Biometrics Direct - Your source for fingerprint biometric security products for home and business.  Biometric door locks, fingerprint USB security and PC biometric login

View Cart | Home | Support | News | Policies | Resellers | Contact Us | Sitemap |  

Contact Us Toll Free in the USA - 1-800-519-8800
Direct and International Support - +1 206-973-2137

 
Home Products iQBioBlog Where to Buy Support Smart Cards Card Printing ID Cardz ASG Global
Biometrics Direct - Your Source for Fingerprint Biometric Security Products for Home, Travel and Office
iQBio - "Unlock the Power of Your Print"
 
 


Site Navigation
 
 

Physical Access Control
iGuard IP Appliance

PC & Network Access
BioCert PC Peripherals
ACS Smart Card

Developer Products
ACS Development Kits
- Smart Cards
- Smart Card & Bio

Biometric Solutions
Time/Attendance

Other Products
ACS Smart Cards
Smart Card Supply
Card Five ID Software
PVC ID Card Products
Pebble ID Printer
Quantum PVC Printer
DNP Reverse Printers
IDCardz.com

Biometrics Education
Biometrics FAQ
Biometric Terms
Biometrics 101
US Biometrics Laws
Mythbusted?
Your Data in the Wild
2006 Data Breaches
2007 Data Breaches

Personal Privacy Risk
Biometrics Links

 
 

 Kall8
Toll Free & Int'l VOIP
with "Follow Me" Service

  Get Equifax Credit Watch

 

National "Wall of Shame"
Commentary and Analysis of 2006 Breaches - 1/3 of the USA is at Risk - James Childers

One in three Americans the potential victim of Identity Theft in 2006.  Privacy Rights Clearinghouse (http://www.privacyrights.org) announced on December 20th, 2006 a conservative total of the announced "breaches" in personal data security hit a record 100,214,930 individuals exposed to identity theft through the illegal theft or exposure of their private personal data.

US Population hits 301 Million People - That means that ONE in THREE people in the USA has been exposed to potential identity theft through the reckless disregard for the privacy of their personal information.  Most of these breaches involve the careless storage and transport of their personal data.

Most all of these breaches involve the transport of portable unencrypted data being compromised through neglect, theft or outright stupidity on the part of the stewards of the data.  Don't be a victim.  Don't have to be the one that explains to your boss, your clients or a judge that you did not take proper measures to protect valuable data.


How do you Tell Your Boss or Worse Yet, Your Customers That Their Data is Compromised or the Files were Stolen?
Imagine the Press That Your Company Could Generate When This News Gets Out...
Secure Your Network.  Secure Access and Secure Data with VeriSoft and BioCert.
Multi-Factor Authentication Integrated with Microsoft Active Directory.

