Itrcbreachreport2013.Pdf

Report Date: Identity Theft Resource Center 2/27/2015 2013 Breach List: Breaches: 614 Exposed: 62,001,589 Page 1 of 122

**ITRC does not consider a password adequate protectionA security for breachedbreach that data. compromised hundreds of debit and credit cards in Becker County has been traced to Lakes Liquor in Detroit Lakes. Customers who used a card at the store between Oct. 27 and Nov. 25 may be affected. Information involved customer names, credit or debit card numbers, the card's expiration date and security code. People should check their credit report, review account statements and contact the bank that issued the card to check for suspicious or unusual activity.

Attribution 1 Publication: kfgo.com / privacyrights.org Author: Date Published: Article Title: Security breach traced to Detroit Lakes liquor store Article URL: http://kfgo.com/news/articles/2013/dec/24/security-breach-traced-to-detroit-lakes-liquor-store/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131231-04 Orient-Express Hotels NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe Orient-Express for breached Hotelsdata. Ltd. and its subsidiaries have notified an unspecified number of customers of a breach involving their credit card information.

Attribution 1 Publication: databreaches.net / NH AG's office Author: Date Published: Article Title: Orient-Express Hotels Article URL: http://www.databreaches.net/orient-express-hotels-notifies-guests-after-data-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131231-03 RegistratioNATION IL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn November for breached 22, 2013, data. RegistratioNATION discovered that a limited number of customer records may have been exposed due to a November 4, 2013 cyber-attack on our computer systems. As a result, the unauthorized user may have obtained your first and last name, date of birth, credit or debit card number, credit card verification code and billing address associated with your account. RegistratioNATION does not collect your social security number.

Attribution 1 Publication: NH AG's office - databreaches.net Author: Date Published: Article Title: RegistratioNATION Article URL: http://doj.nh.gov/consumer/security-breaches/documents/registrationation-20131223.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131231-02 Actelis Networks CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe write for to breached inform you data. about the recent theft of two locked safes that contained password-protected files that occurred on approximately December 7 or 8,2013. The stolen files may have contained some of your personal information, including your name, contact information, and social security number which Actelis maintains in connection with employment and related business purposes.

Attribution 1 Publication: NH AG's office - databreaches.net Author: Date Published: Article Title: Actelis Networks Article URL: http://doj.nh.gov/consumer/security-breaches/documents/actelis-networks-20131213.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131231-01 T-Mobile WA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a recent incident of unauthorized access to a file stored on servers owned and managed by a T-Mobile supplier. This file contained personal information, including name, address, Social Security number and/or Driver’s License number.

Attribution 1 Publication: CA AG's office / MD AG's office Author: Date Published: Article Title: T-Mobile Article URL: https://oag.ca.gov/system/files/Customer%20Notice_Final_Generic%20version_0.pdf?

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Barnabas Health Medical Group Article URL: http://www.phiprivacy.net/nj-barnabas-health-notified-patients-after-laptop-with-with-pediatric-patients-pulmonary-testi

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131230-05 Department of Health Care CO Electronic Government/Military Yes - Published # 1,918 Policy and Financing **ITRC does not consider a password adequate protectionThe Department for breached of Health data. Care Policy and Financing announced today that client information was sent from a work to a personal email address by a temporary employee of its contractor, the Colorado Community Health Alliance (CCHA). The list may have been sent for the employee’s personal use in a separate business. The information did

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Department of Health Care Policy and Financing (Colorado Medicaid) Article URL: http://www.phiprivacy.net/colorado-notifies-1918-medicaid-clients-of-hipaa-breach-by-contractors-employee/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131230-04 Cruises Inc. FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOur client, for breachedCruises Inc., data. recognizes the impor1ance of the privacy and confidentiality of the personal information provided by its current and prospective customers. Regrettably, on October 23, 2013, Cruises Inc. discovered that an unauthorized person gained access to the booking system using the log-in credentials of an authorized user. Although credit card information is encrypted when it is stored in the booking system, the unauthorized person used a decryption feature of the system to view the credit card number and expiration date for a limited number of individuals

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Cruises Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-235007.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131230-03 City of Sumner WA Electronic Government/Military Yes - Published # 3,600

**ITRC does not consider a password adequate protectionSome 3,600for breached people willdata. soon get an unwelcome letter from the city of Sumner alerting them to a security breach. A temporary municipal court clerk is accused of transferring the residents' information to her personal computer. She said she was doing it so she could learn more about the Sumner Municipal Court way of doing things.

Attribution 1 Publication: KIROTV.com Author: Deborah Horne Date Published: Article Title: Sumner residents getting letters because of data breach Article URL: http://www.kirotv.com/news/news/sumner-residents-getting-letters-because-data-brea/ncXyG/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131230-02 South Carolina Health SC Electronic Medical/Healthcare Yes - Published # 3,432 Insurance Pool **ITRC does not consider a password adequate protectionA laptop for stolen breached from data.an auditor's car contained the personal information of more than 3,400 members of the South Carolina Health Insurance Pool. CHANGED FROM GOVERNMENT TO MEDICAL PER HHS 2/2014

An attorney hired by the pool told The Associated Press on Monday the laptop contained names and Social Security numbers of 3,432 members who were part of the high-risk pool in 2011 and 2012.

Attribution 1 Publication: WISTV.com / hhs.gov Author: Date Published: Article Title: South Carolina Health Insurance Pool Article URL: http://www.wistv.com/story/24323194/laptop-with-data-of-schip-customers-stolen

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: StakerLaw Tax and Estate Planning Law Article URL: https://oag.ca.gov/system/files/StakerLaw%20Notice%2012-26-2013_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131227-02 Ironshore Management, Inc. NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to advise data. you that some of your personal information may have been exposed to unauthorized individuals, due to a recently reported laptop computer theft. The circumstances suggest that the motivation behind the reported theft was to obtain the equipment itself and not information, and we have not received any reports of access or misuse of personal information

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Ironshore Management, Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-234968.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131227-01 Cracker Barrel TN Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for contacting breached you data. regarding a data security incident that involves your personal information. On October 15, 2013, a company-owned lap top containing some of your personal information was stolen out of a locked vehicle in San Antonio, Texas. The laptop was in the floor in the back seat of a locked rental car, and the car was parked in front of a store when it was broken into. Although the lap top was password protected, there is a remote possibility that an unauthorized individual could gain access to the information contained on the lap top.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Cracker Barrel Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-235004.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131226-01 Danner OR Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionDanner for is committedbreached data. to protecting your personal information. Regrettably, we are writing to inform you of an incident involving some of that information. On December 11, 2013, Danner identified signs that an unauthorized person had recently gained access to a computer that operates banner's website. The unauthorized person installed a program on November 28, 2013 that had the ability to capture information entered by a customer making a purchase on the site. Our security team immediately removed the program and implemented measures to block any further unauthorized access.

Attribution 1 Publication: NH AG's office / VT AG's office Author: Date Published: Article Title: Danner Article URL: http://www.atg.state.vt.us/assets/files/Danner%20ltrt%20Consumer%20re%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131224-01 VAMC - Jonathan M. WA Electronic Government/Military Yes - Published # 1,519 Wainwright Memorial **ITRC does not consider a password adequate protectionThe Jonathan for breached M. Wainwright data. Memorial VA Medical Center (VAWW) in Walla Walla is offering free credit monitoring for up to 1,519 Veterans whose personal information, including social security numbers, was inadvertently emailed to an external education partner on November 1st.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Walla Walla, WA notifies patients after e-mail gaffe Article URL: http://www.phiprivacy.net/category/breaches/us-breaches/

Attribution 1 Publication: School District Website / databreaches. Author: Date Published: Article Title: Radnor Township School District Article URL: http://www.rtsd.org/domain/965

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-07 Huntington's Disease Society NY 10/2/2013 Electronic Business Yes - Unknown # 0 of America **ITRC does not consider a password adequate protectionWe represent for breached the Huntington's data. Disease Society of America ("HDSA"), 505 Eighth A venue, Suite 902, New York, NY 10018, and are writing to notify you of a data event that may affect the security of personal information of one (1) New Hampshire resident. HDSA's investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, HDSA does not waive any rights or defenses regarding the applicability of New Hampshire law or personal jurisdiction.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: Huntington's Disease Society of America Article URL: http://www.databreaches.net/huntingtons-disease-society-of-america-suffers-second-security-incident-in-six-months/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-06 Saratoga Sweets GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn behalf for breachedof Saratoga data. Sweets, I am writing to inform you about an incident that potentially involved information about you. Saratoga Sweets received information on November 25, 2013, that an unauthorized person gained access to the servers of our Web hosting company, and may have accessed your credit card number and other personal information. We know that some information was compromised, but we do not know definitively that your information was part of that data set.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Saratoga Sweets Article URL: http://www.atg.state.vt.us/assets/files/Mannix%20Marketing%20ltrt%20Consumer%20re%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-05 Travelocity TX Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAccording for breachedto their letter, data. on that date they discovered that “over the previous several months, several employees of a Travelocity service provider had misused certain information to which they had access as part of performing services for us.” The information they misused was customers’ names and payment card numbers.

Attribution 1 Publication: databreaches.net / MD AG's offcie Author: Date Published: Article Title: Travelocity notifies customers after service providers’ employees misuse customer data Article URL: http://www.databreaches.net/travelocity-notifies-customers-after-service-providers-employees-misuse-customer-data/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-04 Washington University in St. IL Electronic Educational Yes - Unknown # 0 Louis **ITRC does not consider a password adequate protection.On September for breached 13, 2013,data. our client, Washington University, learned that an unencrypted laptop computer issued to a Washington University employee had been stolen from the Washington, DC office of the Danforth Center for Religion and Politics the night before.

Attribution 1 Publication: databreaches.net / breach notification let Author: Date Published: Article Title: Washington University in St. Louis notifies business partners after laptop with unencrypted PII stolen Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-234645.pdf

**ITRC does not consider a password adequate protectionWe write for to breached inform you data. about a security incident in CSX's Jacksonville, Florida headquarters that impacts the personal information of individuals within your state or jurisdiction. At issue are emails sent with attached spreadsheets that contain personal information for certain individuals.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Article URL: http://doj.nh.gov/consumer/security-breaches/documents/csx-transportation-20131003.pdf

Attribution 2 Publication: NH AG's office / MD AG's office Author: Date Published: Article Title: CSX Transportation Article URL: http://doj.nh.gov/consumer/security-breaches/documents/csx-transportation-20131003.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-02 Office of Robert Meaglia, DDS CA Electronic Medical/Healthcare Yes - Published # 1,400

**ITRC does not consider a password adequate protectionOn the formorning breached of December data. 16,2013 we were shocked to discover our office suite broken into and our computer stolen. The computer stored both medical records and dental insurance information, including social security numbers. As a result, we are concetned that your personal information is potentially accessible to unauthorized individuals. However, we do not store credit card information nor bank accounts. The computer was password protected and the software we use, Dentrix, encrypts their data.

Attribution 1 Publication: CA AG's office / hhs.gov Author: Date Published: Article Title: Office of Robert Meaglia, DDS Article URL: https://oag.ca.gov/ecrime/databreach/reports/sb24-43597

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131223-01 W.J. Bradley Mortgage CO Electronic Banking/Credit/Financial Yes - Unknown # 0 Capital, LLC **ITRC does not consider a password adequate protectionThe purpose for breached of this letterdata. is to notify you of a breach of some personal information that you disclosed to W.J. Bradley Mortgage Capital, LLC (“WJB”) in connection with a loan transaction. While this personal information was taken from WJB’s computer systems, we believe that it has been contained, not distributed to the public at large, that WJB has retrieved the information, and that such information was scrubbed from the offending parties’ systems.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: W.J. Bradley Mortgage Capital, LLC Article URL: https://oag.ca.gov/ecrime/databreach/reports/sb24-43590

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-06 Department of Social and WA Electronic Medical/Healthcare Yes - Published # 7,000 Health Services' Economic **ITRC does not consider a password adequate protectionThe state for ofbreached Washington's data. Department of Social and Health Services' Economic Services Administration (ESA) is notifying up to 7,000 clients that their personal information may have been compromised after a coding error caused ESA letters to be mailed to old addresses.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Coding error compromises data for thousands in Washington state Article URL: http://www.scmagazine.com/coding-error-compromises-data-for-thousands-in-washington-state/article/326668/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-05 TechMedia WA Electronic Business Yes - Published # 7,000

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of an incident that may have involved your personal information. On November 20, 2013, Techmedia Network detected an unauthorized intrusion into its systems that may have allowed access to your name, mailing address, email address, phone number, credit card number, expiration date, and CVV security codes. In addition to our ongoing internal investigation, we are working with law enforcement to further investigate the unauthorized intrusion into TechMedia systems. We want to see those involved in this incident found and fully prosecuted.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: CA AG's office / VT AG's office Author: Date Published: Article Title: TechMedia Article URL: https://oag.ca.gov/system/files/Techmedia%20Individual%20Notification_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-04 Tennova Cardiology TN Electronic Medical/Healthcare Yes - Published # 2,777

**ITRC does not consider a password adequate protectionWBIR reportsfor breached that 2,777 data. patients referred to Tennova Cardiology by Summit Medical Group in Tennessee are being notified that their PHI was on a laptop stolen from the car of an unnamed third-party transcription contractor. The theft occurred October 22.

The information on the stolen laptop may include names, dates of birth, referring physician names, and health information about patient treatment and diagnostic procedures. There is no evidence that any Social Security numbers were included in the information contained on the laptop.

Attribution 1 Publication: PHIPrivacy.net Author: Date Published: Article Title: Tennova Cardiology Article URL: http://www.phiprivacy.net/laptop-containing-some-tennova-patient-info-stolen-from-contractors-car/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-03 Department of Treasury TN Electronic Government/Military Yes - Published # 6,300

**ITRC does not consider a password adequate protectionSteven forT. Hunter,breached a 24-year-olddata. former information technology worker for the state Department of Treasury, told the Tennessee Bureau of Investigation that he emailed information from a state computer system using a personal account “to perform his duties at home,” TBI spokeswoman Kristin Helm said Monday.

Attribution 1 Publication: The Tennessean Author: Date Published: Article Title: Worker said he downloaded data to work from home Article URL: http://www.tennessean.com/article/20131216/NEWS/312160048

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-02 Affinity Gaming NV Electronic Business Yes - Published # 280,000

**ITRC does not consider a password adequate protectionOwners for of breachedRail City Casinodata. and other casinos throughout Nevada have announced a security breach within their digital system.

According to Affinity Gaming, customers who have used credit or debit cards within its facility between March 14th and October 16th of 2013, are urged to take steps in protecting their identities and financial information.

Attribution 1 Publication: News 4 / KRNV-DT Reno / SC Magazine Author: Date Published: Article Title: Rail City Casino owner, Affinity Gaming, announces digital security breach Article URL: http://www.mynews4.com/mostpopular/story/Rail-City-Casino-owner-Affinity-Gaming-announces/L57yjSyL40qo8ceGlSo

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131220-01 State of Colorado CO Electronic Government/Military Yes - Published # 18,800

**ITRC does not consider a password adequate protectionAccording for breachedto idRADAR, data. the personal data of 18,800 current and former Colorado state employees may have been exposed when a state employee lost a USB drive

Attribution 1 Publication: esecurityplanet.com Author: Jeff Goldman Date Published: Article Title: Data Breach Affects 18,800 Colorado State Employees Article URL: http://www.esecurityplanet.com/network-security/data-breach-affects-18800-colorado-state-employees.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131218-01 Target MN Electronic Business Yes - Published # 40,000,000

**ITRC does not consider a password adequate protectionNationwide for breached retail giant data. Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year. 40 MILLION DC/CC - 70 MILLION UNKNOWN AS TO ANY DEGREE OF OVERLAP REDUCED NUMBER OF RECORDS FOR RANKING PURPOSES SINCE 70 MILLION RECORDS REMAIN UNKNOWN

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: BankInfoSecurity.com Author: Date Published: Article Title: Target Breach: 70 Million Affected Article URL: http://www.bankinfosecurity.com/target-breach-70-million-affected-a-6366?rf=2014-01-10-eb&utm_source=SilverpopMai

Attribution 2 Publication: Brian Krebs Author: Date Published: Article Title: Target Investigating Data Breach Article URL: http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-09 Martin Luther King Jr. Health NY Electronic Medical/Healthcare Yes - Published # 37,000 Center **ITRC does not consider a password adequate protectionOn August for breached 27, 2013, data. we learned that Professional Transcription Company (PTC), a company that was hired by us to transcribe dictated physician reports, had hired a subcontractor, Bahoo.net (Bahoo), which allowed certain transcriptions to be publicly available through Bahoo’s website and through certain search engines (e.g., Google). Upon investigation, it was determined that Bahoo failed to adequately secure its File Transfer Protocol (FTP) site allowing certain transcriptions to be viewable.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: NY: Martin Luther King Jr. Health Center learns of subcontractor’s breach four years later, responds to breach admirably Article URL: http://www.phiprivacy.net/ny-martin-luther-king-jr-health-center-learns-of-subcontractors-breach-four-years-later-respo

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-08 Greater Dallas Orthopaedics, TX Electronic Medical/Healthcare Yes - Published # 5,840 PLLC **ITRC does not consider a password adequate protectionIf you have for breached been a patient data. of Allaaddin Mollabashy, M.D., Nathan F. Gilbert, M.D. and/or Greater Dallas Orthopaedics, PLLC in Dallas, Texas, you are hereby notified that a privacy breach of personal health information may have occurred when two computers were stolen during a break-in on or about September 1, 2013.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Texas orthopedic group notifies patients after desktop computers were stolen in burglary Article URL: http://www.phiprivacy.net/texas-orthopedic-group-notifies-patients-after-desktop-computers-were-stolen-in-burglary/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-07 Colorado Health & Wellness CO Electronic Medical/Healthcare Yes - Published # 651

**ITRC does not consider a password adequate protectionOn September for breached 4, 2013, data. Colorado Health & Wellness, Inc. discovered that a doctor formerly associated with Colorado Health & Wellness, Inc. took patient information without authorization when he ended his practice at Colorado Health & Wellness, Inc

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Colorado Health & Wellness notifies patients after doctor who left practice took their contact information with him Article URL: http://www.phiprivacy.net/colorado-health-wellness-notifies-patients-after-doctor-who-left-practice-took-their-contact-in

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-06 UniHealth Source GA 10/8/2013 Electronic Medical/Healthcare Yes - Published # 4,500

**ITRC does not consider a password adequate protectionThe purpose for breached of this noticedata. is to identify a recent incident involving the theft of a computer laptop belonging to one of our employees. The laptop contained very limited information about current and former clients: specifically, the first and last name and, in some cases, potential diagnoses.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: UniHealth Source Article URL: http://www.phiprivacy.net/two-laptops-with-phi-stolen-from-uhs-pruitt-employees-cars-in-a-two-week-period/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-05 UHS-Pruitt Corporation GA 9/26/2013 Electronic Medical/Healthcare Yes - Published # 1,300

**ITRC does not consider a password adequate protectionUHS-Pruitt for breached Corporation data. (“UHS-Pruitt”) has provided notice to current and former residents of Heritage Healthcare of Ashburn, UniHealth Post- Acute Care Augusta Hills, Heritage Healthcare of Fitzgerald, Heritage Healthcare at Osceola, Palmyra Nursing Home and Sylvester Healthcare of a breach of unsecured resident medical and financial information after discovering the following event:

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: UHS-PRUITT CORPORATION NOTIFIES RESIDENTS OF BREACH OF UNSECURED PERSONAL INFORMATION Article URL: http://www.phiprivacy.net/two-laptops-with-phi-stolen-from-uhs-pruitt-employees-cars-in-a-two-week-period/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-04 Comprehensive SC Electronic Medical/Healthcare Yes - Published # 3,500 Psychological Services LLC **ITRC does not consider a password adequate protectionA breach for reported breached by data. Comprehensive Psychological Services LLC in South Carolina was added to HHS’s public breach tool yesterday. According to HHS’s entry, 3,500 patients were notified after a laptop was stolen from the practice’s office on October 28.

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Psychological assessments provider notifies patients after laptop with PHI stolen in office burglary Article URL: http://www.phiprivacy.net/psychological-assessments-provider-notifies-patients-after-laptop-with-phi-stolen-in-office-b

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-03 Fairfax County Health VA Electronic Government/Military Yes - Published # 1,499 Department - Bailey's Health **ITRC does not consider a password adequate protectionThe Fairfax for breached County Healthdata. Department in Virginia is sending notification letters to roughly 1,500 individuals after Bailey's Health Center – one of the county's health care clinics – inadvertently left private pharmaceutical records on an unsecured computer server. CHANGED TO MEDICAL PER HHS 2/2014

Attribution 1 Publication: SCMagazine Author: Adam Greenberg Date Published: Article Title: Fairfax County Health Department Article URL: http://www.scmagazine.com/patient-information-in-virginia-accessed-on-unsecured-server/article/325715/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-02 University of North Carolina - NC Electronic Educational Yes - Published # 6,500 Chapel Hill **ITRC does not consider a password adequate protectionWhat happened? for breached An data. information technology manager in the Division of Finance and Administration discovered that some Division of Facilities Services files containing the personal data were inadvertently posted publicly on the internet.

Attribution 1 Publication: SCMagazine Author: Adam Greenberg Date Published: Article Title: University of North Carolina - Chapel Hill Article URL: http://www.scmagazine.com/unc-chapel-hill-data-breach-affects-more-than-6000/article/325933/

Attribution 2 Publication: dailytarheel.com Author: Date Published: Article Title: Officials clean up UNC data breach Article URL: http://www.dailytarheel.com/article/2014/01/data-breach-0108

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131217-01 CITGO TX Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe value for ourbreached relationship data. with you and we respect and work to protect the privacy of your information. That's why CITGO must make you aware of a data storage issue that involves your personal information. Please note this is a precautionary notice only, as there is no indication that your information was accessed or retrieved by unauthorized employees, or that there has been any misuse of your personal information. Furthermore, we have no reason to believe that this type of incident will occur in the future.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: CITGO Article URL: http://www.atg.state.vt.us/assets/files/CITGO%20ltrt%20Consumer%20re%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131213-05 University of Connecticut CT Electronic Medical/Healthcare Yes - Published # 164 Health Center **ITRC does not consider a password adequate protectionAn employee for breached of the UConndata. Health Center inappropriately accessed personal information in the medical records of 164 patients, the university said Wednesday. Health Center spokeswoman Carolyn Pennington said the school became aware of the privacy breach Nov. 4 and has sent letters to all the affected patients. The incident was included in a report Wednesday to the school's board of trustees.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: AP Author: Date Published: Article Title: University of Connecticut Health Center Article URL: http://www.miamiherald.com/2013/12/11/3812390/uconn-employee-breached-privacy.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131213-04 EZYield GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notifY data. you of an incident with a recent hotel reservation made through an online travel agency that may affect the security of your personal information. We are unaware of any attempted or actual misuse of your personal information, but are providing this notice to ensure that you are aware of the incident and so that you may take steps to monitor your identity and your credit accounts, should you feel it is appropriate to do so.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: EZYield Article URL: http://www.insurancethoughtleadership.com/articles/why-traditional-crime-measurements-dont-tell-the-whole-story - ax

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131213-03 Lanap & Dental Implants of PA Electronic Medical/Healthcare Yes - Published # 11,000 Pennsylvania (Dr. David **ITRC does not consider a password adequate protectionDave Bohman for breached of WNEP data. recently reported on a breach involving Lanap & Dental Implants of Pennsylvania. The breach involved someone uploading a copy of the dental group’s practice management software (Dentrix) to a torrent site. The upload didn’t just contain the software, however. It also contained unencrypted patient record databases. As a result, over 11,000 patients – mostly from their Williamsport office – had their personal and protected health information available for free downloading. (hhs.gov = David DiGiallorenzo, DMD)

Attribution 1 Publication: WNEP / PHIprivacy.net Author: Dave Bohman Date Published: Article Title: housands of Pennsylvania dental patients may be at lifetime risk of ID theft after patient database is uploaded to torrent sites Article URL: http://www.phiprivacy.net/thousands-of-pennsylvania-dental-patients-may-be-at-lifetime-risk-of-id-theft-after-patient-dat

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131213-02 Briar Group MA Electronic Business Yes - Published # 300

**ITRC does not consider a password adequate protectionHundreds for breachedof individuals data. who attended conferences at the Boston Convention & Exhibition Center (BCEC) are reporting unauthorized charges to their credit cards.

Attribution 1 Publication: Author: Date Published: Article Title: Chain confirms it was source of breach affecting conventions Article URL: http://www.bostonglobe.com/business/2013/12/27/local-restaurant-chain-source-data-breach-that-compromised-card-in

Attribution 2 Publication: SC Magazine Author: Date Published: Article Title: Officials seek cause of card breach affecting Boston convention attendees Article URL: http://www.scmagazine.com/officials-seek-cause-of-card-breach-affecting-boston-convention-attendees/article/325398/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131213-01 Cottage Health System OR Electronic Medical/Healthcare Yes - Published # 50,918

**ITRC does not consider a password adequate protectionOn December for breached 2, 2013 data. CHS received a voicemail message informing it that a file containing personal health information of certain patients may be available on Google. CHS immediately investigated the situation, and discovered that InSync, a third party vendor for CHS and its affiliated hospitals, Goleta Valley Cottage Hospital ("GVCH"), Santa Barbara Cottage Hospital ("SBCH"), and Santa Ynez Valley Cottage Hospital ("SYNCH"), appeared to have, without CHS's knowledge, removed electronic security protections from one of its servers, resulting in the exposure of a file containing certain personal health information stored nn the server. NUMBER OF RECORDS UPDATED PER HHS.GOV 9/4/2014

Attribution 1 Publication: CA AG's office / hhs.gov Author: Date Published: Article Title: Cottage Health System Article URL: https://oag.ca.gov/system/files/CHDOCS01-%231636861-v1-AG_Notification_CHS_-_CA_0.PDF?

**ITRC does not consider a password adequate protectionI appreciate for breached the trust data. you have placed in me by allowing me to be your surgeon. I regret to inform you that my residence was broken into on September 23, 2013 and various items were stolen. Pertinently, my password protected laptop was taken. Though the San Jose Police Department was immediately notified upon the burglary's discovery, to date nothing has been recovered.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Office of Stephen T. Imrie MD Article URL: https://oag.ca.gov/system/files/FINAL%20Imrie%20notification%20letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131211-01 Los Angeles Gay & Lesbian CA Electronic Medical/Healthcare Yes - Published # 59,000 Center **ITRC does not consider a password adequate protectionThe L.A. for Gay breached & Lesbian data. Center recently learned that the security of certain of our information systems was compromised by a criminal cyber attack apparently designed to collect social security numbers, credit card numbers and other financial information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Los Angeles Gay & Lesbian Center Article URL: https://oag.ca.gov/system/files/LAGLC%20Individual%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-08 Bed Bath & Beyond NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAs you forare breached aware, New data. Hampshire state law requires notice to the New Hampshire Attorney General in the event of an information security breach involving the personal information of New Hampshire residents. In accordance with that requirement, I write to inform you of an information security breach that my client, Bed Bath & Beyond Inc. ("Bed Bath & Beyond"), discovered on September 19, 2013. Bed Bath & Beyond, to date, does not know whether any New Hampshire residents were affected, and recently determined that it may never know.

Attribution 1 Publication: NH AG's office / MD AG's office Author: Date Published: Article Title: Bed Bath & Beyond Article URL: http://doj.nh.gov/consumer/security-breaches/documents/bed-bath-beyond-20131122.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-07 Southern Illinois University IL Electronic Medical/Healthcare Yes - Published # 1,891 Healthcare **ITRC does not consider a password adequate protectionA laptop for containing breached personaldata. information of 1,891 SIU [Southern Illinois University] HealthCare patients is presumed stolen.

Attribution 1 Publication: PHIprivacy.net / WICS.com Author: Date Published: Article Title: Laptop Containing Patient Information Stolen From SIU (updated) Article URL: http://www.phiprivacy.net/il-laptop-containing-patient-information-stolen-from-siu/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-06 Food and Drug DC Electronic Government/Military Yes - Published # 14,000 Administration **ITRC does not consider a password adequate protectionLawmakers for breached have raised data. concerns that the Food and Drug Administration hasn't been as forthright as it should in disclosing an October breach that exposed personally identifiable information of 12,000 to 14,000 individuals.

Attribution 1 Publication: Data Breach Today Author: Eric Chabrow Date Published: Article Title: FDA Breach Raises Lawmakers' Hackles Article URL: http://www.databreachtoday.com/fda-breach-raises-lawmakers-hackles-a-6279/op-1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-05 Made in Oregon (NAITO) OR Electronic Business Yes - Published # 1,700

**ITRC does not consider a password adequate protectionMore than for breached1,700 people data. who made purchases with online retailer Made In Oregon are being notified that their credit card information may have been compromised in a security breach.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: More than 1,700 alerted to breach of Oregon online retailer Article URL: http://www.scmagazine.com//more-than-1700-alerted-to-breach-of-oregon-online-retailer/article/323608/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-04 TD Bank US Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAt TD Bank, for breached we understand data. the importance of keeping you informed when it comes to your banking. That's why we're committed to notifying you about events that might affect your accounts or relationship with us. Today, we're writing to let you know about a recent incident involving your personal information. We recently learned that one of our employees improperly disposed of Wire Transfer documents that may have contained your personal information. This personal information may have included your name, address and account number.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: TD Bank Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/td-bank-ltr

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-03 DecisionDesk NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe write for regarding breached a data. data incident involving information stored by our database hosting services provider MongoHQ. DecisionDesk uses the services of a third party hosting services provider, MongoHQ, to host the databases that maintain information submitted through our services. MongoHQ has informed us that a person (or persons) accessed its hosting systems without authorization and further accessed and likely duplicated or transmitted information from databases maintained by MongoHQ for several of its customers, including DecisionDesk.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: DecisionDesk Article URL: https://oag.ca.gov/system/files/California%20-%20Consumer%20Notice%20Sample_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-02 National American University SD Paper Data Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionNational for American breached University data. in Rapid City is investigating whether some student financial records were handled correctly after they were thrown into an outdoor trash bin.

The Rapid City Journal reported (http://bit.ly/1e0AXXs ) that it obtained thousands of records including names, addresses and Social Security numbers that a member of the public took from a Dumpster and brought to the newspaper after the university relocated to a new campus earlier this year.

Attribution 1 Publication: centredaily.com Author: Date Published: Article Title: Rapid City university to probe disposal of records Article URL: http://www.centredaily.com/2013/12/09/3933592/rapid-city-university-to-probe.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131210-01 Houston Methodist Hospital TX Electronic Medical/Healthcare Yes - Published # 1,300

**ITRC does not consider a password adequate protectionHouston for Methodist breached Hospital data. learned on Dec. 5 that an encrypted laptop and some paper files were stolen, and began notifying patients, local media and federal officials on Dec. 6.

Attribution 1 Publication: healthdatamanagement.com Author: Joseph Goedert Date Published: Article Title: Houston Methodist Reacts Quickly to Data Breach Article URL: http://www.healthdatamanagement.com/news/houston-methodist-reacts-quickly-to-data-breach-46984-1.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131206-05 Drew University NJ Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn October for breached 1, 2013, data. Drew University was informed by a university employee that his/her work email account had been hacked into by an unknown third-party. Upon learning of this incident, Drew University immediately changed the employee's network login credentials and launched an internal investigation into this incident.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Drew University Article URL: http://www.atg.state.vt.us/assets/files/2013%2012%2005%20Drew%20University%20Security%20Breach%20Ltr%20to%2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131206-04 Capital One UT Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe're sorryfor breached to inform data. you that an event may have compromised the privacy of your personal information related to your Capital One® Credit Card account ending in . We believe that a former employee may have improperly accessed your account.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Capital One Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/capital-on

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131206-03 HSBC Bank USA, N.A. IL Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe recently for breached became data. aware of an incident where an employee with HSBC inappropriately accessed information relating to your account with HSBC Bank USA or one of its affiliates beginning early this year. As a result of this incident, your personal information may have been exposed to a third party.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: HSBC Bank USA, N.A. Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/hsbc-lette

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131206-02 Horizon Blue Cross Blue NJ Electronic Medical/Healthcare Yes - Published # 839,711 Shield of New Jersey **ITRC does not consider a password adequate protectionHorizon for Blue breached Cross Bluedata. Shield of New Jersey is writing to inform you that two company laptop computers which may have contained some of your information were stolen. We want to apologize for this incident and provide you information on what happened and the steps we are taking to protect you moving forward.

Attribution 1 Publication: HealthITSecurity Author: Nicole Freeman Date Published: Article Title: Horizon Blue Cross Blue Shield tells 840,000 of data breach Article URL: http://healthitsecurity.com/2013/12/10/horizon-blue-cross-blue-shield-tells-840000-of-data-breach/

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: Horizon Blue Cross Blue Shield of New Jersey Article URL: https://oag.ca.gov/system/files/Horizon%20BCBSNJ%20-%20Incident%20Notification%20-%20CA_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131206-01 B&G Foods North America, VT Electronic Business Yes - Unknown # 0 Inc. **ITRC does not consider a password adequate protectionOn November for breached 16, 2013, data. B&G Foods North America, Inc. discovered that an unauthorized third party had earlier that day attacked the online e- commerce website associated with our Maple Grove Farms brand. We are sending you this letter as a cautionary measure because we believe that certain information about you, which may have included your name, address, telephone number, and credit / debit card number, may have been accessed without authorization.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: B&G Foods North America, Inc. Article URL: https://oag.ca.gov/system/files/B%26G%20Foods%20Consumer%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131205-02 Facebook CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionHackers for have breached pilfered data. some 2 million user passwords and credentials from Facebook and other social media and Internet sites, according to IT security provider Trustwave.

A Dec. 4 blog from Trustwave's SpiderLabs says the attack emanated from a single IP address in the Netherlands that functions as a gateway or reverse proxy between the infected machines and the Dutch-based command-and-control server.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Databreachtoday.com Author: Eric Chabrow Date Published: Article Title: 2 Million Passwords Reportedly Stolen Article URL: http://www.databreachtoday.com/2-million-passwords-reportedly-stolen-a-6266?rf=2013-12-05-edbt&elq=506c143226dd

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131205-01 JP Morgan, Chase & Co. NY Electronic Banking/Credit/Financial Yes - Published # 465,000

**ITRC does not consider a password adequate protectionPersonal for information breached data. of nearly half a million corporate and government clients who hold prepaid cash cards issued by JPMorgan Chase & Co. (NYSE:JPM) may have been compromised in a cyberattack that took place on the bank’s network in July, the bank warned on Wednesday.

Attribution 1 Publication: International Business Times Author: Amrutha Gayathri Date Published: Article Title: JPMorgan Chase Cyberattack: Almost Half A Million Corporate Customers’ Data Breached, Bank Warns Article URL: http://www.ibtimes.com/jpmorgan-chase-cyberattack-almost-half-million-corporate-customers-data-breached-bank-war

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131203-04 Employment Development CA Electronic Government/Military Yes - Unknown # 0 Department **ITRC does not consider a password adequate protectionCalifornia's for breached Employment data. Development Department, which manages unemployment insurance and disability insurance for the state, recently began notifying an undisclosed number of people that their confidential information, including their full names and Social Security numbers, may have been provided by mistake to employers for whom they hadn't worked.

Attribution 1 Publication: eSEcurity Planet / CA AG's office Author: Jeff Goldman Date Published: Article Title: Employment Development Department Article URL: http://www.esecurityplanet.com/network-security/california-edd-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131203-02 University of Pittsburgh PA Electronic Medical/Healthcare Yes - Published # 1,300 Medical Center **ITRC does not consider a password adequate protectionMore than for breacheda thousand data. patients treated at a variety of University of Pittsburgh Medical Center (UPMC) locations over the past year are being notified that their personal information was viewed inappropriately by a former employee.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Staffer compromises more than a thousand Pittsburgh patients Article URL: http://www.scmagazine.com/staffer-compromises-more-than-a-thousand-pittsburgh-patients/article/323483/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131203-01 Board of Barbering and CA Electronic Business Yes - Unknown # 0 Cosmetology **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a security incident at the Board of Barbering and Cosmetology (Board) involving your personal information. On August 23, 2013, the Board's Fairfield Office was burglarized and a desktop computer was stolen. The burglary was reported to local law enforcement authorities. Through an investigation, it was determined that the computer may have contained a document with personal information of individuals who participated as models for applicants who were taking a cosmetology, barbering, manicure, esthetician, or electrology exam.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Board of Barbering and Cosmetology Article URL: https://oag.ca.gov/system/files/BBC_Sample_Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131202-03 University of Washington WA Electronic Medical/Healthcare Yes - Published # 90,000 (UW) Medicine **ITRC does not consider a password adequate protection In early for October breached 2013, data. a UW Medicine employee opened an email attachment that contained malicious software (malware). The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity.

Attribution 1 Publication: UW Medicine statement / welivesecurity Author: Date Published: Article Title: Malware attack on Seattle hospital leaves 90,000 patients’ details exposed Article URL: http://www.welivesecurity.com/2013/12/02/malware-attack-on-seattle-hospital-leaves-90000-patients-details-exposed/?u

Attribution 1 Publication: myFoxPhoenix.com / NAID Author: Marc Martinez Date Published: Article Title: http://www.myfoxphoenix.com/story/24079777/2013/11/26/cps-documents-found-dumped-in-alley Article URL: http://www.myfoxphoenix.com/story/24079777/2013/11/26/cps-documents-found-dumped-in-alley

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131202-01 Mid-Atlantic Regional Law MD Paper Data Business Yes - Unknown # 0 Group **ITRC does not consider a password adequate protectionABC2 Investigatorsfor breached wentdata. dumpster diving after getting a tip about document dumping outside a now defunct Baltimore County law firm. We dug in and found sensitive personal information that belongs to clients.

Attribution 1 Publication: abc2news.com / NAID Author: Date Published: Article Title: Sensitive material found in local dumpster Article URL: http://www.abc2news.com/dpp/news/local_news/investigations/sensitive-material-found-in-local-dumpster

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131127-04 Maricopa County Community AZ Electronic Educational Yes - Published # 2,500,000 College District **ITRC does not consider a password adequate protectionThe personal for breached information data. of nearly 2.5 million Maricopa County Community College District students, employees and suppliers might have been exposed without authorization.

Attribution 1 Publication: Author: Date Published: Article Title: Maricopa community colleges district reports IT security breach Article URL: http://www.wnem.com/story/24085061/maricopa-community-colleges-district-reports-it-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131127-03 Marsh & McLennan NY Electronic Business Yes - Unknown # 0 Companies, Inc. **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you that a data incident has taken place at Kroll Background Screening Services (Kroll) involving personal information. Kroll performs background checks for many companies, including Marsh & McLennan Companies, Inc. and our affiates (collectively "we", "us" or the "company"). According to available records we believe that you provided personal information to Kroll for a background check performed in connection with your application for employment or performance of services for the Company. Some of your personal information, including your name, Social Security number, address, employment, and academic histories may have been on Kroll servers or networks impacted by this data incident.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Marsh & McLennan Companies, Inc. Article URL: MMC Notification-Kroll Data Incident Individual Notification_0.pd

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131127-02 URM Stores US Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAt the heightfor breached of Thanksgiving data. grocery shopping, dozens of local groceries stores are asking customers to pay cash or check because the URM-run computer network that processes credit and debit card transactions has been compromised by hacking for at least two months. URM CEO Ray Sprinkle gathered managers from Yoke's, Rosauers, Super 1 Foods, Trading Company, Harvest Foods and Family Foods and Center Place grocery stores Sunday to discuss the breach of security and explain how to move forward with customers.

Attribution 1 Publication: KXLY.com / URM letter Author: Date Published: Article Title: Security breach hits dozens of grocery stores Article URL: http://www.kxly.com/news/spokane-news/security-breach-hits-dozens-of-grocery-stores/-/101214/23155576/-/khhuhi/-/in

**ITRC does not consider a password adequate protectionRoughly for 15,000 breached students data. enrolled in 18 Long Island elementary, middle and high schools – comprising the Sachem School District – may have had personal data compromised by an unidentified individual who posted the information on an online forum.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Data breach of Long Island school district affects thousands of students Article URL: http://www.scmagazine.com/data-breach-of-long-island-school-district-affects-thousands-of-students/article/322144/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131126-04 CME Group NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionFutures for exchange breached company data. CME Group says it was the victim of a cyberattack over the summer. CME Group said the breach happened in July through the company's ClearPort system, a software platform where over-the-counter trading of commodities and currencies is reported. An estimated 450,000 contracts pass through ClearPort on an average trading day.

Attribution 1 Publication: AP Author: Ken Sweet Date Published: Article Title: CME Group was victim of 'cyber intrusion' in July Article URL: http://finance.yahoo.com/news/cme-group-victim-cyber-intrusion-204036445.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131126-03 Florida Digestive Health FL Electronic Medical/Healthcare Yes - Published # 4,400 Specialists LLP **ITRC does not consider a password adequate protectionFlorida forDigestive breached Health data. Specialists LLP is notifying about 4,400 patients that a former employee improperly accessed their personal information and photographed the data.

Attribution 1 Publication: SC Magazine / heraldtribune.com Author: Adam Greenberg Date Published: Article Title: Florida health employee caught photographing patient data, gets fired Article URL: http://www.scmagazine.com/florida-health-employee-caught-photographing-patient-data-gets-fired/article/322701/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131126-02 Kaiser Foundation Hospital / CA Electronic Medical/Healthcare Yes - Published # 49,000 Anaheim Medical Center **ITRC does not consider a password adequate protectionNo week for is breached complete data. without a healthcare data breach in which a USB flash drive was either stolen or lost. This time, it was the Kaiser Foundation Hospital Orange County - Anaheim Medical Center alerting patients that their data had been compromised when a flash drive with their information on it went missing.

