
Identity Theft Resource Center 2013 Breach List. Report Date: 8/9/2013. Breaches: 360. Exposed: 7,534,496.

How is this report produced? What are the rules? See last page of report for details.

ITRC Breach ID: ITRC20130809-13 | Company or Agency: Northrop Grumman Retiree Health Plan | State: VA | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 4,305

other - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Northrop Grumman Retiree Health Plan Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-12 | Company or Agency: Med-El | State: NC | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 609

other - email

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Med-El Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-11 | Company or Agency: Medtronic | State: MN | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 2,764

In early July, the manufacturer notified patients about a box of training records that had gone missing from a facility in Minnesota, Resman said. Most of the documents and records in the box dated back to 2008 and were connected with training in the use of insulin pumps or continuous glucose monitoring devices.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Medtronic Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-10 | Company or Agency: Aflac | State: GA | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 679

theft of laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Aflac Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-09 | Company or Agency: Sheet Metal Local 36 Welfare Fund | State: MO | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 4,560

unauthorized access/disclosure - other

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Sheet Metal Local 36 Welfare Fund Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-08 | Company or Agency: South Florida Neurology Associates, P.A. | State: FL | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 900

theft of laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: South Florida Neurology Associates, P.A. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Copyright 2013 Identity Theft Resource Center

ITRC Breach ID: ITRC20130809-07 | Company or Agency: Samaritan Regional Health System | State: OH | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 2,203

paper breach

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Samaritan Regional Health System Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-06 | Company or Agency: Jacksonville Spine Center | State: FL | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 5,200

unauthorized access/disclosure - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Jacksonville Spine Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130809-05 | Company or Agency: Lone Star Circle of Care | State: TX | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 1,955

theft of laptop

Attribution 1 Publication: phiprivacy.net / hhs.gov / LSCC website Author: Date Published: Article Title: Lone Star Circle of Care Article URL: http://www.lscctx.org/security/

ITRC Breach ID: ITRC20130809-04 | Company or Agency: Cogent Healthcare, Inc. | State: TN | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 32,000

The protected health information of some 32,000 patients across 48 states has been compromised after a health IT vendor's firewall was down for more than a month, allowing, in some cases, for patient data to be indexed by Google, officials announced Thursday.

Attribution 1 Publication: healthcareitnews.com Author: Date Published: Article Title: Site flaw puts patient data on Google Article URL: http://www.healthcareitnews.com/news/site-flaw-puts-patient-data-google

ITRC Breach ID: ITRC20130809-03 | Company or Agency: Office of Dr. James Fosnaugh | State: NE | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 2,125

Somehow, somewhere, sometime in May, a computer chip containing medical records for more than 2,000 of a Lincoln doctor's patients went missing — likely having slipped from the thumb drive Dr. James Fosnaugh wore on a lanyard around his neck.

Attribution 1 Publication: JournalStar.com Author: Date Published: Article Title: Lost piece of thumb drive contained thousands of patient records Article URL: http://journalstar.com/news/local/lost-piece-of-thumb-drive-contained-thousands-of-patient-records/article_d3d422ab-e

ITRC Breach ID: ITRC20130809-02 | Company or Agency: Missouri HealthNet | State: MO | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 1,357

MO HealthNet is in the process of notifying 1,357 individuals that some of their personal information was mailed to an incorrect address by one of its contractors, Infocrossing, Inc. The disclosure was caused by a software programming error.

Attribution 1 Publication: KRCG13 / PHIPrivacy.net Author: Date Published: Article Title: MO HealthNet notifies consumers of HIPAA disclosure Article URL: http://www.connectmidmissouri.com/news/story.aspx?id=930103 - .UgUeZ53n_mc


ITRC Breach ID: ITRC20130809-01 | Company or Agency: Retinal Consultants Medical Group | State: CA | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

On June 7, 2013, it was discovered that a laptop computer, which was a component of a diagnostic imaging machine, was stolen sometime after our office closed on June 5, 2013. The laptop computer contained the following types of unsecured PHI: names, dates of birth, gender, race, and OCT (optical coherence tomography) images. Please be assured that information such as your Social Security Number, Driver’s License, and address was not on the laptop.

Attribution 1 Publication: eSecurity Planet - RCMG Notification let Author: Jeff Goldman Date Published: Article Title: Retinal Consultants Medical Group Admits Security Breach Article URL: http://www.esecurityplanet.com/network-security/retinal-consultants-medical-group-admits-security-breach.html

ITRC Breach ID: ITRC20130808-04 | Company or Agency: Auburn University | State: AL | Est. Date: | Breach Type: Electronic | Breach Category: Educational | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

We represent Auburn University, 316 Leach Science Center, Alabama 36849 ("Auburn University") and are writing to notify you of a data event that may affect the security of personal information of two (2) New Hampshire residents. Auburn University's investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, Auburn University does not waive any rights or defenses under New Hampshire law.

Attribution 1 Publication: databreaches.net / NH AG's office Author: Date Published: Article Title: Auburn University Article URL: http://doj.nh.gov/consumer/security-breaches/documents/auburn-university-20130802.pdf

ITRC Breach ID: ITRC20130808-03 | Company or Agency: Rocky Mountain Spine Clinic | State: CO | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 532

Rocky Mountain Spine Clinic announced Wednesday that a former employee misappropriated and stole protected health information from some of the clinic's patients.

The employee, who worked for RMSC's billing department, created a document containing the information of 532 patients and then sent the document to her personal email account, according to a news release.

Attribution 1 Publication: Denver Post / datalossdb.org Author: Matthew Payne Date Published: Article Title: Former Rocky Mountain Spine Clinic employee stole patient information Article URL: http://www.denverpost.com/breakingnews/ci_23769928/former-rocky-mountain-spine-clinic-employee-stole-patient

ITRC Breach ID: ITRC20130808-02 | Company or Agency: Fairfax County Public Schools | State: VA | Est. Date: | Breach Type: Electronic | Breach Category: Educational | Records Exposed?: Yes - Published # | # Records Rptd: 2,000

A laptop containing health records for 2,000 Fairfax County public school students was stolen out of a health department employee’s car, possibly compromising the confidential information, school and health officials said.

Attribution 1 Publication: datalossdb.org / Washington Post Author: T. Rees Shapiro Date Published: Article Title: Stolen laptop contained 2,000 Fairfax student health records Article URL: http://www.washingtonpost.com/local/education/stolen-laptop-contained-2000-fairfax-student-health-records/2013/07/2

ITRC Breach ID: ITRC20130808-01 | Company or Agency: Smartphone Experts | State: FL | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Smartphone Experts Article URL: https://oag.ca.gov/system/files/602490607_1_%28BHDOCS%29_0.PDF?



ITRC Breach ID: ITRC20130730-06 | Company or Agency: US Airways | State: US | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

US Airways recently began notifying its employees that a programming error at ADP may have made it possible for other US Airways employees to view their names, Social Security numbers, and total taxable W-2 wages for the tax years 2010, 2011, and/or 2012 (h/t DataBreaches.net).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: US Airways Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/us-airways-acknowledges-data-breach.html

ITRC Breach ID: ITRC20130730-05 | Company or Agency: University of Delaware | State: DE | Est. Date: | Breach Type: Electronic | Breach Category: Educational | Records Exposed?: Yes - Published # | # Records Rptd: 72,000

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of current and past employees, including student employees. A criminal attack on one of the University’s systems took advantage of a vulnerability in software acquired from a vendor.

Attribution 1 Publication: University of Delaware website / databre Author: Date Published: Article Title: University of Delaware Article URL: http://www.udel.edu/udaily/2014/jul/resources073013.html

ITRC Breach ID: ITRC20130730-04 | Company or Agency: Oregon Health & Science University | State: OR | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 3,044

Information for more than 3,000 patients at Oregon Health & Science University was put at risk when medical residents stored the data on a password protected cloud computing system, the institution announced this week. The potential data breach is the third such reported incident to occur at the university in less than a year, and the fifth since 2008.

Attribution 1 Publication: FierceHealthIT Author: Dan Bowman Date Published: Article Title: Oregon Health & Science University Article URL: http://www.fiercehealthit.com/story/cloud-storage-debacle-marks-hospitals-third-privacy-incident-year/2013-07-30

ITRC Breach ID: ITRC20130730-03 | Company or Agency: California Correctional Health Care Services | State: CA | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

On June 19, 2013, dental records were reported missing from a California Correctional Health Care Services (CCHCS) staff member’s possession while off the premises of a correctional institution. The missing documents contained information such as patient name, CDCR number, date of birth, and dental treatment plan. It is possible that your dental record may have been included in the missing documents.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: California Correctional Health Care Services (CCHCS) Article URL: https://oag.ca.gov/system/files/Incident%2013-0613%20Breach%20Notice%20Final_0.pdf?

ITRC Breach ID: ITRC20130730-02 | Company or Agency: Brandywine Senior Living | State: NJ | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

We believe Brandywine’s payroll system was compromised on or about February 20, 2013. The payroll system contained social security numbers, birth dates and bank account numbers. Based on the evidence we could see in our system, (i) some of the payroll information was changed and (ii) none of the aforementioned information was downloaded; however, we cannot be certain that the aforementioned information was not extracted. The breach was detected by our company before any payroll was processed so there were no payroll transfers to unauthorized bank accounts. We have since corrected and verified all information in Brandywine’s payroll system.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Brandywine Senior Living Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-225397.pdf


ITRC Breach ID: ITRC20130730-01 | Company or Agency: Choice Research Associates | State: MD | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

This letter is being sent to individuals who were interviewed by a case manager regarding health insurance from October 10, 2010 through January 6, 2013. In January 2013, a Choice Research Associates subcontractual research associate was charged with obtaining an unauthorized credit card using the social security number and name of an executive from another organization. This subcontractor also had access to a database containing the names, social security numbers, dates of birth, address, and phone numbers of 163 Maryland residents who were interviewed by a case manager regarding health insurance.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Choice Research Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227417.pdf

ITRC Breach ID: ITRC20130729-01 | Company or Agency: Clark Memorial Hospital | State: IN | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 1,087

The hospital learned on July 16 that Mail Louisville Inc., a contractor that processes and mails billing statements, on July 15 sent statements to the wrong name and address. “Accordingly, for each of the affected patients, the billing statement was sent to another one of those affected patients,” according to the hospital’s public notice.

Attribution 1 Publication: healthdatamanagement.com Author: Joseph Goedert Date Published: Article Title: Mailing Error Causes Breach for Nearly 1,100 Indiana Patients Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46419-1.html?ET=healthdatam

ITRC Breach ID: ITRC20130725-05 | Company or Agency: Securities and Exchange Commission | State: DC | Est. Date: | Breach Type: Electronic | Breach Category: Government/Military | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

A serious data breach at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals. The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official on privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency. It said a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees onto a thumb drive, and then transferred them to the other agency.

Attribution 1 Publication: The Hill Author: Peter Schroeder Date Published: Article Title: Staff data leaks out of the SEC Article URL: http://thehill.com/blogs/on-the-money/1007-other/313387-staff-data-leaks-out-of-the-sec

ITRC Breach ID: ITRC20130725-04 | Company or Agency: Harbor Freight | State: CA | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

Harbor Freight Tools, a U.S.-based chain of 400 retail tool stores, has reported a breach against its payment processing system.

Attribution 1 Publication: databreachtoday.com Author: Jeffrey Roman Date Published: Article Title: New Retail Breach Reported Article URL: http://www.databreachtoday.com/new-retail-breach-reported-a-5927?rf=2013-07-25-edbt&elq=d104a16378344c8e8c1134

ITRC Breach ID: ITRC20130725-03 | Company or Agency: University of Virginia | State: VA | Est. Date: | Breach Type: Paper Data | Breach Category: Educational | Records Exposed?: Yes - Published # | # Records Rptd: 18,700

Thousands of University of Virginia students were affected by a printing error that caused their personal information, including Social Security numbers, to be printed on a mailing address label.

How many victims? 18,700 students.

What type of personal information? Names, addresses and Social Security numbers.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Social Security numbers of Va. students printed on mailing labels Article URL: http://www.scmagazine.com/social-security-numbers-of-va-students-printed-on-mailing-labels/article/304210/


ITRC Breach ID: ITRC20130725-02 | Company or Agency: Regional Medical Center Bayonet Point | State: FL | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

Requests from patients for medical records are a routine task for hospitals. “I went to the hospital and was given a form to fill out for medical records,” said Micki Thoms. Thoms asked for her records after undergoing surgery at Regional Medical Center Bayonet Point in Hudson, and was told they would be mailed to her. Days later, the papers arrived in the mail. As she opened the envelope and began to look through them, she noticed something was not quite right. “I read the first name and it wasn’t mine, and I turned the page and read the second name and it was not mine,” she said.

Attribution 1 Publication: phiprivacy.net / ABCactionnews.com Author: Date Published: Article Title: Regional medical center Bayonet Point Hospital sends records of multiple patients without permission Article URL: http://www.abcactionnews.com/dpp/news/local_news/investigations/regional-medical-center-bayonet-point-hospital-se

ITRC Breach ID: ITRC20130725-01 | Company or Agency: St. Mary's Bank | State: NH | Est. Date: | Breach Type: Electronic | Breach Category: Banking/Credit/Financial | Records Exposed?: Yes - Published # | # Records Rptd: 115,775

St. Mary's Bank ("St. Mary's") is a state-chartered community based credit union regulated by the New Hampshire Banking Department. On May 26, 2013, our client, St. Mary's, discovered malware on an employee workstation computer. An analysis by a nationally recognized computer security consulting firm found that the malware was designed to capture information as it appeared on individual computer screens and could have been introduced into 23 workstation computers beginning in February, 2013. As soon as the malware was discovered, St. Mary's brought in independent security experts to analyze its entire computer system and isolate and eliminate the malware using the most sophisticated computer security tools available.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Malware in NH bank computers may affect hundreds of thousands Article URL: http://www.scmagazine.com/malware-in-nh-bank-computers-may-affect-hundreds-of-thousands/article/303729/

Attribution 2 Publication: NH AG's office Author: Date Published: Article Title: St. Mary's Bank Article URL: http://doj.nh.gov/consumer/security-breaches/documents/st-marys-bank-20130712.pdf

ITRC Breach ID: ITRC20130724-04 | Company or Agency: AHW LLC | State: IL | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

AHW LLC is providing this notification in addition to the individual notifications it had provided to residents of your State and other states relating to an apparent breach in the security of an on-line store that AHW LLC operates.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: AHW LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/ahw-20130522.pdf

ITRC Breach ID: ITRC20130724-03 | Company or Agency: AlliedBarton Security Services - ADP | State: CA | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

I am writing to inform you about a potential security breach regarding personal information held by AlliedBarton's service provider ADP.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: AlliedBarton Security Services Article URL: http://doj.nh.gov/consumer/security-breaches/documents/alliedbarton-20130716.pdf

ITRC Breach ID: ITRC20130724-02 | Company or Agency: San Jose Medical Supply | State: CA | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 800

This letter is written to you as a current or former customer of San Jose Medical Supply Co., Inc. (“San Jose Medical”), as required by law, to notify you of a potential violation relating to disclosure of your personal information. The violation arises from incidents that took place in 2011, but were only recently discovered by San Jose Medical’s new owner and management. Please read this letter and contact me directly if you have any questions or if you wish to discuss this matter further.


Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: San Jose Medical Supply Article URL: https://oag.ca.gov/system/files/HIPAA%20Breach%20Letter%20-%20San%20Jose%20Medical%20Supply_0.pdf?

ITRC Breach ID: ITRC20130724-01 | Company or Agency: Citi Bike | State: NY | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Published # | # Records Rptd: 1,174

Citi Bike users – many of them already frustrated by other problems with the program – have now learned that their personal information has been compromised.

As CBS 2’s Hazel Sanchez reported Tuesday, the program is already wildly unpopular with many cyclists who have been stuck left waiting for a ride. But Link Salas was also wondering if someone took him for a ride, after he and 1,173 other cyclists received an alarming e-mail from Citi Bike.

Attribution 1 Publication: CBS New York Author: Date Published: Article Title: City Admits Security Guarding Citi Bike Users’ Information Was Breached Article URL: http://newyork.cbslocal.com/2013/07/23/city-admits-security-may-have-been-breached-for-citi-bike-users-information/

ITRC Breach ID: ITRC20130717-01 | Company or Agency: Office of the Medicaid Inspector General (OMIG) | State: NY | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 17,743

On October 12, 2012, an employee of the Office of the Medicaid Inspector General (OMIG) is suspected of having made a personal decision, without agency involvement or authorization from OMIG leadership or his or her personal supervisors, to send 17,743 records of Medicaid recipients to his or her own personal e-mail account.

Attribution 1 Publication: HealthITSecurity / OMIG Author: Patrick Ouellette Date Published: Article Title: Office of the Medicaid Inspector General (OMIG) Article URL: http://apps.cio.ny.gov/apps/mediaContact/public/preview.cfm?parm=E5EBBF49-5056-9D2A-10DAA90DCDDE22E1

ITRC Breach ID: ITRC20130716-09 | Company or Agency: Union Security Insurance Company | State: MO | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Published # | # Records Rptd: 1,127

improper disposal - email

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Union Security Insurance Company Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID: ITRC20130716-08 | Company or Agency: Edge Studio | State: NY | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Published # | # Records Rptd: 481

Please be advised that we were recently informed of a breach of security of our vendor's website containing personal information of consumers, said breach lasting for an indeterminate period of time during the first quarter of 2013. The breach resulted in a disclosure of unencrypted personal information consisting of individuals' names, addresses, telephone numbers, and social security numbers.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Edge Studio Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227162.pdf

ITRC Breach ID: ITRC20130716-07 | Company or Agency: Bridgewater | State: CT | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

This letter is to inform you of a data security incident that occurred on or around April 11, 2013. The incident was discovered approximately one day later and an investigation was immediately conducted. As a former or rehired Bridgewater employee, you were offered continuing health care coverage (COBRA) upon your separation from Bridgewater. Bridgewater utilizes a third party provider (Ceridian) to administer these benefits.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Bridgewater Article URL: http://doj.nh.gov/consumer/security-breaches/documents/bridgewater-20130628.pdf


ITRC Breach ID: ITRC20130716-06 | Company or Agency: Automatic Data Processing (ADP) | State: NJ | Est. Date: | Breach Type: Electronic | Breach Category: Business | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

I am writing to let you know about a security incident that exposed the personal information of 680 New Hampshire residents. ADP prepares annual payroll tax statements for employees of our clients, as required for the individuals to file with their annual income tax forms. In some cases, client employees can access their statement via an online service, allowing them to download and save a PDF version of the statement. As required for tax filing purposes, each PDF presents the payroll tax information (including the employee's name and Social Security number as well as income and tax information) on the face of the document. On April 29, we discovered that a small number of the PDF files created for one client contained embedded information pertaining to another employee of the same client. This information included the other employee's name, Social Security number and gross annual wages.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Automatic Data Processing (ADP) Article URL: http://doj.nh.gov/consumer/security-breaches/documents/automatic-data-processing-20130604.pdf

ITRC Breach ID: ITRC20130716-05 | Company or Agency: AHW LLC | State: IL | Est. Date: | Breach Type: Electronic | Breach Category: Banking/Credit/Financial | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

AHW LLC is providing this notification in addition to the individual notifications it had provided to residents of your State and other states relating to an apparent breach in the security of an on-line store that AHW LLC operates.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: AHW LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/ahw-20130522.pdf

ITRC Breach ID: ITRC20130716-04 | Company or Agency: Advantage Health Solutions | State: IN | Est. Date: | Breach Type: Electronic | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

A security breach with a local health insurance company has been exposing members’ home addresses, cell phone numbers, prescriptions and extensive medical information in an online portal.

Attribution 1 Publication: Fox59 Author: Date Published: Article Title: Clients discover security breach on insurance carrier’s patient portal Article URL: http://fox59.com/2013/07/01/clients-discover-security-breach-on-insurance-carriers-patient-portal/ - axzz2ZEyQiEDH

ITRC Breach ID: ITRC20130716-03 | Company or Agency: Behavioral Health Network | State: MA | Est. Date: | Breach Type: Paper Data | Breach Category: Medical/Healthcare | Records Exposed?: Yes - Unknown # | # Records Rptd: 0

You'd like to think your medical records are safe but the 22News I-Team discovered today a number of personal documents left in a dumpster for anyone to see.

Attribution 1 Publication: WWLP.com Author: Date Published: Article Title: Behavioral Health Network Article URL: http://www.wwlp.com/dpp/news/i_team/medical-records-discovered-in-dumpster

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-02 Department of Healthcare and Family Services IL Paper Data Medical/Healthcare Yes - Published # 3,100

The Illinois Department of Healthcare and Family Services says information on about 3,100 clients in Cook County may have been released.

Attribution 1 Publication: WLS-TV Chicago Author: Date Published: Article Title: Illinois health agency reports potential privacy breach to 3,100 Cook County residents Article URL: http://abclocal.go.com/wls/story?section=news/local&id=9163529

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130716-01 Suffolk University MA Electronic Educational Yes - Unknown # 0

Suffolk University was recently contacted about a potential breach of personal information through its third-party ticketing vendor, Vendini, Inc. Vendini has reported that, on April 25, 2013, the company detected an unauthorized intrusion into its systems. If you used your credit card to make a purchase for a Suffolk University event through Vendini prior to April 25, 2013, your information, including your credit card number, may have been compromised.

Attribution 1 Publication: Suffolk University notification Author: Date Published: Article Title: Suffolk University Article URL: http://www.suffolk.edu/documents/Campus%20Life/Security_Notification_Credit_Card_Customers_62113.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130715-02 Harris County TX Electronic Government/Military Yes - Published # 21,000

The Houston Chronicle is reporting that sources say that at least one stolen electronic file containing sensitive personal information on thousands of current and former Harris County employees was found in Vietnam by the FBI.

Attribution 1 Publication: The Republic / Houston Chronicle Author: Date Published: Article Title: Sources: Harris County personal data found in Vietnam, FBI investigating agency Article URL: http://www.therepublic.com/view/story/99499c94793a4b41b4c21626e44d8162/TX--Harris-County-Data-Stolen

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130715-01 Long Beach Memorial Medical Center CA Electronic Medical/Healthcare Yes - Published # 2,864

Long Beach Memorial Medical Center alerted 2,864 patients who received treatment from September 2012 to last month that it has experienced a health data breach.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Long Beach Memorial Medical Center announces data breach Article URL: http://healthitsecurity.com/2013/07/12/long-beach-memorial-medical-center-announces-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130712-01 Texas Health Harris Methodist Hospital TX Paper Data Medical/Healthcare Yes - Published # 277,000

Texas Health Harris Methodist Hospital Fort Worth says it is notifying hundreds of thousands of former patients whose personal information on decades-old records turned up in a Dallas park instead of being destroyed by a contractor.

Attribution 1 Publication: Star-Telegram Author: Jim Fuguay Date Published: Article Title: Fort Worth hospital reports huge data breach Article URL: http://www.star-telegram.com/2013/07/11/4997021/fort-worths-harris-hospital-says.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130711-02 Internal Revenue Service US Electronic Government/Military Yes - Published # 100,000

By exposing tens of thousands of Social Security numbers on government websites, the Internal Revenue Service finds itself between the proverbial rock and a hard place.

