theDataMap

Documenting all the places
personal data goes.

healthDataMap


Legend: with your name, without your name.
Click on a circle above for names of organizations and details of data shared.


Social Services are local, state or federal government public services including healthcare, public housing, youth, family and senior programs and assistance for people with disabilities. These government organizations collect medical information from you, if you are a member of a population they serve. Even being on a department's list may imply medical conditions.

Examples

DHHS purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Area Agency on Aging, Inc. had a data breach in 2011, in Ohio. The June 3 theft of a laptop from an employees car resulted in the exposure of consumer information. The laptop was assigned to a PASSPORT case manager. It contained the health information of 43,000 consumers and the personal contact information of 35,000 related clients personal representatives. [source].

  

Ca Wic Association purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Avalon Centers had a data breach in 2011, in New York. A former judge was arrested for making false statements to a federal agent. The former judge was attempting to reopen an eating-disorder clinic and tossed old records into a nearby dumpster in June of 2010. Authorities found 15 to 20 boxes of papers with patient names, Social Security numbers, addresses, dates of birth, medical complaints, medical diagnosis, treatment information and other health information. When a federal agent asked the former judge about the boxes, he responded that they contained business information without any sensitive medical information. (172 records involved) [source].

  

Department Of Social & Health Services, WA purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Butler County Department of Job and Family Services had a data breach in 2010, in Ohio. The Agency learned in 2008 that confidential records were being left in public dumpsters without being shredded. Documents from Medicaid, Food Stamps, Ohio Works First, and child care programs included information such as Social Security number, name, address, phone number and pay stub. The agency failed to notify those who were affected. (10,600 records involved) [source].

  

Department Of Veterans Affairs, Palo Alto purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Health Care Services had a data breach in 2010, in California. The California Department of Health Care Services released confidential and identifying information about HIV positive Medi-Cal recipients to a third party service provider. A network of organizations have deemed this action illegal and unauthorized. A letter was sent by the network asking for an explanation of how this happened and reassurance that it will not happen again. [source].

  

DSHS-Cancer Epi. & Surveillance purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Health Care Services had a data breach in 2010, in California. The personal security of nearly 50,000 people may have been breached by the California Department of Health Care Services. Social Security numbers were printed on the address labels of letters that were mailed by the department. State employees mistakenly included the numbers in a list of patient addresses. The list was sent to an outside contractor, who printed and mailed the envelopes. (50,000 records involved) [source].

  

DSHS-Community Preparedness Section purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Health Services had a data breach in 2005, in California. A laptop containing the names, Social Security numbers, and medical information of Medi-Cal beneficiaries was stolen from the car trunk of an employee. The Department of Health Services began notifying beneficiaries in late May. (21,600 records involved) [source].

  

DSHS-Emerg & Acute Infec Disease purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Health Services (CDHS) had a data breach in 2006, in California. On June 12, a box of medi-Cal forms from December 2005 were found in the cubicle of a california Dept. of Health Services employee. The claim forms contained the names, addresses, Social security numbers and prescriptions for beneficiaries or their family members. (1,550 records involved) [source].

  

DSHS-Region 9/10 purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Healthcare Services had a data breach in 2012, in California. Names and Social Security numbers were discovered on the website of the Department of Health Care Services. People who sent their information in order to become a provider of In-Home Supportive Services (IHSS) may have had their information exposed online between November 5, 2012 and November 20. The issue was discovered on November 14 and was not fully addressed until November 20. The list should have only contained provider names, addresses, and provider types. It also contained Social Security numbers that were listed in the column for Provider Billing Numbers. The Social Security numbers were not easily recognizable in this format.UPDATE(12/11/2012): Nearly 14,000 people were affected. (14,000 records involved) [source].

  

DSHS-Tower Library- Chsu purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Chautauqua County Department of Social Services had a data breach in 2006, in New York. Paperwork being used in Medicaid fraud investigations was stolen from an employees car. The theft occurred sometime between July 31 and August 1. People who were being investigated may have had their private information exposed. (12 records involved) [source].

  

Florida Department Of Children & Families purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Child Protective Services had a data breach in 2008, in Texas. Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft, such as Social Security numbers, were also found in the trash. [source].

  

JWB Childrens Services Council Of Pinellas purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Social and Health Services - Washington had a data breach in 2011, in Washington. A coding error caused mailing mistakes to be made in July. Medical enrollment forms with the addresses of custodial parents were sent to non-custodial parents. However, no addresses were disclosed in cases involving foster care of domestic violence. [source].