Attribution 1 Publication: Los Angeles Time / PHIprivacy.net Author: Chad Terhune Date Published: Article Title: Kaiser Permanente reports privacy breach to 49,000 patients Article URL: http://www.latimes.com/business/money/la-fi-mo-kaiser-privacy-breach-20131209,0,4000091.story - axzz2n7OPHIAr

Attribution 2 Publication: Health IT Security / PHIprivacy.net Author: Patrick Ouellette Date Published: Article Title: Kaiser Permanente sends patient data breach notifications Article URL: http://healthitsecurity.com/2013/11/26/kaiser-permanente-sends-patient-data-breach-notifications/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131126-01 Crown Castle PA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionCrown Castlefor breached recently data. began notifying an undisclosed number of its U.S. employees that their payroll information may have been accessed by hackers.

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Crown Castle Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/crown-castle-acknowledges-data-breach.html

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131122-02 University of California San CA Electronic Medical/Healthcare Yes - Published # 8,294 Francisco (physician) **ITRC does not consider a password adequate protectionThe theft for of breached a laptop data.from a University of California San Francisco physician has compromised the health information of 8,294 people. The laptop containing protected health information was taken from the locked car of a UCSF School of Medicine gastroenterologist. Though the physician believed the laptop to be encrypted, UCSF could not confirm it was.

Attribution 1 Publication: Beckershospitalreview.com Author: Date Published: Article Title: Another UCSF Data Breach Affects 8k Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/another-ucsf-data-breach-affects-8k.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131122-01 Flamingo Resort and Spa NV Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWithin thefor breachedlast month data. the Flamingo Resort and Spa discovered a virus on the payroll computer which could have allowed a hacker to access personal information, such as your social security number, date of birth, home address, phone number and bank routing numbers (if you do direct deposit for your pay checks). The Flamingo Resort and Spa is taking further measures to ensure this will not happen in the future.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Flamingo Resort and Spa Article URL: https://oag.ca.gov/system/files/To%20whom%20it%20may%20concern_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131121-01 Anthem Blue Cross of CA Electronic Medical/Healthcare Yes - Published # 24,500 California **ITRC does not consider a password adequate protectionWe are for sending breached you data.this letter to notify you that your Tax Identification Number (“TIN”), along with your name and business address, were erroneously displayed on a PDF document posted to the Anthem website, www.anthem.com/ca.

Attribution 1 Publication: Los Angeles Times Author: Date Published: Article Title: Anthem Blue Cross posts Social Security, tax numbers of 24,500 doctors Article URL: http://articles.latimes.com/2013/nov/25/business/la-fi-mo-anthem-doctors-breach-20131125

Attribution 2 Publication: HealthcareITNews Author: Erin McCann Date Published: Article Title: Docs feel brunt of Anthem breach Article URL: http://www.healthcareitnews.com/news/docs-feel-brunt-anthem-data-breach-blunder

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-17 Sierra View District Hospital CA Electronic Medical/Healthcare Yes - Published # 1,009

**ITRC does not consider a password adequate protectionDuring fora routine breached security data. audit of patient records and information, Sierra View District Hospital determined that a hospital employee inappropriately accessed protected health information (PHI). As a result, the hospital immediately conducted an investigation to determine the extent to which information was accessed.

Attribution 1 Publication: foothills Sun-Gazette / phiprivacy.net / h Author: Date Published: Article Title: SVDH reports patient record breach Article URL: http://www.fsgnews.com/article/health/2013/10/16/svdh-reports-patient-record-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-16 BriovaRx IL Electronic Medical/Healthcare Yes - Published # 1,067

**ITRC does not consider a password adequate protectionBriovaRx for in breached Illinois reported data. that 1,067 patients had PHI involved in a breach that occurred between July 3 and July 11 of this year.

Attribution 1 Publication: Author: Date Published: Article Title: BriovaRx Article URL: http://www.phiprivacy.net/?s=tsys&searchsubmit=

**ITRC does not consider a password adequate protectionComprehensive for breached Podiatry data. LLC Commits HIPAA Theft Breach Affecting 1,360 in OH.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Comprehensive Podiatry, LLC Article URL: http://hipaaviolation.org/category/breach/page/51/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-13 Good Samaritan Hospital CA Electronic Medical/Healthcare Yes - Published # 3,833

**ITRC does not consider a password adequate protectionOn July for 8, breached2013, we data.learned that a laptop computer containing information about pacemaker readings was missing. Initially we had understood the information was not linked to any patient identifying information, but on September 23, 2013, we learned that the laptop also had data files that could be linked to the pacemaker readings that included patient identifying information.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Good Samaritan Hospital Article URL: http://www.phiprivacy.net/unencrypted-laptops-still-a-major-cause-of-breach-reports-to-hhs/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-11 Region Ten Community VA Electronic Medical/Healthcare Yes - Published # 10,228 Services Board **ITRC does not consider a password adequate protectionOn July for 29, breached 2013, a hackerdata. obtained the passwords to several Region Ten Community Services Board employees’ email accounts. It is unknown what, if any, protected health information was contained in the email accounts involved, and Region Ten is not aware that any protected health information was accessed or used by unauthorized individuals.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Region Ten Community Services Board Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Region Ten Community Services Board Article URL: http://www.phiprivacy.net/unencrypted-laptops-still-a-major-cause-of-breach-reports-to-hhs/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-10 Schuylkill Health System PA Electronic Medical/Healthcare Yes - Published # 2,810

**ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Schuylkill Health System Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-09 Texas Health Presbyterian TX Electronic Medical/Healthcare Yes - Published # 949 Dallas Hospital **ITRC does not consider a password adequate protectionTexas Healthfor breached Presbyterian data. Hospital Dallas (Texas Health Dallas) is committed to protecting our patients’ information and takes significant steps to do so. We are writing to inform you about an incident involving some of that information.

Attribution 1 Publication: phiprivacy.net / Texas Health website Author: Date Published: Article Title: Texas Health Presbyterian Dallas Hospital Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

**ITRC does not consider a password adequate protectionIn accordance for breached with 45 data. CFR Parts 160 and 164, this is to notify you of a recent occurrence that resulted in a breach of protected health information.

Description of what happened: On the morning of August 23, 2013, it was discovered that my rolling briefcase, containing my laptop business computer, books, and seven case files had been stolen from my personal vehicle. My vehicle was on private property at the time. The police are actively investigating this case.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Access Counseling Article URL: http://www.phiprivacy.net/unencrypted-laptops-still-a-major-cause-of-breach-reports-to-hhs/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-07 Office of Sarah Benjamin, CO Electronic Medical/Healthcare Yes - Published # 3,512 DPM **ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Office of Sarah Benjamin, DPM Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-06 TSYS Employee Health Plan GA Electronic Medical/Healthcare Yes - Published # 5,232

**ITRC does not consider a password adequate protectiontheft - email for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: TSYS Employee Health Plan Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-05 County of Baltimore MD Electronic Government/Military Yes - Published # 12,000

**ITRC does not consider a password adequate protectionThe personal for breached information data. of current and past Baltimore County employees was stolen by a former employee of a county information technology contractor.

Attribution 1 Publication: SC Magazine Author: Marcos Colon Date Published: Article Title: Baltimore County workers' personal information stolen Article URL: http://www.scmagazine.com/baltimore-county-workers-personal-information-stolen/article/319162/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-04 City of Milwaukee WI Electronic Government/Military Yes - Published # 9,414

**ITRC does not consider a password adequate protectionThousands for breached of city workers data. in Milwaukee, as well as their spouses and domestic partners, had personal information compromised after a flash drive that contained the data was stolen.

Attribution 1 Publication: Milwaukee-Wisconsin Journal Sentinel Author: Date Published: Article Title: City prepared to take action on Dynacare data breach Article URL: http://www.jsonline.com/blogs/news/232851751.html

Attribution 2 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Milwaukee contractor loses flash drive, compromises thousands Article URL: http://www.scmagazine.com/milwaukee-contractor-loses-flash-drive-compromises-thousands/article/321411/

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-03 Department of Health and NC Electronic Medical/Healthcare Yes - Published # 1,300 Human Services **ITRC does not consider a password adequate protectionThe North for breachedCarolina Department data. of Health and Human Services has begun notifying the 1,300 patients whose personal information was inadvertently posted on a public website.

Attribution 1 Publication: Becker's Hospital Review Author: Helen Gregg Date Published: Article Title: North Carolina Accidentally Posts Patient Information on Public Site Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/north-carolina-accidentally-posts-patient-inf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-02 Redwood Memorial Hospital CA Electronic Medical/Healthcare Yes - Published # 1,039

**ITRC does not consider a password adequate protectionIn Fortuna, for breached Calif., Redwood data. Memorial Hospital announced the loss of a thumb drive containing personal and medical information of 1,039 patients, according to a Times-Standard report.

Attribution 1 Publication: Becker's Hospital Review Author: Helen Gregg Date Published: Article Title: 2 Recent Data Breaches: Eastside Medical Center Loses Paper Records, Redwood Memorial Loses Thumb Drive With Patient Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/2-recent-data-breaches-eastside-medical-ce

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131120-01 Office of Kathleen Whisman, CA Electronic Medical/Healthcare Yes - Unknown # 0 MD **ITRC does not consider a password adequate protectionThe security, for breached confidentiality, data. integrity and privacy of patient personal information are highly valued by Kathleen Whisman, M.D. We are writing you because of a disclosure of your personally identifiable information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Office of Kathleen Whisman, MD Article URL: https://oag.ca.gov/system/files/Breach%20Notification_2.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-14 Rotech FL Electronic Medical/Healthcare Yes - Published # 10,680

**ITRC does not consider a password adequate protectionRotech for Healthcare breached recently data. began notifying its employees that it learned on August 30, 2013 that a former employee took a personal computer containing sensitive files with her when she stopped working at the company on November 26, 2010 (h/t PHIprivacy.net).

Attribution 1 Publication: phiprivacy.net / eSecurity Planet Author: Date Published: Article Title: Rotech Healthcare Admits Data Breach Article URL: http://www.esecurityplanet.com/network-security/rotech-healthcare-admits-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-13 Rose Medical Center CO Paper Data Medical/Healthcare Yes - Published # 606

**ITRC does not consider a password adequate protectionRose Medical for breached Center data. in Colorado CO reported that 606 patients had PHI on paper records that were improperly disposed of between June 28 and July 16th,

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Rose Medical Center Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-12 Group Health Cooperative WA Paper Data Medical/Healthcare Yes - Published # 1,015

**ITRC does not consider a password adequate protectionGroup Healthfor breached Cooperative data. in Washington reported that 1,015 patients had PHI involved in an incident on September 16th involving paper records.

Attribution 1 Publication: Author: Date Published: Article Title: Article URL:

How is this report produced? What are the rules? See last page of report for details.

Attribution 2 Publication: phiprivacy.net / Group Health Author: Date Published: Article Title: Group Health Cooperative Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-11 Superior HealthPlan, Inc. TX Paper Data Medical/Healthcare Yes - Published # 6,284

**ITRC does not consider a password adequate protectionOn October for breached 9, 2013, data. Superior HealthPlan (Superior) learned of an incident that resulted in a breach of Protected Health Information (PHI). A breach means that PHI was mistakenly shared with another person without the member’s approval.

The Health and Human Services Commission (HHSC) recently issued new ID numbers to all CHIP members. We sent a new Superior ID card with the new ID number to CHIP members. On October 4, 2013, some Superior CHIP ID cards were accidently sent to the wrong address. It may have been received by another person. This was caused by an error in our computer system. The member’s name and CHIP ID number were included on the ID card that was sent to the wrong address. It also included the name and phone number of the member’s doctor and effective date with Superior.

Attribution 1 Publication: phiprivacy.net / Superior HealthPlan web Author: Date Published: Article Title: Superior HealthPlan, Inc. Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-10 Mount Sinai Medical Center NY Paper Data Medical/Healthcare Yes - Published # 1,586

**ITRC does not consider a password adequate protectionMount Sinaifor breached Medical data.Center in New York reported two breaches that occurred in August of this year. The second breach, which occurred on August 6, involved the improper disposal of 1,586 patients’ paper records.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-09 Mount Sinai Medical Center NY Electronic Medical/Healthcare Yes - Published # 610

**ITRC does not consider a password adequate protectionMount Sinaifor breached Medical data.Center in New York reported two breaches that occurred in August of this year. The first, which occurred on August 1, seemed to have involved the loss of a portable electronic device with PHI on 610 patients.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-08 Hospital for Special Surgery NY Electronic Medical/Healthcare Yes - Published # 537

**ITRC does not consider a password adequate protectionThe Hospital for breached for Special data. Surgery in New York reported that 537 patients had PHI stolen on March 19, although it’s not clear from HHS’s log whether the data were stolen from a computer or if the computer itself was stolen. There was also reference to “paper” format. HHS update 3/14 = 937

Attribution 1 Publication: phiprivacy.net / MD AG's office Author: Date Published: Article Title: Hospital for Special Surgery Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-07 Office of Paul G. Klein, DPM SC Electronic Medical/Healthcare Yes - Published # 2,500

**ITRC does not consider a password adequate protectionPaul G. for Klein, breached DPM, data.of New Jersey reported 2,500 patients had PHI on a laptop that was stolen on October 1.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Office of Paul G. Klein, DPM Article URL: http://www.phiprivacy.net/and-yet-9-more-breaches-added-to-hhss-breach-tool/

**ITRC does not consider a password adequate protection Some forpatients breached of AnMed data. Health are worried their information is in the wrong hands. Hospital officials would not specify how many people received a letter which states someone accessed medical records without a legitimate reason.

Attribution 1 Publication: PHIprivacy.net / WSPA.com Author: Date Published: Article Title: Patients Worried About Compromised Records At AnMed Article URL: http://www.wspa.com/story/22458588/patients-worried-about-compromised-records-at-anmed

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-05 Eastside Medical Center GA Paper Data Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThousands for breached of pages data. of medical documents containing confidential information are back in the control of a local hospital after being dumped across a busy Gwinnett County road.

Attribution 1 Publication: phiprivacy.net / WSB-TV Author: Date Published: Article Title: Medical records scattered across Gwinnett County road Article URL: http://www.wsbtv.com/news/news/local/medical-records-scattered-across-gwinnett-county-r/nbj8z/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-04 Western Union CO Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn September for breached 5, 2013, data. The Western Union Company ("Western Union") identified security vulnerability on the Western Union prepaid website and gateway, allowing unauthorized users to bypass online card verification checks. Based on our investigation, we believe the unauthorized users funded a limited number of money transfers using legitimate customers' prepaid cards.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Western Union Article URL: http://doj.nh.gov/consumer/security-breaches/documents/western-union-20131029.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-03 Clarity Media Group CO Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPlease forbe breachedaware that data. Clarity Media Group, Inc. has suffered a security breach. A laptop was stolen from the car of a Clarity Media Group subsidiary's employee on October 12, 2013. Although the laptop was password protected and several files were encrypted, we have analyzed the laptop's backup files, and we have come to the conclusion that the laptop contained unencrypted files including personally identifiable information ("PH") regarding current or former employees of Clarity Media Group and its subsidiaries, or of Freedom Communications (the former owner of the Colorado Springs Gazette, which is now owned by Clarity Media Group).

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Benchmark Senior Living Article URL: http://doj.nh.gov/consumer/security-breaches/documents/benchmark-20131029.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-02 USI Insurance Services LLC GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionI am writing for breached to you on data. behalf of Company about a potential security incident. We recently discovered that certain unauthorized software was uploaded to our computer system.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: USI Insurance Services LLC Article URL: https://oag.ca.gov/system/files/Sample%201_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131119-01 Lincoln Credit Center / CA Electronic Banking/Credit/Financial Yes - Unknown # 0 National Debt Defense **ITRC does not consider a password adequate protectionAt Lincoln for breachedCredit Center data. we take your account security very seriously. We have learned that some personal information related to your account may have been compromised at a physical location.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: CA AG's office / VT AG's office Author: Date Published: Article Title: Lincoln Credit Center / National Debt Defense Article URL: https://oag.ca.gov/system/files/LCC%20-%20Client%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131112-06 Washington State University WA Electronic Educational Yes - Published # 310

**ITRC does not consider a password adequate protectionHundreds for breachedof employees, data. former employees and students of Washington State University are being notified that their personal information may have been compromised after two possibly unencrypted external hard drives were stolen from an on-campus office.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Two hard drives stolen from Washington State University office Article URL: http://www.scmagazine.com/two-hard-drives-stolen-from-washington-state-university-office/article/320133/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131112-05 North Country Hospital VT Electronic Medical/Healthcare Yes - Published # 550

**ITRC does not consider a password adequate protectionNorth Country for breached Hospital data. in Newport, Vt., has alerted patients to a data breach resulting from a former hospital employee having possession of a retired laptop containing patients' health information.

Attribution 1 Publication: Becker's Hospital Review Author: Helen Gregg Date Published: Article Title: Data Breach at North Country Hospital Due to PHI on "Retired" Laptop Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/data-breach-at-north-country-hospital-due-to

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131112-04 Department of Health FL Electronic Medical/Healthcare Yes - Published # 2,200

**ITRC does not consider a password adequate protectionThe Florida for breached Department data. of Health has notified 2,200 central Florida patients of a data breach after two former employees allegedly used their access to the department's database to steal patient information for a tax return scheme, according to a WFTV report. CHANGED FROM GOVERNMENT TO MEDICAL 2/2014

Attribution 1 Publication: Becker's Hospital Review Author: Helen Gregg Date Published: Article Title: Florida Department of Health Notifies 2,200 Patients of Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/florida-department-of-health-notifies-2-200-p

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131112-02 Baltimore County Police MD Electronic Government/Military Yes - Published # 6,600 Department **ITRC does not consider a password adequate protectionThe Baltimore for breached County data. Police Department says it has uncovered personal information of 6,600 county employees on computers seized from a contractor.

Attribution 1 Publication: Baltimore Business Journal Author: Ryan McDonald Date Published: Article Title: Baltimore County reports additional data breach of employees Article URL: http://www.bizjournals.com/baltimore/blog/cyberbizblog/2013/11/baltimore-county-reports-additional.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131112-01 TD Bank NJ Paper Data Banking/Credit/Financial Yes - Published # 17,000

**ITRC does not consider a password adequate protectionTD Bank for is breached notifying data.17,000 New Hampshire residents following a printing issue that compromised their September bank account statements.

Attribution 1 Publication: bankinfosecurity.com Author: Jeffrey Roman Date Published: Article Title: TD Bank Customer Statements Exposed Article URL: http://www.bankinfosecurity.com/td-bank-incident-leads-breach-roundup-a-6204?rf=2013-11-11-eb&elq=d286bd63d9da4

**ITRC does not consider a password adequate protectionPursuant for to breached New Hampshire data. law (N.H. REV. STAT. ANN.§ 359-C:20(I)(b)), I write to notify your office of a data security incident involving two NBC Sports laptops that were stolen from a locked vehicle in Northern California on the evening of August 24, 2013. NBC Sports is working with law enforcement authorities in connection with the investigation of this incident.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: NBC Sports Group Article URL: http://doj.nh.gov/consumer/security-breaches/documents/nbc-sports-group-20131014.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-07 University Hospital OH Electronic Medical/Healthcare Yes - Published # 7,100

**ITRC does not consider a password adequate protectionMore than for breached7,100 University data. Hospitals patients received notification by mail this week that their protected personal medical information was potentially exposed after a hard drive containing physician office data was stolen from a third-party vendor helping to upgrade the health system's computer systems .

Attribution 1 Publication: cleveland.com / phiprivacy.net Author: Brie Zeitner Date Published: Article Title: UH notifies 7,100 patients of stolen hard drive with personal medical information Article URL: http://www.cleveland.com/healthfit/index.ssf/2013/11/uh_notifies_7100_patients_of_l.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-06 Phoenix Medical Group NJ Electronic Medical/Healthcare Yes - Published # 0

**ITRC does not consider a password adequate protectionA Florida for man breached admitted data. last week to using his position in a New Jersey doctor’s office to steal personal identifying information as part of his role in running a stolen identity refund fraud scheme, U.S. Attorney Paul J. Fishman announced.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Phoenix Medical Group Article URL: http://www.phiprivacy.net/florida-man-pleads-guilty-to-stealing-new-jersey-patients-information-for-tax-refund-fraud-sc

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-05 Goodwill Industries of IN Electronic Business Yes - Published # 0 Central Indiana **ITRC does not consider a password adequate protectionGoodwill for Industries breached of data. Central Indiana has launched an internal investigation after 13 Investigates discovered the charity has been selling tax returns, medical records, social security numbers and other sensitive information mistakenly donated by its customers.

Attribution 1 Publication: WTHR.com Author: Date Published: Article Title: Goodwill caught selling donors' personal information Article URL: http://www.wthr.com/story/23875764/2013/11/04/goodwill-caught-selling-donors-personal-information

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-03 Total System Services, Inc. GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached on behalf data. of our client, Total System Services, Inc. ("TSYS"). On September I I, 2013, TSYS learned that an employee of Paragon Benefits, Inc., a third party claims administrator of the TSYS Employee Health Plan and the TSYS Retiree Health Plan, misappropriated a digital file from Paragon Benefits on September 5, 2013.

Attribution 1 Publication: NH AG's office / MD AG's office Author: Date Published: Article Title: Total System Services, Inc. Article URL: http://doj.nh.gov/consumer/security-breaches/documents/total-system-services-20130926.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-02 Executive Accounting NC Electronic Business Yes - Unknown # 0 Services **ITRC does not consider a password adequate protectionAs detailed for breached in the enclosed data. letter to potentially affected individuals, on September 17th, EAS received notices from several financial institutions regarding the compromise of certain accounts belonging to EAS's clients. At that time, EAS's information technology vendor oonfirmecno EAS that EAS's systems and servers had not been compromised. EAS later received additional information about suspicious activity on its network and continued its investigation into the incident.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Executive Accounting Services Article URL: doj.nh.gov_consumer_security-breaches_documents_executive-accounting-20131004.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131107-01 DaVita CA Electronic Medical/Healthcare Yes - Published # 11,500

**ITRC does not consider a password adequate protectionWe regret for breachedto inform youdata. that on September 6, 2013 a laptop was stolen from a teammate’s (employee’s) vehicle. Although DaVita maintains a company-wide program and policy requiring encryption of laptop computers, we discovered that the encryption technology on this particular device had been unintentionally deactivated.

Attribution 1 Publication: phiprivacy.net / DaVita website Author: Date Published: 11/7/2013 Article Title: DaVita®, a division of DaVita HealthCare Partners Inc Article URL: http://www.phiprivacy.net/category/breaches/us-breaches/

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: DaVita Article URL: https://oag.ca.gov/system/files/Samples%20Notices_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131105-02 Standard Insurance Company OR Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAs a employee, for breached you data.are receiving this letter due to a potential breach of personally identifiable information contained in a file provided to a vendor of Standard Insurance Company (“The Standard.”) The Standard is the life insurance provider and is committed to protecting your confidential information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Standard Insurance Company Article URL: https://oag.ca.gov/system/files/Sample.Breach%20Notification%20letter.11.1.13_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131105-01 Samaritan Health Services / OR Paper Data Medical/Healthcare Yes - Published # 1,122 Samaritan Family Medicine **ITRC does not consider a password adequate protectionFollowing for abreached July 2013 data. patient data breach at Samaritan Health Services of Corvallis, Ore., the Oregon Department of Consumer and Business Services announced that Samaritan will be fined $1,000.

Attribution 1 Publication: http://healthitsecurity.com Author: Date Published: Article Title: Samaritan Health Services fined for July data breach Article URL: http://healthitsecurity.com/2013/11/04/samaritan-health-services-fined-for-july-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131104-01 CorporateCarOnline MO Electronic Business Yes - Published # 850,000

**ITRC does not consider a password adequate protectionA hacker for break breached in at data.a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.

Attribution 1 Publication: KrebsonSecurity Author: Brian Krebs Date Published: Article Title: Hackers Take Limo Service Firm for a Ride Article URL: http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131101-01 Kroll Background America NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThree majorfor breached U.S. data data. brokerages -- companies that amass and sell sensitive data -- have been hit by a hacking group that specializes in selling stolen social security numbers.

Attribution 1 Publication: USA Today / CA AG's office Author: Byron Acohido Date Published: Article Title: LexisNexis, Dunn & Bradstreet, Kroll hacked Article URL: http://www.usatoday.com/story/cybertruth/2013/09/26/lexisnexis-dunn--bradstreet-altegrity-hacked/2878769/

Attribution 1 Publication: iHealth Beat Author: Date Published: Article Title: Children's Healthcare of Atlanta Article URL: http://www.ihealthbeat.org/articles/2013/10/30/several-health-data-breaches-reported-across-four-states

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131030-02 Institute of Allied Medical CT Electronic Medical/Healthcare Yes - Unknown # 0 Professions **ITRC does not consider a password adequate protectionA receptionist for breached who worked data. for six weeks at the Institute of Allied Medical Professions, a medical imaging school in Stamford, Conn., faces 17 charges of identity theft plus two other charges.

Attribution 1 Publication: Databreachtoday.com Author: Date Published: Article Title: Receptionist Charged in ID Theft Case Article URL: http://www.databreachtoday.com/hospital-records-breach-leads-roundup-a-6118?rf=2013-10-04-eb&elq=124035fa30e54f

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131030-01 Michigan State University MI Electronic Educational Yes - Unknown # 0 (MSU) **ITRC does not consider a password adequate protectionMichigan for State breached University data. (MSU) has announced that its EBS HR/Payroll systems were recently taken offline after two employees reported receiving e-mail confirmation of changes to their direct deposit designations on October 18, 2013 (h/t Softpedia).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Michigan State University Admits Security Breach Article URL: http://www.esecurityplanet.com/network-security/michigan-state-university-admits-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131029-06 Boone Hospital Center MO Electronic Medical/Healthcare Yes - Published # 125

**ITRC does not consider a password adequate protectionBoone forHospital breached Center data. in Columbia, Mo., has notified 125 patients whose information was compromised after a physician clinic employee inappropriately accessed and viewed their records, according to a KOMU report.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: Boone Hospital Center Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/data-breach-at-boone-hospital-center-affects

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131029-04 Gerdau - HealthFitness TN Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionLast week, for breached HealthFitness data. notified Gerdau that there was a possible data breach of the personal health information of some of its employees, spouses and dependents, according to a news release cited in a Jackson Sun news story.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Gerdau notifies employees of privacy breach after HealthFitness laptop stolen Article URL: http://www.phiprivacy.net/?s=gerdau&searchsubmit=

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131029-03 Allina Health MN Electronic Medical/Healthcare Yes - Published # 3,807

**ITRC does not consider a password adequate protectionA medical for breachedassistant atdata. Minneapolis-based health clinic Inver Grove Heights – a part of Allina Health System – was fired for the unauthorized viewing of nearly 4,000 patient records over the span of more than three years.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Allina Health Article URL: http://www.scmagazine.com//minneapolis-medical-assistant-fired-for-accessing-patient-data/article/318225/

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131029-02 Genesis Rehabilitation PA Electronic Medical/Healthcare Yes - Published # 1,167 Services **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you that on or about September 3, 2013, the Genesis Rehabilitation Services (GRS) staff providing services at Lebanon Center discovered that there may have been unauthorized access to certain of your personal information as an employee, agency employee or applicant of GRS. Specifically, as part of our investigation, we discovered that a GRS employee's USB drive that had been left in a secure office in the center was missing.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Genesis Rehabilitation Services breach also affected patients Article URL: http://www.phiprivacy.net/genesis-rehabilitation-services-breach-also-affected-patients/

Attribution 2 Publication: VT AG's office Author: Date Published: Article Title: Genesis Rehabilitation Services Article URL: http://www.atg.state.vt.us/assets/files/Genesis%20Rehab%20Srvc%20ltrt%20Consumer%20re%20Security%20Breach.p

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131029-01 Dun & Bradstreet GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of an incident that may have involved your personal information. Dun & Bradstreet (D&B), a provider of business information, recently learned that it was one of several victims of a criminal cyberattack.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Dun & Bradstreet Article URL: https://oag.ca.gov/system/files/California%20Individual%20Notification_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131025-03 Yusen Logistics GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionYusen Logisticsfor breached (Americas) data. Inc. (“YLA”) is committed to safeguarding the privacy and security of information regarding our current and former employees. Regrettably, we are writing to inform you about an incident involving some of that information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Yusen Logistics Article URL: https://oag.ca.gov/system/files/YLA%20Generic%20Notification_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131025-02 International SOS PA Electronic Business Yes - Published # 164,000 Assistance, Inc. **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a recent data breach incident affecting a small number of International SOS members.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: International SOS Assistance, Inc. Article URL: https://oag.ca.gov/system/files/Letter%20and%20ReferenceGuide_0.pdf?

Attribution 2 Publication: MD AG's office Author: Date Published: Article Title: International SOS Assistance, Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-234661%20(1).pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131025-01 Gordon Supply Company PA Paper Data Business Yes - Published # 400

**ITRC does not consider a password adequate protectionA woman for foundbreached two data.bags of personnel records in her backyard in mid-August. The woman called the cops after discovering the sensitive information. Social Security numbers, driver's license photos, addresses, phone numbers, medical information, dates of birth, emergency contacts, payroll history, and tax documents were exposed. The breach occurred after the building was abandoned and the files were not checked before being discarded. An estimated 400 people were affected.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Privacy Rights Clearinghouse Author: Date Published: Article Title: Gordon Supply Company Article URL: https://www.privacyrights.org/content/gordon-supply-company

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131024-06 Memorial Hospital of WI Paper Data Medical/Healthcare Yes - Published # 4,330 Lafayette County **ITRC does not consider a password adequate protectionA system for settingsbreached error data. caused financial statements to be mailed to roughly 8,000 people who received care from Wisconsin-based Memorial Hospital of Lafayette County, but an undisclosed number were sent to unauthorized persons.

Attribution 1 Publication: SC Magazine / hhs.gov Author: Adam Greenberg Date Published: Article Title: Wisconsin hospital bills erroneously mailed to unauthorized persons Article URL: http://www.scmagazine.com/wisconsin-hospital-bills-erroneously-mailed-to-unauthorized-persons/article/316514/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131024-05 Hudson Valley Community NY Electronic Educational Yes - Unknown # 0 College **ITRC does not consider a password adequate protectionHudson for Valley breached Community data. College is committed to protecting your personal information. As the Next Step Program's regional administrator, we are writing to inform you about an incident involving some of that information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Hudson Valley Community College Article URL: http://www.atg.state.vt.us/assets/files/HVCC%20ltrt%20Consumer%20re%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131024-04 Radiant Systems TX Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionRadiant for Systems, breached Inc. data. provides point of sale and back office technology to The Fisherman’s Restaurant. We regret to inform you of an incident Radiant recently discovered that has put some of your personal information potentially at risk. We are writing to provide you with information about the incident and advise you of steps you may wish to take.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Radiant Systems Article URL: https://oag.ca.gov/system/files/Radiant%20Final_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131024-03 Denver Public School District CO Electronic Educational Yes - Published # 100

**ITRC does not consider a password adequate protectionCBS Denver for breached reports data.that 100 Denver Public School students' personal information may have been exposed when a briefcase containing a thumb drive was stolen from a school nurse's car in Morrison, Colo., on October 5, 2013 (h/t PHIprivacy.net).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Security Breach Exposes 100 Elementary School Students' Medical Data Article URL: http://www.esecurityplanet.com/network-security/security-breach-exposes-100-elementary-school-students-medical-dat

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131024-02 Seton Healthcare Family TX Electronic Medical/Healthcare Yes - Published # 5,500

**ITRC does not consider a password adequate protectionOn Tuesday, for breached officials data. at Seton Healthcare Family reported that a hospital laptop containing the personal health information of about 5,500 patients was stolen between Oct. 3 and Oct. 4, the Austin American-Statesman reports.

Attribution 1 Publication: ihealthbeat.org Author: Date Published: Article Title: Seton Healthcare Family Article URL: http://www.ihealthbeat.org/articles/2013/10/23/health-facilities-in-california-texas-report-health-data-breaches

**ITRC does not consider a password adequate protectionAHMC forHealthcare breached Inc. data. said today that protected health information for approximately 729,000 patients has been compromised following the theft of two laptops from a secure office. The laptops contained data from patients treated at the following AHMC hospitals: Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center.

Attribution 1 Publication: Becker's Hospital Review / AHMC State Author: Helen Gregg Date Published: Article Title: Data Breach at AHMC Healthcare Affects More Than 700k Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/data-breach-at-ahmc-healthcare-affects-mor

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131022-01 Ouidad NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionHair products for breached company data. Ouidad recently began notifying an undisclosed number of customers that their personal information may have been accessed by hackers between June 30 and July 4, 2013.

Attribution 1 Publication: eSecurity Planet / CA AG's office Author: Jeff Goldman Date Published: Article Title: Ouidad Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/ouidad-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131021-02 Broward Health Medical FL Paper Data Medical/Healthcare Yes - Published # 960 Center **ITRC does not consider a password adequate protectionA former for Broward breached Health data. Medical Center employee took documents containing the personal information of nearly 1,000 patients in a data breach uncovered by local and federal officials, the Fort Lauderdale health system announced Friday.

Attribution 1 Publication: SunSentinel Author: Maria Mallory White Date Published: Article Title: Ex-employee breached Broward Health data Article URL: http://www.sun-sentinel.com/news/palm-beach/fl-broward-health-data-breach-20131018,0,7325048.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131021-01 Hospice of the Chesapeake MD Electronic Medical/Healthcare Yes - Published # 7,606

**ITRC does not consider a password adequate protectionHospice for of breached the Chesapeake data. reported that 7,035 patients were affected by an employee e-mailing spreadsheets with their information to a home account that may have been hacked. The hospice’s statement at the time mentioned 500 patients.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: 10/31/2013 Article Title: Hospice of the Chesapeake Article URL: http://www.phiprivacy.net/?s=tsys&searchsubmit=

Attribution 2 Publication: Baltimore Sun Author: Carrie Wells Date Published: Article Title: Hundreds of hospice patient records potentially breached Article URL: http://www.baltimoresun.com/news/maryland/anne-arundel/pasadena/bs-md-ar-hospice-security-breach-20131020,0,50

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131018-02 University of Arizona AZ Electronic Educational Yes - Published # 9,080

**ITRC does not consider a password adequate protectionThe personal for breached data of data. former University of Arizona law students and applicants may have been compromised during a July incident. An "unauthorized intruder" may have accessed old class rosters and applicant lists stored on the same server as the College of Law's public website.

Attribution 1 Publication: Tucson Sentinel.com Author: Dylan Smith Date Published: Article Title: UA Law server breach exposes Social Security numbers, passwords Article URL: http://www.tucsonsentinel.com/local/report/101713_ua_server/ua-law-server-breach-exposes-social-security-numbers-

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Sacramento State server hack affects nearly 2,000 employees Article URL: http://www.scmagazine.com/sacramento-state-server-hack-affects-nearly-2000-employees/article/316690/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131015-01 NHC HealthCare of Oak Ridge TN Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionNHC HealthCare for breached of Oakdata. Ridge, Tenn. announced a possible patient data breach after an unencrypted backup tape was lost. Though the number of patients is unknown, potentially compromised information included patient names, Social Security numbers, birth dates, home addresses and medical information. UPDATE 3/14 = 4,268 records

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: NHC HealthCare Oak Ridge loses unencrypted backup tape Article URL: http://healthitsecurity.com/2013/09/19/nhc-healthcare-oak-ridge-loses-unencrypted-backup-tape/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131014-03 Kearny Mesa Infiniti CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe security for breached and privacy data. of your personal information is highly important to us. This letter is to inform you of a potential unauthorized access and disclosure of your personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Kearny Mesa Infiniti Article URL: https://oag.ca.gov/ecrime/databreach/reports/sb24-42932

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131014-02 Sentara Healthcare VA Electronic Medical/Healthcare Yes - Published # 3,645

**ITRC does not consider a password adequate protectionTwo former for breached Sentara data.Healthcare nurse's aides improperly accessed the personal information of about 3,700 patients as part of an elaborate identity theft scheme that netted more than $116,000, according to hospital officials.

Attribution 1 Publication: PilotOnline.com / Phiprivacy.net Author: Date Published: Article Title: Two nurse's aides plead guilty to identity theft Article URL: http://hamptonroads.com/2013/10/sentara-employees-took-info-3700-beach-patients

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131014-01 Legal Aid Society CA Electronic Business Yes - Published # 3,200

**ITRC does not consider a password adequate protectionWe are for writing breached to you data. because of a recent security incident at the Legal Aid Society of San Mateo County involving our personal information.

Attribution 1 Publication: Daily Journal Author: Michelle Durand Date Published: Article Title: Stolen laptops breaches Legal Aid client info Article URL: http://www.smdailyjournal.com/articles/lnews/2013-10-17/stolen-laptops-may-have-compromised-legal-aid-client-info/1

Attribution 2 Publication: CA AG's Office Author: Date Published: Article Title: Article URL: https://oag.ca.gov/system/files/breach_notification_100813_1.pdf?

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131011-06 Department of Social CA Electronic Government/Military Yes - Published # 144,493 Services **ITRC does not consider a password adequate protectionHackers for said breached to be located data. overseas may have compromised the personal data of tens of thousands of California residents in a computer attack that dates back to March.

Among the sensitive information that may have been accessed are the names, addresses, dates of birth and Social Security numbers of 144,493 Monterey County residents.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Attackers in Asia compromise data for nearly 150k in California Article URL: http://www.scmagazine.com/attackers-in-asia-compromise-data-for-nearly-150k-in-california/article/315977/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131011-05 City of Wichita KS Electronic Government/Military Yes - Published # 29,000

**ITRC does not consider a password adequate protectionWe learned for breached last night data. that 29,000 city vendors and employees may be at risk for identity theft. The city is recommending those who are at risk to call one of the three major credit reporting companies and set up free fraud alert services.

Attribution 1 Publication: KWCH 12 Author: Brian Heap Date Published: Article Title: FactFinder 12: Preventing identity theft Article URL: http://www.kwch.com/news/factfinder12/news-adk-kwch-ff12-preventing-identity-theft-20131008,0,2927026.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131011-04 Milwaukee Public Schools WI Paper Data Educational Yes - Published # 6,000

**ITRC does not consider a password adequate protectionThe social for breachedsecurity numbers data. of thousands of MPS retirees were put in plain view on a letter recently sent out. The letter was sent by a third party vendor regarding prescription drug coverage for MPS Medicare D recipients.

Attribution 1 Publication: WDJT-TV Author: John Cuoco Date Published: Article Title: MPS retirees have social security numbers exposed Article URL: http://www.cbs58.com/news/local-news/MPS-retirees-have-social-security-numbers-exposed--226548351.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131011-03 Scottsdale Dermatology AZ Electronic Medical/Healthcare Yes - Published # 1,456 Clinic **ITRC does not consider a password adequate protectionWinfred for Aurelious breached Dick, data. Jr., department and Brittany Davidson, both of Phoenix, have been arrested by Maricopa County Sheriff’s detectives on charges related to identity theft. Both are suspected of stealing the credit card information of multiple victims which they gained access to at their place of employment.

Attribution 1 Publication: Sonoran News Author: Date Published: Article Title: Healthcare credit card scheme results in arrests Article URL: http://www.sonorannews.com/archives/2013/131009/news-healthcare.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131011-02 HOPE Family Health TN Electronic Medical/Healthcare Yes - Published # 6,932

**ITRC does not consider a password adequate protectionHOPE isfor committed breached data.to maintaining and securing every aspect of your privacy. We treasure our relationship with each and every patient. This is why we need to inform you of a recent event that may affect you or someone you may know. On Sunday, August 4, 2013 at 9:00 p.m., HOPE Family Health discovered the theft of a laptop computer owned by the organization and issued to one of our management employees working in the finance department.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: HOPE Family Health Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/laptop-stolen-from-hope-family-health-comp

**ITRC does not consider a password adequate protectionDatapak for Services breached Corporation data. ("Datapak") is an order fulfillment and payment processor for several e-commerce websites. We are contacting you because we recently learned of a data security incident that may have involved some of your personal information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Datapak Services Corporation Article URL: http://www.atg.state.vt.us/assets/files/2013%2010%2002%20Datapak%20ltrt%20Consumer%20re%20Security%20Breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131009-03 Clinical Reference KS Paper Data Medical/Healthcare Yes - Unknown # 0 Laboratory - Massachusetts **ITRC does not consider a password adequate protectionSometimes for breached bad news data. still arrives the old-fashioned way—from the postman. Even a routine task like mailing a stack of bills can trigger a data breach. Now a nationwide medical lab and a US insurance company are notifying customers that their data was exposed when a mailing envelope was damaged in processing.

Attribution 1 Publication: CA AG's office - idradar.com Author: Date Published: Article Title: Massachusetts Mutual Life Insurance- Clinical Reference Laboratory Article URL: https://oag.ca.gov/system/files/ca%20ag%20crl%20client%20ssn_001_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131009-02 Suddenly Single Parents GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionA Dekalb for Countybreached charity data. said hundreds of people’s identities could be at risk after confidential information was taken from their office.

Attribution 1 Publication: WSB-TV Author: Date Published: Article Title: Hundreds at risk for ID theft after info was taken from charity Article URL: http://www.wsbtv.com/news/news/local/hundreds-risk-identify-theft-after-charity-hit-thi/nbJhG/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131009-01 Colonial Properties Trust AL Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAlabama's for breached Colonial Propertiesdata. Trust, which recently merged with Mid-America Apartment Communities Inc., has begun notifying an undisclosed number of customers that their names and Social Security numbers may have been accessed when Colonial's network was infected with malware.

