Documenting all the places
personal data goes.


Legend: with your name, without your name.
Click on a circle above for names of organizations and details of data shared.

Education includes childcare, primary, secondary and college educational institutions. This excludes research or healthcare provider divisions at universities. The families of children in school are required to submit vaccine and allergy information and often encouraged to share medical conditions and medications with the staff at the school.


Caduceus Therapeutics purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.


Berkeley Public Schools had a data breach in 2016, in California. The Bay Area News Group, a publisher of multiple Bay Area newspapers, requested information on public employee salaries of the school district. The school district complied with the request, however the employee who transmitted this information to the news group inadvertently put Social Security numbers of the employees as part of the information. The school district is offering one year free subscription to an identity protection program provide by Identity Fraud Inc. [source]


Bonita Unified School District had a data breach in 2015, in California. [source]


Campbell Union High School District had a data breach in 2017, in California. [source]


Central Islip Union Free School District had a data breach in 2018, in New York. On February 1, 2018, Central Islip Union Free School District  learned of a potential data incident which may have resulted in unauthorized access to certain personal information. Specifically, a window envelope was utilized to mail certain forms to current and former employees of the District. It appears if the contents were placed in a certain way within the envelope and the envelope was tapped in various ways it may have permitted some information to be viewable through the envelope's window. The data elements involved may have included name, address, and Social Security number. [source]


DeKalb County School System had a data breach in 2015, in Georgia. DeKalb County School System notified teachers of a data breach when a mass email was sent out to the system's special education teachers. Sensitive information was exposed within the email which included first, middle and last names, and Social Security numbers.[source]


Escondido Union School District had a data breach in 2015, in California. Name and ssn were breached via Desktop Computer . [source]


Essex Youth Commision Summer Program had a data breach in 2010, in Massachusetts. Name, email address, phone number, billing address, shipping address, order info, user name, credit/debit card data, [source]


Harvard University had a data breach in 2015, in Massachusetts. Harvard University notified individuals of a data breach to their system that included 8 colleges and administrations. Those colleges and administrations include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health. The university has not commented on how many individuals were affected or what information was compromised. The university is requesting that anyone who is associated with any of the entities to change their username and password. [source]


Lake Norman High School had a data breach in 2015, in California. Lake Norman High School notified students of a breach when a Lake Norman High School student who obtained an administrative password, however the student was able to manipulate the script that contains the admin password. [source]


Lake Ridge Middle School had a data breach in 2010, in Virginia. A USB drive containing student names, identification numbers, phone numbers, and medical information was stolen from the unlocked car of a school administrator at the employees home. Over 1,200 students were affected. [source]


Langston Hughes Young Explorers Academy had a data breach in 2016, in New York. Eyewitness News has learned exclusively that the pile of papers contain extremely personal documents, including private medical information and social security numbers of students, documents that no one outside the school is supposed to see, but that were left fully exposed on the street for anyone to see.The papers were apparently left by workers at the Langston Hughes Young Explorers Academy, also called PS 236.They are from the 2007-2008 school year, but many contain up to date addresses and phone numbers of students and parents, and potentially embarrassing medical information along with social security numbers.[source]


Las Cruces Public Schools had a data breach in 2008, in New Mexico. A part-time computer analyst for las Cruces Public Schools inadvertently posted personal data for 50 special education students and 1,750 district employees on the Internet. information posted included Social Security number, date of birth, name, the nature of disability and caseworkers name. [source]


Lewis-Palmer School District 38 had a data breach in 2016, in Colorado. [source]


Mallard Creek High School had a data breach in 2017, in North Carolina. [source]


Miami Dade County School District had a data breach in 2017, in Florida. [source]


Miami Northwestern Senior High School had a data breach in 2012, in Florida. A group of volunteers discovered school materials inside of a public dumpster. There were folders containing sensitive student records among textbooks, novels, and workbooks. The folders contained student Social Security numbers, health records, grade reports, and student education forms. An administrative error meant that custodians discarded obsolete materials that had been stored. The items should have been delivered to the districts central warehouse or sold to used-book dealers. The items were recovered and transmitted to the correct locations. [source]


