Breach Report 2010.Pdf

Report Date: Identity Theft Resource Center 12/29/2010 2010 Breach List: Breaches:662 Exposed: 16,167,542 Page 1 of 137

An employee accessed customer credit card accounts.

Attribution 1 Publication: notice to MD AGAuthor: Date Published: 4/2/2010 Article Title: StoresOnline Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU189226.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101223-03 Tiffany and Co. FLPaper Data Business Yes - Unknown # 0

Packages containing customer sales checks from Tiffany's Naples FL store transactions on April 7th, including credit catd numbers may have been "misplaced or lost" during transfer to the Tiffany sales audit dept. At least one MD resident was affected so this may include people from other states besides FL.

Attribution 1 Publication: notice to MD AGAuthor: Carolyn Skawinski Date Published: 5/5/2010 Article Title: Tiffany and Co. Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191079.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101223-02 Serco USElectronic Business Yes - Unknown # 0

Two portable storage devices and 3 laptops were taken from Serco's office in Morrow, GA which supports the Army Reserve's Child, Youth and School Service. Names and SSNs were in at least one of these units.

Attribution 1 Publication: notice to MD AGAuthor: David Goldberg Date Published: 5/5/2010 Article Title: Serco Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191075.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101223-01 Community First Credit Union WI 10/20/2010Electronic Banking/Credit/Financial Yes - Published # 1,600

Over 1,600 consumers that applied for employment online using the company’s website had name, SSN and employment info compromised.

Attribution 1 Publication: WI Office of Privacy ProtectionAuthor: Date Published: 12/23/2010 Article Title: Community First Credit Union Article URL: http://privacy.wi.gov/databreaches/databreaches.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-07 Erickson Retirement MDElectronic Business Yes - Published # 7,300 Communities Employee information including name, SSN and financial information was included in a public folder and accessible to those with Erickson e- mail login accounts. Approx 7300 MD residents are being advised of the incident.

Attribution 1 Publication: notice to MD AGAuthor: Paul Rundell Date Published: 5/14/2010 Article Title: Erickson Retirement Communities Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191058.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-06 CaridianBCT Inc US 5/7/2010Electronic Business Yes - Unknown # 0

A file of current and former employees was "inadvertantly posted" on the company shared drive, and included names and SSNs.

Attribution 1 Publication: notice to MD AGAuthor: Scott Larson Date Published: 5/21/2010 Article Title: CaridianBCT Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191065.pdf

An encrypted laptop was stolen from an employee car however the employee may have also had the passcode written on a sheet of paper in that same vehicle. SSNs were included on the laptop

Attribution 1 Publication: notice to MD AGAuthor: C Blum Date Published: 5/21/2010 Article Title: Chartis Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191070.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-04 Novartis Vaccines and USPaper Data Business Yes - Published # 101 Diagnostics A security guard working for a third party vendor stole customer credit card information from business folders when they made purchases.

Attribution 1 Publication: notice to MD AGAuthor: K Kokrhoun Date Published: 5/21/2010 Article Title: Novartis Vaccines and Diagnostics Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191071.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-03 National Gypsum Company USElectronic Business Yes - Unknown # 0

Towers Watson notified the company that two DVDs had been lost after being picked up from their mailroom for transfer.

Attribution 1 Publication: notice to MD AGAuthor: N. Rodono Date Published: 6/7/2010 Article Title: National Gypsum Company Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191088.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-02 Experian USElectronic Business Yes - Unknown # 0

Unknown party with access code accessed credit reports online. Two reports sent, not sure if same incident.

Attribution 1 Publication: notice to MD AGAuthor: Laura Mundy Date Published: 6/14/2010 Article Title: Experian Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191090.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101221-01 Newland Medical Center MIElectronic Medical/Healthcare Yes - Unknown # 0

A former Newland Medical Center Employee was charged Monday with 15 counts of identity theft and criminal enterprise.Camille Butler of Detroit is accused of stealing cancer patient information and giving it to her boyfriend.

Attribution 1 Publication: Clickon DetroitAuthor: Date Published: 12/20/2010 Article Title: Federal Investigators Shut Down Identity Theft Ring Article URL: http://www.clickondetroit.com/news/26197956/detail.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101220-07 SSA - NY NYElectronic Government/Military Yes - Published # 15,000

The Social Security Administration in New York City says that the Social Security numbers were stolen by a subcontractor who was working in Office of Temporary Disability Assistance making computer infrastructure upgrades. The administration says, while performing the upgrades, the contractor illegally downloaded around 15,000 Social Security numbers from computers belonging to private contractors working for the agency. The agency decides Social Security disability claims.

Attribution 1 Publication: WNYTAuthor: Michael Astrue Date Published: 12/15/2010 Article Title: Social security numbers stolen from state computers Article URL: http://wnyt.com/article/stories/S1884437.shtml?cat=300

A break-in and theft at Concur Technologies headquarters in Washington over the Thanksgiving weekend has resulted in the firm notifying 1,017 employees that their personal information – names, addresses, dates of birth, and Social Security Numbers – were stolen when the thieves stole computer equipment and software.

Attribution 1 Publication: notice to NH AGAuthor: Christine Arevalo Date Published: 12/8/2010 Article Title: Concur Technologies Article URL: http://doj.nh.gov/consumer/pdf/concur_technologies..pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101220-05 Wachenhut Services LLC US 11/29/2010Electronic Business Yes - Unknown # 0

On December 9, Wackenhut Services Limited Liability Company notified the New Hampshire Attorney General’s Office that a hard drive stolen in transit between the firm’s office in Iraq and the firm’s U.S. office contained personal information on past employees, including their first and last names, dates of birth and places of birth, passport numbers, last known home addresses, and Social Security Numbers. The theft was discovered by the security services firm on November 29 and the firm indicated that those affected would be notified by certified mail on Dec. 13.

Attribution 1 Publication: notice to NH AGAuthor: Date Published: 12/9/2010 Article Title: Wachenhut Article URL: http://doj.nh.gov/consumer/pdf/wackenhut.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101220-04 Twin America - CitySights NY NY 9/26/2010Electronic Business Yes - Published # 110,000

According to the notification letter, the database contained unencrypted customer information: names, addresses, email addresses, credit card numbers, card expiration dates, and CVV2 data. Update: InformationWeek now reports the attack was against Twin America, the parent company of CitySights NY

Attribution 1 Publication: InformationWeekAuthor: Mathew J. Schwartz Date Published: 12/22/2010 Article Title: 100,000 Credit Cards Compromised By Data Breach Article URL: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228900062&subSection=Vulnerabil

Attribution 2 Publication: esecurityplanet.com and notice to NH AAuthor: Date Published: 12/17/2010 Article Title: CitySights NY Hit by Security Breach Article URL: http://www.esecurityplanet.com/headlines/article.php/3917571/article.htm

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101220-03 Dr. Lisa Barton CAElectronic Medical/Healthcare Yes - Published # 93

Dr. Lisa Barton is being tried for stealing patient information and using it to get prescription painkillers and identity theft

Attribution 1 Publication: KSWTAuthor: AP Date Published: 12/15/2010 Article Title: SoCal physician pleads guilty to 274 counts Article URL: http://www.kswt.com/Global/story.asp?S=13681673

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101220-02 Saint Louis University MOElectronic Educational Yes - Unknown # 0

Saint Louis University has sent out an email to employees: "...While core Banner and SLUCare systems were not affected, our ITS security team continues to investigate the attack and so far has determined that a database containing some personal information of employees, including Social Security Numbers, was accessed illegally. The system contained information of only those individuals who have been employed at SLU for five or more years."

Attribution 1 Publication: KSDKAuthor: Tim Brooks - VP Sain Date Published: 12/20/2010 Article Title: Saint Louis University staff, students notified of computer breach Article URL: http://www.ksdk.com/news/local/story.aspx?storyid=233993&catid=3

A former Fayetteville business owner was sentenced to more than five years in a federal prison after pleading guilty to identity theft and gun charges. "According to investigators, Pinella obtained customers' credit card numbers when they bought pizza. He would then make fraudulent purchases with the card numbers. Investigators with the U.S. Secret Service, who investigated the identify theft, said Pinella used more than 183 credit card numbers from past patrons for his personal benefit."

Attribution 1 Publication: FayObserverAuthor: Drew Brooks Date Published: 12/19/2010 Article Title: Ex-pizza parlor owner gets 5 years for identity theft Article URL: http://www.fayobserver.com/articles/2010/12/19/1056594?sac=Home

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101217-01 Fingerprint Applicant TXElectronic Business Yes - Unknown # 0 Services of Texas (FAST) A federal court indictment alleges when Angela Cuellar left FAST, she stole thousands of background-check applications she had processed then stole rather than destroy - and that the information was used to obtain credit cards fraudulently, open accounts, and purchase goods and services. The alleged scheme involved FAST applications that are required by licensing and certification agencies such as the Texas Education Agency between March 10, 2008 and July 27,2008 while Cuellar was employed as a live scan operator by Integrated Biometrics Technology in Waco, U.S. Attorney John E. Murphy said Thursday.

