Mar 222018

From the notice on their web site:

March 21, 2018 – Clinical Pathology Laboratories Southeast, Inc. (“CPLSE”) has become aware of a data security incident that may have involved the personal and protected health information of its patients and their payment guarantors.

On September 20, 2017, a laptop issued to a CPLSE employee was stolen. The laptop may have contained personal and protected health information belonging to CPLSE patients and their payment guarantors. Upon learning of the incident, CPLSE disabled the stolen laptop’s access to its computer network and reported the laptop theft to the local police. CPLSE also conducted an investigation to determine what information may have been stored on the laptop. The information stored on the laptop may have included names, addresses, Social Security numbers, drivers’ license or government identification numbers, medical record identification numbers, and/or medical treatment information.

CPLSE takes the security of information belonging to its patients and their payment guarantors very seriously and has taken steps to prevent a similar event from occurring in the future. These steps include increasing the security of the CPLSE systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff.

Notification letters have been sent to the potentially impacted individuals which include information about the incident and steps that those individuals can take to monitor and protect their personal information. CPLSE has established a toll-free call center to answer questions about the incident and to address related concerns. The call center is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time and can be reached at 1-866-245-4291. In addition, out of an abundance of caution, CPLSE is offering potentially impacted individuals credit monitoring and identity theft protection services through ID Experts® at no cost.


For the full statement, see their site. Notification of this incident was also made to the Montana Attorney General’s Office today.

Mar 082018

Francesca Bacardi reports:

Los Angeles talent agency Innovative Artists might have exposed clients and employees’ “personal information” in a possible data security incident when it was burglarized last month, according to a letter from the agency obtained by Page Six.

The agency’s Santa Monica office was burglarized at 11 p.m. on Feb. 11, where three computers containing private information were snatched from the premises.

Innovative Artists, which represents celebrities such as Sterling K. Brown, Britt Robertson, Rachel Brosnahan, Channing Tatum, Lacey Chabert and Jane Seymour, believes the computer equipment was stolen for the “value of the hardware” and not the information it stored, according to the letter, because the burglar only took Apple computers which have a “street value” of “10-20x times the value of those computers that were not stolen.”

Read more on PageSix.

Mar 062018

Robert Rodriguez reports:

The theft of an external hard drive at Fresno State could expose the personal data of at least 15,000 people.

The hard drive was reported missing Jan. 12 and Fresno State officials said some of the files may have contained personal information, including names, addresses, phone numbers, birth dates, credit card numbers, driver’s license numbers and full or last four digits of Social Security numbers.

Officials said the data could affect former student athletes, sports-camp attendees and Athletic Corporation employees. The vast majority of data files were from 2003 to 2014.

Read more on Government Technology.

Feb 282018

From Santa Cruz Biotechnology’s notification template:

On Monday, December 18, 2017, we discovered that a burglary had occurred in our Santa Cruz office on or around December 17, 2017. We immediately contacted law enforcement and began an investigation in order to determine what happened and what may have been affected as a result. As a result of our investigation, we have determined that two computers were stolen, both of which were used for HR functions, but neither of which are capable of remotely accessing our systems.

Now watch what happens because their policy and practice wasn’t followed:

While it was our general practice to store documents with sensitive personal information about employees and potential employees on our servers and not on the local computers, our investigation has revealed that records containing some personal information was stored on at least one of the computers. …. It is possible that the following personal information may have been accessed and acquired as a result of this incident: full name, postal address, date of birth, Social Security number, medical and health insurance information, and work-related evaluations.

Read the full notification here:

Feb 282018

So I read the first sentence of the description of an incident reported by California College of the Arts, and wanted to just walk away:

On Friday January 19, 2018, a College laptop used by an employee was stolen out of the employee’s vehicle.

Why? WHY? WHY is this still happening?

But I made myself keep reading to see what kinds of data might be involved, and found:

The investigation has determined that files on the laptop may have contained some combination of an individual’s name, Social Security number, date of birth, subscriber member number and/or health insurance information.

But then I read their template notification to those affected, and it said:

What Information Was Involved? The investigation has determined that the following information related to you may have been on the laptop: name, Social Security number. We will be notifying all impacted individuals separately, so if your spouse and/or dependent are impacted, they will receive a separate letter of notification.

No mention of all of the other data fields? Hopefully, that was not sent to everyone if indeed, there were other data types involved for some of those affected.

The letter indicates that 2,581 California residents will be receiving notification letters, but it does not indicate how many non-residents may also be receiving letters.