Chronology of Data Breaches
Security Breaches 2005 - Present

Posted Date: April 20, 2005
Updated Date: December 31, 2013

Is this your first visit to our Chronology of Data Breaches?

  • Read our FAQ about what we define as a breached record, how we calculate the "total" records breached, our data sources, state breach notice laws, studies and other resources

  • Learn how to use our Chronology and take advantage of its sophisticated search and sort features

  • Get our RSS Feed to see when we add new breaches to the list

What would you like to do?


Click or unclick the boxes then select go.


Select features then click GO. To modify your search, check or uncheck the boxes and click GO.


Reset the checkboxes to the default "all selected."

Help Guide

Can't find the sort feature you're looking for? Click here to download a CSV file of the data breach list as it exisits today.

display_id:page_1

display_id:page_1

Breach Total
816,324,756 RECORDS BREACHED
(Please see explanation about this total.)
from 4,517 DATA BREACHES made public since 2005
Date Made Publicsort ascending Name Entity Type
July 29, 2013 Samaritan Regional Health System
Ashland, Ohio
MED PHYS

2,203 (No Social Security numbers or financial information reported)

An exposure of patient paper records was discovered on May 29th.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
July 29, 2013 South Florida Neurology Associates, P.A.
Boca Raton, Florida
MED PORT

900 (No Social Security numbers or financial information reported)

The theft of a laptop resulted in the exposure of patient information.  The laptop was stolen sometime between May 25 and May 30.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
July 29, 2013 Sheet Metal Local 36 Welfare Fund, People Resource Corporation
St. Louis, Missouri
MED UNKN

4,560 (No Social Security numbers or financial information reported)

A data breach occured between August 1, 2012 and July 8, 2013.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
July 29, 2013 MED-EL Corporation
Durham, North Carolina
MED DISC

609 (No Social Security numbers or financial information reported)

An email error that occrred on June 25 resulted in the exposure of health information.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
July 29, 2013 Northrop Grumman Retiree Health Plan, CVS Caremark
Fall Church, Virginia
MED PHYS

4,305 (No Social Security numbers or financial information reported)

A breach involving paper records from CVS Caremark affected 4,305 Northrop Grumman Retiree Health Plan enrollees.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
July 26, 2013 NASDAQ OMX Group Inc.
New York, New York
BSF INSD

Unknown

Malware was installed on servers between November of 2008 and October of 2010.  This allowed one or more hackers to execut commands to delte, change, and steal data from the computers used by NASDAQ.  A total of five foreign hackers were charged for involvement in a series of financial incidents.  They were all collaborating in a scheme to target major corporate networks and were able to steal more than 160 million credit card numbers across corporations.

 
Information Source:
Media
records from this breach used in our total: 0
July 26, 2013 Stanford University
Stanford, California
EDU HACK

Unknown

People who used Stanford University's computer network have been asked to reset their passwords. Stanford released few details but stated that it does not appear that Social Security numbers and financilai nformation were accessed or exposed.

 
Information Source:
Media
records from this breach used in our total: 0
July 26, 2013 St. Mary's Bank
Manchester, New Hampshire
BSF HACK

115,775

Current and former members may have had their Social Security numbers, transaction records, and other personal information exposed due ot malware that was found on an employee's office computer.  The malware was discovered on May 26 and St. Mary's began mailing letters on July 12.  The malware could have been on up to 23 work stations as early as February.  There has been no evidence of names, Social Security numbers, addresses, account numbers, transaction records, or other sensitive information being accessed by an unauthorized individual so far.

 
Information Source:
Media
records from this breach used in our total: 115,775
July 25, 2013 Securities and Exchange Commission (SEC)
Washington, District Of Columbia
BSF DISC

Unknown

A July 8 letter warned current and former employees that SEC employee data had been found on the networks of another federal agency.  The outside federal agency was not named. It appears that a former SEC employee inadvertently and unknowingly downloaded the names, Social Security numbers, and dates of birth of SEC employees onto a thumb drive and then transferred them to another agency.  The employee wanted a template of the document rather than the actual employee data that it contained.  The accidental upload of sensitive information occured in April of 2012 and again in June of either 2012 or 2013.  Employees who were with SEC before October of 2009 were affected. The breach lasted for 10 months before being noticed. The SEC confiscated the flash drive when the breach was uncovered.