The public interest group Public.Resource.org says it discovered the IRS postings, which the IRS confirmed. It then removed the database containing the Social Security numbers from public view.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: IRS leaks tens of thousands of Social Security numbers Article URL: http://www.scmagazine.com//irs-leaks-tens-of-thousands-of-social-security-numbers/article/302212/?utm_source=feed

Attribution 2 Publication: govinfosecurity.com Author: Eric Chabrow Date Published: Article Title: Is IRS Legally Free to Expose Private Info? Article URL: http://www.govinfosecurity.com/blogs/irs-legally-free-to-expose-private-info-p-1508?rf=2013-07-11-eg&elq=46fa2afefa0e

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130711-01 Indiana Family and Social Services Administration IN Electronic Medical/Healthcare Yes - Published # 187,533

The Indiana Family and Social Services Administration is notifying almost 188,000 clients that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate. The information potentially exposed includes Social Security numbers for about 4,000 clients.

Attribution 1 Publication: Data Breach Today Author: Marianne Kolbasuk M Date Published: Article Title: Indiana Agency Notifies 188,000 of Breach Article URL: http://www.databreachtoday.com/indiana-agency-notifies-188000-breach-a-5893?rf=2013-07-11-edbt&elq=9772fb9067fa4

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130709-03 Citi Prepaid Services PA Electronic Business Yes - Unknown # 0

On behalf of Citi Prepaid Services, I am writing to inform you about a recent incident that may have involved your personal information. We recently discovered that a code change to our prepaid cardholder website impacted the security features that we use to authenticate cardholders logging into their accounts between June 2 and June 13

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Citi Prepaid Services Article URL: https://oag.ca.gov/system/files/Cardholder%20Letter%20Sample_CA_062713_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130709-02 Bureau of Automotive Repair CA Electronic Government/Military Yes - Unknown # 0

We are writing to you because of a security incident involving bank routing information of Smog Check stations licensed with the Bureau of Automotive Repair (BAR).

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Bureau of Automotive Repair Article URL: https://oag.ca.gov/system/files/Notification_Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130709-01 Roy's Holdings HI Electronic Business Yes - Unknown # 0

Honolulu, Hawaii- July 5, 2013- Roy's Holdings, Inc. ("Roy's"), the holding company which includes six restaurants in Hawaii, has confirmed that the desktop computer of a Roy's corporate employee became infected by malware of unknown origin, resulting in a potential compromise of credit card information from individuals who patronized Roy's restaurants in Ko'Olina, Waikiki, Kaanapali, Poipu, and Waikoloa, and utilized credit or debit cards at these restaurant locations, between February 1, 2013 to February 25, 2013.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Roy's Holdings Article URL: https://oag.ca.gov/system/files/nldh-prolaw%20nldh%20com_Exchange_07-05-2013_15-47-37_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-04 Quayside Publishing Group MN Electronic Business Yes - Unknown # 0

We are writing to notify you of an incident that involved unauthorized access to our web server in which your personal information, including your credit card number, may have been stolen. We were recently made aware of this incident and have taken action to secure our servers.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Quayside Publishing Group Article URL: http://www.atg.state.vt.us/assets/files/Quayside%20Publishing%20Consumer%20Notice.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-03 Morningstar Inc. IL Electronic Banking/Credit/Financial Yes - Published # 2,300

Morningstar Inc. says it discovered an illegal intrusion into its systems that may have compromised some of its clients' personal information, including email addresses, passwords, and credit card numbers.

Attribution 1 Publication: Las Vegas Sun Author: AP Date Published: Article Title: Morningstar: Client credit card data may be leaked Article URL: http://www.lasvegassun.com/news/2013/jul/07/us-morningstar-data-breach/ - axzz2YTHymzPW

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-02 Health Net of California CA Paper Data Medical/Healthcare Yes - Published # 8,331

Health Net of California, a subsidiary of insurer Health Net Inc., is notifying approximately 6,700 members of its Health Net Medi-Cal program of a breach of their protected information.

Attribution 1 Publication: HealthDataManagement / hhs.gov Author: Joseph Goedert Date Published: Article Title: Health Net of California Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46355-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130708-01 Department of Community Health MI Electronic Government/Military Yes - Published # 49,000

The Michigan Department of Community Health has notified more than 49,000 individuals that a server of the Michigan Cancer Consortium holding their names, birth dates, Social Security numbers, cancer screening test results and testing dates was hacked.

Attribution 1 Publication: HealthData Management Author: Joseph Goedert Date Published: Article Title: Michigan Agency Breaches PHI But Says Not Bound by HIPAA Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46359-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130701-01 Boston Teachers Union Health And Welfare Fund MA Electronic Business Yes - Published # 506

The Boston Teachers Union Health and Welfare Fund began notifying 506 of its members that their names and Social Security numbers were mistakenly made available in search results for a Web site maintained by Classic Optical, the parent company of Classic Administrative Services (h/t DataBreaches.net).

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Boston Teachers Union Suffers Security Breach Article URL: http://www.esecurityplanet.com/network-security/boston-teachers-union-suffers-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130628-02 University of South Carolina SC Electronic Educational Yes - Published # 6,300

The University of South Carolina sent letters this week to 6,300 students whose personal information, including Social Security numbers, could have been on a laptop stolen from the school.

Attribution 1 Publication: The State Author: Andrew Shain Date Published: Article Title: 6,300 USC students warn Article URL: http://www.thestate.com/2013/06/28/2839028/6300-usc-students-warned-about.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130628-01 Oregon State University OR Electronic Educational Yes - Published # 8,600

People who bought tickets to events at Oregon State University’s Memorial Union or University Theater in the past three years may have been the victims of identity theft.

Attribution 1 Publication: Gazette-Times Author: Date Published: Article Title: Ticket vendor reports security breach Article URL: http://www.gazettetimes.com/news/local/ticket-vendor-reports-security-breach/article_961218ee-df64-11e2-829f-0019bb

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130627-01 Department of Human Services IA Electronic Government/Military Yes - Published # 7,335

Iowa Department of Human Services officials issued an alert Wednesday to former patients at the Mental Health Institute in Independence and hundreds of state employees there and at other state facilities concerning a possible breach of their confidential information.

Attribution 1 Publication: WCFCourier.com / datalossdb.org Author: Date Published: Article Title: Confidential records missing at MHI in Independence Article URL: http://wcfcourier.com/news/local/govt-and-politics/confidential-records-missing-at-mhi-in-independence/article_efe73f7

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-04 Millimaki Eggert CA Electronic Business Yes - Unknown # 0

We are writing to notify you of an incident that may affect the security of your personal information. On April 27, 2013, an unknown individual(s) burglarized Millimaki Eggert's San Diego, California office and stole, among other things, two password-protected laptops containing sensitive information. We reported the theft to local law enforcement, and law enforcement's investigation into this incident is ongoing.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Millimaki Eggert Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/millimaki-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-03 Montana State University MT Electronic Educational Yes - Published # 4,500

Montana State University ("MSU") is committed to protecting the personal information it maintains. Regrettably, we are writing to inform you about an incident involving some of that information. On March 5, 2013, MSU discovered unusual activity on a computer in a central administration department. The computer was immediately taken offline and we began an investigation to examine what happened. We also hired an expert computer forensics company to assist with our investigation. After completing a thorough analysis of the computer, the forensics company determined that a computer virus may have allowed an unauthorized person to access information on the computer.

Attribution 1 Publication: Missoulian Author: Date Published: Article Title: MSU: Employee Social Security numbers at risk Article URL: http://missoulian.com/news/state-and-regional/montana/msu-employee-social-security-numbers-at-risk/article_ac4e2c9

Attribution 2 Publication: VT AG's office Author: Date Published: Article Title: Montana State University Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/montana-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-02 King County sheriff's office WA Electronic Government/Military Yes - Unknown # 0

Thousands of people are now vulnerable to identity theft, and it's all because of a stolen laptop.

The information, which includes Social Security and drivers license numbers, was on a King County sheriff's office computer that was stolen from a detective.

Attribution 1 Publication: komonews.com Author: Date Published: Article Title: Detective's stolen laptop puts thousands at risk of identity theft Article URL: http://www.komonews.com/news/local/Stolen-sheriffs-office-laptop-puts-thousand-at-risk-of-identity-theft-212860341.ht

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130625-01 Foundations Recovery Network TN Electronic Medical/Healthcare Yes - Unknown # 0

I am writing on behalf of Foundations Recovery Network to inform you of a recent privacy incident concerning your personal information. On Saturday, June 15th, one of our employees informed us that she had been the victim of a burglary during the early morning hours on June 15th at approximately 2:45 a.m. and that her company laptop had been stolen. The laptop contained certain aspects of patient information which she needed as part of her role with our company. The employee reported the theft immediately to law enforcement authorities. We understand that the theft was one of several that took place in her neighborhood that night, so we do not believe the thief specifically targeted her or the laptop.

Attribution 1 Publication: phiprivacy.net / CA AG's office Author: Date Published: Article Title: Foundations Recovery Network notifying patients after a laptop with PHI was stolen from an employee’s car Article URL: http://www.phiprivacy.net/?p=12980

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130624-03 University of Illinois IL Electronic Educational Yes - Published # 3,000

Another exploit of the former University of Illinois student known as the ECE Hacker has been uncovered, but police said the situation is under control.

Daniel Beckwitt was recently sentenced to probation in connection with the tampering of campus computers and e-mail accounts. And this week, it was made known that Beckwitt gained access to nearly 3000 social security numbers of residents at the Hendrick House residence hall in Urbana, where Beckwitt was at one time a resident.

Attribution 1 Publication: The News-Gazette Author: Date Published: Article Title: Another hack from former UI student uncovered Article URL: http://www.news-gazette.com/news/local/2013-06-20/another-hack-former-ui-student-uncovered.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130624-02 Facebook CA Electronic Business Yes - Unknown # 0

The social networking giant Facebook just had a huge security breach, sharing 6 million Facebook users’ email addresses and phone numbers due to a bug in their software. Those users whose security has been compromised will be notified by email, according to Facebook.

Attribution 1 Publication: intomobile.com Author: Date Published: Article Title: Facebook Security Breach Exposes 6 Million Users’ Phone Numbers, Email Addresses Article URL: http://www.intomobile.com/2013/06/21/facebook-security-breach-exposes-6-million-users-phone-numbers-email-addres

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130624-01 Department of Education FL Electronic Educational Yes - Published # 47,000

Personal information of roughly 47,000 teacher preparation program participants in the state was compromised for 14 days in late May, according to a statement Saturday by the Florida Department of Education.

Attribution 1 Publication: abcactionnews.com Author: Date Published: Article Title: Dept. of Education: Personal info breach for 47K teacher prep participants Article URL: http://www.abcactionnews.com/dpp/news/dept-of-education-personal-info-breach-for-47k-teacher-prep-participants

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-03 North Lincoln County Community Health Center OR Electronic Government/Military Yes - Published # 950

During the evening of April 17, 2013 the North Lincoln County Community Health Center Clinic and surrounding offices in the same building, were broken into by an unknown person or persons. Locked doors, rooms and cabinets were forcibly entered. Money was taken from the clinic, but it appears no other records or materials were removed. No electronic devices were taken or accessed. However, the locked room which contains medical charts for our clients was breached.

Attribution 1 Publication: Lincoln County Media Release / Healthc Author: Date Published: Article Title: North Lincoln County Community Health Center Article URL: http://www.lincolncountyhealth.com/press/Lincoln%20County%20-%20Media%20Release%20-%20Notice.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-02 Sight and Sun Eyeworks Gulf Breeze FL Electronic Government/Military Yes - Published # 9,000

Gulf Breeze Family Eyecare, Inc., d/b/a Sight and Sun Eyeworks Gulf Breeze has discovered a patient privacy issue. On May 17, 2013, Sight and Sun Eyeworks Gulf Breeze learned that its patients' personal information, including name, address, social security number and medical record had been accessed inappropriately.

Attribution 1 Publication: healthcareinfosecurity.com Author: Date Published: Article Title: Gulf Breeze Family Eyecare d/b/a Gulf Breeze Family Eyecare Article URL: http://www.healthcareinfosecurity.com/fifth-stanford-breach-leads-roundup-a-5848?rf=2013-06-20-eh&elq=f519ab7cae4

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130620-01 City of Houston TX Electronic Government/Military Yes - Published # 5,000

Technical issues encountered by the city of Houston's payroll contractor could have potentially exposed personal information for nearly 5,000 local government workers, including more than 1,000 in the Houston Police Department.

Attribution 1 Publication: Cindy George Author: Date Published: Article Title: Payroll company error prompts security breach concern Article URL: http://www.chron.com/news/houston-texas/houston/article/Payroll-company-error-prompts-security-breach-4611194.ph

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-07 South Florida State Hospital FL Electronic Medical/Healthcare Yes - Published # 1,000

Curtis Fullwood's job was to help patients with mental health problems find work they could do in the South Florida State Hospital in Pembroke Pines, but instead, authorities say, he stole their identities.

Fullwood, 57, and his cousin, Terri Davis, 45, have pleaded not guilty to a federal indictment charging them with conspiracy to commit identity theft, conspiring to disclose individual's health information, access device fraud, wrongful disclosure of health information and aggravated identity theft.

Attribution 1 Publication: Sun Sentinel - PHIprivacy.net Author: Date Published: Article Title: Psychiatric patients' IDs stolen by hospital worker, feds say Article URL: http://www.sun-sentinel.com/fl-id-theft-psych-hospital-20130611,0,5669451.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-06 Lucile Packard Children's Hospital CA Electronic Medical/Healthcare Yes - Published # 12,900

Law enforcement is investigating a recent computer theft at Lucile Packard Children’s Hospital at Stanford.

The incident was reported to the hospital by an employee on May 8. A password-protected, non-functional laptop containing limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement.

Attribution 1 Publication: LPCH company website Author: Date Published: Article Title: Lucile Packard Children's Hospital Article URL: http://www.lpch.org/aboutus/news/releases/2013/patient-notification.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-04 Vendini - University of Michigan MI Electronic Business Yes - Published # 33,000

Hackers accessed the credit card information of tens of thousands of customers of the University of Michigan's Union Ticket Office, the latest organization that has fallen victim to a breach affecting a third-party vendor.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Another victim comes forward in massive ticketing software company breach Article URL: http://www.scmagazine.com//another-victim-comes-forward-in-massive-ticketing-software-company-breach/article/2987

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-03 Veterans Affairs - Fayetteville NC Paper Data Government/Military Yes - Published # 1,093

The personal information of more than 1,000 military veterans who were patients at the Veterans Affairs hospital in Fayetteville, N.C., was exposed after a hospital employee improperly disposed of the records.

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Veterans' patient information found in recycle bin Article URL: http://www.scmagazine.com//veterans-patient-information-found-in-recycle-bin/article/299254/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-02 VYC Tires Inc. PA Electronic Business Yes - Unknown # 0

We (VYC Tires, Inc.) are writing to you because of an incident which occurred with the off-site computer system which we use to manage and process our customer orders.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: VYC Tires Inc. Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/vyc-tires-i

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130618-01 Yolo Federal Credit Union CA Electronic Banking/Credit/Financial Yes - Unknown # 0

Your account security is a top priority for Yolo Federal Credit Union. As part of our regular security process, we have identified your VISA card number as being at risk for unauthorized charges and are taking the proactive step of sending you a new VISA card.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Yolo Federal Credit Union Article URL: https://oag.ca.gov/system/files/Mbr%20notification%20letter%2007Jun13%20and%2010Jun13_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-10 LabCorp NC Electronic Medical/Healthcare Yes - Unknown # 0

It was reported on March 15, 2013, that a computer tagged for destruction was stolen from one of our facilities in Burlington, North Carolina. The incident affected 115 Maryland residents and the data elements included the patient first and last name, date of birth, and the Medicare Subscriber numbers.

Attribution 1 Publication: LabCorp Notification / phiprivacy.net Author: Date Published: Article Title: LabCorp Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227421.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-09 Republic Bank & Trust Company KY Paper Data Banking/Credit/Financial Yes - Unknown # 0

Enclosed please find a copy of Incident Response Form 02152013-1 describing a potential security incident relative to personal information at Republic Bank & Trust Company. On January 28th an error occurred during the mailing process of 1099c forms. As a result of our investigation, the Bank has identified that some of the correspondence that was shipped out had sensitive data partially or fully exposed in the envelope window, including social security or tax identification numbers, along with traditional address information.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Republic Bank & Trust Company Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226836.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-08 Verizon NY Electronic Business Yes - Unknown # 0

We are writing to inform you that a thumb drive containing a Verizon document that had your name and Social Security number was recently lost, recovered and returned to Verizon. We understand the increased risks and sensitivity surrounding identity theft. As such, we are notifying you so that you may be vigilant for any signs of misuse of your information.

Attribution 1 Publication: MD AG's Office Author: Date Published: Article Title: Verizon Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-227413.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-07 Mercer County Community College NJ Electronic Educational Yes - Unknown # 0

We are writing to notify you of a data security event that compromised the security of personal information. Mercer County Community College ("the College"), 1200 Old Trenton Road, West Windsor, NJ, 08550, is informing your office of pertinent facts that are known at this time related to an exposure of certain student personal information. Specifically, the College's local network security setting had been inadvertently set to permit all local network users access to a database intended to be accessible by those with administrator credentials only. This database contained the names, addresses (home and email), dates of birth, and Social Security numbers of certain College students.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Mercer County Community College Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-224417.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-06 Publishers Circulation Fulfillment MD Electronic Business Yes - Unknown # 0

Please be advised that on January 11, 2013, Fidelity Management Trust Company ("Fidelity") (recordkeeper and trustee for the Plan) reported to my client, Publishers Circulation Fulfillment, Inc. (PCF), instances of unauthorized access and withdrawals of funds from certain participants' accounts under PCF's 401(k) retirement plan ("Plan") suggesting a potential security incident.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Publishers Circulation Fulfillment Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226834.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-05 Contact Solutions VA Electronic Business Yes - Unknown # 0

Contact Solutions has been notified that employee names and social security numbers may have been compromised. Summary: A spreadsheet containing Contact Solutions employee names and social security numbers was inadvertently emailed to an external contractor whose email account was then compromised. No other personal information was contained in that specific file.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Contact Solutions Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-226829.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-04 Emmorton Associates MD Electronic Medical/Healthcare Yes - Unknown # 0

Please consider this a security breach notification. On December 21, 2012, Emmorton Psych became aware of a possible breach of personal health information. We are unable to determine the exact date and the extent of the breach but a possible information leakage occurred between December 10, 2012 and December 21, 2012. We will be notifying the affected individuals in as timely a manner as possible to reduce or eliminate potential harm.

Attribution 1 Publication: MD AG's office Author: Date Published: Article Title: Emmorton Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-224437.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-03 Calvert Internal Medicine MD Electronic Medical/Healthcare Yes - Unknown # 0

Calvert Internal Medicine Group recently learned that one of our computers may have been compromised and that employee personal information, including names, addresses and social security numbers, could have been acquired by unauthorized persons. Although we have no definitive evidence of a compromise, we are taking, and would suggest you take, precautionary measures to assure that your personal information has not been misused.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: Calvert Internal Medicine Article URL: http://www.databreaches.net/?p=27864

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-02 Wyndham Vacation Resorts NJ Electronic Business Yes - Unknown # 0

In a report to the Maryland Attorney General dated March 12, Stratis Pridgeon, Group Vice President of Legal Services for Wyndham Vacation Ownership, Inc. (which includes its subsidiary Wyndham Vacation Resorts, Inc.), writes that on or about January 18, they were notified by Orlando Florida police that a then-current employee had been arrested and tied to fraudulent credit card purchases. Wyndham terminated the employee the next day and their investigation suggested that he may have manually recorded customers’ credit card numbers during telephone calls in a private ledger he maintained. The employee was arrested on January 16.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: Wyndham Vacation Resorts reports an insider breach Article URL: http://www.databreaches.net/?p=27862

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130611-01 Edgewood Centre NH Electronic Business Yes - Unknown # 0

I am writing to inform you of a potential breach of your confidential personal information that may have occurred during our payroll processing and the transfer of specific information to the Northeast Credit Union. This potential breach happened on Thursday, May 16th during the transfer of information from Edgewood to Northeast Credit Union which included your name, social security number, bank account number and the amount of money transferred into your account(s).

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Edgewood Centre Article URL: http://doj.nh.gov/consumer/security-breaches/documents/edgewood-centre-20130520.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-08 Goldner Associates VT Electronic Business Yes - Unknown # 0

We recently notified you of the security incident involving the [Goldner customer name] online store. As we noted in the email that we sent to you, Goldner Associates provides services to [Goldner customer name]. By way of update from our May 17th email, we have now confirmed that on May 14, 2013 there was unauthorized access to the server of our service provider hosting the [Goldner customer name] online store. We have also confirmed that these unauthorized third parties obtained your name, credit card or debit card number for the card noted above and the expiration date and CVV code of that card, and your address and phone number. Since we do not collect PINs for debit cards, social security numbers, dates of birth or driver's license information, these types of personal information were not involved.

Attribution 1 Publication: VT AG's office / NH AG's office Author: Date Published: Article Title: Goldner Associates Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/oldner-as

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-07 Green Mountain Club VT Electronic Business Yes - Unknown # 0

We are writing to you because of a recent security incident at the Green Mountain Club. Our website was compromised and personal information may have been stolen including: address, phone number, email address, and credit card number.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Green Mountain Club Article URL: http://www.atg.state.vt.us/assets/files/Green%20Mountain%20Club%20Security%20Breach%20Notice%20Ltr%20to%20c

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-06 Independence Care System NY Electronic Medical/Healthcare Yes - Published # 2,434

Independence Care System, a long-term care insurance provider based in New York, is notifying more than 2,400 of its members about the theft of an unencrypted laptop containing sensitive information.

Attribution 1 Publication: Data Breach Today Author: Date Published: Article Title: Independence Care System Article URL: http://www.databreachtoday.com/payroll-information-breach-leads-roundup-a-5831

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-05 Health Resources of Arkansas AR Electronic Medical/Healthcare Yes - Published # 1,911

Other physical breaches can’t be avoided, such as at Health Resources of Arkansas, where 1,911 patient records were potentially compromised on April 14, 2013. One of its locations was robbed and though no records were stolen, the office did contain protected health information (PHI) such as name, address, date of birth, Social Security number, diagnosis, type of treatment, class attended, court information, services provided or insurance information of persons served by that location.

Attribution 1 Publication: HHS.gov / HealthIT Security Author: Date Published: Article Title: Health Resources of Arkansas Article URL: http://healthitsecurity.com/2013/06/11/carefirst-reports-three-separate-breaches-to-oag/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-04 Raley's Family of Fine Stores CA Electronic Business Yes - Unknown # 0

Raley's Family of Fine Stores, a supermarket chain with more than 120 stores in California and Nevada, has been stung by a hack that compromised the credit and debit card information of its customers.

Raley's spokeswoman Nicole Townsend said a "portion" of its computer systems were the target of a “complex, criminal cyber attack,” in a Thursday statement posted on Raley's website. No further details about the intrusion were provided.

Attribution 1 Publication: Raley's website Author: Date Published: Article Title: Raley's Family of Fine Stores Targeted in Cyber Attack Article URL: http://www.raleys.com/www/feature/media.jsp?viewFullSite=yes

Attribution 2 Publication: scmagazine.com Author: Date Published: Article Title: Hackers invade Raley's grocery chain Article URL: http://www.scmagazine.com/hackers-invade-raleys-grocery-chain/article/296778/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-03 Sutter Health East Bay Region CA Electronic Medical/Healthcare Yes - Published # 4,479

We are writing to notify you that on May 23, 2013, the Alameda County Sheriff's office notified us that personal information pertaining to a number of people, including you, was recovered during an investigation. The information may have originated from Sutter Health's Alta Bates Summit Medical Center, Sutter Delta Medical Center or Eden Medical Center, and may have included the following: your name, SSN, date of birth, gender, address, zip code, home phone number, marital status, name of your employer and your work phone number.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Sutter Health East Bay Region Article URL: https://oag.ca.gov/system/files/Patient%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-02 Inland Empire Health Plan - SynerMed CA Electronic Medical/Healthcare Yes - Published # 1,566

The purpose of this letter is to report a security incident of which SynerMed has become aware, that involved the theft from one of our employees of a laptop computer containing protected health information (PHI) of members of Inland Valleys IPA (IVIPA).

