Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2018
Company or Organization: all
Date Made Public:
May 31, 2018
Company: Dignity Health
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
55,947

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 31, 2018
Company: The University of Texas MD Anderson Cancer Center
Location: Texas
Type of breach:
DISC
Type of organization:
EDU
Records Breached:
1,266

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 30, 2018
Company: Dino-Peds
Location: Colorado
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,357

Location of breached information: Electronic Medical Record

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 29, 2018
Company: Aflac
Location: Georgia
Type of breach:
HACK
Type of organization:
MED
Records Breached:
10,396

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 25, 2018
Company: The Trustees of Purdue University
Location: Indiana
Type of breach:
HACK
Type of organization:
EDU
Records Breached:
1,711

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 25, 2018
Company: Care Partners Hospice and Palliative Care
Location: Oregon
Type of breach:
HACK
Type of organization:
MED
Records Breached:
600

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 25, 2018
Company: Aultman Hospital
Location: Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
42,625

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 25, 2018
Company: BioIQ Inc.
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
4,059

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 24, 2018
Company: T-Mobile
Location:
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
74,000,000

ZDNet's Zack Whittaker reports:

"A bug in T-Mobile's website let anyone access the personal account details of any customer with just their cell phone number.

The flaw, since fixed, could have been exploited by anyone who knew where to look -- a little-known T-Mobile subdomain that staff use as a customer care portal to access the company's internal tools. The subdomain -- promotool.t-mobile.com, which can be easily found on search engines -- contained a hidden API that would return T-Mobile customer data simply by adding the customer's cell phone number to the end of the web address.

. . . .

The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

The data also included references to account PINs used by customers as a security question when contacting phone support."

T-Mobile had 74 million customers. Though it is unknown how many records were stolen or inappropriately accessed, reportedly all 74 million customers' records were inappropriately exposed.

Information Source:
Media
Date Made Public:
May 23, 2018
Company: California Department of Public Health
Location: California
Type of breach:
PHYS
Type of organization:
GOV
Records Breached:
500

The vehicle of a CDPH contractor who performs health facilities inspections on behalf of the department was broken into, and some documents and a laptop were stolen. Information on the laptop included first and last name, date of birth, Social Security number, address, diagnoses and other health information, health insurance information and demographic information.


** Disclaimer: ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.

Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents. 

If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record. 

Information Source:
Security Breach Letter
Date Made Public:
May 22, 2018
Company: Golden 1 Credit Union
Location: California
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
500
 
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
 
Information Source:
Security Breach Letter
Date Made Public:
May 22, 2018
Company: MSK Group
Location: Tennessee
Type of breach:
HACK
Type of organization:
MED
Records Breached:
566,236

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 22, 2018
Company: Muir Medical Group, IPA, Inc.
Location: California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
5,485

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 21, 2018
Company: Echo Canyon Healthcare, Incorporated dba Heritage Court Post Acute of Scottsdale
Location: Arizona
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,765

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 21, 2018
Company: Elmcroft Senior Living, Inc.
Location: Texas
Type of breach:
HACK
Type of organization:
MED
Records Breached:
10,000

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 20, 2018
Company: TeenSafe
Location: Los Angeles, California
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
10,200

ZDNet's Zack Whittaker reports:

At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children.

The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed.

Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn't require parents to obtain the consent of their children.

But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

. . . .

The database stores the parent's email address associated with TeenSafe, as well as their corresponding child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

None of the records contained content data, such as photos or messages, or the locations of either parents or children.

The data also contained error messages associated with a failed account action, such as if a parent looking up a child's real-time location didn't complete.

Shortly before the server went offline, there were at least 10,200 records from the past three months containing customers data -- but some are duplicates.

TeenSafe claims to have over a million parents using the service.


Information Source:
Media
Date Made Public:
May 18, 2018
Company: Holland Eye Surgery and Laser Center
Location: Michigan
Type of breach:
HACK
Type of organization:
MED
Records Breached:
42,200

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 18, 2018
Company: Associates in Psychiatry and Psychology
Location: Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
6,546

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 18, 2018
Company: Bombas, LLC
Location: California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
41,000

Bombas sells socks online using an outside vendor to develop and manage their website and a third party e-commerce platform for purchases. Malware in the code of the e-commerce platform was identified and initially removed from their website on January 15, 2015, and then finally removed on February 9, 2015. They cannot determine which transactions were impacted, and are sending notice to all of the approximately 41,000 customers who made a credit card purchase on the website during the period the malware may have existed, essentially from the date of launch of the website, September 1, 2013, until the day the identified malware was finally removed.

What Information was Involved? The data accessed may have included personal information such as name, address, and credit card information.

Information Source:
Security Breach Letter
Date Made Public:
May 18, 2018
Company: UT Physicians
Location: Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,793

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 17, 2018
Company: Hancock County Board of Developmental Disabilities
Location: Ohio
Type of breach:
DISC
Type of organization:
MED
Records Breached:
607

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 17, 2018
Company: Black Phoenix, Inc
Location: California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
500
See security breach letter for more information.
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
Information Source:
Security Breach Letter
Date Made Public:
May 17, 2018
Company: 211 LA County
Location: Los Angeles, California
Type of breach:
DISC
Type of organization:
NGO
Records Breached:
3,500,000

Los Angeles Times reports:

The nonprofit organization that operates Los Angeles County's social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.

UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse.

. . . .

It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county's 211 hotline.

. . . . .

Chris Vickery, director of UpGuard's cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server.

The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016.

In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. The firm provided The Times with screen shots of redacted records to document its discovery.

Information Source:
Media
Date Made Public:
May 15, 2018
Company: LifeBridge Health, Inc
Location: Maryland
Type of breach:
HACK
Type of organization:
MED
Records Breached:
538,127

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 14, 2018
Company: OrthoWest, Ltd.
Location: Ohio
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,300

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 11, 2018
Company: New York City Human Resources Administration/Department of Social Services
Location: New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,078

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 11, 2018
Company: Capitol Administrators, Inc
Location: California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,733

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 10, 2018
Company: Dignity Health St. Rose Dominican Hospitals - San Martin
Location: Nevada
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,764

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 10, 2018
Company: Dignity Health St. Rose Dominican Hospitals - Siena
Location: Nevada
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,098

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 10, 2018
Company: Dignity Health St. Rose Dominican Hospitals-DeLIma
Location: Nevada
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,174

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 9, 2018
Company: Dollar Shave Club, Inc.
Location: California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
0

On March 21, 2018, Dollar Shave Club Inc.'s tech team identified attempts by a third party system using email and password combinations obtained elsewhere (not from Dollar Shave Club) to log in to certain Dollar Shave Club customers’ e-commerce accounts. This incident involved the email address and password combinations (obtained through some other source, not Dollar Shave Club) that were then used to access a Dollar Shave Club online account, which allows someone to view the information in an account, including name, address, and the last four digits of the payment card on file (if you’ve provided that information). Based on its investigation, Dollar Shave Club has no reason to believe that any Dollar Shave Club additional systems, accounts, personal information or financial information were affected.

Information Source:
Security Breach Letter
Date Made Public:
May 9, 2018
Company: Cambridge Dental Consulting Group
Location: Nevada
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,758

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 9, 2018
Company: Boys Town National Research Hospital
Location: Nebraska
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,182

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 8, 2018
Company: USACS Management Group, Ltd.
Location: Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
15,552

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 8, 2018
Company: The Oregon Clinic, P.C. (“The Oregon Clinic”)
Location: Oregon
Type of breach:
HACK
Type of organization:
MED
Records Breached:
64,487

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 8, 2018
Company: Cerebral Palsy Research Foundation of Kansas, Inc.
Location: Kansas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
8,300

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 7, 2018
Company: Baptist Health
Location: Arkansas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,453

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 4, 2018
Company: baystate family dental inc
Location: Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
500

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 4, 2018
Company: Baystate Family Dental, Inc.
Location: Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
500

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
May 3, 2018
Company: Florida Hospital
Location: Florida
Type of breach:
HACK
Type of organization:
MED
Records Breached:
12,724

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services