Two laptops, which contained personal information for hundreds of thousands of patients, were recently stolen from University of Alberta Hospital in Canada.

How many victims? 250,000.

What type of personal information? Names and personal health numbers.

What happened? The laptops were stolen from a locked hospital laboratory room where they were chained to desks. The hard drives of the laptops contained a random sample of 250,000 lab reports, which contained the personally identifiable information (PII).

Details: The laptops are encrypted so it would be “extremely difficult” to access the sensitive information, making the risk of identity theft low – but still possible, hospital officials told the Edmonton Journal.
The hospital does not know which patient’s personal health numbers were contained on the computers because those on the list were randomly selected.

Quote: “The public should not be concerned,” Bill Trafford, chief information officer of Alberta Health Services told the Edmonton Journal. “We believe there’s very, very low risk of any information on those devices being made accessible to anybody else.”

Source: edmontonjournal.com, Edmonton Journal, “Laptops with patient information of thousands of Albertans stolen from U of A Hospital,” June 24, 2009.

Spammers recently used email addresses obtained from health insurer, Aetna’s job application website to conduct a phishing scam.

How many victims? Up to 450,000.

What type of personal information? Email addresses, and possibly Social Security numbers, phone numbers, addresses and employment histories.

What happened? Aetna’s Job application website, which was maintained by a third party, contained the email addresses for about 450,000 people who had applied for jobs or submitted resumes to the company. Some of the email addresses were copied from the site and used in a phishing scam.

In early May, Aetna began receiving complaints from individuals who received fraudulent emails seeming to be coming from Aetna. In the phony emails, victims were presented job offers or asked for personal information such as addresses and telephone numbers.

Details: Along with email addresses, the site stored the Social Security numbers of current and former employees and people who received job offers from the company. In addition, the phone numbers, addresses and employment histories of people who received job offers were also stored on the site. Aetna said it is not sure if any personal information beyond email addresses was accessed.

Quote: “We know for certain that the emails were accessed, we don’t know whether or not anything else was accessed,” Aetna spokeswoman Cynthia Michener told The Associated Press. “But we’re erring on the side of caution, we want people to know.”

What was the response? Aetna shut down the job application website, and hired an outside company to perform a forensic review of the site. They have not yet been able to determine how the breach occurred.

Aetna will offer free credit monitoring for a year to about 65,000 affected individuals. A warning about the fraudulent emails was posted Atena’s main site.

Source: The Associated Press, “Aetna offers credit monitoring after site breached,” May 28, 2009.

An laptop containing the personal information of patents of Moses Cone Hospital in Greenboro, N.C. was recently stolen from a supply chain management vendor that the hospital works with.

How many victims? 14,380.

What type of personal information? Social Security numbers.

What happened? The laptop was issued an employee of VHA, a supply chain management vendor for the hospital. In March, the laptop was stolen from the employee’s car. It was not encrypted but was password protected.

Details: The breach affected cardiology and orthopedic patients treated at Moses Cone Health System’s Hospitals between February 2004 and February 2009.

What was the response? Affected individuals have been offered free credit monitoring.

Quote: “Moses Cone Health System and its vendor, VHA, deeply regret this incident and both are making changes to make sure it does not happen again,” said Lynn Mathews, Moses Cone compliance and privacy officer.

Source: wxii12.com, WXIII12 Piedmont Triad, “Stolen Hospital Laptop Contained Patient Information,” April 13, 2009.

A hard drive containing the personal information of hundreds of thousands of patients at Jackson Memorial Hospital in Florida has been stolen.

How many victims? 200,000.

What type of personal information? Copies of the drivers’ licenses of patients who visited the hospital May 2007 through March 2008. No Social Security numbers or financial information was on the hard drive, Dennis Proul, the hospital’s chief information officer told the Miami Herald.

What happened? The hard drive was stolen from the hospital’s data center, which is secured by cyberlocks and swipe cards. Several dozen people have access to the center, Proul said.

Details: The hard drive was discovered missing Feb. 11 and reported to the police on March 4. The hospital does not have a back-up copy of the information so they do not know which patients were affected.

What was the response? Visitor information is now erased every 30 days. The hospital recommended individuals who visited Jackson from May 2007 through March 2008 notify one of three credit bureaus and place fraud alerts.

Quote: ”We’re very sorry this happened and are taking steps to make sure it doesn’t happen again,” Proul said.

Source: Miamiherald.com, Miami Herald, “Disk with information on 200,000 visitors to Jackson hospital stolen,” March 21, 2009.

Individuals who have been transported by Chicago Fire Department ambulances run the risk of identity theft following a laptop theft. But the data appears to have been encrypted.

How many victims? More than 60,000.

What type of personal information? Not disclosed.

What happened? The laptop was taken while in custody of an employee for DeZonia, a firm that does billing for the city’s ambulance transports. The thief broke into the employee’s car to steal the machine.

