Once more unto the breach
What will it be like to live in a world where it is mandatory to report data breach notifications? Australia's proposed Privacy Amendment (Privacy Alerts) Bill 2013 did not make it through federal Parliament before the last government imploded, while New Zealand is still considering whether to make it compulsory to send out alerts when incidents put people at risk
The Identity Theft Resource Center has published a summary of more than 404 breaches reported in the US in 2013, ranging from a single lost thumb drive to a hospital that allowed protected health information of some 32,000 patients to be indexed by Google after a firewall breach.
The list makes for fascinating reading, and IDM has published some highlights below. The full list is available at http://www.idtheftcenter.org/images/breach/ITRC_Breach_Report_2013.pdf
Washington Inventory Service
A box full of personal employee records found in a public recycling dumpster in Merriam, Kan., has left hundreds of people at risk of identity theft. A coupon collector who did not want to be identified said he was looking for a coupon for Miracle Whip when he found the private information. "I noticed files in the dumpsters, and I took a look at the files, and I noticed social security numbers and driving records," the collector said. "If that were my information, I would expect that that would be shredded and disposed of properly, not thrown in a recycle dumpster or any other kind of dumpster.
St. Anthony's, Iowa
A laptop computer and flash drive containing information on 2,600 St. Anthony's nursing home patients was stolen from a doctor's car on July 29.
University of Texas
UT Physicians, part of The University of Texas Health Science Center at Houston Medical School, has taken steps to inform patients of a potential patient data breach. A laptop was stolen out of a UT Physicians orthopedic clinic, containing the information of 596 patients. UTHealth does not believe any information has been compromised, but has begun mailing letters to the affected patients
University of Mississippi Medical Center
The University of Mississippi Medical Center mistakenly gave out Social Security numbers, grade-point averages and other personal information for most of its student body this week, violating state and federal privacy laws. UMC’s accounting department on Wednesday attached the private data to a mass email notifying students about changes to the school’s health insurance. The attached spreadsheet contained the names, Social Security numbers, GPAs, race, gender, birthdays, addresses and phone numbers for the nearly 2,300 students enrolled in the university
Sylvan Learning Center
Seven large boxes filled with personal information of clients from the Sylvan Learning Center, including names, birth dates, Social Security numbers and credit card information, were found in a Dumpster in Beaverton.
Hope Community Resources of Alaska
Hope Community Resources inadvertently dispersed private identification information on more than 3,700 clients – disabled Alaska families and individuals across the state – in an email survey, Monday night. Families and caregivers connected to Alaska’s disabled are speaking out after the inadvertent release of private, personal and sensitive identity and healthcare information was blasted out in an email chain on Monday night. Some are just angry that an attachment with personal information was accidentally added to a survey solicitation for Hope Community Resources of Alaska.
Novartis, New Hampshire
"We are writing to inform you about an incident that involved the loss of personal information of one resident of New Hampshire. On or about March 4 of 2013 a media storage device (a/k/a thumb drive) was discovered to be missing from a limited access area. Subsequently, after a lengthy review of barely legible archived materials, we determined that one resident of New Hampshire was affected. We deeply regret that this incident occurred and take very seriously the security of personal information."
San Francisco State College of Extended Learning
"San Francisco State College of Extended Learning takes our responsibility to protect your personal data very seriously. For this reason, we are writing to inform you that on Monday, June 11, 2013 we were notified by federal law enforcement of a compromise of the College of Extended Learning server that occurred on March 25th, 2013 at 3 am. The incident involved the unauthorized use of the server by a group not associated with SF State. Although we have no evidence of compromise of the databases also located on this server, federal law enforcement indicated more than 500 other sites were compromised by this same group and some of those sites did find evidence of compromised data. As a precaution, we are advising you of the possibility that SF State data has been compromised."
Department of Energy
The United States Department of Energy notified employees via an email Wednesday that hackers gained personal information, such as names and social security numbers, of 14,000 current and former agency employees as the result of a hack that occurred in late July. This is the second attack this year that involved a breach of employee data.
Cogent Healthcare
The protected health information of some 32,000 patients across 48 states has been compromised after a health IT vendor's firewall was down for more than a month, allowing, in some cases, for patient data to be indexed by Google, officials announced Thursday.
Oregon Health & Science
Information for more than 3,000 patients at Oregon Health & Science University was put at risk when medical residents stored the data on a password protected cloud computing system, the institution announced this week. The potential data breach is the third such reported incident to occur at the university in less than a year, and the fifth since 2008.
Office of Dr. James Fosnaugh NE
Somehow, somewhere, sometime in May, a computer chip containing medical records for more than 2,000 of a Lincoln doctor's patients went missing — likely having slipped from the thumb drive Dr. James Fosnaugh wore on a lanyard around his neck.