  

Academy of Art University had a data breach in 2016, in California. Three thousand employees with the Academy of Art are scrambling to find out if their financial and credit information has been compromised in the wake of a sophisticated email spoof.On March 4th, someone in the Academy of Art human resources department received an e-mail purporting to be from a senior executive with the Academy demanding the W-2's of every single employee. The e-mail address looked legit, but it wasn't. It had been spoofed. [source]

  

California Department of Child Support Services had a data breach in 2014, in California. The California Department of Child Support Services has notified individuals of a data breach that resulted in unauthorized disclosure of personal information. On April 7, 2014 letters from the Solano County Department of Child Support Services were misplaced while in the custody of a contracted courier who was transporting mail to the US Post Office. [source]

  

California Department of Corrections and Rehabilitation had a data breach in 2016, in California. [source]

  

California Department of Justice had a data breach in 2016, in California. Radio (KPCC), an NPR affiliate, sought all information on Firearms Safety Certifications available from the California Department of Justice.The information was released in October, and a clerical error gave the reporter wide access to the personal information of 3,424 firearms instructors -- whose dates of birth, driver's license numbers and California identification numbers were handed over, according to NRA-ILA, the legislative arm of the National Rifle Association.The error was caught two months later, and the California DOJ sent out a letter to all of the Golden State's instructors letting them know their personal information had been compromised. [source]

  

California Department of Motor Vehicles had a data breach in 2015, in California. [source]

  

Damariscotta County Sherrifs Department had a data breach in 2015, in Maine. A Sheriffs Department in Damariscotta Maine was forced to pay hackers $300 in bitcoins to retrieve confidential records being held hostage by hackers who broke into their system. The FBI traced back the bitcoins to a Swiss account but have no other details as to who perpetrated this hacking. The malware installed on the system happened when someone at the Sheriffs department clicked a link allowing the malware to be installed on their system, which in turn the hackers then held the information hostage until they were paid a ransom to release the malware. [source]

  

Dover School District had a data breach in 2015, in Massachusetts. Personal information for close to 160 volunteers in Dover's school district — including their fingerprint cards and social security numbers — was “mistakenly destroyed” this fall, according to city officials.Between early September and the beginning of last month, a janitor working for S.J. Services in Danvers, Mass., bagged up numerous postmarked envelopes to be sent to the state for background checks, and walked them out to the Dumpster. Inside the envelopes was personal biographical information. [source]

  

Erie County Department of Social Services had a data breach in 2013, in New York. An audit revealed that several employees had not been following correct protocol for patient record disposal. Employees had inadvertently exposed Social Security numbers, copies of birth certificates, personal medical records, tax returns, bank account information, inmate records, payroll information, court records, and passports. Employees should have been using locked disposal totes for shredding and were discarding documents in recycling totes instead. [source]

  

Franklin County Children Services, Parenthesis Family Advocates had a data breach in 2011, in Ohio. Boxes of files were found by a recycling bin. The files contained sensitive information from children with Franklin County Children Services. Medical information, criminal records and other personal documents were left out in the open. The papers have been linked to someone with access to Parenthesis documents; however the cause of the breach is unknown. [source]

  

Idaho Department of Fish and Game had a data breach in 2016, in Idaho. Idaho Fish and Game today learned that personal information for license buyers who began purchasing hunting and fishing licenses and tags prior to 2008 was potentially accessed by a breach of the online computer license sales system owned and operated by Active Network, a Texas-based company.During a Friday afternoon conference call, Active Network executives told Fish and Game that it cannot confirm whether any personal information was actually taken but that it is possible.The data breach apparently occurred sometime over the summer.  Personal information potentially includes name, age, address, and Social Security Number.  Idaho Fish and Game is required by state law to obtain this information to issue a license. Credit card information is not kept in the Active Network licensing system and Fish and Game is confident it was not accessed. [source]

  

IRS had a data breach in 2016, in District Of Columbia. [source]

  

Kansas Department of Aging had a data breach in 2012, in Kansas. [source]

  

Los Angeles County Department of Social Services had a data breach in 2006, in California. File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended for at least one month. This affects employees and clients. [source]

  

Main Department of Health and Human Services had a data breach in 2017, in Maine. The Maine state government is notifying 2,100 Mainers who have received foster care benefits that their personal information was temporarily compromised.The Maine Office of Information Technology said Monday that names, addresses and Social Security numbers of people involved with the Department of Health and Human Services' foster care system, including children and their legal guardians, were posted on a third-party website and taken down when state officials noticed. [source]

  

Maryland Department of Health and Mental Hygiene had a data breach in 2014, in Maryland. The Department of Health and Mental Hygiene says hackers hit Service Coordination Incorporated of Frederick, which provides case management services to nearly 14,000 Maryland residents. SCI,in a letter provided to WBAL News, indicates that its computers were hacked between October 20th and October 30th and that access was gained to confidential information. That potentially includes names, social security numbers, medical assistance numbers, and other vital information, some shared with the Maryland Developmental Disabilities Administration. [source]

  

Massachusetts Department of Revenue had a data breach in 2017, in Massachusetts. Officials with Massachusetts' tax collection agency suffered a data breach affecting 39,000 business taxpayers. The breach lasted from early August through Jan. 23, 2017, and allowed companies to view other business's names, tax identification numbers, amount and date of tax payments, number of employees and banking information about their payroll processor. Only one social security number was exposed. [source]

  

Metropolitan Health District had a data breach in 2011, in Texas. The information was breached via Email. [source]

  