Attribution 1 Publication: KWTXAuthor: Date Published: 12/16/2010 Article Title: Local Women Indicted For Identity Theft: Scheme Could Affect Thousands Article URL: http://www.kwtx.com/home/headlines/Four_Local_Women_Indicted_In_Identity_Theft_Scheme_112032149.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101216-01 California Department of CA 9/27/2010Electronic Government/Military Yes - (Password) Publish 3,150 Public Health (CDPH) A magnetic tape containing sensitive personal and medical information for up to 2,550 residents and employees of 600 Southern California skilled nursing facilities has gone missing in the mail, state officials said Wednesday. The tape contains e-mail addresses, investigative reports and background information on healthcare workers, names of health care facility residents, some medical diagnoses and social security numbers of CDPH employees, facility residents and healthcare workers dating from 2003. The material is encrypted under a system that may be hard for a non-state employee to decode, state officials said.

Attribution 1 Publication: HealthLeaders MediaAuthor: Cheryl Clark Date Published: 12/16/2010 Article Title: CDPH Reports 'Big' Data Security Breach Article URL: http://www.healthleadersmedia.com/content/TEC-260264/CDPH-Reports-Big-Data-Security-Breach

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101215-04 Liberty Tax Services VAPaper Data Business Yes - Unknown # 0

Liberty Tax Service appears to have dumped 2008 tax documents into an open dumpster. It was discovered by a stranger who then called her. A search by a news station found the office empty and more documents in the dumpster.

Attribution 1 Publication: WTKRAuthor: Date Published: 12/13/2010 Article Title: Personal information exposed after a Portsmouth tax service improperly disposes tax documents Article URL: http://www.wtkr.com/news/wtkr-pt-liberty-tax-dec13,0,5376292.story

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101215-03 Home Depot - FL FL 12/8/2010Electronic Business Yes - Unknown # 0

On December 8, 2010 the Loss Prevention Officer from The Home Depot reported that an employee had been observed skimming credit card information from customers.

Attribution 1 Publication: Florida News WCTVAuthor: LCOS press release Date Published: 12/15/2010 Article Title: Detectives Arrest Home Depot Employee for Stealing Credit Card Information Article URL: http://www.wctv.tv/floridanews/headlines/Detectives_Arrest_Home_Depot_Employee_for_Stealing_Credit_Card_Inform

Potentially more than 200,000 files from the last 20 years of the Mesa County Sheriff’s Office of Colorado, including names, Social Security numbers and contact information on drug informants, employees, suspects and victims in criminal investigations, were publicly available on the Internet from April to November this year. Information on people who had been served with civil papers, had spent time in the county jail or had applied for a concealed weapons permit also was exposed.

Attribution 1 Publication: GCNAuthor: Kathleen Hickey Date Published: 12/15/2010 Article Title: Personal info on drug informants, suspects, others exposed in Colo. Article URL: http://gcn.com/articles/2010/12/15/colorado-sheriff-exposes-personal-info.aspx

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101215-01 Ohio State University OH 10/25/2010Electronic Educational Yes - Published # 760,000

During a routine information-technology security review in late October, suspicious log-in activity was discovered on a university computer server that contains personal information of approximately 760,000 individuals. This would include current and former faculty, students and staff as well as applicants and other individuals who have been associated with the university. There is no evidence that any personal data were acquired, however information on the server included name, Social Security number, date of birth, and address. No OSU Medical Center patient records or student health records were involved.

Attribution 1 Publication: Columbus Business FirstAuthor: Date Published: 12/15/2010 Article Title: OSU reports hackers accessed student, employee data Article URL: http://www.bizjournals.com/columbus/news/2010/12/15/osu-reports-hackers-accessed-student.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-10 Emily Morgan Hotel TXElectronic Business Yes - Published # 17,000

The hotel didn't learn of the thefts until August 2008, and since then, federal investigators have learned at least 17,000 receipts were stolen in what they say is San Antonio's largest identity theft case. Details had remained sketchy until the ringleader, Ruben “Hollywood” Costello, 36, recently pleaded guilty to ID theft fraud conspiracy, access device fraud, and conspiracy to launder money, and documents in the case were unsealed. They identify Jones, 34, as his partner in the crimes and name him and Flaharty, 31, as two people who helped take the records from the Emily Morgan. The receipts, officials say, helped the men manufacture counterfeit credit cards in document “boiler rooms” and card “chop shops,” which they then used to buy $300,000 worth of merchandise in Texas, Oklahoma and Louisiana.

Attribution 1 Publication: My SAAuthor: Guillermo Contreras Date Published: 12/2/2010 Article Title: Ringleader pleads in S.A.'s largest ID theft case Article URL: http://www.mysanantonio.com/news/local_news/article/Ringleader-pleads-in-S-A-s-largest-ID-theft-case-859510.php

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-09 American Check Cashers of OK 12/3/2010Paper Data Business Yes - Unknown # 0 Oklahoma LLC Another company discovered hundreds of documents contained all sorts of personal information, dating as far back as 2004 and as early as 2009. An employee managed to save 96 of them before sanitation workers came by and emptied the dumpster. "Blank checks, social security cards, id's, bank statements, telephone statements, everything. I mean it's, it's quite extensive," Probst said. The owner of the breached company said there were two stacks- one for shredding and one for tossing that apparently got mixed up.

Attribution 1 Publication: KJRHAuthor: Jason Grubbs Date Published: 12/3/2010 Article Title: Hundreds of personal documents found in dumpster Article URL: http://www.kjrh.com/dpp/news/local_news/hundreds-of-personal-documents-found-in-dumpster

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-08 Dartmouth College NH 11/8/2010Electronic Educational Yes - Published # 147

Dartmouth College has notified the New Hampshire Attorney General’s Office that a storage device stolen from a secure room on or about Nov. 8 contained credit card information on 147 freshmen or their parents. According to the letter sent Nov. 22, data on the stolen device contained some combination of student and/or parent names, phone numbers, and full card numbers with expiration dates. The data had been collected for the Dartmouth Outdoor Club First Year Trips Program for the incoming freshmen.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: notice to NH AGAuthor: C Lark Date Published: 11/22/2010 Article Title: Dartmouth College Article URL: http://doj.nh.gov/consumer/pdf/dartmouth-college.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-07 Kmax Systems FL 12/1/2010Paper Data Business Yes - Unknown # 0

KMax Systems said a new manager threw out a box of job applications in a Dumpster by mistake. The files contain personal information including SSNs. KMax sells Kirby vacuum cleaners door-to-door.

Attribution 1 Publication: Click Orlando WKMGAuthor: Date Published: 12/2/2010 Article Title: Company Dumps Files, Exposing Personal Information Article URL: http://www.clickorlando.com/news/26002104/detail.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-06 Gregg County Tax Assessor TXElectronic Government/Military Yes - Unknown # 0

An international cyber attack on the Gregg County Tax Assessor has cost at least seven taxing entities a total of about $200,000, officials said Monday. Other Texas counties could also be victims. The cyber theft hijacked local tax payments from a daily electronic transfer, that day totaling $690,000, destined for schools and cities in what tax assessor/collector Kirk Shields described as the first such incident he’s seen in his 14 years leading the department. Also known as siphoning this is a form of electronic breach into the gvt database to intercept bank transfers.

Attribution 1 Publication: News JournalAuthor: Glenn Evans Date Published: 12/11/2010 Article Title: Cyber thieves hit Gregg County for $200K Article URL: http://www.news-journal.com/news/local/article_435ad702-0626-595b-990e-1ba232f50bca.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-05 Methodist Theological School OH 10/13/2010Electronic Educational Yes - Unknown # 0

The Methodist Theological School in Ohio notified the New Hampshire Attorney General’s Office that a laptop stolen on October 13 from a locked off-campus site contained personal information on “some individuals with a connection to MTSO.” The personal information for any one individual may have included name, date of birth, Social Security number, letter grades received in completed courses, and financial payments received. No financial account numbers were stored on the laptop, however.

Attribution 1 Publication: notice to NH AGAuthor: J Jump Date Published: 12/10/2010 Article Title: Methodist Theological School Article URL: http://doj.nh.gov/consumer/pdf/methodist_theological.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-04 Genesco USElectronic Business Yes - Unknown # 0

Genesco Inc. (NYSE: GCO) announced today that it suffered a criminal intrusion into the portion of its computer network that processes payment card transactions for its United States Journeys, Journeys Kidz, Shi by Journeys and Johnston & Murphy stores, and for some of its Underground Station stores.

Attribution 1 Publication: genesco websiteAuthor: Robert Dennis Date Published: 12/10/2010 Article Title: Genesco Article URL: http://www.genesco.com/images/stories/a_message_from_genesco_ceo.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-03 Chicken Express TXElectronic Business Yes - Published # 6,500

Chicken Express was one of the businesses used by a crime ring to skim credit cards. One of the employees was found due to an investigation by law enforcement task forces. She had several accomplices who have also been committing identity theft schemes.

