theDataMap

Documenting all the places
personal data goes.

healthDataMap




Other government entities receive personal information from you, the patient, and from public health and discharge data from states and hospital associations.

Examples

The Agency for Healthcare Research and Quality (AHRQ) is a division of the U.S. Department of Health and Human Services focused on researching public health policy and implementation issues. AHRQ sells and purchases statewide personal hospital discharge data. AHRQ purchased data from at least 3 states: CA, PA, and TX [source]. AHRQ also sells statewide personal hospital discharge data for 23 states through its Federal-State-Industry partnership called the Healthcare Cost and Utilization Project (HCUP). [source]

  

City of Charlotte had a data breach in 2010, in North Carolina. The city of Charlotte says the personal information of 5,220 current and former city employees and elected officials has been lost. The loss affects individuals who received health insurance from the city in early 2002. Two DVDs containing the Social Security numbers of the affected individuals failed to arrive at the offices of Towers Watson & Co., the city's benefits consulting firm, in Atlanta. The discs also contained prescription-drug information for five individuals. (5,220 records involved) [source].

  

Health Planning & Development are regional government agencies. They are known to purchase statewide personal hospital discharge data from at least 3 states: CA, FL, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

City of Monroeville had a data breach in 2013, in Pennsylvania. A number of inappropriate security practices may have exposed the information of people who called Monroeville's 911 dispatch center, police department, fire department, or EMS department in 2012 or 2013. Monroeville is being investigated for possible violations of federal health privacy laws. An August 2012 complaint to the U.S. Department of Health and Human Services Office for Civil Rights stated that protected health information may have been given to a former police chief via email and that weak and poorly managed usernames and passwords were used to access a database of 911 callers' medical information. [source].

  

Indian Health Services, Office Environmental Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Contra Costa County had a data breach in 2011, in California. Residents who owed money to the county health department had their names inadvertently published in a public document. The names were published in a report to the Board of Supervisors dated July 27, 2010. The error was discovered at the end of November, 2011. No patient information was exposed, but the publication of the names in the report constitutes a breach of patient confidentiality laws. The information was removed from the online report. [source].

  

City Of Oviedo, FL purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Veterans Affairs had a data breach in 2010, in Texas. The names, Social Security numbers and treatment locations of about 140 veterans were mixed in with other paperwork. The paperwork was sent to an EEOC office and viewed by multiple persons there. It appears that the names should not have been visible. [source].

  

City of Seattle, WA purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Florida Department of Veterans Affairs had a data breach in 2010, in Florida. A digital camera with veteran information was discovered missing on November 21. It contained the names, Social Security numbers, dates of birth and images of patients. Images of veterans who had been photographed in the last three weeks were on the camera. (55 records involved) [source].

  

County Of Sacramento, CA purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hawaii State Department of Public Safety had a data breach in 2011, in Hawaii. A reporter requested statistics from the State Department of Public Safety. Though the reporter only wanted the number of people who use medical marijuana, he was sent an email with patient names, addresses, plant locations, certificate numbers, and the names of prescribing physicians. Patients became aware of the issue when information was printed in a front-page news story, though no patients were identified. [source].

  

County Of San Diego, CA purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hidalgo County Commissioners Office had a data breach in 2007, in Texas. The private medical information, including Social Security numbers and treatment details of people who sought medical assistance from the county was posted on the Hidalgo County Website. (25 records involved) [source].

  

County Of Ventura, CA purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lynchburg City had a data breach in 2007, in Virginia. Personal information of Lynchburg city employees and retirees was accidentally posted on the city's website; among that information were employees' prescription medications. [source].

  

Joint Legislative Audit & Review Committee, WA purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Milwaukee County had a data breach in 2008, in Wisconsin. Milwaukee County officials mistakenly released numerous confidential court records for a citizens group's web site that detail payments for tests and other costs linked to mental competency, paternity and guardianship cases. The records included entries for psychiatric examinations and guardianship fees in which the clients' names were still listed. [source].

  

Maine Bureau of Insurance purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Pennsylvania Department of Aging had a data breach in 2007, in Pennsylvania. A state Department of Aging-owned laptop computer containing personal information on senior citizens was stolen from a Johnstown home. The information included names, addresses, Social Security numbers and some medical information. (21,000 records involved) [source].