DATE MADE PUBLIC
NAME & Location
TYPE OF BREACH
Privacy Requirement:
NUMBER
OF RECORDS
Jan. 1, 2006 University of Pittsburgh Medical Center, Squirrel Hill Family Medicine Portable Unencrypted Data Breach
Six Stolen computers. Names, Social Security numbers, birthdates
HIPAA 700
Jan. 2, 2006 H&R Block SSNs exposed in 40-digit number string on mailing label   Unknown
Jan. 9, 2006 Atlantis Hotel - Kerzner Int'l Dishonest insider or hacking. Names, addresses, credit card details, Social Security numbers, driver's license numbers and/or bank account data.   55,000
Jan. 12, 2006 People's Bank Portable Unencrypted Data Breach
Lost computer tape containing names, addresses, Social Security numbers, and checking account numbers.
  90,000
Jan. 17, 2006 City of San Diego, Water & Sewer Dept.
(San Diego, CA)
Dishonest employee accessed customer account files, including SSNs, and committed identity theft on some individuals.   Unknown
Jan. 20, 2006 Univ. Place Conference Center & Hotel, Indiana Univ. Hacking. Reservation information including credit card account number compromised.   Unknown
Jan. 21, 2006 California Army National Guard Stolen briefcase with personal information of National Guardsmen including a "seniority roster," Social Security numbers and dates of birth.   "hundreds of officers"
Jan. 23, 2006 Univ. of Notre Dame Hackers accessed Social Security numbers, credit card information and check images of school donors.   Unknown
Jan. 24, 2006 Univ. of WA Medical Center Portable Unencrypted Data Breach
Stolen laptops containing names, Social Security numbers, maiden names, birth dates, diagnoses and other personal data.
HIPAA 1,600
Jan. 25, 2006 Providence Home Services
(Portland, OR)
Portable Unencrypted Data Breach
Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen.
HIPAA 365,000
Jan. 27, 2006 State of RI web site (www.RI.gov) Hackers obtained credit card information in conjunction with names and addresses.
  4,117
Jan. 31, 2006 Boston Globe and The Worcester Telegram & Gazette Inadvertently exposed. Credit and debit card information along with routing information for personal checks printed on recycled paper used in wrapping newspaper bundles for distribution.   240,000 potentially exposed
Feb. 1, 2006 Blue Cross and Blue Shield of North Carolina Inadvertently exposed. SSNs of members printed on the mailing labels of envelopes with information about a new insurance plan. HIPAA 600
Feb. 4, 2006 FedEx Inadvertently exposed. W-2 forms included other workers' tax information such as SSNs and salaries.   8,500
Feb. 9, 2006 Unknown retail merchants, apparently OfficeMax and perhaps others. Hacking. Debit card accounts exposed involving bank and credit union accounts nationwide (including CitiBank, BofA, WaMu, Wells Fargo).
[3/13/06 Crime ring arrested.]
  200,000, although total number is unknown.
Feb. 9, 2006 Honeywell International Exposed online. Personal information of current and former employees including Social Security numbers and bank account information posted on an Internet Web site.   19,000
Feb. 13, 2006 Ernst & Young
(UK)
Portable Unencrypted Data Breach
Laptop stolen from employee's car with customers' personal information including Social Security numbers.
  38,000 BP employees in addition to Sun, Cisco and IBM employees.
Feb. 15, 2006 Dept. of Agriculture Inadvertently exposed Social Security and tax identification numbers in FOIA request.   350,000
Feb. 15, 2006 Old Dominion Univ. Exposed online. Instructor posted a class roster containing names and Social Security numbers to a web site.   601
Feb. 16, 2006 Blue Cross and Blue Shield of Florida Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies.   27,000
Feb. 17, 2006 Calif. Dept. of Corrections, Pelican Bay
(Sacramento, CA)
Inmates gained access to files containing employees' Social Security numbers, birth dates and pension account information stored in warehouse.   Unknown
Feb. 17, 2006 Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen)
(Lewiston, NY)
Portable Unencrypted Data Breach
Two laptops containing date of birth, address and Social Security numbers of patients was stolen in an armed robbery in the New Jersey.
HIPAA 17,000
Feb. 18, 2006 Univ. of Northern Iowa Hacking. Laptop computer holding W-2 forms of student employees and faculty was illegally accessed.   6,000
Feb. 23, 2006 Deloitte & Touche (McAfee employee information) External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees.   9,290
Mar. 1, 2006 Medco Health Solutions
(Columbus, OH)
Portable Unencrypted Data Breach
Stolen laptop containing Social Security numbers for State of Ohio employees and their dependents, as well as their birth dates and, in some cases, prescription drug histories.
HIPAA 4,600
Mar. 1, 2006 OH Secretary of State's Office SSNs, dates of birth, and other personal data of citizens routinely posted on a State web site as part of standard business practice.   Unknown
Mar. 2, 2006 Olympic Funding
(Chicago, IL)
Portable Unencrypted Data Breach
3 hard drives containing clients names, Social Security numbers, addresses and phone numbers stolen during break in.
  Unknown
Mar. 2, 2006 Los Angeles Cty. Dept. of Social Services
(Los Angeles, CA)
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded. HIPAA [Potentially 2,000,000, but number unknown]
Not included in number below.
Mar. 2, 2006 Hamilton County Clerk of Courts
(OH)
SSNs, other personal data of residents posted on county Web site, were stolen and used to commit identity theft.   [1,300,000]
Not included in number below.
Mar. 3, 2006 Metropolitan State College
(Denver, CO)
Portable Unencrypted Data Breach
Stolen laptop containing names and Social Security numbers of students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester.
  93,000
Mar. 5, 2006 Georgetown Univ.
(Washington, D.C.)
Hacking. Personal information including names, birthdates and Social Security numbers of District seniors served by the Office on Aging.   41,000
Mar. 8, 2006 Verizon Communications
(New York, NY)
Portable Unencrypted Data Breach
2 stolen laptops containing employees' personal information including Social Security numbers.
  "Significant number"
Mar. 8, 2006 iBill
(Deerfield Beach, FL)
Dishonest insider or possibly malicious software linked to iBill used to post names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amount online. Credit card account numbers, expiration dates, security codes, and SSNs were NOT included, but in our opinion the affected individuals could be vulnerable to social engineering to obtain such information.   [17,781,462]
Not included in total below.
Mar. 11, 2006 CA Dept. of Consumer Affairs (DCA)
(Sacramento, CA)
Mail theft. Applications of DCA licensees or prospective licensees for CA state boards and commissions were stolen. The forms include full or partial Social Security numbers, driver's license numbers, and potentially payment checks.
  "A small number"
Mar. 14, 2006 General Motors
(Detroit, MI)
Dishonest insider keep Social Security numbers of co-workers to perpetrate identity theft.   100
Mar. 14
2006
Buffalo Bisons and Choice One Online
(Buffalo, NY)
Hacker accessed sensitive financial information including credit card numbers names, passwords of customers who ordered items online.   Unknown
Mar. 15,
2006
Ernst & Young
(UK)
Portable Unencrypted Data Breach
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed.
  Unknown
Mar. 16,
2006
Bananas.com
(San Rafael, CA)
Hacker accessed names, addresses, phone numbers and credit card numbers of customers.   274
Mar. 23,
2006
Fidelity Investments
(Boston, MA)
Portable Unencrypted Data Breach
Stolen laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers was stolen.
  196,000
Mar. 24,
2006
CA State Employment Development Division
(Sacramento, CA)
Computer glitch sends state Employment Development Division 1099 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft.   64,000
Mar. 24,
2006
Vermont State Colleges (VT) Portable Unencrypted Data Breach
Laptop stolen containing Social Security numbers and payroll data of students, faculty and staff associated with the five-college system from as long ago as 2000.
  14,000
Mar. 30,
2006
Marines
(Monterey, CA)
Portable Unencrypted Data Breach
Portable drive lost that contains personal information used for research on re-enlistment bonuses.
  207,750
Mar. 30,
2006
Georgia Technology Authority
(Atlanta, GA)
Hacker exploited security flaw to gain access to confidential information including Social Security numbers and bank-account details of state pensioners.   573,000
Mar. 30,
2006
Conn. Technical High School System
(Middletown, CT)
Social Security numbers of students and faculty mistakenly distributed via email.   1,250
April 1, 2006 Con Edison
(New York)
Portable Unencrypted Data Breach
Con Edison shipped 2 cartridge tapes to JPMorgan Chase in upstate Binghamton so it could input data on behalf of the NY Dept. of Taxation and Finance. One tape was apparently lost containing employees' W-2 data, including names, addresses, SSNs, taxes paid and salaries.
  15,000 Con Edison employees
April 6,
2006
Progressive Casualty Insurance
(Mayfield Village, OH)
Dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses on foreclosure properties she was interested in buying.   13
April 7,
2006
DiscountDomain
Registry.com
(Brooklyn, NY)
Exposed online. Domain registrants' personal information including usernames, passwords and credit card numbers were accessible online.   "thousands of domain name registrations"
April 9,
2006
University of Medicine and Dentistry of New Jersey
(Newark, NJ)
Hackers accessed Social Security numbers, loan information, and other confidential financial information of students and alumni. HIPAA 1,850
April 12,
2006
Ross-Simons
(Providence, RI)
Security breach exposed account and personal information of those who applied for its private label credit card. Information exposed includes private label credit card numbers and other personal information of applicants.   Unknown
April 14,
2006
Univ. of South Carolina
(Columbia, SC)
Social Security numbers of students were mistakenly e-mailed to classmates.   1,400
April 15, 2006 Scott County, IA The Social Security numbers of people who obtained mortgages in the early 1990s are visible in documents posted on the county's website. The county will redact the information at the individuals' request.   Unknown
April 21, 2006 University of Alaska, Fairbanks
(Fairbanks, AK)
A hacker accessed names, Social Security numbers, and partial e-mail addresses of current and former students, faculty, and staff.   38,941
April 21, 2006 Boeing
(Seattle, WA)
Portable Unencrypted Data Breach
A laptop was taken from a Boeing human resources employee at SeaTac airport. It contained SSNs and other personal information, including personnel information from the 2000 acquisition of Hughes Space and Communications. .
  3,600 current and former employees
April 21,
2006
Ohio University
Innovation Center
(Athens, OH)
a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.   Unknown
April 24,
2006
University of Texas' McCombs School of Business
(Austin, TX)