Attribution 1 Publication: 19 KYTXAuthor: Date Published: 12/10/2010 Article Title: Update: Fourth suspect in custody in credit card fraud Article URL: http://www.cbs19.tv/Global/story.asp?S=13639328

How is this report produced? What are the rules? See last page of report for details.

Attribution 2 Publication: Athens Daily ReviewAuthor: Rich Flowers Date Published: 12/8/2010 Article Title: Locals named in fraud ring Article URL: http://www.athensreview.com/local/x1894468651/Locals-named-in-fraud-ring

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-02 Southwestern Indiana IN 11/8/2010Electronic Business Yes - (Password) Publish 757 Regional Council on Aging, The Southwestern Indiana Regional Council on Aging, Inc. (SWIRCA) is in the process of notifying 757 clients of a breach of their protected personal information due to the theft of a case manager's laptop computer from SWIRCA's offices sometime between Nov 4-8. It is double password protected but does have Names and SSNs. See also www.swirca.org.

Attribution 1 Publication: Warrick PublishingAuthor: Date Published: 12/10/2010 Article Title: SWIRCA laptop computer stolen Article URL: http://www.tristate-media.com/warrick/community/community_news/article_8936b50e-02de-11e0-a000-001cc4c03286.ht

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101213-01 University of Wisconsin - WI 10/26/2010Electronic Educational Yes - Published # 60,000 Madison UW-Madison disclosed that a campus database containing Social Security numbers of 60,000 former students and staff had been repeatedly hacked or accessed since 2008. One of the files in the Wiscard system, which is administered through the Wisconsin Union, contained old university photo IDs that had social security numbers embedded in the ID number along with corresponding cardholder names.

Attribution 1 Publication: ExaminerAuthor: Joe Campana Date Published: 12/12/2010 Article Title: Wisconsin bungles another data breach and ID theft threat to 60,000 Article URL: http://www.examiner.com/identity-theft-in-national/wisconsin-bungles-another-data-breach-and-id-theft-threat-to-60-000

Attribution 2 Publication: WI State JournalAuthor: Samara Derby Date Published: 12/10/2010 Article Title: UW-Madison warns 60,000 of card data theft Article URL: http://host.madison.com/wsj/news/local/education/university/article_f5966aac-0408-11e0-af11-001cc4c03286.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101202-05 Mercer and Marsh MDElectronic Business Yes - Published # 1,463

Marsh and Mercer had a server back-up tape lost by a 3rd party courier whilst being sent from one office to another. At least 1400 MD residents are involved due to the loss of name and SSN which is listed in their employee benefit program info.

Attribution 1 Publication: notice to MD AGAuthor: C. John Requist Date Published: 8/4/2010 Article Title: Marsh and Mercer Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191095A.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101202-04 T-Mobile US 6/21/2010Paper Data Business Yes - Published # 22

An employee copied credit card numbers while at work at the call center.

Attribution 1 Publication: notice to MD AGAuthor: Jennifer Etkin Date Published: 10/13/2010 Article Title: T-Mobile Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191097.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101202-03 University of Arizona AZElectronic Educational Yes - Published # 8,300

A missing hard drive prompted University of Arizona officials to notify 8,300 former students that their identities could be at risk. Some records contain SSNs

Attribution 1 Publication: Arizona Daily StarAuthor: Becky Pallack Date Published: 12/2/2010 Article Title: Records of 8,300 former UA students are missing Article URL: http://azstarnet.com/news/local/article_3e42fcde-fe2d-11df-a857-001cc4c03286.html

How is this report produced? What are the rules? See last page of report for details. ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101202-02 BlueCross BlueShield - Triple US 9/9/2010Electronic Business Yes - Published # 400,000 S Management (Puerto Rico) Triple S Management, a licensee of BCBS in Puerto Rico, announced that employees of competitors hacked into their computer system and accessed the records of 400,000+ members. The breach is also listed a Puerto Rico Dept. of Health on the HHS breach website

Attribution 1 Publication: HealthdatamanagementAuthor: Joseph Goedert Date Published: 11/29/2010 Article Title: Puerto Rico Breach Affects 400,000+ Article URL: http://www.healthdatamanagement.com/news/breach-blues-puerto-rico-notification-hitech-41409-1.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101202-01 Houston Independent School TX 10/4/2010Electronic Educational Yes - Unknown # 0 District (HISD) The HISD system was breached Oct 4th by a hacker. It appears only one student's information was viewed but all HISD students, employees, job applicants over the past 10 years, and vendors information was vulnerable. This includes student grades, Social Security numbers, drivers license numbers, addresses, phone numbers, birth dates, salary information, and employee direct‐deposit banking information.

Attribution 1 Publication: district websiteAuthor: press release Date Published: 12/2/2010 Article Title: HISD Article URL: http://www.houstonisd.org/HISDConnectEnglish/Images/Documents/NetworkSecurityBreach_FAQ.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-06 State Farm - FL USElectronic Business Yes - Unknown # 0

A employee stole information and sold it "to a third party" so that it could be used for identity theft purposes.

Attribution 1 Publication: notice to MD AGAuthor: Debra Vasey Date Published: 6/24/2010 Article Title: State Farm Florida agent Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191099.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-05 K Hovnanian Enterprises US 1/25/2010Electronic Business Yes - Published # 799

A spreadsheet with almost 800 names and SSNs of current/former employees was accidentally posted to the company's X drive and visible to others.

Attribution 1 Publication: notice to MD AGAuthor: Jackson Lewis Date Published: 6/30/2010 Article Title: K Hovnanian Enterprises Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191102.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-04 ING Americas US 6/3/2010Electronic Business Yes - Unknown # 0

A password encrypted file from ReliaStar Life Insurance Company was sent to a 3rd party HR department. The information contained names and SSNs and at least 470 MD residents were affected; the total was not listed.

Attribution 1 Publication: notice to MD AGAuthor: Lael Bellamy Date Published: 7/1/2010 Article Title: ING Americas Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191131.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-03 WA State Employees Credit WA 11/23/2010Paper Data Banking/Credit/Financial Yes - Unknown # 0 Union Three agencies were found to be placing sensitive documents in a recycle bin outside of a state-owned building instead of shredding them. Names and Social Security numbers, health and injury claims, and copies of business checks complete with account and routing numbers were in plain sight. WA State Department of Labor and Industries, Court of Appeals and Washington State Employees Credit Union. According to onlookers despite the warning, there are still papers being added to the recycle bin with information on them.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: KOMOAuthor: Tracy Vedder Date Published: 11/23/2010 Article Title: ID theft bonanza left unsecured at state building Article URL: http://www.komonews.com/news/problemsolvers/110243174.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-02 WA Court of Appeals WA 11/23/2010Paper Data Government/Military Yes - Unknown # 0

Three agencies were found to be placing sensitive documents in a recycle bin instead of shredding. Names and Social Security numbers, health and injury claims, and copies of business checks complete with account and routing numbers were in plain site. WA State Department of Labor and Industries, Court of Appeals and Washington State Employees Credit Union. According to onlookers despite the warning, there are still papers being added to the recycle bin with information on them.

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101201-01 WA State Department of WA 11/23/2010Paper Data Government/Military Yes - Unknown # 0 Labor & Industries Three agencies were found to be placing sensitive documents in a recycle bin instead of shredding. Names and Social Security numbers, health and injury claims, and copies of business checks complete with account and routing numbers were in plain site. WA State Department of Labor and Industries, Court of Appeals and Washington State Employees Credit Union. According to onlookers despite the warning, there are still papers being added to the recycle bin with information on them.

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-16 Knights of Columbus CT 6/15/2010Paper Data Business Yes - Published # 268

Some of the Knights of Columbus underwriting reports were found outside and included names, DL#, SSN, medical information and financial account number.

Attribution 1 Publication: notice to MD AGAuthor: Jackson Lewis Date Published: 10/15/2010 Article Title: Knights of Columbus Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191141.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-15 Ameriprise Financial Services USElectronic Business Yes - Unknown # 0

A back-up hard drive used by an independent contractor was stolen and held names, SSNs and other financial information. The MD AG just added it to their list in October.

Attribution 1 Publication: notice to MD AGAuthor: Dedenbach Date Published: 7/14/2010 Article Title: Ameriprise Financial Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191145.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-14 Principal Funds US 6/22/2010Paper Data Business Yes - Unknown # 0

Some confirmation statements were mailed to the wrong customers resulting in them receiving the information of others - account number, name, transaction records. The PIN was not sent nor was the SSN. This occurred between June 22 - July 2. The notification letter was released in October 2010 by the AG.

Attribution 1 Publication: notice to MD AGAuthor: Cary Fuchs Date Published: 7/20/2010 Article Title: Principal Funds Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191149.pdf

Guests at various Shell Vacations resorts have reported fraudulent activity on credit and debit cards. This incident, which may have affected certain Shell Vacations guests and employees occurred between June 2010 and October 2010. The company is unsure of how this breach occurred. The company owns 26 properties in various states.

