Client Report – Cyber Liability Focus

Miami VA Healthcare System ______

Company Profile Credit Details

Location 1201 NW 16th St Overall Credit Risk High Risk Miami, FL www.miami.va.gov Number of Legal Derogatory 3 Company Type Non-Profit Items Liability Amount Formerly Known As N/A Experian Intelliscore 10.76 SIC Code 8062 SIC Code Description General Medical And Surgical Hospitals Experian Intelliscore Percentile 8 % of companies score lower and have higher credit risk

Established N/A Experian Commercial IntelliscoreSM is an all-industry commercial model using business information to predict business risk. Its Sales (in millions) $7.30 predictiveness is among the best on the market today The objective of the Commercial Intelliscore Model is to predict seriously Employees 99 derogatory payment behavior. Possible score range from 0 to 100, where 0 is high risk and 100 is low risk Total OSHA Violations 2961 -Liability Amount is the total dollar amount of debtor’s legal liability, OSHA is an arm of the Department of Labor that conducts inspections of company including accounts in collection, tax liens,judgments and/or bankruptcies facilities with the goal of preventing work-related injuries, illnesses and deaths. -The Number of Legal Derogatory items are the sum of Tax-Lien Worksites that do not meet health and/or safety standards at the time of inspection may Count, Bankruptcy,Judgment, Collection-Counter and UCC Derog receive an OSHA violation. Business Description Miami VA Healthcare System serves Veterans in three South Florida counties: Miami-Dade, Broward, and Monroe, with an estimated veteran population of 175,000. Its parent facility The Bruce W. Carter Department of Veterans Affairs Medical Center is located on 26.3 acres in downtown Miami and opened in 1968. The Medical Center opened in 1968. The Miami VA is a comprehensive medical provider, providing general medical, surgical, inpatient and outpatient mental health services, the Miami VA Healthcare System includes an AIDS/HIV center, a prosthetic treatment center, spinal cord injury rehabilitative center, and Geriatric Research, Education, and Clinical Center (GRECC). The Miami VA Healthcare System is recognized as a Center of Excellence in Spinal Cord Injury Research, Substance Abuse Treatment and is a recognized Chest Pain Center. In addition to serving South Florida, the Miami VA is the tertiary referral facility for the West Palm Beach VAMC and provides open-heart surgery and other specialty services to other VA facilities in Florida and the country. The Miami VA Healthcare System operates 432 hospital beds, including a 4-story community living center attached to the main facility. It is also responsible for two major satellite Outpatient Clinics located in Broward County and Key West, five Community Based Outpatient Clinics located in Homestead, Key Largo, Pembroke Pines, Hollywood and Deerfield Beach and an Outpatient Substance Abuse Clinic and Healthcare for Homeless Veterans Center in Miami.

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 1

Key Personnel Name Age Title Officer Since Vincent A. DeGennaro N/A Chief N/A In a fast paced and technologically advanced world, there still remain special times when we pause and reflect upon people who have made significant contributions to society. Today is such a day and Dr. Vincent A. DeGennaro is such a person. Through his good works and high moral standards Dr. DeGennaro has helped make our community a better place in which to live, a safer place to grow and prosper. A gifted surgeon who possesses impeccable credentials and in an era of ever changing medical guidelines and procedures maintains a keen understanding of and a strong devotion to his profession.

His activities have earned him the FMA's Harold F. Stasser Good Samaritan Award, the Humanitarian Award of the Caducean Society of Fort Lauderdale and the University of Miami Department of Surgery Humanitarian Award. Marcia Lysaght N/A Director - Other N/A Mrs. Lysaght joined the VA system in 2003 and was appointed the Associate Director for Patient Care Services on April 12, 2010. Prior to assuming this position, Mrs. Lysaght served as the Director of Case Management & Utilization Management at the Culinary Health Fund and Director of Quality for the Health Services Coalition in Las Vegas which included 23 health plans encompassing 350 thousand lives. In addition, she previously held academic and leadership/administrative positions at the Loma Linda VAMC, Victor Valley California College, St. Jude California Medical Center, Santa Ana Western Medical Center, and the Desert Valley Hospital in California.

Mrs. Lysaght has an extensive background as a case manager, educator, quality management specialist, and administrator. She received her Bachelor s in Science from the California State University Fullerton (CSUF), and her Master s in Science in Nursing with emphasis on Business Administration from the University of California, Los Angeles (UCLA).

Mrs. Lysaght was born in Trinidad and enjoys cultural festivities. She manages to effectively balance a successful and demanding nursing leadership position with work and family life. She is a wife, mother and grandmother. Mark E. Morgan N/A Director - Other N/A Mark E. Morgan, is a senior healthcare executive with over 24 years of experience in healthcare administration, strategic planning, operations, logistics, human resources, safety, security and emergency management. Mr. Morgan joined the Miami VA Healthcare System as Associate Director in October of 2012.

Mark joined the Miami VA team following his service as the Assistant Director of the Portland VA Healthcare System. Prior to that, he was the Assistant Chief of the Central Business Office, Central Arkansas Veterans Healthcare System, in Little Rock, Arkansas. Mr. Morgan is a graduate of the 2009-2011 Executive Career Field Program, 2009 Healthcare Leadership Institute and is currently a fellow in the 2012 Leadership VA program.

Top Company Cyber Liability Cases by Settlement Amount Company Acc/Filing Amount Category Subtype Docket Number Court State Date (in millions) Veterans Affairs, United 5/22/2006 $20.000 Cyber/Identity Risks Digital Data Breach, 2006 CV 00506 District of Columbia States Dept Of Loss, or Theft MDL 1796 - On November 14, 2006, the Judicial Panel for Multidistrict Litigation (JPML) consolidated actions to recover damages resulting from a personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home. An employee took home electronic data containing the names, Social Security numbers and dates of birth for millions of veterans and some spouses, as well as some disability ratings. The case was filed in U.S. District Court, District of Columbia (In Re: Department of Veterans Affairs (VA) Data Theft Litigation, MDL Docket No. 1796). MDL 1796 consist of one action each in the District of District of Columbia, the Eastern District of Kentucky, and the Eastern District of New York. Defendants moved the Panel, pursuant to 28 U.S.C. 1407 for an order centralizing this litigation in the District of District of Columbia. Plaintiffs in the District of Columbia action support Defendant's motion. Plaintiffs in the Eastern District of Kentucky action and the Eastern District of New York action oppose the motion and, alternatively support transfer to the Eastern District of Kentucky. The JPMDL assigned Judge James Robertson to oversee lawsuits enjoined in the MDL. On February 11, 2009, the court granted Preliminary Approval of class action Settlement. On September 23, 2009, the court issued an order granting Final Approval of Class Action Settlement and Final Judgment. The Veterans Affairs Department agreed to pay $20 million to veterans for exposing them to possible identity theft in 2006 by losing their sensitive personal information. On November 18, 2009, Plaintiffs appeal for new trial. United States 1/1/1996 $4.000 Cyber/Identity Risks Digital Data Breach, Department Of Loss, or Theft Agriculture

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 2

Fed Breach Leaks Social Security Numbers: The Social Security numbers of up to 150,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday. The breach was discovered by Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill. I was Googling my farm name at 11 p.m. when I couldn't sleep, she said in a telephone interview, and details of her land loan came up in the second listing of the Google (nasdaq: GOOG - news - people ) search, a private Web site that reposted the government data. Chris Hoofnagle, senior attorney at the University of California at Berkeley law school clinic on technology, said the only federal law violated by such a breach is the Privacy Act, but the Supreme Court had ruled last year that victims could only collect damages for measurable losses to ID thieves, not merely for anxiety. When the breach was reported to the Agriculture Department on April 13, there were Social Security numbers for 47,000 recipients of grants from the department's Farm Services Agency and from USDA Rural Development on a public Web site maintained by the Census Bureau. The department said the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981. But the data has only been posted on the Internet by the Census Bureau since 1996. The Census Bureau collects the grants made by 33 federal agencies and posts them on the Internet without analysis. By law, the names of these recipients and how much money they got are public records. The disclosure comes six months after a congressional report found federal workers at 19 agencies had lost personal information affecting thousands of employees and the public, raising concerns about the government's ability to protect sensitive information. In all, the House Government Reform Committee reported 788 incidents involving the loss or compromise of sensitive personal information since Jan. 1, 2003. Teuber said the two Agriculture Department programs involved gave each grant a 15-digit identifying number. Included among those digits was the recipient's 9-digit Social Security number. There was nothing on the Web site that indicated the grant number contained the Social Security number, but the recipient who reported the problem recognized her Social Security number in the grant number, Teuber said. To avoid revealing information that could increase the vulnerability of this private data, Teuber said Agriculture was not releasing more details, including the Web address, of the government site where this information was disclosed until all potentially compromised recipients have been notified. The Agriculture Department is sending registered mail notifications to 150,000 recipients identified as having been part of the public database since 1981, but Teuber said some people are likely to be on that list more than once. At an estimated taxpayer cost of $4 million, Agriculture is offering each of them free credit monitoring for one year, Teuber said. (April 20, 2007 - Associated Press) Federal Motor Carrier 1/1/2008 $2.773 Cyber/Identity Risks Identity Theft/Fraudulent 2008 CV 01208 California Safety Administration Use or Access On August 10, 2009 several weeks after his codefendant was sent to prison for nearly six years, a Los Feliz man was sentenced today to 55 months in federal prison for using a federal Internet site and the United States mails to defraud trucking companies of more than $2.7 million. Viacheslav Berkovich, 34, of the Los Feliz section of Los Angeles, was sentenced today by United States District Judge John F. Walter. In addition to the prison term, Judge Walter ordered Berkovich to pay restitution to the approximately 300 victims of the scheme. Judge Walter previously sentenced Berkovich's co-defendant to 70 months in prison. Nicholas Lakes, also known as Dmitry Nadezhdin, 35, of Glendale, California, was sentenced on June 29. Judge Walter imposed a tentative restitution order of $2,773,074 , which will be finalized after the court considers additional submissions from attorneys in the case. The government already has recovered $1.4 million from Lakes. Lakes and Berkovich pleaded guilty in February to computer fraud and mail fraud charges, admitting that they defrauded trucking brokers and trucking companies through use of the Internet. Using bogus corporate and individual identities, Lakes and Berkovich accessed the Safety and Fitness Electronic Records System (SAFER) Internet website of the Federal Motor Carrier Safety Administration of the United States Department of Transportation. The government provides the SAFER website to the trucking industry to register brokerages that offer trucking jobs to move goods by truck and trucking companies that move those goods. Lakes and Berkovich accessed the SAFER website with the intent to use a fictitious brokerage to transact trucking loads and collect payment from the original broker. Lakes and Berkovich fraudulently accessed the SAFER website and commercial "loadboards" to bid on trucking jobs from legitimate brokerages and then "double broker" the jobs to legitimate trucking companies. Lakes and Berkovich collected payment from the legitimate brokerages, but never paid the victim trucking companies for the actual trucking work that was done. As an example of a fraudulent transaction, in January 2008, Lakes and Berkovich accessed the Internet Truckstop "loadboard" and obtained information about a trucking load being brokered by Dallas-based Stevens Transport. Using the name of Vega Trucking, one of the fictitious companies they had registered on the SAFER website, Lakes and Berkovich agreed with Stevens Transport to transport the load for $3,400. Lakes and Berkovich then used the name of Barkfelt Transport, a fraudulent trucking brokerage, to double-broker the load by hiring victim RK Trucking to transport the load for $4,000. RK Trucking transported the load, but never got paid for its work. Lakes and Berkovich, however, received a $3,390 check in the mail from Stevens Transport. National Aeronautics and 2/1/2001 $1.190 Cyber/Identity Risks Digital Data Breach, Space Administration Loss, or Theft A British computer hacker lost his appeal against extradition to the United States, where he is accused of breaking into Pentagon and NASA networks - something he says he did to search for UFO records. Gary McKinnon, 42, faces extradition and trial for what U.S. officials say was a series of cyber attacks that stole passwords, attacked military networks and wrought hundreds of thousands of dollars worth of computer damage in what is claimed in one document to be 'the biggest military computer hack of all time'. The decision by Britain's House of Lords exhausts McKinnon's legal options in Britain; an appeal to the European Court of Human Rights in Strasbourg, France has resulted in a two-week delay. While appealing, he is banned from travelling abroad, forced to report to police every Friday, and barred from accessing the internet. U.S. prosecutors allege that McKinnon trespassed onto more than 90 computer systems belonging to the U.S. Army, Navy, Air Force, Department of Defense and NASA between February 2001 and March 2002, causing over $1.1 million worth of damage and interfering with critical operations in the wake of the 9/11 terrorist attacks. McKinnon has acknowledged accessing the computers. But he disputes the reported damage and says he did it because he wanted to find evidence that America was concealing the existence of aliens. McKinnon was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account. He used a 56k modem, a cheap computer, a programming language known as PERL, and RemotelyAnywhere software, and has bragged that 'I could scan 65,000 machines in less than nine minutes.' In the end, the ease with which he could hack the systems became his undoing. 'I got sloppy. I went to places directly rather than jump through systems. Nasa tracked back my IP address.' He faces a maximum penalty of five years in federal prison and a $250,000 fine. U.S. Securities and 11/9/2012 $0.200 Cyber/Identity Risks Undetermined/Other Exchange Commission SEC Computers Vulnerable To Cyber Attacks: Securities and Exchange Commission staffers have failed to encrypt computers containing sensitive information from stock exchanges, sources familiar with the issue have stated, adding that they rendered the computers vulnerable to a host of cyber attacks. Reportedly, the computers under review belonged to employees in the SEC Trading and Markets Division. And the irony is that the same office is responsible for ensuring exchanges follow guidelines to protect markets from potential cyber threats and system faults. Some of the devices under consideration were even brought to a Black Hat convention where computer hacking experts gathered to discuss trends, Reuters has reported. The lapses in the Trading and Markets Division are laid out in a yet-to-be-released report. This news comes on the heels of SEC encouraging companies to get serious with cyber attacks. Cyber security has become a pressing issue as companies including Lockheed Martin Corp to Bank of America Corp have fallen victim to hacking in recent years. Apparently, the agency was forced to spend at least $200,000 and hire a third-party firm to conduct a thorough analysis to make sure none of the data was compromised, Reuters has pointed out. The SEC also notified exchanges about the incident. "From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," Rich Adamonis, a spokesman for the New York Stock Exchange told Reuters. The SEC Trading and Markets Division, involving several hundred staffers, is responsible for overseeing the U.S. equity markets, ensuring compliance with rules and writing regulations for exchanges and brokerages. The division is entrusted with the task to ensure exchanges follow a series of voluntary guidelines known as "Automation Review Policies," or ARPs. These policies call for exchanges to establish programs concerning computer audits, security and capacity. They are a road map to the capital markets' infrastructure. SEC Chairman Mary Schapiro recently stated the SEC was working to convert the ARP guidelines into rules after a software error at Knight Capital Group bankrupt the brokerage and led to a $440 million trading loss. (November 9, 2012 - ibtimes.com) Federal Emergency 4/4/2008 $0.156 Cyber/Identity Risks Identity Theft/Fraudulent Management Agency Use or Access

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 3

Former FEMA Worker Convicted of Identity Theft: WASHINGTON - A former FEMA employee has been convicted of stealing the identities of more than 200 people and fraudulently opening credit accounts worth about $156,000. Robert Davis, 44, of Southeast D.C., pled guilty last Friday to one count of wire fraud and one count of aggravated identity theft in U.S. District Court. The U.S. Attorney says Davis stole the identities while working as a FEMA human services specialist. About 30 of his scams involved victims of natural disasters. Davis also worked as a clerk for various mortgage companies in the District. After obtaining personal information, Davis called retailers and opened credit accounts in their names. Davis used the identities of at least 74 victims to open accounts with the Home Shopping Network, QVC and others. Some items he received included diamond jewelry, designer watches and digital cameras. Davis faces between four to seven years in prison when he is sentenced in June. (April 7, 2008 - wtop.com) Bureau of Prisons 1/1/1999 $0.020 Cyber/Identity Risks Identity Theft/Fraudulent 2011 CR 00231 Texas Use or Access Plano Couple Plead guilty to Health Care Fraud in State and Federal Probe: DALLAS - On September 1, 2011, Joanna Jones Ellis Kemp, 68, and her husband, Peter A. Kemp, 67, both of Plano, Texas, each appeared in federal court before U.S. Magistrate Judge Irma C. Ramirez and pleaded guilty to one count of conspiracy to commit false statements relating to health care matters, announced U.S. Attorney James T. Jacks of the Northern District of Texas. They each face a maximum statutory sentence of five years in prison and a $250,000 fine. In addition, restitution could be ordered. Sentencing is set for December 21, 2011, before U.S. District Judge Ed Kinkeade.

According to documents filed in the case, Joanna Kemp, a licensed psychologist, and Peter Kemp were general partners and operators of New Horizons General Partnership. Joanna Kemp served as New Horizons' Director and Qualified Mental Retardation Professional (QMRP) and Peter Kemp served as the Administrator. New Horizons consisted of three intermediate care facilities for persons with mental retardation or a related condition (ICF/MR) that were located on Redbird Lane in Granbury, Texas and on Kenshire Drive and Sunridge Drive in Benbrook, Texas. These residential facilities provided 24-hour supervision for disabled persons with mental retardation or a related condition, such as cerebral palsy.

Joanna Kemp was also a contract employee for the Bureau of Prisons at the Federal Correctional Institution located in Seagoville, Texas (FCI-Seagoville). Joanna and Peter Kemp admitted that from at least January 1999 through April 2010, they conspired to unlawfully enrich themselves by defrauding the Texas Medicaid program. As part of their scheme, Joanna Kemp, during her contract employment as the special education diagnostician at FCI-Seagoville, obtained the names and social security numbers of at least 12 inmates and other persons and used this stolen information to create "ghost" employees for New Horizons. They also created false time sheets for these ghost employees and their CPA unwittingly relied on these false representations to process the payroll, issue payroll checks and prepare cost reports for New Horizons. Joanna and Peter Kemp opened three bank accounts, which were never disclosed to the CPA, which they used to deposit the ghost employees' pay checks after Joanna forged endorsement signatures. They then transferred the monies from the secret accounts to other bank and investment accounts they used for their own personal benefit. In addition, Joanna Kemp submitted to Medicaid false claims for ICF/MR services, for at least 10 residents, which were not rendered.

In total, Joanna and Peter Kemp fraudulently obtained $1,820,359 from the Texas Medicaid program.

On August 23, 2012, the court rendered judgment against Joanna Jones Ellis Kemp in 5 years probation, $20,000 fine jointly and severally with Peter Kemp, 100 hours community service and $100 in special assessment. Jet Propulsion 1/1/1998 $0.004 Cyber/Identity Risks Digital Data Breach, 2000 CV 01045 New York Laboratory Loss, or Theft Hacker Sentenced in New York City for Hacking into Two NASA Jet Propulsion Lab Computers Located in Pasadena, California: MARY JO WHITE, the United States Attorney for the Southern District of New York, announced that RAYMOND TORRICELLI, a/k/a "rolex," the head of a hacker group known as "#conflict," was sentenced today to four months in prison and four months of home confinement for, among other things, breaking into two computers owned and maintained by the National Aeronautics and Space Administration's Jet Propulsion Laboratory ("JPL"), located in Pasadena, California, and using one of those computers to host an Internet chat-room devoted to hacking. Chief United States District Judge MICHAEL B. MUKASEY also ordered TORRICELLI to pay a $4,400 in restitution to NASA. At his plea to five separate charges on December 1, 2000, TORRICELLI admitted that, in 1998, he was a computer hacker, and a member of a hacking organization known as "#conflict." TORRICELLI admitted that, operating from his residence in New Rochelle, New York, he used his personal computer to run programs designed to search the Internet, and seek out computers which were vulnerable to intrusion. Once such computers were located, TORRICELLI's computer obtained unauthorized access to the computers by uploading a program known as "rootkit." According to the Complaint, "rootkit" is a program which, when run on computer, allows a hacker to gain complete access to all of a computer's functions without having been granted these privileges by the authorized users of that computer. According to the Information and Complaint, one of the computers TORRICELLI accessed was used by NASA to perform satellite design and mission analysis concerning future space missions; another was used by JPL's Communications Ground Systems Section as an e-mail and internal web server. According to the Complaint, and his plea allocution, after gaining this unauthorized access to computers and loading "rootkit," TORRICELLI under his alias "rolex," used many of the computers to host chat-room discussions. According to the Complaint, TORRICELLI admitted that, in these discussions, he invited other chat participants to visit a website which enabled them to view pornographic images and that he earned 18 cents for each visit a person made to that website. According to the Complaint, TORRICELLI earned approximately $300-400 from per week from this activity. TORRICELLI also pled guilty to intercepting usernames and passwords traversing the computer networks of a computer owned by San Jose State University. In addition, TORRICELLI pled guilty to possession of stolen passwords and usernames which he used to gain free Internet access, or to gain unauthorized access to still more computers. According to the Complaint, TORRICELLI admitted that when he obtained passwords which were encrypted, he would use a password cracking program known as"John-the-Ripper" to decrypt the passwords. In addition, TORRICELLI pled guilty to possessing stolen credit card numbers; he admitted obtaining from other individuals and stored them on his computer. TORRICELLI admitted that he used one such credit card number to purchase long distance telephone service. According to the Complaint, much of the evidence obtained against TORRICELLI was obtained through a search of his personal computer. According to the Complaint, in addition to thousands of stolen passwords and numerous credit card numbers, investigators found transcripts of chat-room discussions in which TORRICELLI and members of "#conflict" discussed, among other things, (1) breaking into other computers (a practice known as "hacking"); (2) obtaining credit card numbers belonging to other persons and using those numbers to make unauthorized purchases (a practice known as "carding"); and (3) using their computers to electronically alter the results of the annual MTV Movie Awards. Ms. WHITE praised the investigative efforts of the National Aeronautics and Space Administration, Office of the Inspector General, Computer Crimes Division; the New Rochelle, New York, Police Department; and the Federal Bureau of Investigation. TORRICELLI, 20, lives in the New Rochelle, New York. (September 5, 2001 - US Department of Justice) Customs And Border 9/24/2009 $0.003 Cyber/Identity Risks Identity Theft/Fraudulent 2009 CV 02180 Arizona Protection, Bureau Of Use or Access On September 25, 2009, a complaint was filed by United States of America against Natan Ben-Shabat in the US District Court for the District of Arizona. The action was brought in relation to Natan Ben-Shabat's alleged Unauthorized Access to Government Computer. According to the complaint, Natan Ben-Shabat's was alleged that while he was employed as a U.S. Customs and order Protection Officer, Ben-Shabat abused his official access to the Consular Consolidated Database (CCD) and Treasury Enforcement Communications System (TECS) database to obtain personal information about a person he was suing in small claims court, and used the information to further his personal lawsuit. The information further alleges that Ben-Shabat induced other law enforcement officials, under the guise of official business, to access official records in the Arizona Criminal Justice Information System (ACJIS) database concerning the defendant in his personal lawsuit. On May 18, 2010, Natan Ben-Shabat was under probation for 3 years, $75 Special Assessment and $3,000 fined. Miami VA Healthcare 5/27/2011 $0.000 Cyber/Identity Risks Identity Theft/Fraudulent 2011 CR 20833 Florida System Use or Access On December 7, 2011, Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, Quentin Aucoin, Special Agent in Charge, U.S. Department of Veterans Affairs, Office of the Inspector General, Southeast Field Office, Vance Luce, Special Agent in Charge, U.S. Secret Service, Miami Field Office, and Enrique Gutierrez, Inspector in Charge, U.S. Postal Inspection Service, Miami Division announced the indictment of Tarakesha Kendrick, 32, of Miami.

