What You Need to Know:
Data breaches aren’t going anywhere and we’re here to keep you up-to-date on the worst data breaches of the year putting you at risk of identity theft.
Note: This post will be continuously updated with new information as additional 2021 data breaches are reported. Breaches appear in descending order, with the most recent appearing at the bottom of the page.
January 14, 2022: Nonprofit Goodwill experienced a data breach that affected the accounts of customers using its ShopGoodwill.com e-commerce auction platform. The attack disclosed contact information including first and last name, email address, phone number and mailing address. No payment information was disclosed as ShopGoodwill.com does not store payment card information. The nonprofit attributed the breach to a site vulnerability which has since been fixed.
SOURCE | BleepingComputer
State of Washington
February 11, 2022: A security breach at the Washington State Department of Licensing affected the personal data in active, expired, revoked or suspended licenses for 23 of the 39 professions and businesses that require state licensing. At least 650,000 professionals who require licensing were impacted, possibly affecting their professional lives as a license is required to obtain professional service. Authorities believe Social Security numbers and some personal data were compromised.
SOURCE | KOMO News
International Order of the Red Cross
February 16, 2022: The International Committee of the Red Cross (ICRC) said a targeted cyberattack against its servers was likely coordinated by a state-backed hacking group. During the incident, the attackers gained access to the personal information (names, locations and contact information) of over 515,000 people in the “Restoring Family Links” program that helps reunite families separated by war, disaster and migration. The intruders were able to maintain access to ICRC’s servers for 70 days after the initial breach.
SOURCE | BleepingComputer
February 23, 2022: Video surveillance solutions manufacturer Axis Communications was victim of a cyberattack. The attack interrupted many of Axis’s offerings and as of the date of this notice, the company was working to restore affected services and preserve the safety of its systems and data. The company does not believe any sensitive customer or partner data was compromised.
SOURCE | Securityinfowatch.com
State Bar of California
February 28, 2022: A third party unlawfully accessed a State Bar of California public website that aggregates nationwide court case records. The site temporarily displayed confidential information on 260,000 non-public attorney discipline case records, along with about 60,000 public State Bar court case records,s and may have included information from other jurisdictions. The case profile data exposed included case number, file date, case type, case status and respondent and complaining witness names. It did not include full case records.
SOURCE | The State Bar of California
February 28, 2022: Toyota, the world’s largest automaker, was forced to halt production at all of its Japanese plants after one of its major suppliers was hit with a cyberattack, disrupting the automaker’s parts supply management system. The supplier, Kojima Industries, provides plastic parts to Toyota. Toyota’s subsidiaries Hino Motors and Daihatsu Motor were also forced to cease operations at some plants in Japan.
SOURCE | Nikkei Asia
March 1, 2022: Professional services and insurance giant Aon, which also provides cybersecurity services to its customers, has itself experienced a cyberattack. In a statement to its investors, the company said the Feb. 23 incident impacted a limited number of systems but declined to provide further details. The company has launched an inquiry into the breach.
SOURCE | CyberNews
March 2, 2022: Montana-based Logan Health Medical Center notified 213,543 patients, employees and business associates that their personal and health data was possibly accessed. A sophisticated cyberattack on its IT systems led to the unlawful entry of a file server containing protected health information. The compromised data varied by individual and could include names, Social Security numbers, dates of birth, contact information and email addresses.
SOURCE | SC Media
March 3, 2022: Laboratory Bako Diagnostics (BakoDX) confirmed that the company experienced a data breach resulting in the personal and healthcare information of certain consumers being compromised. Bako Diagnostics’ services cover more than 250 million individuals. While the compromised information varies by consumer, it may include the affected parties’ name, date of birth, address, telephone number, email address, Social Security number, driver’s license number, state identification number, health insurance information, medical information and billing and claims information.
SOURCE | JD Supra
March 7, 2022: PracticeMax, a provider of healthcare support services, informed 165,698 individuals of a security incident resulting in an unauthorized party gaining access to their sensitive information. While the compromised information varies by consumer, it may include the affected parties’ names, addresses, Social Security numbers, dates of birth, treatment and diagnosis information, health insurance information, financial information, patient account numbers, employer and employee identification numbers, passport numbers, driver’s license numbers, state identification numbers, prescription information, and provider or employee login information.
SOURCE | JD Supra
March 11, 2022: Alabama-based Norwood Clinic notified 228,103 patients that their data was potentially accessed or acquired after a cyberattack in October 2021. The investigation determined the cyberthieves gained access to folders that contain personal information of patients, including names, contact details, date of birth, Social Security numbers, driver’s licenses, some health information, and/or health insurance policy numbers.
SOURCE | SC Media
South Denver Cardiology Associates
March 15, 2022: An unknown actor was able to gain access to the computer network of South Denver Cardiology Associates (SDCA). The unknown perpetrator(s) gained access to files containing information on 287,652 patients. The information exposed includes patients’ names, dates of birth, Social Security numbers and/or drivers’ license numbers, patient account numbers, health insurance information and clinical information, such as physician names, dates and types of service and diagnoses.