Hackers accessed records containing names, biographical information and, in some cases, Social Security numbers and dates of birth of current and prospective students, alumni, faculty members, corporate recruiters and staff members.   197,000
April 24,
2006
Ohio University
(Athens, OH)
Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alum.   300,000
April 26,
2006
Purdue University
(West Lafayette, IN)
Hacker accessed personal information including Social Security numbers of current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships.   1,351
April 26,
2006
Aetna -- health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF
(Hartford, CT)
Portable Unencrypted Data Breach
Laptop containing personal information including names, addresses and Social Security numbers of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car.
HIPAA 38,000
April 27,
2006
MasterCard
(Potentially UK only)
Though MasterCard refused to say how the breach occurred, fraudsters stole the credit card details of holders in a major security breach.   [2,000]
Not included in total below.
April 27,
2006
Long Island Rail
Road
(Jamaica, NY)
Portable Unencrypted Data Breach
Data tapes containing personal information including names, addresses, Social Security numbers and salary figures of "virtually everyone" who worked for the agency was lost by delivery contractor Iron Mountain while enroute. Data tapes belonging to the U.S. Department of Veterans Affairs may also have been affected.
  17,000
April 28,
2006
Ohio's Secretary of State
(Cleveland, OH)
The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it's unknown how many records contained SSNs, which were not supposed to have been included on the CDs.   "Potentially millions of registered voters"
April 28,
2006
Dept. of Defense
(Washington, DC)
Hacker accessed a Tricare  Management Activity (TMA) public server containing personal information about military employees. HIPAA Unknown
May 2,
2006
Georgia State Government
(Atlanta, GA)
Portable Unencrypted Data Breach
Government surplus computers that sold before their hard drives were erased contained credit card numbers, birth dates, and Social Security numbers of Georgia citizens.
  Unknown
May 4,
2006
Idaho Power Co.
(Boise, ID)
Portable Unencrypted Data Breach
Four company hard drives were sold on eBay containing hundreds of thousands of confidential company documents, employee names and Social Security numbers, and confidential memos to the company's CEO.
  Unknown
May 4,
2006
Ohio University
Hudson Health Center
(Athens, OH)
Names, birth dates, Social Security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. HIPAA 60,000
May 2006 Ohio University
(Athens, OH)
A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005.   2,480
May 2006 Ohio University
(Athens, OH)
A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.   Unknown
May 5,
2006
Dept. of Veteran Affairs
(Washington, D.C.)
Portable Unencrypted Data Breach
A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' Social Security numbers, dates of birth and legal documents.
HIPAA 16,500
May 5,
2006
Wells Fargo
(San Francisco, CA)
Portable Unencrypted Data Breach
Computer containing names, addresses, Social Security numbers and mortgage loan deposit numbers of existing and prospective customers may have been stolen while being delivered from one bank facility to another.
  Unknown
May 12,
2006
Mercantile Potomac Bank
(Gaithersburg, MD)
Portable Unencrypted Data Breach
Laptop containing confidential information about customers, including Social Security numbers and account numbers was stolen when a bank employee removed it from the premises, in violation of the bank's policies. The computer did not contain customer passwords, personal identification numbers (PIN numbers) or account expiration dates.
  48,000
May 19,
2006
American Institute of Certified Public Accountants (AICPA)
(New York, NY)
Portable Unencrypted Data Breach
An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
  330,000
[Updated 6/16/06]
May 19,
2006
Unknown retail merchant Visa, MasterCard, and other debit and credit card numbers from banks across the country were stolen when a national retailer's database was breached. No names, Social Security numbers or other personal identification were taken.   Unknown
May 22,
2006
Dept. of Veterans Affairs
(Washington, DC)
(800) 827-1000
Portable Unencrypted Data Breach
On May 3, data of all Currently Serving Personnel and Discharged American veterans who were discharged since 1975 including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data included individually identifiable medical information
HIPAA 28,600,000
May 23,
2006
Univ. of Delaware
(Newark, DE)
Security breach of a Department of Public Safety computer server potentially exposes names, Social Security numbers and driver's license numbers.   1,076
May 23,
2006
M&T Bank
(Buffalo, NY)
Portable Unencrypted Data Breach
Laptop computer, owned by PFPC, a third party company that provides record keeping services for M & T's Portfolio Architect accounts was stolen from a vehicle. The laptop contained clients' account numbers, Social Security numbers, last name and the first two letters of their first name.
  Unknown
May 23, 2006 Butler Co. Dept. of Mental Retardation & Developmental Disabilities
(Cincinatti, OH)
Portable Unencrypted Data Breach
Three laptop computers were stolen "last month" from the agency's office. They contained personal information on mental health clients, including SSNs.
  100 clients
May 23, 2006 Mortgage Lenders Network USA
(Middletown, CT)
A former employee was arrested for extortion for attempting to blackmail his former employer for $6.9 million. He threatened to expose company files containing sensitive customer information if the company didn't pay him. He stole the files over the 16 months he worked there.   Unknown
May 24,
2006
Sacred Heart Univ.
(Fairfield, CT)
Portable Unencrypted Data Breach
It was discovered on May 8th that a computer containing personal information including names, addresses and Social Security numbers was breached.
HIPAA Unknown
May 24,
2006
American Red Cross, St. Louis Chapter
(St. Louis,
Dishonest employee had access to Social Security numbers of donors to call urging them to give blood again. The employee misused the personal information of at least 3 people to perpetrate identity theft and had access to the personal information of 1 million donors.   1,000,000
May 25, 2006 Vystar Credit Union
(Jacksonville, FL)
Hacker gained access to member accounts "a few weeks ago" and stole personal information including names, addresses, birth dates, mother's maiden names, SSNs and/or email addresses.   Approx. 34,400
("less than 10% of its 344,000 members")
May 30,
2006
Texas Guaranteed Student Loan Corp.
(Round Rock, TX)
via subcontractor, Hummingbird
(Toronto, Canada)
Portable Unencrypted Data Breach
Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24, an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers.
Update (6/16/06): TG now says a total of 1.7 million people's information was compromised, 400,000 more than original estimate of 1.3 million.
  1,300,000
plus 400,000
for total of 1,700,000
May 30,
2006
Florida Int'l Univ.
(Miami, FL)
Hacker accessed a database that contained personal information, such as student and applicant names and Social Security numbers.   "thousands"
May 31, 2006 Humana
(Louisville, KY)
On May 5, 2006, Medicare drug benefit applications were stolen from an insurance agent's unlocked car in Brooklyn Park, MN. Information included applicants' name, address, date of birth, Social Security number, and bank routing information. HIPAA 268 Minnesota and North Dakota applicants
June 1,
2006
Miami University
(Oxford, OH)
Portable Unencrypted Data Breach
An employee lost a hand-held personal computer containing personal information of students who were enrolled between July 2001 and May 2006.
  851
June 1,
2006
Ernst & Young
(UK)
Portable Unencrypted Data Breach
A laptop containing names, addresses and credit or debit card information of Hotels.com customers was stolen from an employee's car in Texas.
  243,000
June 1,
2006
Univ. of Kentucky
(Lexington, KY)
Personal information of current and former University of Kentucky employees including Social Security numbers was inadvertently accessible online for 19 days last month.   1,300
June 2,
2006
Buckeye Community Health Plan
(Columbus, OH)
Portable Unencrypted Data Breach
Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider.
  72,000
June 2,
2006
Ahold USA
(Landover, MD)
Parent company of Stop & Shop, Giant stores and Tops stores via subcontractor Electronic Data Systems
(Plano, TX)
An EDS employee lost a laptop computer during a commercial flight that contained pension data of former employees of Ahold's supermarket chains including Social Security numbers, birth dates and benefit amounts.   Unknown
June 2,
2006
YMCA
(Providence, RI)
Portable Unencrypted Data Breach
Laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies.
  65,000
June 2,
2006
Humana
(Louisville, KY)
Personal information of Humana customers enrolled in the company's Medicare prescription drug plans could have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file. HIPAA 17,000 current and former Medicare enrollees
June 5,
2006
Internal Revenue Service
(Washington, DC)
Portable Unencrypted Data Breach
A laptop computer containing personal information of employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth, was lost during transit on an airline flight
  291
June 6,
2006
Univ. of Texas
(El Paso, TX)
Students demonstrated that student body and faculty elections could be rigged by hacking into student information including Social Security numbers.   4,719
June 8,
2006
Univ. of Michigan Credit Union
(Ann Arbor, MI)
Paper documents containing personal information of credit union members were stolen from a storage rooms. The documents were supposed to have been digitally imaged and then shredded. Instead, they were stolen and used to perpetrate identity theft.   5,000
June 11,
2006
Denver Election Commission
(Denver, CO)
Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information.   150,000
June 12,
2006
U.S. Dept. of Energy
(Washington, D.C.)
Names, Social Security numbers, security clearance levels and place of employment for mostly contract employees who worked for National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago.
  1,502
June 13,
2006
Minn. State Auditor
(St. Paul, MN)
Portable Unencrypted Data Breach
Three laptops possibly containing Social Security numbers of employees and recipients of housing and welfare benefits along with other personal information of local governments the auditor oversees have gone missing.
  493
June 13,
2006
Oregon Dept. of Revenue
(Salem, OR)
Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee's downloaded a contaminated file from a porn site. The "Trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.   2,200
June 13,
2006
U.S. Dept of Energy, Hanford Nucear Reservation
(Richland, WA)
Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.   4,000
June 14,
2006
American Insurance Group (AIG), Indiana Office of Medical Excess, LLC
(New York, NY)
Portable Unencrypted Data Breach
The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information.
  930,000
June 14,
2006
