The Data Breach Blog

Delaware retirees' personal information posted on state website

Angela Moscaritolo August 31, 2010

The personal information of Delaware state retirees was included in a request for proposal (RFP) that made its way onto the state's website for five days before it was discovered and removed.

How many victims? 22,000.

What type of personal information? Social Security numbers, genders and dates of birth.

What happened? The RFP, which contained state retirees' sensitive information, was prepared by Aon, a consulting company that provides services to the state of Delaware for health and benefit programs. Aon prepared the document for the state to solicit bids from insurance companies interested in providing vision benefits to state employees and retirees. The RFP was posted to the procurement section of the state website to allow interested bidders access to the proposal document.

State staff discovered and removed the document five days after it was posted.

Details: The document did not include retiree names or current state employee information.

What was the response? Letters are being sent to affected individuals who will be offered one year of free credit monitoring.

Source: http://www.newarkpostonline.com/, Newark (Del.) Post, “State employee retirees' Social Security numbers posted on website by vendor,” Aug. 30, 2010.

 

Stolen UConn laptop contained applicants' personal information

Angela Moscaritolo August 20, 2010

A laptop containing sensitive data from University of Connecticut applications recently was stolen.

How many victims? 10,174.

What type of personal information? Names and Social Security numbers.

What happened? The laptop, which was being kept in a storage cabinet at the UConn West Hartford campus' information technology department, was discovered missing on Aug. 3.

Details: The computer had undergraduate admissions files that contained contact information and Social Security numbers of the applicants. The information spans the period from 2004 through July 30, 2010.

There is no indication the laptop was stolen for the purpose of identity theft.

What was the response? Steps have been taken to prevent unauthorized access to the university through the computer. UConn police are looking into whether school security policies were followed.

Affected individuals are being notified about the breach and offered free credit monitoring coverage for two years.

Source: www.westhartfordnews.com, West Hartford News, “Laptop with Social Security numbers stolen from UConn West Hartford,” Aug. 19, 2010.

 

Personal data of unemployed Oregon residents, psychology patients stolen

Angela Moscaritolo August 16, 2010

Two Oregon car burglaries in the past week have resulted in the loss of the personal information of thousands of Portland, Ore. psychology patients and unemployed state residents.

How many victims? 4,000 Portland, Ore. psychology patients and 2,900 unemployed state residents.

What happened? An unsecured laptop containing patient names, Social Security numbers and diagnoses was stolen from Oregon psychologist David Gostnell's vehicle during the weekend of Aug. 6. Separately, a data storage device containing the names and Social Security numbers of unemployed residents of Multnomah County in Oregon was stolen from the car of a Portland Community College (PCC) employee on Aug. 5.

Details: Gostnell runs a private practice in northeast Portland and works at Oregon Health & Science University. Records from patients Gostnell treated at OHSU were not on the stolen laptop.

The laptop was password-protected, but a disc left in the CD drive contained a partial backup of the hard drive, including sensitive patient information. Gostnell's briefcase, which contained patient evaluation records, was also stolen. All of those records were recovered in a nearby trash bin shortly after the theft. Gostnell does not believe the items were stolen to obtain patient information.

Meanwhile, the PCC-related burglary involved the theft of a flash drive containing the personal information of participants in the Oregon Food Stamp Employment Transition Program, which is operated at PCC and provides support and job-hunting skills for unemployed Oregon residents. A PCC employee who worked at multiple sites was transferring the data from one site to another when the theft occurred. The flash drive was in a bag that was stolen from the car.

Quote: "There is no evidence that any name or Social Security number has been used so far," said Dana Haynes, spokesman for PCC.

What was the response? Individuals who have been evaluated by Gostnell can call (877) 461-7657 if they have questions about the matter.

PCC has sent letters to affected individuals and offered them a one-year subscription for credit-protection services. The college also has posted credit protection information online.

Source: http://www.oregonlive.com/, The Oregonian, “Car thieves get personal data on Portland psychology patients, unemployed Oregonians,” Aug. 12, 2010.

