Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2018
Company or Organization: all
Date Made Public:
June 26, 2018
Company: Community Cancer Center
Location: Illinois
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

Location of breached information: Desktop Computer, Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 25, 2018
Company: University of Michigan/Michigan Medicine
Location: Ann Arbor, Michigan
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
871

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 25, 2018
Company: Progressions Behavioral Health Services, Inc.
Location: Pennsylvania
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,303

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 25, 2018
Company: San Francisco Department of Public Health
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
900

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 22, 2018
Company: InfuSystem, Inc.
Location: Michigan
Type of breach:
HACK
Type of organization:
MED
Records Breached:
3,882

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 22, 2018
Company: VA Long Beach Healthcare System
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,030

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 22, 2018
Company: PDQ Restaurants
Location: Tampa, Florida
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
0

According to PDQ, "We have been the target of a cyber-attack. An unauthorized person (hacker) exploited part of our computer related system and accessed and or acquired personal information from some of our customers. We believe the attacker gained entry through an outside technology vendor’s remote connection tool. Based on an investigation, the unauthorized access and or acquisition occurred from May 19, 2017 – April 20, 2018 (breach time period). We learned on June 8, 2018 that credit card information and or some names may have been hacked.

All PDQ locations in operation during some or all of the breach time period, May 19, 2017 – April 20, 2018, were affected. However, the following locations were not affected: Tampa International Airport location at 4100 George J Bean Pkwy, Tampa, FL 33607, Amalie Arena location at 401 Channelside Drive, Tampa, FL 33602, and PNC Arena location at 1400 Edwards Mill Road, Raleigh, NC 27607.

The information accessed and or acquired included some or all of the following: names, credit card numbers, expiration dates, and cardholder verification value. However, it should be noted that the cardholder verification value that may have been accessed or acquired is not the same as the security code printed on the back of certain payment cards (e.g., Discover, MasterCard, and Visa) or printed on the front of other payment cards (e.g., American Express). Based on the nature of the breach, it was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during the breach time period."

Information Source:
Media
Date Made Public:
June 19, 2018
Company: Peter J Parker, M.D., Inc.
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
628

Location of breached information: Electronic Medical Record

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 19, 2018
Company: Family Healthcare of Lake Norman
Location: North Carolina
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 16, 2018
Company: David S. Ng, O.D.
Location: California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
758

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 15, 2018
Company: Dean Health Plan
Location: Wisconsin
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,311

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 15, 2018
Company: New Jersey Department of Human Services
Location: New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,263

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 15, 2018
Company: CHRISTUS Spohn Hospital Corpus Christi-Shoreline
Location: Texas
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,805

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 14, 2018
Company: Gwenn S Robinson MD
Location: New Mexico
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,500

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 14, 2018
Company: Med Associates, Inc.
Location: New York
Type of breach:
HACK
Type of organization:
MED
Records Breached:
276,057

Location of breached information: Desktop Computer

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 13, 2018
Company: Black River Medical Center
Location: Missouri
Type of breach:
HACK
Type of organization:
MED
Records Breached:
13,443

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 13, 2018
Company: WellCare Health Plans, Inc.
Location: Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,101

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 13, 2018
Company: Kelley Imaging Systems
Location: Washington
Type of breach:
HACK
Type of organization:
MED
Records Breached:
627

Location of breached information: Desktop Computer, Electronic Medical Record, Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 12, 2018
Company: Ticketfly
Location: San Francisco, California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
27,000,000

Ticketfly was the target of a malicious cyber attack, and user information (names, addresses, email addresses and phone numbers) connected to approximately 27 million Ticketfly accounts was accessed. Third-party forensic cybersecurity experts can now confirm that credit and debit card information was not accessed.

Information Source:
Media
Date Made Public:
June 12, 2018
Company: PageUp
Location:
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
2,000,000

TechRadar reports:

PageUp, an Australia-based software company, has revealed that its IT systems were breached in late May of this year, potentially compromising the personal data of over two million customers worldwide.

The company is responsible for producing cloud-based HR software for recruitment companies across 190 countries, including the US, UK, Australia and Singapore, which is used to manage employment within many major companies.

While the full extent of the breach is yet to be revealed, data such as bank details, personal information and Australian tax file numbers was stored on the IT system that experienced the malware.

 

PageUp is an Australian company, but multiple colleges and universities in the United States use PageUp for their recruitment and onboarding software. According to PageUp's Testimonials page, these include Swarthmore College, University of Wisconsin Oshkosh, Mississippi State University, University of Massachusetts, Kansas State, Bucknell University, Colorado School of Mines, and Rollins College.

Information Source:
Media
Date Made Public:
June 12, 2018
Company: Terros Health
Location: Phoenix, Arizona
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,600

ABC15 Arizona reports:

Officials with Terros Health say a data breach has possibly compromised personal information of more than one thousand of its patients.

In a news release Friday, June 8, the company says it mailed letters to 1,600 people whose information may have been accessed by an unauthorized third party.

Patients' name, date of birth, physical and email address, diagnosis, medical records number and "other protected health information" may have been exposed.

Nearly all of those potentially impacted by the breach received treatment at the clinic near 23rd and Dunlap avenues in Phoenix. Additionally, the company said 1,241 of the 1,600 patients may have only had their name and birthday disclosed.

Information Source:
Media
Date Made Public:
June 12, 2018
Company: Nuance Communications
Location: California
Type of breach:
INSD
Type of organization:
BSO
Records Breached:
45,000

Bank Info Security reports:

Nuance Communications, which specializes in speech recognition software, says an unauthorized third party accessed one of its medical transcription platforms, exposing 45,000 individuals' records.