Monticello Central School District had a data breach in 2017, in New York. Name or other personal identifier in combination with SSN for 2 Maine citizens breached. [source]


Nazareth Area School District had a data breach in 2016, in Pennsylvania. [source]


Orange Public School District had a data breach in 2014, in New Jersey. Orangeburg-Calhoun Technical College in South Carolina is notifying 20,000 former and current students and faculty members that an unencrypted laptop computer stolen this month from a staff member's office contained their personal information.The information contained on the laptops included names, birth dates and Social Security numbers of individuals.The college stated that the information goes back 6 or 7 years and that they believe the thief was after the hardware, not the data stored on it. The college neglected to comment on whether or not they are providing credit monitoring services for those affected. [source]


Platt College had a data breach in 2017, in California. [source]


Poway Unified School District had a data breach in 2016, in California. The Poway Unified School District notified parents of a data breach when the district inadvertently sent information on 70,000 individuals, including students to a parent who requested information on their specific child only."The information released did not include Social Security numbers,” the statement said. However, it included directory information and district-based test scores, some of which are protected information under the Family Educational Rights and Privacy Act.”The information compromised included children's names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. [source]


Provo City School District had a data breach in 2014, in Utah. [source]


Questar Assesment had a data breach in 2016, in Mississippi. Mississippi education officials said Monday that a recently disclosed data breach by a testing vendor has exposed information from 663 students in Tupelo and Jefferson County.State Superintendent Carey Wright said that Questar Assessment believes an unauthorized user gained access to records from 2016 tests for 490 students at Tupelo Middle School, 72 at Tupelo High School and 101 at Jefferson County Junior High on Dec. 31 or Jan. 1.Among the items exposed were student names, state identification numbers, grade levels, teacher names and test results. Mississippi officials say they don't share addresses or Social Security numbers with Questar. [source]


Questar Assessment had a data breach in 2017, in Minnesota. A data breach at testing vendor Questar Assessment exposed personal information of about 52 students in five New York schools, state Education Commissioner MaryEllen Elia said Thursday.Questar, headquartered in Apple Valley, Minnesota, reported that someone accessed a small amount of “personally identifiable” information from Dec. 30 to Jan. 2, Elia said. The data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores. [source]


Ravenel Elementary School had a data breach in 2011, in South Carolina. A Memorial Day weekend office burglary resulted in the theft of two laptops and a flash drive. The flash drive may have contained student information. This potential exposure includes copies of Medicaid release forms with student names, parent names and Medicaid numbers. [source]


Risk Solutions International LLC, Loudoun County Public Schools had a data breach in 2014, in Virginia. Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school.More than 1,300 links could be accessed through a Google search, thought to be password protected, unveiled thousands of detailed documents as to how each school in the district will respond to a long list of emergencies, which included the staging areas for response teams as well as where the students and staff would be located during an emergency.Additional documents that could be accessed included students' courrse schedules, locker combinations, home addresses, phone numbers and birthdates along with the address and cell phone numbers for many school administrators.The contractor Risk Solution International acknowledged that the breach was caused by "human error" on their part, which is said to be the cause of the data breach. UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI).According to school officials, the investigation is continuing as to how the webpage, which was made accessible through online search engines without any password protection happened. The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals.Locker combinations were revealed for one school and only one parent contact information was revealed for fewer than 10 schools according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th , December 19th and December 24th 2013. (1/9/2014) [source]


Riverside Unified School District had a data breach in 2017, in California. On December 5, 2017, a San Diego County office of Education employee inadvertently sent an employee retirement contribution spreadsheet to San Diego County Office of Education's retirement contribution contacts at forty-four (44) school districts throughout Southern California. The impact likely affected 1 Idaho resident. [source]