The indictment charges that, on May 27 and September 16, 2011, Kendrick unlawfully possessed and transferred the identity information of other persons. Specifically, the indictment alleges that Kendrick committed seven counts of aggravated identity theft. According to a criminal complaint filed in the matter, Kendrick obtained the social security numbers, names, and dates of birth of patients at the VA Medical Center in Miami, where she worked in the Travel Benefits Section. The criminal complaint states that Kendrick sold this identity information to an undercover agent.

Kendrick will be arraigned at 10:00 a.m. on December 12, before U.S. Magistrate Judge Edwin G. Torres.

If convicted of the charge in Count 1, Kendrick faces a possible term of imprisonment of up to ten years in prison. If convicted of the charge in Count 4, she faces a possible term of imprisonment of up to fifteen years in prison. Additionally, Kendrick faces a possible term of imprisonment of two years as to each of Counts 2, 3, 5, 6, 7, 8, and 9 of the indictment, each of which must run consecutively to any sentence imposed on Counts 1 and 4.

On May 8, 2012, Kendrick sentenced 26 months imprisonment (2 months on Count 4, 24 months consecutive on Count 5), 3 years supervised release (3 years on Count 4, 1 year concurrent on Count 5) and $200 assessment.

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 4

Tennessee Valley 6/1/2000 $0.000 Cyber/Identity Risks Improper 2010 CV 00028 Kentucky Authority Disposal/Distribution, Loss or Theft (Printed Records) On January 12, 2010, Plaintiffs Norma Wiles, Thomas Wiles, Theresa Gibson and Wanta Evitt, all Kentucky residents, filed the proposed class action against defendants Ascom Transport System Inc., Downtown Owensboro Inc., Jones and Wenner Insurance, Nationwide Debt Recovery Service Inc., Tennessee Valley Authority and Xerox Corporation over the distribution of personal information from a state's motor vehicle records. The Kentucky plaintiffs claimed that Ascom violated the federal Driver's Privacy Protection Act, or DPPA, and their common law right to privacy when the company obtained in bulk and then used, resold and disclosed their personal information contained in the state's motor vehicle records without a permissible purpose under the act. The district court ruled in December 2010 that the bulk purchase of such motor vehicle records without a specific need for every record does not violate the DPPA, and ultimately granted Ascom's motion to dismiss the plaintiffs' third amended complaint. At that time, the district court also instructed the parties that it would consider dismissing specific elements of the third amended complaint. Ascom filed a motion to dismiss the case. On February 17, 2011, the court then granted Ascom's motion to dismiss and entered judgment in favor of the company and the other named defendants. The Kentucky plaintiffs appealed. On May 1, 2012, the federal appeals court upheld the dismissal. United States 3/8/2013 Cyber/Identity Risks Digital Data Breach, Department of Veterans Loss, or Theft Affairs On March 8, 2013, the Office of Information Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centers routinely transmit unencrypted sensitive personal data over the public Internet. The probe by the IG's office was launched following a complaint in 2012 that three VA Medical Centers in the Midwest Health Care Network were transmitting personally identifiable information over unencrypted telecommunications carrier networks. Investigators from the IG's office visited the three VA medical centers cited in the complaint. The IG's office discovered that unencrypted sensitive information, including names, Social Security Numbers, dates of birth, and protected health information of veterans and their dependents, were sent from the targeted VA centers to other VA facilities. In addition, the two facilities in South Dakota regularly used the same unencrypted telecommunications carrier network to transmit sensitive data such as x-rays and other radiographic patient images to external organizations. The transmission of unencrypted personal data violates internal VA security rules and does not satisfy Federal Information Security Management Act requirements. The report called on the VA to immediately implement encryption controls to protect data during transmission. U.S. Securities and 11/8/2012 Cyber/Identity Risks Undetermined/Other Exchange Commission On November 8, 2012, staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks. While the computers were unprotected, there was no evidence that hacking or spying on the SEC's computers took place. The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC's Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems. Some of the staffers even brought the unprotected devices to a Black Hat convention, a conference where computer hacking experts gather to discuss the latest trends. It is not clear why the staffers brought the devices to the event. The security lapses in the Trading and Markets Division are laid out in a yet-to-be-released report that by the SEC's Interim Inspector General Jon Rymer. National Aeronautics and 10/31/2012 Cyber/Identity Risks Digital Data Breach, Space Administration Loss, or Theft NASA Suffers a Major Data Breach Yet Again: NASA has suffered yet another theft of a laptop containing sensitive information. On 31st October, some criminals broke into a car and stole a laptop containing personal identifiable information (PII) of a large number of NASA employees and contractors. NASA had not encrypted the data in the laptop, but only password protected it. With various password-breaking facilities now available, the information on the laptop is for all purposes freely available to the criminals. However, this latest episode seems to have shaken NASA enough to do something. NASA is putting a policy in place where no laptop containing sensitive information would leave a NASA facility without whole disk encryption. For good measure, NASA has also prohibited the storage of sensitive information on smart phones and other mobile devices. After the earlier breach, NASA had decided to encrypt all laptops at the NASA Kennedy Space Center, but for some reason did not extend the same policy across the agency. NASA has also tied up with ID Experts, a data breach specialist to notify the individuals affected by the breach and to offer them free identity and credit monitoring services and also recovery services in case the attackers actually steal their identity. NASA has also warned the victims not to fall for others who may try to take even more advantage of their misfortune by impersonating NASA or ID Experts and calling them up or emailing them to verify personal information. (November 15, 2012 - networksecurity.com) On November 15, 2012, a NASA spokesperson told Computer World that "at least" 10,000 employees and contractors are at risk due to the information contained on the laptop. The system was password protected, but the actual data on the hard drive was not encrypted, making it exceptionally vulnerable. United States 9/28/2012 Cyber/Identity Risks Digital Data Breach, Department of the Army Loss, or Theft Decorated soldier's SSNs exposed online: The Army is investigating how a defense contractor's data breach left vulnerable the Social Security numbers of Army's most highly decorated soldiers, when a comprehensive awards database was posted online. The exposed database contains the 31 Social Security numbers for six Medal of Honor recipients including former Staff Sgt. Sal Giunta, Sgt. 1st Class Leroy Petry and four posthumous recipients and 25 Distinguished Service Cross recipients. The database, which contains 518 records of award recipients since 2001, appeared to have been posted online by an employee of Brightline Interactive, a creative services firm in Alexandria, Va. The database also included records of Silver Star recipients, including their names, ranks, unit information, and the date, place and a description of their action. But the Social Security numbers for the 487 Silver Star recipients were not included on the website. The breach raises serious questions about how service members' personal information is protected, said Joe Kasper, deputy chief of staff for Rep. Duncan Hunter, R-Calif., a member of the House Committee on Armed Services. Ironically, the careless handling of information comes as the Army has rebuffed requests to share nonsensitive information about award recipients and their actions, even with members of Congress. Army Times waited to break the news of the breach until after it was corrected Sept. 28. Army Times notified Army officials of the breach, and the Army notified the contractor. Within hours, the file that contained the sensitive information was removed, said Col. Jonathan Withington, an Army spokesman at the Pentagon. The Army's Chief of Public Affairs office has provided Brightline on an annual basis with the names, pictures and award citations for all recipients of the Silver Star, Distinguished Service Cross and Medal of Honor since Sept. 11, 2001. The public affairs office obtained the information from Human Resources Command. The firm for several years built OCPA's "Gallery of Heroes" kiosk at the Association of the United States Army biannual conventions. However, as the Army scales back its presence at shows this year, the kiosk will not be present at the October convention, Withington said. A Web developer who lists his employer as Brightline on the networking site LinkedIn appeared to have posted or had access to the database on a public server alongside more than a dozen more innocuous files apparently related to his work. It was unclear why the information was there. Erik Muendel, CEO of Brightline, told Army Times he was previously unaware of the breach and did not know how the file wound up online, but he said he was investigating what was posted and how it got there. He said his firm is only meant to receive unclassified information, and he was surprised the firm was provided with sensitive information. The database was discovered by Doug Sterner, the curator of Military Times' online database of valor and award citations, "Hall of Valor." Sterner said separate searches for award recipients repeatedly led him to the Brightline database, and he downloaded it to investigate further. Sterner said the database appears to contain records of every recipient of those awards for actions since the start of the war in Afghanistan. He called it "the most complete, correct database of its kind," and more accurate than the Defense Department's public database at http://valor.defense.gov. Sterner said while the leak of personal information was unfortunate, the database represents a watershed for his mission, to publicize information about award recipients to honor them and for posterity. (September 28, 2012 - airforcetimes.com) Commodity Futures 5/21/2012 Cyber/Identity Risks Phishing, Skimming Trading Commission

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 5

CFTC Data Breach Risks Employee's Social Security Numbers: The U.S. Commodity Futures Trading Commission suffered a data breach in May, putting at risk Social Security numbers and personal information of employees of the country's top derivatives regulator. A CFTC employee received a "phishing" e-mail on May 21 and input information to a fraudulent website, according to a copy of an e-mail sent to agency employees that described the incident. A third-party was then able to illegally enter the employee's account, which had access to personnel information, according to the agency's description of the incident. "The e-mail account contained e-mails and attachments with the names, Social Security numbers and possibly other sensitive personally identifiable information of certain individuals," according to the e-mail description. The CFTC has about 700 employees and regulates U.S. futures and swaps markets. The e-mail description was confirmed last week by CFTC spokesman Steve Adamske. "The CFTC believes at this time that the data breach is contained to employee information and does not compromise any trading or market data. Law enforcement has been contacted and we will work with them as appropriate," John Rogers, chief information officer at the CFTC, said in an e-mail statement on June 22. The agency told employees that it would be implementing additional security controls for CFTC computer systems and increasing training for staff, including those who handle personal information. The CFTC arranged for employees to receive identity protection from a credit-monitoring company. (June 25, 2012 - businessweek.com) United States 3/29/2012 Cyber/Identity Risks Improper Department of Veterans Disposal/Distribution, Affairs Loss or Theft (Printed Records) A Seattle VARO's Assistant Vocational Rehabilitation and Employment Officer's (AVREO) vehicle was broken into and Veterans' personally identifiable information (PII) was stolen on March 29, 2012. On the way home from work on March 29, 2012, the AVREO stopped to eat dinner. Her vehicle was parked in the shopping center parking lot from 6:20 PM to 9:30 PM. Upon returning to the vehicle, she found the driver's side window of the vehicle had been shattered and her tote bag and lunch sack were missing. The contents of the bag included a personal planner containing a government travel card, passport, and personal information. She was scheduled to work at home on 3/30/12 so she also had documents and data to complete a Division Systematic Analysis of Operations (SAO). This included the full name, full SSN and file number for 55 identified Veterans. The material had not been placed into a locking red bag as required. The AVREO immediately contacted the police and filed a Police Report of the break-in and theft. She also contacted her immediate supervisor, the Seattle Vocational Rehabilitation and Employment Officer. She contacted the credit card company to report the theft and cancel the government credit card. They provided information that there had been two attempts to use the card at two different gas stations. The AVREO contacted the gas stations to inquire about possible surveillance footage. One indicated they do have cameras; this information was provided to the police and added to the report. On March 30, 2012, at 11:50 AM, the AVREO received a phone call from an individual stating he had found her planner. As a result of this event, the Seattle VR&E Officer reminded all VR&E staff members of the importance of properly securing Veterans' PII. United States 3/14/2012 Cyber/Identity Risks Improper Department of Veterans Disposal/Distribution, Affairs Loss or Theft (Printed Records) On March 14, 2012, several DD214s (Certificate of Release or Discharge from Active Duty) and fee dental approval letters were found in a file cabinet at a Recycling Center and reported to the Veterans Affairs (VA) Police. The files were transported by the employees of the Recycling Center to the VA within 30 minutes of discovery. On March 15, 2012, according to the Privacy Officer a total of 118 files were in the cabinet. Each file had a DD214 and the dental approval letters. The letter had full name and full SSN as well as the Veterans' address and year of birth and a descriptive line stated "conditions for which services are requested (description of disability) Dental." Therefore 118 Veterans will receive a letter offering credit protection services. United States 3/7/2012 Cyber/Identity Risks Digital Data Breach, Department of Veterans Loss, or Theft Affairs On March 7, 2012, it was brought to the attention of the Information Security Officer (ISO) that an unencrypted Mac book laptop computer purchased in 2005 was unaccounted for. The Mac book was loaned to a Veterans Affairs employee working at a remote location on a Consolidated Memorandum of Receipt (CMR) Equipment Inventory Listing (EIL) for the facility. According to the employee, the computer stopped functioning abruptly in June, 2007. It wouldn't power on at all. This was not related to any damage as it wasn't dropped or mishandled. The employee relates that when she called in 2007 she was told that she was due for another computer anyway, so to discard the nonfunctioning laptop. The employee believes her spouse may have disposed of it at the local landfill. The employee states there was no VA sensitive information on the laptop. She did not have a VA Network account or access to CPRS or VISTA. Environmental Protection 3/1/2012 Cyber/Identity Risks Digital Data Breach, Agency Loss, or Theft EPA cyber breach exposes 8,000 accounts: The Social Security numbers and bank routing numbers of about 8,000 accounts were exposed in a cyber breach of an Environmental Protection Agency database. The breach occurred in March and affected 5,100 current employees and 2,700 "other individuals," according to an EPA statement. In total, EPA has about 18,000 employees. EPA is offering free credit monitoring for one year and set up a hotline for the affected individuals to call. EPA said it is unlikely the personal financial information was used, according to the statement. "Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident. (August 2, 2012 - federalnewsradio.com) Government of The 12/13/2011 Cyber/Identity Risks Digital Data Breach, United States Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 6

Bulk of U.S. Data theft Linked to Few Chinese Hacker Teams: As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts. The aggressive, but stealthy attacks, which steal billions of dollars in intellectual property and data, often carry distinct signatures allowing U.S. officials to link them to certain hacker teams. And, analysts say the U.S. often gives the attackers unique names or numbers, and at times can tell where the hackers are and even who they may be. Sketched out by analysts who have worked with U.S. companies and the government on computer intrusions, the details illuminate recent claims by American intelligence officials about the escalating cyber threat emanating from China. And the widening expanse of targets, coupled with the expensive and sensitive technologies they are losing, is putting increased pressure on the U.S. to take a much harder stand against the communist giant. It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people. Several analysts described the Chinese attacks, speaking on condition of anonymity because of the sensitivity of the investigations and to protect the privacy of clients. China has routinely rejected allegations of cyberspying and says it also is a target. A recognized expert on cyber issues, Cartwright has come out strongly in favor of increased U.S. efforts to hold China and other countries accountable for the cyberattacks that come from within their borders. The U.S., he said, "needs to say, if you come after me, I'm going to find you, I'm going to do something about it. It will be proportional, but I'm going to do something and if you're hiding in a third country, I'm going to tell that country you're there, if they don't stop you from doing it, I'm going to come and get you." yber experts agree, and say that companies are frustrated that the government isn't doing enough to pressure China to stop the attacks or go after hackers in that country. Much like during the Cold War with Russia, officials say the U.S. needs to make it clear that there will be repercussions for cyberattacks. The government "needs to do more to increase the risk," said Jon Ramsey, head of the counter threat unit at the Atlanta-based Dell SecureWorks, a computer security consulting company. "In the private sector we're always on defense. We can't do something about it, but someone has to. There is no deterrent not to attack the U.S." Cyberattacks originating in China have been a problem for years, but until a decade or so ago analysts said the probes focused mainly on the U.S. government - a generally acknowledged intelligence gathering activity similar to Americans and Russians spying on each other during the Cold War. But in the last 10 to 15 years, the attacks have gradually broadened to target defense companies, and then other critical industries including those in energy, finance and other sectors. According to Ramsey and other cyber analysts, hackers in China have different digital fingerprints, often visible through the computer code they use, or the command and control computers that they use to route their malicious software through. U.S. government officials have been reluctant to tie the attacks directly back to the Chinese government, but analysts and officials quietly say that they have tracked enough intrusions to specific locations to be confident they are linked to Beijing - either the government or the military. And, they add that they can sometimes glean who benefited from a particular stolen technology. One of the analysts said investigations show that the dozen or so Chinese teams appear to get "taskings," or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list, and compete to be the first to get it, or the one with the greatest haul. Analysts and U.S. officials agree that a majority of the cyberattacks seeking intellectual property or other sensitive or classified data are done by China based hackers. While much of the cyberattacks stealing credit card or financial information come from Eastern Europe or Russia. (December 13, 2011 - insurancejournal.com) House of 11/10/2011 Cyber/Identity Risks Digital Data Breach, unknown Iowa Representatives, United Loss, or Theft States In July 2012, Barbara Heki and Richard Heki (collectively Plaintiffs) filed a lawsuit in Iowa District Court against Michele Bachmann, Bachmann for President, Kent Sorenson, Keith Nahigian, Nahigian Strategies LLC, Guy Short, C&M Strategies Inc, Brett O'Donnell, O'Donnell & Associates Ltd, Rebecca Donatelli, Campaign Services Inc, Eric Woolson, and The Concept Works Inc (Collectively Defendants). Defendants allegedly uploaded the NICHE (Network of Iowa Christian Home Educators) email list into their campaign database without permission. Barb Heki accused Defendants of stealing the NICHE email list from her private computer from her private office in the Bachmann campaign headquarters in Iowa. Prior to this Heki said she informed the campaign of her inability to share the NICHE database or release any information about the database to the campaign. Heki contended that Defendants inferred to the media and the public that Barb Heki had misappropriated and misused the email list from NICHE. Due to the alleged cover up by the Bachmann campaign, Plaintiffs have been isolated and expelled from their professional, social, political, and spiritual lives and careers. Plaintiffs sought compensation of all damages, costs, and interest. Social Security 10/14/2011 Cyber/Identity Risks Improper Administration Disposal/Distribution, Loss or Theft (Printed Records) Social Security agency leaks thousands of SSNs every year, report say: The Social Security Administration (SSA) puts thousands of Americans at risk of identity theft each year by accidentally leaking their Social Security Numbers, names and dates of birth, according to an investigative report by the Scripps Howard New Service. For its report, Scripps Howard reviewed three files from the Death Master File and discovered 31,931 living Americans listed erroneously in them. Dozens of those who were incorrectly listed were later contacted by the news service. None said they'd been informed of the breach by the SSA. The SSA has admitted that it inadvertently lists about 14,000 living people in the Death Master File each year, Scripps Howard said. Using that estimate, more than 400,000 records have been released since 1980, the report noted. In the report, Scripps Howard quotes SSA Commissioner Michael Astrue, who spoke to members of Congress about the issue last month. Astrue said that the SSA takes prompt action to correct any errors it discovers. Any breach involving the accidental leakage of SSNs is also promptly reported to the U.S. Computer Emergency Response Team. Astrue said the SSA has so far found no instance of fraud or misuse as a result of the inadvertent exposure. (October 14, 2011 - computerworld.com) Us Department Of 10/12/2011 Cyber/Identity Risks Digital Data Breach, Education Loss, or Theft Students financial info revealed on government website: The personal financial details of as many as 5,000 college students were temporarily laid bare for other students to view on the Education Department's direct loan website earlier this month, an education official testified Tuesday. The students' information was available during a 67-minute window as officials were making a reconfiguration involving 11.5 million borrowers, said James Runcie, the Education Department's federal student aid chief operating officer. The change was designed to improve the website's performance times. Runcie said students who logged on during the trouble period saw the personal details of other students. Those whose information was exposed have been notified and offered credit monitoring services, Runcie said. The department shut down the website while the problem was resolved. "We responded as quickly as we could," he said. Runcie's testimony came before a House Education and the Workforce subcommittee, which has been reviewing the Education Department's transition to directly issuing all student loans. Rep. Virginia Foxx, R-N.C., the subcommittee chairwoman, said the transition has meant more customer service problems and mistakes, including the recent security problem with the website. "The implications of this kind of website malfunction are severe, particularly when it affects millions of borrows nationwide," Foxx said. In a statement released after the hearing, Justin Hamilton, an Education Department spokesman, said the problem occurred on Oct. 12 and the department has no reason to believe students' information was misused or accessed by anyone with "malicious intent." Congress changed the way student loans are issued last year as part of the law overhauling the nation's health care system. It essentially stripped banks of their role as middlemen in issuing the loans. All loans are now directly issued by the government. The expectation at the time was that the measure would result in $61 billion in savings over a decade. The billions saved are to pay for Pell Grants, provide resources to community and historically black colleges, help reduce the deficit and offset expenses from the health care legislation. Runcie said the department uses rigorous security standards but is looking to soon roll out an additional safeguard. He also said the department appreciates suggestions on ways to make its website more user friendly, and plans to make changes. Overall, Runcie said the transition to the direct loan program has been a success. (October 25, 2011 - latimes.com) Tricare Management 9/29/2011 Cyber/Identity Risks Digital Data Breach, 2012 CV 00008 District of Columbia Activity Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 7