 
Information Source:
Media
records from this breach used in our total: 0
July 25, 2013 Baltimore City
Baltimore, Maryland
GOV PHYS

Unknown

Thousands of current and former Baltimore City employees are at risk after a box was found with Baltimore City personnel information.  Records been discarded in a publicly accessible place for trash.  Names, Social Security numbers, dates of birth, drivers' license information, and other vital and personal employee information was contained in the records. The Department of Public Works obtained the box of information and is attempting to contact people based on lists of class attendants that were among the records.

 
Information Source:
Databreaches.net
records from this breach used in our total: 0
July 24, 2013 NYC Bike Share, Citibike
New York, New York
BSR DISC

1,200

NYC Bike Share discovered that customer credit card numbers, names, and addresses had been posted on a publicly accessible page of its website.  The glitch was corrected after being active between April 15 and late May.  Customers who initially entered their information incorrectly had their information posted online for 24 hours.  The data was cleared every 24 hours between April 15 and late May.

 
Information Source:
Media
records from this breach used in our total: 1,200
July 24, 2013 Tinder
West Hollywood, California
BSO DISC

Unknown

Tinder advertises to users that their physical location information is never shown to other users.  An outside engineer discovered an issue with the Tinder app that allowed the locations of users to be available for at least two weeks.  Last known locations, Facebook IDs, dates of birth, gender, and names were available.  

 
Information Source:
Media
records from this breach used in our total: 0
July 24, 2013 Tinder
West Hollywood, California
BSO DISC

Unknown

Tinder advertises to users that their physical location information is never shown to other users.  An outside engineer discovered an issue with the Tinder app that allowed the locations of users to be available for at least two weeks.  Last known locations, Facebook IDs, dates of birth, gender, and names were available.  

 
Information Source:
Media
records from this breach used in our total: 0
July 23, 2013 Henry Ford Health System
Detroit, Michigan
MED PHYS

15,417 (No SSNs or financial information reported)

A warehouse that was not owned by Henry Ford Health System was raided for old X-rays.  X-rays can be stripped for silver and these medical X-rays also contained the names, addresses, and dates of birth of patients of Henry Ford Health System.  The X-rays dated between 1996 and 2003.  Henry Ford Health System learned about the issue on May 24.

 
Information Source:
Media
records from this breach used in our total: 0
July 22, 2013 Apple Inc.
Cupertino, California
BSR HACK

Unknown

Apple's website for developers was accessed by unauthorized parties.  Registered developer names, mailing addresses, and email addresses may have been accessed on Thursday, July 18.  Encrypted customer information was not affected.

 
Information Source:
Media
records from this breach used in our total: 0
July 19, 2013 University of Virginia, Aetna Health Care
Charlottesville, Virginia
EDU DISC

18,700

A mailing error by a third-party mailing vendor used by Aetna Health Care resulted in the Social Security numbers of students being exposed in open-enrollment brochures.

 
Information Source:
Media
records from this breach used in our total: 18,700
July 19, 2013 Regional Medical Center Bayonet Point
Hudson, Florida
MED DISC

Unknown (10 confirmed)

A patient received the information of other patients in a mailing.  Names, patient records, and Social Security numbers were exposed.  

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 10
July 18, 2013 South Shore Physicians, P.C.
Staten Island, New York
MED INSD

8,000 (80 people confirmed affected)

A dishonest nurse and three co-conspirators were linked to medical identity fraud after she posted details about the fraud on a social media account.  The ring had been active since 2004 and had brought in $675,000 over the past five years.  The nurse had been fired from South Shore Physicians after falsifying her work hours.  The co-conspirators face at least 64 counts related to fraud, falsifying records, and theft.