Attribution 1 Publication: company websiteAuthor: press relations Date Published: 11/30/2010 Article Title: Frequently Asked Questions Regarding Credit Card Data Issues Article URL: http://www.shellhospitality.com/faq.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-12 Farmers Insurance - CA CA 3/16/2010Electronic Business Yes - Unknown # 0

Computer equipment with names, SSNs, addresses, insurance policy numbers, DL numbers, and other information was stolen from an office in San Diego, Michael Abdou Insurance

Attribution 1 Publication: notice to MD AGAuthor: Rudy Trevino Date Published: 7/26/2010 Article Title: Farmers Insurance Article URL: http://www.heraldextra.com/news/local/article_1e5021b1-24ba-5842-8e30-cfa84490e268.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-11 High Point University NCElectronic Educational Yes - Unknown # 0

In late June students began to complain that their credit cards were used for fraudulent purposes. All tracked back to the University as the originating source of breach. The perpetrator also seems to have access to names, parent's maiden names and SSNs. To date about 650 MD residents have been advised of the situation.

Attribution 1 Publication: notice to MD AGAuthor: William Duncan Date Published: 7/15/2010 Article Title: High Point University Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191155.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-10 NVR Ryan Homes USElectronic Business Yes - Unknown # 0

A password protected laptop was stolen from a Model Home Sales Office and contained customer information including names and SSNs.

Attribution 1 Publication: notice to MD AGAuthor: Jack Sack Date Published: 8/3/2010 Article Title: NVR Ryan Homes Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191171.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-09 Walsh Pharmacy MA 6/5/2010Electronic Medical/Healthcare Yes - Published # 11,400

A DVD containing prescription and other information mailed on June 3 by McKesson Pharmacy Systems — a business associate systems vendor for Walsh Pharmacy — was not received at the pharmacy. The DVD contained personal information of pharmacy patients, including names and in some instances social security, health care and driver’s license numbers, as well as prescription information. No credit or debit card, or bank account numbers were on the DVD.

Attribution 1 Publication: Herald NewsAuthor: Will Richmond Date Published: 8/6/2010 Article Title: Walsh Pharmacy customers at risk of identity theft Article URL: http://www.heraldnews.com/news/x1869746710/Walsh-Pharmacy-customers-at-risk-of-identity-theft

Attribution 2 Publication: notice to MD AGAuthor: Date Published: 8/4/2010 Article Title: Walsh Pharmacy Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191174.pdf

A pile of documents that appeared to come from Farber Enterprises in Kerrville was found near a bridge. In the pile of papers were receipts, invoices and canceled checks. There were also phone numbers, addresses, drivers licenses and a Social Security card. The documents were reported to The Texas Attorney General's Office and Harlingen police. The paperwork will be turned over to the AG's office.

Attribution 1 Publication: KRGVAuthor: Farrah Fazal Date Published: 11/30/2010 Article Title: Pile of Sensitive Documents Found Near Bridge Article URL: http://www.krgv.com/news/local/story/Pile-of-Sensitive-Documents-Found-Near-Bridge/kanA4_oO8kGVBHKwFblvyQ.cs

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-07 Verizon Wireless US 2:08:00 AMElectronic Business Yes - Unknown # 0

On August 4, Verizon Wireless notified the Maryland Attorney General’s Office of a security incident. According to their letter, an investigation revealed that sometime between February 8 and May 19, 2010, someone unrelated to Verizon Wireless accessed a system containing some customer information. The types of customer information that the intruder could have accessed included names, billing addresses, phone numbers, SSN, and information about the wireless accounts (price plans, features, and mobile numbers).

Attribution 1 Publication: notice to MD AGAuthor: Michael Holden Date Published: 8/4/2010 Article Title: Verizon Wireless Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191175.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-06 Dr. Ward Morris, DDS MD 7/16/2010Electronic Medical/Healthcare Yes - (Password) Unkno 0

A computer was stolen from the offices of dentist Ward Morris. Password protected but contained names and SSNs of clients

Attribution 1 Publication: notice to MD AGAuthor: C Arevalo Date Published: 8/10/2010 Article Title: Dr. Ward Morris Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191179.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-05 Atlanta Housing Authority GAElectronic Government/Military Yes - Unknown # 0

In response to a request for information by an advocacy group, the AHA accidentally also provided the names and SSNs of clients the agency is working with.

Attribution 1 Publication: notice to MD AGAuthor: Gloria Green, General Date Published: 8/13/2010 Article Title: Atlanta Housing Authority Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191178.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-04 Darden Restaurant Chain FL 8/28/2010Electronic Business Yes - (Password) Unkno 0

A laptop was stolen from an locked employee car that contained information on employees including names and SSN. It was password protected

Attribution 1 Publication: notice to MD AGAuthor: Bruce Brown, Associa Date Published: 9/30/2010 Article Title: Darden Restaurant Chain Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191415.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-03 Cheseapeake Energy Corp OK 7/29/2010Paper Data Business Yes - Published # 957

On July 29, a box containing papers with "owners" information fell off of a shredding vendor's truck. The information included names and SSNs.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: notice to MD AGAuthor: Paul Trimble Date Published: 9/20/2010 Article Title: Cheseapeake Energy Corp Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191413.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-02 Science Applications USElectronic Business Yes - Unknown # 0 International Corp (SAIC) In a letter sent on June 30th to the MD AG, SAIC disclosed that the loss of a backup tape may have exposed names, SSNs and dates of birth. It was not clear if these names were former/current employees or customers.

Attribution 1 Publication: notice to MD AGAuthor: Amy Carlson Date Published: 9/17/2010 Article Title: SAIC Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191101.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101130-01 Hillsborough County FLPaper Data Government/Military Yes - Unknown # 0 Supervisor of Elections Someone dumped election petitions that contained voters' names, voter registration numbers, addresses, dates of birth, political affiliation, and signature. So who dumped the petitions? The Hillsborough County Supervisor of Elections' office says they never received any petitions.

Attribution 1 Publication: ABC Action NewsAuthor: Michael George Date Published: 11/30/2010 Article Title: Thousands of voters' personal information left in dumpster Article URL: http://www.abcactionnews.com/dpp/news/region_hillsborough/thousands-of-voters'-personal-information-left-in-dump

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101129-03 St. Francis Hospital OKElectronic Medical/Healthcare Yes - Published # 60

Two hospital employees stole patient data including SSNs to obtain credit cards. They were sentenced late November.

Attribution 1 Publication: Tulsa WorldAuthor: David Harper Date Published: 11/24/2010 Article Title: Tulsa woman's sentence nearly 4 years for credit-card fraud Article URL: http://www.tulsaworld.com/webextra/content/2010/crimesite/article.aspx?subjectid=450&articleid=20101124_14_A20_A

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101129-02 University of Tennessee TN 11/4/2010Paper Data Medical/Healthcare Yes - Published # 8,000 Medical Center Close to 8,000 patients at UT Medical Center found out that an administrative report was thrown in the trash instead of shredded like the hospital policy. While there was no information on the outside of the report, there was patient information including their name and a social security number inside of the report.

Attribution 1 Publication: WBIRAuthor: Date Published: 11/26/2010 Article Title: UT Medical Centers alerts patients about possible security incident Article URL: http://www.wbir.com/news/article/144680/2/UT-Medical-Centers-alerts-patients-about-possible-security-incident

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101129-01 Pacific Hospital of Long CAElectronic Medical/Healthcare Yes - Published # 14 Beach An official report of findings by the CDPH indicates that Pacific Hospital self-reported the violation and terminated the employee, working closely with local law enforcement. Police arrested the healthcare worker - a female telemetry technician/unit clerk in the Medical/Surgical unit - on November 5, 2009. The CDPH began their investigation the following day. The employee admitted her crimes to police in December 2009. According to police reports cited in the CDPH investigation, she "Admitted to memorizing several patients' profiles, going home, and writing the memorized profiles on papers. She then allowed other people to use this information in order to open up fraud accounts with Verizon."

Attribution 1 Publication: Long Beach NewsAuthor: Ryan ZumMallen Date Published: 11/22/2010 Article Title: Pacific Hospital Self-Reported Employee Fraud, Still Fined $225k Article URL: http://www.lbpost.com/news/ryan/10700

Due to a programming error, the SSN of the Writing agent was visible through the contracted broker's portal and may have been visible to individual applicants. It included name and SSN.

Attribution 1 Publication: notice to MD AGAuthor: P Todd Cioni Date Published: 9/21/2010 Article Title: CareFirst Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191409.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101123-02 VisionQuest US 6/7/2010Electronic Business Yes - Unknown # 0

Laptop stolen from employees car included names and SSNs of clients. Added to MD list on 9/24/10. 208 MD residents affected, does not indicate total number of records.

