April 8, 2015 – Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. The graph below shows that the number of data breaches hit a record high of 761 even before the year ended.
“End users need to be made aware that the threat, posed by the increased number of data loss incidents every year, is becoming very real and critical. Confidential information is being compromised at all stages of the data lifecycle because of internal as well as external factors. Organizations need to make sure that their endpoints and networks are secure, data is encrypted and data protection is a priority at all stages – at rest, in motion, in storage or in the cloud,” said Alexey Raevsky, CEO, Zecurion.
*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.
The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).
Total records exposed only include records for which a count is available.
Data Breaches Across All Sectors
The excerpts below only provide a glimpse of some of these incidents – the list goes on.
November 2014 – Prince George’s County Public Schools (PGCPS), Maryland, notified around 10,000 individuals of a data breach that occurred when a file containing personal information was mistakenly included in a report that was shared internally and with individuals outside the PGCPS network. The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.
The PGCPS email accounts were later suspended so the email report could be removed, and PGCPS also offered one year of free credit monitoring services to all impacted individuals.
Source: SC Magazine
November 2014 – The Seattle Public School notified parents about a data breach that involved their children’s information. The breach comprised the information of over 8,000 special education students, which included their names, addresses, student identification numbers, test scores, disabilities, and many more personal details. The school learnt that the law firm retained by the District inadvertently sent personal student information to an individual involved in the case.
The law firm has been removed from the case and the District is trying to either retrieve or destroy the lost data.
August 2014 – The Park Hill School District, Kansas, notified more than 10,000 current/ex-employees and students about a potential data breach. A worker had downloaded staff and students’ personal data from a computer to his hard drive without seeking approval from the district authority. The information was later made available on the internet.
The information included Social Security numbers, student records, personal information and employee evaluations.
The district has planned to upgrade its systems and policies to prevent unauthorized data access and storage to external devices in future.
June 2014 – The Riverside Community College District (RCCD), California, suffered a data breach affecting 35,212 students when an employee mistyped an email address while using a personal email account to send a file, too large for the college email system, to an employee of the college who was working from home due to illness.
The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.
Healthcare and Medical Providers
November 2014 – University Hospital, Ohio, informed 692 patients of a data breach involving their personal information by an employee of the hospital. The employee involved had been accessing the personal information of patients for over 3 years. The information accessed included names, addresses, phone numbers, email addresses, medical and health insurance account numbers, financial information including debit/credit card information and Social Security numbers.
The Hospital System is planning to increase the number of audits to reduce such incidents in future, along with providing one year of free credit monitoring and identity theft protection to the patients whose Social Security number has been compromised.
October 2014 – A medical assistant was sentenced to three years in prison for using her position in an organization to steal the personal information of patients, including patients’ names, birth dates and Social Security numbers, and later selling it to an individual who used these IDs to file fraudulent tax returns.
The medical assistant sold the personal information of approximately 2,000 people for $1 each.
Source: eSecurity Planet
August 2014 – AltaMed Health, Georgia, notified patients of a data breach by a former temporary employee who had a hard drive potentially containing personal data that could be misused by identity theft rings. About 3,000 patient records were compromised and included names, email addresses, telephone numbers, Social Security numbers, provider information, insurance information, dates of birth, and addresses of individuals who attended community events in Orange and Los Angeles counties from October 24, 2013 to June 6, 2014.
Source: SC Magazine
August 2014 – CareEvolve Inc, a subsidiary of BioReference Laboratories, Inc., notified 3,334 patients of a data breach which occurred when the organization accidentally exposed the server while reconfiguring a test server, making all the information accessible via the internet. The information exposed included patient names, home addresses, telephone numbers, ages, patient/medical record numbers, clinical tests, collection dates, dates of birth and Social Security numbers.
BioReference is offering one free year of credit monitoring, identity theft protection and other services to anyone whose information may have been exposed.
Source: PHI Privacy
June 2014 – Rady’s Children’s Hospital suffered a data breach when an employee inadvertently sent an email with a confidential file to 6 potential job applicants. The applicants were meant to receive approved information for an internal evaluation, whereas they received the original file with the information of 14,100 patients. The file contained information on the patients admitted to the hospital between Jul 1 2012 and Jun 30 2013, and included names, dates of birth, primary diagnoses, medical records and insurance carrier claim information.
Source: SC Magazine
August 2014 – Memorial Hermann Hospital sent out letters to patients about a data breach by a former employee who had been accessing medical and electronic records of 10,604 patients for 7 years. The data compromised included health insurance information, names, addresses, Social Security numbers and dates of birth.
Financial and Insurance Services
November 2014 – Anthem Blue Cross, California, sent text emails with personal details, like individuals’ health information and demographic information including age, language spoken and specific medical test received or not received. The email was intended to be a routine check-up email; however, the personal information was shared in the subject line instead of “Routine check-up”.
A Blue Cross representative stated that they are still investigating the incident.
October 2014 – An individual working in a bank as a financial service representative stole the bank account details of customers in order to generate fake transfer slips for transferring the funds from customers’ accounts to his own account.
The individual allegedly stole $100,806.85 from one customer and $11,137.01 from another customer, for which he has been charged with two counts of bank fraud.
Source: eSecurity Planet
November 2014 – The Texas Health and Human Services department informed individuals that a data breach occurred when Xerox Corporation, at the time of contract termination, did not return computer equipment and paper records containing Medicaid and health information of over 2 million people. The reason for detaining the company’s assets has been attributed to an ongoing dispute between the two parties.
The information included Medicaid clients’ names, birth dates, Medicaid numbers, and medical and billing records related to care provided through Medicaid – reports, diagnosis codes and photographs.
July 2014 – Stanford Federal Credit Union learnt of a data breach affecting 18,000 members when one of its employees accidentally sent the list of members who were pre-approved for loans to an individual with the same name as the employee it was meant for.
The personal information sent included customer names, mailing addresses, member numbers, credit information, loan offers, and tax identification numbers. The Union realized it immediately and removed the list before it could have been read by the recipient.
Business – Retail/Merchant
October 2014 – AT&T informed about 1,600 customers of a data breach by a staff member. The breach involved Social Security numbers, driver’s license numbers and unique customer numbers, i.e. Customer Proprietary Network Information (CPNI). AT&T terminated the employee and personally contacted the affected customers.