On January 4, 2012, a class action complaint was filed by Jessica Palmer, Shanna Hartman, Antionette Morelli, and Claudia Falubebres, on behalf of themselves and all other similarly situated against Tricare Management Activity (Tricare), Science Applications International Corporation, United States Department of Defense and Leon E. Panetta, in his Official Capacity as Secretary of Department of Defense in United States District Court, District of Columbia (Washington, DC). The action was brought in relation with the defendants' alleged intentional, willful and reckless violations of the privacy rights of more than 4.9 million individuals, who entrusted their private medical and other personal information to the Defendants. The plaintiffs alleged that on September 29, 2011, Tricare publicly admitted that data containing the most highly sensitive personal and intimate information pertaining to 4.9 million of its members had been unlawfully disclosed. The Plaintiffs allege that the Defendants flagrantly disregarded the Plaintiffs' privacy rights by intentionally, willfully and recklessly failing to take the necessary precautions required safeguarding their personal identification information from unauthorized disclosure. In addition, the plaintiffs contend that the defendants betrayed the members' trust by failing to properly safeguard this private information and by publicly disclosing it in violation of numerous laws, including the federal Administrative Procedures Act, the Fair Credit Reporting Act, California law, the common law and the federal Privacy Act of 1974. Plaintiffs sought for the certification of the action as class action, actual and statutory damages, including punitive and treble damages, costs and expenses, and other relief. Tricare Management 9/14/2011 Cyber/Identity Risks Digital Data Breach, 2011 CV 02142 District of Columbia Activity Loss, or Theft On December 1, 2011, a class action complaint was filed by Plaintiff James F. Biggerman Jr. on behalf of all other similarly situated against Science Applications International Corporation (SAIC) and TriCare Management Activity (collectively Defendants) in U.S. District Court for the District of Columbia as a result of Defendants failure to adequately safeguard millions of military clinic and hospital patients personally identifiable and protected health information. According to the complaint, on September 14, 2011, SAIC reported a data breach involving personally identifiable and protected health information impacting an estimated 4.9 million military clinic and hospital patients served by TriCare. The confidential information was contained on improperly encrypted or unencrypted computer backup tapes from an electronic health care record use in the MHS to capture patient data from 1992 through September 7, 2011. The confidential information includes social security numbers, addresses and phone numbers, and personal health data such as clinical notes, laboratory test and other patient data. As a result of the theft, 4.9 million TriCare members including Plaintiff has their confidential information compromised and has been deprived of the exclusive use and control of their proprietary prescription information and has suffered economic damages. Plaintiff and the Class sought for an award of all costs, expenses including expert's fees and attorney's fees and the cost of the action. On December 22, 2011, a motion to dismiss complaint was filed by the Defendants. United States 9/14/2011 Cyber/Identity Risks Digital Data Breach, 2011 CV 02142 District of Columbia Department of Defense Loss, or Theft On December 1, 2011, a class action complaint was filed by Plaintiff James F. Biggerman Jr. on behalf of all other similarly situated against Science Applications International Corporation (SAIC) and TriCare Management Activity (collectively Defendants) in U.S. District Court for the District of Columbia as a result of Defendants failure to adequately safeguard millions of military clinic and hospital patients personally identifiable and protected health information. According to the complaint, on September 14, 2011, SAIC reported a data breach involving personally identifiable and protected health information impacting an estimated 4.9 million military clinic and hospital patients served by TriCare. The confidential information was contained on improperly encrypted or unencrypted computer backup tapes from an electronic health care record use in the MHS to capture patient data from 1992 through September 7, 2011. The confidential information includes social security numbers, addresses and phone numbers, and personal health data such as clinical notes, laboratory test and other patient data. As a result of the theft, 4.9 million TriCare members including Plaintiff has their confidential information compromised and has been deprived of the exclusive use and control of their proprietary prescription information and has suffered economic damages. Plaintiff and the Class sought for an award of all costs, expenses including expert's fees and attorney's fees and the cost of the action. On December 22, 2011, a motion to dismiss complaint was filed by the Defendants. Tricare Management 9/14/2011 Cyber/Identity Risks Digital Data Breach, Activity Loss, or Theft On September 14, 2011, SAIC reported a data breach involving personally identifiable and protected health information impacting an estimated 4.9 million military clinic and hospital patients served by TriCare. The confidential information was contained on improperly encrypted or unencrypted computer backup tapes from an electronic health care record use in the MHS to capture patient data from 1992 through September 7, 2011. The confidential information includes social security numbers, addresses and phone numbers, and personal health data such as clinical notes, laboratory test and other patient data. As a result of the theft, 4.9 million TriCare members has their confidential information compromised and has been deprived of the exclusive use and control of their proprietary prescription information and has suffered economic damages. Tricare Management 9/13/2011 Cyber/Identity Risks Identity Theft/Fraudulent 2011 CV 01800 District of Columbia Activity Use or Access On October 11, 2011, an Air Force veteran of the first Iraq war and a military spouse and her two children have hit the Defense Department with a class action lawsuit seeking $4.9 billion in damages from the theft of a computer tape containing personal and sensitive health information from the car of an employee of Science Applications International Corp., a contractor with the TRICARE Health Management Activity. The company was not named as a defendant in the action. The suit, filed by the law firm Shulman, Rogers, Gandal, Pordy & Ecker of Potomac, Md., seeks $1,000 in damages for all 4.9 million TRICARE beneficiaries whose records were on the computer tape stolen September 13 from the SAIC employee's car in San Antonio. TRICARE and Defense Secretary Leon Panetta are named as defendants. Plaintiffs in the case are Virginia Gaffney of Hampton, Va., a TRICARE beneficiary described as the spouse of a decorated war veteran, along with her two dependent children, and Adrienne Taylor of Glendale, Ariz., an Air Force Operation Desert Storm veteran who also is a military spouse and TRICARE beneficiary. The suit, filed in the U.S. District Court for the District of Columbia, charges that TRICARE "flagrantly disregarded" the privacy rights of TRICARE beneficiaries by failing to take the necessary precautions to protect their identity. The complaint said data on the stolen computer tape was "unprotected, easily copied . . . [and TRICARE] inexplicably failed to encrypt the information." The suit alleged that TRICARE compounded its dereliction of duty by authorizing an untrained or improperly trained individual to take the highly confidential information off of government premises and to leave unencrypted information in an unguarded car in a public location, from which it was stolen by an unknown party or parties. The complaint charged that the intentional, willful and reckless disregard of plaintiffs' privacy rights caused one of the largest unauthorized disclosures of Social Security numbers, medical records and other private information in recent history. TRICARE has acknowledged that the stolen computer tape contained a wealth of patient information including clinical notes, laboratory tests, prescriptions, diagnoses, treatment information, and provider names and locations. But, when it announced the theft -- which it called a "data breach" -- on September 30, TRICARE downplayed the ability of anyone to access the information on the tape. The military health program said that the risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. The class action lawsuit disputed this assertion, alleging that personal information on the computer tape could be retrieved by the name of an individual or by an identifying number, symbol or other identifying data assigned to an individual. The theft of the computer tape, the complaint charged, has exposed the medical and personal information of all four plaintiffs to the possibility of identity fraud and resulted in "emotional upset" due to the invasion of privacy. TRICARE declined to provide credit monitoring services in the wake of the tape theft, and, as a result, the complaint said, both Gaffney and Taylor purchased such services on their own to protect against identity theft, incurring an ongoing economic cost. The lawsuit asked the court to direct TRICARE to provide free credit monitoring services to all 4.9 million beneficiaries whose personal information was on the stolen tape and to reimburse those who had already purchased such services on their own. This could slam TRICARE with another hefty bill. When the Veterans Affairs Department discovers a loss, theft or exposure of this kind it routinely offers credit monitoring services and up to $1 million annually in identity theft protection at a cost per veteran of $29.95 a year. At that rate, it would cost TRICARE $146.8 million to provide credit monitoring services to 4.9 million people. Shulman, Rogers also wants to use the lawsuit to reform what it considers poor practices by Defense and TRICARE to maintain the privacy of personal information. Defense and TRICARE, the suit said, "have repeatedly demonstrated an inability or unwillingness to implement or [have a] callous disregard for fundamental procedures to provide minimally acceptable safeguards to prevent against the disclosure of personal and private information in their possession." The suit asks the court to bar TRICARE and Defense from transferring a record or system of records covered by the Privacy Act "until an independent panel of experts finds that adequate information security has been established." The court also should prohibit Defense and TRICARE from transporting any records off government property unless they are fully encrypted and SAIC should not be allowed to transport any records until an independent expert panel determines the company has established adequate information procedures, the lawsuit said. United States 8/25/2011 Cyber/Identity Risks Digital Data Breach, Department of the Army Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 8

Personal data on 25,000 NAF retirees lost: Army officials say a CD containing the personal information of nearly 25,000 Non-Appropriated Fund retiree records was lost in the mail. The potentially compromised information contains names, Social Security numbers and other retirement data such as retirement date, type of retirement, amount of life insurance carried, term data and dates of service. U.S. Army Installation Management Command officials say some records might also contain birth dates. According to an Army release, the CD was lost in the mail between Alexandria, Va., and San Antonio, Texas, during the last week of August. The Army said retirees who are at risk have been sent letters advising them of the data loss and actions they can take to protect their identities. (September 14, 2011 - stripes.com) VA Illiana Health Care 7/14/2011 Cyber/Identity Risks Improper System Disposal/Distribution, Loss or Theft (Printed Records) Illinois VA System Suffers Data Breach: The Veterans Affairs Illiana Healthcare System, based in Danville, Illinois, recently began alerting some of its patients that it suffered a data breach that may leave them vulnerable to identity theft. The breach was caused when an appointment book that listed the last names and Social Security numbers of 518 veterans was discovered missing on July 14, according to a report from the Danville Commercial-News. At this point, the missing data still have not been recovered. Currently, the system states that there is no evidence the information contained in the book was misused, the report said. However, it is cautioning veterans to keep a close eye on their credit reports just in case. (September 27, 2011 - idt911.com) U.S. Securities and 5/4/2011 Cyber/Identity Risks Improper Exchange Commission Disposal/Distribution, Loss or Theft (Printed Records) Personal data of 4,000 SEC employees exposed: The personal information of thousands of U.S. Securities and Exchange Commission (SEC) employees was accidentally exposed in an unencrypted email. The email was sent May 4 by an employee at the U.S. Department of the Interior's National Business Center, a service center in charge of payroll, human resources and financial reporting for dozens of federal agencies, including the SEC. The contractor forgot to encrypt the message, and software in place to detect such an error failed. The personal data was exposed for about one minute, while in transit. There is no indication that the data was intercepted. (May 20, 2011 - scmagazineus.com) Yokota Air Base 5/1/2011 Cyber/Identity Risks Improper Disposal/Distribution, Loss or Theft (Printed Records) Hundreds of Medical records found in Yokota service member's home: YOKOTA AIR BASE, Japan - Air Force officials have sent warnings to 593 people to be on the lookout for signs of identity theft after their medical records were found at a servicemember's home on Yokota Air Base. The 374th Airlift Wing announced last week that the documents which included the names, Social Security numbers, dates of birth, addresses, phone numbers and health records of people who sought medical advice or treatment in 2008 and 2009 were discovered as part of an investigation into another matter in May. However, those potentially affected by the breach in privacy weren't notified until mid-October. Yokota Air Base public affairs officer Capt. Raymond Geoffroy said in an email Friday that investigators found no incidents of the information being exploited for malicious purposes and, initially, determined that the breach did not meet the threshold for reporting under the Health Insurance Portability and Accountability Act (HIPAA), which requires that officials inform people if their confidential information is compromised. (October 28, 2011 - stripes.com) National Aeronautics and 1/1/2011 Cyber/Identity Risks Digital Data Breach, Space Administration Loss, or Theft NASA says it was hacked 13 times last year: NASA said hackers broke into its computer systems 13 times last year, stealing employee credentials and gaining access to mission critical projects in breaches that could compromise U.S. national security. The National Aeronautics and Space Administration spends only $58 million of its $1.5 billion annual IT budget on cyber security, Paul Martin, the agency's inspector general, told a Congressional panel on NASA security earlier this week. "Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our nation's competitive technological advantage," Martin said in testimony before the U.S. House Committee on Science, Space and Technology, released on Wednesday. He said the agency discovered in November that hackers working through a Chinese-based IP address broke into the network of NASA's Jet Propulsion Laboratory. He said they gained full system access, which allowed them to modify, copy, or delete sensitive files, create user accounts for mission-critical JPL systems and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions, he said. In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. Martin said the agency has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands. Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station as well as sensitive data on NASA's Constellation and Orion programs and Social Security numbers, Martin said. (March 2, 2012 - reuters.com) General Services 10/25/2010 Cyber/Identity Risks Digital Data Breach, Administration(inc) Loss, or Theft U.S. Workers Are on Alert After Breach of Data: WASHINGTON - Federal workers at the General Services Administration are on alert against identity theft after an employee sent the names and Social Security numbers of the agency's entire staff to a private e-mail address. The agency, which manages federal property, employs more than 12,000 people. Officials apologized to employees for the incident in a letter dated Oct. 25 - almost six weeks after the breach occurred. The agency said it had paid for employees to enroll in a one-year program to monitor their credit reports, along with up to $25,000 in identity theft insurance coverage. The letter was signed by Casey Coleman, the chief information officer, and Gail Lovelace, the agency's senior privacy official. Neither returned calls or e-mails for comment. Documents show that officials first notified employees on Sept. 28. But workers who spoke with The New York Times said they did not learn of the incident until early November, when the letters arrived in the mail. Previous notices had been sent as security alert e-mails, which employees said they received frequently and often ignored. According to interviews and documents obtained by The Times, technicians discovered the e-mail with names and Social Security numbers while reviewing logs on Sept. 22, a week after the message was sent, and deleted it from the recipient's e-mail account and laptop. The agency explained to employees that one worker had apparently transmitted the file containing the personal data by accident while seeking work-related assistance and that it had not been forwarded. Those involved had cooperated, and the computer that received the data was scrubbed clean by agency technicians. According to the documents, the agency inspector general is investigating the incident. The inspector general, Brian Miller, did not return calls for comment. (November 6, 2010 - nytimes.com) Federal Emergency 10/4/2010 Cyber/Identity Risks Improper Management Agency Disposal/Distribution, Loss or Theft (Printed Records) Storage unit yields ID documents: Two men discovered financial information from more than 340 people when they purchased the abandoned contents of a self-storage unit at auction. The documents covered applications for financial assistance to the Federal Emergency Management Agency and applications to lease or purchase cars from Williams Chevrolet Inc. FEMA began an investigation but when local police showed no interest in the documents because they said no crime had been committed, the men began returning the documents themselves. (July 17, 2011 - record-eagle.com) Tricare Management 6/25/2010 Cyber/Identity Risks Improper Activity Disposal/Distribution, Loss or Theft (Printed Records) Tricare Management Activity notified Health and Human Services (HHS) that on June 25, 2010, 4,500 patients' protected health information was breached due to unauthorized access or disclosure of paper records.

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 9

United States 4/22/2010 Cyber/Identity Risks Digital Data Breach, Department of Veterans Loss, or Theft Affairs Laptop Stolen from VA Contractor Contains Veteran's Personal Data: A laptop belonging to a contractor working for the Veterans Affairs Department was stolen earlier this year and the personal data on hundreds of veterans stored on the computer was not encrypted, a violation of a VA information technology policy, said the top-ranking Republican on the House Veterans Affairs Committee. The VA reported the theft of the laptop from an unidentified contractor to the committee on April 28 and informed members the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers' records, according to a letter Rep. Steve Buyer, R-Ind., sent to VA Secretary Eric Shenseki. The data was not encrypted, which would have prevented a thief from accessing the information, a requirement Congress and VA issued to all department contractors in 2006 after a laptop containing health data on more than 26 million veterans and their spouses was stolen from a VA employee's home. That laptop later was recovered. The laptop was stolen from a contractor employee's car on April 22, and she notified local police within 10 minutes, said Roger Baker, chief information officer at VA, in an interview. Although the vendor had certified to VA that it had encrypted laptops that stored department data, Baker confirmed the data on the stolen laptop was unencrypted. The vendor, who Baker declined to identify because he said it would make it more difficult for contractors to report future data breaches if they knew their name would be made public, reported the theft to VA on April 23. Baker said the notice to Congress was 60 to 90 days quicker than how long it took the Bush administration to report security breaches. (May 13, 2010 - nextgov.com) Miami VA Healthcare 1/19/2010 Cyber/Identity Risks Improper System Disposal/Distribution, Loss or Theft (Printed Records) A pharmacy log book was found missing on January 19, 2010 that contained the protected health information (PHI) of veteran patients. Unfortunately, this logbook has not been uncovered. The pharmacy log book contained the names and partial Social Security numbers of 568 veterans. Following the breach, Miami VA Healthcare System sent out appropriate notification letters, and it instructed the employees to cease the practice of keeping log books. As a result of OCR's investigation, Miami VA Healthcare System revised and/or updated its policies and procedures with respect to safeguarding PHI and has now restricted the use of logbooks. Transportation Security 12/9/2009 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft On December 9, 2009, the Transportation Security Administration (TSA) accidentally posted on a public website a manual that contained complete details on its airport screening procedures. The TSA manual included details for screening passengers, checking for explosives devices, special rules for handling the CIA, diplomats and law enforcement officials, and the technical settings and tolerances used by metal and explosive detectors used at airports. The leak occurred when an improperly redacted TSA Standard Operations Procedures manual was posted on a federal Web site as part of a contract bid solicitation process. Lawmakers called the gaffe as shocking and reckless, as wells as a threat to national security. Government of The 11/28/2009 Cyber/Identity Risks Digital Data Breach, United States Loss, or Theft Thief steals U.S. Army laptop from employee's home: A laptop containing the personal information of tens of thousands of U.S. Army soldiers, family members and U.S. Department of Defense employees was recently stolen. The computer contained "names and personally identifiable information for slightly more than 42,000 Fort Belvoir Morale, Welfare and Recreation patrons. The laptop was stolen on November 28 from an employee of the Fort Belvoir Family and Morale, Welfare and Recreation (MWR) Command, located in Virginia. There were signs of forced entry into the employee's residence where the laptop was stolen. Other high-value electronics and jewelry were also stolen. The Family and MWR Command operates several facilities on Fort Belvoir, including child care centers, bowling alleys, restaurants, and golf courses. Individuals who have who used an MWR facility on Fort Belvoir since 2005 may be included in the data on the laptop. It is unlikely the information on the computer will be compromised because it was protected by three layers of security access and encryption passwords. The Family and MWR Command were made aware of the theft December 1, and then conducted an assessment to determine the extent of the breach. Letters will be sent to affected individuals. Local authorities are investigating the incident, which appears to be a random burglary. Military authorities are investigating whether proper security protocols were followed. (December 17, 2009 - scmagazineus.com) Engineers, U S Army 11/1/2009 Cyber/Identity Risks Digital Data Breach, Corps Of Loss, or Theft Data breach could affect 60,000 GIs, civilians: The Corps of Engineers is investigating the recent loss of an external hard drive that could pose identify theft problems for as many as 60,000 soldiers and Army civilians. Maj. Mark Young, a Corps of Engineers spokesman in Washington, said the security breach occurred in the command's Southwestern Division, which is headquartered in Dallas, in early November. Information stored on the missing hard drive includes personal data, such as names and Social Security numbers, on a number of current and former soldiers and some civilian employees, according to information provided by the Southwest Division. Most of the affected population includes soldiers whose files went before the Fiscal 2008 sergeant first class and 2008 master sergeant promotion boards, and the 2007 colonel promotion board and the 2009 lieutenant colonel command board. Officials said that as of that date, there were no known cases of identify theft associated with the lists. The Army continues to allow designated commanders access to select and non-select lists, but does not include any part of a soldier's Social Security number on the lists. Database security and the threat of identify theft is a major problem in both the government and private sector, according to the Open Security Foundation. (November 13, 2009 - armytimes.com) Defense, United States 9/1/2009 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft GAO: Defense lost track of 72,000 combat medical records: Government auditors said on Thursday that Defense Department officials could not account for more than 72,000 health questionnaires that were to have been completed by troops following their service in Iraq and Afghanistan. The records, known as post-deployment health reassessments, or PDHRA, are to be administered 90 to 180 days after service members return from deployment. Because mental health issues sometimes do not emerge until months after troops return from combat, the assessments are considered a vital tool in helping to identify deployment-related health issues. Asked by the Senate Armed Services Committee to review the department's implementation of the PDHRA to active, reserve and separated service members, auditors last April sought the questionnaire records of troops who returned from Iraq or Afghanistan from Jan. 1, 2007, through May 31, 2008, after serving at least 30 days overseas. Of the roughly 319,000 service members who met that criterion, 74,000 were missing PDHRA records in Defense's central repository, which officials use as a key source of health surveillance information. GAO then checked with the military services to see if their databases contained the missing questionnaires, which had not yet been electronically posted to the central database as required by policy. That check located about 7,000 of the missing questionnaires. In September, GAO again queried Defense's central repository to update the April data for the same population of service members 15 months after the last service members would have returned from deployment. That query showed 72,000 missing questionnaires. The military services are responsible for administering PDHRA to active-duty personnel, and Defense contracts with Logistics Health Inc. to administer the questionnaire to troops in the Guard and Reserve. All troops are required to fill out only demographic information in the questionnaire, and they are encouraged to fill out sections regarding their physical and mental health. Defense officials said they would take steps to ensure service members who need to receive the PDHRA do so, and would brief commanders on the importance of compliance and requirements. They also pledged to resolve any problems with electronic transmission of questionnaires between the services and the department's central repository. (November 20, 2009 - govexec.com) United States 8/18/2009 Cyber/Identity Risks Digital Data Breach, Department of the Navy Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 10