Attribution 1 Publication: notice to MD AGAuthor: Phyllis Yester Date Published: 6/11/2010 Article Title: VisionQuest Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191092.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101123-01 University of Central Missouri MOElectronic Medical/Healthcare Yes - Published # 90,000

Investigators traced a computer hacking scheme to two University of Central Missouri students. A federal grand jury indicted the former Central Missouri students for an alleged computer hacking scheme in which they gained unauthorized access to the UCM computer network where they downloaded databases with thousands of faculty, staff, alumni and student information that they later tried to sell. Camp allegedly tried to sell 90,000 identities to a person in New York for $35,000.

Attribution 1 Publication: Pitch.comAuthor: Justin Kendall Date Published: 11/23/2010 Article Title: Joseph Camp and Daniel Fowler indicted for computer hacking at University of Central Missouri Article URL: http://blogs.pitch.com/plog/2010/11/joseph_camp_daniel_fowler_computer_hackers.php

Attribution 2 Publication: Kansas City StarAuthor: Mark Morris Date Published: 11/22/2010 Article Title: Two former University of Central Missouri students charged with hacking, identity theft Article URL: http://www.kansascity.com/2010/11/22/2462909/two-former-university-of-central.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-11 EOD Technology (EODT) TN 8/1/2008Electronic Business Yes - Unknown # 0

EOD Technology (EODT) recently notified the New Hampshire Attorney General’s Office of a breach that occurred in August 2008. They became aware that one of their computers had been accessed by an individual or individuals outside of the U.S. while the computer was connected to a non-EODT network. The incident was reported to the FBI at the time but there was no indication of harm. The FBI has now found that names and SSNs of employees have been accessed. "EOD Technology, Inc. (EODT) is a professional services company providing strategic stability operations support and integrated critical mission solutions that ensure the safety and operational readiness of government and corporations worldwide."

Attribution 1 Publication: notice to NH AGAuthor: Leo Beale Date Published: 11/12/2010 Article Title: EOD Technology (EODT) Article URL: http://doj.nh.gov/consumer/pdf/eodt.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-10 Hanger Orthopedic Group TX 11/4/2010Electronic Medical/Healthcare Yes - (Password) Unkno 0

By letter dated November 12, the firm reported that a laptop was stolen from an employee in the Human Resources Department on November 4. The laptop contained several human resource related files, which “we unfortunately believe may have contained certain personal information, including employee names, addresses, and social security numbers. ” The laptop was reportedly password-protected but not all of the contents were encrypted.

Attribution 1 Publication: notice to NH AGAuthor: Julie Kim Date Published: 11/12/2010 Article Title: Hanger Orthopedic Group Article URL: http://doj.nh.gov/consumer/pdf/hanger-orthopedic.pdf Copyright 2010 Identity Theft Resource Center Report Date: Identity Theft Resource Center 12/29/2010 2010 Breach List: Breaches:662 Exposed: 16,167,542 Page 14 of 137

How is this report produced? What are the rules? See last page of report for details.

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-09 US Federal Reserve Bank of USElectronic Banking/Credit/Financial Yes - Published # 400,000 Cleveland A Malaysian man has been charged with hacking into major U.S. corporations, including the U.S. Federal Reserve Bank of Cleveland and FedComp, a company that processes financial transactions for credit unions. U.S. Secret Service investigators found more than "400,000 stolen credit and debit card account numbers allegedly obtained by hacking into various computer systems of other financial institutions," the Secret Service said in a news release. ITRC NOTE: it is not known how many of the breaches listed connect to this case. FedComp is on the breach list already but none of the others listed are.

Attribution 1 Publication: ComputerworldAuthor: Robert McMillan, IDG Date Published: 11/18/2010 Article Title: Malaysian charged with hacking Federal Reserve, others Article URL: http://www.computerworld.com/s/article/9197220/Malaysian_charged_with_hacking_Federal_Reserve_others

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-08 New York Life Insurance - USElectronic Business Yes - Unknown # 0 AARP A mailing error by New York Life Insurance has exposed the fact that AARP insurance program reviews were sent to the wrong people: information including customer's names, date of birth, and policy number.

Attribution 1 Publication: WBAL TVAuthor: Date Published: 11/19/2010 Article Title: Insurance Glitch Affects AARP Customers Article URL: http://www.wbaltv.com/money/25855398/detail.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-07 1st Source Bank INElectronic Banking/Credit/Financial Yes - Unknown # 0

Some 1st Source Bank customers got a letter Friday informing them they will be getting a new pin and debit card in the mail. The letter said there was a breach at a third-party payment service, and some account numbers and card expiration dates may have been exposed. ITRC- No other information is available

Attribution 1 Publication: WNDUAuthor: Rich Molina Date Published: 11/19/2010 Article Title: Some 1st Source Bank customers get letter informing them of possible security breach Article URL: http://www.wndu.com/localnews/headlines/Some_First_Source_Bank_customers_get_letter_informing_them_of_possi

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-06 Shaw Air Force Base SCElectronic Government/Military Yes - Unknown # 0

Instances of credit card fraud involved Shaw Air Foci Base 20th Force Support Squadron buildings at Shaw. No Army and Air Force Exchange Service facilities. The cause of the breach is not yet known.

Attribution 1 Publication: Air Force TimesAuthor: staff Date Published: 11/21/2010 Article Title: Shaw airmen exposed to credit card fraud Article URL: http://www.airforcetimes.com/news/2010/11/air-force-shaw-credit-card-fraud-112110w/

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-05 BECU - Renton WAElectronic Banking/Credit/Financial Yes - Unknown # 0

Prosecutors have filed charges against two men believed to have defrauded hundreds of BECU members by "skimming" debit cards at Seattle-area ATMs. During periods in Sept., the alleged thieves attached skimmers and cameras to the Renton ATM. "Only a small fraction of the victims in this case have been contacted thus far regarding their loses," Deputy Prosecutor Lisa Napoli O'Toole told the court. "Once the investigation is completed, hundreds of additional counts of identity theft may be charged."

Attribution 1 Publication: Seattle PIAuthor: LEVI PULKKINEN Date Published: 11/19/2010 Article Title: Two charged in BECU ID theft thought to impact 100s Article URL: http://www.seattlepi.com/local/430469_BECU19.html

On October 25, a VA employee in Honolulu took home a list with 180 Veterans’ information, including their full SSN, to have his spouse help him develop a Word document from the list. The employee tried to email the completed Word document to his VA email account but the VA server rejected it. All the documents are back in the hands of the HIMS Chief. She has consulted with HR on the matter and will counsel the employee. The Veterans received a letter offering credit protection services.

Attribution 1 Publication: report to CongressAuthor: VA Date Published: 10/25/2010 Article Title: VA Honolulu Article URL: http://www4.va.gov/ABOUT_VA/docs/monthly_rfc_oct2010.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-03 Veterans Affairs - NY US 10/15/2010Paper Data Government/Military Yes - Published # 146 Education Department On October 25, the Education Department was moving from one storage area to another in the Bronx and a box containing information pertaining to 146 employees who took the Cardiopulmonary Resuscitation (CPR) test was left in the open. The location was accessible by employees as well as volunteers. Privacy information included employee’s names and social security numbers. The employees were notified and offered credit protection.

Attribution 1 Publication: report to CongressAuthor: Veterans Affairs Date Published: 10/25/2010 Article Title: VA Education Department in NY Article URL: http://www4.va.gov/ABOUT_VA/docs/monthly_rfc_oct2010.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-02 Veterans Affairs - TN US 10/8/2010Electronic Government/Military Yes - Published # 240

A Regional Office (RO) guard at the Veterans Benefits Administration in Tennessee found an unencrypted thumb drive inside the facility doors on October 8. The guard took the drive home to investigate. The guard’s spouse identified the information on the thumb drive as VA sensitive information and the thumb drive was turned in VA custody the next morning. The thumb drive belonged to a VA staff member and had fiduciary information for approximately 240 Veterans and/or beneficiaries. Their full names, SSNs, DOBs, mailing addresses, medical data (health information), and other financial information was included. The thumb drive was the personal property of the employee.

Attribution 1 Publication: DVAAuthor: report to Congress Date Published: 11/16/2010 Article Title: Veterans Affairs October Report to Congress Article URL: http://www4.va.gov/ABOUT_VA/docs/monthly_rfc_oct2010.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101122-01 Coliseum Hospital GAElectronic Medical/Healthcare Yes - Unknown # 0

A former Coliseum Hospital employee accessed a secure area and logged into hospital computer records that contain patient information.