Attribution 1 Publication: SC Magazine Author: Date Published: Article Title: Laptop stolen from Calif. health care provider exposing data of 1,500 Article URL: http://www.scmagazine.com//laptop-stolen-from-calif-health-care-provider-exposing-data-of-1500/article/298999/

Attribution 2 Publication: CA AG's office Author: Date Published: Article Title: SynerMed Article URL: https://oag.ca.gov/system/files/Sample%20Member%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130607-01 County of Brookhaven NY Electronic Government/Military Yes - Published # 78

Brookhaven Supervisor Edward P. Romaine on Thursday handed off an investigation into the inadvertent online posting of personal information to the town's law department -- the same unit that made the mistake.

Attribution 1 Publication: newsday.com Author: Deon J. Hampton Date Published: Article Title: Brookhaven data breach 'was clerical error,' officials say Article URL: http://www.newsday.com/long-island/towns/brookhaven-data-breach-was-clerical-error-officials-say-1.5426405

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130606-01 Arlington School District TX Electronic Educational Yes - Unknown # 0

Arlington school district employees and some former employees were notified this week that two laptops possibly containing their personal information were stolen overnight May 27 from the administration building.

Attribution 1 Publication: Star-Telegram Author: Date Published: Article Title: Arlington school employees notified about possible d Article URL: http://www.star-telegram.com/2013/06/05/4912668/arlington-school-district-employees.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130605-02 Bon Secours Hampton Roads Health System VA Electronic Medical/Healthcare Yes - Unknown # 0

Virginia's Bon Secours Hampton Roads Health System recently announced the firing of two nursing assistants for improperly accessing patients' medical records (h/t PHIprivacy.net).

According to a statement from the health system, the information improperly accessed included one or more of the following: names, birthdates, dates and times of service, provider and facility names, hospital medical record and account numbers (which may have included Social Security numbers), and treatment information.

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Virginia Health System Admits Security Breach Article URL: http://www.esecurityplanet.com/network-security/virginia-health-system-admits-security-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130605-01 University of Massachusetts - Center for Language, Speech MA Electronic Educational Yes - Unknown # 0

UMass officials are notifying patients of the school’s Center for Language, Speech, and Hearing that their personal health data may have been compromised after malware infected a workstation.

Attribution 1 Publication: WGGB.com Author: Date Published: Article Title: Patients of UMass Center Warned of Security Breach Article URL: http://www.wggb.com/2013/06/04/patients-of-umass-center-warned-of-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-04 Shumsky Promotional Agency OH Electronic Business Yes - Published # 1,400

On May 16, 2013, Shumsky was notified by its e-commerce platform provider that on May 14, 2013, an unauthorized third party accessed the e-commerce platform and accessed nearly 1,400 of Shumsky cardholder records.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Shumsky Promotional Agency Article URL: https://oag.ca.gov/system/files/CardHolder_Notice_PRINT_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-03 Godiva Chocolatier Inc. PA Electronic Business Yes - Unknown # 0

On April 15, 2013, Godiva received a letter informing us that an individual, without authorization, had obtained and accessed a flash drive containing certain personal information about some individuals who worked at Godiva, or applied for positions at Godiva, prior to August 5, 2010. The information accessed varies from individual to individual, but could, in some cases, include names, addresses, social security numbers, phone numbers, and other information related to employment records at Godiva.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Godiva Chocolatier Inc. Article URL: https://oag.ca.gov/system/files/Godiva%20CA%20Online%20System_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-02 Anasazi Hotel LLC NM Electronic Business Yes - Unknown # 0

This letter is being sent to you because our records indicate that you were a guest at Anasazi Hotel LLC (“Anasazi”) sometime between June 18, 2012 and March 21, 2013, and one or more credit cards was used as payment at our facility in connection with your stay with us. As described in more detail below, we have discovered that cards processed at Anasazi during that time period may have been accessed by an unauthorized person. We wanted to inform you of our investigation of this incident, let you know of the steps we suggest you take to protect yourself against any potential identity theft, and offer you an identity theft protection service at no charge to you, as described in greater detail below and in the enclosed materials.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Anasazi Hotel LLC Article URL: https://oag.ca.gov/system/files/Anasazi%20-%20Sample%20Consumer%20Security%20Breach%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130604-01 RentPath, Inc. (Primedia) GA Electronic Business Yes - Published # 56,000

We recently discovered a security incident that occurred at our offices which may have resulted in the exposure of some of your personal information. At this time, we are not aware of any misuse of your personal information. We take the security of your personal information very seriously, and sincerely apologize for any inconvenience this may cause you.

Attribution 1 Publication: eSecurity Planet / VT AG's office Author: Jeff Goldman Date Published: Article Title: RentPath Security Breach May Have Exposed 56,000 Social Security Numbers Article URL: http://www.esecurityplanet.com/network-security/rentpath-security-breach-may-have-exposed-56000-social-security-nu

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130603-01 Champlain College VT Electronic Educational Yes - Published # 14,217

Champlain College is offering data protection services to more than 14,000 students and their families after a computer drive containing their Social Security numbers and other data was left unsecured in a computer lab.

Attribution 1 Publication: AP / VT AG's office Author: Date Published: Article Title: Champlain College Warns Of Data Security Breach Article URL: http://digital.vpr.net/post/champlain-college-warns-data-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130531-02 Beachbody, LLC CA Electronic Business Yes - Unknown # 0

We represent Beachbody, LLC ("Beachbody"), and are writing to notify you of a data event that compromised the security of personal information of one hundred sixty one (161) New Hampshire residents.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Beachbody, LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/beachbody-20130523.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130531-01 Mary Immaculate Hospital VA Electronic Medical/Healthcare Yes - Published # 5,000

Bon Secours has terminated the employment of two CNAs, certified nursing assistants, for improper use of the health system's electronic medical records at Mary Immaculate Hospital in Newport News, it announced Wednesday.

Attribution 1 Publication: Daily Press Author: Prue Salasky Date Published: Article Title: Electronic health records breach reported Article URL: http://www.dailypress.com/health/dp-nws-electronic-records-breach-0530-20130530,0,2904197.story?goback=%2Egde_

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130530-01 Department of Motor Vehicles UT Electronic Government/Military Yes - Unknown # 0

FOX 13 News has learned authorities are investigating a data breach of personal information at the Utah Department of Motor Vehicles. Investigators are accusing a former employee at the DMV of taking people’s information and passing it to others, who would then go out and commit crimes. But state officials acknowledge they may have no way of knowing how widespread the problem is.

Attribution 1 Publication: Fox 13 News - SLC Author: Ben Winslow Date Published: Article Title: Authorities investigate personal info data breach at DMV Article URL: http://fox13now.com/2013/05/29/authorities-investigate-personal-info-data-breach-at-dmv/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130529-01 University of Florida - Health Pediatrics FL Electronic Medical/Healthcare Yes - Published # 5,682

An employee working at a University of Florida medical practice who had ties to an identity theft ring may have compromised patient personal and health information.

Attribution 1 Publication: Campus website Author: Date Published: Article Title: Parents, patients notified of potential identity theft incident Article URL: http://news.ufl.edu/2013/05/29/potential-identity-theft-2/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-09 Hawaii State Department of Health HI Electronic Medical/Healthcare Yes - Published # 674

Hawaii State Department of Health, Adult Mental Health Division disclosed a breach in October 2012 that is also first appearing on HHS’s breach tool. According to the entry, 674 clients were affected by a hack that occurred on September 25, 2012.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Hawaii State Department of Health Article URL: http://www.phiprivacy.net/?s=silverscript

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-08 Sovereign Medical Group NJ Electronic Medical/Healthcare Yes - Published # 27,800

Sovereign Medical Group, LLC in New Jersey reported that 27,800 were affected by a breach on October 10, 2012. HHS’s breach tool codes the incident as “Theft, Hacking/IT Incident,” “Network Server.”

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Sovereign Medical Group Article URL: http://www.phiprivacy.net/?s=silverscript

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-07 SilverScript Insurance Company AZ Paper Data Medical/Healthcare Yes - Published # 852

unauthorized access - paper

Attribution 1 Publication: hhs.gov / datalossdb.org Author: Date Published: Article Title: SilverScript Insurance Company Article URL: http://datalossdb.org/incidents/10191-852-paper-records-compromised-by-unauthorized-access

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-06 HealthMarkets TX Electronic Business Yes - Unknown # 0

Recently HealthMarkets, Inc. subsidiaries became aware of an inadvertent distribution of personal non-public information maintained by our subsidiaries. Upon notification of the error, we performed an investigation to determine the amount and content of information that was released and the parties who were involved. The personal information that was included in the electronic communication included a list of agents' names, addresses, social security numbers, date of birth and some financial information. Our investigation included interviews with employees and inspection of all affected electronic records.

Attribution 1 Publication: NH AG's Office Author: Date Published: Article Title: HealthMarkets Article URL: http://doj.nh.gov/consumer/security-breaches/documents/healthmarkets-20130514.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-05 Callaway Gardens GA Electronic Business Yes - Unknown # 0

Callaway Gardens is reporting a breach of its credit card security system in an announcement Friday, suggesting that private customer information that can be used for financial fraud might have been taken.

Attribution 1 Publication: Journal Constitution Author: Date Published: Article Title: Callaway Gardens alerts customers about credit card security breach Article URL: http://www.ajc.com/news/news/breaking-news/callaway-gardens-alerts-customers-about-credit-car/nX3g7/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-04 Sonoma Valley Hospital CA Electronic Medical/Healthcare Yes - Published # 1,350

What happened? A hospital worker accidentally uploaded the patient data onto the hospital's public website as part of a routine update, according to a news release. The data was not directly accessible through the website, but did show up in search engine queries.

Attribution 1 Publication: SC Magazine Author: Marcos Colon Date Published: Article Title: Hospital posts personal patient information on public website Article URL: http://www.scmagazine.com//hospital-posts-personal-patient-information-on-public-website/article/295190/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-03 Department of State Hospitals CA Electronic Medical/Healthcare Yes - Unknown # 0

DSH discovered that an employee roster containing confidential personal information was placed on the Patton State Hospital intranet website by mistake. The personal information was the first name, middle initial and last name, social security number, DSH position number and title, and Bargaining Unit of DSH-Patton employees, including you. This was on the intranet website for approximately 6 hours on May 8, 2013 until the mistake was discovered and corrected.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Department of State Hospitals Article URL: https://oag.ca.gov/system/files/DSH%20SSN%20Breach%20Template%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-02 Jackson Health System FL Electronic Medical/Healthcare Yes - Published # 556

With the approval of law enforcement officials, Jackson Health System, a nonprofit that includes 2,500 beds among six hospitals, only recently disclosed the March 2012 incident, which involved 556 patients. In what could be fodder for a television show on dumb criminals, Jackson officials said the theft came to light when three men were spotted sitting in a Miramar, Fla., McDonald’s parking lot, attempting to use the restaurant’s free WiFi connection to file fraudulent tax returns.

Attribution 1 Publication: AIS Health Author: Date Published: Article Title: Identity Theft Ring Results in Smartphone Ban at Health System Article URL: http://aishealth.com/archive/hipaa0113-03?utm_source=Fierce

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130528-01 Jackson Health System FL Paper Data Medical/Healthcare Yes - Published # 1,407

Jackson Health System is reporting more issues with protecting patient data. Shortly after a 566-patient breach that was announced in December 2012, Jackson lost more than 1,400 patients’ data in January 2013 and has sent those patients notification letters.

Attribution 1 Publication: HealthITSecurity / phiprivacy.net Author: Patrick Ouellette Date Published: Article Title: New patient data breach reported at Jackson Health System Article URL: http://healthitsecurity.com/2013/05/28/new-patient-data-breach-reported-at-jackson-health-system/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130523-02 Idaho State University - Pocatello Family Medicine ID Electronic Medical/Healthcare Yes - Published # 17,500

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Idaho State University Settles HIPAA Security Case for $400,000 Article URL: http://www.phiprivacy.net/?p=12728

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130523-01 Venidini Inc. / South Orange PAC CA Electronic Business Yes - Published # 23,000

The Maine Attorney General's office is issuing an alert for people who may have used an out-of-state service for buying tickets for shows and other forms of entertainment recently.

The service, Venidini, Inc., has been hacked, exposing financial information for tens of thousands of customers.

Attribution 1 Publication: WCSH6.com Author: Date Published: Article Title: Data breach may affect 23,000 Mainers who bought tickets online Article URL: http://www.wcsh6.com/news/article/244721/2/Data-breach-may-affect-Mainers-who-bought-tickets-online

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130522-01 DHS - Customs and Border Protection DC Electronic Government/Military Yes - Unknown # 0

Tens of thousands of current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in a vendor's system used for processing background investigations.

Attribution 1 Publication: Federalnewsradio.com Author: Jason Miller Date Published: Article Title: Data breach puts DHS employees at risk of identity theft Article URL: http://www.federalnewsradio.com/473/3332836/Data-breach-puts-DHS-employees-at-risk-of-identity-theft

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-12 Toshiba America Information Systems CO Electronic Business Yes - Unknown # 0

Revana, Inc. and TeleTech Services, Corp. (together, "Revana") provide customer services to Toshiba America Information Systems, Inc. ("TAIS"). Revana is contacting you on behalf of TAIS pursuant to N.H Rev. Stat. § 359-C:20(1)(b) concerning a data security incident involving the personal information of four New Hampshire residents. Revana uses a data protection tool to detect when certain types of personal information are exported out of its system. On April 8, 2013, Revana discovered that one of its employees had improperly saved the personal information of one TAIS customer residing in New Hampshire outside of Revana's secure network in violation of company policies. This information consisted of names, addresses, credit card account numbers, credit card expiration dates and CVVs (card security codes).

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Toshiba America Information Systems Article URL: http://doj.nh.gov/consumer/security-breaches/documents/toshiba-america-20130430.pdf


ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-11 El Centro Regional Medical Center CA Paper Data Medical/Healthcare Yes - Published # 189,489

On March 22, 2013, El Centro Regional Medical Center (ECRMC) was notified that x-rays ECRMC had provided to a trusted vendor for digitization and destruction were missing from a storage warehouse and may not have been properly destroyed. ECRMC immediately began a thorough internal investigation to determine what happened to the x-rays, but has been unable to find the missing x-rays. ECRMC has also not been able to make contact with the vendor. The radiology films and records are for dates of service prior to February 2011. As a precaution, ECRMC began sending letters to affected patients on May 7 to let them know this occurred.

Attribution 1 Publication: phiprivacy.net Author: Date Published: Article Title: Notice Regarding Missing X-Rays for El Centro Regional Medical Center Patients Article URL: http://www.phiprivacy.net/?p=12650

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-10 Public Health Center - Seattle & King County WA Paper Data Medical/Healthcare Yes - Published # 750

This posting is to inform you that, on March 7, 2013, a substitute custodian employed by the building owner at Downtown Public Health Center disposed of some clients' protected health information in a way that did not follow proper procedure.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Public Health Center - Seattle & King County Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-09 Orthopedics & Adult Reconstructive Surgery TX Electronic Medical/Healthcare Yes - Published # 22,000

Orthopedics & Adult Reconstructive Surgery in Texas reported that their business associate, AssuranceMD (formerly known as Harbor Group) lost a portable electronic device sometime during the first half of March. The device contained information on 22,000 patients.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Orthopedics & Adult Reconstructive Surgery Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-08 Stronghold Counseling Services, Inc. SD Electronic Medical/Healthcare Yes - Published # 8,500

Stronghold Counseling Services Inc. of South Dakota reported that 8,500 patients had information on a computer stolen on December 24, 2012.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Stronghold Counseling Services, Inc. Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-07 Guidance Center of Westchester NY Electronic Medical/Healthcare Yes - Published # 1,416

The Guidance Center of Westchester, Inc. is notifying clients of a breach of their personal information after discovering that the following has occurred:

On February 22, 2013, the Center discovered that a central processing unit (CPU) had been removed from a staff member’s office at its 70 Grand Street, New Rochelle, New York location. The Center immediately conducted a preliminary investigation into the incident and determined that the CPU was taken on February 21, 2013. The Center notified local law enforcement and filed a police report. The New Rochelle Police Department is currently investigating the incident.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Guidance Center of Westchester Article URL: http://www.phiprivacy.net/?p=12692


ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-06 Valley Mental Health UT Electronic Medical/Healthcare Yes - Published # 700

Valley Mental Health of Utah reported that 700 patients had information on a stolen computer. The theft occurred on February 27, and I can find no statement on their web site or substitute notice anywhere.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Valley Mental Health Article URL: http://www.phiprivacy.net/?p=12692

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-05 Wood County Hospital OH Electronic Medical/Healthcare Yes - Published # 2,500

Authorities are investigating the theft of radiology films of between 2,000 to 2,500 patients stolen in March from a Wood County Hospital storage room.

Catharine Harned, director of marketing and business development for Wood County Hospital, said the radiology films were among those being prepared for destruction through recycling.

“The individuals who committed the theft gained access posing as subcontractors that the vendor retained for recycling,” Ms. Harned said. She said footage of the suspects was recorded by cameras and the hospital is working with the Bowling Green Police Department to identify the suspects.

Attribution 1 Publication: toledoblade.com / phiprivacy.net Author: Date Published: Article Title: Police probe theft of radiology films Article URL: http://www.toledoblade.com/Police-Fire/2013/05/09/Police-probe-theft-of-radiology-films.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-04 Delta Dental of Pennsylvania PA Paper Data Medical/Healthcare Yes - Published # 14,829

Delta Dental of Pennsylvania notified 14,829 employees of Select Medical Corporation that a mailing to their employer arrived with pages missing that contained enrollees’ personal information.

Attribution 1 Publication: phiprivacy.net / hhs.gov Author: Date Published: Article Title: Delta Dental of Pennsylvania Article URL: http://www.phiprivacy.net/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-03 NTT Docomo USA NY Electronic Business Yes - Unknown # 0

NTT DOCOMO USA, Inc. recently discovered that, on April 26, 2013, due to an unauthorized external access to our server from an outside source, information pertaining to some of our DOCOMO USA Wireless™ subscribers was accessed. Through our investigation, we have determined that the personal information involved in this incident included name and payment card information. We deeply regret that this incident occurred and take very seriously the security of personal information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: NTT Docomo USA Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/ntt-docom

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-02 ThyssenKrupp OnlineMetals WA Electronic Business Yes - Unknown # 0

We are writing to inform you that personal information collected through the ThyssenKrupp OnlineMetals, LLC website, www.onlinemetals.com, may have been compromised. We deeply regret that this incident occurred, and because you are potentially affected, we want to share with you what we know and urge you to take steps to protect your personal information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: ThyssenKrupp OnlineMetals Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/thyssenkr


ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130521-01 Community Health Med-Check IN Electronic Medical/Healthcare Yes - Published # 180

After learning of a former employee stealing patient identities, Community Health Med-check in Speedway, Ind. has notified about 180 patients that their data may have been compromised.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Community Health sends patients data breach notifications Article URL: http://healthitsecurity.com/2013/05/17/community-health-sends-patients-data-breach-notifications/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130520-02 LSU Health Shreveport LA Paper Data Medical/Healthcare Yes - Published # 8,330

LSU Health Shreveport recently began notifying patients that a processing error at Siemens Healthcare, which prints and mails doctors' bills on behalf of LSU Health, resulted in the exposure of 8,330 patients' personal information (h/t PHIprivacy.net).

Attribution 1 Publication: eSecurity Planet / phiprivacy.net Author: Jeff Goldman Date Published: Article Title: LSU Health Acknowledges Data Breach Article URL: http://www.esecurityplanet.com/network-security/lsu-health-acknowledges-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130520-01 Piedmont HealthCare NC Electronic Medical/Healthcare Yes - Published # 10,000

A local healthcare company is now trying to contact 10,000 job applicants whose private information was exposed in a major security breach.

Attribution 1 Publication: WSOCTV.com / VT AG's office Author: Date Published: Article Title: Information for 10K job applicants exposed in security breach Article URL: http://www.wsoctv.com/news/news/local/piedmont-compromise/nXtt3/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130517-01 City of Akron OH Electronic Government/Military Yes - Published # 8,000

The city of Akron notified Friday some of the taxpayers whose personal information — possibly including Social Security numbers, credit card numbers and checking account numbers — was compromised in a cyber attack and posted on the Internet.

Attribution 1 Publication: Ohio.com Author: Betty Lin-Fisher Date Published: Article Title: Akron notifies some people named in hacked city files; victims appear to be individuals who e-filed city taxes in 2013 Article URL: http://www.ohio.com/news/break-news/akron-notifies-some-people-named-in-hacked-city-files-victims-appear-to-be-ind

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130516-03 Erskine Family Dentistry IN Electronic Medical/Healthcare Yes - Unknown # 0

A local dentist's office is working to ensure its patients' records are secure after a virus attacked the office's computer system in March.

Staff at Erskine Family Dentistry, 734 E. Ireland Road, say there is no indication the virus has accessed the personal information of patients, according to a news release.

Attribution 1 Publication: South Bend Tribune Author: Date Published: Article Title: Local dentist office faced with computer security breach Article URL: http://www.southbendtribune.com/news/sbt-local-dentist-office-faced-with-computer-security-breach-20130514,0,68688

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130516-02 Louisiana State University LA Paper Data Medical/Healthcare Yes - Published # 8,330

A database error in a computer entry field led to the disclosure of personal health information of 8,330 LSU Health patients.

The hospital says it notified each patient on Wednesday of the release of personal information and that each patient's bill contained incorrect information. A hospital news release says no Social Security numbers, birth dates, or financial account numbers were disclosed.


Attribution 1 Publication: ksla.com Author: Date Published: Article Title: LSU Health: Personal information of 8,300 patients unintentionally released Article URL: http://www.ksla.com/story/22265674/lsu-health-personal-information-of-8300-patients-unintentionally-released

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130516-01 Dent Neurologic Institute NY Electronic Medical/Healthcare Yes - Published # 10,200

Confidential information about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an email attachment.

The personal information – including patients’ names and home addresses, their doctors’ names, last appointment dates and their email addresses – was contained on an Excel patient spreadsheet.

Attribution 1 Publication: The Buffalo News Author: Melinda Miller Date Published: Article Title: Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients Article URL: http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130514/CITYANDREGION/130519516/1003

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-09 Sedgwick Claims Management Services, Inc. TN Electronic Business Yes - Unknown # 0

Sedgwick coordinates your short term disability claim for and we take your privacy very seriously. That is why we are very sorry to report that we became aware on April 8, 2013 that information containing your name, Social Security Number, and employee ID was obtained by an unauthorized party through a sophisticated attack on an individual Sedgwick desktop computer.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Sedgwick Claims Management Services, Inc. Article URL: http://doj.nh.gov/consumer/security-breaches/documents/sedgwick-claims-20130506.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-08 Pearl Izumi CA Electronic Business Yes - Published # 1,250

We are notifying you in connection with a recently uncovered security breach that may have affected your account with Pearl Izumi. On February 18th, 2013, we discovered that malware had been introduced into our online store without our knowledge. As we had recently implemented a new monitoring system to combat just this kind of issue, we were able to eliminate this potential threat soon after discovery, and we believed at the time that the breach affected only a handful of customers.

