders through Sony Style Telesales Department between May 23rd and June 3rd 2010 may have had their credit card information illegitimately copied and sent to parties outside of the TeleTech network. TeleTech is a third party service provider of Sony.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

June 29, 2010 Merrimack Mortgage
Greer, South Carolina
BSF PHYS

Unknown

Personal documents from Merrimack Mortgage were found in an unsecured public dumpster. The documents were not shredded and contained Social Security numbers, credit scores, bank information, and other personal information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

April 21, 2010 St. Mary and Elizabeth Hospital Women's Center
Louisville, Kentucky
MED STAT

77 (0 SSNs reported)

A hard drive was stolen from a locked area. Medical information such as biopsy images, patient names, and medical exams were on the stolen hard drive.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 29, 2010 A Woman's Place
Ketchikan, Alaska
MED DISC

400 (0 SSNs reported)

An ACLU lawsuit claims that police acted inappropriately during a raid of A Woman's Place clinic. The lawsuit claims that police not only confiscated around 400 medical records, but read them and revealed sensitive medical information about patients to outside parties.

UPDATE (12/28/2012): ACLU is asking that the records be returned.  The police were investigating the clinic because it's owner is accused of billing state Medicaid program for services to 37 patients after having her license suspended.  Seven pharmacies billed Medicaid for prescriptions she had written after the owner's prescription authority was also suspended.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 28, 2010 Children's Hospital of Orange County
Orange, California
MED PHYS

Unknown

The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 26, 2010 Federal Aviation Administration
Washington, District Of Columbia
GOV DISC

0

This is an update to the February 9, 2009 breach entry.

An investigation that was launched in response to the 2009 breach of the Federal Aviation Administration's computer system (see Feb. 9, 2009, entry) was released June 26, 2010.  The findings reveal that the names addresses, Social Security numbers, medical data and other personal information of airmen are still vulnerable and that "serious security lapses" exist.

NOTE (12/2/2010): This entry has been updated to correct an error. Prior to December 2, 2010, this entry erroneously implied that a new breach had occurred involving 3 million records.  We apologize for our mistake.

Information Source: http://www.oig.dot.gov/sites/dot/files/MSS%20Final%20Report%20%28signed%29%206-18-2010.pdf

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 18, 2010 Family Care Center
Clinton, Washington
MED PORT

8,000 (0 SSNs reported)

Operations in Clinton, Freeland, and Oak Harbor were affected.

A thief or thieves entered the physical therapy office on June 12th.  Cash, other items, and a laptop containing encrypted patient information such as names and account numbers were stolen.  It appears that a door was left unlocked.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 20, 2010 Mercy Willard Hospital
Willard, Ohio
MED INSD

Unknown

A former employee kept patient photographs, videos, memos, schedules, and forms. Some of the documents included patient Social Security numbers and other personal information. The employee is also being accused of voyeurism and possession of child pornography; though this is unrelated to these findings.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 18, 2010 Ebony Medical Equipment and Supplies, Inc.
Tyler, Texas
MED INSD

Unknown

The owner used patient medical information to fraudulently obtain over $70,000 from Medicare and Medicaid.  The owner is also charged with buying patient information.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 6, 2010 Private Medical Practice
Chino Hills, California
MED PHYS

600 (0 reports of SSNs or financial information)

Confidential medical files were found in a dumpster near the medical office of the two doctors. The doctors were in the process of moving to a new location.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 4, 2010 Beautiful Brands International
West Lafayette, Indiana
BSR HACK

Unknown

Computer hackers have infiltrated the credit card processing system.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

June 2, 2010 Rainbow Hospice and Palliative Care
Park Ridge, Illinois
MED PORT

Unknown

http://www.rainbowhospice.org/protection/

According to their website: "On April 12, 2010, one of our laptop computers, which contained personal information, was stolen during a patient visit.  The laptop had security measures in place, but there is a very small chance that protected information such as name, address, date of birth, Social Security number, insurance information, medications, treatment, and diagnoses may have been inappropriately accessed."

