The Data Breach Blog

Laptops containing PII for 250,000 stolen from Canada hospital

Two laptops, which contained personal information for hundreds of thousands of patients, were recently stolen from University of Alberta Hospital in Canada.

How many victims? 250,000.

What type of personal information? Names and personal health numbers.

What happened? The laptops were stolen from a locked hospital laboratory room where they were chained to desks. The hard drives of the laptops contained a random sample of 250,000 lab reports, which contained the personally identifiable information (PII).

Details: The laptops are encrypted so it would be “extremely difficult” to access the sensitive information, making the risk of identity theft low – but still possible, hospital officials told the Edmonton Journal.
The hospital does not know which patients’ personal health numbers were contained on the computers because those on the list were randomly selected.

Quote: “The public should not be concerned,” Bill Trafford, chief information officer of Alberta Health Services, told the Edmonton Journal. “We believe there’s very, very low risk of any information on those devices being made accessible to anybody else.”

Source: edmontonjournal.com, Edmonton Journal, “Laptops with patient information of thousands of Albertans stolen from U of A Hospital,” June 24, 2009.


Flash drive stolen from Florida Department of Revenue

The personal information of nearly 3,000 workers from large corporations around the state of Florida may be at risk after a sensitive flash drive was stolen from a Florida Department of Revenue employee.

How many victims? 2,828.

What type of personal information? Names, addresses and Social Security numbers.

What happened? The flash drive contained a file with personal information for current or past employees of six large corporations that are being audited by the state. The flash drive was connected to a laptop that was stolen from the unlocked car at a Florida Department of Revenue employee’s home in Marietta, Ga., on April 9. The thief also took a cell phone and GPS device.

Details: The names of the companies being audited are confidential, Walter Boyd, the department’s chief confidential information officer, told The Gainesville Sun.

The sensitive file was password-protected, but not encrypted – so, with the technical knowledge, it would be possible for someone to access it, Boyd said. Currently, the department has guidelines that say flash drives should be encrypted, but it is not required, he said.

Quote: “We can hope for a stereotypical thief, some unsophisticated thief that just wants to sell the equipment and doesn’t know what’s on there,” Boyd said.

What was the response? Letters were sent to affected individuals. In addition, a new department policy is pending approval that would require flash drives and other mobile devices to be encrypted.

Source: Gainesville.com, The Gainesville Sun, “Stolen flash drive held personal data on 2,828 people,” June 24, 2009.


Sensitive computer stolen from Cornell University

A stolen computer belonging to Cornell University contained the personal information for current and former students, faculty and other staff.

How many victims? 45,277.

What type of personal information? Names and Social Security numbers.

Details: Currently, no misuse of this sensitive information has been discovered, according to an email obtained by WVBR.

What was the response? Affected individuals will be notified by mail and will receive free fraud counseling and credit monitoring services at the university’s expense. In addition, the university will establish a call center and a set of frequently asked questions for those who have been affected.

Source: wvbr.com, WVBR 93.5 FM, “Cornell Computer Security Breach,” June 23, 2009.


Mobile storage device stolen from Kirkwood Community College in Iowa

A stolen mobile storage device belonging to Kirkwood Community College in Iowa was retrieved, but school officials cannot determine whether sensitive information was copied from it.

How many victims? 1,600.

What type of personal information? Names and Social Security numbers for certain individuals in Iowa’s welfare-reform program, PROMISE JOBS.

What happened? The device was stolen by a visitor to the school’s employment office on June 4. A school employee quickly recognized it was missing and notified police and the device was returned less than three hours later.

James Lee Mumford, 23, of Coralville, Iowa was charged with fifth-degree theft for the crime.

Details: The police investigation is underway but a computer expert could not determine whether the information on the data storage device had been copied off it.

What was the response? The college is providing affected individuals with free credit monitoring for a year. In addition, Kirkwood has banned the use of any portable data storage devices in its skills to employment division and is conducting training sessions on data security, the school told The Gazette.

Source: Gazetteonline.com, The Gazette, “Kirkwood offers free credit monitoring to 1,600 after storage device stolen,” June 12, 2009.


UND donors’ financial info at risk

The financial information of those who donated money to the University of North Dakota may be at risk after a laptop was stolen from a third-party company that handled the information for the UND alumni association.

How many victims? 84,000.

What type of personal information? Unspecified.

What happened? The stolen laptop belonged to a South Carolina-based software company called Blackbaud, which specializes in financial software and services for nonprofit fundraising organizations. The laptop, which contained information belonging to the University of North Dakota’s foundation and alumni association, was stolen from a Blackbaud employee’s car in Charleston, S.C.

Blackbaud said the employee responsible for the computer violated company policy by keeping the data too long but did not specify if the employee was reprimanded.

Details: All of the information was password-protected and encrypted. Jake Marcinko, Blackbaud’s manager of information security and monitoring, told The Post and Courier that currently, no known breach of information has occurred.

Quote: “No matter how well-designed and implemented our security procedures are, including levels of password protection and data encryption, in the case of the physical theft of a computer we presume that the security of customer data has been compromised and move immediately to do everything we can to help our customers notify the people whose names and personal information are on those files,” Marc Chardon, Blackbaud’s president and chief executive, told The Post and Courier in a statement.

What was the response? Affected individuals were notified.

Source: www.postandcourier.com, The Post and Courier, “Stolen laptop contained donors’ financial data,” June 17, 2009.