Western Illinios Univ.
(Macomb, IL)
On June 5th, a hacker compromised a University server that contained names, addresses, credit card numbers and Social Security numbers of people connected to the University.   180,000
June 16,
2006
Union Pacific
(Omaha, NE)
Portable Unencrypted Data Breach
On April 29th, an employee's laptop was stolen that contained data for current and former Union Pacific employees, including names, birth dates and Social Security numbers.
  30,000
June 16,
2006
NY State Controller's Office
(Albany, NY)
State controller data cartridge containing payroll data of employees who work for a variety of state agencies was lost during shipment. The data contained names, salaries, Social Security numbers and home addresses.   1,300
June 16,
2006
ING
(Miami, FL)
Portable Unencrypted Data Breach
Two ING laptops that carried sensitive data affecting of Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.
HIPAA 8,500
June 16,
2006
Univ. of Kentucky
(Lexington, KY)
The personal data of current and former students including classroom rosters names, grades and Social Security numbers was reported stolen on May 26 following the theft of a professor's flash drive..   6,500
June 17,
2006
ING
(Washington, D.C.)
Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees.   13,000
June 17,
2006
Automatic Data Processing (ADP)
(Roseland, NJ)
Personal and payroll information of workers were intended to be faxed between ADP offices and were mistakenly sent to a third party.   80
June 17,
2006
CA Dept. of Health Services (CDHS)
(Sacramento, CA)
CDHS documents were inappropriately emptied from an employee's cubicle on June 5 and 9 rather than shredded.
The documents contained state employees and other individuals applying for employment with the state including names, addresses, Social Security numbers and home and work telephone numbers. They were mostly expired state employment certification lists, but also included requests for personnel action, copies of e-mail messages and handwritten notes.
HIPAA 1,550
June 20,
2006
Equifax
(Atlanta, GA)
Portable Unencrypted Data Breach
On May 29, a company laptop containing employee names and partial and full Social Security numbers was stolen from an employee.
  2,500
June 20,
2006
Univ. of Alabama
(Birmingham, AL)
Portable Unencrypted Data Breach
In February a computer was stolen from a locked office of the kidney transplant program at the University of Alabama at Birmingham that contained confidential information of donors, organ recipients and potential recipients including names, Social Security numbers and medical information.
HIPAA 9,800
June 21,
2006
U.S. Dept. of Agriculture (USDA)
(Washington, D.C.)
During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors.   26,000
June 21, 2006 Cape Fear Valley Health System
(Fayetteville, NC)
Portable Unencrypted Data Breach
Portable computer containing personal information of more than 24,000 people was stolen from ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed.
HIPAA 24,350
June 21, 2006
(Date of letter sent to doctors. Date of news story is July 28, 2006)
Lancaster General Hospital
(Lancaster, PA)
A desktop computer with personal information of hundreds of doctors was stolen from a locked office June 10. The unencrypted data included names, practice addresses, and SSNS of physicians on medical and dental staff. HIPAA "Hundreds of local physicians" (not included in total below)
June 22,
2006
Federal Trade Commission (FTC)
(Washington, D.C.)
Portable Unencrypted Data Breach
Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations.
  110
June 23,
2006
San Francisco State Univ.
(San Francisco, CA)
Portable Unencrypted Data Breach
a faculty member's laptop was stolen from a car on June 1 that contained personal information of former and current students including Social Security numbers, and names and ins some instance, phone numbers and grade point averages.
  3,000
June 23,
2006
U.S. Navy
(Washington, D.C.)
Navy personnel were notified on June 22 that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and Social Security numbers.   30,000
June 23,
2006
CA Dept. of Health Services (CDHS)
(Sacramento, CA)
On June 12, a box of Medi-Cal forms from December 2005 were found in the cubicle of a CDHS employee. The claim forms contained the names, addresses, Social Security numbers and prescriptions for beneficiaries or their family members. HIPAA 323
June 23,
2006
Catawba County Schools
(Newton, NC)
On June 22, it was discovered that a web site posted names, Social Security numbers, and test scores of students who had taken a keyboarding and computer applications placement test during the 2001-02 school year.
Update: The web site containing the data has been removed.
  619
June 23,
2006
King County Records, Elections, and Licensing Services Division
(Seattle, WA)
Social Security numbers for potentially thousands of current and former county residents may be exposed on the agency's web site. Residents can request that the image of any document that contains a Social Security number, Mother's Maiden Name or Drivers License be removed. Officials state that they are unable to alter original public documents and cannot choose to not record documents presented for recording. 
  Unknown
June 27,
2006
Gov't Accountability Office (GAO)
(Washington, D.C.)
Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, Social Security numbers and addresses. The agency has subsequently removed the information.   "Fewer than 1,000"
[1,000 used in total]
June 28,
2006
AAAAA Rent-A-Space
(Colma, CA)
Customer's account information including name, address, credit card, and Social Security number was easily accessible due to a security gap in its online payment system.   13,000
June 29,
2006
AllState Insurance
Huntsville branch
(Huntsville, AL)
Portable Unencrypted Data Breach
Over Memorial Day weekend, a computer containing personal data including images of insurance policies, correspondence and Social Security numbers was stolen.
  2,700
June 29,
2006
Nebraska Treasurer's Office
(Lincoln, NE)
A hacker broke into a child-support computer system and may have obtained names, Social Security numbers and other information such as tax identification numbers for 9,000 businesses.   309,000
June 29, 2006 Minnesota Dept. of Revenue
(St. Paul, MN)
Portable Unencrypted Data Breach
On May 16, a package containing a data tape used to back up the regional office's computers went missing during delivery. The tape contained personal information including individuals' names, addresses, and Social Security numbers.
  50,400
June 30, 2006 Nat'l Institutes of Health Federal Credit Union
(Rockville, MD)
NIHFCU is investigating with law enforcement the identity theft of some of its 41,000 members. No details given on type of information stolen, or how it was stolen.   "Very few" of 41,000 members affected
[not included in total]
July 1, 2006 American Red Cross, Farmers Branch
(Dallas, TX)
Portable Unencrypted Data Breach
Sometime in May, 3 laptops were stolen, one of them containing encrypted personal information including names, SSNs, dates of birth, and medical information of all regional donors. They also report losing a laptop with encrypted donor information in June 2005.
HIPAA Unknown
July 5, 2006 Bisys Group Inc.
(Roseland, NJ)
Personal details about 61,000 hedge fund investors were lost when an employee's truck carrying backup tapes was stolen. The data included SSNs of 35,000 individuals. The tapes were being moved from one Bisys facility to another on June 8 when the theft occurred.   61,000
July 6, 2006 Automated Data Processing (ADP)
(Roseland, NJ)
Payroll service company ADP gave scam-artist names, addresses, and number of shares held of investors, although apparently not SSNs or account numbers. The leak occurred from Nov. '05 to Feb. '06 and involved individual investors with 60 companies including Fidelity, UBS, Morgan Stanley , Bear Stearns, Citigroup, Merrill Lynch.   "Hundreds of thousands"
[not included in total]
July 7, 2006 University of Tennessee
(866) 748-1680
Hacker broke into UT computer containing names, addresses and SSNs of about 36,000 past and current employees. Intruder apparently used computer from Aug. '05 to May '06 to store and transmit movies.   36,000
July 7, 2006 Nat'l Association of Securities Dealers (NASD)
(Boca Raton, FL)
Portable Unencrypted Data Breach
Ten laptops were stolen on Feb. 25 '06 from NASD investigators. They included SSNs of securities dealers who were the subject of investigations involving possible misconduct. Inactive account numbers of about 1,000 consumers were also contained on laptops.
  73
July 7, 2006 Naval Safety Center SSNs and other personal information of naval and Marine Corps aviators and air crew, both active and reserve, were exposed on Center web site and on 1,100 computer discs mailed to naval commands. HIPAA "more than 100,000"
July 7, 2006 Montana Public Health and Human Services Dept.
(Helena, MT)
Portable Unencrypted Data Breach
A state government computer was stolen from the office of a drug dependency program. during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised.
HIPAA Unknown
July 7, 2006 City of Hattiesburg
(Hattiesburg, MS)
Portable Unencrypted Data Breach
Video surveillance cameras caught 2 intruders stealing hard drives from 18 computers June 23. Data files contained names, addresses, and SSNs of current and former city employees and registered voters as well as bank account information for employees paid through direct deposit and water system customers who paid bills electronically.
  "thousands of city workers and contractors"
July 13, 2006 Moraine Park Technical College
(Beaver Dam, Fond du Lac, & West Bend, WI)
Portable Unencrypted Data Breach
Computer disk (CD) with personal information of 1,500 students was reported missing. Information includes names, addresses, phone numbers & SSNs of apprenticeship students back to 1993.
  1,500
July 14, 2006 Northwestern Univ.
(Evanston, IL)
(888-209-0097)
Files containing names and some personal information including SSNs were on 9 desktop computers that had been accessed by unauthorized persons outside the University. The computers were in the Office of Admissions and Financial Aid Office.   "As many as 17,000 individuals' records" exposed
July 14, 2006 University of Iowa
(Davenport, IA)
Portable Unencrypted Data Breach
Laptop computer containing personal information of current and former MBA students was stolen. Data files included SSNs and some contact info.
  280
July 14, 2006
(Date of letter sent to students. Date of news story is 8/1/06)
California Polytechnic State University (Cal Poly)
(San Luis Obispo, CA)
(Call (805) 756-2226 or (805) 756-2171)
Portable Unencrypted Data Breach
Laptop computer was stolen from the home of a physics department professor July 3. It included names and SSNs of physics and astronomy students from 1994-2004.
  3,020 students
July 14, 2006 Treasurer's computer in Circuit Court Clerk's office
(Hampton, VA)
Public computer in city government building containing taxpayer information was found to display SSNs of many residents -- those who paid personal property and real estate taxes. It was shut down and confiscated by the police on July 12th.   "Over 100,000 records"