Attribution 1 Publication: Macon NewsAuthor: Phillip Ramati Date Published: 11/20/2010 Article Title: Ex-Macon hospital worker accused of accessing patient information Article URL: http://www.macon.com/2010/11/20/1347629/ex-hospital-worker-accused-of.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101117-04 Kayser-Roth, Golden Lady NC 10/15/2010Electronic Business Yes - (Password) Unkno 0 Group Kayser-Roth Corporation, an affiliate of Golden Lady Group had a password-protected laptop stolen from their corporate office in Greensboro, North Carolina which contained personal and financial information on an unspecified number of current and former employees including SSNs and bank account info. The laptop, which was stolen from the Corporate Payroll Department sometime between 4:30 pm on October 14 and 7:15 am on October 15. In their police statement, they reported the value of the employee information as $1.00

Attribution 1 Publication: notice to NH AGAuthor: Lisa Furdas Date Published: 11/4/2010 Article Title: Kayser-Roth, Golden Lady Group Article URL: http://doj.nh.gov/consumer/pdf/kayser_roth.pdf

ECS, also an online store, became aware of the intrusion on October 15, and their investigation revealed that 1300 customers’ information may have been compromised. Personal information in the database included names, addresses, telephone numbers, email addresses, and/or credit card or debit card information

Attribution 1 Publication: notice to NH AGAuthor: Sam Mammen Date Published: 10/8/2010 Article Title: ECS Learning Systems Article URL: http://www.atg.state.vt.us/assets/files/ECS%20Learning%20Systems%20Security%20Breach.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101117-02 Monadnock Community Bank NHElectronic Banking/Credit/Financial Yes - Unknown # 0

MCB’s card processor notified it that an unnamed third party payment service provider’s network had a data breach involving customer information, including debit card numbers, expiration dates, CVC, and PIN offset for 13 New Hampshire residents. The total number of affected customers was not reported.

Attribution 1 Publication: notice to NH AGAuthor: Donald Blanchette Date Published: 11/9/2010 Article Title: Monadnock Community Bank Article URL: http://doj.nh.gov/consumer/pdf/monadnock_bank2.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101117-01 Messiah College PA 11/1/2010Electronic Educational Yes - Published # 43,000

A computer hard drive containing personal information of 43,000 current, former and prospective Messiah College students disappeared about two weeks ago, a representative of the small private college said Monday. The external hard drive -- which backed up information on a laptop in the financial aid department -- contained data like social security numbers, transcripts and dates of birth. A total of 43,000 students, alumni and prospectives and some of their parents from 1994 to 2010 are affected. Update: The missing hard drive was found according to reports on Nov. 19. ITRC note- Who may have seen it or what happened to it was not explained.

Attribution 1 Publication: WGALAuthor: Date Published: 11/19/2010 Article Title: Missing Messiah College Hard Drive Found Article URL: http://www.wgal.com/news/25851317/detail.html

Attribution 2 Publication: WGALAuthor: Date Published: 11/16/2010 Article Title: Hard Drive With Messiah Student Information Missing Article URL: http://www.wgal.com/news/25801449/detail.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101115-01 Northridge Hospital Medical CA 10/18/2010Paper Data Medical/Healthcare Yes - Published # 716 Center On October 18, 2010, Northridge Hospital Medical Center discovered that a package sent thru a national courier containing information for 716 Medicare and Medi-Cal patients was damaged in transit, potentially exposing patient information to courier employees. The documents may have contained patient names, addresses, phone numbers, social security numbers, guarantor social security number, date of birth, date of death, medical record number, admission and discharge dates, discharge summary, physician, procedure, notes for pregnancy- related emergency, admission, financial account number, provider number, insurance ID, Medicare or Medi-Cal charges billed and paid, hospital room and board charges, Medi-Cal ID number, California Children's Services Authorization, and Medi-Cal Treatment Authorization for patients between Sept 2004 and June 2006. NOTE: Since guarantor's SSNs were added there may be more than one SSN per patient.

Attribution 1 Publication: Hospital websiteAuthor: hospital Date Published: 11/14/2010 Article Title: Northridge Hospital Medical Center Article URL: http://www.northridgehospital.org/footer/Security_Breach/index.htm

Holy Cross Hospital in Fort Lauderdale has been informed by federal investigators that patient records were found while working on another case. The incident involved the theft of paper copies of Emergency Room patient data sheets, which included basic information including name, address, date of birth, social security number and initial diagnosis from the Emergency Room visit. "Based on evidence collected in the investigation, while information from 38 patients was uncovered, we believe as many as 1,500 patient data sheets of Emergency Room patients may have potentially been compromised by an employee who then sold the information to a third party for fraudulent purposes. However, since we cannot identify which files were compromised, we are taking the precaution of notifying each patient who checked into the Holy Cross Emergency Room from April 27, 2009 to September 29, 2010. "

Attribution 1 Publication: InfoSecurityAuthor: Date Published: 11/15/2010 Article Title: Florida hospital admits to data breach affecting 1500 patients Article URL: http://www.infosecurity-us.com/view/13963/florida-hospital-admits-to-data-breach-affecting-1500-patients/

Attribution 2 Publication: website of hospitalAuthor: PR dept Date Published: 11/11/2010 Article Title: Holy Cross Hospital Article URL: http://www.holycrossidprotect.com/

Attribution 3 Publication: Orlando SentinelAuthor: Sofia Santana Date Published: 11/10/2010 Article Title: Five accused of stealing patient data from Holy Cross ER Article URL: http://www.orlandosentinel.com/news/local/fl-holy-cross-arrests-20101110,0,7080301.story

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101110-04 General Services USElectronic Government/Military Yes - Published # 12,000 Administration 12,000 Federal workers at the General Services Administration were notified that an employee sent the names and Social Security numbers of the agency’s entire staff to a private e-mail address. "The agency explained to employees that one worker had apparently transmitted the file containing the personal data by accident while seeking “work-related assistance,” and that it had not been forwarded. Those involved had cooperated, and the computer that received the data was scrubbed clean by agency technicians."

Attribution 1 Publication: NY TimesAuthor: Ashley Southall Date Published: 11/6/2010 Article Title: U.S. Workers Are on Alert After Breach of Data Article URL: http://www.nytimes.com/2010/11/07/us/07breach.html?_r=1

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101110-03 Richmond Public Schools VAElectronic Educational Yes - Published # 110

An e-mail sent out inadvertently Tuesday morning to all Richmond school staff contained personal information including Social Security numbers for more than 100 employees.

Attribution 1 Publication: Richmond Times-DispatchAuthor: Jeremy Slayton Date Published: 9/10/2010 Article Title: Richmond school system inadvertently sent e-mail with personal data Article URL: http://www2.timesdispatch.com/news/2010/nov/04/richmond-school-system-inadvertently-sent-e-mail-p-ar-631673/

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101110-02 Murphy USA Gas Station IN 10/29/2010Paper Data Business Yes - Unknown # 0

A file cabinet filled with dozens of files containing people's personal information was dumped in a dumpster behind a Shelbyville gas station. A teenager found it last week. His father called police and 24-Hour News 8. Inside were copies of social security cards, drivers licenses and other personnel documents. Most of them are connected to former employees of Murphy USA gas station.

Attribution 1 Publication: WISH TV 8Author: Phil Sanchez Date Published: 11/5/2010 Article Title: Salvager finds personnel files in trash Article URL: http://www.wishtv.com/dpp/news/local/east_central/salvager-finds-personnel-files-in-trash

The Social Security numbers of 165 of New Hanover County property owners who were delinquent on their taxes were mistakenly published on the county website for anyone to see. It's unclear how many people were affected because some numbers are linked to more than one account.

Attribution 1 Publication: Star News OnlineAuthor: Chris Mazzolini Date Published: 11/9/2010 Article Title: County published some property owners' Social Security numbers online Article URL: http://www.starnewsonline.com/article/20101109/ARTICLES/101109611?Title=County-published-some-property-owners-

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101105-01 Bare Escentual CAElectronic Business Yes - Unknown # 0

Laptop containing PII of current and former Bare Escentuals employees has been reported as stolen. At least 27 people in NH were affected. This is a chain store with some in San Diego CA also.

Attribution 1 Publication: notice to NH AGAuthor: Matt Town Date Published: 11/1/2010 Article Title: Bare Escentual Article URL: http://doj.nh.gov/consumer/pdf/bare_escentuals.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101103-02 Multiple businesses, Capitol WAElectronic Business Yes - Published # 100 Hill Seattle Secret Service electronic crimes task force has made a major break in its investigation of a wave of credit card fraud emanating from Capitol Hill. Iacovetti told CHS it was too early to release details of how the information was accessed and where the 'point of interest' was located because of the ongoing investigation into the chain of people likely involved in this kind of crime. Iacovetti later told KOMO that multiple Capitol Hill stores may be involved: In the newest Seattle case, police and Secret Service investigators say they've identified multiple points of compromise, and the businesses involved have upgraded their anti-virus software so the fraud cannot continue. The Electronic Crimes Task Force is pursuing leads on suspects, but the businesses involved are not being identified at this time

Attribution 1 Publication: Capitol Hill SeattleAuthor: jseattle Date Published: 11/12/2010 Article Title: Capitol Hill credit card fraud victim total nears 100 Article URL: http://capitolhillseattle.com/2010/11/02/capitol-hill-credit-card-fraud-victim-total-nears-100

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101103-01 AFTRA CA 9/14/2010Electronic Business Yes - Published # 2,811

The American Federation of Television and Radio Artists (AFTRA, AFL-CIO) today discovered and immediately notified members who joined the union through its online website portal, called Join Online, that computer hackers unlawfully accessed the join online system on Sept. 14, and that confidential information, including credit card and social security numbers, may have been stolen. AFTRA immediately shut down the join online website portal and notified the state and federal authorities, as well as the credit reporting bureaus. The notice, which was sent to 2,811 members.