Attribution 1 Publication: NH Ag's Office Author: Date Published: Article Title: Pearl Izumi Article URL: http://doj.nh.gov/consumer/security-breaches/documents/pearl-izumi-20130429.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-07 Peoples Bank of Commerce MN Electronic Banking/Credit/Financial Yes - Unknown # 0

We are writing to notify you of a data event that may have compromised the security of personal information of two (2) New Hampshire residents. Peoples Bank of Commerce, 234 E. First Avenue, Cambridge, MN 55008 is informing your office of pertinent facts that are known at this time related to the data event described below. Peoples Bank of Commerce retained privacy and data security legal counsel to assist in the ongoing investigation of, and response to, the incident.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Peoples Bank of Commerce Article URL: http://doj.nh.gov/consumer/security-breaches/documents/peoples-bank-20130501.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-06 IHS CO Electronic Business Yes - Unknown # 0

We are writing to notify you of a data security incident involving IHS Inc. On February 22, 2013, IHS discovered that some of our databases, including those containing personal information you provided as a customer of IHS Jane's, were illegally accessed by unauthorized parties. Our investigation indicates that the unauthorized parties acquired the relevant data from the IHS Jane's environment on or about November 22, 2012.


Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: IHS Article URL: ihs-inc-20130502[1].pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-05 Columbia University Medical Center NY Electronic Educational Yes - Published # 407

On March 15, 2013 Columbia University Medical Center of Columbia University ("CUMC") was informed that a file containing personal information of 407 medical students from the graduating classes of years 2008, 2009 and 2013 had been released inadvertently to Columbia students, faculty, and staff via email. One (1) New Hampshire resident was among those affected.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Columbia University Medical Center Article URL: http://doj.nh.gov/consumer/security-breaches/documents/columbia-university-medical-center-20130506.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-04 PHH Corporation GA Electronic Business Yes - Unknown # 0

We are writing to let you know that, on April 3, 2013, we learned that a temporary worker placed at a PHH Corporation (“PHH”) location had been indicted in connection with identity fraud unrelated to the work performed at PHH. The individual is no longer working at PHH. Because the temporary worker had access to personal information of certain PHH current and former employees and applicants, we promptly initiated a review of the individual’s access to this information. We are cooperating with law enforcement authorities to investigate the issue.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: PHH Corporation Article URL: https://oag.ca.gov/system/files/Letter%20Version%201_proof_PHH_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-03 Equity Trust Company OH Electronic Business Yes - Unknown # 0

We are writing to notify you that a portion of Equity Trust’s computer network was recently accessed by an unauthorized third party. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us. Accordingly, upon discovering the event, we promptly installed software to block similar intrusions, and denied access to our network from certain international locations. Although we did not find any evidence that the unauthorized third party actually acquired, copied or removed any customer information from our network, we want to inform you about the situation and encourage you to take the steps set forth in this notice.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Equity Trust Company Article URL: https://oag.ca.gov/system/files/Security%20Breach%20Notice%20%28retail%20final%20draft%29_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-02 TerraCom - YourTel (Lifeline) OK Electronic Business Yes - Published # 150,000

The Oklahoma City-based wireless companies TerraCom and YourTel America said Monday that journalists had accessed the personal information of about 150,000 prospective clients and that the personal information of 200 people had been readily available online via a simple Google search.

Attribution 1 Publication: NewsOK Author: Brianna Bailey Date Published: Article Title: Oklahoma City-based wireless companies report data breach Article URL: http://newsok.com/article/3809598

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130514-01 Presbyterian Anesthesia Associates NC Electronic Medical/Healthcare Yes - Published # 9,988

The credit card information of nearly 10,000 people may have been accessed in a data breach at a Charlotte medical practice.

Presbyterian Anesthesia Associates has disclosed that a hacker broke through a security flaw of the practice’s website to gain access to a database of personal information, including names, contact information, dates of birth and credit card numbers for 9,988 people.


Attribution 1 Publication: Charlotte Observer Author: Andrew Dunn Date Published: Article Title: Presbyterian Anesthesia reports data breach affecting nearly 10,000 Article URL: http://www.charlotteobserver.com/2013/05/13/4039763/presbyterian-anesthesia-reports.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130513-02 Regional Medical Center TN Electronic Medical/Healthcare Yes - Published # 1,200

The sending of three emails including personally identifiable information of patients between October 2012 and February 2013 has led the Regional Medical Center in Memphis (the MED) to report a health data breach, according to a public notice issued by the healthcare organization on May 9, 2013. The details from the notice are sparse. The organization determined on March 15, 2013, that three emails were sent on Oct. 29, 2012; Nov. 1, 2013; and Feb. 4, 2013. Each contained some protected health information (PHI) of patients receiving outpatient physician therapy treatment between May 1, 2012, and Jan. 31, 2013.

Attribution 1 Publication: Healthitsecurity.com Author: Kyle Murphy, PhD Date Published: Article Title: Memphis Regional Medical Center reports health data breach Article URL: http://healthitsecurity.com/2013/05/13/memphis-regional-medical-center-reports-health-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130513-01 Indiana University Health Arnett IN Electronic Medical/Healthcare Yes - Published # 10,350

More than 10,000 patients of Indiana University Health Arnett are receiving notifications that some of their personal information was on a laptop computer stolen last month.

Attribution 1 Publication: jconline.com Author: Date Published: Article Title: IU Health Arnett laptop stolen Article URL: http://www.jconline.com/article/20130510/NEWS03/305100032/IU-Health-Arnett-laptop-stolen?gcheck=1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130510-02 Lutheran Social Services of South Central PA PA Electronic Business Yes - Published # 7,300

Lutheran Social Services of South Central Pennsylvania recently made 7,300 current and former senior residents aware of a data breach that was discovered in March. According to YorkDispatch.com, the root of the issue was a malware program that the organization’s IT staff found during a routine system check of the four York senior living locations. Potentially-compromised data includes residents’ names, dates of birth, Social Security numbers, Medicare numbers, health insurance numbers and payer names and medical diagnosis codes.

Attribution 1 Publication: Author: Date Published: Article Title: Southern Penn. senior living experiences resident data breach Article URL: http://healthitsecurity.com/2013/05/09/southern-penn-senior-living-experiences-resident-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130510-01 Administrative Office of the Courts WA Electronic Government/Military Yes - Published # 1,160,000

Attackers hacked into Washington state's Administrative Office of the Courts (AOC) servers and obtained copies of up to 160,000 social security numbers and 1 million driver's license numbers, state officials said Thursday. Officials don't know exactly when the breach occurred or how many records -- which could be used to commit identity theft -- were stolen.

Attribution 1 Publication: Information Week Author: Mathew J. Schwartz Date Published: Article Title: Washington State Courts Reveal Security Breach Article URL: http://www.informationweek.com/security/attacks/washington-state-courts-reveal-security/240154638

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-08 Lakeshore Mental Health Institute TN Paper Data Medical/Healthcare Yes - Unknown # 0

Lakeshore Mental Health Institute of Tennessee has been associated with a strange patient data breach of records that date back to 1995, but the incident doesn’t involve any current patients. That’s because, as WBIR.com reports, the organization ended patient admissions in June 2012, but sensitive data has still been exposed to the public.


Attribution 1 Publication: HealthITSecurity Author: Date Published: Article Title: Update: Lakeshore Mental Health leaves patient data exposed Article URL: http://healthitsecurity.com/2013/05/01/lakeshore-mental-health-institute-leaves-patient-data-exposed/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-07 York Technical College SC Electronic Educational Yes - Published # 12,000

The names, Social Security numbers and driver’s license numbers of more than 12,000 online student applicants at York Technical College might have been exposed, school officials said Tuesday. And it was one of the applicants who discovered the problem and brought it to the college’s attention. An online admissions system used from January 2012 to April 2013 was at risk, officials said.

Attribution 1 Publication: TheState.com Author: Don Worthington Date Published: Article Title: Personal data from 12,000 York Tech applicants may have been exposed Article URL: http://www.thestate.com/2013/05/07/2760730/personal-data-from-12000-york.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-06 WorldVentures Marketing LLC GA Electronic Business Yes - Unknown # 0

We are writing to notify you of an incident that involved unauthorized access to our computer servers in which general payment cardholder information is stored. We were recently made aware of this incident and it may have involved your cardholder information.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: WorldVentures Marketing LLC Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/brittontum

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-05 Tomren Wealth Management CA Electronic Business Yes - Unknown # 0

We are writing to inform you about a recent incident that may have involved personal information about you. We recently discovered that, between February 21 and March 6, 2013, a server containing information about you was accessed by an unauthorized third party. We deeply regret that this incident occurred and take very seriously the security of personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: https://oag.ca.gov/system/files/State%20Notification%20Packet_0.PDF? Article URL: https://oag.ca.gov/system/files/State%20Notification%20Packet_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-04 California Department of Public Health CA Electronic Medical/Healthcare Yes - Published # 2,000

State health leaders on Monday announced a possible security breach involving 2,000 birth records. A reel containing names, addresses, Social Security numbers and some medical information was found in an unsecure location, the California Department of Public Health reported.

Attribution 1 Publication: Oakland Tribune / insidebayarea.com Author: Date Published: Article Title: Possible security breach: California says birth records found in unsecure location Article URL: http://www.insidebayarea.com/breaking-news/ci_23184400/possible-security-breach-california-says-birth-records-found

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-03 University of Rochester Medical Center NY Electronic Medical/Healthcare Yes - Published # 537

The University of Rochester (N.Y.) Medical Center announced that it has sent letters to 537 former orthopedic patients alerting them of a potential data breach.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: URMC Notifies 537 Patients of Possible Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/urmc-notifies-537-patients-of-possible-data-


How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-02 Raleigh Orthopaedic Clinic NC Electronic Medical/Healthcare Yes - Published # 17,300

More than 17,000 patients at the Raleigh Orthopaedic Clinic are potential victims of a health data breach as a result of a third-party vendor’s crooked activities, according to an announcement from the healthcare organization. The clinic has not mentioned the third-party vendor by name and could not be reached for comment at the time of this report. The clinic hired the vendor in order to transfer its X-ray media from film to an electronic format. The potential breach stems from the unknown whereabouts or condition of the film in question:

Attribution 1 Publication: healthitsecurity.com Author: Date Published: Article Title: X-ray film scam exposes 17k patients to possible data breach Article URL: http://healthitsecurity.com/2013/05/07/x-ray-film-scam-exposes-17k-patients-to-possible-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130507-01 MAPCO Express Inc. TN Electronic Business Yes - Unknown # 0

Convenience store operator MAPCO Express Inc. has experienced a security breach by third-party hackers that may have compromised the credit/debit card information of certain MAPCO customers.

Attribution 1 Publication: NACS online Author: Date Published: Article Title: MAPCO EXPRESS EXPERIENCES DATA SECURITY BREACH Article URL: http://www.nacsonline.com/News/Daily/Pages/ND0507133.aspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-08 Life Flight UT Electronic Medical/Healthcare Yes - Published # 842

Patients flown by Life Flight helicopters during at least three months of 2004 were advised Friday that their personal information may have been compromised.

The information, collected from patients in April, May and June of that year, was inadvertently put on an employee website where it may have been accessed by individuals outside of the emergency transport company.

Attribution 1 Publication: deseretnews.com Author: Date Published: Article Title: Life Flight informs patients of possible confidential information breach Article URL: http://www.deseretnews.com/article/865579041/Life-Flight-informs-patients-of-possible-confidential-information-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-07 Orthopedic Physician Associates - Proliance WA Electronic Medical/Healthcare Yes - Unknown # 0

On April 1, 2013, a laptop and ten patient files were stolen during a car break-in. The patient files were subsequently recovered. However, information regarding some patients of Orthopedic Physician Associates, a division of Proliance Surgeons, may have been compromised by this theft. Sensitive information, including name, address, telephone number, social security number, name of provider, health insurance information and the reason for the patient’s appointment was included in emails stored in the laptop’s cache file.

Attribution 1 Publication: Privacyrights.org / Proliance Surgeons' Author: Date Published: Article Title: Orthopedic Physician Associates - Proliance Surgeons Article URL: http://proliancesurgeons.adhostclient.com/images/PDF/websitenotice.pdf.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-06 Oakland Community College CA Electronic Educational Yes - Published # 100

Oakland Community College is investigating how personal information of more than 100 students in connection with student loans became available on the college website.

Attribution 1 Publication: Oakland Press Author: Diana Dillaber Murray Date Published: Article Title: ‘Glitch’ publishes private info of more than 100 Oakland Community College students Article URL: http://www.theoaklandpress.com/articles/2013/04/24/news/local_news/doc517834de0d35d600294321.txt?viewmode=full

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-05 City of Berkeley CA Electronic Government/Military Yes - Published # 11,000

Following this week’s disclosure by Berkeley city staff that roughly 11,000 municipal employee social security numbers had been erroneously divulged to a local media outlet in March, the media outlet’s managing editor said Tuesday that he doubted the data could have been compromised, though it had been “passed around” by employees over email.

Attribution 1 Publication: WMCTV.com Author: Date Published: Article Title: Mayor's donation check among records found in dumpster Article URL: http://www.600wrec.com/pages/goout.php?url=http://www.wmctv.com/story/22092795/mayors-donation-check-among-r

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-04 Mid-South Reading Alliance TN Paper Data Business Yes - Unknown # 0

The director of an adult literacy charity is trying to figure out how the personal information of former associates and donors, including Memphis Mayor AC Wharton, was piled up inside the charity's dumpster.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Westcoast Children's Clinic Article URL: https://oag.ca.gov/system/files/OAG%20PHI%20BREACH%20SAMPLE%20NOTICE_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-03 OneWest Bank CA Electronic Banking/Credit/Financial Yes - Unknown # 0

We recently learned that one of our service providers was the victim of an illegal and unauthorized intrusion into its network (“Network Intrusion”) during the first quarter of 2011. In response, the service provider enhanced the security of its network systems, cooperated with law enforcement including the Secret Service (“USSS”), and investigated using leading outside security firms. Given the size and complexity of the issues, they have continued to investigate the scope and extent of the Network Intrusion. As a result, the service provider recently notified us that they have determined that an unauthorized person had access to files which contain some or all of the following information about you: name, address, birthdate, phone number, drivers license number, passport number, and Social Security Number.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: OneWest Bank Article URL: https://oag.ca.gov/system/files/Network%20Intrusion_Breach%20Notification%20on_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-02 Hope Hospice TX Electronic Medical/Healthcare Yes - Published # 800

Hope Hospice, located in New Braunfels, Texas, has sent out more than 800 patient notifications after an employee sent out sensitive patient data through unsecured email twice since December 2012.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Hope Hospice informs 800 patients of health data breach Article URL: http://healthitsecurity.com/2013/04/29/hope-hospice-informs-800-patients-of-health-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130430-01 LivingSocial DC Electronic Business Yes - Unknown # 0

Cyber-attackers recently breached LivingSocial's systems and illegally accessed customer information for more than 50 million users, LivingSocial said. Users need to change their passwords immediately.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: LivingSocial Article URL:

Attribution 2 Publication: PC Magazine Author: Fahmida Y. Rashid Date Published: Article Title: LivingSocial Password Breach Affects 50 Million Accounts Article URL: http://securitywatch.pcmag.com/news-events/310828-livingsocial-password-breach-affects-50-million-accounts

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130429-01 Upstate University Hospital NY Electronic Medical/Healthcare Yes - Published # 283

Upstate University Hospital, affiliated with the State University of New York (SUNY) system, told 283 patients recently of a late March data breach involving the theft of a portable electronic device. According to centralny.ynn.com, patient names, date of birth, hospital medical record number, and diagnosis may have been included on the device when it was stolen on March 30 or 31. However, fortunately for the patients, it did not include Social Security number, insurance information or address.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Upstate University Hospital alerts patients of data breach Article URL: http://healthitsecurity.com/2013/04/29/upstate-university-hospital-alerts-patients-of-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130426-01 Teavana GA Electronic Business Yes - Unknown # 0

Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.

Attribution 1 Publication: KrebsonSecurity Author: Brian Krebs Date Published: Article Title: Sources: Tea Leaves Say Breach at Teavan Article URL: http://krebsonsecurity.com/2013/04/sources-tea-leaves-say-breach-at-teavana/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-19 State of California - Department of CA Electronic Medical/Healthcare Yes - Published # 18,162

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: State of California - Department of Developmental Services Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-18 John J. Pershing VA Medical Center MD Paper Data Medical/Healthcare Yes - Published # 589

other - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: John J. Pershing VA Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: phiprivacy.net Author: Date Published: Article Title: John J. Pershing VA Medical Center Article URL: http://www.phiprivacy.net/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-17 Utah Department of Health UT Electronic Medical/Healthcare Yes - Published # 6,332

loss - other portable electronic device

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Utah Department of Health Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-16 South Miami Hospital FL Electronic Medical/Healthcare Yes - Published # 834

unauthorized access/disclosure - electronic medical records

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: South Miami Hospital Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-15 West Ambulance GA Electronic Medical/Healthcare Yes - Published # 500

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: West Georgia Ambulance Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-14 HomeCare of Mid-Missouri Inc. MO Electronic Medical/Healthcare Yes - Published # 4,027

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: HomeCare of Mid-Missouri Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-13 Arizona Oncology AZ Electronic Medical/Healthcare Yes - Published # 501

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Arizona Oncology Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-12 Kindred Healthcare, Inc. MA Electronic Medical/Healthcare Yes - Published # 716

theft - other portable electronic device

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-11 Agency for Health Care Administration FL Paper Data Medical/Healthcare Yes - Published # 1,892

unauthorized access/disclosure - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Agency for Health Care Administration Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-10 Riderwood Village MD Electronic Medical/Healthcare Yes - Published # 5,270

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Riderwood Village Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-09 Child & Family Psychological Services, Inc. MA Electronic Medical/Healthcare Yes - Published # 7,250

hacking/IT incident - network server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Child & Family Psychological Services, Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-08 Office of Thomas L. Davis, Jr. DDS OR Electronic Medical/Healthcare Yes - Published # 3,269

theft - desktop computer, electronic medical records

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Office of Thomas L. Davis, Jr. DDS Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-07 Mount Sinai Medical Center FL Electronic Medical/Healthcare Yes - Published # 628

theft - desktop computer, paper

Attribution 1 Publication: Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: phiprivacy.net Author: Date Published: Article Title: Mount Sinai Medical Center Article URL: http://www.phiprivacy.net/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-06 Carpenters Health & Welfare Trust Fund for California CA Paper Data Medical/Healthcare Yes - Published # 2,400

unauthorized access/disclosure - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Carpenters Health & Welfare Trust Fund for California Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-05 Lake Granbury Medical Center TX 2/13/2013 Paper Data Medical/Healthcare Yes - Published # 502

theft - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Lake Granbury Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-04 Hospice and Palliative Care Center of Alamance Caswell NC 2/24/2013 Electronic Medical/Healthcare Yes - Published # 5,371

theft, unauthorized access/disclosure - laptop, paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Hospice and Palliative Care Center of Alamance Caswell Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-03 Texas Health Care, PLLC TX Paper Data Medical/Healthcare Yes - Published # 554

theft - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Texas Health Care, PLLC Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-02 Brookdale University Hospital and Medical Center NY 8/11/2012 Paper Data Medical/Healthcare Yes - Published # 2,261

unauthorized access/disclosure - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Brookdale University Hospital and Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130425-01 Brookdale University Hospital and Medical Center NY 9/21/2012 Electronic Medical/Healthcare Yes - Published # 28,187

Unauthorized Access/Disclosure - other portable electronic device

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Brookdale University Hospital and Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-13 Erlanger Health Systems TN Paper Data Medical/Healthcare Yes - Published # 87

87 families received notification from Erlanger Health System, saying their child's medical records were found outside the hospital.

Attribution 1 Publication: wdef.com Author: Alisha Searl Date Published: Article Title: Security Breach at Erlanger Health System has Families Upset Article URL: http://www.wdef.com/news/story/Security-Breach-at-Erlanger-Health-System-has/dF_wE2QwdUKWmNoq2KnHDw.cspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-12 Multiple Health Plans - Coast Healthcare Management CA Paper Data Medical/Healthcare Yes - Published # 1,368

theft - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Multiple Health Plans - Coast Healthcare Management Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-11 Catoctin Dental - Richard B. Love, DDS MD Electronic Medical/Healthcare Yes - Published # 6,400

hacking/IT incident - network server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Catoctin Dental - Richard B. Love, DDS Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-10 Department of Behavioral Health - County of San CA Paper Data Medical/Healthcare Yes - Published # 683

theft - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Department of Behavioral Health - County of San Bernardino Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-09 Intervention Services, Inc. FL Electronic Medical/Healthcare Yes - Published # 1,200

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Intervention Services, Inc. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-08 Center for Pain Management LLC MD Electronic Medical/Healthcare Yes - Published # 5,822

theft - laptop

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Center for Pain Management LLC Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-07 Lancaster General Medical Group PA Paper Data Medical/Healthcare Yes - Published # 527

theft - paper

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Lancaster General Medical Group Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-06 Schneck Medical Center IN Electronic Medical/Healthcare Yes - Unknown # 0

A Seymour hospital reported Monday that protected health information for thousands of patients was inadvertently made available online.

Attribution 1 Publication: wcsi.com / phiprivacy.net Author: Date Published: Article Title: Schneck Patient Information Available Online Article URL: http://wcsi.whiterivernews.com/templates/localnews_temp.asp?id=6993&storyno=1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-05 Kmart AR Electronic Business Yes - Unknown # 0

Kmart says some customer information may have been compromised during an armed robbery of its store in Little Rock last month.

Attribution 1 Publication: Author: Date Published: Article Title: Kmart says some confidential customer information stolen during robbery of Little Rock store Article URL: http://www.therepublic.com/view/story/e7f70c989f354066a2c017b2ee20a4bb/AR--Kmart-Robbery

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-04 Dead River Company ME Electronic Business Yes - Unknown # 0

We are writing to supplement our notice to your office dated March 22, 2013. Dead River Company ("Dead River"), 82 Running Hill, Suite 400, South Portland, ME 04106, sent a letter to your office informing you of pertinent facts known at that time related to the March 6, 2013 detection of malware on Dead River's computer network. For your convenience, attached as Exhibit A, is a copy of the March 22, 2013 letter sent to your office with exhibits.

Attribution 1 Publication: NH AG's Office Author: Date Published: Article Title: Dead River Company Article URL: http://doj.nh.gov/consumer/security-breaches/documents/dead-river-company-20130410.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-03 Adventist Health System/Sunbelt FL Electronic Medical/Healthcare Yes - Published # 763,000

Altamonte Springs, Fla.-based Adventist Health System/Sunbelt has been slammed by a class action lawsuit for allegedly failing to safeguard the protected health information of more than 763,000 patients in its electronic database, according to a Health IT Security report.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: Adventist Health Faces Lawsuit Over Data Breach Affecting More Than 763K Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/adventist-health-faces-lawsuit-over-data-bre

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-02 OptiNose US Inc. PA Electronic Business Yes - Unknown # 0

We have recently learned of a data security breach involving a laptop belonging to OptiNose US Inc. ("OptiNose"), which was stolen on March 26, 2013. The laptop may have included your name and social security number. We have no reason to believe that any personal data was targeted for misuse, and we have no information that any personal data has been accessed by an unauthorized party. Nevertheless, because the incident may have compromised this personally identifiable information, we are bringing this situation to your attention.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: OptiNose US Inc. Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/2013-04-2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130423-01 Glen Falls Hospital NY Electronic Medical/Healthcare Yes - Published # 2,360

Thousands of patients of a New York state hospital had their medical records exposed when they were left unprotected on a third-party server for several months.