 

Information of students and employees at six Florida colleges exposed

Angela Moscaritolo August 11, 2010

The confidential information of students and employees at six Florida community colleges was publicly available on the internet for five days due to a state library service center software glitch.

How many victims? 126,000.

What type of personal information? Unspecified data that is protected under Florida state law. This means it may have included names, Social Security numbers and driver's license or Florida information card numbers. Compromised information did not include financial or library records.

What happened? The College Center for Library Automation (CCLA), which provides services and resources to Florida's public colleges, determined the breach happened as a result of a software upgrade.

The information was available online from May 29 to June 2. Six state community colleges were affected because their borrower records were contained in temporary work files that were being processed at the time the breach occurred. The library agency learned of the incident on June 23, after a student reported finding personal information through a Google search.

Officials from the library agency said they believe the information was viewed by unauthorized individuals, but there is no evidence the data has been misused.

Details: Employees and students were affected at Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College and Tallahassee Community College.

Quote: "We pride ourselves on protecting private information and deeply regret this inadvertent exposure," said Richard Madaus, CEO of CCLA. "I apologize to those involved for any worry or inconvenience this may cause them. We will continue to enhance our technology to safeguard all of the information entrusted to us."

What was the response? Affected individuals are being notified by letter. Additionally, the agency began an investigation after discovering the breach, and the case has also been turned over to the county sheriff's office.

Source: Sun-Sentinel.com, South Florida Sun-Sentinel, “Broward College student data exposed,” Aug. 10, 2010.

 

Laptop containing patient data stolen from Philadelphia hospital

Angela Moscaritolo August 04, 2010

A laptop containing the personal information of patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia.

How many victims? 21,000.

What type of personal information? Names, birth dates, insurance information and Social Security numbers.

What happened? The laptop was stolen from an office in the hospital on June 14.

A hospital employee violated policy by copying data from the hospital's computer system to a laptop. The employee will be subject to unspecified disciplinary action.

Details: The laptop was password-protected, but the data was not encrypted.

Quote: “As upsetting as it is for me, I know it is even more upsetting for the people who have gone through it and I am really sorry that they have to deal with this,” said Thomas Lewis, Jefferson's president and chief executive.

What was the response? Jefferson has notified affected individuals and offered to provide them with identity theft protection services. Risk consultancy firm Kroll was brought in to conduct an investigation into the incident. Also, an internal review of hospital policies and procedures was carried out to ensure a similar incident does not occur in the future.

Source: Philly.com, “Huge loss of patient data at Jefferson,” July 29, 2010.

 

Sensitive thumb drive missing from New Jersey hospital

Angela Moscaritolo August 02, 2010

A thumb drive containing the personal data of current and former graduate medical education residents and fellows at Cooper University Hospital in Camden, N.J. has gone missing.

How many victims? Unspecified.

What type of personal information? Social Security numbers, addresses and phone numbers.

Details: The thumb drive went missing on July 8. No employee or patient information is believed to have been compromised.

What was the response? Affected individuals have been notified. Additionally, the hospital reported the incident to state and local police, who are investigating. The hospital also is conducting an investigation and has initiated a plan to protect any personnel who could be affected by the breach.

Quote: "Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive," the hospital said in a statement.

Source: 6abc.com, 6 ABC Action News, “Potential security breach at Cooper Univ. Hospital,” July 28, 2010.

 

Employee at Maryland state agency posts client information online

Angela Moscaritolo July 21, 2010

The personal information of clients of the Maryland Department of Human Resources (DHR) recently was posted on a third-party website, where it remained for nearly three months.

How many victims? 3,000.

What type of personal information? Social Security numbers and other unspecified personal information.

What happened? The information was posted by an employee of the Maryland DHR, a state agency that provides benefits, such as food stamps and other aid, to clients. The employee has since been placed on administrative leave and could face disciplinary action.

