Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: 2018
Company or Organization: all
Date Made Public:
April 10, 2018
Company: Henry Ford Health System
Location: , Michigan
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,658

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 10, 2018
Company: ViaTech Publishing Solutions, Inc.
Location: , Minnesota
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,431

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 9, 2018
Company: Integrated Rehab Consultants
Location: , Illinois
Type of breach:
DISC
Type of organization:
MED
Records Breached:
4,292

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 6, 2018
Company: Delta Air Lines, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
200,000

Delta now says that payment-card information for about “several hundred thousand” airline customers may have been exposed by a malware breach last fall that also hit Sears and other companies.

The airline says that the malware attack may have exposed customers’ names, addresses, credit card numbers, card security codes and expiration dates.

Delta Air Lines Inc. offered the additional details about the attack on Thursday, a day after saying that only a “small subset” of customers was affected.

The Atlanta-based airline said that it wasn’t sure whether customers’ information was actually compromised by malware that it believes was in software used by (24)7.ai, which provided the airline with online chat services for customers, for about two weeks. The software company said it discovered and fixed the breach in October.

Information Source:
Media
Date Made Public:
April 6, 2018
Company: CA Department of Developmental Services
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
582,174

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 6, 2018
Company: Walgreen Co.
Location: , Illinois
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
910

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 6, 2018
Company: Chesapeake Regional Medical Center
Location: , Virginia
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,100

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 5, 2018
Company: Diagnostic Radiology & Imaging, LLC
Location: , North Carolina
Type of breach:
HACK
Type of organization:
MED
Records Breached:
800

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 3, 2018
Company: Panera Bread
Location:
Type of breach:
DISC
Type of organization:
BSR
Records Breached:
37,000,000

KrebsOnSecurity has discovered that Panera Bread left millions of customer sign-up records (possibly 37 million) in plain text on its website, including email addresses, home addresses, phone numbers and loyalty account numbers.

There was no payment info, thankfully, but it would have been patently easy for evildoers to harvest that information and use it as part of identity fraud or spam campaigns.

Crucially, Panera Bread didn't appear to be responsive to the problem. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was "working on a resolution," but it didn't take down the info until KrebsOnSecurity got involved -- twice. In a statement, Panera Bread said it was still investigating the vulnerability but indicated that there was "no evidence" of either payment info or anyone accessing a "large number" of the accounts.

Information Source:
Media
Date Made Public:
April 3, 2018
Company: Wisconsin Department of Health Services
Location: , Wisconsin
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
779

Location of breached information: Laptop

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 2, 2018
Company: Fondren Orthopedic Group L.L.P.
Location: , Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
11,552

Location of breached information: Paper/Films

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 2, 2018
Company: West Kendall Baptist Hospital
Location: , Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,480

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 2, 2018
Company: QUALITY-CARE PHARMACY
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,000

Location of breached information: Desktop Computer, Other, Other Portable Electronic Device, Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
April 1, 2018
Company: Lord & Taylor's, Saks
Location: , New Jersey
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
5,000,000

Hackers have stolen the personal and financial information of customers who shop at Lord and Taylor and Saks Fifth Avenue in the latest of a string of data breaches in recent years.

Records for more than five million credit and debit cards used at all the chains’ North American locations were compromised, according to Gemini Advisory, a cybersecurity firm. Most were obtained from stores in New York and New Jersey, Gemini said.

Information Source:
Media
Date Made Public:
March 30, 2018
Company: Under Armour
Location: , California
Type of breach:
HACK
Type of organization:
BSR
Records Breached:
150,000,000

Under Armour says roughly 150 million MyFitnessPal users are affected by a breach of their wildly popular fitness app "MyFitnessPal", which it discovered earlier this week. It said on Thursday that an "unauthorized party" acquired data about these users late last month.

"Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities," the company said in a statement. "The investigation indicates that the affected information included usernames, email addresses, and hashed passwords — the majority with the hashing function called bcrypt used to secure passwords."