Attribution 1 Publication: SC Magazine Author: Danielle Walker Date Published: Article Title: Medical records of 2k patients left unprotected on contractor's server Article URL: http://www.scmagazine.com/medical-records-of-2k-patients-left-unprotected-on-contractors-server/article/287707/

Attribution 2 Publication: hhs.gov Author: Date Published: Article Title: Glen Falls Hospital Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130418-01 Arizona Counseling and Treatment Services AZ Electronic Medical/Healthcare Yes - Unknown # 0

Arizona Counseling and Treatment Services, a behavioral health provider serving the greater Yuma, Ariz. region, is notifying about 3,000 patients following the theft of a laptop computer and external hard drive.

Attribution 1 Publication: Health Data Management Author: Joseph Goedert Date Published: Article Title: Behavioral Health Provider Reaches Out to 3,000 after Breach Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46025-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-11 Vudu CA Electronic Business Yes - Unknown # 0

Vudu notified users that a break-in at its offices on 24 March compromised users' personal information and account activity, warning customers to be on the lookout for "spam email, emails asking for personal information, or emails asking you to click on links to other websites" as a result. The streaming video provider said "a number of items were stolen, including hard drives" during the burglary of its Santa Clara, California-based offices. Vudu informed customers in an email message that it was implementing a system-wide password reset because the hard drives contained user emails, addresses, account activity, dates of birth, and in some cases, credit card information.

Attribution 1 Publication: ITproportal.com / databreaches.net Author: Date Published: Article Title: Vudu Article URL: http://www.itproportal.com/2013/04/10/vudu-warns-customers-after-user-data-stolen-in-burglary/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-10 Sacred Art Tattoo MI Paper Data Business Yes - Unknown # 0

The tattoos may be sacred, but your personal information may not be.

Fox 2 found company documents containing clients' personal information, including birth certificates, drivers licenses, social security numbers and credit card information.

Attribution 1 Publication: myfoxdetroit.com / databreaches.net Author: Date Published: Article Title: Sacred Art Tattoo in Flat Rock admits tossing sensitive documents Article URL: http://www.myfoxdetroit.com/story/21975732/sacred-art-tattoo-in-flat-rock-admits-tossing-sensitive-documents

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-09 Comfort Dental Office IN Paper Data Medical/Healthcare Yes - Published # 7,000

Thousands of patient records found by our 13 Investigates team are now in the hands of state investigators.

Late Tuesday afternoon, special agents with the attorney general's office picked up boxes loaded with thousands of sensitive, personal documents. We found the sensitive information dumped at an Indianapolis church parking lot.

Attribution 1 Publication: wthr.com Author: Date Published: Article Title: Comfort Dental Office Article URL: http://www.wthr.com/story/21675639/medical-dental-records-found-in-church-recycling-dumpster

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-08 Tradebe IL Electronic Business Yes - Unknown # 0

I am writing on behalf of TRADEBE Environmental Services, LLC ("Tradebe") to notify the Attorney General's Office, pursuant to N.H. Rev. Stat. Ann. §§ 359-C:19 to 21, of a recent data security breach affecting New Hampshire residents. Specifically, on March 20, 2013, Tradebe was notified by an employee of the theft of a Tradebe laptop from the employee's vehicle. The laptop is believed to have contained payroll and tax information with names and Social Security numbers of current and former Tradebe employees. The laptop was password protected, but the data was not encrypted.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Tradebe Article URL: http://doj.nh.gov/consumer/security-breaches/documents/tradebe-20130402.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-07 Lyons & Lyons CT Electronic Business Yes - Unknown # 0

We represent Lyons & Lyons PC ("Lyons"), a Connecticut-based corporation that provides tax preparation services, with respect to an incident involving the exposure of certain personal information described in detail below. 1. Nature of the security breach or unauthorized use or access. On February 20, 2013, Lyons learned that two of its clients received notification that their tax return had been filed. Lyons had not filed those returns. Lyons immediately initiated an investigation, including an investigation of its computer system. On February 22, 2013, Lyons contacted the Internal Revenue Service ("IRS") and learned that an investigation was under way, and involved the United States Secret Service ("USSS"). Lyons then communicated with the USSS, and learned that an unauthorized individual may have accessed its computer systems and obtained certain tax returns filed last year.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Lyons & Lyons Article URL: http://doj.nh.gov/consumer/security-breaches/documents/lyons-20130319.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-06 Clinton Health Access Initiative MA Paper Data Business Yes - Unknown # 0

As you are aware, New Hampshire state law requires notice to the New Hampshire Attorney General in the event of an information security breach involving the personal information of New Hampshire residents. In accordance with that requirement, we write to inform you of an information security breach that we discovered on March 20, 2013. On that date, we learned that we inadvertently e-mailed the Form W-2s of 107 employees to an unintended recipient (another CHAI employee). This e-mail contained each affected employee's name, address, Social Security number and wage information.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Clinton Health Access Initiative Article URL: http://doj.nh.gov/consumer/security-breaches/documents/clinton-health-access-20130329.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-05 80sTees.com PA Electronic Business Yes - Unknown # 0

I am writing to you on behalf of my client 80sTees.com, Inc. ("80sTees"), a Pennsylvania corporation that specializes in online sales of 80's memorabilia and pop culture gear. 80sTees is providing notice pursuant to N.H. Rev. Stat. Ann. § 359-C:20I(b) (2007) of a data security incident. 80sTees is notifying you because it recently learned that a cyber attacker obtained unauthorized access to the names, addresses, email addresses, phone numbers and credit card information of 14 New Hampshire residents after they completed credit card purchases on the 80sTees website.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: 80sTees.com Article URL: http://doj.nh.gov/consumer/security-breaches/documents/80stees-20130403.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-04 Chapman University CA Electronic Educational Yes - Unknown # 0

On February 27, 2013 Chapman University officials learned that certain electronic documents containing personal information could have been viewed by authenticated users of the Chapman University system. These documents were never available to the general public, and only authenticated users of the on-campus network who were logged into the system could have accessed them. As a precautionary measure you are being notified of this matter.

The university’s Department of Information Systems and Technology discovered this vulnerability during standard security testing and the documents were immediately blocked from access by unauthorized users. Some of these documents contained names, social security numbers, student identification numbers and dates of birth.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Chapman University Article URL: https://oag.ca.gov/system/files/Sample%20Version%20%28SENT%204-11-13%29_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-03 State of North Carolina - Computer Sciences Corp. NC Electronic Business Yes - Unknown # 0

We at Computer Sciences Corporation (CSC) want to inform you of a recent incident that involves your personal information. Although we are not aware of any misuse of this information, we are taking steps to protect you and your identity.

CSC is a contractor for the State of North Carolina. In the course of performing services for the State, we put information from the Medicare Exclusion Database on a thumb drive. This information included your name, Social Security Number (SSN), federal tax Employer Identification Number (EIN), and date of birth. It also included other information from the database that is publicly available.

Attribution 1 Publication: CA AG's office / MD AG's office Author: Date Published: Article Title: State of North Carolina Article URL: https://oag.ca.gov/system/files/Form%20Individual%20Notification%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-02 Citi TX Electronic Banking/Credit/Financial Yes - Published # 150,000

This letter is to inform you of a matter involving your personal information. You are receiving this letter because you are currently, or were previously, a party in a bankruptcy proceeding involving a loan from Citi. Citi filed legal documents in court related to that loan in which certain personally identifiable information was, pursuant to court rules, intended to be concealed from the publicly available versions of the documents to prevent access to that information by members of the public who search electronic court records.

Attribution 1 Publication: American Banker Author: Date Published: Article Title: Through Software Glitch, Citi Exposes Data on 150,000 Customers Article URL: http://www.americanbanker.com/issues/178_137/through-software-glitch-citi-exposes-data-on-150000-customers-10606

Attribution 2 Publication: CA AG's Office Author: Date Published: Article Title: Citi Article URL: https://oag.ca.gov/system/files/BK%20Redaction%20Fully%20Remediated%20Consumer%20Notice%20%282%29_0.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130416-01 Iberdrola USA - Central Maine Power (CMP) ME Electronic Business Yes - Published # 5,100

Central Maine Power has revealed that a security breach of its parent company’s recruitment website has potentially exposed the personal data of anyone who has applied for or accepted a job at CMP or any of its sister companies in the past six years.

Attribution 1 Publication: bangordailynews.com Author: Whit Richardson Date Published: Article Title: CMP parent company’s website breach puts employee data at risk Article URL: http://bangordailynews.com/2013/04/16/business/cmp-parent-companys-website-breach-puts-employee-data-at-risk/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130415-02 Kirkwood Community College IA Electronic Educational Yes - Published # 125,000

Kirkwood Community College officials say hackers broke into the university's website and accessed a database with applicants' names, Social Security numbers and other personal information.

Attribution 1 Publication: MarionPatch.com Author: B.A. Morelli Date Published: Article Title: FBI Investigates as 'Sophisticated Hackers' Illegally Access 125,000 Personal Records of Kirkwood Applicants Article URL: http://marion.patch.com/articles/fbi-investigates-as-sophisticated-hackers-illegally-access-125-000-personal-records-of-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130415-01 VA Medical Center - William Jennings Bryan Dorn SC Electronic Government/Military Yes - Published # 7,405

The William Jennings Bryan Dorn VA Medical Center in Columbia, S.C., has informed 7,405 patients about a recent data breach, according to a Health IT Security report.

Attribution 1 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: Article Title: VA Medical Center Data Breach Could Affect More Than 7k People Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/va-medical-center-data-breach-could-affect-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130405-01 Alamance Caswell NC Electronic Medical/Healthcare Yes - Published # 5,370

Hospice of Alamance Caswell in Burlington, N.C., has notified 5,370 patients or next of kin that their protected health information was compromised following a burglary at the organization’s main office.

Attribution 1 Publication: healthdatamanagement.com Author: Date Published: Article Title: Burglary = 5,370 Breach Notifications Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-45976-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130404-01 University of Florida - Shands Family Medicine FL Electronic Medical/Healthcare Yes - Published # 14,339

An employee working at a University of Florida medical clinic who had ties to an identity theft ring may have compromised patient personal and health information. UF is notifying 14,339 patients of the UF & Shands Family Medicine at Main practice that they should take appropriate measures to protect themselves from identity theft.

Attribution 1 Publication: University of FL website Author: Date Published: Article Title: University of Florida Article URL: http://news.ufl.edu/2013/04/03/potential-identity-theft/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-08 Family (Women's) Health Enterprise GA Electronic Medical/Healthcare Yes - Published # 3,000

Women’s Health Enterprise, Inc., d/b/a Family Health Enterprise (FHE), a non-profit primary care services provider, notifies approximately 3000 patients of FHE’s Breast Health Promotion Program of a breach of unsecured personal medical information. On January 2, 2013, FHE’s locked office at 634 McDonough Blvd SE in Atlanta, Georgia was broken into after business hours, and 2 laptop computers were stolen. FHE immediately notified local police.

Attribution 1 Publication: phiprivacy.net / FHE release Author: Date Published: Article Title: Family Health Enterprise notifies patients after laptops stolen in office burglary Article URL: http://familyhealthenterprisecenter.org/wp-content/uploads/2013/02/Press_Release.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-07 Landmark Medical Supplies NY Electronic Medical/Healthcare Yes - Unknown # 0

Stacks of paperwork containing personal information — including Social Security numbers — of patients were carelessly dumped on the sidewalk when a Brooklyn medical supply store was shuttered.

Attribution 1 Publication: Author: Date Published: Article Title: Documents containing personal information of patients left on Brooklyn sidewalk after medical supply company is shuttered Article URL: http://www.nydailynews.com/new-york/brooklyn/document-scare-medical-patients-brooklyn-article-1.1302543

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-06 OrthoCare Medical Equipment, LLC MA Electronic Medical/Healthcare Yes - Published # 93

On February 14, OrthoCare learned that a binder with 93 patients’ information had been stolen. The firm does not indicate where the theft occurred – whether it was from an office or an employee’s car, etc. OrthoCare is headquartered in Lebanon, NH, but only one of the individuals affected is a New Hampshire resident. The firm maintains a number of offices, including Boston, however, where the theft was reported to the Boston Police.

Attribution 1 Publication: NH AG's office / phiprivacy.net Author: Date Published: Article Title: OrthoCare Medical Equipment, LLC Article URL: doj.nh.gov_consumer_security-breaches_documents_orthocare-20130325.pd

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-05 United HomeCare Services of Southwest Florida FL Electronic Medical/Healthcare Yes - Published # 13,617

United HomeCare (UHC) is alerting clients that the confidentiality of certain personal health information may have been compromised due to the theft of an employee’s company laptop computer.

Attribution 1 Publication: Phiprivacy.net / UHC press release Author: Date Published: Article Title: United HomeCare Services notifies over 13,000 clients after laptop stolen from employee’s car Article URL: http://www.phiprivacy.net/?p=12171

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-04 General Services Administration (GSA) DC Electronic Government/Military Yes - Unknown # 0

Recently, the General Services Administration sent an e-mail alert to users of its System for Award Management (SAM), reporting that a security vulnerability exposed the users' names, taxpayer identification numbers (TINs), marketing partner information numbers, and bank account information to "[r]egistered SAM users with entity administrator rights and delegated entity registration rights."

Attribution 1 Publication: C/Net Author: Dennis O'Reilly Date Published: Article Title: GSA vulnerability highlights dangers of SSNs as IDs Article URL: http://howto.cnet.com/8301-11310_39-57575873-285/gsa-vulnerability-highlights-dangers-of-ssns-as-ids/?part=rss&tag=

Attribution 2 Publication: GSA Author: Date Published: Article Title: GSA Security Breach Communications Article URL: /url?sa=t&rct=j&q=gsa%20security%20breach%20communication&source=web&cd=1&cad=rja&ved=0CC8QFjAA&url=h

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-03 City of Jacksonville FL Electronic Government/Military Yes - Unknown # 0

Earlier today, a City employee accessed confidential information on an internal network, which is not public, and distributed that information to a number of Council members. The information included the names and Social Security numbers of many City employees hired after 2005.

Attribution 1 Publication: Fox 30 WAWS Author: Date Published: Article Title: City Security Breach Of Worker's Personal Information Article URL: http://www.fox30jax.com/mostpopular/story/City-Security-Breach-Of-Workers-Personal/AmT1--EKdEqCYCAv-dDUwg.cs

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-02 shoplet.com NY Electronic Business Yes - Unknown # 0

We recently learned of a security incident that may have resulted in the disclosure of the credit card information, names, and addresses associated with your account. As a reminder, we do not collect your social security number or date of birth. We take the security of your information very seriously, and sincerely apologize for any inconvenience this may cause you.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: shoplet.com Article URL: https://oag.ca.gov/system/files/ShopletCA%20notification4_2_13_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130402-01 Rollins GA Paper Data Business Yes - Unknown # 0

We are writing to inform you of an incident that came to our attention on March 12, which may have involved the unintentional exposure of your Social Security number (SSN). This occurred as a result of a system mistake involving the recent Rollins TODAY mailing. This distribution may have inadvertently displayed your SSN in a number sequence on the mailing label.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Rollins Article URL: https://oag.ca.gov/system/files/Rollins%20Ad_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130401-02 Kelly Plaza Dental Center MI Paper Data Medical/Healthcare Yes - Unknown # 0

Personal patient information from a dental office on Detroit's east side has been dumped out in the open.

Attribution 1 Publication: clickondetroit.com / datalossdb.org Author: Date Published: Article Title: Dental patients' info dumped outside building on Detroit's east side Article URL: http://www.clickondetroit.com/news/Dental-patients-info-dumped-outside-building-on-Detroit-s-east-side/-/1719418/194

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130401-01 Department of Social and Health Services (DSHS) WA Electronic Government/Military Yes - Published # 652

A private contractor's laptop computer containing confidential and personal health information on 652 state Department of Social and Health Services clients was discovered to be stolen Feb. 4 in Gig Harbor. - Dr. Sunil Kakar

Attribution 1 Publication: WA State Dept. of Social and Health Ser Author: Date Published: Article Title: Stolen laptop contained information about DSHS clients Article URL: http://dshs.wa.gov/mediareleases/2013/pr13011.shtml

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130329-01 Tooele County UT Electronic Government/Military Yes - Published # 200

The Tooele County commissioners sent letters to about 200 current and former employees Thursday, explaining that their personal data had been briefly breached in an isolated incident caused by human error.

Attribution 1 Publication: Salt Lake Tribune Author: Cathy Mckitrick Date Published: Article Title: Tooele officials: human error caused isolated data breach Article URL: http://www.sltrib.com/sltrib/news/56074611-78/county-brozovich-tooele-data.html.csp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-04 Allen County Information Technology Department OH Electronic Government/Military Yes - Published # 1,152

Allen County Information Technology Department officials discovered March 21 more than 1,100 Allen County employees had personal information accidentally made available to unauthorized users, including social security numbers.

Attribution 1 Publication: limaohio.com / datalossdb.org Author: KATE MALONGOWS Date Published: Article Title: Security breach releases personal information of Allen County employees Article URL: http://www.limaohio.com/news/local_news/article_01fb7dc0-96e0-11e2-97b9-001a4bcf6878.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-03 HealthCare for Women MA Electronic Medical/Healthcare Yes - Published # 8,727

A computer server for SouthCoast medical provider HealthCare for Women was hacked in January, potentially exposing summaries of patient visits occurring from June 2012 to January 2013.

Patient names, addresses, telephone numbers and dates of birth could also have been accessed.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: HealthCare for Women Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: SouthCoastToday / datalossdb.org Author: Ariel Wittenberg Date Published: Article Title: HealthCare for Women server breached by hackers Article URL: http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20130326/NEWS/303260334/1001

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-02 Texas Tech University Health Sciences Center TX Electronic Medical/Healthcare Yes - Published # 697

Lubbock-based Texas Tech University Health Sciences Center has announced a data breach that could affect approximately 700 patients, according to an eSecurity Planet report.

Attribution 1 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: Article Title: Texas Tech Data Breach Could Affect 700 Patients Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/texas-tech-data-breach-could-affect-700-pati

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130328-01 Schnucks MO Electronic Business Yes - Published # 2,400,000

The St. Louis-based Schnucks grocery store chain is investigating a possible breach of debit and credit card data.

One card issuer tells BankInfoSecurity it appears likely that a breach occurred at Schnucks or its payments processor. Fraudulent transactions tied to cards used at Schnucks stores date as far back as January, this issuer says.

Attribution 1 Publication: SC Magazine Author: Dan Kaplan Date Published: 4/15/2013 Article Title: Schnucks supermarket chain discloses breach that stole 2.4 million credit card numbers Article URL: http://www.scmagazine.com/schnucks-supermarket-chain-discloses-breach-that-stole-24-million-credit-card-numbers/a

Attribution 2 Publication: St. Louis Public Radio Author: Date Published: Article Title: Data Breach At Schnucks Could Affect More Than Two Million Cards Article URL: http://news.stlpublicradio.org/post/data-breach-schnucks-could-affect-more-two-million-cards

Attribution 3 Publication: Data Breach Today Author: Tracy Kitten Date Published: Article Title: Retailer Investigates Possible Card Breach Article URL: http://www.databreachtoday.com/retailer-investigates-possible-card-breach-a-5640?rf=2013-03-28-edbt&elq=944fd24edf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130326-01 Oregon Health and Science University OR Electronic Medical/Healthcare Yes - Published # 4,022

The Oregon Health and Science University (OHSU) sent 4,022 patient data breach notification letters last week about a month after a surgeon’s unencrypted laptop was stolen from their Hawaii vacation rental home.

Attribution 1 Publication: HealthITSecurity.com Author: Patrick Ouellette Date Published: Article Title: Oregon Health and Science University reports data breach Article URL: http://healthitsecurity.com/2013/03/26/oregon-health-and-science-university-reports-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-14 Finish Line IN Electronic Business Yes - Unknown # 0

We are writing to notify you of a data security event that may have compromised the security of eighty (80) New Hampshire residents' personal information. Finish Line, 3308 N. Mitthoeffer Road, Indianapolis, IN 46235, is informing your office of pertinent facts that are known at this time relating to a theft of an employee laptop that contained the personal information of certain current and former Finish Line employees.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Finish Line Article URL: http://doj.nh.gov/consumer/security-breaches/documents/finish-line-20130315.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-13 Cartier North America NY Electronic Business Yes - Unknown # 0

We write to advise you of an incident involving the loss of a laptop computer, which resulted in the potential compromise of the personal information of one New Hampshire resident. The incident occurred in Boston, Massachusetts on January 18, 2013. To our knowledge, the laptop contained, among other things, certain personal information of 13 U.S. residents, one of whom is a New Hampshire resident.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Cartier North America Article URL: http://doj.nh.gov/consumer/security-breaches/documents/cartier-20130225.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-12 Anthem Blue Cross - Blue Shield OH Electronic Medical/Healthcare Yes - Published # 6,000

On January 7, 2013, we learned that an employee at Connextions, a vendor that supplies call center services to Anthem Blue Cross Blue Shield (Anthem), took Social Security Numbers (SSNs) of a number of Anthem members between November 1, 2011, and October 11, 2012. There are indications that the employee may have conveyed some information to third-parties who are the subject of an ongoing criminal investigation. As soon as Connextions notified us about the incident, we began working to identify all members whose information may have been accessed by the vendor's employee.

Attribution 1 Publication: Becker's Hospital Review Author: Anuja Vaidya Date Published: 4/10/2013 Article Title: More Than 6,000 May Be Affected in BCBS Data Breach Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/more-than-6000-may-be-affected-in-bcbs-dat

Attribution 2 Publication: NH AG's office Author: Date Published: Article Title: Anthem Blue Cross - Blue Shield Article URL: doj.nh.gov_consumer_security-breaches_documents_anthem-blue-cross-blue-shield-20130314.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-11 TLO FL Electronic Business Yes - Unknown # 0

We are writing to tell you about a data security incident that may have exposed a limited amount of your personal information. We take the protection and proper use of information very seriously. We are contacting you directly to let you know how we are protecting you personally and how we are strengthening our security.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: TLO Article URL: https://oag.ca.gov/system/files/TLO%20Consumer%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-10 OCS America NY 3/4/2013 Electronic Business Yes - Unknown # 0

On March 4, 2013, OCS America, Inc. discovered that one of its computers may have been affected by a malicious phishing attack. We are sending you this letter as a cautionary measure because we believe that certain information about you, which may have included your name, address, telephone number, date of birth, job title, salary information and Social Security number, was contained in a file on the computer.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: OCS America Article URL: https://oag.ca.gov/system/files/CA%20OCS%20Employee%20Breach%20Notice%20Letter%20%2811%20March%202013

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-09 Saint Francis Hospital OK Paper Data Medical/Healthcare Yes - Unknown # 0

Imagine finding a stack of someone's medical records, with all their personal and private information. That's what happened to a stack of records from Tulsa's Saint Francis Hospital. The records showed up in Ponca City, and it might have gone unnoticed, except for where they were found - on the loading dock of the local newspaper.

The story made the front page, above the fold, in the Friday edition of the Ponca City News. A 3-inch tall stack of medical records turned up there - in a stack of pallets shipped from a recycling operation near Tulsa.