UPDATE (10/1/2013): Notifications were sent to 8,000 patients in relation to the breach.

 
Information Source:
Media
records from this breach used in our total: 80
July 18, 2013 NASDAQ.com
New York, New York
BSO HACK

Unknown

Hackers were able to steal passwords from a NASDAQ Community forum.  It is likely that only passwords  and non-financial inforimation was stolen.  NASDAQ alerted users to the issue and took the website offline to upgrade its security.  There is concern that the hackers will use the email and password information to send phishing messages and obtain access to various financial accounts.

 
Information Source:
Media
records from this breach used in our total: 0
July 18, 2013 San Jose Medical Supply Company
San Jose, California
MED INSD

800

Fraudulent activity by former employees was discovered when a new owner took over San Jose Medical Supply Company in August of 2012.  San Jose Medical Supply Company confirmed in June of 2013 that health information was exposed between August of 2011 and December of 2011.  The dishonest employees and other affiliated individuals no longer work with San Jose Medical.  Names, Social Security numbers, home addresses, dates of birth, Medi-Cal ID numbers, physician names and contact information, prescriptions, diagnosis information, type and quantity of medical supplies ordered, and disability codes were disclosed to Front Medical Supply and/or Living Medical Supply without authorization.

UPDATE (07/29/2013): A total of 800 people were affected.

 
Information Source:
California Attorney General
records from this breach used in our total: 800
July 17, 2013 Office of the Medicaid Inspector General (OMIG)
Albany, New York
MED INSD

17,743

A link to the official notice can be foudn here:

http://apps.cio.ny.gov/apps/mediaContact/public/preview.cfm?parm=E5EBBF4...

An OMIG employee sent an email that contained sensitive records to their own email account on October 12, 2012.  Medicaid paitient first and last names, Social Security numbers, dates of birth, and Medicaid client information numbers may have been compromised. 

 
Information Source:
Media
records from this breach used in our total: 17,743
July 17, 2013 Citigroup
New York, New York
BSF DISC

146,000

Citigroup exposed the Social Security numbers, dates of birth, and other sensitive information of customers by not properly redacting the information for court records.  Consumers who went into bankruptcy between 2007 and 2011 were affected.  The incident was discovered by the bank on April 2011.  Roughly 146,000 consumers were notified of the breach in July of 2013.

 
Information Source:
Media
records from this breach used in our total: 146,000
July 16, 2013 Gap, Banana Republic
San Francisco, California
BSR DISC

20

A customer received a package from Banana Republic that contained documents with employee Social Security numbers, tax forms, resignation letters, legal notices, doctors' notes, and performance reviews.  The package was meant for HR administration and contained the information of around 20 sales support associates who work at Gap.  The customers were expecting a tie and pocket square.  it appears that the package had been mislabeled.

 
Information Source:
Media
records from this breach used in our total: 20
July 16, 2013 Calvert Internal Medicine Group
Prince Frederick, Maryland
MED DISC

Unknown

A finance department employee contacted ADP for troubleshooting and an ADP representative removed the firewall of Calvert Internal Medicine Group during the service call.  The firewall was not restored after the call and employees began receiving spam emails from the finance department employee's email account.  Malware was also detected in the spam inbox of the employee's computer.  Names, Social Security numbers, addresses, and other payroll information of current and former employees may have been exposed.

 
Information Source:
Media
records from this breach used in our total: 0
July 16, 2013 Academy Studios
Novato, California
BSO PHYS

Unknown

Personnel records were discarded in a public dumpster after Academy Studios. The non-profit closed in April and many of its assets were sold in an online auction on May 21.  The personnel paperwork included names, Social Security numbers, dates of birth, copies of passports, copies of drivers' licenses, I-9 forms, and other employee information.

 
Information Source:
Media
records from this breach used in our total: 0
July 13, 2013 Cedars-Sinai Medical Center
Los Angeles, California
MED INSD

14 (No Social Security numbers or financial information reported)

Five medical workers were fired for their role in a hacking effort that targeted a celebrity.  A total of 14 patient records were breached between June 18 and June 24.  The employees misused the Hospital's information system to access patient records for curiousity or media purposes.  A volunteer also participated and was barred from working at the Hospital.