  

Maine Department of Labor purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Pinellas County and Florida state agency offices had a data breach in 2008, in Florida. Documents with Social Security numbers, medical information and other legally protected data were found in trash containers at government buildings. Also found were hundreds of improperly discarded records that included medical data, privileged communications between attorneys and clients, juvenile defendant records and child abuse materials. [source].

  

Maine House of Representatives purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Southwestern Indiana Regional Council on Aging (SWIRCA) had a data breach in 2010, in Indiana. Client information was on a case manager's laptop that was stolen from the SWIRCA office. Files on the laptop contained patient names, Social Security numbers, dates of birth, addresses, phone numbers, demographic information, medical condition information and case information. The laptop was stolen sometime between November 4 and 8. (757 records involved) [source].

  

Maine State Legislature purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Town Council of Chapel Hill had a data breach in 2012, in North Carolina. A licensed clinical social worker accidentally attached confidential client information to an email that was forwarded to town council colleagues. A copy of her and her husband's 2011 income tax returns was also in the email. The email automatically became available to the public and the error was noticed nearly a week later. Unfortunately, the email was also forwarded a second time to a public account. Consequently, the information was publicly available for a week. Many of the affected clients were University of North Carolina students. Names, Social Security numbers, clinical notes about client mental health, payment amounts, and insurance forms were exposed. (12 records involved) [source].

  

Office of Policy and Legal Analysis, Maine State Legislature, ME purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Utah Department of Workforce Services had a data breach in 2010, in Utah. A leak that allowed anti-immigration activists to post and circulate the names, Social Security numbers, medical information, addresses, workplaces, and phone numbers of alleged illegal immigrants in Utah has been linked to Utah's Department of Workforce Services. A large number of employees had access to this information. [source].

  

Office of the Governor, ME purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Veterans Affairs Chicago HCS had a data breach in 2010, in Illinois. The Orthopedics Department was using Yahoo.com to keep track of patient scheduling. The information had been stored on Yahoo.com since July of 2007 and multiple current and former residents of the center had access to the password and account. Patients had their name, date and type of surgery and final four digits of Social Security number exposed. The information was deleted from the web page on November 29. [source].

  

211 LA County had a data breach in 2018, in California. Los Angeles Times reports: The nonprofit organization that operates Los Angeles County's social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability. UpGuard, a cybersecurity firm based in Mountain View, Calif., said it notified the county in April that it discovered exposed Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse. It was not immediately clear whether any unauthorized people accessed the data, which was kept in a cloud storage repository maintained by 211 L.A. County, the nonprofit group that operates the county's 211 hotline. Chris Vickery, director of UpGuard's cyberspace risk research team, said the information he discovered included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack. He said it was available for public download from an Amazon web server. The data also contained records for 3.5 million calls and a substantial amount of personally identifiable information, Vickery said. That included 33,000 Social Security numbers, and in many cases full names and addresses — as well as detailed notes for 200,000 calls logged between 2010 and 2016. In one example, the notes described an elderly woman with dementia who was allegedly being abused by her son. In another, they described a meth addict who said she was suicidal. A third example included details about a woman who suffered from paranoia and was on the verge of being evicted. The firm provided The Times with screen shots of redacted records to document its discovery. [source]

  

Central City Concern had a data breach in 2014, in Oregon. Central City Concern, a non-profit in Portland, Oregon, notified individuals of a data breach that was perpetrated by an ex-employee of the agency. Federal law enforcement officers notified the non-profit that this former employee copied files from approximately 15 clients from its Access Center with the intention of filing fraudulent tax returns. CCC began an investigation and has noted that this former employee may have accessed files from March 23, 2010 through May 24, 2013. The former employee stated to authorities that they had only copied 15 files. The non-profit has set up 12 months free monitoring through Experian's ProtectMyID alert. [source]

  

City of Burlington had a data breach in 2014, in Vermont. The Office of The Clerk/Treasurer for the City of Burlington informed individuals that their names and Social Security numbers were inadvertently left unredacted as part of the individuals' request for a tax abatement that was provided to the Burlington Board of Tax Abatement (which is made up of the City Council, Mayor and City Assessor). The information was part of a clickable agenda item that was posted on the City Council's website on January 9, 2014; the information was redacted on January 13, 2014. [source]