Navy laptop with personal info missing: PENSACOLA, Fla. - Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer August 18 which contains personally identifiable information. The computer's database contains a registry of 38,000 pharmacy service customers' names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information. The last date that the computer can be accounted for is Aug. 18. In an internal review and investigation, the command made contact with 100 percent of its Pharmacy staff members in an attempt to discover the whereabouts of the computer. The computer has a damaged exterior and may have been disposed of. NH Pensacola believes the risk of malicious intent is low. Because the hospital cannot account for the laptop, it is sending a letter to each person whose information was on the computer. The letter will include information on how to take protective action. (September 2, 2009 - fox10tv.com) Internal Revenue Service 7/1/2009 Cyber/Identity Risks Identity Theft/Fraudulent Use or Access On February 28, 2011, Catherine Griffin (Griffin) was sentenced to more than nine months in prison, followed by two years of supervised release. She was ordered to repay the government more than $40,000. Griffin was arraigned before United States Magistrate Judge C. Christopher Hagy and released on bond. Millions of law-abiding citizens pay their fair share of taxes and do not have an insider at the IRS changing the numbers on a computer for them so they can pay less tax. The defendant in this case allegedly was paid to change information in the IRS computer system to make it appear certain taxpayers were eligible for first-time homebuyer credits. Cheating like this has consequences. According to United States Attorney Yates, from approximately July 2009 to November 2009, Griffin worked as a seasonal employee for the IRS in Chamblee, Georgia, processing amended tax returns filed by taxpayers. In her capacity as an IRS employee, Griffin had access to the IRS computer system. The indictment alleges that Griffin exceeded her authorized access of the IRS computer system to alter taxpayer information for approximately 4 individuals. In exchange for fraudulently altering these taxpayers' information, Griffin received payments of $2,000. The indictment charges Griffin with 4 counts of exceeding authorized access of government computers to alter taxpayer data for private financial gain. The computer fraud charges each carry a maximum sentence of 5 years in prison and a fine of up to $250,000. In determining the actual sentence, the Court will consider the United States Sentencing Guidelines, which are not binding but provide appropriate sentencing ranges for most offenders. Members of the public are reminded that the indictment contains only allegations. A defendant was presumed innocent of the charges and it will be the government's burden to prove a defendant's guilt beyond a reasonable doubt at trial. The case was being investigated by Special Agents of the Treasury Inspector General for Tax Administration (TIGTA). On June 9, 2011, Griffin was sentenced to more than nine months in prison, followed by two years of supervised release. She was ordered to repay the government more than $40,000. United States 6/25/2009 Cyber/Identity Risks Digital Data Breach, Department of Homeland Loss, or Theft Security What you can learn from a UBC class trip: University of British Columbia journalism students uncovered a hard drive containing sensitive U.S. defence information while filming a documentary in Ghana. Find out why it happened and how you can keep your company from a similarly embarrassing experience. No business should expose a single asset that hasn't had a data wipe performed on it, according to an Info-Tech Research Group Ltd. analyst. The warning comes after a group of University of British Columbia journalism students uncovered a data drive containing information about a multi-million dollar U.S Department of Homeland Security defence contract in a recent trip to Ghana. The B.C. students, who were visiting the African country as part of a study about electronic waste, paid about $40 for the second-hand hard drive. The discarded hard drive included information about hiring and personnel contracts of a variety of U.S. defence organizations including information about private military contractor Northrop Grumman Corp. as well as credit card numbers and personal photos, according to published reports citing the students. (June 25, 2009 - ComputerWorld Canada) Government Printing 5/22/2009 Cyber/Identity Risks Digital Data Breach, Office, United States Loss, or Theft In May 2009, a 267-page document listing all U.S. civilian nuclear sites along with the description of their assets and activities became available on a whistleblower Web site Wikileaks.org days after a government Web site publicly posted the data by accident. The data have been compiled as part of a report being prepared by the federal government for the International Atomic Energy Agency (IAEA). It was scheduled to be transmitted to the agency and was sent for congressional review by President Obama on May 5. The document, which had been marked by the president as "Highly Confidential Safeguards Sensitive," subsequently appears to have, for some unexplained reason, been publicly posted by the U.S. Government Printing Office (GPO) on its Web site. The document has since been taken down but is now available from several locations via Wikileaks.org. The document was discovered on the GPO Web site on May 22 by Steven Aftergood, director of the Federation of American Scientists' (FAS) Project on Government Secrecy. Aftergood posted the document on Secrecy News, a publication of the FAS that he maintains. The breached document is titled The List of Sites, Locations, Facilities, and Activities Declared to the International Atomic Energy Agency, and contains detailed information on hundreds of civilian nuclear sites in the country, including those storing enriched uranium. The report lists details on programs at nuclear weapons research labs at Los Alamos, Livermore and Sandia. United States 5/19/2009 Cyber/Identity Risks Improper Department of the Navy Disposal/Distribution, Loss or Theft (Printed Records) Toledo Navy office compromises recruits' identities: TOLEDO -- They thought their personal information would be safe in the hands of the U.S. Navy, but dozens of sailors who signed up at a Toledo recruiting station are about to learn that their personal information was compromised. Now, their families are not happy with the Navy. The men volunteered to serve their country, but an NBC24 investigation finds that the Navy recruiting office in the Miracle Mile Shopping Center threw out thousands of personal documents from recruits without first shredding them. A crook's treasure chest of addresses, phone numbers, and even social security numbers were found in a dumpster behind the recruiting office. NBC24 went to the Navy recruiting office, but the sailors didn't have any answers. When asked if they had anything to say about the dumpster discovery, those inside the office said they had nothing to say. Bags of shredded documents were also found, but somehow the papers that NBC24 obtained fell through the cracks. When asked how they think recruits would feel if they knew their documents were handled in this manner, the sailors said they couldn't say anything even if they wanted to. (May 19, 2009 - toledoonthemove.com) Veterans Affairs, United 2/4/2009 Cyber/Identity Risks Improper States Dept Of Disposal/Distribution, Loss or Theft (Printed Records) Disabled Veteran Receives Other Veterans' Personal Data By Mistake: WACO (February 4, 2009)--A local veterans association mistakenly sent out personal information about disabled veterans in the mail. The top of the claims log is labeled "Texas Veterans Commission," but neither the Commission nor the Veterans Affairs Regional Office is sure who is to blame for the incident. "At this point we don't know where it came from; I guarantee it was just a mistake. We vigorously take pains to protect veterans as does the VA. You can rest assured, it will be thoroughly investigated and we'll find out what happened. It's a terrible human error," said Jim Richman, Director of Claims Representation and Counseling for the Texas Veterans Commission. The Department of Veterans Affairs had a similar response." This is a very big privacy issue and we consider it very serious. One of our top priorities is patient privacy," said Debra Meyer of the VA's public affairs office. (February 4, 2009 - kwtx.com) Federal Aviation 2/1/2009 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft FAA says Hackers broke into agency computers: WASHINGTON (AP) - Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees. The agency said in a statement Monday that two of the 48 files on the breached computer server contained personal information about employees and retires who were on the FAA's rolls as of the first week of February 2006. The server that was accessed was not connected to the operation of the air traffic control system and there is no indication those systems have been compromised, the statement said. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials told unions representing agency employees at a briefing Monday that the second breached file with personal information contained encrypted medical information. (February 10, 2009 - Associated Press)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 11

Defense, United States 1/26/2009 Cyber/Identity Risks Improper Dept Of Disposal/Distribution, Loss or Theft (Printed Records) NZ man accesses US military secrets: ONE News has gained access to the personal files of American soldiers, uncovering military secrets from the most powerful nation in the world. In November last year the US Defense Department banned the use of portable data storage devices. However, Chris Ogle from Whangerei got more than he bargained for when he bought an MP3 player from an Oklahoma thrift shop for $18. When the 29-year-old hooked up the player he discovered a play list he could never have imagined - 60 files in total, including the names and personal details of American soldiers. Some of the information appears to be a mission briefing. ONE News found amongst the files lists of soldiers based in Afghanistan, along with the names of some personnel who have fought in Iraq and cell phones numbers for soldiers based overseas. The files that the numbers were located in are marked with a warning saying the release of its contents is "prohibited by federal law". There are also details of equipment deployed to the bases and private information about soldiers, such as social security numbers and even which ones are pregnant. Most of the files found are dated 2005 and seem unlikely to compromise US national security, but experts contacted by ONE News say they could put the individual soldiers at risk. (January 26, 2009 - ONE News) Food & Drug 1/1/2009 Cyber/Identity Risks Digital Data Breach, 2011 cv 01739 Washington Administration Loss, or Theft On January 25, 2012 Paul Hardy and five other current and former employees (plaintiffs) filed a lawsuit in the U.S. District Court of Washington against Food and Drug Administration (FDA) alleging that top FDA managers monitored and seized emails from their personal Gmail and Yahoo accounts for at least two years. Documents they obtained through the Freedom of Information Act and other means show that FDA began monitoring electronic conversations in 2009, which they say was triggered by their correspondence with incoming administration officials. According to the lawsuit, information garnered this way eventually contributed to the harassment or dismissal of all six of the FDA employees. All had worked in an office responsible for reviewing devices for cancer screening and other purposes. In the lawsuit, the doctors and scientists say the government violated their constitutional privacy rights by gazing into personal e-mail accounts for the purpose of monitoring activity that they say was lawful. An FDA spokeswoman, Erica Jefferson, said the agency does not comment on litigation. But according to FDA internal documents that the scientists and doctors obtained under the Freedom of Information Act, the agency told the Department of Health and Human Services' inspector general that they had improperly disclosed confidential business information about the devices. The agency requested that an investigation be opened in May 2010. The scientists and doctors denied sharing information improperly. The HHS inspector general's office, which oversees FDA operations, declined to pursue an investigation, finding no evidence of criminal conduct. It also said that the doctors and scientists had a legal right to air their concerns to Congress or journalists. Federal Emergency 12/1/2008 Cyber/Identity Risks Digital Data Breach, Management Agency Loss, or Theft FEMA data on Katrina evacuees leaked: FEMA has confirmed that an "unauthorized breach of private information" resulted in the information release of 16,857 names, Social Security and phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of privately run Web sites, but for how long was unclear. Nearly all the affected individuals lived in Louisiana at the time of the storm. In a news release, the Federal Emergency Management Agency said the data had been turned over to a Texas state agency, which it believes is responsible for an error that placed the data in the wrong hands. An investigation is under way, and federal officials haven't named the state agency or Web sites. A FEMA applicant alerted the federal agency after finding his or her information posted on the Web, officials said. On Friday, FEMA announced that last week it had "swiftly contacted" a pair of Web sites holding the private information and had it removed from public view. The information was assembled in 16,857 lines of data assembled on a spreadsheet. The 16,857 applicants were people who evacuated to Texas, and of that number, 16,372 were originally from Louisiana, officials said. FEMA said it regrets the information was posted but insisted that it followed provisions of the federal Privacy Act in transferring the information to the Texas agency. There have been no confirmed reports of identity theft as a result of the temporary posting of the information, but FEMA said it isn't taking chances. (December 24, 2008 - The Times-Picayune) Federal Emergency 11/4/2008 Cyber/Identity Risks Digital Data Breach, Management Agency Loss, or Theft The Federal Emergency Management Agency is putting new safeguards in place to protect sensitive information stored on laptop computers after one containing personal information for about 50 Indiana flood victims was stolen from an inspector's car. FEMA is installing more protection software on all of its laptops and now uses additional encryption and data-tracking software in all portable data storage devices, the Post-Tribune of Merrillville reported Sunday. FEMA this month began notifying about 50 victims of last September's flooding in northwest Indiana that a laptop stolen Nov. 4 from a FEMA inspector's car in Griffith contained their names, Social Security numbers and other personal information. Those affected were from Gary, Hammond, Highland, Griffith and Munster. A letter from FEMA received by one of the affected victims last week acknowledged the breach of security and apologized, the Post-Tribune said. (March 16, 2009 - wsbt.com) Veterans Affairs, United 11/1/2008 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft Portland VA hospital mistakenly posts vets' personal data online: Personal information, including some Social Security numbers, of about 1,600 patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site, Portland VA officials said Saturday. The breach also involved patient information from other VA hospitals around the country, but Portland VA spokesman Mike McAleer did not know how many patients were affected nationally. The affected Portland patients had stayed in local lodging at the VA's expense while undergoing treatment at the Portland VA Medical Center, McAleer said. Most were from Oregon. The VA is offering affected patients free credit monitoring and fraud alert services, a step that Congress required in 2006 after previous data security lapses at the VA. The disclosure did not include Social Security numbers of all 1,600 patients, McAleer said. In some cases, only patient names or partial names were posted online. He did not have a breakdown of how many Social Security numbers were released. The release occurred when the VA inadvertently included personal patient information in agency financial records transferred to the federal Web site USAspending.gov, McAleer said. The site allows the public to search for details of government contracts and spending. He said the records transferred involved the VA's spending on behalf of patients at local hotels. VA officials removed the information from the Internet as soon as they realized it was there, but McAleer did not know how long the information was publicly available. The Portland VA began notifying affected patients about the lapse by letter a little more than a week ago. "We sincerely apologize for any inconvenience or worry this may have caused you," said one letter from David Stockwell, acting director in Portland. VA patient Mary Birmingham of Wilderville, near Grants Pass, received a letter last week saying that her Social Security number had been disclosed. She said she had resisted VA suggestions that she access her records on the Internet because she feared such a lapse. (November 1, 2008 - The Oregonian) United States 10/4/2008 Cyber/Identity Risks Digital Data Breach, Department of the Army Loss, or Theft Army waited to tell of possible security breach: VILSECK, Germany - U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer. Authorities know the names, Social Security numbers and health information of at least 26 individuals were stored on the laptop, according to a news release sent Monday from the U.S. Army Medical Department Activity, Bavaria. However, officials said similar information on approximately 6,000 other patients also may have been on the missing computer, though they don't know for sure. According to the release, the laptop went missing on Oct. 4. Notices that were sent to the beneficiaries on Nov. 24 were characterized as a precaution. The letters were addressed to not only beneficiaries in the affected region, but to people from other regional commands in the United States and elsewhere that may be affected, the release states. The release did not explain why Army medical officials waited so long to notify the public. In a phone interview late Monday, Lt. Col. Henry Spring, the unit's deputy commander of clinical services, attributed the delay to bureaucracy, privacy issues, the need to provide reliable information and a concern over unduly scaring people. The employee, who was not named, was en route to a temporary duty assignment when they lost track of the backpack prior to boarding their train, said Anne Torphy, a unit spokeswoman. (December 2, 2008 - Stars and Stripes) National Archives & 10/1/2008 Cyber/Identity Risks Digital Data Breach, Records Administration Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 12

Sensitive data missing from National Archives: WASHINGTON-The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures, congressional officials said Tuesday. One of former Vice President Al Gore's three daughters is among those whose Social Security numbers were on the drive, but it was not clear which one. Other information includes logs of events, social gatherings and political records. Archives spokeswoman Susan Cooper said in a written statement that the agency was preparing to notify affected individuals of the breach. The representative of former President Bill Clinton has been notified, but Cooper gave no indication whether the former president's personal information was on the hard drive. "The drive contains an as yet unknown amount of personally identifiable information of White House staff and visitors," the statement added. The FBI is conducting a criminal investigation of the matter, according to Rep. Edolphus Towns, D-N.Y., chairman of the House Oversight and Government Reform Committee. Towns and the committee's senior Republican, Rep. Darrell Issa of California, said they would continue to seek more information. The drive is missing from the Archives facility in College Park, Md., a Washington suburb. The drive was lost between October 2008 and March 2009 and contained 1 terabyte of data enough material to fill millions of books. A Republican committee aide who was at the inspector general's briefing said the Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The aide, who was not authorized to be quoted by name, said the hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing. Committee staff members were told there is a copy of the massive amount of information, but Archives officials have only just begun to learn what was on the drive. (May 19, 2009 - Associated Press) United States 7/3/2008 Cyber/Identity Risks Digital Data Breach, Department of the Army Loss, or Theft Army records on stolen laptop: A laptop computer that was reported stolen from an Army employee's truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials. A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft. Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property. The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman. Federal agencies have stepped up their security requirements for personal information stored on laptops and portable hard drives in the wake of several high-profile laptop thefts within the past two years, notably at the Department of Veterans Affairs. In May 2006, VA officials said a stolen laptop contained the Social Security numbers and other personal information of as many as 26 million veterans. It was later recovered and department officials said the information wasn't compromised. In this case, an Army employee told Lacey police he left the laptop and a 500 -gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3. He reported them stolen about 10 a.m. on July 4. He told police there was no classified, secret or top-secret information on the laptop and the hard drive. Lacey police redacted the man's name from a copy of the report it released Thursday. Fort Lewis declined to identify him pending the military's investigation. Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor's permission. They're also supposed to be password-protected and personal information is supposed to be encrypted, Caruso said. (July 11, 2008 - thenewstribune.com) A 17-year-old Lacey boy faces a charge of suspicion of possession of stolen property after Tumwater police uncovered items from vehicle prowls, including a stolen Army laptop containing information on Fort Lewis soldiers. (July 11, 2008 - privacyrights.org) Walter Reed Army 5/21/2008 Cyber/Identity Risks Improper Medical Center Disposal/Distribution, Loss or Theft (Printed Records) Patients Personal Data Compromised In Walter Reed Army Medical Center: Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, rising identity theft concerns and an investigation by the Army. The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. Names, Social Security numbers, birth dates and other information were released, hospital officials said Monday. The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said. Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised. (June 3, 2008 - cyberinsecure.com) Internal Revenue Service 5/15/2008 Cyber/Identity Risks Improper Disposal/Distribution, Loss or Theft (Printed Records) Through the wonders of modern technology, some of those federal economic stimulus checks are being deposited directly into recipients' bank accounts. But some are not -- and are instead winding up in the bank accounts of complete strangers. "We do know of instances of problems; we've heard of situations where stimulus checks have gone to the wrong people's bank accounts," conceded Kevin McKeon, the Internal Revenue Service spokesman for the New York region. "We're getting a lot of calls to the toll-free number." One taxpayer, who asked not to be identified, reported that he had discovered an unexpected deposit of $1,800 in his bank account. He said it was a deposit from the IRS bearing another taxpayer's Social Security number. He said he contacted the IRS and was told by an agent that the deposit was one of 15,000 misrouted checks sent out incorrectly as a result of a computer programming glitch. McKeon said he could not confirm that figure or that a computer problem was responsible. The stimulus checks are for up to $600 for a qualifying single taxpayer, $1,200 for a couple filing jointly, and $300 additional per child. Distribution began in late April, starting with taxpayers who had requested electronic deposits, and are continuing in weekly waves based on the ending digits in Social Security numbers. Paper checks will be sent out in the same way up until July 11. "Overall, the vast majority of stimulus payments are going out timely and accurately to taxpayers," the IRS said in a statement issued in response to questions from Newsday. "To date more than 29 million stimulus payments totaling more than $27 billion have been issued." Those receiving misdirected IRS deposits must report the mistake to their bank, McKeon said. Similarly, paper checks sent to incorrect recipients must be mailed back to the IRS, he said, and any money spent before the recipient is aware of the mistake must be repaid. (Newsday, May 16, 2008) Naval Facilities 5/1/2008 Cyber/Identity Risks Digital Data Breach, Engineering Service Loss, or Theft Center