Miami-Dade County had a data breach in 2014, in Florida. [source]

  

Milford Schools had a data breach in 2014, in Massachusetts. [source]

  

Mule Creek State Prison had a data breach in 2015, in California. Mule Creek State Prison notified individuals of a breach when documents submitted to the prison were scanned into a computer folder where employees outside of the prison may have access to it. The information contained names, Driver License numbers and Social Security numbers. [source]

  

New York City Human Resources Administration and New York City Department of Health and Mental Hygiene had a data breach in 2010, in New York. The information was breached via Network Server. [source]

  

New York State Psychiatric Institute had a data breach in 2016, in New York. For one week in late April and early May, a hacker (or hackers) got into servers that held information provided by 22,000 people for 11 mental health studies being done at the New York State Psychiatric Institute.These were not patients being treated at the institute, but subjects of its research.They included, among others, school children directly exposed to the events of Sept. 11; Puerto Rican youth; severely emotional disturbed young people in Westchester County and their caretakers; people in the Bronx suffering from post-traumatic stress who have family in the criminal justice system; students at three schools in Queens and four others in Washington Heights, Manhattan, whose mental health needs were being assessed.It was a hack with different fingers, infiltrating two servers operated by the State of New York and plucking out information of varying calibers. For about 9,000 people, it captured the kind of data that is sold to identity thieves, like names, addresses and so forth. [source]

  

Ohio Department of Developmental Disabilities had a data breach in 2010, in Ohio. Names, birth dates, Social security numbers and medical information were accessed in records of students dating back to 2001, plus faculty, workers and regional campus students. [source]

  

Shelby County Tennessee had a data breach in 2017, in Tennessee. A polling machine sold on eBay and purchased for use at the DEF CON hacker conference in Las Vegas has been found to contain the personal information of over 650,000 voters.Organizers purchased what they believed to be a decommissioned machine, an ExpressPoll-5000, for use at the DEF CON Voting Village, where hackers tested the security of voting machines (with frightening results). Rather than a blank machine, with all sensitive information wiped from its memory, hackers discovered the personal data of hundreds of thousands of voters from Shelby County in Tennessee.According to Gizmodo, whose reporter views some of the records, the information included name, address, birth date as well as political party and method of voting - in absentee or after providing identification. [source]

  

Solano Community College had a data breach in 2016, in California. [source]

  

State Department had a data breach in 2015, in District Of Columbia. [source]

  

State of California Department of Health Care Services (DHCS) had a data breach in 2012, in California. Beneficiary Identification Cards (BICs) were mailed to the wrong recipients between December 10 and December 18. A computer programming error caused the BICs of children being moved from Healthy Families program enrollment to Medi-Cal enrollment to be sent to households of other Medi-Cal and Healthy Families participants. Names, Client Index Numbers, dates of birth, genders, and card issue dates were exposed. People who received incorrect cards were instructed to return them. Stamped envelopes that were addressed to DHCS were sent out with breach notifications. [source]

  

Texas Department of Assistive and Rehabilitative Services had a data breach in 2011, in Texas. Current and former employees may have had their personal information exposed. Notification of the incident was sent as soon as Department of Assistiveand Rehabilitative Services (DARS) officials learned of the breach. Though a law enforcement investigation is taking place, no information regarding the date of the breach, the cause of the breach or the type of information exposed has been disclosed. [source]

  

Texas Department of Health and Human Services had a data breach in 2013, in Texas. A dishonest employee was arrested on suspicion of misusing client information to apply for credit cards. The dishonest employee was able to pose as different clients seeking immunizations and other services. She was charged with fraudulent use or possession of identifying information and credit card abuse. UPDATE(01/31/2013): The employee was working for the Northeast Texas Public Health district when she was arrested for stealing the identities of patients at a clinic in Mount Pleasant. She began working in the Texas Department of State Health Services clinic in 2008. [source]

  

University of Kentucky Newborn Screening Program had a data breach in 2010, in Kentucky. A laptop with information from the Department of Pediatrics Newborn Screening Program was stolen from a locked private office. Patient dates of birth, names and medical record numbers were on the password-protected laptop. Some patients also had Social Security numbers on the laptop. [source]

  

US Investigations Services (USIS) had a data breach in 2014, in Virginia. Name, dob, ssn, username/passwords were breached [source]

  

Virginia Beach Dept. of Social Services had a data breach in 2010, in Virginia. At least eight human services employees, including supervisors, have been fired or disciplined in the past year for wrongfully accessing confidential and personal information about former employees, family members and clients. The violations include a boss who forced her employees to gather information from a state database about her husbands child and a worker who checked on the status of a dead clients Medicaid benefits to help the clients family. Most of the cases stemmed from the agencys financial assistance department, which handles food stamps, Medicaid assistance, grants for the disabled and emergency relief for needy families. As part of their jobs, the 330 employees in the department who provide social services have varying degrees of access to secured databases. They need the information to determine whether a client qualifies for financial help. [source]

  
  

(return to health DataMap)



Copyright © 2012-2016 President and Fellows Harvard University.