What was the response? DeZonia is providing one year of free credit monitoring for victims. Meanwhile, the city is considering punishment against DeZonia.

Details: The laptop was encrypted and password protected, according to the the city’s Revenue Department.

Source: wbbm780.com, WBBM newsradio 780, “Been In An Ambulance Lately? Your Identity May Be At Risk,” March 19, 2009.

A pharmacy benefits management provider has notified about 28,000 Kentucky retirees that their personal information was not protected during electronic transmission.

What type of personal information? Names, dates of birth, Social Security numbers.

What happened? Walgreens Health Initiative failed to encrypt an email containing the information that was sent to Kentucky Retirement Services.

What was the response? Walgreens said in a notification letter to affected individuals that there was a “remote” chance their records could have been compromised in transit.

Details: The email was received by a state employee, and Walgreens has not reason to believe the data was exposed at any point. The victims used Walgreens to manage their pharmacy benefits in 2007.

Source: courier-journal.com, The Courier-Journal (of Louisville, Ky.), “Ky. retiree data sent without proper security,” March 18, 2009.

Attackers recently targeted science journal, Nature.com and gained access to stored user login credentials, a spokeswoman for the parent company, Nature Publishing Group told SCMagazineUS.com.

How many victims? Less than 1 percent of users were affected — approximately 21,000 out of 2.1 million.

What type of personal information? Name, username (which is email address) and password.

Details: “The breach occurred because someone added some code into a URL and tried to bring the site down,” the spokeswoman said.

Passwords are stored in an encrypted form, so the company reset them as a precaution.

What was the response? The company has taken steps to mitigate the vulnerability that lead to this attack and is monitoring for any further attempts to access data.

A laptop that was stolen from Parkland Memorial Hospital in Dallas could have contained the personal information of employees.

How many victims? 9,300.

What type of personal information? Names, birthdates and Social Security numbers.

Details: The laptop was stolen on Feb. 3 and contained no patient information but hospital staff is unsure whether personal information of employees was contained on the computer.

What was the response? An investigation is being conducted by hospital district police, employees were notified of the theft by email and were advised to monitor their credit profiles and place fraud alerts on their accounts. They were offered one-year online credit monitoring for free.

Quote: “We regret this unfortunate event occurred and are working to mitigate any possible adverse impact on our employees,” said Dr. Ron Anderson, Parkland’s president and chief executive.

Source: www.dallasnews.com/, The Dallas Morning News, “Laptop theft at Parkland Memorial Hospital could imperil employee information,” Feb. 9, 2009.

Health insurance provider, Kaiser Permanente recently experienced a data breach that led to the release of the personal information of tens of thousands of employees.

How many victims? 29,500.

What type of personal information? Names, addresses, dates of birth and Social Security numbers for Kaiser employees in Northern California.

What was the response? The company launched an internal investigation to determine the source of this breach and is working closely with law enforcement. A toll-free phone line was set up to answer employee questions. Affected employees will receive one year of free credit monitoring.

Details: The breach did not involve Kaiser member information and no personal health details have been jeopardized, according to a written statement issued by Gay Westfall, senior vice president of human resources for the Kaiser Foundation Health Plan.

A “handful” of employees have reported identity thefts as a result of the breach, Kaiser said.

The breach came to light after the arrest of San Ramon resident Mia Garza, 28, on Dec. 23 on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data, said San Ramon police Cpl. Rich Persson.

Garza is not a Kaiser employee, and it was not immediately clear how she might have obtained the Kaiser information.

Kaiser was informed of the security breach in late January, said spokesman Jim Caroompas.

Garza, who was released from jail Jan. 14, faces felony charges involving two counts of receiving stolen property, two counts of identity theft and two counts of forgery.

Quote: “We regret that this unfortunate incident occurred,” Westfall said. “We are notifying each employee who may be affected by phone and letter to provide additional information.”

Source: www.mercurynews.com, San Jose Mercury News, “Kaiser warns nearly 30,000 employees of data breach,” Feb. 6, 2009.

New Hampshire residents may have had their personal information exposed after the state Department of Health and Human services accidentally included an attachment in an email to health care providers.

How many victims? 9,300 people enrolled in prescription drug program Medicare Part D.

What type of personal information? Names, addresses, Social Security numbers.

What happened? The state agency errantly included the attachment in Dec. 1 emails to health care providers, such as nursing homes, home care providers and case managers. The emails were intended to update these 61 providers on changes to Medicare Part D, a prescription drug plan for the elderly and disabled.

What was the response? The department, which set up a hot-line to answer calls, encouraged victims to monitor their credit report. Also, officials have asked the email recipients to delete it.

Details: There is no evidence any of the data has been misused.

Source: concordmonitor.com, Concord (N.H) Monitor, “Medicare data accidentally breached,” Dec. 18, 2008.