The breach was discovered by staff of the Liberty Coalition, a nonprofit that promotes individual freedoms. The group's privacy director, Aaron Titus, said the information was posted from April 27 to July 14.

Staff members at Liberty Coalition tried to notify DHR officials about the breach on July 9 but were unsuccessful until July 12. The data was taken down on July 14.

Details: There currently is no evidence that the information was used for identity theft.

Quote: "We take the privacy of the data that's entrusted to us very seriously," said DHR spokeswoman Nancy Lineman.

What was the response? An investigation into the incident was initiated. Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.baltimoresun.com, The Baltimore Sun, “State employee posts nearly 3,000 SSNs online,” July 19, 2010.

 

Sensitive database compromised at Buena Vista University

Angela Moscaritolo July 21, 2010

A sensitive database belonging to Buena Vista University in Iowa was compromised, exposing the information of students and staff.

How many victims? 93,000.

What type of personal information? Social Security numbers, addresses and driver's license information.

What happened? An investigation conducted by auditing and advisory firm KPMG revealed "some irregularities" in Buena Vista University's network. It was confirmed that unauthorized access to the database occurred in June.

Details: Personal information of students and staff dating back to 1987 could be vulnerable.

University President Frederick Moore has apologized for the incident and said that the university is trying to mitigate potential harm.

Quote: “We do not believe any of the information was misused or provided to a third party,” a university spokesperson said.

What was the response? The case has been handed over to the U.S. attorney's office, which is conducting an investigation into the matter.

Affected individuals are being notified and offered a one-year subscription for credit monitoring services.

Source: www.SCMagazineUK.com, SC Magazine UK, “Personal details of 93,000 staff and students at US university could be exposed after database compromise,” July 19, 2010.

 

American Airlines hard drive stolen

Angela Moscaritolo July 09, 2010

A hard drive containing the personal information of tens of thousands of current and former employees of American Airlines recently was stolen from the company's Fort Worth, Texas headquarters.

How many victims? 79,000.

What type of personal information? Names, addresses, dates of birth, Social Security numbers and a "limited amount" of bank account information. Additionally, some health insurance information may have also been included — mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

Details: The stolen hard drive contained images of microfilm files that contained the sensitive information. Some of the employee files also contained information on beneficiaries and dependents. The data spans a period from 1960 to 1995.

What was the response? Affected individuals have been notified and offered one year of free credit monitoring services. Additionally, the airline has increased security at its headquarters, including testing its computers for vulnerabilities. An investigation into the incident is currently ongoing.

Source: cbs11tv.com, “American Air Parent Claims Worker Data Compromised,” July 2, 2010.

 

Hacker accesses sensitive University of Hawaii server

Angela Moscaritolo July 07, 2010

A cybercriminal recently gained access to a University of Hawaii at Manoa (UH-Manoa) parking office computer server that contained the personal information of tens of thousands of individuals.

How many victims? 53,000.

What type of personal information? Names, Social Security numbers, addresses, driver's license numbers, vehicle information and credit card information.

Details: A server used by the UH-Manoa parking office was accessed on May 30, though school officials are unsure how the cybercriminal gained entry. The hacker left behind a virus on the server. The breach was discovered during a routine audit on June 15.

There were 40,870 Social Security numbers and 200 credit card numbers on the server. Those affected include UH-Manoa faculty and staff members employed in 1998, along with anyone who did business with the parking office between Jan. 1, 1998, and June 30, 2009.

Students who paid for parking passes using a credit card were not affected.

Quote: "There is no indication that any information was misused, downloaded or viewed by the hacker," said Gregg Takayama, a university spokesman.

What was the response? Social Security numbers, which are no longer used for parking transactions, are being removed from all parking databases. The university is strengthening its internal automated network monitoring practices and performing evaluations of systems to identify other potential security risks.

Affected individuals have been notified by mail and email. The matter was turned over to Honolulu police, the FBI and UH-Manoa's forensic investigator.

Source: Staradvertiser.com, Honolulu Star Advertiser, “UH breach affects 53,000,” July 7, 2010.