Attribution 1 Publication: eSecurity Planet / MD AG's office Author: Jeff Goldman Date Published: Article Title: Colonial Properties Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/colonial-properties-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131008-05 PayJunction GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPayJunction for breached recently data. became aware of unauthorized access to a data backup of an internal business system affecting our sales agents. The internal business system did not contain cardholder data and is separate from our payment processing system for merchants.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: PayJunction Article URL: http://www.atg.state.vt.us/assets/files/Pay%20Junction%20%20ltrt%20Consumer%20re%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131008-04 University of California San CA Electronic Medical/Healthcare Yes - Published # 3,553 Francisco **ITRC does not consider a password adequate protectionAn unencrypted for breached laptop data. containing the medical and personal data of more than 3,500 UC San Francisco patients was stolen from an employee’s car in September. The theft, which could cost the university hundreds of thousands of dollars in fines, is just the latest in a series of IT security breaches in recent years that has cost the institution millions and prompted an effort to stanch such incidents. CHANGED FROM EDUCATIONAL TO MEDICAL PER HHS 2/2014

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: San Francisco Examiner Author: Jonah Owen Lamb Date Published: Article Title: Computer containing patient data stolen from UCSF employee’s car Article URL: http://www.sfexaminer.com/sanfrancisco/computer-containing-patient-data-stolen-from-ucsf-employees-car/Content?oi

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131008-03 Saint Louis University (SLU) MO Electronic Educational Yes - Published # 3,100

**ITRC does not consider a password adequate protectionMissouri's for breachedSaint Louis data. University (SLU) recently began notifying approximately 3,000 people that their protected health information may have been exposed by a phishing scam.

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Saint Louis University Admits Data Breach Article URL: http://www.esecurityplanet.com/network-security/saint-louis-university-admits-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131008-02 CaroMont Health NC Electronic Medical/Healthcare Yes - Published # 1,310

**ITRC does not consider a password adequate protectionCaroMont for breachedHealth is notifyingdata. 1,310 patients their personal-health information may have been compromised. The Gastonia health-care system said in a statement that a staff member from CaroMont Medical Group, the Gastonia health-care system’s physician arm, transmitted patient data via an unsecure email.

Attribution 1 Publication: Charlotte Business Journal Author: Jennifer Thomas Date Published: Article Title: CaroMont notifies 1,310 patients of potential data breach Article URL: http://www.bizjournals.com/charlotte/news/2013/10/07/caromont-notifies-1310-patients-of.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131008-01 Rothman Institute PA Paper Data Medical/Healthcare Yes - Published # 2,350

**ITRC does not consider a password adequate protectionThe Rothman for breached Institute data. has released a letter regarding an internal breach of patient data that may have affected the privacy of some patients.

Attribution 1 Publication: Press of Atlantic City / phiprivacy.net Author: Anjalee Khemlani Date Published: Article Title: Rothman Institute Article URL: Orthopedic institute offers free credit monitoring to

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131007-02 St. Mary's Janesville Hospital WI Electronic Medical/Healthcare Yes - Published # 629

**ITRC does not consider a password adequate protectionOn August for breached 27, a laptop data. was stolen from an employee’s car, the hospital announced in a recent statement. Information that could be compromised included name, date of birth, complaint, diagnosis, procedures, test results, medications, vaccines, medical record and account numbers, provider and department of service, bed and room number, date and time of service, and visit history.

Attribution 1 Publication: Health Data Management Author: Date Published: Article Title: Stolen Laptop Results in Hospital Offering ID Protection Article URL: http://www.healthdatamanagement.com/news/breach-stolen-laptop-results-in-identity-protection-46720-1.html?ET=heal

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131007-01 Adobe CA Electronic Business Yes - Published # 2,900,000

**ITRC does not consider a password adequate protectionAdobe forbegan breached warning data. 2.9 million customers Thursday that their Adobe user ID, as well as passwords and credit card numbers -- stored in encrypted format -- were stolen in a series of "sophisticated attacks" that appear to date from August 2013, if not earlier.

Attribution 1 Publication: KrebsonSecurity Author: Brian Krebs Date Published: Article Title: Adobe Breach Impacted At Least 38 Million Users Article URL: http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/

Attribution 2 Publication: Information Week Author: Mathew J. Schwartz Date Published: Article Title: Adobe Customer Security Compromised: 7 Facts Article URL: http://www.computerworld.com/s/article/9243010/Adobe_hack_shows_subscription_software_vendors_lucrative_target

**ITRC does not consider a password adequate protectionLaw enforcement for breached personnel data. are investigating a data breach of West Des Moines-based UnityPoint Health's electronic medical records (EMR) system.

Personal information of approximately 1,800 hospital patients from across UnityPoint Health's operating regions may be at risk from the security breach in the system, which was discovered Aug. 8 during the course of regular audit, the health system said in a press release.

Attribution 1 Publication: Business Record Author: Date Published: Article Title: UnityPoint Health reports health data breach Article URL: http://www.businessrecord.com/Content/Health---Wellness/Health---Wellness/Article/UnityPoint-Health-reports-health-d

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-08 DR Horton TN Paper Data Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAfter thousands for breached of private data. financial documents were discovered sitting in a wide open community recycling dumpster on Thursday, their owner, homebuilder D.R. Horton made good on a promise to retrieve them.

Attribution 1 Publication: KXAN.com / databreaches.net Author: Date Published: Article Title: DR Horton Article URL: http://www.kxan.com/news/local/austin/piles-of-private-documents-found-dumped-in-public-bins

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-07 R. T. Jones Capital Equities MO Electronic Banking/Credit/Financial Yes - Published # 809 Management, Inc. **ITRC does not consider a password adequate protectionWe represent for breached R.T. Jones data. Capital Equities Management, Inc. (R.T. Jones) and are writing to notify you of a data event that compromised the security of personal information of eight hundred nine (809) Maryland residents.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: R. T. Jones Capital Equities Management, Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-232161.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-06 Virginia Polytechnic Institute VA Electronic Educational Yes - Published # 144,963 and State University **ITRC does not consider a password adequate protectionA computer for breached server within data. the Department of Human Resources at Virginia Polytechnic Institute and State University, popularly known as Virginia Tech, was breached as a result of human error.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Human error leads to Virginia Tech computer server breach Article URL: http://www.scmagazine.com/human-error-leads-to-virginia-tech-computer-server-breach/article/313797/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-05 Office of Dr. Carol L. Patrick, OH Electronic Medical/Healthcare Yes - Published # 517 Ph.D. **ITRC does not consider a password adequate protectionThe office for breachedof clinical data.psychologist Dr. Carol L. Patrick is alerting clients of the possibility of identity theft as a result of an Aug. 8 robbery. All working computers in the office were stolen, with the possible intention of gaining personal information of clients.

Attribution 1 Publication: limaohio.com / phiprivacy.net Author: Date Published: Article Title: Psychologist office robbery leads to risk of identity theft Article URL: http://www.limaohio.com/news/local_news/article_d3c6f68a-26fb-11e3-b186-001a4bcf6878.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-04 Atlanta Center for GA Electronic Medical/Healthcare Yes - Published # 654 Reproductive Medicine **ITRC does not consider a password adequate protectionbreach forinvolving breached email data.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Atlanta Center for Reproductive Medicine Article URL: http://www.phiprivacy.net/updates-to-hhss-breach-tool-2/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-03 Baltimore Gas and Electric MD Electronic Business Yes - Published # 80 (BGE) **ITRC does not consider a password adequate protectionBaltimore for Gasbreached and Electric data. Company (BGE) values your business and respects the privacy of your information. We want to inform you that on September 9, 2013, the car of a BGE employee was vandalized, and a brief case was stolen that contained hardcopy customer file information that included your name, address, and possibly, your social security number, driver’s license number, and date of birth. The BGE employee promptly reported the theft to the police and completed a police report.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Baltimore Gas and Electric (BGE) Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-232170.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-02 Petrochem Insulation, Inc. CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a potential information security incident involving your personal information discovered by Petrochem Insulation, Inc. (“Petrochem”). While Petrochem does not know whether your personal information has been or will be misused, as a precaution we are writing to tell you about the incident and call your attention to some steps you may take to help protect yourself. We sincerely apologize for any inconvenience or concern this may cause you.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Petrochem Insulation, Inc. Article URL: https://oag.ca.gov/system/files/Petrochem%20Invdividual%20Notice%20Letter-SAMPLE_0.pdf?

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: Petrochem Insulation, Inc. Article URL: https://oag.ca.gov/system/files/Petrochem%20Invdividual%20Notice%20Letter-SAMPLE_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20131001-01 Santa Clara Valley Medical CA Electronic Medical/Healthcare Yes - Published # 579 Center **ITRC does not consider a password adequate protectionWe want for to breached inform you data. that your medical information was accidentally disclosed. On September 16, 2013, staff discovered that a laptop had been stolen from the Audiology Department over the weekend. The laptop was used for hearing screenings and was not encrypted. Your information was believed to have been on the laptop that was taken.

Attribution 1 Publication: CA AG's Office / phiprivacy.net / hhs.go Author: Date Published: Article Title: Santa Clara Valley Medical Center Article URL: https://oag.ca.gov/system/files/541-116-13%20Letter%20to%20Patient_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-06 Department of Public Health AL Electronic Government/Military Yes - Published # 1,200

**ITRC does not consider a password adequate protectionA clerical for workerbreached at the data. Alabama Department of Public Health (ADPH) emailed patients’ private identity information, which was stored in a protected state database, to an accomplice who used the information to file “over 1,000 false tax returns that claimed over $1.7 million in fraudulent tax refunds,” according to a statement released Monday by the Department of Justice. The case was investigated by special agents of the Internal Revenue Service’s Criminal Investigation unit.

Attribution 1 Publication: cnsnews.com Author: Date Published: Article Title: AL Public Health Clerk Stole 1,000 Patient Identities For $1.7M Tax Refund Scam Article URL: http://www.cnsnews.com/news/article/alissa-tabirian/al-public-health-clerk-stole-1000-patient-identities-17m-tax-refund

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-05 Aptean GA 9/18/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAt Aptean, for breached we take security data. of your financial information very seriously. We are writing to inform you of an unauthorized exposure to cardholder data that occurred on Aptean servers that may have resulted in access to your customer's credit card information.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Aptean Article URL: www.oag.state.md.us_idtheft_Breach Notices_itu-231928.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-04 Ektron NJ 6/15/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPursuant for to breached N.H. Rev. data. Stat.§ 359-C.19-21, I am writing on behalf of Ektron, Inc. ("Ektron") to notify you of a breach of personal information involving sixteen New Hampshire residents. NATURE OF THE SECURITY BREACH The breach involved a third party gaining access to a file , which contained personal data for 22 current and past employees, including the passports, employment authorization cards, social security cards and/or immigration Visas for sixteen New Hampshire residents. Circumstances suggest that the access was not specifically targeted at information about individuals

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Ektron Article URL: doj.nh.gov_consumer_security-breaches_documents_ektron-20130903.pd

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-03 Defense Contracts South TX Electronic Banking/Credit/Financial Yes - Unknown # 0 Federal Credit Union **ITRC does not consider a password adequate protectionThis letter for breachedis to inform data. you that your personal information may have been accessed without proper authorization. This unauthorized access took place sometime between August 26, 2013 l!llld August 27, 2013.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Defense Contracts South Federal Credit Union Article URL: http://doj.nh.gov/consumer/security-breaches/documents/defense-contracts-fcu-20130916.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-02 ICG America TX 8/5/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionICG America, for breached which data.operates a family of companies that includes Amazing Clubs, Flying Noodle, MonsterBrew, and California Reds, is committed to protecting your personal information. Regrettably, we are writing to inform you of an incident involving some of that information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: ICG America Article URL: https://oag.ca.gov/ecrime/databreach/reports/sb24-42754

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130926-01 Unique Vintage CA 9/14/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to you data. because of an incident at Unique Vintage. On September 14, 2013 we discovered a data security incident that involved some of your personal information. Unique Vintage is Payment Card Industry Security Standards Council (“PCI”) compliant and implements the latest measures reasonably possible to protect its customers’ sensitive information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Unique Vintage Article URL: https://oag.ca.gov/system/files/Customer%20Notification%20Letter%20%2892312rv%292_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130925-03 National HealthCare TN Electronic Medical/Healthcare Yes - Unknown # 0 Corporation (NHC) **ITRC does not consider a password adequate protectionOfficials for at breached NHC Oak data. Ridge, 300 Laboratory Road, Oak Ridge, have reported a possible breach of patient information due to a missing backup tape that was not encrypted. The information on this tape included patient names, social security numbers, birth dates, home addresses and medical information.

Attribution 1 Publication: NHC website Author: Date Published: Article Title: NHC Oak Ridge Reports Possible Breach of Information Article URL: http://www.nhcoakridge.com/NHCHealthCare%2COakRidge/oakridge.pdf

**ITRC does not consider a password adequate protectionNearly for10,000 breached former data. patients of Holy Cross Hospital have received letters in the mail notifying them that their personal information may have been accessed by a former employee.

Attribution 1 Publication: CBS Miami Author: Date Published: Article Title: Holy Cross Hospital Informs Former Patients Of Data Breach Article URL: http://miami.cbslocal.com/2013/09/24/holy-cross-hospitals-inform-former-patients-of-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130925-01 Virginia Tech VA Electronic Educational Yes - Published # 145,000

**ITRC does not consider a password adequate protectionA Virginia for Techbreached official data. Tuesday blamed human error for a data breach that may have exposed sensitive data on about 145,000 people who applied online for jobs at the school over the past 10 years.

Attribution 1 Publication: computerworld. Author: Jaikumar Vijayan Date Published: Article Title: Virginia Tech breach exposes data on 145K job applicants Article URL: http://www.computerworld.com/s/article/9242633/Virginia_Tech_breach_exposes_data_on_145K_job_applicants

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-06 Windhaven Investment MA Electronic Banking/Credit/Financial Yes - Published # 44,000 Management **ITRC does not consider a password adequate protectionAn undisclosed for breached number data. of accounts with Boston-based Windhaven Investment Management may have been compromised after an intruder accessed a web server maintained by a third-party.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Web server intrusion puts advisory clients at risk Article URL: http://www.scmagazine.com/web-server-intrusion-puts-advisory-clients-at-risk/article/312705/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-05 Public Storage CA Electronic Business Yes - Published # 745

**ITRC does not consider a password adequate protectionPursuant for to breached Md. Code data. Atm. Comm. Law§ 14-3504(h), Public Storage ("PS") hereby provides notice to the Maryland Office of the Attorney General of a resolved security breach involving twenty five (25) of PS's customers that live in the State of Maryland.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Public Storage Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-231917.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-04 Altius Education Inc. CA Electronic Educational Yes - Published # 198

**ITRC does not consider a password adequate protectionI write tofor inform breached you ofdata. a security breach at Altius University, LLC (originally Ivy Bridge College, LLC) (of which Altius Education, Inc. is the majority member) which involved the personal information of 198 persons, two (2) of whom are residents of Maryland.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Altius Education Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-231916.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-03 State Farm IL Electronic Business Yes - Published # 687

**ITRC does not consider a password adequate protectionAs the Privacyfor breached Official data. of State Farm, I am providing you this notice of our intended communication to one of your state residents pursuant to Md. Code Ann., Com. Law §14-3504. Out of an abundance of caution we are also notifying 35 additional residents from the state of Maryland. Letters are being mailed within the week.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: State Farm Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-231521.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-02 Department of Social MO Paper Data Medical/Healthcare Yes - Published # 26,818 Services / HealthNet **ITRC does not consider a password adequate protectionMO HealthNet for breached is in the data. process of notifying 1,357 individuals that some of their personal information was mailed to an incorrect address by one of its contractors, Infocrossing, Inc. The disclosure was caused by a software programming error. UPDATED 2/2014 PER TWO LISTINGS ON HHS

Attribution 1 Publication: PHIprivacy.net / KRCG 13 / hhs.gov Author: Date Published: Article Title: MO HealthNet notifies consumers of HIPAA disclosure Article URL: http://www.connectmidmissouri.com/news/story.aspx?id=930103 - .UkHDSoakoqg

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130924-01 21st Century Oncology MD Electronic Medical/Healthcare Yes - Unknown # 0 Services **ITRC does not consider a password adequate protection21st Century for breached Oncology data. Services, an affiliate of Peninsula Cancer Care Center and 21st Century Oncology of Maryland, notified the Maryland Attorney General in July that they had been informed by federal law enforcement of an insider breach allegedly linked to a tax refund fraud scheme.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: 21st Century Oncology employee stole patient information for tax refund fraud scheme – feds Article URL: http://www.phiprivacy.net/21st-century-oncology-employee-stole-patient-information-for-tax-refund-fraud-scheme-feds/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-08 Kaiser Permanente / CA Electronic Medical/Healthcare Yes - Published # 670 Foundation Health Plan, Inc. **ITRC does not consider a password adequate protectionI am writing for breached to let you data. know of an incident involving the transmission of confidential member information, including yours. We take privacy very seriously and sincerely apologize that this occurred.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Kaiser Permanente / Foundation Health Plan, Inc. Article URL: https://oag.ca.gov/system/files/Member%20Notification%20Letter%20Sample%20FINAL%202013_07496_9.10.2013_0.pd

Attribution 2 Publication: Author: Date Published: Article Title: Kaiser Permanente sends out breach letters after email gaffe Article URL: http://www.healthcareitnews.com/news/kaiser-permanente-sends-out-breach-letters-after-email-gaffe

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-07 Logan Community IN Electronic Medical/Healthcare Yes - Published # 2,900 Resources, Inc. **ITRC does not consider a password adequate protectionLogan Communityfor breached Resources, data. Inc. in Indiana reported that 2,900 were affected by a “Hacking/IT Incident” that occurred on August 24, 2012.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Logan Community Resources, Inc. Article URL: http://www.phiprivacy.net/?s=ADPI&searchsubmit=

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-06 Minne-Tohe Health ND Electronic Medical/Healthcare Yes - Published # 10,000 Center/Elbowoods Memorial **ITRC does not consider a password adequate protectionMinne-Tohe for breached Health Center/Elbowoodsdata. Memorial Health Center in North Dakota reported a breach affecting 10,000. The breach reportedly occurred October 1, 2011, and involved “Improper Disposal, Unauthorized, Access/Disclosure”,”Desktop Computer, Other.”

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Minne-Tohe Health Center/Elbowoods Memorial Health Center Article URL: http://www.phiprivacy.net/?s=ADPI&searchsubmit=

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Summit Community Care Clinic Article URL: http://www.phiprivacy.net/?s=ADPI&searchsubmit=

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-04 BEL USA LLC FL Electronic Business Yes - Published # 2,007

**ITRC does not consider a password adequate protectionWe wanted for breached to notify data.you of a security incident involving the [[insert name of website here]] website, which is operated by BEL USA LLC. We have reason to believe that because you placed an order with us on this website or by phone between March 1, 2013 and July IS, 2013 that your personal information may have been obtained by unauthorized third parties.

Attribution 1 Publication: VT AG's office / CA AG's office / MD AG Author: Date Published: Article Title: BEL USA LLC Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/bel-usa-se

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-03 MFS Service Center MA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a recent incident involving your personal information. On September 3, 2013, an MFS Service Center, Inc. employee inadvertently e-mailed a file containing shareholder data to a group of financial professionals at other financial companies.

Attribution 1 Publication: VT AG's office / NH AG's office Author: Date Published: Article Title: MFS Service Center Article URL: http://www.atg.state.vt.us/assets/files/MFS%20Service%20Center%20Security%20Breach%20Letter%20to%20Consumer

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-02 PLS Financial Services, Inc. IL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPLS Financial for breached Services, data. Inc. is committed to protecting your personal information. Regrettably, we are writing to inform you of an incident involving some of that information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: PLS Financial Services, Inc. Article URL: https://oag.ca.gov/system/files/Master%20Notification_0.pdf?

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: PLS Financial Services, Inc. Article URL: https://oag.ca.gov/system/files/Master%20Notification_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130918-01 Cash Central of California CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe value for ourbreached relationship data. with you and we respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may involve your personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Cash Central of California Article URL: https://oag.ca.gov/system/files/Master%20Notification_0.pdf?

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130917-01 Buckeye Title Loans of OH Electronic Banking/Credit/Financial Yes - Unknown # 0 California LLC **ITRC does not consider a password adequate protectionWe value for ourbreached relationship data. with you and we respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may involve your personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Buckeye Title Loans of California LLC Article URL: https://oag.ca.gov/system/files/Notice%20of%20Breach%20to%20BTLCA%20customers_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130913-02 ICS Collection Service, Inc. / IL Electronic Medical/Healthcare Yes - Published # 1,290 University of Chicago **ITRC does not consider a password adequate protectionICS Collection for breached Service, data. Inc. ("ICS") is a debt collection agency specializing in recovering aged debt from individuals ("debtors") on behalf of healthcare and commercial entities ("clients" or "creditors"), including University of Chicago Physicians Group ("UCPG"). ICS had previously contracted with UCPG for collection and address verification services. While the contract had been terminated before the potential breach occurred, ICS had retained data on 1,344 patient claims that were active at the time the contract was terminated.

Attribution 1 Publication: ICS Collection Service, Inc. Author: Date Published: Article Title: ICS Collection Service, Inc. Issues Press Release Regarding Notice of Data Event Article URL: http://www.prnewswire.com/news-releases/ics-collection-service-inc-issues-press-release-regarding-notice-of-data-eve

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130913-01 Mnsure MN Electronic Government/Military Yes - Published # 2,400

**ITRC does not consider a password adequate protectionOfficials for with breached the state's data. new health insurance exchange are notifying about 2,400 insurance agents about a data breach involving their social security numbers and other private information.

Attribution 1 Publication: twincities.com Author: Date Published: Article Title: Mnsure Article URL: http://www.twincities.com/politics/ci_24087664/mnsure-health-exchange-data-breach-affects-about-2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-06 Tri-State Surgical Associates MD Paper Data Medical/Healthcare Yes - Published # 433

**ITRC does not consider a password adequate protectionWe are for writing breached you with data. important information about a recent breach of your personal information from Tri-State Surgical Associates. We became aware of this breach on July 18, 2013, and to the best of our knowledge the breach itself occurred on or around May 30, 2013.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Tri-State Surgical Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-230937.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-05 Clark & Anderson, P.A. MD Electronic Business Yes - Published # 2,906

**ITRC does not consider a password adequate protectionOn August for breached 4, 2013, Clarkdata. & Anderson, P.A. learned that a hard drive, which operated as a backup drive for client data on Clark & Anderson,

Attribution 1 Publication: datalossdb.org / MD AG's office Author: Date Published: Article Title: Clark & Anderson, P.A. Article URL: http://datalossdb.org/attachments/incident_attachments/1625/original/itu-231323.pdf?1378705906

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-04 Bell Helicopter TX Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of an information security incident that could potentially affect you, and to share with you the steps that Bell Helicopter's Training Academy ("Bell") is taking to address it.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Bell Helicopter Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/bell-helico

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-03 Edgewood Partners CA Electronic Business Yes - Unknown # 0 Insurance Center (EPIC) **ITRC does not consider a password adequate protectionEdgewood for breached Partners data.Insurance Center ("EPIC") is committed to protecting the personal information it maintains. Regrettably, we are writing to inform you about an incident involving some of that information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Edgewood Partners Insurance Center (EPIC) Article URL: https://oag.ca.gov/system/files/Edgewood%20Redacted%20General%20Employee%20letter_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-02 Outdoor Network LLC FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for strongly breached committed data. to the security of our customers’ information and strive to let you know about security concerns as soon as possible. We recently learned of an incident on our websites (boats.net and partzilla.com) that may have exposed your personal information to unauthorized persons. This notification to you was not delayed as a result of a law enforcement investigation.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Outdoor Network (Boats.net / Partzilla.com) Article URL: https://oag.ca.gov/system/files/Outdoor%20Network%20Notification%20V1%20D_data%20audit%20proof_090613_0.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130912-01 Paymast'r Services FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe recently for breached learned data.that between July 22nd and July 28th, 2013, an unauthorized third party gained access to a website hosted by one of our service partners and was able to access personal information about you, which may have included your name, address, Social Security number, driver’s license number and Payroll Card number.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Paymast'r Services Article URL: https://oag.ca.gov/system/files/930L81%20Paymast%27r%20Services%20Ad%20MetaBank_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130911-01 Pierce County Housing WA Electronic Government/Military Yes - Published # 1,000 Authority **ITRC does not consider a password adequate protectionThe Pierce for breached County Housing data. Authority is conducting an investigation into a security breach that impacts all the people on the county's wait list for Section 8 housing. The staff does not yet know how it happened, but the names and social security numbers of all the people on the wait list appeared online. That is about 1,000 people.

Attribution 1 Publication: King5.com Author: Date Published: Article Title: Thousands of Social Security numbers exposed in Pierce County Article URL: http://www.king5.com/news/cities/tacoma/Private-information-of-Section-8-waitlist-applicants-accidentally-posted-onlin

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130906-05 Department of Labor and MN Electronic Government/Military Yes - Published # 269 Industry **ITRC does not consider a password adequate protectionInvestigators for breached found the data. stolen names and Social Security numbers of 269 public employees in the home of a former state worker, according to a criminal complaint.

Roxanne Kay Deflorin "may have been a source of some of the stolen identities" used by three other women charged in the case, the complaint said.

Attribution 1 Publication: twincities.com Author: Date Published: Article Title: Former state of Minnesota worker stole IDs of 269 public employees, charges say Article URL: http://www.twincities.com/crime/ci_24026416/state-ex-worker-stole-269-ids-public-employees

How is this report produced? What are the rules? See last page of report for details.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130906-04 Department of Labor GA Electronic Government/Military Yes - Published # 4,457

**ITRC does not consider a password adequate protectionAn employee for breached error compromised data. thousands of people's personal information, including social security numbers, the Georgia Department of Labor said.

Attribution 1 Publication: USA Today Author: Kevin Rowson Date Published: Article Title: Thousands of social security numbers sent in email Article URL: http://www.usatoday.com/story/news/nation/2013/09/06/social-security-numbers-email/2775199/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130906-03 Office of Hankyu Chung, M.D. CA Electronic Medical/Healthcare Yes - Published # 2,182

**ITRC does not consider a password adequate protectionThe security, for breached confidentiality, data. integrity and privacy of patient personal information are highly valued by Hankyu Chung, M.D. We are writing you because of a potential disclosure of your personal health information and personally identifiable information. We believe you should be made aware of the circumstances of the potential disclosure, so that you can take steps to protect your personal information.

Attribution 1 Publication: CA AG's office / hhs.gov Author: Date Published: Article Title: Office of Hankyu Chung, M.D. Article URL: https://oag.ca.gov/ecrime/databreach/reports/sb24-42619

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130906-02 Commonwealth - Conexis VA Electronic Government/Military Yes - Published # 13,000

**ITRC does not consider a password adequate protection13,000 forstate breached employees data. are being offered free credit monitoring service right now after a security breach of their personal information.

The employees effected, including those working at Virginia Tech, are enrolled in the Commonwealth's 2014 Flexible Spending Account. They were sent letters saying Conexis, (Blue Cross/Blue Shield Flexible Spending Account Services) sent a report summarizing their enrollment in the plan to 11 state human resources and payroll employees in error. The reports contained the employee's name and social

Attribution 1 Publication: wsls.com Author: Dawn Jefferies Date Published: Article Title: 13,000 state employee's personal info breached Article URL: http://www.wsls.com/story/23357047/13000-state-employees-personal-info-breached

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130906-01 Medical University of South SC Electronic Medical/Healthcare Yes - Published # 7,000 Carolina **ITRC does not consider a password adequate protectionIn the largest for breached data breach data. ever affecting Medical University of South Carolina records, the financial information for some 7,000 customers was stolen last month when a foreign entity hacked data from an outside credit card processing vendor, the hospital announced Thursday.

Attribution 1 Publication: The Post and Courier Author: Lauren Sausser Date Published: Article Title: Cyber attack threatens financial information for 7,000 MUSC customers Article URL: http://www.postandcourier.com/article/20130905/PC16/130909692/1009/cyber-attack-threatens-financial-information-for-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-16 Bonneville Power OR Electronic Business Yes - Published # 14,000 Administration **ITRC does not consider a password adequate protectionThe turmoil for breached continues data. at the Bonneville Power Administration and its parent agency, the U.S. Department of Energy -- this time with a new twist. The DOE, which has been coming down around Bonneville's ears for violations of federal hiring practices, has started informing employees that their personal information was compromised last month after its computer systems were hacked. A total of 14,000 federal employees were affected, including some or all of Bonneville's.

Attribution 1 Publication: The Oregonian Author: Date Published: Article Title: BPA employees' personal data hacked; audit findings of hiring problems dribble out Article URL: http://www.oregonlive.com/business/index.ssf/2013/08/bpa_employees_personal_data_ha.html

**ITRC does not consider a password adequate protectionAttorney for General breached Chris data. Koster today warned consumers to be alert following the recent notice from Missouri Credit Union that credit union member information was accessible for a short time this summer on the Credit Union’s website. Consumers should diligently monitor their accounts, and immediately contact the Credit Union if they notice unusual activity.

Attribution 1 Publication: MO AG's office Author: Date Published: Article Title: Attorney General Koster advises consumers following accidental release of customer information at Missouri Credit Union --Kos Article URL: http://ago.mo.gov/newsreleases/2013/AG_Koster_advises_consumers_accidental_release_customer_information_MO_

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-14 Creative Banner Assemblies MN Electronic Business Yes - Published # 232

**ITRC does not consider a password adequate protectionWe value for yourbreached business data. and respect the privacy of your information, which is why, as precautionary measure, we are making you aware of a situation that may have exposed customer information including customer names, addresses, phone numbers and temporarily unencrypted credit card numbers with security codes.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Creative Banner Assemblies Article URL: http://doj.nh.gov/consumer/security-breaches/documents/creative-banner-20130813.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-13 Hill Air Force Base UT Electronic Government/Military Yes - Published # 500

**ITRC does not consider a password adequate protectionMore than for breached500 Hill Air data. Force Base employees had sensitive personal information compromised after another base employee improperly transmitted the information to an unprotected email address.

Attribution 1 Publication: Standard-Examiner / databreaches.net Author: Date Published: Article Title: Hill employee personal info improperly transmitted Article URL: http://www.standard.net/stories/2013/08/23/hill-employee-personal-info-improperly-transmitted - .Uhd6YBJro0g.twitter

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-12 Hancock OB/GYN IL Electronic Medical/Healthcare Yes - Published # 1,396

**ITRC does not consider a password adequate protectionHancock for OB/GYN breached recently data. sent letters to 1,396 of its patients, informing them that an employee at the practice had accessed physician notes in those patients' medical records without a work-related reason for doing so. The physician notes included the patient's name, date of service, medical record number and specific clinical information regarding the OB/GYN care provided. No financial or other identifying information was inappropriately accessed by the employee and no copies of the information were made during the inappropriate access.

Attribution 1 Publication: hancockobgyn.com / PHIprivacy.net Author: Date Published: Article Title: Physician Practice Informs Patients of Data Breach Article URL: http://www.hancockobgyn.com/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-11 Young Family Medicine, Inc. OH Electronic Medical/Healthcare Yes - Published # 2,045

**ITRC does not consider a password adequate protectiontheft of forlaptop breached data.

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Young Family Medicine, Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

**ITRC does not consider a password adequate protectionA box full for ofbreached personal data. employee records found in a public recycling dumpster in Merriam, Kan., has left hundreds of people at risk of identity theft. A coupon collector who did not want to be identified said he was looking for a coupon for Miracle Whip when he found the private information. "I noticed files in the dumpsters, and I took a look at the files, and I noticed social security numbers and driving records," the collector said. "If that were my information, I would expect that that would be shredded and disposed of properly, not thrown in a recycle dumpster or any other kind of dumpster."

Attribution 1 Publication: KSHB.com / phiprivacy.net Author: Syed Shabbir Date Published: Article Title: Hundreds at risk of identity theft after personal records dumped in public recycling bin Article URL: http://www.kshb.com/dpp/news/local_news/hundreds-at-risk-of-identity-theft-after-personal-records-dumped-in-public-r

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-09 Olson & White Orthodontics MO Electronic Medical/Healthcare Yes - Published # 10,000

**ITRC does not consider a password adequate protectionA Florissant for breached orthodontist’s data. office has informed 10,000 people that their personal information could be compromised because of a break-in and burglary at its offices in July.

Attribution 1 Publication: St. Louis Post-Dispatch / phiprivacy.net Author: Georgina Gustin Date Published: Article Title: Patients at Florissant orthodontist told of possible data breach after burglary Article URL: http://www.stltoday.com/news/local/patients-at-florissant-orthodontist-told-of-possible-data-breach-after/article_47bcd2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-08 St. Anthony's Physician IL Electronic Medical/Healthcare Yes - Published # 2,600 Organization **ITRC does not consider a password adequate protectionA laptop for computer breached and data. flash drive containing information on 2,600 St. Anthony's nursing home patients was stolen from a doctor's car on July 29, the South County hospital reported Friday.

Attribution 1 Publication: St. Louis Post-Dispatch / phiprivacy.net Author: Date Published: Article Title: St. Anthony's doctor's laptop stolen with patient information Article URL: http://www.stltoday.com/lifestyles/health-med-fit/health/health-matters/st-anthony-s-doctor-s-laptop-stolen-with-patient-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-07 LabMD GA Electronic Medical/Healthcare Yes - Published # 10,000

**ITRC does not consider a password adequate protectionThe Federal for breached Trade Commission data. has filed a complaint alleging Atlanta-based medical testing laboratory LabMD exposed roughly 10,000 consumers' personal information.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: FTC: Medical Lab Failed to Protect Privacy of 10K Patients Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/ftc-medical-lab-failed-to-protect-privacy-of-1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-06 University of Texas TX Electronic Medical/Healthcare Yes - Published # 596 Physicians **ITRC does not consider a password adequate protectionUT Physicians, for breached part ofdata. The University of Texas Health Science Center at Houston Medical School, has taken steps to inform patients of a potential patient data breach.

A laptop was stolen out of a UT Physicians orthopedic clinic, containing the information of 596 patients. UTHealth does not believe any information has been compromised, but has begun mailing letters to the affected patients.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: UTHealth Informs Patients of Possible Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/uthealth-informs-patients-of-possible-data-b

**ITRC does not consider a password adequate protectionAs you formay breached be aware data. from the email we sent on August 13, 2013, Osprey Packs recently discovered that your first and last name, phone number,' email address, billing and shipping address, and the credit card information (number and expiration date) that you provided in connection with a previous Osprey transaction may have been obtained by an unauthorized third party's breach of the Pro Deal website.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Osprey Packs Article URL: http://www.atg.state.vt.us/assets/files/Osprey%20Packs%20Services%20Security%20Breach%20ltrt%20consumer.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-04 Republic Services AZ Electronic Business Yes - Published # 82,160

**ITRC does not consider a password adequate protectionOn August for breached 10, 2013, data. an unencrypted, password protected, Republic Services' ("Republic") laptop was stolen from a Republic employee's home during a burglary. We learned of the incident on August 11, 2013. The laptop contained certain personal information about current and former Republic employees including name and social security number. Immediately upon discovering the theft, a report was filed with the Maricopa County Sherriff's Department and an investigation is underway.

Attribution 1 Publication: VT AG's office/ databreaches.net (updat Author: Date Published: Article Title: Republic Services Article URL: http://www.atg.state.vt.us/assets/files/Republic%20Services%20Security%20Breach%20ltrt%20consumer.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-03 Argotec MA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAs a current for breached employee data. of Argotec, your privacy is very important to us, and Argotec takes steps to keep personal information about you as confidential as possible. Unfortunately, however, we recently learned that on or about July 26, 2013, a data breach may have occurred at Argotec, and that the potentially compromised data may have included personal information about you, such as your name, bank account information and social security number. Although Argotec has no information to indicate that your or any other current or former employee's personal information was accessed or acquired, it is possible that such improper access or acquisition may occur.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Argotec Article URL: http://www.atg.state.vt.us/assets/files/Argotec%20Services%20Inc%20Security%20Breach%20ltrt%20consumer.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-02 Crystal & Company NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of an incident that may affect the security of your personal information. We are unaware of any attempted or actual misuse of your personal information, but are providing this notice to you to ensure that you are aware of the incident and so that you may take steps to monitor your identity, and your credit accounts, should you feel it is necessary to do so.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Crystal & Company Article URL: http://www.atg.state.vt.us/assets/files/Crystal%20and%20Company%20Security%20Breach%20ltrt%20consumer.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130903-01 Intercontinental Mark CA Electronic Business Yes - Unknown # 0 Hopkins San Francisco **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a potential data security incident that occurred at the InterContinental Mark Hopkins - San Francisco hotel (the “Hotel”) on July 4, 2013 that appears to have exposed your payment card account number and other personal information to unauthorized persons.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Intercontinental Mark Hopkins San Francisco Article URL: https://oag.ca.gov/system/files/InterContinental%20Mark%20Hopkins%20-%20Notification%20Letter_0.pdf?

**ITRC does not consider a password adequate protectionWe’re writingfor breached to tell youdata. that it’s possible that the credit card you used at Midwest Supplies on [Month, Day, Year] might have been compromised at that time. Despite our best efforts, the security of our website was breached by an outside party. Your credit card information might have been improperly viewed including your name, address, email address, telephone number, credit card number, expiration date and security code.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Midwest Supplies, LLC Article URL: https://oag.ca.gov/system/files/Individual%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130826-01 Advocate Medical Group IL 7/15/2013 Electronic Medical/Healthcare Yes - Published # 4,029,530

**ITRC does not consider a password adequate protectionOn July for 15, breached 2013, we data. learned that an Advocate administrative office in Park Ridge, Illinois was burglarized overnight. We discovered that four password-protected computers were stolen. We immediately notified the Park Ridge Police Department and began a thorough investigation to determine the information contained on the computers. Our investigation confirmed that the computers contained patient information used by Advocate for administrative purposes and may have included patient demographic information (for example, names, addresses, dates of birth, Social Security numbers) and limited clinical information (for example, treating physician and/or departments, diagnoses, medical record numbers, medical service codes, health insurance information). Patient medical records were not on the computers and patient care will not be affected.

Attribution 1 Publication: AMG website Author: Date Published: Article Title: Advocate Medical Group Article URL: http://patientnotice.org/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130823-02 University of Mississippi MS Electronic Educational Yes - Published # 2,281 Medical Center **ITRC does not consider a password adequate protectionThe University for breached of Mississippi data. Medical Center mistakenly gave out Social Security numbers, grade-point averages and other personal information for most of its student body this week, violating state and federal privacy laws. UMC’s accounting department on Wednesday attached the private data to a mass email notifying students about changes to the school’s health insurance. The attached spreadsheet contained the names, Social Security numbers, GPAs, race, gender, birthdays, addresses and phone numbers for the nearly 2,300 students enrolled in the university.

Attribution 1 Publication: Clarion Ledger Author: Brian Eason Date Published: Article Title: University of Mississippi Medical Center Article URL: http://www.clarionledger.com/article/20130823/NEWS/308220069/UMC-breaches-student-privacy

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130823-01 Shore Mortgage MI Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionI am writing for breached to make data.you aware that Shore Mortgage (a division of United Shore Financial Services, LLC) recently discovered that servers at one of our vendors were subject to a computer intrusion. The servers that were accessed contained Shore information. This may have included personal information you provided to us, such as your name, contact information, date of birth, driver's license number, social security number and/or financial account information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Shore Mortgage Article URL: https://oag.ca.gov/system/files/Consumer%20Notice%2082113_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-11 Wedgewood Legacy Medical NE Electronic Medical/Healthcare Yes - Published # 2,125

**ITRC does not consider a password adequate protectionThe protected for breached health data. information of more than 2,000 patients has been compromised after a computer chip at a Lincoln, Neb.-based medical practice was declared lost.

Attribution 1 Publication: healthcareitnews.com Author: Erin McCann Date Published: Article Title: Missing thumb drive begets HIPAA breach Article URL: http://www.healthcareitnews.com/news/missing-thumb-drive-begets-hipaa-breach

**ITRC does not consider a password adequate protectionSeven largefor breached boxes filled data. with personal information of clients from the Sylvan Learning Center, including names, birth dates, Social Security numbers and credit card information, were found in a Dumpster in Beaverton.

Attribution 1 Publication: KOIN.com / phiprivacy.net Author: Jessica Morkert Date Published: Article Title: Sylvan Learning Center personal files tossed Article URL: http://www.koin.com/2013/08/05/boxes-with-personal-info-found-in-trash/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-09 Office of Janna Benkelman CO Electronic Medical/Healthcare Yes - Published # 1,500

**ITRC does not consider a password adequate protectionA laptop for stolen breached from data.a Denver counselor's office contains protected health information that may have been compromised.

Attribution 1 Publication: phiprivacy.net / TheDenverChannel.com Author: Anica Padilla Date Published: Article Title: Denver counselor's laptop reported stolen; contains protected health information Article URL: http://www.thedenverchannel.com/news/local-news/denver-counselors-laptop-reported-stolen-contains-protected-healt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-08 North Texas Comprehensive TX Electronic Medical/Healthcare Yes - Published # 3,200 Spine and Pain Center **ITRC does not consider a password adequate protectionPolice arefor breachedinvestigating data. after patient information disappeared from a doctor's office. The office lost a computer drive containing medical records, and so far there's no report of any problems.