  

City of Detroit had a data breach in 2014, in Michigan. The information was breached via Portable Electronic Device. [source]

  

City of Encinitas/San Dieguito Water District had a data breach in 2014, in California. City of Encinitas and San Dieguito Water District recently were made aware that a Cal-PERS payment document containing Social Security numbers with corresponding employee and former employee names had inadvertently been made accessible to the public on the City’s website on or about May 13, 2014 to July 3, 2014. Based on our research, we found the exposure has been limited to (16) people that accessed the document during that period. The document contained information of employees and former employees who were enrolled in Cal-PERS during the following timeframes: City of Encinitas, July 1993–October 2011; City of Encinitas Fire Safety/Fire Protection District, July 1986–October 2011; San Dieguito Water District, July 1989–October 2011. The city of Encinitas is offering 1 year free membership of Protect MyID Alert from Consumer Info.com by Experian. [source]

  

City of Hope had a data breach in 2014, in California. The City of Hope was informed by one of their vendors, Sutherland Healthcare Solutions, Inc., regarding a burglary that happened in one of their offices, where the thieves stole eight of their computers. Two of the computers contained City of Hope patient and patient guarantor information. Both computers were password protected. Sutherland Healthcare Solutions provides billing services for the City of Hope, who has since suspended their relationship with Sutherland. The information on the computers contained Social Security numbers, names, addresses, phone numbers, medical record numbers, account numbers and/or diagnoses. Law enforcement is currently investigating the incident. The City of Hope has secured the services of Kroll, a risk mitigation company, to provide identity theft protection at no cost for one year for those who may have been affected. [source]

  

City of Middletown had a data breach in 2016, in New York. [source]

  

City of Thomasville had a data breach in 2018, in North Carolina. A public records request for employee payroll information was received. The documents were prepared by the Human Resources Department. One of the documents that was released had un-formatted SSN. They were not identified as SSN. Once the document was released to the person who requested they posted the information on a Closed Facebook page. The SSN were not identified. I was notified about the post and contacted our City Attorney. Person posting info and Facebook was notified and the information was taken down approximately 3 hours after we learned it was posted. [source]

  

City of Thousand Oaks had a data breach in 2018, in California. On Feb 28, 2018, City of Thousand Oaks Financial Department learned that an unauthorized individual may have gained access to the computer used by the City's vendor to process credit card transactions. During the incident, information entered into the City of Thousand Oaks' online payment system (Click2 Gov) between Jan 4 and Jan 10 may have been accessed. This information may have included name, payment card number and expiration date. [source]

  

City of Vallejo had a data breach in 2016, in California. The information was breached via Website. [source]

  

Dallas County Texas had a data breach in 2015, in Texas. Dallas County Texas has admitted to a data breach of residents' information that has been accessible online for over 6 months. The information included names, addresses, Social Security numbers and birth dates of residents, including children. The county has had over 6 months to pull the data offline, however as of the time of this report by CBS the information had not yet been pulled. [source]

  

Dallas Fire-Rescue had a data breach in 2014, in Texas. [source]

  

Harrison Municipality had a data breach in 2016, in New Jersey. [source]

  

Housing Authority of the City of Charlotte had a data breach in 2018, in North Carolina. An email was sent purportedly from the CEO requesting W-2s for 2016 and 2017. The staff member thought it was the CEO and sent the information. [source]

  

Jefferson County Texas had a data breach in 2015, in Texas. The information was breached via Network Server. [source]

  

Kentucky Department of Fish and Wildlife had a data breach in 2016, in Kentucky. Someone illegally accessed Kentucky Department of Fish and Wildlife Resources customer information, officials announced Thursday. The information included names, addresses, birth dates, last four digits of Social Security numbers and phone numbers and email addresses. No credit card numbers, full Social Security numbers, usernames or passwords were accessed, officials said. Fish and Wildlife officials acted immediately to fix the vulnerability after learning of it earlier this week, they said. The department is working with the Commonwealth Office of Technology and other states that had similar breaches to ensure the security of their web systems. [source]

  

Linn County Auditor had a data breach in 2017, in Iowa. [source]

  

Los Angeles City Employees Retirement System had a data breach in 2017, in California. [source]

  

