Data Breaches

Breach Subtotal

Breach Type: CARD, HACK, INSD, PHYS, PORT, STAT, DISC, UNKN
Organization Type: EDU
Year(s) of Breach: 2017
Company or Organization: all
Date Made Public:
June 15, 2018
Company: Central christian college of kansas
Location: McPherson, Kansas
Type of breach:
UNKN
Type of organization:
EDU
Records Breached:
631

Information on this security breach is provided by the Office of the Indiana Attorney General

Information Source:
Indiana Attorney General
Date Made Public:
February 27, 2018
Company: University of Virginia Health System
Location: Charlottesville, Virginia
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,882

"A laptop computer and other computing devices of a physician affiliated with the University of Virginia Health System allowed an unauthorized individual to see medical information that the physician was viewing on his devices.

The unauthorized access continued for about 18 months, and now, 1,882 patients are being notified and encouraged to review healthcare statements and call their insurer if there are charges for services they did not receive. . .

On December 23, 2017, the health system determined that the unauthorized third-party may have been able to view patient information from May 3, 2015 to December 27, 2016.

Compromised protected health information included patient names, diagnoses, treatments, addresses and dates of birth. Social Security numbers and financial information were not accessed."

 

Information Source:
Media
Date Made Public:
February 8, 2018
Company: Riverside Unified School District
Location: Riverside, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1

On December 5, 2017, a San Diego County office of Education employee inadvertently sent an employee retirement contribution spreadsheet to San Diego County Office of Education's retirement contribution contacts at forty-four (44) school districts throughout Southern California. The impact likely affected 1 Idaho resident.

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: EASTCONN
Location: Hampton, Connecticut
Type of breach:
INSD
Type of organization:
EDU
Records Breached:
194

In Dec. 2017 EASTCONN suffered a data breach affecting 194 records, incl. Driver's license and SSN.

Information Source:
Security Breach Letter
Date Made Public:
January 19, 2018
Company: Questar Assessment
Location: Apple Valley, Minnesota
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
52

A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday.

Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores.

Information Source:
Media
Date Made Public:
January 18, 2018
Company: University of Idaho
Location: Moscow, Idaho
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
257

The university detected that one of their accounts was being used to send phishing email. An investigation determined that the employees email messages contained personal information for 257 individuals. Information included names, addresses and social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: Monticello Central School District
Location: Monticello, New York
Type of breach:
UNKN
Type of organization:
EDU
Records Breached:
2,598

Name or other personal identifier in combination with SSN for 2 Maine citizens breached.

Information Source:
Security Breach Letter
Date Made Public:
January 10, 2018
Company: Broward College
Location: Fort Lauderdale, Florida
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
44,000

On or about August 3, 2017, Broward College employees received a spam phishing email to their email accounts. The school learned that certain employees had clicked on the link and provided their credentials. Between July 18, 2017 and September 8 2017, Broward college determined that records were exposed including name, date of birth, address, social security number, financial account numbers, credit/debit card numbers, and/or driver's license or state identification card number. The breach affected 44,000 records.

Information Source:
Security Breach Letter
Date Made Public:
December 11, 2017
Company: University of South Florida, USF Health Care
Location: , Florida
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,279

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 4, 2017
Company: Stanford University
Location: Palo Alto, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
10,000

"A student staff member of the Stanford Daily discovered a data breach and reported it to campus privacy authorities on November 9. The student was able to access unidentified sexual assault reports which were being collected under the Clery Act from 2005 to 2012.

The data was stored on the Andrew Filed Sharing platform and was accessible to any AFS user, including those outside of Stanford, according to Stanford News.

While the University Privacy Office and the Graduate School of Business IT teams investigated the November 9 exposure, they discovered a file on November 21 which contained names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from an August 2008 snapshot. Confidential financial aid information for MBA students was accessible as well."

Information Source:
Media
Date Made Public:
December 4, 2017
Company: Rutgers University
Location: New Brunswick, New Jersey
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,700

"At Rutgers University, academic information for 1,700 students was exposed during a “data security” incident on November 8 and November 9, reports Tap into Plainfield.

University spokesman Neal Buccino says the affected students were in the Department of Computer Science and shared information included ID numbers, cumulative GPAs and class schedules. No Social Security numbers, addresses or financial information were leaked, according to Buccino.

The leak, blamed on an “administrative error”, was discovered when 18 students were able to access the data. The school notified the students who were able to view the information that the data was confidential."

Information Source:
Media
Date Made Public:
November 27, 2017
Company: University of Alabama at Birmingham
Location: , Alabama
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
652

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
November 17, 2017
Company: Academy of Art University
Location: San Francisco, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
0

"What Happened?