Attribution 1 Publication: phiprivacy.net / KTEN TV Author: Date Published: Article Title: Hard drive stolen by employee contained thousands of patients’ information Article URL: http://www.kten.com/story/23141653/disk-drive-with-patient-records-disappears-in-sherman

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-07 Hope Community Resources AK Electronic Business Yes - Published # 3,700 of Alaska **ITRC does not consider a password adequate protectionHope Community for breached Resources data. inadvertently dispersed private identification information on more than 3,700 clients – disabled Alaska families and individuals across the state – in an email survey, Monday night. Families and caregivers connected to Alaska’s disabled are speaking out after the inadvertent release of private, personal and sensitive identity and healthcare information was blasted out in an email chain on Monday night. Some are just angry that an attachment with personal information was accidentally added to a survey solicitation for Hope Community Resources of Alaska.

Attribution 1 Publication: phiprivacy.net / Alaska Dispatch Author: Sean Doogan Date Published: Article Title: Email accident violates privacy of thousands of Hope Community clients Article URL: http://www.alaskadispatch.com/article/20130820/email-accident-violates-privacy-thousands-hope-community-clients

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-06 swimsuitsforall NJ Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn June for 24, breached 2013, an data. unauthorized person gained access to the computer system our client, swimsuitsforall, uses to process payments for purchases made on its website. swimsuitsforall discovered and blocked this access on June 27, 2013. The unknown person may have gained access to customer information including names, addresses, credit or debit card account numbers, and card expiration dates. Upon discovering this incident, swimsuitsforall immediately launched an investigation and implemented measures to prevent any further unauthorized access.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: swimsuitsforall Article URL: http://doj.nh.gov/consumer/security-breaches/documents/swimsuitsforall-20130802.pdf

**ITRC does not consider a password adequate protectionWe represent for breached Ruby Tuesday,data. Inc., 150 West Church Avenue, Maryville, Tennessee 37801 ("Ruby Tuesday") and are writing to notify you of a data event that may affect the security of personal information of one (1) New Hampshire resident. Ruby Tuesday's investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, Ruby Tuesday does not waive any rights or defenses under New Hampshire law.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Ruby Tuesday Article URL: http://doj.nh.gov/consumer/security-breaches/documents/ruby-tuesday-20130723.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-04 Novartis NJ Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you about an incident that involved the loss of personal information of one resident of New Hampshire. On or about March 4 of 2013 a media storage device (a/k/a thumb drive) was discovered to be missing from a limited access area. Subsequently, after a lengthy review of barely legible archived materials, we determined that one resident of New Hampshire was affected. We deeply regret that this incident occurred and take very seriously the security of personal information.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Novartis Article URL: http://doj.nh.gov/consumer/security-breaches/documents/novartis-20130805.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-03 McKesson - ADP CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you about a security incident experienced by our payroll vendor ADP that affected the personal information of 3 New Hampshire residents. ADP has previously informed your office about this event, but McKesson also is providing specific notice regarding its affected employees. ADP prepares annual payroll tax statements for McKesson employees, for use by our employees to file with their annual income tax forms.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: McKesson - ADP Article URL: http://doj.nh.gov/consumer/security-breaches/documents/mckesson-20130809.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-02 Huntington's Disease Society NY 5/3/2013 Electronic Business Yes - Unknown # 0 of America **ITRC does not consider a password adequate protectionWe represent for breached Huntington's data. Disease Society of America ("HDSA"), and are writing to notify you of a data event that may affect the security of personal information of one ( 1) New Hampshire resident. HDSA' s investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, HDSA does not waive any rights or defenses regarding the applicability of New Hampshire law or personal jurisdiction.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Huntington's Disease Society of America Article URL: http://doj.nh.gov/consumer/security-breaches/documents/huntingtons-disease-20130722.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130821-01 San Francisco State College CA Electronic Educational Yes - Unknown # 0 of Extended Learning **ITRC does not consider a password adequate protectionSan Francisco for breached State data. College of Extended Learning takes our responsibility to protect your personal data very seriously. For this reason, we are writing to inform you that on Monday, June 11, 2013 we were notified by federal law enforcement of a compromise of the College of Extended Learning server that occurred on March 25th, 2013 at 3 am. The incident involved the unauthorized use of the server by a group not associated with SF State. Although we have no evidence of compromise of the databases also located on this server, federal law enforcement indicated more than 500 other sites were compromised by this same group and some of those sites did find evidence of compromised data. As a precaution, we are advising you of the possibility that SF State data has been compromised.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: San Francisco State College of Extended Learning Article URL: https://oag.ca.gov/system/files/Breach%20Notification_1.pdf?

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a matter that involved some information about you held by Fidelity Investments, a retirement plan administrative service provider for Oracle Corporation. On July 10, 2013, information about you was inadvertently included in a report that was briefly viewed by a plan administrator at another Fidelity client firm.

Attribution 1 Publication: VT AG's offce Author: Date Published: Article Title: Fidelity Investments / Oracle Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/oracle-dra

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130820-05 Department of Corrections CA Electronic Government/Military Yes - Unknown # 0 and Rehabilitation **ITRC does not consider a password adequate protectionWe are for writing breached to you data. because of a recent security incident at the Centinela State Prison (CEN) involving your personal information. On July 28, 2013, it was discovered that a file containing your name, date of birth, and Social Security number was saved to a location on our CEN server which is accessible to all CEN staff. This file was on the server between July 26, 2013 and July 29, 2013 before being removed.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Department of Corrections and Rehabilitation Article URL: https://oag.ca.gov/system/files/CEN%20Breach%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130820-04 Exelixis GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe privacy for breached of individual data. personal data is important to Exelixis. As a result, we are writing to inform you that on July 30, 2013, we learned of a theft of company equipment that contained such data. Following an investigation, we have determined that the data may have included your name, address, birth date, financial account number, and social security number.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Exelixis Article URL: https://oag.ca.gov/system/files/Multistate_Breach_Notification_Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130820-03 Income and Capital Growth CA Electronic Business Yes - Unknown # 0 Strategies, Inc. **ITRC does not consider a password adequate protectionWe have for recently breached discovered data. unauthorized access to our computer network by unknown person or persons. While the only losses so far are to Doug Thorburn personally (and we believe Doug Thorburn was the target), it is possible personal information about you and your dependents including your name, address, social security number, birthdate, driver’s license number and bank account information (for those who use direct deposit for tax refunds) was obtained.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Income and Capital Growth Strategies, Inc. Article URL: https://oag.ca.gov/system/files/Hacking%20incident%20Aug%20%2713%20letter%20to%20clients_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130820-02 Tampa General Hospital / FL Electronic Medical/Healthcare Yes - Published # 140 University of South Florida **ITRC does not consider a password adequate protectionTampa forGeneral breached Hospital data. and the University of South Florida Health are not giving much information about the latest breach within the delivery system that could involve identity theft.

Attribution 1 Publication: Tampa Bay Business Journal Author: Jane Meinhardt Date Published: Article Title: USF patient information breach probed Article URL: http://www.bizjournals.com/tampabay/news/2013/09/09/usf-patient-information-breach-probed.html

Attribution 2 Publication: healthdatamanagement.com Author: Joseph Goedert Date Published: Article Title: Tampa General Quiet on Details of New Breach Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46495-1.html?ET=healthdatam

**ITRC does not consider a password adequate protectionHealth forinformation breached and data. Social Security numbers are among data that may have been compromised for faculty, staff and students in a data breach at Emory University in Atlanta.

Attribution 1 Publication: Scmagazine.com Author: Date Published: Article Title: Officials investigate scope of Emory University breach Article URL: http://www.scmagazine.com/officials-investigate-scope-of-emory-university-breach/article/307854/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130816-05 Department of Energy DC Electronic Government/Military Yes - Published # 104,179

**ITRC does not consider a password adequate protectionThe United for breached States Department data. of Energy notified employees via an email Wednesday that hackers gained personal information, such as names and social security numbers, of 14,000 current and former agency employees as the result of a hack that occurred in late July. This is the second attack this year that involved a breach of employee data.

Attribution 1 Publication: Wall Street Journal Author: Rachel King Date Published: Article Title: Department of Energy Hacked Again Article URL: http://blogs.wsj.com/cio/2013/08/15/department-of-energy-hacked-again/

Attribution 2 Publication: energy.gov Author: Date Published: Article Title: Department of Energy Article URL: http://energy.gov/cio/cyber-incident-information/july-2013-cyber-incident

Attribution 3 Publication: InformationWeekSecurity Author: Mathew J. Schwartz Date Published: Article Title: Dept. Of Energy Breach: Bigger Than We Realized Article URL: http://www.informationweek.com/security/attacks/dept-of-energy-breach-bigger-than-we-rea/240162952

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130816-04 Rivermark Community Credit OR Electronic Banking/Credit/Financial Yes - Published # 0 Union **ITRC does not consider a password adequate protectionRivermark for breachedCommunity data. Credit Union officials say they are reissuing debit and credit cards of fewer than 1,000 members after receiving notice from Visa of a possible data breach.

Attribution 1 Publication: Oregonlive.com Author: Date Published: Article Title: Visa's alert of possible data breach impacts Rivermark Credit Union members Article URL: http://www.oregonlive.com/finance/index.ssf/2013/08/visa_alert_of_possible_data_br.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130816-03 Boston Public School MA Electronic Educational Yes - Published # 21,054

**ITRC does not consider a password adequate protectionMore than for breached20,000 students data. across 36 schools in the Boston Public School (BPS) system had their data compromised when the district's ID card vendor Plastic Card Systems lost a flash drive containing the information.

Attribution 1 Publication: SC Magazine Author: Adam Greenberg Date Published: Article Title: Lost flash drive compromises data for thousands of students Article URL: http://www.scmagazine.com/lost-flash-drive-compromises-data-for-thousands-of-students/article/307298/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130816-02 Ferris State University MI Electronic Educational Yes - Published # 39,000

**ITRC does not consider a password adequate protectionWith data for onbreached thousands data. of students, including names, addresses and Social Security numbers – a virtual treasure trove of personal information– it’s no surprise that colleges and universities face the same cyber security threats businesses and government agencies contend with daily, experts say.

Attribution 1 Publication: Mlive.com Author: Brian McVicar Date Published: Article Title: Ferris State’s online security breach: Experts say cyber attacks on higher education growing Article URL: http://www.mlive.com/news/grand-rapids/index.ssf/2013/08/ferris_states_online_security.html

**ITRC does not consider a password adequate protectionEmployees for breached for and applicants data. to the linguist program of Virginia-based defense contractor Northrop Grumman may have had their sensitive information compromised when a database was accessed by an unauthorized party.

Attribution 1 Publication: SC Magazine / NH AG's office Author: Date Published: Article Title: U.S. defense contractor sustains data breach Article URL: http://www.scmagazine.com/us-defense-contractor-sustains-data-breach/article/307498/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130814-01 Caledonia Home Health Care VT Electronic Medical/Healthcare Yes - Unknown # 0 & Hospice **ITRC does not consider a password adequate protectionCaledonia for breachedHome Health data. Care & Hospice in St. Johnsbury, Vt., is giving little information to patients or the media about a breach of protected health information.

Attribution 1 Publication: Health Data Management Author: Date Published: Article Title: Home Health Agency Tight-Lipped About Breach Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46481-1.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-13 Northrop Grumman Retiree VA Paper Data Medical/Healthcare Yes - Published # 4,305 Health Plan **ITRC does not consider a password adequate protectionother - forpaper breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Northrop Grumman Retiree Health Plan Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-12 Med-El NC Electronic Medical/Healthcare Yes - Published # 609

**ITRC does not consider a password adequate protectionother - foremail breached data.

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Med-El Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-11 Medtronic MN Paper Data Medical/Healthcare Yes - Published # 2,764

**ITRC does not consider a password adequate protectionIn early for July, breached the manufacturer data. notified patients about a box of training records that had gone missing from a facility in Minnesota, Resman said. Most of the documents and records in the box dated back to 2008 and were connected with training in the use of insulin pumps or continuous glucose monitoring devices.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Medtronic Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-10 Aflac GA Electronic Medical/Healthcare Yes - Published # 679

**ITRC does not consider a password adequate protectionAn encrypted for breached laptop data.computer was stolen from an AFLAC associate's vehicle in Puerto Rico. The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses. The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media. The responsible workforce member was sanctioned. OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Aflac Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-09 Sheet Metal Local 36 Welfare MO Electronic Medical/Healthcare Yes - Published # 4,560 Fund **ITRC does not consider a password adequate protectionunauthorized for breached access/disclosure data. - other

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Sheet Metal Local 36 Welfare Fund Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-08 South Florida Neurology FL Electronic Medical/Healthcare Yes - Published # 900 Associates, P.A. **ITRC does not consider a password adequate protectiontheft of forlaptop breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: South Florida Neurology Associates, P.A. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-07 Samaritan Regional Health OH Paper Data Medical/Healthcare Yes - Published # 2,203 System **ITRC does not consider a password adequate protectionpaper breach for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Samaritan Regional Health System Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-06 Jacksonville Spine Center FL Paper Data Medical/Healthcare Yes - Published # 5,200

**ITRC does not consider a password adequate protectionThe covered for breached entity (CE), data. Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Jacksonville Spine Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-05 Lone Star Circle of Care TX Electronic Medical/Healthcare Yes - Published # 1,955

**ITRC does not consider a password adequate protectiontheft of forlaptop breached data.

Attribution 1 Publication: phiprivacy.net / hhs.gov / LSCC website Author: Date Published: Article Title: Lone Star Circle of Care Article URL: http://www.lscctx.org/security/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-04 Parkview Community TN Electronic Medical/Healthcare Yes - Published # 32,000 Hospital Medical Center / **ITRC does not consider a password adequate protectionThe protected for breached health data. information of some 32,000 patients across 48 states has been compromised after a health IT vendor's firewall was down for more than a month, allowing, in some cases, for patient data to be indexed by Google, officials announced Thursday.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: healthcareitnews.com Author: Date Published: Article Title: Site flaw puts patient data on Google Article URL: http://www.healthcareitnews.com/news/site-flaw-puts-patient-data-google

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-03 Office of Dr. James Fosnaugh NE Electronic Medical/Healthcare Yes - Published # 2,125

**ITRC does not consider a password adequate protectionSomehow, for breached somewhere, data. sometime in May, a computer chip containing medical records for more than 2,000 of a Lincoln doctor's patients went missing — likely having slipped from the thumb drive Dr. James Fosnaugh wore on a lanyard around his neck.

Attribution 1 Publication: JournalStar.com Author: Date Published: Article Title: Lost piece of thumb drive contained thousands of patient records Article URL: http://journalstar.com/news/local/lost-piece-of-thumb-drive-contained-thousands-of-patient-records/article_d3d422ab-e

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130809-01 Retinal Consultants Medical CA Electronic Medical/Healthcare Yes - Unknown # 0 Group **ITRC does not consider a password adequate protectionOn June for 7, breached 2013, it wasdata. discovered that a laptop computer, which was a component of a diagnostic imaging machine, was stolen sometime after our office closed on June 5, 2013. The laptop computer contained the following types of unsecured PHI: names, dates of birth, gender, race, and OCT (optical coherence tomography) images. Please be assured that information such as your Social Security Number, Driver’s License, and address was not on the laptop.

Attribution 1 Publication: eSecurity Planet - RCMG Notification let Author: Jeff Goldman Date Published: Article Title: Retinal Consultants Medical Group Admits Security Breach Article URL: http://www.esecurityplanet.com/network-security/retinal-consultants-medical-group-admits-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130808-04 Auburn University AL Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe represent for breached Auburn data. University, 316 Leach Science Center, Alabama 36849 ("Auburn University") and are writing to notify you of a data event that may affect the security of personal information of two (2) New Hampshire residents. Auburn University's investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, Auburn University does not waive any rights or defenses under New Hampshire law.

Attribution 1 Publication: databreaches.net / NH AG's office Author: Date Published: Article Title: Auburn University Article URL: http://doj.nh.gov/consumer/security-breaches/documents/auburn-university-20130802.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130808-03 Rocky Mountain Spine Clinic CO Electronic Medical/Healthcare Yes - Published # 532

**ITRC does not consider a password adequate protectionRocky Mountainfor breached Spine data. Clinic announced Wednesday that a former employee misappropriated and stole protected health information from some of the clinic's patients.

The employee, who worked for RMSC's billing department, created a document containing the information of 532 patients and then sent the document to her personal email account, according to a news release.

Attribution 1 Publication: Denver Post / datalossdb.org Author: Matthew Payne Date Published: Article Title: Former Rocky Mountain Spine Clinic employee stole patient information Article URL: http://www.denverpost.com/breakingnews/ci_23769928/former-rocky-mountain-spine-clinic-employee-stole-patient

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130808-02 Fairfax County Public VA Electronic Educational Yes - Published # 2,000 Schools **ITRC does not consider a password adequate protectionA laptop for containing breached healthdata. records for 2,000 Fairfax County public school students was stolen out of a health department employee’s car, possibly compromising the confidential information, school and health officials said.

Attribution 1 Publication: datalossdb.org / Washington Post Author: T. Rees Shapiro Date Published: Article Title: Stolen laptop contained 2,000 Fairfax student health records Article URL: http://www.washingtonpost.com/local/education/stolen-laptop-contained-2000-fairfax-student-health-records/2013/07/2

How is this report produced? What are the rules? See last page of report for details.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130808-01 Smartphone Experts FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn August for breached 6, 2013, Smartphonedata. Experts began notifying an undisclosed number of its customers that a hacker or hackers had accessed the system used to process payments for purchases made on its Web site. The breach was discovered on July 12, 2013 (h/t DataBreaches.net).

Attribution 1 Publication: eSecurity Planet / CA AG's office Author: Jeff Goldman Date Published: 8/12/2013 Article Title: Smartphone Experts Article URL: http://www.esecurityplanet.com/mobile-security/smartphone-experts-hacked.html

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: Smartphone Experts Article URL: https://oag.ca.gov/system/files/602490607_1_%28BHDOCS%29_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130730-06 US Airways US Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionUS Airways for breached recently data.began notifying its employees that programming error at ADP may have made it possible for other US Airways employees to view their names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and/or 2012 (h/t DataBreaches.net).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: US Airways Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/us-airways-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130730-05 University of Delaware DE Electronic Educational Yes - Published # 74,000

**ITRC does not consider a password adequate protectionThe University for breached of Delaware data. is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of current and past employees, including student employees. A criminal attack on one of the University’s systems took advantage of a vulnerability in software acquired from a vendor.

Attribution 1 Publication: University of Delaware website / databre Author: Date Published: Article Title: University of Delaware Article URL: http://www.udel.edu/udaily/2014/jul/resources073013.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130730-04 Oregon Health & Science OR Electronic Medical/Healthcare Yes - Published # 3,044 University **ITRC does not consider a password adequate protectionInformation for breached for more data. than 3,000 patients at Oregon Health & Science University was put at risk when medical residents stored the data on a password protected cloud computing system, the institution announced this week. The potential data breach is the third such reported incident to occur at the university in less than a year, and the fifth since 2008.

Attribution 1 Publication: FierceHealthIT Author: Dan Bowman Date Published: Article Title: Oregon Health & Science University Article URL: http://www.fiercehealthit.com/story/cloud-storage-debacle-marks-hospitals-third-privacy-incident-year/2013-07-30

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130730-03 California Correctional CA Electronic Medical/Healthcare Yes - Unknown # 0 Health Care Services **ITRC does not consider a password adequate protectionOn June for 19, breached 2013, dental data. records were reported missing from a California Correctional Health Care Services (CCHCS) staff member’s possession while off the premises of a correctional institution. The missing documents contained information such as patient name, CDCR number, date of birth, and dental treatment plan. It is possible that your dental record may have been included in the missing documents.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: California Correctional Health Care Services (CCHCS) Article URL: https://oag.ca.gov/system/files/Incident%2013-0613%20Breach%20Notice%20Final_0.pdf?

**ITRC does not consider a password adequate protectionWe believe for breached Brandywine’s data. payroll system was compromised on or about February 20, 2013. The payroll system contained social security numbers, birth dates and bank account numbers. Based on the evidence we could see in our system, (i) some of the payroll information was changed and (ii) none of the aforementioned information was downloaded; however, we cannot be certain that the aforementioned information was not extracted. The breach was detected by our company before any payroll was processed so there were no payroll transfers to unauthorized bank accounts. We have since corrected and verified all information in Brandywine’s payroll system.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Brandywine Senior Living Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-225397.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130730-01 Choice Research Associates MD Electronic Business Yes - Published # 163

**ITRC does not consider a password adequate protectionThis letter for breachedis being sent data. to individuals who were interviewed by a case manager regarding health insurance from October 10, 2010 through January 6, 2013. In January 2013, a Choice Research Associates subcontractual research associate was charged with obtaining an unauthorized credit card using the social security number and name of an executive from another organization. This subcontractor also had access to a database containing the names, social security numbers, dates of birth, address, and phone numbers of 163 Maryland residents who were interviewed by a case manager regarding health insurance.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Choice Research Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227417.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130729-02 City of Baltimore MD Paper Data Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protectionA man forwho breached didn't want data. to be identified told the 11 News I-Team he was driving by a city training and safety office on Druid Park Drive in northwest Baltimore when he saw a huge pile of furniture and other items that had been put out for trash. He said he thought he could use a cardboard box that was part of the pile for filing.

"When I got it home, that's when I noticed. I was dumbfounded. It was incredible. I couldn't believe it," the man told I-Team reporter Barry Simms.

Inside the box there were confidential records for thousands of current and former Baltimore City employees, from firefighters to sanitation workers, and all their vital information was there, including their Social Security numbers, birth dates, driver's license information and more.

Attribution 1 Publication: WBALTV11.com Author: Date Published: Article Title: Man finds city workers' personal info in tossed files Article URL: http://www.wbaltv.com/news/maryland/i-team/man-finds-city-workers-personal-info-in-tossed-files/-/10640252/21000568

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130729-01 Clark Memorial Hospital IN Paper Data Medical/Healthcare Yes - Published # 1,087

**ITRC does not consider a password adequate protectionThe hospital for breached learned data. on July 16 that Mail Louisville Inc., a contractor that processes and mails billing statements, on July 15 sent statements to the wrong name and address. “Accordingly, for each of the affected patients, the billing statement was sent to another one of those affected patients,” according to the hospital’s public notice.

Attribution 1 Publication: healthdatamanagement.com Author: Joseph Goedert Date Published: Article Title: Mailing Error Causes Breach for Nearly 1,100 Indiana Patients Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46419-1.html?ET=healthdatam

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130725-05 Securities and Exchange DC Electronic Government/Military Yes - Unknown # 0 Commission **ITRC does not consider a password adequate protectionA serious for databreached breach data. at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals. The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official on privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency. It said a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees onto a thumb drive, and then transferred them to the other agency.

Attribution 1 Publication: The Hill Author: Peter Schroeder Date Published: Article Title: Staff data leaks out of the SEC Article URL: http://thehill.com/blogs/on-the-money/1007-other/313387-staff-data-leaks-out-of-the-sec

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130725-04 Harbor Freight CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionHarbor forFreight breached Tools, data. a U.S.-based chain of 400 retail tool stores, has reported a breach against its payment processing system.

Attribution 1 Publication: databreachtoday.com Author: Jeffrey Roman Date Published: Article Title: New Retail Breach Reported Article URL: http://www.databreachtoday.com/new-retail-breach-reported-a-5927?rf=2013-07-25-edbt&elq=d104a16378344c8e8c1134

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130725-03 University of Virginia VA Paper Data Educational Yes - Published # 18,700

**ITRC does not consider a password adequate protectionThousands for breached of University data. of Virginia students were affected by a printing error that caused their personal information, including Social Security numbers, to be printed on a mailing address label.

How many victims? 18,700 students.

What type of personal information? Names, addresses and Social Security numbers.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Social Security numbers of Va. students printed on mailing labels Article URL: http://www.scmagazine.com/social-security-numbers-of-va-students-printed-on-mailing-labels/article/304210/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130725-02 Regional Medical Center FL Paper Data Medical/Healthcare Yes - Unknown # 0 Bayonet Point **ITRC does not consider a password adequate protectionRequests for frombreached patients data. for medical records are a routine task for hospitals. “I went to the hospital and was given a form to fill out for medical records,” said Micki Thoms. Thoms asked for her records after undergoing surgery at Regional Medical Center Bayonet Point in Hudson, and was told they would be mailed to her. Days later, the papers arrived in the mail. As she opened the envelope and began to look through them, she noticed something was not quite right. “I read the first name and it wasn’t mine, and I turned the page and read the second name and it was not mine,” she said.

Attribution 1 Publication: phiprivacy.net / ABCactionnews.com Author: Date Published: Article Title: Regional medical center Bayonet Point Hospital sends records of multiple patients without permission Article URL: http://www.abcactionnews.com/dpp/news/local_news/investigations/regional-medical-center-bayonet-point-hospital-se

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130725-01 St. Mary's Bank NH Electronic Banking/Credit/Financial Yes - Published # 115,775

**ITRC does not consider a password adequate protectionSt. Mary's for breachedBank ("St. data. Mary's") is a state-chartered community based credit union regulated by the New Hampshire Banking Department. On May 26, 2013, our client, St. Mary's, discovered malware on an employee workstation computer. An analysis by a nationally recognized computer security consulting firm found that the malware was designed to capture information as it appeared on individual computer screens and could have been introduced into 23 workstation computers beginning in February, 2013. As soon as the malware was discovered, St. Mary's brought in independent security experts to analyze its entire computer system and isolate and eliminate the malware using the most sophisticated computer security tools available.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Malware in NH bank computers may affect hundreds of thousands Article URL: http://www.scmagazine.com/malware-in-nh-bank-computers-may-affect-hundreds-of-thousands/article/303729/

Attribution 2 Publication: NH AG's office Author: Date Published: Article Title: St. Mary's Bank Article URL: http://doj.nh.gov/consumer/security-breaches/documents/st-marys-bank-20130712.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130724-03 AlliedBarton Security CA Electronic Business Yes - Unknown # 0 Services - ADP **ITRC does not consider a password adequate protectionI am writing for breached to inform data. you about a potential security breach regarding personal information held by AlliedBarton's service provider ADP.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: AlliedBarton Security Services Article URL: http://doj.nh.gov/consumer/security-breaches/documents/alliedbarton-20130716.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130724-02 San Jose Medical Supply CA Electronic Medical/Healthcare Yes - Published # 800

**ITRC does not consider a password adequate protectionThis letter for breachedis written todata. you as a current or former customer of San Jose Medical Supply Co., Inc. (“San Jose Medical”), as required by law, to notify you of a potential violation relating to disclosure of your personal information. The violation arises from incidents that took place in 2011, but were only recently discovered by San Jose Medical’s new owner and management. Please read this letter and contact me directly if you have any questions or if you wish to discuss this matter further.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: San Jose Medical Supply Article URL: https://oag.ca.gov/system/files/HIPAA%20Breach%20Letter%20-%20San%20Jose%20Medical%20Supply_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130724-01 Citi Bike NY Electronic Business Yes - Published # 1,174

**ITRC does not consider a password adequate protectionCiti Bike for users breached – many data. of them already frustrated by other problems with the program – have now learned that their personal information has been compromised.

As CBS 2’s Hazel Sanchez reported Tuesday, the program is already wildly unpopular with many cyclists who have been stuck left waiting for a ride. But Link Salas was also wondering if someone took him for a ride, after he and 1,173 other cyclists received an alarming e-mail from Citi Bike.

Attribution 1 Publication: CBS New York Author: Date Published: Article Title: City Admits Security Guarding Citi Bike Users’ Information Was Breached Article URL: http://newyork.cbslocal.com/2013/07/23/city-admits-security-may-have-been-breached-for-citi-bike-users-information/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130717-01 Office of the Medicaid NY Electronic Medical/Healthcare Yes - Published # 17,743 Inspector General (OMIG) **ITRC does not consider a password adequate protectionOn October for breached 12, 2012, data. an employee of the Office of the Medicaid Inspector General (OMIG) is suspected of having made a personal decision, without agency involvement or authorization from OMIG leadership or his or her personal supervisors, to send 17,743 records of Medicaid recipients to his or her own personal e-mail account.

Attribution 1 Publication: HealthITSecurity / OMIG Author: Patrick Ouellette Date Published: Article Title: Office of the Medicaid Inspector General (OMIG) Article URL: http://apps.cio.ny.gov/apps/mediaContact/public/preview.cfm?parm=E5EBBF49-5056-9D2A-10DAA90DCDDE22E1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-09 Union Security Insurance MO Electronic Medical/Healthcare Yes - Published # 1,127 Company **ITRC does not consider a password adequate protectionimproper for disposal breached - emaildata.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Article URL:

Attribution 2 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Union Security Insurance Company Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-08 Edge Studio NY Electronic Business Yes - Published # 481

**ITRC does not consider a password adequate protectionPlease forbe breachedadvised that data. we were recently informed of a breach of security of our vendor's website containing personal information of consumers, said breach lasting for an indeterminate period of time during the first quarter of 2013. The breach resulted in a disclosure of unencrypted personal information consisting of individuals' names, addresses, telephone numbers, and social security numbers.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Edge Studio Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227162.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-07 Bridgewater CT Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThis letter for breachedis to inform data. you of a data security incident that occurred on or around April11, 2013. The incident was discovered approximately one day later and an investigation was immediately conducted. As a former or rehired Bridgewater employee, you were offered continuing health care coverage (COBRA) upon your separation from Bridgewater. Bridgewater utilizes a third party provider (Ceridian) to administer these benefits.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Bridgewater Article URL: http://doj.nh.gov/consumer/security-breaches/documents/bridgewater-20130628.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-06 Automatic Data Processing NJ Electronic Business Yes - Unknown # 0 (ADP) **ITRC does not consider a password adequate protectionI am writing for breached to let you data. know about a security incident that exposed the personal information of 680 New Hampshire residents. ADP prepares annual payroll tax statements for; employees of our clients, as required for the individuals to file with their annual income tax forms. In some cases, client employees can access their statement via an online service, allowing them to download and save a PDF version of the statement. As required for tax filing purposes, each PDF presents the payroll tax information (including the employee's name and Social Security number as well as income and tax information) on the face of the document. On April 29, we discovered that a small number of the PDF files created for one client contained embedded information pertaining to another employee of the same client. This information included the other employee's name, Social Security number and gross annual wages.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Automatic Data Processing (ADP) Article URL: http://doj.nh.gov/consumer/security-breaches/documents/automatic-data-processing-20130604.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-05 AHW LLC IL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAHW LLC for breachedis providing data. this notification in addition to the individuai notifications it had provided to residents of your State and other states relating to an apparent breach in the security of an on-line store that AHW LLC operates.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: AHW LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/ahw-20130522.pdf

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-04 Advantage Health Solutions / IN Electronic Medical/Healthcare Yes - Published # 2,575 St. Francis Health Network **ITRC does not consider a password adequate protectionA security for breachedbreach with data. a local health insurance company has been exposing members’ home addresses, cell phone numbers, prescriptions and extensive medical information in an online portal.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Advantage Health Solutions / St. Francis Health Network Article URL: http://healthitsecurity.com/2013/09/18/loyola-university-medical-center-reports-patient-data-breach/

Attribution 2 Publication: Fox59 Author: Date Published: Article Title: Clients discover security breach on insurance carrier’s patient portal Article URL: http://fox59.com/2013/07/01/clients-discover-security-breach-on-insurance-carriers-patient-portal/ - axzz2ZEyQiEDH

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-03 Behavioral Health Network MA Paper Data Medical/Healthcare Yes - Published # 190

**ITRC does not consider a password adequate protectionSpringfield-based for breached Behavioral data. Health Network Inc. is notifying approximately 190 patients that its personal patient protected health information was inadvertently placed in an unsecured trash bin Monday. UPDATED 2/2014

Attribution 1 Publication: masslive.com Author: Jim Kinney, The Repu Date Published: Article Title: Behavioral Health Network in Springfield notifies patients of possible privacy breach Article URL: http://www.masslive.com/business-news/index.ssf/2013/07/springfields_behavioral_health_network_n.html

Attribution 2 Publication: WWLP.com Author: Date Published: Article Title: Behavioral Health Network Article URL: http://www.wwlp.com/dpp/news/i_team/medical-records-discovered-in-dumpster

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-02 Department of Healthcare IL Paper Data Medical/Healthcare Yes - Published # 3,133 and Family Services **ITRC does not consider a password adequate protectionThe Illinois for breached Department data. of Healthcare and Family Services says information on about 3,100 clients in Cook County may have been released.

Attribution 1 Publication: WLS-TV Chicago Author: Date Published: Article Title: Illinois health agency reports potential privacy breach to 3,100 Cook County residents Article URL: http://abclocal.go.com/wls/story?section=news/local&id=9163529

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-01 Suffolk University MA Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionSuffolk forUniversity breached was data. recently contacted about a potential breach of personal information through its third-party ticketing vendor, Vendini, Inc. Vendini has reported that, on April 25, 2013, the company detected an unauthorized intrusion into its systems. If you used your credit card to make a purchase for a Suffolk University event through Vendini prior to April 25, 2013, your information, including your credit card number, may have been compromised.

Attribution 1 Publication: Suffolk University notification Author: Date Published: Article Title: Suffolk University Article URL: http://www.suffolk.edu/documents/Campus%20Life/Security_Notification_Credit_Card_Customers_62113.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130715-02 Harris County TX Electronic Government/Military Yes - Published # 21,000

**ITRC does not consider a password adequate protectionhe Houston for breached Chronicle data. is reporting that sources say that at least one stolen electronic file containing sensitive personal information on thousands of current and former Harris County employees was found in Vietnam by the FBI.

Attribution 1 Publication: The Republic / Houston Chronicle Author: Date Published: Article Title: Sources: Harris County personal data found in Vietnam, FBI investigating agency Article URL: http://www.therepublic.com/view/story/99499c94793a4b41b4c21626e44d8162/TX--Harris-County-Data-Stolen

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130715-01 Long Beach Memorial CA Electronic Medical/Healthcare Yes - Published # 2,864 Medical Center **ITRC does not consider a password adequate protectionLong Beach for breached Memorial data. Medical Center alerted 2,864 patients who received treatment from September 2012 to last month that it has experienced a health data breach.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Long Beach Memorial Medical Center announces data breach Article URL: http://healthitsecurity.com/2013/07/12/long-beach-memorial-medical-center-announces-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130712-01 Texas Health Harris TX Paper Data Medical/Healthcare Yes - Published # 277,000 Methodist Hospital **ITRC does not consider a password adequate protectionTexas Healthfor breached Harris data.Methodist Hospital Fort Worth says it is notifying hundreds of thousands of former patients whose personal information on decades-old records turned up in a Dallas park instead of being destroyed by a contractor.

Attribution 1 Publication: Star-Telegram Author: Jim Fuguay Date Published: Article Title: Fort Worth hospital reports huge data breach Article URL: http://www.star-telegram.com/2013/07/11/4997021/fort-worths-harris-hospital-says.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130711-02 Internal Revenue Service US Electronic Government/Military Yes - Published # 100,000

**ITRC does not consider a password adequate protectionBy exposing for breached tens of thousandsdata. of Social Security numbers on government websites, the Internal Revenue Service finds itself between the proverbial rock and a hard place.

The public interest group Public.Resource.org says it discovered the IRS postings, which the IRS confirmed. It then removed the database containing the Social Security numbers from public view.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: IRS leaks tens of thousands of Social Security numbers Article URL: http://www.scmagazine.com//irs-leaks-tens-of-thousands-of-social-security-numbers/article/302212/?utm_source=feed

Attribution 2 Publication: govinfosecurity.com Author: Eric Chabrow Date Published: Article Title: Is IRS Legally Free to Expose Private Info? Article URL: http://www.govinfosecurity.com/blogs/irs-legally-free-to-expose-private-info-p-1508?rf=2013-07-11-eg&elq=46fa2afefa0e

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130711-01 Indiana Family and Social IN Electronic Medical/Healthcare Yes - Published # 187,533 Services Administration **ITRC does not consider a password adequate protectionThe Indiana for breached Family anddata. Social Services Administration is notifying almost 188,000 clients that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate. The information potentially exposed includes Social Security numbers for about 4,000 clients.

Attribution 1 Publication: Data Breach Today Author: Marianne Kolbasuk M Date Published: Article Title: Indiana Agency Notifies 188,000 of Breach Article URL: http://www.databreachtoday.com/indiana-agency-notifies-188000-breach-a-5893?rf=2013-07-11-edbt&elq=9772fb9067fa4

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130709-03 Citi Prepaid Services PA Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn behalf for breachedof Citi Prepaid data. Services, I am writing to inform you about a recent incident that may have involved your personal information. We recently discovered that a code change to our prepaid cardholder website impacted the security features that we use to authenticate cardholders logging into their accounts between June 2 and June 13

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Citi Prepaid Services Article URL: https://oag.ca.gov/system/files/Cardholder%20Letter%20Sample_CA_062713_0.pdf?

**ITRC does not consider a password adequate protectionWe are for writing breached to you data. because of a security incident involving bank routing information of Smog Check stations licensed with the Bureau of Automotive Repair (BAR).

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Bureau of Automotive Repair Article URL: https://oag.ca.gov/system/files/Notification_Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130709-01 Roy's Holdings HI Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionHonolulu, for Hawaii-breached July data. 5, 2013- Roy's Holdings, Inc. ("Roy's"), the holding company which includes six restaurants in Hawaii, has confirmed that the desktop computer of a Roy's corporate employee became infected by mal ware of unknown origin, resulting in a potential compromise of credit card information from individuals who patronized Roy's restaurants in Ko'Olina, Waikiki, Kaanapali, Poipu, and Waikoloa, and utilized credit or debit cards at these restaurant locations, between February 1, 2013 to February 25, 2013.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Roy's Holdings Article URL: https://oag.ca.gov/system/files/nldh-prolaw%20nldh%20com_Exchange_07-05-2013_15-47-37_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-04 Quayside Publishing Group MN Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of an incident that involved unauthorized access to our web server in which your personal information, including your credit card number, may have been stolen. We were recently made aware of this incident and have taken action to secure our servers.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Quayside Publishing Group Article URL: http://www.atg.state.vt.us/assets/files/Quayside%20Publishing%20Consumer%20Notice.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-03 Morningstar Inc. IL Electronic Business Yes - Published # 2,300

**ITRC does not consider a password adequate protectionMorningstar for breached Inc. says data. it discovered an illegal intrusion into its systems that may have compromised some of its clients' personal information, including email addresses, passwords, and credit card numbers.

Attribution 1 Publication: Las Vegas Sun Author: AP Date Published: Article Title: Morningstar: Client credit card data may be leaked Article URL: http://www.lasvegassun.com/news/2013/jul/07/us-morningstar-data-breach/ - axzz2YTHymzPW

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-02 Health Net of California CA Paper Data Medical/Healthcare Yes - Published # 8,331

**ITRC does not consider a password adequate protectionHealth forNet breached of California, data. a subsidiary of insurer Health Net Inc., is notifying approximately 6,700 members of its Health Net Medi-Cal program of a breach of their protected information.

Attribution 1 Publication: HealthDataManagement / hhs.gov Author: Joseph Goedert Date Published: Article Title: Health Net of California Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46355-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-01 Department of Community MI Electronic Government/Military Yes - Published # 49,000 Health **ITRC does not consider a password adequate protectionThe Michigan for breached Department data. of Community Health has notified more than 49,000 individuals that a server of the Michigan Cancer Consortium holding their names, birth dates, Social Security numbers, cancer screening test results and testing dates was hacked.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: HealthData Management Author: Joseph Goedert Date Published: Article Title: Michigan Agency Breaches PHI But Says Not Bound by HIPAA Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46359-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130701-01 Boston Teachers Union MA Electronic Business Yes - Published # 506 Health And Welfare Fund **ITRC does not consider a password adequate protectionThe Boston for breached Teachers data. Union Health and Welfare Fund began notifying 506 of its members that their names and Social Security numbers were mistakenly made available in search results for a Web site maintained by Classic Optical, the parent company of Classic Administrative Services (h/t DataBreaches.net).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Boston Teachers Union Suffers Security Breach Article URL: http://www.esecurityplanet.com/network-security/boston-teachers-union-suffers-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130628-02 University of South Carolina SC Electronic Educational Yes - Published # 6,300

**ITRC does not consider a password adequate protectionThe University for breached of South data. Carolina sent letters this week to 6,300 students whose personal information, including Social Security numbers, could have been on a laptop stolen from the school.

Attribution 1 Publication: The State Author: Andrew Shain Date Published: Article Title: 6,300 USC students warn Article URL: http://www.thestate.com/2013/06/28/2839028/6300-usc-students-warned-about.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130628-01 Oregon State University OR Electronic Educational Yes - Published # 8,600

**ITRC does not consider a password adequate protectionPeople forwho breached bought ticketsdata. to events at Oregon State University’s Memorial Union or University Theater in the past three years may have been the victims of identity theft.