San Mateo Foster City School District had a data breach in 2016, in California. On April 6, 2016, we were informed that a thumb drive, containing certain information on all of our active employees, including me, was inadvertently misplaced.  We have devoted considerable time and effort to try and locate the thumb drive, as well as to determine what exact information may have been included on it, and as such, is at risk of disclosure.Please know that we take this situation very seriously.  The police were notified and a pollice report was filed; however, at this time, the thumb drive has not been recovered.The information compromised included names, addresses and Social Security numbers. [source]


School for the Physical City High School had a data breach in 2009, in New York. Boxes of student records were piled in the street in front of the old home of the School for the physical City. Some records contained the Social Security numbers, grades, signatures and even psychological reports of former students of the public intermediate high school. The boxes contained hundreds of records and were sitting next to a trash bin filled with old desks and other discarded school supplies. the School for the Physical City moved to a new location over the summer and apparently the records were thrown out with the trash during the relocation.UPDATE (9/12/10): A parent and child are suing the New York City Department of Education. [source]


Seattle Public Schools had a data breach in 2014, in Washington. The information was breached via Website. [source]


South Washington County School District had a data breach in 2017, in Minnesota. The information was breached via Email. [source]


St. Vrain Valley School District had a data breach in 2006, in Colorado. [source]


Thomas Nelson Community College had a data breach in 2015, in Virginia. Thomas Nelson Community College notified students of a data breach when their personal information was inadvertently sent to 11 current nursing students. "We learned on December 9, 2015, that on December 8, 2015, your confidential student information to include name, address, phone number, social security number, student identification number, date of birth, immunization dates, background check results (no offenses listed), grades, and student progress indicators were emailed to eleven current nursing students.  Each of the email recipients has been contacted and directed to permanently delete this information.  While there is no indication that your information has been misused in any way, as a precautionary measure, we are offering a complimentary one-year membership to Experian’s® ProtectMyID®." [source]


University California Santa Cruz had a data breach in 2017, in California. On January 13, 2017, two unencrypted laptops were stolen from the home of a University of California, Santa Cruz (UC Santa Cruz) researcher/instructor. The theft was discovered the same day and a police report was filed, but at this time no items have been recovered.Our investigation confirmed that the stolen laptop contained copies of your UC Santa Cruz narrative evaluations. There is no indication that the student information was the intended target.What Information Was Involved? These UC Santa Cruz narrative evaluations dating from 2000 to 2004 contained personally identifiable information including your name and Social Security Number (SSN) (which was used as the Student ID number prior to 2005). In addition to SSN, student record information including grades, narrative evaluations and email addresses were on the stolen laptops.The data was not encrypted. [source]


University of Connecticut had a data breach in 2016, in Connecticut. The University of Connecticut has notified individuals of a breach when malware was found on their website "prompting visitors to download a malicious program posing as Adobe Flash Player, according to a university spokesman." [source]


Uxbridge School District had a data breach in 2014, in Massachusetts. [source]


Valley of the Sun YMCA had a data breach in 2017, in Arizona. On 9/21/2017 Valley of the Sun YMCA suffered a system breach (hack) that affected 2649 records, which included names as well as credit card or financial account information. [source]


West Virginia Division of Rehabilitation Services had a data breach in 2006, in West Virginia. A laptop was stolen July 24 containing clients names, addresses, SSNs, and phone numbers. data was password protected. [source]


Xavier University had a data breach in 2011, in Ohio. Sensitive student athlete medical records were misplaced by a coach who was transplanting them to an athletic event. A recently released prisoner found the documents and attempted to sell them back to the University for $20,000. The man was caught, pled guilty to extortion, and was sentenced to two years in prison. [source]


YMCA of Greater Providence had a data breach in 2006, in Rhode Island. A laptop computer containing personal information of members was stolen. The information included credit card and debit card numbers, checking account information, social Security numbers, the names and addresses of children in daycare programs and medical information about the children, such as allergies and the medicine they take, though the type of stolen information about each person varies. Those affected were notified. [source]


(return to health DataMap)

Copyright © 2012-2016 President and Fellows Harvard University.