 
Information Source:
Media
records from this breach used in our total: 0
July 12, 2013 Long Beach Memorial Medical Center
Long Beach, California
MED INSD

2,864 (No SSNs reported)

Patients who received treatment between September 2012 to June 2013 may have had their information exposed by a breach related to an employee.  Names, sex, dates of birth, home addresses, phone numbers, account numbers, insurance information, and the reason for admission were exposed.  There is currently no reason to believe that the information was used in a malicious manner.

 
Information Source:
Media
records from this breach used in our total: 0
July 11, 2013 Texas Health Harris Methodist Hospital Fort Worth, Shred-it
Fort Worth, Texas
MED PHYS

277,000 (Unknown number of SSNs)

People who may have been affected may call 1-877-216-3789 and use reference code 4537070513.

A concerned citizen alerted police to a situation on May 11.  Old microfiche records were discovered in a park even though they should have been destroyed by the Hospital's contractor Shred-it.  The records contained names, addresses, dates of birth, and health information and were from 1980 to 1990. Some records also contained Social Security numbers.  

 
Information Source:
Media
records from this breach used in our total: 0
July 11, 2013 Guildford County Schools, Page High School
Greensboro, North Carolina
EDU DISC

456 (No SSNs or financial information reported)

Parents with questions may call 336-332-0810.

A Guildford County Schools employee accidentally emailed a PDF file that contained Page High School student personal information.  Student names, addresses, phone numbers, course enrollments, grades, school district identification numbers, and other transcript data were in the PDF file. The information was emailed to a single guardian on July 2, 2013.

 
Information Source:
Media
records from this breach used in our total: 0
July 8, 2013 Roy's Holdings, Inc.
Honolulu, Hawaii
BSR STAT

Unknown

Malware infected an employee's desktop computer.  Roy's restaurants in Ko'Olina, Waikiki, Kaanapali, Poipu, and Waikoloa were affected.  Anyone who used a debit or credit card at those locations between February, 1, 2013 and February 25, 2013 may have had their payment card information compromised.

 
Information Source:
California Attorney General
records from this breach used in our total: 0
July 8, 2013 Internal Revenue Service (IRS)
Washington, District Of Columbia
GOV DISC

10,000

Public.Resource.org received 990-T forms with sensitive information during a request for information from the IRS.  The IRS acknowledged the mistake and Public.Resource.org became curious about where else the information could be found.  Public.Resource.org found multiple incidents of Social Security numbers being exposed on the IRS website and wrote a letter that pointed out the issues to the IRS.  The IRS was able to remove some or all of the sensitive files from public view over the course of a few days.

 
Information Source:
Media
records from this breach used in our total: 10,000
July 5, 2013 Morningstar Document Research
Chicago, Illinois
BSF HACK

182,000 (2,300 credit card accounts reported)

Client information may have been compromised by an intrusion that took place around April 3.  Client email addresses, passwords, credit card numbers, and other information may have been exposed.

 
Information Source:
Media
records from this breach used in our total: 2,300
July 4, 2013 Behavioral Health Network
Springfield, Massachusetts
MED PHYS

Unknown

A concerned citizen found medical records in a publicly accessible dumpster.  Behavioral Health Network has a shredding vendor and did not have an explanation for the breach.  Behavioral Health Network picked up the remaining files.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0
July 3, 2013 Bureau of Automotive Repair (BAR)
Rancho Cordova, California
GOV HACK

Unknown

Those with questions may call the Consumer Information Center at 1-800-952-5210.

An unauthorized individual accessed the network of a BAR service provider between May 2012 and March 2013.  The bank routing information of Smog Check stations licensed with the BAR was exposed.  Those who may have had their accounts accessed are encouraged to close their old accounts and open new accounts with new PINs or passwords.

UPDATE (07/11/2013): Approximately 7,500 Smog Check stations had bank account and routing numbers associated with the businesses exposed.