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 13

Navy took more than a year to announce personal data breach: In case of danger or a natural disaster, the U.S. Navy can rapidly dispatch troops, fighter jets or relief supplies to troubled areas around the world. So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released. The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach. E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not. An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees. The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised. This note even indicates where a sample letter can be found on the Navy's Web site. But the 244 employees subsequently increased from 128 were not notified until much later. On Oct. 9, 2009, Capt. P.B. Gomez, commanding officer of the engineering service center, sent a letter to employees calling the breach a potential compromise of your Personally Identifiable Information (PII) that was recently brought to my attention although it occurred over a year ago. In a letter to Navy officials, Raether said the harm to employees could go beyond identity theft, because that can lead to a poor credit rating, which could affect an employee's security clearance. Employees are at risk and face loss of reputation and then face the loss of their security clearance for the failure of the Command to act to protect them and to ensure that procedures are followed to make it harder for it to happen again," Raether wrote. Officials at the engineering service center declined to answer several specific questions submitted by Federal Diary. As "our command's official response," the public affairs office did provide a copy of a letter from Gomez who was not in charge at the time of the breach to the editor of the Ventura County Star, which broke the story. The Navy did provide employee organizations a limited amount of information in reply to questions they submitted. The answers, however, were not very informative and in some cases directly contradict what was in the e-mails. In answer to a question about why it took so long for employees to be notified, the Navy told the Federal Union of Scientists and Engineers that in June 2008 the command believed there was no compromise of PII as the information was provided only to members of the command who already had access to this information in the performance of their duties. The notion that officials didn't believe there was a compromise of personal information is challenged not only by the June 9, 2008, e-mail from the privacy team leader, but also by a June 6 e-mail from NAVFAC Wash, Naval Facilities Washington, which says, NFESC needs to make a notification of the PII breach today. Today didn't come until more than a year later. (April 2, 2010 - washingtonpost.com) United States 4/28/2008 Cyber/Identity Risks Digital Data Breach, Department of Defense Loss, or Theft Intruders breach TMA server: The Defense Department announced April 28 that someone broke into a Tricare Management Activity public server and gained access to information. The compromised information included personal information about military employees, DOD officials said. As a result of this incident, we immediately implemented enhanced security controls throughout the network and installed additional monitoring tools to improve security of existing networks and data files, said William Winkenwerder Jr., assistant secretary of defense for health affairs. Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve. Investigators do not know the motive for the crime or whether the information has been misused. The Defense Criminal Investigative Service is participating in an investigation. DOD sent letters to employees who were affected by the intrusion to inform them of potential identity theft. (April 28, 2006 - fcw.com) Library of Congress 4/1/2008 Cyber/Identity Risks Identity Theft/Fraudulent Use or Access Pair Charged in Identity Theft Scheme: A former Library of Congress employee and a relative have been charged with stealing the identities of federal workers and using the purloined names to buy thousands of dollars in goods, authorities said yesterday. William Sinclair Jr., 27, of Southeast Washington was charged in U.S. District Court with conspiring to commit wire fraud. The charge came in "criminal information," a document that can be filed only with the defendant's consent and generally means that a plea deal is near. Sinclair worked in the human resources department of the Library of Congress and used a government database in April and May to obtain the names, birthdates and Social Security numbers of at least 10 library employees, prosecutors said. He passed the information to Labiska Gibbs, 35, of Southeast Washington, a second cousin who used the information to open credit accounts at retailers including Target, Radio Shack and Circuit City, prosecutors said. Prosecutors said the stores lost more than $38,000. Gibbs was indicted by a federal grand jury on charges of conspiracy, wire fraud and aggravated identity theft. The charges against Gibbs and Sinclair were unsealed. State, United States Dept 3/1/2008 Cyber/Identity Risks Identity Theft/Fraudulent Of Use or Access State Department warns of possible identity theft: WASHINGTON (AP) - The State Department said Friday it has warned nearly 400 passport applicants of a security breach in its records system that may have left them open to identity theft. The department has so far notified 383 people. Most of them in the Washington, D.C. area that their passport applications containing personal information, including Social Security numbers, may have been illegally accessed and used to open fraudulent credit card accounts, spokesman Sean McCormack said. More may be notified as an investigation continues, he said, adding that most of those contacted had not been victimized by identity thieves but all have been offered free credit monitoring for a year. The breach came to light in March around the same time the department was grappling with cases of workers improperly snooping in the passport application files of presidential candidates, celebrities and athletes, McCormack said. However, he said the cases are not related. The department notified the 383 passport applicants of their potential vulnerability in August and earlier this month while working with Washington police investigating a credit card and identity theft ring, he said. The ring was exposed after the March arrest of a man found with 19 credit cards in different names and eight completed passport applications. The names of four of those applicants matched those on four of the credit cards, according to documents filed in the U.S. District Court for the District of Columbia. McCormack declined to comment on how the man obtained the applications, but said at least one State Department worker had been reassigned and might face further disciplinary action pending completion of the investigation. Following the passport snooping incidents, the department stepped up security for its passport records management, restricting the number of people with access and stepping up mandatory audits and monitoring of the files. (October 31, 2008 - The Associated Press) Army United States 2/29/2008 Cyber/Identity Risks Digital Data Breach, Department Of Loss, or Theft Military IDs, Equipment Stolen over Weekend: MILWAUKEE -- More than 200 military identification cards, and equipment that can be used to make more, was stolen during a burglary at a U.S. Army Reserve Center on Milwaukee's northwest side over the weekend, police said Monday. It was sometime between 3 p.m. Friday and 9:45 a.m. Sunday, approximately 200 military ID cards, 10 to 12 used military ID cards and a laptop computer that can be used to make them went missing. Police said an office door at the facility, at 4828 W. Silver Spring Drive, was pried open. (March 3, 2008 - wisn.com) National Institutes of 2/23/2008 Cyber/Identity Risks Digital Data Breach, Health Loss, or Theft Patients' Data on Stolen Laptop: A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institute of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy. NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday almost a month later. They said they hesitated because of concerns that they would provoke undue alarm. The handling of the incident is reminiscent of a 2006 theft from the home of a Department of Veterans Affairs employee of a laptop with personal information about veterans and active-duty service members. In that case, VA officials waited 19 days before announcing the theft. The incident is the latest in a number of failures by government employees to properly secure personal information. This month, the Government Accountability Office found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft. NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute's research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed. (March 24, 2008 - Washington Post)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 14

Federal Energy 2/20/2008 Cyber/Identity Risks Improper Regulatory Commission Disposal/Distribution, Fitness Center Loss or Theft (Printed Organization Records) FERC reports loss of former employee personal information: The Federal Energy Regulatory Commission (FERC) today reported the loss of a binder containing the Personally Identifiable Information of 2,810 former employees, including Commissioners, who had left government service between October 1983 and August 2007. The likelihood is low that the information, in a three-ring binder located in an office in the Human Resources Division of FERC's Office of the Executive Director, was exposed. The binder contained copies of packing slips for all boxes of official personnel files for FERC employees who had left government service during that time. The boxes of files were shipped to the National Archives and Records Center in St. Louis, Mo. Copies of the packing slips included names and Social Security numbers of the former employees. Periodically, Human Resources staff prepares and ship former employees' official personnel files to the National Archives and Records Center. The binder was last used on Feb. 20, 2008. On March 3, 2008, the binder was reported missing and was presumed to be lost during an office move. During that move, Human Resources employees were cleaning out and disposing of old files and materials from the locked office. A complete search of all personal and common work areas by Human Resources officials did not recover the binder. An official investigation by FERC's Information Technology Security Division determined there was a high probability that the binder was discarded in the trash, resulting in a low probability that the information was compromised. Herlihy has sent letters to all affected former FERC employees notifying them of the situation and offering assistance to protect their identities and credit information. (April 4, 2008 - ferc.gov) Veterans Affairs, United 2/1/2008 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft Stolen VA laptop caught in safety net: The Veterans Affairs Department lost another laptop PC, but the department was better prepared this time. When an employee at VA's Austin Corporate Data Center in Texas had his laptop stolen from his apartment last month, the department's revamped security policies and new security technologies were put to the test. Unlike what happened when a VA laptop was stolen in 2006, data on the newly missing laptop was protected by encryption, and VA officials knew exactly what equipment was missing. VA protected the laptop with GuardianEdge full-disk encryption. No one lacking proper authentication could do more than turn on the computer. The encryption software would block unauthorized users from accessing the data, Martinez said. In the latest incident, the employee immediately reported the theft to VA and the Austin police department. Because VA followed information technology security policies and procedures, officials could determine that no sensitive data resided on the laptop. On the evening of the theft, Austin police recovered the laptop in a raid on a convenience store suspected of involvement in drug activity. Police noticed the VA insignia flashing on a laptop running in the back of the store. Believing it might be stolen government property, the police took possession of it and notified the Homeland Security Department, which contacted VA and returned it. The only damage was a broken lock. The employee whose laptop was stolen had permission to bring the laptop home, where he had locked it down to furniture. (March 3, 2008 - fcw.com) United States Secret 2/1/2008 Cyber/Identity Risks Digital Data Breach, Service Loss, or Theft In February 2008, Law enforcement and congressional sources working for the U.S. Secret Service accidentally left a pouch containing two computer backup tapes on a train in Washington's Metrorail subway system. The tapes contained very sensitive Secret Service personnel and investigative information, and if accessed could be highly damaging. The contractor was transporting the pouch from Secret Service headquarters in Washington to a now-closed data facility in Maryland. The sources say the contractor got off a Metro train, and later realized the pouch had been left behind. The Secret Service and the Metro police were contacted, and an aggressive search took place. According to one source, the tapes have not been recovered. It is now the subject of an investigation by the Department of Homeland Security's Office of Inspector General, according to a congressional source. Marine Corps Community 1/11/2008 Cyber/Identity Risks Digital Data Breach, Service Loss, or Theft Personal data potentially compromised: Marine Corps Bases Japan officials are investigating the Jan. 11 theft of a laptop computer, which contained personally identifiable information for as many as 4,000 clients of Marine Corps Community Services' New Parent Support Program. According to Marine Corps officials, the laptop may contain names, ranks, social security numbers, dates of birth, children's names and mailing addresses of U.S. military service members, U.S. government employees and Status of Forces Agreement personnel on Okinawa and Marine Corps Air Station Iwakuni. It does not include driver's license numbers or bank and credit card information. Marine Corps Bases Japan and MCCS officials are working together with J&E Associates, a federal contractor for MCCS and owner of the computer, to notify potentially affected personnel as soon as possible, according to Garn. There is no evidence the information has been misused. (February 1, 2008 - Consolidated Public Affairs Office) Oak Ridge National 12/6/2007 Cyber/Identity Risks Digital Data Breach, Laboratory Loss, or Theft Oak Ridge National Lab Reports Sophisticated Cyber Attack: The Oak Ridge National Laboratory revealed today that a sophisticated cyber attack over the last few weeks may have allowed personal information about thousands of lab visitors to be stolen. Lab officials said the assault appeared to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. But at Oak Ridge, they say, hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004. The lab estimates 3,000 researchers annually come to the facility, a major DOE energy research and high-performance computing center. Officials stressed that no classified data was compromised. The lab has sent letters to about 12,000 potential victims. The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab's computer security. (December 6, 2007 - Associated Press) United States Air Force 11/19/2007 Cyber/Identity Risks Digital Data Breach, Loss, or Theft Montgomery Man's Personal Information on Missing Military Computer: J.J. Evans spent 24 years in the Air Force protecting our country. Now he's angry because he says the military didn't protect his personal information. Air Force officials sent Evans a letter detailing how a military laptop computer is missing and it contains personal information including social security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. The laptop belonged to an Air Force band member at Bolling Air Force Base in Washington D.C. He reported it missing from his home. Something else that concerns Evans, the laptop turned up missing November 19, according to the Air Force. It didn't send out the letter until nearly a month later. There were 10,501 records exposed. (December 28, 2007 - wsfa.com) United States 11/11/2007 Cyber/Identity Risks Digital Data Breach, Department of Veterans Loss, or Theft Affairs Computers Stolen from VA Hospital in Indianapolis: Today, the Department of Veterans Affairs (VA) notified Ranking Member Steve Buyer (R-Ind.) that two personal computers and a laptop computer were allegedly stolen from an unsecured room at Roudebush VA Medical Center in Indianapolis, Indiana on Veterans' Day weekend. Law enforcement and VA authorities were immediately notified. One of the stolen computers contained the names, social security numbers and dates of service of approximately 12,000 veterans. Local and state police and the FBI are investigating the incident. I am upset that the VA repeatedly fails to comply with its own policy to safeguard veterans' personal information, Buyer said. The VA must give immediate assurance to over 12,000 veterans that it will provide full credit monitoring and protection of sensitive personal information. I am outraged that these computers were stolen from Roudebush VA hospital over Veterans' Day weekend, and I call upon those who may have taken these computers to return them immediately. (November 15, 2007 - Inside Indiana Business) Tri Care Management 11/7/2007 Cyber/Identity Risks Digital Data Breach, Activity Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 15

Letters are in the mail to about 4,700 households who submitted claims through the Tricare Europe office since 2004 about a data breach involving their personal information a month after the breach was reported. Electronic Data Systems notified Tricare on Nov. 7 that they had not properly secured a part of the system it maintains for Tricare, and "certain external entities" had been allowed access to a file with personal information. That file contained full or partial Social Security numbers. For one or more members of each household, it included their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to Tricare Management Activity. United States Army 11/1/2007 Cyber/Identity Risks Digital Data Breach, Acquisition Support Loss, or Theft Center Army Shuts Down Site for Scrubbing" A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information. The Army's Acquisition Support Center has temporarily shut down its website to scrub the information from the spreadsheet, following FederalNewsRadio's request for an interview. The spokesman's email stated that the agency was investigating why the information had been included on the spreadsheet to begin with, and why it was still on the website five months after ASC was notified of its presence. A computer expert who works for a federal contractor was surfing the web while doing research and found the spreadsheet in November. The file contained a list of Colonels and civilians who managed programs within ASC. Visible columns listed their name, rank, program and organization. In Microsoft Excel, however, every column is labeled with a letter of the alphabet, and the columns in this spreadsheet read, "A-B-D-E," indicating that column C was hidden. A simple command, "unhide," revealed the column of Social Security numbers. FederalNewsRadio has obtained a copy of the email sent by the expert to ASC warning of the presence of the SSNs. The agency responded to the expert that the matter was being turned over to its executive officer for "review and correction." But the information was still present on ASC's Web site on April 3, five months to the day after ASC promised it would be corrected. FederalNewsRadio contacted one person on the list, to confirm the number shown next to his name was in fact his Social Security number. The man declined to directly confirm the number, but he was clearly shocked, and asked several questions, including requesting the link so he could see it for himself. As he is already a victim of the breach, FederalNewsRadio agreed not to identify him. While only a handful of people were affected by the lapse, it is a violation of federal policy. Part of the military's reluctance might be because the OMB memo makes clear that no additional funds will be budgeted to cover the cost of change. Cate and Schwartz both agreed that PII leaked over the Internet is much more dangerous than widely publicized incidents involving lost and stolen laptops containing similar information, because once on the web, data lives forever. (April 4, 2008 - FederalNewsRadio) Transportation Security 10/12/2007 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft TSA Laptops with Personal Info Missing: Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen. The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers. The contractor told TSA that the personal information was deleted from the computers before they were stolen, the letter stated. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills could recover the personal information that the contractor deleted. News of the security breach came the day before TSA begins collecting similar personal information from employees with access to areas at the port of Wilmington, Del. The Transportation Worker Identification Credential program is set to launch in Wilmington on Tuesday. Eventually 750,000 employees across the country with access to port areas will be required to submit information for background checks. Since the two laptops were stolen, TSA has instructed the contractor to fully encrypt hard drives. The TSA program, called the Hazardous Materials Endorsement Threat Assessment, collects information for security-clearance purposes for any driver who transports hazardous materials. These assessments were mandated in the Patriot Act. United States Marine 9/1/2007 Cyber/Identity Risks Identity Theft/Fraudulent 2008 CV 00215 Texas Corps Use or Access Military computer contractor convicted on ID theft charges: A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees, the U.S. Department of Justice said. Randall Craig, 41, of Houston, pleaded guilty Friday to both counts of an indictment returned in April by a grand jury in U.S. District Court for the Southern District of Texas. Craig acknowledged selling information contained in a military database to a person he believed to represent a foreign government, according to the U.S. Attorney's Office for the Southern District of Texas and the U.S. Federal Bureau of Investigation. The person who purchased the names and Social Security numbers from Craig was an undercover FBI agent, they said. Craig worked as a private computer contractor at the Marine Corps Reserve Center in San Antonio, Texas, in September 2007, and he had access to personal information of U.S. Marines in the center's database, the DOJ said. On Feb. 6, Craig met with someone he believed to be a representative of a foreign government at the Houston airport to discuss the sale of a thumb drive containing the information Craig had obtained from the military database, the DOJ said. Craig sold the thumb drive for US$500, the agency said. A forensic examination conducted by the Naval Criminal Investigative Service determined the data was from the Marine Corps Reserve Center where Craig worked, the DOJ said. The thumb drive contained personal information of 17,000 people assigned to the Battalion of the U.S. Marine Corps in San Antonio, the DOJ said. The investigation found that none of the information obtained by Craig was sold to others or otherwise compromised. At a Feb. 22 meeting with the FBI undercover agent, Craig said he had made efforts to contact other foreign countries in an attempt to offer his services, the DOJ said. The undercover agent and Craig discussed future contact, using cell phones and e-mail. The conviction for exceeding authorized access to a computer for financial gain carries a maximum sentence of five years in prison. Aggravated identity theft carries a mandatory two year-sentence that must be served consecutive to any sentence imposed for the charge of exceeding authorized access. Both counts also include maximum fines of $250,000. Craig is scheduled to be sentenced July 28. He is being held in federal custody without bond, the DOJ said. On March 29, 2009, Defendant Randall Craig was sentenced to 48 months imprisonment as to Count 1 and 24 months as to Count 2, 3 years SRT as to Count 1 and 1 year SRT as to Count 2, $5,000 fine and $200 special assessment. On July 10, 2010, the US Court of Appeals affirmed the District Court's judgment as to Defendant Randall Craig's notice of appeal. United States 8/17/2007 Cyber/Identity Risks Improper Department of the Army Disposal/Distribution, Loss or Theft (Printed Records) Army Documents With Personal Data Found in Trash Bin: Police say boxes of documents containing personal information from the Walter Reed Army Institute of Research were supposed to be shredded but instead turned up last week in an off-base trash bin. A resident of a suburban Washington neighborhood near the Army medical research's campus found "numerous boxes" in the trash receptacle on Friday and alerted Montgomery County police. Officers eventually returned the boxes to the research center. A spokeswoman for the U.S. Army Medical Command says the files were research study records. An investigation is under way to determine precisely what information they held and why they appeared off base. Police say most were from the late 1990s and were likely placed in the bin on Friday. The records were supposed to be shredded by a Walter Reed research division employee. No foul play is suspected and no charges were filed. Police do not believe anyone had access to the information other than the person who found the records and called authorities. (August 21, 2007 - WJLA) United States Marine 7/6/2007 Cyber/Identity Risks Digital Data Breach, Corps Loss, or Theft Marines' personal data exposed on Web: Some Marines. Personal information, including names and Social Security numbers, was inadvertently posted online recently, exposing more than 10,000 leathernecks to potential identity theft, the Corps announced. Under a research contract, Penn State University obtained from the Corps the personal information of Marines who had rifle range prequalification records while attending Marine Corps Recruit Depot Parris Island, S.C., from January 2004 through December 2006. The data belonging to 10,554 Marines was improperly posted, by Penn State, according to a Corps-wide message. The information was then cached by the Google Internet search engine, states MarAdmin 443/07. The issue came to light when one of the affected Marines googled his own name and found the posting, said Maj. Tim Keefe, a spokesman at Quantico, Va. The Marine notified Penn State officials, who immediately took the information off the Internet and notified the Corps of the problem July 6. The message advises Marines to review their credit reports and look for suspicious activity, such as loans or new accounts they did not request, or activity on an old or inactive account. Requests for comment from Google and Penn State were not immediately answered. (July 26, 2007 - marinecorpstimes.com)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 16