(The number containing SSNs is not known yet and not included in total below.)
July 16, 2006 Mississippi Secretary of State
(Jackson, MS)
The state agency's web site listed 2 million+ Uniform Commercial Code (UCC) filings in which thousands of individuals' SSNs were exposed.   Among the 2 million postings are "thousands" containings SSNs
(not included in total)
July 17, 2006 Vassar Brothers Medical Center
(Poughkeepsie, NY)
(845) 483-6990
Portable Unencrypted Data Breach
Laptop was stolen from the emergency department between June 23-26. It contained information on patients dating back to 2000, including SSNs and dates of birth.
HIPAA [257,800 patients were initially notified, but an analysis by Kroll later determined that the laptop contained no personal information. This number is not included in the total below.]
July 18, 2006 Nelnet Inc.
(Lincoln, NE)
(800) 552-7925
Portable Unencrypted Data Breach
Computer tape containing personal information of student loan customers and parents, mostly from Colorado, was lost when shipped via UPS. The loans were previously serviced by College Access Network
  188,000
July 18, 2006 CS Stars, subsidiary of insurance company Marsh Inc.
(Chicago, IL)
On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and date of birth but apparently no medical information.
Update (7/26/06): Computer was recovered.
  540,000
July 18, 2006 U.S. Dept. of Agriculture
(Wellington, KS)
Portable Unencrypted Data Breach
Laptop computer and printout containing names, addresses and SSNs of 350 employees was stolen from an employee's car and later recovered.
  350
July 24, 2006 New York City Dept. of Homeless Services The personal information of 8,400 homeless persons, including SSNs, was leaked in an e-mail attachment July 21, when accidentally sent to homeless advocates and city officials.   8,400
July 25, 2006 Armstrong World Industries
(Lancaster Co., PA)
Portable Unencrypted Data Breach
A laptop containing personal information of current and former employers was stolen. The computer was in the possession of the company's auditor, Deloitte & Touche. Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited.
  12,000
July 25, 2006 Belhaven College
(Jackson, MS)
Portable Unencrypted Data Breach
An employee carrying laptop was robbed at gunpoint on July 19 while walking to his car. Computer contained names and SSNs of college employees.
  300 employees
July 25, 2006 Georgetown University Hospital
(Washington, DC)
Patient data was exposed online via the computers of an e-prescription provider, InstantDx. Data included names, addresses, SSNs, and dates of birth, but not medical or prescription data. GUH suspended the trial program with InstantDX. HIPAA "between 5,600 and 23,000 patients were affected"
(23,000 added to total below)
July 25, 2006 Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC Portable Unencrypted Data Breach
Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs.
  6,500 fund shareholders
July 25, 2006 Cablevision Systems Corp.
(lost when shipped to Dallas-based ACS)
Portable Unencrypted Data Breach
A tape en route to the company's 401(k) plan record-keeper ACS was lost when shipped by FedEx to Dallas, TX. No customer data was on the tape.
  13,700 current and former employees
July 26, 2006 U.S. Navy recruitment offices
(Trenton, NJ, and Jersey City, NJ)
Portable Unencrypted Data Breach
Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected.
  31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below.
July 26, 2006 West Virginia Div. of Rehabilitation Services
(Beckley, WV)
Portable Unencrypted Data Breach
A laptop was stolen July 24 containing clients' names, addresses, SSNs, and phone numbers. Data was password protected.
HIPAA Unknown
July 27, 2006 Kaiser Permanente Northern Calif. Office
(Oakland, CA)
(866) 453-3934
Portable Unencrypted Data Breach
A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members.
HIPAA 160,000 records. Because the data file did not include SSNs, this number is not added to the total below.
July 27, 2006 Los Angeles County
(Los Angeles, CA)
Portable Unencrypted Data Breach
In May, a laptop was stolen from the home of a community and senior services employee. It contained information on LA County employees.
  Unknown
July 27, 2006 Los Angeles Co., Community Development Commission (CDC)
(Monterey Park, CA)
Earlier in July, a computer hacker located in Germany gained access to the CDC's computer system, containing personal information on 4,800 public housing residents.   4,800 records. Because it is not clear if SSNs were included, this number is not added to the total below.
July 27, 2006 Los Angeles County, Adult Protective Services
(Burbank, CA)
Portable Unencrypted Data Breach
Last weekend 11 laptops were stolen from the Burbank office. It is not clear what type of personal information was included.
  Unknown
July 28, 2006 Matrix Bancorp Inc.
(Denver, CO)
(877-250-7742)
Portable Unencrypted Data Breach
Two laptop computers were stolen during daytime while staffers were away from their desks. One computer contained customers' account information. The bank says data is encrypted and password protected.
  Unknown
July 28, 2006 Riverside, Calif., city employees The SSNs and financial information regarding 401(k) accounts was accidentally e-mailed to 2,300 city employees due to a computer operator's error. The data was intended for the city payroll dept.   "nearly 2,000 employees"
July 29, 2006 Sentry Insurance
(Stevens Point, WI)
Personal information including SSNs on worker's compensation claimants was stolen, some of which was later sold on the Internet. No medical records were included. The thief was a lead programmer-consultant who had access to claimants' data. The consultant was arrested and faces felony charges.   Information on 72 claimants was sold on the Internet. Data on an additional 112,198 claimants was also stolen with no evidence of being sold online. .
Total affected is 112,270
Aug. ?, 2006 CoreLogic for ComUnity Lending
(Sacramento, CA)
(877) 510-3700
identityprotection@
corelogic.com
Portable Unencrypted Data Breach
In early August, CoreLogic notified customers of ComUnity Lending that a computer with customers' data was stolen from its office. Data included names, SSNS, and property addresses related to an existing or anticipated mortgage loan.
  Unknown
Aug. 1, 2006 U.S. Bank
(Covington, KT)
A bank employee's briefcase was stolen from the employee's car with documents containing names, phone numbers, and SSNs of customers.   "very small" number
Aug. 1, 2006 Wichita State University
(Wichita, KS)
WSU learned on June 29 that someone gained unauthorized access into 3 computers in its College of Fine Arts box office, containing credit card information for about 2,000 patrons.   2,000
Aug. 1, 2006 Wichita State University
(Wichita, KS)
An intrusion into a WSU psychology department's server was discovered July 16. It contained information on about 40 applicants to the doctoral program.   40
(not included in total below because it is not known if SSNs were included in breached data)
Aug. 1, 2006 Dollar Tree
(Carmichael and Modesto, CA, as well as Ashland, OR, and perhaps other locations)
Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Data may have been intercepted by a thief's use of a wireless laptop computer with the thief then creating counterfeit ATM cards and using them to withdraw money.   Total number unknown
Aug. 4, 2006 Toyota plant
(San Antonio, TX)
Portable Unencrypted Data Breach
Laptop belonging to contractor and containing personal information of job applicants and employees was stolen. Data included names and SSNs.
  1,500
Aug. 4, 2006 PSA HealthCare
(Norcross, GA)
(866) 752-5259
Portable Unencrypted Data Breach
A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.
HIPAA 51,000 current and former patients
Aug. 6, 2006 American Online (AOL)
(nationwide)
In late July AOL posted on a public web site data on 20 million web queries from 650,000 users. Some search records exposed SSNs, credit card numbers, or other pieces of sensitive information.
Update (9/26/06):
Three individuals whose data were exposed have filed a lawsuit against AOL.
  Unknown how many records contain high-risk personal information
Aug. 7, 2006 Veterans Affairs Dept. through its contractor Unisys Corp.
(Reston, VA)
Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.
Update (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys.
HIPAA 5,000 Philadelphia patients,
11,000 Pittsburgh patients,
2,000 deceased patients,
plus possibly 20,000 more
(18,000 is included in total below)
Aug. 8, 2006 Virginia Bureau of Insurance
(804) 726-2630
The Bureau has advised insurance agents in the state that their SSN may have been exposed on its web site from June 13 through July 31, 2006, due to a programming error. The SSNs were not shown on any web page, but could have been found by savvy computer users using the source code tool of a web browser.   Unknown
Aug. 8, 2006 Linens 'n Things
(Sterling, VA)
A folder holding about 90 receipts was missing from the store. Receipts included full credit or debit account number and name of the card holder.   90
Aug. 9, 2006 U.S. Dept. of Transportation
(800) 424-9071
hotline@
oig.dot.gov
The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27 from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial drivers licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses.
Update (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot.
  132,470
Aug. 11, 2006 Madrona Medical Group
(Bellingham, WA)
On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. HIPAA At least 6,000 patients
Aug. 15, 2006 University of Kentucky The names and SSNs of 630 students were posted on the University's financial aid web site between Friday and Monday, Aug. 11-14.   630
Aug. 15, 2006 University of Kentucky About 80 geography students were notified Aug. 14 that their SSNs were inadvertently listed on an e-mail communication they all received telling them who their academic advisor would be for the coming year.   80
Aug. 15, 2006 U.S. Dept. of Transportation
(Orlando, FL)
Portable Unencrypted Data Breach
On April 24, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are determining if it contained sensitive personal information.
  Unknown
Aug. 16, 2006 Chevron
(San Ramon, CA)
Portable Unencrypted Data Breach
Chevron informed its U.S. workers Aug. 14 that a laptop was stolen from "an employee of an independent public accounting firm" who was auditing its benefits plans. The theft apparently occurred Aug. 5. Files contained SSNs and sensitive information related to health and disability plans.
  Total employees affected is unclear. Nearly half of its 59,000 workers are from North America.
Aug. 17, 2006 Williams-Sonoma
(San Francisco, CA)
Portable Unencrypted Data Breach
On July 10, a laptop was stolen from the Los Angeles home of a Deloitte & Touche employee who was conducting an audit for W-S. Computer contained employees' payroll information and SSNs.
  1,200 current and former employees
Aug. 17, 2006 HCA, Inc.
Hospital Corp. of America
(Nashville, TN)
(800) 354-1036
hcahealthcare.com