 
Information Source:
California Attorney General
records from this breach used in our total: 0
July 3, 2013 Indiana Family and Social Services Administration (FSSA), RCR Technology Corporation
Indianapolis, Indiana
GOV DISC

187,533 (3,926 SSNs exposed)

A computer programming glitch resulted in the exposure of client health, financial, and employment information.  Personal and private documents that belonged to certain clients were accidentally made available to other clients between April 6 and May 21 when FSSA contractor RCR Technology Corporation made a programming error.  The issue was discovered on May 10 and addressed on May 21.  Patients of clients may have had their names, addresses, dates of birth, demographic information, contact information, types of benefits received, monthly benefit amount, employer information, monthly income and expenses, bank balances and other assets, medical providers, medical conditions, and information about household members exposed.

 
Information Source:
Media
records from this breach used in our total: 3,926
July 2, 2013 Health Net, CalViva Health
Suwanee, Georgia
MED DISC

Unknown

A number of member identification cards were mailed to incorrect addresses.  The problem occurred because of a programming error.  The member identification cards contained names, dates of enrollment, addresses, telephone numbers of primary care physicians, issue dates of cards, and Medi-Cal client identification numbers.  

 
Information Source:
California Attorney General
records from this breach used in our total: 0
July 2, 2013 Quayside Publishing Group
Minneapolis, Minnesota
BSO CARD

Unknown

Qbookshop.com, Qbookshop.net, Motorbooks.com, and WalterFoster.com were affected.

A credit card breach resulted in the exposure of information. Customers who made online purchases at Quayside Publishing Group had their information exposed sometime around April 29.  Names, addresses, and credit card numbers were exposed until June 17.

 
Information Source:
California Attorney General
records from this breach used in our total: 0
July 2, 2013 Advantage Health Solutions
Indianapolis, Indiana
MED DISC

Unknown

A patient discovered that he could see the information of other users by logging into his Advantage Health Solutions account.  Any patients who put in a name or date of birth other than their own were able to see the records of people with those names or dates of birth.  Names, phone numbers, addresses, primary care physicians, medical bills, types of medications, and other medical information were exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0
July 1, 2013 Union Security Insurance Company
Kansas City, Missouri
MED UNKN

1,127 (No Social Security numbers or financial information reported)

A breach that occurred on May 17 may have exposed protected health information.  It involved email and/or the improper disposal of records.

 
Information Source:
HHS via PHIPrivacy.net
records from this breach used in our total: 0
June 28, 2013 University of South Carolina
Columbia, South Carolina
EDU PORT

6,300

The April theft of a faculty laptop resulted in the exposure of current and former student information.  The laptop was stolen from a locked room in the Department of Physics and Astronomy.  It contained a file with the names, emails, and Social Security numbers of up to 6,300 University of South Carolina students who had taken one of four physics courses between January of 2010 and the fall 2012 semester.

 
Information Source:
Media
records from this breach used in our total: 6,300
June 28, 2013 Greensboro ABC Stores, Triad ABC
,
BSR HACK

Unknown

Stores in the Greensboro, South Carolina and Winston-Salem, North Carolina areas were affected.

Greensboro ABC stores and Triad ABC stores discovered that the software used by cash registers had been hacked.  The malware was discovered after customers complained about fraudulent charges on their debit and credit card accounts.  The ABC stores stopped accepting credit and debit cards while investigating the issue.

 
Information Source:
Media
records from this breach used in our total: 0
June 27, 2013 Millimaki Eggert, LLP
San Diego, California
BSF PORT

Unknown

The April 27 office burglary of two password-protected laptops resulted in the exposure of sensitive client information.  Names, Social Security numbers, and addresses may have been involved.  

 
Information Source:
California Attorney General
records from this breach used in our total: 0
June 27, 2013 Citi Prepaid Services
New York, New York
BSF DISC

Unknown

Those with questions may call (888) 742-9213.