 

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 8, 2010 Waukesha County
Big Bend, Wisconsin
GOV PORT

Unknown

A laptop was stolen from a payroll services provider of the county. It is unknown what types of Big Bend employee payroll information were contained on the laptop.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

May 26, 2010 Children's Hospital and Research Center at Oakland
Oakland, California
MED DISC

1,000 (0 SSNs reported)

http://www.childrenshospitaloakland.org/EnhancedPatientPrivacyProtection...

Approximately 1,000 patients received information about themselves and other patients in the mail. According to the Hospital's website "equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages rather than one. This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated and mailed incorrectly."

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

April 16, 2009 Fox Entertainment Group
Los Angeles, California
BSO INSD

Unknown

An employee was caught accessing the Social Security numbers, names, compensation information and other personal information of employees.  The former employee misused the information within the organization; but it is not known if they gave it to outside parties.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 14, 2010 Oregon State University
Corvallis, Oregon
EDU HACK

34,000 (unknown number of SSNs)

A University computer containing personal information of current and former employees was found to be infected by a virus. Employee records from 1999 to 2005 contained Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 10, 2010 Village of Big Bend
Big Bend, Wisconsin
BSO PORT

Unknown

A laptop containing payroll information for the village's employees was stolen from the car of the village's payroll provider in Milwaukee. Police have not recovered the laptop. The provider reported the theft and sent letters to employees to inform them their personal information was not secure. The provider recommended that employees contact a credit bureau that would place a 90-day alert on their information to prevent identity theft. 

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 10, 2010 Cisco Live 2010
Las Vagas, Nevada
BSO HACK

Unknown

Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group who have dealings with the company. A vendor told Cisco that someone had made "an unexpected attempt to access attendee information through ciscolive2010.com," the event Web site. That lead to the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco, details about less than 20% of those on the list were compromised. The breach was closed quickly, "but not before some conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. "No other information was available or accessed," according to the warning Cisco Live's event team sent via e-mail.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 15, 2010 Private Dental Practice
Barstow, California
MED PHYS

Unknown

An anonymous tipster called the Sheriff's Department and reported unattended boxes of personal records outside the dental office. The boxes contained patient records from the early 1990's to the present. These records numbered in the hundreds and had personal information such as Social Security numbers, names, birth dates, credit card numbers, and addresses. The Sheriff's Department destroyed the records and warned patients of dentists Lee, Sang H. Yoon and Patricia Patterson.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 16, 2010 United Healthcare (UnitedHealthcare), Deere and Company
Minneapolis, Minnesota
MED DISC

1,097 (no SSNs or financial information reported)

Deere and Company is headquartered in Moline, Illinois

United Healthcare notified members of a Deere and Company employee benefits plan of a mistake that led to claims summary statements being sent to the wrong addresses. Dates of services, categories of service, cost of service, and physician names were included.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 15, 2010 Utah Department of Workforce Services
Salt Lake City, Utah
GOV INSD

1,300 (Unknown number of SSNs)

A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of Workforce Services. A large number of employees had access to this information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 15, 2010 NBTY
Bohemia, New York
BSR DISC

Unknown

An email containing current and former employees' and plan participants' personal information was sent to the wrong recipient on June 15th. The information in the email included names, dates of birth, and Social Security numbers.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 15, 2010 Alcoa Global Mobility Group
New York, New York
BSO DISC

Unknown

An electronic folder containing personal information on current and former expatriates and others who received assistance from Alcoa's Global Mobility Group was shared as a public folder within its network.  The personal information included names, dates of birth, family members' names and dates of birth, salary compensation, Social Security numbers, and some people's medical information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 14, 2010 Carle Clinic Association
Urbana, Illinois
MED PHYS

1,300 (no SSNs or financial information reported)

An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films and film jackets. The health information included approximately 1,300 patient names, dates of birth, gender, clinic medical numbers, internal accession numbers, site locations, physician or provider names, and internal provider numbers.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Blue Island Radiology
Blue Island, Illinois
MED PORT

2,000 (number and type of financial account numbers and SSNs unknown)