Oregon Department of Veterans Affair had a data breach in 2015, in Oregon. Name, benefit number, address, DOB, SSN, benefit plan selections, names of dependents were breached. [source]

  

Osceola County Juvenile Division Clerk of Courts had a data breach in 2015, in Florida. The breach occurred at the county of Osceola in Florida, specifically the Juvenile Division of the Clerk of Courts, when children's information was inadvertently exposed on their website. The names for every child charged in court cases and names of children in their foster system were exposed online via their e-file system. Currently the disclosure is being investigated. [source]

  

Osceola County Juvenile Division Court of Clerks had a data breach in 2015, in Florida. The breach occurred at the county of Osceola in Florida, specifically the Juvenile Division of the Clerk of Courts, when children's information was inadvertently exposed on their website. The names for every child charged in court cases and names of children in their foster system were exposed online via their e-file system. Currently the disclosure is being investigated. [source]

  

Palo Alto VA Health Care System had a data breach in 2015, in Virginia. [source]

  

Pinellas County Board of County Commissioners had a data breach in 2016, in Florida. The information was breached via Email. [source]

  

Regional Income Tax Agency had a data breach in 2015, in Ohio. The Regional Income Tax Agency announced Dec. 31 that nearly two months earlier it lost personal data for about 50,000 people who filed tax forms with the agency. A backup DVD with the information cannot be located, according to RITA. The agency says it will provide one year of free credit monitoring to those affected. "Nothing in our investigation indicates that the DVD was stolen, or that there has been any misuse of information," agency attorney Amy L. Arrighi said today. "Our investigation to locate the missing DVD led us to the conclusion that it was most likely destroyed." [source]

  

Sutter County Courthouse had a data breach in 2016, in California. Private personal information of potentially thousands of people was unintentionally available on public access computers in the Sutter County Superior Courthouse on Monday. The data breach occurred when a new case management system went live Monday morning. The system was taken down the same afternoon after an Appeal-Democrat reporter alerted Court Executive Officer Stephanie Hansel that sensitive and private information was viewable to the public. For about six hours, anyone who searched for a criminal or traffic case on public access computers could view the defendant's Social Security number, birthday, driver's license number and home address. State court rules clearly say such data should be redacted by court clerks for the protection of privacy. [source]

  

Sutter County Superior Court had a data breach in 2016, in California. Private personal information of potentially thousands of people was unintentionally available on public access computers in the Sutter County Superior Courthouse on Monday. The data breach occurred when a new case management system went live Monday morning. The system was taken down the same afternoon after an Appeal-Democrat reporter alerted Court Executive Officer Stephanie Hansel that sensitive and private information was viewable to the public. For about six hours, anyone who searched for a criminal or traffic case on public access computers could view the defendant's Social Security number, birthday, driver's license number and home address. State court rules clearly say such data should be redacted by court clerks for the protection of privacy. More information: [source]

  

The City of Beaumont had a data breach in 2017, in California. The City of Beaumont has suspended its online water bill payment system due to a potential data breach, chief technology officer Bart Bartkowiak said. Bartkowiak said the City of Beaumont received several notifications of unauthorized iTunes charges on bill-payers' accounts. Bartkowiak suggested any residents who have paid their water bills online between Aug. 1 and Aug. 24 to check their accounts for suspicious activity. He said that anyone who finds suspicious activity on their account should report it to their credit card issuer and their bank, to ask that their card be deactivated, to request that a fraud alert be placed on their account, and to request copies of all credit reports. [source]

  

The City Of Oceanside had a data breach in 2017, in California. Name, SSN, DLN, government identification numbers were breached. [source]

  

US Election Assistance Commission had a data breach in 2016, in District Of Columbia. The US agency responsible for certifying the security of voting machines reportedly fell victim to a hacker believed to be Russian. Security firm Recorded Future said Thursday that it discovered login credentials for computers at the US Election Assistance Commission for sale on the internet black market. The firm said its analysis identified the hacker as Russian. The breach appeared to include more than one hundred access credentials, including some with the highest administrative privileges, Andrei Barysevich, director of advanced collection at Recorded Future, wrote in a blog post. These administrative accounts could potentially be used to access sensitive information as well as surreptitiously modify or plant malware on the EAC site. [source]

  




Copyright © 2012-2016 President and Fellows Harvard University.