Under Armour said the hacker would not have been able to obtain users' payment details or information like Social Security numbers or driver's license numbers. The company has begun notifying users via messages in the app and emails.

Information Source:
Media
Date Made Public:
March 30, 2018
Company: Milligan Chiropractic Group, Inc. d/b/a Del Mar Chiropractic Sports Group
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,640

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 30, 2018
Company: Bezop
Location: , California
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
25,000

On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver's licenses, and other IDs for over 25,000 investors of the newly created Bezop.  The information was found within a MongoDB database without any security.

John Mcafee, an adviser on the board for Bezop, described Bezop as “a distributed version of Amazon.com” in a recent Twitter post.  It is that, but it's also a cryptocurrency.  Bezop is adding, and has in fact already added, it's own cryptocurrency, which they call “Bezop tokens”, into the stream of transactions.

Information Source:
Media
Date Made Public:
March 30, 2018
Company: Sonoma County Indian Health Project, Inc
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
662

Location of breached information: Desktop Computer, Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 30, 2018
Company: Guardian Pharmacy of Jacksonville
Location: , Florida
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,521

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 30, 2018
Company: Children’s National Medical Center
Location: , District Of Columbia
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
722

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 29, 2018
Company: Middletown Medical P.C.
Location: , New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
63,551

Location of breached information: Electronic Medical Record

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 29, 2018
Company: NYC Health + Hospitals/Harlem
Location: , New York
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
595

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 28, 2018
Company: Cambridge Health Alliance
Location: , Massachusetts
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,280

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 26, 2018
Company: Walmart Inc.
Location: , Arkansas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
741

Location of breached information: Email, Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 26, 2018
Company: Mississippi State Department of Health
Location: , Mississippi
Type of breach:
DISC
Type of organization:
MED
Records Breached:
30,799

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 26, 2018
Company: VA Palo Alto Health Care System
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,600

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 22, 2018
Company: City of Houston Medical Plan
Location: , Texas
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
34,637

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 21, 2018
Company: National Mentor Healthcare, LLC.
Location: , Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,015

Location of breached information: Other Portable Electronic Device

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
March 21, 2018
Company: Mentor ABI, LLC
Location: , Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
994

Location of breached information: Other Portable Electronic Device

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
March 21, 2018
Company: Center for Comprehensive Services, Inc.
Location: , Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,176

Location of breached information: Other Portable Electronic Device

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
March 21, 2018
Company: CareMeridian, LLC
Location: , Massachusetts
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,922

Location of breached information: Other Portable Electronic Device

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
March 20, 2018
Company: Prestera Center for Mental Health Services, Inc.
Location: , West Virginia
Type of breach:
HACK
Type of organization:
MED
Records Breached:
670

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 16, 2018
Company: Primary Health Care, Inc.
Location: , Iowa
Type of breach:
HACK
Type of organization:
MED
Records Breached:
10,313

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 15, 2018
Company: North Texas Medical Center
Location: , Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,350

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 15, 2018
Company: UnitedHealth Group Single Affiliated Covered Entity
Location: , Minnesota
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,755

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 14, 2018
Company: Saint Francis Hospital
Location: , Georgia
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,412

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 14, 2018
Company: Serene Sedation, LLC
Location: , Maryland
Type of breach:
HACK
Type of organization:
MED
Records Breached:
5,207

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 13, 2018
Company: Special Agents Mutual Benefit Association
Location: , Maryland
Type of breach:
DISC
Type of organization:
MED
Records Breached:
13,942

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 12, 2018
Company: ATI Holdings, LLC and its subsidiaries
Location: , Illinois
Type of breach:
HACK
Type of organization:
MED
Records Breached:
35,136

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 12, 2018
Company: Barnes-Jewish St. Peters Hospital
Location: , Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
15,046

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
CSV