The Academy of Art University is committed to safeguarding the personal information of our employees. On November 8, 2017, an Academy employee mistakenly sent an internal e-mail with an attachment (subject of email: Reminder! 2017 Difference Card Reimbursement Claims), and one of the spreadsheet tabs included in the attachment contained your personal information. The file containing your personal information was originally on a working document that was stored in a secured drive. The employee needed the information contained on the working spreadsheet document to prepare the email distribution list. The employee failed to remove the spreadsheet attachment before the email was sent. The department has policies, procedures and training in place to prevent inadvertent disclosures, but the mistake still occurred as a result of human error. The Academy’s technical security measures, however, prevented this email from being forwarded from the Academy email system to external addresses. We are not aware of the email being sent to anyone other than Academy employees. The Academy has no reason to believe that any information about you has been misused, but nonetheless wants to make sure you are aware of the issue. Those that are not impacted are not receiving this notification.

What Information Was Involved?

The attachment to the e-mail contained several spreadsheet tabs, one of which listed your first name, last name, and Social Security number."

Information Source:
California Attorney General
Date Made Public:
November 17, 2017
Company: The Medical College of Wisconsin, Inc.
Location: , Wisconsin
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
9,500

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
November 14, 2017
Company: Bakersfield City School District
Location: Bakersfield, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
0

"What happened?

On November 9, 2017, at or about 4:24 p.m., the Board Docs Agenda was posted to the District’s website. In this agenda packet under the Certificated Human Resources Report, a report of certificated extra-time was inadvertently attached. It was confirmed that the personal information contained in this attachment included that of approximately 1,250 certificated employees and/or substitutes who worked extra-time. The error was identified at approximately 7:45 p.m. and immediately removed. The total time this information remained online was approximately three hours and twenty-one minutes.

What information was involved?

The individuals affected include certificated employees and certificated substitutes. The personal information potentially compromised includes their names and Social Security numbers."

Information Source:
California Attorney General
Date Made Public:
November 9, 2017
Company: Chapman University
Location: Orange, California
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
0
"WHAT HAPPENED
Last week an external hard drive went missing from Chapman University’s Harry and Diane Rinker Health Science Campus. The employee who was assigned the external drive had access to several University network drives. Chapman University cannot determine the actual contents of the missing external disk drive but it is treating the entire content of all drives that the assigned employee had access to as potential content on the missing external drive.
 
WHAT INFORMATION WAS INVOLVED
I regret to inform you that a copy of your W9 form was among the content found on the network drives that could have been accessed and downloaded to the external drive. While the content stored on the network drives themselves are secure, the unauthorized back up of these files onto an external disk drive may have put the files at risk of disclosure to
an unauthorized person when the external drive was taken."
Information Source:
California Attorney General
Date Made Public:
November 3, 2017
Company: Indiana University Health
Location: , Indiana
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
1,399

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
September 7, 2017
Company: University of Wisconsin - Madison
Location: , Wisconsin
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,000

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
August 17, 2017
Company: South Washington County School District
Location: Cottage Grove, Minnesota
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
9,600

"Personal information about thousands of students and their families was sent out in a mass back-to-school officials are calling "an inadvertent employee error"

In a statement issued Thursday, the district said the e-mails sent Wednesday by its transportation department were intended to provided bus information for the coming school year.  But also included was a document that revealed students' names, grades, student identification numbers, e-mail and mailing addresses, phone numbers, bus routes, pickup and drop-off times and locations, and schools of attendance."

 

Information Source:
Media
Date Made Public:
August 5, 2017
Company: UCLA
Location: Los Angeles, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
30,000

"More than 30,000 current and former UCLA students are being warned Saturday about a potential security breach.

The university said someone hacked into a server containing some students' personal data.


Officials don't believe the hacker obtained any sensitive information, though UCLA is offering one year of free identity-protection services to anyone affected."

Information Source:
Media
Date Made Public:
June 21, 2017
Company: Miami Dade County School District
Location: Miami, Florida
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
2

"Two former Miami-Dade students are suing the School Board after they found their Social Security numbers and test scores online along with the personal information of hundreds of other students.

The plaintiffs did a basic online search of their names and discovered that the information was posted on the Miami-Dade school district’s website, according to the lawsuit.

“The carelessness with how the district manages students’ private information needs to be addressed,” lawyer Stephanie Langer said in a statement. The students are asking for both monetary damages and an “overhaul” of school district policies on the protection of student information. "

Information Source:
Media
Date Made Public:
June 19, 2017
Company: Occidental College
Location: Los Angeles, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

"What Happened?

The college has reason to believe that on or around June 1, 2017, an unauthorized person may have gained access to a computer file containing a limited amount of personality identifiable information.  The college has conducted a thorough investigation into what happened.

What Information Was Involved

The file in question included names, Oxy ID numbers and associated encoded data that enables Oxy ID cards to function as on-campus debit cards.  The file did NOT include Social Security numbers, driver's license or other state-issued ID numbers, financial information (Such as credit card or banking information), or other sensitive personal data."

 

Information Source:
California Attorney General
Date Made Public:
June 14, 2017
Company: Oklahoma University
Location: Norman, Oklahoma
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
29,000

"The University of Oklahoma unintentionally exposed thousands of students’ educational records — including social security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law.

The university scrambled to safeguard the files late Tuesday after learning The OU Daily had discovered the breach last week. The Daily spoke to vice president for admissions and records Matt Hamilton Tuesday afternoon, when he said OU IT was aware of the breach and was working to secure the files.