Attribution 1 Publication: NewsOn6.com Author: Emory Bryan Date Published: Article Title: Tulsa Medical Records Turn Up On Ponca City Newspaper Loading Dock Article URL: http://www.newson6.com/story/21476118/tulsa-medical-records-turn-up-on-ponca-city-newspaper-loading-dock

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-08 Crozer-Chester Medical Center - Chester Community PA Electronic Medical/Healthcare Yes - Published # 144

A Chester County couple has been charged in a $257,710 tax fraud scam that involved the stolen identities of patients at Crozer-Chester Medical Center and Chester Community Hospital.

Rafael Henriquez Polanco, 30, and his wife, Yanira Lopez, 27, residents of Chester Springs, allegedly filed fraudulent tax returns seeking more than $1.7 million in refunds, according to U.S. Attorney Zane David Memeger. According to the charging documents, Polanco and Lopez obtained the names, dates of birth and Social Security numbers of 144 patients of Community Hospital in Chester and Crozer-Chester Medical Center in Upland by paying employees of the hospitals to steal confidential medical forms.

Attribution 1 Publication: Daily Times Author: Cindy Scharr Date Published: Article Title: Chesco couple charged in tax fraud scam Article URL: http://delcotimes.com/articles/2013/03/12/news/doc513fe4efe6d50563393172.txt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-07 Granger Clinic UT Paper Data Medical/Healthcare Yes - Unknown # 0

A West Valley City-based medical clinic has alerted federal health officials of a possible data breach after a collection of about 2,600 medical appointment records slated for shredding went missing.

Attribution 1 Publication: Salt Lake Tribune / PHIprivacy.net Author: Jennifer Dobner Date Published: Article Title: Granger Clinic may have lost patients’ appointment documents Article URL: http://www.sltrib.com/sltrib/news/56048214-78/records-clinic-medical-breach.html.csp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-06 Discover Card US Electronic Banking/Credit/Financial Yes - Unknown # 0

We've been advised that your Discover Card account information may have been compromised. This incident did not involve any Discover Card systems, and there is no evidence that an unauthorized individual is using this account number. We are confident that it is not necessary to provide you with a new account number at this time, and you may continue to use your existing card.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Discover Card Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/discover-s

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-05 Tennis Express TX Electronic Business Yes - Unknown # 0

Tennis Express recognizes the importance of the privacy and confidentiality of the personal information provided to us by our customers. We are writing to inform you about an incident involving some of that information. We learned in mid-February 2013 that an unknown person gained access to our computer network on December 19, 2012, because of a vulnerability in a program provided to us by a third party vendor. The unknown person may have had the ability to decrypt and take sales transaction information stored in our database server. This information may have included your name, address, credit card number, verification value, and expiration date. Upon learning of this incident, we took additional steps to secure our computer network, we notified the credit card companies, and began a forensic investigation.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Tennis Express Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/tennis-exp

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-04 Frontier Natural Products Co-Op IA Electronic Business Yes - Unknown # 0

We are writing to inform you of a security incident involving personal information maintained by Frontier Natural Products Co-op ("Frontier"), operator of www.auracacia.com, www.simplyorganic.com, www.frontiercoop.com and www.wholesale.frontiercoop.com ("Websites"). While we do not know if your personal information has been (or will be) misused, out of an abundance of caution, we are providing this notice and outlining some steps you may take to help protect yourself. We sincerely apologize for any inconvenience or concern this may cause you.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Frontier Natural Products Co-Op Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/frontier-se

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-03 Inova Health System VA Electronic Medical/Healthcare Yes - Unknown # 0

Inova recognizes the importance of the privacy and confidentiality of the personal information provided to us by our employees. Regrettably, I am writing to inform you about an incident involving some of that information. We learned on February 8, 2013, that a setting was inadvertently left open following application maintenance, which resulted in a human resources file folder becoming accessible to the Internet.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Inova Health System Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/inova-sec

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-02 United Shore Financial Services MI Electronic Business Yes - Unknown # 0

I am writing to make you aware that United Shore Financial Services, LLC ("USFS") recently discovered that it was the victim of a computer intrusion by an unauthorized third party. The server that was accessed may have contained your personal information, including your name, contact information, date of birth, driver's license number, social security number and financial account information you may have previously provided to us.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: United Shore Financial Services Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/usfs-secur

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130325-01 TD Bank CT Electronic Banking/Credit/Financial Yes - Published # 14

A former TD Bank employee faces multiple charges of computer crime and identity theft after police said she filled out fraudulent credit card applications at a local bank office to boost her annual bonus.

Attribution 1 Publication: Fairfield Citizen Author: Date Published: Article Title: Former bank worker faces computer, ID theft charges Article URL: http://www.fairfieldcitizenonline.com/news/article/Former-bank-worker-faces-computer-ID-theft-4377018.php

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-04 Department of Energy - Savannah River Site GA Electronic Government/Military Yes - Published # 12,000

Federal officials are investigating a security breach that allowed access to the personal information of at least 12,000 Savannah River Site workers, reports The Augusta Chronicle.

Attribution 1 Publication: Atlanta Business Chronicle Author: Carla Caldwell Date Published: Article Title: Data breach affects 12,000 workers at Savannah River Site Article URL: http://www.bizjournals.com/atlanta/morning_call/2013/03/data-breach-affects-1200-workers-at.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-03 Xbox Entertainment Awards VA Electronic Business Yes - Unknown # 0

Microsoft is picking up the pieces from a data breach on its Xbox Entertainment Awards website, after thousands of voters entering a prize draw had their personal details inadvertently published on the site.

Attribution 1 Publication: ITProPortal Author: Date Published: Article Title: Thousands have data exposed in Microsoft security breach Article URL: http://www.itproportal.com/2013/03/20/thousands-have-data-exposed-in-microsoft-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-02 Tallahassee Community College FL Electronic Educational Yes - Published # 3,300

Tallahassee Community College, on Friday, announced that an unauthorized acquisition of computerized data that may materially compromise the security, confidentiality, or integrity of personal information occurred in March 2011.

Attribution 1 Publication: wctv.tv/news Author: Date Published: Article Title: TCC Data Breach Article URL: http://www.wctv.tv/news/headlines/TCC--199528531.html?ref=531

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130322-01 University of Mississippi Medical Center MS Electronic Medical/Healthcare Yes - Published # 10,000

The University of Mississippi Medical Center (UMMC) recently alerted an unknown number of patients that entered the hospital between 2008 and 2013 that a password-protected laptop with their data had been lost. The data included names, addresses, dates of birth, Social Security Numbers, diagnoses, medications, treatments and other personal information.

Attribution 1 Publication: healthitsecurity.com Author: Patrick Ouellette Date Published: Article Title: University of Mississippi Medical Center reports data breach Article URL: http://healthitsecurity.com/2013/03/22/university-of-mississippi-medical-center-reports-data-breach/

Attribution 2 Publication: hhs.gov Author: Date Published: Article Title: University of Mississippi Medical Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130318-03 U.S. General Services Administration DC 3/8/2013 Electronic Government/Military Yes - Unknown # 0

Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information.

Attribution 1 Publication: GSA website Author: Date Published: Article Title: U.S. General Services Administration Article URL: http://www.gsa.gov/portal/content/167855

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130318-02 Lawrence Melrose Medical Electronic Record MA Electronic Medical/Healthcare Yes - Unknown # 0

Lawrence Melrose Medical Electronic Record of Melrose, Mass. sent a letter to the New Hampshire Attorney General’s office on March 12 that a few of its New Hampshire healthcare customers were part of a recent patient data breach.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Lawrence Melrose Medical Electronic Record data breach update Article URL: http://healthitsecurity.com/2013/03/20/lawrence-melrose-medical-electronic-record-breach-update/

Attribution 2 Publication: healthitsecurity.com Author: Date Published: Article Title: Lawrence Melrose Medical Electronic Record Article URL: http://healthitsecurity.com/2013/03/18/lawrence-melrose-medical-electronic-record-reports-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130318-01 Salem State University MA Electronic Educational Yes - Published # 25,000

A data breach at Salem State University may have compromised the personal information of an estimated 25,000 current and former employees.

According to university officials, a letter was sent to those affected on March 11 after virus detection software became aware of the issue.

Attribution 1 Publication: wcvb.com Author: Date Published: Article Title: 25,000 potentially affected by data breach at Salem State University Article URL: http://www.wcvb.com/news/local/boston-north/25-000-potentially-affected-by-data-breach-at-Salem-State-University/-/11

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-06 1st Response Medical Transpot Corp. MD Electronic Medical/Healthcare Yes - Published # 552

Unauthorized Access/Disclosure - Desktop computer

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: 1st Response Medical Transpot Corp. Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-05 Stanley Black & Decker, Inc. CT Electronic Business Yes - Unknown # 0

On behalf of Stanley Black & Decker, Inc., I am writing to inform you about a recent incident that involved personal information about you. On January 28, 2013, the company-issued laptop of an employee in the Finance department who handled T&E charges was stolen. We began investigating the incident as soon as we learned of it. From our investigation, we believe that information stored on the laptop may have included your name and the account number and routing number of the account that you have designated as the account to which direct deposits are to be made to reimburse you for expenses incurred on the Company’s behalf.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Stanley Black & Decker, Inc. Article URL: https://oag.ca.gov/system/files/L2Employees%20re%20stolen%20laptop_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-04 Benny's Pizza OH Electronic Business Yes - Unknown # 0

A Marysville restaurant has received new information about a credit data theft investigation that 10TV reported on last month.

The owner of Benny's Pizza said a forensics company determined that the restaurant's computer system was compromised remotely with malicious software. They believe that's how customers' credit card information was accessed.

Attribution 1 Publication: 10TV.com Author: Date Published: Article Title: Popular Marysville Restaurant Computer Compromised; Credit Card Information Stolen Article URL: http://www.10tv.com/content/stories/2013/03/07/marysville-restaurant-credit-card-folo.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-03 Good Samaritan Hospital NY Electronic Medical/Healthcare Yes - Published # 23

The Times Union reported last Friday that Good Samaritan Hospital of Troy, NY alerted about 23 people that their data had been breached via computer at Rensselaer County Jail’s nurse’s station between 2008 and Nov. 16, 2011.

Attribution 1 Publication: HealthITSecurity Author: Patrick Ouellette Date Published: Article Title: Good Samaritan Hospital sends health data breach letters Article URL: http://healthitsecurity.com/2013/03/11/good-samaritan-hospital-sends-health-data-breach-letters/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-02 University of Connecticut Health Center CT Electronic Medical/Healthcare Yes - Published # 1,400

The University of Connecticut Health Center in Farmington will be warning 1,400 patients of a data breach, according to a report by The Hartford Courant.

Attribution 1 Publication: Becker's Hospital Review Author: Date Published: Article Title: University of Connecticut Health Center Data Breach Affects 1,400 Patients Article URL: http://www.beckershospitalreview.com/healthcare-information-technology/university-of-connecticut-health-center-data-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130312-01 MedAmerica Insurance Companies FL Electronic Business Yes - Unknown # 0

On January 15, 2013, we learned that MedAmerica long term care insurance enrollment forms placed on what was believed to be a secure server had become publicly accessible through the internet from July 10, 2012 to January 15, 2013. Not all enrollment forms were affected. Only certain electronic forms used for web enrollment were accessible over this six month period. We immediately implemented security measures to restore the privacy and confidentiality of the information and remove it from public access. We also began a thorough investigation to determine what information may have been accessible and confirmed that it included your name, address, date of birth, and Social Security number. To the extent you provided health information or the name of your other insurance companies on the enrollment form, that information may have been included as well.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: MedAmerica Insurance Companies Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/medameri

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-03 Arkansas State University AR Electronic Educational Yes - Published # 150

More employees on the campus of Arkansas State University have been affected by tax fraud.

According to Vice Chancellor of ASU, Dr. Len Frey, roughly 150 employees have now become victims, that's about 10% of their staff.

Attribution 1 Publication: kait8.com Author: Date Published: Article Title: ASU employees still affected by security breach Article URL: http://www.kait8.com/story/21557312/asu-employees-still-affected-by-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-02 Midwest Health Care Network MN Electronic Medical/Healthcare Yes - Unknown # 0

The Office of Information Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centers routinely transmit unencrypted sensitive personal data over the public Internet.

Attribution 1 Publication: Author: Jaikumar Vijayan Date Published: Article Title: VA disputes charge that it transmits unencrypted personal data over public Internet Article URL: http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/news/2013/030813-va-disputes-charge-that-it-267528.ht

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130311-01 Department of Health and Human Services NC Electronic Medical/Healthcare Yes - Published # 50,000

The contractor building North Carolina's over-budget and overdue Medicaid billing system has lost a thumb drive containing the personal information of thousands of Medicaid providers.

Attribution 1 Publication: wral.com Author: Date Published: Article Title: Medicaid contractor loses provider's personal information Article URL: http://www.wral.com/medicaid-contractor-loses-provider-s-personal-information/12201020/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-12 Information Handling Services, Inc. CO Electronic Business Yes - Unknown # 0

Hackers breached the servers of IHS and may have been able to access credit card, customer, and nuclear information. IHS does not believe that confidential information was compromised. The hacker group claimed to have obtained the records of 8,500 customers. They attacked in order to further their goal of revealing sensitive nuclear data to pressure the Israeli government and others into disclosing their nuclear activities.

Information Source: Media

Attribution 1 Publication: Privacy Rights Clearinghouse Author: Date Published: Article Title: Information Handling Services, Inc. Article URL: http://www.privacyrights.org/data-breach-asc?title=information+handling+services

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-11 First National Bank of California CA Electronic Banking/Credit/Financial Yes - Unknown # 0

We were recently notified by our data service provider that a back-up tape containing certain of your personal information including account number(s), account balances, taxpayer identification number, and social security number was stolen on February 1, 2013. This theft did not occur at our Bank nor did it involve any of our employees. While we have no reason to believe your personal information has been, or will be compromised, we wanted to notify you of the incident and outline the steps we are taking to respond to this security breach.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: First National Bank of California Article URL: https://oag.ca.gov/system/files/sample%20final%20letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-10 Bank of Hawaii - First Hawaiian Bank HI Electronic Banking/Credit/Financial Yes - Unknown # 0

Bank of Hawaii and First Hawaiian Bank have blocked debit and credit cards for an unspecified number of customers as a precaution after a restaurant on Oahu had its computer system breached.

Attribution 1 Publication: Staradviser.com Author: Date Published: Article Title: Bank of Hawaii - First Hawaiian Bank Article URL: http://www.staradvertiser.com/s?action=login&f=y&id=194112561&id=194112561

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-09 Baptist Health - South Miami Hospital FL Electronic Medical/Healthcare Yes - Published # 834

Baptist Health says its privacy office has recently learned that a South Miami Hospital employee inappropriately accessed 834 patient records.

Attribution 1 Publication: Local10.com / PHIPrivacy.net Author: Date Published: Article Title: South Miami Hospital employee accesses patient records Article URL: http://www.local10.com/news/South-Miami-Hospital-employee-accesses-patient-records/-/1717324/19144144/-/d62wpkz/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-08 Family Intervention Services GA Paper Data Medical/Healthcare Yes - Unknown # 0

The FBI is investigating a dumpster full of medical documents that Channel 2's Ross Cavitt found outside an office complex in Hiram.

Cavitt called authorities after finding the documents full of people's sensitive identification and medical information. The caller who gave Cavitt the tip said the documents were in the dumpster all weekend. Someone also might have dumped other boxes in the past 48 hours, the caller said.

Attribution 1 Publication: PHIprivacy.net / WSBTV.com Author: Date Published: Article Title: Confidential records found in Paulding Co. dumpster Article URL: http://www.wsbtv.com/news/news/local/personal-medical-records-found-paulding-co-dumpste/nWghG/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-07 Prudential Insurance Company of America - Unisys NJ Electronic Business Yes - Unknown # 0

Prudential provides, or in the past did provide, group life insurance to you as a result of your employment relationship with Unisys. I am writing to let you know that a Prudential associate made a clerical error and inadvertently emailed a document containing information relating to your insurance relationship with us, including your name, address, date of birth, Social Security number, and salary information, to another individual at Unisys. This occurred on December 13, 2012. The recipient notified the Prudential associate immediately and notified Unisys management, which also notified Prudential. The recipient has deleted the document as well.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Prudential Insurance Company of America Article URL: https://oag.ca.gov/system/files/03.04.2013%20Individual%20Notice%20Letter_0.PDF?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-06 FabricDepot OR Electronic Business Yes - Unknown # 0

On January 7, 2013, I (FabricDepot) learned of a data security incident that may have resulted in the disclosure of the credit card information, names, and billing address associated with your online purchase. Shortly after learning of the incident, we retained a forensic computer investigator, who determined that on or about October 16, 2012 an unauthorized third party gained access to our website and data system.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: FabricDepot Article URL: https://oag.ca.gov/system/files/Customer_Notification_Ltr_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-05 TD Bank, N.A. NJ Electronic Banking/Credit/Financial Yes - Unknown # 0

We are writing to let you know about an incident involving your personal information. You are receiving this letter either because you are (or were) a customer of TD Bank, or because you or another person or account holder provided TD Bank with your personal information. For example, you may be a relative, dependent, beneficiary, guarantor or otherwise connected to a current or former account holder.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: TD Bank, N.A. Article URL: https://oag.ca.gov/system/files/MT-March%202013_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-04 Unknown Medical Facility UT Electronic Medical/Healthcare Yes - Published # 35

There are very few places off-limits for identity thieves. They don’t really care how they get your information—even if you’re sitting in a hospital. One woman found that out the hard way. "The dream was gone. Everything we worked for, gone,” Elsy, a victim of identity theft, says. Elsy was devastated after discovering the money she and her husband had been saving for a new home had been stolen from their bank account. "They got our personal information from the medical facility where my husband was getting treatment for leukemia,” she says.

Attribution 1 Publication: KUTV.com Author: Date Published: Article Title: Clinic Corruption: Hospital Identity Theft Article URL: http://www.kutv.com/news/top-stories/stories/vid_4077.shtml

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-03 Baymont Inn Suites AL Electronic Business Yes - Published # 23

Mobile police have arrested a man for credit card fraud and trafficking in stolen identities after they say he took credit card information from 23 motel customers.

Attribution 1 Publication: Fox10tv.com Author: Letisha Bush Date Published: Article Title: Hotel clerk stole 23 credit card numbers Article URL: http://www.fox10tv.com/dpp/news/local_news/mobile_county/mpd-hotel-clerk-stole-23-credit-card-numbers

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-02 Samaritan Hospital NY Electronic Medical/Healthcare Yes - Unknown # 0

An official at Samaritan Hospital confirmed a nursing supervisor at the Rensselaer County jail improperly accessed the hospital’s patient records, triggering an investigation by Sheriff Jack Mahar.

Attribution 1 Publication: The Saratogian Author: Date Published: Article Title: Samaritan Hospital confirms patient records security breach in 2011 Article URL: http://saratogian.com/articles/2013/03/01/news/doc513105ba6f4ba045285003.txt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130305-01 Orleans County Administration NY Electronic Government/Military Yes - Published # 25

County officials learned last Wednesday that around 25 of the 600 people employed by the county may have had their identity compromised. Once officials found out, they started investigating and alerting employees.

Attribution 1 Publication: Rochester Your News Now (YNN) Author: Katie Cummings Date Published: Article Title: Investigation into security breach at Orleans County office building Article URL: http://rochester.ynn.com/content/top_stories/643722/investigation-into-security-breach-at-orleans-county-office-buildin

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-08 Variable Annuity Life Insurance Company TX Electronic Business Yes - Unknown # 0

On behalf of VALIC we would like to advise you that certain elements of your personal and financial information may have recently been compromised. Our systems indicate that a user ID and profile was recently set-up on www.valic.com to view your VALIC account(s) online. A confirmation of this transaction was mailed to you. We believe you may not have initiated this transaction.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Variable Annuity Life Insurance Company Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-data-security/documents-and-resources5/variable-a

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-07 Wallboard Supply Company NH Electronic Business Yes - Unknown # 0

The McLane law firm represents Agincourt Wallboard, LLC d/b/a Wallboard Supply Company ("Wallboard"), which is headquartered in Londonderry, New Hampshire. We are writing to inform you about a recent data security breach at Wallboard that affects 36 residents of New Hampshire. On January 17, 2013, Wallboard learned that eight of its employees received a physical payroll check, rather than having their wages deposited directly into their bank accounts, as was the norm for them. Wallboard immediately launched an investigation into the matter, notified and filed a report with law enforcement, and gave notice to its employees orally and by email. Wallboard learned from its payroll vendor that someone had used the administrator's credentials to access (without authorization) Wallboard's payroll system. The payroll system contained the names and addresses of Wallboard's sixty-two employees, their social security numbers, their bank account routing information, and other employment information about them.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Wallboard Supply Company Article URL: http://doj.nh.gov/consumer/security-breaches/documents/wallboard-supply-20130211.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-06 Mt. Rushmore Securities LLC IA Electronic Business Yes - Unknown # 0

Pursuant to N.H.R.S. § 359C:20(b), I am providing notice to you of a breach of security that may have affected two New Hampshire residents. Personal information of certain clients of Mt Rushmore Securities LLC, Mt Rushmore Management LLC, Mt Rushmore Investment Corp, MidAmerica Financial Services ("the Mt. Rushmore firms") was made available through Google queries when confidential documents were inadvertently made accessible to Google's web indexing software on an IT contractor's server.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Mt. Rushmore Securities LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/mt-rushmore-20130214.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-05 MassMutual Retirement Services MA Electronic Business Yes - Published # 917

On January 28, 2013, the benefits coordinator for Crotched Mountain Foundation Plan ("Plan"), a MassMutual Retirement Services ("RS") client, sent an email to the Plan's MassMutual RS account manager. The Plan benefits coordinator copied a participant in the Plan on the email to MassMutual. Later that same day, the MassMutual RS account manager responded to the email, which was sent to both individuals, and included a participant demographic file. The participant demographic file contained the contract number of the Plan and the full names, addresses, and Social Security numbers of 917 participants in the Plan.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: MassMutual Retirement Services - Crotched Mountain Foundation Plan Article URL: http://doj.nh.gov/consumer/security-breaches/documents/massachusetts-mutual-20130214.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-04 CoreLogic Credco CA Electronic Business Yes - Unknown # 0

CoreLogic Credco ("Credco") resells credit reports to authorized business clients who use the reports to make lending decisions. An unauthorized third party fraudulently obtained credentials to obtain access to Credco credit report ordering system.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: CoreLogic Credco Article URL: http://doj.nh.gov/consumer/security-breaches/documents/corelogic-credco-20130207.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-03 Haagen-Daz FL Electronic Business Yes - Unknown # 0

Anyone who made a purchase at the Häagen-Daz inside the food court in International Plaza since April of 2012 may have been affected by identity theft. A flash drive that contained key-logger software was connected to a register at the store. It recorded payment card transactions and allowed thieves to make counterfeit credit cards. Two men were arrested in June of 2012 for using fraudulent card information and that information was later linked to the Häagen-Daz shop.

