By Jennifer L. Saunders, CIPP/US

Headline after headline, the news is similar if not the same: PII lost, stolen or compromised through human error. And amidst October’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach of its data could be.

“If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said.

However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.”


This comes after last week’s report of a hack affecting 2.9 million Adobe customers and the company’s move this week to reset relevant customer passwords and notify “customers whose credit or debit card information may have been compromised.”

And, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld has reported on Microsoft’s recycling of old addresses.

The most recent reports follow multiple headlines during the first week of October on breaches at schools and health providers—including claims from a New Orleans teachers' union that employee privacy rights were violated when a school system purchased a full-page ad congratulating 1,113 educators by name, and health data breaches in Illinois, California and Iowa.

Healthcare Breaches Abound

This week, HealthITSecurity reports on Tennessee-based Hope Family Health’s loss via theft of an unencrypted laptop holding personal information on 8,000 patients treated between 2005 and August of this year. The company’s chief compliance officer has said the information was “fingerprint- and password-protected; however, it was not encrypted.” The laptop has not been recovered, the report states, noting that while Hope is not offering patients a year of free credit monitoring, as is often done in similar breach cases, it has “augmented security by moving all protected health information over to a state-of-the-art encrypted database server.”

In another health data breach incident, Saint Louis University (SLU) is reporting an incident affecting 3,000 patients after “a few SLU employees gave out their account information by mistake as part of a phishing scam e-mail they received.” The scam resulted in the unauthorized access of “about 20 SLU e-mail accounts that held protected health information of about 3,000 people and about 200 Social Security numbers as well. SLU’s EHR system was not accessed through the scam and, according to the spokesman, employees’ financial information was the main target of the scam,” the report states, noting SLU is offering free credit monitoring and identity protection services to those affected by the breach.

Pennsylvania-based Rothman Institute has announced an internal breach of patient data after a former employee removed copies of patient schedules—including such data as patient names, telephone numbers, dates of birth, date and time of appointments and reasons for visits—without permission. The institute is offering a free year of credit monitoring as a precaution, Press of Atlantic City reports.

And North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecured e-mail.

In Canada, the Region of Peel is notifying 18,000 clients of a breach involving the theft of a digital card containing “the names, addresses, birth dates/ages, marital status and assessment information of clients” from the region’s Healthy Babies Healthy Children program, Brampton Guardian reports.

In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period.

Other Breaches

In early October, Krebs on Security reported “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center.

California-based PayJunction has been notifying “an undisclosed number of its sales agents that their names, Social Security numbers and bank account numbers may have been exposed when a data backup of an internal business system was inappropriately accessed.” The company learned of the unauthorized access in late September, eSecurity Planet reports this week, but the access occurred in July. The company has notified law enforcement and is offering those affected one year of free identity protection, the report states.

In Alabama, Colonial Properties Trust is notifying customers “that their names and Social Security numbers may have been accessed when Colonial's network was infected with malware” in April and May of this year.

The Florida ACLU is “looking into privacy policies at the Sarasota Police Department after a news release included the names of five women whose identities should have been protected under health privacy laws,” Herald-Tribune reports. The release included the names and birthdates of five women detained during an undercover operation. It was followed by an e-mail “asking the names of the women not be released on media outlets or websites at this time.” The Florida ACLU contends the names should have been protected under HIPAA “because the women are seeking medical attention for substance abuse,” the report states.

In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner's Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff.

And in New Zealand, amidst reports of high-profile data breaches in recent years and plans to expand the practice of sharing private information about New Zealanders between government departments, Labour Leader and Information and Communications Technology spokesperson David Cunliffe is calling for strict rules around data sharing, noting the government has a “terrible record of protecting personal information,” The New Zealand Herald reports.

In the Courts

Meanwhile, in data breach-related litigation, Barnes & Noble has urged a federal judge “to nix a revamped putative class-action over a security breach that affected PIN pad devices in 63 of its stores, arguing the allegations are ‘virtually identical’ to the ones that were dismissed last month,” Law360 reports. A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action.

In Vermont, Natural Provisions has agreed to pay $30,000 to settle a violation of state data breach laws, Mondaq reports.

And a former South Carolina Department of Health and Human Services employee, Christopher Lykes Jr., has pleaded guilty “to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.” The incident involved the compilation of more than 228,000 Medicaid patients' personal information on a spreadsheet that he sent to his private e-mail, The Associated Press reports, noting Lykes faces a potential sentence of 25 years in prison.

What To Do

If there is a bright side to all these breach reports, perhaps it comes in the number of experts weighing in with tips to help others avoid mistakes that can come at a high cost not only in terms of the bottom line, but also for the brand.

UCLA Health System Chief Compliance Officer Marti Arvin, for example, offered extensive tips for complying with the final Health Insurance Portability and Accountability Act omnibus rule at a recent event in Baltimore, MD, reported here by Bloomberg BNA.

And, an InformationWeek feature suggests “lessons learned from a data breach—embarrassing publicity and all—are sometimes the most enlightening because they show you how to fix security holes.”