Transportation Security 5/3/2007 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft TSA Loses Hard Drive with Personal Info: The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees. Authorities realized Thursday the hard drive was missing from a controlled area at TSA headquarters. TSA Administrator Kip Hawley sent a letter to employees Friday apologizing for the lost data and promising to pay for one year of credit monitoring services. In a statement released Friday night, the agency said the external or portable hard drive contained information on employees who worked for the Homeland Security agency from January 2002 until August 2005. TSA, a division of the Homeland Security Department, employs about 50,000 people and is responsible for security of the nation's transportation systems, including airports and train stations. The agency added a section to its Web site Friday night addressing the data security breach and directing people to information about identity theft. It's the latest mishap for the government involving computer data. Last year, a laptop with information for more than 26.5 million military personnel, was stolen from a Veterans Affairs Department employee's home. Law enforcement officials recovered the laptop and the FBI said Social Security numbers and other personal data had not been copied. Federal Emergency 4/16/2007 Cyber/Identity Risks Improper Management Agency Disposal/Distribution, Loss or Theft (Printed Records) FEMA's Unfortunate Privacy Disaster: Sometimes when they are not busy dealing with natural disasters, FEMA folks just make up their own. We got this letter the other day from Glenn M. Cannon, assistant administrator in the Disaster Operations Directorate. Dear Disaster Generalist, he wrote to about 2,300 people on April 16, an unfortunate administrative processing error at FEMA has resulted in the printing of Social Security numbers on the outside address labels of Disaster Assistance Employee (DAE) reappointment letters. The mail distribution center mishandled the letters, he said, creating this unintentional release of Privacy Act information. Once it figured out what happened FEMA sprang into action. Everyone affected will get identity theft protection for one year free of charge, Cannon said. But wait! That's not all! Each affected employee will receive a personal telephone call to apologize and explain the actions FEMA will take to minimize the impact, he said. And from now on employees will be given personal identification numbers so the agency won't need to use Social Security numbers. (April 23, 2007 - Washington Post) Veterans Affairs, United 4/7/2007 Cyber/Identity Risks Identity Theft/Fraudulent States Dept Of Use or Access Man arrested in theft of 1.8 million Social Security numbers: A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain. The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file. Tae Kim, 28, was booked at Orange County Jail and is being held in lieu of $1 million bail after being arrested at 5 p.m. Thursday at a car wash in Koreatown, police said. On April 7, two Asian men identified as Kim and Justin Hong, purchased jewelry from Jewelry Exchange at 15732 Tustin Village Way using three skimmed cards belong to three different victims, one of whom was actor Marlon Wayans, Strain said. Kim was on formal probation and a search was conducted at his Los Angeles residence June 14 where a computer was taken as evidence. After a search warrant was obtained, police found the Social Security numbers hidden in a computer file. Kim had worked at the Veteran Affairs office since 2003 when he was a student at USC but quit in February of this year when he discovered a background check would be conducted. Authorities from the Orange County District Attorney's Office, LAPD and U.S. Marshalls have been attempting to arrest Kim since August. Kim is believed to be a member of Koreatown Gangsters, police said. He faces eight different charges, including commercial burglary, fraudulent use of an access card, identity theft, and criminal street gang activity and computer access fraud. Justin Hong is in L.A. County Jail awaiting trial for a gang related murder. A warrant for his arrest is also pending filing with the court. (November 16, 2007 - The Orange County Register) United States Dept Of 3/19/2007 Cyber/Identity Risks Digital Data Breach, Army Loss, or Theft Laptop computer containing info on 16,000 Fort Monroe employees stolen: A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees at Fort Monroe was stolen from one of the employee's personal vehicle, officials said Monday. The computer was password protected, Army officials said, and did not contain bank account or bank routing information. The potentially affected employees all work at the U.S. Army Training and Doctrine Command, which has Fort Monroe as its headquarters. Officials said the Army Criminal Investigation Command and local law enforcement were investigating, and TRADOC was looking into whether some policies need to be changed. (March 26, 2007 - Associated Press) Veterans Affairs, United 1/22/2007 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft Missing Veterans Affairs hard drive sparks identity theft fears: The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen. On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved. On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate. The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information. (February 2, 2007 -James W. Crawley, Media General News Service) State, United States Dept 12/1/2006 Cyber/Identity Risks Digital Data Breach, Of Loss, or Theft Bag of 700 passport forms goes missing: A bag of about 700 passport applications is missing and a handful of Utahns are among the impacted applicants. The bag was reported missing by the U.S. State Department on Dec. 1, when the applications were supposed to be shipped by commercial air from Los Angeles to the State Department's Passport Center in Charlotte, N.C. We've conducted a pretty comprehensive search, said Steve Royster, spokesman for consular affairs with the State Department. We're continuing to work at locating them. In the meantime, applicants including Matthew Schneider, 16, have been getting letters and phone calls from State Department officials. His father, Dave Schneider, the sports editor for the Deseret Morning News, is worried about identify theft. His son is planning a humanitarian trip for next year with a group headed to Kenya. The goal was to have a passport in hand by Feb. 1, in time to apply for a visa. Most of the applications in the missing bag appear to be from California and Texas, Royster said. He wouldn't speculate on just how many from Utah were in the bag, only that there weren't a lot. Many of the applications listed detailed personal information, such as a Social Security number, address and phone number. Schneider's son included his old passport and original birth certificate with his application. (December 22, 2006 - deseretnews.com) Internal Revenue Service 12/1/2006 Cyber/Identity Risks Digital Data Breach, Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 17

26 IRS tapes missing from City Hall: Twenty-six IRS computer tapes containing taxpayer information are missing after they were delivered to City Hall months ago. City and IRS officials on Thursday either would not or could not say exactly what information is on the tapes or the number of taxpayers whose information is on the tapes. But the information potentially could include taxpayers' names, Social Security numbers and bank account numbers, or they could contain employer information. The tapes require special equipment to read and software that is not commonly used, so the average person could not access the information, said Assistant City Manager Rich Noll. Noll said he became aware of the disappearance in late December. He said the city was supposed to have the tapes for a specific period of time, but they apparently were not returned to the Treasury Department in a timely manner, triggering the investigation. Employees in the city's Office of Management and Budget and the Finance Department were sent home early on Jan. 3 and their offices were searched, but the tapes were not found. Noll said he did not think the tapes contained images of tax forms. He said he did not think there was significant risk that sensitive taxpayer information had been inappropriately released, but he could not say there was no risk. (January 19, 2007 - kansascity.com) United States 11/1/2006 Cyber/Identity Risks Digital Data Breach, Department of the Air Loss, or Theft Force Laptop with data on 1,000 West Virginia guardsmen stolen: A laptop containing personal information on about 1,000 members of a West Virginia Air National Guard unit has been stolen. Members of the Charleston based 130th Airlift Wing were sent letters notifying them of the theft. The guardsmen also were warned to be alert for identity theft, although there is no indication that the information has been accessed, said Lt. Col. Mike Cadle, a Guard spokesperson. Cadle said the laptop was stolen from a military member in November during an out of state trip to a training school. He said he could not provide the location or any other details because it could hinder the investigation. The Air Force Office of Special Investigations and police are investigating the theft. (December 6, 2006 - Associated Press) Homeland Security, 10/16/2006 Cyber/Identity Risks Digital Data Breach, United States Loss, or Theft Department Of Federal Security Drive Lost At PDX: PORTLAND - Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost. A federal security director says they're relatively confident that it "got scraped into the trash, and it's gone." The agency has spent several days trying to determine what information was on the drive and where it had gone. The device, called a ThumbDrive, turned up missing Oct. 16 at the Transportation Security Administration's command center at Portland International Airport. The agency has about 500 employees statewide who oversee airport security checkpoints. When the device was last backed up a month ago, it contained the names, Social Security numbers, addresses and telephone numbers of the current workers and roughly 400 former ones in Oregon. (25 October 2006 - KOIN6 News) United States Marine 10/3/2006 Cyber/Identity Risks Digital Data Breach, Corps Loss, or Theft Marine Base Seeks Missing Laptop: A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost, authorities said Friday. The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. The company and Camp Pendleton are investigating. As of Friday, investigators had not found evidence that the data had been accessed, the base said in a statement. Authorities would disclose what kind of information was on the computer. Lincoln B.P. officials were notifying residents. "We take this matter very seriously and are working closely with Lincoln Properties to find out what happened and to safeguard the personal information of our Marines, sailors and their families," said Col. James B. Seaton III, the base's commanding officer. (October 6, 2006 - Las Vegas Sun) Census Bureauthe Us 10/1/2006 Cyber/Identity Risks Digital Data Breach, Loss, or Theft Census Bureau admits privacy breach: The Census Bureau inadvertently posted personal information from 302 households on a public Internet site multiple times over a five-month period, the bureau said Wednesday. The information included names, addresses, phone numbers, birth dates and family income ranges, said Ruth Cymber, the agency's director of communications. No Social Security numbers were posted, and there is no evidence that the data was misused, Cymber said. The bureau is in the process of contacting the households, located in nine states and the District of Columbia, to offer free credit-monitoring services. The information was on and off the public Web site from October to Feb. 15 as Census employees working from home tested new software, Cymber said. The workers were supposed to use fictitious information to test the site, but they inadvertently mingled data from the bureau's Current Population Survey, a monthly survey best known for generating the nation's employment statistics. Cymber said the real and fictitious data were indistinguishable. The information could have been accessed through a search engine on the Census Bureau's Web site used to disseminate large data files. She said she didn't know whether the data actually was accessed by anyone. The affected households were located in Alabama, Alaska, Arkansas, Arizona, California, Colorado, Delaware, Florida, Connecticut and Washington, D.C. (March 7, 2007 - Associated Press) Federal Aviation 9/29/2006 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft FAA data in Oberlin computer lost: The names and Social Security numbers of at least 400 air traffic controllers are missing from a computer at the Cleveland Air Route Traffic Control Center in Oberlin, a union official says. Bill Liberty, president of the facility's National Air Traffic Controllers Association unit, said he was told on Monday by Eric Fox, Oberlin's air traffic control manager, that a computer hard drive with the personal information was stolen. Cory confirmed that personal information for more than 400 controllers was on the missing hard drive, but she declined to specify precisely what the information entailed. A computer technician discovered the loss on Friday when he opened the computer to install a new DVD drive, Liberty said. The missing data could be used to apply for credit cards or loans. Cory confirmed that to remove the hard drive someone would have to open a computer casing and unscrew and detach the device. She said someone may have removed the hard drive for a legitimate reason, but no one has come forward with that information. Liberty said the training room is locked between 3 p.m. and 6 a.m. when not being used for training. Liberty said investigators speculated someone stole the hard drive for spare parts. He's skeptical. (October 6, 2006 - Michael Sanglacomo, The Plain Dealer) Veterans Affairs, United 9/6/2006 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft Your identity may be stolen, vets are warned: The feds are warning hundreds of war veterans that they could become victims of identity theft because a computer was stolen from the Manhattan Veterans Affairs Medical Center. The computer storing veterans' personal information was snatched Sept. 6 from the E. 23rd St. hospital, according to an Oct. 20 letter sent to veterans. Rep. Carolyn Maloney (D-Manhattan) released the letter yesterday and blasted VA officials for failing to warn veterans sooner. "The VA seems to be mishandling this situation at every step of the way - first they lost yet another computer, then they waited almost two months to tell veterans that their identities might be at risk," Maloney said. (November 2, 2006 - Bill Hutchinson) Transportation Security 8/25/2006 Cyber/Identity Risks Improper Administration Disposal/Distribution, Loss or Theft (Printed Records) Former TSA workers' data exposed: The Transportation Security Administration is warning 1,195 of its former employees that a contractor may have mailed their Social Security numbers and birth dates to the wrong addresses and left them open to identity fraud. The error, acknowledged in letters the TSA mailed in late August to each of the former employees, is the latest in a series of data breaches that may have exposed workers in both private and government jobs to identity thieves. TSA spokeswoman Amy von Walter said the breach was "an administrative error, and the contractor has taken steps to ensure it's not repeated." Accenture, a contractor that handles TSA personnel, sent 1,195 documents to the wrong former employees during a recent mailing, according to a letter signed by Richard Whitford, TSA assistant administrator for human capital. The documents were standard forms that are sent to employees after they leave the government. The forms often list an employee's Social Security number, birth date and salary. Its unclear how many forms had that information, A Social Security number and birth date can enable a thief to get a credit card fraudulently, Givens said. The odds of that happening in the TSA data breach are "very low," she added, because the forms ended up in the hands of other TSA employees. The TSA, she said, is "a closed community that has very strong security values." The TSA said 244 of the wrongly addressed letters were returned to the agency unopened. (September 6, 2006 - Thomas Frank, USA Today)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 18

Federal Motor Carrier 8/22/2006 Cyber/Identity Risks Digital Data Breach, Loss, or Theft Stolen Laptop May Contain Personal Data On Licenses: A laptop that might contain personally identifiable information on 193 people who have commercial driver's licenses was stolen in Baltimore this week, transportation officials said Friday. The Federal Motor Carrier Safety Administration, part of the Department of Transportation, said the laptop was stolen Tuesday from a government-owned vehicle and was reported to Baltimore police. FMCSA said the computer might contain names, dates of birth and commercial driver's license numbers of 193 people from 40 motor carrier companies. It does not contain financial or medical information, the agency said. The motor carriers have been notified of the potential security breach the FMCSA said. The states that issued the commercial driver's licenses are Alabama, California, Florida, Georgia, Illinois, Kentucky, Maryland, North Carolina, New Jersey, New York, Pennsylvania, Texas and Virginia and Washington, D.C. (August 25, 2006 - thewbalchannel.com) Education, United States 8/21/2006 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft Education Department working to fix software after student loan data breach: The Education Department was working to fix a software glitch in its student loan Web site after users complained that they could see other people's personal data. The department said Wednesday that only a "limited number'' of the program's 6.4 million borrowers were believed to be affected after the problem began Sunday, since not all use the online system. It did not specify how many. The program involves holders of federal direct student loans, not those who have loans managed through private companies. The department blamed the data breach on a routine software upgrade, conducted by Dallas-based contractor Affiliated Computers Services Inc., that appeared to mix up data for different borrowers when they accessed the Web site. Since Sunday, four borrowers have complained, a spokeswoman said. The department said it had disabled the malfunctioning parts of the Web program and will not turn them back on until the problem is fixed. (August 23, 2006 - Associated Press) Federal loan Web site left unprotected: Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online. The problem occurred from the evening of Aug. 20 to the morning of Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid. More than 60 percent of UI students use Direct Loans while attending school, but it is unclear how many were affected, she said, adding that no students had contacted her. Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said. She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said. Upon discovery of the issue Aug. 21, online payment and electronic correspondence options on the Web site were disabled. Errors in other online menu options were discovered Aug. 22 and disabled immediately, the letter stated. The Web site was fixed Sept. 1. Federal Student Aid is offering affected students a free one-year membership to Equifax Credit Watch Gold with 3-in-1 monitoring. The period for enrollment ends Nov. 30. (September 17, 2006 - Brian Morelli, Iowa City Press-Citizen) Education, United States 8/11/2006 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft Laptops with sensitive data stolen from Education contractor: Two laptop computers believed to contain unencrypted personal information about 43 grant reviewers were stolen from an Education Department contractor in Washington, D.C., earlier this month. The laptops, stolen Aug. 11, contained information about grant reviewers for the Teacher Incentive Fund. An official for the contractor overseeing the reviews, DTI Associates of Arlington, Va., said the firm could not rule out the possibility that Social Security numbers, used in the processing of the reviewers' payments, were on the computers. Within minutes of realizing that the laptops had been taken from a downtown Washington office building, Rankin said company officials notified the Metropolitan Police Department. Within an hour, they informed the Education Department. According to Rankin, the police have identified a suspect through the building's security cameras. Rankin said the computers were protected with the Windows login password system, but had no encryption software. (August 29, 2006 - Daniel Pulliam, govexec.com) Veterans Affairs, United 8/3/2006 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft VA loses another computer with personal info: Another computer with veterans' personal information is missing, the Department of Veterans Affairs announced Monday. This time, information on as many as 38,000 living and deceased veterans was on the computer, which was lost by outside contractor Unisys. Officials at the Reston, Va., company notified the VA that that desktop computer was missing on Aug. 3, the VA says. Unisys had been hired to help with insurance collections at VA medical centers in Philadelphia and Pittsburgh. Included on the computer were veterans' names, addresses, Social Security Numbers, dates of birth, insurance carriers and billing information, dates of military service, and claims data, which may include some medical information, the VA said on its Web site. Only veterans who received treatment in the past four years at the two VA medical centers in Philadelphia and Pittsburgh were impacted by the theft, the VA said. The agency estimated that records on the computer include information on about 5,000 patients treated at the Philadelphia facility, 11,000 at Pittsburgh, and about 2,000 deceased patients. The statement also says the computer may have contained information on another 20,000 people who received care through the Pittsburgh medical center. (August 8, 2006 - Bob Sullivan) Us Department Of 7/27/2006 Cyber/Identity Risks Digital Data Breach, Transportati Loss, or Theft Transportation Department Laptop Stolen: A laptop computer belonging to the federal Department of Transportation inspector general's office was stolen last month, putting the sensitive personal information of nearly 133,000 Florida residents at risk, Acting Inspector General Todd J. Zinser said today. The laptop, assigned to a special agent in the Miami office, was stolen from a government vehicle on July 27 in Doral, Fla., Zinser told Florida Gov. Jeb Bush (R) today in a letter obtained by The Washington Post. The computer contains the names, Social Security numbers, birthdates and addresses of 42,792 Florida residents who hold a pilot's license; 80,667 people in the Miami-Dade County area who hold commercial driver's licenses; 9,496 people who took personal driver's license tests or obtained their license from an examining facility near Tampa, the letter said. Zinser wrote that he learned of the laptop theft on July 31, but was unaware that the computer contained sensitive personal information on Florida residents until Saturday, when the IG's office began investigating exactly what was in the laptop and dispatched its agents to Florida. (August 9, 2006 - Christopher Lee and Del Quentin Wilber, Washington Post) United States 7/14/2006 Cyber/Identity Risks Digital Data Breach, Department Of Loss, or Theft Agriculture USDA laptop with personal data compromised: A laptop computer bag was stolen from an Agriculture Department worker's car in Kansas, and the names, addresses and Social Security numbers of about 350 employees may have been accessed, the department said. The case, containing a computer and a printout of the data, has since been returned to a meat plant, department spokesman Ed Loyd said. But it was obvious someone had rummaged through the case, Loyd said. The theft may have affected about 350 full-time and part-time employees and state contractors involved in federal Agricultural Marketing Service meat grading programs in 30 states and the District of Columbia, the department said. Local authorities and the department are investigating the recent theft, which happened Friday in Wellington, Kan., and was discovered on Saturday. The department also is looking into why sensitive employee data was left in a car. Navy, United States 7/7/2006 Cyber/Identity Risks Digital Data Breach, Department Of The Loss, or Theft Navy data again found on public web site: For the second time in two weeks, Social Security numbers and other personal information of Navy personnel have been discovered on an Internet site, triggering an investigation. The Navy said Friday that information on more than 100,000 naval and Marine Corps aviators and aircrew was on the Naval Safety Center Web site and on nearly 1,100 computer discs mailed out to naval commands. There was no indication that the information has been used illegally, said Navy spokesman Lt. Ryan Perry. He said Rear Adm. George Mayer, commander of the Naval Safety Center, had the information removed immediately and officials are looking into how the data was posted on the Web site. The Navy is also attempting to retrieve the computer disks, he said, and individuals whose data was revealed on the Internet were being notified. Both active and reserve members were affected by the latest incident, including aviators who may have served within the last 20 years. The Web site was not identified, but the Navy said the information was removed and there also was no indication the data was used illegally. The Naval Criminal Investigative Service is investigating the matter. (July 7, 2006 - Lolita C. Baldor, Associated Press)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 19

Veterans Affairs, United 6/30/2006 Cyber/Identity Risks Digital Data Breach, States Dept Of Loss, or Theft Indy VA office is missing backup tape with vets' records: The Department of Veterans Affairs is missing a backup tape with more than 16,000 legal case records from an Indianapolis office serving veterans in Indiana and Kentucky. The Indianapolis tape contains personally identifiable information on veterans, their dependents or department employees, such as dates of birth, Social Security numbers, patient records and other documentation related to legal cases handled by the Regional General Counsel's Office. The cases also may involve neighboring states. Nicholson said veterans potentially affected are being notified and will have access to free credit-protection monitoring.. (June 30, 2006 - Maureen Groppe, Star Washington Bureau) Government 6/27/2006 Cyber/Identity Risks Digital Data Breach, Accountability Office Loss, or Theft GAO pulls archived personal data from Web: The Government Accountability Office has pulled from its Web site personal information on certain government employees after discovering that the archived data had been inadvertently posted online. In a recent notice, GAO said the data came from audit reports on Defense Department travel vouchers from the 1970s and included some service members. names, Social Security numbers and addresses. GAO estimates that fewer than 1,000 people were impacted. David Walker, head of the GAO and comptroller of the U.S., ordered the agency to remove the data and directed officials to contact the Pentagon and other affected organizations and urge them to purge similar files. Walker said the information was posted online when GAO began digitally archiving records and putting them on its Web site. Although he said the records "are of little public interest," Walker said his agency is "taking this very, very seriously." GAO said an inspector general's office from another agency discovered the data. (June 27, 2006 - Rob Thormeyer, GCN) Federal Trade 6/22/2006 Cyber/Identity Risks Digital Data Breach, Commission Loss, or Theft FTC Laptop Theft Exposes Consumer Data: The Federal Trade Commission -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- today disclosed a recent theft of two laptop computers containing personal and financial data on consumers. In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers." The commission said it has "no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." The agency also said it would offer affected individuals one year of free credit monitoring. (June 22, 2006 - Brian Krebs, WashingtonPost.com) United States 6/22/2006 Cyber/Identity Risks Digital Data Breach, Department of the Navy Loss, or Theft Sailors' Social Security Nos. on Web Site: The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian Web site. The Navy said Friday the information was in five documents and included people's names, birth dates and Social Security numbers. Navy spokesman Lt. Justin Cole would not identify the Web site or its owner, but said the information had been removed. He would not provide any details about how the information ended up on the site. Cole said there was no indication so far that the information was used illegally, but individuals involved were being contacted and encouraged to monitor their bank accounts and credit cards. Meanwhile, the General Accountability Office said it removed archival records from its Website this week containing some personal identifying information of fewer than 1,000 government workers. The data included some individual names and Social Security numbers. (June 23, 2006 - Associated Press) According to a Navy press release, the Chief of Naval Personnel was notified June 22 of the posting that included five spreadsheets that contained names, birth dates and social security numbers of active-duty sailors. Energy, United States 6/11/2006 Cyber/Identity Risks Identity Theft/Fraudulent Dept Of Use or Access Hanford workers warned about security breach: The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation. Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996. The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers. The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised. The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday. (June 13, 2006 - The Associated Press) Internal Revenue Service 6/5/2006 Cyber/Identity Risks Digital Data Breach, Loss, or Theft Lost IRS laptop stored employee fingerprints: A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth. The fingerprints had been collected as part of a normal background screening process. Some job applicants' information also was also on the computer. Lemon said he could not narrow the list of people who might be on the computer, other than to say they were from western and Midwest regions. The IRS has attempted to contact all 291 people by telephone, and will soon send a notification letter to each affected employee and applicant. Data on the laptop was not encrypted, Lemon said, but it was double password protected, meaning someone would have to enter two different passwords to access the data. He said there is no indication the data had been used to commit ID theft. (June 5, 2006 - Technology Correspondent, MSNBC) United States 6/5/2006 Cyber/Identity Risks Digital Data Breach, Department Of Loss, or Theft Agriculture Hacker enters Agriculture dept. computers: A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday. Agriculture Secretary Mike Johanns said the department will provide free credit monitoring for one year to anyone who might have been affected. Spokeswoman Terri Teuber said Thursday: "Protecting the privacy of our employees is a top priority for us, and to that end, we're conducting a thorough review through the entire department of 110,000 people to ensure the systems that contain private data are as protected as possible." The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day but believed personal information was protected by security software, the department said. However, on further analysis, staff concluded that data on current or former employees might have been accessed and informed Johanns on Wednesday, according to the department. The department said it notified law enforcement agencies. Its inspector general is investigating the break-in. (June 22, 2006 - Libby Quaid, AP Food and Farm) Navy, United States 6/1/2006 Cyber/Identity Risks Digital Data Breach, Department Of The Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 20