 

Portable Unencrypted Data Breach
10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA.
HIPAA "thousands of files"
Aug. 18, 2006 Calif. Dept. of Mental Health
(916) 654-2309
Portable Unencrypted Data Breach
Computer tape with employees' names, addresses, and SSNs has been reported missing. Employees were notified Aug. 17 by e-mail.
HIPAA 9,468 employees
Aug. 21, 2006 U.S. Dept. of Education via contractor, DTI Associates
(Washington, DC)
Portable Unencrypted Data Breach
Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs.
  43
Aug. 22, 2006 AFLAC
American Family Life Assurance Co.
(Greenville, SC)
(888) 794-2352
Portable Unencrypted Data Breach
A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11.
HIPAA 612 policyholders
Aug. 22, 2006 Beaverton School District
(Beaverton, OR)
Time slips revealing personal information were missing and presumed stolen following a July 24 break-in at a storage shed on the administration office's property. The time slips included names and SSNs but not addresses.   1,600 employees
Aug. 22, 2006 Beaumont Hospital
(Troy, MI)
Portable Unencrypted Data Breach
A vehicle of a home health care nurse was stolen from outside a senior center Aug. 5. Although it was recovered nearby, a laptop left in the rear of the car was not recovered. It contained names, addresses, SSNs, and insurance information of home health care patients.
  28,400 home care patients
Aug. 23, 2006 U.S. Dept. of Education, Direct Loan Servicing Online
(Atlanta, GA)
www.dlssonline.com
and
dlservicer.ed.gov
A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies.   21,000
Aug. 25, 2006 Dominion Resources
(Richmond, VA)
Portable Unencrypted Data Breach
Two laptops containing employee information were stolen earlier in August. It was not clear what type of data were included. No customer records were on the computers. Dominion operates a gas and electric energy distribution company.
  Unknown
Aug. 25, 2006 U.S. Dept. of Transportation, Federal Motor Carrier Safety Administration
(Baltimore, MD)
(800) 832-5660
Portable Unencrypted Data Breach
A laptop that "might contain" personal information of people with commercial driver's licenses was stolen Aug. 22. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies.
  193
(not added to total)
Aug. 25, 2006 Sovereign Bank
(New Bedford, MA)
Portable Unencrypted Data Breach
Personal data may have been compromised when 3 managers' laptops were stolen from 2 separate locations in early August. Customers were notified Aug. 21. Sovereign serves New England and the Mid-Atlantic. The bank said the data included unspecified customer information, but not account data.
  "thousands of customers"
Aug. 26, 2006 PortTix
(Portland, ME)
Credit card information for about 2,000 people who ordered tickets online through PortTix was accessed by someone who hacked into the Web site. PortTix is Merrill Auditorium's ticketing agency. The Web site was secured as of Aug. 24.   2,000
Aug. 26, 2006 University of South Carolina
(Columbia, SC)
A security audit this summer found that a computer server was hacked in Sept. 2005. A database could have been accessed with names, SSNs, and birthdates of current and former students.   6,000 current and former students
Aug. 27, 2006 New Mexico Administrative Office of the Courts
(Santa Fe, NM)
For 8 days in late May, an unsecured document was exposed on the agency's FTP site on the state's computer server. It contained names, birth dates, SSNs, home addresses and other personal information of judicial branch employees. The FTP site was shut down June 2 and has since be redesigned. .   1,500 employees
Aug. 29, 2006
Valley Baptist Medical Center
(Harlingen, TX)
(877) 840-5999
A programming error on the hospital's web site exposed names, birth dates, and SSNs of healthcare workers in late August. The error was fixed but it is not known how long the personal information was compromised. The affected individuals are workers from outside the hospital who provide services and bill the hospital via an online form. HIPAA Unknown
Aug. 29, 2006 AT&T
via vendor that operates an order processing computer
(San Francisco, CA)
Computer hackers accessed credit card account data and other personal information of customers who purchased DSL equipment from AT&T's online store. The company is notifying "fewer than 19,000" customers."   "Fewer than 19,000" customers
Aug. 29, 2006 Compass Health
(Everett, WA)
(800) 508-0059
Portable Unencrypted Data Breach
Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness.
HIPAA "A limited number of people"
Aug. 31, 2006 Labcorp
(Monroe, NJ)
(800) 788-9091 x3925
Portable Unencrypted Data Breach
During a break-in June 4 or 5, a computer was stolen that contained names and SSNs, but according to the company did not have birth dates or lab test results.
  Unknown
Aug. 31, 2006 Diebold, Inc.
(Canton, OH)
Portable Unencrypted Data Breach
An employee's laptop was stolen containing employee information, including name, SSN, and if applicable, corporate credit card number.
  Unknown
Sept. 1, 2006 Wells Fargo via unnamed auditor
(San Francisco, CA)
Portable Unencrypted Data Breach
In a letter dated Aug. 28, the company notified its employees that a laptop and data disk were stolen from the locked trunk of an unnamed auditor, hired to audit the employees' health plan. Data included names, SSNs, and information about drug claim cost and dates from 2005, but no prescription information said the company.
  Unknown
Sept. 1, 2006 Virginia Commonwealth University
(Richmond, VA)
www.ts.vcu.edu
Personal information of freshmen and graduate engineering students from 1998 through 2005 was exposed on the Internet for 8 months (Jan. - Aug.) due to human error. It was discovered by a student who used a search engine to find her name. The data included SSNs and e-mail addresses.   2,100 current and former students
Sept. 1, 2006 City of Chicago via contractor Nationwide Retirement Solutions, Inc.
(Chicago, IL)
(800) 638-1485
www.chicagofop.org
Portable Unencrypted Data Breach
A laptop was stolen from the home of contractor's employee last April 2005. It was reported to the city July 2006 more than a year later. Data included names, addresses, phone numbers, birthdates and SSNs for those in the city's deferred compensation plan.
  "Up to 38,443 city employees and retirees"
Sept. 2, 2006 Lloyd's of London
(Port St. Lucie, FL)
A thief reprogrammed more than 150 Lloyd's of London credit card numbers onto phone cards and used them to withdraw money from an ATM in Port St. Lucie, FL (stealing more than $20,000 over 3 days). Key personal and financial information had been skimmed from the magnetic strip on the victims' cards.   Unknown
Sept. 5, 2006 Transportation Security Administration (TSA) via Accenture
(Washington, DC)
In late August 2006, Accenture, a contractor for TSA mailed documents containing former employees' SSN,, date of birth, and salary information to the wrong addresses due to an administrative error.   1,195 former TSA employees
Sept. 7, 2006 Florida National Guard
(Bradenton, FL)
Portable Unencrypted Data Breach
A laptop computer was stolen from a soldier's vehicle contained training and administrative records, including Social Security numbers of up to 100 Florida National Guard soldiers.
  100
Sept. 7, 2006 Circuit City and Chase Card Services, a division of JP Morgan Chase & Co.
(Wilmington, DE)
Portable Unencrypted Data Breach
Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information.
  2.6 million past and current Circuit City credit cardholders
Sept. 8, 2006 Linden Lab
(San Francisco, CA)
www.secondlife.com
On Sept. 6, Linden Lab discovered that a hacker accessed its Second Life database through web servers. The affected data included unencrypted account names, real life names, and contact information, plus encrypted account passwords and payment information. Second Life is a 3-D virtual world.   Unknown
Sept. 8, 2006 University of Minnesota
(Minneapolis, MN)
Portable Unencrypted Data Breach
On August 14-15 eve, two computers were stolen from the desk of an Institute of Technology employee, containing information on students who were freshmen from 1992-2006 -- including names, birthdates, addresses, phone numbers, high schools attended, student ID numbers, grades, test scores, and, academic probation. SSNs of 603 students were also exposed.
  13,084 students including SSNs of 603 students
Sept. 8, 2006 Berks Co. Sheriff's Office via contractor Canon Technology Solutions
(Reading, PA)
A confidential list of some of the County's 25,000 gun permit holders was exposed on the Web by the contractor that is developing a Web-based computer records program for the Sheriff's Office. Personal information included names, addresses and SSNs.
Update (10/6/06): The Berks County solicitor's office says the entire list of more than 25,000 gun permit holders was exposed.
  25,000 gun permit holders exposed, although initially the number was unknown
Sept. 9, 2006 Cleveland Clinic
(Naples, FL)
(866) 907-0675
A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. HIPAA 1,100 patients
Sept. 11, 2006 Telesource
via Vekstar
(Indianapolis, IN)
Employees discovered their personnel files in a Dumpster after the company had been bought out by another company Vekstar. The files were discarded when the office was being cleaned out and shut down. Files contained SSNs, dates of birth and photocopies of SSN cards and driver's licenses.   Unknown
Sept. 13, 2006 American Family Insurance
(Madison, WI)
Portable Unencrypted Data Breach
The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers.
HIPAA 2,089 customers
Sept. 14, 2006 Nikon Inc. and Nikon World Magazine
(Melville, NY)
Workers at a Montgomery, AL, camera store discovered that subscription information for the magazine Nikon World was exposed on the Web for at least 9 hours. Data included subscribers' names, addresses and credit card numbers.   3,235 magazine subscribers
Sept. 14, 2006 Illinois Dept. of Corrections
(Springfield, IL)
A document containing employees' personal information was found outside the agency's premises "where it should not have been." It has since been retrieved. Information included employees' names, SSNs, and salaries.   Unknown
Sept. 15, 2006 Mercy Medical Center
(Merced, CA)
Portable Unencrypted Data Breach
A memory stick containing patient information was found July 18 by a local citizen on the ground at the County Fairgrounds near the hospital's information booth. It was returned to the hospital 4 weeks later. Data included names, SSNs, birthdates, and medical records.
HIPAA 295 patients
Sept. 15, 2006 Whistle Junction restaurant
(Orlando, FL)
Personnel files of employees of the now-closed restaurant were found in a nearby Dumpster. Papers included names and SSNs of former employees,   Unknown
Sept. 16, 2006 Michigan Dept. of Community Health
(Detroit, MI)
Portable Unencrypted Data Breach
Residents who participated in a scientific study were notified that a flash drive was discovered missing as of Aug. 4, and likely stolen, from an MDCH office.The portable memory device contained names, addresses, phone numbers, dates of birth, and SSNs of participants. The study tracked the long-term exposure to flame retardents ingested by residents in beef and milk.
HIPAA 4,000 Michigan residents
Sept. 16, 2006 Beaumont Hospital
(Royal Oak, MI)
The hospital mistakenly mailed medical reports on 3 patients to a retired dentist in Texas. Reports included name, test results, date of birth and patient ID numbers. The hospital admitted to both human and computer error. A new computer system mixed similar names, and staff did not catch it.. HIPAA 3 patients
Sept. 17, 2006 Direct Loans, part of William D. Ford Federal Direct Loan Program within U.S. Dept. of Education and Federal Student Aid via its IT contractor ACS A security breach exposed private information of student loan borrowers from Aug. 20-22 during a computer software upgrade. Users of the Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online.   21,000 accounts
Sept. 18, 2006 Howard, Rice, Nemerovski, Canady, Falk & Rabkin law firm
(San Francisco, CA)
via its auditor Morris, Davis & Chan
(Oakland, CA)
Portable Unencrypted Data Breach
A laptop was stolen from the trunk of the car of the law firm's auditor, containing confidential employee pension plan information -- names, SSNs, remaining balances, 401(k) and profit-sharing information.
  500 current and former employees
Sept. 18, 2006 DePaul Medical Center, Radiation Therapy Dept.
(Norfolk, VA)
(757) 889-5945
Portable Unencrypted Data Breach
Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth, treatment information, and some SSNs.
  "More than 100 patients"
Sept. 19, 2006 Life Is Good
(Hudson, NH)
Hackers accessed the retailer's database containing customer's credit card numbers. The company said no other personal information was in the database.   9,250 customers' credit card numbers
Sept. 20, 2006 City of Savannah, Georgia
(912) 651-6565
savannahga.gov
Because of a "hole in the firewall," a City server exposed personal information online for 7 months. Individuals identified by the Red Light Camera Enforcement Program are affected -- name, address, driver's license number, vehicle identification number, and SSNs of those individuals whose driver's license number is still the SSN.   8,800 individuals whose identities were captured by red-light cameras
Sept. 20, 2006 Berry College via consultant Financial Aid Services Inc.
(Mount Berry, GA)
(800) 961-4692
www.berry.edu
Student applications for need-based financial aid were misplaced by a consultant -- in both paper and digital form. Data included name, SSN, and reported family income for students and potential students for the 2005-06 academic year.   2,093 students and potential students (of those, 1,322 are currently enrolled)
Sept. 21, 2006 Pima Co. Health Dept.
(Tucson, AZ)
Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses.   2,500
(not included in Total below)
Sept. 21, 2006 U.S. Dept. of Commerce and Census Bureau
(Washington, DC)
Portable Unencrypted Data Breach
The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had "protections to prevent a breach of personal information."
  Unknown
Sept. 22, 2006 Purdue University College of Science
(West Lafayette, IN)
(866) 307-8520
www.purdue.edu
A file in a desktop computer in the Chemistry Department may have been accessed illegitimately. The file contained names, SSNs, school, major, and e-mail addresses of people who were students in 2000.   2,482 students from the year 2000
Sept. 22, 2006 University of Colorado-Boulder, Leeds School of Business
(Boulder, CO)
(303) 492-8741
Portable Unencrypted Data Breach
Two computers had been placed in storage during the school's move to temporary quarters in May. When they were to be retrieved Aug. 28, they were found missing. They had been used by 2 faculty members and included students' names, SSNs, and grades.
  1,372 students and former students
Sept. 22, 2006 Several Indianapolis pharmacies
(Indianapolis, IN)
Earlier this year a local TV reporter from WTHR found that "dozens" of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana Board of Pharmacy has launched an investigation of 30 pharmacies. Both the Board and the Attorney General say that the pharmacies violated state law.   Unknown
Sept. 23, 2006 An illegal dumping site northwest of Quinlan, TX Investigators found boxes of private medical records containing names and personal information of patients of a doctor who lives in Dallas and who has a Greenville, TX, practice. They had apparently been dumped there by a contractor who was hired to remodel his house. The contractor was indicted on a charge of illegal dumping. HIPAA Unknown
Sept. 23, 2006 Erlanger Health System
(Chattanooga, TN)
Records of hospital employees disappeared from a locked office on Sept. 15. They were stored on a USB "jump drive." Information was limited to names and SSNs. Those affected included anyone who went through job "status changes" from Nov. 2003 to Sept. 2006. HIPAA 4,150 current and former employees
Sept. 25, 2006 General Electric
(US Corporate HQ: Fairfield , CT )
Portable Unencrypted Data Breach
An employee's laptop computer holding the names and Social Security numbers of approximately 50,000 current and former GE employees was stolen from a locked hotel room while he was traveling for business.
  50,000 employees
Sept. 28, 2006 North Carolina Dept. of Motor Vehicles
(Louisville , NC)
(888) 495-5568
Portable Unencrypted Data Breach
A computer was stolen from a NC Dept. of Motor Vehicles office, reported Sept. 10. It contains names, addresses, driver's license numbers, SSNs, and in some cases immigration visa information of 16,000 people who have been issued licenses in the past 18 months. Most are residents of Franklin County.
  16,000
Sept. 28, 2006 Illinois Dept. of Transportation
(Springfield, IL)
Documents found by state auditors in recycling bins in a hallway contained IDOT employee names and SSNs.   40
Sept. 28, 2006 Stevens Hospital Emergency Room via dishonest employee of billing company Med Data
(Edmonds, WA)
A manager for the hospital's billing company, Med Data, stole patients' credit card numbers. She gave them to her brother who bought $30,000 worth of clothes and gift cards over the Internet. The woman is scheduled for sentencing in Nov. and her brother's trial is expected Jan. 2007. HIPAA "about 30 patients"
Sept. 29, 2006 University of Iowa Dept of Psychology
(Iowa City, IA)
Portable Unencrypted Data Breach
A computer containing SSNs of 14,500 psychology department research study subjects was the object of an automated attack designed to store pirated video files for subsequent distribution.
HIPAA 14,500 individuals who had participated in a research study
Sept. 29, 2006 Kentucky Personnel Cabinet
(Frankfort, KY)
State employees received letters from the Kentucky Personnel Cabinet with their SSNs visible through the envelope windows.   146,000
Sept. ??, 2006 Adams State College
(Alamosa, CO)
Portable Unencrypted Data Breach
A laptop computer stolen from a locked closet at Adams State College contained personally identifiable data belonging to 184 high school students who participated in the college's Upward Bound program over the last four years. The theft occurred on August 14, but it was not until late September that staff realized the computer held students' data.
  184 Upward Bound students
Oct. 2, 2006 Port of Seattle
(Seattle, WA)
(888) 902-PORT
Portable Unencrypted Data Breach
Six CDs missing from the ID Badging office at Seattle-Tacoma International Airport hold the personal information of 6,939 airport workers. The data include names, addresses, birth dates, SSNs and driver's license numbers, telephone numbers, employer information, and height/weight. The data on the disks were scanned from paper applications for airport badges. The port learned of the missing disks on September 18 and sent letters to the affected employees on Oct. 2.
 