Attribution 1 Publication: Gazette-Times Author: Date Published: Article Title: Ticket vendor reports security breach Article URL: http://www.gazettetimes.com/news/local/ticket-vendor-reports-security-breach/article_961218ee-df64-11e2-829f-0019bb

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130627-01 Department of Human IA Electronic Medical/Healthcare Yes - Published # 7,335 Services **ITRC does not consider a password adequate protectionIowa Department for breached of Humandata. Services officials issued an alert Wednesday to former patients at the Mental Health Institute in Independence and hundreds of state employees there and at other state facilities concerning a possible breach of their confidential information. CHANGED FROM GOVERNMENT TO MEDICAL PER HHS 2/2014

Attribution 1 Publication: WCFCourier.com / datalossdb.org Author: Date Published: Article Title: Confidential records missing at MHI in Independence Article URL: http://wcfcourier.com/news/local/govt-and-politics/confidential-records-missing-at-mhi-in-independence/article_efe73f7

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-04 Millimaki Eggert CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of an incident that may affect the security of your personal information. On April 27, 2013, an unknown individual(s) burglarized Millimaki Eggert's San Diego, California office and stole, among other things, two password-protected laptops containing sensitive information. We reported the theft to local law enforcement, and law enforcement's investigation into this incident is ongoing.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Millimaki Eggert Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/millimaki-

**ITRC does not consider a password adequate protectionMontana for State breached University data. ("MSU") is committed to protecting the personal information it maintains. Regrettably, we are writing to inform you about an incident involving some of that information. On March 5, 2013, MSU discovered unusual activity on a computer in a central administration department. The computer was immediately taken offiine and we began an investigation to examine what happened. We also hired an expert computer forensics company to assist with our investigation. After completing a thorough analysis of the computer, the forensics company determined that a computer virus may have allowed an unauthorized person to access information on the computer.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Montana State University Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/montana-

Attribution 2 Publication: Missoulian Author: Date Published: Article Title: MSU: Employee Social Security numbers at risk Article URL: http://missoulian.com/news/state-and-regional/montana/msu-employee-social-security-numbers-at-risk/article_ac4e2c9

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-02 King County sheriff's office WA Electronic Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThousands for breached of people data. are now vulnerable to identity theft, and it's all because of a stolen laptop.

The information, which includes Social Security and drivers license numbers, was on a King County sheriff's office computer that was stolen from a detective.

Attribution 1 Publication: komonews.com Author: Date Published: Article Title: Detective's stolen laptop puts thousands at risk of identity theft Article URL: http://www.komonews.com/news/local/Stolen-sheriffs-office-laptop-puts-thousand-at-risk-of-identity-theft-212860341.ht

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-01 Foundations Recovery TN Electronic Medical/Healthcare Yes - Published # 5,690 Network **ITRC does not consider a password adequate protectionI am writing for breached on behalf data. of Foundations Recovery Network to inform you of a recent privacy incident concerning your personal information. On Saturday, June 15 th, one of our employees informed us that she had been the victim of a burglary during the early morning hours on June 15 th at approximately 2:45 a.m. and that her company laptop had been stolen. The laptop contained certain aspects of patient information which she needed as part of her role with our company. The employee reported the theft immediately to law enforcement authorities. We understand that the theft was one of several that took place in her neighborhood that night, so we do not believe the thief specifically targeted her or the laptop.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Foundations Recovery Network Article URL: https://oag.ca.gov/system/files/FRN%20Breach%20Notice%20Letter%20%28CA%29%20%28SSN%29_0_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130624-03 University of Illinois IL Electronic Educational Yes - Published # 3,000

**ITRC does not consider a password adequate protectionAnother for exploit breached of the data. former University of Illinois student known as the ECE Hacker has been uncovered, but police said the situation is under control.

Daniel Beckwitt was recently sentenced to probation in connection with the tampering of campus computers and e-mail accounts. And this week, it was made known that Beckwitt gained access to nearly 3000 social security numbers of residents at the Hendrick House residence hall in Urbana, where Beckwitt was at one time a resident.

Attribution 1 Publication: The News-Gazette Author: Date Published: Article Title: Another hack from former UI student uncovered Article URL: http://www.news-gazette.com/news/local/2013-06-20/another-hack-former-ui-student-uncovered.html

**ITRC does not consider a password adequate protectionThe social for breachednetworking data. giant Facebook just had a huge security breach, sharing 6 million Facebook users’ email addresses and phone numbers due to a bug in their software. Those users whose security has been compromised will be notified by email, according to Facebook.

Attribution 1 Publication: intomobile.com Author: Date Published: Article Title: Facebook Security Breach Exposes 6 Million Users’ Phone Numbers, Email Addresses Article URL: http://www.intomobile.com/2013/06/21/facebook-security-breach-exposes-6-million-users-phone-numbers-email-addres

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130624-01 Department of Education FL Electronic Educational Yes - Published # 47,000

**ITRC does not consider a password adequate protectionPersonal for information breached data. of roughly 47,000 teacher preparation program participants in the state was compromised for 14 days in late May, according to a statement Saturday by the Florida Department of Education.

Attribution 1 Publication: abcactionnews.com Author: Date Published: Article Title: Dept. of Education: Personal info breach for 47K teacher prep participants Article URL: http://www.abcactionnews.com/dpp/news/dept-of-education-personal-info-breach-for-47k-teacher-prep-participants

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-03 North Lincoln County OR Electronic Government/Military Yes - Published # 950 Community Health Center **ITRC does not consider a password adequate protectionDuring forthe breached evening of data. April 17, 2013 the North Lincoln County Community Health Center Clinic and surrounding offices in the same building, were broken into by an unknown person or persons. Locked doors, rooms and cabinets were forcibly entered. Money was taken from the clinic, but it appears no other records or materials were removed. No electronic devices were taken or accessed. However, the locked room which contains medical charts for our clients was breached.

Attribution 1 Publication: Lincoln County Media Release / Healthc Author: Date Published: Article Title: North Lincoln County Community Health Center Article URL: http://www.lincolncountyhealth.com/press/Lincoln%20County%20-%20Media%20Release%20-%20Notice.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-02 Gulf Breeze Family Eyecare FL Electronic Medical/Healthcare Yes - Published # 9,626

**ITRC does not consider a password adequate protectionGulf Breeze for breached Family Eyecare,data. Inc., d/b/a Sight and Sun Eyeworks Gulf Breeze has discovered a patient privacy issue. On May 17, 2013, Sight and Sun Eyeworks Gulf Breeze learned that its patients' personal information, including name, address, social security number and medical record had been accessed inappropriately.

Attribution 1 Publication: healthcareinfosecurity.com / hhs.go Author: Date Published: Article Title: Gulf Breeze Family Eyecare d/b/a Gulf Breeze Family Eyecare Article URL: http://www.healthcareinfosecurity.com/fifth-stanford-breach-leads-roundup-a-5848?rf=2013-06-20-eh&elq=f519ab7cae4

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-01 City of Houston TX Electronic Government/Military Yes - Published # 5,000

**ITRC does not consider a password adequate protectionTechnical for issuesbreached encountered data. by the city of Houston's payroll contractor could have potentially exposed personal information for nearly 5,000 local government workers, including more than 1,000 in the Houston Police Department.

Attribution 1 Publication: chron.com Author: Cindy George Date Published: Article Title: Payroll company error prompts security breach concern Article URL: http://www.chron.com/news/houston-texas/houston/article/Payroll-company-error-prompts-security-breach-4611194.ph

**ITRC does not consider a password adequate protectionCurtis Fullwood'sfor breached job data. was to help patients with mental health problems find work they could do in the South Florida State Hospital in Pembroke Pines, but instead, authorities say, he stole their identities.

Fullwood, 57, and his cousin, Terri Davis, 45, have pleaded not guilty to a federal indictment charging them with conspiracy to commit identity theft, conspiring to disclose individual's health information, access device fraud, wrongful disclosure of health information and aggravated identity theft.

Attribution 1 Publication: Sun Sentinel - PHIprivacy.net Author: Date Published: Article Title: Psychiatric patients' IDs stolen by hospital worker, feds say Article URL: http://www.sun-sentinel.com/fl-id-theft-psych-hospital-20130611,0,5669451.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-06 Lucile Packard Children's CA Electronic Medical/Healthcare Yes - Published # 12,900 Hospital **ITRC does not consider a password adequate protection Law enforcement for breached is data.investigating a recent computer theft at Lucile Packard Children’s Hospital at Stanford.

The incident was reported to the hospital by an employee on May 8. A password-protected, non-functional laptop containing limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement.

Attribution 1 Publication: LPCH company website Author: Date Published: Article Title: Lucile Packard Children's Hospital Article URL: http://www.lpch.org/aboutus/news/releases/2013/patient-notification.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-04 Vendini - University of MI Electronic Business Yes - Published # 33,000 Michigan **ITRC does not consider a password adequate protectionHackers for accessed breached the data. credit card information of tens of thousands customers of the University of Michigan's Union Ticket Office, the latest organization that has fallen victim to a breach affecting a third-party vendor.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Another victim comes forward in massive ticketing software company breach Article URL: http://www.scmagazine.com//another-victim-comes-forward-in-massive-ticketing-software-company-breach/article/2987

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-03 VAMC - Fayetteville NC Paper Data Government/Military Yes - Published # 1,093

**ITRC does not consider a password adequate protectionThe personal for breached information data. of more than 1,000 military veterans who were patients at the Veterans Affairs hospital in Fayetteville, N.C., was exposed after a hospital employee improperly disposed of the records. CHANGED FROM GOVERNMENT TO MEDICAL PER HHS.GOV 2/2014

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Veterans' patient information found in recycle bin Article URL: http://www.scmagazine.com//veterans-patient-information-found-in-recycle-bin/article/299254/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-02 VYC Tires Inc. PA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe (VYC for Tires,breached Inc.) data. are writing to you because of an incident which occurred with the off-site computer system which we use to manage and process our customer orders.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: VYC Tires Inc. Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/vyc-tires-i

**ITRC does not consider a password adequate protectionYour account for breached security data. is a top priority for Yolo Federal Credit Union. As part of our regular security process, we have identified your VISA card number as being at risk for unauthorized charges and are taking the proactive step of sending you a new VISA card.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Yolo Federal Credit Union Article URL: https://oag.ca.gov/system/files/Mbr%20notification%20letter%2007Jun13%20and%2010Jun13_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-10 LabCorp NC Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionIt was reportedfor breached on March data. 15, 2013, that a computer tagged for destruction was stolen from one of our facilities in Burlington, North Carolina. The incident affected 115 Maryland residents and the data elements included the patient first and last name, date of birth, and the Medicare Subscriber numbers.

Attribution 1 Publication: LabCorp Notification / phiprivacy.net Author: Date Published: Article Title: LabCorp Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227421.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-09 Republic Bank & Trust KY Paper Data Banking/Credit/Financial Yes - Unknown # 0 Company **ITRC does not consider a password adequate protectionEnclosed for pleasebreached find data. a copy of Incident Response Form 02152013-1 describing a potential security incident relative to personal information at Republic Bank & Trust Company. On January 28th an error occurred during the mailing process of 1 099c forms. As a result of our investigation, the Bank has identified that some of the correspondence that was shipped out had sensitive data partially or fully exposed in the envelope window, including social security or tax identification numbers, along with traditional address information.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Republic Bank & Trust Company Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226836.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-08 Verizon NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you that a thumb drive containing a Verizon document that had your name and Social Security number was recently lost, recovered and returned to Verizon. We understand the increased risks and sensitivity surrounding identity theft. As such, we are notifying you so that you may be vigilant for any signs of misuse of your information.

Attribution 1 Publication: MD AG's Office Author: Date Published: Article Title: Verizon Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227413.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-07 Mercer County Community NJ Electronic Educational Yes - Unknown # 0 College **ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a data security event that compromised the security of personal information. Mercer County Community College ("the College"), 1200 Old Trenton Road, West Windsor, NJ, 08550, is informing your office of pertinent facts that are known at this time related to an exposure of certain student personal information. Specifically, the College's local network security setting had been inadvertently set to permit all local network users access to a database intended to be accessible by those with administrator credentials only. This database contained the names, addresses (home and email), dates of birth, and Social Security numbers of certain College students.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Mercer County Community College Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-224417.pdf

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Publishers Circulation Fulfillment Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226834.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-05 Contact Solutions VA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionContact for Solutions breached has data. been notified that employee names and social security numbers may have been compromised. Summary: A spreaadsheet containing Contact Solutions employee names and social security numbers was inadvertently emailed to an external contractor whose email account was then compromised. No other personal information was contained in that specific file.'

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Contact Solutions Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226829.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-04 Emmorton Associates MD Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPlease forconsider breached this data.a security breach notification. On December 21, 2012, Emmorton Psych became aware of a possible breach of personal health information. We are unable to determine the exact date and the extent of the breach but.a possible information leakage occurred between December 10, 2012 and December 21, 2012. We will be notifying the affected individuals in as timely a mrumer as possible to reduce or eliminate potential harm.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Emmorton Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-224437.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-03 Calvert Internal Medicine MD Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionCalvert for Internal breached Medicine data. Group recently learned that one of our computers may have been compromised and that employee personal information, including names, addresses and social security numbers, could have been acquired by unauthorized persons. Although we have no definitive evidence of a compromise, we are taking, and would suggest you take, precautionary measures to assure that your personal information has not been misused.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: Calvert Internal Medicine Article URL: http://www.databreaches.net/?p=27864

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-02 Wyndham Vacation Resorts NJ 1/18/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of an unauthorized access to personal information involving two (2) Maryland residents. While under the circumstances of this incident we do not believe Wyndham Vacation Ownership, including its subsidiary Wyndham Vacation Resorts, Inc., ("Wyndham'') has a statutory obligation to notify your office pursuant to applicable law, we nonetheless thought it appropriate and advisable to notify your office of this incident. On or about January 18, we were informed by the Orlando, Florida, Police Department that it had arrested an individual later identified as a Wyndham employee, who had been tied to fraudulent credit card purchases.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Wyndham Vacation Resorts Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227153.pdf

**ITRC does not consider a password adequate protectionI am writing for breached to inform data. you of a potential breach of your confidential personal information that may have occurred during our payroll processing and the transfer of specific information to the Northeast Credit Union. This potential breach happened on Thursday, May 16th during the transfer of information from Edgewood to Northeast Credit Union which included your name, social security number, bank account number and the amount of money transferred into your account(s).

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Edgewood Centre Article URL: http://doj.nh.gov/consumer/security-breaches/documents/edgewood-centre-20130520.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-08 Goldner Associates VT Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe recently for breached notified data.you of the security incident involving the [Goldner customer name] online store. As we noted in the email that we sent to you, Goldner Associates provides services to [Goldner customer name]. By way of update from our May 17th email, we have now confirmed that on May 14, 2013 there was unauthorized access to the server of our service provider hosting the [Goldner customer name) online store. We have also confirmed that these unauthorized third parties obtained your name, credit card or debit card number for the card noted above and the expiration date and CVV code of that card, and your address and phone number. Since we do not collect PINs for debit cards, social security numbers, dates of birth or driver's license information, these types of personal information were not involved.

Attribution 1 Publication: VT AG's office / NH AG's office Author: Date Published: Article Title: Goldner Associates Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/oldner-as

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-07 Green Mountain Club VT Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to you data. because of recent security incident at the Green Mountain Club. Our website was compromised and personal information may have been stolen including: address, phone number, email address, and credit card number.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Green Mountain Club Article URL: http://www.atg.state.vt.us/assets/files/Green%20Mountain%20Club%20Security%20Breach%20Notice%20Ltr%20to%20c

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-06 Independence Care System NY Electronic Medical/Healthcare Yes - Published # 2,434

**ITRC does not consider a password adequate protectionIndependence for breached Care data.System, a long-term care insurance provider based in New York, is notifying more than 2,400 of its members about the theft of an unencrypted laptop containing sensitive information.

Attribution 1 Publication: Data Breach Today Author: Date Published: Article Title: Independence Care System Article URL: http://www.databreachtoday.com/payroll-information-breach-leads-roundup-a-5831

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-05 Health Resources of Arkansas AR Electronic Medical/Healthcare Yes - Published # 1,911

**ITRC does not consider a password adequate protectionOther physical for breached breaches data. can’t be avoided, such as at Health Resources of Arkansas, where 1,911 patient records were potentially compromised on April 14, 2013. One of its locations was robbed and though no records were stolen, the office did contain protected health information (PHI) such as name, address, date of birth, Social Security number, diagnosis, type of treatment, class attended, court information, services provided or insurance information of persons served by that location.

Attribution 1 Publication: HHS.gov / HealthIT Security Author: Date Published: Article Title: Health Resources of Arkansas Article URL: http://healthitsecurity.com/2013/06/11/carefirst-reports-three-separate-breaches-to-oag/

**ITRC does not consider a password adequate protectionRaley's for Family breached of Fine data. Stores, a supermarket chain with more than 120 stores in California and Nevada, has been stung by a hack that compromised the credit and debit card information of its customers.

Raley's spokeswoman Nicole Townsend said a "portion" of its computer systems were the target of a “complex, criminal cyber attack,” she said in a Thursday statement posted on Raley's website. No further details about the intrusion were provided.

Attribution 1 Publication: Raley's website Author: Date Published: Article Title: Raley's Family of Fine Stores Targeted in Cyber Attack Article URL: http://www.raleys.com/www/feature/media.jsp?viewFullSite=yes

Attribution 2 Publication: scmagazine.com Author: Date Published: Article Title: Hackers invade Raley's grocery chain Article URL: http://www.scmagazine.com/hackers-invade-raleys-grocery-chain/article/296778/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-03 Sutter Health East Bay Region CA Electronic Medical/Healthcare Yes - Published # 4,479

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you that on May 23, 2013, the Alameda County Sheriff's office notified us that personal information pertaining to a number of people, including you, was recovered during and investigation. The information may have originated from Sutter Health's Alta Bates Summitt Medical Center, Sutter Delta Medical Center or Eden Medical Center, and may have included the following: your name, SSN, date of birth, gender, address, zip code, home phone number, marital status, name of your employer and your work phone number.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Sutter Health East Bay Region Article URL: https://oag.ca.gov/system/files/Patient%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-02 Inland Empire Health Plan - CA Electronic Medical/Healthcare Yes - Published # 1,566 SynerMed **ITRC does not consider a password adequate protectionThe purpose for breached of this letterdata. is to report a security incident of which SynerMed has become aware, that involved the theft from one of our employees of a laptop computer containing protected health information (PHI) of members of Inland Valleys IPA (IVIPA).

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: SynerMed Article URL: https://oag.ca.gov/system/files/Sample%20Member%20Notice_0.pdf?

Attribution 2 Publication: SC Magazine Author: Date Published: Article Title: Laptop stolen from Calif. health care provider exposing data of 1,500 Article URL: http://www.scmagazine.com//laptop-stolen-from-calif-health-care-provider-exposing-data-of-1500/article/298999/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-01 County of Brookhaven NY Electronic Government/Military Yes - Published # 78

**ITRC does not consider a password adequate protectionBrookhaven for breached Supervisor data. Edward P. Romaine on Thursday handed off an investigation into the inadvertent online posting of personal information to the town's law department -- the same unit that made the mistake.

Attribution 1 Publication: newsday.com Author: Deon J. Hampton Date Published: Article Title: Brookhaven data breach 'was clerical error,' officials say Article URL: http://www.newsday.com/long-island/towns/brookhaven-data-breach-was-clerical-error-officials-say-1.5426405

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130606-01 Arlington School District TX Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionArlington for school breached district data. employees and some former employees were notified this week that two laptops possibly containing their personal information were stolen overnight May 27 from the administration building.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Star-Telegram Author: Date Published: Article Title: Arlington school employees notified about possible d Article URL: http://www.star-telegram.com/2013/06/05/4912668/arlington-school-district-employees.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130605-02 Bon Secours Hampton VA Electronic Medical/Healthcare Yes - Published # 5,000 Roads Health System **ITRC does not consider a password adequate protectionVirginia's for Bonbreached Secours data. Hampton Roads Health System recently announced the firing of two nursing assistants for improperly accessing patients' medical records (h/t PHIprivacy.net). UPDATED WITH RECORDS 2/2014

According to a statement from the health system, the information improperly accessed included one or more of the following: names, birthdates, dates and times of service, provider and facility names, hospital medical record and account numbers (which may have included Social Security numbers), and treatment information.

Attribution 1 Publication: BSHR website Author: Date Published: Article Title: Bon Secours Notifying Patients of Information Security Breach Article URL: http://bshr.com/news-and-events-news-room.html?newsID=DFC45C92-9F5B-46BC-BB59-064AD5F92643

Attribution 2 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Virginia Health System Admits Security Breach Article URL: http://www.esecurityplanet.com/network-security/virginia-health-system-admits-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130605-01 University of Massachusetts - MA Electronic Educational Yes - Unknown # 0 Center for Language, Speech **ITRC does not consider a password adequate protectionUMass forofficials breached are notifyingdata. patients of the school’s Center for Language, Speech, and Hearing that their personal health data may have been compromised after malware infected a workstation.

Attribution 1 Publication: WGGB.com Author: Date Published: Article Title: Patients of UMass Center Warned of Security Breach Article URL: http://www.wggb.com/2013/06/04/patients-of-umass-center-warned-of-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-04 Shumsky Promotional Agency OH Electronic Business Yes - Published # 1,400

**ITRC does not consider a password adequate protectionOn May for 16, breached 2013, Shumsky data. was notified by its e-commerce platform provider that on May 14, 2013, an unauthorized third party accessed the e-commerce platform and accessed nearly 1,400 of Shumsky cardholder records.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Shumsky Promotional Agency Article URL: https://oag.ca.gov/system/files/CardHolder_Notice_PRINT_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-03 Godiva Chocolatier Inc. PA Electronic Business Yes - Published # 957

**ITRC does not consider a password adequate protectionOn April for 15, breached 2013, Godiva data. received a letter informing us that an individual, without authorization, had obtained and accessed a flash drive containing certain personal information about some individuals who worked at Godiva, or applied for positions at Godiva, prior to August 5, 2010. The information accessed varies from individual to individual, but could, in some cases, include names, addresses, social security numbers, phone numbers, and other information related to employment records at Godiva.

Attribution 1 Publication: MD AG's office / CA AG's office Author: Date Published: Article Title: Godiva Chocolatier Inc. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-230752.pdf

**ITRC does not consider a password adequate protectionThis letter for breachedis being sent data. to you because our records indicate that you were a guest at Anasazi Hotel LLC (“Anasazi”) sometime between June 18, 2012 and March 21, 2013, and one or more credit cards was used as payment at our facility in connection with your stay with us. As described in more detail below, we have discovered that cards processed at Anasazi during that time period may have been accessed by an unauthorized person. We wanted to inform you of our investigation of this incident, let you know of the steps we suggest you take to protect yourself against any potential identity theft, and offer you an identity theft protection service at no charge to you, as described in greater detail below and in the enclosed materials.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Anasazi Hotel LLC Article URL: https://oag.ca.gov/system/files/Anasazi%20-%20Sample%20Consumer%20Security%20Breach%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-01 RentPath, Inc. (Primedia) GA Electronic Business Yes - Published # 56,000

**ITRC does not consider a password adequate protectionWe recently for breached discovered data. a security incident that occurred at our offices which may have resulted in the exposure of some of your personal information. At this time, we are not aware of any misuse of your personal information. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this may cause you.

Attribution 1 Publication: eSecurity Planet / VT AG's office Author: Jeff Goldman Date Published: Article Title: RentPath Security Breach May Have Exposed 56,000 Social Security Numbers Article URL: http://www.esecurityplanet.com/network-security/rentpath-security-breach-may-have-exposed-56000-social-security-nu

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130603-02 Office of Lee D. Pollan, DMD NY Electronic Medical/Healthcare Yes - Published # 19,178

**ITRC does not consider a password adequate protectionIn January, for breached attorneys data. for Lee D. Pollan, DMD, PC notified the NYS Division of Consumer Protection that PHI of 13,806 former patients was on a missing laptop. The laptop reportedly went missing from the oral surgeon’s office in North Chili, New York sometime after November 6, 2012 and was discovered missing on November 15, 2012. Dr. Pollan had closed his private practice in December 2011, but still needed to access the patient data at times, which is why the laptop was in his current office. On January 11, Dr. Pollan notified those affected that the laptop was probably stolen from his office, and their names, addresses, dates of birth, Social Security numbers, diagnosis code, surgical billing codes, and person responsible bills were on it. The laptop was password protected, but the files were not encrypted. As he explained, Dr. Pollan thought the laptop would be secure in his current office. Although the laptop was stolen, the patients’ data had been backed upOr, and Dr. Pollan indicated that he was (now) encrypting the backup drive.

Attribution 1 Publication: Dissent / Phiprivacy.net Author: Date Published: Article Title: Oral surgeon notifies former patients after laptop with their PHI was stolen from his office Article URL: http://www.phiprivacy.net/?p=12796&utm_source=feedly

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130603-01 Champlain College VT Electronic Educational Yes - Published # 14,217

**ITRC does not consider a password adequate protectionChamplain for breached College is data. offering data protection services to more than 14,000 students and their families after a computer drive containing their Social Security numbers and other data was left unsecured in a computer lab.

Attribution 1 Publication: AP / VT AG's office Author: Date Published: Article Title: Champlain College Warns Of Data Security Breach Article URL: http://digital.vpr.net/post/champlain-college-warns-data-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130531-02 Beachbody, LLC CA Electronic Business Yes - Published # 764

**ITRC does not consider a password adequate protectionWe represent for breached Beachbody, data. LLC ("Beachbody"), and are writing to notify you of a data event that compromised the security of personal information of one hundred sixty one ( 161) New Hampshire residents.

Attribution 1 Publication: NH AG's office / MD AG's office Author: Date Published: Article Title: Beachbody, LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/beachbody-20130523.pdf

**ITRC does not consider a password adequate protectionBon Secours for breached has terminated data. the employment of two CNAs, certified nursing assistants, for improper use of the health system's electronic medical records at Mary Immaculate Hospital in Newport News, it announced Wednesday.

Attribution 1 Publication: Daily Press Author: Prue Salasky Date Published: Article Title: Electronic health records breach reported Article URL: http://www.dailypress.com/health/dp-nws-electronic-records-breach-0530-20130530,0,2904197.story?goback=%2Egde_

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130530-01 Department of Motor Vehicles UT Electronic Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protection FOX 13 for News breached has learned data. authorities are investigating a data breach of personal information at the Utah Department of Motor Vehicles. Investigators are accusing a former employee at the DMV of taking people’s information and passing it to others, who would then go out and commit crimes. But state officials acknowledge they may have no way of knowing how widespread the problem is.

Attribution 1 Publication: Fox 13 News - SLC Author: Ben Winslow Date Published: Article Title: Authorities investigate personal info data breach at DMV Article URL: http://fox13now.com/2013/05/29/authorities-investigate-personal-info-data-breach-at-dmv/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130529-01 University of Florida - Health FL Electronic Medical/Healthcare Yes - Published # 5,682 Pediatrics **ITRC does not consider a password adequate protectionAn employee for breached working data. at a University of Florida medical practice who had ties to an identity theft ring may have compromised patient personal and health information.

Attribution 1 Publication: Campus website Author: Date Published: Article Title: Parents, patients notified of potential identity theft incident Article URL: http://news.ufl.edu/2013/05/29/potential-identity-theft-2/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-09 Hawaii State Department of HI Electronic Medical/Healthcare Yes - Published # 674 Health **ITRC does not consider a password adequate protectionHawaii forState breached Department data. of Health, Adult Mental Health Division disclosed a breach in October 2012 that is also first appearing on HHS’s breach tool. According to the entry, 674 clients were affected by a hack that occurred on September 25, 2012.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Hawaii State Department of Health Article URL: http://www.phiprivacy.net/?s=silverscript

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-08 Sovereign Medical Group NJ Electronic Medical/Healthcare Yes - Published # 27,800

**ITRC does not consider a password adequate protectionSovereign for breachedMedical Group, data. LLC in New Jersey reported that 27,800 were affected by a breach on October 10, 2012. HHS’s breach tool codes the incident as “Theft, Hacking/IT Incident”, Network Server,”

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Sovereign Medical Group Article URL: http://www.phiprivacy.net/?s=silverscript

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-07 Silver Script Insurance AZ Paper Data Medical/Healthcare Yes - Published # 852 Company **ITRC does not consider a password adequate protectionSilver Script for breached Insurance data. Company AZ 852 10/31/2012 Unauthorized Access/Disclosure Paper

Attribution 1 Publication: hhs.gov / datalossdb.org Author: Date Published: Article Title: SilverScript Insurance Company Article URL: http://datalossdb.org/incidents/10191-852-paper-records-compromised-by-unauthorized-access

How is this report produced? What are the rules? See last page of report for details.

Attribution 2 Publication: hhs.gov Author: Date Published: Article Title: Silver Script Insurance Company Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-06 HealthMarkets TX Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionRecently for HealthMarkets, breached data. Inc. subsidiaries became aware of an inadvertent distribution of personal non-public information maintained by our subsidiaries. Upon notification of the error, we performed an investigation to determine the amount and content of information that was released and the parties who were involved. The personal information that was included in the electronic communication included a list of agents' names, addresses, social security numbers, date of birth and some financial information. Our investigation included interviews with employees and inspection of all affected electronic records.

Attribution 1 Publication: NH AG's Office Author: Date Published: Article Title: HealthMarkets Article URL: http://doj.nh.gov/consumer/security-breaches/documents/healthmarkets-20130514.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-05 Callaway Gardens GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionCallaway for Gardens breached is data. reporting a breach of its credit card security system in an announcement Friday, suggesting that private customer information that can be used for financial fraud might have been taken.

Attribution 1 Publication: Atlanta Journal Constitution Author: Date Published: Article Title: Callaway Gardens alerts customers about credit card security breach Article URL: http://www.ajc.com/news/news/breaking-news/callaway-gardens-alerts-customers-about-credit-car/nX3g7/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-04 Sonoma Valley Hospital CA Electronic Medical/Healthcare Yes - Published # 1,386

**ITRC does not consider a password adequate protectionWhat happened? for breached A hospitaldata. worker accidentally uploaded the patient data onto the hospital's public website as part of a routine update, according to a news release. The data was not directly accessible through the website, but did show up in search engine queries.

Attribution 1 Publication: SC Magazine Author: Marcos Colon Date Published: Article Title: Hospital posts personal patient information on public website Article URL: http://www.scmagazine.com//hospital-posts-personal-patient-information-on-public-website/article/295190/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-03 Department of State Hospitals CA Electronic Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protectionDSH discovered for breached that data. an employee roster containing confidential personal information was placed on the Patton State Hospital intranet website by mistake. The personal information was the first name, middle initial and last name, social security number, DSH position number and title, and Bargaining Unit of DSH-Patton employees, including you. This was on the intranet website for approximately 6 hours on May 8, 2013 until the mistake was discovered and corrected. CHANGED FROM MEDICAL TO GOVERNMENT 2/2014

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Department of State Hospitals Article URL: https://oag.ca.gov/system/files/DSH%20SSN%20Breach%20Template%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-02 Jackson Health System FL Electronic Medical/Healthcare Yes - Published # 566

**ITRC does not consider a password adequate protectionWith the for approval breached of data.law enforcement officials, Jackson Health System, a nonprofit that includes 2,500 beds among six hospitals, only recently disclosed the March 2012 incident, which involved 556 patients. In what could be fodder for a television show on dumb criminals, Jackson officials said the theft came to light when three men were spotted sitting in a Miramar, Fla., McDonald’s parking lot, attempting to use the restaurant’s free WiFi connection to file fraudulent tax returns.

Attribution 1 Publication: AIS Health / hhs.gov Author: Date Published: Article Title: Identity Theft Ring Results in Smartphone Ban at Health System Article URL: http://aishealth.com/archive/hipaa0113-03?utm_source=Fierce

How is this report produced? What are the rules? See last page of report for details.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-01 Jackson Health System FL Paper Data Medical/Healthcare Yes - Published # 1,471

**ITRC does not consider a password adequate protectionJackson for Health breached System data. is reporting more issues with protecting patient data. Shortly after a 566-patient breach that was announced in December 2012, Jackson lost more than 1,400 patients’ data in January 2013 and have sent those patients notification letters.

Attribution 1 Publication: HealthITSEcurity / phiprivacy.net Author: Patrick Ouellette Date Published: Article Title: New patient data breach reported at Jackson Health System Article URL: http://healthitsecurity.com/2013/05/28/new-patient-data-breach-reported-at-jackson-health-system/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130523-02 Idaho State University - ID Electronic Medical/Healthcare Yes - Published # 17,500 Pocatello Family Medicine **ITRC does not consider a password adequate protectionIdaho State for breached University data. (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Idaho State University Settles HIPAA Security Case for $400,000 Article URL: http://www.phiprivacy.net/?p=12728

Attribution 2 Publication: Author: Date Published: Article Title: Article URL:

Attribution 3 Publication: Author: Date Published: Article Title: Article URL: http://www.phiprivacy.net/?p=12728

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130523-01 Venidini Inc. / South Orange CA Electronic Business Yes - Published # 23,000 PAC **ITRC does not consider a password adequate protection The Maine for breached Attorney data.General's office is issuing an alert for people who may have used an out-of-state service for buying tickets for shows and other forms of entertainment recently.

The service, Venidini, Inc., has been hacked, exposing financial information for tens of thousands of customers.

Attribution 1 Publication: WCSH6.com Author: Date Published: Article Title: Data breach may affect 23,000 Mainers who bought tickets online Article URL: http://www.wcsh6.com/news/article/244721/2/Data-breach-may-affect-Mainers-who-bought-tickets-online

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130522-01 DHS - Customs and Border DC Electronic Government/Military Yes - Unknown # 0 Protection **ITRC does not consider a password adequate protectionTens of for thousands breached of data. current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in a vendor's system used for processing background investigations.

Attribution 1 Publication: Federalnewsradio.com Author: Jason Miller Date Published: Article Title: Data breach puts DHS employees at risk of identity theft Article URL: http://www.federalnewsradio.com/473/3332836/Data-breach-puts-DHS-employees-at-risk-of-identity-theft

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-12 Toshiba America Information CO Electronic Business Yes - Unknown # 0 Systems **ITRC does not consider a password adequate protectionRevana, for Inc. breached and TeleTech data. Services, Corp. (together, "Revana") provide customer services to Toshiba America Information Systems, Inc. ("TAIS"). Revana is contacting you on behalf of TAIS pursuant to N.H Rev. Stat. § 359-C:20(1)(b) concerning a data security incident involving the personal information of four New Hampshire residents. Revana uses a data protection tool to detect when certain types of personal information are exported out of its system. On April 8, 2013, Revana discovered that one of its employees had improperly saved the personal information of one TAIS customer residing in New Hampshire outside ofRevana's secure network in violation of company policies. This information consisted of names, addresses, credit card account numbers, credit card expiration dates and CVVs (card security codes).

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Toshiba America Information Systems Article URL: http://doj.nh.gov/consumer/security-breaches/documents/toshiba-america-20130430.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-11 El Centro Regional Medical CA Paper Data Medical/Healthcare Yes - Published # 189,489 Center **ITRC does not consider a password adequate protectionOn March for breached22, 2013, data.El Centro Regional Medical Center (ECRMC) was notified that x-rays ECRMC had provided to a trusted vendor for digitization and destruction were missing from a storage warehouse and may not have been properly destroyed. ECRMC immediately began a thorough internal investigation to determine what happened to the x-rays, but has been unable to find the missing x-rays. ECRMC has also not been able to make contact with the vendor. The radiology films and records are for dates of service prior to February 2011. As a precaution, ECRMC began sending letters to affected patients on May 7 to let them know this occurred.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Notice Regarding Missing X-Rays for El Centro Regional Medical Center Patients Article URL: http://www.phiprivacy.net/?p=12650

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-10 Public Health Center - Seattle WA Paper Data Medical/Healthcare Yes - Published # 750 & King County **ITRC does not consider a password adequate protectionThis posting for breached is to inform data. you that, on March 7, 2013, a substitute custodian employed by the building owner at Downtown Public Health Center disposed of some clients' protected health information in a way that did not follow proper procedure.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Public Health Center - Seattle & King County Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-09 Orthopedics & Adult TX Electronic Medical/Healthcare Yes - Published # 22,000 Reconstructive Surgery **ITRC does not consider a password adequate protectionOrthopedics for breached & Adult data.Reconstructive Surgery in Texas reported that their business associate, AssuranceMD (formerly known as Harbor Group) lost a portable electronic device sometime during the first half of March. The device contained information on 22,000 patients.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Orthopedics & Adult Reconstructive Surgery Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-08 Stronghold Counseling SD Electronic Medical/Healthcare Yes - Published # 8,500 Services, Inc. **ITRC does not consider a password adequate protectionStronghold for breached Counseling data. Services Inc. of South Dakota reported that 8,500 patients had information on a computer stolen on December 24, 2012.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Stronghold Counseling Services, Inc. Article URL: http://www.phiprivacy.net/?p=12692

On February 22, 2013, the Center discovered that a central processing unit (CPU) had been removed from a staff member’s office at its 70 Grand Street, New Rochelle, New York location. The Center immediately conducted a preliminary investigation into the incident and determined that the CPU was taken on February 21, 2013. The Center notified local law enforcement and filed a police report. The New Rochelle Police Department is currently investigating the incident.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Guidance Center of Westchester Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-06 Valley Mental Health UT Electronic Medical/Healthcare Yes - Published # 700

**ITRC does not consider a password adequate protectionValley Mentalfor breached Health data. of Utah reported that 700 patients had information on a stolen computer. The theft occurred on February 27, and I can find no statement on their web site or substitute notice anywhere.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Valley Mental Health Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-05 Wood County Hospital OH Electronic Medical/Healthcare Yes - Published # 2,500

**ITRC does not consider a password adequate protectionAuthorities for breached are investigating data. the theft of radiology films of between 2,000 to 2,500 patients stolen in March from a Wood County Hospital storage room.

Catharine Harned, director of marketing and business development for Wood County Hospital, said the radiology films were among those being prepared for destruction through recycling.

“The individuals who committed the theft gained access posing as subcontractors that the vendor retained for recycling,” Ms. Harned said. She said footage of the suspects was recorded by cameras and the hospital is working with the Bowling Green Police Department to identify the suspects.

Attribution 1 Publication: toledoblade.com / phiprivacy.net Author: Date Published: Article Title: Police probe theft of radiology films Article URL: http://www.toledoblade.com/Police-Fire/2013/05/09/Police-probe-theft-of-radiology-films.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-04 Delta Dental of Pennsylvania PA 3/20/2013 Paper Data Medical/Healthcare Yes - Published # 14,829

**ITRC does not consider a password adequate protectionDelta Dental for breached of Pennsylvania data. notified 14,829 employees of Select Medical Corporation that a mailing to their employer arrived with pages missing that contained enrollees’ personal information.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Delta Dental of Pennsylvania Article URL: http://www.phiprivacy.net/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-03 NTT Docomo USA NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionNTT DOCOMO for breached USA, data. Inc. recently discovered that, on April26, 2013, due to an unauthorized external access to our server from an outside source, information pertaining to some of our DOCOMO USA Wireless™ subscribers was accessed. Through our investigation, we have determined that the personal information involved in this incident included name and payment card information. We deeply regret that this incident occurred and take very seriously the security of personal information.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: NTT Docomo USA Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/ntt-docom

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-02 ThyssenKrupp OnlineMetals WA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you that personal information collected through the ThyssenKrupp OnlineMetals, LLC website, www.onlinemetals.com, may have been compromised. We deeply regret that this incident occurred, and because you are potentially affected, we want to share with you what we know and urge you to take steps to protect your personal information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: ThyssenKrupp OnlineMetals Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/thyssenkr

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-01 Community Health Med- IN Electronic Medical/Healthcare Yes - Published # 180 Check **ITRC does not consider a password adequate protectionAfter learning for breached of a former data. employee stealing patient identities, Community Health Med-check in Speedway, Ind. has notified about 180 patients that their data may have been compromised.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Community Health sends patients data breach notifications Article URL: http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130520-02 LSU Health Shreveport LA Paper Data Medical/Healthcare Yes - Published # 8,330

**ITRC does not consider a password adequate protectionLSU Health for breached Shreveport data. recently began notifying patients that a processing error at Siemens Healthcare, which prints and mails doctors' bills on behalf of LSU Health, resulted in the exposure of 8,330 patients' personal information (h/t PHIprivacy.net).

Attribution 1 Publication: eSecurity Planet / phiprivacy.net Author: Jeff Goldman Date Published: Article Title: LSU Health Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/lsu-health-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130520-01 Piedmont HealthCare NC Electronic Medical/Healthcare Yes - Published # 10,000

**ITRC does not consider a password adequate protectionA local forhealthcare breached company data. is now trying to contact 10,000 job applicants whose private information was exposed in a major security breach.

Attribution 1 Publication: WSOCTV.com / VT AG's office Author: Date Published: Article Title: Information for 10K job applicants exposed in security breach Article URL: http://www.wsoctv.com/news/news/local/piedmont-compromise/nXtt3/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130517-10 City of Akron OH Electronic Government/Military Yes - Published # 8,000

**ITRC does not consider a password adequate protectionThe city for of breached Akron notified data. Friday some of the taxpayers whose personal information — possibly including Social Security numbers, credit card numbers and checking account numbers — was compromised in a cyber attack and posted on the Internet.

Attribution 1 Publication: Beacon Journal Author: Betty Lin-Fisher Date Published: Article Title: Akron notifies some people named in hacked city files; victims appear to be individuals who e-filed city taxes in 2013 Article URL: http://www.ohio.com/news/break-news/akron-notifies-some-people-named-in-hacked-city-files-victims-appear-to-be-ind

**ITRC does not consider a password adequate protectionA local fordentist's breached office data. is working to ensure its patients' records are secure after a virus attacked the office's computer system in March.

Staff at Erskine Family Dentistry, 734 E. Ireland Road, say there is no indication the virus has accessed the personal information of patients, according to a news release.

Attribution 1 Publication: South Bend Tribune / phiprivacy.net / hh Author: Date Published: Article Title: Local dentist office faced with computer security breach Article URL: http://www.southbendtribune.com/news/sbt-local-dentist-office-faced-with-computer-security-breach-20130514,0,68688

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130516-02 Louisiana State University LA Paper Data Medical/Healthcare Yes - Published # 8,330

**ITRC does not consider a password adequate protectionA database for breached error in adata. computer entry field led to the disclosure of personal health information of 8,330 LSU Health patients.