A code change in the prepaid cardholder website impacted the security features that authenticate cardholder logins.  Anyone who logged into the prepaid cardholder website between June 2 and June 13 was affected.  The issue was remediated and it does not appear that unauthorized charges have occurred on any of the affected accounts.

 
Information Source:
California Attorney General
records from this breach used in our total: 0
June 26, 2013 Iowa Department of Health Services
Des Moines, Iowa
MED PORT

7,335 (No Social Security numbers or financial information reported)

Former patients of the Mental health Institute in Independence, Iowa and state employees may have had their confidential information exposed.  A backup tape was found to have been missing as of April 30.  Officials of Iowa Department of Human Services believe the tape was accidentally discarded or destroyed.  

UPDATE (06/27/2013): The tape contained the information of 7,300 patients and 700 employees. Only patients who were admitted after June of 2010 were affected.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0
June 25, 2013 Foundations Recovery Network, Sebastopol Sea Serpents
Nashville, Tennessee
MED PORT

5,690

The June 15 theft of an employee's laptop resulted in the exposure of patient information.  Names, Social Security numbers, dates of birth, addresses, medical information, and telephone numbers were on the laptop.

UPDATE (08/28/2013): A total of 5,690 patients were affected by the breach.

UPDATE (11/25/2013): Level of care, dates of service, health insurance information, and other medical information were also on the laptop.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 5,690
June 25, 2013 Baptist Health South Florida, West Kendall Baptist Hospital
Miami, Florida
MED INSD

Unknown

An employee of West Kendall Baptist Hospital sold patient information to a man who used the information to file fraudulent tax returns.  Patients may have had their names, Social Security numbers, and dates of birth exposed.  The man who purchased and used the information was sentenced to 31 months in federal prison after pleading guilty to possessing 15 or more Social Security numbers.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 0
June 24, 2013 Florida State University, Florida Department of Education
Tallahassee, Florida
EDU DISC

47,000

The information of 47,000 Florida teachers was publicly accessible for 14 days after a data transfer at Florida State University.  The information was from teachers participating in state prep programs.  The Department of Education used Florida State University as the contractor for the transfer of teacher data.

UPDATE (06/26/2013): People who participated in Florida teacher preparation programs during the 2009 -2010 and 2011-2012 academic years were affected.

 
Information Source:
Media
records from this breach used in our total: 47,000
June 24, 2013 King County Sheriff's Office
Seattle, Washington
GOV PORT

2,300

A laptop and portable hard drive were stolen from the truck of an undercover officer in March of 2013.  The devices were not encrypted and contained Social Security numbers, drivers license numbers, and personal information about victims, suspects, witnesses, and police officers. The officer received disciplinary action for leaving the laptop unattended in the backseat of a truck.

 
Information Source:
Media
records from this breach used in our total: 2,300
June 21, 2013 Facebook
Menlo Park, California
BSO DISC

6,000,000 (No SSNs or financial information involved)

Facebook's official notice can be found here: https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766

Facebook discovered a bug that may have allowed unauthorized users to view the personal contact information of Facebook users.  The people who could have used the information would have had some kind of connection to them or some kind of contact information, but users may have thought their email and phone numbers were hidden from these connections.  People who used the Download Your Information (DYI) tool may have been able to access the contact information.  The issue was discovered by an external group of security researches involved with the White Hat program. The breach began sometime in 2012.

 
Information Source:
Media
records from this breach used in our total: 0
June 21, 2013 North Lincoln Community Health Center Clinic
Lincoln City, Oregon
MED PHYS

1,000

An April 17 burglary resulted in the possible exposure of patient information.  Someone entered locked rooms and cabinets in order to take money.  No records or electronic devices were taken; however the room where client medical charts were stored was accessed.  Social Security numbers, health information, and other personal information may have been exposed.

 
Information Source:
PHIPrivacy.net
records from this breach used in our total: 1,000
Breach Total
816,324,756 RECORDS BREACHED
(Please see explanation about this total.)
from 4,517 DATA BREACHES made public since 2005

Pages

Showing 651-700 of 4517 results