6,939 current and former Seattle-Tacoma International Airport employees

Oct. 3, 2006 Cumberland County, PA Cumberland County (PA) officials removed salary board meeting minutes from their Web site because they contained the SSNs of 1,200 county employees. The information was included in minutes from meetings prior to 2000. The county no longer uses SSNs as unique identifiers for employees. Employees will be informed of the data breach in a note included with their paychecks.   1,200 employees of the county
Oct. 3, 2006 Willamette Educational Service District
(Salem, OR)
Portable Unencrypted Data Breach
Seven computers stolen from a Willamette Educational service District office were believed to contain personal information of 4,500 Oregon high school students. Backup tapes indicate the computers hold information about the students' school clubs but do not contain sensitive information.
  4,500 Oregon high school students
[not included in total because not thought to contain sensitive info. such as SSNs]
Oct. 3, 2006 Picatinny Arsenal
(Rockaway Twp., NJ)
(If you have tips, call (973) 989-0652)
Portable Unencrypted Data Breach
28 computers are missing from the Picatinny Arsenal, a Department of Defense Weapons Research Center. The computers were reported lost or stolen over the last two years. None of the computers was encrypted. Officials state the computers did not contain classified information.
  Unknown
Oct. 4, 2006 Orange County Controller (FL) A Florida woman discovered her marriage license was visible on the Orange County (FL) controller's Web site with no information blacked out, not even SSNs. She discovered the breach because someone had applied for a loan in her name. The Orange County Comptroller is reportedly paying a vendor $500,000 to black out all SSNs by January 2008.   Unknown
Oct. 5, 2006 San Juan Capistrano Unified School District (CA) Portable Unencrypted Data Breach
Five computers stolen from the HQ of San Juan Capistrano Unified School District likely contain the names, SSNs and dates of birth of district employees enrolled in an insurance program.
  Unknown
Oct. 6, 2006 Cleveland Air Route Traffic Control Center
(Oberlin, OH)
Portable Unencrypted Data Breach
A computer hard drive missing from the Cleveland Air Route Traffic Control Center in Oberlin (OH) contains the names and SSNs of at least 400 air traffic controllers.
  At least 400
Oct. 6, 2006 Camp Pendleton Marine Corps base via Lincoln B.P. Management
(Camp Pendleton near Oceanside, CA)
Portable Unencrypted Data Breach
A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents.
  2,400
Oct. 9, 2006
(Letter mailed Oct. 5, 2006)
Troy Athens High School
(Troy, MI)
(For questions or comments, call (248) 823-4035)
Portable Unencrypted Data Breach
A hard drive stolen from Troy Athens High School in August contained transcripts, test scores, addresses and SSNs of students from the graduating classes of 1994 to 2004. The school district and the superintendent have notified all affected alumni by regular mail.
  4,400
Oct. 10, 2006 Florida Labor Department The names and SSNs of 4,624 Floridians were accessible on the Internet for approximately 18 days in September. The data were not accessible through Web sites, but an individual came across the information when Googling his own name. The agency has asked Google to remove the pages from its cache, and has notified all affected individuals by mail.   4,624 individuals who had registered with Florida 's Agency for Workforce Innovation
Oct. 11, 2006 Republican National Committee
(Washington, D.C.)
The Republican National Committee (RNC) inadvertently emailed a list of donors' names, SSNs and races to a New York Sun reporter.   76 RNC donors
Oct. 12, 2006 U.S. Census Bureau Portable Unencrypted Data Breach
This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs.
  Unknown number of Travis Co., TX, residents
Oct. 12, 2006 Congressional Budget Office
(Washington, D.C.)
Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO.
  Unknown number of e-mail addresses
Oct. 12, 2006 University of Texas at Arlington Portable Unencrypted Data Breach
Two computers stolen from a University of Texas faculty member's home hold the names, SSNs, grades, e-mail addresses and other information belonging to approximately 2,500 students enrolled in computer science and engineering classes between fall 2000 and fall 2006. The theft occurred on September 29 and was reported on October 2.
  2,500 students
Oct. 13, 2006 Ohio Ethics Committee
(Columbus, OH)
Papers belonging to the Ohio Ethics Commission were found floating on the wind in an alley. The documents are related to state employees' finances and contained SSNs and financial statements. They were supposed to be in the possession of the state archives.   Unknown number of Ohio state employees
Oct. 13, 2006 Orchard Family Practice (Colorado doctor's patient files dumped in a parking lot)
(Englewood, CO)
When a bankrupt Colorado doctor was evicted from his office, everything in his office was dumped in the parking lot by the landlord and the sheriff's department, including file cabinets containing personal information of his patients. Scavengers were seen carting off some desks and file cabinets, some containing records. The exposed documents were thought to consist of bgusiness records containing names, SSNs, dates of birth, and addresses, but not medical information, which the doctor had previously removed.   Unknown
Oct. 14, 2006 T-Mobile USA Inc.
(Bellvue, WA)
Portable Unencrypted Data Breach
A laptop computer holding personally identifiable information of approximately 43,000 current and former T-Mobile employees disappeared from a T-Mobile employee's checked luggage. T-Mobile has reportedly sent letters to all those affected. The data are believed to include names, addresses, SSNs, dates of birth and compensation information.
  43,000 current and former employees
Oct. 15, 2006 Poulsbo Department of Licensing
(Poulsbo, WA)
Portable Unencrypted Data Breach
An unspecified “storage device” containing personally identifiable data of approximately 2,200 North Kitsap (WA) residents has been lost from the Poulsbo Department of Licensing. The data include names, addresses, photographs and driver's license numbers of individuals who conducted transactions at the Poulsbo branch in late September.
  2,200
Oct. 16, 2006 Germanton Elementary School
(Germanton, NC)
Portable Unencrypted Data Breach
A computer stolen from Germanton Elementary school holds students' SSNs. The data on the computer are encrypted.
  Unknown
Oct. 16, 2006 VISA/FirstBank FirstBank sent a letter to an unknown number of customers informing them their FirstTeller Visa Check Card numbers were compromised when someone accessed “a merchant card processor's transaction database.” The FirstBank letter said customers would receive new cards by October 27.   Unknown
Oct. 16, 2006 Dr, Charles Kay of Orchard Family Practice
(Englewood, CO)
Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files. HIPAA Unknown
Oct. 17, 2006 City of Visalia, Recreation Division
(Visalia, CA)
Personally identifiable information of approximately 200 current and former Visalia Recreation Department employees was exposed when copies of city documents were found scattered on a city street.   200 current and former employees
Oct. 19, 2006 Allina Hospitals and Clinics
(Minneapolis-St. Paul, MN)
Portable Unencrypted Data Breach
A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005.
HIPAA Individuals in 17,000 households
Oct. 19, 2006 University of Minnesota/Spain Portable Unencrypted Data Breach
In June, a University of Minnesota art department laptop computer stolen from a faculty member while traveling in Spain holds personally identifiable information of 200 students.
  200 students (not included in total)
Oct. 20, 2006 Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System
(New York, NY)
Portable Unencrypted Data Breach
On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis, was stolen from the hospital.
HIPAA 1,600 veterans who receive pulmonary care at the facility
Oct. 21, 2006 Bowling Green Police Dept.
(Bowling Green, OH)
The police dept. accidentally published a report on their website containing personal information on nearly 200 people the police had contact with on Oct. 21. Data included names, Social Security numbers, driver's license numbers, etc .   Approx. 200 victims or suspects
Oct. 23, 2006 Sisters of St. Francis Health Services via Advanced Receivables Strategy (ARS), a Perot Systems Company
(Indianapolis, IN)
(866) 714-7606
On July 28, 2006, a contractor working for Advanced Receivables Strategy, a medical billing records company, misplaced CDs containing the names and SSNs of 266,200 patients, employees, physicians, and boad members of St. Francis hospitals in Indiana and Illinois. Also affected were records of Greater Lafayette Health Services. The disks were inadvertently left in a laptop case that was returned to a store. The purchaser returned the disks. The records were not encrypted even though St. Francis and ARS policies require encryption. HIPAA 260,000 patients and about 6,200 employees, board members and physicians for a total of 266,200
Oct. 23, 2006 Chicago Voter Database
(Chicago, IL)
An official from the not-for-profit Illinois Ballot Integrity Project says his organization hacked into Chicago's voter database, compromising the names, SSNs and dates of birth of 1.35 million residents. The Chicago Election Board is reportedly looking into removing SSNs from the database. Election officials have patched the flaw that allowed the intrusion.   1.35 million Chicago residents
Oct. 24, 2006 Jacobs Neurological Institute
(Buffalo, NY)
Portable Unencrypted Data Breach
The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data.
  Unknown
Oct. 25, 2006 Transportation Security Administration (TSA)
(Portland, OR)
Portable Unencrypted Data Breach
A thumb drive is missing from the TSA command center at Portland International Airport and believed to contain the names, addresses, phone numbers and Social Security numbers of approximately 900 current and former employees.
  900 current and former Oregon TSA employees
Oct. 25, 2006 Swedish Medical Center, Ballard Campus
(Seattle, WA)
(800) 840-6452
An employee stole the names, birthdates, and Social Security numbers from patients who were hospitalized or had day-surgeries from June 22 to Sept 21. She used 3 patients' information to open multiple credit accounts.   Up to 1,100 patients
Oct. 25, 2006 Tuscarawas County and Warren County
(OH)
The Social Security numbers of some Tuscarawas and Warren County voters were available on the LexisNexis Internet database service.
Update (11/1/06): LexisNexis says it has now removed the SSNs.
  Unknown
Oct. 26, 2006 Akron Children's Hospital
(Akron, OH)
Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information. HIPAA 235,903
Oct. 26, 2006 Hilb, Rogal & Hobbs
(Plymouth Meeting, PA)
Portable Unencrypted Data Breach
In September 2006, a laptop computer was stolen from the insurance brokerage firm. It contained client information including the names, birthdates, and drivers license numbers of Villanova University students and staff who drive university vehicles.
  1,243 Villanova University students and staff
Oct. 27, 2006 Gymboree
(San Francisco, CA)
Portable Unencrypted Data Breach
A thief stole 3 laptop computers from Gymboree's corporate headquarters. They contained unencrypted human resources data (names and Social Security numbers) of thousands of workers.
  up to 20,000 employees
Oct. 27, 2006 Hancock Askew & Co.
(Savannah, GA)
Portable Unencrypted Data Breach
On October 5, 2006, a laptop computer containing 401(k) information for employees of at least one company (Atlantic Plastics, Inc.) was stolen from accounting firm Hancock Askew.
  Unknown
Oct. 27, 2006 Hertz Global Holdings, Inc.
(Oklahoma City, OK)
1-888-222-8086
The names and Social Security numbers of Hertz employees dating back to 2002 were discovered on the home computer of a former employee.   Unknown
Oct. 30, 2006 Georgia county clerk of courts' web sites A Georgia TV station reported that SSNs could be found on some records posted on county clerk of court web sites, specifically for individuals with federal tax liens filed against them. At least one county clerk -- Cherokee County -- is now removing SSNs from the web site.   Unknown
Oct. 31, 2006 Avaya
(theft occurred in Maitland, FL, office of company, headquartered in Basking Ridge, NJ)
Portable Unencrypted Data Breach
A laptop stolen from an Avaya employee on October 16 in Florida contained personally identifiable information, including names, addresses, W-2 tax form information and SSNs.
  Unknown
Nov. 1, 2006 U.S. Army Cadet Command
(Fort Monroe, VA)
1-866-423-4474
Email: mydata@
usaac.army.mil
Portable Unencrypted Data Breach
A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, Social Security numbers, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship.
  4,600 high school seniors
Nov. 2, 2006 Colorado Dept. of Human Services via Affiliated Computer Services (ACS)
(Dallas, TX)
For questions, call ACS at (800) 350-0399
Portable Unencrypted Data Breach
On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. Computer also contained the state's Directory of New Hires.
  Up to 1.4 million
Nov. 2, 2006 Greater Media, Inc.
(Philadelphia, PA)
Portable Unencrypted Data Breach
A laptop computer containing the Social Security numbers of the radio broadcasting company's current and former employees was stolen from their Philadelphia offices.
  Unknown
Nov. 2, 2006 McAlester Clinic and Veteran's Affairs Medical Center
(Muskogee, OK)
Portable Unencrypted Data Breach
Three disks containing billing information, patient names and Social Security numbers, were lost in the mail.
  1,400 veterans
Nov. 2, 2006 Intermountain Health Care
(Salt Lake City, UT)
Portable Unencrypted Data Breach
A computer was purchased at a second-hand store, Deseret Industries, that contained the names, Social Security numbers, employment records, and other personal information about Intermountain Health Care employees employed there in 1999-2000.
HIPAA 6,244
Nov. 2, 2006 Compulinx
(White Plains, NY)
The CEO of Compulinx was arrested for fraudulently using employees' names, addresses, Social Security numbers and other personal information for credit purposes. (It is unclear whether customers' data was also used).   Up to 50 Compulinx employees
Nov. 3, 2006 University of Virginia
(Charlottesville, VA)
Due to a computer programming error, Student Financial Services sent e-mail messages to students containing 632 other students' Social Security numbers.   632 students
Nov. 3, 2006 West Shore Bank
(Ludington, MI)
Customers' debit cards and possibly credit cards were compromised from a security break last summer at a common MasterCard point-of-purchase provider.   About 1,000
Nov. 3, 2006 Wesco
(Muskegon, MI)
Wesco gas stations experienced a breach in credit card transactions from July 25-Sept. 7 resulting in inaccurate charges to customer accounts.   Unknown
Nov. 3, 2006 Starbucks Corp.
(Seattle, WA)
1-800-453-1048
Portable Unencrypted Data Breach
Starbucks lost track of four laptop computers. Two held employee names, addresses, and Social Security numbers.
  60,000 current and former U.S. employees and about 80 Canadian workers and contractors
Nov. 3, 2006 Several Joliet area motels
(Joliet, IL)
Motel owners and employees allegedly stole and sold customers' credit card numbers.   Unknown
Nov 7, 2006 City of Lubbock
(Lubbock, TX)
Hackers broke into the city's web site and compromised the online job application database, which included Social Security numbers.   5,800
Nov. 9, 2006 Four ARCO gas stations
(Costa Mesa, CA)
(Westminster, CA)
(Torrance, CA)
From Sept. 29 to Oct. 9, thieves used card skimmers to steal bank account numbers and PIN codes from gas station customers and used the information to fabricate debit cards and make ATM withdrawals.   At least 440
Nov. 10, 2006 KSL Services, Inc.
(Los Alamos, NM)
Portable Unencrypted Data Breach
A disk containing the personal information of approximately 1,000 KSL employees is missing. KSL is a contractor for Los Alamos National Laboratory.
  Approximately 1,000
Nov. 13, 2006 Connors State College
(Warner, OK)
(918) 463-6267
perline@
connorsstate.edu
Portable Unencrypted Data Breach
On Oct. 15, a laptop computer was discovered stolen from the college. (It has since been recovered by law enforcement). The computer contains Social Security numbers and other data for Connors students plus 22,500 high school graduates who qualify for the Oklahoma Higher Learning Access Program scholarships.
  Considerably more than 22,500
Nov. 15, 2006 Internal Revenue Service
(Washington, DC)
Portable Unencrypted Data Breach
According to document s obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. .
  Unknown
Nov. 16, 2006 American Cancer Society
(Louisville , KY, offices, HQ in Atlanta , GA)
If you have tips, call (502) 574-5673
Portable Unencrypted Data Breach
An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any.
HIPAA Unknown
Nov. 16, 2006 Carson City residents
(Carson City, NV)
The Sheriff's Department reported that at least 50 residents had their credit card information stolen by employees of local businesses. The employees apparently sell the account information to international crime rings that produce counterfeit cards. The crime is called "skimming."   50
Nov. 17, 2006