Navy Computers With Personal Data Stolen: Two laptop computers with personal information on about 31,000 Navy recruiters and their prospective recruits were stolen from Navy offices in New Jersey in June and July, the Navy disclosed on Wednesday. It was the third time in little more than a month that personal data on Navy personnel has been lost or unintentionally released publicly over the Internet. "There have been no reports of illegal usage of personal data identified by these incidents," said Navy spokesman, Lt. Bashon W. Mann, adding that the Navy is identifying the affected individuals. He said the information on the laptops was secured by several layers of password protection. According to the Navy, one laptop was reported stolen from a recruiting station in Trenton, N.J., in early June, and the other was taken from a Jersey City, N.J., recruiting station in early July. While the thefts were initially reported to the police, the head of Naval personnel was not informed until mid-July. Information on the computers included a list of applicants and recruiters as well as information from selective service and school lists. About 4,000 included Social Security numbers. The police and the Navy Criminal Investigative Service are investigating. (July 26, 2006 - Lolita C. Baldor, Associated Press) Tennessee Valley 5/26/2006 Cyber/Identity Risks Digital Data Breach, Authority Loss, or Theft Stolen TVA laptops may have sensitive info, IG says: A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency, according to the TVA Inspector General. The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA.TVA spokesman Jim Allen said TVA officials did not have information late Thursday on how many people were involved in the breach, who they were or whether the information had been used in any fraudulent activities. According to the IG, since TVA rolled out an inventory system for its computers in August 2004, called the HP Service Desk, TVA has been unable to track more than 5,550 computers. "The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information," the report stated. In addition, it said, the policies for handling and reporting stolen computers were not consistently followed. As for the more than 5,000 missing machines, most of the computers were older models with "little residual value" that had been declared surplus or disconnected from the network, Allen said. More than 3,000 of the 5,500 missing computers have now been accounted for and TVA's inventory tracking system has been tightened, Allen said. (August 1, 2008 - knoxnews.com) United States 5/22/2006 Cyber/Identity Risks Digital Data Breach, Department of Veterans Loss, or Theft Affairs Stolen Veterans Affairs Laptop and Hard Drive Are Found. The stolen laptop computer and hard drive containing sensitive data for up to 26.5 million veterans, their spouses, and active-duty military personnel have been found, according to Veterans Affairs Secretary Jim Nicholson. This comes as newly discovered documents show that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home. Social Security 3/31/2006 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft Identity data stolen along with laptop: A laptop containing the personal information of more than 200 people was stolen from a Roanoke-based staff attorney for the federal Social Security Administration. The computer contained the names, Social Security numbers and, in some cases, medical information of the 228 people whose records may have been compromised, said Mark Lassiter, a spokesman for the Social Security Administration. At least 37 of the 228 people are from Southwest Virginia. The March 31 larceny occurred about a month before millions of veterans' personal information was stolen from the home of a data analyst for the U.S. Department of Veterans Affairs. In the case involving the Social Security Administration, the computer was taken in Atlanta, where the attorney was attending a conference. Lassiter said the lawyer reported it stolen about the time he returned to work, April 3 or 4. The lawyer broke a work-at-home agreement with the agency by taking the laptop to the conference, Lassiter said. Under the work-at-home agreement, certain sensitive information was supposed to have remained locked in a briefcase or otherwise secured when not in use, Lassiter said. He said Social Security officials have checked for suspicious activity by investigating whether there are records of any of the 228 people changing their addresses, getting new driver's licenses or having paychecks direct-deposited into different accounts. The laptop has not been recovered, and no one has been arrested. (June 24, 2006 - Reed Williams) United States Marine 3/14/2006 Cyber/Identity Risks Digital Data Breach, Corps Loss, or Theft Thousands of Marines may be at risk for identity theft after loss of portable drive: WASHINGTON. A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops, credit records and privacy. In a message sent out to Marines, officials said the information was encoded and so far they've seen no evidence the information is being abused, but, because the data could be used for criminal purposes, they are asking all Marines to be on guard for signs of identity theft. According to officials from the Manpower Information Technology Branch, the portable drive was part of a Naval Postgraduate School research project. The information was being used in research about the effectiveness of re-enlistment bonuses, but it was lost in a computer lab on campus in Monterey, Calif. The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005. School officials were notified that the data had been lost March 14. An investigation by postgraduate school officials into the loss is ongoing. In addition, manpower officials are looking into the incident and considering additional ways of notifying affected Marines about the data loss. (March 30, 2006 - Stars and Stripes) United States 2/16/2006 Cyber/Identity Risks Improper Department Of Disposal/Distribution, Agriculture Loss or Theft (Printed Records) Government accidentally releases farmers' Social Security numbers: The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers. But the department says those who received the information agreed to destroy copies and return discs to the government. The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco buyout program. The information went to eight different people or groups. Most of the buyout is going to farmers in North Carolina, Kentucky and Tennessee. (February 16, 2006 - Associated Press) State, United States Dept 12/1/2005 Cyber/Identity Risks Improper Of Disposal/Distribution, Loss or Theft (Printed Records) U.S. Consulate Mistakenly Sells Secret Files in Jerusalem: Hundreds of files with social security numbers, bank account numbers and other sensitive U.S. government information were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction. The consulate was unaware of the missing files until FOX News contacted U.S. officials. Initially they said that no filing cabinets were sold in the auction, but later they acknowledged the sale. The State Department has now launched an investigation. The files contained social security numbers of U.S. Marines and State Department employees stationed in Israel, and documentation of how U.S. government money is allocated to fund sensitive programs in the region. Among the papers was also a report labeled "secret" that documented an encounter a U.S. Marine had with an Israeli woman at a bar in Jerusalem. The head of security at the U.S. consulate approached Paula asking for the documents to be returned. When she refused to turn them in the consulate asked Israeli police to intervene. After she was threatened with criminal charges, she returned the files, but not before FOX News had a thorough look at them. The American consulate in Jerusalem routinely holds furniture auctions to dispose of unwanted items. The woman purchased the cabinets in December of 2005 but decided to come forward with the files after hearing about a Sept. 22, 2008 incident in which a Palestinian teenager crashed a BMW into a group of Israeli soldiers. (January 28, 2009 - The Truth Tracker) Internal Revenue Service 9/11/2005 Cyber/Identity Risks Improper Disposal/Distribution, Loss or Theft (Printed Records)

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 21

Traffic Accident Leads to Missing IRS Payments: A traffic accident above the San Francisco Bay could affect up to an estimated 30,000 taxpayers in 13 states. A number of checks, most believed to cover estimated taxes from the self-employed, were lost on Sept. 11, when a truck carrying them to an Internal Revenue Service lockbox was involved in an accident on the San Mateo Bridge. Wind blew away an estimated 30,000 pieces of mail, many ending up in the bay. Taxpayers in Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Ohio, Oregon, Utah, Virginia, Washington and Wyoming are among those who could be affected. The IRS believes most of the missing mail includes estimated tax payments due on Sept. 15, and will waive penalties and interest for anyone whose payment was effected. In the meantime, taxpayers who sent checks to P.O. Box 510000 in San Francisco during the first 10 days of September should wait until October to see if their checks clear before contacting the IRS. (September 22, 2005 - WebCPA) National Nuclear Security 9/1/2005 Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft National Nuclear Safety Administration: A computer hacker got into the U.S. agency that guards the country's nuclear weapons stockpile and stole the personal records of at least 1,500 employees and contractors, a senior U.S. lawmaker said on Friday. The target of the hacker, the National Nuclear Safety Administration, is the latest agency to reveal that sensitive private information about government workers was stolen. The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA. According to Barton, the NNSA chief knew about the incident soon after it happened in September but did not inform Energy Department officials, including Bodman, until Wednesday. (June 9, 2006 - Chris Baltimore, Reuters) United States Dept Of 8/20/2005 Cyber/Identity Risks Digital Data Breach, Army Loss, or Theft Fort Carson records stolen: COLORADO SPRINGS - Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman Dee McNutt said Monday. The records include names, Social Security numbers, ages, ranks, jobs, citizenship information and unit affiliations of soldiers and civilians who had been processed through the center since January, McNutt said. Soldiers must update their personnel information through the center at least once a year, or whenever they are deploying or transferring to or from the post. Civilian federal employees and contractors deploying with military units also must register. The 3rd Armored Cavalry Regiment's 5,300 soldiers deployed to Iraq in March, and the 2nd Brigade, 2nd Infantry Division, with about 4,000 soldiers, arrived at the post in July, so most of those soldiers' records were contained on the hard drives that were stolen, McNutt said. The Army's Criminal Investigation Division is investigating the Fort Carson break-in, but there are no suspects, McNutt said. (September 13, 2005 - Dick Foster) Justice, United States 5/7/2005 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft FBI Probes Theft of Justice Dept. Data: The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was stolen between May 7 and May 9 from Omega World Travel of Fairfax, which is one of the largest travel companies in the Washington area and does extensive business with government agencies. Justice Department spokeswoman Gina Talamona said the data included names and account numbers from travel account credit cards issued to government employees by J.P Morgan Chase & Co. and its subsidiary Bank One Corp. In addition, she said the account information was protected by passwords, although sophisticated hackers often can break into stored databases. (June 1, 2005 - Jonathan Krim, Washington Post) United States Air Force 5/1/2005 Cyber/Identity Risks Digital Data Breach, Loss, or Theft Air Force investigates data breach: The U.S. Air Force is notifying more than 33,000 officers that their personal data has been breached by a malicious hacker. The hacker used a legitimate user's ID and password to access personal information on the officers contained in the Assignment Management System (AMS), an online program used for assignment preferences and career management, the Air Force said. That data included career information, birth dates and Social Security numbers. Lt. Col. Michele Dewerth, a spokeswoman for the Air Force Personnel Center (AFPC) at Randolph Air Force Base in Texas, said there has been no evidence of identify theft. A systems operator at the air base discovered the breach sometime between May and June, Dewerth said. She declined to be more specific because of the ongoing investigation. The personnel center also notified Air Force and federal investigators that there was unusually high activity on a single user's AMS account in June, according to the statement. The breach involved data on half of the force's approximately 70,000 officers. It also affected fewer than 20 enlisted personnel, the Air Force said. (August 19, 2005 - Linda Rosencrance, Computerworld) GMAC LLC 1/26/2004 Cyber/Identity Risks Digital Data Breach, Loss, or Theft GMAC Insurance tells 200,000 customers they could become victims of identity theft: A division of GMAC Financial Services has been quietly informing about 200,000 of its customers that their personal data may have been compromised because of the theft of two laptop computers from an employee's car at a regional office near Atlanta. In a letter to its personal insurance customers, GMAC Insurance indicates that a "random theft" of the laptops from a locked vehicle may have left them vulnerable to identify theft. The letter, obtained last week by InformationWeek, says the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status, and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter advises customers. The GMAC letter was dated March 12; the theft took place on Jan. 26. (March 29, 2004 - Paul McDougall) United States 12/3/2003 Cyber/Identity Risks Identity Theft/Fraudulent (02-1377) 540 U.S. 614 Washington Department of Labor Use or Access (2004) The plaintiff in the case, coal miner Buck Doe (a pseudonym), filed for benefits under the federal Black Lung Benefits Act, 30 U.S.C. 901 et seq. The Department of Labor, which ran the benefits program, required applicants to provide a Social Security number as a part of the application. The government's practice was to use the number for identification purposes, and as a result, claimants such as Doe had their Social Security numbers displayed on various legal documents and published in case reporters and online legal research databases. Doe, along with six other black lung claimants, sued the Department of Labor for violating their rights under the Privacy Act. The government conceded that it had violated the statute. At trial, Doe testified that he suffered "distress" from the release of his private information. The district court awarded Doe $1000, which was the statutory minimum amount of damages that could be awarded under the statute. The Fourth Circuit reversed. It interpreted the statute to require a plaintiff to show some actual damages before the statutory minimum damages could be awarded. Further, it found that plaintiff's testimony about his "distress" was not legally sufficient to show that he had been damaged by the disclosure. This decision conflicted with decisions of the First, Fifth, Ninth, Eleventh, and District of Columbia circuits, and the Supreme Court granted certiorari to resolve the dispute. Treasury, United States 10/1/2003 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft Treasury breaks word on e-mail anonymity: The U.S. Treasury Department plans to publish nearly 10,000 e-mail addresses on the Web, violating its privacy promise to Americans who used e-mail to comment on a government proceeding. In March 2003, the Treasury Department's Alcohol and Tobacco Tax and Trade Bureau (TTB) asked for e-mail comments about a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice. At the time, the department said that the text of comments would be made public--but assured people that e-mail addresses, home addresses and other personal information of individuals would be removed first. As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to [email protected]. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax--and decided it could no longer keep its promise. The Treasury Department's decision comes after the U.S. Forest Service proposed to limit the influence of "substantially similar" comments--especially those submitted through e-mail--in its own regulatory procedures. (January 8, 2004 - Delan McCullagh, CNET News.com) Defense, United States 12/31/2002 Cyber/Identity Risks Digital Data Breach, Dept Of Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 22

DoD Establishes Health Information Security Task Force: In its continued response to the criminal theft of computer equipment and personal identification information contained on some of this equipment, the Department of Defense announced today additional steps to enhance patient protection from unauthorized access to or criminal use of sensitive personal information. All 562,000 military beneficiaries whose information was contained on the computer files have been notified by mail of the theft as of December 31, 2002, and informed of the actions they should take to protect themselves from identify theft or other misuse of their personal information. Fewer than 25 persons also may have had personal credit card information compromised. Each of these individuals has been contacted by phone and informed of the incident and proper actions to take in response. A $100,000 reward has been posted by TriWest for information leading to the arrest and successful prosecution of the perpetrators and return of the stolen items. (January 3, 2003 - U.S. Dept. of Defense Military Healthy System) Government Of The 3/28/2002 Cyber/Identity Risks Digital Data Breach, United States Loss, or Theft U.S. government Web sites left internal databases open to Web: Four U.S. government Web sites left the contents of internal databases open to Web surfers, French security experts revealed Thursday. Databases operated by the Commerce Department's STAT-USA/Internet service, as well as the Department of Energy's Pacific Northwest National Laboratory and the Federal Judicial Center, allowed remote Internet users to browse documents ranging from correspondence to online order data, Newsbytes has confirmed. The insecure sites were all running IBM's Lotus Domino server, according to Antoine Champagne, leader of Kitetoa.com, a group of Paris-based computer security enthusiasts that discovered the flaws. At the vulnerable STAT-USA/Internet site, accessible from http://www.economy.gov and http://orders.stat-usa.gov, Web surfers had the ability to drill into databases containing information about customer orders for the agency's financial, business and trade information products. (March 29, 2002 - Brian Williams, Newsbytes) Substance Abuse & 5/25/2001 Cyber/Identity Risks Digital Data Breach, Mental Health Services Loss, or Theft Administration Health site exposed customer info: A government health information Web site exposed information about thousands of people who asked for pamphlets and brochures about drug and alcohol addiction. Because of a software flaw, consumers who visited the site and requested titles such as "Moving Forward With Your Life, Leaving Alcohol and Other Drugs Behind" had their names, e-mails and addresses revealed on an Internet page. The site, Health.org, is maintained by a private subcontractor for a Department of Health and Human Services agency. (May 25, 2001 - B. Sullivan, MSNBC) United States 1/1/2001 Cyber/Identity Risks Digital Data Breach, Department of Loss, or Theft Commerce 1,100 Laptops Missing From Commerce Dept.: More than 1,100 laptop computers have vanished from the Department of Commerce since 2001, including nearly 250 from the Census Bureau containing such personal information as names, incomes and Social Security numbers, federal officials said yesterday. This disclosure by the department came in response to a request by the House Committee on Government Reform, which this summer asked 17 federal departments to detail any loss of computers holding sensitive personal information. In a private briefing yesterday for three members of Congress, Commerce Secretary Carlos M. Gutierrez estimated that the disappearance of laptops from the Census Bureau could have compromised the personal information of about 6,200 households, Marin said. He said the department was still trying to determine the extent of the problem. Commerce officials told the congressmen that the inventory of missing laptops had escalated rapidly in recent weeks as the department investigated the disappearances. Marin said the committee was concerned that that number could increase significantly as Commerce officials learn more about missing handheld computers, which are increasingly being used in the Census Bureau. Commerce officials said in a statement that they knew of no instances in which information from the missing laptops had been improperly accessed, adding that all the equipment contained safeguards that would prevent a breach of personal data. (September 22, 2006 - Washington Post) Federal Bureau of 10/7/1997 Cyber/Identity Risks Digital Data Breach, 2003 cr 380 Texas Investigation Loss, or Theft A federal grand jury indicted a former Federal Bureau of Investigation analyst Wednesday on a variety of charges related to the misuse of his position, including sharing FBI files with family and friends. Jeffrey D. Fudge, 33, was arrested Wednesday and fired from FBI offices in Dallas. Fudge was charged with eight counts of exceeding authorized access to a government computer and two counts of making false statements. The indictment alleges that between October 7, 1997 and April 25, 2003, Fudge accessed FBI files and computer programs on current and former investigations and disclosed the information friends and family. Fudge's duties included conducting database searches using the FBI computer system, serving subpoenas, analyzing phone records and assisting agents. Prosecutors said Fudge allegedly checked FBI files to satisfy his own curiosity about investigations. Fudge could not immediately be reached for comment Wednesday evening. On May 18, 2004, Fudge pled guilty to illegally using databases to search for information about his own brother who was currently being investigated by the FBI for HUD fraud. Transportation Security Cyber/Identity Risks Digital Data Breach, Administration Loss, or Theft TSA turbulence grips Logan, nation: A recent data breach at Logan International Airport involving a TSA contract worker, coming amid other high-profile Transportation Security Administration lapses, casts another cloud over a federal agency engulfed in turmoil. In the latest snafu, a Lynn couple is due back in court Wednesday, accused of selling the identities of at least 16 TSA workers at Logan. The ID data was taken by a female TSA contract worker who is related to one of the two Lynn suspects, according to a police report and sources. The breach drew criticism from at least one security expert. In the Logan case, it is alleged that Tina M. White, 46, and Michael J. Washington, 48, got the stolen TSA employee names from Washington's niece, a contract clerical worker in the TSA human resources department at Logan. She no longer works there. The couple sold the names, Social Security numbers and dates of birth for $40 each to a contact who set up phony cable, gas and cell phone accounts, according to an affidavit in Lynn District Court. The fraud started in November 2008 and continued through 2009. TSA Logan worker Laura Gigante said the theft has been devastating. White and Washington were arraigned last month on identity theft and larceny charges. Washington's attorney declined comment on the upcoming hearing. White's attorney could not be reached. It's unclear whether the TSA worker herself was charged. (January 3, 2010 - news.bostonherald.com)

Recent Federal Dockets for the Parent Company and its Subsidiaries Caption File date Category Docket Number Court

Lain V. Fbi Et Al 3/14/2013 Personal Injury 2013 cv 11136 US District Court for the Eastern District of Michigan Flugstad Et Al V. United 3/14/2013 Personal Injury 2013 cv 5192 US District Court for the Western District of States Fish & Wildlife Washington Service Et Al Talley V. National 3/11/2013 Personal Injury 2013 cv 1305 US District Court for the Eastern District of Railroad Passenger Pennsylvania Corporation Et Al Betha V. Inrevco 3/7/2013 Personal Injury 2013 cv 1212 US District Court for the Eastern District of Associates, L.P. Et Al Pennsylvania Mccleod V. National 3/6/2013 Personal Injury 2013 cv 57 US District Court for the Southern District of Railroad Passenger Georgia Corporation

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 23

Flores V. Us Attorney 3/5/2013 Personal Injury 2013 cv 1 US District Court for the District of New Hampshire General Et Al Flores V. Us Attorney 3/4/2013 Personal Injury 2013 cv 72 US District Court for the District of New Hampshire General Et Al Balkin V. National 2/28/2013 Personal Injury 2013 cv 225 US District Court for the Western District of New Railroad Passenger Corp York Gamble V. National 2/26/2013 Personal Injury 2013 at 190 US District Court for the Eastern District of Railroad Passenger California Corporation Et Al Gamble V. National 2/26/2013 Personal Injury 2013 cv 386 US District Court for the Eastern District of Railroad Passenger California Corporation Et Al Garth V. Fbi Et Al 2/25/2013 Personal Injury 2013 cv 247 US District Court for the District of Columbia

Garth V. Fbi Et Al 2/25/2013 Personal Injury 2013 mc 164 US District Court for the District of Columbia

Carter Et Al V. National 2/21/2013 Personal Injury 2013 cv 809 US District Court for the Northern District of Railroad Passenger California Corporation Et Al Darata V. National 2/20/2013 Personal Injury 2013 cv 1348 US District Court for the Northern District of Illinois Railroad Passenger Corporation Et Al Tew V. Federal Bureau 2/19/2013 Personal Injury 2013 cv 216 US District Court for the Western District of Of Investigation Et Al Kentucky

Clash Events with the Industry Description Root Cause

Sub-prime & Credit/Liquidity Crisis Cases related to or triggered by

Asbestos contamination exposure to asbestos

Cigarette Litigation Lung Cancer

Madoff 2008 - 2011 Hedge fund collapse and trading violations Deepwater Horizon Disaster - Liability & Litigation Costs Offshore Drilling Platform blowout, explosion, fire & oil spill

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 24

Potential Insured Losses based on Industry Experience (Cyber Liability)

Top Industry Cyber Liability Cases by Accident/Filing Date Top Industry Cyber Liability Cases by Settlement Amount

Company Acc/Filing Amount Category Subtype Company Acc/Filing Amount Category Subtype Date (in millions) Date (in millions) Hopital 1/18/2013 Cyber/ Digital Data Cleveland Clinic 2/1/2006 $2.800 Cyber/Identity Improper Montfort Identity Risks Breach, Loss, Florida Hospital Risks Disposal/ or Theft Inc Distribution, Loss or Theft On January 18, 2013, the Montfort Hospital in Ottawa is informing patients (Printed treated at the facility last October their personal information could be co... Records) Bluewater 1/1/2013 Cyber/ Digital Data Combining an "unwholesome criminal trilogy" of identity theft, medical privacy Health Identity Risks Breach, Loss, violations and health-care fraud, two cousins stole the personal inform... or Theft Johns Hopkins 10/1/2005 $1.000 Cyber/Identity Identity On January 28, 2013, hospital staffs have reportedly been fired after a Hospital Risks Theft/ privacy breach at Bluewater Health. As many as 17 people were dismissed Fraudulent Use after ... or Access Jackson Health 11/30/2012 Cyber/ Digital Data Baltimore Woman and Co-Schemers Fraudulently Obtained At Least $174,000 System Identity Risks Breach, Loss, in Cash and Merchandise from 89 Individual Victims in a Three Year Period. or Theft ... On December 11, 2012, Jackson health System (Jackson) announced that Tallahassee 8/1/2011 $0.818 Cyber/Identity Identity a health data breach involving 1,200 photos of records of 566 patients went Memorial Risks Theft/ publi... Healthcare, Inc. Fraudulent Use Gibson 11/27/2012 Cyber/ Digital Data or Access General Identity Risks Breach, Loss, A former Tallahassee Memorial HealthCare food service employee was indicted Hospital, Inc. or Theft on 31 counts of filing false tax returns, wire fraud, false claims, and ag... On November 27, 2012, a Gibson General Hospital laptop containing Johns Hopkins 8/1/2007 $0.600 Cyber/Identity Identity patients' personal health information was stolen from an employee's home. Medicine Risks Theft/ The lap... International, Fraudulent Use South Jersey 11/14/2012 Cyber/ Digital Data L.L.c or Access Hospital, Inc. Identity Risks Breach, Loss, Five Defendants Indicted In Fraudulent Credit Card Scheme Using Information or Theft Stolen From Johns Hopkins Hospital Patient Records: Baltimore, Maryland - ... On November 14, 2012, an Omnicell device that contained patient Lahey Clinic, 8/19/2004 $0.200 Cyber/Identity Improper medication information about a group of South Jersey Healthcare (SJH) Inc. Risks Disposal/ patients and som... Distribution, Sentara 11/14/2012 Cyber/ Digital Data Loss or Theft Healthcare Identity Risks Breach, Loss, (Printed or Theft Records) On November 14, 2012, an Omnicell device that contained patient Intentional Tort - Privacy - Medical Records An action in Middlesex Superior medication information about Sentahara Healthcare patients and some Court concerning the unauthorized release of an individual's medica... treated at two oth... Enloe Medical 8/17/2009 $0.130 Cyber/Identity Digital Data Center Risks Breach, Loss, or Theft

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 25

The 10/8/2012 Cyber/ Digital Data On August 17, 2009, Enloe Medical Center in Chico identified the incident of Charlotte- Identity Risks Breach, Loss, unauthorized access to protected healthcare information. The incident was... Mecklenburg or Theft Providence 9/1/2005 $0.100 Cyber/Identity Digital Data Hospital Health & Risks Breach, Loss, Authority Services or Theft Carolinas HealthCare discloses data breach: Carolinas HealthCare System On July 17, 2008, the U.S. Department of Health & Human Services (HHS) has will notify approximately 5,600 patients that their private information may entered into a Resolution Agreement with Seattle-based Providence Health & ... ha... The Whittington 7/22/2008 $0.039 Cyber/Identity Digital Data Stichting 10/7/2012 Cyber/ Digital Data Hospital NHS Risks Breach, Loss, Groene Hart Identity Risks Breach, Loss, Trust or Theft Ziekenhuis or Theft Hospital's missing data discs 'found': FOUR CDs containing the personal Groene Hart Ziekenhuis (Green Heart Hospital) leaking medical records: details of almost 18,000 NHS staff have been found - just days after their "lo... The entire patient file with the information of more than 493,000 people appear... Fairview Health 2/21/2011 $0.037 Cyber/Identity Improper Services Risks Disposal/ Hopital 10/1/2012 Cyber/ Digital Data Distribution, Montfort Identity Risks Breach, Loss, Loss or Theft or Theft (Printed On March 14, 2013, the Charney Group and Sutts, Strosberg LLP filed a Records) class action lawsuit against Montfort Hospital for privacy breach. Fairview can't find box of 1,200 patient records: In February, staffers at Fairview Sometime a... Health Services in Minneapolis packed up about 1,200 patient recor... Blount 8/25/2012 Cyber/ Digital Data Tufts Medical 12/1/2010 $0.000 Cyber/Identity Improper Memorial Identity Risks Breach, Loss, Center, Inc. Risks Disposal/ Hospital, or Theft Distribution, Incorporated Loss or Theft Blount Memorial Hospital Data Breach Affects 27k Patients: Blount (Printed Memorial Hospital in Maryville, Tenn., has notified 27,000 patients whose Records) personal i... On July 14, 2011, Kimberly White sued Tufts Medical Center and Dr. Kimberly Schelling in Plymouth County Superior Court alleging that documents includ...

For more information contact your Advisen rep at +1.212.897.4800, email [email protected], or visit www.advisen.com 26

Recent News

Presolicitation Notice - Q-- Laboratory testing for Liver and Kidney Transplant Procedures Q - Medical services 03/18/2013

Notice Type: Presolicitation Notice Posted Date: 15-MAR-13 Office Address: Department of Veterans Affairs;Network Contracting Office 8 (NCO 8);8875 Hidden River Pkwy Suite 525;Tampa FL 33637 Subject: Q-- Laboratory testing for Liver and Kidney Transplant Procedures Classification Code: Q - Medical services Solicitation Number: VA24813R0263 Contact: Nicholas MiloneContract Specialist Phone: 813-972-7634 mailto:nicholas.milone@ va .gov [Contract Specialist] Setaside: N/AN/A Place of Performance (address): Miami VA Healthcare System ;Pathology and Laboratory Medicine Service Room A30;1201 NW 16th Street, Miami , FL Place of Performance (zipcode): 33136 Place of Performance Country: United States Description: Department of Veterans Affairs Tampa VAMC James A. Haley Department of Veterans Affairs Medical Center

This is a PRE-SOLICITATION ANNOUNCEMENT ONLY. The Miami Veterans Affairs Healthcare System MVAHS ( Miami , FL) intends to make a single award for the provision of histocompatible laboratory sources for medical testing capable of providing test procedures to support organ transplant programs at the MVAHS. This includes routine tests, stat tests, including critical value , turn-around-time, used-in-the-evaluation, selection and monitoring of transplant donors and recipients (kidney, pancreas, liver, lung, heart and intestine) including tissue typing, histocompatible and immunologic tests to aid veteran patients in the process of receiving organs in support of the Pathology & Laboratory Medicine Service at MVAHS. A histocompatible lab, interfacing with the Miami computer system is expected for reporting for patient data, routine, stat, critical value and after hours reporting. Contractor shall collect specimen from MVAHS location. Routine Results: Contractor shall submit results of all tests ordered to P&LMS at MVAHS within 24 hours of the request. Contractor is required to provide results the next business day, i.e. if services are performed on the weekend, Contractor shall report results on Monday morning. STAT Results: All STAT results shall be communicated to the laboratory at the MVAHS within two (2) hours of the request. Critical Value Results: All Critical Value results shall be submitted to P&LMS at MVAHS immediately. Services performed under the resultant contract shall be provided by contractor employees. Contractor laboratory shall be located within 15 mile driving distance of MVAHS place of performance as determined by Google Maps on the Internet. 1. Services shall be provided 24 hours, 7 days a week including government holidays. 2. Contractor shall provide courier services and all labor, equipment, and supplies required to perform requested procedures and tests. 3. Contractor shall pick up specimens at the Miami VA Healthcare System , 1201 NW 16th Street, Miami , FL, Pathology & Laboratory Medicine Service Room A305, prepare specimens and perform tests as prescribed by Miami VA attending physicians. 4. All drivers shall have attained the age of 21 years and shall be licensed in accordance with the Florida Department of Highway Safety and Motor Vehicles, to include any special licensure required for the transporting of Hazardous Materials Endorsement (HME) and will complete annual VA National Privacy Training and submit proof of completion to COTR. 5. Procedures and tests shall be performed to the satisfaction of the Pathology & laboratory Medicine Service at the MVAHS, and the Contracting Officer's Technical Representative ("COTR") 6. Contractor shall provide to the COTR the methodology and ranges for results on any tests that are requested. 7. Professional services provided will be verified by a record keeping system maintained by the Manager of the Laboratory Services at MVAHS, which assures that the VA pays for only those services actually requested. 8. Contractor shall have all licenses, permits, accreditation and certificates required by law, personnel assigned by the contractor to perform these services covered under this contract shall be licensed in a State, Territory or Commonwealth of the United States, The lab must be accredited by the American Safety & Health Institute (ASHI), College of American Pathologist (CAP) or have The Joint Commission (JC) and Clinical Laboratory Improvement Amendments (CLIA) (Public Law 100-578) certifications. Contractor must submit proof of ASHI, CAP, JC, and CLIA certifications. Contractor shall be subject to Federal Laws, regulations, standards, VA policies and Information Security.

The contract type is Indefinite Delivery Indefinite Quantity (IDIQ) contract with firm-fixed unit prices. The contract shall consist of a 12 month base period and four 12 month option periods for renewal. The solicitation will be made available on or about April 15, 2013 and will be solely distributed through the General Services Administration's Federal Business Opportunities website at www.fedbizopps.gov/. Hard copies of the solicitation will not be available. This site provides downloading instructions. All future information regarding this acquisition, including solicitation amendments, will also be distributed solely through this site. Interested parties are responsible for monitoring this site to ensure that they have the most up-to-date information about the acquisition. The anticipated date for receipt of proposals is May 15, 2013. All responsible sources may submit an offer which will be considered.

Contracting Office Address: Department of Veterans Affairs Network Contracting Office 8 (NCO 8) 8875 Hidden River Parkway Suite 525 Tampa, FL 33637

Place of Performance: Miami VA Healthcare System Pathology and Laboratory Medicine Service Room A305 1201 NW 16th Street, Miami , FL 33136 United States

Primary Point of contact: Nicholas Milone Contract Specialist Nicholas,Milone@ va .gov Phone: 813-972-7634 Fax: N/A Link/URL: https://www.fbo.gov/spg/VA/TaVAMC673/TaVAMC673/VA24813R0263/listing.html

27

For more information contact your Advisen rep at +1.212.897.4800, email [email protected] , or visit www.advisen.com Miami Va Reaching out to Homeless Veterans; Event Provides Healthcare , Supplies and Counseling to Help Leave the Streets 03/12/2013

Miami , FL (PRWEB) March 12, 2013

When President Obama took office, the Department of Veterans took on an ambitious goal end Veteran homelessness. In South Florida, this initiative has been a huge success, helping thousands of Veterans leave the streets, end substance abuse and transition successfully into civilian life.

Led by the Healthcare for Homeless Veterans program at the Miami VA Healthcare System , the 2013 Homeless Veteran Stand Down will be held March 16 at the American Legion Post#29 at 6445 NE 7th Ave from 9 a.m. 2 p.m.

The community here in South Florida has really come together to help support Homeless Veterans, said Beth Wolfsohn, program manager for the Healthcare for Homeless Veterans Program at the Miami VA . In just the last five years we have helped more than 2,000 Veterans leave the streets. We couldnt do that without our many local and federal partners.

Meals, supplies and most importantly active case management will be offered to Veterans living in South Florida. Case management is a holistic approach to helping Veterans leave the streets that looks at physical, mental and social health to make sure that the Veterans have all the tools they need to leave the streets permanently.

The Healthcare for Homeless Program is a comprehensive program that brings all the resources of the VA together so that these Veterans can get another chance at making it in the civilian world, said Cheryl Smart, Healthcare for Homeless Veterans coordinator. Sometimes its just one bad choice that leads down a path that ends on the streets. Many times we are able to give people a second chance.

Who: Miami VA Healthcare System What: 2013 Homeless Veteran Stand Down and Outreach Event When: 9 a.m. 2 p.m. Where: American Legion: Harry Seeds Post #29 6445 NE 7 Avenue, Miami , FL (64th & Biscayne)

For more information, contact Miami VA Office of Public Affairs at (305) 575-3399.

Read the full story at http://www.prweb.com/releases/2013/3/prweb10522924.htm

Special Notice - Y-- Emergency Repair MICU Piping Y - Construction of structures and facilities 03/08/2013

Notice Type: Special Notice Posted Date: 07-MAR-13 Agency: Department of Veterans Affairs Office Address: Department of Veterans Affairs; Miami VA Healthcare System ;1201 NW 16th Street; Miami FL 33125 Subject: Y-- Emergency Repair MICU Piping Classification Code: Y - Construction of structures and facilities Contact: Johnnie Jacobs JrContract Specialist 305-575-7274 mailto:johnnie.jacobs@ va .gov [Contract Specialist] Description: Department of Veterans Affairs VA Miami Health Care System Department of Veterans Affairs Miami Health Care System

NOTICE OF PROPOSED CONTRACT ACTION: In accordance with the Veterans First Contracting Program and the Authority under 38 USC 8127-8128 (Sections 502 and 503 of Public Law (P.L.) 109-461), FAR Part 6.302-5(b) (6), and VAAR 819.7007, The Government intends to negotiate a sole source contract to a Service Disabled Veteran Owned Small Business (SDVOSB) for Purchase Request #546-13-1-6873-0016 - Emergency Repair MICU Pipe.

The Project range is between $50,000 and $100,000.

This is not a solicitation and does not constitute a commitment or an obligation by the government. This notice is not a request for offers, quotes or proposals.

The government intends to negotiate a sole source contract with The Cherokee 8a Group, Inc, an SDVOSB concern

Link/URL: https://www.fbo.gov/spg/VA/MiVAMC/VAMCCO80220/VA24813R1002/listing.html

Presolicitation Notice - R-- UPGRADE & REPAIRS OF CABLE SERVICE R - Professional, administrative, and management support 02/26/2013 services

Notice Type: Presolicitation Notice Posted Date: 25-FEB-13 Office Address: Department of Veterans Affairs;Network Contracting Office (NCO-8) Miam; Miami VA Healthcare System ;1201 NW 16th Street; Miami FL 33125 Subject: R-- UPGRADE & REPAIRS OF CABLE SERVICE Classification Code: R - Professional, administrative, and management support services Solicitation Number: VA24813R0813 Contact: Gwendolyn Law, Contract SpecialistNETWORK CONTRACTING OFFICE (NCO-8) MIAMI MIAMI VA HEALTHCARE SYSTEM 1201 NW 16 STREET MIAMI , FL 33125 mailto:gwendolyn.law@ va .gov [Contract Specialist] Setaside: Total Small BusinessTotal Small Business 28

For more information contact your Advisen rep at +1.212.897.4800, email [email protected] , or visit www.advisen.com Place of Performance (address): Dept of Veterans Affairs; Miami VA Healthcare System ;1201 NW 16 Street; Miami , Fl Place of Performance (zipcode): 33125 Place of Performance Country: usa Description: Department of Veterans Affairs VA Miami Health Care System Department of Veterans Affairs Miami Health Care System

This is a commercial item acquisition conducted in accordance with Federal Acquisition Regulation (FAR) Part 15. This acquisition is for the provision to Upgrade cable & provide monthly TV services. The Miami VA Healthcare System intends to award a firm fixed price requirements contracted to a 100% Small Business, NAICS Code 515210, Size Standard: $35.5. The Contractor shall provide our veterans with Digital Television service for delivery of local and cable entertainment channels to 230 interactive patient care viewpoints with an additional 100 viewpoints throughout the facility. The completion of this requirement is for one (1) time repairs, rewiring and installation. The monthly television service Period of Performance will be for a period of One (1) Base Term with the option to extend for Four )4) additional 12 month terms from date of award.

The electronic Solicitation for RFP VA248-13-R-0813 may be downloaded at http://www.fedbizopps.gov. The offeror is responsible for downloading all amendments and other documents from the FBO website without further notices from the Department of Veterans Affairs, Miami VA Healthcare System . Interested firms must be registered in the System for Award Management (SAM) at www.sam.gov. Contractors must be registered under NAICS Code 515210-Cable and Other Subscription Programming in order to be eligible for award. The Solicitation issue date is Monday, February 25, 2013. All questions must be submitted in writing to the Contract Specialist via e-mail to Gwendolyn.law@ va .gov., no later than March 5, 2013@noon. Proposals shall be submitted by Tuesday, March 12,2013@3:00 P.M.(ET) via a traceable mailing source (Fedex, US Postal Service and United Postal Service(UPS).

Link/URL: https://www.fbo.gov/spg/VA/MiVAMC/VAMCCO80220/VA24813R0813/listing.html

Modification to a Previous Presolicitation Notice - R-- COURIER SERVICE: EXTEND CLOSING DATE TO FRIDAY, MARCH 8, 2013 02/25/2013 @3:00 pm (EST) R - Professional, administrative, and management support services

Notice Type: Modification to a Previous Presolicitation Notice Posted Date: 22-FEB-13 Office Address: Department of Veterans Affairs;Network Contracting Office (NCO-8) Miami ; Miami VA Healthcare System ;1201 NW 16th Street; Miami FL 33125 Subject: R-- COURIER SERVICE: EXTEND CLOSING DATE TO FRIDAY, MARCH 8, 2013 @3:00 pm (EST) Classification Code: R - Professional, administrative, and management support services Solicitation Number: VA24813R0534 Contact: Gwendolyn Law, Contract SpecialistNetwork Contracting Office (NCO-8) Miami Miami VA Healthcare System 1201 NW 16 Street Miami , Fl 33125 mailto:gwendolyn.law@ va .gov [Contract Specialist] Setaside: Service-Disabled Veteran-Owned Small BusinessService-Disabled Veteran-Owned Small Business Place of Performance (address):Deptment of Veterans Affairs; Network Contracting Office (NCO-8) Miami ; Miami VA Healthcare System ;1201 NW 16 Street; Miami , Fl Place of Performance (zipcode): 33125 Place of Performance Country: USA Description: Department of Veterans Affairs VA Miami Health Care System Department of Veterans Affairs Miami Health Care System

This modification is to extend the closing date from Friday, February 22, 2013 @ 3:00 pm to Friday, March 8, 2013 @ 3:00 pm (EST).

Link/URL: https://www.fbo.gov/spg/VA/MiVAMC/VAMCCO80220/VA24813R0534/listing.html

29

For more information contact your Advisen rep at +1.212.897.4800, email [email protected] , or visit www.advisen.com