Attribution 1 Publication: SAGWATCHAuthor: Date Published: 9/29/2010 Article Title: AFTRA Says Site Hacked, Join Online Compromised Article URL: http://www.sagwatch.net/2010/09/aftra-says-site-hacked-join-online-compromised/

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101102-01 Thai Café IN 10/30/2010Paper Data Business Yes - Unknown # 0

A school was paying a higher trash fee and found out why. Apparently Thai Café had been using their dumpster. The stubs, from the year 2000, had been in the possession of Richard Fischer, whose ex-wife owns the restaurant, but he said he paid someone to dispose of the personal information properly. "We were just shocked," said school administrator Betty Speight. "I was just amazed because I shred everything, anything with a person's birth date, Social Security number, addresses."

Attribution 1 Publication: The Indy ChannelAuthor: Rafael Sanchez Date Published: 11/1/2010 Article Title: Personal Info Found Dumped Outside School Article URL: http://www.theindychannel.com/news/25599182/detail.html

Many Robins employees in the past week have reported being victims of credit card fraud. Several transactions late last week at a few base locations, including the Base Restaurant, resulted in erroneous charges on several patrons' credit and debit cards.

Attribution 1 Publication: Macon TelegraphAuthor: HAROLD GOODRID Date Published: 10/31/2010 Article Title: Reports of debit, credit card fraud hitting midstate consumers Article URL: http://www.macon.com/2010/10/31/1322254/reports-of-debit-credit-card-fraud.html

Attribution 2 Publication: Air Force Print News TodayAuthor: staff Date Published: Article Title: Credit, debit cards compromised Article URL: http://www.robins.af.mil/news/story_print.asp?id=123218542

Attribution 3 Publication: Author: Date Published: Article Title: Article URL: http://www.macon.com/2010/10/31/1322254/reports-of-debit-credit-card-fraud.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-09 San Diego Regional Center CA 10/13/2010Electronic Government/Military Yes - Unknown # 0 (SDRC) On October 13, the San Diego Regional Center (SDRC) notified some of their clients that a backup tape had been lost. SDRC serves individuals with disabilities in San Diego and Imperial counties. The tape had been sent by UPS Overnight service to the Department of Developmental Services. The package arrived, but it was empty and UPS was unable to locate it. The types of information on the backup tape depended on the client but could have included name, address, telephone number, Social Security number, program benefits number, health and medical diagnostic information. When the client was a minor child, the parents’ Social Security numbers were also included.

Attribution 1 Publication: phiprivacy.netAuthor: Carlos Flores, Exec D Date Published: 10/13/2010 Article Title: San Diego Regional Center Article URL: http://www.phiprivacy.net/wp-content/uploads/sdrc_2010.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-08 Houston Independent School TX 10/24/2010Electronic Educational Yes - Unknown # 0 District - HISD The Houston school district is investigating possible security breaches after its computer system appears to have been hacked, keeping employees and students from the Internet and online classes for two days. It is unknown if the hacker looked at student and employee files. As one of the largest employers in Houston, the school district has loads of electronic data on its 30,000 workers and 202,000 students that could have been compromised.

Attribution 1 Publication: Houston ChronicleAuthor: Ericka Mellon Date Published: 10/26/2010 Article Title: HISD investigating how its computers were hacked Article URL: http://www.chron.com/disp/story.mpl/metropolitan/7264923.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-07 University of Connecticut - CT 10/4/2010Electronic Educational Yes - Published # 23 Storrs A recent security breach on the Storrs campus revealed a list of 23 former students' names and Social Security numbers and made them available on the Internet. The 23 students whose names and Social Security numbers were on the list were enrolled in a professor's class in 2000. He inadvertently posted it to the Web.

Attribution 1 Publication: The Daily CampusAuthor: Amy McDavitt Date Published: 10/27/2010 Article Title: University addresses security breach Article URL: http://www.dailycampus.com/news/university-addresses-security-breach-1.1732324

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-06 Tax preparer - Louisiana LAPaper Data Business Yes - Unknown # 0

The tax records of clients of Ester Gaino, who was a tax preparer and died last year, were stolen from a family residence. 8 filing cabinets full of records for the last 5 years were stolen. The home owner believes this was a targeted burglary.

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: Laurinburg ExchangeAuthor: Matthew Hensley Date Published: 10/25/2010 Article Title: Tax records stolen Article URL: http://www.laurinburgexchange.com/view/full_story/10035339/article-Tax-records-stolen?instance=secondary_stories_l

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-05 Bureau of Emergency LA 9/17/2010Electronic Government/Military Yes - Published # 56,000 Services - Louisiana Some 56,000 emergency medical technicians were advised this week by the DHH that a hacker may have gained access to personal information about them contained in a state licensing database. The people in the database are individuals applying for classes or certifying as first responders or EMTs in the state of Louisiana. Anyone who has applied for a refresher class, state reciprocity or to take an EMT class is listed on the site. The list includes high school seniors who are in EMS-related programs through the education department.

Attribution 1 Publication: Advocate Capitol NewsAuthor: Marsha Shuler Date Published: 10/28/2010 Article Title: Hacker may have accessed DHH database Article URL: http://www.2theadvocate.com/news/105946193.html

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-04 University of California San CAElectronic Medical/Healthcare Yes - Published # 4,086 Francisco Medical Center A former IT staffer with UCSF Medical Center stole co-workers names and SSNs to use on health surveys. He received $100 vouchers for each he survey completed.

Attribution 1 Publication: PC WorldAuthor: Robert McMillan, IDG Date Published: 10/28/2010 Article Title: IT Worker Gets Prison After Stealing Data for Online Surveys Article URL: http://www.pcworld.com/businesscenter/article/209157/it_worker_gets_prison_after_stealing_data_for_online_surveys.

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-03 Onondaga County Civic NYElectronic Government/Military Yes - Unknown # 0 Center Investigators believe the scammers used either a skimming device or a computer hack to steal credit and debit card information from victims that had used their cards at the Onondaga County Civic Center. Police have now heard from more than 60 victims. So far, Syracuse Police say most of the victims have reported using their credit or debit card in the basement at the cafeteria of the Civic Center.

Attribution 1 Publication: WSYR TVAuthor: Date Published: 10/29/2010 Article Title: Civic Center credit card breach may be a computer hack Article URL: http://www.9wsyr.com/news/local/story/Civic-Center-credit-card-breach-may-be-a-computer/PSvXYnSEs0WFPp-zCXQf5

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-02 University of Hawaii - West HIElectronic Educational Yes - Published # 40,000 O'ahu, Manoa The University of Hawai`i – West O`ahu (UHWO) is notifying approximately 40,000 individuals that their personal information may have been compromised. The exposure occurred when a faculty member inadvertently uploaded files containing data including names, social security numbers, addresses, birth dates and educational information to an unencrypted faculty web server. Individuals potentially affected are students who attended the University of Hawai'i at Mānoa from 1990 – 1998 and during 2001. In addition, students who attended UHWO during Fall of 1994 or graduated from 1988 – 1993 may also be affected.

Attribution 1 Publication: school websiteAuthor: Ryan Mielke Date Published: 10/28/2010 Article Title: University of Hawaii - West O'ahu, Manoa Article URL: http://www.hawaii.edu/news/article.php?aId=3990

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101029-01 Japan Foundation of Los CA 9/18/2010Electronic Business Yes - Unknown # 0 Angeles According the October 21 letter filed by their attorneys, on September 18, JFLA discovered that the names, dates of birth and credit card information for those registering for their Japanese Language Proficiency Testing service in 2009 and 2010 had potentially been accessed. As of October 21, the company was still investigating the breach but is blaming an unnamed third party vendor.

Attribution 1 Publication: notice to NH AGAuthor: Susan L. Lyon Date Published: 10/21/2010 Article Title: Japan Foundation of Los Angeles Article URL: http://doj.nh.gov/consumer/pdf/japan_foundation_la.pdf

Credit reporting agency TransUnion has notified the New Hampshire Attorney General’s Office that the compromise of customer Midtown Motors’ login information resulted in the unauthorized access to an unspecified number of individuals’ credit reports.

Attribution 1 Publication: notice to NH AGAuthor: Daniel Halvorsen, Atty Date Published: 10/18/2010 Article Title: TransUnion Article URL: http://doj.nh.gov/consumer/pdf/transunion.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101025-01 MetLife US 10/10/2010Electronic Business Yes - Unknown # 0

A now-retired employee of MetLife had been misusing the database to run searches on public figures while working for the company. The improper searches reportedly occurred between October 2006 and September 2009. Information that could be viewed included name, address, SSN.