Jefferson College of Health Sciences
(Roanoke, VA)

 

An email containing the names and SSNs of 143 students intended for one employee was inadvertently sent to the entire student body of 900. HIPAA 143
Nov. 17, 2006 Automatic Data Processing (ADP)
(Roseland , NJ)
ADP sent paperwork for a small Wisconsin company to a Cordova, TN coffee house. The paperwork contained names, birth dates, SSNs, addresses, salaries, and bank account and routing numbers   Unknown
Nov. 20, 2006 Administration for Children's Services
(New York , NY)
More than 200 case files from the Emergency Children's Services Unit of ACS were found on the street in a plastic garbage bag. The files contain sensitive information of families, social workers and police officers.   200 case files
(not included in Total because it is not clear if SSNs were exposed)
Nov. 25, 2006 Indiana State Department of Health via Family Health Center of Clark County
(Jeffersonville, IN)
Portable Unencrypted Data Breach
Two computers stolen from an Indiana state health department contractor contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program.
HIPAA 7,700
Nov. 27, 2006 Johnston County, NC Personal data, including SSNs, of thousands of taxpayers, were inadvertently posted on the county web site . The information was removed from the site within an hour after officials became aware of the situation.   Unknown
Nov. 27, 2006 Greenville County School District
(Greenville, SC)
Portable Unencrypted Data Breach
School district computers sold to the WH Group at auctions between 1999 and early 2006 contained the birth dates, SSNs, driver's license numbers and Department of Juvenile Justice records of approximately 100,000 students. The computers also held sensitive data for more than 1,000 school district employees.
UPDATE (12/10/06): A judge ordered the WH Group to return the computers and the confidential data on them to the school district.
  At least 101,000 students and employees
Nov. 27, 2006 Chicago Public Schools via All Printing & Graphics, Inc.
(Chicago, IL)
A company hired to print and mail health insurance information to former Chicago Public School employees mistakenly included a list of the names, addresses and SSNs of the nearly 1,740 people receiving the mailing. Each received the 125-page list of the 1,740 former employees.   1,740 former Chicago Public School employees
Nov. 28, 2006 Kaiser Permanente Colorado -- its Skyline and Southwest offices
(Denver, CO)
For members who have questions:
(866) 529-0813 .
Portable Unencrypted Data Breach
A laptop was stolen from the personal car of a Kaiser employee in California on Oct. 4. It contained names, Kaiser ID number, date of birth, gender, and physician information. The data did not include SSNs.
  38,000
(not included in total, because SSNs were apparently not exposed)
Nov. 28, 2006 Cal State Los Angeles, Charter College of Education
(Los Angeles, CA)
(800) 883-4029
Portable Unencrypted Data Breach
An employee's USB drive was inside a purse stolen from a car trunk. It contained personal information on 48 faculty members and more than 2,500 students and applicants of a teacher credentialing program. Information included names, SSNs, campus ID numbers, phone numbers, and e-mail addresses.
  2,534
Nov. 30, 2006 Pennsylvania Dept. of Transportation
(Hanover township driver's license facility, Dunmore, PA)
Affected individuals can call (800) PENNDOT if you have questions.
Call PA Crimestoppers if you have tips, (800) 4PATIPS, reward offered.
Thieves stole equipment from a driver's license facility late evening Nov. 28, including computers containing personal information on more than 11,000 people. Information included names, addresses, dates of birth, driver's license numbers and both partial and complete SSNs (complete SSNs for 5,348 people). Also stolen were supplies used to create drivers licenses and photo IDs. The state maintains 97 driver's license facilities.   11,384
Nov. 30, 2006 TransUnion Credit Bureau via Kingman, AZ, court office Four different scam companies downloaded the credit information of more than 1,700 individuals, including their credit histories and SSNs. They were able to illegitimately obtain the password to the TransUnion account held by the Kingman, AZ, court office, which apparently has a subscription to the bureau's services.   "more than 1,700 people"
Dec. 1, 2006 TD Ameritrade
(Bellevue, NE)
(201) 369-8373
Portable Unencrypted Data Breach
According to a letter sent to employees, a laptop was removed (presumably stolen) from the office Oct. 18, 2006, that contained unencrypted information including names, addresses, birthdates, and SSNs.
  about 300 current and former employees
Dec. 2, 2006 Gundersen Lutheran Medical Center
(LaCrosse, WI)
A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint.. HIPAA unknown
Dec. 3, 2006 City of Grand Prairie
(Grand Prairie, TX)
Employees of the city of Grand Prairie were notified that personal records were exposed on the city's Web site for at least a year. Included were the names and SSNs of "hundreds of employees." The information has since been removed. The city had been working with a contractor on a proposal for workers' compensation insurance. Along with the proposal, names and SSNs were mistakenly listed.   "hundreds of employees"
Dec. 5, 2006 Army National Guard 130th Airlift Wing
(Charleston, WV)
Portable Unencrypted Data Breach
A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing.
  Unknown
Dec. 5, 2006 Nassau Community College
(Garden City, NY)
A printout is missing that contains information about each of NCC's 21,000 students, including names, SSNs, addresses, and phone numbers. It disappeared from a desk in the Student Activities Office.   21,000 students
Dec. 6, 2006 Premier Bank
(Columbia, MO, with HQ in Jefferson City, MO)
A report was stolen the evening of Nov. 16 from the car of the bank's VP and CFO while employees were celebrating an award received by the bank. The document contained names and account numbers of customers, but reportedly no SSNs.   1,800 customers
Dec. 8, 2006 Segal Group of New York, via web site of Vermont state agency used to call for bids on state contracts
(Montpelier, VT)
Names and SSNs of "several hundred" physicians, psychologists and other health care providers were mistakenly posted online by Segal Group, a contractor hired by the state to put its health management contract out for bid. The information was posted from May 12 to June 19. It was discovered when a doctor found her own SSN online.   "several hundred, likely more" health care providers
Dec. 9, 2006 Virginia Commonwealth University
(Richmond, VA)
Personal information of 561 students was inadvertently sent as attachments on Nov. 20 in an e-mail, including names, SSNs, local and permanent addresses and grade-point averages. The e-mail was sent to 195 students to inform them of their eligibility for scholarships.   561 students
Dec. 12, 2006 University of California - Los Angeles
(Los Angeles, CA)
Affected individuals can call UCLA at (877) 533-8082.
www.identityalert.
ucla.edu
Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. About 3,200 of those notified are current or former staff and faculty of UC Merced and current and former staff of UC's Oakland headquarters.   800,000
Dec. 12, 2006 University of Texas - Dallas
(Dallas, TX)
Affected individuals can call (972) 883-4325
www.utdallas.edu/
datacompromise/
form.html
The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail addresses.   6,000 current and former students, faculty, staff, and others
Dec. 12, 2006 Aetna via Concentra Preferred Systems
(Dayton, OH)
Portable Unencrypted Data Breach
A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by Aetna vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC.
HIPAA 130,000
Dec. 13, 2006 Boeing
(Seattle, WA)
Portable Unencrypted Data Breach
In early December, a laptop was stolen from an employee's car. Files contained names, salary information, SSNs, home addresses, phone numbers and dates of birth of current and former employees.
  382,000 current and former employees
Dec. 14, 2006 Geisinger Health System via Electronic Registry Systems
(Danville, PA)
Police in suburban Springdale (Cincinnati, OH) reported that a computer was stolen from Electronic Registry Systems on Thanksgiving. It manages a cancer patient registry database for Geisinger. Patient data included names, addresses, birthdates, medical record numbers, and SSNs, dating back to 1980. Other businesses in the building were robbed that evening as well.
UPDATE (12/19/06): The computer contained records on cancer patients from five hospitals in Tennessee, Georgia, Pennsylvania, and Ohio.
HIPAA 25,000 patients
Dec. 14, 2006 Riverside High School
(Durham, NC)
Two students discovered a breach in the security of a Durham Public Schools computer as part of a class assignment. They reported to school officials that they were able to access a database containing SSNs and other personal information of thousands of school employees. The home of one student was searched by Sheriff's deputies and the family computer was seized.   "thousands of school employees"
Dec. 14, 2006 St. Vrain Valley School District
(Longmont, CO)
Paper records containing student information were stolen, along with a laptop, from a nurse's car Nov. 20. Personal information included students' names, dates of birth, names of their schools, what grade they are in, their Medicaid numbers (presumably SSNs), and their parents' names. The laptop contained no personal data.   600 students
Dec. 15, 2006 University of Colorado - Boulder, Academic Advising Center
(Boulder, CO)
www.colorado.edu
A server in the Academic Advising Center was the subject of a hacking attack. Personal information exposed included names and SSNs for individuals who attended orientation sessions from 2002-2004. CU-Boulder has since ceased using SSNs as identifiers for students, faculty, staff, and administrators.   17,500
Dec. 15, 2006 City of Wickliffe
(Wickliffe, OH)
Hackers breached security in one of the city's three computer servers containing personal information on some city employees, including names and SSNs.   125 employees
Dec. 19, 2006 Mississippi State University
(Jackson, MS)
SSNs and other personal information were "inadvertently" posted on a publicly accessible MSU Web site. The breach was discovered "last week" and the information has since been removed.   2,400 students and employees
Dec. 20, 2006 Lakeland Library Cooperative - serving 80 libraries in 8 counties
(Grand Rapids, MI)
Personal information of 15,000 library users in West Michigan was displayed on the Cooperative's Web site due to a technical problem. Information exposed included names, phone numbers, e-mail addresses, street addresses, and library card numbers. Children's names were also listed along with their parents' names on a spreadsheet document. The information has since been removed.   15,000 library users
Dec. 20, 2006 Big Foot High School
(Walworth, WI)
Personal information was accidentally exposed on the High School's Web site for a short time, perhaps for about 36 minutes, according to a report. Information included last names, SSNs, and birthdates.   87 current and former employees
Dec. 20, 2006 Lake County residents, plus Major League Baseball players
(Northbrook, IL)
A Chicago man apparently removed documents from a trash bin outside SFX Baseball Inc., a sports agency that deals with Major League Baseball. He used information found on those documents to commit identity theft on at least 27 Lake County residents. Information found during a search of the thief's home included SSNs, birthdates, canceled paychecks, obituaries, and infant death records.   27 residents of Lake County plus about 90 current and retired Major League Baseball players for a total of 117 individuals
       

100,214,930

 
 
 
Copyright © 2002-20012 Artemis Solutions Group, Use of this site or purchase subject to these Terms and Conditions of use.
Some images used on this website are Copyright (c) Comstock and used under license.