Data Breaches

Breach Subtotal

Breach Type: HACK
Organization Type: all
Year(s) of Breach: 2017
Company or Organization: all
Date Made Public:
May 16, 2018
Company: Providence Saint John's Health Center
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500
For more information, see the security breach letter sent to the California Attorney General's Office.
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
Information Source:
Security Breach Letter
Date Made Public:
April 20, 2018
Company: Orbitz
Location:
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

Between Oct. 1, 201 and Dec. 22, 2017, Orbitz determined that an unauthorized third party may have accessed personal information stored on a third party business partner platform. Information affected including name, payment card number and expiration date, phone number, email address and physical and/or billing address. Certain hotel reservations made through Southwest.com, whih was powere dby orbitz, may have been affected.

 

Information Source:
Security Breach Letter
Date Made Public:
April 20, 2018
Company: W. W. Grainger, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

On April 10, 2018, Grainger as notified by [24]7.ai that [24]7.ai was involved in a cyber incident, during which time, credit card information of those conducting business with certain [24]7.ai clients, including Grainger, may have been accessed. Customers who used guest check out and manually entered credit card information on Grainger.com or its app were potentially affected. Information includes credit card numbers, security codes, card expiration dates, names and addresses.

Information Source:
Security Breach Letter
Date Made Public:
April 6, 2018
Company: Sears
Location: , Illinois
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
90,000

Department store chain Sears Holding Corp (SHLD.O) and Delta Air Lines Inc (DAL.N) said on Wednesday some of their customer payment information may have been exposed in a cyber security breach at software service provider [ 24]7.ai.

Department store chain Sears Holding Corp (SHLD.O) and Delta Air Lines Inc (DAL.N) said on Wednesday some of their customer payment information may have been exposed in a cyber security breach at software service provider [ 24]7.ai.
A Delta Air Lines flight is pushed put of its gate at the airport in Salt Lake City, Utah, U.S., January 12, 2018. REUTERS/Mike Blake

Sears said it was notified of the incident in mid-March and the incident led to unauthorized access to the credit card information of under 100,000 of its customers.

Technology firm [ 24]7.ai, which provides online support services for Delta, Sears and Kmart among other companies, found that a cyber security incident affected online customer payment information of its clients, it said.

The incident happened on or after Sept. 26, 2017 last year and was found and resolved on Oct. 12, the company said.

Information Source:
Media
Date Made Public:
April 6, 2018
Company: [24]7.ai.
Location: San Jose, California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
150,000

A payment card breach suffered by [24]7.ai. between September 26 and October 12, 2017, is impacting major firm, including Best Buy, After Delta Air Lines and Sears Holdings.

The intrusion occurred between September 26 and October 12, 2017.

“We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.” reads the advisory published by Delta Airline.

“No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”

Information Source:
Media
Date Made Public:
April 6, 2018
Company: Best Buy
Location:
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
1

After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai.

Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services. The retailer says it will contact impacted customers and provide free credit monitoring if needed.

Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

Information Source:
Media
Date Made Public:
February 27, 2018
Company: University of Virginia Health System
Location: Charlottesville, Virginia
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,882

"A laptop computer and other computing devices of a physician affiliated with the University of Virginia Health System allowed an unauthorized individual to see medical information that the physician was viewing on his devices.

The unauthorized access continued for about 18 months, and now, 1,882 patients are being notified and encouraged to review healthcare statements and call their insurer if there are charges for services they did not receive. . .

On December 23, 2017, the health system determined that the unauthorized third-party may have been able to view patient information from May 3, 2015 to December 27, 2016.

Compromised protected health information included patient names, diagnoses, treatments, addresses and dates of birth. Social Security numbers and financial information were not accessed."

 

Information Source:
Media
Date Made Public:
February 26, 2018
Company: Southern National Bancorp of Virginia, Inc. d/b/a/ Sonabank
Location: Glen Allen, Virginia
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
24,999

Southern National Bancorp of Virginia suffered a breach affecting 24,999 records, including social security numbers, driver's license number or non-driver identification card numbers, as well as financial account numbers or credit card numbers, in combination with the security code, access code, password or PIN for the account. 

Information Source:
Security Breach Letter
Date Made Public:
February 16, 2018
Company: Jemison Internal Medicine, PC
Location: Jemison, Alabama
Type of breach:
HACK
Type of organization:
MED
Records Breached:
6,550

Recently, Jemison's computer system was infected by a ransomware virus that encrypted its electronic medical records system containing its patient's medical records. The ransomware demanded monetary payment from JIM in order to decrypt the files and allow the practice to regain access to them. JIM did not pay the ransom to the cyber criminals, but was instead able to restore its files and the functionality of its system through backup records. Subsequent scans of JIM's system show no further sign of the ransomware, and its investigation does not show any indication that the ransomware exfiltrated any data off its system. However, through its investigation of the incident, JIM discovered that its computer system previously had been accessed without its knowledge by unauthorized individuals not affiliated with JIM between September and December 2017. JIM is not able to confirm which, if any, files or patient information were accessed by these unauthorized individuals, but it is possible that they could have accessed JIM's electronic medical records system containing patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver's license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information. Although JIM is unable to confirm that any personally identifying information or patient health information was accessed by unauthorized individuals, out of an abundance of caution and because of its commitment to data security and privacy, JIM is notifying all of its patients about the incident in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Information Source:
Security Breach Letter
Date Made Public:
February 15, 2018
Company: Hobe & Lucas Certified Public Accountants, Inc.
Location: Independence, Ohio
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
91

On November 17, 2017, Hobe & Lucas discovered that an unknown individual gained access to an employee's email account. Hobe & Lucas quickly responded by taking action to prevent any further access, and immediately conducted an investigation to determine what information was potentially accessible during the intrusion. It is possible that potentially accessible email correspondence contained clients' personal information, including their name, address and Social Security number.

Information Source:
Security Breach Letter
Date Made Public:
February 14, 2018
Company: Flexible Benefit Service Corporation
Location: Chicago, Illinois
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
19,438

Flexible Benefit Service Corporation suffered a breach which affected 19438 records, including Medical Information and SSN.

Information Source:
Security Breach Letter
Date Made Public:
February 14, 2018
Company: AHM, Inc. on behalf of the Staybridge Suites Lexington & Holiday Inn Express New Buffalo
Location: Cheboygan, Michigan
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
244

AHM, Inc. on behalf of the Staybridge Suites Lexington & Holiday Inn Express New Buffalo suffered a breach that affected 344 records, which included Account # and CC/DC account information.

Information Source:
Security Breach Letter
Date Made Public:
February 13, 2018
Company: Mindlance, Inc.
Location: Union, New Jersey
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
3,085

On 12/28/2017, Mindlance, Inc. suffered a system breach (hack) that affected 3085 records, including SS numbers and names. 

Information Source:
Security Breach Letter
Date Made Public:
February 9, 2018
Company: Inspire Homes Loans, Inc.
Location: Irvine, California
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
5,403

On December 14, 2017, our client, Inspire Home Loans Inc, learned that a small number of customers had received fraudulent emails that appeared to come from email addresses associated with Inspire and their affiliated entities. Inspire immediately commenced an investigation, reset all email account passwords, and engaged a professional forensic security firm to determine whether employee email accounts had been accessed without authorization. Inspire has determined that messages in the employee's email account may have contained personal information for North Carolina residents, including their name, address, and Social Security number. Even though its investigation is still on-going, Inspire will begin notifying seventeen (17) North Carolina residents by U.S. Mail in accordance with North Carolina law in substantially the same form as the document enclosed herewith. Inspire is also offering the affected individuals a complimentary one year membership in credit monitoring and identity theft protection services through Experian and has provided a dedicated phone number to answer any questions that individuals may have regarding the incident.

Information Source:
Security Breach Letter
Date Made Public:
February 9, 2018
Company: Driscoll's, Inc.
Location: Watsonville, California
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
1,530

Driscoll's Inc., suffered a data breach that affected 1530 records, including SSN data. 

Information Source:
Security Breach Letter
Date Made Public:
February 9, 2018
Company: Connecticut Airport Authority
Location: Windsor Locks, Connecticut
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
144

Connecticut Airport Authority suffered a data breach of 144 records which included Driver's Licenses.

Information Source:
Security Breach Letter
Date Made Public:
February 8, 2018
Company: TrueNet Communications
Location: Jacksonville, Florida
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
161

TrueNet Communications discovered on December 19, 2017 that an unauthorized third party gained access to a TrueNet employee's email credentials and redirected certain emails, which allowed the authorized third party to access the emails. They determined on January 15, 2018 that certain of these emails contained employee and contractor information.

Information Source:
Security Breach Letter
Date Made Public:
February 7, 2018
Company: Nevro
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

 Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored. Nevro has no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about individual customer treatment relationships with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise customers of these equipment thefts.

What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider. Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device.

Information Source:
Security Breach Letter
Date Made Public:
February 7, 2018
Company: XOS Technologies d/b/a XOS Digital, Inc.
Location: Wilmington, Massachusetts
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
10

In 2017 XOS Technologies d/b/a XOS Digital, Inc. suffered a data breach affecting 10 records incl. account user names and passwords

Information Source:
Security Breach Letter
Date Made Public:
February 5, 2018
Company: 1st Mariner Bank
Location: Baltimore, Maryland
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
1,500

1st Mariner Bank experienced a phishing attack that resulted in the exposure of the records of 1500 persons. Information exposed included Social Security Numbers, as well as names in combination with credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
February 2, 2018
Company: Ron's Pharmacy Services
Location: San Diego, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. Ron’s Pharmacy immediately changed the employee’s credentials and commenced an investigation, with the assistance of third-party forensic investigators, to determine what happened. As part of this investigation, determined that the employee’s email account was subject to unauthorized access and certain emails were viewed as a result of the unauthorized individual(s) using software to crack the employee’s email account password. On December 21, 2017, as part of Ron’s Pharmacy’s ongoing investigation, it was determined that the following information relating was accessed:  names,  internal account numbers at Ron’s Pharmacy, prescription medication information, and payment adjustment information, which relates to credits made to accounts. Importantly, no Social Security, health insurance, or financial account information was accessed.

Information Source:
Date Made Public:
February 2, 2018
Company: Advanced-Online
Location: , California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
500

Advanced-Online learned on January 3, 2018 that certain personal information housed on the company’s online platform may have been subject to unauthorized access. The date range for the incident appears to be April 29, 2017 until January 12, 2018. Upon becoming aware of the potential unauthorized access, Advanced-Online promptly engaged a nationally recognized cybersecurity and forensics firm to assess and address the situation.

WHAT INFORMATION WAS INVOLVED? Advanced-Online and our cybersecurity and forensics firm believe that the following categories of information may have been compromised: name, address, username/email address, password, and payment card information (account number, expiration date, CVV number).

Information Source:
Date Made Public:
February 2, 2018
Company: Advanced Graphic Products, Inc. /dba/ "Advanced-Online"
Location: Coppell, Texas
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
22,182

"Advanced-Online", or Advanced graphic Products, Inc., experienced a data breach exposing 22,182 records. According to the breach notification form sent to the Indiana Office of Attorney General, "Advanced-Online learned on January 3, 2018 that certain personal information housed on the company's online platform  may have been subject to unauthorized access. The date range for the incident appears to be April 29, 2017until January 12, 2018."

Information Source:
Security Breach Letter
Date Made Public:
February 1, 2018
Company: Department of Homeland Security
Location: , District Of Columbia
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
246,167

A data breach at the Department of Homeland Security has exposed the personal information of more than 240,000 current and former DHS employees, such as their social security numbers, dates of birth, positions, grades, and duty stations, the agency saidOn January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System.  The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized transfer of data.

What we know: The department said the breach was not carried out as part of a "cyber-attack by external actors." Instead, the data was discovered in the possession of a former employee of the agency's Office of Inspector General during an ongoing criminal investigation last May

Go deeper with the department's full memo.

 

Information Source:
Government Agency
Date Made Public:
February 1, 2018
Company: Ventiv Technology, Inc.
Location: Atlanta, Georgia
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
239

Ventiv Technology, Inc. experienced a phishing attack and exposed the records of 239 individuals. The breach occurred from 10/14/17 until 12/5/17, was discovered on 1/5/18 and Ventiv began notifying consumers on 2/1/2018. Information that was exposed included Social Security numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Goldleaf Partners Services, Inc.
Location: Bloomington, Minnesota
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
6,020

On 10/31/2017 Goldleaf Partners Services, Inc. suffered a hack that affected 6020 records, including Social Security numbers as well as names and credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Member First Mortgage, LLC
Location: Grand Rapids, Michigan
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
36,840

On 11/25/2017 Member First Mortgage, LLC, experienced an unauthorized access to their internal systems exposing 36840 records, including Social Security numbers as well as names and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 26, 2018
Company: Pentair Aquatic Eco Systems, Inc.
Location: Apopka, Florida
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
239

Pentair Aquatic Eco Systems, Inc., suffered a hack on 12/19/2017 that resulted in the exposure of 239 records, which included names, credit card or financial account information and debit card numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 25, 2018
Company: The National Registry of Emergency Medical Technicians
Location: Columbus, Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
843

On 11/17/2017 The National Registry of Emergency Medical Technicians suffered a hack affecting 843 records, including first and last names, address information ,and Social Security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 23, 2018
Company: Revolution Partners, LLC
Location: Memphis, Tennessee
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
228

On December 14, 2017, our client, Revolution Partners, discovered that an unauthorized individual may have gained access to an employee's email account. When Revolution Partners learned of this, they immediately reset all email account passwords and began an investigation to determine the scope of the incident. Revolution Partners also hired an outside forensic investigation firm to assist in their investigation. Revolution Partners submits this notice after learning that some of the potentially accessed email messages contained the name, address, and Social Security number for two (2) North Carolina residents. Revolution Partners began notifying individuals by U.S. Mail on January 22, 2018 in accordance with North Carolina law in substantially the same form as the document enclosed herewith. Revolution Partners is also offering affected individuals one year of identity theft protection services through Experian has provided a dedicated phone number to answer any questions that individuals may have regarding the incident.

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: Tx: Team Rehab, Inc.
Location: Indianapolis, Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
56

Tx:Team suffered a hack on 10/30/2017 that affected 6 records, including SS numbers as well as names and credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: The Coca-Cola Company
Location: Atlanta, Georgia
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
2,181

In July, 2017, The Coca-Cola company suffered a phishing attack that resulted in the exposure of 2181 records, which included social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: National Stores, Inc.
Location: Street Gardena, California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
609,064

On December 22, 2017, National Stores received an alert that its point-of-sale systems were affected by malware, and that customer payment card information may have been accessed without authorization. National Stores immediately launched an investigation and engaged digital cybersecurity firms to assist with the investigation. National Stores also contacted the Federal Bureau of Investigation and payment card brands to prevent fraudulent activity on payment cards that may have been affected. The affected payment card holders have not yet been identified, although National Stores is diligently attempting to do so. Additional Information on this security breach is provided by the Office of the Indiana Attorney General.

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Questar Assessment
Location: Apple Valley, Minnesota
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
52

A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday.

Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores.

Information Source:
Media
Date Made Public:
January 19, 2018
Company: OnePlus
Location: Shenzhen, Guangdong
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
40,000

OnePlus has confirmed that up to 40,000 customers have been affected by a credit card breach, in the latest embarrassing misstep for the Chinese handset maker. The news comes several days after OnePlus shut down credit card processing following complaints from customers about fraudulent charges landing on their cards after they bought products through OnePlus’s online store.

OnePlus offered an explanation of what had happened on its website.

“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

The affected users entered their card information on OnePlus’s store between mid-November and January. Customers who made purchases with a saved card “should not” be affected, OnePlus said. The same goes for ones who paid with PayPal or credit card via PayPal. Affected users will be offered a year of credit monitoring.

Information Source:
Media
Date Made Public:
January 19, 2018
Company: Idaho Transportation Department
Location: , Idaho
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
8

On Jan. 2, 2018, the Idaho Transportation Department's Cyber Security Unit discovered an internal email account was compromised through a phishing attack. The Division of Motor Vehicles employee account was accessible from Nov. 11, 2017 through Dec. 7, 2017. The email account contained personal identifiable and payment card information for eight individuals. 

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.
Location: Rockville, Maryland
Type of breach:
HACK
Type of organization:
NGO
Records Breached:
9,769

On 16/21/2017 Westminster Ingleside suffered a hack that affected 9769 records, including SS numbers, names, and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Securadyne Systems LLC
Location: Dallas, Texas
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
112

On or about September 12, 2017, Securadyne discovered that it had become the target of a phishing email campaign and that several employees had clicked on the phishing email and entered their credentials. Securadyne immediately took steps to secure the employees' email accounts and launched an in-depth investigation to determine whether any sensitive information was accessed or acquired. Securadyne subsequently determined, with the help of outside computer forensic investigators, that an unknown actor had gained access to the Securadyne employees' email accounts. On November 7, 2017, Securadyne determined, after a lengthy programmatic and manual review of the contents of the email accounts, the types of protected information contained in the email accounts and to which individuals the information relates, and immediately launched a review of its files to ascertain address information for the impacted individuals.

Information Source:
Security Breach Letter
Date Made Public:
January 18, 2018
Company: University of Idaho
Location: Moscow, Idaho
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
257

The university detected that one of their accounts was being used to send phishing email. An investigation determined that the employees email messages contained personal information for 257 individuals. Information included names, addresses and social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 17, 2018
Company: Valley of the Sun YMCA
Location: Phoenix, Arizona
Type of breach:
HACK
Type of organization:
NGO
Records Breached:
2,649

On 9/21/2017 Valley of the Sun YMCA suffered a system breach (hack) that affected 2649 records, which included names as well as credit card or financial account information.

Information Source:
Security Breach Letter
CSV