SOURCE | Infosecurity
Jefferson Dental and Orthodontics
March 18, 2022: More than one million Texans were impacted by a data breach at Jefferson Dental and Orthodontics. The breach is the largest ever reported to the Texas Attorney General. Types of data exposed or stolen include Social Security numbers, driver’s license numbers, health insurance information and financial information.
SOURCE | CBS News
New York City Public Schools
March 28, 2022: In what may be the largest breach of student data in U.S. history, the personal information for roughly 820,000 current and former New York City public school students has been compromised. Every student profile in the database had information about which teachers they have, what courses they take, their grades and more.
SOURCE | The Record
March 31, 2022: Cytometry Specialists, Inc. (doing business as CSI Laboratories) in Alpharetta, GA announced it was the victim of a cyberattack. An investigation determined that 312,000 individuals were impacted. Information disclosed includes patient names and case numbers used for identifying patients. A subset of patients also had their address, date of birth, medical record number and health insurance information compromised.
SOURCE | HIPAA Journal
Partnership Health Plan of California
April 5, 2022: The Hive ransomware group posted a message on its HiveLeaks dark website declaring the group had access to the personal private information of approximately 850,000 patients of healthcare coverage provider Partnership Healthplan of California (“PHC”). This data included their patients’ names, addresses, and Social Security numbers.
SOURCE | Healthleaders
April 6, 2022: Block, the company behind the mobile payment service Cash App, acknowledged a Cash App data breach in which a former employee accessed reports that included U.S. customer information. The company is notifying about 8.2 million current and former customers about the breach. The reports included customer names and brokerage account numbers, and in some cases brokerage portfolio values, brokerage portfolio holdings and stock trading activity for one trading day.
SOURCE | CNET
Texas Department of Insurance
April 6, 2022: A data breach at the Texas Department of Insurance affected approximately 1,800,000 Texans. The department discovered a security issue with a TDI web service application that manages workers’ compensation information. The data breach exposed names, addresses, Social Security numbers and medical information.
SOURCE | Insurance Journal
Clinic of North Texas
April 6, 2022: Clinic of North Texas (CNT) fell victim to a cyberattack that resulted in unauthorized access to patient information for 244,174 individuals. The unauthorized actor accessed a folder containing names, birth dates, addresses and limited health information.
SOURCE | HealthITSecurity
April 7, 2022: SuperCare Health in California suffered a data breach which impacted 318,379 individuals. The respiratory care provider determined that names, addresses, health insurance information, medical record numbers, birth dates, patient account numbers, claim information, treatment information and hospital or medical group information were involved in the incident. A smaller number of Social Security numbers and driver’s license numbers were also involved.
SOURCE | HealthITSecurity
Lakeview Loan Servicing
April 12, 2022: Mortgage servicer Lakeview Loan Servicing disclosed a data breach that went undetected for over a month. The company said in public notices that the breach impacted 2,537,261 borrowers. An unauthorized person external to the company obtained access to the firm’s servers and information including names, addresses, loan information and Social Security numbers.
SOURCE | National Mortgage News
April 13, 2022: Illinois-based medical practice Christie Clinic disclosed a data breach occurred when a third party gained unauthorized access by way of a single business email account. The personal information of roughly 500,000 individuals was potentially compromised. The hacked email account contained names, addresses, medical and health insurance information and Social Security numbers.
SOURCE | SecurityWeek
May 7, 2022: An unauthorized person accessed Choice Health database and took multiple files. This breach occurred because Choice Health’s service provider failed to properly configure the security settings. The unauthorized person had the intention of making these stolen files available to others. The files contained information including first and last name, social security numbers, Medicare beneficiary identification numbers, date of birth, address, contact information, and health insurance information. It is assumed the breach allowed for 2.1 million records to be compromised.
SOURCE |Legal Scoops
May 25, 2022: Seattle based MCG Health discovered that files including social security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and genders were missing from their database, affecting 793,283 individuals. Investigators discovered that information of up to 11 million people was potentially obtained.
SOURCE |Hippa Journal
June 2, 2022: Flagstar Bank experienced a breach between December 3rd and 4th 2021 but did not discover it until June 2, 2022. The breach was caused by “unauthorized access” to the bank’s private network and after careful investigation Flagstar determined information, including social security numbers, were accessed to over 1.5 million people.
SOURCE | ZDNet
Baptist Health System
June 16, 2022: An unauthorized party gained access to the Baptist Health System’s computer network by installing a line of malicious code onto their system’s website. This breach affected over 1.2 million patients and the compromised information included full names, dates of birth, addressed, social security numbers, health insurance information, as well as medical and billing information.
SOURCE | JDSurpa