So far, it appears only one of its customers, the San Francisco Department of Health, has reached out to affected patients.

. . . .

Breach victims include patients who visited Zuckerberg San Francisco General Hospital and Laguna Honda Hospital. The health department says in a news release that it delayed notifying patients at the request of the FBI and Justice Department, which have been investigating the breach.

Their investigation "determined that a former Nuance employee breached Nuance's servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health," the department says.

 

Information Source:
Media
Date Made Public:
June 12, 2018
Company: Facebook, Inc.
Location: San Francisco, California
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
3,000,000

New Scientist reports:

Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.

Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.

The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously, however such poor precautions were taken that deanonymising would not be hard.

. . . .

Facebook suspended myPersonality from its platform on 7 April saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared.

More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. The terms allow the myPersonality team to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user”.

To get access to the full data set people had to register as a collaborator to the project. More than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo.

. . . .

For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute.

The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data.

The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.

. . . .

Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymising the data can be done very easily. “You could re-identify someone online from a status update, gender and date,” says Dixon.

Information Source:
Media
Date Made Public:
June 12, 2018
Company: University at Buffalo
Location: Buffalo, New York
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
2,500

WIVB4 is reporting:

University at Buffalo leaders, along with their security team, are investigating a data breach of external third-party accounts. 

They say it's affected more than 25-hundred accounts campus wide. About 18-hundred of those are student accounts.

. . .

Affected accounts:

28 faculty and staff accounts

862 alumni accounts

1,800 student accounts

Information Source:
Media
Date Made Public:
June 12, 2018
Company: HealthEquity, Inc.
Location: Utah
Type of breach:
HACK
Type of organization:
MED
Records Breached:
16,000

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 11, 2018
Company: Denise M. Bowden, LAc
Location: California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
538

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 10, 2018
Company: Healthland Inc.
Location: Minnesota
Type of breach:
DISC
Type of organization:
MED
Records Breached:
614

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 8, 2018
Company: New England Baptist Health
Location: Massachusetts
Type of breach:
DISC
Type of organization:
MED
Records Breached:
7,582

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 8, 2018
Company: Massac County Surgery Center dba Orthopaedic Institute Surgery Center
Location: Illinois
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,000

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 7, 2018
Company: RISE Wisconsin, Inc.
Location: Wisconsin
Type of breach:
HACK
Type of organization:
MED
Records Breached:
3,731

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 7, 2018
Company: Benefit Outsourcing Solutions
Location: Michigan
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,144

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 5, 2018
Company: Terros Incorporated
Location: Arizona
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,618

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 4, 2018
Company: MyHeritage
Location:
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
92,283,900

According to MyHeritage's statement, published on June 4, 2018:

[On] June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.

Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach.

. . .

We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

Information Source:
Media
Date Made Public:
June 2, 2018
Company: University of Utah Health
Location: Utah
Type of breach:
PHYS
Type of organization:
EDU
Records Breached:
607

Location of breached information: Laptop, Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 1, 2018
Company: Worldwide Services Insurance Agency, LLC
Location:
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500
Worldwide Services Insurance Agency, LLC determined that an unauthorized party obtained credentials to two employees’ email accounts through a phishing email scheme. Their investigation determined that unauthorized access to those email accounts could have occurred between the dates of October 11, 2017 and October 13, 2017. As a result, the unauthorized party may have viewed or accessed emails in one employee’s email account that contained information provided to them in connection with your international health insurance plan.
 
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
Information Source:
Security Breach Letter
Date Made Public:
June 1, 2018
Company: Farmgirl Flowers, Inc.
Location: California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
1,870
For more information, see the security breach letter submitted to the California Attorney General.
Information Source:
Security Breach Letter
Date Made Public:
June 1, 2018
Company: PumpUp, Inc.
Location: Ontario
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
6,000,000

ZDNet's Zach Whittaker reports:

"A popular fitness app that claims over six million users was leaking private and sensitive data, including health information and private messages sent between users.

PumpUp, an Ontario-based company, bills itself as a fitness community, allowing subscribers to discover new workouts and record their results, and get advice from fitness coaches and other users.

But the company left a core backend server, hosted on Amazon's cloud, exposed without a password, allowing anyone to see who was signing on and who was sending messages -- and their contents -- in real-time.

. . .

Each time a user sent a message to another user, the app exposed user profile data -- and the private contents of that message.

The exposed data included email addresses, dates of birth, gender, and the city or town of the user's location and timezone. The data also included the user's app bio, workout and activity goals, and users' full resolution profile photos, who a user has blocked, and if the user has rated the app.

The app also exposed user-submitted health information -- such as height, weight, and other data points, like caffeine and alcohol consumption, smoking frequency, health concerns, medications, and injuries.

Also included in the exposed data was device data, such as iOS and Android advertiser identifiers, users' IP addresses, and session tokens for the app which could be used to gain access to a user's account without needing their password.

Users who signed in using Facebook also had their access tokens exposed, putting their Facebook account at risk.

In some cases, we also found unencrypted credit card data -- including card numbers, expiry dates, and card verification values."

Information Source:
Media
Date Made Public:
June 1, 2018
Company: Capitol Anesthesiology Association
Location: Texas
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,231

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
June 1, 2018
Company: Florida Agency for Persons with Disabilities
Location: Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,951

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
June 1, 2018
Company: SimplyWell
Location: Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
597

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services