Attribution 1 Publication: Privacy Rights Clearinghouse Author: Date Published: Article Title: Haagen-Daz Article URL: https://www.privacyrights.org/node/56003

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-02 Massachusetts Mutual Life Insurance Company MA Paper Data Business Yes - Unknown # 0

Massachusetts Mutual Life Insurance Company and its subsidiaries ("MassMutual") understand the importance of protecting the privacy and security of information about our customers, and take seriously our obligations to protect this information. MassMutual has an established business relationship with Convey Compliance Systems, Inc. ("Convey") to provide print and mailing services for MassMutual's annual IRS Form 1099 mailing. On February 1, 2013, Convey notified us of an incident that resulted in the Forms 1099 for a number of MassMutual clients being mailed with an incorrect mailing address. Unfortunately, your Form 1099 was in the affected group.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Massachusetts Mutual Life Insurance Company Article URL: https://oag.ca.gov/system/files/MassMutual%20Sample%20Breach%20Notice%20CA%2022013_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130227-01 Mercedes-Benz of Walnut Creek CA Electronic Business Yes - Unknown # 0

I am contacting you regarding a data security incident that has occurred at Mercedes-Benz of Walnut Creek. On Friday, February 8, 2013, around 7:00 am we discovered a forcible break-in at Mercedes-Benz of Walnut Creek’s dealership. Between the close of business on Thursday, February 7th and the morning of Friday, February 8th, a thief or thieves pried open a locked exterior door to the dealership, another locked interior door into the Business Office was pried open, and once inside the Business Office, locked file cabinets containing customer deal jackets were pried open and some customer deal files were removed. Additionally, some files containing customer personal information were removed from our Service Department.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Mercedes-Benz of Walnut Creek Article URL: https://oag.ca.gov/system/files/MB%20sample%20letter%20proof%20v2_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130226-02 Crescent Healthcare CA Electronic Medical/Healthcare Yes - Published # 109,000

Last week, Crescent Healthcare -- an Anaheim-based Walgreens company -- began notifying patients and employees of a data breach that occurred late last year, Healthcare IT News reports.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Crescent Healthcare Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Attribution 2 Publication: CaliforniaHealthline / CA AG's office Author: Date Published: Article Title: Crescent Healthcare Notifies Individuals of 2012 Data Breach Article URL: http://www.californiahealthline.org/articles/2013/2/26/crescent-healthcare-notifies-individuals-of-2012-data-breach.aspx

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130226-01 North Carolina Department of State NC Paper Data Government/Military Yes - Published # 26,000

North Carolina officials have warned about 26,000 retired government employees that their Social Security numbers may have been exposed to public view in an apparent security breach made in January.

Attribution 1 Publication: Newsobserver.com / datalossdb.org Author: Date Published: Article Title: 26,000 NC retirees warned of security breach Article URL: http://blogs.newsobserver.com/business/26000-nc-retirees-warned-of-security-breach

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130225-01 Sprouts Farmers Market AZ Electronic Business Yes - Unknown # 0

Sprouts Farmers Market is encouraging customers to check their bank accounts for unusual activity in the last month.

The chain learned that illegal software targeted customers' information at 19 of its 151 stores between Jan. 25 and Jan. 29, 2013.

Attribution 1 Publication: ABC15.com Author: Erisa Nakano / Steve Date Published: Article Title: Sprouts Farmers Market Alert: Security breach affects Arizona, California stores Article URL: http://www.abc15.com/dpp/news/state/sprouts-farmers-market-alert-security-breach-affects-arizona-stores

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130222-01 Polk County School District FL Paper Data Educational Yes - Published # 200

The Social Security numbers of nearly 200 students who paid tuition for education programs could be compromised, according to a letter sent out recently by the Polk County School District. Students affected can contact the School District, which will pay for a one-year membership to an online identity theft protection program that will cost the district between $80 and $90 per student.

Attribution 1 Publication: theledger.com / datalossdb.org Author: Jeremy Maready Date Published: Article Title: Nearly 200 Students Warned of ID Theft Risk Article URL: http://www.theledger.com/article/20130220/NEWS/130229907/1134?Title=Nearly-200-Students-Warned-of-ID-Theft-Risk-

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-07 Silver Star Motors IL Electronic Business Yes - Published # 25

The owner of a Cortland used-car dealership was charged with seven counts of identity theft Wednesday for allegedly using his customers’ information to take out phony car loans.

Attribution 1 Publication: datalossdb.org / Daily Chronicle Author: Jeff Engelhardt Date Published: Article Title: Cortland car dealership owner charged with ID theft Article URL: http://www.daily-chronicle.com/2013/01/30/cortland-car-dealership-owner-charged-with-id-theft/ab2qnpq/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-06 Central Laborers' Pension Fund IL Electronic Business Yes - Published # 30,000

The U.S. Court of Appeals for the Seventh recently ruled that Nationwide Insurance Co. has no duty to defend or indemnify an accountant who lost sensitive personal information from client files. According to the lawsuit, the accountant's loss of the information stemmed from the theft of a CD containing confidential client information from the accountant's personal car. The CD contained the social security numbers, names, and birth dates of over 30,000 beneficiaries of the accounting firm's clients, the Central Laborers' Pension Fund, Central Laborers' Welfare Fund, and Central Laborers' Annuity Fund. After the Funds sued the accounting firm to recoup $200,000 (the costs of credit monitoring and insurance),

Attribution 1 Publication: Lexology Author: Date Published: Article Title: Insurance company need not defend accountant who lost sensitive client information Article URL: http://www.lexology.com/library/detail.aspx?g=b4cf8fba-cfe6-4780-9daa-7ba827dd9c2a

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-05 HSBC Bank USA IL Electronic Banking/Credit/Financial Yes - Unknown # 0

We are writing to notify you of a breach and unauthorized access of customer data involving eleven (11) New Hampshire residents. On December 20, 2012, HSBC became aware that an employee accessed customer accounts and is suspected of supplying fraudsters with customer account and personal data with the intent of creating false identification cards to affect fraudulent withdrawals from bank deposit accounts. The type of information involved in the incident that may have been accessed includes a customer's name, social security number, personal identification type (i.e., driver's license number), telephone number, account number and account type.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: HSBC Bank USA Article URL: http://doj.nh.gov/consumer/security-breaches/documents/hsbc-bank-20130131.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-04 Capella University MN Electronic Educational Yes - Unknown # 0

Capella University is committed to protecting the information it maintains on behalf of its learners. Regrettably, we are writing to inform you about an incident involving some of that information. During the week of January 28, 2013, we determined that an employee in the collection department had sent information that included the name and Social Security numbers of a small group of learners to a personal e-mail account in violation of Capella policy. Capella promptly took action by terminating the employee, removing the employee's access to our networks, and further securing the records we maintain.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Capella University Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/capella-u

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-03 Central Hudson Gas & Electric Corp. NY Electronic Business Yes - Published # 110,000

Central Hudson Gas & Electric Corp. has determined that about 110,000 customers may have been affected by a weekend cyber security attack, but there's still not evidence that customer information was downloaded or misused, the company stated in a press release.

Attribution 1 Publication: Poughkeepsie Journal Author: Date Published: Article Title: CYBER ATTACK UPDATE: Central Hudson: Free year of credit checks for 110,000 customers Article URL: http://www.poughkeepsiejournal.com/article/20130220/NEWS/130219026/Central-Hudson-Cyber-attack-updates-expecte

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-02 Mid-Florida Urological Associates - Orlando Health FL Paper Data Medical/Healthcare Yes - Unknown # 0

Another insider breach at a Florida medical practice for a fraud scheme; this time it’s insurance fraud.

Attribution 1 Publication: phiprivacy.net / datalossdb.org Author: Date Published: Article Title: Medical assistant stole patient information for insurance fraud scheme Article URL: http://www.phiprivacy.net/?p=11709

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130220-01 Bank of America WA Electronic Banking/Credit/Financial Yes - Unknown # 0

Bank of America last week blamed a suspected breach of credit card data on an unidentified third party, which the bank later revealed to be a merchant. The incident illustrates security risks institutions increasingly face, whether because of a merchant breach or relying too heavily on partners and suppliers.

Attribution 1 Publication: BankInfoSecurity Author: Tracy Kitten Date Published: Article Title: Bank of America Responds to Breach Article URL: http://www.bankinfosecurity.com/bank-america-responds-to-breach-a-4487

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130219-02 Union County Public Schools NC Electronic Educational Yes - Unknown # 0

Union County Public Schools employees are at-risk after someone hacked the Public School System web server Thursday.

According to an email from Superintendent Mary Ellis, "It is possible that confidential employee information, including social security numbers, has been compromised."

Attribution 1 Publication: WBTV.com Author: Jessica Sells Date Published: Article Title: Union County Public Schools: Web server hacked, information may be compromised Article URL: http://www.wbtv.com/story/21216611/union-county-public-schools-web-server-hacked-information-may-be-compromise

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130219-01 Heyman Hospice Care GA Electronic Medical/Healthcare Yes - Published # 1,819

Heyman HospiceCare at Floyd (“Heyman HospiceCare”) is committed to protecting the personal information it maintains on behalf of its patients. Regrettably, this notice is regarding an incident involving some of that information.

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Heyman Hospice Care Article URL: Heyman Hospice Care

Attribution 2 Publication: Company website Author: Date Published: Article Title: Privacy Notice for Heyman HospiceCare at Floyd Patients Article URL: http://www.floyd.org/hospice/privacy_notice.htm

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130214-02 Cbr Systems, Inc. CA Electronic Medical/Healthcare Yes - Published # 300,000

The operator of a leading cord blood bank, Cbr Systems, Inc., agreed to settle Federal Trade Commission charges that it failed to protect the security of customers’ personal information, and that its inadequate security practices contributed to a breach that exposed Social Security numbers and credit and debit card numbers of nearly 300,000 consumers.

Attribution 1 Publication: FTC Author: Date Published: Article Title: Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information Article URL: http://ftc.gov/opa/2013/01/cbr.shtm

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130214-01 Froedtert Hospital WI Electronic Medical/Healthcare Yes - Published # 43,000

A computer hacker may have information on 43,000 patients at Froedtert Hospital and some of its clinics.

Attribution 1 Publication: WTMJ4 Author: Date Published: Article Title: Hacker may have obtained 43,000 Froedtert patients' information Article URL: http://www.todaystmj4.com/news/local/191181111.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130213-01 Palm Beach County Health Department FL Electronic Medical/Healthcare Yes - Published # 2,800

A senior clerk at the Palm Beach Health Department was arrested Tuesday and charged with using her job to steal identity information from more than 2,800 patients.

Attribution 1 Publication: Sun Sentinel Author: Date Published: Article Title: Health Department clerk arrested for ID theft Article URL: http://www.sun-sentinel.com/news/palm-beach/fl-health-idtheft-20130212,0,4593292.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-13 Riderwood Village MD Electronic Medical/Healthcare Yes - Published # 3,230

Riderwood Village,MD,,3230,11/18/2012,Theft,Laptop,2/8/2013,,

Attribution 1 Publication: hhs.gov / phiprivacy.net Author: Date Published: Article Title: Riderwood Village Article URL: http://www.phiprivacy.net/?cat=19

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-12 American HomePatient Inc. TN Electronic Medical/Healthcare Yes - Published # 1,103

American HomePatient Inc.,TN,LifeGas,1103,10/11/2012,Theft,Laptop,2/7/2013,,

Attribution 1 Publication: HHS.gov / PHIPrivacy.net Author: Date Published: Article Title: American HomePatient Inc. Article URL: http://www.phiprivacy.net/?cat=19

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-11 Lee Miller Rehab Associates MD Electronic Medical/Healthcare Yes - Published # 10,480

Lee Miller Rehab Associates,MD,,10480,1/15/2012,Theft,Network Server,2/7/2013,,

Attribution 1 Publication: HHS.gov / PHIPrivacy.net Author: Date Published: Article Title: Lee Miller Rehab Associates Article URL: http://www.phiprivacy.net/?cat=19

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-10 Zalicus Inc. MA Paper Data Business Yes - Unknown # 0

Pursuant to N.H. Rev. Stat. Ann. § 359-C:20(1)(b), I am writing to notify you of potential unauthorized access to personal information involving 2 New Hampshire residents. On January 28, 2013, Zalicus Inc. prepared and mailed approximately 48 2012 1099-MISC tax forms (the "Forms") to its third party vendors, consultants and other individuals. Due to human error, some of the Forms were inadvertently mailed to incorrect recipients (the "Unintended Recipients"). Along with the first and last name of an individual recipient, the Forms contained the social security number of the individual recipient in the box labeled "Recipient's Identification Number".

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Zalicus Inc. Article URL: http://doj.nh.gov/consumer/security-breaches/documents/zalicus-20130201.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-09 Family Medical Care Plan GA Paper Data Medical/Healthcare Yes - Unknown # 0

Pursuant to New Hampshire state law, we are writing to notify you of an unauthorized use of personal information involving three (3) New Hampshire residents. Late in December 2012, the NECA/IBEW Family Medical Care Plan ("FMCP") mailed to its participants the FMCP's generic Summary of Benefits Coverage and the Summary of Material Modifications disclosure documents. The Social Security numbers of some of the individuals were inadvertently displayed on the envelope of these mailings.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Family Medical Care Plan Article URL: http://doj.nh.gov/consumer/security-breaches/documents/neca-ibew-20130118.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-08 Federal Network Systems LLC VA Electronic Business Yes - Unknown # 0

We are writing to inform you that in December 2012 we discovered that a computer containing a file with personal information, including names and Social Security numbers, for some of our former and current employees and independent contractors, was infected with malware. Upon learning of the malware, our network security team immediately isolated the infected machine and took it off line. The malware was then removed from our systems.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Federal Network Systems LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/federal-network-20130116.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-07 Agincourt Wallboard ME Electronic Business Yes - Unknown # 0

On January 19, 2013, Wallboard gave employees notice about a security breach of its payroll system. In that notice, Wallboard described its understanding of the general nature of the situation and the type of information compromised, and gave some recommendations as to the immediate actions employees should have taken to protect themselves financially and their personal information. This notice now provides more comprehensive information about the incident.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Agincourt Wallboard Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/agincourt

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-06 Boca Raton Regional Hospital FL Electronic Medical/Healthcare Yes - Unknown # 0

The Miami area, infamous for its smorgasbord of fraud schemes, is among the worst spots for what he described as an “epidemic” ID-theft crime wave. To drive home his point at the height of the tax season, Ferrer’s office unveiled the latest prosecutions of 14 defendants in a variety of tax-refund rackets. Among them: Yet another case of a South Florida hospital employee swiping patients’ Social Security numbers and dates of birth to defraud the Internal Revenue Service. According to an indictment filed in January, Boca Raton Regional Hospital scheduler Shalamar Major, 32, of Deerfield Beach, stole the personal information of patients and supplied the data to Tanisha Wright in exchange for a split fee for every successful false return submitted to the IRS.

Attribution 1 Publication: Miami Herald Author: Jay Weaver Date Published: Article Title: Miami U.S. attorney issues warning and crackdown on ID theft, tax-refund fraud Article URL: http://www.miamiherald.com/2013/02/06/3220176/miami-us-attorney-issues-warning.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-05 Wayne Memorial Hospital PA Electronic Medical/Healthcare Yes - Published # 1,182

Wayne Memorial Hospital in Honesdale, Pa., has issued the following public notice of a major breach of protected health information. The notice does not indicate the size of the breach; The Citizens’ Voice newspaper in Wilkes-Barre reports 1,182 patients were affected and Social Security numbers were among the compromised data. Here is the hospital notice:

“Wayne Memorial Hospital ("WMH") is committed to protecting the information it maintains on behalf of its patients. Regrettably, this notice is regarding an incident involving some of that information.

“On December 3, 2012, we learned that an unencrypted CD containing patient information had gone missing. The CD was included in a package sent by certified mail to our government authorized Medicare Administrative Contractor. Our contractor received the package damaged and without the CD. Upon learning this, we immediately conducted a thorough investigation, including a diligent search for the CD with both the United States Post Office and the contractor. To date, we have been unable to locate the CD. We have confirmed that the CD contained patient names, account balances, and, in some instances, Medicare numbers. The CD did not contain any financial information (such as credit card and/or bank account number).

Attribution 1 Publication: Health Data Management Author: Date Published: Article Title: Breach Reported after CD Shipped to Medicare is Lost Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-hospital-45565-1.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-04 THORLO NC Electronic Business Yes - Unknown # 0

My name is Jim Throneburg and I am the owner of THORLO. I am sending you this letter because you, and our company, have been the victims of a cybercrime that has potentially resulted in the theft of certain of your personal information, including your credit card information. This theft could result in fraudulent charges on your credit card account. We have filed reports with the FBI Cyber Crimes Unit and our local police department, and they have active investigations under way as well.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: THORLO Article URL: https://oag.ca.gov/system/files/Thorlo%20Inc%20Ad%20NO%20Credit%20Services%20r3prf_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-03 Schneider-Electric IL Paper Data Business Yes - Unknown # 0

I am writing to inform you that Schneider Electric recently learned that on or about January 16, 2013, one of the bulk mail vendors that performs mailing activities on behalf of our Employee Share Plan mistakenly included your Social Security Number ("SSN") in the address field of a Call for Candidacy letter (the "Mailing") mailed to you on our behalf. Accordingly, the Mailing to you included the following categories of data in the address window: SSN, Name, and Address.

Attribution 1 Publication: CA AG's Office Author: Date Published: Article Title: Schneider-Electric Article URL: https://oag.ca.gov/system/files/Employee%20Letter%20Signed_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-02 Talk Fusion FL Electronic Business Yes - Unknown # 0

We are writing to make you aware that a portion of Talk Fusion’s computer network was criminally attacked, and we regret that certain elements of your information may have been compromised. At Talk Fusion, protecting the privacy and security of your information is an absolute top priority, and we want to assure you that we have taken multiple steps to prevent this type of attack from happening again.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Talk Fusion Article URL: https://oag.ca.gov/system/files/Talk%20Fusion%20-%20Form%20of%20consumer%20notification%2021113_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130212-01 Crafts Americana Group, Inc. WA Electronic Business Yes - Unknown # 0

We are writing to inform you of a recent incident during which your personal information may have been accessed without your authorization. On January 25, 2013, we discovered that a file on our internet servers containing your name, address, phone and credit card number had been potentially accessible to outsiders without authorization for several weeks. The credit card number in the file was used on Knitpicks.com, ArtistsClub.com or ConnectingThreads.com.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Crafts Americana Group, Inc. Article URL: https://oag.ca.gov/system/files/Multi-state%20notification%20letter%20-%20Crafts%20Americana%20-%20letterhead_0.

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130211-01 Penn State Harrisburg PA Electronic Educational Yes - Published # 808

A computer at Penn State Harrisburg that contained 808 Social Security numbers (SSNs) was found to be infected with malware that enabled it to communicate with an unauthorized computer outside the network. The SSNs were found in archived documents related to conference registrations from 1999 to 2001. "Malware" is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, worm or other destructive program.

Attribution 1 Publication: Penn State Publication / datalossdb.org Author: Date Published: Article Title: Malware opens door to possible information exposure Article URL: http://live.psu.edu/story/64189

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-05 Walz and Associates Law Firm NM Paper Data Business Yes - Unknown # 0

Hundreds of personal documents from dozens of people were all found in a very public place, but how did they get there and who's at risk?

The court files were found in a Bernalillo County Recycling Center in Tijeras and contained people's criminal histories, depositions and even medical records.

Attribution 1 Publication: KRQE.com / datalossdb.org Author: Date Published: Article Title: Personal information found in trash Article URL: http://www.krqe.com/dpp/news/crime/personal-information-found-in-trash

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-04 McDonalds FL Electronic Business Yes - Unknown # 0

Some customers at one Boca Raton McDonald's aren't lovin' it.

Not after they rolled through the drive-through on West Yamato Road and handed their credit cards to Percival James, whom Boca Raton police say promptly stole their credit card information and sold it on the streets for cash.

James, 22, of Delray Beach, is charged with using a scamming device to defraud McDonald's customers, according to a Boca Raton police report.

Attribution 1 Publication: datalossdb.org / SunSentinel Author: Date Published: Article Title: Boca McDonald's employee stole customer credit card information, police say Article URL: http://www.sun-sentinel.com/news/palm-beach/fl-boca-mcdonalds-scammer-arrest-20130131,0,2137385.story

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-03 Bashas' Family of Stores AZ Electronic Business Yes - Unknown # 0

The compromise of hundreds of payment cards, apparently tied to fraud worldwide, has been linked to a network hack affecting Arizona-based supermarket chain Bashas' Family of Stores.

An executive with a card-issuing institution that serves the West Coast, who asked not to be named, says fraudulent transactions linked to the Bashas' breach have shown up in international markets. "From what we are seeing, this is a corporate breach that is very active with fraud occurring worldwide," the executive says.

Attribution 1 Publication: BankInfoSecurity Author: Tracy Kitten Date Published: Article Title: New Retail Breach Tied to Global Fraud Article URL: http://www.bankinfosecurity.com/new-retail-breach-tied-to-global-fraud-a-5483/op-1

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-02 TheConnecticutStore.com CT Electronic Business Yes - Unknown # 0

I am so very sorry to have to notify you of a potential security breach on our Connecticut Store online e-commerce system. Our records indicate that you ordered from our website, (TheConnecticutStore.com). While I currently have no evidence that your personal information was misused, I want to notify you of this incident.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: TheConnecticutStore.com Article URL: REFERENCES

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130205-01 Department of Energy DC Electronic Government/Military Yes - Unknown # 0

Online attackers successfully penetrated the Department of Energy (DOE) network in the middle of January and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors.

Attribution 1 Publication: InformationWeek Security Author: Mathew Schwartz Date Published: Article Title: Department of Energy Confirms Data Breach Article URL: http://www.informationweek.com/security/attacks/department-of-energy-confirms-data-breac/240147877

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-03 Tallahassee Memorial HealthCare FL Electronic Medical/Healthcare Yes - Published # 124

In response to former Tallahassee Memorial HealthCare food service employee Spencer Larry Parson being indicted in U.S. District Court this week for, among other charges, identity theft, the hospital says that it has amended its patient privacy policies.

Memorial HealthCare maintains that it has reminded employees of the importance of keeping patient data safe and using provided bins to shred paper records. It has also provided identity protection services to 124 patients after Parson stole patient names and dates of birth from food tray receipts, according to Tallahassee.com. The hospital notified the potentially affected patients through letters as well as offering credit monitoring and identity recovery services.

Attribution 1 Publication: HealthIT Security Author: Patrick Ouellette Date Published: Article Title: Tallahassee Memorial HealthCare strengthens privacy policies Article URL: http://healthitsecurity.com/2013/02/01/tallahassee-memorial-healthcare-strengthens-privacy-policies/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-02 River Falls Medical Clinic WI Paper Data Medical/Healthcare Yes - Published # 2,400

Perhaps the Office for Civil Rights (OCR) was so specific with subcontractor language and breach notification amendments in the HIPAA omnibus rule for good reason. Similar to many recent healthcare data breaches, River Falls Medical Clinic notified about 2,400 clients of a breach that was tied to a subcontractor, in this case an outside cleaning service employee who stole patient records during the summer of 2012.

Attribution 1 Publication: HealthIT Security Author: Date Published: Article Title: River Falls Medical Clinic announces patient data breach Article URL: http://healthitsecurity.com/2013/02/04/river-falls-medical-clinic-announces-patient-data-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130204-01 Twitter CA Electronic Business Yes - Unknown # 0

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users.

Attribution 1 Publication: Twitter's Blog Author: Date Published: Article Title: Twitter Article URL: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-05 Works Café NH Electronic Business Yes - Unknown # 0

Late Wednesday night, the Reformer received the following statement from Richard French, president of the Works Bakery Cafe. "The Works Cafe, with locations in Manchester and Brattleboro; Keene, Durham, Portsmouth and Concord, N.H.; and Portland, Maine, is investigating third-party allegations concerning theft of customer credit card and debit card account information.