Illinois agency missing 52 computers

52 computers are missing from the Illinois Department of Financial and Professional Regulation, according to a recent report from Illinois Auditor General William Holland’s office.

How many victims? Unspecified.

What type of personal information? The agency is unsure whether confidential information was contained on the missing computers.

What happened? The agency told the Chicago Tribune that the equipment may have been transferred to another agency, but there was no record. The department said it would do a detailed inventory of equipment and improve its oversight.

Details: The Department of Financial and Professional Regulation regulates banking, insurance and various professions including health care, accounting and engineering.

Source: Chicagotribune.com, Chicago Tribune, “Audits slap Ill. agencies for waste, lax oversight,” June 11, 2009.


VCU computer stolen

A desktop computer, containing the personal information of current and former students of Virginia Commonwealth University, was recently stolen from a school library.

How many victims? 17,214.

What type of personal information? Names, Social Security numbers and test scores dating from October 2005 to the present.

What happened? The computer was part of a scanning system used to score tests and record grades for many university classes. It was stolen from a secure area — in a locked area within a locked room — at Cabell Library in mid-April. It was discovered missing less than a day after the theft.

Campus police know who stole the computer but have been unable to recover it. Mark Willis, VCU’s chief information officer, told the Richmond Times Dispatch the computer was taken for personal use and then disposed of.

The computer was thrown away and not sold, Lepley said.

Details: Up until January 2007, VCU used Social Security numbers as school identification numbers.
22,500 additional students are being notified that their names and test scores may have been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

What was the response? VCU is offering one year free identity-theft insurance to affected individuals. The case has been turned over to the commonwealth’s attorney’s office.

Source: timesdispatch.com, Richmond Times Dispatch, “Stolen VCU computer exposes Social Security numbers,” June 5, 2009.


Batteries.com hacked

Personal information of customers was exposed and potentially used in identity crimes after a malicious hacker gained access to the server of online battery retailer Batteries.com for several weeks.

How many victims? Unspecified.

What type of personal information? Names, addresses and credit card information.

What happened? The hacker gained access to the server on February 25; access was diminished “significantly” around March 17 and terminated on April 9.

Batteries.com learned of the breach on March 13 because a customer reported to the company potentially unauthorized activity regarding a credit card account. A “small” number of additional Batteries.com customers have contacted the company to report similar potential credit card fraud.

Details: Batteries.com had firewalls and antivirus protections in place at the time of the incident.

What was the response? The company launched an investigation with internal and external forensic experts to determine what happened. In addition, the company put measures in place to prevent similar incidents from occurring in the future, including limiting the amount of information stored and decreasing the time period it’s stored for.

Batteries.com is working with the U.S. Secret Service and law enforcement to identify those responsible. The major credit card companies (i.e., American Express, Discover, Mastercard and Visa) have been notified.

Affected individuals have been offered 2 years free credit monitoring.

Source: Batteries.com, “A message from batteries.com.”


Aetna job seekers and employees at risk

Spammers recently used email addresses obtained from health insurer Aetna’s job application website to conduct a phishing scam.

How many victims? Up to 450,000.

What type of personal information? Email addresses, and possibly Social Security numbers, phone numbers, addresses and employment histories.

What happened? Aetna’s job application website, which was maintained by a third party, contained the email addresses for about 450,000 people who had applied for jobs or submitted resumes to the company. Some of the email addresses were copied from the site and used in a phishing scam.

In early May, Aetna began receiving complaints from individuals who received fraudulent emails seeming to be coming from Aetna. In the phony emails, victims were presented job offers or asked for personal information such as addresses and telephone numbers.

Details: Along with email addresses, the site stored the Social Security numbers of current and former employees and people who received job offers from the company. In addition, the phone numbers, addresses and employment histories of people who received job offers were also stored on the site. Aetna said it is not sure if any personal information beyond email addresses was accessed.

Quote: “We know for certain that the emails were accessed, we don’t know whether or not anything else was accessed,” Aetna spokeswoman Cynthia Michener told The Associated Press. “But we’re erring on the side of caution, we want people to know.”

What was the response? Aetna shut down the job application website, and hired an outside company to perform a forensic review of the site. They have not yet been able to determine how the breach occurred.

Aetna will offer free credit monitoring for a year to about 65,000 affected individuals. A warning about the fraudulent emails was posted on Aetna’s main site.

Source: The Associated Press, “Aetna offers credit monitoring after site breached,” May 28, 2009.


N.J. breach blamed on a “clerical error”

The New Jersey Department of Labor and Workforce Development recently sent the personal information of numerous unemployed individuals to companies they never worked for.

How many victims? 28,000 individuals are being notified that their information may be at risk, but the number of actual victims is believed to be much smaller.

What type of personal information? Names and Social Security numbers.

What happened? Last month, the Labor Department sent first-quarter notices to businesses listing former employees collecting unemployment benefits. Because some companies laid off a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by hand rather than by machine, Labor Department spokesman Kevin Smith told NJ.com.

As a result, some reports were placed in the wrong envelopes, he said. As of Monday, seven employers called the department to say they received information on people they never employed.

Details: New Jersey has about 375,000 residents collecting unemployment benefits. About 240,000 companies receive notices about former employees collecting benefits.

Quote: “This is a fluke,” Smith said. “This was just a clerical error.”

What was the response? Letter recipients were directed to call the New Jersey Division of Consumer Affairs for more information on credit reporting and identity theft protection.

Source: NJ.com, New Jersey On-Line, “N.J. accidentally reveals personal data of 28K unemployed residents,” May 18, 2009.
