This rule, issued in response to ARRA, goes into effect on Wednesday. At that point, all HIPPA-covered entities and their business associates must notify individuals and HHS when personal health information has been breached. HIPPA-covered entities include health plans, health care clearinghouses, or health care providers. The rule also covers “business associates” which include billing companies, transaction companies, lawyers, accountants, managers, administrators, or anyone who handles health information on behalf of a HIPPA-covered entity.

A breach is when individually identifiable health information is acquired, used, accessed, or disclosed to an unauthorized party, in a way that compromises its security or privacy. A “breach” does not include inadvertent disclosures among employees who are normally authorized to view protected health information. A breach also does not include exposure of encrypted personal health information, for example.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (ie, by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

In certain limited circumstances a vendor might be subject to HHS and FTC notification rules. In this case, a vendor which serves the public and HIPPA-covered entities may comply with both rules by providing notice to individuals and the HIPPA-covered entity. In many instances, entities covered by this rule must also comply with applicable State notification laws. The test for pre-emption is whether the State law is “contrary,” to the federal law or whether “a covered entity could find it impossible to comply with both the State and federal requirements.”

Compliance

Of course, the best way to comply with the law is to avoiding breaches altogether. The most straightforward way to avoid having a breach is to encrypt personal health information. But if a breach does occur, complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

• Date of the breach;
• Date of discovery;
• Description of the types of protected health information breached;
• Steps individuals should take to protect themselves from potential harm resulting from the breach;
• A brief description of the investigation, efforts to minimize losses and prevent future breaches;
• Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Beyond that, you’ll have to minimize your losses by repairing your company’s public image, regaining your customers’ trust, and mitigating civil liability.

References: 45 CFR parts 160, 162, and 164.

Note: This article was originally published on the J.C. Neu & Associates Blog.

“We’ve had a breach.” It’s a sentence nobody wants to hear, but when it happens to you, what to you do? If you’re in the healthcare industry, new federal regulations probably require you write a letter to the victims of the breach, or more. When and how quickly do you have to send a HIPAA/ ARRA notification? And what does it have to say?

The American Recovery and Reinvestment Act of 2009 (ARRA) requires HIPAA-covered entities to notify breach victims when protected health information has been disclosed to an unauthorized person. The legislation gives liberal exceptions for good faith and inadvertent disclosure. Redaction or encryption is an absolute defense to a breach.

“Protected Health Information” is any stored or transmitted health information which can be tied to an individual. It may include information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code. The law also requires third-party contractors or “business associates” to report breaches to the covered entity.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (ie, by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

A breach notification letter must meet differing but complementary legal and economic goals. They include:

1. Complying with law
2. Minimizing Losses
   • Repairing your company’s public image
   • Regaining your customers’ trust
   • Mitigating civil liability

Compliance with Law

Complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

• Date of the breach;
• Date of discovery;
• Description of the types of protected health information breached;
• Steps individuals should take to protect themselves from potential harm resulting from the breach;
• A brief description of the investigation, efforts to minimize losses and prevent future breaches;
• Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Repairing your Company’s Image

Avoid the natural tendency to clamp up. Of course, the best way to protect your company’s image is to keep bad news out of the public eye. But once the cat’s out of the bag, several studies indicate that more than two-thirds of economic losses arising from a data breach are due to brand diminishment and lost customer trust, rather than litigation or identity theft expenses.

Above all, your company must maintain credibility. Be honest, open, and share enough detail to convince an educated person that you know what you’re talking about, and that you’ve actually fixed the problem. Consider hiring an outside security consultant who can 1. Give you genuine feedback on your security practices, and 2. Vouch for your credibility when you say that your customers are safe.

Rebuilding Customer Trust

Consider your last trip to the Department of Motor Vehicles. It probably consisted of waiting for hours in multiple serpentine lines without any direction, followed by more waiting, followed by spending money. The best part is riding away in your car when you’re done. Surprisingly, Disneyland and the DMV have a lot in common: Long lines, spending money, and rides. What sets the DMV apart from the happiest place on earth? One important ingredient is Customer Empowerment.

One way the Disney folks empower customers is by posting periodic signs in long lines: “Wait Time: 45 minutes from this point.” Though the sign does not decrease wait time, it informs and empowers customers. And as Disney knows, empowered customers are happy customers. Frustrated, angry customers are far more likely to cause trouble or leave altogether.

The best way to rebuild your customers’ trust is to empower them. Too many breach notifications include the unhelpful statement, “We have no reason to believe that anyone has accessed or misused your information.” The statement is faulty because it does not empower the customer to take action. Also, if the statement isn’t completely true, or if it changes in the future, it may inadvertently induce liability under certain circumstances. Further, these types of statements tend to frustrate rather than empower customers, causing some to conclude that the notification is incomplete or disingenuous.

Instead, consider these options:

• Say, “Although we have no reason to believe that anyone has accessed or misused your information, if you think your personal information has been misused as a result of this breach, please call 1-800-XXX-XXXX so we can investigate…”
• Include statistics on typical rates of harm for similar breaches, where possible.
• Actually investigate the breach.
• Create a website where customers can get up-to-the minute updates on the investigation directly from you, rather than from the media (and update it after the media buzz has subsided).

Mitigating Civil Liability

ARRA does not expressly create a private right of action for a HIPAA breach. Other theoretical sources of liability exist, though. For example, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events, may create a tortious cause of action if the company fails to warn customers about foreseeable risks to personal information.

In contrast, most breaches are not likely to create privacy liability. Privacy tort actions usually require the breached information to cause extreme emotional distress, or a dilution of the property value of reputation or prestige. In addition, most courts have consistently failed to force companies to pay for credit monitoring services unless:

1. A person has become an actual victim of identity theft.
2. The person has found the thief
3. The person can prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and
4. The person proves that the entity had a legal obligation to keep that information private.

Instead, it’s important to remember that businesses stand to loose more money from brand diminishment and lost customer trust than from litigation.

Streamlining medical records has been a recurring theme of the Obama administration. Tucked away in the pending economic stimulus legislation, known as the American Recovery and Reinvestment Act (ARRA), is a provision which would create a breach notification requirement for health information breaches.

Starting in Subtitle D, ARRA takes an unprecedented foray into federalizing data breach notifications. Although ARRA regulates breaches of health information, this legislation will no doubt be front and center of future debates about creating a Federal Breach Notification Law.

Synopsis

Here is a quick analysis: ARRA mirrors most state breach notification laws, in that it requires “covered entities” (ie, Health Plans, Health Care Providers, and Health Care Clearinghouses) to notify each individual if their “unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach.” Business Associates, or subcontractors, must alert the Health Care Provider of a breach. The statute also places additional limits on how health information can be sold and shared.
The statute dramatically broadens the ambiguous state-law concept of “data owners,” and applies to any HIPPA-covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.”

As expected, the Federal law takes a lowest-common-denominator approach to duties. For example, although notifications must be made “without reasonable delay,” the statute allows up to 60 calendar days to comply. This is substantially longer than the longest state requirement, which requires notification within 45 days.
Each state notification law requires direct (ie mail) notification to affected individuals unless the person can’t be found, and allows “Substitute Notice” in cases of large breaches. “Substitute Notice” usually comprises posting an announcement on the organization’s website and notifying the media. Some states do not permit Substitute Notice unless the breach is extremely large (250,000+ in some cases). But ARRA allows substitute notice if the breach involves just 500 people in a single state.

The statute also reaches well beyond traditional “covered entities” to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report the breach to the FTC, which will treat it as a deceptive trade practice. Individuals should not expect a letter from Google or Microsoft if their health care records are breached.

On one hand, this federal legislation will plug holes in several states statutes by regulating health information. Arizona, California, Hawaii, Michigan, Oregon, and Rhode Island, for example, regulate health care providers and insurers differently from other companies, and may even completely exempt them from notification requirements.

This bill will no doubt spur the national discussion about breach notification laws. But because they mimic existing state laws, the bill comes up short. Breach Notification Laws were a step in the right direction when California passed the first one almost seven years ago. But since that time, they have displayed several shortcomings, which I critique here. Instead of fixing these problems, ARRA will exacerbate many of them.

After comparing data from 43 companies (including several repeat offenders), companies loose just over $200 per compromised record. Significantly, lost business due to a lack of customer trust and brand diminishment comprises 69% of the cost.

Forget about the cost of postage… businesses stand to loose much more in sales from customers who read, “We regret to inform you…”

I have personally discovered more than a hundred data breaches by schools, companies, doctors’ offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons:

1. Failure to Detect
2. Market Devaluation of Privacy
3. Poor Communication
4. Ignorance of Law
5. Notification Difficulty

Failure to Detect

Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press releases reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”

Market Devaluation of Privacy

The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.

In addition, most data breach notifications laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your credit. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.

Poor Communication

A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.

I have read dozens of breach announcements, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” Keeping a victim in the dark about the details protects only the breaching entity.

Ignorance of Law

Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.

Notification Difficulty

For the most part, organizations which choose not to report breaches get away with it. But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.

I have suggested solutions to some of these problems here and with the creation of National ID Watch

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch.

Starting with California’s 2003 law, all but a hand full of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that a if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped.

Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity Theft is just that: Where a person’s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, “Are they working?” My shorthand answer is “yes, sort of.”

I’ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren’t at risk if they don’t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:

1. Decreased Incidence of Identity Theft
2. Increased Awareness and Identity Control
3. Decreased Risk Behaviors and Incidence of Breach
4. Increased Victims’ Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft?

A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person’s Data Self. However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state’s gross domestic product and general fraud rate has a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers’ control over their identities?
A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:

• Who: The class of victims affected by the breach.
• What: A complete list of exposed information, not just the ones required by law.
• Where: Exposing entity’s contact information.
• How and When: Sufficiently detailed information about the how and when the breach occurred.
• How Much: Total number affected, Sensitivity of information exposed, Duration of exposure, and Distribution method (ie, stolen laptop, online exposure, or dumpster).
• What Now: A clear statement of consumer’s legal rights (or lack of rights); Concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; Suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is “noisy,” I think it would be a mischaracterization to label them as nothing more than “noise.” Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks come from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these “noisy” notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior?
A: Probably Not, but they have the potential to. An effective notification must contain actionable intelligence, which means Intelligence plus Action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.

However, imagine you’re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.

An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.

Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable reputes.

It’s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior?
A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims’ Rights

Q: Do Breach Notification Laws Create New Rights for Consumers?
A: Absolutely yes. While not the silver bullet to cure all ails, breach notification laws are an important first step at creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:

1. “Stewards,” not “Owners”: Given the tenuous and dangerous legal basis for “owning” personal information, notification laws should replace the concept of “personal information owners” with “personal information stewards.” This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can’t “own” a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.
2. Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and “what now?” of each breach.
3. Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
4. Presumptive Loss: In order to successfully sue for a breach, a consumer must 1. Become an actual victim of identity theft, 2. Find the identity thief, 3. Prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and 4. Prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive “ascertainable loss” whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market’s failure to value privacy
5. Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
6. Automatic Credit Reporting: Consumers should get an automatic notification at any activity on their credit.

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.

Footnotes

Cal. Civ. Code §§ 1798.82-84.
See, e.g. N.H. Rev. Stat. § 359-C:2.
See, e.g. Ga. Code § 10-1-910(4),(7).
See, e.g. Cal. Civ. Code § 1798.81.5.(a).

Tenn. Code § 47-18-2102(1).

Dentist Dr. Michell Burdine-Merai’s office in Oxon Hill, Maryland exposed private information about 9,911 patients, former patients, and their families to the public through an unsecured public wireless network, including roughly 2,569 social security numbers. The information also included appointments, dental treatments, and phone numbers.

In Alexandria, Virginia, the office of Martha Yungk, EA accidentally exposed the private information of 7,003 of her clients, former clients and their families on a public wireless network after an IT professional replaced a broken router with a wireless router, without her permission. The information includes more than 700 social security numbers, 400 addresses and phone numbers, and detailed tax information for 2,796 people. Letters to the IRS about criminal tax actions, state tax information, and notes about health and alimony were among the more than 300 sensitive documents exposed on the hot spot. The wireless network was available to any member of the public with a laptop, who came within 150 feet of the office (including the parking lot).

Maryland chiropractor Prime Care exposed private information about 56 patients over its public wireless network. Most of the individuals affected are patients of Dr. Steven Boesche, though Dr. Boesche was not responsible for the posting. The Hot Spot exposed 29 files with sensitive patient information, including patient account numbers, blood pressure, date of accident, diagnoses, examination results, patient history, pulse, prognosis, and treatments.

“This is an indemic problem among independent professionals. There’s an insecure wireless network in almost every office park,” says Aaron Titus, Privacy Director of the Liberty Coalition and SSNBreach.org. “This trend is predictable if regrettable, because independent practitioners have small staffs and often outsource IT functions to people of varying skill. When they outsource it to a non-professional, it can have a devastating effect on patient and client privacy.”

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Sources:
https://www.ssnbreach.org/release.php?g=79
https://www.ssnbreach.org/release.php?g=82
https://www.ssnbreach.org/release.php?g=85

The Liberty Coalition discovered the files in late January, 2008 and notified the university. FSU quickly removed the files from the server, but they remained available through search engine caches until late March, 2008.

This incident falls into a nationwide pattern where university professors use public university servers to back up sensitive student personal information, either unaware of the sensitive information, or unaware that the information would be available to the public.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=73

This breach fits within a common pattern where university faculty or staff use university servers to store backed-up files, assuming that since the system requires a password to upload files, that the servers are private. Unfortunately, in this instance, some of Dr. Munster’s backed-up files contained sensitive information which was made available online and picked up by search engines.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=80

University officials had already discovered the file during an internal audit in early February, 2008, before the Liberty Coalition was able to notify them of the exposure. By the time the Liberty Coalition contacted the University of Connecticut, they had already deleted the file, worked with all major search engines to clear their caches, and notified each affected student. To its credit, the University also offered each student two free years of credit checking, which is not technically required by law.

This exposure falls into a national pattern where professor will use university public servers to store sensitive personal information.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=81

By placing this information online, Stevens Institute of Technology has put these students at increased risk of identity theft and other forms of fraud.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=71

According to the server, the information was posted online since at least November, 2004. Though the university acted quickly to delete the files from their servers, copies remained available through major search engine caches through late March, 2008.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=70

The file was created on October 9, 2006. The school acted quickly to delete the file from their server and notify parents, but the file remained available through search engine caches until late February, 2008.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.
SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=78

According to Dr. Lieh, the files were made during a large backup a corrupted and damaged PC in March 2006, though many of the files are considerably older than that. This breach falls within a common national pattern of faculty who use online university servers to back up files, some of which may be sensitive in nature. The Liberty Coalition notified Dr. Lieh, the Wright State University General Counsel. Though the files were deleted from the server within 24 hours, copies remained available through Yahoo’s search engine cache until late March, 2008.

Much of the information exposed in this incident may be protected by FERPA. In addition, the last four or five digits of the social security number are used by some financial institutions and businesses to extend credit, or as passwords.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=77

Following the second notification, a county representative contacted the Liberty Coalition and pledged that Suffolk County plans to change its procedure, and stop using partial SSNs as an identifying number.

The last four digits of the social security number is used by businesses to extend credit, and financial institutions sometimes use it as a password. By placing this information online, Suffolk County has placed these individuals at an elevated risk of identity theft.

Individuals affected by this exposure should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information and the situation surrounding the exposure, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=76