The hospital says it notified each patient on Wednesday of the release of personal information and that each patient's bill contained incorrect information. A hospital news release says no Social Security numbers, birth dates, or financial account numbers were disclosed.

Attribution 1 Publication: ksla.com Author: Date Published: Article Title: LSU Health: Personal information of 8,300 patients unintentionally released Article URL: http://www.ksla.com/story/22265674/lsu-health-personal-information-of-8300-patients-unintentionally-released

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130516-01 Dent Neurologic Institute NY Electronic Medical/Healthcare Yes - Published # 10,000

**ITRC does not consider a password adequate protectionConfidential for breached information data. about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an email attachment.

The personal information – including patients’ names and home addresses, their doctors’ names, last appointment dates and their email addresses – was contained on an Excel patient spreadsheet.

Attribution 1 Publication: The Buffalo News / hhs.gov Author: Melinda Miller Date Published: Article Title: Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients Article URL: http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130514/CITYANDREGION/130519516/1003

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-09 Sedgwick Claims TN Electronic Business Yes - Unknown # 0 Management Services, Inc. **ITRC does not consider a password adequate protectionSedgwick for coordinatesbreached data. your short term disability claim for and we take your privacy very seriously. That is why we are very sorry to report that we became aware on April 8, 2013 that information containing your name, Social Security Number, and employee ID was obtained by an unauthorized party through a sophisticated attack on an individual Sedgwick desk top computer.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Sedgwick Claims Management Services, Inc. Article URL: http://doj.nh.gov/consumer/security-breaches/documents/sedgwick-claims-20130506.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-08 Pearl Izumi CA Electronic Business Yes - Published # 1,250

**ITRC does not consider a password adequate protectionWe are for notifYing breached you data. in connection with a recently uncovered security breach that may have affected your account with Pearl Izumi. On February 18th, 2013, we discovered that malware had been introduced into our online store without our knowledge. As we had recently implemented a new monitoring system to combat just this kind of issue, we were able to eliminate this potential threat soon after discovery, and we believed at the time that the breach affected only a handful of customers.

Attribution 1 Publication: NH Ag's Office Author: Date Published: Article Title: Pearl Izumi Article URL: http://doj.nh.gov/consumer/security-breaches/documents/pearl-izumi-20130429.pdf

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a data event that may have compromised the security of personal information of two (2) New Hampshire residents. Peoples Bank of Commerce, 234 E. First A venue, Cambridge, MN 55008 is informing your office of pertinent facts that are known at this time related to the data event described below. Peoples Bank of Commerce retained privacy and data security legal counsel to assist in the ongoing investigation of, and response to, the incident.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Peoples Bank of Commerce Article URL: http://doj.nh.gov/consumer/security-breaches/documents/peoples-bank-20130501.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-06 IHS Inc. (Janes) CO Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a data security incident involving IHS Inc. On February 22, 2013, IHS discovered that some of our databases, including those containing personal information you provided as a customer of IHS Jane's, were illegally accessed by unauthorized parties. Our investigation indicates that the unauthorized parties acquired the relevant data from the IHS Jane's environment on or about November 22, 2012.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: IHS Inc. (Janes) Article URL: http://doj.nh.gov/consumer/security-breaches/documents/ihs-inc-20130502.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-05 Columbia University Medical NY Electronic Medical/Healthcare Yes - Published # 407 Center **ITRC does not consider a password adequate protectionOn March for breached15, 2013 Columbiadata. University Medical Center of Columbia University ("CUMC") was informed that a file containing personal information of 407 medical students from the graduating classes of years 2008, 2009 and 2013 had been released inadvertently to Columbia students, faculty, and staff via email. One (1) New Hampshire residents were among those affected.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Columbia University Medical Center Article URL: http://doj.nh.gov/consumer/security-breaches/documents/columbia-university-medical-center-20130506.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-04 PHH Corporation GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to let data.you know that, on April 3, 2013, we learned that a temporary worker placed at a PHH Corporation (“PHH”) location had been indicted in connection with identity fraud unrelated to the work performed at PHH. The individual is no longer working at PHH. Because the temporary worker had access to personal information of certain PHH current and former employees and applicants, we promptly initiated a review of the individual’s access to this information. We are cooperating with law enforcement authorities to investigate the issue.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: PHH Corporation Article URL: https://oag.ca.gov/system/files/Letter%20Version%201_proof_PHH_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-03 Equity Trust Company OH Electronic Banking/Credit/Financial Yes - Published # 5,953

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you that a portion of Equity Trust’s computer network was recently accessed by an unauthorized third party. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us. Accordingly, upon discovering the event, we promptly installed software to block similar intrusions, and denied access to our network from certain international locations. Although we did not find any evidence that the unauthorized third party actually acquired, copied or removed any customer information from our network, we want to inform you about the situation and encourage you to take the steps set forth in this notice.

Attribution 1 Publication: MD AG's office / CA AG's office Author: Date Published: Article Title: Equity Trust Company Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226404.pdf

**ITRC does not consider a password adequate protectionThe Oklahoma for breached City-based data. wireless companies TerraCom and YourTel America said Monday that journalists had accessed the personal information of about 150,000 prospective clients and that the personal information of 200 people had been readily available online via a simple Google search.

Attribution 1 Publication: NewsOK Author: Brianna Bailey Date Published: Article Title: Oklahoma City-based wireless companies report data breach Article URL: http://newsok.com/article/3809598

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-01 Presbyterian Anesthesia NC Electronic Medical/Healthcare Yes - Published # 9,988 Associates **ITRC does not consider a password adequate protectionThe credit for breachedcard information data. of nearly 10,000 people may have been accessed in a data breach at a Charlotte medical practice.

Presbyterian Anesthesia Associates has disclosed that a hacker broke through a security flaw of the practice’s website to gain access to a database of personal information, including names, contact information, dates of birth and credit card numbers for 9,988 people.

Attribution 1 Publication: Charlotte Observer Author: Andrew Dunn Date Published: Article Title: Presbyterian Anesthesia reports data breach affecting nearly 10,000 Article URL: http://www.charlotteobserver.com/2013/05/13/4039763/presbyterian-anesthesia-reports.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130513-02 Regional Medical Center TN Electronic Medical/Healthcare Yes - Published # 1,200

**ITRC does not consider a password adequate protectionThe sending for breached of three data. emails including personally identifiable information of patients between October 2012 and February 2013 has led the Regional Medical Center in Memphis (the MED) to report a health data breach, according to a public notice issued by the healthcare organization on May 9, 2013. The details from the notice are sparse. The organization determined on March 15, 2013, that three emails were sent on Oct. 29, 2012; Nov. 1, 2013; and Feb. 4, 2013. Each contained some protected health information (PHI) of patients receiving outpatient physician therapy treatment between May 1, 2012, and Jan. 31, 2013.

Attribution 1 Publication: Healthitsecurity.com Author: Kyle Murphy, PhD Date Published: Article Title: Memphis Regional Medical Center reports health data breach Article URL: http://healthitsecurity.com/2013/05/13/memphis-regional-medical-center-reports-health-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130513-01 Indiana University Health IN Electronic Medical/Healthcare Yes - Published # 10,350 Arnett **ITRC does not consider a password adequate protectionMore than for breached10,000 patients data. of Indiana University Health Arnett are receiving notifications that some of their personal information was on a laptop computer stolen last month

Attribution 1 Publication: jconline.com Author: Date Published: Article Title: IU Health Arnett laptop stolen Article URL: http://www.jconline.com/article/20130510/NEWS03/305100032/IU-Health-Arnett-laptop-stolen?gcheck=1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130510-02 Lutheran Social Services of PA Electronic Business Yes - Published # 7,300 South Central PA **ITRC does not consider a password adequate protectionLutheran for Social breached Services data. of South Central Pennsylvania recently made 7,300 current and former senior residents aware of a data breach that was discovered in March. According to YorkDispatch.com, the root of the issue was a malware program that the organization’s IT staff found during a routine system check of the four York senior living locations. Potentially-compromised data includes residents’ names, dates of birth, Social Security numbers, Medicare numbers, health insurance numbers and payer names and medical diagnosis codes.

Attribution 1 Publication: Author: Date Published: Article Title: Southern Penn. senior living experiences resident data breach Article URL: http://healthitsecurity.com/2013/05/09/southern-penn-senior-living-experiences-resident-data-breach/

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130510-01 Administrative Office of the WA Electronic Government/Military Yes - Published # 1,160,000 Courts **ITRC does not consider a password adequate protectionAttackers for hackedbreached into data. Washington state's Administrative Office of the Courts (AOC) servers and obtained copies of up to 160,000 social security numbers and 1 million driver's license numbers, state officials said Thursday. Officials don't know exactly when the breach occurred or how many records -- which could be used to commit identity theft -- were stolen.

Attribution 1 Publication: Information Week Author: Mathew J. Schwartz Date Published: Article Title: Washington State Courts Reveal Security Breach Article URL: http://www.informationweek.com/security/attacks/washington-state-courts-reveal-security/240154638

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-08 Lakeshore Mental Health TN Paper Data Medical/Healthcare Yes - Unknown # 0 Institute **ITRC does not consider a password adequate protectionLakeshore for breached Mental Health data. Institute of Tennessee has been associated with a strange patient data breach of records that date back to 1995, but the incident doesn’t involve any current patients. That’s because, as WBIR.com reports, the organization ended patient admissions in June 2012, but sensitive data has still been exposed to the public.

Attribution 1 Publication: HealthITSecurity Author: Date Published: Article Title: Update: Lakeshore Mental Health leaves patient data exposed Article URL: http://healthitsecurity.com/2013/05/01/lakeshore-mental-health-institute-leaves-patient-data-exposed/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-07 York Technical College SC Electronic Educational Yes - Published # 12,000

**ITRC does not consider a password adequate protectionThe names, for breached Social Security data. numbers and driver’s license numbers of more than 12,000 online student applicants at York Technical College might have been exposed, school officials said Tuesday.And it was one of the applicants who discovered the problem and brought it to the college’s attention.An online admissions system used from January 2012 to April 2013 was at risk, officials said.

Attribution 1 Publication: TheState.com Author: Don Worthington Date Published: Article Title: Personal data from 12,000 York Tech applicants may have been exposed Article URL: http://www.thestate.com/2013/05/07/2760730/personal-data-from-12000-york.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-06 WorldVentures Marketing LLC GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of an incident that involved unauthorized access to our computer servers in which general payment cardholder information is stored. We were recently made aware of this incident and it may have involved your cardholder information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: WorldVentures Marketing LLC Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/brittontum

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-05 Tomren Wealth Management CA Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you about a recent incident that may have involved personal information about you. We recently discovered that, between February 21 and March, 6, 2013 , a server containing information about you was accessed by an unauthorized third party. We deeply regret that this incident occurred and take very seriously the security of personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: https://oag.ca.gov/system/files/State%20Notification%20Packet_0.PDF? Article URL: https://oag.ca.gov/system/files/State%20Notification%20Packet_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-04 Department of Public Health CA Electronic Medical/Healthcare Yes - Published # 2,000

**ITRC does not consider a password adequate protectionState health for breached leaders data.on Monday announced a possible security breach involving 2,000 birth records. A reel containing names, addresses, Social Security numbers and some medical information was found in an unsecure location, the California Department of Public Health reported.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Oakland Tribune / insidebayarea.com Author: Date Published: Article Title: Possible security breach: California says birth records found in unsecure location Article URL: http://www.insidebayarea.com/breaking-news/ci_23184400/possible-security-breach-california-says-birth-records-found

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-03 University of Rochester NY Electronic Medical/Healthcare Yes - Published # 537 Medical Center **ITRC does not consider a password adequate protectionThe University for breached of Rochester data. (N.Y.) Medical Center announced that it has sent letters to 537 former orthopedic patients alerting them of a potential data breach.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: URMC Notifies 537 Patients of Possible Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/urmc-notifies-537-patients-of-possible-data-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-02 Raleigh Orthopaedic Clinic NC Electronic Medical/Healthcare Yes - Published # 17,300

**ITRC does not consider a password adequate protectionMore than for breached17,000 patients data. at the Raleigh Orthopaedic Clinic are potential victims of a health data breach as a result of a third-party vendor’s crooked activities, according to an announcement from the healthcare organization. The clinic has not mentioned the third-party vendor by name and could not be reached for comment at the time of this report. The clinic hired the vendor in order to transfer its X-ray media from film to an electronic format. The potential breach stems from the unknown whereabouts or condition of the film in question:

Attribution 1 Publication: healthitsecurity.com Author: Date Published: Article Title: Home > Articles > X-ray film scam exposes 17k patients to possible data breach Article URL: http://healthitsecurity.com/2013/05/07/x-ray-film-scam-exposes-17k-patients-to-possible-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-01 MAPCO Express Inc. TN Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionConvenience for breached store operator data. MAPCO Express Inc. has experienced a security breach by third-party hackers that may have compromised the credit/debit card information of certain MAPCO customers.

Attribution 1 Publication: NACS online Author: Date Published: Article Title: MAPCO EXPRESS EXPERIENCES DATA SECURITY BREACH Article URL: http://www.nacsonline.com/News/Daily/Pages/ND0507133.aspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-08 Intermountain Life Flight UT Electronic Medical/Healthcare Yes - Published # 857

**ITRC does not consider a password adequate protectionPatients for flown breached by Life data. Flight helicopters during at least three months of 2004 were advised Friday that their personal information may have been compromised.

The information, collected from patients in April, May and June of that year, was inadvertently put on an employee website where it may have been accessed by individuals outside of the emergency transport company.

Attribution 1 Publication: deseretnews.com Author: Date Published: Article Title: Life Flight informs patients of possible confidential information breach Article URL: http://www.deseretnews.com/article/865579041/Life-Flight-informs-patients-of-possible-confidential-information-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-07 Orthopedic Physician WA Electronic Medical/Healthcare Yes - Unknown # 0 Associates - Proliance **ITRC does not consider a password adequate protectionOn April, for 1, breached 2013, a laptopdata. and ten patient files were stolen during a car break-in. The patient files were subsequently recovered. However, information regarding some patients of Orthopedic Physician Associates, a division of Proliance Surgeons, may have been compromised by this theft. Sensitive information, including name, address, telephone number, social security number, name of provider, health insurance information and the reason for the patient’s appointment was included in emails stored in the laptop’s cache file.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Privacyrights.org / Proliance Surgeons' Author: Date Published: Article Title: Orthopedic Physician Associates - Proliance Surgeons Article URL: http://proliancesurgeons.adhostclient.com/images/PDF/websitenotice.pdf.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-06 Oakland Community College CA Electronic Educational Yes - Published # 100

**ITRC does not consider a password adequate protectionOakland for Community breached data. College is investigating how personal information of more than 100 students in connection with student loans became available on the college website.

Attribution 1 Publication: Oakland Press Author: Diana Dillaber Murray Date Published: Article Title: ‘Glitch’ publishes private info of more than 100 Oakland Community College students Article URL: http://www.theoaklandpress.com/articles/2013/04/24/news/local_news/doc517834de0d35d600294321.txt?viewmode=full

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-05 City of Berkeley CA Electronic Government/Military Yes - Published # 11,000

**ITRC does not consider a password adequate protectionFollowing for thisbreached week’s data. disclosure by Berkeley city staff that roughly 11,000 municipal employee social security numbers had been erroneously divulged to a local media outlet in March, the media outlet’s managing editor said Tuesday that he doubted the data could have been compromised, though it had been “passed around” by employees over email.

Attribution 1 Publication: WMCTV.com Author: Date Published: Article Title: Mayor's donation check among records found in dumpster Article URL: http://www.600wrec.com/pages/goout.php?url=http://www.wmctv.com/story/22092795/mayors-donation-check-among-r

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-04 Mid-South Reading Alliance TN Paper Data Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe director for breached of an adult data. literacy charity is trying to figure out how the personal information of former associates and donors, including Memphis Mayor AC Wharton, were piled up inside the charity's dumpster.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Westcoast Children's Clinic Article URL: https://oag.ca.gov/system/files/OAG%20PHI%20BREACH%20SAMPLE%20NOTICE_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-03 OneWest Bank CA Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe recently for breached learned data.that one of our service providers, was the victim of an illegal and unauthorized intrusion into its network (“Network Intrusion”) during the first quarter of 2011. In response, the service provider enhanced the security of its network systems, cooperated with law enforcement including the United States Secret Service (“USSS”), and investigated using leading outside security firms. Given the size and complexity of the issues, they have continued to investigate the scope and extent of the Network Intrusion. As a result, the service provider recently notified us that they have determined that an unauthorized person had access to files which contain some or all of the following information about you: name, address, birthdate, phone number, drivers license number, passport number, and Social Security Number.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: OneWest Bank Article URL: https://oag.ca.gov/system/files/Network%20Intrusion_Breach%20Notification%20on_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-02 Hope Hospice TX Electronic Medical/Healthcare Yes - Published # 818

**ITRC does not consider a password adequate protectionHope Hospice, for breached located data. in New Braunfels, Texas, has sent out more than 800 patient notifications after an employee sent out sensitive patient data through unsecured email twice since December 2012.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Hope Hospice informs 800 patients of health data breach Article URL: http://healthitsecurity.com/2013/04/29/hope-hospice-informs-800-patients-of-health-data-breach/

**ITRC does not consider a password adequate protectionCyber-attackers for breached recently data. breached LivingSocial's systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: LivingSocial Article URL:

Attribution 2 Publication: PC Magazine Author: Fahmida Y. Rashid Date Published: Article Title: LivingSocial Password Breach Affects 50 Million Accounts Article URL: http://securitywatch.pcmag.com/news-events/310828-livingsocial-password-breach-affects-50-million-accounts

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130429-01 Upstate University Hospital NY Electronic Medical/Healthcare Yes - Published # 283

**ITRC does not consider a password adequate protectionUpstate for University breached Hospital, data. affiliated with the State University of New York (SUNY) system, told 283 patients recently of a late March data breach involving the theft of a portable electronic device. According to centralny.ynn.com, patient names, date of birth, hospital medical record number, and diagnosis may have been included on the device when it was stolen on March 30 or 31. However, fortunately for the patients, it did not include Social Security number, insurance information or address.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellett Date Published: Article Title: Upstate University Hospital alerts patients of data breach Article URL: http://healthitsecurity.com/2013/04/29/upstate-university-hospital-alerts-patients-of-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130426-01 Teavana GA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionMultiple for sources breached in law data. enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.

Attribution 1 Publication: KrebsonSecurity Author: Brian Krebs Date Published: Article Title: Sources: Tea Leaves Say Breach at Teavan Article URL: http://krebsonsecurity.com/2013/04/sources-tea-leaves-say-breach-at-teavana/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-19 State of California - CA Electronic Medical/Healthcare Yes - Published # 18,162 Department of **ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: State of California - Department of Developmental Services Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-18 VAMC - John J. Pershing MD Paper Data Government/Military Yes - Published # 589

**ITRC does not consider a password adequate protectionother - forpaper breached data.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: John J. Pershing VA Medical Center Article URL: http://www.phiprivacy.net/

Attribution 2 Publication: hhs.gov Author: Date Published: Article Title: ohn J. Pershing VA Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

**ITRC does not consider a password adequate protectionunauthorized for breached access/disclosure data. - electronic medical records

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: South Miami Hospital Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-15 West Georgia Ambulance GA Electronic Medical/Healthcare Yes - Published # 500

**ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: West Georgia Ambulance Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-14 HomeCare of Mid-Missouri MO Electronic Medical/Healthcare Yes - Published # 4,027 Inc. **ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: HomeCare of Mid-Missouri Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-13 Arizona Oncology AZ Electronic Medical/Healthcare Yes - Published # 501

**ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Arizona Oncology Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-12 Kindred Healthcare, Inc. MA Electronic Medical/Healthcare Yes - Published # 716

**ITRC does not consider a password adequate protectiontheft - other for breached portable data.electronic device

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-11 Agency for Health Care FL Paper Data Medical/Healthcare Yes - Published # 1,892 Administration **ITRC does not consider a password adequate protectionunauthorized for breached access/disclosure data. - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Agency for Health Care Administration Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

**ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Riderwood Village Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-09 Child & Family Psychological MA Electronic Medical/Healthcare Yes - Published # 7,250 Services, Inc. **ITRC does not consider a password adequate protectionhacking/IT for breached incident - data.network server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Child & Family Psychological Services, Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-08 Office of Thomas L. Davis, Jr. OR Electronic Medical/Healthcare Yes - Published # 3,269 DDS **ITRC does not consider a password adequate protectiontheft - desktop for breached computer, data. electronic medical records

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Office of Thomas L. Davis, Jr. DDS Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-07 Mount Sinai Medical Center FL Electronic Medical/Healthcare Yes - Published # 628

**ITRC does not consider a password adequate protectiontheft - desktop for breached computer, data. paper

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.phiprivacy.net/

Attribution 2 Publication: Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-06 Carpenters Health & Welfare CA Paper Data Medical/Healthcare Yes - Published # 2,400 Trust Fund for California **ITRC does not consider a password adequate protectionunauthorized for breached access/disclosure data. - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Carpenters Health & Welfare Trust Fund for California Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-05 Lake Granbury Medical TX 2/13/2013 Paper Data Medical/Healthcare Yes - Published # 502 Center **ITRC does not consider a password adequate protectiontheft - paper for breached data.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Lake Granbury Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-04 Hospice and Palliative Care NC 2/24/2013 Electronic Medical/Healthcare Yes - Published # 5,371 Center of Alamance Caswell **ITRC does not consider a password adequate protectiontheft, unauthorized for breached access/disclosure data. - laptop, paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Hospice and Palliative Care Center of Alamance Caswell Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-03 Texas Health Care, PLLC TX Paper Data Medical/Healthcare Yes - Published # 554

**ITRC does not consider a password adequate protectiontheft - paper for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Texas Health Care, PLLC Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-02 Brookdale University NY 8/11/2012 Paper Data Medical/Healthcare Yes - Published # 2,261 Hospital and Medical Center **ITRC does not consider a password adequate protectionunauthorized for breached access/disclosure data. - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Brookdale University Hospital and Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-01 Brookdale University NY 9/21/2012 Electronic Medical/Healthcare Yes - Published # 28,187 Hospital and Medical Center **ITRC does not consider a password adequate protectionUnauthorized for breached Access/Disclosure data. - other portable electronic device

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-13 Erlanger Health Systems TN Paper Data Medical/Healthcare Yes - Published # 87

**ITRC does not consider a password adequate protection87 families for breached received data.notification from Erlanger Health System, saying their child's medical records were found outside the hospital.

Attribution 1 Publication: wdef.com Author: Alisha Searl Date Published: Article Title: Security Breach at Erlanger Health System has Families Upset Article URL: http://www.wdef.com/news/story/Security-Breach-at-Erlanger-Health-System-has/dF_wE2QwdUKWmNoq2KnHDw.cspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-12 Multiple Health Plans - Coast CA Paper Data Medical/Healthcare Yes - Published # 1,368 Healthcare Management **ITRC does not consider a password adequate protectiontheft - paper for breached data.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Multiple Health Plans - Coast Healthcare Management Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-11 Catoctin Dental - Richard B. MD Electronic Medical/Healthcare Yes - Published # 6,400 Love, DDS **ITRC does not consider a password adequate protectionhacking/IT for breached incident - data.network server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Catoctin Dental - Richard B. Love, DDS Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-10 Department of Behavioral CA Paper Data Medical/Healthcare Yes - Published # 686 Health - County of San **ITRC does not consider a password adequate protectiontheft - paper for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Department of Behavioral Health - County of San Bernardino Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-09 Intervention Services, Inc. FL Electronic Medical/Healthcare Yes - Published # 1,200

**ITRC does not consider a password adequate protectiontheft - laptop for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Intervention Services, Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-08 Center for Pain Management MD Electronic Medical/Healthcare Yes - Published # 5,822 LLC **ITRC does not consider a password adequate protectionHHS update for breached 11/14/2014: data. Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management. The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals. The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Center for Pain Management LLC Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-07 Lancaster General Medical PA Paper Data Medical/Healthcare Yes - Published # 527 Group **ITRC does not consider a password adequate protectiontheft - paper for breached data.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Lancaster General Medical Group Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-06 Schneck Medical Center IN Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionA Seymour for breached hospital reporteddata. Monday that protected health information for thousands of patients was inadvertently made available online.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: wcsi.com / phiprivacy.net Author: Date Published: Article Title: Schneck Patient Information Available Online Article URL: http://wcsi.whiterivernews.com/templates/localnews_temp.asp?id=6993&storyno=1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-05 Kmart AR Electronic Business Yes - Published # 788

**ITRC does not consider a password adequate protection Kmart forsays breached some customer data. information may have been compromised during an armed robbery of its store in Little Rock last month.

Attribution 1 Publication: therepublic.com / hhs.gov Author: Date Published: Article Title: Kmart says some confidential customer information stolen during robbery of Little Rock store Article URL: http://www.therepublic.com/view/story/e7f70c989f354066a2c017b2ee20a4bb/AR--Kmart-Robbery

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-04 Dead River Company ME Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to supplement data. our notice to your office dated March 22, 2013. Dead River Company ("Dead River"), 82 Running Hill, Suite 400, South Portland, ME 04106, sent a letter to your office informing you of pertinent facts known at that time related to the March 6, 2013 detection of malware on Dead River's computer network. For your convenience, attached as Exhibit A, is a copy of the March 22, 2013 letter sent to your office with exhibits.

Attribution 1 Publication: NH AG's Office Author: Date Published: Article Title: Dead River Company Article URL: http://doj.nh.gov/consumer/security-breaches/documents/dead-river-company-20130410.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-03 Adventist Health FL Electronic Medical/Healthcare Yes - Published # 763,000 System/Sunbelt **ITRC does not consider a password adequate protectionAltamonte for breachedSprings, Fla.-baseddata. Adventist Health System/Sunbelt has been slammed by a class action lawsuit for allegedly failing to safeguard the protected health information of more than 763,000 patients in its electronic database, according to a Health IT Security report.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: Adventist Health Faces Lawsuit Over Data Breach Affecting More Than 763K Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/adventist-health-faces-lawsuit-over-data-bre

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-02 OptiNose US Inc. PA Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe have for recently breached learned data. of a data security breach involving a laptop belonging to OptiNose US Inc. ("OptiNose"}, which was stolen on March 26, 2013. The laptop may have included your name and social security number. We have no reason to believe that any personal data was targeted for misuse, and we have no information that any personal data has been accessed by an unauthorized party. Nevertheless, because the incident may have compromised this personally identifiable information, we are bringing this situation to your attention.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: OptiNose US Inc. Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/2013-04-2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-01 Glen Falls Hospital NY Electronic Medical/Healthcare Yes - Published # 2,360

**ITRC does not consider a password adequate protectionThousands for breached of patients data. of a New York state hospital had their medical records exposed when they were left unprotected on a third-party server for several months.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Glen Falls Hospital Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

How is this report produced? What are the rules? See last page of report for details.

Attribution 2 Publication: SC Magazine Author: Danielle Walker Date Published: Article Title: Medical records of 2k patients left unprotected on contractor's server Article URL: http://www.scmagazine.com/medical-records-of-2k-patients-left-unprotected-on-contractors-server/article/287707/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130418-01 Arizona Counseling and AZ Electronic Medical/Healthcare Yes - Published # 3,800 Treatment Services **ITRC does not consider a password adequate protectionArizona for Counseling breached anddata. Treatment Services, a behavioral health provider serving the greater Yuma, Ariz. region, is notifying about 3,000 patients following the theft of a laptop computer and external hard drive.

Attribution 1 Publication: Health Data Management / hhs.gov Author: Joseph Goedert Date Published: Article Title: Behavioral Health Provider Reaches Out to 3,000 after Breach Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46025-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-11 Vudu CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionVudu notified for breached users thatdata. a break-in at its offices on 24 March compromised users' personal information and account activity, warning customers to be on the lookout for "spam email, emails asking for personal information, or emails asking you to click on links to other websites" as a result. The streaming video provider said "a number of items were stolen, including hard drives" during the burglary of its Santa Clara, California- based offices. Vudu informed customers in an email message that it was implementing a system-wide password reset because the hard drives contained user emails, addresses, account activity, dates of birth, and in some cases, credit card information.

Attribution 1 Publication: ITproportal.com / databreaches.net Author: Date Published: Article Title: Vudu Article URL: http://www.itproportal.com/2013/04/10/vudu-warns-customers-after-user-data-stolen-in-burglary/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-10 Sacred Art Tattoo MI Paper Data Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe tattoos for breached may be sacred,data. but your personal information may not be.

Fox 2 found company documents containing client's personal information, including birth certificates, drivers licenses, social security numbers and credit card information.

Attribution 1 Publication: myfoxdetroit.com / databreaches.net Author: Date Published: Article Title: Sacred Art Tattoo in Flat Rock admits tossing sensitive documents Article URL: http://www.myfoxdetroit.com/story/21975732/sacred-art-tattoo-in-flat-rock-admits-tossing-sensitive-documents

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-09 Comfort Dental Office IN Paper Data Medical/Healthcare Yes - Published # 5,388

**ITRC does not consider a password adequate protectionThousands for breached of patient data. records found by our 13 Investigates team are now in the hands of state investigators.

Late Tuesday afternoon, special agents with the attorney general's office picked up boxes loaded with thousands of sensitive, personal documents. We found the sensitive information dumped at an Indianapolis church parking lot.

Attribution 1 Publication: wthr.com / hhs.gov Author: Date Published: Article Title: Comfort Dental Office Article URL: http://www.wthr.com/story/21675639/medical-dental-records-found-in-church-recycling-dumpster

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-08 Tradebe IL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionI am writing for breached on behalf data. of TRADEBE Environmental Services, LLC ("Trade be") to notify the Attorney General's Office, pursuant to N.H. Rev. Stat. Ann.§§ 359- C: 19 to 21, of a recent data security breach affecting New Hampshire residents. Specifically, on March 20, 2013, Tradebe was notified by an employee of the theft of a Tradebe laptop from the employee's vehicle. The laptop is believed to have contained payroll and tax information with names and Social Security numbers of current arid former Tradebe employees. The laptop was password protected, but the data was not encrypted.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Tradebe Article URL: http://doj.nh.gov/consumer/security-breaches/documents/tradebe-20130402.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-07 Lyons & Lyons CT Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe represent for breached Lyons data.& Lyons PC ("Lyons"), a Connecticut-based corporation that provides tax preparation services, with respect to an incident involving the exposure of certain personal information described in detail below. 1. Nature of the security breach or unauthorized use or access. On February 20, 2013, Lyons learned that two of its clients received notification that their tax return had been filed. Lyons had not filed those returns. Lyons immediately initiated an investigation, including an investigation of its computer system. On February 22, 2013, Lyons contacted the Internal Revenue Service ("IRS") and learned that an investigation was under way, and involved the United States Secret Service ("USSS"). Lyons then communicated with the USSS, and learned that an unauthorized individual may have accessed its computer systems and obtained certain tax returns filed last year.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Lyons & Lyons Article URL: http://doj.nh.gov/consumer/security-breaches/documents/lyons-20130319.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-06 Clinton Health Access MA Paper Data Business Yes - Unknown # 0 Initiative **ITRC does not consider a password adequate protectionAs you forare breached aware, New data. Hampshire state law requires notice to the New Hampshire Attorney General in the event of an information security breach involving the personal information of New Hampshire residents. In accordance with that requirement, we write to inform you of an information security breach that we discovered on March 20, 2013. On that date, we learned that we inadvertently e-mailed the Form W-2s of 107 employees to an unintended recipient (another CHAI employee). This e-mail contained each affected employee's name, address, Social Security number and wage information.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Clinton Health Access Initiative Article URL: http://doj.nh.gov/consumer/security-breaches/documents/clinton-health-access-20130329.pdf

Attribution 2 Publication: NH AG's office Author: Date Published: Article Title: Clinton Health Access Initiative Article URL: http://doj.nh.gov/consumer/security-breaches/documents/clinton-health-access-20130329.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-05 80sTees.com PA Electronic Business Yes - Published # 2,598

**ITRC does not consider a password adequate protectionI am writing for breached to you on data. behalf of my client 80sTees.com, Inc. ("80sTees"), a Pennsylvania corporation that specializes in online sales of 80's memorabilia and pop culture gear. 80sTees is providing notice pursuant to N.H. Rev. Stat. Ann.§ 359-C:20I(b) (2007) of a data security incident. 80sTees is notifying you because it recently learned that a cyber attacker obtained unauthorized access to the names, addresses, email addresses, phone numbers and credit card information of 14 New Hampshire residents after they completed credit card purchases on the 80sTees website. UPDATE NUMBER OF RECORDS 2/25/2014 PER VT AG'S LETTER

Attribution 1 Publication: Author: Date Published: Article Title: Article URL:

Attribution 2 Publication: NH AG's office / VT AG'S office Author: Date Published: Article Title: 80sTees.com Article URL: http://doj.nh.gov/consumer/security-breaches/documents/80stees-20130403.pdf

**ITRC does not consider a password adequate protectionOn February for breached 27, 2013 data. Chapman University officials learned that certain electronic documents containing personal information could have been viewed by authenticated users of the Chapman University system. These documents were never available to the general public, and only authenticated users of the on-campus network who were logged into the system could have accessed them. As a precautionary measure you are being notified of this matter.

The university’s Department of Information Systems and Technology discovered this vulnerability during standard security testing and the documents were immediately blocked from access by unauthorized users. Some of these documents contained names, social security numbers, student identification numbers and dates of birth.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Chapman University Article URL: https://oag.ca.gov/system/files/Sample%20Version%20%28SENT%204-11-13%29_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-03 State of North Carolina - NC Electronic Government/Military Yes - Published # 553 Computer Sciences Corp. **ITRC does not consider a password adequate protectionWe at Computerfor breached Sciences data. Corporation (CSC) want to inform you of a recent incident that involves your personal information. Although we are not aware of any misuse of this information, we are taking steps to protect you and your identity.

CSC is a contractor for the State of North Carolina. In the course of performing services for the State, we put information from the Medicare Exclusion Database on a thumb drive. This information included your name, Social Security Number (SSN), federal tax Employer Identification Number (EIN), and date of birth. It also included other information from the database that is publicly available.

Attribution 1 Publication: CA AG's office / MD AG's office Author: Date Published: Article Title: State of North Carolina Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226408.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-02 Citigroup TX Electronic Banking/Credit/Financial Yes - Published # 150,000

**ITRC does not consider a password adequate protectionThis letter for breachedis to inform data. you of a matter involving your personal information. You are receiving this letter because you are currently, or were previously, a party in a bankruptcy proceeding involving a loan from Citi. Citi filed legal documents in court related to that loan in which certain personally identifiable information was, pursuant to court rules, intended to be concealed from the publicly available versions of the documents to prevent access to that information by members of the public who search electronic court records.

Attribution 1 Publication: American Banker Author: Date Published: Article Title: Through Software Glitch, Citi Exposes Data on 150,000 Customers Article URL: http://www.americanbanker.com/issues/178_137/through-software-glitch-citi-exposes-data-on-150000-customers-10606

Attribution 2 Publication: CA AG's Office Author: Date Published: Article Title: Citi Article URL: https://oag.ca.gov/system/files/BK%20Redaction%20Fully%20Remediated%20Consumer%20Notice%20%282%29_0.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-01 Iberdrola USA - Central ME Electronic Business Yes - Published # 5,100 Maine Power (CMP) **ITRC does not consider a password adequate protectionCentral for Maine breached Power data. has revealed that a security breach of its parent company’s recruitment website has potentially exposed the personal data of anyone who has applied for or accepted a job at CMP or any of its sister companies in the past six years.

Attribution 1 Publication: bangordailynews.com Author: Whit Richardson Date Published: Article Title: CMP parent company’s website breach puts employee data at risk Article URL: http://bangordailynews.com/2013/04/16/business/cmp-parent-companys-website-breach-puts-employee-data-at-risk/

**ITRC does not consider a password adequate protectionKirkwood for Communitybreached data. College officials say hackers broke into the university's website and accessed a database with applicant's names, social security numbers and other personal information.

Attribution 1 Publication: MarionPatch.com Author: B.A. Morelli Date Published: Article Title: FBI Investigates as 'Sophisticated Hackers' Illegally Access 125,000 Personal Records of Kirkwood Applicants Article URL: http://marion.patch.com/articles/fbi-investigates-as-sophisticated-hackers-illegally-access-125-000-personal-records-of-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130415-01 VAMC - William Jennings SC Electronic Government/Military Yes - Published # 7,405 Bryan Dorn **ITRC does not consider a password adequate protectionThe William for breached Jennings data. Bryan Dorn VA Medical Center in Columbia, S.C., has informed 7,405 patients about a recent data breach, according to a Health IT Security report.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: VAMC - William Jennings Bryan Dorn Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: Article Title: VA Medical Center Data Breach Could Affect More Than 7k People Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/va-medical-center-data-breach-could-affect-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130405-01 Alamance Caswell NC Electronic Medical/Healthcare Yes - Published # 5,370

**ITRC does not consider a password adequate protectionHospice for of breached Alamance data. Caswell in Burlington, N.C., has notified 5,370 patients or next of kin that their protected health information was compromised following a burglary at the organization’s main office.

Attribution 1 Publication: healthdatamanagement.com Author: Date Published: Article Title: Burglary = 5,370 Breach Notifications Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-45976-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130404-01 University of Florida - FL Electronic Medical/Healthcare Yes - Published # 14,339 Shands Family Medicine **ITRC does not consider a password adequate protectionAn employee for breached working data. at a University of Florida medical clinic who had ties to an identity theft ring may have compromised patient personal and health information. UF is notifying 14,339 patients of the UF & Shands Family Medicine at Main practice that they should take appropriate measures to protect themselves from identity theft.

Attribution 1 Publication: University of FL website Author: Date Published: Article Title: University of Florida Article URL: http://news.ufl.edu/2013/04/03/potential-identity-theft/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-08 Family (Women's) Health GA Electronic Medical/Healthcare Yes - Published # 3,000 Enterprise **ITRC does not consider a password adequate protectionWomen’s for Healthbreached Enterprise, data. Inc., d/b/a Family Health Enterprise (FHE), a non-profit primary care services provider, notifies approximately 3000 patients of FHE’s Breast Health Promotion Program of a breach of unsecured personal medical information. On January 2, 2013, FHE’s locked office at 634 McDonough Blvd SE in Atlanta, Georgia was broken into after business hours, and 2 laptop computers were stolen. FHE immediately notified local police.

Attribution 1 Publication: prhiprivacy.net / FHE release Author: Date Published: Article Title: Family Health Enterprise notifies patients after laptops stolen in office burglary Article URL: http://familyhealthenterprisecenter.org/wp-content/uploads/2013/02/Press_Release.pdf

**ITRC does not consider a password adequate protectionStacks forof paperworkbreached data. containing personal information — including Social Security numbers — of patients were carelessly dumped on the sidewalk when a Brooklyn medical supply store was shuttered.

Attribution 1 Publication: Author: Date Published: Article Title: Documents containing personal information of patients left on Brooklyn sidewalk after medical supply company is shuttered Article URL: http://www.nydailynews.com/new-york/brooklyn/document-scare-medical-patients-brooklyn-article-1.1302543

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-06 OrthoCare Medical MA Electronic Medical/Healthcare Yes - Published # 93 Equipment, LLC **ITRC does not consider a password adequate protectionOn February for breached 14, OrthoCare data. learned that a binder with 93 patients’ information had been stolen. The firm does not indicate where the theft occurred – whether it was from an office or an employee’s car, etc. OrthoCare is headquartered in Lebanon, NH, but only one of the individuals affected is a New Hampshire resident. The firm maintains a number of offices, including Boston, however, where the theft was reported to the Boston Police.

Attribution 1 Publication: NH AG's office / phiprivacy.net Author: Date Published: Article Title: OrthoCare Medical Equipment, LLC Article URL: doj.nh.gov_consumer_security-breaches_documents_orthocare-20130325.pd

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-05 United HomeCare Services of FL Electronic Medical/Healthcare Yes - Published # 13,617 Southwest Florida **ITRC does not consider a password adequate protection United for HomeCare breached (UHC) data. is alerting clients that the confidentiality of certain personal health information may have been compromised due to the theft of an employee’s company laptop computer.

Attribution 1 Publication: Phiprivacy.net / UHC press release Author: Date Published: Article Title: United HomeCare Services notifies over 13,000 clients after laptop stolen from employee’s car Article URL: http://www.phiprivacy.net/?p=12171

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-04 General Services DC Electronic Government/Military Yes - Unknown # 0 Administration (GSA) **ITRC does not consider a password adequate protectionRecently, for thebreached General data. Services Administration sent an e-mail alert to users of its System for Award Management (SAM), reporting that a security vulnerability exposed the users' names, taxpayer identification numbers (TINs), marketing partner information numbers, and bank account information to "[r]egistered SAM users with entity administrator rights and delegated entity registration rights."

Attribution 1 Publication: GSA Author: Date Published: Article Title: GSA Security Breach Communications Article URL: /url?sa=t&rct=j&q=gsa%20security%20breach%20communication&source=web&cd=1&cad=rja&ved=0CC8QFjAA&url=h

Attribution 2 Publication: C/Net Author: Dennis O'Reilly Date Published: Article Title: GSA vulnerability highlights dangers of SSNs as IDs Article URL: http://howto.cnet.com/8301-11310_39-57575873-285/gsa-vulnerability-highlights-dangers-of-ssns-as-ids/?part=rss&tag=

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-03 City of Jacksonville FL Electronic Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protectionEarlier fortoday, breached a City employeedata. accessed confidential information on an internal network, which is not public, and distributed that information to a number of Council members. The information included the names and Social Security numbers of many City employees hired after 2005.