Attribution 1 Publication: notice to NH AGAuthor: Juliane Kowalski Date Published: 10/18/2010 Article Title: MetLife Article URL: http://doj.nh.gov/consumer/pdf/metlife.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101022-05 Deloitte Tax LLP US 8/5/2010Electronic Business Yes - Unknown # 0

Email sent with names, ssn and pay slip of fellow employees to wrong person

Attribution 1 Publication: notice to MD AGAuthor: Murrell Shields Date Published: 9/7/2010 Article Title: Deloitte Tax LLP Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191404.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101022-04 Wells Fargo USPaper Data Banking/Credit/Financial Yes - Unknown # 0

Mortgage papers including SSN sent to wrong address. ITRC called and was unable to find out how many people were involved. At least 1 in MD was involved.

Attribution 1 Publication: notice to MD AGAuthor: N Brian Gentry Date Published: 8/20/2010 Article Title: Wells Fargo Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191186.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101022-03 Norman Pediatric Associates, OK 10/21/2010Paper Data Medical/Healthcare Yes - Unknown # 0 Norman Urology A Norman man was dropping off some recycling items Thursday morning at a Norman Recycling Center when he came across a disturbing discovery, hundreds of folders containing medical records scattered throughout the bin. The files had detailed personal information about oncology patients, children and parents, from all over, including Norman, Moore, Noble, Blanchard, Maysville and Oklahoma City. They appear to have come from at least two different doctors' offices in the Norman area.

Attribution 1 Publication: KFORAuthor: Chellie Mills Date Published: 10/21/2010 Article Title: Medical records found in public recycle deposit Article URL: http://www.kfor.com/news/local/kfor-news-med-records-found-trash-story,0,7956821.story

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101022-02 Johns Hopkins University MDElectronic Educational Yes - Published # 692 Applied Physics Laboratory In mid-June, approximately 85 staff members received an e-mail from the Lab’s benefits office with an incorrect attachment that included names, Social Security numbers, birthdates and other information on 692 dependents of APL staff members. First seen at HHS website, additional info from databreaches.net

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: HHS, then statement to databreaches.nAuthor: Date Published: 10/22/2010 Article Title: Johns Hopkins University e-mail attachment error exposed personal info Article URL: http://www.databreaches.net/?p=14853

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101022-01 University of Arkansas AR 10/2/2010Electronic Medical/Healthcare Yes - Unknown # 0 Medical Center Officials at the University of Arkansas for Medical Sciences say a digital camera stolen from a nurse's lab coat has pictures in its memory of newborn babies as well as personal data about the infants and their mothers. Information included identification labels for the babies and mothers, including names, dates of birth, addresses, telephone numbers, insurance status, doctor's name and medical record numbers dating back to July.

Attribution 1 Publication: Fox 16Author: AP Date Published: 10/22/2010 Article Title: Camera stolen from UAMS nurse had newborns' pics Article URL: http://www.fox16.com/news/local/story/Camera-stolen-from-UAMS-nurse-had-newborns-pics/kFMX6d_2j0GOCada49cA

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101020-03 PNC Bank PAElectronic Banking/Credit/Financial Yes - Published # 200

A foreign national from Spain pleaded guilty in federal court to conspiring with a Romanian national to install electronic skimming devices on PNC Bank ATMs located throughout Western Pennsylvania in April and May of this year, United States Attorney David J. Hickton announced today. The prosecutor stated that over 200 PNC customer account numbers were believed to have been compromised, with losses between $120,000 to $200,000 dollars.

Attribution 1 Publication: infosec islandAuthor: staff Date Published: 10/19/2010 Article Title: Spanish national pleads guilty to ATM skimming in Pennsylvania Article URL: https://infosecisland.com/security-breaches-view/8958-Spanish-national-pleads-guilty-to-ATM-skimming-in-Pennsylvani

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101020-02 Keystone Mercy Health Plan PAElectronic Business Yes - Published # 280,000 and AmeriHealth Mercy Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan said Tuesday that a portable computer drive containing the names, addresses, and health information of 280,000 Medicaid members in Pennsylvania has been lost in its Keystone corporate office. The computer drive included members' health plan identification numbers and some of their health information, the insurers said. Also stored on the drive were the last four digits of 801 members' Social Security numbers, plus complete Social Security numbers for seven others.

Attribution 1 Publication: Philadelphia InquirerAuthor: Jane M. Von Bergen Date Published: 10/20/2010 Article Title: Health insurers say data on 280,000 Pennsylvania clients may be compromised Article URL: http://www.philly.com/inquirer/business/20101020_Health_insurers_say_data_on_280_000_Pennsylvania_clients_may_

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101020-01 University of Oklahoma's OK 7/28/2010Electronic Medical/Healthcare Yes - Unknown # 0 Tulsa Neurology Clinic The University of Oklahoma's Tulsa Neurology practice announced that one of its clinic computers had been compromised by a virus. The Clinic is notifying individuals whose records were maintained on the computer of the discovery. Patients of Dr. John Cattaneo and of Neurology, LLC. Many of these documents included some or all of the following: patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates. In some records, guarantor information was also included. The virus was detected on or about July 28, and its properties were determined during the investigation.

Attribution 1 Publication: college websiteAuthor: press release Date Published: 9/24/2010 Article Title: OU Tulsa Neurology Clinic Computer Compromised Article URL: http://ouhsc.edu/hipaa/compromised.asp

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101019-08 Trade Center Management USElectronic Business Yes - Unknown # 0 Association LLC In June, Trade Center Management Associates in Washington, D.C. became aware that employee data had been stolen from a TCMA facility. Employee information on the stolen equipment included names, SSN, and in some cases, fingerprints. Among those with data on the device were 284 Maryland residents

How is this report produced? What are the rules? See last page of report for details.

Attribution 1 Publication: notice to MD AGAuthor: Bart Lazar Date Published: 7/26/2010 Article Title: Trade Center Management Associates Article URL: http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU191157.pdf

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101019-07 Medicare USElectronic Government/Military Yes - Unknown # 0

An Armenian-American crime syndicate stole the identities of doctors and thousands of patients and used them and more than a hundred spurious clinics in 25 states to bill Medicare for more than $100 million for treatments no doctor ever performed and no patient ever received, the federal authorities announced on Wednesday. The group used the stolen identities of the doctors and patients to bill Medicare for more than $100 million in nonexistent treatments over four years, according to a news release announcing the charge.

Attribution 1 Publication: NY TimesAuthor: WILLIAM K. RASHBA Date Published: 10/13/2010 Article Title: 44 Charged in Huge Medicare Fraud Scheme Article URL: http://cityroom.blogs.nytimes.com/2010/10/13/44-charged-in-huge-medicare-fraud-scheme/

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101019-06 Patuxent River Naval Air USElectronic Government/Military Yes - Published # 17 Station Seventeen Patuxent River Naval Air Station clinic patients' personal information was stolen between November 2008 and May 2009, federal authorities reported, and that information was used to access the patients' financial accounts during phone calls to the credit union's operators. The calls resulted in fraudulent fund transfers of $500 or less to Western Union, and the money was picked up at its offices in locations in and around Washington, D.C., and as far away as South Carolina. St. Mary's Assistant State's Attorney Daniel White said during the court proceeding: "It is substantial, and it's still growing."

Attribution 1 Publication: So MD NewsAuthor: JOHN WHARTON Date Published: 10/13/2010 Article Title: Two charged with credit union theft- Scheme allegedly used Navy clinic data Article URL: http://www.somdnews.com/stories/10132010/entetop162252_32306.shtml

ITRC Breach ID Company or Agency State Est. DateBreach Type Breach Category Records Exposed? # Records Rptd ITRC20101019-05 Veteran Affairs - US 9/1/2010Paper Data Government/Military Yes - Published # 6,299 Massachusetts In its most recent report to Congress, the Veterans Affairs Department reported that on August 25, 6,299 out of the 69,366 ”Benefit Summary” letters intended for veterans and non-veterans in Massachusetts were mailed to incorrect addresses. The letters contained the veterans’ and non-veterans’ benefit information including their claim number, which, in some instances, was the veterans’ full social security number (SSN). The incident was discovered on September 1 when a civilian notified the Boston VBA Regional Office of the mismailing. The incident was investigated and it was determined that 3,913 of the 6,299 mis-mailed letters contained the full SSN and 2,386 contained the Veterans Benefits Adminstration (VBA) claim number.

Attribution 1 Publication: govinfo securityAuthor: Howard Anderson Date Published: 10/14/2010 Article Title: Mismailing Causes VA Information Breach Article URL: http://www.govinfosecurity.com/articles.php?art_id=3012

Attribution 2 Publication: VA report to CongressAuthor: