Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2018
Company or Organization: all
Date Made Public:
May 1, 2018
Company: American Esoteric Laboratories
Location: , Alabama
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

A data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations.

American Esoteric Laboratories announced Friday that it had become aware of a "data security incident" that could impact patients' data security.

An AEL employee's company-issued laptop was stolen on Oct. 15, the company said in a press release. The laptop may have contained sensitive information about "some AEI patients and their payment guarantors," according to the company.

"Upon learning of the incident, AEL disabled the affected employee's email account, disabled the stolen laptop's access to its computer network, and reported the laptop theft to the local police," the press release stated.

An internal AEL investigation found that a wide range of personal information about patients may have been stored on the laptop, including "names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information."

The company has also set up a hotline people can call with any questions or concerns about the breach. The phone number is 888-285-9795.

AEL, which is based in Tennessee, has three locations in Alabama, one each in Birmingham, Montgomery and Prattville.

Information Source:
Media
Date Made Public:
April 30, 2018
Company: Worldwide Insurance Services, LLC
Location: , Pennsylvania
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,692

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 30, 2018
Company: Complete Family Medicine, LLC
Location: , Nebraska
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,331

Location of breached information: Laptop, Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 30, 2018
Company: Medical Center Ophthalmology Associates
Location: , Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,017

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: Billings Clinic
Location: , Montana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
949

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: Walgreen Co.
Location: , Illinois
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
703

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: Knoxville Heart Group, Inc.
Location: , Tennessee
Type of breach:
HACK
Type of organization:
MED
Records Breached:
15,995

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: MedWatch LLC
Location: , Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
40,621

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: Eye Care Surgery Center, Inc.
Location: , Louisiana
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,553

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 27, 2018
Company: Tiger Vision, LLC
Location: , Louisiana
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,553

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 26, 2018
Company: Carolina Digestive Health Associates, PA
Location: , North Carolina
Type of breach:
DISC
Type of organization:
MED
Records Breached:
10,988

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 26, 2018
Company: CareFirst BlueCross BlueShield
Location: , Maryland
Type of breach:
HACK
Type of organization:
MED
Records Breached:
6,200

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 26, 2018
Company: Illinois Department of Healthcare and Family Services
Location: , Illinois
Type of breach:
DISC
Type of organization:
MED
Records Breached:
8,000

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 24, 2018
Company: Scenic Bluffs Health Center Inc
Location: , Wisconsin
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,889

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 23, 2018
Company: Capital Digestive Care, Inc.
Location: , Maryland
Type of breach:
DISC
Type of organization:
MED
Records Breached:
17,639

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 20, 2018
Company: SunTrust Banks, Inc.
Location: Atlanta, Georgia
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
1,500,000

"SunTrust Banks Inc. said an employee may have stolen the information of about 1.5 million customers and provided it to a “criminal third party,” the latest example of a potential breach that underscores the vulnerability of consumers’ private data.

The Atlanta-based bank on Friday said the employee, who no longer works at SunTrust, attempted to access client information, although it has “not identified significant fraudulent activity” around the accounts involved."

Information Source:
Media
Date Made Public:
April 20, 2018
Company: UnityPoint Health
Location: West Des Moines, Iowa
Type of breach:
HACK
Type of organization:
MED
Records Breached:
16,000

UnityPoint Health confirmed that it's dealing with an information breach that impacted patients.

"After a detailed forensic investigation and document review, UnityPoint Health determined that protected health information was contained in impacted email accounts, including patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information." 

They said they are not aware of any fraud issues at this point, but they still want the people impacted to be aware of the problem. They are advising people to follow these steps:  

  • Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
  • Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
  • Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

The hospital has apologized to patients for this problem. 

If you want to learn if your information was compromised or you have questions, call 855-331-3612.

Information Source:
Media
Date Made Public:
April 20, 2018
Company: Riverside Medical Center
Location: , Illinois
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
501

Location of breached information: Desktop Computer, Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 20, 2018
Company: Capital District Physicians’ Health Plan
Location: , New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
839

Location of breached information: Paper/Films

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 20, 2018
Company: Michael Gruber DMD PA
Location: , New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
4,624

Location of breached information: Desktop Computer, Email, Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 20, 2018
Company: AccessLex Institute d/b/a Access Group
Location: , California
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
0

On March 28, 2018, AccessLex learned that on March 23, 2018, a vendor they use to help provide student loan processing services inadvertently sent a copy of certain loan files to another business that was not authorized to receive them. Shortly after they learned of the inadvertent file transfer, they contacted managers of the second business that received the files. The second business confirmed it had deleted the transferred files and agreed that the appropriate manager would sign a sworn statement confirming it had deleted the files and retained no copies. The information involved included names, driver’s license numbers, and Social Security numbers.

Information Source:
Security Breach Letter
Date Made Public:
April 18, 2018
Company: Localblox
Location: Bellevue, Washington
Type of breach:
DISC
Type of organization:
BSO
Records Breached:
47,000,000

Quoting the article that exposed this breach on ZDNet, "Localblox, a Bellevue, Wash.-based firm, says it 'automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks.' Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.

The bucket, labeled 'lbdumps,' contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together."

Information Source:
Media
Date Made Public:
April 18, 2018
Company: Center for Orthopaedic Specialists - Providence Medical Institute (PMI)
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
81,550

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 17, 2018
Company: Kansas Department for Aging and Disability Services
Location: , Kansas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
11,000

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 17, 2018
Company: Inogen, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
29,528

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 17, 2018
Company: MAXIMUS, Inc. / Business Ink, Co.
Location: , Virginia
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,029

Location of breached information: Paper/Films

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 16, 2018
Company: Iowa Health System d/b/a UnityPoint Health
Location: , Iowa
Type of breach:
HACK
Type of organization:
MED
Records Breached:
16,429

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 16, 2018
Company: Athens Heart Center, P.C.
Location: , Georgia
Type of breach:
HACK
Type of organization:
MED
Records Breached:
12,158

Location of breached information: Electronic Medical Record

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 16, 2018
Company: Cornerstone Foot & Ankle
Location: , New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
533

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 15, 2018
Company: Texas Health Resources
Location: Arlington, Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
4,000


Texas Health Resources says emails containing private patient information may have gotten into the hands of an unauthorized third party.

Officials with the Arlington-based healthcare corporation have mailed letters to the patients — fewer than 4,000 — who may have been affected and have established a call center to answer any questions patients might have, a spokesperson said.

Law enforcement personnel told Texas Health about the possible data breach in January but asked the company to not notify their patients or the public while they pursued their investigation, company officials said.

Texas Health was recently given the OK to speak openly about the investigation, which they said is part of a much larger investigation that's nationwide in scope. The Texas Health breach affected patients who received care primarily in October.

Information Source:
Media
Date Made Public:
April 13, 2018
Company: Texas Health Physicians Group
Location: , Texas
Type of breach:
HACK
Type of organization:
MED
Records Breached:
3,808

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 13, 2018
Company: California Physicians Service d/b/a Blue Shield of California
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,717

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 13, 2018
Company: ATI Holdings, LLC and its subsidiaries
Location: , Illinois
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,776

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 13, 2018
Company: MorshedEye, PLLC
Location: , Kentucky
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,100

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 13, 2018
Company: Pierre Fabre
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

On March 12, 2018, we discovered that information entered on some of our websites (aveneusa.com, renefurtererusa.com, kloraneusa.com, and glytone-usa.com (the “Websites”)) had been captured and potentially sent to unauthorized third parties. Any information entered on any of the Websites between February 20, 2018 and March 15, 2018 may have been exposed. Information affected included: name, credit or debit card information or other payment account information, phone number, email address, shipping address, billing address and/or Website account password.

Information Source:
Security Breach Letter
Date Made Public:
April 12, 2018
Company: Polk County Health Services, Inc
Location: , Iowa
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,071

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 12, 2018
Company: Mise En Place Restaurant Services, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
0

Mise en Place Restaurant Services, Inc. experienced a ransomware attack on March 15, 2018. Information exposed may include names, addresses and social security numbers of Mise en Place clients, employees or investors of Mise En Place clients.

Information Source:
Security Breach Letter
Date Made Public:
April 12, 2018
Company: Walker Advertising, LLC
Location: , California
Type of breach:
HACK
Type of organization:
BSO
Records Breached:
0

Two senior Walker employees' corporate email accounts were hacked between Jan 29, 2018 and Feb 22, 2018. At least one account was used to send phishing emails to solicit individuals to respond with access credentials to Walker's electronic information system. An investigation determined that personal information was exposed as a result of the attacks. Information included names, social security numbers, driver's license numbers, medical information and health insurance information.

Information Source:
Security Breach Letter
Date Made Public:
April 11, 2018
Company: City of Thousand Oaks
Location: , California
Type of breach:
HACK
Type of organization:
GOV
Records Breached:
0

On Feb 28, 2018, City of Thousand Oaks Financial Department learned that an unauthorized individual may have gained access to the computer used by the City's vendor to process credit card transactions. During the incident, information entered into the City of Thousand Oaks' online payment system (Click2Gov) between Jan 4 and Jan 10 may have been accessed. This information may have included name, payment card number and expiration date.

Information Source:
Security Breach Letter
Date Made Public:
April 11, 2018
Company: Atchison Hospital Association
Location: , Kansas
Type of breach:
HACK
Type of organization:
MED
Records Breached:
667

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services