Attribution 1 Publication: Brattleboro Reformer Author: Date Published: Article Title: Possible data breach at local café Article URL: http://www.reformer.com/localnews/ci_22486294/possible-data-breach-at-local-cafe

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-04 Los Angeles County Department of Public Social CA Electronic Government/Military Yes - Unknown # 0

Veronico Niko, a former Los Angeles County Department of Public Social Services employee, has pleaded guilty to stealing names and Social Security numbers for use in a tax refund fraud scheme.

Attribution 1 Publication: databreaches.net Author: Date Published: Article Title: LA DPPS employee pleads guilty to stealing clients’ info for tax refund fraud scheme Article URL: http://www.databreaches.net/?cat=15

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-03 Antioch Unified School District CA Electronic Educational Yes - Unknown # 0

District officials have been working to fix an inadvertent disclosure of some personal employee information that spread last week via email. While a former Antioch Unified employee was trying to pass on information about a replacement's responsibilities at the end of the workday Jan. 18, the employee attached a file to an email that went to a limited number of district personnel that had confidential information -- namely Social Security numbers and some worker compensation claim information for current and former employees who reported injuries, Superintendent Donald Gill said.

Attribution 1 Publication: MercuryNews.com / databreaches.net Author: Paul Burgarino Date Published: Article Title: Antioch district working to fix inadvertent disclosure of employee data Article URL: http://www.mercurynews.com/breaking-news/ci_22467261/antioch-district-working-fix-inadvertent-disclosure-employee

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-02 Stethoscope.com MA Electronic Medical/Healthcare Yes - Unknown # 0

We are writing to inform you of the data intrusion incident and the steps we have been taking to help safeguard your personal information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Stethoscope.com Article URL: https://oag.ca.gov/system/files/Template%20Breach%20Notice%20Letter_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130131-01 North Los Angeles County Regional Center CA Electronic Medical/Healthcare Yes - Unknown # 0

North Los Angeles County Regional Center (NLACRC) is writing to you because of an incident which may have potentially exposed your contact information.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: North Los Angeles County Regional Center Article URL: https://oag.ca.gov/system/files/NLACRC%20Notice_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130129-04 RR Donnelley IL Electronic Medical/Healthcare Yes - Unknown # 0

We take your privacy and the confidentiality of the information entrusted to us very seriously. Despite our best attempts, there was a recent incident in which your personal information, in connection with your participation in the Boy Scouts of America 2003 health benefit plan, may have been compromised. We wanted to make you aware, as well as explain some options available to you to protect you. According to RR Donnelley, a print and mailing vendor that UnitedHealthcare uses, sometime between the second half of September and the end of November, 2012, an unencrypted desktop computer was stolen from one of its facilities.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: RR Donnelley Article URL: https://oag.ca.gov/system/files/Notification%20Letter_1.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130129-03 Department of Juvenile Justice FL Electronic Government/Military Yes - Unknown # 0

Three computers containing sensitive Department of Juvenile Justice information were stolen, Orlando police reported Thursday.

Few details about the theft were released.

A brief Orlando police incident report said the computers and television were stolen from the Boca Club apartments Wednesday morning.

Police would not release any other information, citing the case is under investigation.

Attribution 1 Publication: Orlando Sentinel / databreaches.net Author: Amy Pavuk Date Published: 9/6/2012 Article Title: Computers with sensitive Juvenile Justice data stolen Article URL: http://articles.orlandosentinel.com/2012-09-06/news/os-juvenile-justice-computers-stolen-20120906_1_orlando-police-th

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130129-01 Brentwood Primary Care Clinic FL Electronic Medical/Healthcare Yes - Published # 261

Names and Social Security numbers of 261 people were illegally photographed at a Shands Jacksonville clinic then transmitted to another person, according to an arrest report in the case.

Attribution 1 Publication: phiprivacy.net / jacksonville.com Author: Dana Treen Date Published: Article Title: Office intern at Jacksonville primary care center charged with ID theft Article URL: http://www.phiprivacy.net/?p=11486

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130128-01 Cheyney University PA Electronic Educational Yes - Unknown # 0

Officials at Cheyney University are urging students to check their credit reports after an inadvertent release of their personal data, including Social Security numbers.

Attribution 1 Publication: Author: Date Published: Article Title: Pa. university warns students of privacy breach Article URL: http://www.sfgate.com/news/article/Pa-university-warns-students-of-privacy-breach-4224641.php

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130122-03 King Drug & Home Care KY Electronic Medical/Healthcare Yes - Published # 13,619

King Drug & Home Care has mailed letters to 13,619 clients regarding a potential breach of their protected health information. The breach occurred on or around November 19, 2010 and was discovered on November 23, 2010. The potential data breach was discovered by the Director of Information Systems when a portable electronic hard drive device was reportedly misplaced by an employee. Upon learning of the incident, a thorough search ensued, but the device was never located. T

Attribution 1 Publication: Public Notice / PHIprivacy.net Author: Date Published: Article Title: King Drug & Home Care Article URL: www.kingdrug.com/docs/PHIBreachNotice.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130122-02 Office of Dr. Sandra Bujanda-Wagner CO Paper Data Medical/Healthcare Yes - Unknown # 0

A viewer sent FOX31 a tip about medical records tossed in the trash at Southlands in Aurora.

Attribution 1 Publication: Fox 31 Denver - PHIprivacy.net Author: Date Published: Article Title: Office of Dr. Sandra Bujanda-Wagner Article URL: http://kdvr.com/2013/01/08/patients-personal-information-found-in-dumpster-outside-dentists-office/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130122-01 Lucile Packard Children's Hospital / Stanford School of CA Electronic Medical/Healthcare Yes - Published # 57,000

Lucile Packard Children’s Hospital at Stanford and the Stanford University School of Medicine are notifying patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9, 2013. The medical information on the stolen laptop was predominantly from 2009 and related to past care and research.

Attribution 1 Publication: Company website / phiprivacy.net Author: Date Published: Article Title: Lucile Packard Children's Hospital Article URL: http://www.lpch.org/aboutus/news/for-patients.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-11 Westerville Dental Center OH Electronic Medical/Healthcare Yes - Published # 850

Laptop, Network Server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Westerville Dental Center Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-10 OHP PHSP NY Electronic Medical/Healthcare Yes - Published # 28,187

OHP PHSP, Inc (OHP) learned that Amerigroup Corporation (Amerigroup) had inadvertently disclosed OHP's protected health information to certain health care facilities in New York.

Attribution 1 Publication: hhs.gov / public notice Author: Date Published: Article Title: OHP PHSP Article URL: http://classifieds.nydailynews.com/default/noticesannouncements/public-notice-on-nov.-28-2012/C0A8017B1ddc81AE2

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-09 Group Health Incorporated NY Electronic Medical/Healthcare Yes - Published # 1,771

Unauthorized Access/Disclosure

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Group Health Incorporated Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-08 City of Sequin TX Electronic Medical/Healthcare Yes - Published # 839

Desktop Computer

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: City of Sequin - Fire/EMS Department Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-07 Department of Health Care Services CA Electronic Medical/Healthcare Yes - Published # 2,643

Unauthorized Access/Disclosure

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: California Department of Health Care Services Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-06 Cabinet for Health & Family Services, Dept. of Medicaid KY Electronic Medical/Healthcare Yes - Published # 1,090

Unauthorized Access/Disclosure

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Cabinet for Health & Family Services, Dept. of Medicaid Services Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-05 Harbor Medical Associates MA Electronic Medical/Healthcare Yes - Published # 4,343

Hacking/IT incident - server

Attribution 1 Publication: hhs.gov Author: Date Published: Article Title: Harbor Medical Associates Article URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-04 Integrated Behavioral Associates - CFPS MA Electronic Medical/Healthcare Yes - Published # 7,250

As you are aware, Child & Family Psychological Services, Inc. also d/b/a Integrated Behavioral Associates (“CFPS”) had a website which allowed patients to communicate with CFPS. The website included an online intake form (the “Intake Form”) that patients could complete in order to request services with CFPS clinicians, as well as several other communication tools such as requests for prescription refills, requests for appointments, and a general contact form. CFPS engaged ClearPoint Design, Inc. (“ClearPoint”) in 2009 as the vendor to host, maintain and monitor that CFPS website.

Attribution 1 Publication: HIPAA Breach letter / phiprivacy.net Author: Date Published: Article Title: Integrated Behavioral Associates Article URL: http://www.cfpsych.org/HIPAA-Breach-Letter.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-03 South Shore Medical Center MA Electronic Medical/Healthcare Yes - Published # 4,100

This is an important notice for patients of South Shore Medical Center of Norwell, Kingston and Weymouth, Massachusetts. On December 3, 2012, the vendor that hosted our website informed us of a hacking incident that occurred between October 18, 2012 and November 15, 2012. This resulted in unauthorized access to certain information entered on our website between January, 2007 and November 15, 2012. The breach did not impact our electronic health record system or our secure patient portal, MyHealth Online.

Attribution 1 Publication: company website / phiprivacy.net Author: Date Published: Article Title: South Shore Medical Center Article URL: http://www.ssmedcenter.com/SSMC-Public-Notice-010313.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-02 St. Mark's Medical Center TX Electronic Medical/Healthcare Yes - Published # 2,988

On November 15, 2012, we learned that on May 21, 2012, one of our employee’s computers had become infected with malware that appears to have been designed to look for personal information stored on the computer. We immediately began an investigation and engaged a computer forensic investigation firm to examine the computer. Although the firm could not rule out the possibility, they did not find any evidence to confirm that any unauthorized person removed the personal information stored on the computer. If an unauthorized person did gain access to files stored on the computer, they would have been able to view billing files that contained patient names, account numbers, medical record numbers, dates of birth, gender, Social Security numbers, treatment dates, insurance provider names, and account balances. No medical records were accessed in the incident.

Attribution 1 Publication: St. Mark's Medical Center website / phip Author: Date Published: Article Title: St. Mark's Medical Center Article URL: http://www.smmctx.org/news/privacy-notice-for-st-marks-medical-center-patients/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130118-01 Hebrew Health Care CT Electronic Medical/Healthcare Yes - Unknown # 0

On December 18, 2012, an employee informed our client, Hebrew Health Care ("Hebrew Health"), that a spreadsheet containing Hebrew Health employee information had been inadvertently e-mailed to the employee's personal e-mail account earlier that day. As soon as it learned of the incident, Hebrew Health immediately began a thorough investigation to determine what information was on the spreadsheet.

Attribution 1 Publication: NH AG's office Author: Date Published: Article Title: Hebrew Health Care Article URL: http://doj.nh.gov/consumer/security-breaches/documents/hebrew-health-20130111.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-05 Office of Friel Clark and P.A. Joyce ME Electronic Business Yes - Unknown # 0

We want to make you aware of a break-in and theft at our Portland office and the possible impact of that incident on the privacy of some of your personal information. Sometime during the overnight hours of November 18-19, an unknown individual or individuals broke a cellar window in our building and gained access to our Portland office. The intruders went through our offices, opening drawers, closets, apparently looking for anything of value they could take. In addition to some petty cash, the intruders took a portable hard drive that contained back-up of our Portland office's business data. Because our Sanford office uses different servers, no client data from that office is at risk.

Attribution 1 Publication: VT AG's office Author: Date Published: Article Title: Office of Friel Clark and P.A. Joyce Article URL: http://www.atg.state.vt.us/issues/consumer-protection/privacy-and-Data-Security/documents-and-resources5/clark-friel

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-04 Town of Cumberland ME Electronic Government/Military Yes - Published # 275

Cumberland town officials are trying to determine how 275 names and Social Security numbers of current and former town employees were posted to the town's website, a town official said.

Attribution 1 Publication: Portland Press Herald / datalossdb.org Author: Matt Byrne Date Published: Article Title: Cumberland searching for source of personal data breach Article URL: http://www.pressherald.com/news/Cumberland-employees-data-accidentally-leaked-on-web.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-03 City of Macon GA Electronic Government/Military Yes - Unknown # 0

The Bibb County Sheriff’s Office is investigating how hard drives containing names and Social Security numbers of Macon police officers, as well as personal data from other local businesses, were sold through an online auction site. The investigation is still in its early stages and likely will take some time because specially trained investigators must examine 39 hard drives, two computer servers and two central processing units, sheriff’s Capt. Mike Smallwood said Tuesday. The equipment has been turned over to the sheriff’s office. “It’s going to take a little while,” he said. “People think their hard drives are cleared, but that’s not always the case.

Attribution 1 Publication: The Telegraph / databreaches.net Author: By PHILLIP RAMATI Date Published: Article Title: Computers containing personal data sold by city of Macon Article URL: http://www.macon.com/2013/01/08/2309218/computers-containing-personal.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-02 KTSU - Texas Southern University TX Electronic Educational Yes - Unknown # 0

A former KTSU Radio volunteer is behind bars on accusations he stole personal information from hundreds of donors.

Attribution 1 Publication: MyFox Houston / DataBreaches.net Author: Date Published: Article Title: KTSU - Texas Southern University Article URL: KTSU - Texas Southern University

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130117-01 Department of Health UT Electronic Government/Military Yes - Published # 6,000

Personal information for Utah Medicaid recipients has once again been compromised after a USB memory stick containing the data was lost, the state Department of Health announced Wednesday.

Attribution 1 Publication: Deseret News Author: Date Published: Article Title: Health Department reports another data breach Article URL: http://www.deseretnews.com/article/765620371/Health-Department-reports-another-data-breach.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-05 Office of Calvin L. Schuster, MD CA 11/5/2012 Electronic Medical/Healthcare Yes - Unknown # 0

The security, confidentiality, integrity and privacy of patient personal information are highly valued at our office. Unfortunately, we are writing you because of a recent theft. Our office received notice on Monday, November 5, 2012, that there had been a burglary and that an office computer had been stolen, which contained patient personal information. A police report was filed with the Reedley Police Department. Regrettably, the stolen property has not yet been recovered.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Office of Calvin L. Schuster, MD Article URL: https://oag.ca.gov/system/files/Calvin%20Schuster%20Breach%20Notice%20_0.pdf?

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-04 EJ Phair Brewing Co and Ale House CA Electronic Business Yes - Unknown # 0

We are strongly committed to the security of our Cardmembers’ information and strive to let you know about security concerns as soon as possible. A merchant where you used your American Express Card detected unauthorized access to its data files. At this time, we believe the merchant’s affected data files included your American Express Card account number, your name and other Card information such as the expiration date. Importantly, your Social Security number was not impacted and our systems have not detected any unauthorized activity on your Card account related to this incident.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: EJ Phair Brewing Co and Ale House Article URL: https://oag.ca.gov/system/files/EJ%20PHAIR%20BREWING%20CO%20and%20ALE%20HOUS-C2012116470%20CA%20A

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-03 Department of State Health Services TX Electronic Government/Military Yes - Unknown # 0

The Texas Department of State Health Services (DSHS) recently announced that it's investigating a former DSHS Mount Pleasant clinic employee who is alleged to have stolen credit card and other personal information from clients.

Attribution 1 Publication: eSecurity Planet Author: Jeff Goldman Date Published: Article Title: Health Clinic Employee Charged With Identity Theft Article URL: http://www.esecurityplanet.com/network-security/health-clinic-employee-charged-with-identity-theft.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-02 Department of Public Safety - DVS MN Electronic Government/Military Yes - Published # 5,000

State officials said Tuesday they're alerting 5,000 people that a public employee accessed their driver's license information inappropriately, the latest case illustrating widespread misuse of the protected database.

The state's driver and vehicle services (DVS) database, which contains addresses, photographs and driving records on nearly every Minnesotan, has recently been the subject of at least two lawsuits and a criminal case stemming from misuse.

Attribution 1 Publication: StarTribune.com Author: Eric Roper Date Published: Article Title: 5,000 alerted of records breach in abuse of drivers’ data by DNR employee Article URL: http://www.startribune.com/local/187056231.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130116-01 Washington University School of Medicine IL Electronic Medical/Healthcare Yes - Published # 1,100

Washington University in St. Louis has notified more than 1,000 patients about a data breach after the surgeon who treated them over the past decade had his laptop stolen during a conference in Argentina.

Attribution 1 Publication: Health Data Management Author: Joseph Goedert Date Published: Article Title: Washington University Loses Laptop, Notifies Patients Article URL: http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-45514-1.html?ET=healthdatam

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130114-03 Centric Group LLC MO Electronic Business Yes - Unknown # 0

On approximately December 13, 2012, Centric Group learned that its computer system may have been accessed without authorization beginning in August 2010. As of December 21, 2012, based on its internal investigation, Centric Group reasonably believed it had suffered a breach of its system. The data accessed may have included certain customer information, such as the customer's name, credit or debit card number, expiration date, and card verification code.

Attribution 1 Publication: cyberenvoy.com / CA AG's office / NH A Author: Date Published: Article Title: Centric Group LLC Article URL: http://doj.nh.gov/consumer/security-breaches/documents/centric-group-20130109.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130114-02 Department of Juvenile Justice FL Electronic Government/Military Yes - Published # 100,000

State law-enforcement officials are investigating a security breach at the Florida Department of Juvenile Justice that could affect the identities of more than 100,000 DJJ employees and youth offenders, state officials said Friday.

Attribution 1 Publication: Palm Beach Post Author: Julius Whigham Date Published: Article Title: State investigates security breach at Department of Juvenile Justice Article URL: http://www.palmbeachpost.com/news/news/crime-law/state-investigates-security-breach-at-department-o/nTtQB/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130114-01 Zaxby's Franchising GA Electronic Business Yes - Unknown # 0

Zaxby's Franchising, Inc. announced today that certain licensed locations have identified suspicious files on their systems that may have resulted in unauthorized access to credit and debit card information or have been identified by credit card processing companies as common points of purchase for some fraudulent activity.

Attribution 1 Publication: HT - Hospitality Technology Author: Date Published: Article Title: Zaxby's IDs Data Security Breach Article URL: http://hospitalitytechnology.edgl.com/news/Zaxby-s-IDs-Data-Security-Breach84214

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130108-02 Charlotte-Mecklenburg Schools NC 11/28/2012 Electronic Educational Yes - Published # 80

About 80 Charlotte-Mecklenburg Schools employees have been warned to be on guard against identity theft after files containing their personal data were stolen from a human resource employee’s car.

Attribution 1 Publication: Charlotte Observer Author: Ann Doss Helms Date Published: Article Title: CMS files stolen from employee’s car Article URL: http://www.charlotteobserver.com/2013/01/08/3770745/cms-files-stolen-from-employees.html?goback=%2Egde_463675

Attribution 2 Publication: charlotteobserver.com Author: Date Published: Article Title: CMS files stolen from employee’s car Article URL: http://www.charlotteobserver.com/2013/01/08/3770745/cms-files-stolen-from-employees.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130108-01 Morgan Road Middle School GA Electronic Educational Yes - Unknown # 0

Some Morgan Road Middle School students could be in trouble. Not because of their actions at school...but because their personal information, including social security numbers, was stolen.

Their teacher left their information in her car and then her car was broken into. The thieves stole her gradebook and her zip drive. The Richmond County Board of Education sent out a letter letting parents know their child's information had been stolen, but one parent says this wasn't enough.

Attribution 1 Publication: WJBF.com / datalossdb.org Author: Date Published: Article Title: Richmond County Middle School Student's SSNs Stolen Article URL: http://www2.wjbf.com/news/2013/jan/07/richmond-county-middle-school-students-ssns-stolen-ar-5315706/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-03 Mid America Health, Inc. IN Electronic Medical/Healthcare Yes - Published # 1,444

PUBLIC NOTICE: HIPAA Security Breach Mid America Health, Inc. has discovered a potential data breach that may result in the compromise of private information for a number of Maryland residents. The limited information that is potentially compromised includes names, dates of birth, social security numbers, residential facility names, and digital oral x-ray images. It is known that the breach occurred as a result of a theft of a laptop computer containing such information. Since the investigation is ongoing, the State’s Attorney’s office has asked that specifics of the case be withheld until they have concluded their investigation. At the moment, the impact this event may cause is still unclear. However, we believe that the risk of harm to the individuals potentially affected is low because such information was password protected.

Attribution 1 Publication: MAH, Inc. website / hhs.gov Author: Date Published: Article Title: Mid America Health, Inc. Article URL: http://mahweb.com/maryland-hipaa-security-breach/

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-02 University of North Carolina - Lineberger Comprehensive NC Electronic Educational Yes - Unknown # 0

Some 3,500 people had their personal information exposed when hackers hit two servers of the UNC Lineberger Comprehensive Cancer Center. The attack was discovered by UNC-Chapel Hill’s information technology employees in May, yet potential victims were not informed until last week when they received letters from center director Dr. Shelley Earp.

Attribution 1 Publication: Chapel Hill News / datalossdb.org Author: Date Published: Article Title: University of North Carolina - Lineberger Comprehensive Cancer Center Article URL: http://www.chapelhillnews.com/2013/01/04/74450/unc-cancer-center-computers-hacked.html

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130107-01 Oldcastle Law Group GA Electronic Business Yes - Published # 5,083

Please be advised that on or about December 13, 2012, Oldcastle APG, Inc. ("Company") learned that an employee's laptop was stolen during a break-in to her car on or around December 10, 2012. We believe the laptop may have contained some personal information relating to APG employees, including but not limited to, names, bank account information and social security numbers. Immediately upon learning of the theft, the Company contacted the Dekalb County Georgia Sheriff's Department and a police report was filed. To date, the laptop has not been recovered.

Attribution 1 Publication: NH AG's office / databreaches.net Author: Date Published: Article Title: Oldcastle Law Group Article URL: http://doj.nh.gov/consumer/security-breaches/documents/oldcastle-20130102.pdf

ITRC Breach ID Company or Agency State Est. Date Breach Type Breach Category Records Exposed? # Records Rptd ITRC20130104-01 Reyes Beverage Group IL Electronic Business Yes - Unknown # 0

On November 9, 2012, a report containing the names and social security numbers of some of Reyes Beverage Group's California employees was inadvertently sent to the personal email address of an employee of Reinhart Foodservice, a Reyes Holdings company. The report did not include dates of birth, addresses, telephone numbers, driver's license numbers, bank account numbers or any similar sensitive information. This incident occurred due to a coding error which was corrected within hours of its discovery. Reyes Beverage Group values your privacy and deeply regrets that this incident occurred. In addition to correcting the coding, we have implemented additional safeguards designed to prevent a recurrence of this incident and to protect the privacy of our employees.

Attribution 1 Publication: CA AG's office Author: Date Published: Article Title: Reyes Beverage Group Article URL: https://oag.ca.gov/system/files/RBGDataBreachLetterFINAL_0.pdf?

2013 Breaches Identified by the ITRC as of: 8/9/2013 Total Breaches: 360 Records Exposed: 7,534,496

The ITRC Breach database is updated on a daily basis, and published to our website each Tuesday. Unless noted otherwise, each report includes breaches that occurred in the year of the report name (such as "2012 Breach List"), or became public in the report name year, but were not public in the previous year. Each item must be previously published by a credible source, such as an Attorney General's website, TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. We include in each item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and media outlets. ITRC sticks to the facts as reported, and does not add or subtract from the previously published information. When the number of exposed records is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. However, we do not consider password protection as adequate, and we do consider those events to be a data exposure.

What is a breach? A breach is defined as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.

The ITRC Breach Report presents individual information about data exposure events and running totals for the year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure.

Copyright 2013 Identity Theft Resource Center