OU press secretary Matt Epting provided the following statement late Tuesday night: “The IT Security team has found no evidence to confirm that there has been a breach by an outside party, and is investigating the scenario that enabled an individual to access the files the individual has claimed to download.”

At no point did The Daily suggest there had been an outside breach, but rather that lax security measures allowed email users more access to educational records than should have been allowed.

In just 30 of the hundreds of documents made publicly discoverable on Microsoft Office Delve, there were more than 29,000 instances in which students’ private information was made public to users within OU’s email system. Each instance could constitute a violation of the Family Educational Rights and Privacy Act, which gives students control over who can access their educational records."

Information Source:
Media
Date Made Public:
May 29, 2017
Company: Mallard Creek High School
Location: Charlotte , North Carolina
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
0

"A Channel 9 viewer said she warned Charlotte-Mecklenburg Schools’ officials after finding documents with students’ names, addresses and other personal information blowing in the wind.

But when Channel 9 arrived to the area near Johnston-Oehler Road in north Charlotte, the documents were still there. 

The unshredded documents are from Mallard Creek High School and contained disciplinary actions and names of students.

One woman, who didn't want to be identified, found the papers Friday morning and was shocked.

"My biggest concern was someone stealing a child's information and someone targeting that child," she said. "I was reading parents' information, notes from kids who were bringing doctor's notes to school."

Information Source:
Media
Date Made Public:
April 20, 2017
Company: Campbell Union High School District
Location: Campbell, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

"What Happened:

Sometime between 3/30/2017 and 4/6/2017 district computers were tampered with allowing unauthorized access to district file servers.

What Information Was Involved:

This matter was immediately and thoroughly investigated by Campbell Union High School District technology staff and results of that investigation have been shared with law enforcement.

Campbell Union High School District is committed to safeguarding your personal information and is taking immediate steps to enhance security measures.  Accordingly, Campbell Union High School District is reviewing and improving its processes for handling data, and we have reiterated to our staff the importance of carefully handling confidential information to protect your privacy."

 

 

Information Source:
California Attorney General
Date Made Public:
March 3, 2017
Company: The Center for Election Systems at Kennesaw State University
Location: Kennesaw, Georgia
Type of breach:
UNKN
Type of organization:
EDU
Records Breached:
7,500,000

"The Federal Bureau of Investigation is investigating an alleged data breach in Georgia at the Center for Election Systems at Kennesaw State University, The Atlanta Journal-Constitution has learned.

The situation is still developing, although the Secretary of State’s Office said Friday that the investigation is not related to its own network and is not a breach of its database containing the personal information on Georgia’s 6.6 million registered voters. The office referred all other questions to both university and federal officials.

In a statement released Friday afternoon, the university said it was “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems. Because this involves a pending criminal investigation, Kennesaw State will have no further comment on this matter and any inquiries should be addressed to the U.S. Attorney’s Office,” the statement said."

More Information: http://www.ajc.com/news/state--regional-govt--politics/fbi-investigating...

Information Source:
Media
Date Made Public:
March 2, 2017
Company: University California Santa Cruz
Location: Santa Cruz, California
Type of breach:
PORT
Type of organization:
EDU
Records Breached:
0

"What Happened?

On January 13, 2017, two unencrypted laptops were stolen from the home of a University of California, Santa Cruz (UC Santa Cruz) researcher/instructor. The theft was discovered the same day and a police report was filed, but at this time no items have been recovered.Our investigation confirmed that the stolen laptop contained copies of your UC Santa Cruz narrative evaluations. There is no indication that the student information was the intended target.

What Information Was Involved?

These UC Santa Cruz narrative evaluations dating from 2000 to 2004 contained personally identifiable information including your name and Social Security Number (SSN) (which was used as the Student ID number prior to 2005). In addition to SSN, student record information including grades, narrative evaluations and email addresses were on the stolen laptops.The data was not encrypted."

More Information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66636

Information Source:
California Attorney General
Date Made Public:
February 24, 2017
Company: Vanderbilt University Medical Center
Location: , Tennessee
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
3,247

Location of breached information: Electronic Medical Record

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
February 15, 2017
Company: Platt College
Location: Alhambra, California
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
0

What Happened?

A technical error caused Student's 1098T Tuition Statements to be addressed with another student's mailing address, and the Statements were inadvertently mailed to another student on January 113, 2017.

What Information Was Involved?

1098T Tuition Statements contain your first and last name, last four digits of your social security number, total amount billed for qualified tuition and related expenses for 2016 and any scholarships or grant totals for 2016."

Information Source:
California Attorney General
Date Made Public:
January 30, 2017
Company: Palomar College
Location: San Marcos, California
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
0

"What Happened

On January 19, 2017, we learned that an unauthorized individual may have accessed part of our network that contained IRS Form W-2s for some of our employees. Upon learning of this, we immediately began an investigation and contacted law enforcement.

What Information Was Involved

Our ongoing investigation has determined that the unauthorized individual may have accessed your IRS Form W-2. The information that could have been accessed included your name, address, and Social Security number."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66102

Information Source:
California Attorney General
CSV