Attribution 1 Publication: Fox 30 WAWS Author: Date Published: Article Title: City Security Breach Of Worker's Personal Information Article URL: http://www.fox30jax.com/mostpopular/story/City-Security-Breach-Of-Workers-Personal/AmT1--EKdEqCYCAv-dDUwg.cs

**ITRC does not consider a password adequate protectionWe recently for breached learned data.of a security incident that may have resulted in the disclosure of the credit card information, names, and addresses associated with your account. As a reminder, we do not collect your social security number or date of birth. We take the security of your information very seriously, and sincerely apologize for any inconvenience this may cause you.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: shoplet.com Article URL: https://oag.ca.gov/system/files/ShopletCA%20notification4_2_13_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-01 Rollins GA Paper Data Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of an incident that came to our attention on March 12, which may have involved the unintentional exposure of your Social Security number (SSN). This occurred as a result of a system mistake involving the recent Rollins TODAY mailing. This distribution may have inadvertently displayed your SSN in a number sequence on the mailing label.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Rollins Article URL: https://oag.ca.gov/system/files/Rollins%20Ad_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130401-02 Kelly Plaza Dental Center MI Paper Data Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPersonal for patient breached information data. from a dental office on Detroit's east side has been dumped out in the open.

Attribution 1 Publication: clickondetroit.com / datalossdb.org Author: Date Published: Article Title: Dental patients' info dumped outside building on Detroit's east side Article URL: http://www.clickondetroit.com/news/Dental-patients-info-dumped-outside-building-on-Detroit-s-east-side/-/1719418/194

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130401-01 Department of Social and WA 2/4/2013 Electronic Medical/Healthcare Yes - Published # 629 Health Services (DSHS) **ITRC does not consider a password adequate protection A private for contractor'sbreached data. laptop computer containing confidential and personal health information on 652 state Department of Social and Health Services clients was discovered to be stolen Feb. 4 in Gig Harbor. - Dr. Sunil Kakar - CHANGED FROM GOVERNMENT TO MEDICAL PER HHS 2/2014

Attribution 1 Publication: WA State Dept. of Social and Health Ser Author: Date Published: Article Title: Stolen laptop contained information about DSHS clients Article URL: http://dshs.wa.gov/mediareleases/2013/pr13011.shtml

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130329-01 Tooele County UT Electronic Government/Military Yes - Published # 200

**ITRC does not consider a password adequate protectionThe Tooele for breached County commissionersdata. sent letters to about 200 current and former employ ees Thursday , explaining that their personal data had been briefly breached in an isolated incident caused by human error.

Attribution 1 Publication: Salt Lake Tribune Author: Cathy Mckitrick Date Published: Article Title: Tooele officials: human error caused isolated data breach Article URL: http://www.sltrib.com/sltrib/news/56074611-78/county-brozovich-tooele-data.html.csp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-04 Allen County Information OH Electronic Government/Military Yes - Published # 1,152 Technology Department **ITRC does not consider a password adequate protectionAllen County for breached Information data. Technology Department officials discovered March 21 more than 1,100 Allen County employees had personal information accidentally made available to unauthorized users, including social security numbers.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: limaohio.com / datalossdb.org Author: KATE MALONGOWS Date Published: Article Title: Security breach releases personal information of Allen County employees Article URL: http://www.limaohio.com/news/local_news/article_01fb7dc0-96e0-11e2-97b9-001a4bcf6878.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-03 HealthCare for Women MA Electronic Medical/Healthcare Yes - Published # 8,727

**ITRC does not consider a password adequate protectionA computer for breached server for data. SouthCoast medical provider HealthCare for Women was hacked in January, potentially exposing summaries of patient visits occurring from June 2012 to January 2013.

Patient names, addresses, telephone numbers and dates of birth could also have been accessed.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: HealthCare for Women Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: SouthCoastToday / datalossdb.org Author: Ariel Wittenberg Date Published: Article Title: HealthCare for Women server breached by hackers Article URL: http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20130326/NEWS/303260334/1001

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-02 Texas Tech University Health TX Electronic Medical/Healthcare Yes - Published # 697 Sciences Center **ITRC does not consider a password adequate protectionLubbock-based for breached Texas data. Tech University Health Sciences Center has announced a data breach that could affect approximately 700 patients, according to an eSecurity Planet report.

Attribution 1 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: Article Title: Texas Tech Data Breach Could Affect 700 Patients Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/texas-tech-data-breach-could-affect-700-pati

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-01 Schnucks MO Electronic Business Yes - Published # 2,400,000

**ITRC does not consider a password adequate protectionThe St. for Louis-based breached data.Schnucks grocery store chain is investigating a possible breach of debit and credit card data.

One card issuer tells BankInfoSecurity it appears likely that a breach occurred at Schnucks or its payments processor. Fraudulent transactions tied to cards used at Schnucks stores date as far back as January, this issuer says.

Attribution 1 Publication: SC Magazine Author: Dan Kaplan Date Published: 4/15/2013 Article Title: Schnucks supermarket chain discloses breach that stole 2.4 million credit card numbers Article URL: http://www.scmagazine.com/schnucks-supermarket-chain-discloses-breach-that-stole-24-million-credit-card-numbers/a

Attribution 2 Publication: St. Louis Public Radio Author: Date Published: Article Title: Data Breach At Schnucks Could Affect More Than Two Million Cards Article URL: http://news.stlpublicradio.org/post/data-breach-schnucks-could-affect-more-two-million-cards

Attribution 3 Publication: Data Breach Today Author: Tracy Kitten Date Published: Article Title: Retailer Investigates Possible Card Breach Article URL: http://www.databreachtoday.com/retailer-investigates-possible-card-breach-a-5640?rf=2013-03-28-edbt&elq=944fd24edf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130326-01 Oregon Health & Science OR Electronic Medical/Healthcare Yes - Published # 1,114 University **ITRC does not consider a password adequate protectionThe Oregon for breached Health anddata. Science University (OHSU) sent 4,022 patient data breach notification letters last week about a month after a surgeon’s unencrypted laptop was stolen from their Hawaii vacation rental home.

Attribution 1 Publication: HealthITSecurity.com Author: Patrick Ouellette Date Published: Article Title: Oregon Health and Science University reports data breach Article URL: http://healthitsecurity.com/2013/03/26/oregon-health-and-science-university-reports-data-breach/

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a data security event that may have compromised the security of eighty (80) New Hampshire residents' personal information. Finish Line, 3308 N. Mitthoeffer Road, Indianapolis, IN 46235, is informing your office of pertinent facts that are known at this time relating to a theft of an employee laptop that contained the personal information of certain current and former Finish line employees.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Finish Line Article URL: http://doj.nh.gov/consumer/security-breaches/documents/finish-line-20130315.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-13 Cartier North America NY Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe write for to breached advise you data. of an incident involving the loss of a laptop computer, which resulted in the potential compromise of the personal information of one New Hampshire resident. The incident occurred in Boston, Massachusetts on January 18,2013. To our knowledge, the laptop contained, among other things, certain personal information of 13 U.S. residents, one of whom is a New Hampshire resident.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Cartier North America Article URL: http://doj.nh.gov/consumer/security-breaches/documents/cartier-20130225.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-12 Anthem Blue Cross - Blue OH Electronic Medical/Healthcare Yes - Published # 6,000 Shield **ITRC does not consider a password adequate protectionOn January for breached 7, 2013, data. we learned that an employee at Connextions, a vendor that supplies call center services to Anthem Blue Cross Blue Shield (Anthem), took Social Security Numbers (SSNs) of a number of Anthem members between November 1, 2011, and October 11,2012. There are indications that the employee may have conveyed some information to third-parties who are the subject of an ongoing criminal investigation. As soon as Connextions notified us about the incident, we began working to identify all members whose information may have been accessed by the vendor's employee.

Attribution 1 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: 4/10/2013 Article Title: More Than 6,000 May Be Affected in BCBS Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/more-than-6000-may-be-affected-in-bcbs-dat

Attribution 2 Publication: NH AG's office Author: Date Published: Article Title: Anthem Blue Cross - Blue Shield Article URL: doj.nh.gov_consumer_security-breaches_documents_anthem-blue-cross-blue-shield-20130314.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-11 TLO FL Electronic Business Yes - Published # 380

**ITRC does not consider a password adequate protectionWe are for writing breached to tell data. you about a data security incident that may have exposed a limited amount of your personal information. We take the protection and proper use of information very seriously. We are contacting you directly to let you know how we are protecting you personally and how we are strengthening our security.

Attribution 1 Publication: CA AG's office / MD AG's office Author: Date Published: Article Title: TLO Article URL: https://oag.ca.gov/system/files/TLO%20Consumer%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-10 OCS America NY 3/4/2013 Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn March for breached4, 2013, OCS data. America, Inc. discovered that one of its computers may have been affected by a malicious phishing attack. We are sending you this letter as a cautionary measure because we believe that certain information about you, which may have included your name, address, telephone number, date of birth, job title, salary information and Social Security number, was contained in a file on the computer.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: OCS America Article URL: https://oag.ca.gov/system/files/CA%20OCS%20Employee%20Breach%20Notice%20Letter%20%2811%20March%202013

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-09 Saint Francis Hospital OK Paper Data Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionImagine for finding breached a stack data. of someone's medical records, with all their personal and private information. That's what happened to a stack of records from Tulsa's Saint Francis Hospital. The records showed up in Ponca City, and it might have gone unnoticed, except for where they were found - on the loading dock of the local newspaper.

The story made the front page, above the fold, in the Friday edition of the Ponca City News. A 3-inch tall stack of medical records turned up there - in a stack of pallets shipped from a recycling operation near Tulsa.

Attribution 1 Publication: NewsOn6.com Author: Emory Bryan Date Published: Article Title: Tulsa Medical Records Turn Up On Ponca City Newspaper Loading Dock Article URL: http://www.newson6.com/story/21476118/tulsa-medical-records-turn-up-on-ponca-city-newspaper-loading-dock

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-08 Crozer-Chester Medical PA Electronic Medical/Healthcare Yes - Published # 144 Center - Chester Community **ITRC does not consider a password adequate protectionA Chester for breachedCounty couple data. has been charged in a $257,710 tax fraud scam that involved the stolen identities of patients at Crozer-Chester Medical Center and Chester Community Hospital.

Rafael Henriquez Polanco, 30, and his wife, Yanira Lopez, 27, residents of Chester Springs, allegedly filed fraudulent tax returns seeking more than $1.7 million in refunds, according to U.S. Attorney Zane David Memeger. According to the charging documents, Polanco and Lopez obtained the names, dates of birth and Social Security numbers of 144 patients of Community Hospital in Chester and Crozer-Chester Medical Center in Upland by paying employees of the hospitals to steal confidential medical forms.

Attribution 1 Publication: Daily Times Author: Cindy Scharr Date Published: Article Title: Chesco couple charged in tax fraud scam Article URL: http://delcotimes.com/articles/2013/03/12/news/doc513fe4efe6d50563393172.txt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-07 Granger Clinic UT Paper Data Medical/Healthcare Yes - Published # 2,600

**ITRC does not consider a password adequate protectionA West for Valley breached City-based data. medical clinic has alerted federal health officials of a possible data breach after a collection of about 2,600 medical appointment records slated for shredding went missing.

Attribution 1 Publication: Salt Lake Tribune / PHIprivacy.net Author: Jennifer Dobner Date Published: Article Title: Granger Clinic may have lost patients’ appointment documents Article URL: http://www.sltrib.com/sltrib/news/56048214-78/records-clinic-medical-breach.html.csp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-06 Discover Card US Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe've beenfor breached advised data.that your Discover Card account information may have been compromised. This incident did not involve any Discover Card systems, and there is no evidence that an unauthorized individual is using this account number. We are confident that it is not necessary to provide you with a new account number at this lime, and you may continue to use your existing card.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Discover Card Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/discover-s

**ITRC does not consider a password adequate protectionTennis forExpress breached recognizes data. the importance of the privacy and confidentiality of the personal information provided to us by our customers. We are writing to inform you about an incident involving some of that information. We learned in mid-February 2013 that an unknown person gained access to our computer network on December 19, 2012, because of a vulnerability in a program provided to us by a third party vendor. The unknown person may have had the ability to decrypt and take sales transaction information stored in our database server. This information may have included your name, address, credit card number, verification value, and expiration date. Upon learning of this incident, we took additional steps to secure our computer network, we notified the credit card companies, and began a forensic investigation.

Attribution 1 Publication: VT AG's office / MD AG's office Author: Date Published: Article Title: Tennis Express Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/tennis-exp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-04 Frontier Natural Products Co- IA Electronic Business Yes - Unknown # 0 Op **ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a security incident involving personal information maintained by Frontier Natural Products Co-op ("Frontier"), operator of www.auracacia.com, www.simplyorganic.com, www.frontiercoop.com and www.wholesale.frontiercoop.com ("Websites"). While we do not know if your personal information has been (or will be) misused, out of an abundance of caution, we are providing this notice and outlining some steps you may take to help protect yourself. We sincerely apologize for any inconvenience or concern this may cause you.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Frontier Natural Products Co-Op Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/frontier-se

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-03 Inova Health System VA Electronic Medical/Healthcare Yes - Published # 2,169

**ITRC does not consider a password adequate protectionInova recognizes for breached the data. importance of the privacy and confidentiality of the personal information provided to us by our employees. Regrettably, I am writing to inform you about an incident involving some of that information. We learned on February 8, 2013, that a setting was inadvertently left open following application maintenance, which resulted in a human resources file folder becoming accessible to the Internet.

Attribution 1 Publication: VT AG's office / MD AG's office Author: Date Published: Article Title: Inova Health System Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/inova-sec

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-02 United Shore Financial MI Electronic Banking/Credit/Financial Yes - Unknown # 0 Services **ITRC does not consider a password adequate protectionI am writing for breached to make data.you aware that United Shore Financial Services, LLC ("USFS") recently discovered that it was the victim of a computer intrusion by an unauthorized third party. The server that was accessed may have contained your personal information, including your name, contact infonnatlon, date of birth, driver's license number, social security number and financial account infonnation you may have previously provided to us.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: United Shore Financial Services Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/usfs-secur

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-01 TD Bank CT Electronic Banking/Credit/Financial Yes - Published # 14

**ITRC does not consider a password adequate protectionA former for TD breached Bank employee data. faces multiple charges of computer crime and identity theft after police said she filled out fraudulent credit card applications at a local bank office to boost her annual bonus.

Attribution 1 Publication: Fairfield Citizen Author: Date Published: Article Title: Former bank worker faces computer, ID theft charges Article URL: http://www.fairfieldcitizenonline.com/news/article/Former-bank-worker-faces-computer-ID-theft-4377018.php

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-04 Department of Energy - GA Electronic Government/Military Yes - Published # 12,000 Savannah River Site **ITRC does not consider a password adequate protectionFederal for officials breached are data.investigating a security breach that allowed access to the personal information of at least 12,000 Savannah River Site workers, reports The Augusta Chronicle.

Attribution 1 Publication: Atlanta Business Chronicle Author: Carla Caldwell Date Published: Article Title: Data breach affects 12,000 workers at Savannah River Site Article URL: http://www.bizjournals.com/atlanta/morning_call/2013/03/data-breach-affects-1200-workers-at.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-03 Xbox Entertainment Awards VA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionMicrosoft for isbreached picking updata. the pieces from a data breach on its Xbox Entertainment Awards website, after thousands of voters entering a prize draw had their personal details inadvertently published on the site.

Attribution 1 Publication: ITProPortal Author: Date Published: Article Title: Thousands have data exposed in Microsoft security breach Article URL: http://www.itproportal.com/2013/03/20/thousands-have-data-exposed-in-microsoft-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-02 Tallahassee Community FL Electronic Educational Yes - Published # 3,300 College **ITRC does not consider a password adequate protectionTallahassee for breached Community data. College, on Friday, announced that an unauthorized acquisition of computerized data that may materially compromise the security, confidentiality, or integrity of personal information occurred in March 2011.

Attribution 1 Publication: wctv.tv/news Author: Date Published: Article Title: TCC Data Breach Article URL: http://www.wctv.tv/news/headlines/TCC--199528531.html?ref=531

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-01 University of Mississippi MS Electronic Medical/Healthcare Yes - Published # 500 Medical Center **ITRC does not consider a password adequate protectionThe University for breached of Mississippi data. Medical Center (UMMC) recently alerted an unknown number of patients that entered the hospital between 2008 and 2013 that password-protected laptop with their data had been lost. The data included names, addresses, dates of birth, Social Security Numbers, diagnoses, medications, treatments and other personal information.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: University of Mississippi Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: healthitsecurity.com Author: Patrick Ouellette Date Published: Article Title: University of Mississippi Medical Center reports data breach Article URL: http://healthitsecurity.com/2013/03/22/university-of-mississippi-medical-center-reports-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130318-03 U.S. General Services DC 3/8/2013 Electronic Government/Military Yes - Unknown # 0 Administration **ITRC does not consider a password adequate protectionRecently, for U.S.breached GSA data.officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information.

Attribution 1 Publication: GSA website Author: Date Published: Article Title: U.S. General Services Administration Article URL: http://www.gsa.gov/portal/content/167855

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Lawrence Melrose Medical Electronic Record data breach update Article URL: http://healthitsecurity.com/2013/03/20/lawrence-melrose-medical-electronic-record-breach-update/

Attribution 2 Publication: healthitsecurity.com Author: Date Published: Article Title: Lawrence Melrose Medical Electronic Record Article URL: http://healthitsecurity.com/2013/03/18/lawrence-melrose-medical-electronic-record-reports-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130318-01 Salem State University MA Electronic Educational Yes - Published # 25,000

**ITRC does not consider a password adequate protectionA data forbreach breached at Salem data. State University may have compromised the personal information of an estimated 25,000 current and former employees.

According to university officials, a letter was sent to those affected on March 11 after virus detection software became aware of the issue.

Attribution 1 Publication: wcvb.com Author: Date Published: Article Title: 25,000 potentially affected by data breach at Salem State University Article URL: http://www.wcvb.com/news/local/boston-north/25-000-potentially-affected-by-data-breach-at-Salem-State-University/-/11

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-06 1st Response Medical MD Electronic Medical/Healthcare Yes - Published # 552 Transpot Corp. **ITRC does not consider a password adequate protectionUnauthorized for breached Access/Disclosure data. -Desktop computer

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: 1st Response Medical Transpot Corp. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-05 Stanley Black & Decker, Inc. CT Electronic Business Yes - Published # 944

**ITRC does not consider a password adequate protectionOn behalf for breachedof Stanley data. Black & Decker, Inc., I am writing to inform you about a recent incident that involved personal information about you. On January 28, 2013, the company-issued laptop of an employee in the Finance department who handled T&E charges was stolen. We began investigating the incident as soon as we learned of it. From our investigation, we believe that information stored on the laptop may have included your name and the account number and routing number of the account that you have designated as the account to which direct deposits are to be made to reimburse you for expenses incurred on the Company’s behalf.

Attribution 1 Publication: CA AG's office / MD AG's office Author: Date Published: Article Title: Stanley Black & Decker, Inc. Article URL: https://oag.ca.gov/system/files/L2Employees%20re%20stolen%20laptop_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-04 Benny's Pizza OH Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionA Marysville for breached restaurant data. has received new information about a credit data theft investigation that 10TV reported on last month.

The owner of Benny's Pizza said a forensics company determined that the restaurant's computer system was compromised remotely with malicious software. They believe that's how customers' credit card information was accessed.

Attribution 1 Publication: 10TV.com Author: Date Published: Article Title: Popular Marysville Restaurant Computer Compromised; Credit Card Information Stolen Article URL: http://www.10tv.com/content/stories/2013/03/07/marysville-restaurant-credit-card-folo.html

**ITRC does not consider a password adequate protectionThe Times for breached Union reported data. last Friday that Good Samaritan Hospital of Troy, NY alerted about 23 people that their data had been breached via computer at Rensselaer County Jail’s nurse’s station between 2008 and Nov. 16, 2011.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Good Samaritan Hospital sends health data breach letters Article URL: http://healthitsecurity.com/2013/03/11/good-samaritan-hospital-sends-health-data-breach-letters/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-02 University of Connecticut CT Electronic Medical/Healthcare Yes - Published # 1,382 Health Center **ITRC does not consider a password adequate protectionThe University for breached of Connecticut data. Health Center in Farmington will be warning 1,400 patients of a data breach, according to a report by The Hartford Courant.

Attribution 1 Publication: Becker's Hospital Review / MD AG's offi Author: Date Published: Article Title: University of Connecticut Health Center Data Breach Affects 1,400 Patients Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/university-of-connecticut-health-center-data-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-01 MedAmerica Insurance FL Electronic Medical/Healthcare Yes - Unknown # 0 Companies **ITRC does not consider a password adequate protectionOn January for breached 15, 2013, data. we learned that MedAmerica long term care insurance enrollment forms placed on what was believed to be a secure server had become publicly accessible through the internet from July 10, 2012 to January 15, 2013. Not all enrollment forms were affected. Only certain electronic forms used for web enrollment were accessible over this six month period. We immediately implemented security measures to restore the privacy and confidentiality of the information and remove it from public access. We also began a thorough investigation to determine what information may have been accessible and confirmed that it included your name, address, date of birth, and Social Security number. To the extent you provided health information or the name of your other insurance companies on the enrollment form, that information may have been included as well.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: MedAmerica Insurance Companies Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/medameri

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-03 Arkansas State University AR Electronic Educational Yes - Published # 150

**ITRC does not consider a password adequate protectionMore employees for breached on data.the campus of Arkansas State University have been affected by tax fraud.

According to Vice Chancellor of ASU, Dr. Len Frey, roughly 150 employees have now become victims, that's about 10% of their staff.

Attribution 1 Publication: kait8.com Author: Date Published: Article Title: ASU employees still affected by security breach Article URL: http://www.kait8.com/story/21557312/asu-employees-still-affected-by-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-02 Midwest Health Care Network MN Electronic Government/Military Yes - Unknown # 0 (VAMC) **ITRC does not consider a password adequate protectionThe Office for breached of Information data. Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centers routinely transmit unencrypted sensitive personal data over the public Internet.

Attribution 1 Publication: networkworld.com Author: Jaikumar Vijayan Date Published: Article Title: VA disputes charge that it transmits unencrypted personal data over public Internet Article URL: http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2013/030813-va-disputes-charge-that-it-267528.ht

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-01 Department of Health and NC Electronic Medical/Healthcare Yes - Published # 50,000 Human Services **ITRC does not consider a password adequate protectionThe contractor for breached building data. North Carolina's over-budget and overdue Medicaid billing system has lost a thumb drive containing the personal information of thousands of Medicaid providers.

Attribution 1 Publication: wral.com Author: Date Published: Article Title: Medicaid contractor loses provider's personal information Article URL: http://www.wral.com/medicaid-contractor-loses-provider-s-personal-information/12201020/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-12 Information Handling CO Electronic Business Yes - Unknown # 0 Services, Inc. **ITRC does not consider a password adequate protectionHackers for breached breached the data. servers of IHS and may have been able to access credit card, customer, and nuclear information. IHS does not believe that confidential information was compromised. The hacker group claimed to have obtained the records of 8,500 customers. They attacked in order to further their goal of revealing sensitive nuclear data to pressure the Israeli government and others into disclosing their nuclear activities.

Information Source: Media

Attribution 1 Publication: Privacy Rights Clearinghouse Author: Date Published: Article Title: Information Handling Services, Inc. Article URL: http://www.privacyrights.org/data-breach-asc?title=information+handling+services

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-11 First National Bank of CA Electronic Banking/Credit/Financial Yes - Unknown # 0 California **ITRC does not consider a password adequate protectionWe were for recently breached notified data. by our data service provider that a back-up tape containing certain of your personal information including account number(s), account balances, taxpayer identification number, and social security number was stolen on February 1, 2013. This theft did not occur at our Bank nor did it involve any of our employees. While we have no reason to believe your personal information has been, or will be compromised, we wanted to notify you of the incident and outline the steps we are taking to respond to this security breach.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: First National Bank of California Article URL: https://oag.ca.gov/system/files/sample%20final%20letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-10 Bank of Hawaii - First HI Electronic Banking/Credit/Financial Yes - Unknown # 0 Hawaiian Bank **ITRC does not consider a password adequate protectionBank of for Hawaii breached and Firstdata. Hawaiian Bank have blocked debit and credit cards for an unspecified number of customers as a precaution after a restaurant on Oahu had its computer system breached.

Attribution 1 Publication: Staradviser.com Author: Date Published: Article Title: Bank of Hawaii - First Hawaiian Bank Article URL: http://www.staradvertiser.com/s?action=login&f=y&id=194112561&id=194112561

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-09 Baptist Health - South Miami FL Electronic Medical/Healthcare Yes - Published # 834 Hospital **ITRC does not consider a password adequate protectionBaptist forHealth breached says itsdata. privacy office has recently learned that a South Miami Hospital employee inappropriately accessed 834 patient records.

Attribution 1 Publication: Local10.com / PHIPrivacy.net Author: Date Published: Article Title: South Miami Hospital employee accesses patient records Article URL: http://www.local10.com/news/South-Miami-Hospital-employee-accesses-patient-records/-/1717324/19144144/-/d62wpkz/

**ITRC does not consider a password adequate protectionThe FBI for is breachedinvestigating data. a dumpster full of medical documents that Channel 2's Ross Cavitt found outside an office complex in Hiram.

Cavitt called authorities after finding the documents full of people's sensitive identification and medical information. The caller who gave Cavitt the tip said the documents were in the dumpster all weekend. Someone also might have dumped other boxes in the past 48 hours, the caller said.

Attribution 1 Publication: PHIprivacy.net / WSBTV.com Author: Date Published: Article Title: Confidential records found in Paulding Co. dumpster Article URL: http://www.wsbtv.com/news/news/local/personal-medical-records-found-paulding-co-dumpste/nWghG/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-07 Prudential Insurance NJ Electronic Business Yes - Unknown # 0 Company of America - Unisys **ITRC does not consider a password adequate protectionPrudential for breachedprovides, data.or in the past did provide, group life insurance to you as a result of your employment relationship with Unisys. I am writing to let you know that a Prudential associate made a clerical error and inadvertently emailed a document containing information relating to your insurance relationship with us, including your name, address, date of birth, Social Security number, and salary information, to another individual at Unisys. This occurred on December 13, 2012. The recipient notified the Prudential associate immediately and notified Unisys management, which also notified Prudential. The recipient has deleted the document as well.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Prudential Insurance Company of America Article URL: https://oag.ca.gov/system/files/03.04.2013%20Individual%20Notice%20Letter_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-06 FabricDepot OR Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn January for breached 7, 2013, data. I (FabricDepot) learned of a data security incident that may have resulted in the disclosure of the credit card information, names, and billing address associated with your online purchase. Shortly after learning of the incident, we retained a forensic computer investigator, who determined that on or about October 16, 2012 an unauthorized third party gained access to our website and data system.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: FabricDepot Article URL: https://oag.ca.gov/system/files/Customer_Notification_Ltr_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-05 TD Bank, N.A. NJ Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to let data.you know about an incident involving your personal information. You are receiving this letter either because you are (or were) a customer of TD Bank, or because you or another person or account holder provided TD Bank with your personal information. For example, you may be a relative, dependent, beneficiary, guarantor or otherwise connected to a current or former account holder.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: TD Bank, N.A. Article URL: https://oag.ca.gov/system/files/MT-March%202013_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-04 Unknown Medical Facility UT Electronic Medical/Healthcare Yes - Published # 35

**ITRC does not consider a password adequate protectionThere arefor breachedvery few places data. off-limits for identity thieves. They don’t really care how they get your information—even if you’re sitting in a hospital. One woman found that out the hard way. "The dream was gone. Everything we worked for, gone,” Elsy, a victim of identity theft, says. Elsy was devastated after discovering the money she and her husband had been saving for a new home had been stolen from their bank account. "They got our personal information from the medical facility where my husband was getting treatment for leukemia,” she says.

Attribution 1 Publication: KUTV.com Author: Date Published: Article Title: Clinic Corruption: Hospital Identity Theft Article URL: http://www.kutv.com/news/top-stories/stories/vid_4077.shtml

**ITRC does not consider a password adequate protectionMobile forpolice breached have arrested data. a man for credit card fraud and trafficking in stolen identities after they say he took credit card information from 23 motel customers.

Attribution 1 Publication: Fox10tv.com Author: Letisha Bush Date Published: Article Title: Hotel clerk stole 23 credit card numbers Article URL: http://www.fox10tv.com/dpp/news/local_news/mobile_county/mpd-hotel-clerk-stole-23-credit-card-numbers

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-02 Samaritan Hospital NY Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAn official for breachedat Samaritan data. Hospital confirmed a nursing supervisor at the Rensselaer County jail improperly accessed the hospital’s patient records, triggering an investigation by Sheriff Jack Mahar.

Attribution 1 Publication: The Saratogian Author: Date Published: Article Title: Samaritan Hospital confirms patient records security breach in 2011 Article URL: http://saratogian.com/articles/2013/03/01/news/doc513105ba6f4ba045285003.txt

Attribution 2 Publication: timesunion.com Author: Brendan J. Lyons Date Published: Article Title: Guards allege privacy breach Article URL: http://www.timesunion.com/local/article/Guards-allege-privacy-breach-4837533.php

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-01 Orleans County NY Electronic Government/Military Yes - Published # 25 Administration **ITRC does not consider a password adequate protectionCounty for officials breached learned data. last Wednesday that around 25 of the 600 people employed by the county may have had their identity compromised. Once officials found out, they started investigating and alerting employees.

Attribution 1 Publication: Rochester Your News Now (YNN) Author: Katie Cummings Date Published: Article Title: Investigation into security breach at Orleans County office building Article URL: http://rochester.ynn.com/content/top_stories/643722/investigation-into-security-breach-at-orleans-county-office-buildin

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-08 Variable Annuity Life TX Electronic Business Yes - Unknown # 0 Insurance Company **ITRC does not consider a password adequate protectionOn behalf for breachedof V ALIC data.we would like to advise you that certain elements of your personal and financial information may have recently been compromised. Our systems indicate that a user ID and profile was recently set-up on www.valic.com to view your V ALIC account(s) online. A confirmation of this transaction was mailed to you. We believe you may not have initiated this transaction.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Variable Annuity Life Insurance Company Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/variable-a

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-07 Wallboard Supply Company NH Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe McLane for breached law firm data. represents Agincourt Wallboard, LLC d/b/a Wallboard Supply Company ("Wallboard"), which is headquartered in Londonderry, New Hampshire. We are writing to inform you about a recent data security breach at Wallboard that affects 36 residents of New Hampshire. On January 17, 2013, Wallboard learned that eight of its employees received a physical payroll check, rather than having their wages deposited directly into their bank accounts, as was the norm for them. Wall board immediately launched an investigation into the matter, notified and filed a report with law enforcement, and gave notice to its employees orally and by email. Wallboard learned from its payroll vendor that someone had used the administrator's credentials to access (without authorization) Wallboard's payroll system. The payroll system contained the names and addresses of Wallboard's sixty-two employees, their social security numbers, their bank account routing information, and other employment information about them.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Wallboard Supply Company Article URL: http://doj.nh.gov/consumer/security-breaches/documents/wallboard-supply-20130211.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-06 Mt. Rushmore Securities LLC IA Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionPursuant for to breached N.H.R.S. data. § 359C:20(b), I am providing notice to you of a breach of security that may have affected two New Hampshire residents. Personal information of certain clients of Mt Rushmore Securities LLC, Mt Rushmore Management LLC, Mt Rushmore Investment Corp, MidAmerica Financial Services ("the Mt. Rushmore firms") was made available through Google queries when confidential documents were inadvertently made accessible to Google' s web indexing software on an IT contractor's server.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Mt. Rushmore Securities LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/mt-rushmore-20130214.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-05 MassMutual Retirement MA Electronic Business Yes - Published # 917 Services **ITRC does not consider a password adequate protectionOn January for breached 28, 2013, data. the benefits coordinator for Crotched Mountain Foundation Plan ("Plan"), a MassMutual Retirement Services ("RS") client, sent an email to the Plan's MassMutual RS account manager. The Plan benefits coordinator copied a participant in the Plan on the email to MassMutual Later that same day, the MassMutual RS account manager responded to the email. which was sent to both individuals, and included a participant demographic file. The participant demographic file contained the contract number of the Plan and the full names. addresses, and Social Secunty numbers of 917 participants in the Plan.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: MassMutual Retirement Services - Crotched Mountain Foundation Plan Article URL: http://doj.nh.gov/consumer/security-breaches/documents/massachusetts-mutual-20130214.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-04 CoreLogic Credco CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionCoreLogic for breachedCredco ("Credco") data. resells credit reports to authorized business clients who use the reports to make lending decisions. An unauthorized third party fraudulently obtained credentials to obtain access to Credco credit report ordering system.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: CoreLogic Credco Article URL: http://doj.nh.gov/consumer/security-breaches/documents/corelogic-credco-20130207.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-03 Haagen-Daz FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionAnyone for who breached made a data. purchase at the Häagen-Daz inside the food court in International Plaza since April of 2012 may have been affected by identity theft. A flash drive that contained key-logger software was connected to a register at the store. It recorded payment card transactions and allowed thieves to make counterfeit credit cards. Two men were arrested in June of 2012 for using fraudulent card information and that information was later linked to the Häagen-Daz shop.

Attribution 1 Publication: Privacy Rights Clearinghouse Author: Date Published: Article Title: Haagen-Daz Article URL: https://www.privacyrights.org/node/56003

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-02 Massachusetts Mutual Life MA Paper Data Business Yes - Unknown # 0 Insurance Company **ITRC does not consider a password adequate protectionMassachusetts for breached Mutual data. Life Insurance Company and its subsidiaries ("MassMutual") understand the importance of protecting the privacy and security of information about our customers, and take seriously our obligations to protect this information. MassMutual has an established business relationship with Convey Compliance Systems, Inc. ("Convey") to provide print and mailing services for MassMutual's annual IRS Form I 099 mailing. On February 1, 2013, Convey notified us of an incident that resulted in the Forms 1099 for a number of MassMutual clients being mailed with an incorrect mailing address. Unfortunately, your Form 1099 was in the affected group.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Massachusetts Mutual Life Insurance Company Article URL: https://oag.ca.gov/system/files/MassMutual%20Sample%20Breach%20Notice%20CA%2022013_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-01 Mercedes-Benz of Walnut CA Electronic Business Yes - Unknown # 0 Creek **ITRC does not consider a password adequate protectionI am contacting for breached you regardingdata. a data security incident that has occurred at Mercedes-Benz of Walnut Creek. On Friday, February 8, 2013, around 7:00 am we discovered a forcible break-in at Mercedes-Benz of Walnut Creek’s dealership. Between the close of business on Thursday, February 7th and the morning of Friday, February 8th, a thief or thieves pried open a locked exterior door to the dealership, another locked interior door into the Business Office was pried open, and once inside the Business Office, locked file cabinets containing customer deal jackets were pried open and some customer deal files were removed. Additionally, some files containing customer personal information were removed from our Service Department.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Mercedes-Benz of Walnut Creek Article URL: https://oag.ca.gov/system/files/MB%20sample%20letter%20proof%20v2_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130226-02 Crescent Healthcare CA Electronic Medical/Healthcare Yes - Published # 109,000

**ITRC does not consider a password adequate protectionLast week, for breached Crescent data. Healthcare -- an Anaheim-based Walgreens company -- began notifying patients and employees of a data breach that occurred late last year, Healthcare IT News reports.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Crescent Healthcare Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: CaliforniaHealthline / CA AG's office Author: Date Published: Article Title: Crescent Healthcare Notifies Individuals of 2012 Data Breach Article URL: http://www.californiahealthline.org/articles/2013/2/26/crescent-healthcare-notifies-individuals-of-2012-data-breach.aspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130226-01 North Carolina Department of NC Paper Data Government/Military Yes - Published # 26,000 State **ITRC does not consider a password adequate protectionNorth Carolina for breached officials data. have warned about 26,000 retired government employees that their Social Security numbers may have been exposed to public view in an apparent security breach made in January.

Attribution 1 Publication: Newsobserver.com / datalossdb.org Author: Date Published: Article Title: 26,000 NC retirees warned of security breach Article URL: http://blogs.newsobserver.com/business/26000-nc-retirees-warned-of-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130225-01 Sprouts Farmers Market AZ Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionSprouts for Farmers breached Market data. is encouraging customers to check their bank accounts for unusual activity in the last month.

The chain learned that illegal software targeted customers' information at 19 of its 151 stores between Jan. 25 and Jan. 29, 2013.

Attribution 1 Publication: ABC15.com Author: Erisa Nakano / Steve Date Published: Article Title: Sprouts Farmers Market Alert: Security breach affects Arizona, California stores Article URL: http://www.abc15.com/dpp/news/state/sprouts-farmers-market-alert-security-breach-affects-arizona-stores

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130222-01 Polk County School District FL Paper Data Educational Yes - Published # 200

**ITRC does not consider a password adequate protectionhe Social for Securitybreached numbers data. of nearly 200 students who paid tuition for education programs could be compromised, according to a letter sent out recently by the Polk County School District. Students affected can contact the School District, which will pay for a one-year membership to an online identity theft protection program that will cost the district between $80 and $90 per student.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: theledger.com / datalossdb.org Author: Jeremy Maready Date Published: Article Title: Nearly 200 Students Warned of ID Theft Risk Article URL: http://www.theledger.com/article/20130220/NEWS/130229907/1134?Title=Nearly-200-Students-Warned-of-ID-Theft-Risk-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-07 Silver Star Motors IL Electronic Business Yes - Published # 25

**ITRC does not consider a password adequate protection The owner for breached of a Cortland data. used-car dealership was charged with seven counts of identity theft Wednesday for allegedly using his customers’ information to take out phony car loans.

Attribution 1 Publication: datalossdb.org / Daily Chronicle Author: Jeff Engelhardt Date Published: Article Title: Cortland car dealership owner charged with ID theft Article URL: http://www.daily-chronicle.com/2013/01/30/cortland-car-dealership-owner-charged-with-id-theft/ab2qnpq/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-06 Central Laborers' Pension IL Electronic Business Yes - Published # 30,000 Fund **ITRC does not consider a password adequate protectionThe U.S. for Court breached of Appeals data. for the Seventh recently ruled that Nationwide Insurance Co. has no duty to defend or indemnify an accountant who lost sensitive personal information from client files. According to the lawsuit, the accountant's loss of the information stemmed from the theft of a CD containing confidential client information from the accountant's personal car. The CD contained the social security numbers, names, and birth dates of over 30,000 beneficiaries of the accounting firm's clients, the Central Laborers' Pension Fund, Central Laborers' Welfare Fund, and Central Laborers' Annuity Fund. After the Funds sued the accounting firm to recoup $200,000 (the costs of credit monitoring and insurance),

Attribution 1 Publication: Lexology Author: Date Published: Article Title: Insurance company need not defend accountant who lost sensitive client information Article URL: http://www.lexology.com/library/detail.aspx?g=b4cf8fba-cfe6-4780-9daa-7ba827dd9c2a

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-05 HSBC Bank USA IL Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to notify data. you of a breach and unauthorized access of customer data involving eleven (11) New Hampshire residents. On December 20, 2012, HSBC became aware that an employee accessed customer accounts and is suspected of supplying fraudsters with customer account and personal data with the intent of creating false identification cards to affect fraudulent withdrawals from bank deposit accounts. The type of information involved in the incident that may have been accessed includes a customer's name, social security number, personal identification type (i.e., driver's license number), telephone number, account number and account type.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: HSBC Bank USA Article URL: http://doj.nh.gov/consumer/security-breaches/documents/hsbc-bank-20130131.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-04 Capella University MN Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionCapella for University breached is data. committed to protecting the information it maintains on behalf of its learners. Regrettably, we are writing to inform you about an incident involving some of that information. During the week of January 28, 2013, we determined that an employee in the collection department had sent information that included the name and Social Security numbers of a small group of learners to a personal e-mail account in violation of Capella policy. Capella promptly took action by terminating the employee, removing the employee's access to our networks, and further securing the records we maintain.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Capella University Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/capella-u

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-03 Central Hudson Gas & NY Electronic Business Yes - Published # 110,000 Electric Corp. **ITRC does not consider a password adequate protectionCentral for Hudson breached Gas data. & Electric Corp. has determined that about 110,000 customers may have been affected by a weekend cyber security attack, but there's still not evidence that customer information was downloaded or misused, the company stated in a press release.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Poughkeepsie Journal Author: Date Published: Article Title: CYBER ATTACK UPDATE: Central Hudson: Free year of credit checks for 110,000 customers Article URL: http://www.poughkeepsiejournal.com/article/20130220/NEWS/130219026/Central-Hudson-Cyber-attack-updates-expecte

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-02 Mid-Florida Urological FL Paper Data Medical/Healthcare Yes - Unknown # 0 Associates - Orlando Health **ITRC does not consider a password adequate protectionAnother for insider breached breach data. at a Florida medical practice for a fraud scheme; this time it’s insurance fraud.

Attribution 1 Publication: phiprivacy.net / datalossdb.org Author: Date Published: Article Title: Medical assistant stole patient information for insurance fraud scheme Article URL: http://www.phiprivacy.net/?p=11709

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-01 Bank of America WA Electronic Banking/Credit/Financial Yes - Unknown # 0

**ITRC does not consider a password adequate protectionBank of for America breached last data. week blamed a suspected breach of credit card data on an unidentified third party, which the bank later revealed to be a merchant. The incident illustrates security risks institutions increasingly face, whether because of a merchant breach or relying too heavily on partners and suppliers.