A backup data tape and compact disc containing protected health information were never received. Individuals demographic, financial and clinical information were on the CD.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Blue Cross Blue Shield Association
Chicago, Illinois
MED PHYS

15,000 (0 SSNs and financial information reported)

An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals' protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 VHS Genesis Lab
Berwyn, Illinois
MED PHYS

500 (No SSNs or financial information involved)

Over 500 client invoices went missing. It does not appear that the month's worth of invoices were mailed. They contained health information such as names, dates of birth, and medical testing information.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 University of Pittsburgh Student Health Services
Pittsburgh, Pennsylvania
EDU INSD

8,000 (Not included because no specific type of financial information stated)

An employee dishonestly took documents containing names and financial information. The employee was fired.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 14, 2010 Tomah Memorial Hospital
Tomah, Wisconsin
MED INSD

600

A nurse used patient names and account numbers to illegally obtain narcotics. The nurse was fired.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

June 29, 2010 Ridgefield High School
Ridgefield, Connecticut
EDU HACK

Unknown (the students of a few teachers)

Two students were arrested for hacking into their school's computer system. Their goal appears to be changing their own grades; but they had access to the grades and personal information of other students.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 20, 2010 Long Island Consultation Center (LICC)
Rego Park, New York
MED PORT

800 (0 reports of SSNs or financial information)

A computer device containing doctor reports was reported missing from a secured area at LICC on May 24th. Names, dates of birth, diagnostic information and treatment information of some patients may have been included on the device.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 1, 2010 NYU Langone Medical Center Hospital for Joint Diseases
New York, New York
MED PORT

2,563 (no SSNs or financial information reported)

An unencrypted portable USB was lost or stolen sometime around May 12th. It contained patient names, medical record numbers, sex, age, procedure, attending physician, time of arrival in recovery room and time of discharge from recovery room.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 20, 2010 South Shore Hospital, Active Data Solutions
South Weymouth, Massachusetts
MED PORT

800,000 (unknown number of SSNs and financial information)

South Shore's statement can be found here:http://www.southshorehospital.org/news/notice/news_statement.htm

Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and employees from January 1996 through January 2010 may have been lost by a professional data management company. Depending on the person's association with the hospital, the information exposed could be full name, address, phone number, date of birth, Social Security number, driver's license number, medical record number, patient number, bank account information, credit card number, diagnoses and treatment.

UPDATE (9/10/10): Archive Data Solutions (formerly Iron Mountain Data Products) was revealed to be the company responsible for disposing of South Shore Hospital's records. Archive Data Solutions subcontracted the process to Graham Magnetics, who then lost the tapes in shipping.  The tapes may have also had patient information from Harbor Medical Associates and patient and vendor information from South Shore Physician Hospital Organization.

After investigating the incident the hospital decided not to mail notices or offer credit monitoring and identity theft services to those who may have been affected by the loss.  It was determined that the risk of the data being accessed was extremely low and that notifications inside the hospital, on websites, via email and in newspapers would be enough.  In addition, the Attorney General's office of Massachusetts has spoken out against the hospital's decision to skip precautions.

UPDATE (5/24/2012): South Shore Hospital will pay $750,000 to settle HIPAA violation and state law charges.  The breach involved the loss of two of three boxes containing 473 unencrypted back-up computer tapes with sensitive information sometime between February 2010 and June of 2010.  A total of $250,000 in civil penalty fines and a payment of $225,000 for an education fund to be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information was determined. South Shore Hospital was given a credit of $275,000 to reflect the cost of security measures it had already taken subsequent to the breach.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 19, 2010 LV Financial Services
Orlando, Florida
BSF PHYS

Unknown

Dozens of boxes of files from medical offices that hired LV to collect unpaid bills were found in an Orlando public dumpster. The files contained names, addresses, Social Security numbers, driver's license copies and credit reports. The collection agency went out of business in 2005 and the location of the files prior to this incident is unknown.

 
Information Source:
Dataloss DB
records from this breach used in our total: 0

July 22, 2010 Colorado Department of Health Care Policy and Financing
Denver, Colorado
GOV PORT

105,470 (0 SSNs and financial information reported)

A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the Colorado Office of Information Technology. The information included names, state ID number and the name of the client's program. The Agency is certain that contact information, financial information and Social Security numbers were not involved.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 23, 2010 University of California San Francisco (UCSF) Medical Center
San Francisco, California
EDU INSD

Unknown

A former employee used the Social Security numbers of his colleagues to obtain vouchers for Amazon.com purchases. He secretly used the Social Security numbers to create hundreds of accounts and complete 382 online StayWell health surveys in exchange for $100 online vouchers.

UPDATE (10/28/10): The former employee pled guilty to wire fraud and improper use of Social Security numbers.  He was sentenced to 12 one year and one day in prison. 

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 26, 2010 Natchez Police Department
Natchez, Mississippi
GOV INSD

Unknown

A police officer with the Natchez department fraudulently used and encouraged others to use stolen credit and debit cards.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 27, 2010 Rite Aid Corporation
Camp Hill, Pennsylvania
BSR PHYS

Unknown

Etters, PA is also mentioned as Rite Aid's headquarters

Rite Aid paid one million dollars to settle HIPAA privacy violations. Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 28, 2010 Time Warner Cable
New York, New York
BSR INSD

Unknown

A former employee was convicted of installing spyware on three company computers. The employee intended to capture the passwords of users who had access to a customer database and a billing system.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 27, 2010 Cooper University Hospital
Camden, New Jersey
MED PORT

Unknown

A flash drive with the personal information of graduate medical residents and fellows was reported missing on July 23.  The personal information included Social Security numbers, dates of birth, race, gender, addresses, phone numbers, marital status, emergency contacts and more. Students enrolled between 2008 and 2010 and current members of staff were affected.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 27, 2010 Citigroup Inc.
New York, New York
BSR DISC

117,600 (No incidents reported)

Citigroup's mobile banking application for Apple's iphone has a security flaw that saves user account numbers, bill payments and security access codes into a hidden file on the iphone and the user's computer.  An upgrade that will fix the problem is available.

 
Information Source:
Media
records from this breach used in our total: 0

July 29, 2010 University of Virginia
Charlottesville, Virginia
EDU PORT

Unknown

A transient was ordered to spend time in a men's diversion program after pleading guilty to stealing credit cards and electronics. One of the laptops he stole was a University-owned laptop. The man served 12 months in jail before being sentenced and slept in his car and in the University library during the time of the thefts.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

July 30, 2010 Texas Children's Hospital and Baylor College of Medicine
Houston, Texas
NGO PORT

694 (No SSNs or financial information reported)

A physician's laptop was stolen from an office on May 13th.  The laptop contained personal information on cardiology patients.  Affected persons were notified that their names, dates of service, medical record numbers, diagnoses and dates of birth were on the password-protected laptop.

UPDATE (9/2/10): Only 694 patients were affected.  The original notice on the website stated that 1600 patients were at risk.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

July 31, 2010 The Center for Neurosciences
Tucson, Arizona
MED PORT

1,101 (No reports of SSNs or financial information)

A visitor stole a laptop from an electromyogram and nerve conduction studies exam room on December 15, 2009.  The computer contained names, dates of birth, referring physicians and reasons for neurophysiological tests.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

March 23, 2010 Montefiore Medical Center
Bronx, New York
MED PORT

625 (Unknown number of SSNs and financial accounts)

A laptop containing private health information was stolen on February 20th.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0

August 1, 2010 Guttenberg Housing Authority
Guttenberg, New Jersey
GOV HACK

Unknown

An unauthorized individual may have accessed sensitive information on housing applicants and residents in late December 2009. The information may have included Social Security numbers, names and other personal identifying information.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

August 12, 2010 Tino's Greek Cafe
Austin, Texas
BSR CARD

Unknown

Thieves collected debit and credit card information from customers of Tino's.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0

Breach Total
867,188,052 RECORDS BREACHED
(Please see explanation about this total.)
from 4,253 DATA BREACHES made public since 2005
Showing 451-500 of 4253 results


X

Sign In!

Loading