Attribution 1 Publication: BankInfoSecurity Author: Tracy Kitten Date Published: Article Title: Bank of America Responds to Breach Article URL: http://www.bankinfosecurity.com/bank-america-responds-to-breach-a-4487

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130219-02 Union County Public Schools NC Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionUnion Countyfor breached Public data. Schools employees are at-risk after someone hacked the Public School System web server Thursday.

According to an email from Superintendent Mary Ellis, "It is possible that confidential employee information, including social security numbers, has been compromised."

Attribution 1 Publication: WBTV.com Author: Jessica Sells Date Published: Article Title: Union County Public Schools: Web server hacked, information may be compromised Article URL: http://www.wbtv.com/story/21216611/union-county-public-schools-web-server-hacked-information-may-be-compromise

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130219-01 Heyman Hospice Care GA Electronic Medical/Healthcare Yes - Published # 1,819

**ITRC does not consider a password adequate protectionHeyman for HospiceCare breached data. at Floyd (“Heyman HospiceCare”) is committed to protecting the personal information it maintains on behalf of its patients. Regrettably, this notice is regarding an incident involving some of that information.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Heyman Hospice Care Article URL: Heyman Hospice Care

Attribution 2 Publication: Company website Author: Date Published: Article Title: Privacy Notice for Heyman HospiceCare at Floyd Patients Article URL: http://www.floyd.org/hospice/privacy_notice.htm

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130214-02 Cbr Systems, Inc. CA Electronic Medical/Healthcare Yes - Published # 300,000

**ITRC does not consider a password adequate protectionThe operator for breached of a leading data. cord blood bank, Cbr Systems, Inc., agreed to settle Federal Trade Commission charges that it failed to protect the security of customers’ personal information, and that its inadequate security practices contributed to a breach that exposed Social Security numbers and credit and debit card numbers of nearly 300,000 consumers.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: FTC Author: Date Published: Article Title: Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information Article URL: http://ftc.gov/opa/2013/01/cbr.shtm

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130214-01 Froedtert Hospital WI Electronic Medical/Healthcare Yes - Published # 43,000

**ITRC does not consider a password adequate protectionA computer for breached hacker may data. have information on 43,000 patients at Froedtert Hospital and some of its clinics.

Attribution 1 Publication: WTMJ4 Author: Date Published: Article Title: Hacker may have obtained 43,000 Froedtert patients' information Article URL: http://www.todaystmj4.com/news/local/191181111.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130213-01 Palm Beach County Health FL Electronic Medical/Healthcare Yes - Published # 877 Department **ITRC does not consider a password adequate protectionA senior for clerk breached at the data.Palm Beach Health Department was arrested Tuesday and charged with using her job to steal identity information from more than 2,800 patients.

Attribution 1 Publication: Sun Sentinel Author: Date Published: Article Title: Health Department clerk arrested for ID theft Article URL: http://www.sun-sentinel.com/news/palm-beach/fl-health-idtheft-20130212,0,4593292.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-13 Riderwood Village MD Electronic Medical/Healthcare Yes - Published # 3,230

**ITRC does not consider a password adequate protectionRiderwood for breached Village,MD,,3230,11/18/2012,Theft,Laptop,2/8/2013,, data.

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Riderwood Village Article URL: http://www.phiprivacy.net/?cat=19

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-12 American HomePatient Inc. TN Electronic Medical/Healthcare Yes - Published # 1,103

**ITRC does not consider a password adequate protectionAmerican for Homebreached Patient data. Inc.,TN,LifeGas,1103,10/11/2012,Theft,Laptop,2/7/2013,,

Attribution 1 Publication: HHS.gov / PHIPrivacy.net Author: Date Published: Article Title: American HomePatient Inc. Article URL: http://www.phiprivacy.net/?cat=19

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-11 Lee Miller Rehab Associates MD Electronic Medical/Healthcare Yes - Published # 10,480

**ITRC does not consider a password adequate protectionLee Miller for breachedRehab Associates,MD,,10480,1/15/2012,Theft,Network data. Server,2/7/2013,,

Attribution 1 Publication: HHS.gov / PHIPrivacy.net Author: Date Published: Article Title: Lee Miller Rehab Associates Article URL: http://www.phiprivacy.net/?cat=19

**ITRC does not consider a password adequate protectionPursuant for to breached N.H. Rev. data. Stat. Ann. § 359-C:20(1)(b), I am writing to notifY you of potential unauthorized access to personal information involving 2 New Hampshire residents. On January 28, 2013, Zalicus Inc. prepared and mailed approximately 48 2012 1099-MISC tax forms (the "Forms") to its third party vendors, consultants and other individuals. Due to human error, some of the Forms were inadvertently mailed to incorrect recipients (the "Unintended Recipients"). Along with the first and last name of an individual recipient, the Forms contained the social security number of the individual recipient in the box labeled "Recipient's Identification Number".

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Zalicus Inc. Article URL: http://doj.nh.gov/consumer/security-breaches/documents/zalicus-20130201.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-09 NECA / IBEW Family Medical GA Paper Data Business Yes - Unknown # 0 Care Plan **ITRC does not consider a password adequate protectionPursuant for to breached New Hampshire data. state law, we are writing to notify you of an unauthorized use of personal information involving three (3) New Hampshire residents. CHANGED FROM MEDICAL TO BUSINESS 2/2014 - SSN'S NOT PHI Late in December 2012, the NECA/IBEW Family Medical Care Plan ("FMCP") mailed to its participants the FMCP's generic Summary of Benefits Coverage and the Summary of Material Modifications disclosure documents. The Social Security numbers of some the individuals were inadvertently displayed on the envelope of these mailings.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: NECA / IBEW Family Medical Care Plan Article URL: http://doj.nh.gov/consumer/security-breaches/documents/neca-ibew-20130118.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-08 Federal Network Systems LLC VA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you that in December 2012 we discovered that a computer containing a file with personal information, including names and Social Security numbers, for some of our former and current employees and independent contractors, was infected with malware. Upon learning of the malware, our network security team immediately isolated the infected machine and took it off line. The malware was then removed from our systems.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Federal Network Systems LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/federal-network-20130116.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-07 Agincourt Wallboard ME Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn January for breached 19, 2013, data. Wallboard gave employees notice about a security breach of its payroll system. In that notice, Wallboard described its understanding of the general nature of the situation and the type of information compromised, and gave some recommendations as to the immediate actions employees should have taken to protect themselves financially and their personal information. This notice now provides more comprehensive information about the incident.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Agincourt Wallboard Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/agincourt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-06 Boca Raton Regional Hospital FL Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe Miami for breached area, infamous data. for its smorgasbord of fraud schemes, is among the worst spots for what he described as an “epidemic” ID-theft crime wave. To drive home his point at the height of the tax season, Ferrer’s office unveiled the latest prosecutions of 14 defendants in a variety of tax-refund rackets. Among them: Yet another case of a South Florida hospital employee swiping patients’ Social Security numbers and dates of birth to defraud the Internal Revenue Service. According to an indictment filed in January, Boca Raton Regional Hospital scheduler Shalamar Major, 32, of Deerfield Beach, stole the personal information of patients and supplied the data to Tanisha Wright in exchange for a split fee for every successful false return submitted to the IRS.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Miami Herald Author: Jay Weaver Date Published: Article Title: Miami U.S. attorney issues warning and crackdown on ID theft, tax-refund fraud Article URL: http://www.miamiherald.com/2013/02/06/3220176/miami-us-attorney-issues-warning.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-05 Wayne Memorial Hospital PA Electronic Medical/Healthcare Yes - Published # 1,182

**ITRC does not consider a password adequate protectionWayne forMemorial breached Hospital data. in Honesdale, Pa., has issued the following public notice of a major breach of protected health information. The notice does not indicate the size of the breach; The Citizens’ Voice newspaper in Wilkes-Barre reports 1,182 patients were affected and Social Security numbers were among the compromised data. Here is the hospital notice:

“Wayne Memorial Hospital ("WMH") is committed to protecting the information it maintains on behalf of its patients. Regrettably, this notice is regarding an incident involving some of that information.

“On December 3, 2012, we learned that an unencrypted CD containing patient information had gone missing. The CD was included in a package sent by certified mail to our government authorized Medicare Administrative Contractor. Our contractor received the package damaged and without the CD. Upon learning this, we immediately conducted a thorough investigation, including a diligent search for the CD with both the United States Post Office and the contractor. To date, we have been unable to locate the CD. We have confirmed that the CD contained patient names, account balances, and, in some instances, Medicare numbers. The CD did not contain any financial information (such as credit card and/or bank account number).

Attribution 1 Publication: Health Data Management / hhs.gov Author: Date Published: Article Title: Breach Reported after CD Shipped to Medicare is Lost Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-hospital-45565-1.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-04 THORLO NC Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionMy name for isbreached Jim Throneburg data. and I am the owner of THORLO. I am sending you this letter because you, and our company, have been the victims of a cybercrime that has potentially resulted in the theft of certain of your personal information, including your credit card information. This theft could result in fraudulent charges on your credit card account. We have filed reports with the FBI Cyber Crimes Unit and our local police department, and they have active investigations under way as well.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: THORLO Article URL: https://oag.ca.gov/system/files/Thorlo%20Inc%20Ad%20NO%20Credit%20Services%20r3prf_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-03 Schneider-Electric IL Paper Data Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionI am writing for breached to inform data. you that Schneider Electric recently learned that on or about January 16, 2013, one of the bulk mail vendors that performs mailing activities on behalf of our Employee Share Plan mistakenly included your Social Security Number ("SSN") in the address field of a Call for Candidacy letter (the "Mailing") mailed to you on our behalf. Accordingly, the Mailing to you included the following categories of data in the address window: SSN, Name, and Address.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Schneider-Electric Article URL: https://oag.ca.gov/system/files/Employee%20Letter%20Signed_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-02 Talk Fusion FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to make data. you aware that a portion of Talk Fusion’s computer network was criminally attacked, and we regret that certain elements of your information may have been compromised. At Talk Fusion, protecting the privacy and security of your information is an absolute top priority, and we want to assure you that we have taken multiple steps to prevent this type of attack from happening again.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Talk Fusion Article URL: https://oag.ca.gov/system/files/Talk%20Fusion%20-%20Form%20of%20consumer%20notification%2021113_0.pdf?

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of a recent incident during which your personal information may have been accessed without your authorization. On January 25, 2013, we discovered that a file on our internet servers containing your name, address, phone and credit card number had been potentially accessible to outsiders without authorization for several weeks. The credit card number in the file was used on Knitpicks.com, ArtistsClub.com or ConnectingThreads.com.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Crafts Americana Group, Inc. Article URL: https://oag.ca.gov/system/files/Multi-state%20notification%20letter%20-%20Crafts%20Americana%20-%20letterhead_0.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130211-01 Penn State Harrisburg PA Electronic Educational Yes - Published # 808

**ITRC does not consider a password adequate protectionA computer for breached at Penn data.State Harrisburg that contained 808 Social Security numbers (SSNs) was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. The SSNs were found in archived documents related to conference registrations from 1999 to 2001. "Malware" is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, worm or other destructive program.

Attribution 1 Publication: Penn State Publication / datalossdb.org Author: Date Published: Article Title: Malware opens door to possible information exposure Article URL: http://live.psu.edu/story/64189

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-05 Walz and Associates Law NM Paper Data Business Yes - Unknown # 0 Firm **ITRC does not consider a password adequate protectionHundreds for breachedof personal data. documents from dozens of people were all found in a very public place, but how did they get there and who's at risk?

The court files were found in a Bernalillo County Recycling Center in Tijeras and contained people's criminal histories, depositions and even medical records.

Attribution 1 Publication: KRQE.com / datalossdb.org Author: Date Published: Article Title: Personal information found in trash Article URL: http://www.krqe.com/dpp/news/crime/personal-information-found-in-trash

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-04 McDonalds FL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionSome customersfor breached at onedata. Boca Raton McDonald's aren't lovin' it.

Not after they rolled through the drive-through on West Yamato Road and handed their credit cards to Percival James, whom Boca Raton police say promptly stole their credit card information and sold it on the streets for cash.

James, 22, of Delray Beach, is charged with using a scamming device to defraud McDonald's customers, according to a Boca Raton police report.

Attribution 1 Publication: datalossdb.org / SunSentinel Author: Date Published: Article Title: Boca McDonald's employee stole customer credit card information, police say Article URL: http://www.sun-sentinel.com/news/palm-beach/fl-boca-mcdonalds-scammer-arrest-20130131,0,2137385.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-03 Bashas' Family of Stores AZ Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThe compromise for breached of hundredsdata. of payment cards, apparently tied to fraud worldwide, has been linked to a network hack affecting Arizona- based supermarket chain Bashas' Family of Stores.

An executive with a card-issuing institution that serves the West Coast, who asked not to be named, says fraudulent transactions linked to the Bashas' breach have shown up in international markets. "From what we are seeing, this is a corporate breach that is very active with fraud occurring worldwide," the executive says.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: BankInfoSecurity Author: Tracy Kitten Date Published: Article Title: New Retail Breach Tied to Global Fraud Article URL: http://www.bankinfosecurity.com/new-retail-breach-tied-to-global-fraud-a-5483/op-1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-02 TheConnecticutStore.com CT Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionI am so for very breached sorry to data. have to notify you of a potential security breach on our Connecticut Store online e-commerce system. Our records indicate that you ordered from our website, (TheConnecticutStore.com). While I currently have no evidence that your personal information was misused, I want to notify you of this incident.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: TheConnecticutStore.com Article URL: REFERENCES

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-01 Department of Energy DC Electronic Government/Military Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOnline forattackers breached successfully data. penetrated the Department of Energy (DOE) network in the middle of January and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors.

Attribution 1 Publication: InformationWeek Security Author: Mathew Schwartz Date Published: Article Title: Department of Energy Confirms Data Breach Article URL: http://www.informationweek.com/security/attacks/department-of-energy-confirms-data-breac/240147877

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-03 Tallahassee Memorial FL Electronic Medical/Healthcare Yes - Published # 124 HealthCare **ITRC does not consider a password adequate protectionIn response for breached to former data. Tallahassee Memorial HealthCare food service employee Spencer Larry Parson being indicted in U.S. District Court this week for, among other charges, identity theft, the hospital says that it has amended its patient privacy policies.

Memorial HealthCare maintains that it has reminded employees of the importance of keeping patient data safe and using provided bins to shred paper records. It has also provided identity protection services to 124 patients after Parson stole patient names and dates of birth from food tray receipts, according to Tallahassee.com. The hospital notified the potentially affected patients through letters as well as offering credit monitoring and identity recovery services.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Tallahassee Memorial HealthCare strengthens privacy policies Article URL: http://healthitsecurity.com/2013/02/01/tallahassee-memorial-healthcare-strengthens-privacy-policies/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-02 River Falls Medical Clinic WI Paper Data Medical/Healthcare Yes - Published # 2,400

**ITRC does not consider a password adequate protectionPerhaps for the breached Office for data. Civil Rights (OCR) was so specific with subcontractor language and breach notification amendments in the HIPAA omnibus rule for good reason. Similar to many recent healthcare data breaches, River Falls Medical Clinic notified about 2,400 clients of a breach that was tied to a subcontractor, in this case an outside cleaning service employee who stole patient records during the summer of 2012.

Attribution 1 Publication: HealthIT Security Author: Date Published: Article Title: River Falls Medical Clinic announces patient data breach Article URL: http://healthitsecurity.com/2013/02/04/river-falls-medical-clinic-announces-patient-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-01 Twitter CA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionThis week, for breached we detected data. unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information ? usernames, email addresses, session tokens and encrypted/saltedversions of passwords ? for approximately 250,000 users.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Twitter's Blog Author: Date Published: Article Title: Twitter Article URL: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-05 Works Café NH Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionLate Wednesday for breached night, data. the Reformer received the following statement from Richard French, president of the Works Bakery Cafe. "The Works Cafe, with locations in Manchester and Brattleboro; Keene, Durham, Portsmouth and Concord, N.H.; and Portland, Maine, is investigating third-party allegations concerning theft of customer credit card and debit card account information.

Attribution 1 Publication: Brattleboro Reformer Author: Date Published: Article Title: Possible data breach at local café Article URL: http://www.reformer.com/localnews/ci_22486294/possible-data-breach-at-local-cafe

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-04 Los Angeles County CA Electronic Government/Military Yes - Unknown # 0 Department of Public Social **ITRC does not consider a password adequate protectionVeronico for Niko, breached a former data. Los Angeles County Department of Public Social Services employee, has pleaded guilty to stealing names and Social Security numbers for use in a tax refund fraud scheme.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: LA DPPS employee pleads guilty to stealing clients’ info for tax refund fraud scheme Article URL: http://www.databreaches.net/?cat=15

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-03 Antioch Unified School CA Electronic Educational Yes - Unknown # 0 District **ITRC does not consider a password adequate protection District for officials breached have data. been working to fix an inadvertent disclosure of some personal employee information that spread last week via email. While a former Antioch Unified employee was trying to pass on information about a replacement's responsibilities at the end of the workday Jan. 18, the employee attached a file to an email that went to a limited number of district personnel that had confidential information -- namely Social Security numbers and some worker compensation claim information for current and former employees who reported injuries, Superintendent Donald Gill said.

Attribution 1 Publication: MercuryNews.com / databreaches.net Author: Paul Burgarino Date Published: Article Title: Antioch district working to fix inadvertent disclosure of employee data Article URL: http://www.mercurynews.com/breaking-news/ci_22467261/antioch-district-working-fix-inadvertent-disclosure-employee

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-02 Stethoscope.com MA Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionWe are for writing breached to inform data. you of the data intrusion incident and the steps we have been taking to help safeguard your personal information. CHANGED FROM MEDICAL TO BUSINESS 2/2014

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Stethoscope.com Article URL: https://oag.ca.gov/system/files/Template%20Breach%20Notice%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-01 North Los Angeles County CA Electronic Medical/Healthcare Yes - Unknown # 0 Regional Center **ITRC does not consider a password adequate protectionNorth Los for breachedAngeles County data. Regional Center (NLACRC) is writing to you because of an incident which may have potentially exposed your contact information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: North Los Angeles County Regional Center Article URL: https://oag.ca.gov/system/files/NLACRC%20Notice_0.pdf?

**ITRC does not consider a password adequate protectionWe take for your breached privacy data. and the confidentiality of the information entrusted to us very seriously. Despite our best attempts, there was a recent incident in which your personal information, in connection with your participation in the Boy Scouts of America 2003 health benefit plan, may have been compromised. We wanted to make you aware, as well as explain some options available to you to protect you. According to RR Donnelley, a print and mailing vendor that UnitedHealthcare uses, sometime between the second half of September and the end of November, 2012, an unencrypted desktop computer was stolen from one of its facilities.

Attribution 1 Publication: CA AG's office / hhs.gov Author: Date Published: Article Title: RR Donnelley Article URL: https://oag.ca.gov/system/files/Notification%20Letter_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130129-03 Department of Juvenile FL Electronic Government/Military Yes - Unknown # 0 Justice **ITRC does not consider a password adequate protectionThree computersfor breached containing data. sensitive Department of Juvenile Justice information were stolen, Orlando police reported Thursday.

Few details about the theft were released.

A brief Orlando police incident report said the computers and television were stolen from the Boca Club apartments Wednesday morning.

Police would not release any other information, citing the case is under investigation.

Attribution 1 Publication: Orlando Sentinel / databreaches.net Author: Amy Pavuk Date Published: 9/6/2012 Article Title: Computers with sensitive Juvenile Justice data stolen Article URL: http://articles.orlandosentinel.com/2012-09-06/news/os-juvenile-justice-computers-stolen-20120906_1_orlando-police-th

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130129-01 Brentwood Primary Care FL Electronic Medical/Healthcare Yes - Published # 261 Clinic **ITRC does not consider a password adequate protectionNames for and breached Social Security data. numbers of 261 people were illegally photographed at a Shands Jacksonville clinic then transmitted to another person, according to an arrest report in the case.

Attribution 1 Publication: phiprivacy.net / jacksonville.com Author: Dana Treen Date Published: Article Title: Office intern at Jacksonville primary care center charged with ID theft Article URL: http://www.phiprivacy.net/?p=11486

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130128-01 Cheyney University PA Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOfficials for at breached Cheyney data.University are urging students to check their credit reports after an inadvertent release of their personal data, including Social Security numbers.

Attribution 1 Publication: Author: Date Published: Article Title: Pa. university warns students of privacy breach Article URL: http://www.sfgate.com/news/article/Pa-university-warns-students-of-privacy-breach-4224641.php

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130122-03 King Drug & Home Care KY Electronic Medical/Healthcare Yes - Published # 13,619

**ITRC does not consider a password adequate protectionKing Drug for breached& Home Care data. has mailed letters to 13,619 clients regarding a potential breach of their protected health information. The breach occurred on or around November 19, 2010 and was discovered on November 23, 2010. The potential data breach was discovered by the Director of Information Systems when a portable electronic hard drive device was reportedly misplaced by an employee. Upon learning of the incident, a thorough search ensued, but the device was never located. T

Attribution 1 Publication: Public Notice / PHIprivacy.net Author: Date Published: Article Title: King Drug & Home Care Article URL: www.kingdrug.com/docs/PHIBreachNotice.pdf

Attribution 1 Publication: Fox 31 Denver - PHIprivacy.net Author: Date Published: Article Title: Office of Dr. Sandra Bujanda-Wagner Article URL: http://kdvr.com/2013/01/08/patients-personal-information-found-in-dumpster-outside-dentists-office/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130122-01 Lucile Packard Children's CA Electronic Medical/Healthcare Yes - Published # 57,000 Hospital / Stanford School of **ITRC does not consider a password adequate protectionLucile Packardfor breached Children’s data. Hospital at Stanford and the Stanford University School of Medicine are notifying patients by mail that a password- protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9, 2013. The medical information on the stolen laptop was predominantly from 2009 and related to past care and research.

Attribution 1 Publication: Company website / phiprivacy.net Author: Date Published: Article Title: Lucile Packard Children's Hospital Article URL: http://www.lpch.org/aboutus/news/for-patients.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-11 Westerville Dental Center OH Electronic Medical/Healthcare Yes - Published # 850

**ITRC does not consider a password adequate protectionWesterville for breached Dental Center data. OH Healthcare Provider 850 12/20/2012 Theft Laptop, Network Server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Westerville Dental Center Article URL:

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-10 OHP PHSP NY Electronic Medical/Healthcare Yes - Published # 28,187

**ITRC does not consider a password adequate protectionOHP PHSP, for breached Inc (OHP) data. learned that Amerigroup Corporation (Amerigroup) had inadvertently disclosed OHP's protected health information to certain health care facilities in New York.

Attribution 1 Publication: hhs.gov / public notice Author: Date Published: Article Title: OHP PHSP Article URL: http://classifieds.nydailynews.com/default/noticesannouncements/public-notice-on-nov.-28-2012/C0A8017B1ddc81AE2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-09 Group Health Incorporated NY 11/13/2012 Paper Data Medical/Healthcare Yes - Published # 1,771

**ITRC does not consider a password adequate protection Group forHealth breached Incorporated data. NY 1771 11/13/2012 Theft Paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Group Health Incorporated Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-08 City of Seguin TX Electronic Medical/Healthcare Yes - Published # 839

**ITRC does not consider a password adequate protectionThe Seguin for breached Gazette data.reported Thursday that Seguin EMS may have been hit by a hacker. The personal information of 839 clients may have been compromised, the Gazette said. The report went on to say that Texas customers of Advanced Data Processing Inc., a.k.a. Intermix, has notified several of their customers including: the Seguin EMS, Victoria Fire Department, City of Azle, Bonham Fire Department, Harris County Emergency Corps and Washington County EMS that a former employee may have diddled with their data, accessing clients' names, Social Security numbers and dates of birth.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: ken5.com Author: Date Published: Article Title: City of Sequin - Fire/EMS Department Article URL: http://www.kens5.com/story/news/local/2014/06/25/10325780/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-07 Department of Health Care CA Electronic Medical/Healthcare Yes - Published # 2,643 Services **ITRC does not consider a password adequate protectionThose whofor breached were affected data. may call DHCS at (855) 297-5064. Beneficiary Identification Cards (BICs) were mailed to the wrong recipients between December 10 and December 18. A computer programming error caused the BICs of children being moved from Healthy Families program enrollment to Medi-Cal enrollment to be sent to households of other Medi-Cal and Healthy Families participants. Names, Client Index Numbers, dates of birth, genders, and card issue dates were exposed. People who received incorrect cards were instructed to return them. Stamped envelopes that were addressed to DHCS were sent out with breach notifications.

Attribution 1 Publication: privacyrights.org / hhs.org Author: Date Published: Article Title: California Department of Health Care Services Article URL: https://www.privacyrights.org/data-breach-asc?title=california+department

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-06 Cabinet for Health & Family KY Electronic Medical/Healthcare Yes - Published # 1,090 Services, Dept. of Medicaid **ITRC does not consider a password adequate protectionHHS update for breached 11/14/2014: data. Business Associate Involved: HP Enterprise Services Web Description: An employee of a subcontractor for the covered entity’s (CE) Business Associate (BA), responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor. In violation of the subcontractor BA’s policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Cabinet for Health & Family Services, Dept. of Medicaid Services Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-05 Harbor Medical Associates MA Electronic Medical/Healthcare Yes - Published # 4,343

**ITRC does not consider a password adequate protectionSeveral for medical breached groups data. in Massachusetts were notified by their hosting service, Clearpoint Design, Inc., that a dedicated server on Hosting.com was hacked on October 18, 2012. The practices affected were South Shore Medical Center, who notified 4,100 patients, Harbor Medical Associates, P.C., who notified 4,343 patients, and Child & Family Psychological Services, Inc., who notified 7,250 patients. The numbers were reported in an update to HHS’s breach tool today.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Harbor Medical Associates Article URL: http://www.phiprivacy.net/dedicated-server-hosting-three-medical-practices-hacked-some-patient-information-exfiltrate

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-04 Integrated Behavioral MA Electronic Medical/Healthcare Yes - Published # 7,250 Associates - CFPS **ITRC does not consider a password adequate protectionAs you forare breached aware, Child data. & Family Psychological Services, Inc. also d/b/a Integrated Behavioral Associates (“CFPS”) had a website which allowed patients to communicate with CFPS. The website included an online intake form (the “Intake Form”) that patients could complete in order to request services with CFPS clinicians, as well as several other communication tools such as requests for prescription refills, requests for appointments, and a general contact form. CFPS engaged ClearPoint Design, Inc. (“ClearPoint”) in 2009 as the vendor to host, maintain and monitor that CFPS website.

Attribution 1 Publication: HIPAA Breach letter / phiprivacy.net Author: Date Published: Article Title: Integrated Behavioral Associates Article URL: http://www.cfpsych.org/HIPAA-Breach-Letter.pdf

**ITRC does not consider a password adequate protectionThis is foran importantbreached data.notice for patients of South Shore Medical Center of Norwell, Kingston and Weymouth, Massachusetts. On December 3, 2012, the vendor that hosted our website informed us of a hacking incident that occurred between October 18, 2012 and November 15, 2012. This resulted in unauthorized access to certain information entered on our website between January, 2007 and November 15, 2012. The breach did not impact our electronic health record system or our secure patient portal, MyHealth Online.

Attribution 1 Publication: company website / phiprivacy.net Author: Date Published: Article Title: South Shore Medical Center Article URL: http://www.ssmedcenter.com/SSMC-Public-Notice-010313.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-02 St. Mark's Medical Center TX Electronic Medical/Healthcare Yes - Published # 2,988

**ITRC does not consider a password adequate protectionOn November for breached 15, 2012, data. we learned that on May 21, 2012, one of our employee’s computers had become infected with malware that appears to have been designed to look for personal information stored on the computer. We immediately began an investigation and engaged a computer forensic investigation firm to examine the computer. Although the firm could not rule out the possibility, they did not find any evidence to confirm that any unauthorized person removed the personal information stored on the computer. If an unauthorized person did gain access to files stored on the computer, they would have been able to view billing files that contained patient names, account numbers, medical record numbers, dates of birth, gender, Social Security numbers, treatment dates, insurance provider names, and account balances. No medical records were accessed in the incident.

Attribution 1 Publication: St. Mark's Medical Center website / phip Author: Date Published: Article Title: St. Mark's Medical Center Article URL: http://www.smmctx.org/news/privacy-notice-for-st-marks-medical-center-patients/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-01 Hebrew Health Care CT Electronic Medical/Healthcare Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn December for breached 18, 2012, data. an employee informed our client, Hebrew Health Care ("Hebrew Health"), that a spreadsheet containing Hebrew Health employee information had been inadvertently e-mailed to the employee's personal e-mail account earlier that day. As soon as it learned of the incident, Hebrew Health immediately began a thorough investigation to determine what information was on the spreadsheet.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Hebrew Health Care Article URL: http://doj.nh.gov/consumer/security-breaches/documents/hebrew-health-20130111.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-05 Office of Friel Clark and P.A. ME Electronic Business Yes - Unknown # 0 Joyce **ITRC does not consider a password adequate protectionWe want for to breached make you data. aware of a break-in and theft at our Portland office and the possible impact of that incident on the privacy of some of your personal information. Sometime during the overnight hours of November 18-19, an unknown individual or individuals broke a cellar window in our building and gained access to our Portland office. The intruders went through our offices, opening drawers, closets, apparently looking for anything of value they could take. In addition to some petty cash, the intruders took a portable hard drive that contained back-up of our Portland office's business data. Because our Sanford office uses different servers, no client data from that office is at risk.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Office of Friel Clark and P.A. Joyce Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/clark-friel

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-04 Town of Cumberland ME Electronic Government/Military Yes - Published # 275

**ITRC does not consider a password adequate protectionCumberland for breached town officials data. are trying to determine how 275 names and Social Security numbers of current and former town employees were posted to the town's website, a town official said.

Attribution 1 Publication: Portland Press Herald / datalossdb.org Author: Matt Byrne Date Published: Article Title: Cumberland searching for source of personal data breach Article URL: http://www.pressherald.com/news/Cumberland-employees-data-accidentally-leaked-on-web.html

**ITRC does not consider a password adequate protectionThe Bibb for County breached Sheriff’s data. Office is investigating how hard drives containing names and Social Security numbers of Macon police officers, as well as personal data from other local businesses, were sold through an online auction site.The investigation is still in its early stages and likely will take some time because specially trained investigators must examine 39 hard drives, two computer servers and two central processing units, sheriff’s Capt. Mike Smallwood said Tuesday. The equipment has been turned over to the sheriff’s office.“It’s going to take a little while,” he said. “People think their hard drives are cleared, but that’s not always the case.

Attribution 1 Publication: The Telegraph / databreaches.net Author: By PHILLIP RAMATI Date Published: Article Title: Computers containing personal data sold by city of Macon Article URL: http://www.macon.com/2013/01/08/2309218/computers-containing-personal.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-02 KTSU - Texas Southern TX Electronic Educational Yes - Unknown # 0 University **ITRC does not consider a password adequate protectionA former for KTSU breached Radio data. volunteer is behind bars on accusations he stole personal information from hundreds of donors.

Attribution 1 Publication: MyFox Houston / DataBreaches.net Author: Date Published: Article Title: KTSU - Texas Southern University Article URL: KTSU - Texas Southern University

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-01 Department of Health UT Electronic Medical/Healthcare Yes - Published # 6,332

**ITRC does not consider a password adequate protectionPersonal for information breached data. for Utah Medicaid recipients has once again been compromised after a USB memory stick containing the data was lost, the state Department of Health announced Wednesday. CHANGED FROM GOVERNMENT TO MEDICAL PER HHS.GOV 2/2014

Attribution 1 Publication: Deseret News / HHS.GOV Author: Date Published: Article Title: Health Department reports another data breach Article URL: http://www.deseretnews.com/article/765620371/Health-Department-reports-another-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-05 Office of Calvin L. Schuster, CA 11/5/2012 Electronic Medical/Healthcare Yes - Unknown # 0 MD **ITRC does not consider a password adequate protectionThe security, for breached confidentiality, data. integrity and privacy of patient personal information are highly valued at our office. Unfortunately, we are writing you because of a recent theft. Our office received notice on Monday, November 5, 2012, that there had been a burglary and that an office computer had been stolen, which contained patient personal information. A police report was filed with the Reedley Policy Department Regrettably, the stolen property has not yet been recovered.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Office of Calvin L. Schuster, MD Article URL: https://oag.ca.gov/system/files/Calvin%20Schuster%20Breach%20Notice%20_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-04 EJ Phair Brewing Co and Ale CA Electronic Business Yes - Unknown # 0 House **ITRC does not consider a password adequate protectionWe are for strongly breached committed data. to the security of our Cardmembers’ information and strive to let you know about security concerns as soon as possible. A merchant where you used your American Express Card detected unauthorized access to its data files. At this time, we believe the merchant’s affected data files included your American Express Card account number, your name and other Card information such as the expiration date. Importantly, your Social Security number was not impacted and our systems have not detected any unauthorized activity on your Card account related to this incident.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: EJ Phair Brewing Co and Ale House Article URL: https://oag.ca.gov/system/files/EJ%20PHAIR%20BREWING%20CO%20and%20ALE%20HOUS-C2012116470%20CA%20A

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Health Clinic Employee Charged With Identity Theft Article URL: http://www.esecurityplanet.com/network-security/health-clinic-employee-charged-with-identity-theft.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-02 Department of Public Safety - MN Electronic Government/Military Yes - Published # 5,000 DVS **ITRC does not consider a password adequate protectionState officials for breached said Tuesday data. they're alerting 5,000 people that a public employee accessed their driver's license information inappropriately, the latest case illustrating widespread misuse of the protected database.

The state's driver and vehicle services (DVS) database, which contains addresses, photographs and driving records on nearly every Minnesotan, has recently been the subject of at least two lawsuits and a criminal case stemming from misuse.

Attribution 1 Publication: StarTribune.com Author: Eric Roper Date Published: Article Title: 5,000 alerted of records breach in abuse of drivers’ data by DNR employee Article URL: http://www.startribune.com/local/187056231.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-01 Washington University IL Electronic Medical/Healthcare Yes - Published # 1,100 School of Medicine **ITRC does not consider a password adequate protectionWashington for breached University data. in St. Louis has notified more than 1,000 patients about a data breach after the surgeon who treated them over the past decade had his laptop stolen during a conference in Argentina.

Attribution 1 Publication: Health Data Management Author: Joseph Goedert Date Published: Article Title: Washington University Loses Laptop, Notifies Patients Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-45514-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130114-03 Centric Group LLC MO Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn approximately for breached December data. 13, 2012, Centric Group learned that its computer system may have been accessed without authorization begimling in August 2010. As of December 21,2012, based on its internal investigation, Centric Group reasonably believed it had suffered a breach of its system. The data accessed may have included cetiain customer information, such as the customer's name, credit or debit card number, expiration date, and card verification code.

Attribution 1 Publication: cyberenvoy.com / CA AG's office / NH A Author: Date Published: Article Title: Centric Group LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/centric-group-20130109.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130114-02 Department of Juvenile FL Electronic Government/Military Yes - Published # 100,000 Justice **ITRC does not consider a password adequate protectionState law-enforcement for breached data. officials are investigating a security breach at the Florida Department of Juvenile Justice that could affect the identities of more than 100,000 DJJ employees and youth offenders, state officials said Friday.

Attribution 1 Publication: Palm Beach Post Author: Julius Whigham Date Published: Article Title: State investigates security breach at Department of Juvenile Justice Article URL: http://www.palmbeachpost.com/news/news/crime-law/state-investigates-security-breach-at-department-o/nTtQB/

**ITRC does not consider a password adequate protectionZaxby's for Franchising, breached data. Inc. announced today that certain licensed locations have identified suspicious files on their systems that may have resulted in unauthorized access to credit and debit card information or have been identified by credit card processing companies as common points of purchase for some fraudulent activity.

Attribution 1 Publication: HT - Hospitality Technology Author: Date Published: Article Title: Zaxby's IDs Data Security Breach Article URL: http://hospitalitytechnology.edgl.com/news/Zaxby-s-IDs-Data-Security-Breach84214

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130108-02 Charlotte-Mecklenburg NC 11/28/2012 Electronic Educational Yes - Published # 80 Schools **ITRC does not consider a password adequate protectionAbout 80for Charlotte-Mecklenburg breached data. Schools employees have been warned to be on guard against identity theft after files containing their personal data were stolen from a human resource employee’s car.

Attribution 1 Publication: Charlotte Observer Author: Ann Doss Helms Date Published: Article Title: CMS files stolen from employee’s car Article URL: http://www.charlotteobserver.com/2013/01/08/3770745/cms-files-stolen-from-employees.html?goback=%2Egde_463675

Attribution 2 Publication: charlotteobserver.com Author: Date Published: Article Title: CMS files stolen from employee’s car Read more here: http://www.charlotteobserver.com/2013/01/08/3770745/cms-files-stol Article URL: http://www.charlotteobserver.com/2013/01/08/3770745/cms-files-stolen-from-employees.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130108-01 Morgan Road Middle School GA Electronic Educational Yes - Unknown # 0

**ITRC does not consider a password adequate protectionSome Morganfor breached Road data.Middle School Students could be in trouble. Not because of their actions at school...but because their personal information, including social security numbers, were stolen.

Their teacher left their information in her car and then her car was broken into. The thieves stole her her gradebook and her zip drive. The Richmond County Board of Education sent out a letter letting parents know their child's information had been stolen, but one parent says this wasn't enough.

Attribution 1 Publication: WJBF.com / datalossdb.org Author: Date Published: Article Title: Richmond County Middle School Student's SSNs Stolen Article URL: http://www2.wjbf.com/news/2013/jan/07/richmond-county-middle-school-students-ssns-stolen-ar-5315706/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-03 Mid America Health, Inc. IN Electronic Medical/Healthcare Yes - Published # 1,444

**ITRC does not consider a password adequate protectionPUBLIC for NOTICE: breached HIPAA data. Security Breach Mid America Health, Inc. has discovered a potential data breach that may result in the compromise of private information for a number of Maryland residents. The limited information that is potentially compromised includes names, dates of birth, social security numbers, residential facility names, and digital oral x-ray images. It is known that the breach occurred as a result of a theft of a laptop computer containing such information. Since the investigation is ongoing, the State’s Attorney’s office has asked that specifics of the case be withheld until they have concluded their investigation. At the moment, the impact this event may cause is still unclear. However, we believe that the risk of harm to the individuals potentially affected is low because such information was password protected.

Attribution 1 Publication: MAH, Inc. website / hhs.gov Author: Date Published: Article Title: Mid America Health, Inc. Article URL: http://mahweb.com/maryland-hipaa-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-02 University of North Carolina - NC Electronic Educational Yes - Unknown # 0 Lineberger Comprehensive **ITRC does not consider a password adequate protectionSome 3,500for breached people haddata. their personal information exposed when hackers hit two servers of the UNC Lineberger Comprehensive Cancer Center. The attack was discovered by UNC-Chapel Hill’s information technology employees in May, yet potential victims were not informed until last week when they received letters from center director Dr. Shelley Earp.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Chapel Hill News / datalossdb.org Author: Date Published: Article Title: University of North Carolina - Lineberger Comprehensive Cancer Center Article URL: http://www.chapelhillnews.com/2013/01/04/74450/unc-cancer-center-computers-hacked.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-01 Oldcastle Law Group GA Electronic Business Yes - Published # 5,083

**ITRC does not consider a password adequate protectionPlease forbe breachedadvised that data. on or about December 13, 2012, Oldcastle APG, Inc. ("Company") learned that an employee's laptop was stolen during a break-in to her car on or around December 10, 2012. We believe the laptop may have contained some personal information relating to APG employees, including but not limited to, names, bank account information and social security numbers. Immediately upon learning of the theft, the Company contacted the Dekalb County Georgia Sherriff's Department and a police report was filed. To date, the laptop has not been recovered.

Attribution 1 Publication: NH AG's office / databreaches.net Author: Date Published: Article Title: Oldcastle Law Group Article URL: http://doj.nh.gov/consumer/security-breaches/documents/oldcastle-20130102.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130104-01 Reyes Beverage Group IL Electronic Business Yes - Unknown # 0

**ITRC does not consider a password adequate protectionOn November for breached 9, 2012, data. a report containing the names and social security numbers of some of Reyes Beverage Group's California employees was inadvertently sent to the personal email address of an employee of Reinhart Foodservice, a Reyes Holdings company. The report did not include dates of birth, addresses, telephone numbers, driver's license numbers, bank account numbers or any similar sensitive information. This incident occurred due to a coding error which was corrected within hours of its discovery. Reyes Beverage Group values your privacy and deeply regrets that this incident occurred. In addition to correcting the coding, we have implemented additional safeguards designed to prevent a recurrence of this incident and to protect the privacy of our employees.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Reyes Beverage Group Article URL: https://oag.ca.gov/system/files/RBGDataBreachLetterFINAL_0.pdf?

2013 Breaches Identified by the ITRC as of: 2/27/2015 Total Breaches: 614 Records Exposed: 62,001,589

The ITRC Breach database is updated on a daily basis, and published to our website on each Tuesday. Unless noted otherwise, each report includes breachs that occurred in the year of the report name (such as "2013 Breach List"), or became public in the report name year, but were not public in the previous year. Each item must be previously published by a credible source, such as Attorney General's website, TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. We include in each item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and media outlets. ITRC sticks to the facts as reported, and does not add or subtract from the previously published information. When the number of exposed records is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. However, we do not consider password protection as adequate, and we do consider those events to be a data exposure.

What is a breach? A breach is defined as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.

The ITRC Breach Report presents individual information about data exposure events and running totals for the year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure.